d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

unbound: Vendor import 1.17.1

Browse Source 
Release notes at
    https://www.nlnetlabs.nl/news/2023/Jan/12/unbound-1.17.1-released/.

MFC after:      1 month

Merge commit '7699e1386a16236002b26107ffd2dcbde375e197' into main
This commit is contained in:
Cy Schubert 2023-01-14 21:39:31 -08:00
commit 1838dec318
48 changed files with 1169 additions and 139 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
contrib/unbound/Makefile.in
View File

@ -616,7 +616,7 @@ install-all: all $(PYTHONMOD_INSTALL) $(PYUNBOUND_INSTALL) $(UNBOUND_EVENT_INSTA
$(INSTALL) -c -m 644 doc/unbound.conf.5 $(DESTDIR)$(mandir)/man5
$(INSTALL) -c -m 644 doc/unbound-host.1 $(DESTDIR)$(mandir)/man1
$(INSTALL) -c -m 755 unbound-control-setup $(DESTDIR)$(sbindir)/unbound-control-setup
if test ! -e $(DESTDIR)$(configfile); then $(INSTALL) -d `dirname $(DESTDIR)$(configfile)`; $(INSTALL) -c -m 644 doc/example.conf $(DESTDIR)$(configfile); fi
if test ! -e "$(DESTDIR)$(configfile)"; then $(INSTALL) -d `dirname "$(DESTDIR)$(configfile)"`; $(INSTALL) -c -m 644 doc/example.conf "$(DESTDIR)$(configfile)"; fi
pythonmod-uninstall:
rm -f -- $(DESTDIR)$(PYTHON_SITE_PKG)/unboundmodule.py
@ -645,7 +645,7 @@ uninstall: $(PYTHONMOD_UNINSTALL) $(PYUNBOUND_UNINSTALL) $(UNBOUND_EVENT_UNINSTA
rm -f -- $(DESTDIR)$(includedir)/unbound.h
$(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/libunbound.la
@echo
@echo "You still need to remove "`dirname $(DESTDIR)$(configfile)`" , $(DESTDIR)$(configfile) by hand"
@echo "You still need to remove "`dirname "$(DESTDIR)$(configfile)"`" , $(DESTDIR)$(configfile) by hand"
iana_update:
curl -o port-numbers.tmp https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml --compressed

1
contrib/unbound/README.md
View File

@ -4,6 +4,7 @@
[![Packaging status](https://repology.org/badge/tiny-repos/unbound.svg)](https://repology.org/project/unbound/versions)
[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/unbound.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:unbound)
[![Documentation Status](https://readthedocs.org/projects/unbound/badge/?version=latest)](https://unbound.readthedocs.io/en/latest/?badge=latest)
[![Mastodon Follow](https://img.shields.io/mastodon/follow/109262826617293067?domain=https%3A%2F%2Ffosstodon.org&style=social)](https://fosstodon.org/@nlnetlabs)
Unbound is a validating, recursive, caching DNS resolver. It is designed to be
fast and lean and incorporates modern features based on open standards. If you

21
contrib/unbound/cachedb/cachedb.c
View File

@ -390,6 +390,15 @@ prep_data(struct module_qstate* qstate, struct sldns_buffer* buf)
if(!qstate->return_msg || !qstate->return_msg->rep)
return 0;
/* do not store failures like SERVFAIL in the cachedb, this avoids
* overwriting expired, valid, content with broken content. */
if(FLAGS_GET_RCODE(qstate->return_msg->rep->flags) !=
LDNS_RCODE_NOERROR &&
FLAGS_GET_RCODE(qstate->return_msg->rep->flags) !=
LDNS_RCODE_NXDOMAIN &&
FLAGS_GET_RCODE(qstate->return_msg->rep->flags) !=
LDNS_RCODE_YXDOMAIN)
return 0;
/* We don't store the reply if its TTL is 0 unless serve-expired is
* enabled. Such a reply won't be reusable and simply be a waste for
* the backend. It's also compatible with the default behavior of
@ -542,10 +551,16 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
verbose(VERB_ALGO, "cachedb msg expired");
/* If serve-expired is enabled, we still use an expired message
* setting the TTL to 0. */
if(qstate->env->cfg->serve_expired)
adjust = -1;
else
if(!qstate->env->cfg->serve_expired ||
(FLAGS_GET_RCODE(qstate->return_msg->rep->flags)
!= LDNS_RCODE_NOERROR &&
FLAGS_GET_RCODE(qstate->return_msg->rep->flags)
!= LDNS_RCODE_NXDOMAIN &&
FLAGS_GET_RCODE(qstate->return_msg->rep->flags)
!= LDNS_RCODE_YXDOMAIN))
return 0; /* message expired */
else
adjust = -1;
}
verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust);
adjust_msg_ttl(qstate->return_msg, adjust);

25
contrib/unbound/configure vendored
View File

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.17.0.
# Generated by GNU Autoconf 2.69 for unbound 1.17.1.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
#
@ -591,8 +591,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.17.0'
PACKAGE_STRING='unbound 1.17.0'
PACKAGE_VERSION='1.17.1'
PACKAGE_STRING='unbound 1.17.1'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
PACKAGE_URL=''
@ -1477,7 +1477,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.17.0 to adapt to many kinds of systems.
\`configure' configures unbound 1.17.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1543,7 +1543,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.17.0:";;
short | recursive ) echo "Configuration of unbound 1.17.1:";;
esac
cat <<\_ACEOF
@ -1785,7 +1785,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.17.0
unbound configure 1.17.1
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2494,7 +2494,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by unbound $as_me 1.17.0, which was
It was created by unbound $as_me 1.17.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2846,11 +2846,11 @@ UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=17
UNBOUND_VERSION_MICRO=0
UNBOUND_VERSION_MICRO=1
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=20
LIBUNBOUND_REVISION=21
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -2938,6 +2938,7 @@ LIBUNBOUND_AGE=1
# 1.16.2 had 9:18:1
# 1.16.3 had 9:19:1
# 1.17.0 had 9:20:1
# 1.17.1 had 9:21:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -22085,7 +22086,7 @@ _ACEOF
version=1.17.0
version=1.17.1
date=`date +'%b %e, %Y'`
@ -22604,7 +22605,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.17.0, which was
This file was extended by unbound $as_me 1.17.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -22670,7 +22671,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.17.0
unbound config.status 1.17.1
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"

5
contrib/unbound/configure.ac
View File

@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[17])
m4_define([VERSION_MICRO],[0])
m4_define([VERSION_MICRO],[1])
AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=20
LIBUNBOUND_REVISION=21
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -106,6 +106,7 @@ LIBUNBOUND_AGE=1
# 1.16.2 had 9:18:1
# 1.16.3 had 9:19:1
# 1.17.0 had 9:20:1
# 1.17.1 had 9:21:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary

5
contrib/unbound/contrib/unbound.service.in
View File

@ -42,9 +42,8 @@
[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
After=network-online.target
Before=nss-lookup.target
Wants=network-online.target nss-lookup.target
After=network.target
Before=network-online.target nss-lookup.target
[Install]
WantedBy=multi-user.target

9
contrib/unbound/daemon/cachedump.c
View File

@ -387,7 +387,7 @@ move_into_cache(struct ub_packed_rrset_key* k,
struct rrset_ref ref;
uint8_t* p;
ak = alloc_special_obtain(&worker->alloc);
ak = alloc_special_obtain(worker->alloc);
if(!ak) {
log_warn("error out of memory");
return 0;
@ -398,7 +398,7 @@ move_into_cache(struct ub_packed_rrset_key* k,
ak->rk.dname = (uint8_t*)memdup(k->rk.dname, k->rk.dname_len);
if(!ak->rk.dname) {
log_warn("error out of memory");
ub_packed_rrset_parsedelete(ak, &worker->alloc);
ub_packed_rrset_parsedelete(ak, worker->alloc);
return 0;
}
s = sizeof(*ad) + (sizeof(size_t) + sizeof(uint8_t*) +
@ -408,7 +408,7 @@ move_into_cache(struct ub_packed_rrset_key* k,
ad = (struct packed_rrset_data*)malloc(s);
if(!ad) {
log_warn("error out of memory");
ub_packed_rrset_parsedelete(ak, &worker->alloc);
ub_packed_rrset_parsedelete(ak, worker->alloc);
return 0;
}
p = (uint8_t*)ad;
@ -431,7 +431,8 @@ move_into_cache(struct ub_packed_rrset_key* k,
ref.key = ak;
ref.id = ak->id;
(void)rrset_cache_update(worker->env.rrset_cache, &ref,
&worker->alloc, *worker->env.now);
worker->alloc, *worker->env.now);
return 1;
}

91
contrib/unbound/daemon/daemon.c
View File

@ -488,6 +488,27 @@ static int daemon_get_shufport(struct daemon* daemon, int* shufport)
return avail;
}
/**
* Clear and delete per-worker alloc caches, and free memory maintained in
* superalloc.
* The rrset and message caches must be empty at the time of call.
* @param daemon: the daemon that maintains the alloc caches to be cleared.
*/
static void
daemon_clear_allocs(struct daemon* daemon)
{
int i;
for(i=0; i<daemon->num; i++) {
alloc_clear(daemon->worker_allocs[i]);
free(daemon->worker_allocs[i]);
}
free(daemon->worker_allocs);
daemon->worker_allocs = NULL;
alloc_clear_special(&daemon->superalloc);
}
/**
* Allocate empty worker structures. With backptr and thread-number,
* from 0..numthread initialised. Used as user arguments to new threads.
@ -540,6 +561,21 @@ daemon_create_workers(struct daemon* daemon)
/* the above is not ports/numthr, due to rounding */
fatal_exit("could not create worker");
}
/* create per-worker alloc caches if not reusing existing ones. */
if(!daemon->worker_allocs) {
daemon->worker_allocs = (struct alloc_cache**)calloc(
(size_t)daemon->num, sizeof(struct alloc_cache*));
if(!daemon->worker_allocs)
fatal_exit("could not allocate worker allocs");
for(i=0; i<daemon->num; i++) {
struct alloc_cache* alloc = calloc(1,
sizeof(struct alloc_cache));
if (!alloc)
fatal_exit("could not allocate worker alloc");
alloc_init(alloc, &daemon->superalloc, i);
daemon->worker_allocs[i] = alloc;
}
}
free(shufport);
}
@ -771,6 +807,7 @@ daemon_fork(struct daemon* daemon)
/* Shutdown SHM */
shm_main_shutdown(daemon);
daemon->reuse_cache = daemon->workers[0]->reuse_cache;
daemon->need_to_exit = daemon->workers[0]->need_to_exit;
}
@ -785,9 +822,16 @@ daemon_cleanup(struct daemon* daemon)
log_thread_set(NULL);
/* clean up caches because
* a) RRset IDs will be recycled after a reload, causing collisions
* b) validation config can change, thus rrset, msg, keycache clear */
slabhash_clear(&daemon->env->rrset_cache->table);
slabhash_clear(daemon->env->msg_cache);
* b) validation config can change, thus rrset, msg, keycache clear
*
* If we are trying to keep the cache as long as possible, we should
* defer the cleanup until we know whether the new configuration allows
* the reuse. (If we're exiting, cleanup should be done here). */
if(!daemon->reuse_cache || daemon->need_to_exit) {
slabhash_clear(&daemon->env->rrset_cache->table);
slabhash_clear(daemon->env->msg_cache);
}
daemon->old_num = daemon->num; /* save the current num */
local_zones_delete(daemon->local_zones);
daemon->local_zones = NULL;
respip_set_delete(daemon->respip_set);
@ -802,8 +846,13 @@ daemon_cleanup(struct daemon* daemon)
worker_delete(daemon->workers[i]);
free(daemon->workers);
daemon->workers = NULL;
/* Unless we're trying to keep the cache, worker alloc_caches should be
* cleared and freed here. We do this after deleting workers to
* guarantee that the alloc caches are valid throughout the lifetime
* of workers. */
if(!daemon->reuse_cache || daemon->need_to_exit)
daemon_clear_allocs(daemon);
daemon->num = 0;
alloc_clear_special(&daemon->superalloc);
#ifdef USE_DNSTAP
dt_delete(daemon->dtenv);
daemon->dtenv = NULL;
@ -900,8 +949,42 @@ daemon_delete(struct daemon* daemon)
void daemon_apply_cfg(struct daemon* daemon, struct config_file* cfg)
{
int new_num = cfg->num_threads?cfg->num_threads:1;
daemon->cfg = cfg;
config_apply(cfg);
/* If this is a reload and we deferred the decision on whether to
* reuse the alloc, RRset, and message caches, then check to see if
* it's safe to keep the caches:
* - changing the number of threads is obviously incompatible with
* keeping the per-thread alloc caches. It also means we have to
* clear RRset and message caches. (note that 'new_num' may be
* adjusted in daemon_create_workers, but for our purpose we can
* simply compare it with 'old_num'; if they are equal here,
* 'new_num' won't be adjusted to a different value than 'old_num').
* - changing RRset cache size effectively clears any remaining cache
* entries. We could keep their keys in alloc caches, but it would
* be more consistent with the sense of the change to clear allocs
* and free memory. To do so we also have to clear message cache.
* - only changing message cache size does not necessarily affect
* RRset or alloc cache. But almost all new subsequent queries will
* require recursive resolution anyway, so it doesn't help much to
* just keep RRset and alloc caches. For simplicity we clear/free
* the other two, too. */
if(daemon->worker_allocs &&
(new_num != daemon->old_num ||
!slabhash_is_size(daemon->env->msg_cache, cfg->msg_cache_size,
cfg->msg_cache_slabs) ||
!slabhash_is_size(&daemon->env->rrset_cache->table,
cfg->rrset_cache_size, cfg->rrset_cache_slabs)))
{
log_warn("cannot reuse caches due to critical config change");
slabhash_clear(&daemon->env->rrset_cache->table);
slabhash_clear(daemon->env->msg_cache);
daemon_clear_allocs(daemon);
}
if(!slabhash_is_size(daemon->env->msg_cache, cfg->msg_cache_size,
cfg->msg_cache_slabs)) {
slabhash_delete(daemon->env->msg_cache);

6
contrib/unbound/daemon/daemon.h
View File

@ -99,8 +99,12 @@ struct daemon {
void* listen_sslctx, *connect_sslctx;
/** num threads allocated */
int num;
/** num threads allocated in the previous config or 0 at first */
int old_num;
/** the worker entries */
struct worker** workers;
/** per-worker allocation cache */
struct alloc_cache **worker_allocs;
/** do we need to exit unbound (or is it only a reload?) */
int need_to_exit;
/** master random table ; used for port div between threads on reload*/
@ -140,6 +144,8 @@ struct daemon {
/** the dnscrypt environment */
struct dnsc_env* dnscenv;
#endif
/** reuse existing cache on reload if other conditions allow it. */
int reuse_cache;
};
/**

16
contrib/unbound/daemon/remote.c
View File

@ -105,8 +105,6 @@
/** what to put on statistics lines between var and value, ": " or "=" */
#define SQ "="
/** if true, inhibits a lot of =0 lines from the stats output */
static const int inhibit_zero = 1;
/** subtract timers and the values do not overflow or become negative */
static void
@ -684,8 +682,9 @@ do_stop(RES* ssl, struct worker* worker)
/** do the reload command */
static void
do_reload(RES* ssl, struct worker* worker)
do_reload(RES* ssl, struct worker* worker, int reuse_cache)
{
worker->reuse_cache = reuse_cache;
worker->need_to_exit = 0;
comm_base_exit(worker->base);
send_ok(ssl);
@ -920,7 +919,7 @@ print_hist(RES* ssl, struct ub_stats_info* s)
/** print extended stats */
static int
print_ext(RES* ssl, struct ub_stats_info* s)
print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero)
{
int i;
char nm[32];
@ -1129,7 +1128,7 @@ do_stats(RES* ssl, struct worker* worker, int reset)
return;
if(!print_hist(ssl, &total))
return;
if(!print_ext(ssl, &total))
if(!print_ext(ssl, &total, daemon->cfg->stat_inhibit_zero))
return;
}
}
@ -1963,6 +1962,8 @@ do_flush_name(RES* ssl, struct worker* w, char* arg)
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_PTR, LDNS_RR_CLASS_IN);
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SRV, LDNS_RR_CLASS_IN);
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_NAPTR, LDNS_RR_CLASS_IN);
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SVCB, LDNS_RR_CLASS_IN);
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_HTTPS, LDNS_RR_CLASS_IN);
free(nm);
send_ok(ssl);
@ -3029,8 +3030,11 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd,
if(cmdcmp(p, "stop", 4)) {
do_stop(ssl, worker);
return;
} else if(cmdcmp(p, "reload_keep_cache", 17)) {
do_reload(ssl, worker, 1);
return;
} else if(cmdcmp(p, "reload", 6)) {
do_reload(ssl, worker);
do_reload(ssl, worker, 0);
return;
} else if(cmdcmp(p, "stats_noreset", 13)) {
do_stats(ssl, worker, 0);

21
contrib/unbound/daemon/worker.c
View File

@ -133,7 +133,7 @@ worker_mem_report(struct worker* ATTR_UNUSED(worker),
rrset = slabhash_get_mem(&worker->env.rrset_cache->table);
infra = infra_get_mem(worker->env.infra_cache);
mesh = mesh_get_mem(worker->env.mesh);
ac = alloc_get_mem(&worker->alloc);
ac = alloc_get_mem(worker->alloc);
superac = alloc_get_mem(&worker->daemon->superalloc);
anch = anchors_get_mem(worker->env.anchors);
iter = 0;
@ -623,6 +623,14 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
if(worker->env.cfg->serve_expired_ttl &&
rep->serve_expired_ttl < timenow)
return 0;
/* Ignore expired failure answers */
if(FLAGS_GET_RCODE(rep->flags) !=
LDNS_RCODE_NOERROR &&
FLAGS_GET_RCODE(rep->flags) !=
LDNS_RCODE_NXDOMAIN &&
FLAGS_GET_RCODE(rep->flags) !=
LDNS_RCODE_YXDOMAIN)
return 0;
if(!rrset_array_lock(rep->ref, rep->rrset_count, 0))
return 0;
*is_expired_answer = 1;
@ -730,8 +738,6 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
goto bail_out;
}
} else {
/* We don't check the global ede as this is a warning, not
* an error */
if (*is_expired_answer == 1 &&
worker->env.cfg->ede_serve_expired && worker->env.cfg->ede) {
EDNS_OPT_LIST_APPEND_EDE(&edns->opt_list_out,
@ -2059,15 +2065,14 @@ worker_init(struct worker* worker, struct config_file *cfg,
}
server_stats_init(&worker->stats, cfg);
alloc_init(&worker->alloc, &worker->daemon->superalloc,
worker->thread_num);
alloc_set_id_cleanup(&worker->alloc, &worker_alloc_cleanup, worker);
worker->alloc = worker->daemon->worker_allocs[worker->thread_num];
alloc_set_id_cleanup(worker->alloc, &worker_alloc_cleanup, worker);
worker->env = *worker->daemon->env;
comm_base_timept(worker->base, &worker->env.now, &worker->env.now_tv);
worker->env.worker = worker;
worker->env.worker_base = worker->base;
worker->env.send_query = &worker_send_query;
worker->env.alloc = &worker->alloc;
worker->env.alloc = worker->alloc;
worker->env.outnet = worker->back;
worker->env.rnd = worker->rndstate;
/* If case prefetch is triggered, the corresponding mesh will clear
@ -2211,7 +2216,7 @@ worker_delete(struct worker* worker)
#endif /* USE_DNSTAP */
comm_base_delete(worker->base);
ub_randfree(worker->rndstate);
alloc_clear(&worker->alloc);
/* don't touch worker->alloc, as it's maintained in daemon */
regional_destroy(worker->env.scratch);
regional_destroy(worker->scratchpad);
free(worker);

4
contrib/unbound/daemon/worker.h
View File

@ -118,7 +118,7 @@ struct worker {
/** do we need to restart or quit (on signal) */
int need_to_exit;
/** allocation cache for this thread */
struct alloc_cache alloc;
struct alloc_cache *alloc;
/** per thread statistics */
struct ub_server_stats stats;
/** thread scratch regional */
@ -131,6 +131,8 @@ struct worker {
/** dnstap environment, changed for this thread */
struct dt_env dtenv;
#endif
/** reuse existing cache on reload if other conditions allow it. */
int reuse_cache;
};
/**

86
contrib/unbound/doc/Changelog
View File

@ -1,7 +1,93 @@
5 January 2023: Wouter
- Tag for 1.17.1 release.
2 January 2023: Wouter
- Fix windows compile for libunbound subprocess reap comm point closes.
- Update github workflows to use checkout v3.
14 December 2022: George
- Merge #569 from JINMEI Tatuya: add keep-cache option to
'unbound-control reload' to keep caches.
13 December 2022: George
- Expose 'statistics-inhibit-zero' as a configuration option; the
default value retains Unbound's behavior.
- Expose 'max-sent-count' as a configuration option; the
default value retains Unbound's behavior.
- Merge #461 from Christian Allred: Add max-query-restarts option.
Exposes an internal configuration but the default value retains
Unbound's behavior.
13 December 2022: Wouter
- Merge #808: Wrap Makefile script's directory variables in quotes.
- Fix to wrap Makefile scripts directory in quotes for uninstall.
1 December 2022: Wouter
- Fix #773: When used with systemd-networkd, unbound does not start
until systemd-networkd-wait-online.service times out.
30 November 2022: George
- Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
- Clear documentation for interactivity between the subnet module and
the serve-expired and prefetch configuration options.
30 November 2022: Wouter
- Fix #782: Segmentation fault in stats.c:404.
28 November 2022: Wouter
- Fix for the ignore of tcp events for closed comm points, preserve
the use after free protection features.
23 November 2022: Philip
- Merge #720 from jonathangray: fix use after free when
WSACreateEvent() fails.
22 November 2022: George
- Ignore expired error responses.
11 November 2022: Wouter
- Fix #779: [doc] Missing documention in ub_resolve_event() for
callback parameter was_ratelimited.
9 November 2022: George
- Complementary fix for distutils.sysconfig deprecation in Python 3.10
to commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
8 November 2022: Wouter
- Fix to ignore tcp events for closed comm points.
- Fix to make sure to not read again after a tcp comm point is closed.
- Fix #775: libunbound: subprocess reap causes parent process reap
to hang.
- iana portlist update.
21 October 2022: George
- Merge #767 from jonathangray: consistently use IPv4/IPv6 in
unbound.conf.5.
21 October 2022: Wouter
- Fix that cachedb does not store failures in the external cache.
18 October 2022: George
- Clarify the use of MAX_SENT_COUNT in the iterator code.
17 October 2022: Wouter
- testcode/dohclient sets log identity to its name.
14 October 2022: Wouter
- Merge #768 from fobser: Arithmetic on a pointer to void is a GNU
extension.
- In unit test, print python script name list correctly.
13 October 2022: Wouter
- Tag for 1.17.0 release. The code repository continues with 1.17.1.
11 October 2022: George
- Fix PROXYv2 header read for TCP connections when no proxied addresses
are provided.
7 October 2022: Wouter
- Tag for 1.17.0rc1 release.
7 October 2022: George
- Fix to stop possible loops in the tcp reuse code (write_wait list
and tcp_wait list). Based on analysis and patch from Prad Seniappan

2
contrib/unbound/doc/README
View File

@ -1,4 +1,4 @@
README for Unbound 1.17.0
README for Unbound 1.17.1
Copyright 2007 NLnet Labs
http://unbound.net

18
contrib/unbound/doc/example.conf.in
View File

@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.17.0.
# See unbound.conf(5) man page, version 1.17.1.
#
# this is a comment.
@ -35,9 +35,14 @@ server:
# statistics-cumulative: no
# enable extended statistics (query types, answer codes, status)
# printed from unbound-control. default off, because of speed.
# printed from unbound-control. Default off, because of speed.
# extended-statistics: no
# Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
# rpz-actions) from printing if their value is 0.
# Default on.
# statistics-inhibit-zero: yes
# number of threads to create. 1 disables threading.
# num-threads: 1
@ -173,6 +178,15 @@ server:
# a throwaway response (also timeouts) is received.
# outbound-msg-retry: 5
# Hard limit on the number of outgoing queries Unbound will make while
# resolving a name, making sure large NS sets do not loop.
# It resets on query restarts (e.g., CNAME) and referrals.
# max-sent-count: 32
# Hard limit on the number of times Unbound is allowed to restart a
# query upon encountering a CNAME record.
# max-query-restarts: 11
# msec for waiting for an unknown server to reply. Increase if you
# are behind a slow satellite link, to eg. 1128.
# unknown-server-time-limit: 376

4
contrib/unbound/doc/libunbound.3.in
View File

@ -1,4 +1,4 @@
.TH "libunbound" "3" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
.TH "libunbound" "3" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -44,7 +44,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.17.0 functions.
\- Unbound DNS validating resolver 1.17.1 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP

2
contrib/unbound/doc/unbound-anchor.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
.TH "unbound-anchor" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"

2
contrib/unbound/doc/unbound-checkconf.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
.TH "unbound-checkconf" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"

10
contrib/unbound/doc/unbound-control.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
.TH "unbound-control" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@ -54,6 +54,12 @@ Stop the server. The server daemon exits.
.B reload
Reload the server. This flushes the cache and reads the config file fresh.
.TP
.B reload_keep_cache
Reload the server but try to keep the RRset and message cache if
(re)configuration allows for it.
That means the caches sizes and the number of threads must not change between
reloads.
.TP
.B verbosity \fInumber
Change verbosity value for logging. Same values as \fBverbosity\fR keyword in
\fIunbound.conf\fR(5). This new setting lasts until the server is issued
@ -130,7 +136,7 @@ name specified.
.TP
.B flush \fIname
Remove the name from the cache. Removes the types
A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR.
A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR, SVCB and HTTPS.
Because that is fast to do. Other record types can be removed using
.B flush_type
or

2
contrib/unbound/doc/unbound-host.1.in
View File

@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
.TH "unbound\-host" "1" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"

4
contrib/unbound/doc/unbound.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
.TH "unbound" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.17.0.
\- Unbound DNS validating resolver 1.17.1.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]

36
contrib/unbound/doc/unbound.conf.5.in
View File

@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
.TH "unbound.conf" "5" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -112,6 +112,14 @@ If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
Default is off, because keeping track of more statistics takes time. The
counters are listed in \fIunbound\-control\fR(8).
.TP
.B statistics\-inhibit\-zero: \fI<yes or no>
If enabled, selected extended statistics with a value of 0 are inhibited from
printing with \fIunbound\-control\fR(8).
These are query types, query classes, query opcodes, answer rcodes
(except NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMPL, REFUSED) and
RPZ actions.
Default is on.
.TP
.B num\-threads: \fI<number>
The number of threads to create to serve clients. Use 1 for no threading.
.TP
@ -349,7 +357,7 @@ ip\-transparent option is also available.
The value of the Differentiated Services Codepoint (DSCP) in the
differentiated services field (DS) of the outgoing IP packet headers.
The field replaces the outdated IPv4 Type-Of-Service field and the
IPV6 traffic class field.
IPv6 traffic class field.
.TP
.B rrset\-cache\-size: \fI<number>
Number of bytes size of the RRset cache. Default is 4 megabytes.
@ -416,7 +424,7 @@ Enable or disable whether ip4 queries are answered or issued. Default is yes.
Enable or disable whether ip6 queries are answered or issued. Default is yes.
If disabled, queries are not answered on IPv6, and queries are not sent on
IPv6 to the internet nameservers. With this option you can disable the
ipv6 transport for sending DNS traffic, it does not impact the contents of
IPv6 transport for sending DNS traffic, it does not impact the contents of
the DNS traffic, which may have ip4 and ip6 addresses in it.
.TP
.B prefer\-ip4: \fI<yes or no>
@ -1671,7 +1679,7 @@ This specifies the action data for \fIresponse-ip\fR with action being
to redirect as specified by "\fIresource record string\fR". "Resource
record string" is similar to that of \fIaccess-control-tag-action\fR,
but it must be of either AAAA, A or CNAME types.
If the IP-netblock is an IPv6/IPV4 prefix, the record
If the IP-netblock is an IPv6/IPv4 prefix, the record
must be AAAA/A respectively, unless it is a CNAME (which can be used
for both versions of IP netblocks). If it is CNAME there must not be
more than one \fIresponse-ip-data\fR for the same IP-netblock.
@ -1820,6 +1828,21 @@ If a forward/stub zone is used, this is the number of retries per nameserver in
the zone.
Default is 5.
.TP 5
.B max\-sent\-count: \fI<number>
Hard limit on the number of outgoing queries Unbound will make while resolving
a name, making sure large NS sets do not loop.
Results in SERVFAIL when reached.
It resets on query restarts (e.g., CNAME) and referrals.
Default is 32.
.TP 5
.B max\-query\-restarts: \fI<number>
Hard limit on the number of times Unbound is allowed to restart a query upon
encountering a CNAME record.
Results in SERVFAIL when reached.
Changing this value needs caution as it can allow long CNAME chains to be
accepted, where Unbound needs to verify (resolve) each link individually.
Default is 11.
.TP 5
.B fast\-server\-permil: \fI<number>
Specify how many times out of 1000 to pick from the set of fastest servers.
0 turns the feature off. A value of 900 would pick from the fastest
@ -1853,7 +1876,7 @@ errors. Default is "no".
When the \fBval-log-level\fR option is also set to \fB2\fR, responses with
Extended DNS Errors concerning DNSSEC failures that are not served from cache,
will also contain a descriptive text message about the reason for the failure.
.TP
.TP 5
.B ede\-serve\-expired: \fI<yes or no>
If enabled, Unbound will attach an Extended DNS Error (RFC8914) Code 3 - Stale
Answer as EDNS0 option to the expired response. Note that this will not attach
@ -2358,6 +2381,9 @@ The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
configuration file. On top of that, for each query only 100 different subnets
are allowed to be stored for each address family. Exceeding that number, older
entries will be purged from cache.
.LP
This module does not interact with the \fBserve\-expired*\fR and
\fBprefetch:\fR options.
.TP
.B send\-client\-subnet: \fI<IP address>\fR
Send client source address to this authority. Append /num to indicate a

11
contrib/unbound/edns-subnet/subnetmod.c
View File

@ -204,6 +204,17 @@ subnetmod_init(struct module_env *env, int id)
}
alloc_init(&sn_env->alloc, NULL, 0);
env->modinfo[id] = (void*)sn_env;
/* Warn that serve-expired and prefetch do not work with the subnet
* module cache. */
if(env->cfg->serve_expired)
log_warn(
"subnetcache: serve-expired is set but not working "
"for data originating from the subnet module cache.");
if(env->cfg->prefetch)
log_warn(
"subnetcache: prefetch is set but not working "
"for data originating from the subnet module cache.");
/* Copy msg_cache settings */
sn_env->subnet_msg_cache = slabhash_create(env->cfg->msg_cache_slabs,
HASH_DEFAULT_STARTARRAY, env->cfg->msg_cache_size,

2
contrib/unbound/iterator/iter_utils.c
View File

@ -175,6 +175,8 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
iter_env->supports_ipv6 = cfg->do_ip6;
iter_env->supports_ipv4 = cfg->do_ip4;
iter_env->outbound_msg_retry = cfg->outbound_msg_retry;
iter_env->max_sent_count = cfg->max_sent_count;
iter_env->max_query_restarts = cfg->max_query_restarts;
return 1;
}

7
contrib/unbound/iterator/iterator.c
View File

@ -1314,7 +1314,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
/* We enforce a maximum number of query restarts. This is primarily a
* cheap way to prevent CNAME loops. */
if(iq->query_restart_count > MAX_RESTART_COUNT) {
if(iq->query_restart_count > ie->max_query_restarts) {
verbose(VERB_QUERY, "request has exceeded the maximum number"
" of query restarts with %d", iq->query_restart_count);
errinf(qstate, "request has exceeded the maximum number "
@ -2276,14 +2276,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->num_current_queries, iq->sent_count);
/* Make sure that we haven't run away */
/* FIXME: is this check even necessary? */
if(iq->referral_count > MAX_REFERRAL_COUNT) {
verbose(VERB_QUERY, "request has exceeded the maximum "
"number of referrrals with %d", iq->referral_count);
errinf(qstate, "exceeded the maximum of referrals");
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
if(iq->sent_count > MAX_SENT_COUNT) {
if(iq->sent_count > ie->max_sent_count) {
verbose(VERB_QUERY, "request has exceeded the maximum "
"number of sends with %d", iq->sent_count);
errinf(qstate, "exceeded the maximum number of sends");
@ -2630,7 +2629,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
* the original query is one that matched too, so we have
* caps_server+1 number of matching queries now */
if(iq->caps_server+1 >= naddr*3 ||
iq->caps_server*2+2 >= MAX_SENT_COUNT) {
iq->caps_server*2+2 >= (size_t)ie->max_sent_count) {
/* *2 on sentcount check because ipv6 may fail */
/* we're done, process the response */
verbose(VERB_ALGO, "0x20 fallback had %d responses "

10
contrib/unbound/iterator/iterator.h
View File

@ -63,12 +63,8 @@ struct rbtree_type;
/** max number of nxdomains allowed for target lookups for a query and
* its subqueries when fallback has kicked in */
#define MAX_TARGET_NX_FALLBACK (MAX_TARGET_NX*2)
/** max number of query restarts. Determines max number of CNAME chain. */
#define MAX_RESTART_COUNT 11
/** max number of referrals. Makes sure resolver does not run away */
#define MAX_REFERRAL_COUNT 130
/** max number of queries-sent-out. Make sure large NS set does not loop */
#define MAX_SENT_COUNT 32
/** max number of queries for which to perform dnsseclameness detection,
* (rrsigs missing detection) after that, just pick up that response */
#define DNSSEC_LAME_DETECT_COUNT 4
@ -145,6 +141,12 @@ struct iter_env {
/** number of retries on outgoing queries */
int outbound_msg_retry;
/** number of queries_sent */
int max_sent_count;
/** max number of query restarts to limit length of CNAME chain */
int max_query_restarts;
};
/**

1
contrib/unbound/libunbound/context.c
View File

@ -70,6 +70,7 @@ context_finalize(struct ub_ctx* ctx)
} else {
log_init(cfg->logfile, cfg->use_syslog, NULL);
}
ctx->pipe_pid = getpid();
cfg_apply_local_port_policy(cfg, 65536);
config_apply(cfg);
if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env))

6
contrib/unbound/libunbound/context.h
View File

@ -89,6 +89,12 @@ struct ub_ctx {
pid_t bg_pid;
/** tid of bg worker thread */
ub_thread_type bg_tid;
/** pid when pipes are created. This was the process when the
* setup was called. Helps with clean up, so we can tell after a fork
* which side of the fork the delete is on. */
pid_t pipe_pid;
/** when threaded, the worker that exists in the created thread. */
struct libworker* thread_worker;
/** do threading (instead of forking) for async resolution */
int dothread;

39
contrib/unbound/libunbound/libunbound.c
View File

@ -305,11 +305,31 @@ ub_ctx_delete(struct ub_ctx* ctx)
int do_stop = 1;
if(!ctx) return;
/* if the delete is called but it has forked, and before the fork
* the context was finalized, then the bg worker is not stopped
* from here. There is one worker, but two contexts that refer to
* it and only one should clean up, the one with getpid == pipe_pid.*/
if(ctx->created_bg && ctx->pipe_pid != getpid()) {
do_stop = 0;
#ifndef USE_WINSOCK
/* Stop events from getting deregistered, if the backend is
* epoll, the epoll fd is the same as the other process.
* That process should deregister them. */
if(ctx->qq_pipe->listen_com)
ctx->qq_pipe->listen_com->event_added = 0;
if(ctx->qq_pipe->res_com)
ctx->qq_pipe->res_com->event_added = 0;
if(ctx->rr_pipe->listen_com)
ctx->rr_pipe->listen_com->event_added = 0;
if(ctx->rr_pipe->res_com)
ctx->rr_pipe->res_com->event_added = 0;
#endif
}
/* see if bg thread is created and if threads have been killed */
/* no locks, because those may be held by terminated threads */
/* for processes the read pipe is closed and we see that on read */
#ifdef HAVE_PTHREAD
if(ctx->created_bg && ctx->dothread) {
if(ctx->created_bg && ctx->dothread && do_stop) {
if(pthread_kill(ctx->bg_tid, 0) == ESRCH) {
/* thread has been killed */
do_stop = 0;
@ -318,6 +338,23 @@ ub_ctx_delete(struct ub_ctx* ctx)
#endif /* HAVE_PTHREAD */
if(do_stop)
ub_stop_bg(ctx);
if(ctx->created_bg && ctx->pipe_pid != getpid() && ctx->thread_worker) {
/* This delete is happening from a different process. Delete
* the thread worker from this process memory space. The
* thread is not there to do so, so it is freed here. */
struct ub_event_base* evbase = comm_base_internal(
ctx->thread_worker->base);
libworker_delete_event(ctx->thread_worker);
ctx->thread_worker = NULL;
#ifdef USE_MINI_EVENT
ub_event_base_free(evbase);
#else
/* cannot event_base_free, because the epoll_fd cleanup
* in libevent could stop the original event_base in the
* other process from working. */
free(evbase);
#endif
}
libworker_delete_event(ctx->event_worker);
modstack_desetup(&ctx->mods, ctx->env);

1
contrib/unbound/libunbound/libworker.c
View File

@ -395,6 +395,7 @@ int libworker_bg(struct ub_ctx* ctx)
w = libworker_setup(ctx, 1, NULL);
if(!w) return UB_NOMEM;
w->is_bg_thread = 1;
ctx->thread_worker = w;
#ifdef ENABLE_LOCK_CHECKS
w->thread_num = 1; /* for nicer DEBUG checklocks */
#endif

3
contrib/unbound/libunbound/unbound-event.h
View File

@ -230,7 +230,7 @@ int ub_ctx_set_event(struct ub_ctx* ctx, struct event_base* base);
* @param callback: this is called on completion of the resolution.
* It is called as:
* void callback(void* mydata, int rcode, void* packet, int packet_len,
* int sec, char* why_bogus)
* int sec, char* why_bogus, int was_ratelimited)
* with mydata: the same as passed here, you may pass NULL,
* with rcode: 0 on no error, nonzero for mostly SERVFAIL situations,
* this is a DNS rcode.
@ -241,6 +241,7 @@ int ub_ctx_set_event(struct ub_ctx* ctx, struct event_base* base);
* with packet_len: length in bytes of the packet buffer.
* with sec: 0 if insecure, 1 if bogus, 2 if DNSSEC secure.
* with why_bogus: text string explaining why it is bogus (or NULL).
* with was_ratelimited: if the query was ratelimited.
* These point to buffers inside unbound; do not deallocate the packet or
* error string.
*

1
contrib/unbound/services/authzone.c
View File

@ -2756,6 +2756,7 @@ az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname,
== 0) {
msg->rep->rrsets[i]->rk.dname = newname;
msg->rep->rrsets[i]->rk.dname_len = newlen;
msg->rep->rrsets[i]->entry.hash = rrset_key_hash(&msg->rep->rrsets[i]->rk);
}
}
}

8
contrib/unbound/services/cache/dns.c vendored
View File

@ -636,6 +636,14 @@ tomsg(struct module_env* env, struct query_info* q, struct reply_info* r,
r->serve_expired_ttl < now) {
return NULL;
}
/* Ignore expired failure answers */
if(FLAGS_GET_RCODE(r->flags) !=
LDNS_RCODE_NOERROR &&
FLAGS_GET_RCODE(r->flags) !=
LDNS_RCODE_NXDOMAIN &&
FLAGS_GET_RCODE(r->flags) !=
LDNS_RCODE_YXDOMAIN)
return 0;
} else {
return NULL;
}

4
contrib/unbound/sldns/rrdef.h
View File

@ -196,8 +196,8 @@ enum sldns_enum_rr_type
LDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */
LDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */
LDNS_RR_TYPE_ZONEMD = 63, /* draft-ietf-dnsop-dns-zone-digest-12 */
LDNS_RR_TYPE_SVCB = 64, /* draft-ietf-dnsop-svcb-https-04 */
LDNS_RR_TYPE_HTTPS = 65, /* draft-ietf-dnsop-svcb-https-04 */
LDNS_RR_TYPE_SVCB = 64, /* draft-ietf-dnsop-svcb-https-04 */
LDNS_RR_TYPE_HTTPS = 65, /* draft-ietf-dnsop-svcb-https-04 */
LDNS_RR_TYPE_SPF = 99, /* RFC 4408 */

12
contrib/unbound/smallapp/unbound-control.c
View File

@ -102,6 +102,12 @@ usage(void)
printf(" stop stops the server\n");
printf(" reload reloads the server\n");
printf(" (this flushes data, stats, requestlist)\n");
printf(" reload_keep_cache reloads the server but tries to\n");
printf(" keep the RRset and message cache\n");
printf(" if (re)configuration allows for it.\n");
printf(" That means the caches sizes and\n");
printf(" the number of threads must not\n");
printf(" change between reloads.\n");
printf(" stats print statistics\n");
printf(" stats_noreset peek at statistics\n");
#ifdef HAVE_SHMGET
@ -180,8 +186,6 @@ usage(void)
#ifdef HAVE_SHMGET
/** what to put on statistics lines between var and value, ": " or "=" */
#define SQ "="
/** if true, inhibits a lot of =0 lines from the stats output */
static const int inhibit_zero = 1;
/** divide sum of timers to get average */
static void
timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
@ -316,7 +320,7 @@ static void print_hist(struct ub_stats_info* s)
}
/** print extended */
static void print_extended(struct ub_stats_info* s)
static void print_extended(struct ub_stats_info* s, int inhibit_zero)
{
int i;
char nm[16];
@ -439,7 +443,7 @@ static void do_stats_shm(struct config_file* cfg, struct ub_stats_info* stats,
if(cfg->stat_extended) {
print_mem(shm_stat, &stats[0]);
print_hist(stats);
print_extended(stats);
print_extended(stats, cfg->stat_inhibit_zero);
}
}
#endif /* HAVE_SHMGET */

5
contrib/unbound/testdata/09-unbound-control.tdir/conf.bad_credentials vendored Normal file
View File

@ -0,0 +1,5 @@
remote-control:
server-key-file: bad_server.key
server-cert-file: bad_server.pem
control-key-file: bad_control.key
control-cert-file: bad_control.pem

5
contrib/unbound/testdata/09-unbound-control.tdir/conf.spoofed_credentials vendored Normal file
View File

@ -0,0 +1,5 @@
remote-control:
server-key-file: unbound_server.key
server-cert-file: unbound_server.pem
control-key-file: bad_control.key
control-cert-file: bad_control.pem

181
contrib/unbound/testdata/cachedb_servfail_cname.crpl vendored Normal file
View File

@ -0,0 +1,181 @@
; config options
server:
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: no
minimal-responses: no
;serve-expired: yes
module-config: "cachedb iterator"
cachedb:
backend: "testframe"
secret-seed: "testvalue"
stub-zone:
name: "."
stub-addr: 193.0.14.129
CONFIG_END
SCENARIO_BEGIN Test cachedb store and servfail reply from cname.
; the servfail reply should not overwrite the cache contents.
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END
; a.gtld-servers.net.
RANGE_BEGIN 0 100
ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns2.example.com.
SECTION ADDITIONAL
ns2.example.com. IN A 1.2.3.5
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
foo.com. IN NS
SECTION AUTHORITY
foo.com. IN NS ns.example.com.
ENTRY_END
RANGE_END
; ns2.example.com.
RANGE_BEGIN 0 20
ADDRESS 1.2.3.5
ENTRY_BEGIN
MATCH opcode qname qtype
REPLY QR AA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. 10 IN A 1.2.3.4
ENTRY_END
RANGE_END
; ns2.example.com., now failing
RANGE_BEGIN 20 100
ADDRESS 1.2.3.5
ENTRY_BEGIN
MATCH opcode qname qtype
REPLY QR AA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. 10 IN CNAME foo.example.com.
ENTRY_END
ENTRY_BEGIN
MATCH opcode qname qtype
REPLY QR AA SERVFAIL
SECTION QUESTION
foo.example.com. IN A
ENTRY_END
ENTRY_BEGIN
MATCH opcode qname qtype
REPLY QR AA SERVFAIL
SECTION QUESTION
ns2.example.com. IN A
SECTION ANSWER
ENTRY_END
ENTRY_BEGIN
MATCH opcode qname qtype
REPLY QR AA SERVFAIL
SECTION QUESTION
ns2.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
RANGE_END
; get and entry in cache, to make it expired.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; get the answer for it
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. 10 IN A 1.2.3.4
ENTRY_END
; it is now expired
STEP 20 TIME_PASSES ELAPSE 20
; get a servfail in cache for the destination
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
foo.example.com. IN A
ENTRY_END
STEP 40 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
foo.example.com. IN A
ENTRY_END
; the query is now a CNAME to servfail.
; there is a valid, but expired, entry in cache.
STEP 50 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 60 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. 10 IN CNAME foo.example.com.
ENTRY_END
SCENARIO_END

130
contrib/unbound/testdata/serve_expired_cached_servfail.rpl vendored Normal file
View File

@ -0,0 +1,130 @@
; config options
server:
module-config: "validator iterator"
qname-minimisation: "no"
minimal-responses: no
serve-expired: yes
serve-expired-reply-ttl: 123
log-servfail: yes
ede: yes
ede-serve-expired: yes
stub-zone:
name: "example.com"
stub-addr: 1.2.3.4
CONFIG_END
SCENARIO_BEGIN Test serve-expired with client-timeout and a SERVFAIL upstream reply
; Scenario overview:
; - query for example.com. IN A
; - answer from upstream is SERVFAIL; will be cached for NORR_TTL(5)
; - check that the client gets the SERVFAIL; also cached
; - query again right after the TTL expired
; - cached SERVFAIL should be ignored and upstream queried
; - check that we get the correct answer
; ns.example.com.
RANGE_BEGIN 0 20
ADDRESS 1.2.3.4
; response to A query
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA SERVFAIL
SECTION QUESTION
example.com. IN A
ENTRY_END
RANGE_END
; ns.example.com.
RANGE_BEGIN 30 100
ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. 10 IN NS
SECTION ANSWER
example.com. 10 IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. 10 IN A 1.2.3.4
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION ANSWER
example.com. 10 IN A 5.6.7.8
SECTION AUTHORITY
example.com. 10 IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. 10 IN A 1.2.3.4
ENTRY_END
RANGE_END
; Query with RD flag
STEP 0 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
example.com. IN A
ENTRY_END
; Check that we get the SERVFAIL (will be cached)
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
example.com. IN A
ENTRY_END
; Query again
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
example.com. IN A
ENTRY_END
; Check that we get the cached SERVFAIL
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
example.com. IN A
ENTRY_END
; Wait for the SERVFAIL to expire
STEP 31 TIME_PASSES ELAPSE 6
; Query again
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
example.com. IN A
ENTRY_END
; Check that we got the correct answer
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ttl
REPLY QR RD RA NOERROR
SECTION QUESTION
example.com. IN A
SECTION ANSWER
example.com. 10 IN A 5.6.7.8
SECTION AUTHORITY
example.com. 10 IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. 10 IN A 1.2.3.4
ENTRY_END
SCENARIO_END

167
contrib/unbound/testdata/subnet_cached_servfail.crpl vendored Normal file
View File

@ -0,0 +1,167 @@
; Check if an expired SERVFAIL answer stored in the global cache does not block
; ECS queries to reach the ECS cache.
server:
trust-anchor-signaling: no
target-fetch-policy: "0 0 0 0 0"
send-client-subnet: 1.2.3.4
max-client-subnet-ipv4: 21
module-config: "subnetcache iterator"
verbosity: 3
access-control: 127.0.0.1 allow_snoop
qname-minimisation: no
minimal-responses: no
serve-expired: yes
prefetch: yes
stub-zone:
name: "example.com."
stub-addr: 1.2.3.4
CONFIG_END
SCENARIO_BEGIN Test that expired SERVFAIL in global cache does not block clients to reach the ECS cache
; ns.example.com.
RANGE_BEGIN 0 10
ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR SERVFAIL
SECTION QUESTION
www.example.com. IN A
ENTRY_END
RANGE_END
; ns.example.com.
RANGE_BEGIN 11 100
ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname ednsdata
ADJUST copy_id copy_ednsdata_assume_clientsubnet
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. 10 IN A 10.20.30.40
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
; client is 127.0.0.1
00 08 ; OPC
00 05 ; option length
00 01 ; Family
08 00 ; source mask, scopemask
7f ; address
HEX_EDNSDATA_END
ns.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; This answer should be in the global cache
STEP 2 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; Bring the cached SERVFAIL to prefetch time
STEP 10 TIME_PASSES ELAPSE 5
STEP 11 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 08 00 05 ; OPC, optlen
00 01 08 00 ; ip4, source 8, scope 0
7f ; 127.0.0.0/8
HEX_EDNSDATA_END
ENTRY_END
; This answer was cached but a prefetch was triggerred
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR RD RA SERVFAIL
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; Wait for the SERVFAIL to expire
STEP 13 TIME_PASSES ELAPSE 2
; Query again to verify that the record was prefetched and stored in the ECS
; cache (because the server replied with ECS this time)
STEP 14 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 08 00 05 ; OPC, optlen
00 01 08 00 ; ip4, source 8, scope 0
7f ; 127.0.0.0/8
HEX_EDNSDATA_END
ENTRY_END
; This record came from the ECS cache
STEP 15 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ttl
REPLY QR RD RA DO NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. 8 IN A 10.20.30.40
SECTION AUTHORITY
example.com. 3598 IN NS ns.example.com.
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 08 00 05 ; OPC, optlen
00 01 08 08 ; ip4, source 8, scope 0
7f ; 127.0.0.0/8
HEX_EDNSDATA_END
ns.example.com. 3598 IN A 1.2.3.4
ENTRY_END
SCENARIO_END

9
contrib/unbound/util/config_file.c
View File

@ -99,6 +99,7 @@ config_create(void)
cfg->stat_interval = 0;
cfg->stat_cumulative = 0;
cfg->stat_extended = 0;
cfg->stat_inhibit_zero = 1;
cfg->num_threads = 1;
cfg->port = UNBOUND_DNS_PORT;
cfg->do_ip4 = 1;
@ -336,6 +337,8 @@ config_create(void)
cfg->ip_ratelimit_backoff = 0;
cfg->ratelimit_backoff = 0;
cfg->outbound_msg_retry = 5;
cfg->max_sent_count = 32;
cfg->max_query_restarts = 11;
cfg->qname_minimisation = 1;
cfg->qname_minimisation_strict = 0;
cfg->shm_enable = 0;
@ -516,6 +519,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_YNO("use-syslog:", use_syslog)
else S_STR("log-identity:", log_identity)
else S_YNO("extended-statistics:", stat_extended)
else S_YNO("statistics-inhibit-zero:", stat_inhibit_zero)
else S_YNO("statistics-cumulative:", stat_cumulative)
else S_YNO("shm-enable:", shm_enable)
else S_NUMBER_OR_ZERO("shm-key:", shm_key)
@ -778,6 +782,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_YNO("ip-ratelimit-backoff:", ip_ratelimit_backoff)
else S_YNO("ratelimit-backoff:", ratelimit_backoff)
else S_NUMBER_NONZERO("outbound-msg-retry:", outbound_msg_retry)
else S_NUMBER_NONZERO("max-sent-count:", max_sent_count)
else S_NUMBER_NONZERO("max-query-restarts:", max_query_restarts)
else S_SIZET_NONZERO("fast-server-num:", fast_server_num)
else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil)
else S_YNO("qname-minimisation:", qname_minimisation)
@ -996,6 +1002,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_DEC(opt, "statistics-interval", stat_interval)
else O_YNO(opt, "statistics-cumulative", stat_cumulative)
else O_YNO(opt, "extended-statistics", stat_extended)
else O_YNO(opt, "statistics-inhibit-zero", stat_inhibit_zero)
else O_YNO(opt, "shm-enable", shm_enable)
else O_DEC(opt, "shm-key", shm_key)
else O_YNO(opt, "use-syslog", use_syslog)
@ -1238,6 +1245,8 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "ip-ratelimit-backoff", ip_ratelimit_backoff)
else O_YNO(opt, "ratelimit-backoff", ratelimit_backoff)
else O_UNS(opt, "outbound-msg-retry", outbound_msg_retry)
else O_UNS(opt, "max-sent-count", max_sent_count)
else O_UNS(opt, "max-query-restarts", max_query_restarts)
else O_DEC(opt, "fast-server-num", fast_server_num)
else O_DEC(opt, "fast-server-permil", fast_server_permil)
else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)

7
contrib/unbound/util/config_file.h
View File

@ -76,6 +76,8 @@ struct config_file {
int stat_cumulative;
/** if true, the statistics are kept in greater detail */
int stat_extended;
/** if true, inhibits a lot of =0 lines from the extended stats output */
int stat_inhibit_zero;
/** number of threads to create */
int num_threads;
@ -608,6 +610,11 @@ struct config_file {
/** number of retries on outgoing queries */
int outbound_msg_retry;
/** max sent queries per qstate; resets on query restarts (e.g.,
* CNAMES) and referrals */
int max_sent_count;
/** max number of query restarts; determines max length of CNAME chain */
int max_query_restarts;
/** minimise outgoing QNAME and hide original QTYPE if possible */
int qname_minimisation;
/** minimise QNAME in strict mode, minimise according to RFC.

3
contrib/unbound/util/configlexer.lex
View File

@ -439,6 +439,7 @@ insecure-lan-zones{COLON} { YDVAR(1, VAR_INSECURE_LAN_ZONES) }
statistics-interval{COLON} { YDVAR(1, VAR_STATISTICS_INTERVAL) }
statistics-cumulative{COLON} { YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
extended-statistics{COLON} { YDVAR(1, VAR_EXTENDED_STATISTICS) }
statistics-inhibit-zero{COLON} { YDVAR(1, VAR_STATISTICS_INHIBIT_ZERO) }
shm-enable{COLON} { YDVAR(1, VAR_SHM_ENABLE) }
shm-key{COLON} { YDVAR(1, VAR_SHM_KEY) }
remote-control{COLON} { YDVAR(0, VAR_REMOTE_CONTROL) }
@ -515,6 +516,8 @@ ratelimit-factor{COLON} { YDVAR(1, VAR_RATELIMIT_FACTOR) }
ip-ratelimit-backoff{COLON} { YDVAR(1, VAR_IP_RATELIMIT_BACKOFF) }
ratelimit-backoff{COLON} { YDVAR(1, VAR_RATELIMIT_BACKOFF) }
outbound-msg-retry{COLON} { YDVAR(1, VAR_OUTBOUND_MSG_RETRY) }
max-sent-count{COLON} { YDVAR(1, VAR_MAX_SENT_COUNT) }
max-query-restarts{COLON} { YDVAR(1, VAR_MAX_QUERY_RESTARTS) }
low-rtt{COLON} { YDVAR(1, VAR_LOW_RTT) }
fast-server-num{COLON} { YDVAR(1, VAR_FAST_SERVER_NUM) }
low-rtt-pct{COLON} { YDVAR(1, VAR_FAST_SERVER_PERMIL) }

34
contrib/unbound/util/configparser.y
View File

@ -140,7 +140,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_DISABLE_DNSSEC_LAME_CHECK
%token VAR_IP_RATELIMIT VAR_IP_RATELIMIT_SLABS VAR_IP_RATELIMIT_SIZE
%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
%token VAR_OUTBOUND_MSG_RETRY
%token VAR_OUTBOUND_MSG_RETRY VAR_MAX_SENT_COUNT VAR_MAX_QUERY_RESTARTS
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN
%token VAR_IP_RATELIMIT_FACTOR VAR_RATELIMIT_FACTOR
%token VAR_IP_RATELIMIT_BACKOFF VAR_RATELIMIT_BACKOFF
@ -193,7 +193,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_RPZ_SIGNAL_NXDOMAIN_RA VAR_INTERFACE_AUTOMATIC_PORTS VAR_EDE
%token VAR_INTERFACE_ACTION VAR_INTERFACE_VIEW VAR_INTERFACE_TAG
%token VAR_INTERFACE_TAG_ACTION VAR_INTERFACE_TAG_DATA
%token VAR_PROXY_PROTOCOL_PORT
%token VAR_PROXY_PROTOCOL_PORT VAR_STATISTICS_INHIBIT_ZERO
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -282,6 +282,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_ratelimit_below_domain | server_ratelimit_factor |
server_ip_ratelimit_factor | server_ratelimit_backoff |
server_ip_ratelimit_backoff | server_outbound_msg_retry |
server_max_sent_count | server_max_query_restarts |
server_send_client_subnet | server_client_subnet_zone |
server_client_subnet_always_forward | server_client_subnet_opcode |
server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 |
@ -322,7 +323,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_zonemd_permissive_mode | server_max_reuse_tcp_queries |
server_tcp_reuse_timeout | server_tcp_auth_query_timeout |
server_interface_automatic_ports | server_ede |
server_proxy_protocol_port
server_proxy_protocol_port | server_statistics_inhibit_zero
;
stubstart: VAR_STUB_ZONE
{
@ -554,6 +555,15 @@ server_extended_statistics: VAR_EXTENDED_STATISTICS STRING_ARG
free($2);
}
;
server_statistics_inhibit_zero: VAR_STATISTICS_INHIBIT_ZERO STRING_ARG
{
OUTYY(("P(server_statistics_inhibit_zero:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->stat_inhibit_zero = (strcmp($2, "yes")==0);
free($2);
}
;
server_shm_enable: VAR_SHM_ENABLE STRING_ARG
{
OUTYY(("P(server_shm_enable:%s)\n", $2));
@ -2636,6 +2646,24 @@ server_outbound_msg_retry: VAR_OUTBOUND_MSG_RETRY STRING_ARG
free($2);
}
;
server_max_sent_count: VAR_MAX_SENT_COUNT STRING_ARG
{
OUTYY(("P(server_max_sent_count:%s)\n", $2));
if(atoi($2) == 0 && strcmp($2, "0") != 0)
yyerror("number expected");
else cfg_parser->cfg->max_sent_count = atoi($2);
free($2);
}
;
server_max_query_restarts: VAR_MAX_QUERY_RESTARTS STRING_ARG
{
OUTYY(("P(server_max_query_restarts:%s)\n", $2));
if(atoi($2) == 0 && strcmp($2, "0") != 0)
yyerror("number expected");
else cfg_parser->cfg->max_query_restarts = atoi($2);
free($2);
}
;
server_low_rtt: VAR_LOW_RTT STRING_ARG
{
OUTYY(("P(low-rtt option is deprecated, use fast-server-num instead)\n"));

1
contrib/unbound/util/iana_ports.inc
View File

@ -4840,6 +4840,7 @@
8403,
8416,
8417,
8433,
8442,
8443,
8444,

30
contrib/unbound/util/netevent.c
View File

@ -810,7 +810,7 @@ static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep,
/* We are reading a whole packet;
* Move the rest of the data to overwrite the PROXYv2 header */
/* XXX can we do better to avoid memmove? */
memmove(header, ((void*)header)+size,
memmove(header, ((char*)header)+size,
sldns_buffer_limit(buf)-size);
sldns_buffer_set_limit(buf, sldns_buffer_limit(buf)-size);
}
@ -2545,8 +2545,9 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c)
return 1;
}
/** read again to drain buffers when there could be more to read */
static void
/** read again to drain buffers when there could be more to read, returns 0
* on failure which means the comm point is closed. */
static int
tcp_req_info_read_again(int fd, struct comm_point* c)
{
while(c->tcp_req_info->read_again) {
@ -2563,9 +2564,10 @@ tcp_req_info_read_again(int fd, struct comm_point* c)
(void)(*c->callback)(c, c->cb_arg,
NETEVENT_CLOSED, NULL);
}
return;
return 0;
}
}
return 1;
}
/** read again to drain buffers when there could be more to read */
@ -2623,6 +2625,9 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg)
log_assert(c->type == comm_tcp);
ub_comm_base_now(c->ev->base);
if(c->fd == -1 || c->fd != fd)
return; /* duplicate event, but commpoint closed. */
#ifdef USE_DNSCRYPT
/* Initialize if this is a dnscrypt socket */
if(c->tcp_parent) {
@ -2671,8 +2676,10 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg)
}
return;
}
if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again)
tcp_req_info_read_again(fd, c);
if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again) {
if(!tcp_req_info_read_again(fd, c))
return;
}
if(moreread && *moreread)
tcp_more_read_again(fd, c);
return;
@ -2690,8 +2697,10 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg)
}
return;
}
if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again)
tcp_req_info_read_again(fd, c);
if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again) {
if(!tcp_req_info_read_again(fd, c))
return;
}
if(morewrite && *morewrite)
tcp_more_write_again(fd, c);
return;
@ -4488,6 +4497,11 @@ comm_point_close(struct comm_point* c)
tcp_req_info_clear(c->tcp_req_info);
if(c->h2_session)
http2_session_server_delete(c->h2_session);
/* stop the comm point from reading or writing after it is closed. */
if(c->tcp_more_read_again && *c->tcp_more_read_again)
*c->tcp_more_read_again = 0;
if(c->tcp_more_write_again && *c->tcp_more_write_again)
*c->tcp_more_write_again = 0;
/* close fd after removing from event lists, or epoll.. is messed up */
if(c->fd != -1 && !c->do_not_close) {

53
contrib/unbound/util/tube.c
View File

@ -45,6 +45,9 @@
#include "util/netevent.h"
#include "util/fptr_wlist.h"
#include "util/ub_event.h"
#ifdef HAVE_POLL_H
#include <poll.h>
#endif
#ifndef USE_WINSOCK
/* on unix */
@ -396,20 +399,28 @@ int tube_read_msg(struct tube* tube, uint8_t** buf, uint32_t* len,
return 1;
}
/** perform a select() on the fd */
/** perform poll() on the fd */
static int
pollit(int fd, struct timeval* t)
{
fd_set r;
struct pollfd fds;
int pret;
int msec = -1;
memset(&fds, 0, sizeof(fds));
fds.fd = fd;
fds.events = POLLIN | POLLERR | POLLHUP;
#ifndef S_SPLINT_S
FD_ZERO(&r);
FD_SET(FD_SET_T fd, &r);
if(t)
msec = t->tv_sec*1000 + t->tv_usec/1000;
#endif
if(select(fd+1, &r, NULL, NULL, t) == -1) {
pret = poll(&fds, 1, msec);
if(pret == -1)
return 0;
}
errno = 0;
return (int)(FD_ISSET(fd, &r));
if(pret != 0)
return 1;
return 0;
}
int tube_poll(struct tube* tube)
@ -426,24 +437,27 @@ int tube_wait(struct tube* tube)
int tube_wait_timeout(struct tube* tube, int msec)
{
struct timeval t;
int fd = tube->sr;
fd_set r;
t.tv_sec = msec/1000;
t.tv_usec = (msec%1000)*1000;
#ifndef S_SPLINT_S
FD_ZERO(&r);
FD_SET(FD_SET_T fd, &r);
#endif
int ret = 0;
while(1) {
if(select(fd+1, &r, NULL, NULL, &t) == -1) {
struct pollfd fds;
memset(&fds, 0, sizeof(fds));
fds.fd = tube->sr;
fds.events = POLLIN | POLLERR | POLLHUP;
ret = poll(&fds, 1, msec);
if(ret == -1) {
if(errno == EAGAIN || errno == EINTR)
continue;
return -1;
}
break;
}
return (int)(FD_ISSET(fd, &r));
if(ret != 0)
return 1;
return 0;
}
int tube_read_fd(struct tube* tube)
@ -529,6 +543,7 @@ struct tube* tube_create(void)
if(tube->event == WSA_INVALID_EVENT) {
free(tube);
log_err("WSACreateEvent: %s", wsa_strerror(WSAGetLastError()));
return NULL;
}
if(!WSAResetEvent(tube->event)) {
log_err("WSAResetEvent: %s", wsa_strerror(WSAGetLastError()));

204
usr.sbin/unbound/config.h
View File

@ -21,7 +21,7 @@
#define CONFCMDLINE "--with-ssl=/usr --with-libexpat=/usr --disable-dnscrypt --disable-dnstap --enable-ecdsa --disable-event-api --enable-gost --with-libevent --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads--prefix=/usr --localstatedir=/var/unbound --mandir=/usr/share/man --build=freebsd"
/* Pathname to the Unbound configuration file */
#define CONFIGFILE "/var/unbound/unbound.conf"
#define CONFIGFILE "/usr/local/etc/unbound/unbound.conf"
/* Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work
*/
@ -30,6 +30,12 @@
/* Whether daemon is deprecated */
/* #undef DEPRECATED_DAEMON */
/* Deprecate RSA 1024 bit length, makes that an unsupported key */
/* #undef DEPRECATE_RSA_1024 */
/* Deprecate RSA 1024 bit length, makes that an unsupported key */
/* #undef DEPRECATE_RSA_1024 */
/* Define this to enable kernel based UDP source port randomization. */
/* #undef DISABLE_EXPLICIT_PORT_RANDOMISATION */
@ -71,6 +77,12 @@
/* If we have be64toh */
/* #undef HAVE_BE64TOH */
/* Define to 1 if you have the `BIO_set_callback_ex' function. */
/* #undef HAVE_BIO_SET_CALLBACK_EX */
/* Define to 1 if you have the `BIO_set_callback_ex' function. */
/* #undef HAVE_BIO_SET_CALLBACK_EX */
/* Define to 1 if you have the <bsd/stdlib.h> header file. */
/* #undef HAVE_BSD_STDLIB_H */
@ -105,7 +117,7 @@
/* Define to 1 if you have the declaration of `evsignal_assign', and to 0 if
you don't. */
/* #undef HAVE_DECL_EVSIGNAL_ASSIGN */
#define HAVE_DECL_EVSIGNAL_ASSIGN 1
/* Define to 1 if you have the declaration of `inet_ntop', and to 0 if you
don't. */
@ -218,6 +230,15 @@
/* Define to 1 if you have the `EVP_cleanup' function. */
/* #undef HAVE_EVP_CLEANUP */
/* Define to 1 if you have the `EVP_default_properties_is_fips_enabled'
function. */
/* #undef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED */
/* Define to 1 if you have the `EVP_default_properties_is_fips_enabled'
function. */
/* #undef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED */
/* Define to 1 if you have the `EVP_DigestVerify' function. */
#define HAVE_EVP_DIGESTVERIFY 1
@ -290,6 +311,12 @@
/* Define to 1 if you have the `getrlimit' function. */
#define HAVE_GETRLIMIT 1
/* Define to 1 if you have the `gettid' function. */
/* #undef HAVE_GETTID */
/* Define to 1 if you have the `gettid' function. */
/* #undef HAVE_GETTID */
/* Define to 1 if you have the `glob' function. */
#define HAVE_GLOB 1
@ -314,6 +341,12 @@
/* Define to 1 if you have the <ifaddrs.h> header file. */
#define HAVE_IFADDRS_H 1
/* Define to 1 if you have the `if_nametoindex' function. */
#define HAVE_IF_NAMETOINDEX 1
/* Define to 1 if you have the `if_nametoindex' function. */
#define HAVE_IF_NAMETOINDEX 1
/* Define to 1 if you have the `inet_aton' function. */
#define HAVE_INET_ATON 1
@ -362,8 +395,8 @@
/* Define to 1 if you have the `memmove' function. */
#define HAVE_MEMMOVE 1
/* Define to 1 if you have the <memory.h> header file. */
#define HAVE_MEMORY_H 1
/* Define to 1 if you have the <minix/config.h> header file. */
/* #undef HAVE_MINIX_CONFIG_H */
/* Define to 1 if you have the <netdb.h> header file. */
#define HAVE_NETDB_H 1
@ -374,6 +407,9 @@
/* Define to 1 if you have the <netinet/tcp.h> header file. */
#define HAVE_NETINET_TCP_H 1
/* Define to 1 if you have the <netioapi.h> header file. */
/* #undef HAVE_NETIOAPI_H */
/* Use libnettle for crypto */
/* #undef HAVE_NETTLE */
@ -428,6 +464,9 @@
/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
#define HAVE_OPENSSL_INIT_SSL 1
/* Define to 1 if you have the <openssl/param_build.h> header file. */
/* #undef HAVE_OPENSSL_PARAM_BUILD_H */
/* Define to 1 if you have the <openssl/rand.h> header file. */
#define HAVE_OPENSSL_RAND_H 1
@ -437,6 +476,15 @@
/* Define to 1 if you have the <openssl/ssl.h> header file. */
#define HAVE_OPENSSL_SSL_H 1
/* Define to 1 if you have the `OSSL_PARAM_BLD_new' function. */
/* #undef HAVE_OSSL_PARAM_BLD_NEW */
/* Define to 1 if you have the `poll' function. */
#define HAVE_POLL 1
/* Define to 1 if you have the <poll.h> header file. */
#define HAVE_POLL_H 1
/* Define if you have POSIX threads libraries and header files. */
#define HAVE_PTHREAD 1
@ -518,6 +566,9 @@
/* Define if you have the SSL libraries installed. */
#define HAVE_SSL /**/
/* Define to 1 if you have the `SSL_CTX_set_alpn_protos' function. */
#define HAVE_SSL_CTX_SET_ALPN_PROTOS 1
/* Define to 1 if you have the `SSL_CTX_set_alpn_select_cb' function. */
#define HAVE_SSL_CTX_SET_ALPN_SELECT_CB 1
@ -531,9 +582,15 @@
function. */
/* #undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB */
/* Define to 1 if you have the `SSL_get0_alpn_selected' function. */
#define HAVE_SSL_GET0_ALPN_SELECTED 1
/* Define to 1 if you have the `SSL_get0_peername' function. */
#define HAVE_SSL_GET0_PEERNAME 1
/* Define to 1 if you have the `SSL_get1_peer_certificate' function. */
/* #undef HAVE_SSL_GET1_PEER_CERTIFICATE */
/* Define to 1 if you have the `SSL_set1_host' function. */
#define HAVE_SSL_SET1_HOST 1
@ -546,6 +603,9 @@
/* Define to 1 if you have the <stdint.h> header file. */
#define HAVE_STDINT_H 1
/* Define to 1 if you have the <stdio.h> header file. */
#define HAVE_STDIO_H 1
/* Define to 1 if you have the <stdlib.h> header file. */
#define HAVE_STDLIB_H 1
@ -648,6 +708,9 @@
/* Define to 1 if you have the <vfork.h> header file. */
/* #undef HAVE_VFORK_H */
/* Define to 1 if you have the <wchar.h> header file. */
#define HAVE_WCHAR_H 1
/* Define to 1 if you have the <windows.h> header file. */
/* #undef HAVE_WINDOWS_H */
@ -731,7 +794,7 @@
#define PACKAGE_NAME "unbound"
/* Define to the full name and version of this package. */
#define PACKAGE_STRING "unbound 1.17.0"
#define PACKAGE_STRING "unbound 1.17.1"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "unbound"
@ -740,7 +803,7 @@
#define PACKAGE_URL ""
/* Define to the version of this package. */
#define PACKAGE_VERSION "1.17.0"
#define PACKAGE_VERSION "1.17.1"
/* default pidfile location */
#define PIDFILE "/var/unbound/unbound.pid"
@ -749,7 +812,8 @@
your system. */
/* #undef PTHREAD_CREATE_JOINABLE */
/* Define as the return type of signal handlers (`int' or `void'). */
/* Return type of signal handlers, but autoconf 2.70 says 'your code may
safely assume C89 semantics that RETSIGTYPE is void.' */
#define RETSIGTYPE void
/* if REUSEPORT is enabled by default */
@ -762,7 +826,7 @@
#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
/* version number for resource files */
#define RSRC_PACKAGE_VERSION 1,17,0,0
#define RSRC_PACKAGE_VERSION 1,17,1,0
/* Directory to chdir to */
#define RUN_DIR "/var/unbound"
@ -770,11 +834,17 @@
/* Shared data */
#define SHARE_DIR "/var/unbound"
/* The size of `size_t'. */
#ifdef __LP64__
/* The size of `size_t', as computed by sizeof. */
#define SIZEOF_SIZE_T 8
/* The size of `size_t'. */
/* The size of `pthread_t', as computed by sizeof. */
#define SIZEOF_PTHREAD_T 8
#else
#define SIZEOF_SIZE_T 4
/* The size of `size_t'. */
/* The size of `pthread_t', as computed by sizeof. */
#define SIZEOF_PTHREAD_T 4
#endif
/* The size of `time_t', as computed by sizeof. */
@ -784,13 +854,22 @@
#define SIZEOF_TIME_T 8
#endif
/* The size of `unsigned long', as computed by sizeof. */
#ifdef __LP64__
#define SIZEOF_UNSIGNED_LONG 8
#else
#define SIZEOF_UNSIGNED_LONG 4
#endif
/* define if (v)snprintf does not return length needed, (but length used) */
/* #undef SNPRINTF_RET_BROKEN */
/* Define to 1 if libsodium supports sodium_set_misuse_handler */
/* #undef SODIUM_MISUSE_HANDLER */
/* Define to 1 if you have the ANSI C header files. */
/* Define to 1 if all of the C90 standard headers exist (not just the ones
required in a freestanding environment). This macro is provided for
backward compatibility; new code need not use it. */
#define STDC_HEADERS 1
/* use default strptime. */
@ -856,6 +935,14 @@
/* Define if you enable libevent */
#define USE_LIBEVENT 1
/* Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a
default outgoing port range. This is only for the libunbound on Linux and
does not affect unbound resolving daemon itself. This may severely limit
the number of available outgoing ports and thus decrease randomness. Define
this only when the target system restricts (e.g. some of SELinux enabled
distributions) the use of non-ephemeral ports. */
/* #undef USE_LINUX_IP_LOCAL_PORT_RANGE */
/* Define if you want to use internal select based events */
#define USE_MINI_EVENT 1
@ -878,21 +965,87 @@
#ifndef _ALL_SOURCE
# define _ALL_SOURCE 1
#endif
/* Enable general extensions on macOS. */
#ifndef _DARWIN_C_SOURCE
# define _DARWIN_C_SOURCE 1
#endif
/* Enable general extensions on Solaris. */
#ifndef __EXTENSIONS__
# define __EXTENSIONS__ 1
#endif
/* Enable GNU extensions on systems that have them. */
#ifndef _GNU_SOURCE
# define _GNU_SOURCE 1
#endif
/* Enable threading extensions on Solaris. */
/* Enable X/Open compliant socket functions that do not require linking
with -lxnet on HP-UX 11.11. */
#ifndef _HPUX_ALT_XOPEN_SOCKET_API
# define _HPUX_ALT_XOPEN_SOCKET_API 1
#endif
/* Identify the host operating system as Minix.
This macro does not affect the system headers' behavior.
A future release of Autoconf may stop defining this macro. */
#ifndef _MINIX
/* # undef _MINIX */
#endif
/* Enable general extensions on NetBSD.
Enable NetBSD compatibility extensions on Minix. */
#ifndef _NETBSD_SOURCE
# define _NETBSD_SOURCE 1
#endif
/* Enable OpenBSD compatibility extensions on NetBSD.
Oddly enough, this does nothing on OpenBSD. */
#ifndef _OPENBSD_SOURCE
# define _OPENBSD_SOURCE 1
#endif
/* Define to 1 if needed for POSIX-compatible behavior. */
#ifndef _POSIX_SOURCE
/* # undef _POSIX_SOURCE */
#endif
/* Define to 2 if needed for POSIX-compatible behavior. */
#ifndef _POSIX_1_SOURCE
/* # undef _POSIX_1_SOURCE */
#endif
/* Enable POSIX-compatible threading on Solaris. */
#ifndef _POSIX_PTHREAD_SEMANTICS
# define _POSIX_PTHREAD_SEMANTICS 1
#endif
/* Enable extensions specified by ISO/IEC TS 18661-5:2014. */
#ifndef __STDC_WANT_IEC_60559_ATTRIBS_EXT__
# define __STDC_WANT_IEC_60559_ATTRIBS_EXT__ 1
#endif
/* Enable extensions specified by ISO/IEC TS 18661-1:2014. */
#ifndef __STDC_WANT_IEC_60559_BFP_EXT__
# define __STDC_WANT_IEC_60559_BFP_EXT__ 1
#endif
/* Enable extensions specified by ISO/IEC TS 18661-2:2015. */
#ifndef __STDC_WANT_IEC_60559_DFP_EXT__
# define __STDC_WANT_IEC_60559_DFP_EXT__ 1
#endif
/* Enable extensions specified by ISO/IEC TS 18661-4:2015. */
#ifndef __STDC_WANT_IEC_60559_FUNCS_EXT__
# define __STDC_WANT_IEC_60559_FUNCS_EXT__ 1
#endif
/* Enable extensions specified by ISO/IEC TS 18661-3:2015. */
#ifndef __STDC_WANT_IEC_60559_TYPES_EXT__
# define __STDC_WANT_IEC_60559_TYPES_EXT__ 1
#endif
/* Enable extensions specified by ISO/IEC TR 24731-2:2010. */
#ifndef __STDC_WANT_LIB_EXT2__
# define __STDC_WANT_LIB_EXT2__ 1
#endif
/* Enable extensions specified by ISO/IEC 24747:2009. */
#ifndef __STDC_WANT_MATH_SPEC_FUNCS__
# define __STDC_WANT_MATH_SPEC_FUNCS__ 1
#endif
/* Enable extensions on HP NonStop. */
#ifndef _TANDEM_SOURCE
# define _TANDEM_SOURCE 1
#endif
/* Enable general extensions on Solaris. */
#ifndef __EXTENSIONS__
# define __EXTENSIONS__ 1
/* Enable X/Open extensions. Define to 500 only if necessary
to make mbstate_t available. */
#ifndef _XOPEN_SOURCE
/* # undef _XOPEN_SOURCE */
#endif
@ -918,11 +1071,6 @@
`char[]'. */
#define YYTEXT_POINTER 1
/* Enable large inode numbers on Mac OS X 10.5. */
#ifndef _DARWIN_USE_64_BIT_INODE
# define _DARWIN_USE_64_BIT_INODE 1
#endif
/* Number of bits in a file offset, on hosts where this is settable. */
/* #undef _FILE_OFFSET_BITS */
@ -932,18 +1080,12 @@
/* Define for large files, on AIX-style hosts. */
/* #undef _LARGE_FILES */
/* Define to 1 if on MINIX. */
/* #undef _MINIX */
/* Enable for compile on Minix */
/* #undef _NETBSD_SOURCE */
#define _NETBSD_SOURCE 1
/* Define to 2 if the system does not provide POSIX.1 features except with
this defined. */
/* #undef _POSIX_1_SOURCE */
/* Define to 1 if you need to in order for `stat' and other things to work. */
/* #undef _POSIX_SOURCE */
/* defined to use gcc ansi snprintf and sscanf that understands %lld when
compiled for windows. */
/* #undef __USE_MINGW_ANSI_STDIO */
/* Define to empty if `const' does not conform to ANSI C. */
/* #undef const */
@ -981,7 +1123,7 @@
/* Define to `long int' if <sys/types.h> does not define. */
/* #undef off_t */
/* Define to `int' if <sys/types.h> does not define. */
/* Define as a signed integer type capable of holding a process identifier. */
/* #undef pid_t */
/* Define to 'int' if not defined */
@ -1124,7 +1266,7 @@
#include <ws2tcpip.h>
#endif
#ifndef USE_WINSOCK
#if !defined(USE_WINSOCK) || !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN) || defined(__USE_MINGW_ANSI_STDIO)
#define ARG_LL "%ll"
#else
#define ARG_LL "%I64"