Upgrade to Unbound 1.5.7.
This commit is contained in:
commit
05ab290102
38
contrib/unbound/.gitignore
vendored
Normal file
38
contrib/unbound/.gitignore
vendored
Normal file
@ -0,0 +1,38 @@
|
||||
*.lo
|
||||
*.o
|
||||
/.libs/
|
||||
/Makefile
|
||||
/autom4te.cache/
|
||||
/config.h
|
||||
/config.log
|
||||
/config.status
|
||||
/dnstap/dnstap_config.h
|
||||
/doc/example.conf
|
||||
/doc/libunbound.3
|
||||
/doc/unbound-anchor.8
|
||||
/doc/unbound-checkconf.8
|
||||
/doc/unbound-control.8
|
||||
/doc/unbound-host.1
|
||||
/doc/unbound.8
|
||||
/doc/unbound.conf.5
|
||||
/libtool
|
||||
/libunbound.la
|
||||
/smallapp/unbound-control-setup.sh
|
||||
/unbound
|
||||
/unbound-anchor
|
||||
/unbound-checkconf
|
||||
/unbound-control
|
||||
/unbound-control-setup
|
||||
/unbound-host
|
||||
/unbound.h
|
||||
/asynclook
|
||||
/delayer
|
||||
/lock-verify
|
||||
/memstats
|
||||
/perf
|
||||
/petal
|
||||
/pktview
|
||||
/streamtcp
|
||||
/testbound
|
||||
/unittest
|
||||
|
@ -38,6 +38,7 @@ UNBOUND_VERSION_MINOR=@UNBOUND_VERSION_MINOR@
|
||||
UNBOUND_VERSION_MICRO=@UNBOUND_VERSION_MICRO@
|
||||
ALLTARGET=@ALLTARGET@
|
||||
INSTALLTARGET=@INSTALLTARGET@
|
||||
SSLLIB=@SSLLIB@
|
||||
|
||||
# _unbound.la if pyunbound enabled.
|
||||
PYUNBOUND_TARGET=@PYUNBOUND_TARGET@
|
||||
@ -132,7 +133,7 @@ compat/memcmp.c compat/memmove.c compat/snprintf.c compat/strlcat.c \
|
||||
compat/strlcpy.c compat/strptime.c compat/getentropy_linux.c \
|
||||
compat/getentropy_osx.c compat/getentropy_solaris.c compat/getentropy_win.c \
|
||||
compat/explicit_bzero.c compat/arc4random.c compat/arc4random_uniform.c \
|
||||
compat/arc4_lock.c compat/sha512.c compat/reallocarray.c
|
||||
compat/arc4_lock.c compat/sha512.c compat/reallocarray.c compat/isblank.c
|
||||
COMPAT_OBJ=$(LIBOBJS:.o=.lo)
|
||||
COMPAT_OBJ_WITHOUT_CTIME=$(LIBOBJ_WITHOUT_CTIME:.o=.lo)
|
||||
COMPAT_OBJ_WITHOUT_CTIMEARC4=$(LIBOBJ_WITHOUT_CTIMEARC4:.o=.lo)
|
||||
@ -295,22 +296,22 @@ longtest: tests
|
||||
lib: libunbound.la unbound.h
|
||||
|
||||
libunbound.la: $(LIBUNBOUND_OBJ_LINK)
|
||||
$(LINK_LIB) $(UBSYMS) -o $@ $(LIBUNBOUND_OBJ_LINK) -rpath $(libdir) -lssl $(LIBS)
|
||||
$(LINK_LIB) $(UBSYMS) -o $@ $(LIBUNBOUND_OBJ_LINK) -rpath $(libdir) $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound$(EXEEXT): $(DAEMON_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound-checkconf$(EXEEXT): $(CHECKCONF_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound-control$(EXEEXT): $(CONTROL_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound-host$(EXEEXT): $(HOST_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
|
||||
|
||||
unbound-anchor$(EXEEXT): $(UBANCHOR_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound-service-install$(EXEEXT): $(SVCINST_OBJ_LINK)
|
||||
$(LINK) -o $@ $(SVCINST_OBJ_LINK) $(LIBS)
|
||||
@ -322,37 +323,37 @@ anchor-update$(EXEEXT): $(ANCHORUPD_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(ANCHORUPD_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
|
||||
|
||||
unittest$(EXEEXT): $(UNITTEST_OBJ_LINK)
|
||||
$(LINK) -o $@ $(UNITTEST_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(UNITTEST_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
testbound$(EXEEXT): $(TESTBOUND_OBJ_LINK)
|
||||
$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(TESTBOUND_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
lock-verify$(EXEEXT): $(LOCKVERIFY_OBJ_LINK)
|
||||
$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(LOCKVERIFY_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
petal$(EXEEXT): $(PETAL_OBJ_LINK)
|
||||
$(LINK) -o $@ $(PETAL_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(PETAL_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
pktview$(EXEEXT): $(PKTVIEW_OBJ_LINK)
|
||||
$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(PKTVIEW_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
memstats$(EXEEXT): $(MEMSTATS_OBJ_LINK)
|
||||
$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
asynclook$(EXEEXT): $(ASYNCLOOK_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) $(LIBS) -L. -L.libs -lunbound
|
||||
|
||||
streamtcp$(EXEEXT): $(STREAMTCP_OBJ_LINK)
|
||||
$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
perf$(EXEEXT): $(PERF_OBJ_LINK)
|
||||
$(LINK) -o $@ $(PERF_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(PERF_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
delayer$(EXEEXT): $(DELAYER_OBJ_LINK)
|
||||
$(LINK) -o $@ $(DELAYER_OBJ_LINK) -lssl $(LIBS)
|
||||
$(LINK) -o $@ $(DELAYER_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
signit$(EXEEXT): testcode/signit.c
|
||||
$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ testcode/signit.c $(LDFLAGS) -lldns -lssl $(LIBS)
|
||||
$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ testcode/signit.c $(LDFLAGS) -lldns $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound.h: $(srcdir)/libunbound/unbound.h
|
||||
sed -e 's/@''UNBOUND_VERSION_MAJOR@/$(UNBOUND_VERSION_MAJOR)/' -e 's/@''UNBOUND_VERSION_MINOR@/$(UNBOUND_VERSION_MINOR)/' -e 's/@''UNBOUND_VERSION_MICRO@/$(UNBOUND_VERSION_MICRO)/' < $(srcdir)/libunbound/unbound.h > $@
|
||||
@ -644,7 +645,7 @@ iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterato
|
||||
$(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
|
||||
$(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h $(srcdir)/util/random.h \
|
||||
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
|
||||
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
|
||||
iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \
|
||||
@ -727,8 +728,7 @@ outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c confi
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
|
||||
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h
|
||||
alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
|
||||
@ -776,14 +776,12 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve
|
||||
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
|
||||
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
|
||||
net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/sldns/parseutil.h \
|
||||
$(srcdir)/sldns/wire2str.h \
|
||||
|
||||
$(srcdir)/sldns/wire2str.h
|
||||
random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
|
||||
rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
@ -818,8 +816,7 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
|
||||
$(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
|
||||
$(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \
|
||||
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
|
||||
val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
|
||||
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
|
||||
@ -844,18 +841,16 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/
|
||||
val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
|
||||
|
||||
val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
|
||||
$(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
|
||||
val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h \
|
||||
$(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/validator.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
|
||||
val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
|
||||
val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
|
||||
$(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kentry.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
|
||||
@ -867,17 +862,15 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h
|
||||
val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
|
||||
$(srcdir)/sldns/sbuffer.h \
|
||||
|
||||
$(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
|
||||
$(srcdir)/sldns/sbuffer.h
|
||||
val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
|
||||
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/keyraw.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
|
||||
|
||||
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
|
||||
val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
|
||||
@ -895,11 +888,6 @@ dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(src
|
||||
$(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
|
||||
checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/testcode/checklocks.h
|
||||
dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c config.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/dnstap/dnstap.pb-c.h
|
||||
dnstap.pb-c.lo dnstap.pb-c.o: $(srcdir)/dnstap/dnstap.pb-c.c $(srcdir)/dnstap/dnstap.pb-c.h
|
||||
unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
|
||||
$(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
|
||||
@ -908,8 +896,7 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util
|
||||
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
|
||||
unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
|
||||
unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
|
||||
unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
@ -947,38 +934,35 @@ unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/lo
|
||||
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
|
||||
cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
|
||||
$(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h \
|
||||
cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
|
||||
$(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
|
||||
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
|
||||
$(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \
|
||||
$(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
|
||||
$(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
|
||||
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
|
||||
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
|
||||
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
|
||||
$(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
|
||||
$(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
|
||||
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/wire2str.h \
|
||||
$(srcdir)/sldns/str2wire.h
|
||||
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
|
||||
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \
|
||||
$(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h
|
||||
remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
|
||||
$(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
|
||||
remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
|
||||
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \
|
||||
$(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
|
||||
@ -1002,35 +986,33 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
|
||||
$(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
|
||||
unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
|
||||
$(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
|
||||
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/mini_event.h \
|
||||
$(srcdir)/util/rbtree.h
|
||||
$(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
|
||||
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
|
||||
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
|
||||
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
|
||||
$(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
|
||||
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
|
||||
$(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/libunbound/libworker.h
|
||||
testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
|
||||
$(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
|
||||
$(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
|
||||
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c \
|
||||
$(srcdir)/util/log.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
|
||||
@ -1046,12 +1028,12 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
|
||||
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
|
||||
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
|
||||
$(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
|
||||
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
|
||||
$(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
|
||||
@ -1059,14 +1041,13 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
|
||||
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
|
||||
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
|
||||
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
|
||||
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \
|
||||
@ -1141,19 +1122,18 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
|
||||
$(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/sldns/sbuffer.h
|
||||
libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
|
||||
$(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/services/mesh.h \
|
||||
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
|
||||
$(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
|
||||
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
|
||||
$(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h
|
||||
libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
|
||||
$(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h \
|
||||
$(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h \
|
||||
$(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h
|
||||
unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
|
||||
asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
@ -1164,21 +1144,18 @@ streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util
|
||||
$(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
|
||||
|
||||
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
|
||||
perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
|
||||
delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
|
||||
unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
|
||||
unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
|
||||
unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
|
||||
|
||||
petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
|
||||
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
|
||||
petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
|
||||
pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
@ -1191,8 +1168,7 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/winsock_event.h
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/winsock_event.h
|
||||
w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
|
||||
unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
|
||||
$(srcdir)/winrc/w_inst.h
|
||||
@ -1200,14 +1176,11 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv
|
||||
$(srcdir)/winrc/w_inst.h
|
||||
anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
|
||||
keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
|
||||
$(srcdir)/sldns/rrdef.h \
|
||||
|
||||
keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
|
||||
sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
|
||||
wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/sldns/keyraw.h \
|
||||
|
||||
$(srcdir)/sldns/keyraw.h
|
||||
parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
|
||||
$(srcdir)/sldns/sbuffer.h
|
||||
parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
|
||||
@ -1227,8 +1200,7 @@ snprintf.lo snprintf.o: $(srcdir)/compat/snprintf.c config.h
|
||||
strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
|
||||
strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
|
||||
strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
|
||||
getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
|
||||
|
||||
getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
|
||||
getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
|
||||
getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
|
||||
getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
|
||||
@ -1238,3 +1210,4 @@ arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.
|
||||
arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c config.h $(srcdir)/util/locks.h
|
||||
sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h
|
||||
reallocarray.lo reallocarray.o: $(srcdir)/compat/reallocarray.c config.h
|
||||
isblank.lo isblank.o: $(srcdir)/compat/isblank.c config.h
|
||||
|
@ -2,7 +2,9 @@
|
||||
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
|
||||
# BSD licensed.
|
||||
#
|
||||
# Version 28
|
||||
# Version 30
|
||||
# 2015-11-18 spelling check fix.
|
||||
# 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly.
|
||||
# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
|
||||
# 2015-03-17 AHX_CONFIG_REALLOCARRAY added
|
||||
# 2013-09-19 FLTO help text improved.
|
||||
@ -24,7 +26,7 @@
|
||||
# 2010-07-02 Add check for ss_family (for minix).
|
||||
# 2010-04-26 Fix to use CPPFLAGS for CHECK_COMPILER_FLAGS.
|
||||
# 2010-03-01 Fix RPATH using CONFIG_COMMANDS to run at the very end.
|
||||
# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS seperate, -ldl
|
||||
# 2010-02-18 WITH_SSL outputs the LIBSSL_LDFLAGS, LIBS, CPPFLAGS separate, -ldl
|
||||
# 2010-02-01 added ACX_CHECK_MEMCMP_SIGNED, AHX_MEMCMP_BROKEN
|
||||
# 2010-01-20 added AHX_COONFIG_STRLCAT
|
||||
# 2009-07-14 U_CHAR detection improved for windows crosscompile.
|
||||
@ -715,12 +717,6 @@ AC_DEFUN([ACX_SSL_CHECKS], [
|
||||
fi
|
||||
AC_SUBST(HAVE_SSL)
|
||||
AC_SUBST(RUNTIME_PATH)
|
||||
# openssl engine functionality needs dlopen().
|
||||
BAKLIBS="$LIBS"
|
||||
AC_SEARCH_LIBS([dlopen], [dl])
|
||||
if test "$LIBS" != "$BAKLIBS"; then
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
|
||||
fi
|
||||
fi
|
||||
AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
|
||||
|
@ -26,7 +26,9 @@
|
||||
#include <fcntl.h>
|
||||
#include <limits.h>
|
||||
#include <signal.h>
|
||||
#ifdef HAVE_STDINT_H
|
||||
#include <stdint.h>
|
||||
#endif
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
@ -46,7 +46,12 @@
|
||||
#include <errno.h>
|
||||
#include <unistd.h>
|
||||
#include <time.h>
|
||||
|
||||
#if defined(HAVE_SSL)
|
||||
#include <openssl/sha.h>
|
||||
#elif defined(HAVE_NETTLE)
|
||||
#include <nettle/sha.h>
|
||||
#endif
|
||||
|
||||
#include <linux/types.h>
|
||||
#include <linux/random.h>
|
||||
@ -67,9 +72,21 @@
|
||||
HD(b); \
|
||||
} while (0)
|
||||
|
||||
#if defined(HAVE_SSL)
|
||||
#define CRYPTO_SHA512_CTX SHA512_CTX
|
||||
#define CRYPTO_SHA512_INIT(x) SHA512_Init(x)
|
||||
#define CRYPTO_SHA512_FINAL(r, c) SHA512_Final(r, c)
|
||||
#define HR(x, l) (SHA512_Update(&ctx, (char *)(x), (l)))
|
||||
#define HD(x) (SHA512_Update(&ctx, (char *)&(x), sizeof (x)))
|
||||
#define HF(x) (SHA512_Update(&ctx, (char *)&(x), sizeof (void*)))
|
||||
#elif defined(HAVE_NETTLE)
|
||||
#define CRYPTO_SHA512_CTX struct sha512_ctx
|
||||
#define CRYPTO_SHA512_INIT(x) sha512_init(x)
|
||||
#define CRYPTO_SHA512_FINAL(r, c) sha512_digest(c, SHA512_DIGEST_SIZE, r)
|
||||
#define HR(x, l) (sha512_update(&ctx, (l), (uint8_t *)(x)))
|
||||
#define HD(x) (sha512_update(&ctx, sizeof (x), (uint8_t *)&(x)))
|
||||
#define HF(x) (sha512_update(&ctx, sizeof (void*), (uint8_t *)&(x)))
|
||||
#endif
|
||||
|
||||
int getentropy(void *buf, size_t len);
|
||||
|
||||
@ -122,7 +139,7 @@ getentropy(void *buf, size_t len)
|
||||
* Try to use sysctl CTL_KERN, KERN_RANDOM, RANDOM_UUID.
|
||||
* sysctl is a failsafe API, so it guarantees a result. This
|
||||
* should work inside a chroot, or when file descriptors are
|
||||
* exhuasted.
|
||||
* exhausted.
|
||||
*
|
||||
* However this can fail if the Linux kernel removes support
|
||||
* for sysctl. Starting in 2007, there have been efforts to
|
||||
@ -337,7 +354,7 @@ getentropy_fallback(void *buf, size_t len)
|
||||
struct rusage ru;
|
||||
sigset_t sigset;
|
||||
struct stat st;
|
||||
SHA512_CTX ctx;
|
||||
CRYPTO_SHA512_CTX ctx;
|
||||
static pid_t lastpid;
|
||||
pid_t pid;
|
||||
size_t i, ii, m;
|
||||
@ -354,7 +371,7 @@ getentropy_fallback(void *buf, size_t len)
|
||||
}
|
||||
for (i = 0; i < len; ) {
|
||||
int j;
|
||||
SHA512_Init(&ctx);
|
||||
CRYPTO_SHA512_INIT(&ctx);
|
||||
for (j = 0; j < repeat; j++) {
|
||||
HX((e = gettimeofday(&tv, NULL)) == -1, tv);
|
||||
if (e != -1) {
|
||||
@ -526,7 +543,7 @@ getentropy_fallback(void *buf, size_t len)
|
||||
# endif
|
||||
#endif /* HAVE_GETAUXVAL */
|
||||
|
||||
SHA512_Final(results, &ctx);
|
||||
CRYPTO_SHA512_FINAL(results, &ctx);
|
||||
memcpy((char*)buf + i, results, min(sizeof(results), len - i));
|
||||
i += min(sizeof(results), len - i);
|
||||
}
|
||||
|
@ -30,7 +30,9 @@
|
||||
#include <sys/stat.h>
|
||||
#include <sys/time.h>
|
||||
#include <stdlib.h>
|
||||
#ifdef HAVE_STDINT_H
|
||||
#include <stdint.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <termios.h>
|
||||
#include <fcntl.h>
|
||||
@ -39,10 +41,14 @@
|
||||
#include <errno.h>
|
||||
#include <unistd.h>
|
||||
#include <time.h>
|
||||
#ifdef HAVE_SYS_SHA2_H
|
||||
#include <sys/sha2.h>
|
||||
#define SHA512_Init SHA512Init
|
||||
#define SHA512_Update SHA512Update
|
||||
#define SHA512_Final SHA512Final
|
||||
#else
|
||||
#include "openssl/sha.h"
|
||||
#endif
|
||||
|
||||
#include <sys/vfs.h>
|
||||
#include <sys/statfs.h>
|
||||
|
45
contrib/unbound/compat/isblank.c
Normal file
45
contrib/unbound/compat/isblank.c
Normal file
@ -0,0 +1,45 @@
|
||||
/* isblank - compatibility implementation of isblank
|
||||
*
|
||||
* Copyright (c) 2015, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
||||
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
||||
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "config.h"
|
||||
|
||||
/* return true for a blank character: space or tab */
|
||||
int isblank(int c);
|
||||
|
||||
/* implementation of isblank. unsigned char is the argument */
|
||||
int
|
||||
isblank(int c)
|
||||
{
|
||||
return (c==' ' || c=='\t');
|
||||
}
|
@ -18,7 +18,10 @@
|
||||
#include "config.h"
|
||||
#include <sys/types.h>
|
||||
#include <errno.h>
|
||||
#ifdef HAVE_STDINT_H
|
||||
#include <stdint.h>
|
||||
#endif
|
||||
#include <limits.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
/*
|
||||
|
@ -70,7 +70,7 @@ unsigned char *SHA512(void *data, unsigned int data_len, unsigned char *digest);
|
||||
* Please make sure that your system defines BYTE_ORDER. If your
|
||||
* architecture is little-endian, make sure it also defines
|
||||
* LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
|
||||
* equivilent.
|
||||
* equivalent.
|
||||
*
|
||||
* If your system does not define the above, then you can do so by
|
||||
* hand like this:
|
||||
|
@ -42,6 +42,7 @@
|
||||
#ifdef HAVE_STDINT_H
|
||||
#include <stdint.h>
|
||||
#endif
|
||||
#include <limits.h>
|
||||
|
||||
/* for test */
|
||||
/* #define SNPRINTF_TEST 1 */
|
||||
@ -428,7 +429,7 @@ print_num_llp(char** at, size_t* left, int* ret, void* value,
|
||||
char buf[PRINT_DEC_BUFSZ];
|
||||
int negative = 0;
|
||||
int zero = (value == 0);
|
||||
#if defined(UINTPTR_MAX) && defined(UINT32_MAX) && (UINTPTR_MAX == UINT32_MAX)
|
||||
#if defined(SIZE_MAX) && defined(UINT32_MAX) && (UINT32_MAX == SIZE_MAX || INT32_MAX == SIZE_MAX)
|
||||
/* avoid warning about upcast on 32bit systems */
|
||||
unsigned long long llvalue = (unsigned long)value;
|
||||
#else
|
||||
|
@ -85,7 +85,7 @@
|
||||
|
||||
/* Define to 1 if you have the declaration of `SSL_CTX_set_ecdh_auto', and to
|
||||
0 if you don't. */
|
||||
#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO 0
|
||||
#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO 1
|
||||
|
||||
/* Define to 1 if you have the declaration of `strlcat', and to 0 if you
|
||||
don't. */
|
||||
@ -95,6 +95,10 @@
|
||||
don't. */
|
||||
/* #undef HAVE_DECL_STRLCPY */
|
||||
|
||||
/* Define to 1 if you have the declaration of `XML_StopParser', and to 0 if
|
||||
you don't. */
|
||||
#define HAVE_DECL_XML_STOPPARSER 1
|
||||
|
||||
/* Define to 1 if you have the <dlfcn.h> header file. */
|
||||
#define HAVE_DLFCN_H 1
|
||||
|
||||
@ -152,6 +156,9 @@
|
||||
/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */
|
||||
#define HAVE_FSEEKO 1
|
||||
|
||||
/* Define to 1 if you have the `fsync' function. */
|
||||
#define HAVE_FSYNC 1
|
||||
|
||||
/* Whether getaddrinfo is available */
|
||||
#define HAVE_GETADDRINFO 1
|
||||
|
||||
@ -206,6 +213,9 @@
|
||||
/* Define to 1 if you have the <iphlpapi.h> header file. */
|
||||
/* #undef HAVE_IPHLPAPI_H */
|
||||
|
||||
/* Define to 1 if you have the `isblank' function. */
|
||||
#define HAVE_ISBLANK 1
|
||||
|
||||
/* Define to 1 if you have the `kill' function. */
|
||||
#define HAVE_KILL 1
|
||||
|
||||
@ -233,6 +243,9 @@
|
||||
/* Define to 1 if you have the <netinet/in.h> header file. */
|
||||
#define HAVE_NETINET_IN_H 1
|
||||
|
||||
/* Use libnettle for crypto */
|
||||
/* #undef HAVE_NETTLE */
|
||||
|
||||
/* Use libnss for crypto */
|
||||
/* #undef HAVE_NSS */
|
||||
|
||||
@ -497,7 +510,7 @@
|
||||
#define PACKAGE_NAME "unbound"
|
||||
|
||||
/* Define to the full name and version of this package. */
|
||||
#define PACKAGE_STRING "unbound 1.5.5"
|
||||
#define PACKAGE_STRING "unbound 1.5.7"
|
||||
|
||||
/* Define to the one symbol short name of this package. */
|
||||
#define PACKAGE_TARNAME "unbound"
|
||||
@ -506,7 +519,7 @@
|
||||
#define PACKAGE_URL ""
|
||||
|
||||
/* Define to the version of this package. */
|
||||
#define PACKAGE_VERSION "1.5.5"
|
||||
#define PACKAGE_VERSION "1.5.7"
|
||||
|
||||
/* default pidfile location */
|
||||
#define PIDFILE "/var/unbound/unbound.pid"
|
||||
@ -525,7 +538,7 @@
|
||||
#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
|
||||
|
||||
/* version number for resource files */
|
||||
#define RSRC_PACKAGE_VERSION 1,5,5,0
|
||||
#define RSRC_PACKAGE_VERSION 1,5,7,0
|
||||
|
||||
/* Directory to chdir to */
|
||||
#define RUN_DIR "/var/unbound"
|
||||
@ -536,6 +549,9 @@
|
||||
/* The size of `time_t', as computed by sizeof. */
|
||||
#define SIZEOF_TIME_T 8
|
||||
|
||||
/* define if (v)snprintf does not return length needed, (but length used) */
|
||||
/* #undef SNPRINTF_RET_BROKEN */
|
||||
|
||||
/* Define to 1 if you have the ANSI C header files. */
|
||||
#define STDC_HEADERS 1
|
||||
|
||||
@ -570,7 +586,7 @@
|
||||
/* #undef USE_ECDSA_EVP_WORKAROUND */
|
||||
|
||||
/* Define this to enable GOST support. */
|
||||
/* #undef USE_GOST */
|
||||
#define USE_GOST 1
|
||||
|
||||
/* Define if you want to use internal select based events */
|
||||
#define USE_MINI_EVENT 1
|
||||
@ -849,15 +865,13 @@
|
||||
#define MAXHOSTNAMELEN 256
|
||||
#endif
|
||||
|
||||
|
||||
#ifndef HAVE_SNPRINTF
|
||||
#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
|
||||
#define snprintf snprintf_unbound
|
||||
#define vsnprintf vsnprintf_unbound
|
||||
#include <stdarg.h>
|
||||
int snprintf (char *str, size_t count, const char *fmt, ...);
|
||||
int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
|
||||
#endif /* HAVE_SNPRINTF */
|
||||
|
||||
#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
|
||||
|
||||
#ifndef HAVE_INET_PTON
|
||||
#define inet_pton inet_pton_unbound
|
||||
@ -953,6 +967,11 @@ int memcmp(const void *x, const void *y, size_t n);
|
||||
char *ctime_r(const time_t *timep, char *buf);
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_ISBLANK
|
||||
#define isblank unbound_isblank
|
||||
int isblank(int c);
|
||||
#endif
|
||||
|
||||
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
|
||||
#define strptime unbound_strptime
|
||||
struct tm;
|
||||
|
@ -94,6 +94,10 @@
|
||||
don't. */
|
||||
#undef HAVE_DECL_STRLCPY
|
||||
|
||||
/* Define to 1 if you have the declaration of `XML_StopParser', and to 0 if
|
||||
you don't. */
|
||||
#undef HAVE_DECL_XML_STOPPARSER
|
||||
|
||||
/* Define to 1 if you have the <dlfcn.h> header file. */
|
||||
#undef HAVE_DLFCN_H
|
||||
|
||||
@ -151,6 +155,9 @@
|
||||
/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */
|
||||
#undef HAVE_FSEEKO
|
||||
|
||||
/* Define to 1 if you have the `fsync' function. */
|
||||
#undef HAVE_FSYNC
|
||||
|
||||
/* Whether getaddrinfo is available */
|
||||
#undef HAVE_GETADDRINFO
|
||||
|
||||
@ -205,6 +212,9 @@
|
||||
/* Define to 1 if you have the <iphlpapi.h> header file. */
|
||||
#undef HAVE_IPHLPAPI_H
|
||||
|
||||
/* Define to 1 if you have the `isblank' function. */
|
||||
#undef HAVE_ISBLANK
|
||||
|
||||
/* Define to 1 if you have the `kill' function. */
|
||||
#undef HAVE_KILL
|
||||
|
||||
@ -232,6 +242,9 @@
|
||||
/* Define to 1 if you have the <netinet/in.h> header file. */
|
||||
#undef HAVE_NETINET_IN_H
|
||||
|
||||
/* Use libnettle for crypto */
|
||||
#undef HAVE_NETTLE
|
||||
|
||||
/* Use libnss for crypto */
|
||||
#undef HAVE_NSS
|
||||
|
||||
@ -535,6 +548,9 @@
|
||||
/* The size of `time_t', as computed by sizeof. */
|
||||
#undef SIZEOF_TIME_T
|
||||
|
||||
/* define if (v)snprintf does not return length needed, (but length used) */
|
||||
#undef SNPRINTF_RET_BROKEN
|
||||
|
||||
/* Define to 1 if you have the ANSI C header files. */
|
||||
#undef STDC_HEADERS
|
||||
|
||||
@ -848,15 +864,13 @@
|
||||
#define MAXHOSTNAMELEN 256
|
||||
#endif
|
||||
|
||||
|
||||
#ifndef HAVE_SNPRINTF
|
||||
#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
|
||||
#define snprintf snprintf_unbound
|
||||
#define vsnprintf vsnprintf_unbound
|
||||
#include <stdarg.h>
|
||||
int snprintf (char *str, size_t count, const char *fmt, ...);
|
||||
int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
|
||||
#endif /* HAVE_SNPRINTF */
|
||||
|
||||
#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
|
||||
|
||||
#ifndef HAVE_INET_PTON
|
||||
#define inet_pton inet_pton_unbound
|
||||
@ -952,6 +966,11 @@ int memcmp(const void *x, const void *y, size_t n);
|
||||
char *ctime_r(const time_t *timep, char *buf);
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_ISBLANK
|
||||
#define isblank unbound_isblank
|
||||
int isblank(int c);
|
||||
#endif
|
||||
|
||||
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
|
||||
#define strptime unbound_strptime
|
||||
struct tm;
|
||||
|
201
contrib/unbound/configure
vendored
201
contrib/unbound/configure
vendored
@ -1,6 +1,6 @@
|
||||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.5.5.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.5.7.
|
||||
#
|
||||
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
|
||||
#
|
||||
@ -590,8 +590,8 @@ MAKEFLAGS=
|
||||
# Identity of this package.
|
||||
PACKAGE_NAME='unbound'
|
||||
PACKAGE_TARNAME='unbound'
|
||||
PACKAGE_VERSION='1.5.5'
|
||||
PACKAGE_STRING='unbound 1.5.5'
|
||||
PACKAGE_VERSION='1.5.7'
|
||||
PACKAGE_STRING='unbound 1.5.7'
|
||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
|
||||
PACKAGE_URL=''
|
||||
|
||||
@ -661,6 +661,7 @@ CHECKLOCK_OBJ
|
||||
staticexe
|
||||
UNBOUND_EVENT_UNINSTALL
|
||||
UNBOUND_EVENT_INSTALL
|
||||
SSLLIB
|
||||
HAVE_SSL
|
||||
CONFIG_DATE
|
||||
NETBSD_LINTFLAGS
|
||||
@ -823,6 +824,7 @@ with_solaris_threads
|
||||
with_pyunbound
|
||||
with_pythonmodule
|
||||
with_nss
|
||||
with_nettle
|
||||
with_ssl
|
||||
enable_sha2
|
||||
enable_gost
|
||||
@ -1391,7 +1393,7 @@ if test "$ac_init_help" = "long"; then
|
||||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures unbound 1.5.5 to adapt to many kinds of systems.
|
||||
\`configure' configures unbound 1.5.7 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
@ -1456,7 +1458,7 @@ fi
|
||||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of unbound 1.5.5:";;
|
||||
short | recursive ) echo "Configuration of unbound 1.5.7:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
@ -1534,6 +1536,7 @@ Optional Packages:
|
||||
--with-pythonmodule build Python module, or --without-pythonmodule to
|
||||
disable script engine. (default=no)
|
||||
--with-nss=path use libnss instead of openssl, installed at path.
|
||||
--with-nettle=path use libnettle as crypto library, installed at path.
|
||||
--with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl
|
||||
/usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
|
||||
/usr)
|
||||
@ -1635,7 +1638,7 @@ fi
|
||||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
unbound configure 1.5.5
|
||||
unbound configure 1.5.7
|
||||
generated by GNU Autoconf 2.69
|
||||
|
||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
@ -2344,7 +2347,7 @@ cat >config.log <<_ACEOF
|
||||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by unbound $as_me 1.5.5, which was
|
||||
It was created by unbound $as_me 1.5.7, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
@ -2696,11 +2699,11 @@ UNBOUND_VERSION_MAJOR=1
|
||||
|
||||
UNBOUND_VERSION_MINOR=5
|
||||
|
||||
UNBOUND_VERSION_MICRO=5
|
||||
UNBOUND_VERSION_MICRO=7
|
||||
|
||||
|
||||
LIBUNBOUND_CURRENT=5
|
||||
LIBUNBOUND_REVISION=8
|
||||
LIBUNBOUND_REVISION=10
|
||||
LIBUNBOUND_AGE=3
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@ -2745,6 +2748,8 @@ LIBUNBOUND_AGE=3
|
||||
# 1.5.3 had 5:6:3
|
||||
# 1.5.4 had 5:7:3
|
||||
# 1.5.5 had 5:8:3
|
||||
# 1.5.6 had 5:9:3
|
||||
# 1.5.7 had 5:10:3
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@ -16406,13 +16411,44 @@ $as_echo "#define HAVE_NSS 1" >>confdefs.h
|
||||
CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
|
||||
fi
|
||||
LIBS="$LIBS -lnss3 -lnspr4"
|
||||
SSLLIB=""
|
||||
|
||||
|
||||
fi
|
||||
|
||||
|
||||
# libnettle
|
||||
USE_NETTLE="no"
|
||||
|
||||
# Check whether --with-nettle was given.
|
||||
if test "${with_nettle+set}" = set; then :
|
||||
withval=$with_nettle;
|
||||
USE_NETTLE="yes"
|
||||
|
||||
$as_echo "#define HAVE_NETTLE 1" >>confdefs.h
|
||||
|
||||
if test "$withval" != "" -a "$withval" != "yes"; then
|
||||
CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
|
||||
LDFLAGS="$LDFLAGS -L$withval/lib"
|
||||
|
||||
if test "x$enable_rpath" = xyes; then
|
||||
if echo "$withval/lib" | grep "^/" >/dev/null; then
|
||||
RUNTIME_PATH="$RUNTIME_PATH -R$withval/lib"
|
||||
fi
|
||||
fi
|
||||
|
||||
else
|
||||
CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
|
||||
fi
|
||||
LIBS="$LIBS -lhogweed -lnettle -lgmp"
|
||||
SSLLIB=""
|
||||
|
||||
|
||||
fi
|
||||
|
||||
|
||||
# openssl
|
||||
if test $USE_NSS = "no"; then
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
|
||||
|
||||
# Check whether --with-ssl was given.
|
||||
@ -16581,67 +16617,6 @@ rm -f core conftest.err conftest.$ac_objext \
|
||||
fi
|
||||
|
||||
|
||||
# openssl engine functionality needs dlopen().
|
||||
BAKLIBS="$LIBS"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
|
||||
$as_echo_n "checking for library containing dlopen... " >&6; }
|
||||
if ${ac_cv_search_dlopen+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
ac_func_search_save_LIBS=$LIBS
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
/* Override any GCC internal prototype to avoid an error.
|
||||
Use char because int might match the return type of a GCC
|
||||
builtin and then its argument prototype would still apply. */
|
||||
#ifdef __cplusplus
|
||||
extern "C"
|
||||
#endif
|
||||
char dlopen ();
|
||||
int
|
||||
main ()
|
||||
{
|
||||
return dlopen ();
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
for ac_lib in '' dl; do
|
||||
if test -z "$ac_lib"; then
|
||||
ac_res="none required"
|
||||
else
|
||||
ac_res=-l$ac_lib
|
||||
LIBS="-l$ac_lib $ac_func_search_save_LIBS"
|
||||
fi
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
ac_cv_search_dlopen=$ac_res
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext
|
||||
if ${ac_cv_search_dlopen+:} false; then :
|
||||
break
|
||||
fi
|
||||
done
|
||||
if ${ac_cv_search_dlopen+:} false; then :
|
||||
|
||||
else
|
||||
ac_cv_search_dlopen=no
|
||||
fi
|
||||
rm conftest.$ac_ext
|
||||
LIBS=$ac_func_search_save_LIBS
|
||||
fi
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlopen" >&5
|
||||
$as_echo "$ac_cv_search_dlopen" >&6; }
|
||||
ac_res=$ac_cv_search_dlopen
|
||||
if test "$ac_res" != no; then :
|
||||
test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
|
||||
|
||||
fi
|
||||
|
||||
if test "$LIBS" != "$BAKLIBS"; then
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
|
||||
fi
|
||||
fi
|
||||
for ac_header in openssl/ssl.h
|
||||
do :
|
||||
@ -16779,6 +16754,7 @@ fi
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
SSLLIB="-lssl"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5
|
||||
$as_echo_n "checking for LibreSSL... " >&6; }
|
||||
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||
@ -16976,6 +16952,7 @@ _ACEOF
|
||||
fi
|
||||
|
||||
|
||||
|
||||
# Check whether --enable-sha2 was given.
|
||||
if test "${enable_sha2+set}" = set; then :
|
||||
enableval=$enable_sha2;
|
||||
@ -16999,7 +16976,7 @@ if test "${enable_gost+set}" = set; then :
|
||||
fi
|
||||
|
||||
use_gost="no"
|
||||
if test $USE_NSS = "no"; then
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
case "$enable_gost" in
|
||||
no)
|
||||
;;
|
||||
@ -17152,7 +17129,7 @@ case "$enable_ecdsa" in
|
||||
no)
|
||||
;;
|
||||
*)
|
||||
if test $USE_NSS = "no"; then
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign"
|
||||
if test "x$ac_cv_func_ECDSA_sign" = xyes; then :
|
||||
|
||||
@ -17643,6 +17620,20 @@ fi
|
||||
|
||||
done
|
||||
|
||||
ac_fn_c_check_decl "$LINENO" "XML_StopParser" "ac_cv_have_decl_XML_StopParser" "$ac_includes_default
|
||||
#include <expat.h>
|
||||
|
||||
"
|
||||
if test "x$ac_cv_have_decl_XML_StopParser" = xyes; then :
|
||||
ac_have_decl=1
|
||||
else
|
||||
ac_have_decl=0
|
||||
fi
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_DECL_XML_STOPPARSER $ac_have_decl
|
||||
_ACEOF
|
||||
|
||||
|
||||
# set static linking if requested
|
||||
|
||||
@ -18100,7 +18091,7 @@ if test "$ac_res" != no; then :
|
||||
|
||||
fi
|
||||
|
||||
for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent
|
||||
for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync
|
||||
do :
|
||||
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
||||
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
|
||||
@ -18221,6 +18212,48 @@ esac
|
||||
fi
|
||||
|
||||
|
||||
# test if snprintf return the proper length
|
||||
if test "x$ac_cv_func_snprintf" = xyes; then
|
||||
if test c${cross_compiling} = cno; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for correct snprintf return value" >&5
|
||||
$as_echo_n "checking for correct snprintf return value... " >&6; }
|
||||
if test "$cross_compiling" = yes; then :
|
||||
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
|
||||
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
|
||||
as_fn_error $? "cannot run test program while cross compiling
|
||||
See \`config.log' for more details" "$LINENO" 5; }
|
||||
else
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
$ac_includes_default
|
||||
|
||||
int main(void) { return !(snprintf(NULL, 0, "test") == 4); }
|
||||
|
||||
_ACEOF
|
||||
if ac_fn_c_try_run "$LINENO"; then :
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
else
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
|
||||
$as_echo "#define SNPRINTF_RET_BROKEN /**/" >>confdefs.h
|
||||
|
||||
case " $LIBOBJS " in
|
||||
*" snprintf.$ac_objext "* ) ;;
|
||||
*) LIBOBJS="$LIBOBJS snprintf.$ac_objext"
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
fi
|
||||
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
|
||||
conftest.$ac_objext conftest.beam conftest.$ac_ext
|
||||
fi
|
||||
|
||||
fi
|
||||
fi
|
||||
ac_fn_c_check_func "$LINENO" "strlcat" "ac_cv_func_strlcat"
|
||||
if test "x$ac_cv_func_strlcat" = xyes; then :
|
||||
$as_echo "#define HAVE_STRLCAT 1" >>confdefs.h
|
||||
@ -18277,6 +18310,20 @@ esac
|
||||
fi
|
||||
|
||||
|
||||
ac_fn_c_check_func "$LINENO" "isblank" "ac_cv_func_isblank"
|
||||
if test "x$ac_cv_func_isblank" = xyes; then :
|
||||
$as_echo "#define HAVE_ISBLANK 1" >>confdefs.h
|
||||
|
||||
else
|
||||
case " $LIBOBJS " in
|
||||
*" isblank.$ac_objext "* ) ;;
|
||||
*) LIBOBJS="$LIBOBJS isblank.$ac_objext"
|
||||
;;
|
||||
esac
|
||||
|
||||
fi
|
||||
|
||||
|
||||
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
|
||||
|
||||
ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
|
||||
@ -19017,7 +19064,7 @@ _ACEOF
|
||||
|
||||
|
||||
|
||||
version=1.5.5
|
||||
version=1.5.7
|
||||
|
||||
date=`date +'%b %e, %Y'`
|
||||
|
||||
@ -19532,7 +19579,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
||||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by unbound $as_me 1.5.5, which was
|
||||
This file was extended by unbound $as_me 1.5.7, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
@ -19598,7 +19645,7 @@ _ACEOF
|
||||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||
ac_cs_version="\\
|
||||
unbound config.status 1.5.5
|
||||
unbound config.status 1.5.7
|
||||
configured by $0, generated by GNU Autoconf 2.69,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
@ -10,14 +10,14 @@ sinclude(dnstap/dnstap.m4)
|
||||
# must be numbers. ac_defun because of later processing
|
||||
m4_define([VERSION_MAJOR],[1])
|
||||
m4_define([VERSION_MINOR],[5])
|
||||
m4_define([VERSION_MICRO],[5])
|
||||
m4_define([VERSION_MICRO],[7])
|
||||
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
|
||||
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
|
||||
|
||||
LIBUNBOUND_CURRENT=5
|
||||
LIBUNBOUND_REVISION=8
|
||||
LIBUNBOUND_REVISION=10
|
||||
LIBUNBOUND_AGE=3
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@ -62,6 +62,8 @@ LIBUNBOUND_AGE=3
|
||||
# 1.5.3 had 5:6:3
|
||||
# 1.5.4 had 5:7:3
|
||||
# 1.5.5 had 5:8:3
|
||||
# 1.5.6 had 5:9:3
|
||||
# 1.5.7 had 5:10:3
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@ -561,13 +563,34 @@ AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
|
||||
CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
|
||||
fi
|
||||
LIBS="$LIBS -lnss3 -lnspr4"
|
||||
SSLLIB=""
|
||||
]
|
||||
)
|
||||
|
||||
# libnettle
|
||||
USE_NETTLE="no"
|
||||
AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
|
||||
[use libnettle as crypto library, installed at path.]),
|
||||
[
|
||||
USE_NETTLE="yes"
|
||||
AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
|
||||
if test "$withval" != "" -a "$withval" != "yes"; then
|
||||
CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
|
||||
LDFLAGS="$LDFLAGS -L$withval/lib"
|
||||
ACX_RUNTIME_PATH_ADD([$withval/lib])
|
||||
else
|
||||
CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
|
||||
fi
|
||||
LIBS="$LIBS -lhogweed -lnettle -lgmp"
|
||||
SSLLIB=""
|
||||
]
|
||||
)
|
||||
|
||||
# openssl
|
||||
if test $USE_NSS = "no"; then
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
ACX_WITH_SSL
|
||||
ACX_LIB_SSL
|
||||
SSLLIB="-lssl"
|
||||
AC_MSG_CHECKING([for LibreSSL])
|
||||
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||
AC_MSG_RESULT([yes])
|
||||
@ -602,6 +625,7 @@ AC_INCLUDES_DEFAULT
|
||||
#include <openssl/evp.h>
|
||||
])
|
||||
fi
|
||||
AC_SUBST(SSLLIB)
|
||||
|
||||
|
||||
AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support]))
|
||||
@ -713,7 +737,7 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
|
||||
|
||||
AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
|
||||
use_gost="no"
|
||||
if test $USE_NSS = "no"; then
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
case "$enable_gost" in
|
||||
no)
|
||||
;;
|
||||
@ -727,7 +751,7 @@ case "$enable_gost" in
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
fi dnl !USE_NSS
|
||||
fi dnl !USE_NSS && !USE_NETTLE
|
||||
|
||||
AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
|
||||
use_ecdsa="no"
|
||||
@ -735,7 +759,7 @@ case "$enable_ecdsa" in
|
||||
no)
|
||||
;;
|
||||
*)
|
||||
if test $USE_NSS = "no"; then
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
|
||||
AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
|
||||
AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
|
||||
@ -881,6 +905,9 @@ if test x_$found_libexpat != x_yes; then
|
||||
AC_ERROR([Could not find libexpat, expat.h])
|
||||
fi
|
||||
AC_CHECK_HEADERS([expat.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_DECLS([XML_StopParser], [], [], [AC_INCLUDES_DEFAULT
|
||||
#include <expat.h>
|
||||
])
|
||||
|
||||
# set static linking if requested
|
||||
AC_SUBST(staticexe)
|
||||
@ -985,7 +1012,7 @@ AC_INCLUDES_DEFAULT
|
||||
#endif
|
||||
])
|
||||
AC_SEARCH_LIBS([setusercontext], [util])
|
||||
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent])
|
||||
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid sbrk chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync])
|
||||
AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
|
||||
AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
|
||||
|
||||
@ -997,10 +1024,25 @@ AC_REPLACE_FUNCS(inet_aton)
|
||||
AC_REPLACE_FUNCS(inet_pton)
|
||||
AC_REPLACE_FUNCS(inet_ntop)
|
||||
AC_REPLACE_FUNCS(snprintf)
|
||||
# test if snprintf return the proper length
|
||||
if test "x$ac_cv_func_snprintf" = xyes; then
|
||||
if test c${cross_compiling} = cno; then
|
||||
AC_MSG_CHECKING([for correct snprintf return value])
|
||||
AC_RUN_IFELSE([AC_LANG_SOURCE(AC_INCLUDES_DEFAULT
|
||||
[[
|
||||
int main(void) { return !(snprintf(NULL, 0, "test") == 4); }
|
||||
]])], [AC_MSG_RESULT(yes)], [
|
||||
AC_MSG_RESULT(no)
|
||||
AC_DEFINE([SNPRINTF_RET_BROKEN], [], [define if (v)snprintf does not return length needed, (but length used)])
|
||||
AC_LIBOBJ(snprintf)
|
||||
])
|
||||
fi
|
||||
fi
|
||||
AC_REPLACE_FUNCS(strlcat)
|
||||
AC_REPLACE_FUNCS(strlcpy)
|
||||
AC_REPLACE_FUNCS(memmove)
|
||||
AC_REPLACE_FUNCS(gmtime_r)
|
||||
AC_REPLACE_FUNCS(isblank)
|
||||
dnl without CTIME, ARC4-functions and without reallocarray.
|
||||
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
|
||||
AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4)
|
||||
@ -1235,7 +1277,13 @@ AHX_CONFIG_FORMAT_ATTRIBUTE
|
||||
AHX_CONFIG_UNUSED_ATTRIBUTE
|
||||
AHX_CONFIG_FSEEKO
|
||||
AHX_CONFIG_MAXHOSTNAMELEN
|
||||
AHX_CONFIG_SNPRINTF(unbound)
|
||||
#if !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN)
|
||||
#define snprintf snprintf_unbound
|
||||
#define vsnprintf vsnprintf_unbound
|
||||
#include <stdarg.h>
|
||||
int snprintf (char *str, size_t count, const char *fmt, ...);
|
||||
int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
|
||||
#endif /* HAVE_SNPRINTF or SNPRINTF_RET_BROKEN */
|
||||
AHX_CONFIG_INET_PTON(unbound)
|
||||
AHX_CONFIG_INET_NTOP(unbound)
|
||||
AHX_CONFIG_INET_ATON(unbound)
|
||||
@ -1258,6 +1306,11 @@ AHX_MEMCMP_BROKEN(unbound)
|
||||
char *ctime_r(const time_t *timep, char *buf);
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_ISBLANK
|
||||
#define isblank unbound_isblank
|
||||
int isblank(int c);
|
||||
#endif
|
||||
|
||||
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
|
||||
#define strptime unbound_strptime
|
||||
struct tm;
|
||||
|
@ -208,12 +208,14 @@ daemon_remote_create(struct config_file* cfg)
|
||||
return NULL;
|
||||
}
|
||||
/* no SSLv2, SSLv3 because has defects */
|
||||
if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
|
||||
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
|
||||
!= SSL_OP_NO_SSLv2){
|
||||
log_crypto_err("could not set SSL_OP_NO_SSLv2");
|
||||
daemon_remote_delete(rc);
|
||||
return NULL;
|
||||
}
|
||||
if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
|
||||
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
|
||||
!= SSL_OP_NO_SSLv3){
|
||||
log_crypto_err("could not set SSL_OP_NO_SSLv3");
|
||||
daemon_remote_delete(rc);
|
||||
return NULL;
|
||||
|
@ -180,6 +180,8 @@ static void usage()
|
||||
SSLeay_version(SSLEAY_VERSION)
|
||||
#elif defined(HAVE_NSS)
|
||||
NSS_GetVersion()
|
||||
#elif defined(HAVE_NETTLE)
|
||||
"nettle"
|
||||
#endif
|
||||
);
|
||||
printf("linked modules:");
|
||||
@ -450,6 +452,9 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
|
||||
/* endpwent below, in case we need pwd for setusercontext */
|
||||
}
|
||||
#endif
|
||||
#ifdef UB_ON_WINDOWS
|
||||
w_config_adjust_directory(cfg);
|
||||
#endif
|
||||
|
||||
/* init syslog (as root) if needed, before daemonize, otherwise
|
||||
* a fork error could not be printed since daemonize closed stderr.*/
|
||||
|
@ -866,11 +866,16 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
goto send_reply;
|
||||
}
|
||||
if((ret=parse_edns_from_pkt(c->buffer, &edns)) != 0) {
|
||||
struct edns_data reply_edns;
|
||||
verbose(VERB_ALGO, "worker parse edns: formerror.");
|
||||
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
|
||||
sldns_buffer_rewind(c->buffer);
|
||||
LDNS_QR_SET(sldns_buffer_begin(c->buffer));
|
||||
memset(&reply_edns, 0, sizeof(reply_edns));
|
||||
reply_edns.edns_present = 1;
|
||||
reply_edns.udp_size = EDNS_ADVERTISED_SIZE;
|
||||
LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), ret);
|
||||
error_encode(c->buffer, ret, &qinfo,
|
||||
*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
|
||||
sldns_buffer_read_u16_at(c->buffer, 2), &reply_edns);
|
||||
server_stats_insrcode(&worker->stats, c->buffer);
|
||||
goto send_reply;
|
||||
}
|
||||
|
@ -618,8 +618,10 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
|
||||
dd->rr_ttl = (time_t*)&dd->rr_data[dd->count];
|
||||
for(i = 0; i < fd->count; ++i) {
|
||||
if (fd->rr_len[i] != 6 || fd->rr_data[i][0] != 0
|
||||
|| fd->rr_data[i][1] != 4)
|
||||
|| fd->rr_data[i][1] != 4) {
|
||||
*dd_out = NULL;
|
||||
return;
|
||||
}
|
||||
dd->rr_len[i] = 18;
|
||||
dd->rr_data[i] =
|
||||
(uint8_t*)&dd->rr_ttl[dd->count] + 18*i;
|
||||
@ -638,6 +640,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
|
||||
*/
|
||||
if(!dk) {
|
||||
log_err("no key");
|
||||
*dd_out = NULL;
|
||||
return;
|
||||
}
|
||||
|
||||
@ -646,6 +649,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
|
||||
|
||||
if(!dk->rk.dname) {
|
||||
log_err("out of memory");
|
||||
*dd_out = NULL;
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -105,7 +105,7 @@ message Message {
|
||||
|
||||
enum Type {
|
||||
// AUTH_QUERY is a DNS query message received from a resolver by an
|
||||
// authoritative name server, from the perspective of the authorative
|
||||
// authoritative name server, from the perspective of the authoritative
|
||||
// name server.
|
||||
AUTH_QUERY = 1;
|
||||
|
||||
|
@ -1,3 +1,121 @@
|
||||
8 December 2015: Wouter
|
||||
- Fixup 724 for unbound-control.
|
||||
|
||||
7 December 2015: Ralph
|
||||
- Do not minimise forwarded requests.
|
||||
|
||||
4 December 2015: Wouter
|
||||
- Removed unneeded whitespace from example.conf.
|
||||
|
||||
3 December 2015: Ralph
|
||||
- (after rc1 tag)
|
||||
- Committed fix to qname minimisation and unit test case for it.
|
||||
|
||||
3 December 2015: Wouter
|
||||
- iana portlist update.
|
||||
- 1.5.7rc1 prerelease tag.
|
||||
|
||||
2 December 2015: Wouter
|
||||
- Fixup 724: Fix PCA prompt for unbound-service-install.exe.
|
||||
re-enable stdout printout.
|
||||
- For 724: Add Changelog to windows binary dist.
|
||||
|
||||
1 December 2015: Ralph
|
||||
- Qname minimisation review fixes
|
||||
|
||||
1 December 2015: Wouter
|
||||
- Fixup 724 fix for fname_after_chroot() calls.
|
||||
- Remove stdout printout for unbound-service-install.exe
|
||||
- .gitignore for git users.
|
||||
|
||||
30 November 2015: Ralph
|
||||
- Implemented qname minimisation
|
||||
|
||||
30 November 2015: Wouter
|
||||
- Fix for #724: conf syntax to read files from run dir (on Windows).
|
||||
|
||||
25 November 2015: Wouter
|
||||
- Fix for #720, fix unbound-control-setup windows batch file.
|
||||
|
||||
24 November 2015: Wouter
|
||||
- Fix #720: add windows scripts to zip bundle.
|
||||
- iana portlist update.
|
||||
|
||||
20 November 2015: Wouter
|
||||
- Added assert on rrset cache correctness.
|
||||
- Fix that malformed EDNS query gets a response without malformed EDNS.
|
||||
|
||||
18 November 2015: Wouter
|
||||
- newer acx_nlnetlabs.m4.
|
||||
- spelling fixes from Igor Sobrado Delgado.
|
||||
|
||||
17 November 2015: Wouter
|
||||
- Fix #594. libunbound: optionally use libnettle for crypto.
|
||||
Contributed by Luca Bruno. Added --with-nettle for use with
|
||||
--with-libunbound-only.
|
||||
- refactor nsec3 hash implementation to be more library-portable.
|
||||
- iana portlist update.
|
||||
- Fixup DER encoded DSA signatures for libnettle.
|
||||
|
||||
16 November 2015: Wouter
|
||||
- Fix for lenient accept of reverse order DNAME and CNAME.
|
||||
|
||||
6 November 2015: Wouter
|
||||
- Change example.conf: ftp.internic.net to https://www.internic.net
|
||||
|
||||
5 November 2015: Wouter
|
||||
- ACX_SSL_CHECKS no longer adds -ldl needlessly.
|
||||
|
||||
3 November 2015: Wouter
|
||||
- Fix #718: Fix unbound-control-setup with support for env
|
||||
without HEREDOC bash support.
|
||||
|
||||
29 October 2015: Wouter
|
||||
- patch from Doug Hogan for SSL_OP_NO_SSLvx options.
|
||||
- Fix #716: nodata proof with empty non-terminals and wildcards.
|
||||
|
||||
28 October 2015: Wouter
|
||||
- Fix checklock testcode for linux threads on exit.
|
||||
|
||||
27 October 2015: Wouter
|
||||
- isblank() compat implementation.
|
||||
- detect libexpat without xml_StopParser function.
|
||||
- portability fixes.
|
||||
- portability, replace snprintf if return value broken.
|
||||
|
||||
23 October 2015: Wouter
|
||||
- Fix #714: Document config to block private-address for IPv4
|
||||
mapped IPv6 addresses.
|
||||
|
||||
22 October 2015: Wouter
|
||||
- Fix #712: unbound-anchor appears to not fsync root.key.
|
||||
|
||||
20 October 2015: Wouter
|
||||
- 1.5.6 release.
|
||||
- trunk tracks development of 1.5.7.
|
||||
|
||||
15 October 2015: Wouter
|
||||
- Fix segfault in the dns64 module in the formaterror error path.
|
||||
- Fix sldns_wire2str_rdata_scan for malformed RRs.
|
||||
- tag for 1.5.6rc1 release.
|
||||
|
||||
14 October 2015: Wouter
|
||||
- ANY responses include DNAME records if present, as per Evan Hunt's
|
||||
remark in dnsop.
|
||||
- Fix manpage to suggest using SIGTERM to terminate the server.
|
||||
|
||||
9 October 2015: Wouter
|
||||
- Default for ssl-port is port 853, the temporary port assignment
|
||||
for secure domain name system traffic.
|
||||
If you used to rely on the older default of port 443, you have
|
||||
to put a clause in unbound.conf for that. The new value is likely
|
||||
going to be the standardised port number for this traffic.
|
||||
- iana portlist update.
|
||||
|
||||
6 October 2015: Wouter
|
||||
- 1.5.5 release.
|
||||
- trunk tracks the development of 1.5.6.
|
||||
|
||||
28 September 2015: Wouter
|
||||
- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
|
||||
failures.
|
||||
@ -731,7 +849,7 @@
|
||||
existence in 4592. NSEC empty non-terminals exist and thus the
|
||||
RCODE should have been NOERROR. If this occurs, and the RRsets
|
||||
are secure, we set the RCODE to NOERROR and the security status
|
||||
of the reponse is also considered secure.
|
||||
of the response is also considered secure.
|
||||
|
||||
14 February 2014: Wouter
|
||||
- Works on Minix (3.2.1).
|
||||
@ -1503,7 +1621,7 @@
|
||||
- Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
|
||||
- Fix warnings with gcc 4.6 in compat/inet_ntop.c.
|
||||
- Fix warning unused in compat/strptime.c.
|
||||
- Fix malloc detection and double defintion.
|
||||
- Fix malloc detection and double definition.
|
||||
|
||||
2 December 2011: Wouter
|
||||
- configure generated with autoconf 2.68.
|
||||
@ -4948,7 +5066,7 @@
|
||||
- Advertise builtin select libevent alternative when no libevent
|
||||
is found.
|
||||
- signit can generate NSEC3 hashes, for generating tests.
|
||||
- multiple nsec3 paramaters in message test.
|
||||
- multiple nsec3 parameters in message test.
|
||||
- too high nsec3 iterations becomes insecure test.
|
||||
|
||||
21 September 2007: Wouter
|
||||
@ -5019,7 +5137,7 @@
|
||||
- testbound can replay a TCP query (set MATCH TCP in the QUERY).
|
||||
- DS and noDS referral validation test.
|
||||
- if you configure many trust anchors, parent trust anchors can
|
||||
securely deny existance of child trust anchors, if validated.
|
||||
securely deny existence of child trust anchors, if validated.
|
||||
- not all *.name NSECs are present because a wildcard was matched,
|
||||
and *.name NSECs can prove nodata for empty nonterminals.
|
||||
Also, for wildcard name NSECs, check they are not from the parent
|
||||
@ -5326,7 +5444,7 @@
|
||||
|
||||
17 July 2007: Wouter
|
||||
- forward zone options in config file.
|
||||
- forward per zone in iterator. takes precendence over stubs.
|
||||
- forward per zone in iterator. takes precedence over stubs.
|
||||
- fixup commithooks.
|
||||
- removed forward-to and forward-to-port features, subsumed by
|
||||
new forward zones.
|
||||
@ -5427,7 +5545,7 @@
|
||||
ldns and libevent are linked statically. Default is off.
|
||||
- make install and make uninstall. Works with static-exe and without.
|
||||
installation of unbound binary and manual pages.
|
||||
- alignement problem fix on solaris 64.
|
||||
- alignment problem fix on solaris 64.
|
||||
- fixup address in case of TCP error.
|
||||
|
||||
12 June 2007: Wouter
|
||||
@ -5510,7 +5628,7 @@
|
||||
- removed FLAG_CD from message and rrset caches. This was useful for
|
||||
an agnostic forwarder, but not for a sophisticated (trust value per
|
||||
rrset enabled) cache.
|
||||
- iterator reponse typing.
|
||||
- iterator response typing.
|
||||
- iterator cname handle.
|
||||
- iterator prime start.
|
||||
- subquery work.
|
||||
@ -5530,7 +5648,7 @@
|
||||
- Acknowledge use of unbound-java code in iterator. Nicer readme.
|
||||
- services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
|
||||
rrset cache from module environment.
|
||||
- packed rrset key has type and class as easily accessable struct
|
||||
- packed rrset key has type and class as easily accessible struct
|
||||
members. They are still kept in network format for fast msg encode.
|
||||
- dns cache find_delegation routine.
|
||||
- iterator main functions setup.
|
||||
@ -5614,7 +5732,7 @@
|
||||
- EDNS read from query, used to make reply smaller.
|
||||
- advertised edns value constants.
|
||||
- EDNS BADVERS response, if asked for too high edns version.
|
||||
- EDNS extended error reponses once the EDNS record from the query
|
||||
- EDNS extended error responses once the EDNS record from the query
|
||||
has successfully been parsed.
|
||||
|
||||
4 May 2007: Wouter
|
||||
|
@ -1,4 +1,4 @@
|
||||
README for Unbound 1.5.5
|
||||
README for Unbound 1.5.7
|
||||
Copyright 2007 NLnet Labs
|
||||
http://unbound.net
|
||||
|
||||
|
@ -1,14 +1,14 @@
|
||||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.5.5.
|
||||
# See unbound.conf(5) man page, version 1.5.7.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
#Use this to include other text into the file.
|
||||
#include: "otherfile.conf"
|
||||
|
||||
# The server clause sets the main parameters.
|
||||
# The server clause sets the main parameters.
|
||||
server:
|
||||
# whitespace is not necessary, but looks cleaner.
|
||||
|
||||
@ -40,7 +40,7 @@ server:
|
||||
# interface: 2001:DB8::5
|
||||
|
||||
# enable this feature to copy the source address of queries to reply.
|
||||
# Socket options are not supported on all platforms. experimental.
|
||||
# Socket options are not supported on all platforms. experimental.
|
||||
# interface-automatic: no
|
||||
|
||||
# port to answer queries from
|
||||
@ -84,10 +84,10 @@ server:
|
||||
# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
|
||||
# 0 is system default. Use 4m to handle spikes on very busy servers.
|
||||
# so-sndbuf: 0
|
||||
|
||||
|
||||
# use SO_REUSEPORT to distribute queries over threads.
|
||||
# so-reuseport: no
|
||||
|
||||
|
||||
# use IP_TRANSPARENT so the interface: addresses can be non-local
|
||||
# and you can config non-existing IPs that are going to work later on
|
||||
# ip-transparent: no
|
||||
@ -105,7 +105,7 @@ server:
|
||||
# msg-buffer-size: 65552
|
||||
|
||||
# the amount of memory to use for the message cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# msg-cache-size: 4m
|
||||
|
||||
# the number of slabs to use for the message cache.
|
||||
@ -118,12 +118,12 @@ server:
|
||||
|
||||
# if very busy, 50% queries run to completion, 50% get timeout in msec
|
||||
# jostle-timeout: 200
|
||||
|
||||
|
||||
# msec to wait before close of port on timeout UDP. 0 disables.
|
||||
# delay-close: 0
|
||||
|
||||
# the amount of memory to use for the RRset cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# rrset-cache-size: 4m
|
||||
|
||||
# the number of slabs to use for the RRset cache.
|
||||
@ -145,7 +145,7 @@ server:
|
||||
# the time to live (TTL) value for cached roundtrip times, lameness and
|
||||
# EDNS version information for hosts. In seconds.
|
||||
# infra-host-ttl: 900
|
||||
|
||||
|
||||
# minimum wait time for responses, increase if uplink is long. In msec.
|
||||
# infra-cache-min-rtt: 50
|
||||
|
||||
@ -195,8 +195,8 @@ server:
|
||||
#
|
||||
# If chroot is enabled, you should pass the configfile (from the
|
||||
# commandline) as a full path from the original root. After the
|
||||
# chroot has been performed the now defunct portion of the config
|
||||
# file path is removed to be able to reread the config after a reload.
|
||||
# chroot has been performed the now defunct portion of the config
|
||||
# file path is removed to be able to reread the config after a reload.
|
||||
#
|
||||
# All other file paths (working dir, logfile, roothints, and
|
||||
# key files) can be specified in several ways:
|
||||
@ -205,7 +205,7 @@ server:
|
||||
# o as an absolute path relative to the original root.
|
||||
# In the last case the path is adjusted to remove the unused portion.
|
||||
#
|
||||
# The pid file can be absolute and outside of the chroot, it is
|
||||
# The pid file can be absolute and outside of the chroot, it is
|
||||
# written just prior to performing the chroot and dropping permissions.
|
||||
#
|
||||
# Additionally, unbound may need to access /dev/random (for entropy).
|
||||
@ -219,22 +219,22 @@ server:
|
||||
# If you give "" no privileges are dropped.
|
||||
# username: "unbound"
|
||||
|
||||
# the working directory. The relative files in this config are
|
||||
# the working directory. The relative files in this config are
|
||||
# relative to this directory. If you give "" the working directory
|
||||
# is not changed.
|
||||
# directory: "/var/unbound"
|
||||
|
||||
# the log file, "" means log to stderr.
|
||||
# the log file, "" means log to stderr.
|
||||
# Use of this option sets use-syslog to "no".
|
||||
# logfile: ""
|
||||
|
||||
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
|
||||
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
|
||||
# log to, with identity "unbound". If yes, it overrides the logfile.
|
||||
# use-syslog: yes
|
||||
# use-syslog: yes
|
||||
|
||||
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
|
||||
# log-time-ascii: no
|
||||
|
||||
|
||||
# print one line with time, IP, name, type, class for every query.
|
||||
# log-queries: no
|
||||
|
||||
@ -242,7 +242,7 @@ server:
|
||||
# pidfile: "/var/unbound/unbound.pid"
|
||||
|
||||
# file to read root hints from.
|
||||
# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
|
||||
# get one from https://www.internic.net/domain/named.cache
|
||||
# root-hints: ""
|
||||
|
||||
# enable to not answer id.server and hostname.bind queries.
|
||||
@ -258,8 +258,8 @@ server:
|
||||
# version: ""
|
||||
|
||||
# the target fetch policy.
|
||||
# series of integers describing the policy per dependency depth.
|
||||
# The number of values in the list determines the maximum dependency
|
||||
# series of integers describing the policy per dependency depth.
|
||||
# The number of values in the list determines the maximum dependency
|
||||
# depth the recursor will pursue before giving up. Each integer means:
|
||||
# -1 : fetch all targets opportunistically,
|
||||
# 0: fetch on demand,
|
||||
@ -267,17 +267,17 @@ server:
|
||||
# Enclose the list of numbers between quotes ("").
|
||||
# target-fetch-policy: "3 2 1 0 0"
|
||||
|
||||
# Harden against very small EDNS buffer sizes.
|
||||
# Harden against very small EDNS buffer sizes.
|
||||
# harden-short-bufsize: no
|
||||
|
||||
# Harden against unseemly large queries.
|
||||
# harden-large-queries: no
|
||||
|
||||
# Harden against out of zone rrsets, to avoid spoofing attempts.
|
||||
# Harden against out of zone rrsets, to avoid spoofing attempts.
|
||||
# harden-glue: yes
|
||||
|
||||
# Harden against receiving dnssec-stripped data. If you turn it
|
||||
# off, failing to validate dnskey data for a trustanchor will
|
||||
# off, failing to validate dnskey data for a trustanchor will
|
||||
# trigger insecure mode for that zone (like without a trustanchor).
|
||||
# Default on, which insists on dnssec data for trust-anchored zones.
|
||||
# harden-dnssec-stripped: yes
|
||||
@ -287,7 +287,7 @@ server:
|
||||
|
||||
# Harden the referral path by performing additional queries for
|
||||
# infrastructure data. Validates the replies (if possible).
|
||||
# Default off, because the lookups burden the server. Experimental
|
||||
# Default off, because the lookups burden the server. Experimental
|
||||
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
|
||||
# harden-referral-path: no
|
||||
|
||||
@ -296,18 +296,23 @@ server:
|
||||
# to validate the zone.
|
||||
# harden-algo-downgrade: no
|
||||
|
||||
# Sent minimum amount of information to upstream servers to enhance
|
||||
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
|
||||
# to NS when possible.
|
||||
# qname-minimisation: no
|
||||
|
||||
# Use 0x20-encoded random bits in the query to foil spoof attempts.
|
||||
# This feature is an experimental implementation of draft dns-0x20.
|
||||
# use-caps-for-id: no
|
||||
|
||||
|
||||
# Domains (and domains in them) without support for dns-0x20 and
|
||||
# the fallback fails because they keep sending different answers.
|
||||
# caps-whitelist: "licdn.com"
|
||||
|
||||
# Enforce privacy of these addresses. Strips them away from answers.
|
||||
# It may cause DNSSEC validation to additionally mark it as bogus.
|
||||
# Protects against 'DNS Rebinding' (uses browser as network proxy).
|
||||
# Only 'private-domain' and 'local-data' names are allowed to have
|
||||
# Enforce privacy of these addresses. Strips them away from answers.
|
||||
# It may cause DNSSEC validation to additionally mark it as bogus.
|
||||
# Protects against 'DNS Rebinding' (uses browser as network proxy).
|
||||
# Only 'private-domain' and 'local-data' names are allowed to have
|
||||
# these private addresses. No default.
|
||||
# private-address: 10.0.0.0/8
|
||||
# private-address: 172.16.0.0/12
|
||||
@ -315,6 +320,7 @@ server:
|
||||
# private-address: 169.254.0.0/16
|
||||
# private-address: fd00::/8
|
||||
# private-address: fe80::/10
|
||||
# private-address: ::ffff:0:0/96
|
||||
|
||||
# Allow the domain (and its subdomains) to contain private addresses.
|
||||
# local-data statements are allowed to contain private addresses too.
|
||||
@ -373,7 +379,7 @@ server:
|
||||
# Zone file format, with DS and DNSKEY entries.
|
||||
# Note this gets out of date, use auto-trust-anchor-file please.
|
||||
# trust-anchor-file: ""
|
||||
|
||||
|
||||
# Trusted key for validation. DS or DNSKEY. specify the RR on a
|
||||
# single line, surrounded by "". TTL is ignored. class is IN default.
|
||||
# Note this gets out of date, use auto-trust-anchor-file please.
|
||||
@ -383,7 +389,7 @@ server:
|
||||
|
||||
# File with trusted keys for validation. Specify more than one file
|
||||
# with several entries, one file per entry. Like trust-anchor-file
|
||||
# but has a different file format. Format is BIND-9 style format,
|
||||
# but has a different file format. Format is BIND-9 style format,
|
||||
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
|
||||
# you need external update procedures to track changes in keys.
|
||||
# trusted-keys-file: ""
|
||||
@ -408,7 +414,7 @@ server:
|
||||
|
||||
# Should additional section of secure message also be kept clean of
|
||||
# unsecure data. Useful to shield the users of this validator from
|
||||
# potential bogus data in the additional section. All unsigned data
|
||||
# potential bogus data in the additional section. All unsigned data
|
||||
# in the additional section is removed from secure messages.
|
||||
# val-clean-additional: yes
|
||||
|
||||
@ -433,7 +439,7 @@ server:
|
||||
# A message with an NSEC3 with larger count is marked insecure.
|
||||
# List in ascending order the keysize and count values.
|
||||
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
|
||||
|
||||
|
||||
# instruct the auto-trust-anchor-file probing to add anchors after ttl.
|
||||
# add-holddown: 2592000 # 30 days
|
||||
|
||||
@ -448,7 +454,7 @@ server:
|
||||
# permit-small-holddown: no
|
||||
|
||||
# the amount of memory to use for the key cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# key-cache-size: 4m
|
||||
|
||||
# the number of slabs to use for the key cache.
|
||||
@ -457,7 +463,7 @@ server:
|
||||
# key-cache-slabs: 4
|
||||
|
||||
# the amount of memory to use for the negative cache (used for DLV).
|
||||
# plain value in bytes or you can append k, m or G. default is "1Mb".
|
||||
# plain value in bytes or you can append k, m or G. default is "1Mb".
|
||||
# neg-cache-size: 1m
|
||||
|
||||
# By default, for a number of zones a small default 'nothing here'
|
||||
@ -501,7 +507,7 @@ server:
|
||||
# local-zone: "b.e.f.ip6.arpa." nodefault
|
||||
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
|
||||
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
|
||||
|
||||
|
||||
# if unbound is running service for the local host then it is useful
|
||||
# to perform lan-wide lookups to the upstream, and unblock the
|
||||
# long list of local-zones above. If this unbound is a dns server
|
||||
@ -512,7 +518,7 @@ server:
|
||||
# a number of locally served zones can be configured.
|
||||
# local-zone: <zone> <type>
|
||||
# local-data: "<resource record string>"
|
||||
# o deny serves local data (if any), else, drops queries.
|
||||
# o deny serves local data (if any), else, drops queries.
|
||||
# o refuse serves local data (if any), else, replies with error.
|
||||
# o static serves local data, else, nxdomain or nodata answer.
|
||||
# o transparent gives local data, but resolves normally for other names
|
||||
@ -525,7 +531,7 @@ server:
|
||||
# defaults are localhost address, reverse for 127.0.0.1 and ::1
|
||||
# and nxdomain for AS112 zones. If you configure one of these zones
|
||||
# the default content is omitted, or you can omit it with 'nodefault'.
|
||||
#
|
||||
#
|
||||
# If you configure local-data without specifying local-zone, by
|
||||
# default a transparent local-zone is created for the data.
|
||||
#
|
||||
@ -552,7 +558,7 @@ server:
|
||||
# default is "" (disabled). requires restart to take effect.
|
||||
# ssl-service-key: "path/to/privatekeyfile.key"
|
||||
# ssl-service-pem: "path/to/publiccertfile.pem"
|
||||
# ssl-port: 443
|
||||
# ssl-port: 853
|
||||
|
||||
# request upstream over SSL (with plain DNS inside the SSL stream).
|
||||
# Default is no. Can be turned on and off with unbound-control.
|
||||
@ -571,7 +577,7 @@ server:
|
||||
# ratelimit-size: 4m
|
||||
# ratelimit cache slabs, reduces lock contention if equal to cpucount.
|
||||
# ratelimit-slabs: 4
|
||||
|
||||
|
||||
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
|
||||
# ratelimit-factor: 10
|
||||
|
||||
@ -590,7 +596,7 @@ python:
|
||||
# Script file to load
|
||||
# python-script: "/var/unbound/ubmodule-tst.py"
|
||||
|
||||
# Remote control config section.
|
||||
# Remote control config section.
|
||||
remote-control:
|
||||
# Enable remote control with unbound-control(8) here.
|
||||
# set up the keys and certificates with unbound-control-setup.
|
||||
@ -621,9 +627,9 @@ remote-control:
|
||||
# control-cert-file: "/var/unbound/unbound_control.pem"
|
||||
|
||||
# Stub zones.
|
||||
# Create entries like below, to make all queries for 'example.com' and
|
||||
# 'example.org' go to the given list of nameservers. list zero or more
|
||||
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
|
||||
# Create entries like below, to make all queries for 'example.com' and
|
||||
# 'example.org' go to the given list of nameservers. list zero or more
|
||||
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
|
||||
# the list is treated as priming hints (default is no).
|
||||
# With stub-first yes, it attempts without the stub if it fails.
|
||||
# Consider adding domain-insecure: name and local-zone: name nodefault
|
||||
|
@ -1,14 +1,14 @@
|
||||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.5.5.
|
||||
# See unbound.conf(5) man page, version 1.5.7.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
#Use this to include other text into the file.
|
||||
#include: "otherfile.conf"
|
||||
|
||||
# The server clause sets the main parameters.
|
||||
# The server clause sets the main parameters.
|
||||
server:
|
||||
# whitespace is not necessary, but looks cleaner.
|
||||
|
||||
@ -40,7 +40,7 @@ server:
|
||||
# interface: 2001:DB8::5
|
||||
|
||||
# enable this feature to copy the source address of queries to reply.
|
||||
# Socket options are not supported on all platforms. experimental.
|
||||
# Socket options are not supported on all platforms. experimental.
|
||||
# interface-automatic: no
|
||||
|
||||
# port to answer queries from
|
||||
@ -84,10 +84,10 @@ server:
|
||||
# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
|
||||
# 0 is system default. Use 4m to handle spikes on very busy servers.
|
||||
# so-sndbuf: 0
|
||||
|
||||
|
||||
# use SO_REUSEPORT to distribute queries over threads.
|
||||
# so-reuseport: no
|
||||
|
||||
|
||||
# use IP_TRANSPARENT so the interface: addresses can be non-local
|
||||
# and you can config non-existing IPs that are going to work later on
|
||||
# ip-transparent: no
|
||||
@ -105,7 +105,7 @@ server:
|
||||
# msg-buffer-size: 65552
|
||||
|
||||
# the amount of memory to use for the message cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# msg-cache-size: 4m
|
||||
|
||||
# the number of slabs to use for the message cache.
|
||||
@ -118,12 +118,12 @@ server:
|
||||
|
||||
# if very busy, 50% queries run to completion, 50% get timeout in msec
|
||||
# jostle-timeout: 200
|
||||
|
||||
|
||||
# msec to wait before close of port on timeout UDP. 0 disables.
|
||||
# delay-close: 0
|
||||
|
||||
# the amount of memory to use for the RRset cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# rrset-cache-size: 4m
|
||||
|
||||
# the number of slabs to use for the RRset cache.
|
||||
@ -145,7 +145,7 @@ server:
|
||||
# the time to live (TTL) value for cached roundtrip times, lameness and
|
||||
# EDNS version information for hosts. In seconds.
|
||||
# infra-host-ttl: 900
|
||||
|
||||
|
||||
# minimum wait time for responses, increase if uplink is long. In msec.
|
||||
# infra-cache-min-rtt: 50
|
||||
|
||||
@ -195,8 +195,8 @@ server:
|
||||
#
|
||||
# If chroot is enabled, you should pass the configfile (from the
|
||||
# commandline) as a full path from the original root. After the
|
||||
# chroot has been performed the now defunct portion of the config
|
||||
# file path is removed to be able to reread the config after a reload.
|
||||
# chroot has been performed the now defunct portion of the config
|
||||
# file path is removed to be able to reread the config after a reload.
|
||||
#
|
||||
# All other file paths (working dir, logfile, roothints, and
|
||||
# key files) can be specified in several ways:
|
||||
@ -205,7 +205,7 @@ server:
|
||||
# o as an absolute path relative to the original root.
|
||||
# In the last case the path is adjusted to remove the unused portion.
|
||||
#
|
||||
# The pid file can be absolute and outside of the chroot, it is
|
||||
# The pid file can be absolute and outside of the chroot, it is
|
||||
# written just prior to performing the chroot and dropping permissions.
|
||||
#
|
||||
# Additionally, unbound may need to access /dev/random (for entropy).
|
||||
@ -219,22 +219,22 @@ server:
|
||||
# If you give "" no privileges are dropped.
|
||||
# username: "@UNBOUND_USERNAME@"
|
||||
|
||||
# the working directory. The relative files in this config are
|
||||
# the working directory. The relative files in this config are
|
||||
# relative to this directory. If you give "" the working directory
|
||||
# is not changed.
|
||||
# directory: "@UNBOUND_RUN_DIR@"
|
||||
|
||||
# the log file, "" means log to stderr.
|
||||
# the log file, "" means log to stderr.
|
||||
# Use of this option sets use-syslog to "no".
|
||||
# logfile: ""
|
||||
|
||||
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
|
||||
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
|
||||
# log to, with identity "unbound". If yes, it overrides the logfile.
|
||||
# use-syslog: yes
|
||||
# use-syslog: yes
|
||||
|
||||
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
|
||||
# log-time-ascii: no
|
||||
|
||||
|
||||
# print one line with time, IP, name, type, class for every query.
|
||||
# log-queries: no
|
||||
|
||||
@ -242,7 +242,7 @@ server:
|
||||
# pidfile: "@UNBOUND_PIDFILE@"
|
||||
|
||||
# file to read root hints from.
|
||||
# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
|
||||
# get one from https://www.internic.net/domain/named.cache
|
||||
# root-hints: ""
|
||||
|
||||
# enable to not answer id.server and hostname.bind queries.
|
||||
@ -258,8 +258,8 @@ server:
|
||||
# version: ""
|
||||
|
||||
# the target fetch policy.
|
||||
# series of integers describing the policy per dependency depth.
|
||||
# The number of values in the list determines the maximum dependency
|
||||
# series of integers describing the policy per dependency depth.
|
||||
# The number of values in the list determines the maximum dependency
|
||||
# depth the recursor will pursue before giving up. Each integer means:
|
||||
# -1 : fetch all targets opportunistically,
|
||||
# 0: fetch on demand,
|
||||
@ -267,17 +267,17 @@ server:
|
||||
# Enclose the list of numbers between quotes ("").
|
||||
# target-fetch-policy: "3 2 1 0 0"
|
||||
|
||||
# Harden against very small EDNS buffer sizes.
|
||||
# Harden against very small EDNS buffer sizes.
|
||||
# harden-short-bufsize: no
|
||||
|
||||
# Harden against unseemly large queries.
|
||||
# harden-large-queries: no
|
||||
|
||||
# Harden against out of zone rrsets, to avoid spoofing attempts.
|
||||
# Harden against out of zone rrsets, to avoid spoofing attempts.
|
||||
# harden-glue: yes
|
||||
|
||||
# Harden against receiving dnssec-stripped data. If you turn it
|
||||
# off, failing to validate dnskey data for a trustanchor will
|
||||
# off, failing to validate dnskey data for a trustanchor will
|
||||
# trigger insecure mode for that zone (like without a trustanchor).
|
||||
# Default on, which insists on dnssec data for trust-anchored zones.
|
||||
# harden-dnssec-stripped: yes
|
||||
@ -287,7 +287,7 @@ server:
|
||||
|
||||
# Harden the referral path by performing additional queries for
|
||||
# infrastructure data. Validates the replies (if possible).
|
||||
# Default off, because the lookups burden the server. Experimental
|
||||
# Default off, because the lookups burden the server. Experimental
|
||||
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
|
||||
# harden-referral-path: no
|
||||
|
||||
@ -296,18 +296,23 @@ server:
|
||||
# to validate the zone.
|
||||
# harden-algo-downgrade: no
|
||||
|
||||
# Sent minimum amount of information to upstream servers to enhance
|
||||
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
|
||||
# to NS when possible.
|
||||
# qname-minimisation: no
|
||||
|
||||
# Use 0x20-encoded random bits in the query to foil spoof attempts.
|
||||
# This feature is an experimental implementation of draft dns-0x20.
|
||||
# use-caps-for-id: no
|
||||
|
||||
|
||||
# Domains (and domains in them) without support for dns-0x20 and
|
||||
# the fallback fails because they keep sending different answers.
|
||||
# caps-whitelist: "licdn.com"
|
||||
|
||||
# Enforce privacy of these addresses. Strips them away from answers.
|
||||
# It may cause DNSSEC validation to additionally mark it as bogus.
|
||||
# Protects against 'DNS Rebinding' (uses browser as network proxy).
|
||||
# Only 'private-domain' and 'local-data' names are allowed to have
|
||||
# Enforce privacy of these addresses. Strips them away from answers.
|
||||
# It may cause DNSSEC validation to additionally mark it as bogus.
|
||||
# Protects against 'DNS Rebinding' (uses browser as network proxy).
|
||||
# Only 'private-domain' and 'local-data' names are allowed to have
|
||||
# these private addresses. No default.
|
||||
# private-address: 10.0.0.0/8
|
||||
# private-address: 172.16.0.0/12
|
||||
@ -315,6 +320,7 @@ server:
|
||||
# private-address: 169.254.0.0/16
|
||||
# private-address: fd00::/8
|
||||
# private-address: fe80::/10
|
||||
# private-address: ::ffff:0:0/96
|
||||
|
||||
# Allow the domain (and its subdomains) to contain private addresses.
|
||||
# local-data statements are allowed to contain private addresses too.
|
||||
@ -373,7 +379,7 @@ server:
|
||||
# Zone file format, with DS and DNSKEY entries.
|
||||
# Note this gets out of date, use auto-trust-anchor-file please.
|
||||
# trust-anchor-file: ""
|
||||
|
||||
|
||||
# Trusted key for validation. DS or DNSKEY. specify the RR on a
|
||||
# single line, surrounded by "". TTL is ignored. class is IN default.
|
||||
# Note this gets out of date, use auto-trust-anchor-file please.
|
||||
@ -383,7 +389,7 @@ server:
|
||||
|
||||
# File with trusted keys for validation. Specify more than one file
|
||||
# with several entries, one file per entry. Like trust-anchor-file
|
||||
# but has a different file format. Format is BIND-9 style format,
|
||||
# but has a different file format. Format is BIND-9 style format,
|
||||
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
|
||||
# you need external update procedures to track changes in keys.
|
||||
# trusted-keys-file: ""
|
||||
@ -408,7 +414,7 @@ server:
|
||||
|
||||
# Should additional section of secure message also be kept clean of
|
||||
# unsecure data. Useful to shield the users of this validator from
|
||||
# potential bogus data in the additional section. All unsigned data
|
||||
# potential bogus data in the additional section. All unsigned data
|
||||
# in the additional section is removed from secure messages.
|
||||
# val-clean-additional: yes
|
||||
|
||||
@ -433,7 +439,7 @@ server:
|
||||
# A message with an NSEC3 with larger count is marked insecure.
|
||||
# List in ascending order the keysize and count values.
|
||||
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
|
||||
|
||||
|
||||
# instruct the auto-trust-anchor-file probing to add anchors after ttl.
|
||||
# add-holddown: 2592000 # 30 days
|
||||
|
||||
@ -448,7 +454,7 @@ server:
|
||||
# permit-small-holddown: no
|
||||
|
||||
# the amount of memory to use for the key cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# key-cache-size: 4m
|
||||
|
||||
# the number of slabs to use for the key cache.
|
||||
@ -457,7 +463,7 @@ server:
|
||||
# key-cache-slabs: 4
|
||||
|
||||
# the amount of memory to use for the negative cache (used for DLV).
|
||||
# plain value in bytes or you can append k, m or G. default is "1Mb".
|
||||
# plain value in bytes or you can append k, m or G. default is "1Mb".
|
||||
# neg-cache-size: 1m
|
||||
|
||||
# By default, for a number of zones a small default 'nothing here'
|
||||
@ -501,7 +507,7 @@ server:
|
||||
# local-zone: "b.e.f.ip6.arpa." nodefault
|
||||
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
|
||||
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
|
||||
|
||||
|
||||
# if unbound is running service for the local host then it is useful
|
||||
# to perform lan-wide lookups to the upstream, and unblock the
|
||||
# long list of local-zones above. If this unbound is a dns server
|
||||
@ -512,7 +518,7 @@ server:
|
||||
# a number of locally served zones can be configured.
|
||||
# local-zone: <zone> <type>
|
||||
# local-data: "<resource record string>"
|
||||
# o deny serves local data (if any), else, drops queries.
|
||||
# o deny serves local data (if any), else, drops queries.
|
||||
# o refuse serves local data (if any), else, replies with error.
|
||||
# o static serves local data, else, nxdomain or nodata answer.
|
||||
# o transparent gives local data, but resolves normally for other names
|
||||
@ -525,7 +531,7 @@ server:
|
||||
# defaults are localhost address, reverse for 127.0.0.1 and ::1
|
||||
# and nxdomain for AS112 zones. If you configure one of these zones
|
||||
# the default content is omitted, or you can omit it with 'nodefault'.
|
||||
#
|
||||
#
|
||||
# If you configure local-data without specifying local-zone, by
|
||||
# default a transparent local-zone is created for the data.
|
||||
#
|
||||
@ -552,7 +558,7 @@ server:
|
||||
# default is "" (disabled). requires restart to take effect.
|
||||
# ssl-service-key: "path/to/privatekeyfile.key"
|
||||
# ssl-service-pem: "path/to/publiccertfile.pem"
|
||||
# ssl-port: 443
|
||||
# ssl-port: 853
|
||||
|
||||
# request upstream over SSL (with plain DNS inside the SSL stream).
|
||||
# Default is no. Can be turned on and off with unbound-control.
|
||||
@ -571,7 +577,7 @@ server:
|
||||
# ratelimit-size: 4m
|
||||
# ratelimit cache slabs, reduces lock contention if equal to cpucount.
|
||||
# ratelimit-slabs: 4
|
||||
|
||||
|
||||
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
|
||||
# ratelimit-factor: 10
|
||||
|
||||
@ -590,7 +596,7 @@ python:
|
||||
# Script file to load
|
||||
# python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
|
||||
|
||||
# Remote control config section.
|
||||
# Remote control config section.
|
||||
remote-control:
|
||||
# Enable remote control with unbound-control(8) here.
|
||||
# set up the keys and certificates with unbound-control-setup.
|
||||
@ -621,9 +627,9 @@ remote-control:
|
||||
# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
|
||||
|
||||
# Stub zones.
|
||||
# Create entries like below, to make all queries for 'example.com' and
|
||||
# 'example.org' go to the given list of nameservers. list zero or more
|
||||
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
|
||||
# Create entries like below, to make all queries for 'example.com' and
|
||||
# 'example.org' go to the given list of nameservers. list zero or more
|
||||
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
|
||||
# the list is treated as priming hints (default is no).
|
||||
# With stub-first yes, it attempts without the stub if it fails.
|
||||
# Consider adding domain-insecure: name and local-zone: name nodefault
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "libunbound" "3" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "libunbound" "3" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
@ -42,7 +42,7 @@
|
||||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.5.5 functions.
|
||||
\- Unbound DNS validating resolver 1.5.7 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "libunbound" "3" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "libunbound" "3" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
@ -42,7 +42,7 @@
|
||||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.5.5 functions.
|
||||
\- Unbound DNS validating resolver 1.5.7 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-anchor" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "unbound-anchor" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-anchor" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "unbound-anchor" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-checkconf" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "unbound-checkconf" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-checkconf" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "unbound-checkconf" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-control" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "unbound-control" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" unbound-control.8 -- unbound remote control manual
|
||||
.\"
|
||||
@ -169,7 +169,7 @@ therefore not flushed. The option must end with a ':' and whitespace
|
||||
must be between the option and the value. Some values may not have an
|
||||
effect if set this way, the new values are not written to the config file,
|
||||
not all options are supported. This is different from the set_option call
|
||||
in libunbound, where all values work because unbound has not been inited.
|
||||
in libunbound, where all values work because unbound has not been initialized.
|
||||
.IP
|
||||
The values that work are: statistics\-interval, statistics\-cumulative,
|
||||
do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-control" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "unbound-control" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" unbound-control.8 -- unbound remote control manual
|
||||
.\"
|
||||
@ -169,7 +169,7 @@ therefore not flushed. The option must end with a ':' and whitespace
|
||||
must be between the option and the value. Some values may not have an
|
||||
effect if set this way, the new values are not written to the config file,
|
||||
not all options are supported. This is different from the set_option call
|
||||
in libunbound, where all values work because unbound has not been inited.
|
||||
in libunbound, where all values work because unbound has not been initialized.
|
||||
.IP
|
||||
The values that work are: statistics\-interval, statistics\-cumulative,
|
||||
do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound\-host" "1" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "unbound\-host" "1" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound\-host" "1" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "unbound\-host" "1" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "unbound" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.5.5.
|
||||
\- Unbound DNS validating resolver 1.5.7.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "unbound" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.5.5.
|
||||
\- Unbound DNS validating resolver 1.5.7.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound.conf" "5" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "unbound.conf" "5" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" unbound.conf.5 -- unbound.conf manual
|
||||
.\"
|
||||
@ -362,7 +362,7 @@ The public key certificate pem file for the ssl service. Default is "",
|
||||
turned off.
|
||||
.TP
|
||||
.B ssl\-port: \fI<number>
|
||||
The port number on which to provide TCP SSL service, default 443, only
|
||||
The port number on which to provide TCP SSL service, default 853, only
|
||||
interfaces configured with that port number as @number get the SSL service.
|
||||
.TP
|
||||
.B do\-daemonize: \fI<yes or no>
|
||||
@ -444,6 +444,8 @@ requires privileges, then a reload will fail; a restart is needed.
|
||||
.TP
|
||||
.B directory: \fI<directory>
|
||||
Sets the working directory for the program. Default is "/var/unbound".
|
||||
On Windows the string "%EXECUTABLE%" tries to change to the directory
|
||||
that unbound.exe resides in.
|
||||
.TP
|
||||
.B logfile: \fI<filename>
|
||||
If "" is given, logging goes to stderr, or nowhere once daemonized.
|
||||
@ -481,7 +483,7 @@ kill \-HUP `cat /var/unbound/unbound.pid`
|
||||
.fi
|
||||
triggers a reload,
|
||||
.nf
|
||||
kill \-QUIT `cat /var/unbound/unbound.pid`
|
||||
kill \-TERM `cat /var/unbound/unbound.pid`
|
||||
.fi
|
||||
gracefully terminates.
|
||||
.TP
|
||||
@ -585,23 +587,30 @@ queries. For domains that do not support 0x20 and also fail with fallback
|
||||
because they keep sending different answers, like some load balancers.
|
||||
Can be given multiple times, for different domains.
|
||||
.TP
|
||||
.B qname\-minimisation: \fI<yes or no>
|
||||
Send minimum amount of information to upstream servers to enhance privacy.
|
||||
Only sent minimum required labels of the QNAME and set QTYPE to NS when
|
||||
possible. Best effort approach, full QNAME and original QTYPE will be sent when
|
||||
upstream replies with a RCODE other than NOERROR. Default is off.
|
||||
.TP
|
||||
.B private\-address: \fI<IP address or subnet>
|
||||
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
|
||||
on your private network, and are not allowed to be returned for public
|
||||
internet names. Any occurence of such addresses are removed from
|
||||
DNS answers. Additionally, the DNSSEC validator may mark the answers
|
||||
bogus. This protects against so\-called DNS Rebinding, where a user browser
|
||||
is turned into a network proxy, allowing remote access through the browser
|
||||
to other parts of your private network. Some names can be allowed to
|
||||
contain your private addresses, by default all the \fBlocal\-data\fR
|
||||
that you configured is allowed to, and you can specify additional
|
||||
names using \fBprivate\-domain\fR. No private addresses are enabled
|
||||
by default. We consider to enable this for the RFC1918 private IP
|
||||
address space by default in later releases. That would enable private
|
||||
addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
|
||||
fd00::/8 and fe80::/10, since the RFC standards say these addresses
|
||||
should not be visible on the public internet. Turning on 127.0.0.0/8
|
||||
would hinder many spamblocklists as they use that.
|
||||
on your private network, and are not allowed to be returned for
|
||||
public internet names. Any occurrence of such addresses are removed
|
||||
from DNS answers. Additionally, the DNSSEC validator may mark the
|
||||
answers bogus. This protects against so\-called DNS Rebinding, where
|
||||
a user browser is turned into a network proxy, allowing remote access
|
||||
through the browser to other parts of your private network. Some names
|
||||
can be allowed to contain your private addresses, by default all the
|
||||
\fBlocal\-data\fR that you configured is allowed to, and you can specify
|
||||
additional names using \fBprivate\-domain\fR. No private addresses are
|
||||
enabled by default. We consider to enable this for the RFC1918 private
|
||||
IP address space by default in later releases. That would enable private
|
||||
addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
|
||||
fd00::/8 and fe80::/10, since the RFC standards say these addresses
|
||||
should not be visible on the public internet. Turning on 127.0.0.0/8
|
||||
would hinder many spamblocklists as they use that. Adding ::ffff:0:0/96
|
||||
stops IPv4-mapped IPv6 addresses from bypassing the filter.
|
||||
.TP
|
||||
.B private\-domain: \fI<domain name>
|
||||
Allow this domain, and all its subdomains to contain private addresses.
|
||||
@ -746,7 +755,7 @@ Instruct the validator to remove data from the additional section of secure
|
||||
messages that are not signed properly. Messages that are insecure, bogus,
|
||||
indeterminate or unchecked are not affected. Default is yes. Use this setting
|
||||
to protect the users that rely on this validator for authentication from
|
||||
protentially bad data in the additional section.
|
||||
potentially bad data in the additional section.
|
||||
.TP
|
||||
.B val\-log\-level: \fI<number>
|
||||
Have the validator print validation failures to the log. Regardless of
|
||||
@ -1033,7 +1042,7 @@ If set to 0, all queries are dropped for domains where the limit is
|
||||
exceeded. If set to another value, 1 in that number is allowed through
|
||||
to complete. Default is 10, allowing 1/10 traffic to flow normally.
|
||||
This can make ordinary queries complete (if repeatedly queried for),
|
||||
and enter the cache, whilst also mitigiting the traffic flow by the
|
||||
and enter the cache, whilst also mitigating the traffic flow by the
|
||||
factor given.
|
||||
.TP 5
|
||||
.B ratelimit\-for\-domain: \fI<domain> <number qps>
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound.conf" "5" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.TH "unbound.conf" "5" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
|
||||
.\"
|
||||
.\" unbound.conf.5 -- unbound.conf manual
|
||||
.\"
|
||||
@ -362,7 +362,7 @@ The public key certificate pem file for the ssl service. Default is "",
|
||||
turned off.
|
||||
.TP
|
||||
.B ssl\-port: \fI<number>
|
||||
The port number on which to provide TCP SSL service, default 443, only
|
||||
The port number on which to provide TCP SSL service, default 853, only
|
||||
interfaces configured with that port number as @number get the SSL service.
|
||||
.TP
|
||||
.B do\-daemonize: \fI<yes or no>
|
||||
@ -444,6 +444,8 @@ requires privileges, then a reload will fail; a restart is needed.
|
||||
.TP
|
||||
.B directory: \fI<directory>
|
||||
Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
|
||||
On Windows the string "%EXECUTABLE%" tries to change to the directory
|
||||
that unbound.exe resides in.
|
||||
.TP
|
||||
.B logfile: \fI<filename>
|
||||
If "" is given, logging goes to stderr, or nowhere once daemonized.
|
||||
@ -585,23 +587,30 @@ queries. For domains that do not support 0x20 and also fail with fallback
|
||||
because they keep sending different answers, like some load balancers.
|
||||
Can be given multiple times, for different domains.
|
||||
.TP
|
||||
.B qname\-minimisation: \fI<yes or no>
|
||||
Send minimum amount of information to upstream servers to enhance privacy.
|
||||
Only sent minimum required labels of the QNAME and set QTYPE to NS when
|
||||
possible. Best effort approach, full QNAME and original QTYPE will be sent when
|
||||
upstream replies with a RCODE other than NOERROR. Default is off.
|
||||
.TP
|
||||
.B private\-address: \fI<IP address or subnet>
|
||||
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
|
||||
on your private network, and are not allowed to be returned for public
|
||||
internet names. Any occurence of such addresses are removed from
|
||||
DNS answers. Additionally, the DNSSEC validator may mark the answers
|
||||
bogus. This protects against so\-called DNS Rebinding, where a user browser
|
||||
is turned into a network proxy, allowing remote access through the browser
|
||||
to other parts of your private network. Some names can be allowed to
|
||||
contain your private addresses, by default all the \fBlocal\-data\fR
|
||||
that you configured is allowed to, and you can specify additional
|
||||
names using \fBprivate\-domain\fR. No private addresses are enabled
|
||||
by default. We consider to enable this for the RFC1918 private IP
|
||||
address space by default in later releases. That would enable private
|
||||
addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
|
||||
fd00::/8 and fe80::/10, since the RFC standards say these addresses
|
||||
should not be visible on the public internet. Turning on 127.0.0.0/8
|
||||
would hinder many spamblocklists as they use that.
|
||||
on your private network, and are not allowed to be returned for
|
||||
public internet names. Any occurrence of such addresses are removed
|
||||
from DNS answers. Additionally, the DNSSEC validator may mark the
|
||||
answers bogus. This protects against so\-called DNS Rebinding, where
|
||||
a user browser is turned into a network proxy, allowing remote access
|
||||
through the browser to other parts of your private network. Some names
|
||||
can be allowed to contain your private addresses, by default all the
|
||||
\fBlocal\-data\fR that you configured is allowed to, and you can specify
|
||||
additional names using \fBprivate\-domain\fR. No private addresses are
|
||||
enabled by default. We consider to enable this for the RFC1918 private
|
||||
IP address space by default in later releases. That would enable private
|
||||
addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
|
||||
fd00::/8 and fe80::/10, since the RFC standards say these addresses
|
||||
should not be visible on the public internet. Turning on 127.0.0.0/8
|
||||
would hinder many spamblocklists as they use that. Adding ::ffff:0:0/96
|
||||
stops IPv4-mapped IPv6 addresses from bypassing the filter.
|
||||
.TP
|
||||
.B private\-domain: \fI<domain name>
|
||||
Allow this domain, and all its subdomains to contain private addresses.
|
||||
@ -746,7 +755,7 @@ Instruct the validator to remove data from the additional section of secure
|
||||
messages that are not signed properly. Messages that are insecure, bogus,
|
||||
indeterminate or unchecked are not affected. Default is yes. Use this setting
|
||||
to protect the users that rely on this validator for authentication from
|
||||
protentially bad data in the additional section.
|
||||
potentially bad data in the additional section.
|
||||
.TP
|
||||
.B val\-log\-level: \fI<number>
|
||||
Have the validator print validation failures to the log. Regardless of
|
||||
@ -1033,7 +1042,7 @@ If set to 0, all queries are dropped for domains where the limit is
|
||||
exceeded. If set to another value, 1 in that number is allowed through
|
||||
to complete. Default is 10, allowing 1/10 traffic to flow normally.
|
||||
This can make ordinary queries complete (if repeatedly queried for),
|
||||
and enter the cache, whilst also mitigiting the traffic flow by the
|
||||
and enter the cache, whilst also mitigating the traffic flow by the
|
||||
factor given.
|
||||
.TP 5
|
||||
.B ratelimit\-for\-domain: \fI<domain> <number qps>
|
||||
|
@ -405,7 +405,43 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
||||
|
||||
/* Follow the CNAME chain. */
|
||||
if(rrset->type == LDNS_RR_TYPE_CNAME) {
|
||||
struct rrset_parse* nx = rrset->rrset_all_next;
|
||||
uint8_t* oldsname = sname;
|
||||
/* see if the next one is a DNAME, if so, swap them */
|
||||
if(nx && nx->section == LDNS_SECTION_ANSWER &&
|
||||
nx->type == LDNS_RR_TYPE_DNAME &&
|
||||
nx->rr_count == 1 &&
|
||||
pkt_strict_sub(pkt, sname, nx->dname)) {
|
||||
/* there is a DNAME after this CNAME, it
|
||||
* is in the ANSWER section, and the DNAME
|
||||
* applies to the name we cover */
|
||||
/* check if the alias of the DNAME equals
|
||||
* this CNAME */
|
||||
uint8_t alias[LDNS_MAX_DOMAINLEN+1];
|
||||
size_t aliaslen = 0;
|
||||
uint8_t* t = NULL;
|
||||
size_t tlen = 0;
|
||||
if(synth_cname(sname, snamelen, nx, alias,
|
||||
&aliaslen, pkt) &&
|
||||
parse_get_cname_target(rrset, &t, &tlen) &&
|
||||
dname_pkt_compare(pkt, alias, t) == 0) {
|
||||
/* the synthesized CNAME equals the
|
||||
* current CNAME. This CNAME is the
|
||||
* one that the DNAME creates, and this
|
||||
* CNAME is better capitalised */
|
||||
verbose(VERB_ALGO, "normalize: re-order of DNAME and its CNAME");
|
||||
if(prev) prev->rrset_all_next = nx;
|
||||
else msg->rrset_first = nx;
|
||||
if(nx->rrset_all_next == NULL)
|
||||
msg->rrset_last = rrset;
|
||||
rrset->rrset_all_next =
|
||||
nx->rrset_all_next;
|
||||
nx->rrset_all_next = rrset;
|
||||
prev = nx;
|
||||
}
|
||||
}
|
||||
|
||||
/* move to next name in CNAME chain */
|
||||
if(!parse_get_cname_target(rrset, &sname, &snamelen))
|
||||
return 0;
|
||||
prev = rrset;
|
||||
@ -638,7 +674,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
|
||||
* children of the originating zone. The idea here is that,
|
||||
* as far as we know, the server that we contacted is ONLY
|
||||
* authoritative for the originating zone. It, of course, MAY
|
||||
* be authoriative for any other zones, and of course, MAY
|
||||
* be authoritative for any other zones, and of course, MAY
|
||||
* NOT be authoritative for some subdomains of the originating
|
||||
* zone. */
|
||||
prev = NULL;
|
||||
|
@ -255,7 +255,7 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
|
||||
return -1; /* server is lame */
|
||||
else if(rtt >= USEFUL_SERVER_TOP_TIMEOUT)
|
||||
/* server is unresponsive,
|
||||
* we used to return TOP_TIMOUT, but fairly useless,
|
||||
* we used to return TOP_TIMEOUT, but fairly useless,
|
||||
* because if == TOP_TIMEOUT is dropped because
|
||||
* blacklisted later, instead, remove it here, so
|
||||
* other choices (that are not blacklisted) can be
|
||||
@ -306,7 +306,7 @@ iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
|
||||
return got_it;
|
||||
}
|
||||
|
||||
/** filter the addres list, putting best targets at front,
|
||||
/** filter the address list, putting best targets at front,
|
||||
* returns number of best targets (or 0, no suitable targets) */
|
||||
static int
|
||||
iter_filter_order(struct iter_env* iter_env, struct module_env* env,
|
||||
|
@ -64,6 +64,7 @@
|
||||
#include "util/random.h"
|
||||
#include "sldns/rrdef.h"
|
||||
#include "sldns/wire2str.h"
|
||||
#include "sldns/str2wire.h"
|
||||
#include "sldns/parseutil.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
|
||||
@ -81,6 +82,21 @@ iter_init(struct module_env* env, int id)
|
||||
log_err("iterator: could not apply configuration settings.");
|
||||
return 0;
|
||||
}
|
||||
if(env->cfg->qname_minimisation) {
|
||||
uint8_t dname[LDNS_MAX_DOMAINLEN+1];
|
||||
size_t len = sizeof(dname);
|
||||
if(sldns_str2wire_dname_buf("ip6.arpa.", dname, &len) != 0) {
|
||||
log_err("ip6.arpa. parse error");
|
||||
return 0;
|
||||
}
|
||||
iter_env->ip6arpa_dname = (uint8_t*)malloc(len);
|
||||
if(!iter_env->ip6arpa_dname) {
|
||||
log_err("malloc failure");
|
||||
return 0;
|
||||
}
|
||||
memcpy(iter_env->ip6arpa_dname, dname, len);
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -101,6 +117,7 @@ iter_deinit(struct module_env* env, int id)
|
||||
if(!env || !env->modinfo[id])
|
||||
return;
|
||||
iter_env = (struct iter_env*)env->modinfo[id];
|
||||
free(iter_env->ip6arpa_dname);
|
||||
free(iter_env->target_fetch_policy);
|
||||
priv_delete(iter_env->priv);
|
||||
donotq_delete(iter_env->donotq);
|
||||
@ -145,6 +162,12 @@ iter_new(struct module_qstate* qstate, int id)
|
||||
/* Start with the (current) qname. */
|
||||
iq->qchase = qstate->qinfo;
|
||||
outbound_list_init(&iq->outlist);
|
||||
if (qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = INIT_MINIMISE_STATE;
|
||||
else
|
||||
iq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
|
||||
memset(&iq->qinfo_out, 0, sizeof(struct query_info));
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -176,7 +199,7 @@ next_state(struct iter_qstate* iq, enum iter_state nextstate)
|
||||
/**
|
||||
* Transition an event to its final state. Final states always either return
|
||||
* a result up the module chain, or reactivate a dependent event. Which
|
||||
* final state to transtion to is set in the module state for the event when
|
||||
* final state to transition to is set in the module state for the event when
|
||||
* it was created, and depends on the original purpose of the event.
|
||||
*
|
||||
* The response is stored in the qstate->buf buffer.
|
||||
@ -506,7 +529,7 @@ target_count_increase(struct iter_qstate* iq, int num)
|
||||
/**
|
||||
* Generate a subrequest.
|
||||
* Generate a local request event. Local events are tied to this module, and
|
||||
* have a correponding (first tier) event that is waiting for this event to
|
||||
* have a corresponding (first tier) event that is waiting for this event to
|
||||
* resolve to continue.
|
||||
*
|
||||
* @param qname The query name for this request.
|
||||
@ -590,6 +613,11 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
|
||||
subiq->qchase = subq->qinfo;
|
||||
subiq->chase_flags = subq->query_flags;
|
||||
subiq->refetch_glue = 0;
|
||||
if(qstate->env->cfg->qname_minimisation)
|
||||
subiq->minimisation_state = INIT_MINIMISE_STATE;
|
||||
else
|
||||
subiq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
memset(&subiq->qinfo_out, 0, sizeof(struct query_info));
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
@ -1042,6 +1070,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
iq->query_restart_count++;
|
||||
iq->sent_count = 0;
|
||||
sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region);
|
||||
if(qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = INIT_MINIMISE_STATE;
|
||||
return next_state(iq, INIT_REQUEST_STATE);
|
||||
}
|
||||
|
||||
@ -1062,6 +1092,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
||||
}
|
||||
iq->refetch_glue = 0;
|
||||
iq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
/* the request has been forwarded.
|
||||
* forwarded requests need to be immediately sent to the
|
||||
* next state, QUERYTARGETS. */
|
||||
@ -1599,6 +1630,8 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
iq->refetch_glue = 1;
|
||||
iq->query_restart_count++;
|
||||
iq->sent_count = 0;
|
||||
if(qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = INIT_MINIMISE_STATE;
|
||||
return next_state(iq, INIT_REQUEST_STATE);
|
||||
}
|
||||
}
|
||||
@ -1975,9 +2008,78 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
}
|
||||
}
|
||||
|
||||
if(iq->minimisation_state == INIT_MINIMISE_STATE) {
|
||||
/* (Re)set qinfo_out to (new) delegation point, except
|
||||
* when qinfo_out is already a subdomain of dp. This happens
|
||||
* when resolving ip6.arpa dnames. */
|
||||
if(!(iq->qinfo_out.qname_len
|
||||
&& dname_subdomain_c(iq->qchase.qname,
|
||||
iq->qinfo_out.qname)
|
||||
&& dname_subdomain_c(iq->qinfo_out.qname,
|
||||
iq->dp->name))) {
|
||||
iq->qinfo_out.qname = iq->dp->name;
|
||||
iq->qinfo_out.qname_len = iq->dp->namelen;
|
||||
iq->qinfo_out.qtype = LDNS_RR_TYPE_NS;
|
||||
iq->qinfo_out.qclass = iq->qchase.qclass;
|
||||
}
|
||||
|
||||
iq->minimisation_state = MINIMISE_STATE;
|
||||
}
|
||||
if(iq->minimisation_state == MINIMISE_STATE) {
|
||||
int labdiff = dname_count_labels(iq->qchase.qname) -
|
||||
dname_count_labels(iq->qinfo_out.qname);
|
||||
|
||||
iq->qinfo_out.qname = iq->qchase.qname;
|
||||
iq->qinfo_out.qname_len = iq->qchase.qname_len;
|
||||
|
||||
/* Special treatment for ip6.arpa lookups.
|
||||
* Reverse IPv6 dname has 34 labels, increment the IP part
|
||||
* (usually first 32 labels) by 8 labels (7 more than the
|
||||
* default 1 label increment). */
|
||||
if(labdiff <= 32 &&
|
||||
dname_subdomain_c(iq->qchase.qname, ie->ip6arpa_dname)) {
|
||||
labdiff -= 7;
|
||||
/* Small chance of zone cut after first label. Stop
|
||||
* minimising */
|
||||
if(labdiff <= 1)
|
||||
labdiff = 0;
|
||||
}
|
||||
|
||||
if(labdiff > 1) {
|
||||
verbose(VERB_QUERY, "removing %d labels", labdiff-1);
|
||||
dname_remove_labels(&iq->qinfo_out.qname,
|
||||
&iq->qinfo_out.qname_len,
|
||||
labdiff-1);
|
||||
}
|
||||
if(labdiff < 1 ||
|
||||
(labdiff < 2 && iq->qchase.qtype == LDNS_RR_TYPE_DS))
|
||||
/* Stop minimising this query, resolve "as usual" */
|
||||
iq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
else {
|
||||
struct dns_msg* msg = dns_cache_lookup(qstate->env,
|
||||
iq->qinfo_out.qname, iq->qinfo_out.qname_len,
|
||||
iq->qinfo_out.qtype, iq->qinfo_out.qclass,
|
||||
qstate->query_flags, qstate->region,
|
||||
qstate->env->scratch);
|
||||
if(msg && msg->rep->an_numrrsets == 0
|
||||
&& FLAGS_GET_RCODE(msg->rep->flags) ==
|
||||
LDNS_RCODE_NOERROR)
|
||||
/* no need to send query if it is already
|
||||
* cached as NOERROR/NODATA */
|
||||
return 1;
|
||||
}
|
||||
|
||||
}
|
||||
if(iq->minimisation_state == SKIP_MINIMISE_STATE)
|
||||
/* Do not increment qname, continue incrementing next
|
||||
* iteration */
|
||||
iq->minimisation_state = MINIMISE_STATE;
|
||||
if(iq->minimisation_state == DONOT_MINIMISE_STATE)
|
||||
iq->qinfo_out = iq->qchase;
|
||||
|
||||
/* We have a valid target. */
|
||||
if(verbosity >= VERB_QUERY) {
|
||||
log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
|
||||
log_query_info(VERB_QUERY, "sending query:", &iq->qinfo_out);
|
||||
log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name,
|
||||
&target->addr, target->addrlen);
|
||||
verbose(VERB_ALGO, "dnssec status: %s%s",
|
||||
@ -1986,8 +2088,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
}
|
||||
fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
|
||||
outq = (*qstate->env->send_query)(
|
||||
iq->qchase.qname, iq->qchase.qname_len,
|
||||
iq->qchase.qtype, iq->qchase.qclass,
|
||||
iq->qinfo_out.qname, iq->qinfo_out.qname_len,
|
||||
iq->qinfo_out.qtype, iq->qinfo_out.qclass,
|
||||
iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), EDNS_DO|BIT_CD,
|
||||
iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
|
||||
ie, iq), &target->addr, target->addrlen, iq->dp->name,
|
||||
@ -2042,6 +2144,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
enum response_type type;
|
||||
iq->num_current_queries--;
|
||||
if(iq->response == NULL) {
|
||||
/* Don't increment qname when QNAME minimisation is enabled */
|
||||
if (qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = SKIP_MINIMISE_STATE;
|
||||
iq->chase_to_rd = 0;
|
||||
iq->dnssec_lame_query = 0;
|
||||
verbose(VERB_ALGO, "query response was timeout");
|
||||
@ -2142,6 +2247,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
sock_list_insert(&qstate->reply_origin,
|
||||
&qstate->reply->addr, qstate->reply->addrlen,
|
||||
qstate->region);
|
||||
if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
|
||||
/* Best effort qname-minimisation.
|
||||
* Stop minimising and send full query when RCODE
|
||||
* is not NOERROR */
|
||||
if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
|
||||
LDNS_RCODE_NOERROR)
|
||||
iq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
return next_state(iq, QUERYTARGETS_STATE);
|
||||
}
|
||||
return final_state(iq);
|
||||
} else if(type == RESPONSE_TYPE_REFERRAL) {
|
||||
/* REFERRAL type responses get a reset of the
|
||||
@ -2201,6 +2315,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
* point to the referral. */
|
||||
iq->deleg_msg = iq->response;
|
||||
iq->dp = delegpt_from_message(iq->response, qstate->region);
|
||||
if (qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = INIT_MINIMISE_STATE;
|
||||
if(!iq->dp)
|
||||
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
||||
if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
|
||||
@ -2280,6 +2396,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
/* set the current request's qname to the new value. */
|
||||
iq->qchase.qname = sname;
|
||||
iq->qchase.qname_len = snamelen;
|
||||
if (qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = INIT_MINIMISE_STATE;
|
||||
/* Clear the query state, since this is a query restart. */
|
||||
iq->deleg_msg = NULL;
|
||||
iq->dp = NULL;
|
||||
@ -2353,6 +2471,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
/* LAME, THROWAWAY and "unknown" all end up here.
|
||||
* Recycle to the QUERYTARGETS state to hopefully try a
|
||||
* different target. */
|
||||
if (qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
return next_state(iq, QUERYTARGETS_STATE);
|
||||
}
|
||||
|
||||
@ -2968,7 +3088,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
prs->flags &= ~BIT_CD;
|
||||
|
||||
/* normalize and sanitize: easy to delete items from linked lists */
|
||||
if(!scrub_message(pkt, prs, &iq->qchase, iq->dp->name,
|
||||
if(!scrub_message(pkt, prs, &iq->qinfo_out, iq->dp->name,
|
||||
qstate->env->scratch, qstate->env, ie)) {
|
||||
/* if 0x20 enabled, start fallback, but we have no message */
|
||||
if(event == module_event_capsfail && !iq->caps_fallback) {
|
||||
|
@ -112,6 +112,32 @@ struct iter_env {
|
||||
* array of max_dependency_depth+1 size.
|
||||
*/
|
||||
int* target_fetch_policy;
|
||||
|
||||
/** ip6.arpa dname in wireformat, used for qname-minimisation */
|
||||
uint8_t* ip6arpa_dname;
|
||||
};
|
||||
|
||||
/**
|
||||
* QNAME minimisation state
|
||||
*/
|
||||
enum minimisation_state {
|
||||
/**
|
||||
* (Re)start minimisation. Outgoing QNAME should be set to dp->name.
|
||||
* State entered on new query or after following refferal or CNAME.
|
||||
*/
|
||||
INIT_MINIMISE_STATE = 0,
|
||||
/**
|
||||
* QNAME minimisataion ongoing. Increase QNAME on every iteration.
|
||||
*/
|
||||
MINIMISE_STATE,
|
||||
/**
|
||||
* Don't increment QNAME this iteration
|
||||
*/
|
||||
SKIP_MINIMISE_STATE,
|
||||
/**
|
||||
* Send out full QNAME + original QTYPE
|
||||
*/
|
||||
DONOT_MINIMISE_STATE,
|
||||
};
|
||||
|
||||
/**
|
||||
@ -322,6 +348,15 @@ struct iter_qstate {
|
||||
|
||||
/** list of pending queries to authoritative servers. */
|
||||
struct outbound_list outlist;
|
||||
|
||||
/** QNAME minimisation state */
|
||||
enum minimisation_state minimisation_state;
|
||||
|
||||
/**
|
||||
* The query info that is sent upstream. Will be a subset of qchase
|
||||
* when qname minimisation is enabled.
|
||||
*/
|
||||
struct query_info qinfo_out;
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -68,6 +68,9 @@
|
||||
#ifdef HAVE_SYS_WAIT_H
|
||||
#include <sys/wait.h>
|
||||
#endif
|
||||
#ifdef HAVE_TIME_H
|
||||
#include <time.h>
|
||||
#endif
|
||||
|
||||
#if defined(UB_ON_WINDOWS) && defined (HAVE_WINDOWS_H)
|
||||
#include <windows.h>
|
||||
|
@ -36,7 +36,7 @@
|
||||
help:
|
||||
@echo "Please use \`make <target>' where <target> is one of"
|
||||
@echo " testenv to make test environment and run bash "
|
||||
@echo " usefull in case you don't want to install unbound but want to test examples"
|
||||
@echo " useful in case you don't want to install unbound but want to test examples"
|
||||
@echo " doc to make documentation"
|
||||
@echo " clean clean all"
|
||||
|
||||
|
@ -22,7 +22,7 @@ You need GNU make to compile sources; SWIG and Python devel libraries to compile
|
||||
|
||||
**Testing**
|
||||
|
||||
If the compilation is successfull, you can test the python LDNS extension module by::
|
||||
If the compilation is successful, you can test the python LDNS extension module by::
|
||||
|
||||
> cd contrib/python
|
||||
> make testenv
|
||||
|
@ -42,7 +42,7 @@ Class ub_result
|
||||
False, if validation failed or domain queried has no security info.
|
||||
|
||||
It is possible to get a result with no data (havedata is false),
|
||||
and secure is true. This means that the non-existance of the data
|
||||
and secure is true. This means that the non-existence of the data
|
||||
was cryptographically proven (with signatures).
|
||||
|
||||
.. attribute:: bogus
|
||||
|
@ -44,7 +44,7 @@
|
||||
ctx.debuglevel(2)
|
||||
|
||||
if os.path.isfile("keys"):
|
||||
ctx.add_ta_file("keys") #read public keys for DNSSEC verificatio
|
||||
ctx.add_ta_file("keys") #read public keys for DNSSEC verification
|
||||
|
||||
status, result = ctx.resolve("www.nic.cz", RR_TYPE_A, RR_CLASS_IN)
|
||||
if status == 0 and result.havedata:
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* libounbound.i: pyUnbound module (libunbound wrapper for Python)
|
||||
* libunbound.i: pyUnbound module (libunbound wrapper for Python)
|
||||
*
|
||||
* Copyright (c) 2009, Zdenek Vasicek (vasicek AT fit.vutbr.cz)
|
||||
* Marek Vavrusa (xvavru00 AT stud.fit.vutbr.cz)
|
||||
@ -455,7 +455,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
|
||||
#_UB_CTX_METHODS#
|
||||
|
||||
def zone_print(self):
|
||||
"""Print local zones using debougout"""
|
||||
"""Print local zones using debugout"""
|
||||
_unbound.ub_ctx_print_local_zones(self)
|
||||
|
||||
def zone_add(self,zonename,zonetype):
|
||||
|
@ -4394,7 +4394,7 @@ EOF
|
||||
{
|
||||
/* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
|
||||
namespace, but it is not one of the ones we know about and
|
||||
have already dealt with, above (inluding dump-script), then
|
||||
have already dealt with, above (including dump-script), then
|
||||
report an error. Otherwise, targets might begin to believe
|
||||
they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
|
||||
namespace. The first time any user complains about this, we'll
|
||||
|
5
contrib/unbound/services/cache/dns.c
vendored
5
contrib/unbound/services/cache/dns.c
vendored
@ -656,8 +656,9 @@ fill_any(struct module_env* env,
|
||||
time_t now = *env->now;
|
||||
struct dns_msg* msg = NULL;
|
||||
uint16_t lookup[] = {LDNS_RR_TYPE_A, LDNS_RR_TYPE_AAAA,
|
||||
LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS, 0};
|
||||
int i, num=5; /* number of RR types to look up */
|
||||
LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS,
|
||||
LDNS_RR_TYPE_DNAME, 0};
|
||||
int i, num=6; /* number of RR types to look up */
|
||||
log_assert(lookup[num] == 0);
|
||||
|
||||
for(i=0; i<num; i++) {
|
||||
|
1
contrib/unbound/services/cache/rrset.c
vendored
1
contrib/unbound/services/cache/rrset.c
vendored
@ -190,6 +190,7 @@ rrset_cache_update(struct rrset_cache* r, struct rrset_ref* ref,
|
||||
uint16_t rrset_type = ntohs(k->rk.type);
|
||||
int equal = 0;
|
||||
log_assert(ref->id != 0 && k->id != 0);
|
||||
log_assert(k->rk.dname != NULL);
|
||||
/* looks up item with a readlock - no editing! */
|
||||
if((e=slabhash_lookup(&r->table, h, k, 0)) != 0) {
|
||||
/* return id and key as they will be used in the cache
|
||||
|
@ -56,13 +56,13 @@ time_t sldns_mktime_from_utc(const struct tm *tm);
|
||||
|
||||
/**
|
||||
* The function interprets time as the number of seconds since epoch
|
||||
* with respect to now using serial arithmitics (rfc1982).
|
||||
* with respect to now using serial arithmetics (rfc1982).
|
||||
* That number of seconds is then converted to broken-out time information.
|
||||
* This is especially usefull when converting the inception and expiration
|
||||
* fields of RRSIG records.
|
||||
*
|
||||
* \param[in] time number of seconds since epoch (midnight, January 1st, 1970)
|
||||
* to be intepreted as a serial arithmitics number relative to now.
|
||||
* to be intepreted as a serial arithmetics number relative to now.
|
||||
* \param[in] now number of seconds since epoch (midnight, January 1st, 1970)
|
||||
* to which the time value is compared to determine the final value.
|
||||
* \param[out] result the struct with the broken-out time information
|
||||
|
@ -697,6 +697,9 @@ int sldns_wire2str_rdata_scan(uint8_t** d, size_t* dlen, char** s,
|
||||
}
|
||||
w += n;
|
||||
}
|
||||
if(*dlen != 0) {
|
||||
goto failed;
|
||||
}
|
||||
return w;
|
||||
}
|
||||
|
||||
|
@ -95,7 +95,7 @@
|
||||
* signed yet; avoids attacks on system clock). The
|
||||
* last-successful-RFC5011-probe (if available) has to be more than 30 days
|
||||
* in the past (otherwise, RFC5011 should have worked). This keeps
|
||||
* unneccesary https traffic down. If the main certificate is expired, it
|
||||
* unnecessary https traffic down. If the main certificate is expired, it
|
||||
* fails.
|
||||
*
|
||||
* The dates on the keys in the xml are checked (uses the libexpat xml
|
||||
@ -1520,7 +1520,11 @@ xml_entitydeclhandler(void *userData,
|
||||
const XML_Char *ATTR_UNUSED(publicId),
|
||||
const XML_Char *ATTR_UNUSED(notationName))
|
||||
{
|
||||
#if HAVE_DECL_XML_STOPPARSER
|
||||
(void)XML_StopParser((XML_Parser)userData, XML_FALSE);
|
||||
#else
|
||||
(void)userData;
|
||||
#endif
|
||||
}
|
||||
|
||||
/**
|
||||
@ -1828,6 +1832,12 @@ write_unsigned_root(const char* root_anchor_file)
|
||||
root_anchor_file);
|
||||
if(verb && errno != 0) printf("%s\n", strerror(errno));
|
||||
}
|
||||
fflush(out);
|
||||
#ifdef HAVE_FSYNC
|
||||
fsync(fileno(out));
|
||||
#else
|
||||
FlushFileBuffers((HANDLE)_fileno(out));
|
||||
#endif
|
||||
fclose(out);
|
||||
}
|
||||
|
||||
@ -1854,6 +1864,12 @@ write_root_anchor(const char* root_anchor_file, BIO* ds)
|
||||
root_anchor_file);
|
||||
if(verb && errno != 0) printf("%s\n", strerror(errno));
|
||||
}
|
||||
fflush(out);
|
||||
#ifdef HAVE_FSYNC
|
||||
fsync(fileno(out));
|
||||
#else
|
||||
FlushFileBuffers((HANDLE)_fileno(out));
|
||||
#endif
|
||||
fclose(out);
|
||||
}
|
||||
|
||||
|
@ -335,7 +335,9 @@ morechecks(struct config_file* cfg, const char* fname)
|
||||
if(cfg->edns_buffer_size > cfg->msg_buffer_size)
|
||||
fatal_exit("edns-buffer-size larger than msg-buffer-size, "
|
||||
"answers will not fit in processing buffer");
|
||||
|
||||
#ifdef UB_ON_WINDOWS
|
||||
w_config_adjust_directory(cfg);
|
||||
#endif
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] &&
|
||||
cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
|
||||
fatal_exit("chootdir %s has trailing slash '/' please remove.",
|
||||
|
@ -107,16 +107,15 @@ else
|
||||
fi
|
||||
|
||||
# create self-signed cert for server
|
||||
cat >request.cfg <<EOF
|
||||
[req]
|
||||
default_bits=$BITS
|
||||
default_md=$HASH
|
||||
prompt=no
|
||||
distinguished_name=req_distinguished_name
|
||||
echo "[req]\n" > request.cfg
|
||||
echo "default_bits=$BITS\n" >> request.cfg
|
||||
echo "default_md=$HASH\n" >> request.cfg
|
||||
echo "prompt=no\n" >> request.cfg
|
||||
echo "distinguished_name=req_distinguished_name\n" >> request.cfg
|
||||
echo "\n" >> request.cfg
|
||||
echo "[req_distinguished_name]\n" >> request.cfg
|
||||
echo "commonName=$SERVERNAME\n" >> request.cfg
|
||||
|
||||
[req_distinguished_name]
|
||||
commonName=$SERVERNAME
|
||||
EOF
|
||||
test -f request.cfg || error "could not create request.cfg"
|
||||
|
||||
echo "create $SVR_BASE.pem (self signed certificate)"
|
||||
@ -125,16 +124,15 @@ openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out
|
||||
openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
|
||||
|
||||
# create client request and sign it, piped
|
||||
cat >request.cfg <<EOF
|
||||
[req]
|
||||
default_bits=$BITS
|
||||
default_md=$HASH
|
||||
prompt=no
|
||||
distinguished_name=req_distinguished_name
|
||||
echo "[req]\n" > request.cfg
|
||||
echo "default_bits=$BITS\n" >> request.cfg
|
||||
echo "default_md=$HASH\n" >> request.cfg
|
||||
echo "prompt=no\n" >> request.cfg
|
||||
echo "distinguished_name=req_distinguished_name\n" >> request.cfg
|
||||
echo "\n" >> request.cfg
|
||||
echo "[req_distinguished_name]\n" >> request.cfg
|
||||
echo "commonName=$CLIENTNAME" >> request.cfg
|
||||
|
||||
[req_distinguished_name]
|
||||
commonName=$CLIENTNAME
|
||||
EOF
|
||||
test -f request.cfg || error "could not create request.cfg"
|
||||
|
||||
echo "create $CTL_BASE.pem (signed client certificate)"
|
||||
|
@ -107,16 +107,15 @@ else
|
||||
fi
|
||||
|
||||
# create self-signed cert for server
|
||||
cat >request.cfg <<EOF
|
||||
[req]
|
||||
default_bits=$BITS
|
||||
default_md=$HASH
|
||||
prompt=no
|
||||
distinguished_name=req_distinguished_name
|
||||
echo "[req]\n" > request.cfg
|
||||
echo "default_bits=$BITS\n" >> request.cfg
|
||||
echo "default_md=$HASH\n" >> request.cfg
|
||||
echo "prompt=no\n" >> request.cfg
|
||||
echo "distinguished_name=req_distinguished_name\n" >> request.cfg
|
||||
echo "\n" >> request.cfg
|
||||
echo "[req_distinguished_name]\n" >> request.cfg
|
||||
echo "commonName=$SERVERNAME\n" >> request.cfg
|
||||
|
||||
[req_distinguished_name]
|
||||
commonName=$SERVERNAME
|
||||
EOF
|
||||
test -f request.cfg || error "could not create request.cfg"
|
||||
|
||||
echo "create $SVR_BASE.pem (self signed certificate)"
|
||||
@ -125,16 +124,15 @@ openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out
|
||||
openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
|
||||
|
||||
# create client request and sign it, piped
|
||||
cat >request.cfg <<EOF
|
||||
[req]
|
||||
default_bits=$BITS
|
||||
default_md=$HASH
|
||||
prompt=no
|
||||
distinguished_name=req_distinguished_name
|
||||
echo "[req]\n" > request.cfg
|
||||
echo "default_bits=$BITS\n" >> request.cfg
|
||||
echo "default_md=$HASH\n" >> request.cfg
|
||||
echo "prompt=no\n" >> request.cfg
|
||||
echo "distinguished_name=req_distinguished_name\n" >> request.cfg
|
||||
echo "\n" >> request.cfg
|
||||
echo "[req_distinguished_name]\n" >> request.cfg
|
||||
echo "commonName=$CLIENTNAME" >> request.cfg
|
||||
|
||||
[req_distinguished_name]
|
||||
commonName=$CLIENTNAME
|
||||
EOF
|
||||
test -f request.cfg || error "could not create request.cfg"
|
||||
|
||||
echo "create $CTL_BASE.pem (signed client certificate)"
|
||||
|
@ -156,10 +156,12 @@ setup_ctx(struct config_file* cfg)
|
||||
ctx = SSL_CTX_new(SSLv23_client_method());
|
||||
if(!ctx)
|
||||
ssl_err("could not allocate SSL_CTX pointer");
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
|
||||
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
|
||||
!= SSL_OP_NO_SSLv2)
|
||||
ssl_err("could not set SSL_OP_NO_SSLv2");
|
||||
if(cfg->remote_control_use_cert) {
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
|
||||
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
|
||||
!= SSL_OP_NO_SSLv3)
|
||||
ssl_err("could not set SSL_OP_NO_SSLv3");
|
||||
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
|
||||
!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
|
||||
@ -361,6 +363,9 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
|
||||
fatal_exit("could not read config file");
|
||||
if(!cfg->remote_control_enable)
|
||||
log_warn("control-enable is 'no' in the config file.");
|
||||
#ifdef UB_ON_WINDOWS
|
||||
w_config_adjust_directory(cfg);
|
||||
#endif
|
||||
ctx = setup_ctx(cfg);
|
||||
|
||||
/* contact server */
|
||||
|
@ -100,7 +100,7 @@ config_create(void)
|
||||
cfg->tcp_upstream = 0;
|
||||
cfg->ssl_service_key = NULL;
|
||||
cfg->ssl_service_pem = NULL;
|
||||
cfg->ssl_port = 443;
|
||||
cfg->ssl_port = 853;
|
||||
cfg->ssl_upstream = 0;
|
||||
cfg->use_syslog = 1;
|
||||
cfg->log_time_ascii = 0;
|
||||
@ -240,6 +240,7 @@ config_create(void)
|
||||
cfg->ratelimit_for_domain = NULL;
|
||||
cfg->ratelimit_below_domain = NULL;
|
||||
cfg->ratelimit_factor = 10;
|
||||
cfg->qname_minimisation = 0;
|
||||
return cfg;
|
||||
error_exit:
|
||||
config_delete(cfg);
|
||||
@ -473,6 +474,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_MEMSIZE("ratelimit-size:", ratelimit_size)
|
||||
else S_POW2("ratelimit-slabs:", ratelimit_slabs)
|
||||
else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
|
||||
else S_YNO("qname-minimisation:", qname_minimisation)
|
||||
/* val_sig_skew_min and max are copied into val_env during init,
|
||||
* so this does not update val_env with set_option */
|
||||
else if(strcmp(opt, "val-sig-skew-min:") == 0)
|
||||
@ -747,6 +749,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_DEC(opt, "ratelimit-factor", ratelimit_factor)
|
||||
else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
|
||||
else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
|
||||
else O_YNO(opt, "qname-minimisation", qname_minimisation)
|
||||
/* not here:
|
||||
* outgoing-permit, outgoing-avoid - have list of ports
|
||||
* local-zone - zones and nodefault variables
|
||||
@ -1555,6 +1558,28 @@ w_lookup_reg_str(const char* key, const char* name)
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
void w_config_adjust_directory(struct config_file* cfg)
|
||||
{
|
||||
if(cfg->directory && cfg->directory[0]) {
|
||||
TCHAR dirbuf[2*MAX_PATH+4];
|
||||
if(strcmp(cfg->directory, "%EXECUTABLE%") == 0) {
|
||||
/* get executable path, and if that contains
|
||||
* directories, snip off the filename part */
|
||||
dirbuf[0] = 0;
|
||||
if(!GetModuleFileName(NULL, dirbuf, MAX_PATH))
|
||||
log_err("could not GetModuleFileName");
|
||||
if(strrchr(dirbuf, '\\')) {
|
||||
(strrchr(dirbuf, '\\'))[0] = 0;
|
||||
} else log_err("GetModuleFileName had no path");
|
||||
if(dirbuf[0]) {
|
||||
/* adjust directory for later lookups to work*/
|
||||
free(cfg->directory);
|
||||
cfg->directory = memdup(dirbuf, strlen(dirbuf)+1);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif /* UB_ON_WINDOWS */
|
||||
|
||||
void errinf(struct module_qstate* qstate, const char* str)
|
||||
|
@ -283,7 +283,7 @@ struct config_file {
|
||||
struct config_str2list* local_zones;
|
||||
/** local zones nodefault list */
|
||||
struct config_strlist* local_zones_nodefault;
|
||||
/** local data RRs configged */
|
||||
/** local data RRs configured */
|
||||
struct config_strlist* local_data;
|
||||
/** unblock lan zones (reverse lookups for 10/8 and so on) */
|
||||
int unblock_lan_zones;
|
||||
@ -364,6 +364,8 @@ struct config_file {
|
||||
struct config_str2list* ratelimit_below_domain;
|
||||
/** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */
|
||||
int ratelimit_factor;
|
||||
/** minimise outgoing QNAME and hide original QTYPE if possible */
|
||||
int qname_minimisation;
|
||||
};
|
||||
|
||||
/** from cfg username, after daemonise setup performed */
|
||||
@ -739,6 +741,9 @@ void ub_c_error_msg(const char* fmt, ...) ATTR_FORMAT(printf, 1, 2);
|
||||
* exist on an error (logged with log_err) was encountered.
|
||||
*/
|
||||
char* w_lookup_reg_str(const char* key, const char* name);
|
||||
|
||||
/** Modify directory in options for module file name */
|
||||
void w_config_adjust_directory(struct config_file* cfg);
|
||||
#endif /* UB_ON_WINDOWS */
|
||||
|
||||
#endif /* UTIL_CONFIG_FILE_H */
|
||||
|
@ -207,6 +207,7 @@ SQANY [^\'\n\r\\]|\\.
|
||||
/* note that flex makes the longest match and '.' is any but not nl */
|
||||
LEXOUT(("comment(%s) ", ub_c_text)); /* ignore */ }
|
||||
server{COLON} { YDVAR(0, VAR_SERVER) }
|
||||
qname-minimisation{COLON} { YDVAR(1, VAR_QNAME_MINIMISATION) }
|
||||
num-threads{COLON} { YDVAR(1, VAR_NUM_THREADS) }
|
||||
verbosity{COLON} { YDVAR(1, VAR_VERBOSITY) }
|
||||
port{COLON} { YDVAR(1, VAR_PORT) }
|
||||
|
@ -122,6 +122,7 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
|
||||
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
|
||||
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
|
||||
%token VAR_QNAME_MINIMISATION
|
||||
|
||||
%%
|
||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||
@ -186,7 +187,7 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_ratelimit_size | server_ratelimit_for_domain |
|
||||
server_ratelimit_below_domain | server_ratelimit_factor |
|
||||
server_caps_whitelist | server_cache_max_negative_ttl |
|
||||
server_permit_small_holddown
|
||||
server_permit_small_holddown | server_qname_minimisation
|
||||
;
|
||||
stubstart: VAR_STUB_ZONE
|
||||
{
|
||||
@ -1318,6 +1319,16 @@ server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_qname_minimisation: VAR_QNAME_MINIMISATION STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_qname_minimisation:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->qname_minimisation =
|
||||
(strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
stub_name: VAR_NAME STRING_ARG
|
||||
{
|
||||
OUTYY(("P(name:%s)\n", $2));
|
||||
|
@ -660,6 +660,7 @@
|
||||
833,
|
||||
847,
|
||||
848,
|
||||
853,
|
||||
860,
|
||||
861,
|
||||
862,
|
||||
@ -3842,6 +3843,7 @@
|
||||
4406,
|
||||
4412,
|
||||
4413,
|
||||
4416,
|
||||
4425,
|
||||
4426,
|
||||
4430,
|
||||
@ -4572,6 +4574,7 @@
|
||||
7070,
|
||||
7071,
|
||||
7080,
|
||||
7088,
|
||||
7095,
|
||||
7099,
|
||||
7100,
|
||||
@ -5383,6 +5386,7 @@
|
||||
38203,
|
||||
39681,
|
||||
40000,
|
||||
40023,
|
||||
40841,
|
||||
40842,
|
||||
40843,
|
||||
|
@ -232,7 +232,7 @@ void ub_thread_create(ub_thread_t* thr, void* (*func)(void*), void* arg)
|
||||
0, /* default flags, run immediately */
|
||||
NULL); /* do not store thread identifier anywhere */
|
||||
#else
|
||||
/* the begintheadex routine setups for the C lib; aligns stack */
|
||||
/* the beginthreadex routine setups for the C lib; aligns stack */
|
||||
*thr=(ub_thread_t)_beginthreadex(NULL, 0, (void*)func, arg, 0, NULL);
|
||||
#endif
|
||||
if(*thr == NULL) {
|
||||
|
@ -619,12 +619,14 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
|
||||
return NULL;
|
||||
}
|
||||
/* no SSLv2, SSLv3 because has defects */
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
|
||||
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
|
||||
!= SSL_OP_NO_SSLv2){
|
||||
log_crypto_err("could not set SSL_OP_NO_SSLv2");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
|
||||
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
|
||||
!= SSL_OP_NO_SSLv3){
|
||||
log_crypto_err("could not set SSL_OP_NO_SSLv3");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
@ -690,12 +692,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
|
||||
log_crypto_err("could not allocate SSL_CTX pointer");
|
||||
return NULL;
|
||||
}
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) {
|
||||
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
|
||||
!= SSL_OP_NO_SSLv2) {
|
||||
log_crypto_err("could not set SSL_OP_NO_SSLv2");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) {
|
||||
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
|
||||
!= SSL_OP_NO_SSLv3) {
|
||||
log_crypto_err("could not set SSL_OP_NO_SSLv3");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
|
@ -68,6 +68,8 @@
|
||||
/* nss3 */
|
||||
#include "secport.h"
|
||||
#include "pk11pub.h"
|
||||
#elif defined(HAVE_NETTLE)
|
||||
#include "yarrow.h"
|
||||
#endif
|
||||
|
||||
/**
|
||||
@ -76,7 +78,7 @@
|
||||
*/
|
||||
#define MAX_VALUE 0x7fffffff
|
||||
|
||||
#ifndef HAVE_NSS
|
||||
#if defined(HAVE_SSL)
|
||||
void
|
||||
ub_systemseed(unsigned int ATTR_UNUSED(seed))
|
||||
{
|
||||
@ -110,7 +112,7 @@ ub_random_max(struct ub_randstate* state, long int x)
|
||||
return (long)arc4random_uniform((uint32_t)x);
|
||||
}
|
||||
|
||||
#else
|
||||
#elif defined(HAVE_NSS)
|
||||
|
||||
/* not much to remember for NSS since we use its pk11_random, placeholder */
|
||||
struct ub_randstate {
|
||||
@ -144,6 +146,72 @@ long int ub_random(struct ub_randstate* ATTR_UNUSED(state))
|
||||
return x & MAX_VALUE;
|
||||
}
|
||||
|
||||
#elif defined(HAVE_NETTLE)
|
||||
|
||||
/**
|
||||
* libnettle implements a Yarrow-256 generator (SHA256 + AES),
|
||||
* and we have to ensure it is seeded before use.
|
||||
*/
|
||||
struct ub_randstate {
|
||||
struct yarrow256_ctx ctx;
|
||||
int seeded;
|
||||
};
|
||||
|
||||
void ub_systemseed(unsigned int ATTR_UNUSED(seed))
|
||||
{
|
||||
/**
|
||||
* We seed on init and not here, as we need the ctx to re-seed.
|
||||
* This also means that re-seeding is not supported.
|
||||
*/
|
||||
log_err("Re-seeding not supported, generator untouched");
|
||||
}
|
||||
|
||||
struct ub_randstate* ub_initstate(unsigned int seed,
|
||||
struct ub_randstate* ATTR_UNUSED(from))
|
||||
{
|
||||
struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
|
||||
uint8_t buf[YARROW256_SEED_FILE_SIZE];
|
||||
if(!s) {
|
||||
log_err("malloc failure in random init");
|
||||
return NULL;
|
||||
}
|
||||
/* Setup Yarrow context */
|
||||
yarrow256_init(&s->ctx, 0, NULL);
|
||||
|
||||
if(getentropy(buf, sizeof(buf)) != -1) {
|
||||
/* got entropy */
|
||||
yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
|
||||
s->seeded = yarrow256_is_seeded(&s->ctx);
|
||||
} else {
|
||||
/* Stretch the uint32 input seed and feed it to Yarrow */
|
||||
uint32_t v = seed;
|
||||
size_t i;
|
||||
for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) {
|
||||
memmove(buf+i*sizeof(seed), &v, sizeof(seed));
|
||||
v = v*seed + (uint32_t)i;
|
||||
}
|
||||
yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
|
||||
s->seeded = yarrow256_is_seeded(&s->ctx);
|
||||
}
|
||||
|
||||
return s;
|
||||
}
|
||||
|
||||
long int ub_random(struct ub_randstate* s)
|
||||
{
|
||||
/* random 31 bit value. */
|
||||
long int x = 0;
|
||||
if (!s || !s->seeded) {
|
||||
log_err("Couldn't generate randomness, Yarrow-256 generator not yet seeded");
|
||||
} else {
|
||||
yarrow256_random(&s->ctx, sizeof(x), (uint8_t *)&x);
|
||||
}
|
||||
return x & MAX_VALUE;
|
||||
}
|
||||
#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
|
||||
|
||||
|
||||
#if defined(HAVE_NSS) || defined(HAVE_NETTLE)
|
||||
long int
|
||||
ub_random_max(struct ub_randstate* state, long int x)
|
||||
{
|
||||
@ -155,7 +223,7 @@ ub_random_max(struct ub_randstate* state, long int x)
|
||||
v = ub_random(state);
|
||||
return (v % x);
|
||||
}
|
||||
#endif /* HAVE_NSS */
|
||||
#endif /* HAVE_NSS or HAVE_NETTLE */
|
||||
|
||||
void
|
||||
ub_randfree(struct ub_randstate* s)
|
||||
|
@ -68,7 +68,7 @@ static void rbtree_insert_fixup(rbtree_t *rbtree, rbnode_t *node);
|
||||
static void rbtree_delete_fixup(rbtree_t* rbtree, rbnode_t* child, rbnode_t* child_parent);
|
||||
|
||||
/*
|
||||
* Creates a new red black tree, intializes and returns a pointer to it.
|
||||
* Creates a new red black tree, initializes and returns a pointer to it.
|
||||
*
|
||||
* Return NULL on failure.
|
||||
*
|
||||
|
@ -96,7 +96,7 @@ int rtt_notimeout(const struct rtt_info* rtt);
|
||||
void rtt_update(struct rtt_info* rtt, int ms);
|
||||
|
||||
/**
|
||||
* Update the statistics with a new timout expired observation.
|
||||
* Update the statistics with a new timeout expired observation.
|
||||
* @param rtt: round trip statistics structure.
|
||||
* @param orig: original rtt time given for the query that timed out.
|
||||
* Used to calculate the maximum responsible backed off time that
|
||||
|
@ -356,7 +356,7 @@ uint32_t hashlittle( const void *key, size_t length, uint32_t initval)
|
||||
* rest of the string. Every machine with memory protection I've seen
|
||||
* does it on word boundaries, so is OK with this. But VALGRIND will
|
||||
* still catch it and complain. The masking trick does make the hash
|
||||
* noticably faster for short strings (like English words).
|
||||
* noticeably faster for short strings (like English words).
|
||||
*/
|
||||
#ifndef VALGRIND
|
||||
|
||||
@ -544,7 +544,7 @@ void hashlittle2(
|
||||
* rest of the string. Every machine with memory protection I've seen
|
||||
* does it on word boundaries, so is OK with this. But VALGRIND will
|
||||
* still catch it and complain. The masking trick does make the hash
|
||||
* noticably faster for short strings (like English words).
|
||||
* noticeably faster for short strings (like English words).
|
||||
*/
|
||||
#ifndef VALGRIND
|
||||
|
||||
@ -725,7 +725,7 @@ uint32_t hashbig( const void *key, size_t length, uint32_t initval)
|
||||
* rest of the string. Every machine with memory protection I've seen
|
||||
* does it on word boundaries, so is OK with this. But VALGRIND will
|
||||
* still catch it and complain. The masking trick does make the hash
|
||||
* noticably faster for short strings (like English words).
|
||||
* noticeably faster for short strings (like English words).
|
||||
*/
|
||||
#ifndef VALGRIND
|
||||
|
||||
@ -858,7 +858,7 @@ void driver2()
|
||||
{
|
||||
for (j=0; j<8; ++j) /*------------------------ for each input bit, */
|
||||
{
|
||||
for (m=1; m<8; ++m) /*------------ for serveral possible initvals, */
|
||||
for (m=1; m<8; ++m) /*------------ for several possible initvals, */
|
||||
{
|
||||
for (l=0; l<HASHSTATE; ++l)
|
||||
e[l]=f[l]=g[l]=h[l]=x[l]=y[l]=~((uint32_t)0);
|
||||
|
@ -83,7 +83,7 @@ struct tube {
|
||||
|
||||
/** background write queue, commpoint to write results back */
|
||||
struct comm_point* res_com;
|
||||
/** are we curently writing a result, 0 if not, else bytecount into
|
||||
/** are we currently writing a result, 0 if not, else bytecount into
|
||||
* the res_list first entry. */
|
||||
size_t res_write;
|
||||
/** list of outstanding results to be written back */
|
||||
|
@ -201,7 +201,7 @@ struct event {
|
||||
int stick_events;
|
||||
|
||||
/** true if this event is a signaling WSAEvent by the user.
|
||||
* User created and user closed WSAEvent. Only signaled/unsigneled,
|
||||
* User created and user closed WSAEvent. Only signaled/unsignaled,
|
||||
* no read/write/distinctions needed. */
|
||||
int is_signal;
|
||||
/** used during callbacks to see which events were just checked */
|
||||
|
@ -1195,6 +1195,14 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp)
|
||||
fatal_exit("could not completely write: %s", fname);
|
||||
return;
|
||||
}
|
||||
if(fflush(out) != 0)
|
||||
log_err("could not fflush(%s): %s", fname, strerror(errno));
|
||||
#ifdef HAVE_FSYNC
|
||||
if(fsync(fileno(out)) != 0)
|
||||
log_err("could not fsync(%s): %s", fname, strerror(errno));
|
||||
#else
|
||||
FlushFileBuffers((HANDLE)_fileno(out));
|
||||
#endif
|
||||
if(fclose(out) != 0) {
|
||||
fatal_exit("could not complete write: %s: %s",
|
||||
fname, strerror(errno));
|
||||
@ -2162,7 +2170,7 @@ int autr_process_prime(struct module_env* env, struct val_env* ve,
|
||||
if(!verify_dnskey(env, ve, tp, dnskey_rrset)) {
|
||||
verbose(VERB_ALGO, "autotrust: dnskey did not verify.");
|
||||
/* only increase failure count if this is not the first prime,
|
||||
* this means there was a previous succesful probe */
|
||||
* this means there was a previous successful probe */
|
||||
if(tp->autr->last_success) {
|
||||
tp->autr->query_failed += 1;
|
||||
autr_write_file(env, tp);
|
||||
|
@ -38,7 +38,7 @@
|
||||
*
|
||||
* This file contains helper functions for the validator module.
|
||||
* The functions help with aggressive negative caching.
|
||||
* This creates new denials of existance, and proofs for absence of types
|
||||
* This creates new denials of existence, and proofs for absence of types
|
||||
* from cached NSEC records.
|
||||
*/
|
||||
#include "config.h"
|
||||
|
@ -38,7 +38,7 @@
|
||||
*
|
||||
* This file contains helper functions for the validator module.
|
||||
* The functions help with aggressive negative caching.
|
||||
* This creates new denials of existance, and proofs for absence of types
|
||||
* This creates new denials of existence, and proofs for absence of types
|
||||
* from cached NSEC records.
|
||||
*/
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* validator/val_nsec.c - validator NSEC denial of existance functions.
|
||||
* validator/val_nsec.c - validator NSEC denial of existence functions.
|
||||
*
|
||||
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
*
|
||||
@ -38,7 +38,7 @@
|
||||
*
|
||||
* This file contains helper functions for the validator module.
|
||||
* The functions help with NSEC checking, the different NSEC proofs
|
||||
* for denial of existance, and proofs for presence of types.
|
||||
* for denial of existence, and proofs for presence of types.
|
||||
*/
|
||||
#include "config.h"
|
||||
#include "validator/val_nsec.h"
|
||||
@ -279,7 +279,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
|
||||
return sec_status_insecure;
|
||||
}
|
||||
|
||||
/* NSEC proof did not conlusively point to DS or no DS */
|
||||
/* NSEC proof did not conclusively point to DS or no DS */
|
||||
return sec_status_unchecked;
|
||||
}
|
||||
|
||||
@ -340,6 +340,28 @@ int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
|
||||
*wc = ce;
|
||||
return 1;
|
||||
}
|
||||
} else {
|
||||
/* See if the next owner name covers a wildcard
|
||||
* empty non-terminal. */
|
||||
while (dname_strict_subdomain_c(nm, nsec->rk.dname)) {
|
||||
/* wildcard does not apply if qname below
|
||||
* the name that exists under the '*' */
|
||||
if (dname_subdomain_c(qinfo->qname, nm))
|
||||
break;
|
||||
/* but if it is a wildcard and qname is below
|
||||
* it, then the wildcard applies. The wildcard
|
||||
* is an empty nonterminal. nodata proven. */
|
||||
if (dname_is_wild(nm)) {
|
||||
size_t ce_len = ln;
|
||||
uint8_t* ce = nm;
|
||||
dname_remove_label(&ce, &ce_len);
|
||||
if(dname_strict_subdomain_c(qinfo->qname, ce)) {
|
||||
*wc = ce;
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
dname_remove_label(&nm, &ln);
|
||||
}
|
||||
}
|
||||
|
||||
/* Otherwise, this NSEC does not prove ENT and is not a
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* validator/val_nsec.h - validator NSEC denial of existance functions.
|
||||
* validator/val_nsec.h - validator NSEC denial of existence functions.
|
||||
*
|
||||
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
*
|
||||
@ -38,7 +38,7 @@
|
||||
*
|
||||
* This file contains helper functions for the validator module.
|
||||
* The functions help with NSEC checking, the different NSEC proofs
|
||||
* for denial of existance, and proofs for presence of types.
|
||||
* for denial of existence, and proofs for presence of types.
|
||||
*/
|
||||
|
||||
#ifndef VALIDATOR_VAL_NSEC_H
|
||||
@ -54,7 +54,7 @@ struct key_entry_key;
|
||||
/**
|
||||
* Check DS absence.
|
||||
* There is a NODATA reply to a DS that needs checking.
|
||||
* NSECs can prove this is not a delegation point, or sucessfully prove
|
||||
* NSECs can prove this is not a delegation point, or successfully prove
|
||||
* that there is no DS. Or this fails.
|
||||
*
|
||||
* @param env: module env for rrsig verification routines.
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* validator/val_nsec3.c - validator NSEC3 denial of existance functions.
|
||||
* validator/val_nsec3.c - validator NSEC3 denial of existence functions.
|
||||
*
|
||||
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
*
|
||||
@ -38,18 +38,12 @@
|
||||
*
|
||||
* This file contains helper functions for the validator module.
|
||||
* The functions help with NSEC3 checking, the different NSEC3 proofs
|
||||
* for denial of existance, and proofs for presence of types.
|
||||
* for denial of existence, and proofs for presence of types.
|
||||
*/
|
||||
#include "config.h"
|
||||
#include <ctype.h>
|
||||
#ifdef HAVE_OPENSSL_SSL_H
|
||||
#include "openssl/ssl.h"
|
||||
#endif
|
||||
#ifdef HAVE_NSS
|
||||
/* nss3 */
|
||||
#include "sechash.h"
|
||||
#endif
|
||||
#include "validator/val_nsec3.h"
|
||||
#include "validator/val_secalgo.h"
|
||||
#include "validator/validator.h"
|
||||
#include "validator/val_kentry.h"
|
||||
#include "services/cache/rrset.h"
|
||||
@ -370,8 +364,8 @@ filter_next(struct nsec3_filter* filter, size_t* rrsetnum, int* rrnum)
|
||||
/**
|
||||
* Start iterating over NSEC3 records.
|
||||
* @param filter: the filter structure, must have been filter_init-ed.
|
||||
* @param rrsetnum: can be undefined on call, inited.
|
||||
* @param rrnum: can be undefined on call, inited.
|
||||
* @param rrsetnum: can be undefined on call, initialised.
|
||||
* @param rrnum: can be undefined on call, initialised.
|
||||
* @return first rrset of an NSEC3, together with rrnum this points to
|
||||
* the first RR to examine. Is NULL on empty list.
|
||||
*/
|
||||
@ -545,46 +539,24 @@ nsec3_get_hashed(sldns_buffer* buf, uint8_t* nm, size_t nmlen, int algo,
|
||||
query_dname_tolower(sldns_buffer_begin(buf));
|
||||
sldns_buffer_write(buf, salt, saltlen);
|
||||
sldns_buffer_flip(buf);
|
||||
switch(algo) {
|
||||
#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS)
|
||||
case NSEC3_HASH_SHA1:
|
||||
#ifdef HAVE_SSL
|
||||
hash_len = SHA_DIGEST_LENGTH;
|
||||
#else
|
||||
hash_len = SHA1_LENGTH;
|
||||
#endif
|
||||
if(hash_len > max)
|
||||
return 0;
|
||||
# ifdef HAVE_SSL
|
||||
(void)SHA1((unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf),
|
||||
(unsigned char*)res);
|
||||
# else
|
||||
(void)HASH_HashBuf(HASH_AlgSHA1, (unsigned char*)res,
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf));
|
||||
# endif
|
||||
for(i=0; i<iter; i++) {
|
||||
sldns_buffer_clear(buf);
|
||||
sldns_buffer_write(buf, res, hash_len);
|
||||
sldns_buffer_write(buf, salt, saltlen);
|
||||
sldns_buffer_flip(buf);
|
||||
# ifdef HAVE_SSL
|
||||
(void)SHA1(
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf),
|
||||
(unsigned char*)res);
|
||||
# else
|
||||
(void)HASH_HashBuf(HASH_AlgSHA1,
|
||||
(unsigned char*)res,
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf));
|
||||
# endif
|
||||
}
|
||||
break;
|
||||
#endif /* HAVE_EVP_SHA1 or NSS */
|
||||
default:
|
||||
log_err("nsec3 hash of unknown algo %d", algo);
|
||||
hash_len = nsec3_hash_algo_size_supported(algo);
|
||||
if(hash_len == 0) {
|
||||
log_err("nsec3 hash of unknown algo %d", algo);
|
||||
return 0;
|
||||
}
|
||||
if(hash_len > max)
|
||||
return 0;
|
||||
if(!secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
|
||||
sldns_buffer_limit(buf), (unsigned char*)res))
|
||||
return 0;
|
||||
for(i=0; i<iter; i++) {
|
||||
sldns_buffer_clear(buf);
|
||||
sldns_buffer_write(buf, res, hash_len);
|
||||
sldns_buffer_write(buf, salt, saltlen);
|
||||
sldns_buffer_flip(buf);
|
||||
if(!secalgo_nsec3_hash(algo,
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
sldns_buffer_limit(buf), (unsigned char*)res))
|
||||
return 0;
|
||||
}
|
||||
return hash_len;
|
||||
@ -607,50 +579,24 @@ nsec3_calc_hash(struct regional* region, sldns_buffer* buf,
|
||||
query_dname_tolower(sldns_buffer_begin(buf));
|
||||
sldns_buffer_write(buf, salt, saltlen);
|
||||
sldns_buffer_flip(buf);
|
||||
switch(algo) {
|
||||
#if defined(HAVE_EVP_SHA1) || defined(HAVE_NSS)
|
||||
case NSEC3_HASH_SHA1:
|
||||
#ifdef HAVE_SSL
|
||||
c->hash_len = SHA_DIGEST_LENGTH;
|
||||
#else
|
||||
c->hash_len = SHA1_LENGTH;
|
||||
#endif
|
||||
c->hash = (uint8_t*)regional_alloc(region,
|
||||
c->hash_len);
|
||||
if(!c->hash)
|
||||
return 0;
|
||||
# ifdef HAVE_SSL
|
||||
(void)SHA1((unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf),
|
||||
(unsigned char*)c->hash);
|
||||
# else
|
||||
(void)HASH_HashBuf(HASH_AlgSHA1,
|
||||
(unsigned char*)c->hash,
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf));
|
||||
# endif
|
||||
for(i=0; i<iter; i++) {
|
||||
sldns_buffer_clear(buf);
|
||||
sldns_buffer_write(buf, c->hash, c->hash_len);
|
||||
sldns_buffer_write(buf, salt, saltlen);
|
||||
sldns_buffer_flip(buf);
|
||||
# ifdef HAVE_SSL
|
||||
(void)SHA1(
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf),
|
||||
(unsigned char*)c->hash);
|
||||
# else
|
||||
(void)HASH_HashBuf(HASH_AlgSHA1,
|
||||
(unsigned char*)c->hash,
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned long)sldns_buffer_limit(buf));
|
||||
# endif
|
||||
}
|
||||
break;
|
||||
#endif /* HAVE_EVP_SHA1 or NSS */
|
||||
default:
|
||||
log_err("nsec3 hash of unknown algo %d", algo);
|
||||
return -1;
|
||||
c->hash_len = nsec3_hash_algo_size_supported(algo);
|
||||
if(c->hash_len == 0) {
|
||||
log_err("nsec3 hash of unknown algo %d", algo);
|
||||
return -1;
|
||||
}
|
||||
c->hash = (uint8_t*)regional_alloc(region, c->hash_len);
|
||||
if(!c->hash)
|
||||
return 0;
|
||||
(void)secalgo_nsec3_hash(algo, (unsigned char*)sldns_buffer_begin(buf),
|
||||
sldns_buffer_limit(buf), (unsigned char*)c->hash);
|
||||
for(i=0; i<iter; i++) {
|
||||
sldns_buffer_clear(buf);
|
||||
sldns_buffer_write(buf, c->hash, c->hash_len);
|
||||
sldns_buffer_write(buf, salt, saltlen);
|
||||
sldns_buffer_flip(buf);
|
||||
(void)secalgo_nsec3_hash(algo,
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
sldns_buffer_limit(buf), (unsigned char*)c->hash);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* validator/val_nsec3.h - validator NSEC3 denial of existance functions.
|
||||
* validator/val_nsec3.h - validator NSEC3 denial of existence functions.
|
||||
*
|
||||
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
*
|
||||
@ -38,7 +38,7 @@
|
||||
*
|
||||
* This file contains helper functions for the validator module.
|
||||
* The functions help with NSEC3 checking, the different NSEC3 proofs
|
||||
* for denial of existance, and proofs for presence of types.
|
||||
* for denial of existence, and proofs for presence of types.
|
||||
*
|
||||
* NSEC3
|
||||
* 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
|
||||
@ -256,7 +256,7 @@ int nsec3_hash_cmp(const void* c1, const void* c2);
|
||||
* Used internally by the nsec3 proof functions in this file.
|
||||
* published to enable unit testing of hash algorithms and cache.
|
||||
*
|
||||
* @param table: the cache table. Must be inited at start.
|
||||
* @param table: the cache table. Must be initialised at start.
|
||||
* @param region: scratch region to use for allocation.
|
||||
* This region holds the tree, if you wipe the region, reinit the tree.
|
||||
* @param buf: temporary buffer.
|
||||
|
@ -44,12 +44,13 @@
|
||||
/* packed_rrset on top to define enum types (forced by c99 standard) */
|
||||
#include "util/data/packed_rrset.h"
|
||||
#include "validator/val_secalgo.h"
|
||||
#include "validator/val_nsec3.h"
|
||||
#include "util/log.h"
|
||||
#include "sldns/rrdef.h"
|
||||
#include "sldns/keyraw.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
|
||||
#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
|
||||
#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
|
||||
#error "Need crypto library to do digital signature cryptography"
|
||||
#endif
|
||||
|
||||
@ -71,10 +72,36 @@
|
||||
#include <openssl/engine.h>
|
||||
#endif
|
||||
|
||||
/* return size of digest if supported, or 0 otherwise */
|
||||
size_t
|
||||
nsec3_hash_algo_size_supported(int id)
|
||||
{
|
||||
switch(id) {
|
||||
case NSEC3_HASH_SHA1:
|
||||
return SHA_DIGEST_LENGTH;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* perform nsec3 hash. return false on failure */
|
||||
int
|
||||
secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
|
||||
unsigned char* res)
|
||||
{
|
||||
switch(algo) {
|
||||
case NSEC3_HASH_SHA1:
|
||||
(void)SHA1(buf, len, res);
|
||||
return 1;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Return size of DS digest according to its hash algorithm.
|
||||
* @param algo: DS digest algo.
|
||||
* @return size in bytes of digest, or 0 if not supported.
|
||||
* @return size in bytes of digest, or 0 if not supported.
|
||||
*/
|
||||
size_t
|
||||
ds_digest_size_supported(int algo)
|
||||
@ -565,6 +592,32 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
|
||||
/* nspr4 */
|
||||
#include "prerror.h"
|
||||
|
||||
/* return size of digest if supported, or 0 otherwise */
|
||||
size_t
|
||||
nsec3_hash_algo_size_supported(int id)
|
||||
{
|
||||
switch(id) {
|
||||
case NSEC3_HASH_SHA1:
|
||||
return SHA1_LENGTH;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* perform nsec3 hash. return false on failure */
|
||||
int
|
||||
secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
|
||||
unsigned char* res)
|
||||
{
|
||||
switch(algo) {
|
||||
case NSEC3_HASH_SHA1:
|
||||
(void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
|
||||
return 1;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
size_t
|
||||
ds_digest_size_supported(int algo)
|
||||
{
|
||||
@ -1069,5 +1122,466 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
|
||||
return sec_status_bogus;
|
||||
}
|
||||
|
||||
#elif defined(HAVE_NETTLE)
|
||||
|
||||
#endif /* HAVE_SSL or HAVE_NSS */
|
||||
#include "sha.h"
|
||||
#include "bignum.h"
|
||||
#include "macros.h"
|
||||
#include "rsa.h"
|
||||
#include "dsa.h"
|
||||
#include "asn1.h"
|
||||
#ifdef USE_ECDSA
|
||||
#include "ecdsa.h"
|
||||
#include "ecc-curve.h"
|
||||
#endif
|
||||
|
||||
static int
|
||||
_digest_nettle(int algo, uint8_t* buf, size_t len,
|
||||
unsigned char* res)
|
||||
{
|
||||
switch(algo) {
|
||||
case SHA1_DIGEST_SIZE:
|
||||
{
|
||||
struct sha1_ctx ctx;
|
||||
sha1_init(&ctx);
|
||||
sha1_update(&ctx, len, buf);
|
||||
sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
|
||||
return 1;
|
||||
}
|
||||
case SHA256_DIGEST_SIZE:
|
||||
{
|
||||
struct sha256_ctx ctx;
|
||||
sha256_init(&ctx);
|
||||
sha256_update(&ctx, len, buf);
|
||||
sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
|
||||
return 1;
|
||||
}
|
||||
case SHA384_DIGEST_SIZE:
|
||||
{
|
||||
struct sha384_ctx ctx;
|
||||
sha384_init(&ctx);
|
||||
sha384_update(&ctx, len, buf);
|
||||
sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
|
||||
return 1;
|
||||
}
|
||||
case SHA512_DIGEST_SIZE:
|
||||
{
|
||||
struct sha512_ctx ctx;
|
||||
sha512_init(&ctx);
|
||||
sha512_update(&ctx, len, buf);
|
||||
sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
|
||||
return 1;
|
||||
}
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* return size of digest if supported, or 0 otherwise */
|
||||
size_t
|
||||
nsec3_hash_algo_size_supported(int id)
|
||||
{
|
||||
switch(id) {
|
||||
case NSEC3_HASH_SHA1:
|
||||
return SHA1_DIGEST_SIZE;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* perform nsec3 hash. return false on failure */
|
||||
int
|
||||
secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
|
||||
unsigned char* res)
|
||||
{
|
||||
switch(algo) {
|
||||
case NSEC3_HASH_SHA1:
|
||||
return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
|
||||
res);
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Return size of DS digest according to its hash algorithm.
|
||||
* @param algo: DS digest algo.
|
||||
* @return size in bytes of digest, or 0 if not supported.
|
||||
*/
|
||||
size_t
|
||||
ds_digest_size_supported(int algo)
|
||||
{
|
||||
switch(algo) {
|
||||
case LDNS_SHA1:
|
||||
return SHA1_DIGEST_SIZE;
|
||||
#ifdef USE_SHA2
|
||||
case LDNS_SHA256:
|
||||
return SHA256_DIGEST_SIZE;
|
||||
#endif
|
||||
#ifdef USE_ECDSA
|
||||
case LDNS_SHA384:
|
||||
return SHA384_DIGEST_SIZE;
|
||||
#endif
|
||||
/* GOST not supported */
|
||||
case LDNS_HASH_GOST:
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
|
||||
unsigned char* res)
|
||||
{
|
||||
switch(algo) {
|
||||
case LDNS_SHA1:
|
||||
return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
|
||||
#if defined(USE_SHA2)
|
||||
case LDNS_SHA256:
|
||||
return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
|
||||
#endif
|
||||
#ifdef USE_ECDSA
|
||||
case LDNS_SHA384:
|
||||
return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
|
||||
|
||||
#endif
|
||||
case LDNS_HASH_GOST:
|
||||
default:
|
||||
verbose(VERB_QUERY, "unknown DS digest algorithm %d",
|
||||
algo);
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
dnskey_algo_id_is_supported(int id)
|
||||
{
|
||||
/* uses libnettle */
|
||||
switch(id) {
|
||||
case LDNS_DSA:
|
||||
case LDNS_DSA_NSEC3:
|
||||
case LDNS_RSASHA1:
|
||||
case LDNS_RSASHA1_NSEC3:
|
||||
#ifdef USE_SHA2
|
||||
case LDNS_RSASHA256:
|
||||
case LDNS_RSASHA512:
|
||||
#endif
|
||||
#ifdef USE_ECDSA
|
||||
case LDNS_ECDSAP256SHA256:
|
||||
case LDNS_ECDSAP384SHA384:
|
||||
#endif
|
||||
return 1;
|
||||
case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
|
||||
case LDNS_ECC_GOST:
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
static char *
|
||||
_verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
|
||||
unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
|
||||
{
|
||||
uint8_t digest[SHA1_DIGEST_SIZE];
|
||||
uint8_t key_t;
|
||||
int res = 0;
|
||||
size_t offset;
|
||||
struct dsa_public_key pubkey;
|
||||
struct dsa_signature signature;
|
||||
unsigned int expected_len;
|
||||
|
||||
/* Extract DSA signature from the record */
|
||||
nettle_dsa_signature_init(&signature);
|
||||
/* Signature length: 41 bytes - RFC 2536 sec. 3 */
|
||||
if(sigblock_len == 41) {
|
||||
if(key[0] != sigblock[0])
|
||||
return "invalid T value in DSA signature or pubkey";
|
||||
nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
|
||||
nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
|
||||
} else {
|
||||
/* DER encoded, decode the ASN1 notated R and S bignums */
|
||||
/* SEQUENCE { r INTEGER, s INTEGER } */
|
||||
struct asn1_der_iterator i, seq;
|
||||
if(asn1_der_iterator_first(&i, sigblock_len,
|
||||
(uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
|
||||
|| i.type != ASN1_SEQUENCE)
|
||||
return "malformed DER encoded DSA signature";
|
||||
/* decode this element of i using the seq iterator */
|
||||
if(asn1_der_decode_constructed(&i, &seq) !=
|
||||
ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
|
||||
return "malformed DER encoded DSA signature";
|
||||
if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
|
||||
return "malformed DER encoded DSA signature";
|
||||
if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
|
||||
|| seq.type != ASN1_INTEGER)
|
||||
return "malformed DER encoded DSA signature";
|
||||
if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
|
||||
return "malformed DER encoded DSA signature";
|
||||
if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
|
||||
return "malformed DER encoded DSA signature";
|
||||
}
|
||||
|
||||
/* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
|
||||
key_t = key[0];
|
||||
if (key_t > 8) {
|
||||
return "invalid T value in DSA pubkey";
|
||||
}
|
||||
|
||||
/* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
|
||||
if (keylen < 21) {
|
||||
return "DSA pubkey too short";
|
||||
}
|
||||
|
||||
expected_len = 1 + /* T */
|
||||
20 + /* Q */
|
||||
(64 + key_t*8) + /* P */
|
||||
(64 + key_t*8) + /* G */
|
||||
(64 + key_t*8); /* Y */
|
||||
if (keylen != expected_len ) {
|
||||
return "invalid DSA pubkey length";
|
||||
}
|
||||
|
||||
/* Extract DSA pubkey from the record */
|
||||
nettle_dsa_public_key_init(&pubkey);
|
||||
offset = 1;
|
||||
nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
|
||||
offset += 20;
|
||||
nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset);
|
||||
offset += (64 + key_t*8);
|
||||
nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset);
|
||||
offset += (64 + key_t*8);
|
||||
nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset);
|
||||
|
||||
/* Digest content of "buf" and verify its DSA signature in "sigblock"*/
|
||||
res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
|
||||
res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
|
||||
|
||||
/* Clear and return */
|
||||
nettle_dsa_signature_clear(&signature);
|
||||
nettle_dsa_public_key_clear(&pubkey);
|
||||
if (!res)
|
||||
return "DSA signature verification failed";
|
||||
else
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static char *
|
||||
_verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
|
||||
unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
|
||||
{
|
||||
uint16_t exp_len = 0;
|
||||
size_t exp_offset = 0, mod_offset = 0;
|
||||
struct rsa_public_key pubkey;
|
||||
mpz_t signature;
|
||||
int res = 0;
|
||||
|
||||
/* RSA pubkey parsing as per RFC 3110 sec. 2 */
|
||||
if( keylen <= 1) {
|
||||
return "null RSA key";
|
||||
}
|
||||
if (key[0] != 0) {
|
||||
/* 1-byte length */
|
||||
exp_len = key[0];
|
||||
exp_offset = 1;
|
||||
} else {
|
||||
/* 1-byte NUL + 2-bytes exponent length */
|
||||
if (keylen < 3) {
|
||||
return "incorrect RSA key length";
|
||||
}
|
||||
exp_len = READ_UINT16(key+1);
|
||||
if (exp_len == 0)
|
||||
return "null RSA exponent length";
|
||||
exp_offset = 3;
|
||||
}
|
||||
/* Check that we are not over-running input length */
|
||||
if (keylen < exp_offset + exp_len + 1) {
|
||||
return "RSA key content shorter than expected";
|
||||
}
|
||||
mod_offset = exp_offset + exp_len;
|
||||
nettle_rsa_public_key_init(&pubkey);
|
||||
pubkey.size = keylen - mod_offset;
|
||||
nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
|
||||
nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
|
||||
|
||||
/* Digest content of "buf" and verify its RSA signature in "sigblock"*/
|
||||
nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
|
||||
switch (digest_size) {
|
||||
case SHA1_DIGEST_SIZE:
|
||||
{
|
||||
uint8_t digest[SHA1_DIGEST_SIZE];
|
||||
res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
|
||||
res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
|
||||
break;
|
||||
}
|
||||
case SHA256_DIGEST_SIZE:
|
||||
{
|
||||
uint8_t digest[SHA256_DIGEST_SIZE];
|
||||
res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
|
||||
res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
|
||||
break;
|
||||
}
|
||||
case SHA512_DIGEST_SIZE:
|
||||
{
|
||||
uint8_t digest[SHA512_DIGEST_SIZE];
|
||||
res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
|
||||
res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
|
||||
break;
|
||||
}
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
/* Clear and return */
|
||||
nettle_rsa_public_key_clear(&pubkey);
|
||||
mpz_clear(signature);
|
||||
if (!res) {
|
||||
return "RSA signature verification failed";
|
||||
} else {
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef USE_ECDSA
|
||||
static char *
|
||||
_verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
|
||||
unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
|
||||
{
|
||||
int res = 0;
|
||||
struct ecc_point pubkey;
|
||||
struct dsa_signature signature;
|
||||
|
||||
/* Always matched strength, as per RFC 6605 sec. 1 */
|
||||
if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
|
||||
return "wrong ECDSA signature length";
|
||||
}
|
||||
|
||||
/* Parse ECDSA signature as per RFC 6605 sec. 4 */
|
||||
nettle_dsa_signature_init(&signature);
|
||||
switch (digest_size) {
|
||||
case SHA256_DIGEST_SIZE:
|
||||
{
|
||||
uint8_t digest[SHA256_DIGEST_SIZE];
|
||||
mpz_t x, y;
|
||||
nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
|
||||
nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
|
||||
nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
|
||||
nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
|
||||
nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
|
||||
res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
|
||||
res &= nettle_ecc_point_set(&pubkey, x, y);
|
||||
res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
|
||||
mpz_clear(x);
|
||||
mpz_clear(y);
|
||||
break;
|
||||
}
|
||||
case SHA384_DIGEST_SIZE:
|
||||
{
|
||||
uint8_t digest[SHA384_DIGEST_SIZE];
|
||||
mpz_t x, y;
|
||||
nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
|
||||
nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
|
||||
nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
|
||||
nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
|
||||
nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
|
||||
res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
|
||||
res &= nettle_ecc_point_set(&pubkey, x, y);
|
||||
res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
|
||||
mpz_clear(x);
|
||||
mpz_clear(y);
|
||||
nettle_ecc_point_clear(&pubkey);
|
||||
break;
|
||||
}
|
||||
default:
|
||||
return "unknown ECDSA algorithm";
|
||||
}
|
||||
|
||||
/* Clear and return */
|
||||
nettle_dsa_signature_clear(&signature);
|
||||
if (!res)
|
||||
return "ECDSA signature verification failed";
|
||||
else
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
|
||||
/**
|
||||
* Check a canonical sig+rrset and signature against a dnskey
|
||||
* @param buf: buffer with data to verify, the first rrsig part and the
|
||||
* canonicalized rrset.
|
||||
* @param algo: DNSKEY algorithm.
|
||||
* @param sigblock: signature rdata field from RRSIG
|
||||
* @param sigblock_len: length of sigblock data.
|
||||
* @param key: public key data from DNSKEY RR.
|
||||
* @param keylen: length of keydata.
|
||||
* @param reason: bogus reason in more detail.
|
||||
* @return secure if verification succeeded, bogus on crypto failure,
|
||||
* unchecked on format errors and alloc failures.
|
||||
*/
|
||||
enum sec_status
|
||||
verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
|
||||
unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
|
||||
char** reason)
|
||||
{
|
||||
unsigned int digest_size = 0;
|
||||
|
||||
if (sigblock_len == 0 || keylen == 0) {
|
||||
*reason = "null signature";
|
||||
return sec_status_bogus;
|
||||
}
|
||||
|
||||
switch(algo) {
|
||||
case LDNS_DSA:
|
||||
case LDNS_DSA_NSEC3:
|
||||
*reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
|
||||
if (*reason != NULL)
|
||||
return sec_status_bogus;
|
||||
else
|
||||
return sec_status_secure;
|
||||
|
||||
case LDNS_RSASHA1:
|
||||
case LDNS_RSASHA1_NSEC3:
|
||||
digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
|
||||
#ifdef USE_SHA2
|
||||
case LDNS_RSASHA256:
|
||||
digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
|
||||
case LDNS_RSASHA512:
|
||||
digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
|
||||
|
||||
#endif
|
||||
*reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
|
||||
sigblock_len, key, keylen);
|
||||
if (*reason != NULL)
|
||||
return sec_status_bogus;
|
||||
else
|
||||
return sec_status_secure;
|
||||
|
||||
#ifdef USE_ECDSA
|
||||
case LDNS_ECDSAP256SHA256:
|
||||
digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
|
||||
case LDNS_ECDSAP384SHA384:
|
||||
digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
|
||||
*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
|
||||
sigblock_len, key, keylen);
|
||||
if (*reason != NULL)
|
||||
return sec_status_bogus;
|
||||
else
|
||||
return sec_status_secure;
|
||||
#endif
|
||||
case LDNS_RSAMD5:
|
||||
case LDNS_ECC_GOST:
|
||||
default:
|
||||
*reason = "unable to verify signature, unknown algorithm";
|
||||
return sec_status_bogus;
|
||||
}
|
||||
}
|
||||
|
||||
#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
|
||||
|
@ -44,6 +44,21 @@
|
||||
#define VALIDATOR_VAL_SECALGO_H
|
||||
struct sldns_buffer;
|
||||
|
||||
/** Return size of nsec3 hash algorithm, 0 if not supported */
|
||||
size_t nsec3_hash_algo_size_supported(int id);
|
||||
|
||||
/**
|
||||
* Hash a single hash call of an NSEC3 hash algorithm.
|
||||
* Iterations and salt are done by the caller.
|
||||
* @param algo: nsec3 hash algorithm.
|
||||
* @param buf: the buffer to digest
|
||||
* @param len: length of buffer to digest.
|
||||
* @param res: result stored here (must have sufficient space).
|
||||
* @return false on failure.
|
||||
*/
|
||||
int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
|
||||
unsigned char* res);
|
||||
|
||||
/**
|
||||
* Return size of DS digest according to its hash algorithm.
|
||||
* @param algo: DS digest algo.
|
||||
|
@ -57,7 +57,7 @@
|
||||
#include "sldns/wire2str.h"
|
||||
|
||||
#include <ctype.h>
|
||||
#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
|
||||
#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
|
||||
#error "Need crypto library to do digital signature cryptography"
|
||||
#endif
|
||||
|
||||
|
@ -391,7 +391,7 @@ int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset);
|
||||
* Find DS denial message in cache. Saves new qstate allocation and allows
|
||||
* the validator to use partial content which is not enough to construct a
|
||||
* message for network (or user) consumption. Without SOA for example,
|
||||
* which is a common occurence in the unbound code since the referrals contain
|
||||
* which is a common occurrence in the unbound code since the referrals contain
|
||||
* NSEC/NSEC3 rrs without the SOA element, thus do not allow synthesis of a
|
||||
* full negative reply, but do allow synthesis of sufficient proof.
|
||||
* @param env: query env with caches and time.
|
||||
|
@ -749,7 +749,7 @@ validate_nodata_response(struct module_env* env, struct val_env* ve,
|
||||
/* Since we are here, there must be nothing in the ANSWER section to
|
||||
* validate. */
|
||||
/* (Note: CNAME/DNAME responses will not directly get here --
|
||||
* instead, they are chased down into indiviual CNAME validations,
|
||||
* instead, they are chased down into individual CNAME validations,
|
||||
* and at the end of the cname chain a POSITIVE, or CNAME_NOANSWER
|
||||
* validation.) */
|
||||
|
||||
@ -1597,7 +1597,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
|
||||
target_key_name) != 0) {
|
||||
/* check if there is a cache entry : pick up an NSEC if
|
||||
* there is no DS, check if that NSEC has DS-bit unset, and
|
||||
* thus can disprove the secure delagation we seek.
|
||||
* thus can disprove the secure delegation we seek.
|
||||
* We can then use that NSEC even in the absence of a SOA
|
||||
* record that would be required by the iterator to supply
|
||||
* a completely protocol-correct response.
|
||||
@ -1829,7 +1829,7 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
* @return true if there is no DLV.
|
||||
* false: processing is finished for the validator operate().
|
||||
* This function may exit in three ways:
|
||||
* o no DLV (agressive cache), so insecure. (true)
|
||||
* o no DLV (aggressive cache), so insecure. (true)
|
||||
* o error - stop processing (false)
|
||||
* o DLV lookup was started, stop processing (false)
|
||||
*/
|
||||
|
Loading…
Reference in New Issue
Block a user