d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Upgrade Unbound to 1.6.7. More to follow.

Browse Source
This commit is contained in:
Dag-Erling Smørgrav 2018-05-12 14:51:18 +00:00
commit 8a384985ac
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=333564
77 changed files with 847 additions and 197 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
contrib/unbound/cachedb/cachedb.c
View File

@ -347,6 +347,13 @@ prep_data(struct module_qstate* qstate, struct sldns_buffer* buf)
if(!qstate->return_msg || !qstate->return_msg->rep)
return 0;
/* We don't store the reply if its TTL is 0 unless serve-expired is
* enabled. Such a reply won't be reusable and simply be a waste for
* the backend. It's also compatible with the default behavior of
* dns_cache_store_msg(). */
if(qstate->return_msg->rep->ttl == 0 &&
!qstate->env->cfg->serve_expired)
return 0;
if(verbosity >= VERB_ALGO)
log_dns_msg("cachedb encoding", &qstate->return_msg->qinfo,
qstate->return_msg->rep);
@ -387,32 +394,37 @@ good_expiry_and_qinfo(struct module_qstate* qstate, struct sldns_buffer* buf)
&expiry, sizeof(expiry));
expiry = be64toh(expiry);
if((time_t)expiry < *qstate->env->now)
if((time_t)expiry < *qstate->env->now &&
!qstate->env->cfg->serve_expired)
return 0;
return 1;
}
/* Adjust the TTL of the given RRset by 'subtract'. If 'subtract' is
* negative, set the TTL to 0. */
static void
packed_rrset_ttl_subtract(struct packed_rrset_data* data, time_t subtract)
{
size_t i;
size_t total = data->count + data->rrsig_count;
if(data->ttl > subtract)
if(subtract >= 0 && data->ttl > subtract)
data->ttl -= subtract;
else data->ttl = 0;
for(i=0; i<total; i++) {
if(data->rr_ttl[i] > subtract)
if(subtract >= 0 && data->rr_ttl[i] > subtract)
data->rr_ttl[i] -= subtract;
else data->rr_ttl[i] = 0;
}
}
/* Adjust the TTL of a DNS message and its RRs by 'adjust'. If 'adjust' is
* negative, set the TTLs to 0. */
static void
adjust_msg_ttl(struct dns_msg* msg, time_t adjust)
{
size_t i;
if(msg->rep->ttl > adjust)
if(adjust >= 0 && msg->rep->ttl > adjust)
msg->rep->ttl -= adjust;
else msg->rep->ttl = 0;
msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
@ -476,10 +488,26 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
adjust = *qstate->env->now - (time_t)timestamp;
if(qstate->return_msg->rep->ttl < adjust) {
verbose(VERB_ALGO, "cachedb msg expired");
return 0; /* message expired */
/* If serve-expired is enabled, we still use an expired message
* setting the TTL to 0. */
if(qstate->env->cfg->serve_expired)
adjust = -1;
else
return 0; /* message expired */
}
verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust);
adjust_msg_ttl(qstate->return_msg, adjust);
/* Similar to the unbound worker, if serve-expired is enabled and
* the msg would be considered to be expired, mark the state so a
* refetch will be scheduled. The comparison between 'expiry' and
* 'now' should be redundant given how these values were calculated,
* but we check it just in case as does good_expiry_and_qinfo(). */
if(qstate->env->cfg->serve_expired &&
(adjust == -1 || (time_t)expiry < *qstate->env->now)) {
qstate->need_refetch = 1;
}
return 1;
}
@ -563,11 +591,15 @@ cachedb_intcache_lookup(struct module_qstate* qstate)
static void
cachedb_intcache_store(struct module_qstate* qstate)
{
uint32_t store_flags = qstate->query_flags;
if(qstate->env->cfg->serve_expired)
store_flags |= DNSCACHE_STORE_ZEROTTL;
if(!qstate->return_msg)
return;
(void)dns_cache_store(qstate->env, &qstate->qinfo,
qstate->return_msg->rep, 0, qstate->prefetch_leeway, 0,
qstate->region, qstate->query_flags);
qstate->region, store_flags);
}
/**

6
contrib/unbound/config.h
View File

@ -605,7 +605,7 @@
#define PACKAGE_NAME "unbound"
/* Define to the full name and version of this package. */
#define PACKAGE_STRING "unbound 1.6.6"
#define PACKAGE_STRING "unbound 1.6.7"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "unbound"
@ -614,7 +614,7 @@
#define PACKAGE_URL ""
/* Define to the version of this package. */
#define PACKAGE_VERSION "1.6.6"
#define PACKAGE_VERSION "1.6.7"
/* default pidfile location */
#define PIDFILE "/var/unbound/unbound.pid"
@ -633,7 +633,7 @@
#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
/* version number for resource files */
#define RSRC_PACKAGE_VERSION 1,6,6,0
#define RSRC_PACKAGE_VERSION 1,6,7,0
/* Directory to chdir to */
#define RUN_DIR "/var/unbound"

27
contrib/unbound/configure vendored
View File

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.6.6.
# Generated by GNU Autoconf 2.69 for unbound 1.6.7.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
#
@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.6.6'
PACKAGE_STRING='unbound 1.6.6'
PACKAGE_VERSION='1.6.7'
PACKAGE_STRING='unbound 1.6.7'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
PACKAGE_URL=''
@ -1437,7 +1437,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.6.6 to adapt to many kinds of systems.
\`configure' configures unbound 1.6.7 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1502,7 +1502,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.6.6:";;
short | recursive ) echo "Configuration of unbound 1.6.7:";;
esac
cat <<\_ACEOF
@ -1714,7 +1714,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.6.6
unbound configure 1.6.7
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2423,7 +2423,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by unbound $as_me 1.6.6, which was
It was created by unbound $as_me 1.6.7, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2775,11 +2775,11 @@ UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=6
UNBOUND_VERSION_MICRO=6
UNBOUND_VERSION_MICRO=7
LIBUNBOUND_CURRENT=7
LIBUNBOUND_REVISION=5
LIBUNBOUND_REVISION=6
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -2836,6 +2836,7 @@ LIBUNBOUND_AGE=5
# 1.6.4 had 7:3:5
# 1.6.5 had 7:4:5
# 1.6.6 had 7:5:5
# 1.6.7 had 7:6:5
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -2851,7 +2852,7 @@ LIBUNBOUND_AGE=5
# Current and Age. Set Revision to 0, since this is the first
# implementation of the new API.
#
# Otherwise, we're changing the binary API and breaking bakward
# Otherwise, we're changing the binary API and breaking backward
# compatibility with old binaries. Increment Current. Set Age to 0,
# since we're backward compatible with no previous APIs. Set Revision
# to 0 too.
@ -20693,7 +20694,7 @@ _ACEOF
version=1.6.6
version=1.6.7
date=`date +'%b %e, %Y'`
@ -21212,7 +21213,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.6.6, which was
This file was extended by unbound $as_me 1.6.7, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -21278,7 +21279,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.6.6
unbound config.status 1.6.7
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"

7
contrib/unbound/configure.ac
View File

@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[6])
m4_define([VERSION_MICRO],[6])
m4_define([VERSION_MICRO],[7])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=7
LIBUNBOUND_REVISION=5
LIBUNBOUND_REVISION=6
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -75,6 +75,7 @@ LIBUNBOUND_AGE=5
# 1.6.4 had 7:3:5
# 1.6.5 had 7:4:5
# 1.6.6 had 7:5:5
# 1.6.7 had 7:6:5
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -90,7 +91,7 @@ LIBUNBOUND_AGE=5
# Current and Age. Set Revision to 0, since this is the first
# implementation of the new API.
#
# Otherwise, we're changing the binary API and breaking bakward
# Otherwise, we're changing the binary API and breaking backward
# compatibility with old binaries. Increment Current. Set Age to 0,
# since we're backward compatible with no previous APIs. Set Revision
# to 0 too.

96
contrib/unbound/contrib/aaaa-filter-iterator.patch
View File

@ -1,10 +1,10 @@
Index: trunk/doc/unbound.conf.5.in
===================================================================
--- trunk/doc/unbound.conf.5.in (revision 3587)
--- trunk/doc/unbound.conf.5.in (revision 4357)
+++ trunk/doc/unbound.conf.5.in (working copy)
@@ -593,6 +593,13 @@
possible. Best effort approach, full QNAME and original QTYPE will be sent when
upstream replies with a RCODE other than NOERROR. Default is off.
@@ -701,6 +701,13 @@
this option in enabled. Only use if you know what you are doing.
This option only has effect when qname-minimisation is enabled. Default is off.
.TP
+.B aaaa\-filter: \fI<yes or no>
+Activate behavior similar to BIND's AAAA-filter.
@ -18,7 +18,7 @@ Index: trunk/doc/unbound.conf.5.in
on your private network, and are not allowed to be returned for
Index: trunk/iterator/iter_scrub.c
===================================================================
--- trunk/iterator/iter_scrub.c (revision 3587)
--- trunk/iterator/iter_scrub.c (revision 4357)
+++ trunk/iterator/iter_scrub.c (working copy)
@@ -617,6 +617,32 @@
}
@ -75,10 +75,11 @@ Index: trunk/iterator/iter_scrub.c
/* At this point, we brutally remove ALL rrsets that aren't
* children of the originating zone. The idea here is that,
* as far as we know, the server that we contacted is ONLY
@@ -681,6 +715,24 @@
@@ -680,6 +714,24 @@
prev = NULL;
rrset = msg->rrset_first;
while(rrset) {
+
+ /* ASN: For AAAA records only... */
+ if((ie->aaaa_filter) && (rrset->type == LDNS_RR_TYPE_AAAA)) {
+ /* ASN: If this is not a AAAA query, then remove AAAA
@ -96,13 +97,12 @@ Index: trunk/iterator/iter_scrub.c
+ LDNS_RR_TYPE_AAAA, qinfo->qclass);
+ }
+ /* ASN: End of added code */
+
/* remove private addresses */
if( (rrset->type == LDNS_RR_TYPE_A ||
rrset->type == LDNS_RR_TYPE_AAAA)) {
Index: trunk/iterator/iter_utils.c
===================================================================
--- trunk/iterator/iter_utils.c (revision 3587)
--- trunk/iterator/iter_utils.c (revision 4357)
+++ trunk/iterator/iter_utils.c (working copy)
@@ -175,6 +175,7 @@
}
@ -114,9 +114,9 @@ Index: trunk/iterator/iter_utils.c
Index: trunk/iterator/iterator.c
===================================================================
--- trunk/iterator/iterator.c (revision 3587)
--- trunk/iterator/iterator.c (revision 4357)
+++ trunk/iterator/iterator.c (working copy)
@@ -1776,6 +1776,53 @@
@@ -1847,6 +1847,53 @@
return 0;
}
@ -170,7 +170,7 @@ Index: trunk/iterator/iterator.c
/**
* This is the request event state where the request will be sent to one of
@@ -1823,6 +1870,13 @@
@@ -1894,6 +1941,13 @@
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
@ -184,7 +184,7 @@ Index: trunk/iterator/iterator.c
/* Make sure we have a delegation point, otherwise priming failed
* or another failure occurred */
if(!iq->dp) {
@@ -2922,6 +2976,61 @@
@@ -3095,6 +3149,61 @@
return 0;
}
@ -244,9 +244,9 @@ Index: trunk/iterator/iterator.c
+/* ASN: End of added code */
+
/*
* Return priming query results to interestes super querystates.
* Return priming query results to interested super querystates.
*
@@ -2941,6 +3050,9 @@
@@ -3114,6 +3223,9 @@
else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
super->minfo[id])->state == DSNS_FIND_STATE)
processDSNSResponse(qstate, id, super);
@ -256,7 +256,7 @@ Index: trunk/iterator/iterator.c
else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
error_supers(qstate, id, super);
else if(qstate->is_priming)
@@ -2978,6 +3090,9 @@
@@ -3151,6 +3263,9 @@
case INIT_REQUEST_3_STATE:
cont = processInitRequest3(qstate, iq, id);
break;
@ -266,7 +266,7 @@ Index: trunk/iterator/iterator.c
case QUERYTARGETS_STATE:
cont = processQueryTargets(qstate, iq, ie, id);
break;
@@ -3270,6 +3385,8 @@
@@ -3460,6 +3575,8 @@
return "INIT REQUEST STATE (stage 2)";
case INIT_REQUEST_3_STATE:
return "INIT REQUEST STATE (stage 3)";
@ -275,7 +275,7 @@ Index: trunk/iterator/iterator.c
case QUERYTARGETS_STATE :
return "QUERY TARGETS STATE";
case PRIME_RESP_STATE :
@@ -3294,6 +3411,7 @@
@@ -3484,6 +3601,7 @@
case INIT_REQUEST_STATE :
case INIT_REQUEST_2_STATE :
case INIT_REQUEST_3_STATE :
@ -285,19 +285,19 @@ Index: trunk/iterator/iterator.c
return 0;
Index: trunk/iterator/iterator.h
===================================================================
--- trunk/iterator/iterator.h (revision 3587)
--- trunk/iterator/iterator.h (revision 4357)
+++ trunk/iterator/iterator.h (working copy)
@@ -113,6 +113,9 @@
@@ -130,6 +130,9 @@
*/
int* target_fetch_policy;
+ /** ASN: AAAA-filter flag */
+ int aaaa_filter;
+
/** ip6.arpa dname in wireformat, used for qname-minimisation */
uint8_t* ip6arpa_dname;
};
@@ -163,6 +166,14 @@
/** lock on ratelimit counter */
lock_basic_type queries_ratelimit_lock;
/** number of queries that have been ratelimited */
@@ -182,6 +185,14 @@
INIT_REQUEST_3_STATE,
/**
@ -311,26 +311,26 @@ Index: trunk/iterator/iterator.h
+ /**
* Each time a delegation point changes for a given query or a
* query times out and/or wakes up, this state is (re)visited.
* This state is reponsible for iterating through a list of
@@ -346,6 +357,13 @@
* This state is responsible for iterating through a list of
@@ -364,6 +375,13 @@
* be used when creating the state. A higher one will be attempted.
*/
int refetch_glue;
+
+ /**
+ * ASN: This is a flag that, if true, means that this query is
+ * for fetching A records to populate cache and determine if we must
+ * return AAAA records or not.
+ */
+ int fetch_a_for_aaaa;
+
/** list of pending queries to authoritative servers. */
struct outbound_list outlist;
Index: trunk/pythonmod/interface.i
===================================================================
--- trunk/pythonmod/interface.i (revision 3587)
--- trunk/pythonmod/interface.i (revision 4357)
+++ trunk/pythonmod/interface.i (working copy)
@@ -632,6 +632,7 @@
@@ -851,6 +851,7 @@
int harden_dnssec_stripped;
int harden_referral_path;
int use_caps_bits_for_id;
@ -340,9 +340,9 @@ Index: trunk/pythonmod/interface.i
size_t unwanted_threshold;
Index: trunk/util/config_file.c
===================================================================
--- trunk/util/config_file.c (revision 3587)
--- trunk/util/config_file.c (revision 4357)
+++ trunk/util/config_file.c (working copy)
@@ -176,6 +176,7 @@
@@ -195,6 +195,7 @@
cfg->harden_referral_path = 0;
cfg->harden_algo_downgrade = 0;
cfg->use_caps_bits_for_id = 0;
@ -352,9 +352,9 @@ Index: trunk/util/config_file.c
cfg->private_domain = NULL;
Index: trunk/util/config_file.h
===================================================================
--- trunk/util/config_file.h (revision 3587)
--- trunk/util/config_file.h (revision 4357)
+++ trunk/util/config_file.h (working copy)
@@ -179,6 +179,8 @@
@@ -209,6 +209,8 @@
int harden_algo_downgrade;
/** use 0x20 bits in query as random ID bits */
int use_caps_bits_for_id;
@ -365,9 +365,9 @@ Index: trunk/util/config_file.h
/** strip away these private addrs from answers, no DNS Rebinding */
Index: trunk/util/configlexer.lex
===================================================================
--- trunk/util/configlexer.lex (revision 3587)
--- trunk/util/configlexer.lex (revision 4357)
+++ trunk/util/configlexer.lex (working copy)
@@ -267,6 +267,7 @@
@@ -279,6 +279,7 @@
use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) }
caps-whitelist{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) }
unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
@ -377,9 +377,9 @@ Index: trunk/util/configlexer.lex
prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) }
Index: trunk/util/configparser.y
===================================================================
--- trunk/util/configparser.y (revision 3587)
--- trunk/util/configparser.y (revision 4357)
+++ trunk/util/configparser.y (working copy)
@@ -92,6 +92,7 @@
@@ -95,6 +95,7 @@
%token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT
%token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
%token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
@ -387,7 +387,7 @@ Index: trunk/util/configparser.y
%token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
%token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
%token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
@@ -169,6 +170,7 @@
@@ -203,6 +204,7 @@
server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
server_harden_referral_path | server_private_address |
server_private_domain | server_extended_statistics |
@ -395,10 +395,12 @@ Index: trunk/util/configparser.y
server_local_data_ptr | server_jostle_timeout |
server_unwanted_reply_threshold | server_log_time_ascii |
server_domain_insecure | server_val_sig_skew_min |
@@ -893,6 +895,15 @@
@@ -1183,6 +1185,15 @@
OUTYY(("P(server_caps_whitelist:%s)\n", $2));
if(!cfg_strlist_insert(&cfg_parser->cfg->caps_whitelist, $2))
yyerror("out of memory");
}
;
+ }
+ ;
+server_aaaa_filter: VAR_AAAA_FILTER STRING_ARG
+ {
+ OUTYY(("P(server_aaaa_filter:%s)\n", $2));
@ -406,8 +408,6 @@ Index: trunk/util/configparser.y
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->aaaa_filter = (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
}
;
server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG
{
OUTYY(("P(server_private_address:%s)\n", $2));

4
contrib/unbound/contrib/parseunbound.pl
View File

@ -91,7 +91,7 @@ while ( scalar keys %startstats < $numthreads || scalar keys %donestats < $numth
$allstats{$inthread}->{outstandingexc} = $4;
}
elsif ( $line =~ m/info: average recursion processing time ([0-9\.]+) sec/ ) {
$allstats{$inthread}->{recursionavg} = int($1 * 1000); # change sec to milisec.
$allstats{$inthread}->{recursionavg} = int($1 * 1000); # change sec to millisec.
}
elsif ( $line =~ m/info: histogram of recursion processing times/ ) {
next;
@ -103,7 +103,7 @@ while ( scalar keys %startstats < $numthreads || scalar keys %donestats < $numth
}
elsif ( $line =~ m/info: lower\(secs\) upper\(secs\) recursions/ ) {
# since after this line we're unsure if we get these numbers
# at all, we sould consider this marker as the end of the
# at all, we should consider this marker as the end of the
# block. Chances that we're parsing a file halfway written
# at this stage are small. Bold statement.
$donestats{$inthread} = 1;

11
contrib/unbound/daemon/remote.c
View File

@ -827,6 +827,7 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
#endif /* USE_IPSECMOD */
#ifdef USE_DNSCRYPT
size_t dnscrypt_shared_secret = 0;
size_t dnscrypt_nonce = 0;
#endif /* USE_DNSCRYPT */
msg = slabhash_get_mem(daemon->env->msg_cache);
rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
@ -843,6 +844,7 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
if(daemon->dnscenv) {
dnscrypt_shared_secret = slabhash_get_mem(
daemon->dnscenv->shared_secrets_cache);
dnscrypt_nonce = slabhash_get_mem(daemon->dnscenv->nonces_cache);
}
#endif /* USE_DNSCRYPT */
@ -868,6 +870,9 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
if(!print_longnum(ssl, "mem.cache.dnscrypt_shared_secret"SQ,
dnscrypt_shared_secret))
return 0;
if(!print_longnum(ssl, "mem.cache.dnscrypt_nonce"SQ,
dnscrypt_nonce))
return 0;
#endif /* USE_DNSCRYPT */
return 1;
}
@ -1058,8 +1063,12 @@ print_ext(SSL* ssl, struct ub_stats_info* s)
#ifdef USE_DNSCRYPT
if(!ssl_printf(ssl, "dnscrypt_shared_secret.cache.count"SQ"%u\n",
(unsigned)s->svr.shared_secret_cache_count)) return 0;
if(!ssl_printf(ssl, "dnscrypt_nonce.cache.count"SQ"%u\n",
(unsigned)s->svr.nonce_cache_count)) return 0;
if(!ssl_printf(ssl, "num.query.dnscrypt.shared_secret.cachemiss"SQ"%lu\n",
(unsigned long)s->svr.num_query_dnscrypt_secret_missed_cache)) return 0;
if(!ssl_printf(ssl, "num.query.dnscrypt.replay"SQ"%lu\n",
(unsigned long)s->svr.num_query_dnscrypt_replay)) return 0;
#endif /* USE_DNSCRYPT */
return 1;
}
@ -1771,7 +1780,7 @@ negative_del_rrset(struct lruhash_entry* e, void* arg)
struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key;
struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
/* delete the parentside negative cache rrsets,
* these are namerserver rrsets that failed lookup, rdata empty */
* these are nameserver rrsets that failed lookup, rdata empty */
if((k->rk.flags & PACKED_RRSET_PARENT_SIDE) && d->count == 1 &&
d->rrsig_count == 0 && d->rr_len[0] == 0) {
d->ttl = inf->expired;

23
contrib/unbound/daemon/stats.c
View File

@ -174,6 +174,21 @@ get_dnscrypt_cache_miss(struct worker* worker, int reset)
lock_basic_unlock(&de->shared_secrets_cache_lock);
return r;
}
/** get the number of replayed queries */
static size_t
get_dnscrypt_replay(struct worker* worker, int reset)
{
size_t r;
struct dnsc_env* de = worker->daemon->dnscenv;
lock_basic_lock(&de->nonces_cache_lock);
r = de->num_query_dnscrypt_replay;
if(reset && !worker->env.cfg->stat_cumulative)
de->num_query_dnscrypt_replay = 0;
lock_basic_unlock(&de->nonces_cache_lock);
return r;
}
#endif /* USE_DNSCRYPT */
void
@ -225,13 +240,21 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
(long long)get_dnscrypt_cache_miss(worker, reset);
s->svr.shared_secret_cache_count = (long long)count_slabhash_entries(
worker->daemon->dnscenv->shared_secrets_cache);
s->svr.nonce_cache_count = (long long)count_slabhash_entries(
worker->daemon->dnscenv->nonces_cache);
s->svr.num_query_dnscrypt_replay =
(long long)get_dnscrypt_replay(worker, reset);
} else {
s->svr.num_query_dnscrypt_secret_missed_cache = 0;
s->svr.shared_secret_cache_count = 0;
s->svr.nonce_cache_count = 0;
s->svr.num_query_dnscrypt_replay = 0;
}
#else
s->svr.num_query_dnscrypt_secret_missed_cache = 0;
s->svr.shared_secret_cache_count = 0;
s->svr.nonce_cache_count = 0;
s->svr.num_query_dnscrypt_replay = 0;
#endif /* USE_DNSCRYPT */
/* get tcp accept usage */

2
contrib/unbound/daemon/unbound.c
View File

@ -400,7 +400,7 @@ detach(void)
#endif /* HAVE_DAEMON */
}
/** daemonize, drop user priviliges and chroot if needed */
/** daemonize, drop user privileges and chroot if needed */
static void
perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
const char** cfgfile, int need_pidfile)

3
contrib/unbound/daemon/worker.c
View File

@ -1633,7 +1633,8 @@ worker_init(struct worker* worker, struct config_file *cfg,
cfg->use_caps_bits_for_id, worker->ports, worker->numports,
cfg->unwanted_threshold, cfg->outgoing_tcp_mss,
&worker_alloc_cleanup, worker,
cfg->do_udp, worker->daemon->connect_sslctx, cfg->delay_close,
cfg->do_udp || cfg->udp_upstream_without_downstream,
worker->daemon->connect_sslctx, cfg->delay_close,
dtenv);
if(!worker->back) {
log_err("could not create outgoing sockets");

4
contrib/unbound/dns64/dns64.c
View File

@ -792,6 +792,10 @@ dns64_inform_super(struct module_qstate* qstate, int id,
qstate->return_msg->rep))
return;
/* Use return code from A query in response to client. */
if (super->return_rcode != LDNS_RCODE_NOERROR)
super->return_rcode = qstate->return_rcode;
/* Generate a response suitable for the original query. */
if (qstate->qinfo.qtype == LDNS_RR_TYPE_A) {
dns64_adjust_a(id, super, qstate);

199
contrib/unbound/dnscrypt/dnscrypt.c
View File

@ -60,6 +60,17 @@ struct shared_secret_cache_key {
};
struct nonce_cache_key {
/** the nonce used by the client */
uint8_t nonce[crypto_box_HALF_NONCEBYTES];
/** the client_magic used by the client, this is associated to 1 cert only */
uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
/** the client public key */
uint8_t client_publickey[crypto_box_PUBLICKEYBYTES];
/** the hash table entry, data is uint8_t */
struct lruhash_entry entry;
};
/**
* Generate a key suitable to find shared secret in slabhash.
* \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH
@ -135,6 +146,87 @@ dnsc_shared_secrets_lookup(struct slabhash* cache,
return slabhash_lookup(cache, hash, key, 0);
}
/**
* Generate a key hash suitable to find a nonce in slabhash.
* \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES
* \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN
* \param[in] pk: The public key of the client. uint8_t pointer of size
* crypto_box_PUBLICKEYBYTES.
* \return the hash of the key.
*/
static uint32_t
dnsc_nonce_cache_key_hash(const uint8_t nonce[crypto_box_HALF_NONCEBYTES],
const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN],
const uint8_t pk[crypto_box_PUBLICKEYBYTES])
{
uint32_t h = 0;
h = hashlittle(nonce, crypto_box_HALF_NONCEBYTES, h);
h = hashlittle(magic_query, DNSCRYPT_MAGIC_HEADER_LEN, h);
return hashlittle(pk, crypto_box_PUBLICKEYBYTES, h);
}
/**
* Inserts a nonce, magic_query, pk tuple into the nonces_cache slabhash.
* \param[in] cache: the slabhash in which to look for the key.
* \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES
* \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN
* \param[in] pk: The public key of the client. uint8_t pointer of size
* crypto_box_PUBLICKEYBYTES.
* \param[in] hash: the hash of the key.
*/
static void
dnsc_nonce_cache_insert(struct slabhash *cache,
const uint8_t nonce[crypto_box_HALF_NONCEBYTES],
const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN],
const uint8_t pk[crypto_box_PUBLICKEYBYTES],
uint32_t hash)
{
struct nonce_cache_key* k =
(struct nonce_cache_key*)calloc(1, sizeof(*k));
if(!k) {
free(k);
return;
}
lock_rw_init(&k->entry.lock);
memcpy(k->nonce, nonce, crypto_box_HALF_NONCEBYTES);
memcpy(k->magic_query, magic_query, DNSCRYPT_MAGIC_HEADER_LEN);
memcpy(k->client_publickey, pk, crypto_box_PUBLICKEYBYTES);
k->entry.hash = hash;
k->entry.key = k;
k->entry.data = NULL;
slabhash_insert(cache,
hash, &k->entry,
NULL,
NULL);
}
/**
* Lookup a record in nonces_cache.
* \param[in] cache: the slabhash in which to look for the key.
* \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES
* \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN
* \param[in] pk: The public key of the client. uint8_t pointer of size
* crypto_box_PUBLICKEYBYTES.
* \param[in] hash: the hash of the key.
* \return a pointer to the locked cache entry or NULL on failure.
*/
static struct lruhash_entry*
dnsc_nonces_lookup(struct slabhash* cache,
const uint8_t nonce[crypto_box_HALF_NONCEBYTES],
const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN],
const uint8_t pk[crypto_box_PUBLICKEYBYTES],
uint32_t hash)
{
struct nonce_cache_key k;
memset(&k, 0, sizeof(k));
k.entry.hash = hash;
memcpy(k.nonce, nonce, crypto_box_HALF_NONCEBYTES);
memcpy(k.magic_query, magic_query, DNSCRYPT_MAGIC_HEADER_LEN);
memcpy(k.client_publickey, pk, crypto_box_PUBLICKEYBYTES);
return slabhash_lookup(cache, hash, &k, 0);
}
/**
* Decrypt a query using the dnsccert that was found using dnsc_find_cert.
* The client nonce will be extracted from the encrypted query and stored in
@ -163,11 +255,44 @@ dnscrypt_server_uncurve(struct dnsc_env* env,
struct lruhash_entry* entry;
uint32_t hash;
uint32_t nonce_hash;
if (len <= DNSCRYPT_QUERY_HEADER_SIZE) {
return -1;
}
query_header = (struct dnscrypt_query_header *)buf;
/* Detect replay attacks */
nonce_hash = dnsc_nonce_cache_key_hash(
query_header->nonce,
cert->magic_query,
query_header->publickey);
lock_basic_lock(&env->nonces_cache_lock);
entry = dnsc_nonces_lookup(
env->nonces_cache,
query_header->nonce,
cert->magic_query,
query_header->publickey,
nonce_hash);
if(entry) {
lock_rw_unlock(&entry->lock);
env->num_query_dnscrypt_replay++;
lock_basic_unlock(&env->nonces_cache_lock);
return -1;
}
dnsc_nonce_cache_insert(
env->nonces_cache,
query_header->nonce,
cert->magic_query,
query_header->publickey,
nonce_hash);
lock_basic_unlock(&env->nonces_cache_lock);
/* Find existing shared secret */
hash = dnsc_shared_secrets_cache_key(key,
cert->es_version[1],
query_header->publickey,
@ -547,7 +672,7 @@ dnsc_find_cert(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
* In order to be able to serve certs over TXT, we can reuse the local-zone and
* local-data config option. The zone and qname are infered from the
* provider_name and the content of the TXT record from the certificate content.
* returns the number of certtificate TXT record that were loaded.
* returns the number of certificate TXT record that were loaded.
* < 0 in case of error.
*/
static int
@ -770,8 +895,16 @@ dnsc_create(void)
env = (struct dnsc_env *) calloc(1, sizeof(struct dnsc_env));
lock_basic_init(&env->shared_secrets_cache_lock);
lock_protect(&env->shared_secrets_cache_lock,
&env->num_query_dnscrypt_secret_missed_cache,
sizeof(env->num_query_dnscrypt_secret_missed_cache));
&env->num_query_dnscrypt_secret_missed_cache,
sizeof(env->num_query_dnscrypt_secret_missed_cache));
lock_basic_init(&env->nonces_cache_lock);
lock_protect(&env->nonces_cache_lock,
&env->nonces_cache,
sizeof(env->nonces_cache));
lock_protect(&env->nonces_cache_lock,
&env->num_query_dnscrypt_replay,
sizeof(env->num_query_dnscrypt_replay));
return env;
}
@ -803,6 +936,16 @@ dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg)
if(!env->shared_secrets_cache){
fatal_exit("dnsc_apply_cfg: could not create shared secrets cache.");
}
env->nonces_cache = slabhash_create(
cfg->dnscrypt_nonce_cache_slabs,
HASH_DEFAULT_STARTARRAY,
cfg->dnscrypt_nonce_cache_size,
dnsc_nonces_sizefunc,
dnsc_nonces_compfunc,
dnsc_nonces_delkeyfunc,
dnsc_nonces_deldatafunc,
NULL
);
return 0;
}
@ -817,7 +960,9 @@ dnsc_delete(struct dnsc_env *env)
sodium_free(env->certs);
sodium_free(env->keypairs);
slabhash_delete(env->shared_secrets_cache);
slabhash_delete(env->nonces_cache);
lock_basic_destroy(&env->shared_secrets_cache_lock);
lock_basic_destroy(&env->nonces_cache_lock);
free(env);
}
@ -858,3 +1003,51 @@ dnsc_shared_secrets_deldatafunc(void* d, void* ATTR_UNUSED(arg))
uint8_t* data = (uint8_t*)d;
free(data);
}
/**
* #########################################################
* ############### Nonces cache functions ##################
* #########################################################
*/
size_t
dnsc_nonces_sizefunc(void *k, void* ATTR_UNUSED(d))
{
struct nonce_cache_key* nk = (struct nonce_cache_key*)k;
size_t key_size = sizeof(struct nonce_cache_key)
+ lock_get_mem(&nk->entry.lock);
(void)nk; /* otherwise ssk is unused if no threading, or fixed locksize */
return key_size;
}
int
dnsc_nonces_compfunc(void *m1, void *m2)
{
struct nonce_cache_key *k1 = m1, *k2 = m2;
return
sodium_memcmp(
k1->nonce,
k2->nonce,
crypto_box_HALF_NONCEBYTES) != 0 ||
sodium_memcmp(
k1->magic_query,
k2->magic_query,
DNSCRYPT_MAGIC_HEADER_LEN) != 0 ||
sodium_memcmp(
k1->client_publickey, k2->client_publickey,
crypto_box_PUBLICKEYBYTES) != 0;
}
void
dnsc_nonces_delkeyfunc(void *k, void* ATTR_UNUSED(arg))
{
struct nonce_cache_key* nk = (struct nonce_cache_key*)k;
lock_rw_destroy(&nk->entry.lock);
free(nk);
}
void
dnsc_nonces_deldatafunc(void* ATTR_UNUSED(d), void* ATTR_UNUSED(arg))
{
return;
}

30
contrib/unbound/dnscrypt/dnscrypt.h
View File

@ -63,11 +63,20 @@ struct dnsc_env {
uint64_t nonce_ts_last;
unsigned char hash_key[crypto_shorthash_KEYBYTES];
char * provider_name;
/** Caches */
struct slabhash *shared_secrets_cache;
/** lock on shared secret cache counters */
lock_basic_type shared_secrets_cache_lock;
/** number of misses from shared_secrets_cache */
size_t num_query_dnscrypt_secret_missed_cache;
/** slabhash keeping track of nonce/cient pk/server sk pairs. */
struct slabhash *nonces_cache;
/** lock on nonces_cache, used to avoid race condition in updating the hash */
lock_basic_type nonces_cache_lock;
/** number of replayed queries */
size_t num_query_dnscrypt_replay;
};
struct dnscrypt_query_header {
@ -139,5 +148,26 @@ void dnsc_shared_secrets_delkeyfunc(void *k, void* arg);
*/
void dnsc_shared_secrets_deldatafunc(void* d, void* arg);
/**
* Computes the size of the nonce cache entry.
*/
size_t dnsc_nonces_sizefunc(void *k, void *d);
/**
* Compares two nonce cache keys.
*/
int dnsc_nonces_compfunc(void *m1, void *m2);
/**
* Function to delete a nonce cache key.
*/
void dnsc_nonces_delkeyfunc(void *k, void* arg);
/**
* Function to delete a nonce cache value.
*/
void dnsc_nonces_deldatafunc(void* d, void* arg);
#endif /* USE_DNSCRYPT */
#endif

52
contrib/unbound/doc/Changelog
View File

@ -1,5 +1,55 @@
10 October 2017: Wouter
- tag 1.6.7
6 October 2017: Wouter
- Fix spelling in unbound-control man page.
5 October 2017: Wouter
- Fix trust-anchor-signaling works in libunbound.
- Fix some more crpls in testdata for different signaling default.
- tag 1.6.7rc1
5 October 2017: Ralph
- Set trust-anchor-signaling default to yes
- Use RCODE from A query on DNS64 synthesized answer.
2 October 2017: Wouter
- Fix param unused warning for windows exportsymbol compile.
25 September 2017: Ralph
- Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
(by Danilo G. Baio).
21 September 2017: Ralph
- Log name of looping module
19 September 2017: Wouter
- use a cachedb answer even if it's "expired" when serve-expired is yes
(patch from Jinmei Tatuya).
- trigger refetching of the answer in that case (this will bypass
cachedb lookup)
- allow storing a 0-TTL answer from cachedb in the in-memory message
cache when serve-expired is yes
- Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
18 September 2017: Ralph
- Fix #1400: allowing use of global cache on ECS-forwarding unless
always-forward.
18 September 2017: Wouter
- tag 1.6.6 (is 1.6.6rc2)
- Fix that looping modules always stop the query, and don't pass
control.
- Fix #1435: Please allow UDP to be disabled separately upstream and
downstream.
- Fix #1440: [dnscrypt] client nonce cache.
15 September 2017: Wouter
- Fix unbound-host to report error for DNSSEC state of failed lookups.
- Spelling fixes, from Josh Soref.
13 September 2017: Wouter
- tag 1.6.6rc2
- tag 1.6.6rc2, became 1.6.6 on 18 sep. trunk 1.6.7 in development.
12 September 2017: Wouter
- Add dns64 for client-subnet in unbound-checkconf.

2
contrib/unbound/doc/README
View File

@ -1,4 +1,4 @@
README for Unbound 1.6.6
README for Unbound 1.6.7
Copyright 2007 NLnet Labs
http://unbound.net

10
contrib/unbound/doc/example.conf
View File

@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.6.6.
# See unbound.conf(5) man page, version 1.6.7.
#
# this is a comment.
@ -199,6 +199,10 @@ server:
# upstream connections use TCP only (and no UDP), "yes" or "no"
# useful for tunneling scenarios, default no.
# tcp-upstream: no
# upstream connections also use UDP (even if do-udp is no).
# useful if if you want UDP upstream, but don't provide UDP downstream.
# udp-upstream-without-downstream: no
# Maximum segment size (MSS) of TCP socket on which the server
# responds to queries. Default is 0, system default MSS.
@ -449,7 +453,7 @@ server:
# auto-trust-anchor-file: "/var/unbound/root.key"
# trust anchor signaling sends a RFC8145 key tag query after priming.
# trust-anchor-signaling: no
# trust-anchor-signaling: yes
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
@ -512,7 +516,7 @@ server:
# that set CD but cannot validate themselves.
# ignore-cd-flag: no
# Serve expired reponses from cache, with TTL 0 in the response,
# Serve expired responses from cache, with TTL 0 in the response,
# and then attempt to fetch the data afresh.
# serve-expired: no

10
contrib/unbound/doc/example.conf.in
View File

@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.6.6.
# See unbound.conf(5) man page, version 1.6.7.
#
# this is a comment.
@ -199,6 +199,10 @@ server:
# upstream connections use TCP only (and no UDP), "yes" or "no"
# useful for tunneling scenarios, default no.
# tcp-upstream: no
# upstream connections also use UDP (even if do-udp is no).
# useful if if you want UDP upstream, but don't provide UDP downstream.
# udp-upstream-without-downstream: no
# Maximum segment size (MSS) of TCP socket on which the server
# responds to queries. Default is 0, system default MSS.
@ -449,7 +453,7 @@ server:
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
# trust anchor signaling sends a RFC8145 key tag query after priming.
# trust-anchor-signaling: no
# trust-anchor-signaling: yes
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
@ -512,7 +516,7 @@ server:
# that set CD but cannot validate themselves.
# ignore-cd-flag: no
# Serve expired reponses from cache, with TTL 0 in the response,
# Serve expired responses from cache, with TTL 0 in the response,
# and then attempt to fetch the data afresh.
# serve-expired: no

4
contrib/unbound/doc/libunbound.3
View File

@ -1,4 +1,4 @@
.TH "libunbound" "3" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "libunbound" "3" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.6.6 functions.
\- Unbound DNS validating resolver 1.6.7 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP

4
contrib/unbound/doc/libunbound.3.in
View File

@ -1,4 +1,4 @@
.TH "libunbound" "3" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "libunbound" "3" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.6.6 functions.
\- Unbound DNS validating resolver 1.6.7 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP

2
contrib/unbound/doc/requirements.txt
View File

@ -81,7 +81,7 @@ o Too many Features.
5. Choices
----------
o rfc2181 decourages duplicates RRs in RRsets. unbound does not create
o rfc2181 discourages duplicates RRs in RRsets. unbound does not create
duplicates, but when presented with duplicates on the wire from the
authoritative servers, does not perform duplicate removal.
It does do some rrsig duplicate removal, in the msgparser, for dnssec qtype

2
contrib/unbound/doc/unbound-anchor.8
View File

@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound-anchor" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"

2
contrib/unbound/doc/unbound-anchor.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound-anchor" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"

2
contrib/unbound/doc/unbound-checkconf.8
View File

@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound-checkconf" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"

2
contrib/unbound/doc/unbound-checkconf.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound-checkconf" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"

54
contrib/unbound/doc/unbound-control.8
View File

@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound-control" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@ -337,6 +337,19 @@ number of queries that were successfully answered using a cache lookup
.I threadX.num.cachemiss
number of queries that needed recursive processing
.TP
.I threadX.num.dnscrypt.crypted
number of queries that were encrypted and successfully decapsulated by dnscrypt.
.TP
.I threadX.num.dnscrypt.cert
number of queries that were requesting dnscrypt certificates.
.TP
.I threadX.num.dnscrypt.cleartext
number of queries received on dnscrypt port that were cleartext and not a
request for certificates.
.TP
.I threadX.num.dnscrypt.malformed
number of request that were neither cleartext, not valid dnscrypt messages.
.TP
.I threadX.num.prefetch
number of cache prefetches performed. This number is included in
cachehits, as the original query had the unprefetched answer from cache,
@ -393,6 +406,18 @@ summed over threads.
.I total.num.cachemiss
summed over threads.
.TP
.I total.num.dnscrypt.crypted
summed over threads.
.TP
.I total.num.dnscrypt.cert
summed over threads.
.TP
.I total.num.dnscrypt.cleartext
summed over threads.
.TP
.I total.num.dnscrypt.malformed
summed over threads.
.TP
.I total.num.prefetch
summed over threads.
.TP
@ -439,6 +464,12 @@ Memory in bytes in use by the RRset cache.
.I mem.cache.message
Memory in bytes in use by the message cache.
.TP
.I mem.cache.dnscrypt_shared_secret
Memory in bytes in use by the dnscrypt shared secrets cache.
.TP
.I mem.cache.dnscrypt_nonce
Memory in bytes in use by the dnscrypt nonce cache.
.TP
.I mem.mod.iterator
Memory in bytes in use by the iterator module.
.TP
@ -497,6 +528,14 @@ These queries are also included in the num.query.edns.present number.
The number of queries that are turned away from being send to nameserver due to
ratelimiting.
.TP
.I num.query.dnscrypt.shared_secret.cachemiss
The number of dnscrypt queries that did not find a shared secret in the cache.
The can be use to compute the shared secret hitrate.
.TP
.I num.query.dnscrypt.replay
The number of dnscrypt queries that found a nonce hit in the nonce cache and
hence are considered a query replay.
.TP
.I num.answer.rcode.NXDOMAIN
The number of answers to queries, from cache or from recursion, that had the
return code NXDOMAIN. Also printed for the other return codes.
@ -546,6 +585,19 @@ timing and protocol support information.
.I key.cache.count
The number of items in the key cache. These are DNSSEC keys, one item
per delegation point, and their validation status.
.TP
.I dnscrypt_shared_secret.cache.count
The number of items in the shared secret cache. These are precomputed shared
secrets for a given client public key/server secret key pair. Shared secrets
are CPU intensive and this cache allows unbound to avoid recomputing the
shared secret when multiple dnscrypt queries are sent from the same client.
.TP
.I dnscrypt_nonce.cache.count
The number of items in the client nonce cache. This cache is used to prevent
dnscrypt queries replay. The client nonce must be unique for each client public
key/server secret key pair. This cache should be able to host QPS * `replay
window` interval keys to prevent replay of a query during `replay window`
seconds.
.SH "FILES"
.TP
.I /var/unbound/unbound.conf

54
contrib/unbound/doc/unbound-control.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound-control" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@ -337,6 +337,19 @@ number of queries that were successfully answered using a cache lookup
.I threadX.num.cachemiss
number of queries that needed recursive processing
.TP
.I threadX.num.dnscrypt.crypted
number of queries that were encrypted and successfully decapsulated by dnscrypt.
.TP
.I threadX.num.dnscrypt.cert
number of queries that were requesting dnscrypt certificates.
.TP
.I threadX.num.dnscrypt.cleartext
number of queries received on dnscrypt port that were cleartext and not a
request for certificates.
.TP
.I threadX.num.dnscrypt.malformed
number of request that were neither cleartext, not valid dnscrypt messages.
.TP
.I threadX.num.prefetch
number of cache prefetches performed. This number is included in
cachehits, as the original query had the unprefetched answer from cache,
@ -393,6 +406,18 @@ summed over threads.
.I total.num.cachemiss
summed over threads.
.TP
.I total.num.dnscrypt.crypted
summed over threads.
.TP
.I total.num.dnscrypt.cert
summed over threads.
.TP
.I total.num.dnscrypt.cleartext
summed over threads.
.TP
.I total.num.dnscrypt.malformed
summed over threads.
.TP
.I total.num.prefetch
summed over threads.
.TP
@ -439,6 +464,12 @@ Memory in bytes in use by the RRset cache.
.I mem.cache.message
Memory in bytes in use by the message cache.
.TP
.I mem.cache.dnscrypt_shared_secret
Memory in bytes in use by the dnscrypt shared secrets cache.
.TP
.I mem.cache.dnscrypt_nonce
Memory in bytes in use by the dnscrypt nonce cache.
.TP
.I mem.mod.iterator
Memory in bytes in use by the iterator module.
.TP
@ -497,6 +528,14 @@ These queries are also included in the num.query.edns.present number.
The number of queries that are turned away from being send to nameserver due to
ratelimiting.
.TP
.I num.query.dnscrypt.shared_secret.cachemiss
The number of dnscrypt queries that did not find a shared secret in the cache.
The can be use to compute the shared secret hitrate.
.TP
.I num.query.dnscrypt.replay
The number of dnscrypt queries that found a nonce hit in the nonce cache and
hence are considered a query replay.
.TP
.I num.answer.rcode.NXDOMAIN
The number of answers to queries, from cache or from recursion, that had the
return code NXDOMAIN. Also printed for the other return codes.
@ -546,6 +585,19 @@ timing and protocol support information.
.I key.cache.count
The number of items in the key cache. These are DNSSEC keys, one item
per delegation point, and their validation status.
.TP
.I dnscrypt_shared_secret.cache.count
The number of items in the shared secret cache. These are precomputed shared
secrets for a given client public key/server secret key pair. Shared secrets
are CPU intensive and this cache allows unbound to avoid recomputing the
shared secret when multiple dnscrypt queries are sent from the same client.
.TP
.I dnscrypt_nonce.cache.count
The number of items in the client nonce cache. This cache is used to prevent
dnscrypt queries replay. The client nonce must be unique for each client public
key/server secret key pair. This cache should be able to host QPS * `replay
window` interval keys to prevent replay of a query during `replay window`
seconds.
.SH "FILES"
.TP
.I @ub_conf_file@

2
contrib/unbound/doc/unbound-host.1
View File

@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound\-host" "1" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"

2
contrib/unbound/doc/unbound-host.1.in
View File

@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound\-host" "1" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"

4
contrib/unbound/doc/unbound.8
View File

@ -1,4 +1,4 @@
.TH "unbound" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.6.6.
\- Unbound DNS validating resolver 1.6.7.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]

4
contrib/unbound/doc/unbound.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.6.6.
\- Unbound DNS validating resolver 1.6.7.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]

22
contrib/unbound/doc/unbound.conf.5
View File

@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound.conf" "5" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -391,6 +391,11 @@ negotiation between Unbound and other servers.
Enable or disable whether the upstream queries use TCP only for transport.
Default is no. Useful in tunneling scenarios.
.TP
.B udp\-upstream\-without\-downstream: \fI<yes or no>
Enable udp upstream even if do-udp is no. Default is no, and this does not
change anything. Useful for TLS service providers, that want no udp downstream
but use udp to fetch data upstream.
.TP
.B ssl\-upstream: \fI<yes or no>
Enabled or disable whether the upstream queries use SSL only for transport.
Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
@ -807,7 +812,7 @@ It is possible to use wildcards with this statement, the wildcard is
expanded on start and on reload.
.TP
.B trust\-anchor\-signaling: \fI<yes or no>
Send RFC8145 key tag query after trust anchor priming. Default is off.
Send RFC8145 key tag query after trust anchor priming. Default is on.
.TP
.B dlv\-anchor\-file: \fI<filename>
This option was used during early days DNSSEC deployment when no parent-side
@ -1518,6 +1523,17 @@ using the same public key. It saves a substantial amount of CPU.
Give power of 2 number of slabs, this is used to reduce lock contention
in the dnscrypt shared secrets cache. Close to the number of cpus is
a fairly good setting.
.TP
.B dnscrypt\-nonce\-cache\-size: \fI<memory size>
Give the size of the data structure in which the client nonces are kept in.
Default 4m. In bytes or use m(mega), k(kilo), g(giga).
The nonce cache is used to prevent dnscrypt message replaying. Client nonce
should be unique for any pair of client pk/server sk.
.TP
.B dnscrypt\-nonce\-cache\-slabs: \fI<number>
Give power of 2 number of slabs, this is used to reduce lock contention
in the dnscrypt nonce cache. Close to the number of cpus is
a fairly good setting.
.SS "EDNS Client Subnet Module Options"
.LP
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
@ -1531,7 +1547,7 @@ specialized cache. If the authority indicated no support, the response is
stored in the regular cache.
.LP
Additionally, when a client includes the option in its queries, Unbound will
forward the option to the authority if prensent in the whitelist, or
forward the option to the authority if present in the whitelist, or
\fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
the regular cache is skipped.
.LP

22
contrib/unbound/doc/unbound.conf.5.in
View File

@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound.conf" "5" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -391,6 +391,11 @@ negotiation between Unbound and other servers.
Enable or disable whether the upstream queries use TCP only for transport.
Default is no. Useful in tunneling scenarios.
.TP
.B udp\-upstream\-without\-downstream: \fI<yes or no>
Enable udp upstream even if do-udp is no. Default is no, and this does not
change anything. Useful for TLS service providers, that want no udp downstream
but use udp to fetch data upstream.
.TP
.B ssl\-upstream: \fI<yes or no>
Enabled or disable whether the upstream queries use SSL only for transport.
Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
@ -807,7 +812,7 @@ It is possible to use wildcards with this statement, the wildcard is
expanded on start and on reload.
.TP
.B trust\-anchor\-signaling: \fI<yes or no>
Send RFC8145 key tag query after trust anchor priming. Default is off.
Send RFC8145 key tag query after trust anchor priming. Default is on.
.TP
.B dlv\-anchor\-file: \fI<filename>
This option was used during early days DNSSEC deployment when no parent-side
@ -1518,6 +1523,17 @@ using the same public key. It saves a substantial amount of CPU.
Give power of 2 number of slabs, this is used to reduce lock contention
in the dnscrypt shared secrets cache. Close to the number of cpus is
a fairly good setting.
.TP
.B dnscrypt\-nonce\-cache\-size: \fI<memory size>
Give the size of the data structure in which the client nonces are kept in.
Default 4m. In bytes or use m(mega), k(kilo), g(giga).
The nonce cache is used to prevent dnscrypt message replaying. Client nonce
should be unique for any pair of client pk/server sk.
.TP
.B dnscrypt\-nonce\-cache\-slabs: \fI<number>
Give power of 2 number of slabs, this is used to reduce lock contention
in the dnscrypt nonce cache. Close to the number of cpus is
a fairly good setting.
.SS "EDNS Client Subnet Module Options"
.LP
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
@ -1531,7 +1547,7 @@ specialized cache. If the authority indicated no support, the response is
stored in the regular cache.
.LP
Additionally, when a client includes the option in its queries, Unbound will
forward the option to the authority if prensent in the whitelist, or
forward the option to the authority if present in the whitelist, or
\fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
the regular cache is skipped.
.LP

2
contrib/unbound/edns-subnet/addrtree.h
View File

@ -108,7 +108,7 @@ struct addrnode {
struct addredge {
/** address of connected node */
addrkey_t *str;
/** lenght in bits of str */
/** length in bits of str */
addrlen_t len;
/** child node this edge is connected to */
struct addrnode *node;

7
contrib/unbound/edns-subnet/subnetmod.c
View File

@ -532,7 +532,7 @@ parse_subnet_option(struct edns_option* ecs_option, struct ecs_data* ecs)
ecs->subnet_addr_fam = sldns_read_uint16(ecs_option->opt_data);
ecs->subnet_source_mask = ecs_option->opt_data[2];
ecs->subnet_scope_mask = ecs_option->opt_data[3];
/* remaing bytes indicate address */
/* remaining bytes indicate address */
/* validate input*/
/* option length matches calculated length? */
@ -602,7 +602,7 @@ ecs_query_response(struct module_qstate* qstate, struct dns_msg* response,
if(sq->subnet_sent &&
FLAGS_GET_RCODE(response->rep->flags) == LDNS_RCODE_REFUSED) {
/* REFUSED reponse to ECS query, remove ECS option. */
/* REFUSED response to ECS query, remove ECS option. */
edns_opt_list_remove(&qstate->edns_opts_back_out,
qstate->env->cfg->client_subnet_opcode);
sq->subnet_sent = 0;
@ -628,7 +628,7 @@ ecs_edns_back_parsed(struct module_qstate* qstate, int id,
sq->ecs_server_in.subnet_validdata)
/* Only skip global cache store if we sent an ECS option
* and received one back. Answers from non-whitelisted
* servers will end up in global cache. Ansers for
* servers will end up in global cache. Answers for
* queries with 0 source will not (unless nameserver
* does not support ECS). */
qstate->no_cache_store = 1;
@ -722,6 +722,7 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
sq->ecs_server_out.subnet_scope_mask = 0;
sq->ecs_server_out.subnet_validdata = 1;
if(sq->ecs_server_out.subnet_source_mask != 0 &&
qstate->env->cfg->client_subnet_always_forward &&
sq->subnet_downstream)
/* ECS specific data required, do not look at the global
* cache in other modules. */

2
contrib/unbound/edns-subnet/subnetmod.h
View File

@ -119,7 +119,7 @@ int ecs_whitelist_check(struct query_info* qinfo, uint16_t flags,
socklen_t addrlen, uint8_t* zone, size_t zonelen,
struct regional* region, int id, void* cbargs);
/** Check whether reponse from server contains ECS record, if so, skip cache
/** Check whether response from server contains ECS record, if so, skip cache
* store. Called just after parsing EDNS data from server. */
int ecs_edns_back_parsed(struct module_qstate* qstate, int id, void* cbargs);

2
contrib/unbound/iterator/iter_utils.h
View File

@ -252,7 +252,7 @@ void caps_strip_reply(struct reply_info* rep);
int caps_failed_rcode(struct reply_info* rep);
/**
* Store parent-side rrset in seperate rrset cache entries for later
* Store parent-side rrset in separate rrset cache entries for later
* last-resort * lookups in case the child-side versions of this information
* fails.
* @param env: environment with cache, time, ...

12
contrib/unbound/iterator/iterator.c
View File

@ -36,7 +36,7 @@
/**
* \file
*
* This file contains a module that performs recusive iterative DNS query
* This file contains a module that performs recursive iterative DNS query
* processing.
*/
@ -833,7 +833,7 @@ prime_stub(struct module_qstate* qstate, struct iter_qstate* iq, int id,
/**
* Generate A and AAAA checks for glue that is in-zone for the referral
* we just got to obtain authoritative information on the adresses.
* we just got to obtain authoritative information on the addresses.
*
* @param qstate: the qtstate that triggered the need to prime.
* @param iq: iterator query state.
@ -1353,7 +1353,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
* the same init processing as ones that do not. Request events that reach
* this state must have a valid currentDelegationPoint set.
*
* This part is primarly handling stub zone priming. Events that reach this
* This part is primarily handling stub zone priming. Events that reach this
* state must have a current delegation point.
*
* @param qstate: query state.
@ -2396,7 +2396,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
if(FLAGS_GET_RCODE(iq->response->rep->flags) ==
LDNS_RCODE_NXDOMAIN) {
/* Stop resolving when NXDOMAIN is DNSSEC
* signed. Based on assumption that namservers
* signed. Based on assumption that nameservers
* serving signed zones do not return NXDOMAIN
* for empty-non-terminals. */
if(iq->dnssec_expected)
@ -2753,7 +2753,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
/**
* Do final processing on responses to target queries. Events reach this
* state after the iterative resolution algorithm terminates. This state is
* responsible for reactiving the original event, and housekeeping related
* responsible for reactivating the original event, and housekeeping related
* to received target responses (caching, updating the current delegation
* point, etc).
* Callback from walk_supers for every super state that is interested in
@ -3096,7 +3096,7 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
}
/*
* Return priming query results to interestes super querystates.
* Return priming query results to interested super querystates.
*
* Sets the delegation point and delegation message (not nonRD queries).
* This is a callback from walk_supers.

14
contrib/unbound/iterator/iterator.h
View File

@ -36,7 +36,7 @@
/**
* \file
*
* This file contains a module that performs recusive iterative DNS query
* This file contains a module that performs recursive iterative DNS query
* processing.
*/
@ -62,7 +62,7 @@ struct rbtree_type;
/** max number of queries-sent-out. Make sure large NS set does not loop */
#define MAX_SENT_COUNT 32
/** max number of queries for which to perform dnsseclameness detection,
* (rrsigs misssing detection) after that, just pick up that response */
* (rrsigs missing detection) after that, just pick up that response */
#define DNSSEC_LAME_DETECT_COUNT 4
/**
* max number of QNAME minimisation iterations. Limits number of queries for
@ -142,11 +142,11 @@ struct iter_env {
enum minimisation_state {
/**
* (Re)start minimisation. Outgoing QNAME should be set to dp->name.
* State entered on new query or after following refferal or CNAME.
* State entered on new query or after following referral or CNAME.
*/
INIT_MINIMISE_STATE = 0,
/**
* QNAME minimisataion ongoing. Increase QNAME on every iteration.
* QNAME minimisation ongoing. Increase QNAME on every iteration.
*/
MINIMISE_STATE,
/**
@ -184,7 +184,7 @@ enum iter_state {
/**
* Each time a delegation point changes for a given query or a
* query times out and/or wakes up, this state is (re)visited.
* This state is reponsible for iterating through a list of
* This state is responsible for iterating through a list of
* nameserver targets.
*/
QUERYTARGETS_STATE,
@ -378,7 +378,7 @@ struct iter_qstate {
struct query_info qinfo_out;
/**
* Count number of QNAME minisation iterations. Used to limit number of
* Count number of QNAME minimisation iterations. Used to limit number of
* outgoing queries when QNAME minimisation is enabled.
*/
int minimise_count;
@ -430,7 +430,7 @@ void iter_operate(struct module_qstate* qstate, enum module_ev event, int id,
struct outbound_entry* outbound);
/**
* Return priming query results to interestes super querystates.
* Return priming query results to interested super querystates.
*
* Sets the delegation point and delegation message (not nonRD queries).
* This is a callback from walk_supers.

2
contrib/unbound/libunbound/context.h
View File

@ -90,7 +90,7 @@ struct ub_ctx {
int dothread;
/** next thread number for new threads */
int thr_next_num;
/** if logfile is overriden */
/** if logfile is overridden */
int logfile_override;
/** what logfile to use instead */
FILE* log_out;

2
contrib/unbound/libunbound/libunbound.c
View File

@ -37,7 +37,7 @@
* \file
*
* This file contains functions to resolve DNS queries and
* validate the answers. Synchonously and asynchronously.
* validate the answers. Synchronously and asynchronously.
*
*/

5
contrib/unbound/libunbound/libworker.c
View File

@ -232,8 +232,8 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
cfg->do_tcp?cfg->outgoing_num_tcp:0,
w->env->infra_cache, w->env->rnd, cfg->use_caps_bits_for_id,
ports, numports, cfg->unwanted_threshold,
cfg->outgoing_tcp_mss,
&libworker_alloc_cleanup, w, cfg->do_udp, w->sslctx,
cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w,
cfg->do_udp || cfg->udp_upstream_without_downstream, w->sslctx,
cfg->delay_close, NULL);
if(!w->is_bg || w->is_bg_thread) {
lock_basic_unlock(&ctx->cfglock);
@ -251,6 +251,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
w->env->send_query = &libworker_send_query;
w->env->detach_subs = &mesh_detach_subs;
w->env->attach_sub = &mesh_attach_sub;
w->env->add_sub = &mesh_add_sub;
w->env->kill_sub = &mesh_state_delete;
w->env->detect_cycle = &mesh_detect_cycle;
comm_base_timept(w->base, &w->env->now, &w->env->now_tv);

2
contrib/unbound/libunbound/python/doc/examples/example7.rst
View File

@ -23,7 +23,7 @@ IDN converted attributes
The :class:`unbound.ub_data` class contains attributes suffix which converts
the dname to UTF string. These attributes have the ``_idn`` suffix.
Apart from this aproach, two conversion functions exist
Apart from this approach, two conversion functions exist
(:func:`unbound.idn2dname` and :func:`unbound.dname2idn`).
Source code

11
contrib/unbound/libunbound/unbound.h
View File

@ -37,7 +37,7 @@
* \file
*
* This file contains functions to resolve DNS queries and
* validate the answers. Synchonously and asynchronously.
* validate the answers. Synchronously and asynchronously.
*
* Several ways to use this interface from an application wishing
* to perform (validated) DNS lookups.
@ -177,7 +177,7 @@ struct ub_result {
* False, if validation failed or domain queried has no security info.
*
* It is possible to get a result with no data (havedata is false),
* and secure is true. This means that the non-existance of the data
* and secure is true. This means that the non-existence of the data
* was cryptographically proven (with signatures).
*/
int secure;
@ -623,6 +623,7 @@ struct ub_shm_stat_info {
long long ipsecmod;
long long respip;
long long dnscrypt_shared_secret;
long long dnscrypt_nonce;
} mem;
};
@ -742,11 +743,15 @@ struct ub_server_stats {
long long num_query_dnscrypt_secret_missed_cache;
/** number of dnscrypt shared secret cache entries */
long long shared_secret_cache_count;
/** number of queries which are replays */
long long num_query_dnscrypt_replay;
/** number of dnscrypt nonces cache entries */
long long nonce_cache_count;
};
/**
* Statistics to send over the control pipe when asked
* This struct is made to be memcpied, sent in binary.
* This struct is made to be memcopied, sent in binary.
* shm mapped with (number+1) at num_threads+1, with first as total
*/
struct ub_stats_info {

10
contrib/unbound/services/cache/dns.c vendored
View File

@ -111,7 +111,7 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now,
void
dns_cache_store_msg(struct module_env* env, struct query_info* qinfo,
hashvalue_type hash, struct reply_info* rep, time_t leeway, int pside,
struct reply_info* qrep, struct regional* region)
struct reply_info* qrep, uint32_t flags, struct regional* region)
{
struct msgreply_entry* e;
time_t ttl = rep->ttl;
@ -127,7 +127,7 @@ dns_cache_store_msg(struct module_env* env, struct query_info* qinfo,
* unnecessary, because the cache gets locked per rrset. */
reply_info_set_ttls(rep, *env->now);
store_rrsets(env, rep, *env->now, leeway, pside, qrep, region);
if(ttl == 0) {
if(ttl == 0 && !(flags & DNSCACHE_STORE_ZEROTTL)) {
/* we do not store the message, but we did store the RRs,
* which could be useful for delegation information */
verbose(VERB_ALGO, "TTL 0: dropped msg from cache");
@ -845,7 +845,7 @@ dns_cache_lookup(struct module_env* env,
int
dns_cache_store(struct module_env* env, struct query_info* msgqinf,
struct reply_info* msgrep, int is_referral, time_t leeway, int pside,
struct regional* region, uint16_t flags)
struct regional* region, uint32_t flags)
{
struct reply_info* rep = NULL;
/* alloc, malloc properly (not in region, like msg is) */
@ -890,9 +890,9 @@ dns_cache_store(struct module_env* env, struct query_info* msgqinf,
* Not AA from cache. Not CD in cache (depends on client bit). */
rep->flags |= (BIT_RA | BIT_QR);
rep->flags &= ~(BIT_AA | BIT_CD);
h = query_info_hash(&qinf, flags);
h = query_info_hash(&qinf, (uint16_t)flags);
dns_cache_store_msg(env, &qinf, h, rep, leeway, pside, msgrep,
region);
flags, region);
/* qname is used inside query_info_entrysetup, and set to
* NULL. If it has not been used, free it. free(0) is safe. */
free(qinf.qname);

13
contrib/unbound/services/cache/dns.h vendored
View File

@ -49,6 +49,12 @@ struct reply_info;
struct regional;
struct delegpt;
/** Flags to control behavior of dns_cache_store() and dns_cache_store_msg().
* Must be an unsigned 32-bit value larger than 0xffff */
/** Allow caching a DNS message with a zero TTL. */
#define DNSCACHE_STORE_ZEROTTL 0x100000
/**
* Region allocated message reply
*/
@ -80,11 +86,13 @@ struct dns_msg {
* @param region: region to allocate better entries from cache into.
* (used when is_referral is false).
* @param flags: flags with BIT_CD for AAAA queries in dns64 translation.
* The higher 16 bits are used internally to customize the cache policy.
* (See DNSCACHE_STORE_xxx flags).
* @return 0 on alloc error (out of memory).
*/
int dns_cache_store(struct module_env* env, struct query_info* qinf,
struct reply_info* rep, int is_referral, time_t leeway, int pside,
struct regional* region, uint16_t flags);
struct regional* region, uint32_t flags);
/**
* Store message in the cache. Stores in message cache and rrset cache.
@ -103,11 +111,12 @@ int dns_cache_store(struct module_env* env, struct query_info* qinf,
* from the parentside of the zonecut. This means that the type NS
* can be updated to full TTL even in prefetch situations.
* @param qrep: message that can be altered with better rrs from cache.
* @param flags: customization flags for the cache policy.
* @param region: to allocate into for qmsg.
*/
void dns_cache_store_msg(struct module_env* env, struct query_info* qinfo,
hashvalue_type hash, struct reply_info* rep, time_t leeway, int pside,
struct reply_info* qrep, struct regional* region);
struct reply_info* qrep, uint32_t flags, struct regional* region);
/**
* Find a delegation from the cache.

77
contrib/unbound/services/mesh.c
View File

@ -533,8 +533,22 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
return 1;
}
static void mesh_schedule_prefetch(struct mesh_area* mesh,
struct query_info* qinfo, uint16_t qflags, time_t leeway, int run);
void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
uint16_t qflags, time_t leeway)
{
mesh_schedule_prefetch(mesh, qinfo, qflags, leeway, 1);
}
/* Internal backend routine of mesh_new_prefetch(). It takes one additional
* parameter, 'run', which controls whether to run the prefetch state
* immediately. When this function is called internally 'run' could be
* 0 (false), in which case the new state is only made runnable so it
* will not be run recursively on top of the current state. */
static void mesh_schedule_prefetch(struct mesh_area* mesh,
struct query_info* qinfo, uint16_t qflags, time_t leeway, int run)
{
struct mesh_state* s = mesh_area_find(mesh, NULL, qinfo,
qflags&(BIT_RD|BIT_CD), 0, 0);
@ -589,6 +603,18 @@ void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
s->list_select = mesh_jostle_list;
}
}
if(!run) {
#ifdef UNBOUND_DEBUG
n =
#else
(void)
#endif
rbtree_insert(&mesh->run, &s->run_node);
log_assert(n != NULL);
return;
}
mesh_run(mesh, s, module_event_new, NULL);
}
@ -666,6 +692,8 @@ mesh_state_create(struct module_env* env, struct query_info* qinfo,
mstate->s.prefetch_leeway = 0;
mstate->s.no_cache_lookup = 0;
mstate->s.no_cache_store = 0;
mstate->s.need_refetch = 0;
/* init modules */
for(i=0; i<env->mesh->mods.num; i++) {
mstate->s.minfo[i] = NULL;
@ -1288,9 +1316,30 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
return 1;
}
/* Extract the query info and flags from 'mstate' into '*qinfop' and '*qflags'.
* Since this is only used for internal refetch of otherwise-expired answer,
* we simply ignore the rare failure mode when memory allocation fails. */
static void
mesh_copy_qinfo(struct mesh_state* mstate, struct query_info** qinfop,
uint16_t* qflags)
{
struct regional* region = mstate->s.env->scratch;
struct query_info* qinfo;
qinfo = regional_alloc_init(region, &mstate->s.qinfo, sizeof(*qinfo));
if(!qinfo)
return;
qinfo->qname = regional_alloc_init(region, qinfo->qname,
qinfo->qname_len);
if(!qinfo->qname)
return;
*qinfop = qinfo;
*qflags = mstate->s.query_flags;
}
/**
* Continue processing the mesh state at another module.
* Handles module to modules tranfer of control.
* Handles module to modules transfer of control.
* Handles module finished.
* @param mesh: the mesh area.
* @param mstate: currently active mesh state.
@ -1310,7 +1359,8 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate,
mstate->num_activated++;
if(mstate->num_activated > MESH_MAX_ACTIVATION) {
/* module is looping. Stop it. */
log_err("internal error: looping module stopped");
log_err("internal error: looping module (%s) stopped",
mesh->mods.mod[mstate->s.curmod]->name);
log_query_info(VERB_QUERY, "pass error for qstate",
&mstate->s.qinfo);
s = module_error;
@ -1350,11 +1400,32 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate,
/* error is bad, handle pass back up below */
mstate->s.return_rcode = LDNS_RCODE_SERVFAIL;
}
if(s == module_error || s == module_finished) {
if(s == module_error) {
mesh_query_done(mstate);
mesh_walk_supers(mesh, mstate);
mesh_state_delete(&mstate->s);
return 0;
}
if(s == module_finished) {
if(mstate->s.curmod == 0) {
struct query_info* qinfo = NULL;
uint16_t qflags;
mesh_query_done(mstate);
mesh_walk_supers(mesh, mstate);
/* If the answer to the query needs to be refetched
* from an external DNS server, we'll need to schedule
* a prefetch after removing the current state, so
* we need to make a copy of the query info here. */
if(mstate->s.need_refetch)
mesh_copy_qinfo(mstate, &qinfo, &qflags);
mesh_state_delete(&mstate->s);
if(qinfo) {
mesh_schedule_prefetch(mesh, qinfo, qflags,
0, 1);
}
return 0;
}
/* pass along the locus of control */

8
contrib/unbound/services/outside_network.c
View File

@ -364,9 +364,9 @@ use_free_buffer(struct outside_network* outnet)
}
}
/** decomission a tcp buffer, closes commpoint and frees waiting_tcp entry */
/** decommission a tcp buffer, closes commpoint and frees waiting_tcp entry */
static void
decomission_pending_tcp(struct outside_network* outnet,
decommission_pending_tcp(struct outside_network* outnet,
struct pending_tcp* pend)
{
if(pend->c->ssl) {
@ -406,7 +406,7 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error,
}
fptr_ok(fptr_whitelist_pending_tcp(pend->query->cb));
(void)(*pend->query->cb)(c, pend->query->cb_arg, error, reply_info);
decomission_pending_tcp(outnet, pend);
decommission_pending_tcp(outnet, pend);
return 0;
}
@ -1416,7 +1416,7 @@ serviced_delete(struct serviced_query* sq)
struct waiting_tcp* p = (struct waiting_tcp*)
sq->pending;
if(p->pkt == NULL) {
decomission_pending_tcp(sq->outnet,
decommission_pending_tcp(sq->outnet,
(struct pending_tcp*)p->next_waiting);
} else {
waiting_list_remove(sq->outnet, p);

2
contrib/unbound/services/view.h
View File

@ -67,7 +67,7 @@ struct view {
/** rbtree node, key is name */
rbnode_type node;
/** view name.
* Has to be right after rbnode_t due to pointer arithmatic in
* Has to be right after rbnode_t due to pointer arithmetic in
* view_create's lock protect */
char* name;
/** view specific local authority zones */

6
contrib/unbound/sldns/parse.c
View File

@ -33,14 +33,14 @@ ssize_t
sldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *line_nr)
{
int c, prev_c;
int p; /* 0 -> no parenthese seen, >0 nr of ( seen */
int p; /* 0 -> no parentheses seen, >0 nr of ( seen */
int com, quoted;
char *t;
size_t i;
const char *d;
const char *del;
/* standard delimeters */
/* standard delimiters */
if (!delim) {
/* from isspace(3) */
del = LDNS_PARSE_NORMAL;
@ -244,7 +244,7 @@ sldns_bget_token_par(sldns_buffer *b, char *token, const char *delim,
size_t limit, int* par, const char* skipw)
{
int c, lc;
int p; /* 0 -> no parenthese seen, >0 nr of ( seen */
int p; /* 0 -> no parentheses seen, >0 nr of ( seen */
int com, quoted;
char *t;
size_t i;

12
contrib/unbound/sldns/parse.h
View File

@ -103,9 +103,9 @@ ssize_t sldns_bget_token(struct sldns_buffer *b, char *token, const char *delim,
* after the keyword + k_del until we hit d_del
* \param[in] f file pointer to read from
* \param[in] keyword keyword to look for
* \param[in] k_del keyword delimeter
* \param[in] k_del keyword delimiter
* \param[out] data the data found
* \param[in] d_del the data delimeter
* \param[in] d_del the data delimiter
* \param[in] data_limit maximum size the the data buffer
* \return the number of character read
*/
@ -116,9 +116,9 @@ ssize_t sldns_fget_keyword_data(FILE *f, const char *keyword, const char *k_del,
* after the keyword + k_del until we hit d_del
* \param[in] f file pointer to read from
* \param[in] keyword keyword to look for
* \param[in] k_del keyword delimeter
* \param[in] k_del keyword delimiter
* \param[out] data the data found
* \param[in] d_del the data delimeter
* \param[in] d_del the data delimiter
* \param[in] data_limit maximum size the the data buffer
* \param[in] line_nr pointer to an integer containing the current line number (for
debugging purposes)
@ -131,9 +131,9 @@ ssize_t sldns_fget_keyword_data_l(FILE *f, const char *keyword, const char *k_de
* after the keyword + k_del until we hit d_del
* \param[in] b buffer pointer to read from
* \param[in] keyword keyword to look for
* \param[in] k_del keyword delimeter
* \param[in] k_del keyword delimiter
* \param[out] data the data found
* \param[in] d_del the data delimeter
* \param[in] d_del the data delimiter
* \param[in] data_limit maximum size the the data buffer
* \return the number of character read
*/

8
contrib/unbound/sldns/parseutil.c
View File

@ -165,20 +165,20 @@ sldns_gmtime64_r(int64_t clock, struct tm *result)
#endif /* SIZEOF_TIME_T <= 4 */
static int64_t
sldns_serial_arithmitics_time(int32_t time, time_t now)
sldns_serial_arithmetics_time(int32_t time, time_t now)
{
int32_t offset = time - (int32_t) now;
return (int64_t) now + offset;
}
struct tm *
sldns_serial_arithmitics_gmtime_r(int32_t time, time_t now, struct tm *result)
sldns_serial_arithmetics_gmtime_r(int32_t time, time_t now, struct tm *result)
{
#if SIZEOF_TIME_T <= 4
int64_t secs_since_epoch = sldns_serial_arithmitics_time(time, now);
int64_t secs_since_epoch = sldns_serial_arithmetics_time(time, now);
return sldns_gmtime64_r(secs_since_epoch, result);
#else
time_t secs_since_epoch = sldns_serial_arithmitics_time(time, now);
time_t secs_since_epoch = sldns_serial_arithmetics_time(time, now);
return gmtime_r(&secs_since_epoch, result);
#endif
}

4
contrib/unbound/sldns/parseutil.h
View File

@ -62,13 +62,13 @@ time_t sldns_mktime_from_utc(const struct tm *tm);
* fields of RRSIG records.
*
* \param[in] time number of seconds since epoch (midnight, January 1st, 1970)
* to be intepreted as a serial arithmetics number relative to now.
* to be interpreted as a serial arithmetics number relative to now.
* \param[in] now number of seconds since epoch (midnight, January 1st, 1970)
* to which the time value is compared to determine the final value.
* \param[out] result the struct with the broken-out time information
* \return result on success or NULL on error
*/
struct tm * sldns_serial_arithmitics_gmtime_r(int32_t time, time_t now, struct tm *result);
struct tm * sldns_serial_arithmetics_gmtime_r(int32_t time, time_t now, struct tm *result);
/**
* converts a ttl value (like 5d2h) to a long.

6
contrib/unbound/sldns/rrdef.h
View File

@ -331,13 +331,13 @@ enum sldns_enum_rdf_type
LDNS_RDF_TYPE_NSEC3_NEXT_OWNER,
/** 4 shorts represented as 4 * 16 bit hex numbers
* seperated by colons. For NID and L64.
* separated by colons. For NID and L64.
*/
LDNS_RDF_TYPE_ILNP64,
/** 6 * 8 bit hex numbers seperated by dashes. For EUI48. */
/** 6 * 8 bit hex numbers separated by dashes. For EUI48. */
LDNS_RDF_TYPE_EUI48,
/** 8 * 8 bit hex numbers seperated by dashes. For EUI64. */
/** 8 * 8 bit hex numbers separated by dashes. For EUI64. */
LDNS_RDF_TYPE_EUI64,
/** A non-zero sequence of US-ASCII letters and numbers in lower case.

2
contrib/unbound/sldns/sbuffer.h
View File

@ -497,7 +497,7 @@ sldns_buffer_set_at(sldns_buffer *buffer, size_t at, int c, size_t count)
* writes count bytes of data to the current position of the buffer
* \param[in] buffer the buffer
* \param[in] data the data to write
* \param[in] count the lenght of the data to write
* \param[in] count the length of the data to write
*/
INLINE void
sldns_buffer_write(sldns_buffer *buffer, const void *data, size_t count)

2
contrib/unbound/sldns/str2wire.c
View File

@ -1541,7 +1541,7 @@ int sldns_str2wire_loc_buf(const char* str, uint8_t* rd, size_t* len)
s = strtod(my_str, &my_str);
}
/* skip blanks before norterness */
/* skip blanks before northerness */
while (isblank((unsigned char) *my_str)) {
my_str++;
}

2
contrib/unbound/sldns/wire2str.c
View File

@ -1335,7 +1335,7 @@ int sldns_wire2str_time_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
if(*dl < 4) return -1;
t = sldns_read_uint32(*d);
date_buf[15]=0;
if(sldns_serial_arithmitics_gmtime_r(t, time(NULL), &tm) &&
if(sldns_serial_arithmetics_gmtime_r(t, time(NULL), &tm) &&
strftime(date_buf, 15, "%Y%m%d%H%M%S", &tm)) {
(*d) += 4;
(*dl) -= 4;

2
contrib/unbound/smallapp/unbound-anchor.c
View File

@ -662,7 +662,7 @@ wipe_ip_usage(struct ip_list* p)
}
}
/** cound unused IPs */
/** count unused IPs */
static int
count_unused(struct ip_list* p)
{

7
contrib/unbound/smallapp/unbound-control.c
View File

@ -254,6 +254,8 @@ static void print_mem(struct ub_shm_stat_info* shm_stat)
#ifdef USE_DNSCRYPT
PR_LL("mem.cache.dnscrypt_shared_secret",
shm_stat->mem.dnscrypt_shared_secret);
PR_LL("mem.cache.dnscrypt_nonce",
shm_stat->mem.dnscrypt_nonce);
#endif
}
@ -360,6 +362,9 @@ static void print_extended(struct ub_stats_info* s)
s->svr.shared_secret_cache_count);
PR_UL("num.query.dnscrypt.shared_secret.cachemiss",
s->svr.num_query_dnscrypt_secret_missed_cache);
PR_UL("dnscrypt_nonce.cache.count", s->svr.nonce_cache_count);
PR_UL("num.query.dnscrypt.replay",
s->svr.num_query_dnscrypt_replay);
#endif /* USE_DNSCRYPT */
}
@ -721,7 +726,7 @@ int main(int argc, char* argv[])
WSADATA wsa_data;
#endif
#ifdef USE_THREAD_DEBUG
/* stop the file output from unbound-control, overwites the servers */
/* stop the file output from unbound-control, overwrites the servers */
extern int check_locking_order;
check_locking_order = 0;
#endif /* USE_THREAD_DEBUG */

1
contrib/unbound/smallapp/unbound-host.c
View File

@ -209,6 +209,7 @@ massage_class(const char* c)
static const char*
secure_str(struct ub_result* result)
{
if(result->rcode != 0 && result->rcode != 3) return "(error)";
if(result->secure) return "(secure)";
if(result->bogus) return "(BOGUS (security failure))";
return "(insecure)";

20
contrib/unbound/util/config_file.c
View File

@ -69,9 +69,9 @@
#include <pwd.h>
#endif
/** from cfg username, after daemonise setup performed */
/** from cfg username, after daemonize setup performed */
uid_t cfg_uid = (uid_t)-1;
/** from cfg username, after daemonise setup performed */
/** from cfg username, after daemonize setup performed */
gid_t cfg_gid = (gid_t)-1;
/** for debug allow small timeout values for fast rollovers */
int autr_permit_small_holddown = 0;
@ -101,6 +101,7 @@ config_create(void)
cfg->do_udp = 1;
cfg->do_tcp = 1;
cfg->tcp_upstream = 0;
cfg->udp_upstream_without_downstream = 0;
cfg->tcp_mss = 0;
cfg->outgoing_tcp_mss = 0;
cfg->ssl_service_key = NULL;
@ -207,7 +208,7 @@ config_create(void)
cfg->trust_anchor_file_list = NULL;
cfg->trust_anchor_list = NULL;
cfg->trusted_keys_file_list = NULL;
cfg->trust_anchor_signaling = 0;
cfg->trust_anchor_signaling = 1;
cfg->dlv_anchor_file = NULL;
cfg->dlv_anchor_list = NULL;
cfg->domain_insecure = NULL;
@ -284,6 +285,8 @@ config_create(void)
cfg->dnscrypt_secret_key = NULL;
cfg->dnscrypt_shared_secret_cache_size = 4*1024*1024;
cfg->dnscrypt_shared_secret_cache_slabs = 4;
cfg->dnscrypt_nonce_cache_size = 4*1024*1024;
cfg->dnscrypt_nonce_cache_slabs = 4;
#ifdef USE_IPSECMOD
cfg->ipsecmod_enabled = 1;
cfg->ipsecmod_ignore_bogus = 0;
@ -426,6 +429,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_YNO("do-udp:", do_udp)
else S_YNO("do-tcp:", do_tcp)
else S_YNO("tcp-upstream:", tcp_upstream)
else S_YNO("udp-upstream-without-downstream:",
udp_upstream_without_downstream)
else S_NUMBER_NONZERO("tcp-mss:", tcp_mss)
else S_NUMBER_NONZERO("outgoing-tcp-mss:", outgoing_tcp_mss)
else S_YNO("ssl-upstream:", ssl_upstream)
@ -571,6 +576,10 @@ int config_set_option(struct config_file* cfg, const char* opt,
dnscrypt_shared_secret_cache_size)
else S_POW2("dnscrypt-shared-secret-cache-slabs:",
dnscrypt_shared_secret_cache_slabs)
else S_MEMSIZE("dnscrypt-nonce-cache-size:",
dnscrypt_nonce_cache_size)
else S_POW2("dnscrypt-nonce-cache-slabs:",
dnscrypt_nonce_cache_slabs)
#endif
else if(strcmp(opt, "ip-ratelimit:") == 0) {
IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
@ -828,6 +837,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "do-udp", do_udp)
else O_YNO(opt, "do-tcp", do_tcp)
else O_YNO(opt, "tcp-upstream", tcp_upstream)
else O_YNO(opt, "udp-upstream-without-downstream", udp_upstream_without_downstream)
else O_DEC(opt, "tcp-mss", tcp_mss)
else O_DEC(opt, "outgoing-tcp-mss", outgoing_tcp_mss)
else O_YNO(opt, "ssl-upstream", ssl_upstream)
@ -936,6 +946,10 @@ config_get_option(struct config_file* cfg, const char* opt,
dnscrypt_shared_secret_cache_size)
else O_DEC(opt, "dnscrypt-shared-secret-cache-slabs",
dnscrypt_shared_secret_cache_slabs)
else O_MEM(opt, "dnscrypt-nonce-cache-size",
dnscrypt_nonce_cache_size)
else O_DEC(opt, "dnscrypt-nonce-cache-slabs",
dnscrypt_nonce_cache_slabs)
#endif
else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)

11
contrib/unbound/util/config_file.h
View File

@ -84,6 +84,8 @@ struct config_file {
int do_tcp;
/** tcp upstream queries (no UDP upstream queries) */
int tcp_upstream;
/** udp upstream enabled when no UDP downstream is enabled (do_udp no)*/
int udp_upstream_without_downstream;
/** maximum segment size of tcp socket which queries are answered */
int tcp_mss;
/** maximum segment size of tcp socket for outgoing queries */
@ -468,7 +470,10 @@ struct config_file {
size_t dnscrypt_shared_secret_cache_size;
/** number of slabs for dnscrypt shared secrets cache */
size_t dnscrypt_shared_secret_cache_slabs;
/** memory size in bytes for dnscrypt nonces cache */
size_t dnscrypt_nonce_cache_size;
/** number of slabs for dnscrypt nonces cache */
size_t dnscrypt_nonce_cache_slabs;
/** IPsec module */
#ifdef USE_IPSECMOD
/** false to bypass the IPsec module */
@ -494,9 +499,9 @@ struct config_file {
#endif
};
/** from cfg username, after daemonise setup performed */
/** from cfg username, after daemonize setup performed */
extern uid_t cfg_uid;
/** from cfg username, after daemonise setup performed */
/** from cfg username, after daemonize setup performed */
extern gid_t cfg_gid;
/** debug and enable small timeouts */
extern int autr_permit_small_holddown;

3
contrib/unbound/util/configlexer.lex
View File

@ -422,6 +422,8 @@ dnscrypt-shared-secret-cache-size{COLON} {
YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE) }
dnscrypt-shared-secret-cache-slabs{COLON} {
YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) }
dnscrypt-nonce-cache-size{COLON} { YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SIZE) }
dnscrypt-nonce-cache-slabs{COLON} { YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SLABS) }
ipsecmod-enabled{COLON} { YDVAR(1, VAR_IPSECMOD_ENABLED) }
ipsecmod-ignore-bogus{COLON} { YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
ipsecmod-hook{COLON} { YDVAR(1, VAR_IPSECMOD_HOOK) }
@ -431,6 +433,7 @@ ipsecmod-strict{COLON} { YDVAR(1, VAR_IPSECMOD_STRICT) }
cachedb{COLON} { YDVAR(0, VAR_CACHEDB) }
backend{COLON} { YDVAR(1, VAR_CACHEDB_BACKEND) }
secret-seed{COLON} { YDVAR(1, VAR_CACHEDB_SECRETSEED) }
udp-upstream-without-downstream{COLON} { YDVAR(1, VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) }
<INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
/* Quoted strings. Strip leading and ending quotes */

42
contrib/unbound/util/configparser.y
View File

@ -146,9 +146,12 @@ extern struct config_parser_state* cfg_parser;
%token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE
%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS
%token VAR_DNSCRYPT_NONCE_CACHE_SIZE
%token VAR_DNSCRYPT_NONCE_CACHE_SLABS
%token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
%token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
%token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
%token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -237,7 +240,8 @@ content_server: server_num_threads | server_verbosity | server_port |
server_hide_trustanchor | server_trust_anchor_signaling |
server_ipsecmod_enabled | server_ipsecmod_hook |
server_ipsecmod_ignore_bogus | server_ipsecmod_max_ttl |
server_ipsecmod_whitelist | server_ipsecmod_strict
server_ipsecmod_whitelist | server_ipsecmod_strict |
server_udp_upstream_without_downstream
;
stubstart: VAR_STUB_ZONE
{
@ -411,7 +415,7 @@ server_client_subnet_opcode: VAR_CLIENT_SUBNET_OPCODE STRING_ARG
{
#ifdef CLIENT_SUBNET
OUTYY(("P(client_subnet_opcode:%s)\n", $2));
OUTYY(("P(Depricated option, ignoring)\n"));
OUTYY(("P(Deprecated option, ignoring)\n"));
#else
OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
#endif
@ -606,6 +610,15 @@ server_tcp_upstream: VAR_TCP_UPSTREAM STRING_ARG
free($2);
}
;
server_udp_upstream_without_downstream: VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM STRING_ARG
{
OUTYY(("P(server_udp_upstream_without_downstream:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->udp_upstream_without_downstream = (strcmp($2, "yes")==0);
free($2);
}
;
server_ssl_upstream: VAR_SSL_UPSTREAM STRING_ARG
{
OUTYY(("P(server_ssl_upstream:%s)\n", $2));
@ -2327,7 +2340,9 @@ content_dnsc:
dnsc_dnscrypt_enable | dnsc_dnscrypt_port | dnsc_dnscrypt_provider |
dnsc_dnscrypt_secret_key | dnsc_dnscrypt_provider_cert |
dnsc_dnscrypt_shared_secret_cache_size |
dnsc_dnscrypt_shared_secret_cache_slabs
dnsc_dnscrypt_shared_secret_cache_slabs |
dnsc_dnscrypt_nonce_cache_size |
dnsc_dnscrypt_nonce_cache_slabs
;
dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG
{
@ -2391,6 +2406,27 @@ dnsc_dnscrypt_shared_secret_cache_slabs: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS
free($2);
}
;
dnsc_dnscrypt_nonce_cache_size: VAR_DNSCRYPT_NONCE_CACHE_SIZE STRING_ARG
{
OUTYY(("P(dnscrypt_nonce_cache_size:%s)\n", $2));
if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_nonce_cache_size))
yyerror("memory size expected");
free($2);
}
;
dnsc_dnscrypt_nonce_cache_slabs: VAR_DNSCRYPT_NONCE_CACHE_SLABS STRING_ARG
{
OUTYY(("P(dnscrypt_nonce_cache_slabs:%s)\n", $2));
if(atoi($2) == 0)
yyerror("number expected");
else {
cfg_parser->cfg->dnscrypt_nonce_cache_slabs = atoi($2);
if(!is_pow2(cfg_parser->cfg->dnscrypt_nonce_cache_slabs))
yyerror("must be a power of 2");
}
free($2);
}
;
cachedbstart: VAR_CACHEDB
{
OUTYY(("\nP(cachedb:)\n"));

3
contrib/unbound/util/data/msgreply.c
View File

@ -992,6 +992,9 @@ static int inplace_cb_reply_call_generic(
{
struct inplace_cb* cb;
struct edns_option* opt_list_out = NULL;
#if defined(EXPORT_ALL_SYMBOLS)
(void)type; /* param not used when fptr_ok disabled */
#endif
if(qstate)
opt_list_out = qstate->edns_opts_front_out;
for(cb=callback_list; cb; cb=cb->next) {

2
contrib/unbound/util/data/msgreply.h
View File

@ -634,7 +634,7 @@ int inplace_cb_edns_back_parsed_call(struct module_env* env,
struct module_qstate* qstate);
/**
* Call the registered functions in the inplace_cb_query_reponse linked list.
* Call the registered functions in the inplace_cb_query_response linked list.
* This function is going to get called after receiving a reply from a
* nameserver.
* @param env: module environment.

4
contrib/unbound/util/fptr_wlist.c
View File

@ -233,6 +233,7 @@ fptr_whitelist_hash_sizefunc(lruhash_sizefunc_type fptr)
#endif
#ifdef USE_DNSCRYPT
else if(fptr == &dnsc_shared_secrets_sizefunc) return 1;
else if(fptr == &dnsc_nonces_sizefunc) return 1;
#endif
return 0;
}
@ -249,6 +250,7 @@ fptr_whitelist_hash_compfunc(lruhash_compfunc_type fptr)
else if(fptr == &test_slabhash_compfunc) return 1;
#ifdef USE_DNSCRYPT
else if(fptr == &dnsc_shared_secrets_compfunc) return 1;
else if(fptr == &dnsc_nonces_compfunc) return 1;
#endif
return 0;
}
@ -265,6 +267,7 @@ fptr_whitelist_hash_delkeyfunc(lruhash_delkeyfunc_type fptr)
else if(fptr == &test_slabhash_delkey) return 1;
#ifdef USE_DNSCRYPT
else if(fptr == &dnsc_shared_secrets_delkeyfunc) return 1;
else if(fptr == &dnsc_nonces_delkeyfunc) return 1;
#endif
return 0;
}
@ -283,6 +286,7 @@ fptr_whitelist_hash_deldatafunc(lruhash_deldatafunc_type fptr)
#endif
#ifdef USE_DNSCRYPT
else if(fptr == &dnsc_shared_secrets_deldatafunc) return 1;
else if(fptr == &dnsc_nonces_deldatafunc) return 1;
#endif
return 0;
}

4
contrib/unbound/util/module.h
View File

@ -416,7 +416,7 @@ struct module_env {
/**
* Kill newly attached sub. If attach_sub returns newq for
* initialisation, but that fails, then this routine will cleanup and
* delete the fresly created sub.
* delete the freshly created sub.
* @param newq: the new subquery that is no longer needed.
* It is removed.
*/
@ -608,6 +608,8 @@ struct module_qstate {
int no_cache_lookup;
/** whether modules should store answer in the cache */
int no_cache_store;
/** whether to refetch a fresh answer on finishing this state*/
int need_refetch;
/**
* Attributes of clients that share the qstate that may affect IP-based

2
contrib/unbound/util/netevent.c
View File

@ -1400,7 +1400,7 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c)
if (r == -1) {
#if defined(EINPROGRESS) && defined(EWOULDBLOCK)
/* Handshake is underway, maybe because no TFO cookie available.
Come back to write the messsage*/
Come back to write the message*/
if(errno == EINPROGRESS || errno == EWOULDBLOCK)
return 1;
#endif

2
contrib/unbound/util/shm_side/shm_main.c
View File

@ -254,6 +254,8 @@ void shm_main_run(struct worker *worker)
if(worker->daemon->dnscenv) {
shm_stat->mem.dnscrypt_shared_secret = (long long)slabhash_get_mem(
worker->daemon->dnscenv->shared_secrets_cache);
shm_stat->mem.dnscrypt_nonce = (long long)slabhash_get_mem(
worker->daemon->dnscenv->nonces_cache);
}
#endif
shm_stat->mem.val = (long long)mod_get_mem(&worker->env,

2
contrib/unbound/util/storage/slabhash.h
View File

@ -107,7 +107,7 @@ void slabhash_clear(struct slabhash* table);
* But entry->data is set to NULL before deletion, and put into
* the existing entry. The data is then freed.
* @param data: the data.
* @param cb_override: if not NULL overrides the cb_arg for deletfunc.
* @param cb_override: if not NULL overrides the cb_arg for deletefunc.
*/
void slabhash_insert(struct slabhash* table, hashvalue_type hash,
struct lruhash_entry* entry, void* data, void* cb_override);

2
contrib/unbound/util/ub_event.h
View File

@ -67,7 +67,7 @@ const char* ub_event_get_version(void);
/** Return the name, system and method for the pluggable event base */
void ub_get_event_sys(struct ub_event_base*, const char** n, const char** s,
const char** m);
/** Return a default event base. In the deamon thess will be the only event
/** Return a default event base. In the daemon this will be the only event
* bases used.
*/
struct ub_event_base* ub_default_event_base(int, time_t*, struct timeval*);

2
contrib/unbound/validator/autotrust.c
View File

@ -2154,7 +2154,7 @@ int autr_process_prime(struct module_env* env, struct val_env* ve,
verbose(VERB_ALGO, "autotrust: no dnskey rrset");
/* no update of query_failed, because then we would have
* to write to disk. But we cannot because we maybe are
* still 'initialising' with DS records, that we cannot write
* still 'initializing' with DS records, that we cannot write
* in the full format (which only contains KSKs). */
return 1; /* trust point exists */
}

2
contrib/unbound/validator/val_nsec3.c
View File

@ -1037,7 +1037,7 @@ nsec3_do_prove_nameerror(struct module_env* env, struct nsec3_filter* flt,
"nsec3 is an insecure delegation");
return sec;
}
log_nametypeclass(VERB_ALGO, "nsec3 namerror: proven ce=", ce.ce,0,0);
log_nametypeclass(VERB_ALGO, "nsec3 nameerror: proven ce=", ce.ce,0,0);
/* At this point, we know that qname does not exist. Now we need
* to prove that the wildcard does not exist. */

2
contrib/unbound/validator/val_secalgo.c
View File

@ -322,7 +322,7 @@ static int
setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
{
/* convert from two BIGNUMs in the rdata buffer, to ASN notation.
* ASN preable: 30440220 <R 32bytefor256> 0220 <S 32bytefor256>
* ASN preamble: 30440220 <R 32bytefor256> 0220 <S 32bytefor256>
* the '20' is the length of that field (=bnsize).
i * the '44' is the total remaining length.
* if negative, start with leading zero.

2
contrib/unbound/validator/val_sigcrypt.c
View File

@ -906,7 +906,7 @@ canonical_sort(struct ub_packed_rrset_key* rrset, struct packed_rrset_data* d,
}
/**
* Inser canonical owner name into buffer.
* Insert canonical owner name into buffer.
* @param buf: buffer to insert into at current position.
* @param k: rrset with its owner name.
* @param sig: signature with signer name and label count.

2
contrib/unbound/validator/val_utils.h
View File

@ -70,7 +70,7 @@ enum val_classification {
/** A NXDOMAIN response. */
VAL_CLASS_NAMEERROR,
/** A CNAME/DNAME chain, and the offset is at the end of it,
* but there is no answer here, it can be NAMERROR or NODATA. */
* but there is no answer here, it can be NAMEERROR or NODATA. */
VAL_CLASS_CNAMENOANSWER,
/** A referral, from cache with a nonRD query. */
VAL_CLASS_REFERRAL,

2
contrib/unbound/validator/validator.c
View File

@ -1289,7 +1289,7 @@ validate_cname_noanswer_response(struct module_env* env, struct val_env* ve,
uint8_t* ce = NULL; /* for wildcard nodata responses. This is the
proven closest encloser. */
uint8_t* wc = NULL; /* for wildcard nodata responses. wildcard nsec */
int nxdomain_valid_nsec = 0; /* if true, namerror has been proven */
int nxdomain_valid_nsec = 0; /* if true, nameerror has been proven */
int nxdomain_valid_wnsec = 0;
int nsec3s_seen = 0; /* nsec3s seen */
struct ub_packed_rrset_key* s;