d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Upgrade to Unbound 1.5.10.

Browse Source
This commit is contained in:
des 2016-09-29 18:24:29 +00:00
commit 8443fee657
99 changed files with 5537 additions and 342 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
contrib/unbound/Makefile.in
View File

@ -81,7 +81,7 @@ LINTFLAGS+=@NETBSD_LINTFLAGS@
# compat with OpenBSD
LINTFLAGS+="-Dsigset_t=long"
# FreeBSD
LINTFLAGS+="-D__uint16_t=uint16_t" "-DEVP_PKEY_ASN1_METHOD=int" "-D_RuneLocale=int" "-D__va_list=va_list"
LINTFLAGS+="-D__uint16_t=uint16_t" "-DEVP_PKEY_ASN1_METHOD=int" "-D_RuneLocale=int" "-D__va_list=va_list" "-D__uint32_t=uint32_t"
INSTALL=$(SHELL) $(srcdir)/install-sh
@ -228,7 +228,7 @@ SVCUNINST_OBJ_LINK=$(SVCUNINST_OBJ) w_inst.lo rsrc_svcuninst.o \
$(COMPAT_OBJ_WITHOUT_CTIMEARC4)
ANCHORUPD_SRC=winrc/anchor-update.c
ANCHORUPD_OBJ=anchor-update.lo
ANCHORUPD_OBJ_LINK=$(ANCHORUPD_OBJ) rsrc_anchorupd.o $(COMPAT_OBJ_WITHOUT_CTIMEARC4)
ANCHORUPD_OBJ_LINK=$(ANCHORUPD_OBJ) rsrc_anchorupd.o $(COMPAT_OBJ_WITHOUT_CTIMEARC4) wire2str.lo str2wire.lo parseutil.lo sbuffer.lo rrdef.lo keyraw.lo parse.lo
RSRC_OBJ=rsrc_svcinst.o rsrc_svcuninst.o rsrc_anchorupd.o rsrc_unbound.o \
rsrc_unbound_host.o rsrc_unbound_anchor.o rsrc_unbound_control.o \
rsrc_unbound_checkconf.o
@ -704,11 +704,12 @@ listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h
$(srcdir)/util/rbtree.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \
$(srcdir)/util/net_help.h $(srcdir)/sldns/sbuffer.h
localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/as112.h
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h \
$(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h \
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/util/as112.h
mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
@ -759,7 +760,7 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
$(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
$(srcdir)/services/localzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \
@ -956,7 +957,8 @@ unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/lo
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h $(srcdir)/util/locks.h \
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
$(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
@ -1063,7 +1065,8 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
$(srcdir)/libunbound/libworker.h
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h $(srcdir)/util/locks.h \
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
@ -1134,8 +1137,8 @@ context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbou
$(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/sldns/sbuffer.h
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/sldns/sbuffer.h
libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \
$(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
@ -1143,7 +1146,7 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
$(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h \
$(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h \
$(srcdir)/services/localzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/sldns/sbuffer.h
libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
@ -1153,11 +1156,12 @@ libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/li
$(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
$(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h \
$(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h
$(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
$(srcdir)/sldns/str2wire.h
unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
@ -1225,7 +1229,6 @@ snprintf.lo snprintf.o: $(srcdir)/compat/snprintf.c config.h
strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
strsep.lo strsep.o: $(srcdir)/compat/strsep.c config.h
getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
@ -1237,3 +1240,4 @@ arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c config.h $(srcdir)/util/l
sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h
reallocarray.lo reallocarray.o: $(srcdir)/compat/reallocarray.c config.h
isblank.lo isblank.o: $(srcdir)/compat/isblank.c config.h
strsep.lo strsep.o: $(srcdir)/compat/strsep.c config.h

2
contrib/unbound/acx_python.m4
View File

@ -54,7 +54,7 @@ $ac_distutils_result])
AC_MSG_CHECKING([for Python library path])
if test -z "$PYTHON_LDFLAGS"; then
PYTHON_LDFLAGS=`$PYTHON -c "from distutils.sysconfig import *; \
print(get_config_var('BLDLIBRARY'));"`
print('-L'+get_config_var('LIBDIR')+' -L'+get_config_var('LIBDEST')+' '+get_config_var('BLDLIBRARY'));"`
fi
AC_MSG_RESULT([$PYTHON_LDFLAGS])
AC_SUBST([PYTHON_LDFLAGS])

3
contrib/unbound/compat/arc4random.c
View File

@ -48,6 +48,9 @@
#else /* !__GNUC__ */
#define inline
#endif /* !__GNUC__ */
#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif
#define KEYSZ 32
#define IVSZ 8

3
contrib/unbound/compat/getentropy_linux.c
View File

@ -60,6 +60,9 @@
#include <sys/auxv.h>
#endif
#include <sys/vfs.h>
#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif
#define REPEAT 5
#define min(a, b) (((a) < (b)) ? (a) : (b))

57
contrib/unbound/config.h
View File

@ -52,6 +52,9 @@
/* Define to 1 if you have the `chroot' function. */
#define HAVE_CHROOT 1
/* Define to 1 if you have the `CRYPTO_cleanup_all_ex_data' function. */
#define HAVE_CRYPTO_CLEANUP_ALL_EX_DATA 1
/* Define to 1 if you have the `ctime_r' function. */
#define HAVE_CTIME_R 1
@ -111,9 +114,18 @@
/* Define to 1 if you have the `endprotoent' function. */
#define HAVE_ENDPROTOENT 1
/* Define to 1 if you have the `endpwent' function. */
#define HAVE_ENDPWENT 1
/* Define to 1 if you have the `endservent' function. */
#define HAVE_ENDSERVENT 1
/* Define to 1 if you have the `ERR_free_strings' function. */
#define HAVE_ERR_FREE_STRINGS 1
/* Define to 1 if you have the `ERR_load_crypto_strings' function. */
#define HAVE_ERR_LOAD_CRYPTO_STRINGS 1
/* Define to 1 if you have the `event_base_free' function. */
/* #undef HAVE_EVENT_BASE_FREE */
@ -129,6 +141,9 @@
/* Define to 1 if you have the <event.h> header file. */
/* #undef HAVE_EVENT_H */
/* Define to 1 if you have the `EVP_cleanup' function. */
#define HAVE_EVP_CLEANUP 1
/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
/* #undef HAVE_EVP_MD_CTX_NEW */
@ -255,24 +270,48 @@
/* Use libnettle for crypto */
/* #undef HAVE_NETTLE */
/* Define to 1 if you have the <nettle/dsa-compat.h> header file. */
/* #undef HAVE_NETTLE_DSA_COMPAT_H */
/* Use libnss for crypto */
/* #undef HAVE_NSS */
/* Define to 1 if you have the `OpenSSL_add_all_digests' function. */
#define HAVE_OPENSSL_ADD_ALL_DIGESTS 1
/* Define to 1 if you have the <openssl/bn.h> header file. */
#define HAVE_OPENSSL_BN_H 1
/* Define to 1 if you have the `OPENSSL_config' function. */
#define HAVE_OPENSSL_CONFIG 1
/* Define to 1 if you have the <openssl/conf.h> header file. */
#define HAVE_OPENSSL_CONF_H 1
/* Define to 1 if you have the <openssl/dh.h> header file. */
#define HAVE_OPENSSL_DH_H 1
/* Define to 1 if you have the <openssl/dsa.h> header file. */
#define HAVE_OPENSSL_DSA_H 1
/* Define to 1 if you have the <openssl/engine.h> header file. */
#define HAVE_OPENSSL_ENGINE_H 1
/* Define to 1 if you have the <openssl/err.h> header file. */
#define HAVE_OPENSSL_ERR_H 1
/* Define to 1 if you have the `OPENSSL_init_crypto' function. */
/* #undef HAVE_OPENSSL_INIT_CRYPTO */
/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
/* #undef HAVE_OPENSSL_INIT_SSL */
/* Define to 1 if you have the <openssl/rand.h> header file. */
#define HAVE_OPENSSL_RAND_H 1
/* Define to 1 if you have the <openssl/rsa.h> header file. */
#define HAVE_OPENSSL_RSA_H 1
/* Define to 1 if you have the <openssl/ssl.h> header file. */
#define HAVE_OPENSSL_SSL_H 1
@ -297,6 +336,9 @@
/* Define to 1 if you have the `random' function. */
#define HAVE_RANDOM 1
/* Define to 1 if you have the `RAND_cleanup' function. */
#define HAVE_RAND_CLEANUP 1
/* Define to 1 if you have the `reallocarray' function. */
#define HAVE_REALLOCARRAY 1
@ -524,7 +566,7 @@
#define PACKAGE_NAME "unbound"
/* Define to the full name and version of this package. */
#define PACKAGE_STRING "unbound 1.5.9"
#define PACKAGE_STRING "unbound 1.5.10"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "unbound"
@ -533,7 +575,7 @@
#define PACKAGE_URL ""
/* Define to the version of this package. */
#define PACKAGE_VERSION "1.5.9"
#define PACKAGE_VERSION "1.5.10"
/* default pidfile location */
#define PIDFILE "/var/unbound/unbound.pid"
@ -552,7 +594,7 @@
#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
/* version number for resource files */
#define RSRC_PACKAGE_VERSION 1,5,9,0
#define RSRC_PACKAGE_VERSION 1,5,10,0
/* Directory to chdir to */
#define RUN_DIR "/var/unbound"
@ -611,6 +653,12 @@
/* Define if you want to use internal select based events */
#define USE_MINI_EVENT 1
/* Define this to enable client TCP Fast Open. */
/* #undef USE_MSG_FASTOPEN */
/* Define this to enable client TCP Fast Open. */
/* #undef USE_OSX_MSG_FASTOPEN */
/* Define this to enable SHA256 and SHA512 support. */
#define USE_SHA2 1
@ -636,6 +684,9 @@
#endif
/* Define this to enable server TCP Fast Open. */
/* #undef USE_TCP_FASTOPEN */
/* Whether the windows socket API is used */
/* #undef USE_WINSOCK */

51
contrib/unbound/config.h.in
View File

@ -51,6 +51,9 @@
/* Define to 1 if you have the `chroot' function. */
#undef HAVE_CHROOT
/* Define to 1 if you have the `CRYPTO_cleanup_all_ex_data' function. */
#undef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
/* Define to 1 if you have the `ctime_r' function. */
#undef HAVE_CTIME_R
@ -110,9 +113,18 @@
/* Define to 1 if you have the `endprotoent' function. */
#undef HAVE_ENDPROTOENT
/* Define to 1 if you have the `endpwent' function. */
#undef HAVE_ENDPWENT
/* Define to 1 if you have the `endservent' function. */
#undef HAVE_ENDSERVENT
/* Define to 1 if you have the `ERR_free_strings' function. */
#undef HAVE_ERR_FREE_STRINGS
/* Define to 1 if you have the `ERR_load_crypto_strings' function. */
#undef HAVE_ERR_LOAD_CRYPTO_STRINGS
/* Define to 1 if you have the `event_base_free' function. */
#undef HAVE_EVENT_BASE_FREE
@ -128,6 +140,9 @@
/* Define to 1 if you have the <event.h> header file. */
#undef HAVE_EVENT_H
/* Define to 1 if you have the `EVP_cleanup' function. */
#undef HAVE_EVP_CLEANUP
/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
#undef HAVE_EVP_MD_CTX_NEW
@ -254,24 +269,48 @@
/* Use libnettle for crypto */
#undef HAVE_NETTLE
/* Define to 1 if you have the <nettle/dsa-compat.h> header file. */
#undef HAVE_NETTLE_DSA_COMPAT_H
/* Use libnss for crypto */
#undef HAVE_NSS
/* Define to 1 if you have the `OpenSSL_add_all_digests' function. */
#undef HAVE_OPENSSL_ADD_ALL_DIGESTS
/* Define to 1 if you have the <openssl/bn.h> header file. */
#undef HAVE_OPENSSL_BN_H
/* Define to 1 if you have the `OPENSSL_config' function. */
#undef HAVE_OPENSSL_CONFIG
/* Define to 1 if you have the <openssl/conf.h> header file. */
#undef HAVE_OPENSSL_CONF_H
/* Define to 1 if you have the <openssl/dh.h> header file. */
#undef HAVE_OPENSSL_DH_H
/* Define to 1 if you have the <openssl/dsa.h> header file. */
#undef HAVE_OPENSSL_DSA_H
/* Define to 1 if you have the <openssl/engine.h> header file. */
#undef HAVE_OPENSSL_ENGINE_H
/* Define to 1 if you have the <openssl/err.h> header file. */
#undef HAVE_OPENSSL_ERR_H
/* Define to 1 if you have the `OPENSSL_init_crypto' function. */
#undef HAVE_OPENSSL_INIT_CRYPTO
/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
#undef HAVE_OPENSSL_INIT_SSL
/* Define to 1 if you have the <openssl/rand.h> header file. */
#undef HAVE_OPENSSL_RAND_H
/* Define to 1 if you have the <openssl/rsa.h> header file. */
#undef HAVE_OPENSSL_RSA_H
/* Define to 1 if you have the <openssl/ssl.h> header file. */
#undef HAVE_OPENSSL_SSL_H
@ -296,6 +335,9 @@
/* Define to 1 if you have the `random' function. */
#undef HAVE_RANDOM
/* Define to 1 if you have the `RAND_cleanup' function. */
#undef HAVE_RAND_CLEANUP
/* Define to 1 if you have the `reallocarray' function. */
#undef HAVE_REALLOCARRAY
@ -610,6 +652,12 @@
/* Define if you want to use internal select based events */
#undef USE_MINI_EVENT
/* Define this to enable client TCP Fast Open. */
#undef USE_MSG_FASTOPEN
/* Define this to enable client TCP Fast Open. */
#undef USE_OSX_MSG_FASTOPEN
/* Define this to enable SHA256 and SHA512 support. */
#undef USE_SHA2
@ -635,6 +683,9 @@
#endif
/* Define this to enable server TCP Fast Open. */
#undef USE_TCP_FASTOPEN
/* Whether the windows socket API is used */
#undef USE_WINSOCK

221
contrib/unbound/configure vendored
View File

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.5.9.
# Generated by GNU Autoconf 2.69 for unbound 1.5.10.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
#
@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.5.9'
PACKAGE_STRING='unbound 1.5.9'
PACKAGE_VERSION='1.5.10'
PACKAGE_STRING='unbound 1.5.10'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
PACKAGE_URL=''
@ -834,6 +834,8 @@ enable_gost
enable_ecdsa
enable_dsa
enable_event_api
enable_tfo_client
enable_tfo_server
with_libevent
with_libexpat
enable_static_exe
@ -1399,7 +1401,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.5.9 to adapt to many kinds of systems.
\`configure' configures unbound 1.5.10 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1464,7 +1466,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.5.9:";;
short | recursive ) echo "Configuration of unbound 1.5.10:";;
esac
cat <<\_ACEOF
@ -1500,6 +1502,8 @@ Optional Features:
--disable-dsa Disable DSA support
--enable-event-api Enable (experimental) pluggable event base
libunbound API installed to unbound-event.h
--enable-tfo-client Enable TCP Fast Open for client mode
--enable-tfo-server Enable TCP Fast Open for server mode
--enable-static-exe enable to compile executables statically against
(event) libs, for debug purposes
--enable-lock-checks enable to check lock and unlock calls, for debug
@ -1652,7 +1656,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.5.9
unbound configure 1.5.10
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2361,7 +2365,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by unbound $as_me 1.5.9, which was
It was created by unbound $as_me 1.5.10, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2713,11 +2717,11 @@ UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=5
UNBOUND_VERSION_MICRO=9
UNBOUND_VERSION_MICRO=10
LIBUNBOUND_CURRENT=6
LIBUNBOUND_REVISION=1
LIBUNBOUND_REVISION=2
LIBUNBOUND_AGE=4
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -2766,6 +2770,7 @@ LIBUNBOUND_AGE=4
# 1.5.7 had 5:10:3
# 1.5.8 had 6:0:4 # adds ub_ctx_set_stub
# 1.5.9 had 6:1:4
# 1.5.10 had 6:2:4
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -4054,7 +4059,7 @@ esac
# are we on MinGW?
if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
else
if echo $target | grep mingw32 >/dev/null; then on_mingw="yes"
if echo $host $target | grep mingw32 >/dev/null; then on_mingw="yes"
else on_mingw="no"; fi
fi
@ -4064,7 +4069,7 @@ fi
if test $on_mingw = "no"; then
ub_conf_file=`eval echo "${sysconfdir}/unbound/unbound.conf"`
else
ub_conf_file="C:\\Program Files\\Unbound\\service.conf"
ub_conf_file="C:\\Program Files (x86)\\Unbound\\service.conf"
fi
# Check whether --with-conf_file was given.
@ -4195,7 +4200,7 @@ else
if test $on_mingw = no; then
UNBOUND_ROOTKEY_FILE="$UNBOUND_RUN_DIR/root.key"
else
UNBOUND_ROOTKEY_FILE="C:\\Program Files\\Unbound\\root.key"
UNBOUND_ROOTKEY_FILE="C:\\Program Files (x86)\\Unbound\\root.key"
fi
fi
@ -4217,7 +4222,7 @@ else
if test $on_mingw = no; then
UNBOUND_ROOTCERT_FILE="$UNBOUND_RUN_DIR/icannbundle.pem"
else
UNBOUND_ROOTCERT_FILE="C:\\Program Files\\Unbound\\icannbundle.pem"
UNBOUND_ROOTCERT_FILE="C:\\Program Files (x86)\\Unbound\\icannbundle.pem"
fi
fi
@ -16714,7 +16719,7 @@ $as_echo "$PYTHON_CPPFLAGS" >&6; }
$as_echo_n "checking for Python library path... " >&6; }
if test -z "$PYTHON_LDFLAGS"; then
PYTHON_LDFLAGS=`$PYTHON -c "from distutils.sysconfig import *; \
print(get_config_var('BLDLIBRARY'));"`
print('-L'+get_config_var('LIBDIR')+' -L'+get_config_var('LIBDEST')+' '+get_config_var('BLDLIBRARY'));"`
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON_LDFLAGS" >&5
$as_echo "$PYTHON_LDFLAGS" >&6; }
@ -17033,6 +17038,19 @@ if test "${with_nettle+set}" = set; then :
$as_echo "#define HAVE_NETTLE 1" >>confdefs.h
for ac_header in nettle/dsa-compat.h
do :
ac_fn_c_check_header_compile "$LINENO" "nettle/dsa-compat.h" "ac_cv_header_nettle_dsa_compat_h" "$ac_includes_default
"
if test "x$ac_cv_header_nettle_dsa_compat_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_NETTLE_DSA_COMPAT_H 1
_ACEOF
fi
done
if test "$withval" != "" -a "$withval" != "yes"; then
CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
LDFLAGS="$LDFLAGS -L$withval/lib"
@ -17397,6 +17415,47 @@ fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
SSLLIB="-lssl"
# check if -lcrypt32 is needed because CAPIENG needs that. (on windows)
BAKLIBS="$LIBS"
LIBS="-lssl $LIBS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if libssl needs -lcrypt32" >&5
$as_echo_n "checking if libssl needs -lcrypt32... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char HMAC_Update ();
int
main ()
{
return HMAC_Update ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
LIBS="$BAKLIBS"
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
LIBS="$BAKLIBS"
LIBS="$LIBS -lcrypt32"
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5
$as_echo_n "checking for LibreSSL... " >&6; }
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
@ -17462,33 +17521,21 @@ else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
for ac_header in openssl/conf.h
for ac_header in openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h
do :
ac_fn_c_check_header_compile "$LINENO" "openssl/conf.h" "ac_cv_header_openssl_conf_h" "$ac_includes_default
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
"
if test "x$ac_cv_header_openssl_conf_h" = xyes; then :
if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_OPENSSL_CONF_H 1
#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
_ACEOF
fi
done
for ac_header in openssl/engine.h
do :
ac_fn_c_check_header_compile "$LINENO" "openssl/engine.h" "ac_cv_header_openssl_engine_h" "$ac_includes_default
"
if test "x$ac_cv_header_openssl_engine_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_OPENSSL_ENGINE_H 1
_ACEOF
fi
done
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -17500,6 +17547,23 @@ _ACEOF
fi
done
# these check_funcs need -lssl
BAKLIBS="$LIBS"
LIBS="-lssl $LIBS"
for ac_func in OPENSSL_init_ssl
do :
ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" "ac_cv_func_OPENSSL_init_ssl"
if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_OPENSSL_INIT_SSL 1
_ACEOF
fi
done
LIBS="$BAKLIBS"
ac_fn_c_check_decl "$LINENO" "SSL_COMP_get_compression_methods" "ac_cv_have_decl_SSL_COMP_get_compression_methods" "
$ac_includes_default
#ifdef HAVE_OPENSSL_ERR_H
@ -17900,6 +17964,82 @@ case "$enable_event_api" in
;;
esac
# Check whether --enable-tfo-client was given.
if test "${enable_tfo_client+set}" = set; then :
enableval=$enable_tfo_client;
fi
case "$enable_tfo_client" in
yes)
case `uname` in
Linux) ac_fn_c_check_decl "$LINENO" "MSG_FASTOPEN" "ac_cv_have_decl_MSG_FASTOPEN" "$ac_includes_default
#include <netinet/tcp.h>
"
if test "x$ac_cv_have_decl_MSG_FASTOPEN" = xyes; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO" >&5
$as_echo "$as_me: WARNING: Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO" >&2;}
else
as_fn_error $? "TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client" "$LINENO" 5
fi
cat >>confdefs.h <<_ACEOF
#define USE_MSG_FASTOPEN 1
_ACEOF
;;
Darwin) ac_fn_c_check_decl "$LINENO" "CONNECT_RESUME_ON_READ_WRITE" "ac_cv_have_decl_CONNECT_RESUME_ON_READ_WRITE" "$ac_includes_default
#include <sys/socket.h>
"
if test "x$ac_cv_have_decl_CONNECT_RESUME_ON_READ_WRITE" = xyes; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO" >&5
$as_echo "$as_me: WARNING: Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO" >&2;}
else
as_fn_error $? "TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client" "$LINENO" 5
fi
cat >>confdefs.h <<_ACEOF
#define USE_OSX_MSG_FASTOPEN 1
_ACEOF
;;
esac
;;
no|*)
;;
esac
# Check whether --enable-tfo-server was given.
if test "${enable_tfo_server+set}" = set; then :
enableval=$enable_tfo_server;
fi
case "$enable_tfo_server" in
yes)
ac_fn_c_check_decl "$LINENO" "TCP_FASTOPEN" "ac_cv_have_decl_TCP_FASTOPEN" "$ac_includes_default
#include <netinet/tcp.h>
"
if test "x$ac_cv_have_decl_TCP_FASTOPEN" = xyes; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Check the platform specific TFO kernel parameters are correctly configured to support server mode TFO" >&5
$as_echo "$as_me: WARNING: Check the platform specific TFO kernel parameters are correctly configured to support server mode TFO" >&2;}
else
as_fn_error $? "TCP Fast Open is not available for server mode: please rerun without --enable-tfo-server" "$LINENO" 5
fi
cat >>confdefs.h <<_ACEOF
#define USE_TCP_FASTOPEN 1
_ACEOF
;;
no|*)
;;
esac
# check for libevent
# Check whether --with-libevent was given.
@ -18314,10 +18454,8 @@ if test x_$enable_static_exe = x_yes; then
staticexe="-static"
if test "$on_mingw" = yes; then
staticexe="-all-static"
# for static crosscompile, include gdi32 and zlib here.
if test "`uname`" = "Linux"; then
LIBS="$LIBS -lgdi32 -lz"
fi
# for static compile, include gdi32 and zlib here.
LIBS="$LIBS -lgdi32 -lz"
fi
fi
@ -18762,7 +18900,7 @@ if test "$ac_res" != no; then :
fi
for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync
for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -19801,12 +19939,12 @@ _ACEOF
version=1.5.9
version=1.5.10
date=`date +'%b %e, %Y'`
ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h"
ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h contrib/libunbound.pc"
ac_config_headers="$ac_config_headers config.h"
@ -20316,7 +20454,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.5.9, which was
This file was extended by unbound $as_me 1.5.10, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -20382,7 +20520,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.5.9
unbound config.status 1.5.10
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
@ -20804,6 +20942,7 @@ do
"doc/unbound-host.1") CONFIG_FILES="$CONFIG_FILES doc/unbound-host.1" ;;
"smallapp/unbound-control-setup.sh") CONFIG_FILES="$CONFIG_FILES smallapp/unbound-control-setup.sh" ;;
"dnstap/dnstap_config.h") CONFIG_FILES="$CONFIG_FILES dnstap/dnstap_config.h" ;;
"contrib/libunbound.pc") CONFIG_FILES="$CONFIG_FILES contrib/libunbound.pc" ;;
"config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
*) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;

86
contrib/unbound/configure.ac
View File

@ -10,14 +10,14 @@ sinclude(dnstap/dnstap.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[5])
m4_define([VERSION_MICRO],[9])
m4_define([VERSION_MICRO],[10])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=6
LIBUNBOUND_REVISION=1
LIBUNBOUND_REVISION=2
LIBUNBOUND_AGE=4
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -66,6 +66,7 @@ LIBUNBOUND_AGE=4
# 1.5.7 had 5:10:3
# 1.5.8 had 6:0:4 # adds ub_ctx_set_stub
# 1.5.9 had 6:1:4
# 1.5.10 had 6:2:4
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -107,7 +108,7 @@ esac
# are we on MinGW?
if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
else
if echo $target | grep mingw32 >/dev/null; then on_mingw="yes"
if echo $host $target | grep mingw32 >/dev/null; then on_mingw="yes"
else on_mingw="no"; fi
fi
@ -117,7 +118,7 @@ fi
if test $on_mingw = "no"; then
ub_conf_file=`eval echo "${sysconfdir}/unbound/unbound.conf"`
else
ub_conf_file="C:\\Program Files\\Unbound\\service.conf"
ub_conf_file="C:\\Program Files (x86)\\Unbound\\service.conf"
fi
AC_ARG_WITH([conf_file],
AC_HELP_STRING([--with-conf-file=path],
@ -187,7 +188,7 @@ AC_ARG_WITH(rootkey-file,
if test $on_mingw = no; then
UNBOUND_ROOTKEY_FILE="$UNBOUND_RUN_DIR/root.key"
else
UNBOUND_ROOTKEY_FILE="C:\\Program Files\\Unbound\\root.key"
UNBOUND_ROOTKEY_FILE="C:\\Program Files (x86)\\Unbound\\root.key"
fi
)
AC_SUBST(UNBOUND_ROOTKEY_FILE)
@ -201,7 +202,7 @@ AC_ARG_WITH(rootcert-file,
if test $on_mingw = no; then
UNBOUND_ROOTCERT_FILE="$UNBOUND_RUN_DIR/icannbundle.pem"
else
UNBOUND_ROOTCERT_FILE="C:\\Program Files\\Unbound\\icannbundle.pem"
UNBOUND_ROOTCERT_FILE="C:\\Program Files (x86)\\Unbound\\icannbundle.pem"
fi
)
AC_SUBST(UNBOUND_ROOTCERT_FILE)
@ -629,6 +630,7 @@ AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
[
USE_NETTLE="yes"
AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
if test "$withval" != "" -a "$withval" != "yes"; then
CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
LDFLAGS="$LDFLAGS -L$withval/lib"
@ -646,6 +648,20 @@ if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
ACX_WITH_SSL
ACX_LIB_SSL
SSLLIB="-lssl"
# check if -lcrypt32 is needed because CAPIENG needs that. (on windows)
BAKLIBS="$LIBS"
LIBS="-lssl $LIBS"
AC_MSG_CHECKING([if libssl needs -lcrypt32])
AC_TRY_LINK_FUNC([HMAC_Update], [
AC_MSG_RESULT([no])
LIBS="$BAKLIBS"
], [
AC_MSG_RESULT([yes])
LIBS="$BAKLIBS"
LIBS="$LIBS -lcrypt32"
])
AC_MSG_CHECKING([for LibreSSL])
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
AC_MSG_RESULT([yes])
@ -656,9 +672,15 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/
else
AC_MSG_RESULT([no])
fi
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new])
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup])
# these check_funcs need -lssl
BAKLIBS="$LIBS"
LIBS="-lssl $LIBS"
AC_CHECK_FUNCS([OPENSSL_init_ssl])
LIBS="$BAKLIBS"
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
AC_INCLUDES_DEFAULT
#ifdef HAVE_OPENSSL_ERR_H
@ -865,6 +887,42 @@ case "$enable_event_api" in
;;
esac
AC_ARG_ENABLE(tfo-client, AC_HELP_STRING([--enable-tfo-client], [Enable TCP Fast Open for client mode]))
case "$enable_tfo_client" in
yes)
case `uname` in
Linux) AC_CHECK_DECL([MSG_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
[AC_INCLUDES_DEFAULT
#include <netinet/tcp.h>
])
AC_DEFINE_UNQUOTED([USE_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
;;
Darwin) AC_CHECK_DECL([CONNECT_RESUME_ON_READ_WRITE], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
[AC_INCLUDES_DEFAULT
#include <sys/socket.h>
])
AC_DEFINE_UNQUOTED([USE_OSX_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
;;
esac
;;
no|*)
;;
esac
AC_ARG_ENABLE(tfo-server, AC_HELP_STRING([--enable-tfo-server], [Enable TCP Fast Open for server mode]))
case "$enable_tfo_server" in
yes)
AC_CHECK_DECL([TCP_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support server mode TFO])], [AC_MSG_ERROR([TCP Fast Open is not available for server mode: please rerun without --enable-tfo-server])], [AC_INCLUDES_DEFAULT
#include <netinet/tcp.h>
])
AC_DEFINE_UNQUOTED([USE_TCP_FASTOPEN], [1], [Define this to enable server TCP Fast Open.])
;;
no|*)
;;
esac
# check for libevent
AC_ARG_WITH(libevent, AC_HELP_STRING([--with-libevent=pathname],
[use libevent (will check /usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr or you can specify an explicit path). Slower, but allows use of large outgoing port ranges.]),
@ -985,10 +1043,8 @@ if test x_$enable_static_exe = x_yes; then
staticexe="-static"
if test "$on_mingw" = yes; then
staticexe="-all-static"
# for static crosscompile, include gdi32 and zlib here.
if test "`uname`" = "Linux"; then
LIBS="$LIBS -lgdi32 -lz"
fi
# for static compile, include gdi32 and zlib here.
LIBS="$LIBS -lgdi32 -lz"
fi
fi
@ -1082,7 +1138,7 @@ AC_INCLUDES_DEFAULT
#endif
])
AC_SEARCH_LIBS([setusercontext], [util])
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync])
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync])
AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
@ -1523,6 +1579,6 @@ dnl if this is a distro tarball, that was already done by makedist.sh
AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO])
AC_SUBST(date, [`date +'%b %e, %Y'`])
AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h])
AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h contrib/libunbound.pc])
AC_CONFIG_HEADER([config.h])
AC_OUTPUT

31
contrib/unbound/contrib/README Normal file
View File

@ -0,0 +1,31 @@
These files are contributed to unbound, and are not part of the official
distribution but may be helpful.
* rc_d_unbound: FreeBSD compatible /etc/rc.d script.
* parseunbound.pl: perl script to run from cron that parses statistics from
the log file and stores them.
* unbound.spec and unbound.init: RPM specfile and Linux rc.d initfile.
* update-anchor.sh: shell script that uses unbound-host to update a set
of trust anchor files. Run from cron twice a month.
* unbound_munin_ : plugin for munin statistics report
* unbound_cacti.tar.gz : setup files for cacti statistics report
* selinux: the .fc and .te files for SElinux protection of the unbound daemon
* unbound.plist: launchd configuration file for MacOSX.
* build-unbound-localzone-from-hosts.pl: perl script to turn /etc/hosts into
a local-zone and local-data include file for unbound.conf.
* unbound-host.nagios.patch: makes unbound-host return status that fits right
in with the nagios monitoring framework. Contributed by Migiel de Vos.
* patch_rsamd5_enable.diff: this patch enables RSAMD5 validation (otherwise
it is treated as insecure). The RSAMD5 algorithm is deprecated (RFC6725).
* create_unbound_ad_servers.sh: shell script to enter anti-ad server lists.
* create_unbound_ad_servers.cmd: windows script to enter anti-ad server lists.
* unbound_cache.sh: shell script to save and load the cache.
* unbound_cache.cmd: windows script to save and load the cache.
* warmup.sh: shell script to warm up DNS cache by your own MRU domains.
* warmup.cmd: windows script to warm up DNS cache by your own MRU domains.
* aaaa-filter-iterator.patch: adds config option aaaa-filter: yes that
works like the BIND feature (removes AAAA records unless AAAA-only domain).
Useful for certain 'broken IPv6 default route' scenarios.
Patch from Stephane Lapie for ASAHI Net.
* unbound_smf22.tar.gz: Solaris SMF installation/removal scripts.
Contributed by Yuri Voinov.

413
contrib/unbound/contrib/aaaa-filter-iterator.patch Normal file
View File

@ -0,0 +1,413 @@
Index: trunk/doc/unbound.conf.5.in
===================================================================
--- trunk/doc/unbound.conf.5.in (revision 3587)
+++ trunk/doc/unbound.conf.5.in (working copy)
@@ -593,6 +593,13 @@
possible. Best effort approach, full QNAME and original QTYPE will be sent when
upstream replies with a RCODE other than NOERROR. Default is off.
.TP
+.B aaaa\-filter: \fI<yes or no>
+Activate behavior similar to BIND's AAAA-filter.
+This forces the dropping of all AAAA records, unless in the case of
+explicit AAAA queries, when no A records have been confirmed.
+This also causes an additional A query to be sent for each AAAA query.
+This breaks DNSSEC!
+.TP
.B private\-address: \fI<IP address or subnet>
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
on your private network, and are not allowed to be returned for
Index: trunk/iterator/iter_scrub.c
===================================================================
--- trunk/iterator/iter_scrub.c (revision 3587)
+++ trunk/iterator/iter_scrub.c (working copy)
@@ -617,6 +617,32 @@
}
/**
+ * ASN: Lookup A records from rrset cache.
+ * @param qinfo: the question originally asked.
+ * @param env: module environment with config and cache.
+ * @param ie: iterator environment with private address data.
+ * @return 0 if no A record found, 1 if A record found.
+ */
+static int
+asn_lookup_a_record_from_cache(struct query_info* qinfo,
+ struct module_env* env, struct iter_env* ATTR_UNUSED(ie))
+{
+ struct ub_packed_rrset_key* akey;
+
+ /* get cached A records for queried name */
+ akey = rrset_cache_lookup(env->rrset_cache, qinfo->qname,
+ qinfo->qname_len, LDNS_RR_TYPE_A, qinfo->qclass,
+ 0, *env->now, 0);
+ if(akey) { /* we had some. */
+ log_rrset_key(VERB_ALGO, "ASN-AAAA-filter: found A record",
+ akey);
+ lock_rw_unlock(&akey->entry.lock);
+ return 1;
+ }
+ return 0;
+}
+
+/**
* Given a response event, remove suspect RRsets from the response.
* "Suspect" rrsets are potentially poison. Note that this routine expects
* the response to be in a "normalized" state -- that is, all "irrelevant"
@@ -635,6 +661,7 @@
struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
struct iter_env* ie)
{
+ int found_a_record = 0; /* ASN: do we have a A record? */
int del_addi = 0; /* if additional-holding rrsets are deleted, we
do not trust the normalized additional-A-AAAA any more */
struct rrset_parse* rrset, *prev;
@@ -670,6 +697,13 @@
rrset = rrset->rrset_all_next;
}
+ /* ASN: Locate any A record we can find */
+ if((ie->aaaa_filter) && (qinfo->qtype == LDNS_RR_TYPE_AAAA)) {
+ found_a_record = asn_lookup_a_record_from_cache(qinfo,
+ env, ie);
+ }
+ /* ASN: End of added code */
+
/* At this point, we brutally remove ALL rrsets that aren't
* children of the originating zone. The idea here is that,
* as far as we know, the server that we contacted is ONLY
@@ -681,6 +715,24 @@
rrset = msg->rrset_first;
while(rrset) {
+ /* ASN: For AAAA records only... */
+ if((ie->aaaa_filter) && (rrset->type == LDNS_RR_TYPE_AAAA)) {
+ /* ASN: If this is not a AAAA query, then remove AAAA
+ * records, no questions asked. If this IS a AAAA query
+ * then remove AAAA records if we have an A record.
+ * Otherwise, leave things be. */
+ if((qinfo->qtype != LDNS_RR_TYPE_AAAA) ||
+ (found_a_record)) {
+ remove_rrset("ASN-AAAA-filter: removing AAAA "
+ "for record", pkt, msg, prev, &rrset);
+ continue;
+ }
+ log_nametypeclass(VERB_ALGO, "ASN-AAAA-filter: "
+ "keep AAAA for", zonename,
+ LDNS_RR_TYPE_AAAA, qinfo->qclass);
+ }
+ /* ASN: End of added code */
+
/* remove private addresses */
if( (rrset->type == LDNS_RR_TYPE_A ||
rrset->type == LDNS_RR_TYPE_AAAA)) {
Index: trunk/iterator/iter_utils.c
===================================================================
--- trunk/iterator/iter_utils.c (revision 3587)
+++ trunk/iterator/iter_utils.c (working copy)
@@ -175,6 +175,7 @@
}
iter_env->supports_ipv6 = cfg->do_ip6;
iter_env->supports_ipv4 = cfg->do_ip4;
+ iter_env->aaaa_filter = cfg->aaaa_filter;
return 1;
}
Index: trunk/iterator/iterator.c
===================================================================
--- trunk/iterator/iterator.c (revision 3587)
+++ trunk/iterator/iterator.c (working copy)
@@ -1776,6 +1776,53 @@
return 0;
}
+
+/**
+ * ASN: This event state was added as an intermediary step between
+ * QUERYTARGETS_STATE and the next step, in order to cast a subquery for the
+ * purpose of caching A records for the queried name.
+ *
+ * @param qstate: query state.
+ * @param iq: iterator query state.
+ * @param ie: iterator shared global environment.
+ * @param id: module id.
+ * @return true if the event requires more request processing immediately,
+ * false if not. This state only returns true when it is generating
+ * a SERVFAIL response because the query has hit a dead end.
+ */
+static int
+asn_processQueryAAAA(struct module_qstate* qstate, struct iter_qstate* iq,
+ struct iter_env* ATTR_UNUSED(ie), int id)
+{
+ struct module_qstate* subq = NULL;
+
+ log_assert(iq->fetch_a_for_aaaa == 0);
+
+ /* flag the query properly in order to not loop */
+ iq->fetch_a_for_aaaa = 1;
+
+ /* re-throw same query, but with a different type */
+ if(!generate_sub_request(iq->qchase.qname,
+ iq->qchase.qname_len, LDNS_RR_TYPE_A,
+ iq->qchase.qclass, qstate, id, iq,
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
+ log_nametypeclass(VERB_ALGO, "ASN-AAAA-filter: failed "
+ "preloading of A record for",
+ iq->qchase.qname, LDNS_RR_TYPE_A,
+ iq->qchase.qclass);
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
+ log_nametypeclass(VERB_ALGO, "ASN-AAAA-filter: "
+ "preloading records in cache for",
+ iq->qchase.qname, LDNS_RR_TYPE_A,
+ iq->qchase.qclass);
+
+ /* set this query as waiting */
+ qstate->ext_state[id] = module_wait_subquery;
+ /* at this point break loop */
+ return 0;
+}
+/* ASN: End of added code */
/**
* This is the request event state where the request will be sent to one of
@@ -1823,6 +1870,13 @@
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
+ /* ASN: If we have a AAAA query, then also query for A records */
+ if((ie->aaaa_filter) && (iq->qchase.qtype == LDNS_RR_TYPE_AAAA) &&
+ (iq->fetch_a_for_aaaa == 0)) {
+ return next_state(iq, ASN_FETCH_A_FOR_AAAA_STATE);
+ }
+ /* ASN: End of added code */
+
/* Make sure we have a delegation point, otherwise priming failed
* or another failure occurred */
if(!iq->dp) {
@@ -2922,6 +2976,61 @@
return 0;
}
+/**
+ * ASN: Do final processing on responses to A queries originated from AAAA
+ * queries. Events reach this state after the iterative resolution algorithm
+ * terminates.
+ * This is required down the road to decide whether to scrub AAAA records
+ * from the results or not.
+ *
+ * @param qstate: query state.
+ * @param id: module id.
+ * @param forq: super query state.
+ */
+static void
+asn_processAAAAResponse(struct module_qstate* qstate, int id,
+ struct module_qstate* super)
+{
+ /*struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];*/
+ struct iter_qstate* super_iq = (struct iter_qstate*)super->minfo[id];
+ struct delegpt_ns* dpns = NULL;
+ int error = (qstate->return_rcode != LDNS_RCODE_NOERROR);
+
+ log_assert(super_iq->fetch_a_for_aaaa > 0);
+
+ /* let super go to evaluation of targets after this */
+ super_iq->state = QUERYTARGETS_STATE;
+
+ log_query_info(VERB_ALGO, "ASN-AAAA-filter: processAAAAResponse",
+ &qstate->qinfo);
+ log_query_info(VERB_ALGO, "ASN-AAAA-filter: processAAAAResponse super",
+ &super->qinfo);
+
+ if(super_iq->dp)
+ dpns = delegpt_find_ns(super_iq->dp,
+ qstate->qinfo.qname, qstate->qinfo.qname_len);
+ if (!dpns) {
+ /* not interested */
+ verbose(VERB_ALGO, "ASN-AAAA-filter: subq: %s, but parent not "
+ "interested%s", (error ? "error, but" : "success"),
+ (super_iq->dp ? "anymore" : " (was reset)"));
+ log_query_info(VERB_ALGO, "ASN-AAAA-filter: superq", &super->qinfo);
+ if(super_iq->dp && error)
+ delegpt_log(VERB_ALGO, super_iq->dp);
+ return;
+ } else if (error) {
+ verbose(VERB_ALGO, "ASN-AAAA-filter: mark as failed, "
+ "and go to target query.");
+ /* see if the failure did get (parent-lame) info */
+ if(!cache_fill_missing(super->env,
+ super_iq->qchase.qclass, super->region,
+ super_iq->dp))
+ log_err("ASN-AAAA-filter: out of memory adding missing");
+ dpns->resolved = 1; /* mark as failed */
+ }
+}
+/* ASN: End of added code */
+
/*
* Return priming query results to interestes super querystates.
*
@@ -2941,6 +3050,9 @@
else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
super->minfo[id])->state == DSNS_FIND_STATE)
processDSNSResponse(qstate, id, super);
+ else if (super->qinfo.qtype == LDNS_RR_TYPE_AAAA && ((struct iter_qstate*)
+ super->minfo[id])->state == ASN_FETCH_A_FOR_AAAA_STATE)
+ asn_processAAAAResponse(qstate, id, super);
else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
error_supers(qstate, id, super);
else if(qstate->is_priming)
@@ -2978,6 +3090,9 @@
case INIT_REQUEST_3_STATE:
cont = processInitRequest3(qstate, iq, id);
break;
+ case ASN_FETCH_A_FOR_AAAA_STATE:
+ cont = asn_processQueryAAAA(qstate, iq, ie, id);
+ break;
case QUERYTARGETS_STATE:
cont = processQueryTargets(qstate, iq, ie, id);
break;
@@ -3270,6 +3385,8 @@
return "INIT REQUEST STATE (stage 2)";
case INIT_REQUEST_3_STATE:
return "INIT REQUEST STATE (stage 3)";
+ case ASN_FETCH_A_FOR_AAAA_STATE:
+ return "ASN_FETCH_A_FOR_AAAA_STATE";
case QUERYTARGETS_STATE :
return "QUERY TARGETS STATE";
case PRIME_RESP_STATE :
@@ -3294,6 +3411,7 @@
case INIT_REQUEST_STATE :
case INIT_REQUEST_2_STATE :
case INIT_REQUEST_3_STATE :
+ case ASN_FETCH_A_FOR_AAAA_STATE :
case QUERYTARGETS_STATE :
case COLLECT_CLASS_STATE :
return 0;
Index: trunk/iterator/iterator.h
===================================================================
--- trunk/iterator/iterator.h (revision 3587)
+++ trunk/iterator/iterator.h (working copy)
@@ -113,6 +113,9 @@
*/
int* target_fetch_policy;
+ /** ASN: AAAA-filter flag */
+ int aaaa_filter;
+
/** ip6.arpa dname in wireformat, used for qname-minimisation */
uint8_t* ip6arpa_dname;
};
@@ -163,6 +166,14 @@
INIT_REQUEST_3_STATE,
/**
+ * This state is responsible for intercepting AAAA queries,
+ * and launch a A subquery on the same target, to populate the
+ * cache with A records, so the AAAA filter scrubbing logic can
+ * work.
+ */
+ ASN_FETCH_A_FOR_AAAA_STATE,
+
+ /**
* Each time a delegation point changes for a given query or a
* query times out and/or wakes up, this state is (re)visited.
* This state is reponsible for iterating through a list of
@@ -346,6 +357,13 @@
*/
int refetch_glue;
+ /**
+ * ASN: This is a flag that, if true, means that this query is
+ * for fetching A records to populate cache and determine if we must
+ * return AAAA records or not.
+ */
+ int fetch_a_for_aaaa;
+
/** list of pending queries to authoritative servers. */
struct outbound_list outlist;
Index: trunk/pythonmod/interface.i
===================================================================
--- trunk/pythonmod/interface.i (revision 3587)
+++ trunk/pythonmod/interface.i (working copy)
@@ -632,6 +632,7 @@
int harden_dnssec_stripped;
int harden_referral_path;
int use_caps_bits_for_id;
+ int aaaa_filter; /* ASN */
struct config_strlist* private_address;
struct config_strlist* private_domain;
size_t unwanted_threshold;
Index: trunk/util/config_file.c
===================================================================
--- trunk/util/config_file.c (revision 3587)
+++ trunk/util/config_file.c (working copy)
@@ -176,6 +176,7 @@
cfg->harden_referral_path = 0;
cfg->harden_algo_downgrade = 0;
cfg->use_caps_bits_for_id = 0;
+ cfg->aaaa_filter = 0; /* ASN: default is disabled */
cfg->caps_whitelist = NULL;
cfg->private_address = NULL;
cfg->private_domain = NULL;
Index: trunk/util/config_file.h
===================================================================
--- trunk/util/config_file.h (revision 3587)
+++ trunk/util/config_file.h (working copy)
@@ -179,6 +179,8 @@
int harden_algo_downgrade;
/** use 0x20 bits in query as random ID bits */
int use_caps_bits_for_id;
+ /** ASN: enable AAAA filter? */
+ int aaaa_filter;
/** 0x20 whitelist, domains that do not use capsforid */
struct config_strlist* caps_whitelist;
/** strip away these private addrs from answers, no DNS Rebinding */
Index: trunk/util/configlexer.lex
===================================================================
--- trunk/util/configlexer.lex (revision 3587)
+++ trunk/util/configlexer.lex (working copy)
@@ -267,6 +267,7 @@
use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) }
caps-whitelist{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) }
unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
+aaaa-filter{COLON} { YDVAR(1, VAR_AAAA_FILTER) }
private-address{COLON} { YDVAR(1, VAR_PRIVATE_ADDRESS) }
private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) }
prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) }
Index: trunk/util/configparser.y
===================================================================
--- trunk/util/configparser.y (revision 3587)
+++ trunk/util/configparser.y (working copy)
@@ -92,6 +92,7 @@
%token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT
%token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
%token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
+%token VAR_AAAA_FILTER
%token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
%token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
%token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
@@ -169,6 +170,7 @@
server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
server_harden_referral_path | server_private_address |
server_private_domain | server_extended_statistics |
+ server_aaaa_filter |
server_local_data_ptr | server_jostle_timeout |
server_unwanted_reply_threshold | server_log_time_ascii |
server_domain_insecure | server_val_sig_skew_min |
@@ -893,6 +895,15 @@
yyerror("out of memory");
}
;
+server_aaaa_filter: VAR_AAAA_FILTER STRING_ARG
+ {
+ OUTYY(("P(server_aaaa_filter:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->aaaa_filter = (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG
{
OUTYY(("P(server_private_address:%s)\n", $2));

67
contrib/unbound/contrib/build-unbound-localzone-from-hosts.pl Executable file
View File

@ -0,0 +1,67 @@
#!/usr/bin/perl -WT
use strict;
use warnings;
my $hostsfile = '/etc/hosts';
my $localzonefile = '/etc/unbound/localzone.conf.new';
my $localzone = 'example.com';
open( HOSTS,"<${hostsfile}" ) or die( "Could not open ${hostsfile}: $!" );
open( ZONE,">${localzonefile}" ) or die( "Could not open ${localzonefile}: $!" );
print ZONE "server:\n\n";
print ZONE "local-zone: \"${localzone}\" transparent\n\n";
my %ptrhash;
while ( my $hostline = <HOSTS> ) {
# Skip comments
if ( $hostline !~ "^#" and $hostline !~ '^\s+$' ) {
my @entries = split( /\s+/, $hostline );
my $ip;
my $count = 0;
foreach my $entry ( @entries ) {
if ( $count == 0 ) {
$ip = $entry;
} else {
if ( $count == 1) {
# Only return localhost for 127.0.0.1 and ::1
if ( ($ip ne '127.0.0.1' and $ip ne '::1') or $entry =~ 'localhost' ) {
if ( ! defined $ptrhash{$ip} ) {
$ptrhash{$ip} = $entry;
print ZONE "local-data-ptr: \"$ip $entry\"\n";
}
}
}
# Use AAAA for IPv6 addresses
my $a = 'A';
if ( $ip =~ ':' ) {
$a = 'AAAA';
}
print ZONE "local-data: \"$entry ${a} $ip\"\n";
}
$count++;
}
print ZONE "\n";
}
}
__END__

33
contrib/unbound/contrib/create_unbound_ad_servers.cmd Normal file
View File

@ -0,0 +1,33 @@
@Echo off
rem Convert the Yoyo.org anti-ad server listing
rem into an unbound dns spoof redirection list.
rem Written by Y.Voinov (c) 2014
rem Note: Wget required!
rem Variables
set prefix="C:\Program Files (x86)"
set dst_dir=%prefix%\Unbound
set work_dir=%TEMP%
set list_addr="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
rem Check Wget installed
for /f "delims=" %%a in ('where wget') do @set wget=%%a
if /I "%wget%"=="" echo Wget not found. If installed, add path to PATH environment variable. & exit 1
echo Wget found: %wget%
"%wget%" -O %work_dir%\yoyo_ad_servers %list_addr%
del /Q /F /S %dst_dir%\unbound_ad_servers
for /F "eol=; tokens=*" %%a in (%work_dir%\yoyo_ad_servers) do (
echo local-zone: %%a redirect>>%dst_dir%\unbound_ad_servers
echo local-data: "%%a A 127.0.0.1">>%dst_dir%\unbound_ad_servers
)
echo Done.
rem then add an include line to your unbound.conf pointing to the full path of
rem the unbound_ad_servers file:
rem
rem include: $dst_dir/unbound_ad_servers
rem

39
contrib/unbound/contrib/create_unbound_ad_servers.sh Executable file
View File

@ -0,0 +1,39 @@
#!/bin/sh
#
# Convert the Yoyo.org anti-ad server listing
# into an unbound dns spoof redirection list.
# Modified by Y.Voinov (c) 2014
# Note: Wget required!
# Variables
dst_dir="/etc/opt/csw/unbound"
work_dir="/tmp"
list_addr="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
# OS commands
CAT=`which cat`
ECHO=`which echo`
WGET=`which wget`
# Check Wget installed
if [ ! -f $WGET ]; then
echo "Wget not found. Exiting..."
exit 1
fi
$WGET -O $work_dir/yoyo_ad_servers "$list_addr" && \
$CAT $work_dir/yoyo_ad_servers | \
while read line ; \
do \
$ECHO "local-zone: \"$line\" redirect" ;\
$ECHO "local-data: \"$line A 127.0.0.1\"" ;\
done > \
$dst_dir/unbound_ad_servers
echo "Done."
# then add an include line to your unbound.conf pointing to the full path of
# the unbound_ad_servers file:
#
# include: $dst_dir/unbound_ad_servers
#

13
contrib/unbound/contrib/libunbound.pc.in Normal file
View File

@ -0,0 +1,13 @@
prefix=@prefix@
exec_prefix=@exec_prefix@
libdir=@libdir@
includedir=@includedir@
Name: unbound
Description: Library with validating, recursive, and caching DNS resolver
URL: http://www.unbound.net
Version: @PACKAGE_VERSION@
Requires:
Libs: -L${libdir} -lunbound @SSLLIB@ @LIBS@
Libs.private: @LDFLAGS@
Cflags: -I${includedir}

140
contrib/unbound/contrib/parseunbound.pl Executable file
View File

@ -0,0 +1,140 @@
#!/usr/local/bin/perl -w
#
# Script to parse the output from the unbound namedaemon.
# Unbound supports a threading model, and outputs a multiline log-blob for
# every thread.
#
# This script should parse all threads of the once, and store it
# in a local cached file for speedy results when queried lots.
#
use strict;
use POSIX qw(SEEK_END);
use Storable;
use FileHandle;
use Carp qw(croak carp);
use constant UNBOUND_CACHE => "/var/tmp/unbound-cache.stor";
my $run_from_cron = @ARGV && $ARGV[0] eq "--cron" && shift;
my $DEBUG = -t STDERR;
# NB. VERY IMPORTANTES: set this when running this script.
my $numthreads = 4;
### if cache exists, read it in. and is newer than 3 minutes
if ( -r UNBOUND_CACHE ) {
my $result = retrieve(UNBOUND_CACHE);
if (-M _ < 3/24/60 && !$run_from_cron ) {
print STDERR "Cached results:\n" if $DEBUG;
print join("\n", @$result), "\n";
exit;
}
}
my $logfile = shift or die "Usage: parseunbound.pl --cron unboundlogfile";
my $in = new FileHandle $logfile or die "Cannot open $logfile: $!\n";
# there is a special key 'thread' that indicates the thread. its not used, but returned anyway.
my @records = ('thread', 'queries', 'cachehits', 'recursions', 'recursionavg',
'outstandingmax', 'outstandingavg', 'outstandingexc',
'median25', 'median50', 'median75',
'us_0', 'us_1', 'us_2', 'us_4', 'us_8', 'us_16', 'us_32',
'us_64', 'us_128', 'us_256', 'us_512', 'us_1024', 'us_2048',
'us_4096', 'us_8192', 'us_16384', 'us_32768', 'us_65536',
'us_131072', 'us_262144', 'us_524288', 's_1', 's_2', 's_4',
's_8', 's_16', 's_32', 's_64', 's_128', 's_256', 's_512');
# Stats hash containing one or more keys. for every thread, 1 key.
my %allstats = (); # key="$threadid", stats={key => value}
my %startstats = (); # when we got a queries entry for this thread
my %donestats = (); # same, but only when we got a histogram entry for it
# stats hash contains name/value pairs of the actual numbers for that thread.
my $offset = 0;
my $inthread=0;
my $inpid;
# We should continue looping untill we meet these conditions:
# a) more total queries than the previous run (which defaults to 0) AND
# b) parsed all $numthreads threads in the log.
my $numqueries = $previousresult ? $previousresult->[1] : 0;
# Main loop
while ( scalar keys %startstats < $numthreads || scalar keys %donestats < $numthreads) {
$offset += 10000;
if ( $offset > -s $logfile or $offset > 10_000_000 ) {
die "Cannot find stats in $logfile\n";
}
$in->seek(-$offset, SEEK_END) or croak "cannot seek $logfile: $!\n";
for my $line ( <$in> ) {
chomp($line);
#[1208777234] unbound[6705:0]
if ($line =~ m/^\[\d+\] unbound\[\d+:(\d+)\]/) {
$inthread = $1;
if ($inthread + 1 > $numthreads) {
die "Hey. lazy. change \$numthreads in this script to ($inthread)\n";
}
}
# this line doesn't contain a pid:thread. skip.
else {
next;
}
if ( $line =~ m/info: server stats for thread \d+: (\d+) queries, (\d+) answers from cache, (\d+) recursions/ ) {
$startstats{$inthread} = 1;
$allstats{$inthread}->{thread} = $inthread;
$allstats{$inthread}->{queries} = $1;
$allstats{$inthread}->{cachehits} = $2;
$allstats{$inthread}->{recursions} = $3;
}
elsif ( $line =~ m/info: server stats for thread (\d+): requestlist max (\d+) avg ([0-9\.]+) exceeded (\d+)/ ) {
$allstats{$inthread}->{outstandingmax} = $2;
$allstats{$inthread}->{outstandingavg} = int($3); # This is a float; rrdtool only handles ints.
$allstats{$inthread}->{outstandingexc} = $4;
}
elsif ( $line =~ m/info: average recursion processing time ([0-9\.]+) sec/ ) {
$allstats{$inthread}->{recursionavg} = int($1 * 1000); # change sec to milisec.
}
elsif ( $line =~ m/info: histogram of recursion processing times/ ) {
next;
}
elsif ( $line =~ m/info: \[25%\]=([0-9\.]+) median\[50%\]=([0-9\.]+) \[75%\]=([0-9\.]+)/ ) {
$allstats{$inthread}->{median25} = int($1 * 1000000); # change seconds to usec
$allstats{$inthread}->{median50} = int($2 * 1000000);
$allstats{$inthread}->{median75} = int($3 * 1000000);
}
elsif ( $line =~ m/info: lower\(secs\) upper\(secs\) recursions/ ) {
# since after this line we're unsure if we get these numbers
# at all, we sould consider this marker as the end of the
# block. Chances that we're parsing a file halfway written
# at this stage are small. Bold statement.
$donestats{$inthread} = 1;
next;
}
elsif ( $line =~ m/info:\s+(\d+)\.(\d+)\s+(\d+)\.(\d+)\s+(\d+)/ ) {
my ($froms, $fromus, $toms, $tous, $counter) = ($1, $2, $3, $4, $5);
my $prefix = '';
if ($froms > 0) {
$allstats{$inthread}->{'s_' . int($froms)} = $counter;
} else {
$allstats{$inthread}->{'us_' . int($fromus)} = $counter;
}
}
}
}
my @result;
# loop on the records we want to store
for my $key ( @records ) {
my $sum = 0;
# these are the different threads parsed
foreach my $thread ( 0 .. $numthreads - 1 ) {
$sum += ($allstats{$thread}->{$key} || 0);
}
print STDERR "$key = " . $sum . "\n" if $DEBUG;
push @result, $sum;
}
print join("\n", @result), "\n";
store \@result, UNBOUND_CACHE;
if ($DEBUG) {
print STDERR "Threads: " . (scalar keys %allstats) . "\n";
}

22
contrib/unbound/contrib/patch_rsamd5_enable.diff Normal file
View File

@ -0,0 +1,22 @@
Index: validator/val_secalgo.c
===================================================================
--- validator/val_secalgo.c (revision 2759)
+++ validator/val_secalgo.c (working copy)
@@ -153,7 +153,7 @@
switch(id) {
case LDNS_RSAMD5:
/* RFC 6725 deprecates RSAMD5 */
- return 0;
+ return 1;
case LDNS_DSA:
case LDNS_DSA_NSEC3:
case LDNS_RSASHA1:
@@ -617,7 +617,7 @@
switch(id) {
case LDNS_RSAMD5:
/* RFC 6725 deprecates RSAMD5 */
- return 0;
+ return 1;
case LDNS_DSA:
case LDNS_DSA_NSEC3:
case LDNS_RSASHA1:

25
contrib/unbound/contrib/rc_d_unbound Executable file
View File

@ -0,0 +1,25 @@
#!/bin/sh
#
# unbound freebsd startup rc.d script, modified from the named script.
# uses the default unbound installation path and pidfile location.
# copy this to /etc/rc.d/unbound
# and put unbound_enable="YES" into rc.conf
#
# PROVIDE: unbound
# REQUIRE: SERVERS cleanvar
# KEYWORD: shutdown
. /etc/rc.subr
name="unbound"
rcvar=`set_rcvar`
load_rc_config $name
command="/usr/local/sbin/unbound"
pidfile=${unbound_pidfile:-"/usr/local/etc/unbound/unbound.pid"}
command_args=${unbound_flags:-"-c /usr/local/etc/unbound/unbound.conf"}
extra_commands="reload"
run_rc_command "$1"

4
contrib/unbound/contrib/selinux/unbound.fc Normal file
View File

@ -0,0 +1,4 @@
/etc/unbound(/.*)? system_u:object_r:unbound_conf_t:s0
/etc/rc\.d/init\.d/unbound -- system_u:object_r:unbound_initrc_exec_t:s0
/usr/sbin/unbound -- system_u:object_r:unbound_exec_t:s0
/var/run/unbound(/.*)? system_u:object_r:unbound_var_run_t:s0

42
contrib/unbound/contrib/selinux/unbound.te Normal file
View File

@ -0,0 +1,42 @@
policy_module(unbound, 0.1.0)
type unbound_t;
type unbound_conf_t;
type unbound_exec_t;
type unbound_initrc_exec_t;
type unbound_var_run_t;
init_daemon_domain(unbound_t, unbound_exec_t)
init_script_file(unbound_initrc_exec_t)
role system_r types unbound_t;
# XXX
# unbound-{checkconf,control} are not protected. Do we need protect them?
# Unbound daemon
auth_use_nsswitch(unbound_t)
dev_read_urand(unbound_t)
corenet_all_recvfrom_unlabeled(unbound_t)
corenet_tcp_bind_all_nodes(unbound_t)
corenet_tcp_bind_dns_port(unbound_t)
corenet_tcp_bind_rndc_port(unbound_t)
corenet_udp_bind_all_nodes(unbound_t)
corenet_udp_bind_all_unreserved_ports(unbound_t)
corenet_udp_bind_dns_port(unbound_t)
files_read_etc_files(unbound_t)
files_pid_file(unbound_var_run_t)
files_type(unbound_conf_t)
libs_use_ld_so(unbound_t)
libs_use_shared_libs(unbound_t)
logging_send_syslog_msg(unbound_t)
manage_files_pattern(unbound_t, unbound_var_run_t, unbound_var_run_t)
miscfiles_read_localization(unbound_t)
read_files_pattern(unbound_t, unbound_conf_t, unbound_conf_t)
allow unbound_t self:capability { setuid chown net_bind_service setgid dac_override };
allow unbound_t self:tcp_socket create_stream_socket_perms;
allow unbound_t self:udp_socket create_socket_perms;
###################################################

134
contrib/unbound/contrib/unbound-host.nagios.patch Normal file
View File

@ -0,0 +1,134 @@
Index: smallapp/unbound-host.c
===================================================================
--- smallapp/unbound-host.c (revision 2115)
+++ smallapp/unbound-host.c (working copy)
@@ -62,9 +62,18 @@
#include "libunbound/unbound.h"
#include <ldns/ldns.h>
+/** status variable ala nagios */
+#define FINAL_STATUS_OK 0
+#define FINAL_STATUS_WARNING 1
+#define FINAL_STATUS_CRITICAL 2
+#define FINAL_STATUS_UNKNOWN 3
+
/** verbosity for unbound-host app */
static int verb = 0;
+/** variable to determine final output */
+static int final_status = FINAL_STATUS_UNKNOWN;
+
/** Give unbound-host usage, and exit (1). */
static void
usage()
@@ -93,7 +102,7 @@
printf("Version %s\n", PACKAGE_VERSION);
printf("BSD licensed, see LICENSE in source package for details.\n");
printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
- exit(1);
+ exit(FINAL_STATUS_UNKNOWN);
}
/** determine if str is ip4 and put into reverse lookup format */
@@ -138,7 +147,7 @@
*res = strdup(buf);
if(!*res) {
fprintf(stderr, "error: out of memory\n");
- exit(1);
+ exit(FINAL_STATUS_UNKNOWN);
}
return 1;
}
@@ -158,7 +167,7 @@
}
if(!res) {
fprintf(stderr, "error: out of memory\n");
- exit(1);
+ exit(FINAL_STATUS_UNKNOWN);
}
return res;
}
@@ -172,7 +181,7 @@
if(r == 0 && strcasecmp(t, "TYPE0") != 0 &&
strcmp(t, "") != 0) {
fprintf(stderr, "error unknown type %s\n", t);
- exit(1);
+ exit(FINAL_STATUS_UNKNOWN);
}
return r;
}
@@ -191,7 +200,7 @@
if(r == 0 && strcasecmp(c, "CLASS0") != 0 &&
strcmp(c, "") != 0) {
fprintf(stderr, "error unknown class %s\n", c);
- exit(1);
+ exit(FINAL_STATUS_UNKNOWN);
}
return r;
}
@@ -207,6 +216,19 @@
return "(insecure)";
}
+/** update the final status for the exit code */
+void
+update_final_status(struct ub_result* result)
+{
+ if (final_status == FINAL_STATUS_UNKNOWN || final_status == FINAL_STATUS_OK) {
+ if (result->secure) final_status = FINAL_STATUS_OK;
+ else if (result->bogus) final_status = FINAL_STATUS_CRITICAL;
+ else final_status = FINAL_STATUS_WARNING;
+ }
+ else if (final_status == FINAL_STATUS_WARNING && result->bogus)
+ final_status = FINAL_STATUS_CRITICAL;
+}
+
/** nice string for type */
static void
pretty_type(char* s, size_t len, int t)
@@ -353,7 +375,7 @@
} else {
fprintf(stderr, "could not parse "
"reply packet to ANY query\n");
- exit(1);
+ exit(FINAL_STATUS_UNKNOWN);
}
ldns_pkt_free(p);
@@ -388,9 +410,10 @@
ret = ub_resolve(ctx, q, t, c, &result);
if(ret != 0) {
fprintf(stderr, "resolve error: %s\n", ub_strerror(ret));
- exit(1);
+ exit(FINAL_STATUS_UNKNOWN);
}
pretty_output(q, t, c, result, docname);
+ update_final_status(result);
ret = result->nxdomain;
ub_resolve_free(result);
return ret;
@@ -427,7 +450,7 @@
{
if(r != 0) {
fprintf(stderr, "error: %s\n", ub_strerror(r));
- exit(1);
+ exit(FINAL_STATUS_UNKNOWN);
}
}
@@ -448,7 +471,7 @@
ctx = ub_ctx_create();
if(!ctx) {
fprintf(stderr, "error: out of memory\n");
- exit(1);
+ exit(FINAL_STATUS_UNKNOWN);
}
/* parse the options */
@@ -509,5 +532,5 @@
usage();
lookup(ctx, argv[0], qtype, qclass);
- return 0;
+ return final_status;
}

139
contrib/unbound/contrib/unbound.init Normal file
View File

@ -0,0 +1,139 @@
#!/bin/sh
#
# unbound This shell script takes care of starting and stopping
# unbound (DNS server).
#
# chkconfig: - 14 86
# description: unbound is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
### BEGIN INIT INFO
# Provides: $named unbound
# Required-Start: $network $local_fs
# Required-Stop: $network $local_fs
# Should-Start: $syslog
# Should-Stop: $syslog
# Short-Description: unbound recursive Domain Name Server.
# Description: unbound is a Domain Name Server (DNS)
# that is used to resolve host names to IP addresses.
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
exec="/usr/sbin/unbound"
prog="unbound"
config="/var/unbound/unbound.conf"
pidfile="/var/unbound/unbound.pid"
rootdir="/var/unbound"
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
lockfile=/var/lock/subsys/$prog
start() {
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
echo -n $"Starting $prog: "
# setup root jail
if [ -s /etc/localtime ]; then
[ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ;
if [ ! -e ${rootdir}/etc/localtime ] || /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then
cp -fp /etc/localtime ${rootdir}/etc/localtime
fi;
fi;
if [ -s /etc/resolv.conf ]; then
[ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ;
if [ ! -e ${rootdir}/etc/resolv.conf ] || /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then
cp -fp /etc/resolv.conf ${rootdir}/etc/resolv.conf
fi;
fi;
if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then
[ -d ${rootdir}/dev ] || mkdir -p ${rootdir}/dev ;
[ -e ${rootdir}/dev/log ] || touch ${rootdir}/dev/log
mount --bind -n /dev/log ${rootdir}/dev/log >/dev/null 2>&1;
fi;
if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then
[ -d ${rootdir}/dev ] || mkdir -p ${rootdir}/dev ;
[ -e ${rootdir}/dev/random ] || touch ${rootdir}/dev/random
mount --bind -n /dev/random ${rootdir}/dev/random >/dev/null 2>&1;
fi;
# if not running, start it up here
daemon $exec
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
# stop it here, often "killproc $prog"
killproc -p $pidfile $prog
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then
umount ${rootdir}/dev/log >/dev/null 2>&1
fi;
if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then
umount ${rootdir}/dev/random >/dev/null 2>&1
fi;
return $retval
}
restart() {
stop
start
}
reload() {
kill -HUP `cat $pidfile`
}
force_reload() {
restart
}
rh_status() {
# run checks to determine if the service is running or use generic status
status -p $pidfile $prog
}
rh_status_q() {
rh_status -p $pidfile >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?

119
contrib/unbound/contrib/unbound.init_fedora Normal file
View File

@ -0,0 +1,119 @@
#!/bin/sh
#
# unbound This shell script takes care of starting and stopping
# unbound (DNS server).
#
# chkconfig: - 14 86
# description: unbound is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
### BEGIN INIT INFO
# Provides: unbound
# Required-Start: $network $local_fs
# Required-Stop: $network $local_fs
# Should-Start: $syslog
# Should-Stop: $syslog
# Short-Description: unbound recursive Domain Name Server.
# Description: unbound is a Domain Name Server (DNS)
# that is used to resolve host names to IP addresses.
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
exec="/usr/sbin/unbound"
config="/var/lib/unbound/unbound.conf"
rootdir="/var/lib/unbound"
pidfile="/var/run/unbound/unbound.pid"
[ -e /etc/sysconfig/unbound ] && . /etc/sysconfig/unbound
lockfile=/var/lock/subsys/unbound
start() {
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
echo -n $"Starting unbound: "
if [ ! -e ${rootdir}/etc/resolv.conf ] || /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then
cp -fp /etc/resolv.conf ${rootdir}/etc/resolv.conf
fi;
if [ ! -e ${rootdir}/etc/localtime ] || /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then
cp -fp /etc/localtime ${rootdir}/etc/localtime
fi;
mount --bind -n /dev/log ${rootdir}/dev/log >/dev/null 2>&1;
mount --bind -n /dev/random ${rootdir}/dev/random >/dev/null 2>&1;
mount --bind -n /var/run/unbound ${rootdir}/var/run/unbound >/dev/null 2>&1;
# if not running, start it up here
daemon $exec
retval=$?
[ $retval -eq 0 ] && touch $lockfile
echo
}
stop() {
echo -n $"Stopping unbound: "
# stop it here, often "killproc unbound"
killproc -p $pidfile unbound
retval=$?
[ $retval -eq 0 ] && rm -f $lockfile
for mountfile in /dev/log /dev/random /etc/localtime /etc/resolv.conf /var/run/unbound
do
if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}''${mountfile}'' /proc/mounts; then
umount ${rootdir}$mountfile >/dev/null 2>&1
fi;
done
echo
}
restart() {
stop
start
}
reload() {
kill -HUP `cat $pidfile`
}
force_reload() {
restart
}
rh_status() {
# run checks to determine if the service is running or use generic status
status -p $pidfile unbound
}
rh_status_q() {
rh_status -p $pidfile >/dev/null 2>&1
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
reload)
reload
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?

42
contrib/unbound/contrib/unbound.plist Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC -//Apple Computer//DTD PLIST 1.0//EN http://www.apple.com/DTDs/PropertyList-1.0.dtd >
<plist version="1.0">
<!--
Unbound plist file for use by MacOSX launchd(8) using launchctl(1).
Copy this file to /Library/LaunchDaemons. Launchd keeps unbound running.
Setup your unbound.conf with the following additional settings.
server:
do-daemonize: no
username: ""
chroot: ""
directory: ""
These actions are performed by launchd (for the option values, see below).
-->
<dict>
<key>Label</key>
<string>unbound</string>
<key>ProgramArguments</key>
<array>
<string>unbound</string>
</array>
<key>UserName</key>
<string>unbound</string>
<key>RootDirectory</key>
<string>/usr/local/etc/unbound</string>
<key>WorkingDirectory</key>
<string>/usr/local/etc/unbound</string>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

112
contrib/unbound/contrib/unbound.spec Normal file
View File

@ -0,0 +1,112 @@
Summary: Validating, recursive, and caching DNS resolver
Name: unbound
Version: 1.4.18
Release: 1%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/unbound/
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
#Source1: unbound.init
Group: System Environment/Daemons
Requires: ldns
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: flex, openssl-devel, expat-devel, ldns-devel
%description
Unbound is a validating, recursive, and caching DNS resolver.
The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.
The source code is under a BSD License.
%prep
%setup -q
# configure with /var/unbound/unbound.conf so that all default chroot,
# pidfile and config file are in /var/unbound, ready for chroot jail set up.
%configure --with-conf-file=%{_localstatedir}/%{name}/unbound.conf --disable-rpath
%build
#%{__make} %{?_smp_mflags}
make
%install
rm -rf %{buildroot}
%{__make} DESTDIR=%{buildroot} install
install -d 0700 %{buildroot}%{_localstatedir}/%{name}
install -d 0755 %{buildroot}%{_initrddir}
install -m 0755 contrib/unbound.init %{buildroot}%{_initrddir}/unbound
# add symbolic link from /etc/unbound.conf -> /var/unbound/unbound.conf
ln -s %{_localstatedir}/unbound/unbound.conf %{buildroot}%{_sysconfdir}/unbound.conf
# remove static library from install (fedora packaging guidelines)
rm -f %{buildroot}%{_libdir}/libunbound.a %{buildroot}%{_libdir}/libunbound.la
%clean
rm -rf ${RPM_BUILD_ROOT}
%files
%defattr(-,root,root,-)
%doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES
%attr(0755,root,root) %{_initrddir}/%{name}
%attr(0700,%{name},%{name}) %dir %{_localstatedir}/%{name}
%attr(0644,%{name},%{name}) %config(noreplace) %{_localstatedir}/%{name}/unbound.conf
%attr(0644,%{name},%{name}) %config(noreplace) %{_sysconfdir}/unbound.conf
%{_sbindir}/*
%{_mandir}/*/*
%{_includedir}/*
%{_libdir}/libunbound*
%pre
getent group unbound >/dev/null || groupadd -r unbound
getent passwd unbound >/dev/null || \
useradd -r -g unbound -d /var/unbound -s /sbin/nologin \
-c "unbound name daemon" unbound
exit 0
%post
# This adds the proper /etc/rc*.d links for the script
/sbin/chkconfig --add %{name}
%preun
if [ $1 -eq 0 ]; then
/sbin/service %{name} stop >/dev/null 2>&1
/sbin/chkconfig --del %{name}
# remove root jail
rm -f /var/unbound/dev/log /var/unbound/dev/random /var/unbound/etc/localtime /var/unbound/etc/resolv.conf >/dev/null 2>&1
rmdir /var/unbound/dev >/dev/null 2>&1 || :
rmdir /var/unbound/etc >/dev/null 2>&1 || :
rmdir /var/unbound >/dev/null 2>&1 || :
fi
%postun
if [ "$1" -ge "1" ]; then
/sbin/service %{name} condrestart >/dev/null 2>&1 || :
fi
%changelog
* Thu Jul 13 2011 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.4.8
- ldns required and ldns-devel required for build, no more ldns-builtin.
* Thu Mar 17 2011 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.4.8
- removed --disable-gost, assume recent openssl on the destination platform.
* Wed Mar 16 2011 Harold Jones <hajones@verisign.com> - 1.4.8
- Bump version number to latest
- Add expat-devel to BuildRequires
- Added --disable-gost for building on CentOS 5.x
- Added --with-ldns-builtin for CentOS 5.x
* Thu May 22 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.0.0
- contrib changes from Patrick Vande Walle.
* Thu Apr 25 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.12
- Using parts from ports collection entry by Jaap Akkerhuis.
- Using Fedoraproject wiki guidelines.
* Wed Apr 23 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.11
- Initial version.

433
contrib/unbound/contrib/unbound.spec_fedora Normal file
View File

@ -0,0 +1,433 @@
# not ready yet
%{?!with_python: %global with_python 1}
%if %{with_python}
%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
%endif
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.4.13
Release: 1%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/unbound/
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
Source1: unbound.init
Source2: unbound.conf
Source3: unbound.munin
Source4: unbound_munin_
Source5: root.key
Patch1: unbound-1.2-glob.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0,
BuildRequires: libevent-devel expat-devel
%if %{with_python}
BuildRequires: python-devel swig
%endif
# Required for SVN versions
# BuildRequires: bison
Requires(post): chkconfig
Requires(preun): chkconfig
Requires(preun): initscripts
Requires(postun): initscripts
Requires: ldns >= 1.5.0
Requires(pre): shadow-utils
Obsoletes: dnssec-conf < 1.27-2
Provides: dnssec-conf = 1.27-1
%description
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.
%package munin
Summary: Plugin for the munin / munin-node monitoring package
Group: System Environment/Daemons
Requires: munin-node
Requires: %{name} = %{version}-%{release}, bc
%description munin
Plugin for the munin / munin-node monitoring package
%package devel
Summary: Development package that includes the unbound header files
Group: Development/Libraries
Requires: %{name}-libs = %{version}-%{release}, openssl-devel, ldns-devel
%description devel
The devel package contains the unbound library and the include files
%package libs
Summary: Libraries used by the unbound server and client applications
Group: Applications/System
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
Requires: openssl
%description libs
Contains libraries used by the unbound server and client applications
%if %{with_python}
%package python
Summary: Python modules and extensions for unbound
Group: Applications/System
Requires: %{name}-libs = %{version}-%{release}
%description python
Python modules and extensions for unbound
%endif
%prep
%setup -q
%patch1 -p1
%build
%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
--disable-rpath --disable-static \
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
%if %{with_python}
--with-pythonmodule --with-pyunbound \
%endif
--enable-sha2 --disable-gost
%{__make} %{?_smp_mflags}
%install
rm -rf %{buildroot}
%{__make} DESTDIR=%{buildroot} install
install -d 0755 %{buildroot}%{_initrddir}
install -m 0755 %{SOURCE1} %{buildroot}%{_initrddir}/unbound
install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
# Install munin plugin and its softlinks
install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
install -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
done
# install root and DLV key
install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/
# remove static library from install (fedora packaging guidelines)
rm %{buildroot}%{_libdir}/*.la
%if %{with_python}
rm %{buildroot}%{python_sitearch}/*.la
%endif
mkdir -p %{buildroot}%{_localstatedir}/run/unbound
%clean
rm -rf ${RPM_BUILD_ROOT}
%files
%defattr(-,root,root,-)
%doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES
%attr(0755,root,root) %{_initrddir}/%{name}
%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
%ghost %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
%{_sbindir}/*
%{_mandir}/*/*
%if %{with_python}
%files python
%defattr(-,root,root,-)
%{python_sitearch}/*
%doc libunbound/python/examples/*
%doc pythonmod/examples/*
%endif
%files munin
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
%{_datadir}/munin/plugins/unbound*
%files devel
%defattr(-,root,root,-)
%{_libdir}/libunbound.so
%{_includedir}/unbound.h
%doc README
%files libs
%defattr(-,root,root,-)
%{_libdir}/libunbound.so.*
%doc doc/README doc/LICENSE
%pre
getent group unbound >/dev/null || groupadd -r unbound
getent passwd unbound >/dev/null || \
useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
-c "Unbound DNS resolver" unbound
exit 0
%post
/sbin/chkconfig --add %{name}
%post libs -p /sbin/ldconfig
%preun
if [ "$1" -eq 0 ]; then
/sbin/service %{name} stop >/dev/null 2>&1
/sbin/chkconfig --del %{name}
fi
%postun
if [ "$1" -ge "1" ]; then
/sbin/service %{name} condrestart >/dev/null 2>&1 || :
fi
%postun libs -p /sbin/ldconfig
%changelog
* Tue Sep 06 2011 Paul Wouters <paul@xelerance.com> - 1.4.13-1
- Updated to 1.4.13
- Fix install location of pythonmod from sitelib to sitearch
- Removed patches merged in by upstream
- Removed versioned openssl dep, it differs per branch
* Mon Aug 08 2011 Paul Wouters <paul@xelerance.com> - 1.4.12-3
- Added pythonmod docs and examples
- Fix for python module load in the server (Tom Hendrikx)
- No longer enable --enable-debug as it causes degraded performance
under load.
* Mon Jul 18 2011 Paul Wouters <paul@xelerance.com> - 1.4.12-1
- Updated to 1.4.12
* Sun Jul 03 2011 Paul Wouters <paul@xelerance.com> - 1.4.11-1
- Updated to 1.4.11
- removed integrated CVE patch
- updated stock unbound.conf for new options introduced
* Mon Jun 06 2011 Paul Wouters <paul@xelerance.com> - 1.4.10-1
- Added ghost for /var/run/unbound (bz#656710)
* Mon Jun 06 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-3
- rebuilt
* Wed May 25 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-2
- Applied patch for CVE-2011-1922 DoS vulnerability
* Sun Mar 27 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-1
- Updated to 1.4.9
* Sat Feb 12 2011 Paul Wouters <paul@xelerance.com> - 1.4.8-2
- rebuilt
* Tue Jan 25 2011 Paul Wouters <paul@xelerance.com> - 1.4.8-1
- Updated to 1.4.8
- Enable root key for DNSSEC
- Fix unbound-munin to use proper file (could cause excessive logging)
- Build unbound-python per default
- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl
* Tue Oct 26 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-4
- Revert last build - it was on the wrong branch
* Tue Oct 26 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-3
- Disable do-ipv6 per default - causes severe degradation on non-ipv6 machines
(see comments in inbound.conf)
* Tue Jun 15 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-2
- Bump release - forgot to upload the new tar ball.
* Tue Jun 15 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-1
- Upgraded to 1.4.5
* Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-2
- Added accidentally omitted svn patches to cvs
* Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-1
- Upgraded to 1.4.4 with svn patches
- Obsolete dnssec-conf to ensure it is de-installed
* Thu Mar 11 2010 Paul Wouters <paul@xelerance.com> - 1.4.3-1
- Update to 1.4.3 that fixes 64bit crasher
* Tue Mar 09 2010 Paul Wouters <paul@xelerance.com> - 1.4.2-1
- Updated to 1.4.2
- Updated unbound.conf with new options
- Enabled pre-fetching DNSKEY records (DNSSEC speedup)
- Enabled re-fetching popular records before they expire
- Enabled logging of DNSSEC validation errors
* Mon Mar 01 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-5
- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues
with pthreads
* Wed Feb 24 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-3
- Change make/configure lines to attempt to fix -lphtread linking issue
* Thu Feb 18 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-2
- Removed dependency for dnssec-conf
- Added ISC DLV key (formerly in dnssec-conf)
- Fixup old DLV locations in unbound.conf file via %%post
- Fix parent child disagreement handling and no-ipv6 present [svn r1953]
* Tue Jan 05 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-1
- Updated to 1.4.1
- Changed %%define to %%global
* Thu Oct 08 2009 Paul Wouters <paul@xelerance.com> - 1.3.4-2
- Bump version
* Thu Oct 08 2009 Paul Wouters <paul@xelerance.com> - 1.3.4-1
- Upgraded to 1.3.4. Security fix with validating NSEC3 records
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.3.3-2
- rebuilt with new openssl
* Mon Aug 17 2009 Paul Wouters <paul@xelerance.com> - 1.3.3-1
- Updated to 1.3.3
* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Sat Jun 20 2009 Paul Wouters <paul@xelerance.com> - 1.3.0-2
- Added missing glob patch to cvs
- Place python macros within the %%with_python check
* Sat Jun 20 2009 Paul Wouters <paul@xelerance.com> - 1.3.0-1
- Updated to 1.3.0
- Added unbound-python sub package. disabled for now
- Patch from svn to fix DLV lookups
- Patches from svn to detect wrong truncated response from BIND 9.6.1 with
minimal-responses)
- Added Default-Start and Default-Stop to unbound.init
- Re-enabled --enable-sha2
- Re-enabled glob.patch
* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-7
- unbound-iterator.patch was not committed
* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-6
- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793
* Tue Mar 17 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-5
- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys
* Tue Mar 10 2009 Adam Tkac <atkac redhat com> - 1.2.1-4
- enable DNSSEC only if it is enabled in sysconfig/dnssec
* Mon Mar 09 2009 Adam Tkac <atkac redhat com> - 1.2.1-3
- add DNSSEC support to initscript and enabled it per default
- add requires dnssec-conf
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Tue Feb 10 2009 Paul Wouters <paul@xelerance.com - 1.2.1-1
- updated to 1.2.1
* Sun Jan 18 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.0-2
- rebuild with new openssl
* Wed Jan 14 2009 Paul Wouters <paul@xelerance.com - 1.2.0-1
- Updated to 1.2.0
- Added dependency on minimum SSL for CVE-2008-5077
- Added dependency on bc for unbound-munin
- Added minimum requirement of libevent 1.4.5. Crashes with older versions
(note: libevent is stale in EL-4 and not in EL-5, needs fixing there)
- Removed dependency on selinux-policy (will get used when available)
- Enable options as per draft-wijngaards-dnsext-resolver-side-mitigation-00.txt
- Enable unwanted-reply-threshold to mitigate against a Kaminsky attack
- Enable val-clean-additional to drop addition unsigned data from signed
response.
- Removed patches (got merged into upstream)
* Mon Jan 5 2009 Paul Wouters <paul@xelerance.com> - 1.1.1-7
- Modified scandir patch to silently fail when wildcard matches nothing
- Patch to allow unbound-checkconf to find empty wildcard matches
* Mon Jan 5 2009 Paul Wouters <paul@xelerance.com> - 1.1.1-6
- Added scandir patch for trusted-keys-file: option, which
is used to load multiple dnssec keys in bind file format
* Mon Dec 8 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-4
- Added Requires: for selinux-policy >= 3.5.13-33 for proper SElinux rules.
* Mon Dec 1 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-3
- We did not own the /etc/unbound directory (#474020)
- Fixed cvs anomalies
* Fri Nov 28 2008 Adam Tkac <atkac redhat com> - 1.1.1-2
- removed all obsolete chroot related stuff
- label control certs after generation correctly
* Thu Nov 20 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-1
- Updated to unbound 1.1.1 which fixes a crasher and
addresses nlnetlabs bug #219
* Wed Nov 19 2008 Paul Wouters <paul@xelerance.com> - 1.1.0-3
- Remove the chroot, obsoleted by SElinux
- Add additional munin plugin links supported by unbound plugin
- Move configuration directory from /var/lib/unbound to /etc/unbound
- Modified unbound.init and unbound.conf to account for chroot changes
- Updated unbound.conf with new available options
- Enabled dns-0x20 protection per default
* Wed Nov 19 2008 Adam Tkac <atkac redhat com> - 1.1.0-2
- unbound-1.1.0-log_open.patch
- make sure log is opened before chroot call
- tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219
- removed /dev/log and /var/run/unbound and /etc/resolv.conf from
chroot, not needed
- don't mount files in chroot, it causes problems during updates
- fixed typo in default config file
* Fri Nov 14 2008 Paul Wouters <paul@xelerance.com> - 1.1.0-1
- Updated to version 1.1.0
- Updated unbound.conf's statistics options and remote-control
to work properly for munin
- Added unbound-munin package
- Generate unbound remote-control key/certs on first startup
- Required ldns is now 1.4.0
* Wed Oct 22 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-5
- Only call ldconfig in -libs package
- Move configure into build section
- devel subpackage should only depend on libs subpackage
* Tue Oct 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-4
- Fix CFLAGS getting lost in build
- Don't enable interface-automatic:yes because that
causes unbound to listen on 0.0.0.0 instead of 127.0.0.1
* Sun Oct 19 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-3
- Split off unbound-libs, make build verbose
* Thu Oct 9 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-2
- FSB compliance, chroot fixes, initscript fixes
* Thu Sep 11 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-1
- Upgraded to 1.0.2
* Wed Jul 16 2008 Paul Wouters <paul@xelerance.com> - 1.0.1-1
- upgraded to new release
* Wed May 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.0-2
- Build against ldns-1.3.0
* Wed May 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.0-1
- Split of -devel package, fixed dependencies, make rpmlint happy
* Thu Apr 25 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.12
- Using parts from ports collection entry by Jaap Akkerhuis.
- Using Fedoraproject wiki guidelines.
* Wed Apr 23 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.11
- Initial version.

105
contrib/unbound/contrib/unbound_cache.cmd Normal file
View File

@ -0,0 +1,105 @@
@echo off
rem --------------------------------------------------------------
rem -- DNS cache save/load script
rem --
rem -- Version 1.2
rem -- By Yuri Voinov (c) 2014
rem --------------------------------------------------------------
rem Variables
set prefix="C:\Program Files (x86)"
set program_path=%prefix%\Unbound
set uc=%program_path%\unbound-control.exe
set fname="unbound_cache.dmp"
rem Check Unbound installed
if exist %uc% goto start
echo Unbound control not found. Exiting...
exit 1
:start
rem arg1 - command (optional)
rem arg2 - file name (optional)
set arg1=%1
set arg2=%2
if /I "%arg1%" == "-h" goto help
if "%arg1%" == "" (
echo Loading cache from %program_path%\%fname%
dir /a %program_path%\%fname%
type %program_path%\%fname%|%uc% load_cache
goto end
)
if defined %arg2% (goto Not_Defined) else (goto Defined)
rem If file not specified; use default dump file
:Not_defined
if /I "%arg1%" == "-s" (
echo Saving cache to %program_path%\%fname%
%uc% dump_cache>%program_path%\%fname%
dir /a %program_path%\%fname%
echo ok
goto end
)
if /I "%arg1%" == "-l" (
echo Loading cache from %program_path%\%fname%
dir /a %program_path%\%fname%
type %program_path%\%fname%|%uc% load_cache
goto end
)
if /I "%arg1%" == "-r" (
echo Saving cache to %program_path%\%fname%
dir /a %program_path%\%fname%
%uc% dump_cache>%program_path%\%fname%
echo ok
echo Loading cache from %program_path%\%fname%
type %program_path%\%fname%|%uc% load_cache
goto end
)
rem If file name specified; use this filename
:Defined
if /I "%arg1%" == "-s" (
echo Saving cache to %arg2%
%uc% dump_cache>%arg2%
dir /a %arg2%
echo ok
goto end
)
if /I "%arg1%" == "-l" (
echo Loading cache from %arg2%
dir /a %arg2%
type %arg2%|%uc% load_cache
goto end
)
if /I "%arg1%" == "-r" (
echo Saving cache to %arg2%
dir /a %arg2%
%uc% dump_cache>%arg2%
echo ok
echo Loading cache from %arg2%
type %arg2%|%uc% load_cache
goto end
)
:help
echo Usage: unbound_cache.cmd [-s] or [-l] or [-r] or [-h] [filename]
echo.
echo l - Load - default mode. Warming up Unbound DNS cache from saved file. cache-ttl must be high value.
echo s - Save - save Unbound DNS cache contents to plain file with domain names.
echo r - Reload - reloadind new cache entries and refresh existing cache
echo h - this screen.
echo filename - file to save/load dumped cache. If not specified, %program_path%\%fname% will be used instead.
echo Note: Run without any arguments will be in default mode.
echo Also, unbound-control must be configured.
exit 1
:end
exit 0

174
contrib/unbound/contrib/unbound_cache.sh Executable file
View File

@ -0,0 +1,174 @@
#!/sbin/sh
# --------------------------------------------------------------
# -- DNS cache save/load script
# --
# -- Version 1.2
# -- By Yuri Voinov (c) 2006, 2014
# --------------------------------------------------------------
#
# ident "@(#)unbound_cache.sh 1.2 14/10/30 YV"
#
#############
# Variables #
#############
# Installation base dir
CONF="/etc/opt/csw/unbound"
BASE="/opt/csw"
# Unbound binaries
UC="$BASE/sbin/unbound-control"
FNAME="unbound_cache.dmp"
# OS utilities
BASENAME=`which basename`
CAT=`which cat`
CUT=`which cut`
ECHO=`which echo`
EXPR=`which expr`
GETOPT=`which getopt`
ID=`which id`
LS=`which ls`
###############
# Subroutines #
###############
usage_note ()
{
# Script usage note
$ECHO "Usage: `$BASENAME $0` [-s] or [-l] or [-r] or [-h] [filename]"
$ECHO .
$ECHO "l - Load - default mode. Warming up Unbound DNS cache from saved file. cache-ttl must be high value."
$ECHO "s - Save - save Unbound DNS cache contents to plain file with domain names."
$ECHO "r - Reload - reloadind new cache entries and refresh existing cache"
$ECHO "h - this screen."
$ECHO "filename - file to save/load dumped cache. If not specified, $CONF/$FNAME will be used instead."
$ECHO "Note: Run without any arguments will be in default mode."
$ECHO " Also, unbound-control must be configured."
exit 0
}
root_check ()
{
if [ ! `$ID | $CUT -f1 -d" "` = "uid=0(root)" ]; then
$ECHO "ERROR: You must be super-user to run this script."
exit 1
fi
}
check_uc ()
{
if [ ! -f "$UC" ]; then
$ECHO .
$ECHO "ERROR: $UC not found. Exiting..."
exit 1
fi
}
check_saved_file ()
{
filename=$1
if [ ! -z "$filename" -a ! -f "$filename" ]; then
$ECHO .
$ECHO "ERROR: File $filename does not exists. Save it first."
exit 1
elif [ ! -f "$CONF/$FNAME" ]; then
$ECHO .
$ECHO "ERROR: File $CONF/$FNAME does not exists. Save it first."
exit 1
fi
}
save_cache ()
{
# Save unbound cache
filename=$1
if [ -z "$filename" ]; then
$ECHO "Saving cache in $CONF/$FNAME..."
$UC dump_cache>$CONF/$FNAME
$LS -lh $CONF/$FNAME
else
$ECHO "Saving cache in $filename..."
$UC dump_cache>$filename
$LS -lh $filename
fi
$ECHO "ok"
}
load_cache ()
{
# Load saved cache contents and warmup cache
filename=$1
if [ -z "$filename" ]; then
$ECHO "Loading cache from saved $CONF/$FNAME..."
$LS -lh $CONF/$FNAME
check_saved_file $filename
$CAT $CONF/$FNAME|$UC load_cache
else
$ECHO "Loading cache from saved $filename..."
$LS -lh $filename
check_saved_file $filename
$CAT $filename|$UC load_cache
fi
}
reload_cache ()
{
# Reloading and refresh existing cache and saved dump
filename=$1
save_cache $filename
load_cache $filename
}
##############
# Main block #
##############
# Root check
root_check
# Check unbound-control
check_uc
# Check command-line arguments
if [ "x$*" = "x" ]; then
# If arguments list empty,load cache by default
load_cache
else
arg_list=$*
# Parse command line
set -- `$GETOPT sSlLrRhH: $arg_list` || {
usage_note 1>&2
}
# Read arguments
for i in $arg_list
do
case $i in
-s | -S) save="1";;
-l | -L) save="0";;
-r | -R) save="2";;
-h | -H | \?) usage_note;;
*) shift
file=$1
break;;
esac
shift
done
# Remove trailing --
shift `$EXPR $OPTIND - 1`
fi
if [ "$save" = "1" ]; then
save_cache $file
elif [ "$save" = "0" ]; then
load_cache $file
elif [ "$save" = "2" ]; then
reload_cache $file
fi
exit 0

BIN
contrib/unbound/contrib/unbound_cacti.tar.gz Normal file
View File

Binary file not shown.

574
contrib/unbound/contrib/unbound_munin_ Executable file
View File

@ -0,0 +1,574 @@
#!/bin/sh
#
# plugin for munin to monitor usage of unbound servers.
# To install copy this to /usr/local/share/munin/plugins/unbound_munin_
# and use munin-node-configure (--suggest, --shell).
#
# (C) 2008 W.C.A. Wijngaards. BSD Licensed.
#
# To install; enable statistics and unbound-control in unbound.conf
# server: extended-statistics: yes
# statistics-cumulative: no
# statistics-interval: 0
# remote-control: control-enable: yes
# Run the command unbound-control-setup to generate the key files.
#
# Environment variables for this script
# statefile - where to put temporary statefile.
# unbound_conf - where the unbound.conf file is located.
# unbound_control - where to find unbound-control executable.
# spoof_warn - what level to warn about spoofing
# spoof_crit - what level to crit about spoofing
#
# You can set them in your munin/plugin-conf.d/plugins.conf file
# with:
# [unbound*]
# user root
# env.statefile /usr/local/var/munin/plugin-state/unbound-state
# env.unbound_conf /usr/local/etc/unbound/unbound.conf
# env.unbound_control /usr/local/sbin/unbound-control
# env.spoof_warn 1000
# env.spoof_crit 100000
#
# This plugin can create different graphs depending on what name
# you link it as (with ln -s) into the plugins directory
# You can link it multiple times.
# If you are only a casual user, the _hits and _by_type are most interesting,
# possibly followed by _by_rcode.
#
# unbound_munin_hits - base volume, cache hits, unwanted traffic
# unbound_munin_queue - to monitor the internal requestlist
# unbound_munin_memory - memory usage
# unbound_munin_by_type - incoming queries by type
# unbound_munin_by_class - incoming queries by class
# unbound_munin_by_opcode - incoming queries by opcode
# unbound_munin_by_rcode - answers by rcode, validation status
# unbound_munin_by_flags - incoming queries by flags
# unbound_munin_histogram - histogram of query resolving times
#
# Magic markers - optional - used by installation scripts and
# munin-config: (originally contrib family but munin-node-configure ignores it)
#
#%# family=auto
#%# capabilities=autoconf suggest
# POD documentation
: <<=cut
=head1 NAME
unbound_munin_ - Munin plugin to monitor the Unbound DNS resolver.
=head1 APPLICABLE SYSTEMS
System with unbound daemon.
=head1 CONFIGURATION
[unbound*]
user root
env.statefile /usr/local/var/munin/plugin-state/unbound-state
env.unbound_conf /usr/local/etc/unbound/unbound.conf
env.unbound_control /usr/local/sbin/unbound-control
env.spoof_warn 1000
env.spoof_crit 100000
Use the .env settings to override the defaults.
=head1 USAGE
Can be used to present different graphs. Use ln -s for that name in
the plugins directory to enable the graph.
unbound_munin_hits - base volume, cache hits, unwanted traffic
unbound_munin_queue - to monitor the internal requestlist
unbound_munin_memory - memory usage
unbound_munin_by_type - incoming queries by type
unbound_munin_by_class - incoming queries by class
unbound_munin_by_opcode - incoming queries by opcode
unbound_munin_by_rcode - answers by rcode, validation status
unbound_munin_by_flags - incoming queries by flags
unbound_munin_histogram - histogram of query resolving times
=head1 AUTHOR
Copyright 2008 W.C.A. Wijngaards
=head1 LICENSE
BSD
=cut
state=${statefile:-/usr/local/var/munin/plugin-state/unbound-state}
conf=${unbound_conf:-/usr/local/etc/unbound/unbound.conf}
ctrl=${unbound_control:-/usr/local/sbin/unbound-control}
warn=${spoof_warn:-1000}
crit=${spoof_crit:-100000}
lock=$state.lock
# number of seconds between polling attempts.
# makes the statefile hang around for at least this many seconds,
# so that multiple links of this script can share the results.
lee=55
# to keep things within 19 characters
ABBREV="-e s/total/t/ -e s/thread/t/ -e s/num/n/ -e s/query/q/ -e s/answer/a/ -e s/unwanted/u/ -e s/requestlist/ql/ -e s/type/t/ -e s/class/c/ -e s/opcode/o/ -e s/rcode/r/ -e s/edns/e/ -e s/mem/m/ -e s/cache/c/ -e s/mod/m/"
# get value from $1 into return variable $value
get_value ( ) {
value="`grep '^'$1'=' $state | sed -e 's/^.*=//'`"
if test "$value"x = ""x; then
value="0"
fi
}
# download the state from the unbound server.
get_state ( ) {
# obtain lock for fetching the state
# because there is a race condition in fetching and writing to file
# see if the lock is stale, if so, take it
if test -f $lock ; then
pid="`cat $lock 2>&1`"
kill -0 "$pid" >/dev/null 2>&1
if test $? -ne 0 -a "$pid" != $$ ; then
echo $$ >$lock
fi
fi
i=0
while test ! -f $lock || test "`cat $lock 2>&1`" != $$; do
while test -f $lock; do
# wait
i=`expr $i + 1`
if test $i -gt 1000; then
sleep 1;
fi
if test $i -gt 1500; then
echo "error locking $lock" "=" `cat $lock`
rm -f $lock
exit 1
fi
done
# try to get it
echo $$ >$lock
done
# do not refetch if the file exists and only LEE seconds old
if test -f $state; then
now=`date +%s`
get_value "time.now"
value="`echo $value | sed -e 's/\..*$//'`"
if test $now -lt `expr $value + $lee`; then
rm -f $lock
return
fi
fi
$ctrl -c $conf stats > $state
if test $? -ne 0; then
echo "error retrieving data from unbound server"
rm -f $lock
exit 1
fi
rm -f $lock
}
if test "$1" = "autoconf" ; then
if test ! -f $conf; then
echo no "($conf does not exist)"
exit 1
fi
if test ! -d `dirname $state`; then
echo no "(`dirname $state` directory does not exist)"
exit 1
fi
echo yes
exit 0
fi
if test "$1" = "suggest" ; then
echo "hits"
echo "queue"
echo "memory"
echo "by_type"
echo "by_class"
echo "by_opcode"
echo "by_rcode"
echo "by_flags"
echo "histogram"
exit 0
fi
# determine my type, by name
id=`echo $0 | sed -e 's/^.*unbound_munin_//'`
if test "$id"x = ""x; then
# some default to keep people sane.
id="hits"
fi
# if $1 exists in statefile, config is echoed with label $2
exist_config ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
if grep '^'$1'=' $state >/dev/null 2>&1; then
echo "$mn.label $2"
echo "$mn.min 0"
echo "$mn.type ABSOLUTE"
fi
}
# print label and min 0 for a name $1 in unbound format
p_config ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
echo $mn.label "$2"
echo $mn.min 0
echo $mn.type $3
}
if test "$1" = "config" ; then
if test ! -f $state; then
get_state
fi
case $id in
hits)
echo "graph_title Unbound DNS traffic and cache hits"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
for x in `grep "^thread[0-9][0-9]*\.num\.queries=" $state |
sed -e 's/=.*//'`; do
exist_config $x "queries handled by `basename $x .num.queries`"
done
p_config "total.num.queries" "total queries from clients" "ABSOLUTE"
p_config "total.num.cachehits" "cache hits" "ABSOLUTE"
p_config "total.num.prefetch" "cache prefetch" "ABSOLUTE"
p_config "num.query.tcp" "TCP queries" "ABSOLUTE"
p_config "num.query.tcpout" "TCP out queries" "ABSOLUTE"
p_config "num.query.ipv6" "IPv6 queries" "ABSOLUTE"
p_config "unwanted.queries" "queries that failed acl" "ABSOLUTE"
p_config "unwanted.replies" "unwanted or unsolicited replies" "ABSOLUTE"
echo "u_replies.warning $warn"
echo "u_replies.critical $crit"
echo "graph_info DNS queries to the recursive resolver. The unwanted replies could be innocent duplicate packets, late replies, or spoof threats."
;;
queue)
echo "graph_title Unbound requestlist size"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel number of queries"
echo "graph_scale no"
echo "graph_category DNS"
p_config "total.requestlist.avg" "Average size of queue on insert" "GAUGE"
p_config "total.requestlist.max" "Max size of queue (in 5 min)" "GAUGE"
p_config "total.requestlist.overwritten" "Number of queries replaced by new ones" "GAUGE"
p_config "total.requestlist.exceeded" "Number of queries dropped due to lack of space" "GAUGE"
echo "graph_info The queries that did not hit the cache and need recursion service take up space in the requestlist. If there are too many queries, first queries get overwritten, and at last resort dropped."
;;
memory)
echo "graph_title Unbound memory usage"
echo "graph_args --base 1024 -l 0"
echo "graph_vlabel memory used in bytes"
echo "graph_category DNS"
p_config "mem.total.sbrk" "Total memory" "GAUGE"
p_config "mem.cache.rrset" "RRset cache memory" "GAUGE"
p_config "mem.cache.message" "Message cache memory" "GAUGE"
p_config "mem.mod.iterator" "Iterator module memory" "GAUGE"
p_config "mem.mod.validator" "Validator module and key cache memory" "GAUGE"
p_config "msg.cache.count" "msg cache count" "GAUGE"
p_config "rrset.cache.count" "rrset cache count" "GAUGE"
p_config "infra.cache.count" "infra cache count" "GAUGE"
p_config "key.cache.count" "key cache count" "GAUGE"
echo "graph_info The memory used by unbound."
;;
by_type)
echo "graph_title Unbound DNS queries by type"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
for x in `grep "^num.query.type" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
tp=`echo $nm | sed -e s/num.query.type.//`
p_config "$nm" "$tp" "ABSOLUTE"
done
echo "graph_info queries by DNS RR type queried for"
;;
by_class)
echo "graph_title Unbound DNS queries by class"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
for x in `grep "^num.query.class" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
tp=`echo $nm | sed -e s/num.query.class.//`
p_config "$nm" "$tp" "ABSOLUTE"
done
echo "graph_info queries by DNS RR class queried for."
;;
by_opcode)
echo "graph_title Unbound DNS queries by opcode"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
for x in `grep "^num.query.opcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
tp=`echo $nm | sed -e s/num.query.opcode.//`
p_config "$nm" "$tp" "ABSOLUTE"
done
echo "graph_info queries by opcode in the query packet."
;;
by_rcode)
echo "graph_title Unbound DNS answers by return code"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel answer packets / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
for x in `grep "^num.answer.rcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
tp=`echo $nm | sed -e s/num.answer.rcode.//`
p_config "$nm" "$tp" "ABSOLUTE"
done
p_config "num.answer.secure" "answer secure" "ABSOLUTE"
p_config "num.answer.bogus" "answer bogus" "ABSOLUTE"
p_config "num.rrset.bogus" "num rrsets marked bogus" "ABSOLUTE"
echo "graph_info answers sorted by return value. rrsets bogus is the number of rrsets marked bogus per \${graph_period} by the validator"
;;
by_flags)
echo "graph_title Unbound DNS incoming queries by flags"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
p_config "num.query.flags.QR" "QR (query reply) flag" "ABSOLUTE"
p_config "num.query.flags.AA" "AA (auth answer) flag" "ABSOLUTE"
p_config "num.query.flags.TC" "TC (truncated) flag" "ABSOLUTE"
p_config "num.query.flags.RD" "RD (recursion desired) flag" "ABSOLUTE"
p_config "num.query.flags.RA" "RA (rec avail) flag" "ABSOLUTE"
p_config "num.query.flags.Z" "Z (zero) flag" "ABSOLUTE"
p_config "num.query.flags.AD" "AD (auth data) flag" "ABSOLUTE"
p_config "num.query.flags.CD" "CD (check disabled) flag" "ABSOLUTE"
p_config "num.query.edns.present" "EDNS OPT present" "ABSOLUTE"
p_config "num.query.edns.DO" "DO (DNSSEC OK) flag" "ABSOLUTE"
echo "graph_info This graphs plots the flags inside incoming queries. For example, if QR, AA, TC, RA, Z flags are set, the query can be rejected. RD, AD, CD and DO are legitimately set by some software."
;;
histogram)
echo "graph_title Unbound DNS histogram of reply time"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
echo hcache.label "cache hits"
echo hcache.min 0
echo hcache.type ABSOLUTE
echo hcache.draw AREA
echo hcache.colour 999999
echo h64ms.label "0 msec - 66 msec"
echo h64ms.min 0
echo h64ms.type ABSOLUTE
echo h64ms.draw STACK
echo h64ms.colour 0000FF
echo h128ms.label "66 msec - 131 msec"
echo h128ms.min 0
echo h128ms.type ABSOLUTE
echo h128ms.colour 1F00DF
echo h128ms.draw STACK
echo h256ms.label "131 msec - 262 msec"
echo h256ms.min 0
echo h256ms.type ABSOLUTE
echo h256ms.draw STACK
echo h256ms.colour 3F00BF
echo h512ms.label "262 msec - 524 msec"
echo h512ms.min 0
echo h512ms.type ABSOLUTE
echo h512ms.draw STACK
echo h512ms.colour 5F009F
echo h1s.label "524 msec - 1 sec"
echo h1s.min 0
echo h1s.type ABSOLUTE
echo h1s.draw STACK
echo h1s.colour 7F007F
echo h2s.label "1 sec - 2 sec"
echo h2s.min 0
echo h2s.type ABSOLUTE
echo h2s.draw STACK
echo h2s.colour 9F005F
echo h4s.label "2 sec - 4 sec"
echo h4s.min 0
echo h4s.type ABSOLUTE
echo h4s.draw STACK
echo h4s.colour BF003F
echo h8s.label "4 sec - 8 sec"
echo h8s.min 0
echo h8s.type ABSOLUTE
echo h8s.draw STACK
echo h8s.colour DF001F
echo h16s.label "8 sec - ..."
echo h16s.min 0
echo h16s.type ABSOLUTE
echo h16s.draw STACK
echo h16s.colour FF0000
echo "graph_info Histogram of the reply times for queries."
;;
esac
exit 0
fi
# do the stats itself
get_state
# get the time elapsed
get_value "time.elapsed"
if test $value = 0 || test $value = "0.000000"; then
echo "error: time elapsed 0 or could not retrieve data"
exit 1
fi
elapsed="$value"
# print value for $1
print_value ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
get_value $1
echo "$mn.value" $value
}
# print value if line already found in $2
print_value_line ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
value="`echo $2 | sed -e 's/^.*=//'`"
echo "$mn.value" $value
}
case $id in
hits)
for x in `grep "^thread[0-9][0-9]*\.num\.queries=" $state |
sed -e 's/=.*//'` total.num.queries \
total.num.cachehits total.num.prefetch num.query.tcp \
num.query.tcpout num.query.ipv6 unwanted.queries \
unwanted.replies; do
if grep "^"$x"=" $state >/dev/null 2>&1; then
print_value $x
fi
done
;;
queue)
for x in total.requestlist.avg total.requestlist.max \
total.requestlist.overwritten total.requestlist.exceeded; do
print_value $x
done
;;
memory)
mn=`echo mem.total.sbrk | sed $ABBREV | tr . _`
get_value 'mem.total.sbrk'
if test $value -eq 0; then
chk=`echo $ctrl | sed -e 's/-control$/-checkconf/'`
pidf=`$chk -o pidfile $conf 2>&1`
pid=`cat $pidf 2>&1`
value=`ps -p "$pid" -o rss= 2>&1`
if test "`expr $value + 1 - 1 2>&1`" -eq "$value" 2>&1; then
value=`expr $value \* 1024`
else
value=0
fi
fi
echo "$mn.value" $value
for x in mem.cache.rrset mem.cache.message mem.mod.iterator \
mem.mod.validator msg.cache.count rrset.cache.count \
infra.cache.count key.cache.count; do
print_value $x
done
;;
by_type)
for x in `grep "^num.query.type" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_value_line $nm $x
done
;;
by_class)
for x in `grep "^num.query.class" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_value_line $nm $x
done
;;
by_opcode)
for x in `grep "^num.query.opcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_value_line $nm $x
done
;;
by_rcode)
for x in `grep "^num.answer.rcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_value_line $nm $x
done
print_value "num.answer.secure"
print_value "num.answer.bogus"
print_value "num.rrset.bogus"
;;
by_flags)
for x in num.query.flags.QR num.query.flags.AA num.query.flags.TC num.query.flags.RD num.query.flags.RA num.query.flags.Z num.query.flags.AD num.query.flags.CD num.query.edns.present num.query.edns.DO; do
print_value $x
done
;;
histogram)
get_value total.num.cachehits
echo hcache.value $value
r=0
for x in histogram.000000.000000.to.000000.000001 \
histogram.000000.000001.to.000000.000002 \
histogram.000000.000002.to.000000.000004 \
histogram.000000.000004.to.000000.000008 \
histogram.000000.000008.to.000000.000016 \
histogram.000000.000016.to.000000.000032 \
histogram.000000.000032.to.000000.000064 \
histogram.000000.000064.to.000000.000128 \
histogram.000000.000128.to.000000.000256 \
histogram.000000.000256.to.000000.000512 \
histogram.000000.000512.to.000000.001024 \
histogram.000000.001024.to.000000.002048 \
histogram.000000.002048.to.000000.004096 \
histogram.000000.004096.to.000000.008192 \
histogram.000000.008192.to.000000.016384 \
histogram.000000.016384.to.000000.032768 \
histogram.000000.032768.to.000000.065536; do
get_value $x
r=`expr $r + $value`
done
echo h64ms.value $r
get_value histogram.000000.065536.to.000000.131072
echo h128ms.value $value
get_value histogram.000000.131072.to.000000.262144
echo h256ms.value $value
get_value histogram.000000.262144.to.000000.524288
echo h512ms.value $value
get_value histogram.000000.524288.to.000001.000000
echo h1s.value $value
get_value histogram.000001.000000.to.000002.000000
echo h2s.value $value
get_value histogram.000002.000000.to.000004.000000
echo h4s.value $value
get_value histogram.000004.000000.to.000008.000000
echo h8s.value $value
r=0
for x in histogram.000008.000000.to.000016.000000 \
histogram.000016.000000.to.000032.000000 \
histogram.000032.000000.to.000064.000000 \
histogram.000064.000000.to.000128.000000 \
histogram.000128.000000.to.000256.000000 \
histogram.000256.000000.to.000512.000000 \
histogram.000512.000000.to.001024.000000 \
histogram.001024.000000.to.002048.000000 \
histogram.002048.000000.to.004096.000000 \
histogram.004096.000000.to.008192.000000 \
histogram.008192.000000.to.016384.000000 \
histogram.016384.000000.to.032768.000000 \
histogram.032768.000000.to.065536.000000 \
histogram.065536.000000.to.131072.000000 \
histogram.131072.000000.to.262144.000000 \
histogram.262144.000000.to.524288.000000; do
get_value $x
r=`expr $r + $value`
done
echo h16s.value $r
;;
esac

BIN
contrib/unbound/contrib/unbound_smf22.tar.gz Normal file
View File

Binary file not shown.

158
contrib/unbound/contrib/update-anchor.sh Executable file
View File

@ -0,0 +1,158 @@
#!/bin/sh
# update-anchor.sh, update a trust anchor.
# Copyright 2008, W.C.A. Wijngaards
# This file is BSD licensed, see doc/LICENSE.
# which validating lookup to use.
ubhost=unbound-host
usage ( )
{
echo "usage: update-anchor [-r hs] [-b] <zone name> <trust anchor file>"
echo " performs an update of trust anchor file"
echo " the trust anchor file is overwritten with the latest keys"
echo " the trust anchor file should contain only keys for one zone"
echo " -b causes keyfile to be made in bind format."
echo " without -b the file is made in unbound format."
echo " "
echo "alternate:"
echo " update-anchor [-r hints] [-b] -d directory"
echo " update all <zone>.anchor files in the directory."
echo " "
echo " name the files br.anchor se.anchor ..., and include them in"
echo " the validating resolver config file."
echo " put keys for the root in a file with the name root.anchor."
echo ""
echo "-r root.hints use different root hints. Strict option order."
echo ""
echo "Exit code 0 means anchors updated, 1 no changes, others are errors."
exit 2
}
if test $# -eq 0; then
usage
fi
bindformat="no"
filearg='-f'
roothints=""
if test X"$1" = "X-r"; then
shift
roothints="$1"
shift
fi
if test X"$1" = "X-b"; then
shift
bindformat="yes"
filearg='-F'
fi
if test $# -ne 2; then
echo "arguments wrong."
usage
fi
do_update ( ) {
# arguments: <zonename> <keyfile>
zonename="$1"
keyfile="$2"
tmpfile="/tmp/update-anchor.$$"
tmp2=$tmpfile.2
tmp3=$tmpfile.3
rh=""
if test -n "$roothints"; then
echo "server: root-hints: '$roothints'" > $tmp3
rh="-C $tmp3"
fi
$ubhost -v $rh $filearg "$keyfile" -t DNSKEY "$zonename" >$tmpfile
if test $? -ne 0; then
rm -f $tmpfile
echo "Error: Could not update zone $zonename anchor file $keyfile"
echo "Cause: $ubhost lookup failed"
echo " (Is the domain decommissioned? Is connectivity lost?)"
return 2
fi
# has the lookup been DNSSEC validated?
if grep '(secure)$' $tmpfile >/dev/null 2>&1; then
:
else
rm -f $tmpfile
echo "Error: Could not update zone $zonename anchor file $keyfile"
echo "Cause: result of lookup was not secure"
echo " (keys too far out of date? domain changed ownership? need root hints?)"
return 3
fi
if test $bindformat = "yes"; then
# are there any KSK keys on board?
echo 'trusted-keys {' > "$tmp2"
if grep ' has DNSKEY record 257' $tmpfile >/dev/null 2>&1; then
# store KSK keys in anchor file
grep '(secure)$' $tmpfile | \
grep ' has DNSKEY record 257' | \
sed -e 's/ (secure)$/";/' | \
sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \
sed -e 's/^\.\././' | sort >> "$tmp2"
else
# store all keys in the anchor file
grep '(secure)$' $tmpfile | \
sed -e 's/ (secure)$/";/' | \
sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \
sed -e 's/^\.\././' | sort >> "$tmp2"
fi
echo '};' >> "$tmp2"
else #not bindformat
# are there any KSK keys on board?
if grep ' has DNSKEY record 257' $tmpfile >/dev/null 2>&1; then
# store KSK keys in anchor file
grep '(secure)$' $tmpfile | \
grep ' has DNSKEY record 257' | \
sed -e 's/ (secure)$//' | \
sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \
sed -e 's/^\.\././' | sort > "$tmp2"
else
# store all keys in the anchor file
grep '(secure)$' $tmpfile | \
sed -e 's/ (secure)$//' | \
sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \
sed -e 's/^\.\././' | sort > "$tmp2"
fi
fi # endif-bindformat
# copy over if changed
diff $tmp2 $keyfile >/dev/null 2>&1
if test $? -eq 1; then # 0 means no change, 2 means trouble.
cat $tmp2 > $keyfile
no_updated=0
echo "$zonename key file $keyfile updated."
else
echo "$zonename key file $keyfile unchanged."
fi
rm -f $tmpfile $tmp2 $tmp3
}
no_updated=1
if test X"$1" = "X-d"; then
tdir="$2"
echo "start updating in $2"
for x in $tdir/*.anchor; do
if test `basename "$x"` = "root.anchor"; then
zname="."
else
zname=`basename "$x" .anchor`
fi
do_update "$zname" "$x"
done
echo "done updating in $2"
else
# regular invocation
if test X"$1" = "X."; then
zname="$1"
else
# strip trailing dot from zone name
zname="`echo $1 | sed -e 's/\.$//'`"
fi
kfile="$2"
do_update $zname $kfile
fi
exit $no_updated

117
contrib/unbound/contrib/validation-reporter.sh Executable file
View File

@ -0,0 +1,117 @@
#!/bin/sh
# validation reporter - reports validation failures to a collection server.
# Copyright NLnet Labs, 2010
# BSD license.
###
# Here is the configuration for the validation reporter
# it greps the failure lines out of the log and sends them to a server.
# The pidfile for the reporter daemon.
pidfile="/var/run/validation-reporter.pid"
# The logfile to watch for logged validation failures.
logfile="/var/log/unbound.log"
# how to notify the upstream
# nc is netcat, it sends tcp to given host port. It makes a tcp connection
# and writes one log-line to it (grepped from the logfile).
# the notify command can be: "nc the.server.name.org 1234"
# the listening daemon could be: nc -lk 127.0.0.1 1234 >> outputfile &
notify_cmd="nc localhost 1234"
###
# Below this line is the code for the validation reporter,
# first the daemon itself, then the controller for the daemon.
reporter_daemon() {
trap "rm -f \"$pidfile\"" EXIT
tail -F $logfile | grep --line-buffered "unbound.*info: validation failure" | \
while read x; do
echo "$x" | $notify_cmd
done
}
###
# controller for daemon.
start_daemon() {
echo "starting reporter"
nohup $0 rundaemon </dev/null >/dev/null 2>&1 &
echo $! > "$pidfile"
}
kill_daemon() {
echo "stopping reporter"
if test -s "$pidfile"; then
kill `cat "$pidfile"`
# check it is really dead
if kill -0 `cat "$pidfile"` >/dev/null 2>&1; then
sleep 1
while kill -0 `cat "$pidfile"` >/dev/null 2>&1; do
kill `cat "$pidfile"` >/dev/null 2>&1
echo "waiting for reporter to stop"
sleep 1
done
fi
fi
}
get_status_daemon() {
if test -s "$pidfile"; then
if kill -0 `cat "$pidfile"`; then
return 0;
fi
fi
return 1;
}
restart_daemon() {
kill_daemon
start_daemon
}
condrestart_daemon() {
if get_status_daemon; then
echo "reporter ("`cat "$pidfile"`") is running"
exit 0
fi
start_daemon
exit 0
}
status_daemon() {
if get_status_daemon; then
echo "reporter ("`cat "$pidfile"`") is running"
exit 0
fi
echo "reporter is not running"
exit 1
}
case "$1" in
rundaemon)
reporter_daemon
;;
start)
start_daemon
;;
stop)
kill_daemon
;;
restart)
restart_daemon
;;
condrestart)
condrestart_daemon
;;
status)
status_daemon
;;
*)
echo "Usage: $0 {start|stop|restart|condrestart|status}"
exit 2
;;
esac
exit $?

153
contrib/unbound/contrib/warmup.cmd Normal file
View File

@ -0,0 +1,153 @@
@echo off
rem --------------------------------------------------------------
rem -- Warm up DNS cache script by your own MRU domains or from
rem -- file when it specified as script argument.
rem --
rem -- Version 1.1
rem -- By Yuri Voinov (c) 2014
rem --------------------------------------------------------------
rem DNS host address
set address="127.0.0.1"
rem Check dig installed
for /f "delims=" %%a in ('where dig') do @set dig=%%a
if /I "%dig%"=="" echo Dig not found. If installed, add path to PATH environment variable. & exit 1
echo Dig found: %dig%
set arg=%1%
if defined %arg% (goto builtin) else (goto from_file)
:builtin
echo Warming up cache by MRU domains...
for %%a in (
2gis.ru
admir.kz
adobe.com
agent.mail.ru
aimp.ru
akamai.com
akamai.net
almaty.tele2.kz
aol.com
apple.com
arin.com
artlebedev.ru
auto.mail.ru
beeline.kz
bing.com
blogspot.com
comodo.com
dnscrypt.org
drive.google.com
drive.mail.ru
facebook.com
farmanager.com
fb.com
firefox.com
forum.farmanager.com
gazeta.ru
getsharex.com
gismeteo.ru
google.com
google.kz
google.ru
googlevideo.com
goto.kz
iana.org
icq.com
imap.mail.ru
instagram.com
intel.com
irr.kz
java.com
kaspersky.com
kaspersky.ru
kcell.kz
krisha.kz
lady.mail.ru
lenta.ru
libreoffice.org
linkedin.com
livejournal.com
mail.google.com
mail.ru
microsoft.com
mozilla.org
mra.mail.ru
munin-monitoring.org
my.mail.ru
news.bbcimg.co.uk
news.mail.ru
newsimg.bbc.net.uk
nvidia.com
odnoklassniki.ru
ok.ru
opencsw.org
opendns.com
opendns.org
opennet.ru
opera.com
oracle.com
peerbet.ru
piriform.com
plugring.farmanager.com
privoxy.org
qip.ru
raidcall.com
rambler.ru
reddit.com
ru.wikipedia.org
shallalist.de
skype.com
snob.ru
squid-cache.org
squidclamav.darold.net
squidguard.org
ssl.comodo.com
ssl.verisign.com
symantec.com
symantecliveupdate.com
tele2.kz
tengrinews.kz
thunderbird.com
torproject.org
torstatus.blutmagie.de
translate.google.com
unbound.net
verisign.com
vk.com
vk.me
vk.ru
vkontakte.com
vkontakte.ru
vlc.org
watsapp.net
weather.mail.ru
windowsupdate.com
www.baidu.com
www.bbc.co.uk
www.internic.net
www.opennet.ru
www.topgear.com
ya.ru
yahoo.com
yandex.com
yandex.ru
youtube.com
ytimg.com
) do "%dig%" %%a @%address% 1>nul 2>nul
goto end
:from_file
echo Warming up cache from %1% file...
%dig% -f %arg% @%address% 1>nul 2>nul
:end
echo Saving cache...
if exist unbound_cache.cmd unbound_cache.cmd -s
echo Done.
exit 0

150
contrib/unbound/contrib/warmup.sh Executable file
View File

@ -0,0 +1,150 @@
#!/bin/sh
# --------------------------------------------------------------
# -- Warm up DNS cache script by your own MRU domains or from
# -- file when it specified as script argument.
# --
# -- Version 1.1
# -- By Yuri Voinov (c) 2014
# --------------------------------------------------------------
# Default DNS host address
address="127.0.0.1"
cat=`which cat`
dig=`which dig`
if [ -z "$1" ]; then
echo "Warming up cache by MRU domains..."
$dig -f - @$address >/dev/null 2>&1 <<EOT
2gis.ru
admir.kz
adobe.com
agent.mail.ru
aimp.ru
akamai.com
akamai.net
almaty.tele2.kz
aol.com
apple.com
arin.com
artlebedev.ru
auto.mail.ru
beeline.kz
bing.com
blogspot.com
clamav.net
comodo.com
dnscrypt.org
drive.google.com
drive.mail.ru
facebook.com
farmanager.com
fb.com
firefox.com
forum.farmanager.com
gazeta.ru
getsharex.com
gismeteo.ru
google.com
google.kz
google.ru
googlevideo.com
goto.kz
iana.org
icq.com
imap.mail.ru
instagram.com
instagram.com
intel.com
irr.kz
java.com
kaspersky.com
kaspersky.ru
kcell.kz
krisha.kz
lady.mail.ru
lenta.ru
libreoffice.org
linkedin.com
livejournal.com
mail.google.com
mail.ru
microsoft.com
mozilla.org
mra.mail.ru
munin-monitoring.org
my.mail.ru
news.bbcimg.co.uk
news.mail.ru
newsimg.bbc.net.uk
nvidia.com
odnoklassniki.ru
ok.ru
opencsw.org
opendns.com
opendns.org
opennet.ru
opera.com
oracle.com
peerbet.ru
piriform.com
plugring.farmanager.com
privoxy.org
qip.ru
raidcall.com
rambler.ru
reddit.com
ru.wikipedia.org
shallalist.de
skype.com
snob.ru
squid-cache.org
squidclamav.darold.net
squidguard.org
ssl.comodo.com
ssl.verisign.com
symantec.com
symantecliveupdate.com
tele2.kz
tengrinews.kz
thunderbird.com
torproject.org
torstatus.blutmagie.de
translate.google.com
unbound.net
verisign.com
vk.com
vk.me
vk.ru
vkontakte.com
vkontakte.ru
vlc.org
watsapp.net
weather.mail.ru
windowsupdate.com
www.baidu.com
www.bbc.co.uk
www.internic.net
www.opennet.ru
www.topgear.com
ya.ru
yahoo.com
yandex.com
yandex.ru
youtube.com
ytimg.com
EOT
else
echo "Warming up cache from $1 file..."
$cat $1 | $dig -f - @$address >/dev/null 2>&1
fi
echo "Done."
echo "Saving cache..."
script=`which unbound_cache.sh`
[ -f "$script" ] && $script -s
echo "Done."
exit 0

250
contrib/unbound/daemon/acl_list.c
View File

@ -45,6 +45,8 @@
#include "util/log.h"
#include "util/config_file.h"
#include "util/net_help.h"
#include "services/localzone.h"
#include "sldns/str2wire.h"
struct acl_list*
acl_list_create(void)
@ -71,21 +73,21 @@ acl_list_delete(struct acl_list* acl)
}
/** insert new address into acl_list structure */
static int
static struct acl_addr*
acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr,
socklen_t addrlen, int net, enum acl_access control,
int complain_duplicates)
{
struct acl_addr* node = regional_alloc(acl->region,
struct acl_addr* node = regional_alloc_zero(acl->region,
sizeof(struct acl_addr));
if(!node)
return 0;
return NULL;
node->control = control;
if(!addr_tree_insert(&acl->tree, &node->node, addr, addrlen, net)) {
if(complain_duplicates)
verbose(VERB_QUERY, "duplicate acl address ignored.");
}
return 1;
return node;
}
/** apply acl_list string */
@ -125,6 +127,156 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
return 1;
}
/** find or create node (NULL on parse or error) */
static struct acl_addr*
acl_find_or_create(struct acl_list* acl, const char* str)
{
struct acl_addr* node;
struct sockaddr_storage addr;
int net;
socklen_t addrlen;
if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
log_err("cannot parse netblock: %s", str);
return NULL;
}
/* find or create node */
if(!(node=(struct acl_addr*)addr_tree_find(&acl->tree, &addr,
addrlen, net))) {
/* create node, type 'allow' since otherwise tags are
* pointless, can override with specific access-control: cfg */
if(!(node=(struct acl_addr*)acl_list_insert(acl, &addr,
addrlen, net, acl_allow, 1))) {
log_err("out of memory");
return NULL;
}
}
return node;
}
/** apply acl_tag string */
static int
acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap,
size_t bitmaplen)
{
struct acl_addr* node;
if(!(node=acl_find_or_create(acl, str)))
return 0;
node->taglen = bitmaplen;
node->taglist = regional_alloc_init(acl->region, bitmap, bitmaplen);
if(!node->taglist) {
log_err("out of memory");
return 0;
}
return 1;
}
/** apply acl_tag_action string */
static int
acl_list_tag_action_cfg(struct acl_list* acl, struct config_file* cfg,
const char* str, const char* tag, const char* action)
{
struct acl_addr* node;
int tagid;
enum localzone_type t;
if(!(node=acl_find_or_create(acl, str)))
return 0;
/* allocate array if not yet */
if(!node->tag_actions) {
node->tag_actions = (uint8_t*)regional_alloc_zero(acl->region,
sizeof(*node->tag_actions)*cfg->num_tags);
if(!node->tag_actions) {
log_err("out of memory");
return 0;
}
node->tag_actions_size = (size_t)cfg->num_tags;
}
/* parse tag */
if((tagid=find_tag_id(cfg, tag)) == -1) {
log_err("cannot parse tag (define-tag it): %s %s", str, tag);
return 0;
}
if((size_t)tagid >= node->tag_actions_size) {
log_err("tagid too large for array %s %s", str, tag);
return 0;
}
if(!local_zone_str2type(action, &t)) {
log_err("cannot parse access control action type: %s %s %s",
str, tag, action);
return 0;
}
node->tag_actions[tagid] = (uint8_t)t;
return 1;
}
/** check wire data parse */
static int
check_data(const char* data)
{
char buf[65536];
uint8_t rr[LDNS_RR_BUF_SIZE];
size_t len = sizeof(rr);
int res;
snprintf(buf, sizeof(buf), "%s %s", "example.com.", data);
res = sldns_str2wire_rr_buf(buf, rr, &len, NULL, 3600, NULL, 0,
NULL, 0);
if(res == 0)
return 1;
log_err("rr data [char %d] parse error %s",
(int)LDNS_WIREPARSE_OFFSET(res)-13,
sldns_get_errorstr_parse(res));
return 0;
}
/** apply acl_tag_data string */
static int
acl_list_tag_data_cfg(struct acl_list* acl, struct config_file* cfg,
const char* str, const char* tag, const char* data)
{
struct acl_addr* node;
int tagid;
char* dupdata;
if(!(node=acl_find_or_create(acl, str)))
return 0;
/* allocate array if not yet */
if(!node->tag_datas) {
node->tag_datas = (struct config_strlist**)regional_alloc_zero(
acl->region, sizeof(*node->tag_datas)*cfg->num_tags);
if(!node->tag_datas) {
log_err("out of memory");
return 0;
}
node->tag_datas_size = (size_t)cfg->num_tags;
}
/* parse tag */
if((tagid=find_tag_id(cfg, tag)) == -1) {
log_err("cannot parse tag (define-tag it): %s %s", str, tag);
return 0;
}
if((size_t)tagid >= node->tag_datas_size) {
log_err("tagid too large for array %s %s", str, tag);
return 0;
}
/* check data? */
if(!check_data(data)) {
log_err("cannot parse access-control-tag data: %s %s '%s'",
str, tag, data);
return 0;
}
dupdata = regional_strdup(acl->region, data);
if(!dupdata) {
log_err("out of memory");
return 0;
}
if(!cfg_region_strlist_insert(acl->region,
&(node->tag_datas[tagid]), dupdata)) {
log_err("out of memory");
return 0;
}
return 1;
}
/** read acl_list config */
static int
read_acl_list(struct acl_list* acl, struct config_file* cfg)
@ -138,6 +290,77 @@ read_acl_list(struct acl_list* acl, struct config_file* cfg)
return 1;
}
/** read acl tags config */
static int
read_acl_tags(struct acl_list* acl, struct config_file* cfg)
{
struct config_strbytelist* np, *p = cfg->acl_tags;
cfg->acl_tags = NULL;
while(p) {
log_assert(p->str && p->str2);
if(!acl_list_tags_cfg(acl, p->str, p->str2, p->str2len)) {
config_del_strbytelist(p);
return 0;
}
/* free the items as we go to free up memory */
np = p->next;
free(p->str);
free(p->str2);
free(p);
p = np;
}
return 1;
}
/** read acl tag actions config */
static int
read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg)
{
struct config_str3list* p, *np;
p = cfg->acl_tag_actions;
cfg->acl_tag_actions = NULL;
while(p) {
log_assert(p->str && p->str2 && p->str3);
if(!acl_list_tag_action_cfg(acl, cfg, p->str, p->str2,
p->str3)) {
config_deltrplstrlist(p);
return 0;
}
/* free the items as we go to free up memory */
np = p->next;
free(p->str);
free(p->str2);
free(p->str3);
free(p);
p = np;
}
return 1;
}
/** read acl tag datas config */
static int
read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg)
{
struct config_str3list* p, *np;
p = cfg->acl_tag_datas;
cfg->acl_tag_datas = NULL;
while(p) {
log_assert(p->str && p->str2 && p->str3);
if(!acl_list_tag_data_cfg(acl, cfg, p->str, p->str2, p->str3)) {
config_deltrplstrlist(p);
return 0;
}
/* free the items as we go to free up memory */
np = p->next;
free(p->str);
free(p->str2);
free(p->str3);
free(p);
p = np;
}
return 1;
}
int
acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg)
{
@ -145,6 +368,12 @@ acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg)
addr_tree_init(&acl->tree);
if(!read_acl_list(acl, cfg))
return 0;
if(!read_acl_tags(acl, cfg))
return 0;
if(!read_acl_tag_actions(acl, cfg))
return 0;
if(!read_acl_tag_datas(acl, cfg))
return 0;
/* insert defaults, with '0' to ignore them if they are duplicates */
if(!acl_list_str_cfg(acl, "0.0.0.0/0", "refuse", 0))
return 0;
@ -163,13 +392,18 @@ acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg)
}
enum acl_access
acl_list_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
acl_get_control(struct acl_addr* acl)
{
if(acl) return acl->control;
return acl_deny;
}
struct acl_addr*
acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
socklen_t addrlen)
{
struct acl_addr* r = (struct acl_addr*)addr_tree_lookup(&acl->tree,
return (struct acl_addr*)addr_tree_lookup(&acl->tree,
addr, addrlen);
if(r) return r->control;
return acl_deny;
}
size_t

29
contrib/unbound/daemon/acl_list.h
View File

@ -87,6 +87,19 @@ struct acl_addr {
struct addr_tree_node node;
/** access control on this netblock */
enum acl_access control;
/** tag bitlist */
uint8_t* taglist;
/** length of the taglist (in bytes) */
size_t taglen;
/** array per tagnumber of localzonetype(in one byte). NULL if none. */
uint8_t* tag_actions;
/** size of the tag_actions_array */
size_t tag_actions_size;
/** array per tagnumber, with per tag a list of rdata strings.
* NULL if none. strings are like 'A 127.0.0.1' 'AAAA ::1' */
struct config_strlist** tag_datas;
/** size of the tag_datas array */
size_t tag_datas_size;
};
/**
@ -110,14 +123,22 @@ void acl_list_delete(struct acl_list* acl);
int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg);
/**
* Lookup address to see its access control status.
* Lookup access control status for acl structure.
* @param acl: structure for acl storage.
* @return: what to do with message from this address.
*/
enum acl_access acl_get_control(struct acl_addr* acl);
/**
* Lookup address to see its acl structure
* @param acl: structure for address storage.
* @param addr: address to check
* @param addrlen: length of addr.
* @return: what to do with message from this address.
* @return: acl structure from this address.
*/
enum acl_access acl_list_lookup(struct acl_list* acl,
struct sockaddr_storage* addr, socklen_t addrlen);
struct acl_addr*
acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
socklen_t addrlen);
/**
* Get memory used by acl structure.

23
contrib/unbound/daemon/daemon.c
View File

@ -204,17 +204,29 @@ daemon_init(void)
signal_handling_record();
checklock_start();
#ifdef HAVE_SSL
# ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
ERR_load_crypto_strings();
# endif
ERR_load_SSL_strings();
# ifdef USE_GOST
(void)sldns_key_EVP_load_gost_id();
# endif
# if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
OpenSSL_add_all_algorithms();
# else
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
| OPENSSL_INIT_ADD_ALL_DIGESTS
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
# endif
# if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
/* grab the COMP method ptr because openssl leaks it */
comp_meth = (void*)SSL_COMP_get_compression_methods();
# endif
# if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
(void)SSL_library_init();
# else
(void)OPENSSL_init_ssl(0, NULL);
# endif
# if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
if(!ub_openssl_lock_init())
fatal_exit("could not init openssl locks");
@ -404,6 +416,8 @@ daemon_create_workers(struct daemon* daemon)
}
daemon->workers = (struct worker**)calloc((size_t)daemon->num,
sizeof(struct worker*));
if(!daemon->workers)
fatal_exit("out of memory during daemon init");
if(daemon->cfg->dnstap) {
#ifdef USE_DNSTAP
daemon->dtenv = dt_create(daemon->cfg->dnstap_socket_path,
@ -586,13 +600,12 @@ daemon_cleanup(struct daemon* daemon)
log_thread_set(NULL);
/* clean up caches because
* a) RRset IDs will be recycled after a reload, causing collisions
* b) validation config can change, thus rrset, msg, keycache clear
* The infra cache is kept, the timing and edns info is still valid */
* b) validation config can change, thus rrset, msg, keycache clear */
slabhash_clear(&daemon->env->rrset_cache->table);
slabhash_clear(daemon->env->msg_cache);
local_zones_delete(daemon->local_zones);
daemon->local_zones = NULL;
/* key cache is cleared by module desetup during next daemon_init() */
/* key cache is cleared by module desetup during next daemon_fork() */
daemon_remote_clear(daemon->rc);
for(i=0; i<daemon->num; i++)
worker_delete(daemon->workers[i]);
@ -656,8 +669,12 @@ daemon_delete(struct daemon* daemon)
# endif
CONF_modules_free();
# endif
# ifdef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
CRYPTO_cleanup_all_ex_data(); /* safe, no more threads right now */
# endif
# ifdef HAVE_ERR_FREE_STRINGS
ERR_free_strings();
# endif
# if OPENSSL_VERSION_NUMBER < 0x10100000
RAND_cleanup();
# endif

48
contrib/unbound/daemon/remote.c
View File

@ -46,9 +46,12 @@
#ifdef HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
#endif
#ifndef HEADER_DH_H
#ifdef HAVE_OPENSSL_DH_H
#include <openssl/dh.h>
#endif
#ifdef HAVE_OPENSSL_BN_H
#include <openssl/bn.h>
#endif
#include <ctype.h>
#include "daemon/remote.h"
@ -144,7 +147,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
* (some openssl versions reject DH that is 'too small', eg. 512).
*/
#ifndef S_SPLINT_S
DH *get_dh2048()
static DH *get_dh2048(void)
{
static unsigned char dh2048_p[]={
0xE7,0x36,0x28,0x3B,0xE4,0xC3,0x32,0x1C,0x01,0xC3,0x67,0xD6,
@ -173,14 +176,31 @@ DH *get_dh2048()
static unsigned char dh2048_g[]={
0x02,
};
DH *dh;
DH *dh = NULL;
BIGNUM *p = NULL, *g = NULL;
if ((dh=DH_new()) == NULL) return(NULL);
dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
if ((dh->p == NULL) || (dh->g == NULL))
{ DH_free(dh); return(NULL); }
return(dh);
dh = DH_new();
p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
if (!dh || !p || !g)
goto err;
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
dh->p = p;
dh->g = g;
#else
if (!DH_set0_pqg(dh, p, NULL, g))
goto err;
#endif
return dh;
err:
if (p)
BN_free(p);
if (g)
BN_free(g);
if (dh)
DH_free(dh);
return NULL;
}
#endif /* SPLINT */
@ -225,6 +245,7 @@ daemon_remote_create(struct config_file* cfg)
/* No certificates are requested */
if(!SSL_CTX_set_cipher_list(rc->ctx, "aNULL")) {
log_crypto_err("Failed to set aNULL cipher list");
daemon_remote_delete(rc);
return NULL;
}
@ -233,6 +254,7 @@ daemon_remote_create(struct config_file* cfg)
*/
if(!SSL_CTX_set_tmp_dh(rc->ctx,get_dh2048())) {
log_crypto_err("Wanted to set DH param, but failed");
daemon_remote_delete(rc);
return NULL;
}
return rc;
@ -359,8 +381,12 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
if(fd != -1) {
#ifdef HAVE_CHOWN
if (cfg->username && cfg->username[0] &&
cfg_uid != (uid_t)-1)
chown(ip, cfg_uid, cfg_gid);
cfg_uid != (uid_t)-1) {
if(chown(ip, cfg_uid, cfg_gid) == -1)
log_err("cannot chown %u.%u %s: %s",
(unsigned)cfg_uid, (unsigned)cfg_gid,
ip, strerror(errno));
}
chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
#else
(void)cfg;

4
contrib/unbound/daemon/remote.h
View File

@ -56,8 +56,8 @@ struct comm_reply;
struct comm_point;
struct daemon_remote;
/** number of seconds timeout on incoming remote control handshake */
#define REMOTE_CONTROL_TCP_TIMEOUT 120
/** number of milliseconds timeout on incoming remote control handshake */
#define REMOTE_CONTROL_TCP_TIMEOUT 120000
/**
* a busy control command connection, SSL state

15
contrib/unbound/daemon/unbound.c
View File

@ -93,10 +93,13 @@ void* unbound_start_brk = 0;
#endif
/** print usage. */
static void usage()
static void usage(void)
{
const char** m;
const char *evnm="event", *evsys="", *evmethod="";
time_t t;
struct timeval now;
struct ub_event_base* base;
printf("usage: unbound [options]\n");
printf(" start unbound daemon DNS resolver.\n");
printf("-h this help\n");
@ -110,11 +113,16 @@ static void usage()
printf(" service - used to start from services control panel\n");
#endif
printf("Version %s\n", PACKAGE_VERSION);
ub_get_event_sys(NULL, &evnm, &evsys, &evmethod);
base = ub_default_event_base(0,&t,&now);
ub_get_event_sys(base, &evnm, &evsys, &evmethod);
printf("linked libs: %s %s (it uses %s), %s\n",
evnm, evsys, evmethod,
#ifdef HAVE_SSL
# ifdef SSLEAY_VERSION
SSLeay_version(SSLEAY_VERSION)
# else
OpenSSL_version(OPENSSL_VERSION)
# endif
#elif defined(HAVE_NSS)
NSS_GetVersion()
#elif defined(HAVE_NETTLE)
@ -127,6 +135,7 @@ static void usage()
printf("\n");
printf("BSD licensed, see LICENSE in source package for details.\n");
printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
ub_event_base_free(base);
}
#ifndef unbound_testbound
@ -539,7 +548,9 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
log_warn("unable to initgroups %s: %s",
cfg->username, strerror(errno));
# endif /* HAVE_INITGROUPS */
# ifdef HAVE_ENDPWENT
endpwent();
# endif
#ifdef HAVE_SETRESGID
if(setresgid(cfg_gid,cfg_gid,cfg_gid) != 0)

12
contrib/unbound/daemon/worker.c
View File

@ -773,6 +773,8 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
LDNS_QR_SET(sldns_buffer_begin(c->buffer));
LDNS_RCODE_SET(sldns_buffer_begin(c->buffer),
LDNS_RCODE_REFUSED);
sldns_buffer_set_position(c->buffer, LDNS_HEADER_SIZE);
sldns_buffer_flip(c->buffer);
return 1;
}
@ -804,6 +806,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
struct query_info qinfo;
struct edns_data edns;
enum acl_access acl;
struct acl_addr* acladdr;
int rc = 0;
if(error != NETEVENT_NOERROR) {
@ -816,8 +819,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
dt_msg_send_client_query(&worker->dtenv, &repinfo->addr, c->type,
c->buffer);
#endif
acl = acl_list_lookup(worker->daemon->acl, &repinfo->addr,
acladdr = acl_addr_lookup(worker->daemon->acl, &repinfo->addr,
repinfo->addrlen);
acl = acl_get_control(acladdr);
if((ret=deny_refuse_all(c, acl, worker, repinfo)) != -1)
{
if(ret == 1)
@ -941,7 +945,11 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
goto send_reply;
}
if(local_zones_answer(worker->daemon->local_zones, &qinfo, &edns,
c->buffer, worker->scratchpad, repinfo)) {
c->buffer, worker->scratchpad, repinfo,
acladdr->taglist, acladdr->taglen, acladdr->tag_actions,
acladdr->tag_actions_size, acladdr->tag_datas,
acladdr->tag_datas_size, worker->daemon->cfg->tagname,
worker->daemon->cfg->num_tags)) {
regional_free_all(worker->scratchpad);
if(sldns_buffer_limit(c->buffer) == 0) {
comm_point_drop_reply(repinfo);

2
contrib/unbound/dns64/dns64.c
View File

@ -872,7 +872,7 @@ static struct module_func_block dns64_block = {
* Function for returning the above function block.
*/
struct module_func_block *
dns64_get_funcblock()
dns64_get_funcblock(void)
{
return &dns64_block;
}

211
contrib/unbound/doc/Changelog
View File

@ -1,8 +1,219 @@
20 September 2016: Wouter
- iana portlist update.
- Fix #835: fix --disable-dsa with nettle verify.
- tag for 1.5.10rc1 release.
15 September 2016: Wouter
- Fix 883: error for duplicate local zone entry.
- Test for openssl init_crypto and init_ssl functions.
15 September 2016: Ralph
- fix potential memory leak in daemon/remote.c and nullpointer
dereference in validator/autotrust.
- iana portlist update.
13 September 2016: Wouter
- Silenced flex-generated sign-unsigned warning print with gcc
diagnostic pragma.
- Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
9 September 2016: Wouter
- Fix #831: workaround for spurious fread_chk warning against petal.c
5 September 2016: Ralph
- Take configured minimum TTL into consideration when reducing TTL
to original TTL from RRSIG.
5 September 2016: Wouter
- Fix #829: doc of sldns_wire2str_rdata_buf() return value has an
off-by-one typo, from Jinmei Tatuya (Infoblox).
- Fix incomplete prototypes reported by Dag-Erling Smørgrav.
- Fix #828: missing type in access-control-tag-action redirect results
in NXDOMAIN.
2 September 2016: Wouter
- Fix compile with openssl 1.1.0 with api=1.1.0.
1 September 2016: Wouter
- RFC 7958 is now out, updated docs for unbound-anchor.
- Fix for compile without warnings with openssl 1.1.0.
- Fix #826: Fix refuse_non_local could result in a broken response.
- iana portlist update.
29 August 2016: Wouter
- Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
Siewior.
- Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
25 August 2016: Ralph
- Clarify local-zone-override entry in unbound.conf.5
25 August 2016: Wouter
- 64bit build option for makedist windows compile, -w64.
24 August 2016: Ralph
- Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter
in each iteration in find_tag_datas().
- unbound.conf.5 entries for define-tag, access-control-tag,
access-control-tag-action, access-control-tag-data, local-zone-tag,
and local-zone-override.
23 August 2016: Wouter
- Fix #804: unbound stops responding after outage. Fixes queries
that attempt to wait for an empty list of subqueries.
- Fix #804: lower num_target_queries for iterator also for failed
lookups.
8 August 2016: Wouter
- Note that OPENPGPKEY type is RFC 7929.
4 August 2016: Wouter
- Fix #807: workaround for possible some "unused" function parameters
in test code, from Jinmei Tatuya.
3 August 2016: Wouter
- use sendmsg instead of sendto for TFO.
28 July 2016: Wouter
- Fix #806: wrong comment removed.
26 July 2016: Wouter
- nicer ratelimit-below-domain explanation.
22 July 2016: Wouter
- Fix #801: missing error condition handling in
daemon_create_workers().
- Fix #802: workaround for function parameters that are "unused"
without log_assert.
- Fix #803: confusing (and incorrect) code comment in daemon_cleanup().
20 July 2016: Wouter
- Fix typo in unbound.conf.
18 July 2016: Wouter
- Fix #798: Client-side TCP fast open fails (Linux).
14 July 2016: Wouter
- TCP Fast open patch from Sara Dickinson.
- Fixed unbound.doxygen for 1.8.11.
7 July 2016: Wouter
- access-control-tag-data implemented. verbose(4) prints tag debug.
5 July 2016: Wouter
- Fix dynamic link of anchor-update.exe on windows.
- Fix detect of mingw for MXE package build.
- Fixes for 64bit windows compile.
- Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and
--with-libunbound-only --with-nettle.
4 July 2016: Wouter
- For #787: prefer-ip6 option for unbound.conf prefers to send
upstream queries to ipv6 servers.
- Fix #787: outgoing-interface netblock/64 ipv6 option to use linux
freebind to use 64bits of entropy for every query with random local
part.
30 June 2016: Wouter
- Document always_transparent, always_refuse, always_nxdomain types.
29 June 2016: Wouter
- Fix static compile on windows missing gdi32.
28 June 2016: Wouter
- Create a pkg-config file for libunbound in contrib.
27 June 2016: Wouter
- Fix #784: Build configure assumess that having getpwnam means there
is endpwent function available.
- Updated repository with newer flex and bison output.
24 June 2016: Ralph
- Possibility to specify local-zone type for an acl/tag pair
- Possibility to specify (override) local-zone type for a source address
block
16 June 2016: Ralph
- Decrease dp attempts at each QNAME minimisation iteration
16 June 2016: Wouter
- Fix tcp timeouts in tv.usec.
15 June 2016: Wouter
- TCP_TIMEOUT is specified in milliseconds.
- If more than half of tcp connections are in use, a shorter timeout
is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
14 June 2016: Ralph
- QNAME minimisation unit test for dropped QTYPE=A queries.
14 June 2016: Wouter
- Fix 775: unbound-host and unbound-anchor crash on windows, ignore
null delete for wsaevent.
- Fix spelling in freebind option man page text.
- Fix windows link of ssl with crypt32.
- Fix 779: Union casting is non-portable.
- Fix 780: MAP_ANON not defined in HP-UX 11.31.
- Fix 781: prealloc() is an HP-UX system library call.
13 June 2016: Ralph
- Use QTYPE=A for QNAME minimisation.
- Keep track of number of time-outs when performing QNAME minimisation.
Stop minimising when number of time-outs for a QNAME/QTYPE pair is
more than three.
13 June 2016: Wouter
- Fix #778: unbound 1.5.9: -h segfault (null deref).
- Fix directory: fix for unbound-checkconf, it restores cwd.
10 June 2016: Wouter
- And delete service.conf.shipped on uninstall.
- In unbound.conf directory: dir immediately changes to that directory,
so that include: file below that is relative to that directory.
With chroot, make the directory an absolute path inside chroot.
- keep debug symbols in windows build.
- do not delete service.conf on windows uninstall.
- document directory immediate fix and allow EXECUTABLE syntax in it
on windows.
9 June 2016: Wouter
- Trunk is called 1.5.10 (with previous fixes already in there to 2
june).
- Revert fix for NetworkService account on windows due to breakage
it causes.
- Fix that windows install will not overwrite existing service.conf
file (and ignore gui config choices if it exists).
7 June 2016: Ralph
- Lookup localzones by taglist from acl.
- Possibility to lookup local_zone, regardless the taglist.
- Added local_zone/taglist/acl unit test.
7 June 2016: Wouter
- Fix #773: Non-standard Python location build failure with pyunbound.
- Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
6 June 2016: Wouter
- Better help text from -h (from Ray Griffith).
- access-control-tag config directive.
- local-zone-override config directive.
- access-control-tag-action and access-control-tag-data config
directives.
- free acl-tags, acltag-action and acltag-data config lists during
initialisation to free up memory for more entries.
3 June 2016: Wouter
- Fix to not ignore return value of chown() in daemon startup.
2 June 2016: Wouter
- Fix libubound for edns optlist feature.
- Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc.
- Fix #752: retry resource temporarily unavailable on control pipe.
- un-document localzone tags.
- tag for release 1.5.9rc1.
And this also became release 1.5.9.
- Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to
Program Files with (x86) appended.
- re-documented localzone tags in example.conf.
31 May 2016: Wouter
- Fix windows service to be created run with limited rights, as a

2
contrib/unbound/doc/README
View File

@ -1,4 +1,4 @@
README for Unbound 1.5.9
README for Unbound 1.5.10
Copyright 2007 NLnet Labs
http://unbound.net

42
contrib/unbound/doc/example.conf
View File

@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.5.9.
# See unbound.conf(5) man page, version 1.5.10.
#
# this is a comment.
@ -52,6 +52,15 @@ server:
# outgoing-interface: 192.0.2.153
# outgoing-interface: 2001:DB8::5
# outgoing-interface: 2001:DB8::6
# Specify a netblock to use remainder 64 bits as random bits for
# upstream queries. Uses freebind option (Linux).
# outgoing-interface: 2001:DB8::/64
# Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
# And: ip -6 route add local 2001:db8::/64 dev lo
# And set prefer-ip6: yes to use the ip6 randomness from a netblock.
# Set this to yes to prefer ipv6 upstream servers over ipv4.
# prefer-ip6: no
# number of ports to allocate per thread, determines the size of the
# port range that can be open simultaneously. About double the
@ -162,6 +171,10 @@ server:
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000
# define a number of tags here, use with local-zone, access-control.
# repeat the define-tag statement to add additional tags.
# define-tag: "tag1 tag2 tag3"
# Enable IPv4, "yes" or "no".
# do-ip4: yes
@ -203,6 +216,20 @@ server:
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
# tag access-control with list of tags (in "" with spaces between)
# Clients using this access control element use localzones that
# are tagged with one of these tags.
# access-control-tag: 192.0.2.0/24 "tag2 tag3"
# set action for particular tag for given access control element
# if you have multiple tag values, the tag used to lookup the action
# is the first tag match between access-control-tag and local-zone-tag
# where "first" comes from the order of the define-tag values.
# access-control-tag-action: 192.0.2.0/24 tag3 refuse
# set redirect data for particular tag for access control element
# access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory.
@ -236,6 +263,8 @@ server:
# the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
# is not changed.
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
# directory: "/var/unbound"
# the log file, "" means log to stderr.
@ -322,6 +351,7 @@ server:
# Domains (and domains in them) without support for dns-0x20 and
# the fallback fails because they keep sending different answers.
# caps-whitelist: "licdn.com"
# caps-whitelist: "senderbase.org"
# Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus.
@ -550,6 +580,8 @@ server:
# o typetransparent resolves normally for other types and other names
# o inform resolves normally, but logs client IP address
# o inform_deny drops queries and logs client IP address
# o always_transparent, always_refuse, always_nxdomain, resolve in
# that way but ignore local data for that name.
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
@ -576,6 +608,12 @@ server:
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
# tag a localzone with a list of tag names (in "" with spaces between)
# local-zone-tag: "example.com" "tag2 tag3"
# add a netblock specific override to a localzone, with zone type
# local-zone-override: "example.com" 192.0.2.0/24 refuse
# service clients over SSL (on the TCP sockets), with plain DNS inside
# the SSL stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
@ -609,7 +647,7 @@ server:
# ratelimit-for-domain: example.com 1000
# override the ratelimits for all domains below a domain name
# can give this multiple times, the name closest to the zone is used.
# ratelimit-below-domain: example 1000
# ratelimit-below-domain: com 1000
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.

42
contrib/unbound/doc/example.conf.in
View File

@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.5.9.
# See unbound.conf(5) man page, version 1.5.10.
#
# this is a comment.
@ -52,6 +52,15 @@ server:
# outgoing-interface: 192.0.2.153
# outgoing-interface: 2001:DB8::5
# outgoing-interface: 2001:DB8::6
# Specify a netblock to use remainder 64 bits as random bits for
# upstream queries. Uses freebind option (Linux).
# outgoing-interface: 2001:DB8::/64
# Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
# And: ip -6 route add local 2001:db8::/64 dev lo
# And set prefer-ip6: yes to use the ip6 randomness from a netblock.
# Set this to yes to prefer ipv6 upstream servers over ipv4.
# prefer-ip6: no
# number of ports to allocate per thread, determines the size of the
# port range that can be open simultaneously. About double the
@ -162,6 +171,10 @@ server:
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000
# define a number of tags here, use with local-zone, access-control.
# repeat the define-tag statement to add additional tags.
# define-tag: "tag1 tag2 tag3"
# Enable IPv4, "yes" or "no".
# do-ip4: yes
@ -203,6 +216,20 @@ server:
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
# tag access-control with list of tags (in "" with spaces between)
# Clients using this access control element use localzones that
# are tagged with one of these tags.
# access-control-tag: 192.0.2.0/24 "tag2 tag3"
# set action for particular tag for given access control element
# if you have multiple tag values, the tag used to lookup the action
# is the first tag match between access-control-tag and local-zone-tag
# where "first" comes from the order of the define-tag values.
# access-control-tag-action: 192.0.2.0/24 tag3 refuse
# set redirect data for particular tag for access control element
# access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory.
@ -236,6 +263,8 @@ server:
# the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
# is not changed.
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
# directory: "@UNBOUND_RUN_DIR@"
# the log file, "" means log to stderr.
@ -322,6 +351,7 @@ server:
# Domains (and domains in them) without support for dns-0x20 and
# the fallback fails because they keep sending different answers.
# caps-whitelist: "licdn.com"
# caps-whitelist: "senderbase.org"
# Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus.
@ -550,6 +580,8 @@ server:
# o typetransparent resolves normally for other types and other names
# o inform resolves normally, but logs client IP address
# o inform_deny drops queries and logs client IP address
# o always_transparent, always_refuse, always_nxdomain, resolve in
# that way but ignore local data for that name.
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
@ -576,6 +608,12 @@ server:
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
# tag a localzone with a list of tag names (in "" with spaces between)
# local-zone-tag: "example.com" "tag2 tag3"
# add a netblock specific override to a localzone, with zone type
# local-zone-override: "example.com" 192.0.2.0/24 refuse
# service clients over SSL (on the TCP sockets), with plain DNS inside
# the SSL stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
@ -609,7 +647,7 @@ server:
# ratelimit-for-domain: example.com 1000
# override the ratelimits for all domains below a domain name
# can give this multiple times, the name closest to the zone is used.
# ratelimit-below-domain: example 1000
# ratelimit-below-domain: com 1000
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.

4
contrib/unbound/doc/libunbound.3
View File

@ -1,4 +1,4 @@
.TH "libunbound" "3" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "libunbound" "3" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.5.9 functions.
\- Unbound DNS validating resolver 1.5.10 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP

4
contrib/unbound/doc/libunbound.3.in
View File

@ -1,4 +1,4 @@
.TH "libunbound" "3" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "libunbound" "3" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.5.9 functions.
\- Unbound DNS validating resolver 1.5.10 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP

8
contrib/unbound/doc/unbound-anchor.8
View File

@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "unbound-anchor" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
@ -16,6 +16,8 @@
.SH "DESCRIPTION"
.B Unbound\-anchor
performs setup or update of the root trust anchor for DNSSEC validation.
The program fetches the trust anchor with the method from RFC7958 when
regular RFC5011 update fails to bring it up to date.
It can be run (as root) from the commandline, or run as part of startup
scripts. Before you start the \fIunbound\fR(8) DNS server.
.P
@ -39,8 +41,8 @@ update certificate files.
.P
It tests if the root anchor file works, and if not, and an update is possible,
attempts to update the root anchor using the root update certificate.
It performs a https fetch of root-anchors.xml and checks the results, if
all checks are successful, it updates the root anchor file. Otherwise
It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
if all checks are successful, it updates the root anchor file. Otherwise
the root anchor file is unchanged. It performs RFC5011 tracking if the
DNSSEC information available via the DNS makes that possible.
.P

8
contrib/unbound/doc/unbound-anchor.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "unbound-anchor" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
@ -16,6 +16,8 @@
.SH "DESCRIPTION"
.B Unbound\-anchor
performs setup or update of the root trust anchor for DNSSEC validation.
The program fetches the trust anchor with the method from RFC7958 when
regular RFC5011 update fails to bring it up to date.
It can be run (as root) from the commandline, or run as part of startup
scripts. Before you start the \fIunbound\fR(8) DNS server.
.P
@ -39,8 +41,8 @@ update certificate files.
.P
It tests if the root anchor file works, and if not, and an update is possible,
attempts to update the root anchor using the root update certificate.
It performs a https fetch of root-anchors.xml and checks the results, if
all checks are successful, it updates the root anchor file. Otherwise
It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
if all checks are successful, it updates the root anchor file. Otherwise
the root anchor file is unchanged. It performs RFC5011 tracking if the
DNSSEC information available via the DNS makes that possible.
.P

2
contrib/unbound/doc/unbound-checkconf.8
View File

@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "unbound-checkconf" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"

2
contrib/unbound/doc/unbound-checkconf.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "unbound-checkconf" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"

2
contrib/unbound/doc/unbound-control.8
View File

@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "unbound-control" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"

2
contrib/unbound/doc/unbound-control.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "unbound-control" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"

2
contrib/unbound/doc/unbound-host.1
View File

@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "unbound\-host" "1" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"

2
contrib/unbound/doc/unbound-host.1.in
View File

@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "unbound\-host" "1" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"

4
contrib/unbound/doc/unbound.8
View File

@ -1,4 +1,4 @@
.TH "unbound" "8" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "unbound" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.5.9.
\- Unbound DNS validating resolver 1.5.10.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]

4
contrib/unbound/doc/unbound.8.in
View File

@ -1,4 +1,4 @@
.TH "unbound" "8" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "unbound" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.5.9.
\- Unbound DNS validating resolver 1.5.10.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]

76
contrib/unbound/doc/unbound.conf.5
View File

@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "unbound.conf" "5" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -72,7 +72,8 @@ Processing continues as if the text from the included file was copied into
the config file at that point. If also using chroot, using full path names
for the included files works, relative pathnames for the included names work
if the directory where the daemon is started equals its chroot/working
directory. Wildcards can be used to include multiple files, see \fIglob\fR(7).
directory or is specified before the include statement with directory: dir.
Wildcards can be used to include multiple files, see \fIglob\fR(7).
.SS "Server Options"
These options are part of the
.B server:
@ -126,7 +127,7 @@ Detect source interface on UDP queries and copy them to replies. This
feature is experimental, and needs support in your OS for particular socket
options. Default value is no.
.TP
.B outgoing\-interface: \fI<ip address>
.B outgoing\-interface: \fI<ip address or ip6 netblock>
Interface to use to connect to the network. This interface is used to send
queries to authoritative servers and receive their replies. Can be given
multiple times to work on several interfaces. If none are given the
@ -136,12 +137,28 @@ and
.B outgoing\-interface:
lines, the interfaces are then used for both purposes. Outgoing queries are
sent via a random outgoing interface to counter spoofing.
.IP
If an IPv6 netblock is specified instead of an individual IPv6 address,
outgoing UDP queries will use a randomised source address taken from the
netblock to counter spoofing. Requires the IPv6 netblock to be routed to the
host running unbound, and requires OS support for unprivileged non-local binds
(currently only supported on Linux). Several netblocks may be specified with
multiple
.B outgoing\-interface:
options, but do not specify both an individual IPv6 address and an IPv6
netblock, or the randomisation will be compromised. Consider combining with
.B prefer\-ip6: yes
to increase the likelihood of IPv6 nameservers being selected for queries.
On Linux you need these two commands to be able to use the freebind socket
option to receive traffic for the ip6 netblock:
ip -6 addr add mynetblock/64 dev lo &&
ip -6 route add local mynetblock/64 dev lo
.TP
.B outgoing\-range: \fI<number>
Number of ports to open. This number of file descriptors can be opened per
thread. Must be at least 1. Default depends on compile options. Larger
numbers need extra resources from the operating system. For performance a
a very large value is best, use libevent to make this possible.
very large value is best, use libevent to make this possible.
.TP
.B outgoing\-port\-permit: \fI<port number or range>
Permit unbound to open this port or range of ports for use to send queries.
@ -281,7 +298,7 @@ permissions on some systems. The option uses IP_BINDANY on FreeBSD systems.
If yes, then use IP_FREEBIND socket option on sockets where unbound
is listening to incoming traffic. Default no. Allows you to bind to
IP addresses that are nonlocal or do not exist, like when the network
interface or IP adress is down. Exists only on Linux, where the similar
interface or IP address is down. Exists only on Linux, where the similar
ip\-transparent option is also available.
.TP
.B rrset\-cache\-size: \fI<number>
@ -329,6 +346,10 @@ Lower limit for dynamic retransmit timeout calculation in infrastructure
cache. Default is 50 milliseconds. Increase this value if using forwarders
needing more time to do recursive name resolution.
.TP
.B define\-tag: \fI<"list of tags">
Define the tags that can be used with local\-zone and access\-control.
Enclose the list between quotes ("") and put spaces between tags.
.TP
.B do\-ip4: \fI<yes or no>
Enable or disable whether ip4 queries are answered or issued. Default is yes.
.TP
@ -339,6 +360,10 @@ IPv6 to the internet nameservers. With this option you can disable the
ipv6 transport for sending DNS traffic, it does not impact the contents of
the DNS traffic, which may have ip4 and ip6 addresses in it.
.TP
.B prefer\-ip6: \fI<yes or no>
If enabled, prefer IPv6 transport for sending DNS queries to internet
nameservers. Default is no.
.TP
.B do\-udp: \fI<yes or no>
Enable or disable whether UDP queries are answered or issued. Default is yes.
.TP
@ -432,6 +457,23 @@ allowed full recursion but only the static data. With deny_non_local,
messages that are disallowed are dropped, with refuse_non_local they
receive error code REFUSED.
.TP
.B access\-control\-tag: \fI<IP netblock> <"list of tags">
Assign tags to access-control elements. Clients using this access control
element use localzones that are tagged with one of these tags. Tags must be
defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put
spaces between tags. If access\-control\-tag is configured for a netblock that
does not have an access\-control, an access\-control element with action
\fIallow\fR is configured for this netblock.
.TP
.B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
Set action for particular tag for given access control element. If you have
multiple tag values, the tag used to lookup the action is the first tag match
between access\-control\-tag and local\-zone\-tag where "first" comes from the
order of the define-tag values.
.TP
.B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
Set redirect data for particular tag for given access control element.
.TP
.B chroot: \fI<directory>
If chroot is enabled, you should pass the configfile (from the
commandline) as a full path from the original root. After the
@ -469,6 +511,8 @@ requires privileges, then a reload will fail; a restart is needed.
Sets the working directory for the program. Default is "/var/unbound".
On Windows the string "%EXECUTABLE%" tries to change to the directory
that unbound.exe resides in.
If you give a server: directory: dir before include: file statements
then those includes can be relative to the working directory.
.TP
.B logfile: \fI<filename>
If "" is given, logging goes to stderr, or nowhere once daemonized.
@ -883,6 +927,7 @@ address space are not validated. This is usually required whenever
Configure a local zone. The type determines the answer to give if
there is no match from local\-data. The types are deny, refuse, static,
transparent, redirect, nodefault, typetransparent, inform, inform_deny,
always_transparent, always_refuse, always_nxdomain,
and are explained below. After that the default settings are listed. Use
local\-data: to enter data into the local zone. Answers for local zones
are authoritative DNS answers. By default the zones are class IN.
@ -943,6 +988,15 @@ logged, eg. to run antivirus on them.
The query is dropped, like 'deny', and logged, like 'inform'. Ie. find
infected machines without answering the queries.
.TP 10
\h'5'\fIalways_transparent\fR
Like transparent, but ignores local data and resolves normally.
.TP 10
\h'5'\fIalways_refuse\fR
Like refuse, but ignores local data and refuses the query.
.TP 10
\h'5'\fIalways_nxdomain\fR
Like static, but ignores local data and returns nxdomain for the query.
.TP 10
\h'5'\fInodefault\fR
Used to turn off default contents for AS112 zones. The other types
also turn off default contents for the zone. The 'nodefault' option
@ -1060,6 +1114,18 @@ Configure local data shorthand for a PTR record with the reversed IPv4 or
IPv6 address and the host name. For example "192.0.2.4 www.example.com".
TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
.TP 5
.B local\-zone\-tag: \fI<zone> <"list of tags">
Assign tags to localzones. Tagged localzones will only be applied when the
used access-control element has a matching tag. Tags must be defined in
\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
tags.
.TP 5
.B local\-zone\-override: \fI<zone> <IP netblock> <type>
Override the localzone type for queries from addresses matching netblock.
Use this localzone type, regardless the type configured for the local-zone
(both tagged and untagged) and regardless the type configured using
access\-control\-tag\-action.
.TP 5
.B ratelimit: \fI<number or 0>
Enable ratelimiting of queries sent to nameserver for performing recursion.
If 0, the default, it is disabled. This option is experimental at this time.

76
contrib/unbound/doc/unbound.conf.5.in
View File

@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.TH "unbound.conf" "5" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -72,7 +72,8 @@ Processing continues as if the text from the included file was copied into
the config file at that point. If also using chroot, using full path names
for the included files works, relative pathnames for the included names work
if the directory where the daemon is started equals its chroot/working
directory. Wildcards can be used to include multiple files, see \fIglob\fR(7).
directory or is specified before the include statement with directory: dir.
Wildcards can be used to include multiple files, see \fIglob\fR(7).
.SS "Server Options"
These options are part of the
.B server:
@ -126,7 +127,7 @@ Detect source interface on UDP queries and copy them to replies. This
feature is experimental, and needs support in your OS for particular socket
options. Default value is no.
.TP
.B outgoing\-interface: \fI<ip address>
.B outgoing\-interface: \fI<ip address or ip6 netblock>
Interface to use to connect to the network. This interface is used to send
queries to authoritative servers and receive their replies. Can be given
multiple times to work on several interfaces. If none are given the
@ -136,12 +137,28 @@ and
.B outgoing\-interface:
lines, the interfaces are then used for both purposes. Outgoing queries are
sent via a random outgoing interface to counter spoofing.
.IP
If an IPv6 netblock is specified instead of an individual IPv6 address,
outgoing UDP queries will use a randomised source address taken from the
netblock to counter spoofing. Requires the IPv6 netblock to be routed to the
host running unbound, and requires OS support for unprivileged non-local binds
(currently only supported on Linux). Several netblocks may be specified with
multiple
.B outgoing\-interface:
options, but do not specify both an individual IPv6 address and an IPv6
netblock, or the randomisation will be compromised. Consider combining with
.B prefer\-ip6: yes
to increase the likelihood of IPv6 nameservers being selected for queries.
On Linux you need these two commands to be able to use the freebind socket
option to receive traffic for the ip6 netblock:
ip -6 addr add mynetblock/64 dev lo &&
ip -6 route add local mynetblock/64 dev lo
.TP
.B outgoing\-range: \fI<number>
Number of ports to open. This number of file descriptors can be opened per
thread. Must be at least 1. Default depends on compile options. Larger
numbers need extra resources from the operating system. For performance a
a very large value is best, use libevent to make this possible.
very large value is best, use libevent to make this possible.
.TP
.B outgoing\-port\-permit: \fI<port number or range>
Permit unbound to open this port or range of ports for use to send queries.
@ -281,7 +298,7 @@ permissions on some systems. The option uses IP_BINDANY on FreeBSD systems.
If yes, then use IP_FREEBIND socket option on sockets where unbound
is listening to incoming traffic. Default no. Allows you to bind to
IP addresses that are nonlocal or do not exist, like when the network
interface or IP adress is down. Exists only on Linux, where the similar
interface or IP address is down. Exists only on Linux, where the similar
ip\-transparent option is also available.
.TP
.B rrset\-cache\-size: \fI<number>
@ -329,6 +346,10 @@ Lower limit for dynamic retransmit timeout calculation in infrastructure
cache. Default is 50 milliseconds. Increase this value if using forwarders
needing more time to do recursive name resolution.
.TP
.B define\-tag: \fI<"list of tags">
Define the tags that can be used with local\-zone and access\-control.
Enclose the list between quotes ("") and put spaces between tags.
.TP
.B do\-ip4: \fI<yes or no>
Enable or disable whether ip4 queries are answered or issued. Default is yes.
.TP
@ -339,6 +360,10 @@ IPv6 to the internet nameservers. With this option you can disable the
ipv6 transport for sending DNS traffic, it does not impact the contents of
the DNS traffic, which may have ip4 and ip6 addresses in it.
.TP
.B prefer\-ip6: \fI<yes or no>
If enabled, prefer IPv6 transport for sending DNS queries to internet
nameservers. Default is no.
.TP
.B do\-udp: \fI<yes or no>
Enable or disable whether UDP queries are answered or issued. Default is yes.
.TP
@ -432,6 +457,23 @@ allowed full recursion but only the static data. With deny_non_local,
messages that are disallowed are dropped, with refuse_non_local they
receive error code REFUSED.
.TP
.B access\-control\-tag: \fI<IP netblock> <"list of tags">
Assign tags to access-control elements. Clients using this access control
element use localzones that are tagged with one of these tags. Tags must be
defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put
spaces between tags. If access\-control\-tag is configured for a netblock that
does not have an access\-control, an access\-control element with action
\fIallow\fR is configured for this netblock.
.TP
.B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
Set action for particular tag for given access control element. If you have
multiple tag values, the tag used to lookup the action is the first tag match
between access\-control\-tag and local\-zone\-tag where "first" comes from the
order of the define-tag values.
.TP
.B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
Set redirect data for particular tag for given access control element.
.TP
.B chroot: \fI<directory>
If chroot is enabled, you should pass the configfile (from the
commandline) as a full path from the original root. After the
@ -469,6 +511,8 @@ requires privileges, then a reload will fail; a restart is needed.
Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
On Windows the string "%EXECUTABLE%" tries to change to the directory
that unbound.exe resides in.
If you give a server: directory: dir before include: file statements
then those includes can be relative to the working directory.
.TP
.B logfile: \fI<filename>
If "" is given, logging goes to stderr, or nowhere once daemonized.
@ -883,6 +927,7 @@ address space are not validated. This is usually required whenever
Configure a local zone. The type determines the answer to give if
there is no match from local\-data. The types are deny, refuse, static,
transparent, redirect, nodefault, typetransparent, inform, inform_deny,
always_transparent, always_refuse, always_nxdomain,
and are explained below. After that the default settings are listed. Use
local\-data: to enter data into the local zone. Answers for local zones
are authoritative DNS answers. By default the zones are class IN.
@ -943,6 +988,15 @@ logged, eg. to run antivirus on them.
The query is dropped, like 'deny', and logged, like 'inform'. Ie. find
infected machines without answering the queries.
.TP 10
\h'5'\fIalways_transparent\fR
Like transparent, but ignores local data and resolves normally.
.TP 10
\h'5'\fIalways_refuse\fR
Like refuse, but ignores local data and refuses the query.
.TP 10
\h'5'\fIalways_nxdomain\fR
Like static, but ignores local data and returns nxdomain for the query.
.TP 10
\h'5'\fInodefault\fR
Used to turn off default contents for AS112 zones. The other types
also turn off default contents for the zone. The 'nodefault' option
@ -1060,6 +1114,18 @@ Configure local data shorthand for a PTR record with the reversed IPv4 or
IPv6 address and the host name. For example "192.0.2.4 www.example.com".
TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
.TP 5
.B local\-zone\-tag: \fI<zone> <"list of tags">
Assign tags to localzones. Tagged localzones will only be applied when the
used access-control element has a matching tag. Tags must be defined in
\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
tags.
.TP 5
.B local\-zone\-override: \fI<zone> <IP netblock> <type>
Override the localzone type for queries from addresses matching netblock.
Use this localzone type, regardless the type configured for the local-zone
(both tagged and untagged) and regardless the type configured using
access\-control\-tag\-action.
.TP 5
.B ratelimit: \fI<number or 0>
Enable ratelimiting of queries sent to nameserver for performing recursion.
If 0, the default, it is disabled. This option is experimental at this time.

4
contrib/unbound/doc/unbound.doxygen
View File

@ -623,7 +623,9 @@ EXCLUDE = ./build \
pythonmod/examples/resip.py \
libunbound/python/unbound.py \
libunbound/python/libunbound_wrap.c \
./ldns-src
./ldns-src \
doc/control_proto_spec.txt \
doc/requirements.txt
# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
# directories that are symbolic links (a Unix filesystem feature) are excluded

1
contrib/unbound/iterator/iter_hints.c
View File

@ -147,6 +147,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:84::b")) goto failed;
if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
if(!ah(dp, "F.ROOT-SERVERS.NET.", "2001:500:2f::f")) goto failed;
if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::53")) goto failed;
if(!ah(dp, "I.ROOT-SERVERS.NET.", "2001:7fe::53")) goto failed;

33
contrib/unbound/iterator/iter_utils.c
View File

@ -360,6 +360,39 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
}
}
*selected_rtt = low_rtt;
if (env->cfg->prefer_ip6) {
int got_num6 = 0;
int low_rtt6 = 0;
int i;
prev = NULL;
a = dp->result_list;
for(i = 0; i < got_num; i++) {
swap_to_front = 0;
if(a->addr.ss_family == AF_INET6) {
got_num6++;
swap_to_front = 1;
if(low_rtt6 == 0 || a->sel_rtt < low_rtt6) {
low_rtt6 = a->sel_rtt;
}
}
/* swap to front if IPv6, or move to next result */
if(swap_to_front && prev) {
n = a->next_result;
prev->next_result = n;
a->next_result = dp->result_list;
dp->result_list = a;
a = n;
} else {
prev = a;
a = a->next_result;
}
}
if(got_num6 > 0) {
got_num = got_num6;
*selected_rtt = low_rtt6;
}
}
return got_num;
}

38
contrib/unbound/iterator/iterator.c
View File

@ -148,6 +148,7 @@ iter_new(struct module_qstate* qstate, int id)
iq->qchase = qstate->qinfo;
outbound_list_init(&iq->outlist);
iq->minimise_count = 0;
iq->minimise_timeout_count = 0;
if (qstate->env->cfg->qname_minimisation)
iq->minimisation_state = INIT_MINIMISE_STATE;
else
@ -215,6 +216,7 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
/* mark address as failed. */
struct delegpt_ns* dpns = NULL;
super_iq->num_target_queries--;
if(super_iq->dp)
dpns = delegpt_find_ns(super_iq->dp,
qstate->qinfo.qname, qstate->qinfo.qname_len);
@ -234,7 +236,6 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
log_err("out of memory adding missing");
}
dpns->resolved = 1; /* mark as failed */
super_iq->num_target_queries--;
}
if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS) {
/* prime failed to get delegation */
@ -2008,7 +2009,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->dp->name))) {
iq->qinfo_out.qname = iq->dp->name;
iq->qinfo_out.qname_len = iq->dp->namelen;
iq->qinfo_out.qtype = LDNS_RR_TYPE_NS;
iq->qinfo_out.qtype = LDNS_RR_TYPE_A;
iq->qinfo_out.qclass = iq->qchase.qclass;
iq->minimise_count = 0;
}
@ -2023,6 +2024,9 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->qinfo_out.qname = iq->qchase.qname;
iq->qinfo_out.qname_len = iq->qchase.qname_len;
iq->minimise_count++;
iq->minimise_timeout_count = 0;
iter_dec_attempts(iq->dp, 1);
/* Limit number of iterations for QNAMEs with more
* than MAX_MINIMISE_COUNT labels. Send first MINIMISE_ONE_LAB
@ -2059,8 +2063,9 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
&iq->qinfo_out.qname_len,
labdiff-1);
}
if(labdiff < 1 ||
(labdiff < 2 && iq->qchase.qtype == LDNS_RR_TYPE_DS))
if(labdiff < 1 || (labdiff < 2
&& (iq->qchase.qtype == LDNS_RR_TYPE_DS
|| iq->qchase.qtype == LDNS_RR_TYPE_A)))
/* Stop minimising this query, resolve "as usual" */
iq->minimisation_state = DONOT_MINIMISE_STATE;
else {
@ -2077,10 +2082,17 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
return 1;
}
}
if(iq->minimisation_state == SKIP_MINIMISE_STATE)
/* Do not increment qname, continue incrementing next
* iteration */
iq->minimisation_state = MINIMISE_STATE;
if(iq->minimisation_state == SKIP_MINIMISE_STATE) {
iq->minimise_timeout_count++;
if(iq->minimise_timeout_count < MAX_MINIMISE_TIMEOUT_COUNT)
/* Do not increment qname, continue incrementing next
* iteration */
iq->minimisation_state = MINIMISE_STATE;
else
/* Too many time-outs detected for this QNAME and QTYPE.
* We give up, disable QNAME minimisation. */
iq->minimisation_state = DONOT_MINIMISE_STATE;
}
if(iq->minimisation_state == DONOT_MINIMISE_STATE)
iq->qinfo_out = iq->qchase;
@ -2158,7 +2170,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
iq->num_current_queries--;
if(iq->response == NULL) {
/* Don't increment qname when QNAME minimisation is enabled */
if (qstate->env->cfg->qname_minimisation)
if(qstate->env->cfg->qname_minimisation)
iq->minimisation_state = SKIP_MINIMISE_STATE;
iq->chase_to_rd = 0;
iq->dnssec_lame_query = 0;
@ -2649,6 +2661,10 @@ processTargetResponse(struct module_qstate* qstate, int id,
log_query_info(VERB_ALGO, "processTargetResponse", &qstate->qinfo);
log_query_info(VERB_ALGO, "processTargetResponse super", &forq->qinfo);
/* Tell the originating event that this target query has finished
* (regardless if it succeeded or not). */
foriq->num_target_queries--;
/* check to see if parent event is still interested (in orig name). */
if(!foriq->dp) {
verbose(VERB_ALGO, "subq: parent not interested, was reset");
@ -2664,10 +2680,6 @@ processTargetResponse(struct module_qstate* qstate, int id,
return;
}
/* Tell the originating event that this target query has finished
* (regardless if it succeeded or not). */
foriq->num_target_queries--;
/* if iq->query_for_pside_glue then add the pside_glue (marked lame) */
if(iq->pside_glue) {
/* if the pside_glue is NULL, then it could not be found,

8
contrib/unbound/iterator/iterator.h
View File

@ -69,6 +69,9 @@ struct rbtree_t;
* QNAMEs with a lot of labels.
*/
#define MAX_MINIMISE_COUNT 10
/* max number of time-outs for minimised query. Prevents resolving failures
* when the QNAME minimisation QTYPE is blocked. */
#define MAX_MINIMISE_TIMEOUT_COUNT 3
/**
* number of labels from QNAME that are always send individually when using
* QNAME minimisation, even when the number of labels of the QNAME is bigger
@ -377,6 +380,11 @@ struct iter_qstate {
* outgoing queries when QNAME minimisation is enabled.
*/
int minimise_count;
/**
* Count number of time-outs. Used to prevent resolving failures when
* the QNAME minimisation QTYPE is blocked. */
int minimise_timeout_count;
};
/**

9
contrib/unbound/libunbound/libworker.c
View File

@ -608,7 +608,8 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
sldns_buffer_write_u16_at(w->back->udp_buff, 0, qid);
sldns_buffer_write_u16_at(w->back->udp_buff, 2, qflags);
if(local_zones_answer(ctx->local_zones, &qinfo, &edns,
w->back->udp_buff, w->env->scratch, NULL)) {
w->back->udp_buff, w->env->scratch, NULL, NULL, 0, NULL, 0,
NULL, 0, NULL, 0)) {
regional_free_all(w->env->scratch);
libworker_fillup_fg(q, LDNS_RCODE_NOERROR,
w->back->udp_buff, sec_status_insecure, NULL);
@ -678,7 +679,8 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
sldns_buffer_write_u16_at(w->back->udp_buff, 0, qid);
sldns_buffer_write_u16_at(w->back->udp_buff, 2, qflags);
if(local_zones_answer(ctx->local_zones, &qinfo, &edns,
w->back->udp_buff, w->env->scratch, NULL)) {
w->back->udp_buff, w->env->scratch, NULL, NULL, 0, NULL, 0,
NULL, 0, NULL, 0)) {
regional_free_all(w->env->scratch);
free(qinfo.qname);
libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
@ -798,7 +800,8 @@ handle_newq(struct libworker* w, uint8_t* buf, uint32_t len)
sldns_buffer_write_u16_at(w->back->udp_buff, 0, qid);
sldns_buffer_write_u16_at(w->back->udp_buff, 2, qflags);
if(local_zones_answer(w->ctx->local_zones, &qinfo, &edns,
w->back->udp_buff, w->env->scratch, NULL)) {
w->back->udp_buff, w->env->scratch, NULL, NULL, 0, NULL, 0,
NULL, 0, NULL, 0)) {
regional_free_all(w->env->scratch);
q->msg_security = sec_status_insecure;
add_bg_result(w, q, w->back->udp_buff, UB_NOERROR, NULL);

40
contrib/unbound/services/listen_dnsport.c
View File

@ -43,6 +43,9 @@
# include <sys/types.h>
#endif
#include <sys/time.h>
#ifdef USE_TCP_FASTOPEN
#include <netinet/tcp.h>
#endif
#include "services/listen_dnsport.h"
#include "services/outside_network.h"
#include "util/netevent.h"
@ -184,14 +187,6 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
#else
(void)reuseport;
#endif /* defined(SO_REUSEPORT) */
#ifdef IP_FREEBIND
if (freebind &&
setsockopt(s, IPPROTO_IP, IP_FREEBIND, (void*)&on,
(socklen_t)sizeof(on)) < 0) {
log_warn("setsockopt(.. IP_FREEBIND ..) failed: %s",
strerror(errno));
}
#endif /* IP_FREEBIND */
#ifdef IP_TRANSPARENT
if (transparent &&
setsockopt(s, IPPROTO_IP, IP_TRANSPARENT, (void*)&on,
@ -209,6 +204,14 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
}
#endif /* IP_TRANSPARENT || IP_BINDANY */
}
#ifdef IP_FREEBIND
if(freebind &&
setsockopt(s, IPPROTO_IP, IP_FREEBIND, (void*)&on,
(socklen_t)sizeof(on)) < 0) {
log_warn("setsockopt(.. IP_FREEBIND ..) failed: %s",
strerror(errno));
}
#endif /* IP_FREEBIND */
if(rcv) {
#ifdef SO_RCVBUF
int got;
@ -509,6 +512,9 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
#if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_V6ONLY) || defined(IP_TRANSPARENT) || defined(IP_BINDANY) || defined(IP_FREEBIND)
int on = 1;
#endif
#ifdef USE_TCP_FASTOPEN
int qlen;
#endif
#if !defined(IP_TRANSPARENT) && !defined(IP_BINDANY)
(void)transparent;
#endif
@ -669,6 +675,22 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
#endif
return -1;
}
#ifdef USE_TCP_FASTOPEN
/* qlen specifies how many outstanding TFO requests to allow. Limit is a defense
against IP spoofing attacks as suggested in RFC7413 */
#ifdef __APPLE__
/* OS X implementation only supports qlen of 1 via this call. Actual
value is configured by the net.inet.tcp.fastopen_backlog kernel parm. */
qlen = 1;
#else
/* 5 is recommended on linux */
qlen = 5;
#endif
if ((setsockopt(s, IPPROTO_TCP, TCP_FASTOPEN, &qlen,
sizeof(qlen))) == -1 ) {
log_err("Setting TCP Fast Open as server failed: %s", strerror(errno));
}
#endif
return s;
}
@ -682,7 +704,7 @@ create_local_accept_sock(const char *path, int* noproto)
verbose(VERB_ALGO, "creating unix socket %s", path);
#ifdef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN
/* this member exists on BSDs, not Linux */
usock.sun_len = (socklen_t)sizeof(usock);
usock.sun_len = (unsigned)sizeof(usock);
#endif
usock.sun_family = AF_LOCAL;
/* length is 92-108, 104 on FreeBSD */

373
contrib/unbound/services/localzone.c
View File

@ -184,8 +184,11 @@ lz_enter_zone_dname(struct local_zones* zones, uint8_t* nm, size_t len,
log_warn("duplicate local-zone");
lock_rw_unlock(&z->lock);
local_zone_delete(z);
/* find the correct zone, so not an error for duplicate */
z = local_zones_find(zones, nm, len, labs, c);
lock_rw_wrlock(&z->lock);
lock_rw_unlock(&zones->lock);
return NULL;
return z;
}
lock_rw_unlock(&zones->lock);
return z;
@ -525,7 +528,7 @@ lz_enter_zone_tag(struct local_zones* zones, char* zname, uint8_t* list,
dname_labs = dname_count_labels(dname);
lock_rw_rdlock(&zones->lock);
z = local_zones_lookup(zones, dname, dname_len, dname_labs, rr_class);
z = local_zones_find(zones, dname, dname_len, dname_labs, rr_class);
if(!z) {
lock_rw_unlock(&zones->lock);
log_err("no local-zone for tag %s", zname);
@ -542,6 +545,89 @@ lz_enter_zone_tag(struct local_zones* zones, char* zname, uint8_t* list,
return r;
}
/** enter override into zone */
static int
lz_enter_override(struct local_zones* zones, char* zname, char* netblock,
char* type, uint16_t rr_class)
{
uint8_t dname[LDNS_MAX_DOMAINLEN+1];
size_t dname_len = sizeof(dname);
int dname_labs;
struct sockaddr_storage addr;
int net;
socklen_t addrlen;
struct local_zone* z;
enum localzone_type t;
/* parse zone name */
if(sldns_str2wire_dname_buf(zname, dname, &dname_len) != 0) {
log_err("cannot parse zone name in local-zone-override: %s %s",
zname, netblock);
return 0;
}
dname_labs = dname_count_labels(dname);
/* parse netblock */
if(!netblockstrtoaddr(netblock, UNBOUND_DNS_PORT, &addr, &addrlen,
&net)) {
log_err("cannot parse netblock in local-zone-override: %s %s",
zname, netblock);
return 0;
}
/* parse zone type */
if(!local_zone_str2type(type, &t)) {
log_err("cannot parse type in local-zone-override: %s %s %s",
zname, netblock, type);
return 0;
}
/* find localzone entry */
lock_rw_rdlock(&zones->lock);
z = local_zones_find(zones, dname, dname_len, dname_labs, rr_class);
if(!z) {
lock_rw_unlock(&zones->lock);
log_err("no local-zone for local-zone-override %s", zname);
return 0;
}
lock_rw_wrlock(&z->lock);
lock_rw_unlock(&zones->lock);
/* create netblock addr_tree if not present yet */
if(!z->override_tree) {
z->override_tree = (struct rbtree_t*)regional_alloc_zero(
z->region, sizeof(*z->override_tree));
if(!z->override_tree) {
lock_rw_unlock(&z->lock);
log_err("out of memory");
return 0;
}
addr_tree_init(z->override_tree);
}
/* add new elem to tree */
if(z->override_tree) {
struct local_zone_override* n;
n = (struct local_zone_override*)regional_alloc_zero(
z->region, sizeof(*n));
if(!n) {
lock_rw_unlock(&z->lock);
log_err("out of memory");
return 0;
}
n->type = t;
if(!addr_tree_insert(z->override_tree,
(struct addr_tree_node*)n, &addr, addrlen, net)) {
lock_rw_unlock(&z->lock);
log_err("duplicate local-zone-override %s %s",
zname, netblock);
return 1;
}
}
lock_rw_unlock(&z->lock);
return 1;
}
/** parse local-zone: statements */
static int
lz_enter_zones(struct local_zones* zones, struct config_file* cfg)
@ -720,6 +806,19 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
return 1;
}
/** parse local-zone-override: statements */
static int
lz_enter_overrides(struct local_zones* zones, struct config_file* cfg)
{
struct config_str3list* p;
for(p = cfg->local_zone_overrides; p; p = p->next) {
if(!lz_enter_override(zones, p->str, p->str2, p->str3,
LDNS_RR_CLASS_IN))
return 0;
}
return 1;
}
/** setup parent pointers, so that a lookup can be done for closest match */
static void
init_parents(struct local_zones* zones)
@ -749,6 +848,9 @@ init_parents(struct local_zones* zones)
break;
}
prev = node;
if(node->override_tree)
addr_tree_init_parents(node->override_tree);
lock_rw_unlock(&node->lock);
}
lock_rw_unlock(&zones->lock);
@ -887,6 +989,10 @@ local_zones_apply_cfg(struct local_zones* zones, struct config_file* cfg)
if(!lz_enter_defaults(zones, cfg)) {
return 0;
}
/* enter local zone overrides */
if(!lz_enter_overrides(zones, cfg)) {
return 0;
}
/* create implicit transparent zone from data. */
if(!lz_setup_implicit(zones, cfg)) {
return 0;
@ -910,34 +1016,42 @@ local_zones_apply_cfg(struct local_zones* zones, struct config_file* cfg)
struct local_zone*
local_zones_lookup(struct local_zones* zones,
uint8_t* name, size_t len, int labs, uint16_t dclass)
{
return local_zones_tags_lookup(zones, name, len, labs,
dclass, NULL, 0, 1);
}
struct local_zone*
local_zones_tags_lookup(struct local_zones* zones,
uint8_t* name, size_t len, int labs, uint16_t dclass,
uint8_t* taglist, size_t taglen, int ignoretags)
{
rbnode_t* res = NULL;
struct local_zone *result;
struct local_zone key;
int m;
key.node.key = &key;
key.dclass = dclass;
key.name = name;
key.namelen = len;
key.namelabs = labs;
if(rbtree_find_less_equal(&zones->ztree, &key, &res)) {
/* exact */
return (struct local_zone*)res;
} else {
/* smaller element (or no element) */
int m;
result = (struct local_zone*)res;
if(!result || result->dclass != dclass)
return NULL;
/* count number of labels matched */
(void)dname_lab_cmp(result->name, result->namelabs, key.name,
key.namelabs, &m);
while(result) { /* go up until qname is subdomain of zone */
if(result->namelabs <= m)
break;
result = result->parent;
}
return result;
rbtree_find_less_equal(&zones->ztree, &key, &res);
result = (struct local_zone*)res;
/* exact or smaller element (or no element) */
if(!result || result->dclass != dclass)
return NULL;
/* count number of labels matched */
(void)dname_lab_cmp(result->name, result->namelabs, key.name,
key.namelabs, &m);
while(result) { /* go up until qname is zone or subdomain of zone */
if(result->namelabs <= m)
if(ignoretags || !result->taglist ||
taglist_intersect(result->taglist,
result->taglen, taglist, taglen))
break;
result = result->parent;
}
return result;
}
struct local_zone*
@ -1009,6 +1123,18 @@ void local_zones_print(struct local_zones* zones)
log_nametypeclass(0, "inform_deny zone",
z->name, 0, z->dclass);
break;
case local_zone_always_transparent:
log_nametypeclass(0, "always_transparent zone",
z->name, 0, z->dclass);
break;
case local_zone_always_refuse:
log_nametypeclass(0, "always_refuse zone",
z->name, 0, z->dclass);
break;
case local_zone_always_nxdomain:
log_nametypeclass(0, "always_nxdomain zone",
z->name, 0, z->dclass);
break;
default:
log_nametypeclass(0, "badtyped zone",
z->name, 0, z->dclass);
@ -1054,11 +1180,99 @@ local_encode(struct query_info* qinfo, struct edns_data* edns,
return 1;
}
/** find local data tag string match for the given type in the list */
static int
find_tag_datas(struct query_info* qinfo, struct config_strlist* list,
struct ub_packed_rrset_key* r, struct regional* temp,
uint8_t* zname, size_t zlen)
{
struct config_strlist* p;
char buf[65536];
uint8_t rr[LDNS_RR_BUF_SIZE];
size_t len;
int res;
struct packed_rrset_data* d;
for(p=list; p; p=p->next) {
len = sizeof(rr);
/* does this element match the type? */
snprintf(buf, sizeof(buf), ". %s", p->str);
res = sldns_str2wire_rr_buf(buf, rr, &len, NULL, 3600,
zname, zlen, NULL, 0);
if(res != 0)
/* parse errors are already checked before, in
* acllist check_data, skip this for robustness */
continue;
if(len < 1 /* . */ + 8 /* typeclassttl*/ + 2 /*rdatalen*/)
continue;
if(sldns_wirerr_get_type(rr, len, 1) != qinfo->qtype)
continue;
/* do we have entries already? if not setup key */
if(r->rk.dname == NULL) {
r->entry.key = r;
r->rk.dname = qinfo->qname;
r->rk.dname_len = qinfo->qname_len;
r->rk.type = htons(qinfo->qtype);
r->rk.rrset_class = htons(qinfo->qclass);
r->rk.flags = 0;
d = (struct packed_rrset_data*)regional_alloc_zero(
temp, sizeof(struct packed_rrset_data)
+ sizeof(size_t) + sizeof(uint8_t*) +
sizeof(time_t));
if(!d) return 0; /* out of memory */
r->entry.data = d;
d->ttl = sldns_wirerr_get_ttl(rr, len, 1);
d->rr_len = (size_t*)((uint8_t*)d +
sizeof(struct packed_rrset_data));
d->rr_data = (uint8_t**)&(d->rr_len[1]);
d->rr_ttl = (time_t*)&(d->rr_data[1]);
}
d = (struct packed_rrset_data*)r->entry.data;
/* add entry to the data */
if(d->count != 0) {
size_t* oldlen = d->rr_len;
uint8_t** olddata = d->rr_data;
time_t* oldttl = d->rr_ttl;
/* increase arrays for lookup */
/* this is of course slow for very many records,
* but most redirects are expected with few records */
d->rr_len = (size_t*)regional_alloc_zero(temp,
(d->count+1)*sizeof(size_t));
d->rr_data = (uint8_t**)regional_alloc_zero(temp,
(d->count+1)*sizeof(uint8_t*));
d->rr_ttl = (time_t*)regional_alloc_zero(temp,
(d->count+1)*sizeof(time_t));
if(!d->rr_len || !d->rr_data || !d->rr_ttl)
return 0; /* out of memory */
/* first one was allocated after struct d, but new
* ones get their own array increment alloc, so
* copy old content */
memmove(d->rr_len, oldlen, d->count*sizeof(size_t));
memmove(d->rr_data, olddata, d->count*sizeof(uint8_t*));
memmove(d->rr_ttl, oldttl, d->count*sizeof(time_t));
}
d->rr_len[d->count] = sldns_wirerr_get_rdatalen(rr, len, 1)+2;
d->rr_ttl[d->count] = sldns_wirerr_get_ttl(rr, len, 1);
d->rr_data[d->count] = regional_alloc_init(temp,
sldns_wirerr_get_rdatawl(rr, len, 1),
d->rr_len[d->count]);
if(!d->rr_data[d->count])
if(!d) return 0; /* out of memory */
d->count++;
}
if(r->rk.dname)
return 1;
return 0;
}
/** answer local data match */
static int
local_data_answer(struct local_zone* z, struct query_info* qinfo,
struct edns_data* edns, sldns_buffer* buf, struct regional* temp,
int labs, struct local_data** ldp)
int labs, struct local_data** ldp, enum localzone_type lz_type,
int tag, struct config_strlist** tag_datas, size_t tag_datas_size,
char** tagname, int num_tags)
{
struct local_data key;
struct local_data* ld;
@ -1067,10 +1281,21 @@ local_data_answer(struct local_zone* z, struct query_info* qinfo,
key.name = qinfo->qname;
key.namelen = qinfo->qname_len;
key.namelabs = labs;
if(z->type == local_zone_redirect) {
if(lz_type == local_zone_redirect) {
key.name = z->name;
key.namelen = z->namelen;
key.namelabs = z->namelabs;
if(tag != -1 && (size_t)tag<tag_datas_size && tag_datas[tag]) {
struct ub_packed_rrset_key r;
memset(&r, 0, sizeof(r));
if(find_tag_datas(qinfo, tag_datas[tag], &r, temp,
z->name, z->namelen)) {
verbose(VERB_ALGO, "redirect with tag data [%d] %s",
tag, (tag<num_tags?tagname[tag]:"null"));
return local_encode(qinfo, edns, buf, temp,
&r, 1, LDNS_RCODE_NOERROR);
}
}
}
ld = (struct local_data*)rbtree_search(&z->data, &key.node);
*ldp = ld;
@ -1080,7 +1305,7 @@ local_data_answer(struct local_zone* z, struct query_info* qinfo,
lr = local_data_find_type(ld, qinfo->qtype);
if(!lr)
return 0;
if(z->type == local_zone_redirect) {
if(lz_type == local_zone_redirect) {
/* convert rrset name to query name; like a wildcard */
struct ub_packed_rrset_key r = *lr->rrset;
r.rk.dname = qinfo->qname;
@ -1100,25 +1325,28 @@ local_data_answer(struct local_zone* z, struct query_info* qinfo,
* @param buf: buffer for answer.
* @param temp: temp region for encoding
* @param ld: local data, if NULL, no such name exists in localdata.
* @param lz_type: type of the local zone
* @return 1 if a reply is to be sent, 0 if not.
*/
static int
lz_zone_answer(struct local_zone* z, struct query_info* qinfo,
struct edns_data* edns, sldns_buffer* buf, struct regional* temp,
struct local_data* ld)
struct local_data* ld, enum localzone_type lz_type)
{
if(z->type == local_zone_deny || z->type == local_zone_inform_deny) {
if(lz_type == local_zone_deny || lz_type == local_zone_inform_deny) {
/** no reply at all, signal caller by clearing buffer. */
sldns_buffer_clear(buf);
sldns_buffer_flip(buf);
return 1;
} else if(z->type == local_zone_refuse) {
} else if(lz_type == local_zone_refuse
|| lz_type == local_zone_always_refuse) {
error_encode(buf, (LDNS_RCODE_REFUSED|BIT_AA), qinfo,
*(uint16_t*)sldns_buffer_begin(buf),
sldns_buffer_read_u16_at(buf, 2), edns);
return 1;
} else if(z->type == local_zone_static ||
z->type == local_zone_redirect) {
} else if(lz_type == local_zone_static ||
lz_type == local_zone_redirect ||
lz_type == local_zone_always_nxdomain) {
/* for static, reply nodata or nxdomain
* for redirect, reply nodata */
/* no additional section processing,
@ -1126,7 +1354,8 @@ lz_zone_answer(struct local_zone* z, struct query_info* qinfo,
* or using closest match for NSEC.
* or using closest match for returning delegation downwards
*/
int rcode = ld?LDNS_RCODE_NOERROR:LDNS_RCODE_NXDOMAIN;
int rcode = (ld || lz_type == local_zone_redirect)?
LDNS_RCODE_NOERROR:LDNS_RCODE_NXDOMAIN;
if(z->soa)
return local_encode(qinfo, edns, buf, temp,
z->soa, 0, rcode);
@ -1134,11 +1363,12 @@ lz_zone_answer(struct local_zone* z, struct query_info* qinfo,
*(uint16_t*)sldns_buffer_begin(buf),
sldns_buffer_read_u16_at(buf, 2), edns);
return 1;
} else if(z->type == local_zone_typetransparent) {
} else if(lz_type == local_zone_typetransparent
|| lz_type == local_zone_always_transparent) {
/* no NODATA or NXDOMAINS for this zone type */
return 0;
}
/* else z->type == local_zone_transparent */
/* else lz_type == local_zone_transparent */
/* if the zone is transparent and the name exists, but the type
* does not, then we should make this noerror/nodata */
@ -1172,21 +1402,70 @@ lz_inform_print(struct local_zone* z, struct query_info* qinfo,
log_nametypeclass(0, txt, qinfo->qname, qinfo->qtype, qinfo->qclass);
}
static enum localzone_type
lz_type(uint8_t *taglist, size_t taglen, uint8_t *taglist2, size_t taglen2,
uint8_t *tagactions, size_t tagactionssize, enum localzone_type lzt,
struct comm_reply* repinfo, struct rbtree_t* override_tree, int* tag,
char** tagname, int num_tags)
{
size_t i, j;
uint8_t tagmatch;
struct local_zone_override* lzo;
if(repinfo && override_tree) {
lzo = (struct local_zone_override*)addr_tree_lookup(
override_tree, &repinfo->addr, repinfo->addrlen);
if(lzo && lzo->type) {
verbose(VERB_ALGO, "local zone override to type %s",
local_zone_type2str(lzo->type));
return lzo->type;
}
}
if(!taglist || !taglist2)
return lzt;
for(i=0; i<taglen && i<taglen2; i++) {
tagmatch = (taglist[i] & taglist2[i]);
for(j=0; j<8 && tagmatch>0; j++) {
if((tagmatch & 0x1)) {
*tag = (int)(i*8+j);
verbose(VERB_ALGO, "matched tag [%d] %s",
*tag, (*tag<num_tags?tagname[*tag]:"null"));
/* does this tag have a tag action? */
if(i*8+j < tagactionssize && tagactions
&& tagactions[i*8+j] != 0) {
verbose(VERB_ALGO, "tag action [%d] %s to type %s",
*tag, (*tag<num_tags?tagname[*tag]:"null"),
local_zone_type2str(
(enum localzone_type)
tagactions[i*8+j]));
return (enum localzone_type)tagactions[i*8+j];
}
return lzt;
}
tagmatch >>= 1;
}
}
return lzt;
}
int
local_zones_answer(struct local_zones* zones, struct query_info* qinfo,
struct edns_data* edns, sldns_buffer* buf, struct regional* temp,
struct comm_reply* repinfo)
struct comm_reply* repinfo, uint8_t* taglist, size_t taglen,
uint8_t* tagactions, size_t tagactionssize,
struct config_strlist** tag_datas, size_t tag_datas_size,
char** tagname, int num_tags)
{
/* see if query is covered by a zone,
* if so: - try to match (exact) local data
* - look at zone type for negative response. */
int labs = dname_count_labels(qinfo->qname);
struct local_data* ld;
struct local_data* ld = NULL;
struct local_zone* z;
int r;
enum localzone_type lzt;
int r, tag = -1;
lock_rw_rdlock(&zones->lock);
z = local_zones_lookup(zones, qinfo->qname,
qinfo->qname_len, labs, qinfo->qclass);
z = local_zones_tags_lookup(zones, qinfo->qname,
qinfo->qname_len, labs, qinfo->qclass, taglist, taglen, 0);
if(!z) {
lock_rw_unlock(&zones->lock);
return 0;
@ -1194,15 +1473,22 @@ local_zones_answer(struct local_zones* zones, struct query_info* qinfo,
lock_rw_rdlock(&z->lock);
lock_rw_unlock(&zones->lock);
if((z->type == local_zone_inform || z->type == local_zone_inform_deny)
lzt = lz_type(taglist, taglen, z->taglist, z->taglen, tagactions,
tagactionssize, z->type, repinfo, z->override_tree, &tag,
tagname, num_tags);
if((lzt == local_zone_inform || lzt == local_zone_inform_deny)
&& repinfo)
lz_inform_print(z, qinfo, repinfo);
if(local_data_answer(z, qinfo, edns, buf, temp, labs, &ld)) {
if(lzt != local_zone_always_refuse && lzt != local_zone_always_transparent
&& lzt != local_zone_always_nxdomain
&& local_data_answer(z, qinfo, edns, buf, temp, labs, &ld, lzt,
tag, tag_datas, tag_datas_size, tagname, num_tags)) {
lock_rw_unlock(&z->lock);
return 1;
}
r = lz_zone_answer(z, qinfo, edns, buf, temp, ld);
r = lz_zone_answer(z, qinfo, edns, buf, temp, ld, lzt);
lock_rw_unlock(&z->lock);
return r;
}
@ -1219,6 +1505,9 @@ const char* local_zone_type2str(enum localzone_type t)
case local_zone_nodefault: return "nodefault";
case local_zone_inform: return "inform";
case local_zone_inform_deny: return "inform_deny";
case local_zone_always_transparent: return "always_transparent";
case local_zone_always_refuse: return "always_refuse";
case local_zone_always_nxdomain: return "always_nxdomain";
}
return "badtyped";
}
@ -1241,6 +1530,12 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
*t = local_zone_inform;
else if(strcmp(type, "inform_deny") == 0)
*t = local_zone_inform_deny;
else if(strcmp(type, "always_transparent") == 0)
*t = local_zone_always_transparent;
else if(strcmp(type, "always_refuse") == 0)
*t = local_zone_always_refuse;
else if(strcmp(type, "always_nxdomain") == 0)
*t = local_zone_always_nxdomain;
else return 0;
return 1;
}

54
contrib/unbound/services/localzone.h
View File

@ -43,6 +43,7 @@
#define SERVICES_LOCALZONE_H
#include "util/rbtree.h"
#include "util/locks.h"
#include "util/storage/dnstree.h"
struct ub_packed_rrset_key;
struct regional;
struct config_file;
@ -50,6 +51,7 @@ struct edns_data;
struct query_info;
struct sldns_buffer;
struct comm_reply;
struct config_strlist;
/**
* Local zone type
@ -75,7 +77,13 @@ enum localzone_type {
/** log client address, but no block (transparent) */
local_zone_inform,
/** log client address, and block (drop) */
local_zone_inform_deny
local_zone_inform_deny,
/** resolve normally, even when there is local data */
local_zone_always_transparent,
/** answer with error, even when there is local data */
local_zone_always_refuse,
/** answer with nxdomain, even when there is local data */
local_zone_always_nxdomain
};
/**
@ -119,6 +127,9 @@ struct local_zone {
uint8_t* taglist;
/** length of the taglist (in bytes) */
size_t taglen;
/** netblock addr_tree with struct local_zone_override information
* or NULL if there are no override elements */
struct rbtree_t* override_tree;
/** in this region the zone's data is allocated.
* the struct local_zone itself is malloced. */
@ -157,6 +168,16 @@ struct local_rrset {
struct ub_packed_rrset_key* rrset;
};
/**
* Local zone override information
*/
struct local_zone_override {
/** node in addrtree */
struct addr_tree_node node;
/** override for local zone type */
enum localzone_type type;
};
/**
* Create local zones storage
* @return new struct or NULL on error.
@ -201,6 +222,24 @@ int local_data_cmp(const void* d1, const void* d2);
*/
void local_zone_delete(struct local_zone* z);
/**
* Lookup zone that contains the given name, class and taglist.
* User must lock the tree or result zone.
* @param zones: the zones tree
* @param name: dname to lookup
* @param len: length of name.
* @param labs: labelcount of name.
* @param dclass: class to lookup.
* @param taglist: taglist to lookup.
* @param taglen: lenth of taglist.
* @param ignoretags: lookup zone by name and class, regardless the
* local-zone's tags.
* @return closest local_zone or NULL if no covering zone is found.
*/
struct local_zone* local_zones_tags_lookup(struct local_zones* zones,
uint8_t* name, size_t len, int labs, uint16_t dclass,
uint8_t* taglist, size_t taglen, int ignoretags);
/**
* Lookup zone that contains the given name, class.
* User must lock the tree or result zone.
@ -230,13 +269,24 @@ void local_zones_print(struct local_zones* zones);
* @param buf: buffer with query ID and flags, also for reply.
* @param temp: temporary storage region.
* @param repinfo: source address for checks. may be NULL.
* @param taglist: taglist for checks. May be NULL.
* @param taglen: length of the taglist.
* @param tagactions: local zone actions for tags. May be NULL.
* @param tagactionssize: length of the tagactions.
* @param tag_datas: array per tag of strlist with rdata strings. or NULL.
* @param tag_datas_size: size of tag_datas array.
* @param tagname: array of tag name strings (for debug output).
* @param num_tags: number of items in tagname array.
* @return true if answer is in buffer. false if query is not answered
* by authority data. If the reply should be dropped altogether, the return
* value is true, but the buffer is cleared (empty).
*/
int local_zones_answer(struct local_zones* zones, struct query_info* qinfo,
struct edns_data* edns, struct sldns_buffer* buf, struct regional* temp,
struct comm_reply* repinfo);
struct comm_reply* repinfo, uint8_t* taglist, size_t taglen,
uint8_t* tagactions, size_t tagactionssize,
struct config_strlist** tag_datas, size_t tag_datas_size,
char** tagname, int num_tags);
/**
* Parse the string into localzone type.

6
contrib/unbound/services/mesh.c
View File

@ -1069,6 +1069,12 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate,
*ev = module_event_pass;
return 1;
}
if(s == module_wait_subquery && mstate->sub_set.count == 0) {
log_err("module cannot wait for subquery, subquery list empty");
log_query_info(VERB_QUERY, "pass error for qstate",
&mstate->s.qinfo);
s = module_error;
}
if(s == module_error && mstate->s.return_rcode == LDNS_RCODE_NOERROR) {
/* error is bad, handle pass back up below */
mstate->s.return_rcode = LDNS_RCODE_SERVFAIL;

72
contrib/unbound/services/outside_network.c
View File

@ -243,7 +243,33 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
return 0;
fd_set_nonblock(s);
#ifdef USE_OSX_MSG_FASTOPEN
/* API for fast open is different here. We use a connectx() function and
then writes can happen as normal even using SSL.*/
/* connectx requires that the len be set in the sockaddr struct*/
struct sockaddr_in *addr_in = (struct sockaddr_in *)&w->addr;
addr_in->sin_len = w->addrlen;
sa_endpoints_t endpoints;
endpoints.sae_srcif = 0;
endpoints.sae_srcaddr = NULL;
endpoints.sae_srcaddrlen = 0;
endpoints.sae_dstaddr = (struct sockaddr *)&w->addr;
endpoints.sae_dstaddrlen = w->addrlen;
if (connectx(s, &endpoints, SAE_ASSOCID_ANY,
CONNECT_DATA_IDEMPOTENT | CONNECT_RESUME_ON_READ_WRITE,
NULL, 0, NULL, NULL) == -1) {
#else /* USE_OSX_MSG_FASTOPEN*/
#ifdef USE_MSG_FASTOPEN
pend->c->tcp_do_fastopen = 1;
/* Only do TFO for TCP in which case no connect() is required here.
Don't combine client TFO with SSL, since OpenSSL can't
currently support doing a handshake on fd that already isn't connected*/
if (w->outnet->sslctx && w->ssl_upstream) {
if(connect(s, (struct sockaddr*)&w->addr, w->addrlen) == -1) {
#else /* USE_MSG_FASTOPEN*/
if(connect(s, (struct sockaddr*)&w->addr, w->addrlen) == -1) {
#endif /* USE_MSG_FASTOPEN*/
#endif /* USE_OSX_MSG_FASTOPEN*/
#ifndef USE_WINSOCK
#ifdef EINPROGRESS
if(errno != EINPROGRESS) {
@ -263,6 +289,9 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
return 0;
}
}
#ifdef USE_MSG_FASTOPEN
}
#endif /* USE_MSG_FASTOPEN */
if(w->outnet->sslctx && w->ssl_upstream) {
pend->c->ssl = outgoing_ssl_fd(w->outnet->sslctx, s);
if(!pend->c->ssl) {
@ -591,7 +620,9 @@ static int setup_if(struct port_if* pif, const char* addrstr,
pif->avail_ports = (int*)memdup(avail, (size_t)numavail*sizeof(int));
if(!pif->avail_ports)
return 0;
if(!ipstrtoaddr(addrstr, UNBOUND_DNS_PORT, &pif->addr, &pif->addrlen))
if(!ipstrtoaddr(addrstr, UNBOUND_DNS_PORT, &pif->addr, &pif->addrlen) &&
!netblockstrtoaddr(addrstr, UNBOUND_DNS_PORT,
&pif->addr, &pif->addrlen, &pif->pfxlen))
return 0;
pif->maxout = (int)numfd;
pif->inuse = 0;
@ -893,26 +924,49 @@ pending_delete(struct outside_network* outnet, struct pending* p)
free(p);
}
static void
sai6_putrandom(struct sockaddr_in6 *sa, int pfxlen, struct ub_randstate *rnd)
{
int i, last;
if(!(pfxlen > 0 && pfxlen < 128))
return;
for(i = 0; i < (128 - pfxlen) / 8; i++) {
sa->sin6_addr.s6_addr[15-i] = (uint8_t)ub_random_max(rnd, 256);
}
last = pfxlen & 7;
if(last != 0) {
sa->sin6_addr.s6_addr[15-i] |=
((0xFF >> last) & ub_random_max(rnd, 256));
}
}
/**
* Try to open a UDP socket for outgoing communication.
* Sets sockets options as needed.
* @param addr: socket address.
* @param addrlen: length of address.
* @param pfxlen: length of network prefix (for address randomisation).
* @param port: port override for addr.
* @param inuse: if -1 is returned, this bool means the port was in use.
* @param rnd: random state (for address randomisation).
* @return fd or -1
*/
static int
udp_sockport(struct sockaddr_storage* addr, socklen_t addrlen, int port,
int* inuse)
udp_sockport(struct sockaddr_storage* addr, socklen_t addrlen, int pfxlen,
int port, int* inuse, struct ub_randstate* rnd)
{
int fd, noproto;
if(addr_is_ip6(addr, addrlen)) {
struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
sa->sin6_port = (in_port_t)htons((uint16_t)port);
int freebind = 0;
struct sockaddr_in6 sa = *(struct sockaddr_in6*)addr;
sa.sin6_port = (in_port_t)htons((uint16_t)port);
if(pfxlen != 0) {
freebind = 1;
sai6_putrandom(&sa, pfxlen, rnd);
}
fd = create_udp_sock(AF_INET6, SOCK_DGRAM,
(struct sockaddr*)addr, addrlen, 1, inuse, &noproto,
0, 0, 0, NULL, 0, 0);
(struct sockaddr*)&sa, addrlen, 1, inuse, &noproto,
0, 0, 0, NULL, 0, freebind);
} else {
struct sockaddr_in* sa = (struct sockaddr_in*)addr;
sa->sin_port = (in_port_t)htons((uint16_t)port);
@ -978,7 +1032,8 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
/* try to open new port, if fails, loop to try again */
log_assert(pif->inuse < pif->maxout);
portno = pif->avail_ports[my_port - pif->inuse];
fd = udp_sockport(&pif->addr, pif->addrlen, portno, &inuse);
fd = udp_sockport(&pif->addr, pif->addrlen, pif->pfxlen,
portno, &inuse, outnet->rnd);
if(fd == -1 && !inuse) {
/* nonrecoverable error making socket */
return 0;
@ -1361,6 +1416,7 @@ serviced_perturb_qname(struct ub_randstate* rnd, uint8_t* qbuf, size_t len)
long int random = 0;
int bits = 0;
log_assert(len >= 10 + 5 /* offset qname, root, qtype, qclass */);
(void)len;
lablen = *d++;
while(lablen) {
while(lablen--) {

4
contrib/unbound/services/outside_network.h
View File

@ -165,6 +165,10 @@ struct port_if {
/** length of addr field */
socklen_t addrlen;
/** prefix length of network address (in bits), for randomisation.
* if 0, no randomisation. */
int pfxlen;
/** the available ports array. These are unused.
* Only the first total-inuse part is filled. */
int* avail_ports;

39
contrib/unbound/sldns/keyraw.c
View File

@ -23,6 +23,15 @@
#ifdef HAVE_OPENSSL_ENGINE_H
# include <openssl/engine.h>
#endif
#ifdef HAVE_OPENSSL_BN_H
#include <openssl/bn.h>
#endif
#ifdef HAVE_OPENSSL_RSA_H
#include <openssl/rsa.h>
#endif
#ifdef HAVE_OPENSSL_DSA_H
#include <openssl/dsa.h>
#endif
#endif /* HAVE_SSL */
size_t
@ -215,6 +224,7 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
BN_free(Y);
return NULL;
}
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
#ifndef S_SPLINT_S
dsa->p = P;
dsa->q = Q;
@ -222,6 +232,25 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
dsa->pub_key = Y;
#endif /* splint */
#else /* OPENSSL_VERSION_NUMBER */
if (!DSA_set0_pqg(dsa, P, Q, G)) {
/* QPG not yet attached, need to free */
BN_free(Q);
BN_free(P);
BN_free(G);
DSA_free(dsa);
BN_free(Y);
return NULL;
}
if (!DSA_set0_key(dsa, Y, NULL)) {
/* QPG attached, cleaned up by DSA_fre() */
DSA_free(dsa);
BN_free(Y);
return NULL;
}
#endif
return dsa;
}
@ -273,11 +302,21 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
BN_free(modulus);
return NULL;
}
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
#ifndef S_SPLINT_S
rsa->n = modulus;
rsa->e = exponent;
#endif /* splint */
#else /* OPENSSL_VERSION_NUMBER */
if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
BN_free(exponent);
BN_free(modulus);
RSA_free(rsa);
return NULL;
}
#endif
return rsa;
}

2
contrib/unbound/sldns/rrdef.h
View File

@ -195,7 +195,7 @@ enum sldns_enum_rr_type
LDNS_RR_TYPE_TALINK = 58,
LDNS_RR_TYPE_CDS = 59, /** RFC 7344 */
LDNS_RR_TYPE_CDNSKEY = 60, /** RFC 7344 */
LDNS_RR_TYPE_OPENPGPKEY = 61, /* draft-ietf-dane-openpgpkey */
LDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */
LDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */
LDNS_RR_TYPE_SPF = 99, /* RFC 4408 */

18
contrib/unbound/sldns/wire2str.h
View File

@ -118,7 +118,7 @@ int sldns_str_print(char** str, size_t* slen, const char* format, ...)
* @param str_len: the size of the string buffer. If more is needed, it'll
* silently truncate the output to fit in the buffer.
* @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated.
* Is larger or equal than str_len if output was truncated.
*/
int sldns_wire2str_pkt_buf(uint8_t* data, size_t data_len, char* str,
size_t str_len);
@ -351,7 +351,7 @@ int sldns_wire2str_edns_option_code_print(char** str, size_t* str_len,
* @param str_len: the size of the string buffer. If more is needed, it'll
* silently truncate the output to fit in the buffer.
* @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated.
* Is larger or equal than str_len if output was truncated.
*/
int sldns_wire2str_rr_buf(uint8_t* rr, size_t rr_len, char* str,
size_t str_len);
@ -369,7 +369,7 @@ int sldns_wire2str_rr_buf(uint8_t* rr, size_t rr_len, char* str,
* @param str_len: the size of the string buffer. If more is needed, it'll
* silently truncate the output to fit in the buffer.
* @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated.
* Is larger or equal than str_len if output was truncated.
*/
int sldns_wire2str_rr_unknown_buf(uint8_t* rr, size_t rr_len, char* str,
size_t str_len);
@ -389,7 +389,7 @@ int sldns_wire2str_rr_unknown_buf(uint8_t* rr, size_t rr_len, char* str,
* @param str_len: the size of the string buffer. If more is needed, it'll
* silently truncate the output to fit in the buffer.
* @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated.
* Is larger or equal than str_len if output was truncated.
*/
int sldns_wire2str_rr_comment_buf(uint8_t* rr, size_t rr_len, size_t dname_len,
char* str, size_t str_len);
@ -406,7 +406,7 @@ int sldns_wire2str_rr_comment_buf(uint8_t* rr, size_t rr_len, size_t dname_len,
* silently truncate the output to fit in the buffer.
* @param rrtype: rr type of the data
* @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated.
* Is larger or equal than str_len if output was truncated.
*/
int sldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str,
size_t str_len, uint16_t rrtype);
@ -417,7 +417,7 @@ int sldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str,
* @param str: the string to write to.
* @param len: length of str.
* @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated.
* Is larger or equal than str_len if output was truncated.
*/
int sldns_wire2str_type_buf(uint16_t rrtype, char* str, size_t len);
@ -427,7 +427,7 @@ int sldns_wire2str_type_buf(uint16_t rrtype, char* str, size_t len);
* @param str: the string to write to.
* @param len: length of str.
* @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated.
* Is larger or equal than str_len if output was truncated.
*/
int sldns_wire2str_class_buf(uint16_t rrclass, char* str, size_t len);
@ -437,7 +437,7 @@ int sldns_wire2str_class_buf(uint16_t rrclass, char* str, size_t len);
* @param str: the string to write to.
* @param len: length of str.
* @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated.
* Is larger or equal than str_len if output was truncated.
*/
int sldns_wire2str_rcode_buf(int rcode, char* str, size_t len);
@ -448,7 +448,7 @@ int sldns_wire2str_rcode_buf(int rcode, char* str, size_t len);
* @param str: the string to write to.
* @param len: length of string.
* @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated.
* Is larger or equal than str_len if output was truncated.
*/
int sldns_wire2str_dname_buf(uint8_t* dname, size_t dname_len, char* str,
size_t len);

27
contrib/unbound/smallapp/unbound-anchor.c
View File

@ -37,7 +37,8 @@
* \file
*
* This file checks to see that the current 5011 keys work to prime the
* current root anchor. If not a certificate is used to update the anchor.
* current root anchor. If not a certificate is used to update the anchor,
* with RFC7958 https xml fetch.
*
* This is a concept solution for distribution of the DNSSEC root
* trust anchor. It is a small tool, called "unbound-anchor", that
@ -47,7 +48,7 @@
* Management-Abstract:
* * first run: fill root.key file with hardcoded DS record.
* * mostly: use RFC5011 tracking, quick . DNSKEY UDP query.
* * failover: use builtin certificate, do https and update.
* * failover: use RFC7958 builtin certificate, do https and update.
* Special considerations:
* * 30-days RFC5011 timer saves a lot of https traffic.
* * DNSKEY probe must be NOERROR, saves a lot of https traffic.
@ -77,7 +78,7 @@
* the file contains a list of normal DNSKEY/DS records, and uses that to
* bootstrap 5011 (the KSK is made VALID).
*
* The certificate update is done by fetching root-anchors.xml and
* The certificate RFC7958 update is done by fetching root-anchors.xml and
* root-anchors.p7s via SSL. The HTTPS certificate can be logged but is
* not validated (https for channel security; the security comes from the
* certificate). The 'data.iana.org' domain name A and AAAA are resolved
@ -171,7 +172,7 @@ struct ip_list {
/** Give unbound-anchor usage, and exit (1). */
static void
usage()
usage(void)
{
printf("Usage: unbound-anchor [opts]\n");
printf(" Setup or update root anchor. "
@ -419,7 +420,7 @@ read_builtin_cert(void)
{
const char* builtin_cert = get_builtin_cert();
STACK_OF(X509)* sk;
BIO *bio = BIO_new_mem_buf((void*)builtin_cert,
BIO *bio = BIO_new_mem_buf(builtin_cert,
(int)strlen(builtin_cert));
if(!bio) {
if(verb) printf("out of memory\n");
@ -1836,7 +1837,7 @@ write_unsigned_root(const char* root_anchor_file)
#ifdef HAVE_FSYNC
fsync(fileno(out));
#else
FlushFileBuffers((HANDLE)_fileno(out));
FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out)));
#endif
fclose(out);
}
@ -1868,7 +1869,7 @@ write_root_anchor(const char* root_anchor_file, BIO* ds)
#ifdef HAVE_FSYNC
fsync(fileno(out));
#else
FlushFileBuffers((HANDLE)_fileno(out));
FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out)));
#endif
fclose(out);
}
@ -2310,10 +2311,22 @@ int main(int argc, char* argv[])
if(argc != 0)
usage();
#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
ERR_load_crypto_strings();
#endif
ERR_load_SSL_strings();
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
OpenSSL_add_all_algorithms();
#else
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
| OPENSSL_INIT_ADD_ALL_DIGESTS
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
(void)SSL_library_init();
#else
(void)OPENSSL_init_ssl(0, NULL);
#endif
if(dolist) do_list_builtin();

19
contrib/unbound/smallapp/unbound-checkconf.c
View File

@ -72,7 +72,7 @@
/** Give checkconf usage, and exit (1). */
static void
usage()
usage(void)
{
printf("Usage: unbound-checkconf [file]\n");
printf(" Checks unbound configuration file for errors.\n");
@ -161,6 +161,7 @@ warn_hosts(const char* typ, struct config_stub* list)
static void
interfacechecks(struct config_file* cfg)
{
int d;
struct sockaddr_storage a;
socklen_t alen;
int i, j;
@ -177,8 +178,8 @@ interfacechecks(struct config_file* cfg)
}
}
for(i=0; i<cfg->num_out_ifs; i++) {
if(!ipstrtoaddr(cfg->out_ifs[i], UNBOUND_DNS_PORT,
&a, &alen)) {
if(!ipstrtoaddr(cfg->out_ifs[i], UNBOUND_DNS_PORT, &a, &alen) &&
!netblockstrtoaddr(cfg->out_ifs[i], UNBOUND_DNS_PORT, &a, &alen, &d)) {
fatal_exit("cannot parse outgoing-interface "
"specified as '%s'", cfg->out_ifs[i]);
}
@ -330,6 +331,8 @@ morechecks(struct config_file* cfg, const char* fname)
fatal_exit("num_threads value weird");
if(!cfg->do_ip4 && !cfg->do_ip6)
fatal_exit("ip4 and ip6 are both disabled, pointless");
if(!cfg->do_ip6 && cfg->prefer_ip6)
fatal_exit("cannot prefer and disable ip6, pointless");
if(!cfg->do_udp && !cfg->do_tcp)
fatal_exit("udp and tcp are both disabled, pointless");
if(cfg->edns_buffer_size > cfg->msg_buffer_size)
@ -436,7 +439,9 @@ morechecks(struct config_file* cfg, const char* fname)
if(cfg->username && cfg->username[0]) {
if(getpwnam(cfg->username) == NULL)
fatal_exit("user '%s' does not exist.", cfg->username);
# ifdef HAVE_ENDPWENT
endpwent();
# endif
}
#endif
if(cfg->remote_control_enable && cfg->remote_control_use_cert) {
@ -481,14 +486,22 @@ check_hints(struct config_file* cfg)
static void
checkconf(const char* cfgfile, const char* opt, int final)
{
char oldwd[PATH_MAX];
struct config_file* cfg = config_create();
if(!cfg)
fatal_exit("out of memory");
oldwd[0] = 0;
if(!getcwd(oldwd, sizeof(oldwd))) {
log_err("cannot getcwd: %s", strerror(errno));
oldwd[0] = 0;
}
if(!config_read(cfg, cfgfile, NULL)) {
/* config_read prints messages to stderr */
config_delete(cfg);
exit(1);
}
if(oldwd[0] && chdir(oldwd) == -1)
log_err("cannot chdir(%s): %s", oldwd, strerror(errno));
if(opt) {
print_option(cfg, opt, final);
config_delete(cfg);

16
contrib/unbound/smallapp/unbound-control.c
View File

@ -65,7 +65,7 @@
/** Give unbound-control usage, and exit (1). */
static void
usage()
usage(void)
{
printf("Usage: unbound-control [options] command\n");
printf(" Remote control utility for unbound server.\n");
@ -212,7 +212,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
struct sockaddr_un* usock = (struct sockaddr_un *) &addr;
usock->sun_family = AF_LOCAL;
#ifdef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN
usock->sun_len = (socklen_t)sizeof(usock);
usock->sun_len = (unsigned)sizeof(usock);
#endif
(void)strlcpy(usock->sun_path, svr, sizeof(usock->sun_path));
addrlen = (socklen_t)sizeof(struct sockaddr_un);
@ -418,10 +418,22 @@ int main(int argc, char* argv[])
cfgfile = CONFIGFILE;
#endif
#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
ERR_load_crypto_strings();
#endif
ERR_load_SSL_strings();
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
OpenSSL_add_all_algorithms();
#else
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
| OPENSSL_INIT_ADD_ALL_DIGESTS
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
(void)SSL_library_init();
#else
(void)OPENSSL_init_ssl(0, NULL);
#endif
if(!RAND_status()) {
/* try to seed it */

4
contrib/unbound/smallapp/unbound-host.c
View File

@ -72,7 +72,7 @@ static int verb = 0;
/** Give unbound-host usage, and exit (1). */
static void
usage()
usage(void)
{
printf("Usage: unbound-host [-vdhr46] [-c class] [-t type] hostname\n");
printf(" [-y key] [-f keyfile] [-F namedkeyfile]\n");
@ -91,7 +91,7 @@ usage()
printf(" -F keyfile read named.conf-style trust anchors.\n");
printf(" -C config use the specified unbound.conf (none read by default)\n");
printf(" -r read forwarder information from /etc/resolv.conf\n");
printf(" breaks validation if the fwder does not do DNSSEC.\n");
printf(" breaks validation if the forwarder does not do DNSSEC.\n");
printf(" -v be more verbose, shows nodata and security.\n");
printf(" -d debug, traces the action, -d -d shows more.\n");
printf(" -4 use ipv4 network, avoid ipv6.\n");

6
contrib/unbound/smallapp/worker_cb.c
View File

@ -225,8 +225,8 @@ struct order_id {
int order_lock_cmp(const void* e1, const void* e2)
{
struct order_id* o1 = (struct order_id*)e1;
struct order_id* o2 = (struct order_id*)e2;
const struct order_id* o1 = e1;
const struct order_id* o2 = e2;
if(o1->thr < o2->thr) return -1;
if(o1->thr > o2->thr) return 1;
if(o1->instance < o2->instance) return -1;
@ -237,7 +237,7 @@ int order_lock_cmp(const void* e1, const void* e2)
int
codeline_cmp(const void* a, const void* b)
{
return strcmp((const char*)a, (const char*)b);
return strcmp(a, b);
}
int replay_var_compare(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))

4
contrib/unbound/util/alloc.c
View File

@ -64,7 +64,7 @@ alloc_setup_special(alloc_special_t* t)
* @param alloc: the structure to fill up.
*/
static void
prealloc(struct alloc_cache* alloc)
prealloc_setup(struct alloc_cache* alloc)
{
alloc_special_t* p;
int i;
@ -216,7 +216,7 @@ alloc_special_obtain(struct alloc_cache* alloc)
}
}
/* allocate new */
prealloc(alloc);
prealloc_setup(alloc);
if(!(p = (alloc_special_t*)malloc(sizeof(alloc_special_t)))) {
log_err("alloc_special_obtain: out of memory");
return NULL;

70
contrib/unbound/util/config_file.c
View File

@ -212,6 +212,7 @@ config_create(void)
cfg->local_zones = NULL;
cfg->local_zones_nodefault = NULL;
cfg->local_data = NULL;
cfg->local_zone_overrides = NULL;
cfg->unblock_lan_zones = 0;
cfg->insecure_lan_zones = 0;
cfg->python_script = NULL;
@ -640,6 +641,14 @@ config_collate_cat(struct config_strlist* list)
func(buf, arg); \
} \
}
/** compare and print list option */
#define O_LS3(opt, name, lst) if(strcmp(opt, name)==0) { \
struct config_str3list* p = cfg->lst; \
for(p = cfg->lst; p; p = p->next) { \
snprintf(buf, len, "%s %s %s", p->str, p->str2, p->str3); \
func(buf, arg); \
} \
}
/** compare and print taglist option */
#define O_LTG(opt, name, lst) if(strcmp(opt, name)==0) { \
char* tmpstr = NULL; \
@ -784,6 +793,10 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "qname-minimisation", qname_minimisation)
else O_IFC(opt, "define-tag", num_tags, tagname)
else O_LTG(opt, "local-zone-tag", local_zone_tags)
else O_LTG(opt, "access-control-tag", acl_tags)
else O_LS3(opt, "local-zone-override", local_zone_overrides)
else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
/* not here:
* outgoing-permit, outgoing-avoid - have list of ports
* local-zone - zones and nodefault variables
@ -935,6 +948,20 @@ config_deldblstrlist(struct config_str2list* p)
}
}
void
config_deltrplstrlist(struct config_str3list* p)
{
struct config_str3list *np;
while(p) {
np = p->next;
free(p->str);
free(p->str2);
free(p->str3);
free(p);
p = np;
}
}
void
config_delstub(struct config_stub* p)
{
@ -969,8 +996,7 @@ config_del_strarray(char** array, int num)
free(array);
}
/** delete stringbytelist */
static void
void
config_del_strbytelist(struct config_strbytelist* p)
{
struct config_strbytelist* np;
@ -1020,8 +1046,12 @@ config_delete(struct config_file* cfg)
config_deldblstrlist(cfg->local_zones);
config_delstrlist(cfg->local_zones_nodefault);
config_delstrlist(cfg->local_data);
config_deltrplstrlist(cfg->local_zone_overrides);
config_del_strarray(cfg->tagname, cfg->num_tags);
config_del_strbytelist(cfg->local_zone_tags);
config_del_strbytelist(cfg->acl_tags);
config_deltrplstrlist(cfg->acl_tag_actions);
config_deltrplstrlist(cfg->acl_tag_datas);
config_delstrlist(cfg->control_ifs);
free(cfg->server_key_file);
free(cfg->server_cert_file);
@ -1179,6 +1209,23 @@ int cfg_strlist_append(struct config_strlist_head* list, char* item)
return 1;
}
int
cfg_region_strlist_insert(struct regional* region,
struct config_strlist** head, char* item)
{
struct config_strlist *s;
if(!item || !head)
return 0;
s = (struct config_strlist*)regional_alloc_zero(region,
sizeof(struct config_strlist));
if(!s)
return 0;
s->str = item;
s->next = *head;
*head = s;
return 1;
}
int
cfg_strlist_insert(struct config_strlist** head, char* item)
{
@ -1210,6 +1257,24 @@ cfg_str2list_insert(struct config_str2list** head, char* item, char* i2)
return 1;
}
int
cfg_str3list_insert(struct config_str3list** head, char* item, char* i2,
char* i3)
{
struct config_str3list *s;
if(!item || !i2 || !i3 || !head)
return 0;
s = (struct config_str3list*)calloc(1, sizeof(struct config_str3list));
if(!s)
return 0;
s->str = item;
s->str2 = i2;
s->str3 = i3;
s->next = *head;
*head = s;
return 1;
}
int
cfg_strbytelist_insert(struct config_strbytelist** head, char* item,
uint8_t* i2, size_t i2len)
@ -1373,6 +1438,7 @@ cfg_set_bit(uint8_t* bitlist, size_t len, int id)
{
int pos = id/8;
log_assert((size_t)pos < len);
(void)len;
bitlist[pos] |= 1<<(id%8);
}

53
contrib/unbound/util/config_file.h
View File

@ -44,10 +44,12 @@
struct config_stub;
struct config_strlist;
struct config_str2list;
struct config_str3list;
struct config_strbytelist;
struct module_qstate;
struct sock_list;
struct ub_packed_rrset_key;
struct regional;
/**
* The configuration options.
@ -73,6 +75,8 @@ struct config_file {
int do_ip4;
/** do ip6 query support. */
int do_ip6;
/** prefer ip6 upstream queries. */
int prefer_ip6;
/** do udp query support. */
int do_udp;
/** do tcp query support. */
@ -292,12 +296,20 @@ struct config_file {
struct config_strlist* local_zones_nodefault;
/** local data RRs configured */
struct config_strlist* local_data;
/** local zone override types per netblock */
struct config_str3list* local_zone_overrides;
/** unblock lan zones (reverse lookups for AS112 zones) */
int unblock_lan_zones;
/** insecure lan zones (don't validate AS112 zones) */
int insecure_lan_zones;
/** list of zonename, tagbitlist */
struct config_strbytelist* local_zone_tags;
/** list of aclname, tagbitlist */
struct config_strbytelist* acl_tags;
/** list of aclname, tagname, localzonetype */
struct config_str3list* acl_tag_actions;
/** list of aclname, tagname, redirectdata */
struct config_str3list* acl_tag_datas;
/** tag list, array with tagname[i] is malloced string */
char** tagname;
/** number of items in the taglist */
@ -433,6 +445,21 @@ struct config_str2list {
char* str2;
};
/**
* List of three strings for config options
*/
struct config_str3list {
/** next item in list */
struct config_str3list* next;
/** first string */
char* str;
/** second string */
char* str2;
/** third string */
char* str3;
};
/**
* List of string, bytestring for config options
*/
@ -575,6 +602,10 @@ int cfg_strlist_append(struct config_strlist_head* list, char* item);
*/
int cfg_strlist_insert(struct config_strlist** head, char* item);
/** insert with region for allocation. */
int cfg_region_strlist_insert(struct regional* region,
struct config_strlist** head, char* item);
/**
* Insert string into str2list.
* @param head: pointer to str2list head variable.
@ -584,9 +615,20 @@ int cfg_strlist_insert(struct config_strlist** head, char* item);
*/
int cfg_str2list_insert(struct config_str2list** head, char* item, char* i2);
/**
* Insert string into str3list.
* @param head: pointer to str3list head variable.
* @param item: new item. malloced by caller. If NULL the insertion fails.
* @param i2: 2nd string, malloced by caller. If NULL the insertion fails.
* @param i3: 3rd string, malloced by caller. If NULL the insertion fails.
* @return: true on success.
*/
int cfg_str3list_insert(struct config_str3list** head, char* item, char* i2,
char* i3);
/**
* Insert string into strbytelist.
* @param head: pointer to str2list head variable.
* @param head: pointer to strbytelist head variable.
* @param item: new item. malloced by caller. If NULL the insertion fails.
* @param i2: 2nd string, malloced by caller. If NULL the insertion fails.
* @param i2len: length of the i2 bytestring.
@ -618,6 +660,15 @@ void config_delstrlist(struct config_strlist* list);
*/
void config_deldblstrlist(struct config_str2list* list);
/**
* Delete items in config triple string list.
* @param list: list.
*/
void config_deltrplstrlist(struct config_str3list* list);
/** delete stringbytelist */
void config_del_strbytelist(struct config_strbytelist* list);
/**
* Delete a stub item
* @param p: stub item

8
contrib/unbound/util/configlexer.lex
View File

@ -9,6 +9,9 @@
*/
#include "config.h"
/* because flex keeps having sign-unsigned compare problems that are unfixed*/
#pragma GCC diagnostic ignored "-Wsign-compare"
#include <ctype.h>
#include <string.h>
#include <strings.h>
@ -218,6 +221,7 @@ outgoing-num-tcp{COLON} { YDVAR(1, VAR_OUTGOING_NUM_TCP) }
incoming-num-tcp{COLON} { YDVAR(1, VAR_INCOMING_NUM_TCP) }
do-ip4{COLON} { YDVAR(1, VAR_DO_IP4) }
do-ip6{COLON} { YDVAR(1, VAR_DO_IP6) }
prefer-ip6{COLON} { YDVAR(1, VAR_PREFER_IP6) }
do-udp{COLON} { YDVAR(1, VAR_DO_UDP) }
do-tcp{COLON} { YDVAR(1, VAR_DO_TCP) }
tcp-upstream{COLON} { YDVAR(1, VAR_TCP_UPSTREAM) }
@ -347,6 +351,10 @@ dns64-prefix{COLON} { YDVAR(1, VAR_DNS64_PREFIX) }
dns64-synthall{COLON} { YDVAR(1, VAR_DNS64_SYNTHALL) }
define-tag{COLON} { YDVAR(1, VAR_DEFINE_TAG) }
local-zone-tag{COLON} { YDVAR(2, VAR_LOCAL_ZONE_TAG) }
access-control-tag{COLON} { YDVAR(2, VAR_ACCESS_CONTROL_TAG) }
access-control-tag-action{COLON} { YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) }
access-control-tag-data{COLON} { YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) }
local-zone-override{COLON} { YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) }
dnstap{COLON} { YDVAR(0, VAR_DNSTAP) }
dnstap-enable{COLON} { YDVAR(1, VAR_DNSTAP_ENABLE) }
dnstap-socket-path{COLON} { YDVAR(1, VAR_DNSTAP_SOCKET_PATH) }

104
contrib/unbound/util/configparser.y
View File

@ -69,7 +69,7 @@ extern struct config_parser_state* cfg_parser;
%token <str> STRING_ARG
%token VAR_SERVER VAR_VERBOSITY VAR_NUM_THREADS VAR_PORT
%token VAR_OUTGOING_RANGE VAR_INTERFACE
%token VAR_DO_IP4 VAR_DO_IP6 VAR_DO_UDP VAR_DO_TCP
%token VAR_DO_IP4 VAR_DO_IP6 VAR_PREFER_IP6 VAR_DO_UDP VAR_DO_TCP
%token VAR_TCP_MSS VAR_OUTGOING_TCP_MSS
%token VAR_CHROOT VAR_USERNAME VAR_DIRECTORY VAR_LOGFILE VAR_PIDFILE
%token VAR_MSG_CACHE_SIZE VAR_MSG_CACHE_SLABS VAR_NUM_QUERIES_PER_THREAD
@ -126,6 +126,8 @@ extern struct config_parser_state* cfg_parser;
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
%token VAR_QNAME_MINIMISATION VAR_IP_FREEBIND VAR_DEFINE_TAG VAR_LOCAL_ZONE_TAG
%token VAR_ACCESS_CONTROL_TAG VAR_LOCAL_ZONE_OVERRIDE
%token VAR_ACCESS_CONTROL_TAG_ACTION VAR_ACCESS_CONTROL_TAG_DATA
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -144,7 +146,8 @@ contents_server: contents_server content_server
| ;
content_server: server_num_threads | server_verbosity | server_port |
server_outgoing_range | server_do_ip4 |
server_do_ip6 | server_do_udp | server_do_tcp |
server_do_ip6 | server_prefer_ip6 |
server_do_udp | server_do_tcp |
server_tcp_mss | server_outgoing_tcp_mss |
server_interface | server_chroot | server_username |
server_directory | server_logfile | server_pidfile |
@ -194,7 +197,9 @@ content_server: server_num_threads | server_verbosity | server_port |
server_caps_whitelist | server_cache_max_negative_ttl |
server_permit_small_holddown | server_qname_minimisation |
server_ip_freebind | server_define_tag | server_local_zone_tag |
server_disable_dnssec_lame_check
server_disable_dnssec_lame_check | server_access_control_tag |
server_local_zone_override | server_access_control_tag_action |
server_access_control_tag_data
;
stubstart: VAR_STUB_ZONE
{
@ -402,6 +407,15 @@ server_do_tcp: VAR_DO_TCP STRING_ARG
free($2);
}
;
server_prefer_ip6: VAR_PREFER_IP6 STRING_ARG
{
OUTYY(("P(server_prefer_ip6:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->prefer_ip6 = (strcmp($2, "yes")==0);
free($2);
}
;
server_tcp_mss: VAR_TCP_MSS STRING_ARG
{
OUTYY(("P(server_tcp_mss:%s)\n", $2));
@ -521,6 +535,23 @@ server_directory: VAR_DIRECTORY STRING_ARG
OUTYY(("P(server_directory:%s)\n", $2));
free(cfg_parser->cfg->directory);
cfg_parser->cfg->directory = $2;
/* change there right away for includes relative to this */
if($2[0]) {
char* d;
#ifdef UB_ON_WINDOWS
w_config_adjust_directory(cfg_parser->cfg);
#endif
d = cfg_parser->cfg->directory;
/* adjust directory if we have already chroot,
* like, we reread after sighup */
if(cfg_parser->chroot && cfg_parser->chroot[0] &&
strncmp(d, cfg_parser->chroot, strlen(
cfg_parser->chroot)) == 0)
d += strlen(cfg_parser->chroot);
if(chdir(d))
log_err("cannot chdir to directory: %s (%s)",
d, strerror(errno));
}
}
;
server_logfile: VAR_LOGFILE STRING_ARG
@ -1216,12 +1247,16 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
if(strcmp($3, "static")!=0 && strcmp($3, "deny")!=0 &&
strcmp($3, "refuse")!=0 && strcmp($3, "redirect")!=0 &&
strcmp($3, "transparent")!=0 && strcmp($3, "nodefault")!=0
&& strcmp($3, "typetransparent")!=0 &&
strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0)
&& strcmp($3, "typetransparent")!=0
&& strcmp($3, "always_transparent")!=0
&& strcmp($3, "always_refuse")!=0
&& strcmp($3, "always_nxdomain")!=0
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0)
yyerror("local-zone type: expected static, deny, "
"refuse, redirect, transparent, "
"typetransparent, inform, inform_deny "
"or nodefault");
"typetransparent, inform, inform_deny, "
"always_transparent, always_refuse, "
"always_nxdomain or nodefault");
else if(strcmp($3, "nodefault")==0) {
if(!cfg_strlist_insert(&cfg_parser->cfg->
local_zones_nodefault, $2))
@ -1332,6 +1367,61 @@ server_local_zone_tag: VAR_LOCAL_ZONE_TAG STRING_ARG STRING_ARG
}
}
;
server_access_control_tag: VAR_ACCESS_CONTROL_TAG STRING_ARG STRING_ARG
{
size_t len = 0;
uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, $3,
&len);
free($3);
OUTYY(("P(server_access_control_tag:%s)\n", $2));
if(!bitlist)
yyerror("could not parse tags, (define-tag them first)");
if(bitlist) {
if(!cfg_strbytelist_insert(
&cfg_parser->cfg->acl_tags,
$2, bitlist, len)) {
yyerror("out of memory");
free($2);
}
}
}
;
server_access_control_tag_action: VAR_ACCESS_CONTROL_TAG_ACTION STRING_ARG STRING_ARG STRING_ARG
{
OUTYY(("P(server_access_control_tag_action:%s %s %s)\n", $2, $3, $4));
if(!cfg_str3list_insert(&cfg_parser->cfg->acl_tag_actions,
$2, $3, $4)) {
yyerror("out of memory");
free($2);
free($3);
free($4);
}
}
;
server_access_control_tag_data: VAR_ACCESS_CONTROL_TAG_DATA STRING_ARG STRING_ARG STRING_ARG
{
OUTYY(("P(server_access_control_tag_data:%s %s %s)\n", $2, $3, $4));
if(!cfg_str3list_insert(&cfg_parser->cfg->acl_tag_datas,
$2, $3, $4)) {
yyerror("out of memory");
free($2);
free($3);
free($4);
}
}
;
server_local_zone_override: VAR_LOCAL_ZONE_OVERRIDE STRING_ARG STRING_ARG STRING_ARG
{
OUTYY(("P(server_local_zone_override:%s %s %s)\n", $2, $3, $4));
if(!cfg_str3list_insert(&cfg_parser->cfg->local_zone_overrides,
$2, $3, $4)) {
yyerror("out of memory");
free($2);
free($3);
free($4);
}
}
;
server_ratelimit: VAR_RATELIMIT STRING_ARG
{
OUTYY(("P(server_ratelimit:%s)\n", $2));

3
contrib/unbound/util/iana_ports.inc
View File

@ -1186,6 +1186,7 @@
1525,
1526,
1527,
1528,
1529,
1530,
1531,
@ -4526,7 +4527,6 @@
6786,
6787,
6788,
6789,
6790,
6791,
6801,
@ -5425,6 +5425,7 @@
44900,
45000,
45054,
45514,
45678,
45825,
45966,

6
contrib/unbound/util/net_help.c
View File

@ -783,7 +783,7 @@ void* outgoing_ssl_fd(void* sslctx, int fd)
#endif
}
#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK)
#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
/** global lock list for openssl locks */
static lock_basic_t *ub_openssl_locks = NULL;
@ -808,7 +808,7 @@ ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
int ub_openssl_lock_init(void)
{
#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK)
#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
int i;
ub_openssl_locks = (lock_basic_t*)reallocarray(
NULL, (size_t)CRYPTO_num_locks(), sizeof(lock_basic_t));
@ -825,7 +825,7 @@ int ub_openssl_lock_init(void)
void ub_openssl_lock_delete(void)
{
#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK)
#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
int i;
if(!ub_openssl_locks)
return;

110
contrib/unbound/util/netevent.c
View File

@ -80,8 +80,10 @@
# endif
#endif
/** The TCP reading or writing query timeout in seconds */
#define TCP_QUERY_TIMEOUT 120
/** The TCP reading or writing query timeout in milliseconds */
#define TCP_QUERY_TIMEOUT 120000
/** The TCP timeout in msec for fast queries, above half are used */
#define TCP_QUERY_TIMEOUT_FAST 200
#ifndef NONBLOCKING_IS_BROKEN
/** number of UDP reads to perform per read indication from select */
@ -710,14 +712,20 @@ comm_point_udp_callback(int fd, short event, void* arg)
/** Use a new tcp handler for new query fd, set to read query */
static void
setup_tcp_handler(struct comm_point* c, int fd)
setup_tcp_handler(struct comm_point* c, int fd, int cur, int max)
{
log_assert(c->type == comm_tcp);
log_assert(c->fd == -1);
sldns_buffer_clear(c->buffer);
c->tcp_is_reading = 1;
c->tcp_byte_count = 0;
comm_point_start_listening(c, fd, TCP_QUERY_TIMEOUT);
c->tcp_timeout_msec = TCP_QUERY_TIMEOUT;
/* if more than half the tcp handlers are in use, use a shorter
* timeout for this TCP connection, we need to make space for
* other connections to be able to get attention */
if(cur > max/2)
c->tcp_timeout_msec = TCP_QUERY_TIMEOUT_FAST;
comm_point_start_listening(c, fd, c->tcp_timeout_msec);
}
void comm_base_handle_slow_accept(int ATTR_UNUSED(fd),
@ -769,7 +777,7 @@ int comm_point_perform_accept(struct comm_point* c,
(*b->stop_accept)(b->cb_arg);
/* set timeout, no mallocs */
tv.tv_sec = NETEVENT_SLOW_ACCEPT_TIME/1000;
tv.tv_usec = NETEVENT_SLOW_ACCEPT_TIME%1000;
tv.tv_usec = (NETEVENT_SLOW_ACCEPT_TIME%1000)*1000;
b->eb->slow_accept = ub_event_new(b->eb->base,
-1, UB_EV_TIMEOUT,
comm_base_handle_slow_accept, b);
@ -862,6 +870,7 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg)
/* accept incoming connection. */
c_hdl = c->tcp_free;
log_assert(fd != -1);
(void)fd;
new_fd = comm_point_perform_accept(c, &c_hdl->repinfo.addr,
&c_hdl->repinfo.addrlen);
if(new_fd == -1)
@ -886,7 +895,7 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg)
/* stop accepting incoming queries for now. */
comm_point_stop_listening(c);
}
setup_tcp_handler(c_hdl, new_fd);
setup_tcp_handler(c_hdl, new_fd, c->cur_tcp_count, c->max_tcp_count);
}
/** Make tcp handler free for next assignment */
@ -940,7 +949,7 @@ tcp_callback_reader(struct comm_point* c)
comm_point_stop_listening(c);
fptr_ok(fptr_whitelist_comm_point(c->callback));
if( (*c->callback)(c, c->cb_arg, NETEVENT_NOERROR, &c->repinfo) ) {
comm_point_start_listening(c, -1, TCP_QUERY_TIMEOUT);
comm_point_start_listening(c, -1, c->tcp_timeout_msec);
}
}
@ -1348,6 +1357,59 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c)
if(c->ssl)
return ssl_handle_it(c);
#ifdef USE_MSG_FASTOPEN
/* Only try this on first use of a connection that uses tfo,
otherwise fall through to normal write */
/* Also, TFO support on WINDOWS not implemented at the moment */
if(c->tcp_do_fastopen == 1) {
/* this form of sendmsg() does both a connect() and send() so need to
look for various flavours of error*/
uint16_t len = htons(sldns_buffer_limit(c->buffer));
struct msghdr msg;
struct iovec iov[2];
c->tcp_do_fastopen = 0;
memset(&msg, 0, sizeof(msg));
iov[0].iov_base = (uint8_t*)&len + c->tcp_byte_count;
iov[0].iov_len = sizeof(uint16_t) - c->tcp_byte_count;
iov[1].iov_base = sldns_buffer_begin(c->buffer);
iov[1].iov_len = sldns_buffer_limit(c->buffer);
log_assert(iov[0].iov_len > 0);
log_assert(iov[1].iov_len > 0);
msg.msg_name = &c->repinfo.addr;
msg.msg_namelen = c->repinfo.addrlen;
msg.msg_iov = iov;
msg.msg_iovlen = 2;
r = sendmsg(fd, &msg, MSG_FASTOPEN);
if (r == -1) {
#if defined(EINPROGRESS) && defined(EWOULDBLOCK)
/* Handshake is underway, maybe because no TFO cookie available.
Come back to write the messsage*/
if(errno == EINPROGRESS || errno == EWOULDBLOCK)
return 1;
#endif
if(errno == EINTR || errno == EAGAIN)
return 1;
/* Not handling EISCONN here as shouldn't ever hit that case.*/
if(errno != 0 && verbosity < 2)
return 0; /* silence lots of chatter in the logs */
else if(errno != 0)
log_err_addr("tcp sendmsg", strerror(errno),
&c->repinfo.addr, c->repinfo.addrlen);
return 0;
} else {
c->tcp_byte_count += r;
if(c->tcp_byte_count < sizeof(uint16_t))
return 1;
sldns_buffer_set_position(c->buffer, c->tcp_byte_count -
sizeof(uint16_t));
if(sldns_buffer_remaining(c->buffer) == 0) {
tcp_callback_writer(c);
return 1;
}
}
}
#endif /* USE_MSG_FASTOPEN */
if(c->tcp_byte_count < sizeof(uint16_t)) {
uint16_t len = htons(sldns_buffer_limit(c->buffer));
#ifdef HAVE_WRITEV
@ -1540,6 +1602,9 @@ comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer,
c->do_not_close = 0;
c->tcp_do_toggle_rw = 0;
c->tcp_check_nb_connect = 0;
#ifdef USE_MSG_FASTOPEN
c->tcp_do_fastopen = 0;
#endif
c->inuse = 0;
c->callback = callback;
c->cb_arg = callback_arg;
@ -1593,6 +1658,9 @@ comm_point_create_udp_ancil(struct comm_base *base, int fd,
c->inuse = 0;
c->tcp_do_toggle_rw = 0;
c->tcp_check_nb_connect = 0;
#ifdef USE_MSG_FASTOPEN
c->tcp_do_fastopen = 0;
#endif
c->callback = callback;
c->cb_arg = callback_arg;
evbits = UB_EV_READ | UB_EV_PERSIST;
@ -1655,6 +1723,9 @@ comm_point_create_tcp_handler(struct comm_base *base,
c->do_not_close = 0;
c->tcp_do_toggle_rw = 1;
c->tcp_check_nb_connect = 0;
#ifdef USE_MSG_FASTOPEN
c->tcp_do_fastopen = 0;
#endif
c->repinfo.c = c;
c->callback = callback;
c->cb_arg = callback_arg;
@ -1715,6 +1786,9 @@ comm_point_create_tcp(struct comm_base *base, int fd, int num, size_t bufsize,
c->do_not_close = 0;
c->tcp_do_toggle_rw = 0;
c->tcp_check_nb_connect = 0;
#ifdef USE_MSG_FASTOPEN
c->tcp_do_fastopen = 0;
#endif
c->callback = NULL;
c->cb_arg = NULL;
evbits = UB_EV_READ | UB_EV_PERSIST;
@ -1780,6 +1854,9 @@ comm_point_create_tcp_out(struct comm_base *base, size_t bufsize,
c->do_not_close = 0;
c->tcp_do_toggle_rw = 1;
c->tcp_check_nb_connect = 1;
#ifdef USE_MSG_FASTOPEN
c->tcp_do_fastopen = 1;
#endif
c->repinfo.c = c;
c->callback = callback;
c->cb_arg = callback_arg;
@ -1834,6 +1911,9 @@ comm_point_create_local(struct comm_base *base, int fd, size_t bufsize,
c->do_not_close = 1;
c->tcp_do_toggle_rw = 0;
c->tcp_check_nb_connect = 0;
#ifdef USE_MSG_FASTOPEN
c->tcp_do_fastopen = 0;
#endif
c->callback = callback;
c->cb_arg = callback_arg;
/* ub_event stuff */
@ -1887,6 +1967,9 @@ comm_point_create_raw(struct comm_base* base, int fd, int writing,
c->do_not_close = 1;
c->tcp_do_toggle_rw = 0;
c->tcp_check_nb_connect = 0;
#ifdef USE_MSG_FASTOPEN
c->tcp_do_fastopen = 0;
#endif
c->callback = callback;
c->cb_arg = callback_arg;
/* ub_event stuff */
@ -1983,7 +2066,8 @@ comm_point_send_reply(struct comm_reply *repinfo)
dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv,
&repinfo->addr, repinfo->c->type, repinfo->c->buffer);
#endif
comm_point_start_listening(repinfo->c, -1, TCP_QUERY_TIMEOUT);
comm_point_start_listening(repinfo->c, -1,
repinfo->c->tcp_timeout_msec);
}
}
@ -2009,7 +2093,7 @@ comm_point_stop_listening(struct comm_point* c)
}
void
comm_point_start_listening(struct comm_point* c, int newfd, int sec)
comm_point_start_listening(struct comm_point* c, int newfd, int msec)
{
verbose(VERB_ALGO, "comm point start listening %d",
c->fd==-1?newfd:c->fd);
@ -2017,7 +2101,7 @@ comm_point_start_listening(struct comm_point* c, int newfd, int sec)
/* no use to start listening no free slots. */
return;
}
if(sec != -1 && sec != 0) {
if(msec != -1 && msec != 0) {
if(!c->timeout) {
c->timeout = (struct timeval*)malloc(sizeof(
struct timeval));
@ -2028,8 +2112,8 @@ comm_point_start_listening(struct comm_point* c, int newfd, int sec)
}
ub_event_add_bits(c->ev->ev, UB_EV_TIMEOUT);
#ifndef S_SPLINT_S /* splint fails on struct timeval. */
c->timeout->tv_sec = sec;
c->timeout->tv_usec = 0;
c->timeout->tv_sec = msec/1000;
c->timeout->tv_usec = (msec%1000)*1000;
#endif /* S_SPLINT_S */
}
if(c->type == comm_tcp) {
@ -2049,7 +2133,7 @@ comm_point_start_listening(struct comm_point* c, int newfd, int sec)
c->fd = newfd;
ub_event_set_fd(c->ev->ev, c->fd);
}
if(ub_event_add(c->ev->ev, sec==0?NULL:c->timeout) != 0) {
if(ub_event_add(c->ev->ev, msec==0?NULL:c->timeout) != 0) {
log_err("event_add failed. in cpsl.");
}
}

13
contrib/unbound/util/netevent.h
View File

@ -225,9 +225,17 @@ struct comm_point {
So that when that is done the callback is called. */
int tcp_do_toggle_rw;
/** timeout in msec for TCP wait times for this connection */
int tcp_timeout_msec;
/** if set, checks for pending error from nonblocking connect() call.*/
int tcp_check_nb_connect;
#ifdef USE_MSG_FASTOPEN
/** used to track if the sendto() call should be done when using TFO. */
int tcp_do_fastopen;
#endif
/** number of queries outstanding on this socket, used by
* outside network for udp ports */
int inuse;
@ -496,9 +504,10 @@ void comm_point_stop_listening(struct comm_point* c);
* Start listening again for input on the comm point.
* @param c: commpoint to enable again.
* @param newfd: new fd, or -1 to leave fd be.
* @param sec: timeout in seconds, or -1 for no (change to the) timeout.
* @param msec: timeout in milliseconds, or -1 for no (change to the) timeout.
* So seconds*1000.
*/
void comm_point_start_listening(struct comm_point* c, int newfd, int sec);
void comm_point_start_listening(struct comm_point* c, int newfd, int msec);
/**
* Stop listening and start listening again for reading or writing.

13
contrib/unbound/util/storage/dnstree.c
View File

@ -231,6 +231,19 @@ struct addr_tree_node* addr_tree_lookup(rbtree_t* tree,
return result;
}
struct addr_tree_node* addr_tree_find(rbtree_t* tree,
struct sockaddr_storage* addr, socklen_t addrlen, int net)
{
rbnode_t* res = NULL;
struct addr_tree_node key;
key.node.key = &key;
memcpy(&key.addr, addr, addrlen);
key.addrlen = addrlen;
key.net = net;
res = rbtree_search(tree, &key);
return (struct addr_tree_node*)res;
}
int
name_tree_next_root(rbtree_t* tree, uint16_t* dclass)
{

11
contrib/unbound/util/storage/dnstree.h
View File

@ -183,6 +183,17 @@ void addr_tree_init_parents(rbtree_t* tree);
struct addr_tree_node* addr_tree_lookup(rbtree_t* tree,
struct sockaddr_storage* addr, socklen_t addrlen);
/**
* Find element in addr tree. (search a netblock, not a match for an address)
* @param tree: addr tree
* @param addr: netblock to lookup.
* @param addrlen: length of addr
* @param net: size of subnet
* @return addr tree element, or NULL if not found.
*/
struct addr_tree_node* addr_tree_find(rbtree_t* tree,
struct sockaddr_storage* addr, socklen_t addrlen, int net);
/** compare name tree nodes */
int name_tree_compare(const void* k1, const void* k2);

10
contrib/unbound/util/storage/lookup3.c
View File

@ -820,7 +820,7 @@ uint32_t hashbig( const void *key, size_t length, uint32_t initval)
#ifdef SELF_TEST
/* used for timings */
void driver1()
void driver1(void)
{
uint8_t buf[256];
uint32_t i;
@ -842,7 +842,7 @@ void driver1()
#define HASHLEN 1
#define MAXPAIR 60
#define MAXLEN 70
void driver2()
void driver2(void)
{
uint8_t qa[MAXLEN+1], qb[MAXLEN+2], *a = &qa[0], *b = &qb[1];
uint32_t c[HASHSTATE], d[HASHSTATE], i=0, j=0, k, l, m=0, z;
@ -912,7 +912,7 @@ void driver2()
}
/* Check for reading beyond the end of the buffer and alignment problems */
void driver3()
void driver3(void)
{
uint8_t buf[MAXLEN+20], *b;
uint32_t len;
@ -1003,7 +1003,7 @@ void driver3()
}
/* check for problems with nulls */
void driver4()
void driver4(void)
{
uint8_t buf[1];
uint32_t h,i,state[HASHSTATE];
@ -1020,7 +1020,7 @@ void driver3()
}
int main()
int main(void)
{
driver1(); /* test that the key is hashed: used for timings */
driver2(); /* test that whole key is hashed thoroughly */

14
contrib/unbound/util/ub_event.c
View File

@ -132,16 +132,12 @@ static void (*NATIVE_BITS_CB(void (*cb)(int, short, void*)))(int, short, void*)
#define EVFLAG_AUTO 0
#endif
#define AS_EVENT_BASE(x) \
(((union {struct ub_event_base* a; struct event_base* b;})x).b)
#define AS_UB_EVENT_BASE(x) \
(((union {struct event_base* a; struct ub_event_base* b;})x).b)
#define AS_EVENT(x) \
(((union {struct ub_event* a; struct event* b;})x).b)
#define AS_UB_EVENT(x) \
(((union {struct event* a; struct ub_event* b;})x).b)
#define AS_EVENT_BASE(x) ((struct event_base*)x)
#define AS_UB_EVENT_BASE(x) ((struct ub_event_base*)x)
#define AS_EVENT(x) ((struct event*)x)
#define AS_UB_EVENT(x) ((struct ub_event*)x)
const char* ub_event_get_version()
const char* ub_event_get_version(void)
{
return event_get_version();
}

16
contrib/unbound/util/ub_event_pluggable.c
View File

@ -144,12 +144,10 @@ struct my_event {
struct event ev;
};
#define AS_MY_EVENT_BASE(x) \
(((union {struct ub_event_base* a; struct my_event_base* b;})x).b)
#define AS_MY_EVENT(x) \
(((union {struct ub_event* a; struct my_event* b;})x).b)
#define AS_MY_EVENT_BASE(x) ((struct my_event_base*)x)
#define AS_MY_EVENT(x) ((struct my_event*)x)
const char* ub_event_get_version()
const char* ub_event_get_version(void)
{
return "pluggable-event"PACKAGE_VERSION;
}
@ -597,7 +595,7 @@ ub_event_add(struct ub_event* ev, struct timeval* tv)
int
ub_event_del(struct ub_event* ev)
{
if (ev->magic == UB_EVENT_MAGIC) {
if (ev && ev->magic == UB_EVENT_MAGIC) {
fptr_ok(ev->vmt != &default_event_vmt ||
ev->vmt->del == my_event_del);
return (*ev->vmt->del)(ev);
@ -620,7 +618,7 @@ ub_timer_add(struct ub_event* ev, struct ub_event_base* base,
int
ub_timer_del(struct ub_event* ev)
{
if (ev->magic == UB_EVENT_MAGIC) {
if (ev && ev->magic == UB_EVENT_MAGIC) {
fptr_ok(ev->vmt != &default_event_vmt ||
ev->vmt->del_timer == my_timer_del);
return (*ev->vmt->del_timer)(ev);
@ -642,7 +640,7 @@ ub_signal_add(struct ub_event* ev, struct timeval* tv)
int
ub_signal_del(struct ub_event* ev)
{
if (ev->magic == UB_EVENT_MAGIC) {
if (ev && ev->magic == UB_EVENT_MAGIC) {
fptr_ok(ev->vmt != &default_event_vmt ||
ev->vmt->del_signal == my_signal_del);
return (*ev->vmt->del_signal)(ev);
@ -653,7 +651,7 @@ ub_signal_del(struct ub_event* ev)
void
ub_winsock_unregister_wsaevent(struct ub_event* ev)
{
if (ev->magic == UB_EVENT_MAGIC) {
if (ev && ev->magic == UB_EVENT_MAGIC) {
fptr_ok(ev->vmt != &default_event_vmt ||
ev->vmt->winsock_unregister_wsaevent ==
my_winsock_unregister_wsaevent);

5
contrib/unbound/util/winsock_event.c
View File

@ -262,8 +262,9 @@ static int handle_select(struct event_base* base, struct timeval* wait)
break; /* sanity check */
}
log_assert(numwait <= WSA_MAXIMUM_WAIT_EVENTS);
verbose(VERB_CLIENT, "winsock_event bmax=%d numwait=%d wait=%x "
"timeout=%d", base->max, numwait, (int)wait, (int)timeout);
verbose(VERB_CLIENT, "winsock_event bmax=%d numwait=%d wait=%s "
"timeout=%d", base->max, numwait, (wait?"<wait>":"<null>"),
(int)timeout);
/* do the wait */
if(numwait == 0) {

4
contrib/unbound/validator/autotrust.c
View File

@ -430,6 +430,8 @@ find_add_tp(struct val_anchors* anchors, uint8_t* rr, size_t rr_len,
}
tp = autr_tp_create(anchors, rr, dname_len, sldns_wirerr_get_class(rr,
rr_len, dname_len));
if(!tp)
return NULL;
lock_basic_lock(&tp->lock);
return tp;
}
@ -1201,7 +1203,7 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp)
if(fsync(fileno(out)) != 0)
log_err("could not fsync(%s): %s", fname, strerror(errno));
#else
FlushFileBuffers((HANDLE)_fileno(out));
FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out)));
#endif
if(fclose(out) != 0) {
fatal_exit("could not complete write: %s: %s",

60
contrib/unbound/validator/val_secalgo.c
View File

@ -350,6 +350,23 @@ i * the '44' is the total remaining length.
}
#endif /* USE_ECDSA */
#ifdef USE_ECDSA_EVP_WORKAROUND
static EVP_MD ecdsa_evp_256_md;
static EVP_MD ecdsa_evp_384_md;
void ecdsa_evp_workaround_init(void)
{
/* openssl before 1.0.0 fixes RSA with the SHA256
* hash in EVP. We create one for ecdsa_sha256 */
ecdsa_evp_256_md = *EVP_sha256();
ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC;
ecdsa_evp_256_md.verify = (void*)ECDSA_verify;
ecdsa_evp_384_md = *EVP_sha384();
ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC;
ecdsa_evp_384_md.verify = (void*)ECDSA_verify;
}
#endif /* USE_ECDSA_EVP_WORKAROUND */
/**
* Setup key and digest for verification. Adjust sig if necessary.
*
@ -478,20 +495,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
return 0;
}
#ifdef USE_ECDSA_EVP_WORKAROUND
/* openssl before 1.0.0 fixes RSA with the SHA256
* hash in EVP. We create one for ecdsa_sha256 */
{
static int md_ecdsa_256_done = 0;
static EVP_MD md;
if(!md_ecdsa_256_done) {
EVP_MD m = *EVP_sha256();
md_ecdsa_256_done = 1;
m.required_pkey_type[0] = (*evp_key)->type;
m.verify = (void*)ECDSA_verify;
md = m;
}
*digest_type = &md;
}
*digest_type = &ecdsa_evp_256_md;
#else
*digest_type = EVP_sha256();
#endif
@ -505,20 +509,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
return 0;
}
#ifdef USE_ECDSA_EVP_WORKAROUND
/* openssl before 1.0.0 fixes RSA with the SHA384
* hash in EVP. We create one for ecdsa_sha384 */
{
static int md_ecdsa_384_done = 0;
static EVP_MD md;
if(!md_ecdsa_384_done) {
EVP_MD m = *EVP_sha384();
md_ecdsa_384_done = 1;
m.required_pkey_type[0] = (*evp_key)->type;
m.verify = (void*)ECDSA_verify;
md = m;
}
*digest_type = &md;
}
*digest_type = &ecdsa_evp_384_md;
#else
*digest_type = EVP_sha384();
#endif
@ -601,7 +592,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
log_err("EVP_MD_CTX_new: malloc failure");
EVP_PKEY_free(evp_key);
if(dofree) free(sigblock);
else if(docrypto_free) CRYPTO_free(sigblock);
else if(docrypto_free) OPENSSL_free(sigblock);
return sec_status_unchecked;
}
if(EVP_VerifyInit(ctx, digest_type) == 0) {
@ -609,7 +600,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
EVP_MD_CTX_destroy(ctx);
EVP_PKEY_free(evp_key);
if(dofree) free(sigblock);
else if(docrypto_free) CRYPTO_free(sigblock);
else if(docrypto_free) OPENSSL_free(sigblock);
return sec_status_unchecked;
}
if(EVP_VerifyUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
@ -618,7 +609,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
EVP_MD_CTX_destroy(ctx);
EVP_PKEY_free(evp_key);
if(dofree) free(sigblock);
else if(docrypto_free) CRYPTO_free(sigblock);
else if(docrypto_free) OPENSSL_free(sigblock);
return sec_status_unchecked;
}
@ -632,7 +623,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
EVP_PKEY_free(evp_key);
if(dofree) free(sigblock);
else if(docrypto_free) CRYPTO_free(sigblock);
else if(docrypto_free) OPENSSL_free(sigblock);
if(res == 1) {
return sec_status_secure;
@ -1207,6 +1198,9 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
#include "macros.h"
#include "rsa.h"
#include "dsa.h"
#ifdef HAVE_NETTLE_DSA_COMPAT_H
#include "dsa-compat.h"
#endif
#include "asn1.h"
#ifdef USE_ECDSA
#include "ecdsa.h"
@ -1367,6 +1361,7 @@ dnskey_algo_id_is_supported(int id)
}
}
#ifdef USE_DSA
static char *
_verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
@ -1454,6 +1449,7 @@ _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
else
return NULL;
}
#endif /* USE_DSA */
static char *
_verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,

16
contrib/unbound/validator/val_sigcrypt.c
View File

@ -1283,15 +1283,23 @@ adjust_ttl(struct val_env* ve, uint32_t unow,
/* so now:
* d->ttl: rrset ttl read from message or cache. May be reduced
* origttl: original TTL from signature, authoritative TTL max.
* MIN_TTL: minimum TTL from config.
* expittl: TTL until the signature expires.
*
* Use the smallest of these.
* Use the smallest of these, but don't let origttl set the TTL
* below the minimum.
*/
if(d->ttl > (time_t)origttl) {
verbose(VERB_QUERY, "rrset TTL larger than original TTL,"
" adjusting TTL downwards");
if(MIN_TTL > (time_t)origttl && d->ttl > MIN_TTL) {
verbose(VERB_QUERY, "rrset TTL larger than original and minimum"
" TTL, adjusting TTL downwards to mimimum ttl");
d->ttl = MIN_TTL;
}
else if(MIN_TTL <= origttl && d->ttl > (time_t)origttl) {
verbose(VERB_QUERY, "rrset TTL larger than original TTL, "
"adjusting TTL downwards to original ttl");
d->ttl = origttl;
}
if(expittl > 0 && d->ttl > (time_t)expittl) {
verbose(VERB_ALGO, "rrset TTL larger than sig expiration ttl,"
" adjusting TTL downwards");

6
contrib/unbound/validator/validator.c
View File

@ -156,6 +156,9 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
return 1;
}
#ifdef USE_ECDSA_EVP_WORKAROUND
void ecdsa_evp_workaround_init(void);
#endif
int
val_init(struct module_env* env, int id)
{
@ -171,6 +174,9 @@ val_init(struct module_env* env, int id)
lock_basic_init(&val_env->bogus_lock);
lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus,
sizeof(val_env->num_rrset_bogus));
#ifdef USE_ECDSA_EVP_WORKAROUND
ecdsa_evp_workaround_init();
#endif
if(!val_apply_cfg(env, val_env, env->cfg)) {
log_err("validator: could not apply configuration settings.");
return 0;