Upgrade to Unbound 1.5.5.
This commit is contained in:
commit
b75612f8e7
@ -168,7 +168,7 @@ HOST_OBJ=unbound-host.lo
|
||||
HOST_OBJ_LINK=$(HOST_OBJ) $(SLDNS_OBJ) $(COMPAT_OBJ_WITHOUT_CTIMEARC4) @WIN_HOST_OBJ_LINK@
|
||||
UBANCHOR_SRC=smallapp/unbound-anchor.c
|
||||
UBANCHOR_OBJ=unbound-anchor.lo
|
||||
UBANCHOR_OBJ_LINK=$(UBANCHOR_OBJ) \
|
||||
UBANCHOR_OBJ_LINK=$(UBANCHOR_OBJ) parseutil.lo \
|
||||
$(COMPAT_OBJ_WITHOUT_CTIME) @WIN_UBANCHOR_OBJ_LINK@
|
||||
TESTBOUND_SRC=testcode/testbound.c testcode/testpkts.c \
|
||||
daemon/worker.c daemon/acl_list.c daemon/daemon.c daemon/stats.c \
|
||||
@ -1175,7 +1175,7 @@ delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_h
|
||||
unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
|
||||
unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/sldns/rrdef.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
|
||||
|
||||
petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
|
||||
|
||||
|
@ -2,7 +2,8 @@
|
||||
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
|
||||
# BSD licensed.
|
||||
#
|
||||
# Version 27
|
||||
# Version 28
|
||||
# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
|
||||
# 2015-03-17 AHX_CONFIG_REALLOCARRAY added
|
||||
# 2013-09-19 FLTO help text improved.
|
||||
# 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
|
||||
@ -94,6 +95,8 @@
|
||||
# ACX_CHECK_MEMCMP_SIGNED - check if memcmp uses signed characters.
|
||||
# AHX_MEMCMP_BROKEN - replace memcmp func for CHECK_MEMCMP_SIGNED.
|
||||
# ACX_CHECK_SS_FAMILY - check for sockaddr_storage.ss_family
|
||||
# ACX_CHECK_PIE - add --enable-pie option and check if works
|
||||
# ACX_CHECK_RELRO_NOW - add --enable-relro-now option and check it
|
||||
#
|
||||
|
||||
dnl Escape backslashes as \\, for C:\ paths, for the C preprocessor defines.
|
||||
@ -1386,4 +1389,46 @@ AC_DEFUN([ACX_CHECK_SS_FAMILY],
|
||||
#endif
|
||||
]) ])
|
||||
|
||||
dnl Check if CC and linker support -fPIE and -pie.
|
||||
dnl If so, sets them in CFLAGS / LDFLAGS.
|
||||
AC_DEFUN([ACX_CHECK_PIE], [
|
||||
AC_ARG_ENABLE([pie], AS_HELP_STRING([--enable-pie], [Enable Position-Independent Executable (eg. to fully benefit from ASLR, small performance penalty)]))
|
||||
AS_IF([test "x$enable_pie" = "xyes"], [
|
||||
AC_MSG_CHECKING([if $CC supports PIE])
|
||||
BAKLDFLAGS="$LDFLAGS"
|
||||
BAKCFLAGS="$CFLAGS"
|
||||
LDFLAGS="$LDFLAGS -pie"
|
||||
CFLAGS="$CFLAGS -fPIE"
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
|
||||
if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
|
||||
LDFLAGS="$BAKLDFLAGS"
|
||||
AC_MSG_RESULT(no)
|
||||
else
|
||||
AC_MSG_RESULT(yes)
|
||||
fi
|
||||
rm -f conftest conftest.c conftest.o
|
||||
], [LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)])
|
||||
])
|
||||
])
|
||||
|
||||
dnl Check if linker supports -Wl,-z,relro,-z,now.
|
||||
dnl If so, adds it to LDFLAGS.
|
||||
AC_DEFUN([ACX_CHECK_RELRO_NOW], [
|
||||
AC_ARG_ENABLE([relro_now], AS_HELP_STRING([--enable-relro-now], [Enable full relocation binding at load-time (RELRO NOW, to protect GOT and .dtor areas)]))
|
||||
AS_IF([test "x$enable_relro_now" = "xyes"], [
|
||||
AC_MSG_CHECKING([if $CC supports -Wl,-z,relro,-z,now])
|
||||
BAKLDFLAGS="$LDFLAGS"
|
||||
LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
|
||||
if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
|
||||
LDFLAGS="$BAKLDFLAGS"
|
||||
AC_MSG_RESULT(no)
|
||||
else
|
||||
AC_MSG_RESULT(yes)
|
||||
fi
|
||||
rm -f conftest conftest.c conftest.o
|
||||
], [LDFLAGS="$BAKLDFLAGS" ; AC_MSG_RESULT(no)])
|
||||
])
|
||||
])
|
||||
|
||||
dnl End of file
|
||||
|
@ -83,6 +83,10 @@
|
||||
`SSL_COMP_get_compression_methods', and to 0 if you don't. */
|
||||
#define HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS 1
|
||||
|
||||
/* Define to 1 if you have the declaration of `SSL_CTX_set_ecdh_auto', and to
|
||||
0 if you don't. */
|
||||
#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO 0
|
||||
|
||||
/* Define to 1 if you have the declaration of `strlcat', and to 0 if you
|
||||
don't. */
|
||||
/* #undef HAVE_DECL_STRLCAT */
|
||||
@ -493,7 +497,7 @@
|
||||
#define PACKAGE_NAME "unbound"
|
||||
|
||||
/* Define to the full name and version of this package. */
|
||||
#define PACKAGE_STRING "unbound 1.5.4"
|
||||
#define PACKAGE_STRING "unbound 1.5.5"
|
||||
|
||||
/* Define to the one symbol short name of this package. */
|
||||
#define PACKAGE_TARNAME "unbound"
|
||||
@ -502,7 +506,7 @@
|
||||
#define PACKAGE_URL ""
|
||||
|
||||
/* Define to the version of this package. */
|
||||
#define PACKAGE_VERSION "1.5.4"
|
||||
#define PACKAGE_VERSION "1.5.5"
|
||||
|
||||
/* default pidfile location */
|
||||
#define PIDFILE "/var/unbound/unbound.pid"
|
||||
@ -521,7 +525,7 @@
|
||||
#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
|
||||
|
||||
/* version number for resource files */
|
||||
#define RSRC_PACKAGE_VERSION 1,5,4,0
|
||||
#define RSRC_PACKAGE_VERSION 1,5,5,0
|
||||
|
||||
/* Directory to chdir to */
|
||||
#define RUN_DIR "/var/unbound"
|
||||
|
@ -82,6 +82,10 @@
|
||||
`SSL_COMP_get_compression_methods', and to 0 if you don't. */
|
||||
#undef HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
|
||||
|
||||
/* Define to 1 if you have the declaration of `SSL_CTX_set_ecdh_auto', and to
|
||||
0 if you don't. */
|
||||
#undef HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||
|
||||
/* Define to 1 if you have the declaration of `strlcat', and to 0 if you
|
||||
don't. */
|
||||
#undef HAVE_DECL_STRLCAT
|
||||
|
155
contrib/unbound/configure
vendored
155
contrib/unbound/configure
vendored
@ -1,6 +1,6 @@
|
||||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.5.4.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.5.5.
|
||||
#
|
||||
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
|
||||
#
|
||||
@ -590,8 +590,8 @@ MAKEFLAGS=
|
||||
# Identity of this package.
|
||||
PACKAGE_NAME='unbound'
|
||||
PACKAGE_TARNAME='unbound'
|
||||
PACKAGE_VERSION='1.5.4'
|
||||
PACKAGE_STRING='unbound 1.5.4'
|
||||
PACKAGE_VERSION='1.5.5'
|
||||
PACKAGE_STRING='unbound 1.5.5'
|
||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
|
||||
PACKAGE_URL=''
|
||||
|
||||
@ -804,6 +804,8 @@ with_username
|
||||
enable_checking
|
||||
enable_debug
|
||||
enable_flto
|
||||
enable_pie
|
||||
enable_relro_now
|
||||
enable_shared
|
||||
enable_static
|
||||
with_pic
|
||||
@ -1389,7 +1391,7 @@ if test "$ac_init_help" = "long"; then
|
||||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures unbound 1.5.4 to adapt to many kinds of systems.
|
||||
\`configure' configures unbound 1.5.5 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
@ -1454,7 +1456,7 @@ fi
|
||||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of unbound 1.5.4:";;
|
||||
short | recursive ) echo "Configuration of unbound 1.5.5:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
@ -1465,6 +1467,10 @@ Optional Features:
|
||||
--enable-checking Enable warnings, asserts, makefile-dependencies
|
||||
--enable-debug same as enable-checking
|
||||
--disable-flto Disable link-time optimization (gcc specific option)
|
||||
--enable-pie Enable Position-Independent Executable (eg. to fully
|
||||
benefit from ASLR, small performance penalty)
|
||||
--enable-relro-now Enable full relocation binding at load-time (RELRO
|
||||
NOW, to protect GOT and .dtor areas)
|
||||
--enable-shared[=PKGS] build shared libraries [default=yes]
|
||||
--enable-static[=PKGS] build static libraries [default=yes]
|
||||
--enable-fast-install[=PKGS]
|
||||
@ -1629,7 +1635,7 @@ fi
|
||||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
unbound configure 1.5.4
|
||||
unbound configure 1.5.5
|
||||
generated by GNU Autoconf 2.69
|
||||
|
||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
@ -2338,7 +2344,7 @@ cat >config.log <<_ACEOF
|
||||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by unbound $as_me 1.5.4, which was
|
||||
It was created by unbound $as_me 1.5.5, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
@ -2690,11 +2696,11 @@ UNBOUND_VERSION_MAJOR=1
|
||||
|
||||
UNBOUND_VERSION_MINOR=5
|
||||
|
||||
UNBOUND_VERSION_MICRO=4
|
||||
UNBOUND_VERSION_MICRO=5
|
||||
|
||||
|
||||
LIBUNBOUND_CURRENT=5
|
||||
LIBUNBOUND_REVISION=7
|
||||
LIBUNBOUND_REVISION=8
|
||||
LIBUNBOUND_AGE=3
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@ -2738,6 +2744,7 @@ LIBUNBOUND_AGE=3
|
||||
# 1.5.2 had 5:5:3
|
||||
# 1.5.3 had 5:6:3
|
||||
# 1.5.4 had 5:7:3
|
||||
# 1.5.5 had 5:8:3
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@ -5879,6 +5886,96 @@ rm -f core conftest.err conftest.$ac_objext \
|
||||
fi
|
||||
|
||||
|
||||
# Check whether --enable-pie was given.
|
||||
if test "${enable_pie+set}" = set; then :
|
||||
enableval=$enable_pie;
|
||||
fi
|
||||
|
||||
if test "x$enable_pie" = "xyes"; then :
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports PIE" >&5
|
||||
$as_echo_n "checking if $CC supports PIE... " >&6; }
|
||||
BAKLDFLAGS="$LDFLAGS"
|
||||
BAKCFLAGS="$CFLAGS"
|
||||
LDFLAGS="$LDFLAGS -pie"
|
||||
CFLAGS="$CFLAGS -fPIE"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
int
|
||||
main ()
|
||||
{
|
||||
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
|
||||
if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
|
||||
LDFLAGS="$BAKLDFLAGS"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
fi
|
||||
rm -f conftest conftest.c conftest.o
|
||||
|
||||
else
|
||||
LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
|
||||
fi
|
||||
|
||||
|
||||
# Check whether --enable-relro_now was given.
|
||||
if test "${enable_relro_now+set}" = set; then :
|
||||
enableval=$enable_relro_now;
|
||||
fi
|
||||
|
||||
if test "x$enable_relro_now" = "xyes"; then :
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wl,-z,relro,-z,now" >&5
|
||||
$as_echo_n "checking if $CC supports -Wl,-z,relro,-z,now... " >&6; }
|
||||
BAKLDFLAGS="$LDFLAGS"
|
||||
LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
int
|
||||
main ()
|
||||
{
|
||||
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
|
||||
if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
|
||||
LDFLAGS="$BAKLDFLAGS"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
fi
|
||||
rm -f conftest conftest.c conftest.o
|
||||
|
||||
else
|
||||
LDFLAGS="$BAKLDFLAGS" ; { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
|
||||
fi
|
||||
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5
|
||||
$as_echo_n "checking for inline... " >&6; }
|
||||
if ${ac_cv_c_inline+:} false; then :
|
||||
@ -16101,7 +16198,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
|
||||
as_fn_error $? "Python version >= 2.4.0 is required" "$LINENO" 5
|
||||
fi
|
||||
|
||||
PY_MAJOR_VERSION="`$PYTHON -c "import sys; print(sys.version_info.major)"`"
|
||||
PY_MAJOR_VERSION="`$PYTHON -c \"import sys; print(sys.version_info[0])\"`"
|
||||
|
||||
# Have Python
|
||||
|
||||
@ -16684,7 +16781,7 @@ rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5
|
||||
$as_echo_n "checking for LibreSSL... " >&6; }
|
||||
if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
|
||||
@ -16845,6 +16942,36 @@ fi
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_DECL_SK_SSL_COMP_POP_FREE $ac_have_decl
|
||||
_ACEOF
|
||||
ac_fn_c_check_decl "$LINENO" "SSL_CTX_set_ecdh_auto" "ac_cv_have_decl_SSL_CTX_set_ecdh_auto" "
|
||||
$ac_includes_default
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OPENSSL_RAND_H
|
||||
#include <openssl/rand.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OPENSSL_CONF_H
|
||||
#include <openssl/conf.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OPENSSL_ENGINE_H
|
||||
#include <openssl/engine.h>
|
||||
#endif
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
"
|
||||
if test "x$ac_cv_have_decl_SSL_CTX_set_ecdh_auto" = xyes; then :
|
||||
ac_have_decl=1
|
||||
else
|
||||
ac_have_decl=0
|
||||
fi
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO $ac_have_decl
|
||||
_ACEOF
|
||||
|
||||
fi
|
||||
|
||||
@ -18890,7 +19017,7 @@ _ACEOF
|
||||
|
||||
|
||||
|
||||
version=1.5.4
|
||||
version=1.5.5
|
||||
|
||||
date=`date +'%b %e, %Y'`
|
||||
|
||||
@ -19405,7 +19532,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
||||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by unbound $as_me 1.5.4, which was
|
||||
This file was extended by unbound $as_me 1.5.5, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
@ -19471,7 +19598,7 @@ _ACEOF
|
||||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||
ac_cs_version="\\
|
||||
unbound config.status 1.5.4
|
||||
unbound config.status 1.5.5
|
||||
configured by $0, generated by GNU Autoconf 2.69,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
@ -10,14 +10,14 @@ sinclude(dnstap/dnstap.m4)
|
||||
# must be numbers. ac_defun because of later processing
|
||||
m4_define([VERSION_MAJOR],[1])
|
||||
m4_define([VERSION_MINOR],[5])
|
||||
m4_define([VERSION_MICRO],[4])
|
||||
m4_define([VERSION_MICRO],[5])
|
||||
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
|
||||
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
|
||||
|
||||
LIBUNBOUND_CURRENT=5
|
||||
LIBUNBOUND_REVISION=7
|
||||
LIBUNBOUND_REVISION=8
|
||||
LIBUNBOUND_AGE=3
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@ -61,6 +61,7 @@ LIBUNBOUND_AGE=3
|
||||
# 1.5.2 had 5:5:3
|
||||
# 1.5.3 had 5:6:3
|
||||
# 1.5.4 had 5:7:3
|
||||
# 1.5.5 had 5:8:3
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@ -246,6 +247,8 @@ case "$debug_enabled" in
|
||||
;;
|
||||
esac
|
||||
ACX_CHECK_FLTO
|
||||
ACX_CHECK_PIE
|
||||
ACX_CHECK_RELRO_NOW
|
||||
|
||||
AC_C_INLINE
|
||||
ACX_CHECK_FORMAT_ATTRIBUTE
|
||||
@ -475,7 +478,7 @@ if test x_$ub_test_python != x_no; then
|
||||
AC_ERROR([Python version >= 2.4.0 is required])
|
||||
fi
|
||||
|
||||
PY_MAJOR_VERSION="`$PYTHON -c "import sys; print(sys.version_info.major)"`"
|
||||
[PY_MAJOR_VERSION="`$PYTHON -c \"import sys; print(sys.version_info[0])\"`"]
|
||||
AC_SUBST(PY_MAJOR_VERSION)
|
||||
# Have Python
|
||||
AC_DEFINE(HAVE_PYTHON,1,[Define if you have Python libraries and header files.])
|
||||
@ -566,7 +569,7 @@ if test $USE_NSS = "no"; then
|
||||
ACX_WITH_SSL
|
||||
ACX_LIB_SSL
|
||||
AC_MSG_CHECKING([for LibreSSL])
|
||||
if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||
AC_MSG_RESULT([yes])
|
||||
AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL])
|
||||
# libressl provides these compat functions, but they may also be
|
||||
@ -578,7 +581,7 @@ fi
|
||||
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
|
||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
|
||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
|
||||
AC_INCLUDES_DEFAULT
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
#include <openssl/err.h>
|
||||
|
@ -399,6 +399,12 @@ daemon_create_workers(struct daemon* daemon)
|
||||
verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
|
||||
|
||||
daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
|
||||
if(daemon->reuseport && (int)daemon->num < (int)daemon->num_ports) {
|
||||
log_warn("cannot reduce num-threads to %d because so-reuseport "
|
||||
"so continuing with %d threads.", (int)daemon->num,
|
||||
(int)daemon->num_ports);
|
||||
daemon->num = (int)daemon->num_ports;
|
||||
}
|
||||
daemon->workers = (struct worker**)calloc((size_t)daemon->num,
|
||||
sizeof(struct worker*));
|
||||
if(daemon->cfg->dnstap) {
|
||||
@ -464,7 +470,7 @@ thread_start(void* arg)
|
||||
#endif
|
||||
#ifdef SO_REUSEPORT
|
||||
if(worker->daemon->cfg->so_reuseport)
|
||||
port_num = worker->thread_num;
|
||||
port_num = worker->thread_num % worker->daemon->num_ports;
|
||||
else
|
||||
port_num = 0;
|
||||
#endif
|
||||
|
@ -243,9 +243,9 @@ daemon_remote_create(struct config_file* cfg)
|
||||
goto setup_error;
|
||||
}
|
||||
verbose(VERB_ALGO, "setup SSL certificates");
|
||||
if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) {
|
||||
if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) {
|
||||
log_err("Error for server-cert-file: %s", s_cert);
|
||||
log_crypto_err("Error in SSL_CTX use_certificate_file");
|
||||
log_crypto_err("Error in SSL_CTX use_certificate_chain_file");
|
||||
goto setup_error;
|
||||
}
|
||||
if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
|
||||
@ -258,6 +258,23 @@ daemon_remote_create(struct config_file* cfg)
|
||||
log_crypto_err("Error in SSL_CTX check_private_key");
|
||||
goto setup_error;
|
||||
}
|
||||
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||
if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) {
|
||||
log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
|
||||
}
|
||||
#elif defined(USE_ECDSA)
|
||||
if(1) {
|
||||
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
|
||||
if (!ecdh) {
|
||||
log_crypto_err("could not find p256, not enabling ECDHE");
|
||||
} else {
|
||||
if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) {
|
||||
log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
|
||||
}
|
||||
EC_KEY_free (ecdh);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
|
||||
log_crypto_err("Error setting up SSL_CTX verify locations");
|
||||
setup_error:
|
||||
@ -1242,8 +1259,6 @@ struct del_info {
|
||||
size_t len;
|
||||
/** labels */
|
||||
int labs;
|
||||
/** now */
|
||||
time_t now;
|
||||
/** time to invalidate to */
|
||||
time_t expired;
|
||||
/** number of rrsets removed */
|
||||
@ -1272,7 +1287,7 @@ infra_del_host(struct lruhash_entry* e, void* arg)
|
||||
d->timeout_AAAA = 0;
|
||||
d->timeout_other = 0;
|
||||
rtt_init(&d->rtt);
|
||||
if(d->ttl >= inf->now) {
|
||||
if(d->ttl > inf->expired) {
|
||||
d->ttl = inf->expired;
|
||||
inf->num_keys++;
|
||||
}
|
||||
@ -1301,7 +1316,6 @@ do_flush_infra(SSL* ssl, struct worker* worker, char* arg)
|
||||
inf.name = 0;
|
||||
inf.len = 0;
|
||||
inf.labs = 0;
|
||||
inf.now = *worker->env.now;
|
||||
inf.expired = *worker->env.now;
|
||||
inf.expired -= 3; /* handle 3 seconds skew between threads */
|
||||
inf.num_rrsets = 0;
|
||||
@ -1332,7 +1346,7 @@ zone_del_rrset(struct lruhash_entry* e, void* arg)
|
||||
if(dname_subdomain_c(k->rk.dname, inf->name)) {
|
||||
struct packed_rrset_data* d =
|
||||
(struct packed_rrset_data*)e->data;
|
||||
if(d->ttl >= inf->now) {
|
||||
if(d->ttl > inf->expired) {
|
||||
d->ttl = inf->expired;
|
||||
inf->num_rrsets++;
|
||||
}
|
||||
@ -1348,7 +1362,7 @@ zone_del_msg(struct lruhash_entry* e, void* arg)
|
||||
struct msgreply_entry* k = (struct msgreply_entry*)e->key;
|
||||
if(dname_subdomain_c(k->key.qname, inf->name)) {
|
||||
struct reply_info* d = (struct reply_info*)e->data;
|
||||
if(d->ttl >= inf->now) {
|
||||
if(d->ttl > inf->expired) {
|
||||
d->ttl = inf->expired;
|
||||
inf->num_msgs++;
|
||||
}
|
||||
@ -1364,7 +1378,7 @@ zone_del_kcache(struct lruhash_entry* e, void* arg)
|
||||
struct key_entry_key* k = (struct key_entry_key*)e->key;
|
||||
if(dname_subdomain_c(k->name, inf->name)) {
|
||||
struct key_entry_data* d = (struct key_entry_data*)e->data;
|
||||
if(d->ttl >= inf->now) {
|
||||
if(d->ttl > inf->expired) {
|
||||
d->ttl = inf->expired;
|
||||
inf->num_keys++;
|
||||
}
|
||||
@ -1387,7 +1401,6 @@ do_flush_zone(SSL* ssl, struct worker* worker, char* arg)
|
||||
inf.name = nm;
|
||||
inf.len = nmlen;
|
||||
inf.labs = nmlabs;
|
||||
inf.now = *worker->env.now;
|
||||
inf.expired = *worker->env.now;
|
||||
inf.expired -= 3; /* handle 3 seconds skew between threads */
|
||||
inf.num_rrsets = 0;
|
||||
@ -1457,7 +1470,6 @@ do_flush_bogus(SSL* ssl, struct worker* worker)
|
||||
struct del_info inf;
|
||||
/* what we do is to set them all expired */
|
||||
inf.worker = worker;
|
||||
inf.now = *worker->env.now;
|
||||
inf.expired = *worker->env.now;
|
||||
inf.expired -= 3; /* handle 3 seconds skew between threads */
|
||||
inf.num_rrsets = 0;
|
||||
@ -1533,7 +1545,6 @@ do_flush_negative(SSL* ssl, struct worker* worker)
|
||||
struct del_info inf;
|
||||
/* what we do is to set them all expired */
|
||||
inf.worker = worker;
|
||||
inf.now = *worker->env.now;
|
||||
inf.expired = *worker->env.now;
|
||||
inf.expired -= 3; /* handle 3 seconds skew between threads */
|
||||
inf.num_rrsets = 0;
|
||||
@ -1683,6 +1694,7 @@ parse_delegpt(SSL* ssl, char* args, uint8_t* nm, int allow_names)
|
||||
}
|
||||
}
|
||||
}
|
||||
dp->has_parent_side_NS = 1;
|
||||
return dp;
|
||||
}
|
||||
|
||||
@ -2265,11 +2277,17 @@ do_list_local_data(SSL* ssl, struct worker* worker)
|
||||
for(i=0; i<d->count + d->rrsig_count; i++) {
|
||||
if(!packed_rr_to_string(p->rrset, i,
|
||||
0, s, slen)) {
|
||||
if(!ssl_printf(ssl, "BADRR\n"))
|
||||
if(!ssl_printf(ssl, "BADRR\n")) {
|
||||
lock_rw_unlock(&z->lock);
|
||||
lock_rw_unlock(&zones->lock);
|
||||
return;
|
||||
}
|
||||
}
|
||||
if(!ssl_printf(ssl, "%s\n", s))
|
||||
if(!ssl_printf(ssl, "%s\n", s)) {
|
||||
lock_rw_unlock(&z->lock);
|
||||
lock_rw_unlock(&zones->lock);
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1,3 +1,92 @@
|
||||
28 September 2015: Wouter
|
||||
- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
|
||||
failures.
|
||||
- tag for 1.5.5rc1 release.
|
||||
- makedist.sh: pgp sig echo commands.
|
||||
|
||||
25 September 2015: Wouter
|
||||
- Fix unbound-control flush that does not succeed in removing data.
|
||||
|
||||
22 September 2015: Wouter
|
||||
- Fix config globbed include chroot treatment, this fixes reload of
|
||||
globs (patch from Dag-Erling Smørgrav).
|
||||
- iana portlist update.
|
||||
- Fix #702: New IPs for for h.root-servers.net.
|
||||
- Remove confusion comment from canonical_compare() function.
|
||||
- Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
|
||||
- testbound selftest also works in non-debug mode.
|
||||
- Fix minor error in unbound.conf.5.in
|
||||
- Fix unbound.conf(5) access-control description for precedence
|
||||
and default.
|
||||
|
||||
31 August 2015: Wouter
|
||||
- changed windows setup compression to be more transparent.
|
||||
|
||||
28 August 2015: Wouter
|
||||
- Fix #697: Get PY_MAJOR_VERSION failure at configure for python
|
||||
2.4 to 2.6.
|
||||
- Feature #699: --enable-pie option to that builds PIE binary.
|
||||
- Feature #700: --enable-relro-now option that enables full read-only
|
||||
relocation.
|
||||
|
||||
24 August 2015: Wouter
|
||||
- Fix deadlock for local data add and zone add when unbound-control
|
||||
list_local_data printout is interrupted.
|
||||
- iana portlist update.
|
||||
- Change default of harden-algo-downgrade to off. This is lenient
|
||||
for algorithm rollover.
|
||||
|
||||
13 August 2015: Wouter
|
||||
- 5011 implementation does not insist on all algorithms, when
|
||||
harden-algo-downgrade is turned off.
|
||||
- Reap the child process that libunbound spawns.
|
||||
|
||||
11 August 2015: Wouter
|
||||
- Fix #694: configure script does not detect LibreSSL 2.2.2
|
||||
|
||||
4 August 2015: Wouter
|
||||
- Document that local-zone nodefault matches exactly and transparent
|
||||
can be used to release a subzone.
|
||||
|
||||
3 August 2015: Wouter
|
||||
- Document in the manual more text about configuring locally served
|
||||
zones.
|
||||
- Fix 5011 anchor update timer after reload.
|
||||
- Fix mktime in unbound-anchor not using UTC.
|
||||
|
||||
30 July 2015: Wouter
|
||||
- please afl-gcc (llvm) for uninitialised variable warning.
|
||||
- Added permit-small-holddown config to debug fast 5011 rollover.
|
||||
|
||||
24 July 2015: Wouter
|
||||
- Fix #690: Reload fails when so-reuseport is yes after changing
|
||||
num-threads.
|
||||
- iana portlist update.
|
||||
|
||||
21 July 2015: Wouter
|
||||
- Fix configure to detect SSL_CTX_set_ecdh_auto.
|
||||
- iana portlist update.
|
||||
|
||||
20 July 2015: Wouter
|
||||
- Enable ECDHE for servers. Where available, use
|
||||
SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
|
||||
enable ECDHE. Otherwise, manually offer curve p256.
|
||||
Client connections should automatically use ECDHE when available.
|
||||
(thanks Daniel Kahn Gillmor)
|
||||
|
||||
18 July 2015: Willem
|
||||
- Allow certificate chain files to allow for intermediate certificates.
|
||||
(thanks Daniel Kahn Gillmor)
|
||||
|
||||
13 July 2015: Wouter
|
||||
- makedist produces sha1 and sha256 files for created binaries too.
|
||||
|
||||
9 July 2015: Wouter
|
||||
- 1.5.4 release tag
|
||||
- trunk has 1.5.5 in development.
|
||||
- Fix #681: Setting forwarders with unbound-control forward
|
||||
implicitly turns on forward-first.
|
||||
|
||||
29 June 2015: Wouter
|
||||
- iana portlist update.
|
||||
- Fix alloc with log for allocation size checks.
|
||||
|
@ -1,4 +1,4 @@
|
||||
README for Unbound 1.5.4
|
||||
README for Unbound 1.5.5
|
||||
Copyright 2007 NLnet Labs
|
||||
http://unbound.net
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.5.4.
|
||||
# See unbound.conf(5) man page, version 1.5.5.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
@ -294,7 +294,7 @@ server:
|
||||
# Harden against algorithm downgrade when multiple algorithms are
|
||||
# advertised in the DS record. If no, allows the weakest algorithm
|
||||
# to validate the zone.
|
||||
# harden-algo-downgrade: yes
|
||||
# harden-algo-downgrade: no
|
||||
|
||||
# Use 0x20-encoded random bits in the query to foil spoof attempts.
|
||||
# This feature is an experimental implementation of draft dns-0x20.
|
||||
@ -444,6 +444,9 @@ server:
|
||||
# If the value 0 is given, missing anchors are not removed.
|
||||
# keep-missing: 31622400 # 366 days
|
||||
|
||||
# debug option that allows very small holddown times for key rollover
|
||||
# permit-small-holddown: no
|
||||
|
||||
# the amount of memory to use for the key cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# key-cache-size: 4m
|
||||
@ -623,6 +626,8 @@ remote-control:
|
||||
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
|
||||
# the list is treated as priming hints (default is no).
|
||||
# With stub-first yes, it attempts without the stub if it fails.
|
||||
# Consider adding domain-insecure: name and local-zone: name nodefault
|
||||
# to the server: section if the stub is a locally served zone.
|
||||
# stub-zone:
|
||||
# name: "example.com"
|
||||
# stub-addr: 192.0.2.68
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.5.4.
|
||||
# See unbound.conf(5) man page, version 1.5.5.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
@ -294,7 +294,7 @@ server:
|
||||
# Harden against algorithm downgrade when multiple algorithms are
|
||||
# advertised in the DS record. If no, allows the weakest algorithm
|
||||
# to validate the zone.
|
||||
# harden-algo-downgrade: yes
|
||||
# harden-algo-downgrade: no
|
||||
|
||||
# Use 0x20-encoded random bits in the query to foil spoof attempts.
|
||||
# This feature is an experimental implementation of draft dns-0x20.
|
||||
@ -444,6 +444,9 @@ server:
|
||||
# If the value 0 is given, missing anchors are not removed.
|
||||
# keep-missing: 31622400 # 366 days
|
||||
|
||||
# debug option that allows very small holddown times for key rollover
|
||||
# permit-small-holddown: no
|
||||
|
||||
# the amount of memory to use for the key cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# key-cache-size: 4m
|
||||
@ -623,6 +626,8 @@ remote-control:
|
||||
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
|
||||
# the list is treated as priming hints (default is no).
|
||||
# With stub-first yes, it attempts without the stub if it fails.
|
||||
# Consider adding domain-insecure: name and local-zone: name nodefault
|
||||
# to the server: section if the stub is a locally served zone.
|
||||
# stub-zone:
|
||||
# name: "example.com"
|
||||
# stub-addr: 192.0.2.68
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "libunbound" "3" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "libunbound" "3" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
@ -42,7 +42,7 @@
|
||||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.5.4 functions.
|
||||
\- Unbound DNS validating resolver 1.5.5 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "libunbound" "3" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "libunbound" "3" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
@ -42,7 +42,7 @@
|
||||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.5.4 functions.
|
||||
\- Unbound DNS validating resolver 1.5.5 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-anchor" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "unbound-anchor" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-anchor" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "unbound-anchor" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-checkconf" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "unbound-checkconf" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-checkconf" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "unbound-checkconf" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-control" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "unbound-control" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" unbound-control.8 -- unbound remote control manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-control" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "unbound-control" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" unbound-control.8 -- unbound remote control manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound\-host" "1" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "unbound\-host" "1" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound\-host" "1" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "unbound\-host" "1" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "unbound" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.5.4.
|
||||
\- Unbound DNS validating resolver 1.5.5.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "unbound" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.5.4.
|
||||
\- Unbound DNS validating resolver 1.5.5.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound.conf" "5" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "unbound.conf" "5" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" unbound.conf.5 -- unbound.conf manual
|
||||
.\"
|
||||
@ -296,7 +296,7 @@ trust (very large) TTL values.
|
||||
.TP
|
||||
.B cache\-min\-ttl: \fI<seconds>
|
||||
Time to live minimum for RRsets and messages in the cache. Default is 0.
|
||||
If the the minimum kicks in, the data is cached for longer than the domain
|
||||
If the minimum kicks in, the data is cached for longer than the domain
|
||||
owner intended, and thus less queries are made to look up the data.
|
||||
Zero makes sure the data in the cache is as the domain owner intended,
|
||||
higher values, especially more than an hour or so, can lead to trouble as
|
||||
@ -373,6 +373,7 @@ a daemon. Default is yes.
|
||||
The netblock is given as an IP4 or IP6 address with /size appended for a
|
||||
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||
\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
|
||||
The most specific netblock match is used, if none match \fIdeny\fR is used.
|
||||
.IP
|
||||
The action \fIdeny\fR stops queries from hosts from that netblock.
|
||||
.IP
|
||||
@ -567,7 +568,7 @@ to increase the max depth that is checked to.
|
||||
.B harden\-algo\-downgrade: \fI<yes or no>
|
||||
Harden against algorithm downgrade when multiple algorithms are
|
||||
advertised in the DS record. If no, allows the weakest algorithm to
|
||||
validate the zone. Default is yes. Zone signers must produce zones
|
||||
validate the zone. Default is no. Zone signers must produce zones
|
||||
that allow this feature to work, but sometimes they do not, and turning
|
||||
this option off avoids that validation failure.
|
||||
.TP
|
||||
@ -801,6 +802,10 @@ mechanism work with zones that perform regular (non\-5011) rollovers.
|
||||
The default is 366 days. The value 0 does not remove missing anchors,
|
||||
as per the RFC.
|
||||
.TP
|
||||
.B permit\-small\-holddown: \fI<yes or no>
|
||||
Debug option that allows the autotrust 5011 rollover timers to assume
|
||||
very small values. Default is no.
|
||||
.TP
|
||||
.B key\-cache\-size: \fI<number>
|
||||
Number of bytes size of the key cache. Default is 4 megabytes.
|
||||
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
|
||||
@ -895,7 +900,8 @@ infected machines without answering the queries.
|
||||
Used to turn off default contents for AS112 zones. The other types
|
||||
also turn off default contents for the zone. The 'nodefault' option
|
||||
has no other effect than turning off default contents for the
|
||||
given zone.
|
||||
given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
|
||||
use a subzone, use \fItransparent\fR.
|
||||
.P
|
||||
The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
|
||||
zones. The AS112 zones are reverse DNS zones for private use and reserved
|
||||
@ -1124,6 +1130,12 @@ bit on replies for the private zone (authoritative servers do not set the
|
||||
AD bit). This setup makes unbound capable of answering queries for the
|
||||
private zone, and can even set the AD bit ('authentic'), but the AA
|
||||
('authoritative') bit is not set on these replies.
|
||||
.P
|
||||
Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
|
||||
for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
|
||||
served zone. The insecure clause stops DNSSEC from invalidating the
|
||||
zone. The local zone nodefault (or \fItransparent\fR) clause makes the
|
||||
(reverse\-) zone bypass unbound's filtering of RFC1918 zones.
|
||||
.TP
|
||||
.B name: \fI<domain name>
|
||||
Name of the stub zone.
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound.conf" "5" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
|
||||
.TH "unbound.conf" "5" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
|
||||
.\"
|
||||
.\" unbound.conf.5 -- unbound.conf manual
|
||||
.\"
|
||||
@ -296,7 +296,7 @@ trust (very large) TTL values.
|
||||
.TP
|
||||
.B cache\-min\-ttl: \fI<seconds>
|
||||
Time to live minimum for RRsets and messages in the cache. Default is 0.
|
||||
If the the minimum kicks in, the data is cached for longer than the domain
|
||||
If the minimum kicks in, the data is cached for longer than the domain
|
||||
owner intended, and thus less queries are made to look up the data.
|
||||
Zero makes sure the data in the cache is as the domain owner intended,
|
||||
higher values, especially more than an hour or so, can lead to trouble as
|
||||
@ -373,6 +373,7 @@ a daemon. Default is yes.
|
||||
The netblock is given as an IP4 or IP6 address with /size appended for a
|
||||
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||
\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
|
||||
The most specific netblock match is used, if none match \fIdeny\fR is used.
|
||||
.IP
|
||||
The action \fIdeny\fR stops queries from hosts from that netblock.
|
||||
.IP
|
||||
@ -567,7 +568,7 @@ to increase the max depth that is checked to.
|
||||
.B harden\-algo\-downgrade: \fI<yes or no>
|
||||
Harden against algorithm downgrade when multiple algorithms are
|
||||
advertised in the DS record. If no, allows the weakest algorithm to
|
||||
validate the zone. Default is yes. Zone signers must produce zones
|
||||
validate the zone. Default is no. Zone signers must produce zones
|
||||
that allow this feature to work, but sometimes they do not, and turning
|
||||
this option off avoids that validation failure.
|
||||
.TP
|
||||
@ -801,6 +802,10 @@ mechanism work with zones that perform regular (non\-5011) rollovers.
|
||||
The default is 366 days. The value 0 does not remove missing anchors,
|
||||
as per the RFC.
|
||||
.TP
|
||||
.B permit\-small\-holddown: \fI<yes or no>
|
||||
Debug option that allows the autotrust 5011 rollover timers to assume
|
||||
very small values. Default is no.
|
||||
.TP
|
||||
.B key\-cache\-size: \fI<number>
|
||||
Number of bytes size of the key cache. Default is 4 megabytes.
|
||||
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
|
||||
@ -895,7 +900,8 @@ infected machines without answering the queries.
|
||||
Used to turn off default contents for AS112 zones. The other types
|
||||
also turn off default contents for the zone. The 'nodefault' option
|
||||
has no other effect than turning off default contents for the
|
||||
given zone.
|
||||
given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
|
||||
use a subzone, use \fItransparent\fR.
|
||||
.P
|
||||
The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
|
||||
zones. The AS112 zones are reverse DNS zones for private use and reserved
|
||||
@ -1124,6 +1130,12 @@ bit on replies for the private zone (authoritative servers do not set the
|
||||
AD bit). This setup makes unbound capable of answering queries for the
|
||||
private zone, and can even set the AD bit ('authentic'), but the AA
|
||||
('authoritative') bit is not set on these replies.
|
||||
.P
|
||||
Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
|
||||
for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
|
||||
served zone. The insecure clause stops DNSSEC from invalidating the
|
||||
zone. The local zone nodefault (or \fItransparent\fR) clause makes the
|
||||
(reverse\-) zone bypass unbound's filtering of RFC1918 zones.
|
||||
.TP
|
||||
.B name: \fI<domain name>
|
||||
Name of the stub zone.
|
||||
|
@ -135,7 +135,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
|
||||
if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
|
||||
if(!ah(dp, "F.ROOT-SERVERS.NET.", "192.5.5.241")) goto failed;
|
||||
if(!ah(dp, "G.ROOT-SERVERS.NET.", "192.112.36.4")) goto failed;
|
||||
if(!ah(dp, "H.ROOT-SERVERS.NET.", "128.63.2.53")) goto failed;
|
||||
if(!ah(dp, "H.ROOT-SERVERS.NET.", "198.97.190.53")) goto failed;
|
||||
if(!ah(dp, "I.ROOT-SERVERS.NET.", "192.36.148.17")) goto failed;
|
||||
if(!ah(dp, "J.ROOT-SERVERS.NET.", "192.58.128.30")) goto failed;
|
||||
if(!ah(dp, "K.ROOT-SERVERS.NET.", "193.0.14.129")) goto failed;
|
||||
@ -148,7 +148,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
|
||||
if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
|
||||
if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
|
||||
if(!ah(dp, "F.ROOT-SERVERS.NET.", "2001:500:2f::f")) goto failed;
|
||||
if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::803f:235")) goto failed;
|
||||
if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::53")) goto failed;
|
||||
if(!ah(dp, "I.ROOT-SERVERS.NET.", "2001:7fe::53")) goto failed;
|
||||
if(!ah(dp, "J.ROOT-SERVERS.NET.", "2001:503:c27::2:30")) goto failed;
|
||||
if(!ah(dp, "K.ROOT-SERVERS.NET.", "2001:7fd::1")) goto failed;
|
||||
|
@ -54,7 +54,7 @@ struct iter_priv;
|
||||
struct rbtree_t;
|
||||
|
||||
/** max number of targets spawned for a query and its subqueries */
|
||||
#define MAX_TARGET_COUNT 32
|
||||
#define MAX_TARGET_COUNT 64
|
||||
/** max number of query restarts. Determines max number of CNAME chain. */
|
||||
#define MAX_RESTART_COUNT 8
|
||||
/** max number of referrals. Makes sure resolver does not run away */
|
||||
|
@ -65,6 +65,9 @@
|
||||
#ifdef HAVE_PTHREAD
|
||||
#include <signal.h>
|
||||
#endif
|
||||
#ifdef HAVE_SYS_WAIT_H
|
||||
#include <sys/wait.h>
|
||||
#endif
|
||||
|
||||
#if defined(UB_ON_WINDOWS) && defined (HAVE_WINDOWS_H)
|
||||
#include <windows.h>
|
||||
@ -218,6 +221,12 @@ static void ub_stop_bg(struct ub_ctx* ctx)
|
||||
ub_thread_join(ctx->bg_tid);
|
||||
} else {
|
||||
lock_basic_unlock(&ctx->cfglock);
|
||||
#ifndef UB_ON_WINDOWS
|
||||
if(waitpid(ctx->bg_pid, NULL, 0) == -1) {
|
||||
if(verbosity > 2)
|
||||
log_err("waitpid: %s", strerror(errno));
|
||||
}
|
||||
#endif
|
||||
}
|
||||
}
|
||||
else {
|
||||
@ -946,7 +955,7 @@ ub_ctx_resolvconf(struct ub_ctx* ctx, const char* fname)
|
||||
while (ptr) {
|
||||
numserv++;
|
||||
if((retval=ub_ctx_set_fwd(ctx,
|
||||
ptr->IpAddress.String)!=0)) {
|
||||
ptr->IpAddress.String))!=0) {
|
||||
free(info);
|
||||
return retval;
|
||||
}
|
||||
|
@ -342,7 +342,7 @@ enum sldns_enum_rdf_type
|
||||
|
||||
/** A <character-string> encoding of the value field as specified
|
||||
* [RFC1035], Section 5.1., encoded as remaining rdata.
|
||||
* For CAA.
|
||||
* For CAA, URI.
|
||||
*/
|
||||
LDNS_RDF_TYPE_LONG_STR,
|
||||
|
||||
|
@ -117,6 +117,7 @@
|
||||
#include "config.h"
|
||||
#include "libunbound/unbound.h"
|
||||
#include "sldns/rrdef.h"
|
||||
#include "sldns/parseutil.h"
|
||||
#include <expat.h>
|
||||
#ifndef HAVE_EXPAT_H
|
||||
#error "need libexpat to parse root-anchors.xml file."
|
||||
@ -1328,7 +1329,7 @@ xml_convertdate(const char* str)
|
||||
/* but ignore, (lenient) */
|
||||
}
|
||||
|
||||
t = mktime(&tm);
|
||||
t = sldns_mktime_from_utc(&tm);
|
||||
if(t == (time_t)-1) {
|
||||
if(verb) printf("xml_convertdate mktime failure\n");
|
||||
return 0;
|
||||
|
@ -161,7 +161,7 @@ setup_ctx(struct config_file* cfg)
|
||||
if(cfg->remote_control_use_cert) {
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
|
||||
ssl_err("could not set SSL_OP_NO_SSLv3");
|
||||
if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
|
||||
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
|
||||
!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
|
||||
|| !SSL_CTX_check_private_key(ctx))
|
||||
ssl_err("Error setting up SSL_CTX client key and cert");
|
||||
|
@ -70,6 +70,8 @@
|
||||
uid_t cfg_uid = (uid_t)-1;
|
||||
/** from cfg username, after daemonise setup performed */
|
||||
gid_t cfg_gid = (gid_t)-1;
|
||||
/** for debug allow small timeout values for fast rollovers */
|
||||
int autr_permit_small_holddown = 0;
|
||||
|
||||
/** global config during parsing */
|
||||
struct config_parser_state* cfg_parser = 0;
|
||||
@ -172,7 +174,7 @@ config_create(void)
|
||||
cfg->harden_dnssec_stripped = 1;
|
||||
cfg->harden_below_nxdomain = 0;
|
||||
cfg->harden_referral_path = 0;
|
||||
cfg->harden_algo_downgrade = 1;
|
||||
cfg->harden_algo_downgrade = 0;
|
||||
cfg->use_caps_bits_for_id = 0;
|
||||
cfg->caps_whitelist = NULL;
|
||||
cfg->private_address = NULL;
|
||||
@ -200,6 +202,7 @@ config_create(void)
|
||||
cfg->add_holddown = 30*24*3600;
|
||||
cfg->del_holddown = 30*24*3600;
|
||||
cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */
|
||||
cfg->permit_small_holddown = 0;
|
||||
cfg->key_cache_size = 4 * 1024 * 1024;
|
||||
cfg->key_cache_slabs = 4;
|
||||
cfg->neg_cache_size = 1 * 1024 * 1024;
|
||||
@ -444,6 +447,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown)
|
||||
else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown)
|
||||
else S_UNSIGNED_OR_ZERO("keep-missing:", keep_missing)
|
||||
else if(strcmp(opt, "permit-small-holddown:") == 0)
|
||||
{ IS_YES_OR_NO; cfg->permit_small_holddown = (strcmp(val, "yes") == 0);
|
||||
autr_permit_small_holddown = cfg->permit_small_holddown; }
|
||||
else S_MEMSIZE("key-cache-size:", key_cache_size)
|
||||
else S_POW2("key-cache-slabs:", key_cache_slabs)
|
||||
else S_MEMSIZE("neg-cache-size:", neg_cache_size)
|
||||
@ -705,6 +711,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_UNS(opt, "add-holddown", add_holddown)
|
||||
else O_UNS(opt, "del-holddown", del_holddown)
|
||||
else O_UNS(opt, "keep-missing", keep_missing)
|
||||
else O_YNO(opt, "permit-small-holddown", permit_small_holddown)
|
||||
else O_MEM(opt, "key-cache-size", key_cache_size)
|
||||
else O_DEC(opt, "key-cache-slabs", key_cache_slabs)
|
||||
else O_MEM(opt, "neg-cache-size", neg_cache_size)
|
||||
@ -1243,6 +1250,7 @@ config_apply(struct config_file* config)
|
||||
MINIMAL_RESPONSES = config->minimal_responses;
|
||||
RRSET_ROUNDROBIN = config->rrset_roundrobin;
|
||||
log_set_time_asc(config->log_time_ascii);
|
||||
autr_permit_small_holddown = config->permit_small_holddown;
|
||||
}
|
||||
|
||||
void config_lookup_uid(struct config_file* cfg)
|
||||
|
@ -269,6 +269,8 @@ struct config_file {
|
||||
unsigned int del_holddown;
|
||||
/** autotrust keep_missing time, in seconds. 0 is forever. */
|
||||
unsigned int keep_missing;
|
||||
/** permit small holddown values, allowing 5011 rollover very fast */
|
||||
int permit_small_holddown;
|
||||
|
||||
/** size of the key cache */
|
||||
size_t key_cache_size;
|
||||
@ -368,6 +370,8 @@ struct config_file {
|
||||
extern uid_t cfg_uid;
|
||||
/** from cfg username, after daemonise setup performed */
|
||||
extern gid_t cfg_gid;
|
||||
/** debug and enable small timeouts */
|
||||
extern int autr_permit_small_holddown;
|
||||
|
||||
/**
|
||||
* Stub config options
|
||||
|
@ -312,6 +312,7 @@ val-nsec3-keysize-iterations{COLON} {
|
||||
add-holddown{COLON} { YDVAR(1, VAR_ADD_HOLDDOWN) }
|
||||
del-holddown{COLON} { YDVAR(1, VAR_DEL_HOLDDOWN) }
|
||||
keep-missing{COLON} { YDVAR(1, VAR_KEEP_MISSING) }
|
||||
permit-small-holddown{COLON} { YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) }
|
||||
use-syslog{COLON} { YDVAR(1, VAR_USE_SYSLOG) }
|
||||
log-time-ascii{COLON} { YDVAR(1, VAR_LOG_TIME_ASCII) }
|
||||
log-queries{COLON} { YDVAR(1, VAR_LOG_QUERIES) }
|
||||
|
@ -121,7 +121,7 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
|
||||
%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
|
||||
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
|
||||
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL
|
||||
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
|
||||
|
||||
%%
|
||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||
@ -185,7 +185,8 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_ip_transparent | server_ratelimit | server_ratelimit_slabs |
|
||||
server_ratelimit_size | server_ratelimit_for_domain |
|
||||
server_ratelimit_below_domain | server_ratelimit_factor |
|
||||
server_caps_whitelist | server_cache_max_negative_ttl
|
||||
server_caps_whitelist | server_cache_max_negative_ttl |
|
||||
server_permit_small_holddown
|
||||
;
|
||||
stubstart: VAR_STUB_ZONE
|
||||
{
|
||||
@ -1125,6 +1126,15 @@ server_keep_missing: VAR_KEEP_MISSING STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_permit_small_holddown: VAR_PERMIT_SMALL_HOLDDOWN STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_permit_small_holddown:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->permit_small_holddown =
|
||||
(strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
server_key_cache_size: VAR_KEY_CACHE_SIZE STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_key_cache_size:%s)\n", $2));
|
||||
|
@ -283,7 +283,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
|
||||
size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
|
||||
{
|
||||
struct compress_tree_node* p;
|
||||
struct compress_tree_node** insertpt;
|
||||
struct compress_tree_node** insertpt = NULL;
|
||||
if(!*owner_ptr) {
|
||||
/* compress first time dname */
|
||||
if((p = compress_tree_lookup(tree, key->rk.dname,
|
||||
|
@ -3840,6 +3840,8 @@
|
||||
4404,
|
||||
4405,
|
||||
4406,
|
||||
4412,
|
||||
4413,
|
||||
4425,
|
||||
4426,
|
||||
4430,
|
||||
@ -4666,6 +4668,7 @@
|
||||
7725,
|
||||
7726,
|
||||
7727,
|
||||
7728,
|
||||
7734,
|
||||
7738,
|
||||
7741,
|
||||
@ -4780,6 +4783,7 @@
|
||||
8301,
|
||||
8320,
|
||||
8321,
|
||||
8322,
|
||||
8351,
|
||||
8376,
|
||||
8377,
|
||||
@ -5170,6 +5174,8 @@
|
||||
17220,
|
||||
17221,
|
||||
17222,
|
||||
17224,
|
||||
17225,
|
||||
17234,
|
||||
17235,
|
||||
17500,
|
||||
|
@ -629,9 +629,9 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
|
||||
if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
|
||||
log_err("error for cert file: %s", pem);
|
||||
log_crypto_err("error in SSL_CTX use_certificate_file");
|
||||
log_crypto_err("error in SSL_CTX use_certificate_chain_file");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
@ -647,6 +647,23 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||
if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
|
||||
log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
|
||||
}
|
||||
#elif defined(USE_ECDSA)
|
||||
if(1) {
|
||||
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
|
||||
if (!ecdh) {
|
||||
log_crypto_err("could not find p256, not enabling ECDHE");
|
||||
} else {
|
||||
if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
|
||||
log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
|
||||
}
|
||||
EC_KEY_free (ecdh);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
if(verifypem && verifypem[0]) {
|
||||
if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
|
||||
@ -684,7 +701,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
|
||||
return NULL;
|
||||
}
|
||||
if(key && key[0]) {
|
||||
if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
|
||||
if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
|
||||
log_err("error in client certificate %s", pem);
|
||||
log_crypto_err("error in certificate file");
|
||||
SSL_CTX_free(ctx);
|
||||
|
@ -1225,7 +1225,7 @@ verify_dnskey(struct module_env* env, struct val_env* ve,
|
||||
{
|
||||
char* reason = NULL;
|
||||
uint8_t sigalg[ALGO_NEEDS_MAX+1];
|
||||
int downprot = 1;
|
||||
int downprot = env->cfg->harden_algo_downgrade;
|
||||
enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset,
|
||||
tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason);
|
||||
/* sigalg is ignored, it returns algorithms signalled to exist, but
|
||||
@ -1447,9 +1447,11 @@ set_tp_times(struct trust_anchor* tp, time_t rrsig_exp_interval,
|
||||
if(rrsig_exp_interval/2 < x)
|
||||
x = rrsig_exp_interval/2;
|
||||
/* MAX(1hr, x) */
|
||||
if(x < 3600)
|
||||
tp->autr->query_interval = 3600;
|
||||
else tp->autr->query_interval = x;
|
||||
if(!autr_permit_small_holddown) {
|
||||
if(x < 3600)
|
||||
tp->autr->query_interval = 3600;
|
||||
else tp->autr->query_interval = x;
|
||||
} else tp->autr->query_interval = x;
|
||||
|
||||
/* x= MIN(1day, ttl/10, expire/10) */
|
||||
x = 24 * 3600;
|
||||
@ -1458,9 +1460,11 @@ set_tp_times(struct trust_anchor* tp, time_t rrsig_exp_interval,
|
||||
if(rrsig_exp_interval/10 < x)
|
||||
x = rrsig_exp_interval/10;
|
||||
/* MAX(1hr, x) */
|
||||
if(x < 3600)
|
||||
tp->autr->retry_time = 3600;
|
||||
else tp->autr->retry_time = x;
|
||||
if(!autr_permit_small_holddown) {
|
||||
if(x < 3600)
|
||||
tp->autr->retry_time = 3600;
|
||||
else tp->autr->retry_time = x;
|
||||
} else tp->autr->retry_time = x;
|
||||
|
||||
if(qi != tp->autr->query_interval || rt != tp->autr->retry_time) {
|
||||
*changed = 1;
|
||||
@ -1959,8 +1963,12 @@ calc_next_probe(struct module_env* env, time_t wait)
|
||||
{
|
||||
/* make it random, 90-100% */
|
||||
time_t rnd, rest;
|
||||
if(wait < 3600)
|
||||
wait = 3600;
|
||||
if(!autr_permit_small_holddown) {
|
||||
if(wait < 3600)
|
||||
wait = 3600;
|
||||
} else {
|
||||
if(wait == 0) wait = 1;
|
||||
}
|
||||
rnd = wait/10;
|
||||
rest = wait-rnd;
|
||||
rnd = (time_t)ub_random_max(env->rnd, (long int)rnd);
|
||||
@ -2349,6 +2357,8 @@ todo_probe(struct module_env* env, time_t* next)
|
||||
if( (el=rbtree_first(&env->anchors->autr->probe)) == RBTREE_NULL) {
|
||||
/* in case of revoked anchors */
|
||||
lock_basic_unlock(&env->anchors->lock);
|
||||
/* signal that there are no anchors to probe */
|
||||
*next = 0;
|
||||
return NULL;
|
||||
}
|
||||
tp = (struct trust_anchor*)el->key;
|
||||
@ -2378,6 +2388,7 @@ autr_probe_timer(struct module_env* env)
|
||||
struct trust_anchor* tp;
|
||||
time_t next_probe = 3600;
|
||||
int num = 0;
|
||||
if(autr_permit_small_holddown) next_probe = 1;
|
||||
verbose(VERB_ALGO, "autotrust probe timer callback");
|
||||
/* while there are still anchors to probe */
|
||||
while( (tp = todo_probe(env, &next_probe)) ) {
|
||||
@ -2386,7 +2397,7 @@ autr_probe_timer(struct module_env* env)
|
||||
num++;
|
||||
}
|
||||
regional_free_all(env->scratch);
|
||||
if(num == 0)
|
||||
if(next_probe == 0)
|
||||
return 0; /* no trust points to probe */
|
||||
verbose(VERB_ALGO, "autotrust probe timer %d callbacks done", num);
|
||||
return next_probe;
|
||||
|
@ -795,10 +795,6 @@ canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j)
|
||||
|
||||
if(i==j)
|
||||
return 0;
|
||||
/* in case rdata-len is to be compared for canonical order
|
||||
c = memcmp(d->rr_data[i], d->rr_data[j], 2);
|
||||
if(c != 0)
|
||||
return c; */
|
||||
|
||||
switch(type) {
|
||||
/* These RR types have only a name as RDATA.
|
||||
|
@ -2769,7 +2769,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
vq->state = VAL_VALIDATE_STATE;
|
||||
return;
|
||||
}
|
||||
downprot = 1;
|
||||
downprot = qstate->env->cfg->harden_algo_downgrade;
|
||||
vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
|
||||
ve, dnskey, vq->ds_rrset, downprot, &reason);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user