Vendor import of Unbound 1.6.7.

This commit is contained in:
Dag-Erling Smørgrav 2018-05-12 11:55:57 +00:00
parent a6c5280ea5
commit 2bda7bda43
284 changed files with 4430 additions and 3524 deletions


@ -347,6 +347,13 @@ prep_data(struct module_qstate* qstate, struct sldns_buffer* buf)
if(!qstate->return_msg || !qstate->return_msg->rep)
return 0;
/* We don't store the reply if its TTL is 0 unless serve-expired is
* enabled. Such a reply won't be reusable and simply be a waste for
* the backend. It's also compatible with the default behavior of
* dns_cache_store_msg(). */
if(qstate->return_msg->rep->ttl == 0 &&
!qstate->env->cfg->serve_expired)
return 0;
if(verbosity >= VERB_ALGO)
log_dns_msg("cachedb encoding", &qstate->return_msg->qinfo,
qstate->return_msg->rep);
@ -387,32 +394,37 @@ good_expiry_and_qinfo(struct module_qstate* qstate, struct sldns_buffer* buf)
&expiry, sizeof(expiry));
expiry = be64toh(expiry);
if((time_t)expiry < *qstate->env->now)
if((time_t)expiry < *qstate->env->now &&
!qstate->env->cfg->serve_expired)
return 0;
return 1;
}
/* Adjust the TTL of the given RRset by 'subtract'. If 'subtract' is
* negative, set the TTL to 0. */
static void
packed_rrset_ttl_subtract(struct packed_rrset_data* data, time_t subtract)
{
size_t i;
size_t total = data->count + data->rrsig_count;
if(data->ttl > subtract)
if(subtract >= 0 && data->ttl > subtract)
data->ttl -= subtract;
else data->ttl = 0;
for(i=0; i<total; i++) {
if(data->rr_ttl[i] > subtract)
if(subtract >= 0 && data->rr_ttl[i] > subtract)
data->rr_ttl[i] -= subtract;
else data->rr_ttl[i] = 0;
}
}
/* Adjust the TTL of a DNS message and its RRs by 'adjust'. If 'adjust' is
* negative, set the TTLs to 0. */
static void
adjust_msg_ttl(struct dns_msg* msg, time_t adjust)
{
size_t i;
if(msg->rep->ttl > adjust)
if(adjust >= 0 && msg->rep->ttl > adjust)
msg->rep->ttl -= adjust;
else msg->rep->ttl = 0;
msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
@ -476,10 +488,26 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
adjust = *qstate->env->now - (time_t)timestamp;
if(qstate->return_msg->rep->ttl < adjust) {
verbose(VERB_ALGO, "cachedb msg expired");
return 0; /* message expired */
/* If serve-expired is enabled, we still use an expired message
* setting the TTL to 0. */
if(qstate->env->cfg->serve_expired)
adjust = -1;
else
return 0; /* message expired */
}
verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust);
adjust_msg_ttl(qstate->return_msg, adjust);
/* Similar to the unbound worker, if serve-expired is enabled and
* the msg would be considered to be expired, mark the state so a
* refetch will be scheduled. The comparison between 'expiry' and
* 'now' should be redundant given how these values were calculated,
* but we check it just in case as does good_expiry_and_qinfo(). */
if(qstate->env->cfg->serve_expired &&
(adjust == -1 || (time_t)expiry < *qstate->env->now)) {
qstate->need_refetch = 1;
}
return 1;
}
@ -563,11 +591,15 @@ cachedb_intcache_lookup(struct module_qstate* qstate)
static void
cachedb_intcache_store(struct module_qstate* qstate)
{
uint32_t store_flags = qstate->query_flags;
if(qstate->env->cfg->serve_expired)
store_flags |= DNSCACHE_STORE_ZEROTTL;
if(!qstate->return_msg)
return;
(void)dns_cache_store(qstate->env, &qstate->qinfo,
qstate->return_msg->rep, 0, qstate->prefetch_leeway, 0,
qstate->region, qstate->query_flags);
qstate->region, store_flags);
}
/**
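Review bot: `store_flags` at the top of cachedb_intcache_store ORs a cache-store control flag into a copy of the 16-bit DNS header flags, which only works because DNSCACHE_STORE_ZEROTTL sits above 0xffff (the Changelog in this import says it was just widened for that reason), and nothing at the call site says so. Suggest `/* query_flags occupy the low 16 bits; DNSCACHE_STORE_ZEROTTL must stay above 0xffff so the two cannot collide */` above the `|=`. On the parse_data hunk the `adjust = -1` sentinel also reaches `verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust)`, which then logs "-1" for the serve-expired case; guarding that line with `adjust >= 0` or logging the expired case separately would keep the algo log readable.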

configure vendored

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.6.6.
# Generated by GNU Autoconf 2.69 for unbound 1.6.7.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
#
@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.6.6'
PACKAGE_STRING='unbound 1.6.6'
PACKAGE_VERSION='1.6.7'
PACKAGE_STRING='unbound 1.6.7'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
PACKAGE_URL=''
@ -1437,7 +1437,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.6.6 to adapt to many kinds of systems.
\`configure' configures unbound 1.6.7 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1502,7 +1502,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.6.6:";;
short | recursive ) echo "Configuration of unbound 1.6.7:";;
esac
cat <<\_ACEOF
@ -1714,7 +1714,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.6.6
unbound configure 1.6.7
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2423,7 +2423,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by unbound $as_me 1.6.6, which was
It was created by unbound $as_me 1.6.7, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2775,11 +2775,11 @@ UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=6
UNBOUND_VERSION_MICRO=6
UNBOUND_VERSION_MICRO=7
LIBUNBOUND_CURRENT=7
LIBUNBOUND_REVISION=5
LIBUNBOUND_REVISION=6
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -2836,6 +2836,7 @@ LIBUNBOUND_AGE=5
# 1.6.4 had 7:3:5
# 1.6.5 had 7:4:5
# 1.6.6 had 7:5:5
# 1.6.7 had 7:6:5
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -2851,7 +2852,7 @@ LIBUNBOUND_AGE=5
# Current and Age. Set Revision to 0, since this is the first
# implementation of the new API.
#
# Otherwise, we're changing the binary API and breaking bakward
# Otherwise, we're changing the binary API and breaking backward
# compatibility with old binaries. Increment Current. Set Age to 0,
# since we're backward compatible with no previous APIs. Set Revision
# to 0 too.
@ -20693,7 +20694,7 @@ _ACEOF
version=1.6.6
version=1.6.7
date=`date +'%b %e, %Y'`
@ -21212,7 +21213,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.6.6, which was
This file was extended by unbound $as_me 1.6.7, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -21278,7 +21279,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.6.6
unbound config.status 1.6.7
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"


@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[6])
m4_define([VERSION_MICRO],[6])
m4_define([VERSION_MICRO],[7])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=7
LIBUNBOUND_REVISION=5
LIBUNBOUND_REVISION=6
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -75,6 +75,7 @@ LIBUNBOUND_AGE=5
# 1.6.4 had 7:3:5
# 1.6.5 had 7:4:5
# 1.6.6 had 7:5:5
# 1.6.7 had 7:6:5
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -90,7 +91,7 @@ LIBUNBOUND_AGE=5
# Current and Age. Set Revision to 0, since this is the first
# implementation of the new API.
#
# Otherwise, we're changing the binary API and breaking bakward
# Otherwise, we're changing the binary API and breaking backward
# compatibility with old binaries. Increment Current. Set Age to 0,
# since we're backward compatible with no previous APIs. Set Revision
# to 0 too.


@ -1,10 +1,10 @@
Index: trunk/doc/unbound.conf.5.in
===================================================================
--- trunk/doc/unbound.conf.5.in (revision 3587)
--- trunk/doc/unbound.conf.5.in (revision 4357)
+++ trunk/doc/unbound.conf.5.in (working copy)
@@ -593,6 +593,13 @@
possible. Best effort approach, full QNAME and original QTYPE will be sent when
upstream replies with a RCODE other than NOERROR. Default is off.
@@ -701,6 +701,13 @@
this option in enabled. Only use if you know what you are doing.
This option only has effect when qname-minimisation is enabled. Default is off.
.TP
+.B aaaa\-filter: \fI<yes or no>
+Activate behavior similar to BIND's AAAA-filter.
@ -18,7 +18,7 @@ Index: trunk/doc/unbound.conf.5.in
on your private network, and are not allowed to be returned for
Index: trunk/iterator/iter_scrub.c
===================================================================
--- trunk/iterator/iter_scrub.c (revision 3587)
--- trunk/iterator/iter_scrub.c (revision 4357)
+++ trunk/iterator/iter_scrub.c (working copy)
@@ -617,6 +617,32 @@
}
@ -75,10 +75,11 @@ Index: trunk/iterator/iter_scrub.c
/* At this point, we brutally remove ALL rrsets that aren't
* children of the originating zone. The idea here is that,
* as far as we know, the server that we contacted is ONLY
@@ -681,6 +715,24 @@
@@ -680,6 +714,24 @@
prev = NULL;
rrset = msg->rrset_first;
while(rrset) {
+
+ /* ASN: For AAAA records only... */
+ if((ie->aaaa_filter) && (rrset->type == LDNS_RR_TYPE_AAAA)) {
+ /* ASN: If this is not a AAAA query, then remove AAAA
@ -96,13 +97,12 @@ Index: trunk/iterator/iter_scrub.c
+ LDNS_RR_TYPE_AAAA, qinfo->qclass);
+ }
+ /* ASN: End of added code */
+
/* remove private addresses */
if( (rrset->type == LDNS_RR_TYPE_A ||
rrset->type == LDNS_RR_TYPE_AAAA)) {
Index: trunk/iterator/iter_utils.c
===================================================================
--- trunk/iterator/iter_utils.c (revision 3587)
--- trunk/iterator/iter_utils.c (revision 4357)
+++ trunk/iterator/iter_utils.c (working copy)
@@ -175,6 +175,7 @@
}
@ -114,9 +114,9 @@ Index: trunk/iterator/iter_utils.c
Index: trunk/iterator/iterator.c
===================================================================
--- trunk/iterator/iterator.c (revision 3587)
--- trunk/iterator/iterator.c (revision 4357)
+++ trunk/iterator/iterator.c (working copy)
@@ -1776,6 +1776,53 @@
@@ -1847,6 +1847,53 @@
return 0;
}
@ -170,7 +170,7 @@ Index: trunk/iterator/iterator.c
/**
* This is the request event state where the request will be sent to one of
@@ -1823,6 +1870,13 @@
@@ -1894,6 +1941,13 @@
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
@ -184,7 +184,7 @@ Index: trunk/iterator/iterator.c
/* Make sure we have a delegation point, otherwise priming failed
* or another failure occurred */
if(!iq->dp) {
@@ -2922,6 +2976,61 @@
@@ -3095,6 +3149,61 @@
return 0;
}
@ -244,9 +244,9 @@ Index: trunk/iterator/iterator.c
+/* ASN: End of added code */
+
/*
* Return priming query results to interestes super querystates.
* Return priming query results to interested super querystates.
*
@@ -2941,6 +3050,9 @@
@@ -3114,6 +3223,9 @@
else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
super->minfo[id])->state == DSNS_FIND_STATE)
processDSNSResponse(qstate, id, super);
@ -256,7 +256,7 @@ Index: trunk/iterator/iterator.c
else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
error_supers(qstate, id, super);
else if(qstate->is_priming)
@@ -2978,6 +3090,9 @@
@@ -3151,6 +3263,9 @@
case INIT_REQUEST_3_STATE:
cont = processInitRequest3(qstate, iq, id);
break;
@ -266,7 +266,7 @@ Index: trunk/iterator/iterator.c
case QUERYTARGETS_STATE:
cont = processQueryTargets(qstate, iq, ie, id);
break;
@@ -3270,6 +3385,8 @@
@@ -3460,6 +3575,8 @@
return "INIT REQUEST STATE (stage 2)";
case INIT_REQUEST_3_STATE:
return "INIT REQUEST STATE (stage 3)";
@ -275,7 +275,7 @@ Index: trunk/iterator/iterator.c
case QUERYTARGETS_STATE :
return "QUERY TARGETS STATE";
case PRIME_RESP_STATE :
@@ -3294,6 +3411,7 @@
@@ -3484,6 +3601,7 @@
case INIT_REQUEST_STATE :
case INIT_REQUEST_2_STATE :
case INIT_REQUEST_3_STATE :
@ -285,19 +285,19 @@ Index: trunk/iterator/iterator.c
return 0;
Index: trunk/iterator/iterator.h
===================================================================
--- trunk/iterator/iterator.h (revision 3587)
--- trunk/iterator/iterator.h (revision 4357)
+++ trunk/iterator/iterator.h (working copy)
@@ -113,6 +113,9 @@
@@ -130,6 +130,9 @@
*/
int* target_fetch_policy;
+ /** ASN: AAAA-filter flag */
+ int aaaa_filter;
+
/** ip6.arpa dname in wireformat, used for qname-minimisation */
uint8_t* ip6arpa_dname;
};
@@ -163,6 +166,14 @@
/** lock on ratelimit counter */
lock_basic_type queries_ratelimit_lock;
/** number of queries that have been ratelimited */
@@ -182,6 +185,14 @@
INIT_REQUEST_3_STATE,
/**
@ -311,26 +311,26 @@ Index: trunk/iterator/iterator.h
+ /**
* Each time a delegation point changes for a given query or a
* query times out and/or wakes up, this state is (re)visited.
* This state is reponsible for iterating through a list of
@@ -346,6 +357,13 @@
* This state is responsible for iterating through a list of
@@ -364,6 +375,13 @@
* be used when creating the state. A higher one will be attempted.
*/
int refetch_glue;
+
+ /**
+ * ASN: This is a flag that, if true, means that this query is
+ * for fetching A records to populate cache and determine if we must
+ * return AAAA records or not.
+ */
+ int fetch_a_for_aaaa;
+
/** list of pending queries to authoritative servers. */
struct outbound_list outlist;
Index: trunk/pythonmod/interface.i
===================================================================
--- trunk/pythonmod/interface.i (revision 3587)
--- trunk/pythonmod/interface.i (revision 4357)
+++ trunk/pythonmod/interface.i (working copy)
@@ -632,6 +632,7 @@
@@ -851,6 +851,7 @@
int harden_dnssec_stripped;
int harden_referral_path;
int use_caps_bits_for_id;
@ -340,9 +340,9 @@ Index: trunk/pythonmod/interface.i
size_t unwanted_threshold;
Index: trunk/util/config_file.c
===================================================================
--- trunk/util/config_file.c (revision 3587)
--- trunk/util/config_file.c (revision 4357)
+++ trunk/util/config_file.c (working copy)
@@ -176,6 +176,7 @@
@@ -195,6 +195,7 @@
cfg->harden_referral_path = 0;
cfg->harden_algo_downgrade = 0;
cfg->use_caps_bits_for_id = 0;
@ -352,9 +352,9 @@ Index: trunk/util/config_file.c
cfg->private_domain = NULL;
Index: trunk/util/config_file.h
===================================================================
--- trunk/util/config_file.h (revision 3587)
--- trunk/util/config_file.h (revision 4357)
+++ trunk/util/config_file.h (working copy)
@@ -179,6 +179,8 @@
@@ -209,6 +209,8 @@
int harden_algo_downgrade;
/** use 0x20 bits in query as random ID bits */
int use_caps_bits_for_id;
@ -365,9 +365,9 @@ Index: trunk/util/config_file.h
/** strip away these private addrs from answers, no DNS Rebinding */
Index: trunk/util/configlexer.lex
===================================================================
--- trunk/util/configlexer.lex (revision 3587)
--- trunk/util/configlexer.lex (revision 4357)
+++ trunk/util/configlexer.lex (working copy)
@@ -267,6 +267,7 @@
@@ -279,6 +279,7 @@
use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) }
caps-whitelist{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) }
unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
@ -377,9 +377,9 @@ Index: trunk/util/configlexer.lex
prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) }
Index: trunk/util/configparser.y
===================================================================
--- trunk/util/configparser.y (revision 3587)
--- trunk/util/configparser.y (revision 4357)
+++ trunk/util/configparser.y (working copy)
@@ -92,6 +92,7 @@
@@ -95,6 +95,7 @@
%token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT
%token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
%token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
@ -387,7 +387,7 @@ Index: trunk/util/configparser.y
%token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
%token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
%token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
@@ -169,6 +170,7 @@
@@ -203,6 +204,7 @@
server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
server_harden_referral_path | server_private_address |
server_private_domain | server_extended_statistics |
@ -395,10 +395,12 @@ Index: trunk/util/configparser.y
server_local_data_ptr | server_jostle_timeout |
server_unwanted_reply_threshold | server_log_time_ascii |
server_domain_insecure | server_val_sig_skew_min |
@@ -893,6 +895,15 @@
@@ -1183,6 +1185,15 @@
OUTYY(("P(server_caps_whitelist:%s)\n", $2));
if(!cfg_strlist_insert(&cfg_parser->cfg->caps_whitelist, $2))
yyerror("out of memory");
}
;
+ }
+ ;
+server_aaaa_filter: VAR_AAAA_FILTER STRING_ARG
+ {
+ OUTYY(("P(server_aaaa_filter:%s)\n", $2));
@ -406,8 +408,6 @@ Index: trunk/util/configparser.y
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->aaaa_filter = (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
}
;
server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG
{
OUTYY(("P(server_private_address:%s)\n", $2));


@ -91,7 +91,7 @@ while ( scalar keys %startstats < $numthreads || scalar keys %donestats < $numth
$allstats{$inthread}->{outstandingexc} = $4;
}
elsif ( $line =~ m/info: average recursion processing time ([0-9\.]+) sec/ ) {
$allstats{$inthread}->{recursionavg} = int($1 * 1000); # change sec to milisec.
$allstats{$inthread}->{recursionavg} = int($1 * 1000); # change sec to millisec.
}
elsif ( $line =~ m/info: histogram of recursion processing times/ ) {
next;
@ -103,7 +103,7 @@ while ( scalar keys %startstats < $numthreads || scalar keys %donestats < $numth
}
elsif ( $line =~ m/info: lower\(secs\) upper\(secs\) recursions/ ) {
# since after this line we're unsure if we get these numbers
# at all, we sould consider this marker as the end of the
# at all, we should consider this marker as the end of the
# block. Chances that we're parsing a file halfway written
# at this stage are small. Bold statement.
$donestats{$inthread} = 1;


@ -827,6 +827,7 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
#endif /* USE_IPSECMOD */
#ifdef USE_DNSCRYPT
size_t dnscrypt_shared_secret = 0;
size_t dnscrypt_nonce = 0;
#endif /* USE_DNSCRYPT */
msg = slabhash_get_mem(daemon->env->msg_cache);
rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
@ -843,6 +844,7 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
if(daemon->dnscenv) {
dnscrypt_shared_secret = slabhash_get_mem(
daemon->dnscenv->shared_secrets_cache);
dnscrypt_nonce = slabhash_get_mem(daemon->dnscenv->nonces_cache);
}
#endif /* USE_DNSCRYPT */
@ -868,6 +870,9 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
if(!print_longnum(ssl, "mem.cache.dnscrypt_shared_secret"SQ,
dnscrypt_shared_secret))
return 0;
if(!print_longnum(ssl, "mem.cache.dnscrypt_nonce"SQ,
dnscrypt_nonce))
return 0;
#endif /* USE_DNSCRYPT */
return 1;
}
@ -1058,8 +1063,12 @@ print_ext(SSL* ssl, struct ub_stats_info* s)
#ifdef USE_DNSCRYPT
if(!ssl_printf(ssl, "dnscrypt_shared_secret.cache.count"SQ"%u\n",
(unsigned)s->svr.shared_secret_cache_count)) return 0;
if(!ssl_printf(ssl, "dnscrypt_nonce.cache.count"SQ"%u\n",
(unsigned)s->svr.nonce_cache_count)) return 0;
if(!ssl_printf(ssl, "num.query.dnscrypt.shared_secret.cachemiss"SQ"%lu\n",
(unsigned long)s->svr.num_query_dnscrypt_secret_missed_cache)) return 0;
if(!ssl_printf(ssl, "num.query.dnscrypt.replay"SQ"%lu\n",
(unsigned long)s->svr.num_query_dnscrypt_replay)) return 0;
#endif /* USE_DNSCRYPT */
return 1;
}
@ -1771,7 +1780,7 @@ negative_del_rrset(struct lruhash_entry* e, void* arg)
struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key;
struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
/* delete the parentside negative cache rrsets,
* these are namerserver rrsets that failed lookup, rdata empty */
* these are nameserver rrsets that failed lookup, rdata empty */
if((k->rk.flags & PACKED_RRSET_PARENT_SIDE) && d->count == 1 &&
d->rrsig_count == 0 && d->rr_len[0] == 0) {
d->ttl = inf->expired;


@ -174,6 +174,21 @@ get_dnscrypt_cache_miss(struct worker* worker, int reset)
lock_basic_unlock(&de->shared_secrets_cache_lock);
return r;
}
/** get the number of replayed queries */
static size_t
get_dnscrypt_replay(struct worker* worker, int reset)
{
size_t r;
struct dnsc_env* de = worker->daemon->dnscenv;
lock_basic_lock(&de->nonces_cache_lock);
r = de->num_query_dnscrypt_replay;
if(reset && !worker->env.cfg->stat_cumulative)
de->num_query_dnscrypt_replay = 0;
lock_basic_unlock(&de->nonces_cache_lock);
return r;
}
#endif /* USE_DNSCRYPT */
void
@ -225,13 +240,21 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
(long long)get_dnscrypt_cache_miss(worker, reset);
s->svr.shared_secret_cache_count = (long long)count_slabhash_entries(
worker->daemon->dnscenv->shared_secrets_cache);
s->svr.nonce_cache_count = (long long)count_slabhash_entries(
worker->daemon->dnscenv->nonces_cache);
s->svr.num_query_dnscrypt_replay =
(long long)get_dnscrypt_replay(worker, reset);
} else {
s->svr.num_query_dnscrypt_secret_missed_cache = 0;
s->svr.shared_secret_cache_count = 0;
s->svr.nonce_cache_count = 0;
s->svr.num_query_dnscrypt_replay = 0;
}
#else
s->svr.num_query_dnscrypt_secret_missed_cache = 0;
s->svr.shared_secret_cache_count = 0;
s->svr.nonce_cache_count = 0;
s->svr.num_query_dnscrypt_replay = 0;
#endif /* USE_DNSCRYPT */
/* get tcp accept usage */
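Review bot: get_dnscrypt_replay dereferences `worker->daemon->dnscenv` without a NULL check, which mirrors get_dnscrypt_cache_miss above it and is only safe because the caller in server_stats_compile appears to guard on dnscenv (the `} else {` branch in the second hunk suggests that, but the `if` itself is outside the hunk). A one-line note on the helper would make that contract explicit: `/** get the number of replayed queries (client nonce already in nonces_cache); caller must ensure worker->daemon->dnscenv is set */`. Since a rising replay count is the figure an operator would watch, the comment should also say the counter is cleared on read when reset is requested and stat_cumulative is off, as the code in the hunk does.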


@ -400,7 +400,7 @@ detach(void)
#endif /* HAVE_DAEMON */
}
/** daemonize, drop user priviliges and chroot if needed */
/** daemonize, drop user privileges and chroot if needed */
static void
perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
const char** cfgfile, int need_pidfile)


@ -1633,7 +1633,8 @@ worker_init(struct worker* worker, struct config_file *cfg,
cfg->use_caps_bits_for_id, worker->ports, worker->numports,
cfg->unwanted_threshold, cfg->outgoing_tcp_mss,
&worker_alloc_cleanup, worker,
cfg->do_udp, worker->daemon->connect_sslctx, cfg->delay_close,
cfg->do_udp || cfg->udp_upstream_without_downstream,
worker->daemon->connect_sslctx, cfg->delay_close,
dtenv);
if(!worker->back) {
log_err("could not create outgoing sockets");


@ -792,6 +792,10 @@ dns64_inform_super(struct module_qstate* qstate, int id,
qstate->return_msg->rep))
return;
/* Use return code from A query in response to client. */
if (super->return_rcode != LDNS_RCODE_NOERROR)
super->return_rcode = qstate->return_rcode;
/* Generate a response suitable for the original query. */
if (qstate->qinfo.qtype == LDNS_RR_TYPE_A) {
dns64_adjust_a(id, super, qstate);


@ -60,6 +60,17 @@ struct shared_secret_cache_key {
};
struct nonce_cache_key {
/** the nonce used by the client */
uint8_t nonce[crypto_box_HALF_NONCEBYTES];
/** the client_magic used by the client, this is associated to 1 cert only */
uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
/** the client public key */
uint8_t client_publickey[crypto_box_PUBLICKEYBYTES];
/** the hash table entry, data is uint8_t */
struct lruhash_entry entry;
};
/**
* Generate a key suitable to find shared secret in slabhash.
* \param[in] key: a uint8_t pointer of size DNSCRYPT_SHARED_SECRET_KEY_LENGTH
@ -135,6 +146,87 @@ dnsc_shared_secrets_lookup(struct slabhash* cache,
return slabhash_lookup(cache, hash, key, 0);
}
/**
* Generate a key hash suitable to find a nonce in slabhash.
* \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES
* \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN
* \param[in] pk: The public key of the client. uint8_t pointer of size
* crypto_box_PUBLICKEYBYTES.
* \return the hash of the key.
*/
static uint32_t
dnsc_nonce_cache_key_hash(const uint8_t nonce[crypto_box_HALF_NONCEBYTES],
const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN],
const uint8_t pk[crypto_box_PUBLICKEYBYTES])
{
uint32_t h = 0;
h = hashlittle(nonce, crypto_box_HALF_NONCEBYTES, h);
h = hashlittle(magic_query, DNSCRYPT_MAGIC_HEADER_LEN, h);
return hashlittle(pk, crypto_box_PUBLICKEYBYTES, h);
}
/**
* Inserts a nonce, magic_query, pk tuple into the nonces_cache slabhash.
* \param[in] cache: the slabhash in which to look for the key.
* \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES
* \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN
* \param[in] pk: The public key of the client. uint8_t pointer of size
* crypto_box_PUBLICKEYBYTES.
* \param[in] hash: the hash of the key.
*/
static void
dnsc_nonce_cache_insert(struct slabhash *cache,
const uint8_t nonce[crypto_box_HALF_NONCEBYTES],
const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN],
const uint8_t pk[crypto_box_PUBLICKEYBYTES],
uint32_t hash)
{
struct nonce_cache_key* k =
(struct nonce_cache_key*)calloc(1, sizeof(*k));
if(!k) {
free(k);
return;
}
lock_rw_init(&k->entry.lock);
memcpy(k->nonce, nonce, crypto_box_HALF_NONCEBYTES);
memcpy(k->magic_query, magic_query, DNSCRYPT_MAGIC_HEADER_LEN);
memcpy(k->client_publickey, pk, crypto_box_PUBLICKEYBYTES);
k->entry.hash = hash;
k->entry.key = k;
k->entry.data = NULL;
slabhash_insert(cache,
hash, &k->entry,
NULL,
NULL);
}
/**
* Lookup a record in nonces_cache.
* \param[in] cache: the slabhash in which to look for the key.
* \param[in] nonce: a uint8_t pointer of size crypto_box_HALF_NONCEBYTES
* \param[in] magic_query: a uint8_t pointer of size DNSCRYPT_MAGIC_HEADER_LEN
* \param[in] pk: The public key of the client. uint8_t pointer of size
* crypto_box_PUBLICKEYBYTES.
* \param[in] hash: the hash of the key.
* \return a pointer to the locked cache entry or NULL on failure.
*/
static struct lruhash_entry*
dnsc_nonces_lookup(struct slabhash* cache,
const uint8_t nonce[crypto_box_HALF_NONCEBYTES],
const uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN],
const uint8_t pk[crypto_box_PUBLICKEYBYTES],
uint32_t hash)
{
struct nonce_cache_key k;
memset(&k, 0, sizeof(k));
k.entry.hash = hash;
memcpy(k.nonce, nonce, crypto_box_HALF_NONCEBYTES);
memcpy(k.magic_query, magic_query, DNSCRYPT_MAGIC_HEADER_LEN);
memcpy(k.client_publickey, pk, crypto_box_PUBLICKEYBYTES);
return slabhash_lookup(cache, hash, &k, 0);
}
/**
* Decrypt a query using the dnsccert that was found using dnsc_find_cert.
* The client nonce will be extracted from the encrypted query and stored in
@ -163,11 +255,44 @@ dnscrypt_server_uncurve(struct dnsc_env* env,
struct lruhash_entry* entry;
uint32_t hash;
uint32_t nonce_hash;
if (len <= DNSCRYPT_QUERY_HEADER_SIZE) {
return -1;
}
query_header = (struct dnscrypt_query_header *)buf;
/* Detect replay attacks */
nonce_hash = dnsc_nonce_cache_key_hash(
query_header->nonce,
cert->magic_query,
query_header->publickey);
lock_basic_lock(&env->nonces_cache_lock);
entry = dnsc_nonces_lookup(
env->nonces_cache,
query_header->nonce,
cert->magic_query,
query_header->publickey,
nonce_hash);
if(entry) {
lock_rw_unlock(&entry->lock);
env->num_query_dnscrypt_replay++;
lock_basic_unlock(&env->nonces_cache_lock);
return -1;
}
dnsc_nonce_cache_insert(
env->nonces_cache,
query_header->nonce,
cert->magic_query,
query_header->publickey,
nonce_hash);
lock_basic_unlock(&env->nonces_cache_lock);
/* Find existing shared secret */
hash = dnsc_shared_secrets_cache_key(key,
cert->es_version[1],
query_header->publickey,
@ -547,7 +672,7 @@ dnsc_find_cert(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
* In order to be able to serve certs over TXT, we can reuse the local-zone and
* local-data config option. The zone and qname are infered from the
* provider_name and the content of the TXT record from the certificate content.
* returns the number of certtificate TXT record that were loaded.
* returns the number of certificate TXT record that were loaded.
* < 0 in case of error.
*/
static int
@ -770,8 +895,16 @@ dnsc_create(void)
env = (struct dnsc_env *) calloc(1, sizeof(struct dnsc_env));
lock_basic_init(&env->shared_secrets_cache_lock);
lock_protect(&env->shared_secrets_cache_lock,
&env->num_query_dnscrypt_secret_missed_cache,
sizeof(env->num_query_dnscrypt_secret_missed_cache));
&env->num_query_dnscrypt_secret_missed_cache,
sizeof(env->num_query_dnscrypt_secret_missed_cache));
lock_basic_init(&env->nonces_cache_lock);
lock_protect(&env->nonces_cache_lock,
&env->nonces_cache,
sizeof(env->nonces_cache));
lock_protect(&env->nonces_cache_lock,
&env->num_query_dnscrypt_replay,
sizeof(env->num_query_dnscrypt_replay));
return env;
}
@ -803,6 +936,16 @@ dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg)
if(!env->shared_secrets_cache){
fatal_exit("dnsc_apply_cfg: could not create shared secrets cache.");
}
env->nonces_cache = slabhash_create(
cfg->dnscrypt_nonce_cache_slabs,
HASH_DEFAULT_STARTARRAY,
cfg->dnscrypt_nonce_cache_size,
dnsc_nonces_sizefunc,
dnsc_nonces_compfunc,
dnsc_nonces_delkeyfunc,
dnsc_nonces_deldatafunc,
NULL
);
return 0;
}
@ -817,7 +960,9 @@ dnsc_delete(struct dnsc_env *env)
sodium_free(env->certs);
sodium_free(env->keypairs);
slabhash_delete(env->shared_secrets_cache);
slabhash_delete(env->nonces_cache);
lock_basic_destroy(&env->shared_secrets_cache_lock);
lock_basic_destroy(&env->nonces_cache_lock);
free(env);
}
@ -858,3 +1003,51 @@ dnsc_shared_secrets_deldatafunc(void* d, void* ATTR_UNUSED(arg))
uint8_t* data = (uint8_t*)d;
free(data);
}
/**
* #########################################################
* ############### Nonces cache functions ##################
* #########################################################
*/
size_t
dnsc_nonces_sizefunc(void *k, void* ATTR_UNUSED(d))
{
struct nonce_cache_key* nk = (struct nonce_cache_key*)k;
size_t key_size = sizeof(struct nonce_cache_key)
+ lock_get_mem(&nk->entry.lock);
(void)nk; /* otherwise ssk is unused if no threading, or fixed locksize */
return key_size;
}
int
dnsc_nonces_compfunc(void *m1, void *m2)
{
struct nonce_cache_key *k1 = m1, *k2 = m2;
return
sodium_memcmp(
k1->nonce,
k2->nonce,
crypto_box_HALF_NONCEBYTES) != 0 ||
sodium_memcmp(
k1->magic_query,
k2->magic_query,
DNSCRYPT_MAGIC_HEADER_LEN) != 0 ||
sodium_memcmp(
k1->client_publickey, k2->client_publickey,
crypto_box_PUBLICKEYBYTES) != 0;
}
void
dnsc_nonces_delkeyfunc(void *k, void* ATTR_UNUSED(arg))
{
struct nonce_cache_key* nk = (struct nonce_cache_key*)k;
lock_rw_destroy(&nk->entry.lock);
free(nk);
}
void
dnsc_nonces_deldatafunc(void* ATTR_UNUSED(d), void* ATTR_UNUSED(arg))
{
return;
}
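Review bot: In dnsc_apply_cfg the `env->nonces_cache = slabhash_create(...)` result is never checked, while the shared_secrets_cache created just above it is followed by `if(!env->shared_secrets_cache){ fatal_exit(...) }`; on allocation failure every dnscrypt query would then hand a NULL cache to dnsc_nonces_lookup. Add the matching guard: `if(!env->nonces_cache){ fatal_exit("dnsc_apply_cfg: could not create nonces cache."); }`. Two smaller points on the dnscrypt_server_uncurve hunk: the (nonce, magic_query, pk) tuple is inserted into nonces_cache before the query has been decrypted, so any packet that passes the length check takes a slot in the LRU whether or not it is authentic and can push out tuples of real queries — if the intent is only to catch replays of valid queries, the insert could move to after a successful open. In dnsc_nonce_cache_insert the `free(k)` in the `if(!k)` branch is a no-op on NULL and can be dropped, though a log line there would show when replay detection is silently skipped under memory pressure; dnscrypt_server_uncurve continues outside the hunk.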


@ -63,11 +63,20 @@ struct dnsc_env {
uint64_t nonce_ts_last;
unsigned char hash_key[crypto_shorthash_KEYBYTES];
char * provider_name;
/** Caches */
struct slabhash *shared_secrets_cache;
/** lock on shared secret cache counters */
lock_basic_type shared_secrets_cache_lock;
/** number of misses from shared_secrets_cache */
size_t num_query_dnscrypt_secret_missed_cache;
/** slabhash keeping track of nonce/cient pk/server sk pairs. */
struct slabhash *nonces_cache;
/** lock on nonces_cache, used to avoid race condition in updating the hash */
lock_basic_type nonces_cache_lock;
/** number of replayed queries */
size_t num_query_dnscrypt_replay;
};
struct dnscrypt_query_header {
@ -139,5 +148,26 @@ void dnsc_shared_secrets_delkeyfunc(void *k, void* arg);
*/
void dnsc_shared_secrets_deldatafunc(void* d, void* arg);
/**
* Computes the size of the nonce cache entry.
*/
size_t dnsc_nonces_sizefunc(void *k, void *d);
/**
* Compares two nonce cache keys.
*/
int dnsc_nonces_compfunc(void *m1, void *m2);
/**
* Function to delete a nonce cache key.
*/
void dnsc_nonces_delkeyfunc(void *k, void* arg);
/**
* Function to delete a nonce cache value.
*/
void dnsc_nonces_deldatafunc(void* d, void* arg);
#endif /* USE_DNSCRYPT */
#endif
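Review bot: The new comment on `nonces_cache` says it tracks "nonce/cient pk/server sk pairs", but the key struct added in dnscrypt.c (struct nonce_cache_key) holds the client nonce, the cert's magic_query and the client public key — no server secret key — and "cient" is a typo. Suggest `/** slabhash of (client nonce, cert magic_query, client pk) tuples already seen; a hit means the query is a replay */`. The `num_query_dnscrypt_replay` comment could likewise say it is updated under nonces_cache_lock, matching the lock_protect call in dnsc_create.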


@ -1,5 +1,55 @@
10 October 2017: Wouter
- tag 1.6.7
6 October 2017: Wouter
- Fix spelling in unbound-control man page.
5 October 2017: Wouter
- Fix trust-anchor-signaling works in libunbound.
- Fix some more crpls in testdata for different signaling default.
- tag 1.6.7rc1
5 October 2017: Ralph
- Set trust-anchor-signaling default to yes
- Use RCODE from A query on DNS64 synthesized answer.
2 October 2017: Wouter
- Fix param unused warning for windows exportsymbol compile.
25 September 2017: Ralph
- Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
(by Danilo G. Baio).
21 September 2017: Ralph
- Log name of looping module
19 September 2017: Wouter
- use a cachedb answer even if it's "expired" when serve-expired is yes
(patch from Jinmei Tatuya).
- trigger refetching of the answer in that case (this will bypass
cachedb lookup)
- allow storing a 0-TTL answer from cachedb in the in-memory message
cache when serve-expired is yes
- Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
18 September 2017: Ralph
- Fix #1400: allowing use of global cache on ECS-forwarding unless
always-forward.
18 September 2017: Wouter
- tag 1.6.6 (is 1.6.6rc2)
- Fix that looping modules always stop the query, and don't pass
control.
- Fix #1435: Please allow UDP to be disabled separately upstream and
downstream.
- Fix #1440: [dnscrypt] client nonce cache.
15 September 2017: Wouter
- Fix unbound-host to report error for DNSSEC state of failed lookups.
- Spelling fixes, from Josh Soref.
13 September 2017: Wouter
- tag 1.6.6rc2
- tag 1.6.6rc2, became 1.6.6 on 18 sep. trunk 1.6.7 in development.
12 September 2017: Wouter
- Add dns64 for client-subnet in unbound-checkconf.


@ -1,4 +1,4 @@
README for Unbound 1.6.6
README for Unbound 1.6.7
Copyright 2007 NLnet Labs
http://unbound.net


@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.6.6.
# See unbound.conf(5) man page, version 1.6.7.
#
# this is a comment.
@ -199,6 +199,10 @@ server:
# upstream connections use TCP only (and no UDP), "yes" or "no"
# useful for tunneling scenarios, default no.
# tcp-upstream: no
# upstream connections also use UDP (even if do-udp is no).
# useful if if you want UDP upstream, but don't provide UDP downstream.
# udp-upstream-without-downstream: no
# Maximum segment size (MSS) of TCP socket on which the server
# responds to queries. Default is 0, system default MSS.
@ -449,7 +453,7 @@ server:
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
# trust anchor signaling sends a RFC8145 key tag query after priming.
# trust-anchor-signaling: no
# trust-anchor-signaling: yes
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
@ -512,7 +516,7 @@ server:
# that set CD but cannot validate themselves.
# ignore-cd-flag: no
# Serve expired reponses from cache, with TTL 0 in the response,
# Serve expired responses from cache, with TTL 0 in the response,
# and then attempt to fetch the data afresh.
# serve-expired: no


@ -1,4 +1,4 @@
.TH "libunbound" "3" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "libunbound" "3" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.6.6 functions.
\- Unbound DNS validating resolver 1.6.7 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP


@ -81,7 +81,7 @@ o Too many Features.
5. Choices
----------
o rfc2181 decourages duplicates RRs in RRsets. unbound does not create
o rfc2181 discourages duplicates RRs in RRsets. unbound does not create
duplicates, but when presented with duplicates on the wire from the
authoritative servers, does not perform duplicate removal.
It does do some rrsig duplicate removal, in the msgparser, for dnssec qtype


@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound-anchor" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"


@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound-checkconf" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"


@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound-control" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@ -337,6 +337,19 @@ number of queries that were successfully answered using a cache lookup
.I threadX.num.cachemiss
number of queries that needed recursive processing
.TP
.I threadX.num.dnscrypt.crypted
number of queries that were encrypted and successfully decapsulated by dnscrypt.
.TP
.I threadX.num.dnscrypt.cert
number of queries that were requesting dnscrypt certificates.
.TP
.I threadX.num.dnscrypt.cleartext
number of queries received on dnscrypt port that were cleartext and not a
request for certificates.
.TP
.I threadX.num.dnscrypt.malformed
number of request that were neither cleartext, not valid dnscrypt messages.
.TP
.I threadX.num.prefetch
number of cache prefetches performed. This number is included in
cachehits, as the original query had the unprefetched answer from cache,
@ -393,6 +406,18 @@ summed over threads.
.I total.num.cachemiss
summed over threads.
.TP
.I total.num.dnscrypt.crypted
summed over threads.
.TP
.I total.num.dnscrypt.cert
summed over threads.
.TP
.I total.num.dnscrypt.cleartext
summed over threads.
.TP
.I total.num.dnscrypt.malformed
summed over threads.
.TP
.I total.num.prefetch
summed over threads.
.TP
@ -439,6 +464,12 @@ Memory in bytes in use by the RRset cache.
.I mem.cache.message
Memory in bytes in use by the message cache.
.TP
.I mem.cache.dnscrypt_shared_secret
Memory in bytes in use by the dnscrypt shared secrets cache.
.TP
.I mem.cache.dnscrypt_nonce
Memory in bytes in use by the dnscrypt nonce cache.
.TP
.I mem.mod.iterator
Memory in bytes in use by the iterator module.
.TP
@ -497,6 +528,14 @@ These queries are also included in the num.query.edns.present number.
The number of queries that are turned away from being send to nameserver due to
ratelimiting.
.TP
.I num.query.dnscrypt.shared_secret.cachemiss
The number of dnscrypt queries that did not find a shared secret in the cache.
The can be use to compute the shared secret hitrate.
.TP
.I num.query.dnscrypt.replay
The number of dnscrypt queries that found a nonce hit in the nonce cache and
hence are considered a query replay.
.TP
.I num.answer.rcode.NXDOMAIN
The number of answers to queries, from cache or from recursion, that had the
return code NXDOMAIN. Also printed for the other return codes.
@ -546,6 +585,19 @@ timing and protocol support information.
.I key.cache.count
The number of items in the key cache. These are DNSSEC keys, one item
per delegation point, and their validation status.
.TP
.I dnscrypt_shared_secret.cache.count
The number of items in the shared secret cache. These are precomputed shared
secrets for a given client public key/server secret key pair. Shared secrets
are CPU intensive and this cache allows unbound to avoid recomputing the
shared secret when multiple dnscrypt queries are sent from the same client.
.TP
.I dnscrypt_nonce.cache.count
The number of items in the client nonce cache. This cache is used to prevent
dnscrypt queries replay. The client nonce must be unique for each client public
key/server secret key pair. This cache should be able to host QPS * `replay
window` interval keys to prevent replay of a query during `replay window`
seconds.
.SH "FILES"
.TP
.I @ub_conf_file@


@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound\-host" "1" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"


@ -1,4 +1,4 @@
.TH "unbound" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound" "8" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.6.6.
\- Unbound DNS validating resolver 1.6.7.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]


@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
.TH "unbound.conf" "5" "Oct 10, 2017" "NLnet Labs" "unbound 1.6.7"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -391,6 +391,11 @@ negotiation between Unbound and other servers.
Enable or disable whether the upstream queries use TCP only for transport.
Default is no. Useful in tunneling scenarios.
.TP
.B udp\-upstream\-without\-downstream: \fI<yes or no>
Enable udp upstream even if do-udp is no. Default is no, and this does not
change anything. Useful for TLS service providers, that want no udp downstream
but use udp to fetch data upstream.
.TP
.B ssl\-upstream: \fI<yes or no>
Enabled or disable whether the upstream queries use SSL only for transport.
Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
@ -807,7 +812,7 @@ It is possible to use wildcards with this statement, the wildcard is
expanded on start and on reload.
.TP
.B trust\-anchor\-signaling: \fI<yes or no>
Send RFC8145 key tag query after trust anchor priming. Default is off.
Send RFC8145 key tag query after trust anchor priming. Default is on.
.TP
.B dlv\-anchor\-file: \fI<filename>
This option was used during early days DNSSEC deployment when no parent-side
@ -1518,6 +1523,17 @@ using the same public key. It saves a substantial amount of CPU.
Give power of 2 number of slabs, this is used to reduce lock contention
in the dnscrypt shared secrets cache. Close to the number of cpus is
a fairly good setting.
.TP
.B dnscrypt\-nonce\-cache\-size: \fI<memory size>
Give the size of the data structure in which the client nonces are kept in.
Default 4m. In bytes or use m(mega), k(kilo), g(giga).
The nonce cache is used to prevent dnscrypt message replaying. Client nonce
should be unique for any pair of client pk/server sk.
.TP
.B dnscrypt\-nonce\-cache\-slabs: \fI<number>
Give power of 2 number of slabs, this is used to reduce lock contention
in the dnscrypt nonce cache. Close to the number of cpus is
a fairly good setting.
.SS "EDNS Client Subnet Module Options"
.LP
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
@ -1531,7 +1547,7 @@ specialized cache. If the authority indicated no support, the response is
stored in the regular cache.
.LP
Additionally, when a client includes the option in its queries, Unbound will
forward the option to the authority if prensent in the whitelist, or
forward the option to the authority if present in the whitelist, or
\fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
the regular cache is skipped.
.LP


@ -108,7 +108,7 @@ struct addrnode {
struct addredge {
/** address of connected node */
addrkey_t *str;
/** lenght in bits of str */
/** length in bits of str */
addrlen_t len;
/** child node this edge is connected to */
struct addrnode *node;


@ -532,7 +532,7 @@ parse_subnet_option(struct edns_option* ecs_option, struct ecs_data* ecs)
ecs->subnet_addr_fam = sldns_read_uint16(ecs_option->opt_data);
ecs->subnet_source_mask = ecs_option->opt_data[2];
ecs->subnet_scope_mask = ecs_option->opt_data[3];
/* remaing bytes indicate address */
/* remaining bytes indicate address */
/* validate input*/
/* option length matches calculated length? */
@ -602,7 +602,7 @@ ecs_query_response(struct module_qstate* qstate, struct dns_msg* response,
if(sq->subnet_sent &&
FLAGS_GET_RCODE(response->rep->flags) == LDNS_RCODE_REFUSED) {
/* REFUSED reponse to ECS query, remove ECS option. */
/* REFUSED response to ECS query, remove ECS option. */
edns_opt_list_remove(&qstate->edns_opts_back_out,
qstate->env->cfg->client_subnet_opcode);
sq->subnet_sent = 0;
@ -628,7 +628,7 @@ ecs_edns_back_parsed(struct module_qstate* qstate, int id,
sq->ecs_server_in.subnet_validdata)
/* Only skip global cache store if we sent an ECS option
* and received one back. Answers from non-whitelisted
* servers will end up in global cache. Ansers for
* servers will end up in global cache. Answers for
* queries with 0 source will not (unless nameserver
* does not support ECS). */
qstate->no_cache_store = 1;
@ -722,6 +722,7 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
sq->ecs_server_out.subnet_scope_mask = 0;
sq->ecs_server_out.subnet_validdata = 1;
if(sq->ecs_server_out.subnet_source_mask != 0 &&
qstate->env->cfg->client_subnet_always_forward &&
sq->subnet_downstream)
/* ECS specific data required, do not look at the global
* cache in other modules. */
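Review bot: The comment under the changed condition still reads only "ECS specific data required", but with `client_subnet_always_forward` added to the test the global cache is now bypassed solely in the always-forward case, and the reason is not written down; suggest `/* always-forward: the ECS-specific answer is mandatory, so do not consult the global cache in other modules (#1400). Otherwise the global cache may serve this query. */`. The statement this condition guards, and the rest of subnetmod_operate, lie outside the hunk, so the effect on the guarded flag is inferred from the existing comment rather than visible here.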


@ -119,7 +119,7 @@ int ecs_whitelist_check(struct query_info* qinfo, uint16_t flags,
socklen_t addrlen, uint8_t* zone, size_t zonelen,
struct regional* region, int id, void* cbargs);
/** Check whether reponse from server contains ECS record, if so, skip cache
/** Check whether response from server contains ECS record, if so, skip cache
* store. Called just after parsing EDNS data from server. */
int ecs_edns_back_parsed(struct module_qstate* qstate, int id, void* cbargs);


@ -252,7 +252,7 @@ void caps_strip_reply(struct reply_info* rep);
int caps_failed_rcode(struct reply_info* rep);
/**
* Store parent-side rrset in seperate rrset cache entries for later
* Store parent-side rrset in separate rrset cache entries for later
* last-resort * lookups in case the child-side versions of this information
* fails.
* @param env: environment with cache, time, ...


@ -36,7 +36,7 @@
/**
* \file
*
* This file contains a module that performs recusive iterative DNS query
* This file contains a module that performs recursive iterative DNS query
* processing.
*/
@ -833,7 +833,7 @@ prime_stub(struct module_qstate* qstate, struct iter_qstate* iq, int id,
/**
* Generate A and AAAA checks for glue that is in-zone for the referral
* we just got to obtain authoritative information on the adresses.
* we just got to obtain authoritative information on the addresses.
*
* @param qstate: the qtstate that triggered the need to prime.
* @param iq: iterator query state.
@ -1353,7 +1353,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
* the same init processing as ones that do not. Request events that reach
* this state must have a valid currentDelegationPoint set.
*
* This part is primarly handling stub zone priming. Events that reach this
* This part is primarily handling stub zone priming. Events that reach this
* state must have a current delegation point.
*
* @param qstate: query state.
@ -2396,7 +2396,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
if(FLAGS_GET_RCODE(iq->response->rep->flags) ==
LDNS_RCODE_NXDOMAIN) {
/* Stop resolving when NXDOMAIN is DNSSEC
* signed. Based on assumption that namservers
* signed. Based on assumption that nameservers
* serving signed zones do not return NXDOMAIN
* for empty-non-terminals. */
if(iq->dnssec_expected)
@ -2753,7 +2753,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
/**
* Do final processing on responses to target queries. Events reach this
* state after the iterative resolution algorithm terminates. This state is
* responsible for reactiving the original event, and housekeeping related
* responsible for reactivating the original event, and housekeeping related
* to received target responses (caching, updating the current delegation
* point, etc).
* Callback from walk_supers for every super state that is interested in
@ -3096,7 +3096,7 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
}
/*
* Return priming query results to interestes super querystates.
* Return priming query results to interested super querystates.
*
* Sets the delegation point and delegation message (not nonRD queries).
* This is a callback from walk_supers.


@ -36,7 +36,7 @@
/**
* \file
*
* This file contains a module that performs recusive iterative DNS query
* This file contains a module that performs recursive iterative DNS query
* processing.
*/
@ -62,7 +62,7 @@ struct rbtree_type;
/** max number of queries-sent-out. Make sure large NS set does not loop */
#define MAX_SENT_COUNT 32
/** max number of queries for which to perform dnsseclameness detection,
* (rrsigs misssing detection) after that, just pick up that response */
* (rrsigs missing detection) after that, just pick up that response */
#define DNSSEC_LAME_DETECT_COUNT 4
/**
* max number of QNAME minimisation iterations. Limits number of queries for
@ -142,11 +142,11 @@ struct iter_env {
enum minimisation_state {
/**
* (Re)start minimisation. Outgoing QNAME should be set to dp->name.
* State entered on new query or after following refferal or CNAME.
* State entered on new query or after following referral or CNAME.
*/
INIT_MINIMISE_STATE = 0,
/**
* QNAME minimisataion ongoing. Increase QNAME on every iteration.
* QNAME minimisation ongoing. Increase QNAME on every iteration.
*/
MINIMISE_STATE,
/**
@ -184,7 +184,7 @@ enum iter_state {
/**
* Each time a delegation point changes for a given query or a
* query times out and/or wakes up, this state is (re)visited.
* This state is reponsible for iterating through a list of
* This state is responsible for iterating through a list of
* nameserver targets.
*/
QUERYTARGETS_STATE,
@ -378,7 +378,7 @@ struct iter_qstate {
struct query_info qinfo_out;
/**
* Count number of QNAME minisation iterations. Used to limit number of
* Count number of QNAME minimisation iterations. Used to limit number of
* outgoing queries when QNAME minimisation is enabled.
*/
int minimise_count;
@ -430,7 +430,7 @@ void iter_operate(struct module_qstate* qstate, enum module_ev event, int id,
struct outbound_entry* outbound);
/**
* Return priming query results to interestes super querystates.
* Return priming query results to interested super querystates.
*
* Sets the delegation point and delegation message (not nonRD queries).
* This is a callback from walk_supers.


@ -90,7 +90,7 @@ struct ub_ctx {
int dothread;
/** next thread number for new threads */
int thr_next_num;
/** if logfile is overriden */
/** if logfile is overridden */
int logfile_override;
/** what logfile to use instead */
FILE* log_out;


@ -37,7 +37,7 @@
* \file
*
* This file contains functions to resolve DNS queries and
* validate the answers. Synchonously and asynchronously.
* validate the answers. Synchronously and asynchronously.
*
*/


@ -232,8 +232,8 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
cfg->do_tcp?cfg->outgoing_num_tcp:0,
w->env->infra_cache, w->env->rnd, cfg->use_caps_bits_for_id,
ports, numports, cfg->unwanted_threshold,
cfg->outgoing_tcp_mss,
&libworker_alloc_cleanup, w, cfg->do_udp, w->sslctx,
cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w,
cfg->do_udp || cfg->udp_upstream_without_downstream, w->sslctx,
cfg->delay_close, NULL);
if(!w->is_bg || w->is_bg_thread) {
lock_basic_unlock(&ctx->cfglock);
@ -251,6 +251,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
w->env->send_query = &libworker_send_query;
w->env->detach_subs = &mesh_detach_subs;
w->env->attach_sub = &mesh_attach_sub;
w->env->add_sub = &mesh_add_sub;
w->env->kill_sub = &mesh_state_delete;
w->env->detect_cycle = &mesh_detect_cycle;
comm_base_timept(w->base, &w->env->now, &w->env->now_tv);
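Review bot: The new `cfg->do_udp || cfg->udp_upstream_without_downstream` argument buries a policy decision in the middle of a long argument list, where a reader scanning the call can easily take it for the plain do-udp setting; a named local before the call, `int do_udp_upstream = cfg->do_udp || cfg->udp_upstream_without_downstream;`, passed in its place, states the intent (UDP upstream even when downstream UDP is off, per the new unbound.conf option) and gives the expression a single home if the same choice is made elsewhere. libworker_setup's body starts and ends outside the hunk, so whether the value is needed again later in the function is not visible here.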


@ -23,7 +23,7 @@ IDN converted attributes
The :class:`unbound.ub_data` class contains attributes suffix which converts
the dname to UTF string. These attributes have the ``_idn`` suffix.
Apart from this aproach, two conversion functions exist
Apart from this approach, two conversion functions exist
(:func:`unbound.idn2dname` and :func:`unbound.dname2idn`).
Source code


@ -37,7 +37,7 @@
* \file
*
* This file contains functions to resolve DNS queries and
* validate the answers. Synchonously and asynchronously.
* validate the answers. Synchronously and asynchronously.
*
* Several ways to use this interface from an application wishing
* to perform (validated) DNS lookups.
@ -177,7 +177,7 @@ struct ub_result {
* False, if validation failed or domain queried has no security info.
*
* It is possible to get a result with no data (havedata is false),
* and secure is true. This means that the non-existance of the data
* and secure is true. This means that the non-existence of the data
* was cryptographically proven (with signatures).
*/
int secure;
@ -623,6 +623,7 @@ struct ub_shm_stat_info {
long long ipsecmod;
long long respip;
long long dnscrypt_shared_secret;
long long dnscrypt_nonce;
} mem;
};
@ -742,11 +743,15 @@ struct ub_server_stats {
long long num_query_dnscrypt_secret_missed_cache;
/** number of dnscrypt shared secret cache entries */
long long shared_secret_cache_count;
/** number of queries which are replays */
long long num_query_dnscrypt_replay;
/** number of dnscrypt nonces cache entries */
long long nonce_cache_count;
};
/**
* Statistics to send over the control pipe when asked
* This struct is made to be memcpied, sent in binary.
* This struct is made to be memcopied, sent in binary.
* shm mapped with (number+1) at num_threads+1, with first as total
*/
struct ub_stats_info {
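Review bot: The fields appended to `ub_shm_stat_info.mem` (`dnscrypt_nonce`) and to `ub_server_stats` (`num_query_dnscrypt_replay`, `nonce_cache_count`) change the size and layout of structures that, per the comment a few lines below, are memcopied, sent in binary and shm-mapped, so a consumer built against the previous header may read stale or shifted fields without any error being raised. Nothing in this section versions the layout; at minimum the struct comment should warn, `* Adding fields changes the binary layout shared with shm and control-pipe readers; rebuild any consumer against this header.` Whether a layout version or size field exists elsewhere in the API is not visible here.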


@ -46,4 +46,4 @@ Dig produces the following output::
;; MSG SIZE rcvd: 54
As we handle (override) in the python module only queries ending with
``localdomain.``, unboud can still resolve host names.
``localdomain.``, unbound can still resolve host names.


@ -10,7 +10,7 @@ As soon as the iterator module returns the response, we :
3. rewrite the data in cache
4. return modified packet
Note that the steps 1 and 3 are neccessary only in case, the python module is the first module in the processing chain.
Note that the steps 1 and 3 are necessary only in case, the python module is the first module in the processing chain.
In other cases, the validator module guarantees updating data which are produced by iterator module.
Complete source code


@ -3,7 +3,7 @@ EDNS options
This example shows how to interact with EDNS options.
When quering unbound with the EDNS option ``65001`` and data ``0xc001`` we
When querying unbound with the EDNS option ``65001`` and data ``0xc001`` we
expect an answer with the same EDNS option code and data ``0xdeadbeef``.
@ -146,7 +146,7 @@ and use a valid script path::
python-script: "./examples/edns.py"
Quering with EDNS option ``65001:0xc001``:
Querying with EDNS option ``65001:0xc001``:
::


@ -84,7 +84,7 @@ The callback function's prototype is the following:
:param rep: reply_info struct;
:param rcode: return code for the query;
:param edns: edns_data sent from the client side. The list with the EDNS
options is accesible through edns.opt_list. It SHOULD NOT be
options is accessible through edns.opt_list. It SHOULD NOT be
altered;
:param opt_list_out: the list with the EDNS options that will be sent as a
reply. It can be populated with EDNS options;
@ -120,7 +120,7 @@ The callback function's prototype is the following:
:param rep: reply_info struct;
:param rcode: return code for the query;
:param edns: edns_data sent from the client side. The list with the
EDNS options is accesible through edns.opt_list. It
EDNS options is accessible through edns.opt_list. It
SHOULD NOT be altered;
:param opt_list_out: the list with the EDNS options that will be sent as a
reply. It can be populated with EDNS options;


@ -24,7 +24,7 @@ Cache
:param qstate: :class:`module_qstate`
:param qinfo: :class:`query_info`
:param msgrep: :class:`reply_info`
:param is_referal: integer
:param is_referral: integer
:rtype: boolean
.. function:: invalidateQueryInCache(qstate, qinfo)


@ -108,7 +108,7 @@ query_info
.. attribute:: qname_len
Lenght of question name (number of bytes).
Length of question name (number of bytes).
.. attribute:: qname_list[]


@ -25,7 +25,7 @@ Controled by secured queries secured with private key.
Dynamic translation service
---------------------------
DNS request can be translated to virtualy any answer, that's easy to implement in client side
DNS request can be translated to virtually any answer, that's easy to implement in client side
because of many DNS libraries available.
Examples :


@ -77,7 +77,7 @@ def init_standard(id, env):
The function's signature is the same as the C counterpart and allows for
extra functionality during init.
..note:: This function is preferred by unbound over the old init function.
..note:: The previously accesible configuration options can now be found in
..note:: The previously accessible configuration options can now be found in
env.cgf.
"""
log_info("python: inited script {}".format(env.cfg.python_script))
@ -94,7 +94,7 @@ def init(id, cfg):
"""Previous version init function.
..note:: This function is still supported for backwards compatibility when
the init_standard function is missing. When init_standard is
present this function SHOULD be ommited to avoid confusion to the
present this function SHOULD be omitted to avoid confusion to the
reader.
"""
return True


@ -99,7 +99,7 @@ def inplace_cache_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
:param rep: reply_info struct;
:param rcode: return code for the query;
:param edns: edns_data sent from the client side. The list with the EDNS
options is accesible through edns.opt_list. It SHOULD NOT be
options is accessible through edns.opt_list. It SHOULD NOT be
altered;
:param opt_list_out: the list with the EDNS options that will be sent as a
reply. It can be populated with EDNS options;
@ -107,7 +107,7 @@ def inplace_cache_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
want to append a new option to opt_list_out.
:return: True on success, False on failure.
For demostration purposes we want to see if EDNS option 65002 is present
For demonstration purposes we want to see if EDNS option 65002 is present
and reply with a new value.
"""
log_info("python: called back while answering from cache.")
@ -142,7 +142,7 @@ def inplace_local_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
:param rep: reply_info struct;
:param rcode: return code for the query;
:param edns: edns_data sent from the client side. The list with the
EDNS options is accesible through edns.opt_list. It
EDNS options is accessible through edns.opt_list. It
SHOULD NOT be altered;
:param opt_list_out: the list with the EDNS options that will be sent as a
reply. It can be populated with EDNS options;
@ -173,7 +173,7 @@ def inplace_servfail_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
want to append a new option to opt_list_out.
:return: True on success, False on failure.
For demostration purposes we want to reply with an empty EDNS code '65003'.
For demonstration purposes we want to reply with an empty EDNS code '65003'.
"""
log_info("python: called back while servfail.")
b = bytearray.fromhex("")
@ -186,7 +186,7 @@ def init_standard(id, env):
The function's signature is the same as the C counterpart and allows for
extra functionality during init.
..note:: This function is preferred by unbound over the old init function.
..note:: The previously accesible configuration options can now be found in
..note:: The previously accessible configuration options can now be found in
env.cgf.
"""
log_info("python: inited script {}".format(env.cfg.python_script))
@ -218,7 +218,7 @@ def init(id, cfg):
"""Previous version init function.
..note:: This function is still supported for backwards compatibility when
the init_standard function is missing. When init_standard is
present this function SHOULD be ommited to avoid confusion to the
present this function SHOULD be omitted to avoid confusion to the
reader.
"""
return True


@ -1277,7 +1277,7 @@ struct delegpt* find_delegation(struct module_qstate* qstate, char *nm, size_t n
Functions
* ************************************************************************************ */
/******************************
* Various debuging functions *
* Various debugging functions *
******************************/
void verbose(enum verbosity_value level, const char* format, ...);
void log_info(const char* format, ...);

10
services/cache/dns.c vendored

@ -111,7 +111,7 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now,
void
dns_cache_store_msg(struct module_env* env, struct query_info* qinfo,
hashvalue_type hash, struct reply_info* rep, time_t leeway, int pside,
struct reply_info* qrep, struct regional* region)
struct reply_info* qrep, uint32_t flags, struct regional* region)
{
struct msgreply_entry* e;
time_t ttl = rep->ttl;
@ -127,7 +127,7 @@ dns_cache_store_msg(struct module_env* env, struct query_info* qinfo,
* unnecessary, because the cache gets locked per rrset. */
reply_info_set_ttls(rep, *env->now);
store_rrsets(env, rep, *env->now, leeway, pside, qrep, region);
if(ttl == 0) {
if(ttl == 0 && !(flags & DNSCACHE_STORE_ZEROTTL)) {
/* we do not store the message, but we did store the RRs,
* which could be useful for delegation information */
verbose(VERB_ALGO, "TTL 0: dropped msg from cache");
@ -845,7 +845,7 @@ dns_cache_lookup(struct module_env* env,
int
dns_cache_store(struct module_env* env, struct query_info* msgqinf,
struct reply_info* msgrep, int is_referral, time_t leeway, int pside,
struct regional* region, uint16_t flags)
struct regional* region, uint32_t flags)
{
struct reply_info* rep = NULL;
/* alloc, malloc properly (not in region, like msg is) */
@ -890,9 +890,9 @@ dns_cache_store(struct module_env* env, struct query_info* msgqinf,
* Not AA from cache. Not CD in cache (depends on client bit). */
rep->flags |= (BIT_RA | BIT_QR);
rep->flags &= ~(BIT_AA | BIT_CD);
h = query_info_hash(&qinf, flags);
h = query_info_hash(&qinf, (uint16_t)flags);
dns_cache_store_msg(env, &qinf, h, rep, leeway, pside, msgrep,
region);
flags, region);
/* qname is used inside query_info_entrysetup, and set to
* NULL. If it has not been used, free it. free(0) is safe. */
free(qinf.qname);
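Review bot: The cast in `h = query_info_hash(&qinf, (uint16_t)flags);` silently discards the upper 16 bits, which is correct because dns.h now reserves them for DNSCACHE_STORE_xxx policy flags, but a reader of dns.c alone cannot distinguish it from a truncation bug; a comment on that line, `/* low 16 bits are query flags (BIT_CD etc.); the upper bits are DNSCACHE_STORE_xxx cache-policy flags and must not reach the hash */`, makes the intent explicit. The same split deserves a line in dns_cache_store_msg where `flags & DNSCACHE_STORE_ZEROTTL` is tested, since that function now receives the full 32-bit value and only ever inspects the policy bits. Both enclosing functions extend beyond their hunks.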

13
services/cache/dns.h vendored

@ -49,6 +49,12 @@ struct reply_info;
struct regional;
struct delegpt;
/** Flags to control behavior of dns_cache_store() and dns_cache_store_msg().
* Must be an unsigned 32-bit value larger than 0xffff */
/** Allow caching a DNS message with a zero TTL. */
#define DNSCACHE_STORE_ZEROTTL 0x100000
/**
* Region allocated message reply
*/
@ -80,11 +86,13 @@ struct dns_msg {
* @param region: region to allocate better entries from cache into.
* (used when is_referral is false).
* @param flags: flags with BIT_CD for AAAA queries in dns64 translation.
* The higher 16 bits are used internally to customize the cache policy.
* (See DNSCACHE_STORE_xxx flags).
* @return 0 on alloc error (out of memory).
*/
int dns_cache_store(struct module_env* env, struct query_info* qinf,
struct reply_info* rep, int is_referral, time_t leeway, int pside,
struct regional* region, uint16_t flags);
struct regional* region, uint32_t flags);
/**
* Store message in the cache. Stores in message cache and rrset cache.
@ -103,11 +111,12 @@ int dns_cache_store(struct module_env* env, struct query_info* qinf,
* from the parentside of the zonecut. This means that the type NS
* can be updated to full TTL even in prefetch situations.
* @param qrep: message that can be altered with better rrs from cache.
* @param flags: customization flags for the cache policy.
* @param region: to allocate into for qmsg.
*/
void dns_cache_store_msg(struct module_env* env, struct query_info* qinfo,
hashvalue_type hash, struct reply_info* rep, time_t leeway, int pside,
struct reply_info* qrep, struct regional* region);
struct reply_info* qrep, uint32_t flags, struct regional* region);
/**
* Find a delegation from the cache.


@ -533,8 +533,22 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
return 1;
}
static void mesh_schedule_prefetch(struct mesh_area* mesh,
struct query_info* qinfo, uint16_t qflags, time_t leeway, int run);
void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
uint16_t qflags, time_t leeway)
{
mesh_schedule_prefetch(mesh, qinfo, qflags, leeway, 1);
}
/* Internal backend routine of mesh_new_prefetch(). It takes one additional
* parameter, 'run', which controls whether to run the prefetch state
* immediately. When this function is called internally 'run' could be
* 0 (false), in which case the new state is only made runnable so it
* will not be run recursively on top of the current state. */
static void mesh_schedule_prefetch(struct mesh_area* mesh,
struct query_info* qinfo, uint16_t qflags, time_t leeway, int run)
{
struct mesh_state* s = mesh_area_find(mesh, NULL, qinfo,
qflags&(BIT_RD|BIT_CD), 0, 0);
@ -589,6 +603,18 @@ void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
s->list_select = mesh_jostle_list;
}
}
if(!run) {
#ifdef UNBOUND_DEBUG
n =
#else
(void)
#endif
rbtree_insert(&mesh->run, &s->run_node);
log_assert(n != NULL);
return;
}
mesh_run(mesh, s, module_event_new, NULL);
}
@ -666,6 +692,8 @@ mesh_state_create(struct module_env* env, struct query_info* qinfo,
mstate->s.prefetch_leeway = 0;
mstate->s.no_cache_lookup = 0;
mstate->s.no_cache_store = 0;
mstate->s.need_refetch = 0;
/* init modules */
for(i=0; i<env->mesh->mods.num; i++) {
mstate->s.minfo[i] = NULL;
@ -1288,9 +1316,30 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
return 1;
}
/* Extract the query info and flags from 'mstate' into '*qinfop' and '*qflags'.
* Since this is only used for internal refetch of otherwise-expired answer,
* we simply ignore the rare failure mode when memory allocation fails. */
static void
mesh_copy_qinfo(struct mesh_state* mstate, struct query_info** qinfop,
uint16_t* qflags)
{
struct regional* region = mstate->s.env->scratch;
struct query_info* qinfo;
qinfo = regional_alloc_init(region, &mstate->s.qinfo, sizeof(*qinfo));
if(!qinfo)
return;
qinfo->qname = regional_alloc_init(region, qinfo->qname,
qinfo->qname_len);
if(!qinfo->qname)
return;
*qinfop = qinfo;
*qflags = mstate->s.query_flags;
}
/**
* Continue processing the mesh state at another module.
* Handles module to modules tranfer of control.
* Handles module to modules transfer of control.
* Handles module finished.
* @param mesh: the mesh area.
* @param mstate: currently active mesh state.
@ -1310,7 +1359,8 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate,
mstate->num_activated++;
if(mstate->num_activated > MESH_MAX_ACTIVATION) {
/* module is looping. Stop it. */
log_err("internal error: looping module stopped");
log_err("internal error: looping module (%s) stopped",
mesh->mods.mod[mstate->s.curmod]->name);
log_query_info(VERB_QUERY, "pass error for qstate",
&mstate->s.qinfo);
s = module_error;
@ -1350,11 +1400,32 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate,
/* error is bad, handle pass back up below */
mstate->s.return_rcode = LDNS_RCODE_SERVFAIL;
}
if(s == module_error || s == module_finished) {
if(s == module_error) {
mesh_query_done(mstate);
mesh_walk_supers(mesh, mstate);
mesh_state_delete(&mstate->s);
return 0;
}
if(s == module_finished) {
if(mstate->s.curmod == 0) {
struct query_info* qinfo = NULL;
uint16_t qflags;
mesh_query_done(mstate);
mesh_walk_supers(mesh, mstate);
/* If the answer to the query needs to be refetched
* from an external DNS server, we'll need to schedule
* a prefetch after removing the current state, so
* we need to make a copy of the query info here. */
if(mstate->s.need_refetch)
mesh_copy_qinfo(mstate, &qinfo, &qflags);
mesh_state_delete(&mstate->s);
if(qinfo) {
mesh_schedule_prefetch(mesh, qinfo, qflags,
0, 1);
}
return 0;
}
/* pass along the locus of control */
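Review bot: In the new module_finished branch of mesh_continue, `uint16_t qflags;` is only assigned when mesh_copy_qinfo succeeds; the later use is guarded by `if(qinfo)`, so it is correct, but the coupling is invisible to maybe-uninitialized analysis and `uint16_t qflags = 0;` removes the warning for free. The bigger caveat is lifetime: mesh_copy_qinfo returns memory carved from `env->scratch`, so the qinfo handed to mesh_schedule_prefetch after mesh_state_delete presumably only survives until the scratch region is next cleared, and the code relies on the new mesh state duplicating qname before any nested mesh_run does so — that deserves a sentence in the mesh_copy_qinfo comment, such as `/* The copy lives in env->scratch and must be consumed before the scratch region is cleared; the scheduled prefetch copies it into its own state. */`. The "simply ignore the rare failure mode" path also drops the refetch silently, leaving the expired entry stale with no trace in the logs; a verbose-level log line there would make that visible. mesh_continue's body continues outside the hunk.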


@ -364,9 +364,9 @@ use_free_buffer(struct outside_network* outnet)
}
}
/** decomission a tcp buffer, closes commpoint and frees waiting_tcp entry */
/** decommission a tcp buffer, closes commpoint and frees waiting_tcp entry */
static void
decomission_pending_tcp(struct outside_network* outnet,
decommission_pending_tcp(struct outside_network* outnet,
struct pending_tcp* pend)
{
if(pend->c->ssl) {
@ -406,7 +406,7 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error,
}
fptr_ok(fptr_whitelist_pending_tcp(pend->query->cb));
(void)(*pend->query->cb)(c, pend->query->cb_arg, error, reply_info);
decomission_pending_tcp(outnet, pend);
decommission_pending_tcp(outnet, pend);
return 0;
}
@ -1416,7 +1416,7 @@ serviced_delete(struct serviced_query* sq)
struct waiting_tcp* p = (struct waiting_tcp*)
sq->pending;
if(p->pkt == NULL) {
decomission_pending_tcp(sq->outnet,
decommission_pending_tcp(sq->outnet,
(struct pending_tcp*)p->next_waiting);
} else {
waiting_list_remove(sq->outnet, p);


@ -67,7 +67,7 @@ struct view {
/** rbtree node, key is name */
rbnode_type node;
/** view name.
* Has to be right after rbnode_t due to pointer arithmatic in
* Has to be right after rbnode_t due to pointer arithmetic in
* view_create's lock protect */
char* name;
/** view specific local authority zones */


@ -33,14 +33,14 @@ ssize_t
sldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *line_nr)
{
int c, prev_c;
int p; /* 0 -> no parenthese seen, >0 nr of ( seen */
int p; /* 0 -> no parentheses seen, >0 nr of ( seen */
int com, quoted;
char *t;
size_t i;
const char *d;
const char *del;
/* standard delimeters */
/* standard delimiters */
if (!delim) {
/* from isspace(3) */
del = LDNS_PARSE_NORMAL;
@ -244,7 +244,7 @@ sldns_bget_token_par(sldns_buffer *b, char *token, const char *delim,
size_t limit, int* par, const char* skipw)
{
int c, lc;
int p; /* 0 -> no parenthese seen, >0 nr of ( seen */
int p; /* 0 -> no parentheses seen, >0 nr of ( seen */
int com, quoted;
char *t;
size_t i;


@ -103,9 +103,9 @@ ssize_t sldns_bget_token(struct sldns_buffer *b, char *token, const char *delim,
* after the keyword + k_del until we hit d_del
* \param[in] f file pointer to read from
* \param[in] keyword keyword to look for
* \param[in] k_del keyword delimeter
* \param[in] k_del keyword delimiter
* \param[out] data the data found
* \param[in] d_del the data delimeter
* \param[in] d_del the data delimiter
* \param[in] data_limit maximum size the the data buffer
* \return the number of character read
*/
@ -116,9 +116,9 @@ ssize_t sldns_fget_keyword_data(FILE *f, const char *keyword, const char *k_del,
* after the keyword + k_del until we hit d_del
* \param[in] f file pointer to read from
* \param[in] keyword keyword to look for
* \param[in] k_del keyword delimeter
* \param[in] k_del keyword delimiter
* \param[out] data the data found
* \param[in] d_del the data delimeter
* \param[in] d_del the data delimiter
* \param[in] data_limit maximum size the the data buffer
* \param[in] line_nr pointer to an integer containing the current line number (for
debugging purposes)
@ -131,9 +131,9 @@ ssize_t sldns_fget_keyword_data_l(FILE *f, const char *keyword, const char *k_de
* after the keyword + k_del until we hit d_del
* \param[in] b buffer pointer to read from
* \param[in] keyword keyword to look for
* \param[in] k_del keyword delimeter
* \param[in] k_del keyword delimiter
* \param[out] data the data found
* \param[in] d_del the data delimeter
* \param[in] d_del the data delimiter
* \param[in] data_limit maximum size the the data buffer
* \return the number of character read
*/


@ -165,20 +165,20 @@ sldns_gmtime64_r(int64_t clock, struct tm *result)
#endif /* SIZEOF_TIME_T <= 4 */
static int64_t
sldns_serial_arithmitics_time(int32_t time, time_t now)
sldns_serial_arithmetics_time(int32_t time, time_t now)
{
int32_t offset = time - (int32_t) now;
return (int64_t) now + offset;
}
struct tm *
sldns_serial_arithmitics_gmtime_r(int32_t time, time_t now, struct tm *result)
sldns_serial_arithmetics_gmtime_r(int32_t time, time_t now, struct tm *result)
{
#if SIZEOF_TIME_T <= 4
int64_t secs_since_epoch = sldns_serial_arithmitics_time(time, now);
int64_t secs_since_epoch = sldns_serial_arithmetics_time(time, now);
return sldns_gmtime64_r(secs_since_epoch, result);
#else
time_t secs_since_epoch = sldns_serial_arithmitics_time(time, now);
time_t secs_since_epoch = sldns_serial_arithmetics_time(time, now);
return gmtime_r(&secs_since_epoch, result);
#endif
}


@ -62,13 +62,13 @@ time_t sldns_mktime_from_utc(const struct tm *tm);
* fields of RRSIG records.
*
* \param[in] time number of seconds since epoch (midnight, January 1st, 1970)
* to be intepreted as a serial arithmetics number relative to now.
* to be interpreted as a serial arithmetics number relative to now.
* \param[in] now number of seconds since epoch (midnight, January 1st, 1970)
* to which the time value is compared to determine the final value.
* \param[out] result the struct with the broken-out time information
* \return result on success or NULL on error
*/
struct tm * sldns_serial_arithmitics_gmtime_r(int32_t time, time_t now, struct tm *result);
struct tm * sldns_serial_arithmetics_gmtime_r(int32_t time, time_t now, struct tm *result);
/**
* converts a ttl value (like 5d2h) to a long.


@ -331,13 +331,13 @@ enum sldns_enum_rdf_type
LDNS_RDF_TYPE_NSEC3_NEXT_OWNER,
/** 4 shorts represented as 4 * 16 bit hex numbers
* seperated by colons. For NID and L64.
* separated by colons. For NID and L64.
*/
LDNS_RDF_TYPE_ILNP64,
/** 6 * 8 bit hex numbers seperated by dashes. For EUI48. */
/** 6 * 8 bit hex numbers separated by dashes. For EUI48. */
LDNS_RDF_TYPE_EUI48,
/** 8 * 8 bit hex numbers seperated by dashes. For EUI64. */
/** 8 * 8 bit hex numbers separated by dashes. For EUI64. */
LDNS_RDF_TYPE_EUI64,
/** A non-zero sequence of US-ASCII letters and numbers in lower case.


@ -497,7 +497,7 @@ sldns_buffer_set_at(sldns_buffer *buffer, size_t at, int c, size_t count)
* writes count bytes of data to the current position of the buffer
* \param[in] buffer the buffer
* \param[in] data the data to write
* \param[in] count the lenght of the data to write
* \param[in] count the length of the data to write
*/
INLINE void
sldns_buffer_write(sldns_buffer *buffer, const void *data, size_t count)


@ -1541,7 +1541,7 @@ int sldns_str2wire_loc_buf(const char* str, uint8_t* rd, size_t* len)
s = strtod(my_str, &my_str);
}
/* skip blanks before norterness */
/* skip blanks before northerness */
while (isblank((unsigned char) *my_str)) {
my_str++;
}


@ -1335,7 +1335,7 @@ int sldns_wire2str_time_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
if(*dl < 4) return -1;
t = sldns_read_uint32(*d);
date_buf[15]=0;
if(sldns_serial_arithmitics_gmtime_r(t, time(NULL), &tm) &&
if(sldns_serial_arithmetics_gmtime_r(t, time(NULL), &tm) &&
strftime(date_buf, 15, "%Y%m%d%H%M%S", &tm)) {
(*d) += 4;
(*dl) -= 4;


@ -669,7 +669,7 @@ wipe_ip_usage(struct ip_list* p)
}
}
/** cound unused IPs */
/** count unused IPs */
static int
count_unused(struct ip_list* p)
{


@ -254,6 +254,8 @@ static void print_mem(struct ub_shm_stat_info* shm_stat)
#ifdef USE_DNSCRYPT
PR_LL("mem.cache.dnscrypt_shared_secret",
shm_stat->mem.dnscrypt_shared_secret);
PR_LL("mem.cache.dnscrypt_nonce",
shm_stat->mem.dnscrypt_nonce);
#endif
}
@ -360,6 +362,9 @@ static void print_extended(struct ub_stats_info* s)
s->svr.shared_secret_cache_count);
PR_UL("num.query.dnscrypt.shared_secret.cachemiss",
s->svr.num_query_dnscrypt_secret_missed_cache);
PR_UL("dnscrypt_nonce.cache.count", s->svr.nonce_cache_count);
PR_UL("num.query.dnscrypt.replay",
s->svr.num_query_dnscrypt_replay);
#endif /* USE_DNSCRYPT */
}
@ -721,7 +726,7 @@ int main(int argc, char* argv[])
WSADATA wsa_data;
#endif
#ifdef USE_THREAD_DEBUG
/* stop the file output from unbound-control, overwites the servers */
/* stop the file output from unbound-control, overwrites the servers */
extern int check_locking_order;
check_locking_order = 0;
#endif /* USE_THREAD_DEBUG */


@ -209,6 +209,7 @@ massage_class(const char* c)
static const char*
secure_str(struct ub_result* result)
{
if(result->rcode != 0 && result->rcode != 3) return "(error)";
if(result->secure) return "(secure)";
if(result->bogus) return "(BOGUS (security failure))";
return "(insecure)";
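Review bot: The new rcode guard at the top of secure_str runs before the `result->bogus` test, so a validation failure that libunbound reports as SERVFAIL with bogus set (its behavior unless val-permissive-mode is enabled, as far as I recall) now prints `(error)` instead of `(BOGUS (security failure))`, hiding the DNSSEC failure from the user. Checking bogus first keeps the new label for genuine errors: move `if(result->bogus) return "(BOGUS (security failure))";` above the rcode line. The literals 0 and 3 would also read better as LDNS_RCODE_NOERROR and LDNS_RCODE_NXDOMAIN if those names are in scope in this file.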


@ -182,7 +182,7 @@ struct checked_lock {
* @param area: ptr to mem.
* @param size: length of area.
* You can call it multiple times with the same lock to give several areas.
* Call it when you are done initialising the area, since it will be copied
* Call it when you are done initializing the area, since it will be copied
* at this time and protected right away against unauthorised changes until
* the next lock() call is done.
*/


@ -86,7 +86,7 @@
*/
/* what should we check?
* X - is it balanced? (a node with 1 child shoudl not have
* X - is it balanced? (a node with 1 child should not have
* a node with 1 child MUST have elem
* child must be sub of parent
* edge must be longer than parent edge


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -4,6 +4,7 @@ server:
log-time-ascii: yes
val-override-date: '20091018111500'
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.


@ -5,6 +5,7 @@ server:
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."


@ -5,6 +5,7 @@ server:
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."


@ -5,6 +5,7 @@ server:
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."


@ -5,6 +5,7 @@ server:
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."


@ -5,6 +5,7 @@ server:
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."


@ -5,6 +5,7 @@ server:
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."


@ -5,6 +5,7 @@ server:
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."


@ -5,6 +5,7 @@ server:
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."


@ -5,6 +5,7 @@ server:
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."


@ -5,6 +5,7 @@ server:
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."


@ -6,6 +6,7 @@ server:
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
stub-zone:
name: "."
