Upgrade Unbound to 1.9.2.
This commit is contained in:
commit
a26dd17d56
16
contrib/unbound/.travis.yml
Normal file
16
contrib/unbound/.travis.yml
Normal file
@ -0,0 +1,16 @@
|
||||
sudo: false
|
||||
language: c
|
||||
compiler:
|
||||
- gcc
|
||||
addons:
|
||||
apt:
|
||||
packages:
|
||||
- libssl-dev
|
||||
- libevent-dev
|
||||
- libexpat-dev
|
||||
- clang
|
||||
script:
|
||||
- ./configure --enable-debug --disable-flto
|
||||
- make
|
||||
- make test
|
||||
- (cd testdata/clang-analysis.tdir; bash clang-analysis.test)
|
File diff suppressed because it is too large
Load Diff
37
contrib/unbound/README.md
Normal file
37
contrib/unbound/README.md
Normal file
@ -0,0 +1,37 @@
|
||||
# Unbound
|
||||
|
||||
[![Travis Build Status](https://travis-ci.org/NLnetLabs/unbound.svg?branch=master)](https://travis-ci.org/NLnetLabs/unbound)
|
||||
[![Packaging status](https://repology.org/badge/tiny-repos/unbound.svg)](https://repology.org/project/unbound/versions)
|
||||
|
||||
Unbound is a validating, recursive, caching DNS resolver. It is designed to be
|
||||
fast and lean and incorporates modern features based on open standards. If you
|
||||
have any feedback, we would love to hear from you. Don’t hesitate to
|
||||
[create an issue on Github](https://github.com/NLnetLabs/unbound/issues/new)
|
||||
or post a message on the [Unbound mailing list](https://nlnetlabs.nl/mailman/listinfo/unbound-users).
|
||||
You can lean more about Unbound by reading our
|
||||
[documentation](https://nlnetlabs.nl/documentation/unbound/).
|
||||
|
||||
## Compiling
|
||||
|
||||
Make sure you have the C toolchain, OpenSSL and its include files, and libexpat
|
||||
installed. Unbound can be compiled and installed using:
|
||||
|
||||
```
|
||||
./configure && make && make install
|
||||
```
|
||||
|
||||
You can use libevent if you want. libevent is useful when using many (10000)
|
||||
outgoing ports. By default max 256 ports are opened at the same time and the
|
||||
builtin alternative is equally capable and a little faster.
|
||||
|
||||
Use the `--with-libevent=dir` configure option to compile Unbound with libevent
|
||||
support.
|
||||
|
||||
## Unbound configuration
|
||||
|
||||
All of Unbound's configuration options are described in the man pages, which
|
||||
will be installed and are available on the Unbound
|
||||
[documentation page](https://nlnetlabs.nl/documentation/unbound/).
|
||||
|
||||
An example configuration file is located in
|
||||
[doc/example.conf](https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in).
|
8
contrib/unbound/aclocal.m4
vendored
8
contrib/unbound/aclocal.m4
vendored
@ -1,6 +1,6 @@
|
||||
# generated automatically by aclocal 1.15.1 -*- Autoconf -*-
|
||||
# generated automatically by aclocal 1.16.1 -*- Autoconf -*-
|
||||
|
||||
# Copyright (C) 1996-2017 Free Software Foundation, Inc.
|
||||
# Copyright (C) 1996-2018 Free Software Foundation, Inc.
|
||||
|
||||
# This file is free software; the Free Software Foundation
|
||||
# gives unlimited permission to copy and/or distribute it,
|
||||
@ -9390,7 +9390,7 @@ AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"],
|
||||
|
||||
# AM_CONDITIONAL -*- Autoconf -*-
|
||||
|
||||
# Copyright (C) 1997-2017 Free Software Foundation, Inc.
|
||||
# Copyright (C) 1997-2018 Free Software Foundation, Inc.
|
||||
#
|
||||
# This file is free software; the Free Software Foundation
|
||||
# gives unlimited permission to copy and/or distribute it,
|
||||
@ -9421,7 +9421,7 @@ AC_CONFIG_COMMANDS_PRE(
|
||||
Usually this means the macro was only invoked conditionally.]])
|
||||
fi])])
|
||||
|
||||
# Copyright (C) 2006-2017 Free Software Foundation, Inc.
|
||||
# Copyright (C) 2006-2018 Free Software Foundation, Inc.
|
||||
#
|
||||
# This file is free software; the Free Software Foundation
|
||||
# gives unlimited permission to copy and/or distribute it,
|
||||
|
@ -72,6 +72,19 @@
|
||||
# define be64toh(x) OSSwapBigToHostInt64(x)
|
||||
#endif
|
||||
|
||||
/* Some compilers do not define __BYTE_ORDER__, like IBM XLC on AIX */
|
||||
#ifndef be64toh
|
||||
#if defined(__sun) || defined(_AIX)
|
||||
# if __BIG_ENDIAN__
|
||||
# define be64toh(n) (n)
|
||||
# define htobe64(n) (n)
|
||||
# else
|
||||
# define be64toh(n) (((uint64_t)htonl((n) & 0xFFFFFFFF) << 32) | htonl((n) >> 32))
|
||||
# define htobe64(n) (((uint64_t)htonl((n) & 0xFFFFFFFF) << 32) | htonl((n) >> 32))
|
||||
# endif
|
||||
#endif
|
||||
#endif /* be64toh */
|
||||
|
||||
/** the unit test testframe for cachedb, its module state contains
|
||||
* a cache for a couple queries (in memory). */
|
||||
struct testframe_moddata {
|
||||
|
@ -140,6 +140,7 @@ fallback_getentropy_urandom(void *buf, size_t len)
|
||||
static inline void
|
||||
_rs_init(u_char *buf, size_t n)
|
||||
{
|
||||
assert(buf);
|
||||
if (n < KEYSZ + IVSZ)
|
||||
return;
|
||||
|
||||
|
2
contrib/unbound/config.guess
vendored
2
contrib/unbound/config.guess
vendored
@ -1,4 +1,4 @@
|
||||
#! /bin/sh
|
||||
#!/usr/bin/sh
|
||||
# Attempt to guess a canonical system name.
|
||||
# Copyright 1992-2016 Free Software Foundation, Inc.
|
||||
|
||||
|
@ -70,6 +70,9 @@
|
||||
/* Define to 1 if you have the `CRYPTO_cleanup_all_ex_data' function. */
|
||||
/* #undef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA */
|
||||
|
||||
/* Define to 1 if you have the `CRYPTO_THREADID_set_callback' function. */
|
||||
/* #undef HAVE_CRYPTO_THREADID_SET_CALLBACK */
|
||||
|
||||
/* Define to 1 if you have the `ctime_r' function. */
|
||||
#define HAVE_CTIME_R 1
|
||||
|
||||
@ -84,6 +87,10 @@
|
||||
if you don't. */
|
||||
/* #undef HAVE_DECL_ARC4RANDOM_UNIFORM */
|
||||
|
||||
/* Define to 1 if you have the declaration of `evsignal_assign', and to 0 if
|
||||
you don't. */
|
||||
/* #undef HAVE_DECL_EVSIGNAL_ASSIGN */
|
||||
|
||||
/* Define to 1 if you have the declaration of `inet_ntop', and to 0 if you
|
||||
don't. */
|
||||
#define HAVE_DECL_INET_NTOP 1
|
||||
@ -164,6 +171,9 @@
|
||||
/* Define to 1 if you have the `ERR_load_crypto_strings' function. */
|
||||
/* #undef HAVE_ERR_LOAD_CRYPTO_STRINGS */
|
||||
|
||||
/* Define to 1 if you have the `event_assign' function. */
|
||||
/* #undef HAVE_EVENT_ASSIGN */
|
||||
|
||||
/* Define to 1 if you have the `event_base_free' function. */
|
||||
/* #undef HAVE_EVENT_BASE_FREE */
|
||||
|
||||
@ -179,6 +189,9 @@
|
||||
/* Define to 1 if you have the <event.h> header file. */
|
||||
/* #undef HAVE_EVENT_H */
|
||||
|
||||
/* Define to 1 if you have the `EVP_aes_256_cbc' function. */
|
||||
#define HAVE_EVP_AES_256_CBC 1
|
||||
|
||||
/* Define to 1 if you have the `EVP_cleanup' function. */
|
||||
/* #undef HAVE_EVP_CLEANUP */
|
||||
|
||||
@ -188,6 +201,9 @@
|
||||
/* Define to 1 if you have the `EVP_dss1' function. */
|
||||
/* #undef HAVE_EVP_DSS1 */
|
||||
|
||||
/* Define to 1 if you have the `EVP_EncryptInit_ex' function. */
|
||||
#define HAVE_EVP_ENCRYPTINIT_EX 1
|
||||
|
||||
/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
|
||||
#define HAVE_EVP_MD_CTX_NEW 1
|
||||
|
||||
@ -260,6 +276,9 @@
|
||||
/* Define to 1 if you have the <hiredis/hiredis.h> header file. */
|
||||
/* #undef HAVE_HIREDIS_HIREDIS_H */
|
||||
|
||||
/* Define to 1 if you have the `HMAC_Init_ex' function. */
|
||||
#define HAVE_HMAC_INIT_EX 1
|
||||
|
||||
/* If you have HMAC_Update */
|
||||
#define HAVE_HMAC_UPDATE 1
|
||||
|
||||
@ -395,7 +414,7 @@
|
||||
/* Define to 1 if you have the `RAND_cleanup' function. */
|
||||
/* #undef HAVE_RAND_CLEANUP */
|
||||
|
||||
/* Define to 1 if you have the `reallocarray' function. */
|
||||
/* If we have reallocarray(3) */
|
||||
#define HAVE_REALLOCARRAY 1
|
||||
|
||||
/* Define to 1 if you have the `recvmsg' function. */
|
||||
@ -452,9 +471,15 @@
|
||||
/* Define if you have the SSL libraries installed. */
|
||||
#define HAVE_SSL /**/
|
||||
|
||||
/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
|
||||
#define HAVE_SSL_CTX_SET_CIPHERSUITES 1
|
||||
|
||||
/* Define to 1 if you have the `SSL_CTX_set_security_level' function. */
|
||||
#define HAVE_SSL_CTX_SET_SECURITY_LEVEL 1
|
||||
|
||||
/* Define to 1 if you have the `SSL_CTX_set_tlsext_ticket_key_cb' function. */
|
||||
/* #undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_CB */
|
||||
|
||||
/* Define to 1 if you have the `SSL_get0_peername' function. */
|
||||
#define HAVE_SSL_GET0_PEERNAME 1
|
||||
|
||||
@ -587,6 +612,9 @@
|
||||
/* Define to 1 if you have the <ws2tcpip.h> header file. */
|
||||
/* #undef HAVE_WS2TCPIP_H */
|
||||
|
||||
/* Define to 1 if you have the `X509_VERIFY_PARAM_set1_host' function. */
|
||||
#define HAVE_X509_VERIFY_PARAM_SET1_HOST 1
|
||||
|
||||
/* Define to 1 if you have the `_beginthreadex' function. */
|
||||
/* #undef HAVE__BEGINTHREADEX */
|
||||
|
||||
@ -643,7 +671,7 @@
|
||||
#define PACKAGE_NAME "unbound"
|
||||
|
||||
/* Define to the full name and version of this package. */
|
||||
#define PACKAGE_STRING "unbound 1.8.1"
|
||||
#define PACKAGE_STRING "unbound 1.9.2"
|
||||
|
||||
/* Define to the one symbol short name of this package. */
|
||||
#define PACKAGE_TARNAME "unbound"
|
||||
@ -652,7 +680,7 @@
|
||||
#define PACKAGE_URL ""
|
||||
|
||||
/* Define to the version of this package. */
|
||||
#define PACKAGE_VERSION "1.8.1"
|
||||
#define PACKAGE_VERSION "1.9.2"
|
||||
|
||||
/* default pidfile location */
|
||||
#define PIDFILE "/var/unbound/unbound.pid"
|
||||
@ -674,7 +702,7 @@
|
||||
#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
|
||||
|
||||
/* version number for resource files */
|
||||
#define RSRC_PACKAGE_VERSION 1,8,1,0
|
||||
#define RSRC_PACKAGE_VERSION 1,9,2,0
|
||||
|
||||
/* Directory to chdir to */
|
||||
#define RUN_DIR "/var/unbound"
|
||||
@ -945,8 +973,14 @@
|
||||
|
||||
|
||||
|
||||
#ifndef _OPENBSD_SOURCE
|
||||
#define _OPENBSD_SOURCE 1
|
||||
#endif
|
||||
|
||||
#ifndef UNBOUND_DEBUG
|
||||
# ifndef NDEBUG
|
||||
# define NDEBUG
|
||||
# endif
|
||||
#endif
|
||||
|
||||
/** Use small-ldns codebase */
|
||||
|
@ -69,6 +69,9 @@
|
||||
/* Define to 1 if you have the `CRYPTO_cleanup_all_ex_data' function. */
|
||||
#undef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
|
||||
|
||||
/* Define to 1 if you have the `CRYPTO_THREADID_set_callback' function. */
|
||||
#undef HAVE_CRYPTO_THREADID_SET_CALLBACK
|
||||
|
||||
/* Define to 1 if you have the `ctime_r' function. */
|
||||
#undef HAVE_CTIME_R
|
||||
|
||||
@ -83,6 +86,10 @@
|
||||
if you don't. */
|
||||
#undef HAVE_DECL_ARC4RANDOM_UNIFORM
|
||||
|
||||
/* Define to 1 if you have the declaration of `evsignal_assign', and to 0 if
|
||||
you don't. */
|
||||
#undef HAVE_DECL_EVSIGNAL_ASSIGN
|
||||
|
||||
/* Define to 1 if you have the declaration of `inet_ntop', and to 0 if you
|
||||
don't. */
|
||||
#undef HAVE_DECL_INET_NTOP
|
||||
@ -163,6 +170,9 @@
|
||||
/* Define to 1 if you have the `ERR_load_crypto_strings' function. */
|
||||
#undef HAVE_ERR_LOAD_CRYPTO_STRINGS
|
||||
|
||||
/* Define to 1 if you have the `event_assign' function. */
|
||||
#undef HAVE_EVENT_ASSIGN
|
||||
|
||||
/* Define to 1 if you have the `event_base_free' function. */
|
||||
#undef HAVE_EVENT_BASE_FREE
|
||||
|
||||
@ -178,6 +188,9 @@
|
||||
/* Define to 1 if you have the <event.h> header file. */
|
||||
#undef HAVE_EVENT_H
|
||||
|
||||
/* Define to 1 if you have the `EVP_aes_256_cbc' function. */
|
||||
#undef HAVE_EVP_AES_256_CBC
|
||||
|
||||
/* Define to 1 if you have the `EVP_cleanup' function. */
|
||||
#undef HAVE_EVP_CLEANUP
|
||||
|
||||
@ -187,6 +200,9 @@
|
||||
/* Define to 1 if you have the `EVP_dss1' function. */
|
||||
#undef HAVE_EVP_DSS1
|
||||
|
||||
/* Define to 1 if you have the `EVP_EncryptInit_ex' function. */
|
||||
#undef HAVE_EVP_ENCRYPTINIT_EX
|
||||
|
||||
/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
|
||||
#undef HAVE_EVP_MD_CTX_NEW
|
||||
|
||||
@ -259,6 +275,9 @@
|
||||
/* Define to 1 if you have the <hiredis/hiredis.h> header file. */
|
||||
#undef HAVE_HIREDIS_HIREDIS_H
|
||||
|
||||
/* Define to 1 if you have the `HMAC_Init_ex' function. */
|
||||
#undef HAVE_HMAC_INIT_EX
|
||||
|
||||
/* If you have HMAC_Update */
|
||||
#undef HAVE_HMAC_UPDATE
|
||||
|
||||
@ -394,7 +413,7 @@
|
||||
/* Define to 1 if you have the `RAND_cleanup' function. */
|
||||
#undef HAVE_RAND_CLEANUP
|
||||
|
||||
/* Define to 1 if you have the `reallocarray' function. */
|
||||
/* If we have reallocarray(3) */
|
||||
#undef HAVE_REALLOCARRAY
|
||||
|
||||
/* Define to 1 if you have the `recvmsg' function. */
|
||||
@ -451,9 +470,15 @@
|
||||
/* Define if you have the SSL libraries installed. */
|
||||
#undef HAVE_SSL
|
||||
|
||||
/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
|
||||
#undef HAVE_SSL_CTX_SET_CIPHERSUITES
|
||||
|
||||
/* Define to 1 if you have the `SSL_CTX_set_security_level' function. */
|
||||
#undef HAVE_SSL_CTX_SET_SECURITY_LEVEL
|
||||
|
||||
/* Define to 1 if you have the `SSL_CTX_set_tlsext_ticket_key_cb' function. */
|
||||
#undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_CB
|
||||
|
||||
/* Define to 1 if you have the `SSL_get0_peername' function. */
|
||||
#undef HAVE_SSL_GET0_PEERNAME
|
||||
|
||||
@ -586,6 +611,9 @@
|
||||
/* Define to 1 if you have the <ws2tcpip.h> header file. */
|
||||
#undef HAVE_WS2TCPIP_H
|
||||
|
||||
/* Define to 1 if you have the `X509_VERIFY_PARAM_set1_host' function. */
|
||||
#undef HAVE_X509_VERIFY_PARAM_SET1_HOST
|
||||
|
||||
/* Define to 1 if you have the `_beginthreadex' function. */
|
||||
#undef HAVE__BEGINTHREADEX
|
||||
|
||||
@ -944,8 +972,14 @@
|
||||
|
||||
|
||||
|
||||
#ifndef _OPENBSD_SOURCE
|
||||
#define _OPENBSD_SOURCE 1
|
||||
#endif
|
||||
|
||||
#ifndef UNBOUND_DEBUG
|
||||
# ifndef NDEBUG
|
||||
# define NDEBUG
|
||||
# endif
|
||||
#endif
|
||||
|
||||
/** Use small-ldns codebase */
|
||||
|
2
contrib/unbound/config.sub
vendored
2
contrib/unbound/config.sub
vendored
@ -1,4 +1,4 @@
|
||||
#! /bin/sh
|
||||
#!/usr/bin/sh
|
||||
# Configuration validation subroutine script.
|
||||
# Copyright 1992-2016 Free Software Foundation, Inc.
|
||||
|
||||
|
361
contrib/unbound/configure
vendored
361
contrib/unbound/configure
vendored
@ -1,6 +1,6 @@
|
||||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.8.1.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.9.2.
|
||||
#
|
||||
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
|
||||
#
|
||||
@ -590,8 +590,8 @@ MAKEFLAGS=
|
||||
# Identity of this package.
|
||||
PACKAGE_NAME='unbound'
|
||||
PACKAGE_TARNAME='unbound'
|
||||
PACKAGE_VERSION='1.8.1'
|
||||
PACKAGE_STRING='unbound 1.8.1'
|
||||
PACKAGE_VERSION='1.9.2'
|
||||
PACKAGE_STRING='unbound 1.9.2'
|
||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
|
||||
PACKAGE_URL=''
|
||||
|
||||
@ -694,9 +694,6 @@ swig
|
||||
SWIG_LIB
|
||||
SWIG
|
||||
PC_PY_DEPENDENCY
|
||||
PKG_CONFIG_LIBDIR
|
||||
PKG_CONFIG_PATH
|
||||
PKG_CONFIG
|
||||
PY_MAJOR_VERSION
|
||||
PYTHON_SITE_PKG
|
||||
PYTHON_LDFLAGS
|
||||
@ -710,6 +707,9 @@ PTHREAD_CC
|
||||
ax_pthread_config
|
||||
RUNTIME_PATH
|
||||
LIBOBJS
|
||||
PKG_CONFIG_LIBDIR
|
||||
PKG_CONFIG_PATH
|
||||
PKG_CONFIG
|
||||
LT_SYS_LIBRARY_PATH
|
||||
OTOOL64
|
||||
OTOOL
|
||||
@ -892,10 +892,10 @@ CPP
|
||||
YACC
|
||||
YFLAGS
|
||||
LT_SYS_LIBRARY_PATH
|
||||
PYTHON_VERSION
|
||||
PKG_CONFIG
|
||||
PKG_CONFIG_PATH
|
||||
PKG_CONFIG_LIBDIR
|
||||
PYTHON_VERSION
|
||||
SYSTEMD_CFLAGS
|
||||
SYSTEMD_LIBS
|
||||
SYSTEMD_DAEMON_CFLAGS
|
||||
@ -1440,7 +1440,7 @@ if test "$ac_init_help" = "long"; then
|
||||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures unbound 1.8.1 to adapt to many kinds of systems.
|
||||
\`configure' configures unbound 1.9.2 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
@ -1505,7 +1505,7 @@ fi
|
||||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of unbound 1.8.1:";;
|
||||
short | recursive ) echo "Configuration of unbound 1.9.2:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
@ -1638,15 +1638,15 @@ Some influential environment variables:
|
||||
default value of `-d' given by some make applications.
|
||||
LT_SYS_LIBRARY_PATH
|
||||
User-defined run-time library search path.
|
||||
PYTHON_VERSION
|
||||
The installed Python version to use, for example '2.3'. This
|
||||
string will be appended to the Python interpreter canonical
|
||||
name.
|
||||
PKG_CONFIG path to pkg-config utility
|
||||
PKG_CONFIG_PATH
|
||||
directories to add to pkg-config's search path
|
||||
PKG_CONFIG_LIBDIR
|
||||
path overriding pkg-config's built-in search path
|
||||
PYTHON_VERSION
|
||||
The installed Python version to use, for example '2.3'. This
|
||||
string will be appended to the Python interpreter canonical
|
||||
name.
|
||||
SYSTEMD_CFLAGS
|
||||
C compiler flags for SYSTEMD, overriding pkg-config
|
||||
SYSTEMD_LIBS
|
||||
@ -1722,7 +1722,7 @@ fi
|
||||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
unbound configure 1.8.1
|
||||
unbound configure 1.9.2
|
||||
generated by GNU Autoconf 2.69
|
||||
|
||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
@ -2431,7 +2431,7 @@ cat >config.log <<_ACEOF
|
||||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by unbound $as_me 1.8.1, which was
|
||||
It was created by unbound $as_me 1.9.2, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
@ -2781,14 +2781,14 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
|
||||
|
||||
UNBOUND_VERSION_MAJOR=1
|
||||
|
||||
UNBOUND_VERSION_MINOR=8
|
||||
UNBOUND_VERSION_MINOR=9
|
||||
|
||||
UNBOUND_VERSION_MICRO=1
|
||||
UNBOUND_VERSION_MICRO=2
|
||||
|
||||
|
||||
LIBUNBOUND_CURRENT=8
|
||||
LIBUNBOUND_REVISION=1
|
||||
LIBUNBOUND_AGE=0
|
||||
LIBUNBOUND_CURRENT=9
|
||||
LIBUNBOUND_REVISION=2
|
||||
LIBUNBOUND_AGE=1
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
# 1.0.2 had 0:14:0
|
||||
@ -2852,6 +2852,11 @@ LIBUNBOUND_AGE=0
|
||||
# 1.7.3 had 7:11:5
|
||||
# 1.8.0 had 8:0:0 # changes the event callback function signature
|
||||
# 1.8.1 had 8:1:0
|
||||
# 1.8.2 had 8:2:0
|
||||
# 1.8.3 had 8:3:0
|
||||
# 1.9.0 had 9:0:1 # add ub_ctx_set_tls
|
||||
# 1.9.1 had 9:1:1
|
||||
# 1.9.2 had 9:2:1
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@ -14555,6 +14560,127 @@ CC=$lt_save_CC
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
|
||||
if test -n "$ac_tool_prefix"; then
|
||||
# Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
|
||||
set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
$as_echo_n "checking for $ac_word... " >&6; }
|
||||
if ${ac_cv_path_PKG_CONFIG+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
case $PKG_CONFIG in
|
||||
[\\/]* | ?:[\\/]*)
|
||||
ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
|
||||
;;
|
||||
*)
|
||||
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
|
||||
for as_dir in $PATH
|
||||
do
|
||||
IFS=$as_save_IFS
|
||||
test -z "$as_dir" && as_dir=.
|
||||
for ac_exec_ext in '' $ac_executable_extensions; do
|
||||
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
|
||||
ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
|
||||
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
|
||||
break 2
|
||||
fi
|
||||
done
|
||||
done
|
||||
IFS=$as_save_IFS
|
||||
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
PKG_CONFIG=$ac_cv_path_PKG_CONFIG
|
||||
if test -n "$PKG_CONFIG"; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
|
||||
$as_echo "$PKG_CONFIG" >&6; }
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
fi
|
||||
|
||||
|
||||
fi
|
||||
if test -z "$ac_cv_path_PKG_CONFIG"; then
|
||||
ac_pt_PKG_CONFIG=$PKG_CONFIG
|
||||
# Extract the first word of "pkg-config", so it can be a program name with args.
|
||||
set dummy pkg-config; ac_word=$2
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
$as_echo_n "checking for $ac_word... " >&6; }
|
||||
if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
case $ac_pt_PKG_CONFIG in
|
||||
[\\/]* | ?:[\\/]*)
|
||||
ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
|
||||
;;
|
||||
*)
|
||||
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
|
||||
for as_dir in $PATH
|
||||
do
|
||||
IFS=$as_save_IFS
|
||||
test -z "$as_dir" && as_dir=.
|
||||
for ac_exec_ext in '' $ac_executable_extensions; do
|
||||
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
|
||||
ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
|
||||
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
|
||||
break 2
|
||||
fi
|
||||
done
|
||||
done
|
||||
IFS=$as_save_IFS
|
||||
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
|
||||
if test -n "$ac_pt_PKG_CONFIG"; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
|
||||
$as_echo "$ac_pt_PKG_CONFIG" >&6; }
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
fi
|
||||
|
||||
if test "x$ac_pt_PKG_CONFIG" = x; then
|
||||
PKG_CONFIG=""
|
||||
else
|
||||
case $cross_compiling:$ac_tool_warned in
|
||||
yes:)
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
|
||||
$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
|
||||
ac_tool_warned=yes ;;
|
||||
esac
|
||||
PKG_CONFIG=$ac_pt_PKG_CONFIG
|
||||
fi
|
||||
else
|
||||
PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
|
||||
fi
|
||||
|
||||
fi
|
||||
if test -n "$PKG_CONFIG"; then
|
||||
_pkg_min_version=0.9.0
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
|
||||
$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
|
||||
if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
PKG_CONFIG=""
|
||||
fi
|
||||
fi
|
||||
|
||||
# Checks for header files.
|
||||
for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h
|
||||
do :
|
||||
@ -17012,126 +17138,6 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h
|
||||
CPPFLAGS="$PYTHON_CPPFLAGS"
|
||||
fi
|
||||
ub_have_python=yes
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
|
||||
if test -n "$ac_tool_prefix"; then
|
||||
# Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
|
||||
set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
$as_echo_n "checking for $ac_word... " >&6; }
|
||||
if ${ac_cv_path_PKG_CONFIG+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
case $PKG_CONFIG in
|
||||
[\\/]* | ?:[\\/]*)
|
||||
ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
|
||||
;;
|
||||
*)
|
||||
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
|
||||
for as_dir in $PATH
|
||||
do
|
||||
IFS=$as_save_IFS
|
||||
test -z "$as_dir" && as_dir=.
|
||||
for ac_exec_ext in '' $ac_executable_extensions; do
|
||||
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
|
||||
ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
|
||||
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
|
||||
break 2
|
||||
fi
|
||||
done
|
||||
done
|
||||
IFS=$as_save_IFS
|
||||
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
PKG_CONFIG=$ac_cv_path_PKG_CONFIG
|
||||
if test -n "$PKG_CONFIG"; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
|
||||
$as_echo "$PKG_CONFIG" >&6; }
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
fi
|
||||
|
||||
|
||||
fi
|
||||
if test -z "$ac_cv_path_PKG_CONFIG"; then
|
||||
ac_pt_PKG_CONFIG=$PKG_CONFIG
|
||||
# Extract the first word of "pkg-config", so it can be a program name with args.
|
||||
set dummy pkg-config; ac_word=$2
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
$as_echo_n "checking for $ac_word... " >&6; }
|
||||
if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
case $ac_pt_PKG_CONFIG in
|
||||
[\\/]* | ?:[\\/]*)
|
||||
ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
|
||||
;;
|
||||
*)
|
||||
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
|
||||
for as_dir in $PATH
|
||||
do
|
||||
IFS=$as_save_IFS
|
||||
test -z "$as_dir" && as_dir=.
|
||||
for ac_exec_ext in '' $ac_executable_extensions; do
|
||||
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
|
||||
ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
|
||||
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
|
||||
break 2
|
||||
fi
|
||||
done
|
||||
done
|
||||
IFS=$as_save_IFS
|
||||
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
|
||||
if test -n "$ac_pt_PKG_CONFIG"; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
|
||||
$as_echo "$ac_pt_PKG_CONFIG" >&6; }
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
fi
|
||||
|
||||
if test "x$ac_pt_PKG_CONFIG" = x; then
|
||||
PKG_CONFIG=""
|
||||
else
|
||||
case $cross_compiling:$ac_tool_warned in
|
||||
yes:)
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
|
||||
$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
|
||||
ac_tool_warned=yes ;;
|
||||
esac
|
||||
PKG_CONFIG=$ac_pt_PKG_CONFIG
|
||||
fi
|
||||
else
|
||||
PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
|
||||
fi
|
||||
|
||||
fi
|
||||
if test -n "$PKG_CONFIG"; then
|
||||
_pkg_min_version=0.9.0
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
|
||||
$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
|
||||
if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
PKG_CONFIG=""
|
||||
fi
|
||||
fi
|
||||
if test -n "$PKG_CONFIG" && \
|
||||
{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\"python\${PY_MAJOR_VERSION}\"\""; } >&5
|
||||
($PKG_CONFIG --exists --print-errors ""python${PY_MAJOR_VERSION}"") 2>&5
|
||||
@ -17990,7 +17996,7 @@ fi
|
||||
|
||||
done
|
||||
|
||||
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify
|
||||
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback
|
||||
do :
|
||||
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
||||
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
|
||||
@ -18006,7 +18012,7 @@ done
|
||||
# these check_funcs need -lssl
|
||||
BAKLIBS="$LIBS"
|
||||
LIBS="-lssl $LIBS"
|
||||
for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername
|
||||
for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites
|
||||
do :
|
||||
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
||||
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
|
||||
@ -19007,6 +19013,35 @@ _ACEOF
|
||||
fi
|
||||
done
|
||||
# only in libev. (tested on 4.00)
|
||||
for ac_func in event_assign
|
||||
do :
|
||||
ac_fn_c_check_func "$LINENO" "event_assign" "ac_cv_func_event_assign"
|
||||
if test "x$ac_cv_func_event_assign" = xyes; then :
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_EVENT_ASSIGN 1
|
||||
_ACEOF
|
||||
|
||||
fi
|
||||
done
|
||||
# in libevent, for thread-safety
|
||||
ac_fn_c_check_decl "$LINENO" "evsignal_assign" "ac_cv_have_decl_evsignal_assign" "$ac_includes_default
|
||||
#ifdef HAVE_EVENT_H
|
||||
# include <event.h>
|
||||
#else
|
||||
# include \"event2/event.h\"
|
||||
#endif
|
||||
|
||||
"
|
||||
if test "x$ac_cv_have_decl_evsignal_assign" = xyes; then :
|
||||
ac_have_decl=1
|
||||
else
|
||||
ac_have_decl=0
|
||||
fi
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_DECL_EVSIGNAL_ASSIGN $ac_have_decl
|
||||
_ACEOF
|
||||
|
||||
PC_LIBEVENT_DEPENDENCY="libevent"
|
||||
|
||||
if test -n "$BAK_LDFLAGS_SET"; then
|
||||
@ -20109,20 +20144,44 @@ fi
|
||||
|
||||
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
|
||||
|
||||
ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
|
||||
if test "x$ac_cv_func_reallocarray" = xyes; then :
|
||||
$as_echo "#define HAVE_REALLOCARRAY 1" >>confdefs.h
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for reallocarray" >&5
|
||||
$as_echo_n "checking for reallocarray... " >&6; }
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
$ac_includes_default
|
||||
|
||||
#ifndef _OPENBSD_SOURCE
|
||||
#define _OPENBSD_SOURCE 1
|
||||
#endif
|
||||
#include <stdlib.h>
|
||||
int main(void) {
|
||||
void* p = reallocarray(NULL, 10, 100);
|
||||
free(p);
|
||||
return 0;
|
||||
}
|
||||
|
||||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
|
||||
$as_echo "#define HAVE_REALLOCARRAY 1" >>confdefs.h
|
||||
|
||||
|
||||
else
|
||||
case " $LIBOBJS " in
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
case " $LIBOBJS " in
|
||||
*" reallocarray.$ac_objext "* ) ;;
|
||||
*) LIBOBJS="$LIBOBJS reallocarray.$ac_objext"
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
fi
|
||||
|
||||
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
if test "$USE_NSS" = "no"; then
|
||||
ac_fn_c_check_func "$LINENO" "arc4random" "ac_cv_func_arc4random"
|
||||
if test "x$ac_cv_func_arc4random" = xyes; then :
|
||||
@ -21145,7 +21204,7 @@ _ACEOF
|
||||
|
||||
|
||||
|
||||
version=1.8.1
|
||||
version=1.9.2
|
||||
|
||||
date=`date +'%b %e, %Y'`
|
||||
|
||||
@ -21664,7 +21723,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
||||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by unbound $as_me 1.8.1, which was
|
||||
This file was extended by unbound $as_me 1.9.2, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
@ -21730,7 +21789,7 @@ _ACEOF
|
||||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||
ac_cs_version="\\
|
||||
unbound config.status 1.8.1
|
||||
unbound config.status 1.9.2
|
||||
configured by $0, generated by GNU Autoconf 2.69,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
@ -10,16 +10,16 @@ sinclude(dnscrypt/dnscrypt.m4)
|
||||
|
||||
# must be numbers. ac_defun because of later processing
|
||||
m4_define([VERSION_MAJOR],[1])
|
||||
m4_define([VERSION_MINOR],[8])
|
||||
m4_define([VERSION_MICRO],[1])
|
||||
m4_define([VERSION_MINOR],[9])
|
||||
m4_define([VERSION_MICRO],[2])
|
||||
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
|
||||
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
|
||||
|
||||
LIBUNBOUND_CURRENT=8
|
||||
LIBUNBOUND_REVISION=1
|
||||
LIBUNBOUND_AGE=0
|
||||
LIBUNBOUND_CURRENT=9
|
||||
LIBUNBOUND_REVISION=2
|
||||
LIBUNBOUND_AGE=1
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
# 1.0.2 had 0:14:0
|
||||
@ -83,6 +83,11 @@ LIBUNBOUND_AGE=0
|
||||
# 1.7.3 had 7:11:5
|
||||
# 1.8.0 had 8:0:0 # changes the event callback function signature
|
||||
# 1.8.1 had 8:1:0
|
||||
# 1.8.2 had 8:2:0
|
||||
# 1.8.3 had 8:3:0
|
||||
# 1.9.0 had 9:0:1 # add ub_ctx_set_tls
|
||||
# 1.9.1 had 9:1:1
|
||||
# 1.9.2 had 9:2:1
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@ -379,6 +384,8 @@ AC_CHECK_PROG(doxygen, doxygen, doxygen)
|
||||
AC_CHECK_TOOL(STRIP, strip)
|
||||
ACX_LIBTOOL_C_ONLY
|
||||
|
||||
PKG_PROG_PKG_CONFIG
|
||||
|
||||
# Checks for header files.
|
||||
AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h],,, [AC_INCLUDES_DEFAULT])
|
||||
|
||||
@ -638,7 +645,6 @@ if test x_$ub_test_python != x_no; then
|
||||
CPPFLAGS="$PYTHON_CPPFLAGS"
|
||||
fi
|
||||
ub_have_python=yes
|
||||
PKG_PROG_PKG_CONFIG
|
||||
PKG_CHECK_EXISTS(["python${PY_MAJOR_VERSION}"],
|
||||
[PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"],
|
||||
[PC_PY_DEPENDENCY="python"])
|
||||
@ -778,12 +784,12 @@ else
|
||||
AC_MSG_RESULT([no])
|
||||
fi
|
||||
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify])
|
||||
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback])
|
||||
|
||||
# these check_funcs need -lssl
|
||||
BAKLIBS="$LIBS"
|
||||
LIBS="-lssl $LIBS"
|
||||
AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername])
|
||||
AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites])
|
||||
LIBS="$BAKLIBS"
|
||||
|
||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
|
||||
@ -1194,6 +1200,14 @@ large outgoing port ranges. ])
|
||||
AC_CHECK_FUNCS([event_base_get_method]) # only in libevent 1.4.3 and later
|
||||
AC_CHECK_FUNCS([ev_loop]) # only in libev. (tested on 3.51)
|
||||
AC_CHECK_FUNCS([ev_default_loop]) # only in libev. (tested on 4.00)
|
||||
AC_CHECK_FUNCS([event_assign]) # in libevent, for thread-safety
|
||||
AC_CHECK_DECLS([evsignal_assign], [], [], [AC_INCLUDES_DEFAULT
|
||||
#ifdef HAVE_EVENT_H
|
||||
# include <event.h>
|
||||
#else
|
||||
# include "event2/event.h"
|
||||
#endif
|
||||
])
|
||||
PC_LIBEVENT_DEPENDENCY="libevent"
|
||||
AC_SUBST(PC_LIBEVENT_DEPENDENCY)
|
||||
if test -n "$BAK_LDFLAGS_SET"; then
|
||||
@ -1433,7 +1447,24 @@ AC_REPLACE_FUNCS(explicit_bzero)
|
||||
dnl without CTIME, ARC4-functions and without reallocarray.
|
||||
LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
|
||||
AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4)
|
||||
AC_REPLACE_FUNCS(reallocarray)
|
||||
AC_MSG_CHECKING([for reallocarray])
|
||||
AC_LINK_IFELSE([AC_LANG_SOURCE(AC_INCLUDES_DEFAULT
|
||||
[[
|
||||
#ifndef _OPENBSD_SOURCE
|
||||
#define _OPENBSD_SOURCE 1
|
||||
#endif
|
||||
#include <stdlib.h>
|
||||
int main(void) {
|
||||
void* p = reallocarray(NULL, 10, 100);
|
||||
free(p);
|
||||
return 0;
|
||||
}
|
||||
]])], [AC_MSG_RESULT(yes)
|
||||
AC_DEFINE(HAVE_REALLOCARRAY, 1, [If we have reallocarray(3)])
|
||||
], [
|
||||
AC_MSG_RESULT(no)
|
||||
AC_LIBOBJ(reallocarray)
|
||||
])
|
||||
if test "$USE_NSS" = "no"; then
|
||||
AC_REPLACE_FUNCS(arc4random)
|
||||
AC_REPLACE_FUNCS(arc4random_uniform)
|
||||
@ -1646,8 +1677,14 @@ AHX_CONFIG_EXT_FLAGS
|
||||
|
||||
dnl includes
|
||||
[
|
||||
#ifndef _OPENBSD_SOURCE
|
||||
#define _OPENBSD_SOURCE 1
|
||||
#endif
|
||||
|
||||
#ifndef UNBOUND_DEBUG
|
||||
# ifndef NDEBUG
|
||||
# define NDEBUG
|
||||
# endif
|
||||
#endif
|
||||
|
||||
/** Use small-ldns codebase */
|
||||
|
@ -38,3 +38,5 @@ distribution but may be helpful.
|
||||
* unbound-querycachedb.py: utility to show data stored in cachedb backend
|
||||
for a particular query name and type. It requires dnspython and (for
|
||||
redis backend) redis Python modules.
|
||||
* unbound-fuzzme.patch: adds unbound-fuzzme program that parses a packet from
|
||||
stdin. Used with fuzzers, patch from Jacob Hoffman-Andrews.
|
||||
|
@ -1,11 +1,11 @@
|
||||
Description: based on the included patch contrib/fastrpz.patch
|
||||
Author: fastrpz@farsightsecurity.com
|
||||
---
|
||||
Index: unboundfastrpz/Makefile.in
|
||||
===================================================================
|
||||
--- unboundfastrpz/Makefile.in (revision 4923)
|
||||
+++ unboundfastrpz/Makefile.in (working copy)
|
||||
@@ -23,6 +23,8 @@
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 03a6347..6758bea 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c
|
||||
CHECKLOCK_OBJ=@CHECKLOCK_OBJ@
|
||||
DNSTAP_SRC=@DNSTAP_SRC@
|
||||
DNSTAP_OBJ=@DNSTAP_OBJ@
|
||||
@ -14,7 +14,7 @@ Index: unboundfastrpz/Makefile.in
|
||||
DNSCRYPT_SRC=@DNSCRYPT_SRC@
|
||||
DNSCRYPT_OBJ=@DNSCRYPT_OBJ@
|
||||
WITH_PYTHONMODULE=@WITH_PYTHONMODULE@
|
||||
@@ -126,7 +128,7 @@
|
||||
@@ -126,7 +128,7 @@ validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
|
||||
edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
|
||||
edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
|
||||
cachedb/cachedb.c cachedb/redis.c respip/respip.c $(CHECKLOCK_SRC) \
|
||||
@ -23,7 +23,7 @@ Index: unboundfastrpz/Makefile.in
|
||||
COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
|
||||
as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
|
||||
iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
|
||||
@@ -139,7 +141,7 @@
|
||||
@@ -139,7 +141,7 @@ autotrust.lo val_anchor.lo \
|
||||
validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
|
||||
val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo redis.lo authzone.lo \
|
||||
$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
|
||||
@ -32,7 +32,7 @@ Index: unboundfastrpz/Makefile.in
|
||||
COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
|
||||
outside_network.lo
|
||||
COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo
|
||||
@@ -405,6 +407,11 @@
|
||||
@@ -405,6 +407,11 @@ dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/netevent.h
|
||||
|
||||
@ -44,11 +44,11 @@ Index: unboundfastrpz/Makefile.in
|
||||
# Python Module
|
||||
pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \
|
||||
pythonmod/interface.h \
|
||||
Index: unboundfastrpz/config.h.in
|
||||
===================================================================
|
||||
--- unboundfastrpz/config.h.in (revision 4923)
|
||||
+++ unboundfastrpz/config.h.in (working copy)
|
||||
@@ -1272,4 +1272,11 @@
|
||||
diff --git a/config.h.in b/config.h.in
|
||||
index 74c14d1..a18f4ff 100644
|
||||
--- a/config.h.in
|
||||
+++ b/config.h.in
|
||||
@@ -1305,4 +1305,11 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
|
||||
/** the version of unbound-control that this software implements */
|
||||
#define UNBOUND_CONTROL_VERSION 1
|
||||
|
||||
@ -61,11 +61,11 @@ Index: unboundfastrpz/config.h.in
|
||||
+#undef FASTRPZ_LIB_OPEN
|
||||
+/** turn on fastrpz response policy zones */
|
||||
+#undef ENABLE_FASTRPZ
|
||||
Index: unboundfastrpz/configure.ac
|
||||
===================================================================
|
||||
--- unboundfastrpz/configure.ac (revision 4923)
|
||||
+++ unboundfastrpz/configure.ac (working copy)
|
||||
@@ -6,6 +6,7 @@
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index abbecf0..6454274 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -6,6 +6,7 @@ sinclude(ax_pthread.m4)
|
||||
sinclude(acx_python.m4)
|
||||
sinclude(ac_pkg_swig.m4)
|
||||
sinclude(dnstap/dnstap.m4)
|
||||
@ -73,7 +73,7 @@ Index: unboundfastrpz/configure.ac
|
||||
sinclude(dnscrypt/dnscrypt.m4)
|
||||
|
||||
# must be numbers. ac_defun because of later processing
|
||||
@@ -1565,6 +1566,9 @@
|
||||
@@ -1586,6 +1587,9 @@ case "$enable_ipsecmod" in
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -83,10 +83,10 @@ Index: unboundfastrpz/configure.ac
|
||||
AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
|
||||
# on openBSD, the implicit rule make $< work.
|
||||
# on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
|
||||
Index: unboundfastrpz/daemon/daemon.c
|
||||
===================================================================
|
||||
--- unboundfastrpz/daemon/daemon.c (revision 4923)
|
||||
+++ unboundfastrpz/daemon/daemon.c (working copy)
|
||||
diff --git a/daemon/daemon.c b/daemon/daemon.c
|
||||
index 7461a26..706f8f6 100644
|
||||
--- a/daemon/daemon.c
|
||||
+++ b/daemon/daemon.c
|
||||
@@ -91,6 +91,9 @@
|
||||
#include "sldns/keyraw.h"
|
||||
#include "respip/respip.h"
|
||||
@ -97,36 +97,36 @@ Index: unboundfastrpz/daemon/daemon.c
|
||||
|
||||
#ifdef HAVE_SYSTEMD
|
||||
#include <systemd/sd-daemon.h>
|
||||
@@ -462,6 +465,14 @@
|
||||
@@ -460,6 +463,14 @@ daemon_create_workers(struct daemon* daemon)
|
||||
dt_apply_cfg(daemon->dtenv, daemon->cfg);
|
||||
#else
|
||||
fatal_exit("dnstap enabled in config but not built with dnstap support");
|
||||
#endif
|
||||
}
|
||||
+#endif
|
||||
+ }
|
||||
+ if(daemon->cfg->rpz_enable) {
|
||||
+#ifdef ENABLE_FASTRPZ
|
||||
+ rpz_init(&daemon->rpz_clist, &daemon->rpz_client, daemon->cfg);
|
||||
+#else
|
||||
+ fatal_exit("fastrpz enabled in config"
|
||||
+ " but not built with fastrpz");
|
||||
+#endif
|
||||
+ }
|
||||
#endif
|
||||
}
|
||||
for(i=0; i<daemon->num; i++) {
|
||||
if(!(daemon->workers[i] = worker_create(daemon, i,
|
||||
shufport+numport*i/daemon->num,
|
||||
@@ -719,6 +730,9 @@
|
||||
@@ -718,6 +729,9 @@ daemon_cleanup(struct daemon* daemon)
|
||||
#ifdef USE_DNSCRYPT
|
||||
dnsc_delete(daemon->dnscenv);
|
||||
daemon->dnscenv = NULL;
|
||||
#endif
|
||||
+#endif
|
||||
+#ifdef ENABLE_FASTRPZ
|
||||
+ rpz_delete(&daemon->rpz_clist, &daemon->rpz_client);
|
||||
+#endif
|
||||
#endif
|
||||
daemon->cfg = NULL;
|
||||
}
|
||||
|
||||
Index: unboundfastrpz/daemon/daemon.h
|
||||
===================================================================
|
||||
--- unboundfastrpz/daemon/daemon.h (revision 4923)
|
||||
+++ unboundfastrpz/daemon/daemon.h (working copy)
|
||||
@@ -136,6 +136,11 @@
|
||||
diff --git a/daemon/daemon.h b/daemon/daemon.h
|
||||
index 5749dbe..64ce230 100644
|
||||
--- a/daemon/daemon.h
|
||||
+++ b/daemon/daemon.h
|
||||
@@ -136,6 +136,11 @@ struct daemon {
|
||||
/** the dnscrypt environment */
|
||||
struct dnsc_env* dnscenv;
|
||||
#endif
|
||||
@ -138,10 +138,10 @@ Index: unboundfastrpz/daemon/daemon.h
|
||||
};
|
||||
|
||||
/**
|
||||
Index: unboundfastrpz/daemon/worker.c
|
||||
===================================================================
|
||||
--- unboundfastrpz/daemon/worker.c (revision 4923)
|
||||
+++ unboundfastrpz/daemon/worker.c (working copy)
|
||||
diff --git a/daemon/worker.c b/daemon/worker.c
|
||||
index fc93817..e435226 100644
|
||||
--- a/daemon/worker.c
|
||||
+++ b/daemon/worker.c
|
||||
@@ -75,6 +75,9 @@
|
||||
#include "libunbound/context.h"
|
||||
#include "libunbound/libworker.h"
|
||||
@ -152,7 +152,7 @@ Index: unboundfastrpz/daemon/worker.c
|
||||
#include "sldns/wire2str.h"
|
||||
#include "util/shm_side/shm_main.h"
|
||||
#include "dnscrypt/dnscrypt.h"
|
||||
@@ -533,8 +536,27 @@
|
||||
@@ -533,8 +536,27 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
|
||||
/* not secure */
|
||||
secure = 0;
|
||||
break;
|
||||
@ -180,7 +180,7 @@ Index: unboundfastrpz/daemon/worker.c
|
||||
/* return this delegation from the cache */
|
||||
edns_bak = *edns;
|
||||
edns->edns_version = EDNS_ADVERTISED_VERSION;
|
||||
@@ -702,6 +724,23 @@
|
||||
@@ -699,6 +721,23 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
|
||||
secure = 0;
|
||||
}
|
||||
} else secure = 0;
|
||||
@ -204,7 +204,7 @@ Index: unboundfastrpz/daemon/worker.c
|
||||
|
||||
edns_bak = *edns;
|
||||
edns->edns_version = EDNS_ADVERTISED_VERSION;
|
||||
@@ -1407,6 +1446,15 @@
|
||||
@@ -1409,6 +1448,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
|
||||
&repinfo->addr, repinfo->addrlen);
|
||||
goto send_reply;
|
||||
@ -220,7 +220,7 @@ Index: unboundfastrpz/daemon/worker.c
|
||||
}
|
||||
|
||||
/* If we've found a local alias, replace the qname with the alias
|
||||
@@ -1455,12 +1503,21 @@
|
||||
@@ -1457,12 +1505,21 @@ lookup_cache:
|
||||
h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
|
||||
if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) {
|
||||
/* answer from cache - we have acquired a readlock on it */
|
||||
@ -244,7 +244,7 @@ Index: unboundfastrpz/daemon/worker.c
|
||||
/* prefetch it if the prefetch TTL expired.
|
||||
* Note that if there is more than one pass
|
||||
* its qname must be that used for cache
|
||||
@@ -1514,11 +1571,19 @@
|
||||
@@ -1516,11 +1573,19 @@ lookup_cache:
|
||||
lock_rw_unlock(&e->lock);
|
||||
}
|
||||
if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) {
|
||||
@ -266,11 +266,11 @@ Index: unboundfastrpz/daemon/worker.c
|
||||
goto send_reply;
|
||||
}
|
||||
verbose(VERB_ALGO, "answer norec from cache -- "
|
||||
Index: unboundfastrpz/doc/unbound.conf.5.in
|
||||
===================================================================
|
||||
--- unboundfastrpz/doc/unbound.conf.5.in (revision 4923)
|
||||
+++ unboundfastrpz/doc/unbound.conf.5.in (working copy)
|
||||
@@ -1728,6 +1728,81 @@
|
||||
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
|
||||
index c14ee27..0b71eaf 100644
|
||||
--- a/doc/unbound.conf.5.in
|
||||
+++ b/doc/unbound.conf.5.in
|
||||
@@ -1795,6 +1795,81 @@ List domain for which the AAAA records are ignored and the A record is
|
||||
used by dns64 processing instead. Can be entered multiple times, list a
|
||||
new domain for which it applies, one per line. Applies also to names
|
||||
underneath the name given.
|
||||
@ -352,10 +352,11 @@ Index: unboundfastrpz/doc/unbound.conf.5.in
|
||||
.SS "DNSCrypt Options"
|
||||
.LP
|
||||
The
|
||||
Index: unboundfastrpz/fastrpz/librpz.h
|
||||
===================================================================
|
||||
--- unboundfastrpz/fastrpz/librpz.h (nonexistent)
|
||||
+++ unboundfastrpz/fastrpz/librpz.h (working copy)
|
||||
diff --git a/fastrpz/librpz.h b/fastrpz/librpz.h
|
||||
new file mode 100644
|
||||
index 0000000..645279d
|
||||
--- /dev/null
|
||||
+++ b/fastrpz/librpz.h
|
||||
@@ -0,0 +1,957 @@
|
||||
+/*
|
||||
+ * Define the interface from a DNS resolver to the Response Policy Zone
|
||||
@ -1314,10 +1315,11 @@ Index: unboundfastrpz/fastrpz/librpz.h
|
||||
+#endif /* LIBRPZ_LIB_OPEN */
|
||||
+
|
||||
+#endif /* LIBRPZ_H */
|
||||
Index: unboundfastrpz/fastrpz/rpz.c
|
||||
===================================================================
|
||||
--- unboundfastrpz/fastrpz/rpz.c (nonexistent)
|
||||
+++ unboundfastrpz/fastrpz/rpz.c (working copy)
|
||||
diff --git a/fastrpz/rpz.c b/fastrpz/rpz.c
|
||||
new file mode 100644
|
||||
index 0000000..c5ab780
|
||||
--- /dev/null
|
||||
+++ b/fastrpz/rpz.c
|
||||
@@ -0,0 +1,1352 @@
|
||||
+/*
|
||||
+ * fastrpz/rpz.c - interface to the fastrpz response policy zone library
|
||||
@ -2671,10 +2673,11 @@ Index: unboundfastrpz/fastrpz/rpz.c
|
||||
+}
|
||||
+
|
||||
+#endif /* ENABLE_FASTRPZ */
|
||||
Index: unboundfastrpz/fastrpz/rpz.h
|
||||
===================================================================
|
||||
--- unboundfastrpz/fastrpz/rpz.h (nonexistent)
|
||||
+++ unboundfastrpz/fastrpz/rpz.h (working copy)
|
||||
diff --git a/fastrpz/rpz.h b/fastrpz/rpz.h
|
||||
new file mode 100644
|
||||
index 0000000..5d7e31c
|
||||
--- /dev/null
|
||||
+++ b/fastrpz/rpz.h
|
||||
@@ -0,0 +1,138 @@
|
||||
+/*
|
||||
+ * fastrpz/rpz.h - interface to the fastrpz response policy zone library
|
||||
@ -2814,10 +2817,11 @@ Index: unboundfastrpz/fastrpz/rpz.h
|
||||
+
|
||||
+#endif /* ENABLE_FASTRPZ */
|
||||
+#endif /* UNBOUND_FASTRPZ_RPZ_H */
|
||||
Index: unboundfastrpz/fastrpz/rpz.m4
|
||||
===================================================================
|
||||
--- unboundfastrpz/fastrpz/rpz.m4 (nonexistent)
|
||||
+++ unboundfastrpz/fastrpz/rpz.m4 (working copy)
|
||||
diff --git a/fastrpz/rpz.m4 b/fastrpz/rpz.m4
|
||||
new file mode 100644
|
||||
index 0000000..2123535
|
||||
--- /dev/null
|
||||
+++ b/fastrpz/rpz.m4
|
||||
@@ -0,0 +1,64 @@
|
||||
+# fastrpz/rpz.m4
|
||||
+
|
||||
@ -2883,10 +2887,10 @@ Index: unboundfastrpz/fastrpz/rpz.m4
|
||||
+ AC_MSG_WARN([[dlopen and librpz.so needed for fastrpz]])
|
||||
+ fi
|
||||
+])
|
||||
Index: unboundfastrpz/iterator/iterator.c
|
||||
===================================================================
|
||||
--- unboundfastrpz/iterator/iterator.c (revision 4923)
|
||||
+++ unboundfastrpz/iterator/iterator.c (working copy)
|
||||
diff --git a/iterator/iterator.c b/iterator/iterator.c
|
||||
index c906c27..55bf218 100644
|
||||
--- a/iterator/iterator.c
|
||||
+++ b/iterator/iterator.c
|
||||
@@ -68,6 +68,9 @@
|
||||
#include "sldns/str2wire.h"
|
||||
#include "sldns/parseutil.h"
|
||||
@ -2895,9 +2899,9 @@ Index: unboundfastrpz/iterator/iterator.c
|
||||
+#include "fastrpz/rpz.h"
|
||||
+#endif
|
||||
|
||||
int
|
||||
iter_init(struct module_env* env, int id)
|
||||
@@ -525,6 +528,23 @@
|
||||
/* in msec */
|
||||
int UNKNOWN_SERVER_NICENESS = 376;
|
||||
@@ -551,6 +554,23 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME &&
|
||||
query_dname_compare(*mname, r->rk.dname) == 0 &&
|
||||
!iter_find_rrset_in_prepend_answer(iq, r)) {
|
||||
@ -2921,7 +2925,7 @@ Index: unboundfastrpz/iterator/iterator.c
|
||||
/* Add this relevant CNAME rrset to the prepend list.*/
|
||||
if(!iter_add_prepend_answer(qstate, iq, r))
|
||||
return 0;
|
||||
@@ -533,6 +553,9 @@
|
||||
@@ -559,6 +579,9 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
|
||||
/* Other rrsets in the section are ignored. */
|
||||
}
|
||||
@ -2931,7 +2935,7 @@ Index: unboundfastrpz/iterator/iterator.c
|
||||
/* add authority rrsets to authority prepend, for wildcarded CNAMEs */
|
||||
for(i=msg->rep->an_numrrsets; i<msg->rep->an_numrrsets +
|
||||
msg->rep->ns_numrrsets; i++) {
|
||||
@@ -1216,6 +1239,7 @@
|
||||
@@ -1195,6 +1218,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
uint8_t* delname;
|
||||
size_t delnamelen;
|
||||
struct dns_msg* msg = NULL;
|
||||
@ -2939,7 +2943,7 @@ Index: unboundfastrpz/iterator/iterator.c
|
||||
|
||||
log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo);
|
||||
/* check effort */
|
||||
@@ -1302,8 +1326,7 @@
|
||||
@@ -1281,8 +1305,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
}
|
||||
if(msg) {
|
||||
/* handle positive cache response */
|
||||
@ -2949,7 +2953,7 @@ Index: unboundfastrpz/iterator/iterator.c
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
log_dns_msg("msg from cache lookup", &msg->qinfo,
|
||||
msg->rep);
|
||||
@@ -1311,7 +1334,22 @@
|
||||
@@ -1290,7 +1313,22 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
(int)msg->rep->ttl,
|
||||
(int)msg->rep->prefetch_ttl);
|
||||
}
|
||||
@ -2972,7 +2976,7 @@ Index: unboundfastrpz/iterator/iterator.c
|
||||
if(type == RESPONSE_TYPE_CNAME) {
|
||||
uint8_t* sname = 0;
|
||||
size_t slen = 0;
|
||||
@@ -2716,6 +2754,62 @@
|
||||
@@ -2714,6 +2752,62 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
sock_list_insert(&qstate->reply_origin,
|
||||
&qstate->reply->addr, qstate->reply->addrlen,
|
||||
qstate->region);
|
||||
@ -3035,7 +3039,7 @@ Index: unboundfastrpz/iterator/iterator.c
|
||||
if(iq->minimisation_state != DONOT_MINIMISE_STATE
|
||||
&& !(iq->chase_flags & BIT_RD)) {
|
||||
if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
|
||||
@@ -3462,6 +3556,10 @@
|
||||
@@ -3467,12 +3561,44 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
* but only if we did recursion. The nonrecursion referral
|
||||
* from cache does not need to be stored in the msg cache. */
|
||||
if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) {
|
||||
@ -3046,7 +3050,6 @@ Index: unboundfastrpz/iterator/iterator.c
|
||||
iter_dns_store(qstate->env, &qstate->qinfo,
|
||||
iq->response->rep, 0, qstate->prefetch_leeway,
|
||||
iq->dp&&iq->dp->has_parent_side_NS,
|
||||
@@ -3468,6 +3566,34 @@
|
||||
qstate->region, qstate->query_flags);
|
||||
}
|
||||
}
|
||||
@ -3081,11 +3084,11 @@ Index: unboundfastrpz/iterator/iterator.c
|
||||
qstate->return_rcode = LDNS_RCODE_NOERROR;
|
||||
qstate->return_msg = iq->response;
|
||||
return 0;
|
||||
Index: unboundfastrpz/iterator/iterator.h
|
||||
===================================================================
|
||||
--- unboundfastrpz/iterator/iterator.h (revision 4923)
|
||||
+++ unboundfastrpz/iterator/iterator.h (working copy)
|
||||
@@ -386,6 +386,16 @@
|
||||
diff --git a/iterator/iterator.h b/iterator/iterator.h
|
||||
index a2f1b57..e1e4a73 100644
|
||||
--- a/iterator/iterator.h
|
||||
+++ b/iterator/iterator.h
|
||||
@@ -386,6 +386,16 @@ struct iter_qstate {
|
||||
*/
|
||||
int minimise_count;
|
||||
|
||||
@ -3102,11 +3105,11 @@ Index: unboundfastrpz/iterator/iterator.h
|
||||
/**
|
||||
* Count number of time-outs. Used to prevent resolving failures when
|
||||
* the QNAME minimisation QTYPE is blocked. */
|
||||
Index: unboundfastrpz/services/cache/dns.c
|
||||
===================================================================
|
||||
--- unboundfastrpz/services/cache/dns.c (revision 4923)
|
||||
+++ unboundfastrpz/services/cache/dns.c (working copy)
|
||||
@@ -928,6 +928,14 @@
|
||||
diff --git a/services/cache/dns.c b/services/cache/dns.c
|
||||
index aa4efec..5dd3412 100644
|
||||
--- a/services/cache/dns.c
|
||||
+++ b/services/cache/dns.c
|
||||
@@ -945,6 +945,14 @@ dns_cache_store(struct module_env* env, struct query_info* msgqinf,
|
||||
struct regional* region, uint32_t flags)
|
||||
{
|
||||
struct reply_info* rep = NULL;
|
||||
@ -3121,10 +3124,10 @@ Index: unboundfastrpz/services/cache/dns.c
|
||||
/* alloc, malloc properly (not in region, like msg is) */
|
||||
rep = reply_info_copy(msgrep, env->alloc, NULL);
|
||||
if(!rep)
|
||||
Index: unboundfastrpz/services/mesh.c
|
||||
===================================================================
|
||||
--- unboundfastrpz/services/mesh.c (revision 4923)
|
||||
+++ unboundfastrpz/services/mesh.c (working copy)
|
||||
diff --git a/services/mesh.c b/services/mesh.c
|
||||
index d96289e..2e9f267 100644
|
||||
--- a/services/mesh.c
|
||||
+++ b/services/mesh.c
|
||||
@@ -60,6 +60,9 @@
|
||||
#include "sldns/wire2str.h"
|
||||
#include "services/localzone.h"
|
||||
@ -3133,9 +3136,9 @@ Index: unboundfastrpz/services/mesh.c
|
||||
+#include "fastrpz/rpz.h"
|
||||
+#endif
|
||||
#include "respip/respip.h"
|
||||
#include "services/listen_dnsport.h"
|
||||
|
||||
/** subtract timers and the values do not overflow or become negative */
|
||||
@@ -1057,6 +1060,13 @@
|
||||
@@ -1072,6 +1075,13 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
|
||||
else secure = 0;
|
||||
if(!rep && rcode == LDNS_RCODE_NOERROR)
|
||||
rcode = LDNS_RCODE_SERVFAIL;
|
||||
@ -3149,7 +3152,7 @@ Index: unboundfastrpz/services/mesh.c
|
||||
/* send the reply */
|
||||
/* We don't reuse the encoded answer if either the previous or current
|
||||
* response has a local alias. We could compare the alias records
|
||||
@@ -1230,6 +1240,7 @@
|
||||
@@ -1247,6 +1257,7 @@ struct mesh_state* mesh_area_find(struct mesh_area* mesh,
|
||||
key.s.is_valrec = valrec;
|
||||
key.s.qinfo = *qinfo;
|
||||
key.s.query_flags = qflags;
|
||||
@ -3157,7 +3160,7 @@ Index: unboundfastrpz/services/mesh.c
|
||||
/* We are searching for a similar mesh state when we DO want to
|
||||
* aggregate the state. Thus unique is set to NULL. (default when we
|
||||
* desire aggregation).*/
|
||||
@@ -1276,6 +1287,10 @@
|
||||
@@ -1293,6 +1304,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
|
||||
if(!r)
|
||||
return 0;
|
||||
r->query_reply = *rep;
|
||||
@ -3168,11 +3171,11 @@ Index: unboundfastrpz/services/mesh.c
|
||||
r->edns = *edns;
|
||||
if(edns->opt_list) {
|
||||
r->edns.opt_list = edns_opt_copy_region(edns->opt_list,
|
||||
Index: unboundfastrpz/util/config_file.c
|
||||
===================================================================
|
||||
--- unboundfastrpz/util/config_file.c (revision 4923)
|
||||
+++ unboundfastrpz/util/config_file.c (working copy)
|
||||
@@ -1386,6 +1386,8 @@
|
||||
diff --git a/util/config_file.c b/util/config_file.c
|
||||
index 9b60254..d791f8f 100644
|
||||
--- a/util/config_file.c
|
||||
+++ b/util/config_file.c
|
||||
@@ -1418,6 +1418,8 @@ config_delete(struct config_file* cfg)
|
||||
free(cfg->dnstap_socket_path);
|
||||
free(cfg->dnstap_identity);
|
||||
free(cfg->dnstap_version);
|
||||
@ -3181,11 +3184,11 @@ Index: unboundfastrpz/util/config_file.c
|
||||
config_deldblstrlist(cfg->ratelimit_for_domain);
|
||||
config_deldblstrlist(cfg->ratelimit_below_domain);
|
||||
#ifdef USE_IPSECMOD
|
||||
Index: unboundfastrpz/util/config_file.h
|
||||
===================================================================
|
||||
--- unboundfastrpz/util/config_file.h (revision 4923)
|
||||
+++ unboundfastrpz/util/config_file.h (working copy)
|
||||
@@ -468,6 +468,11 @@
|
||||
diff --git a/util/config_file.h b/util/config_file.h
|
||||
index 3cffdbf..e0fa1c8 100644
|
||||
--- a/util/config_file.h
|
||||
+++ b/util/config_file.h
|
||||
@@ -490,6 +490,11 @@ struct config_file {
|
||||
/** true to disable DNSSEC lameness check in iterator */
|
||||
int disable_dnssec_lame_check;
|
||||
|
||||
@ -3197,11 +3200,11 @@ Index: unboundfastrpz/util/config_file.h
|
||||
/** ratelimit for ip addresses. 0 is off, otherwise qps (unless overridden) */
|
||||
int ip_ratelimit;
|
||||
/** number of slabs for ip_ratelimit cache */
|
||||
Index: unboundfastrpz/util/configlexer.lex
|
||||
===================================================================
|
||||
--- unboundfastrpz/util/configlexer.lex (revision 4923)
|
||||
+++ unboundfastrpz/util/configlexer.lex (working copy)
|
||||
@@ -429,6 +429,10 @@
|
||||
diff --git a/util/configlexer.lex b/util/configlexer.lex
|
||||
index 16b5bc5..038045d 100644
|
||||
--- a/util/configlexer.lex
|
||||
+++ b/util/configlexer.lex
|
||||
@@ -439,6 +439,10 @@ dnstap-log-forwarder-query-messages{COLON} {
|
||||
YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
|
||||
dnstap-log-forwarder-response-messages{COLON} {
|
||||
YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
|
||||
@ -3212,11 +3215,11 @@ Index: unboundfastrpz/util/configlexer.lex
|
||||
disable-dnssec-lame-check{COLON} { YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) }
|
||||
ip-ratelimit{COLON} { YDVAR(1, VAR_IP_RATELIMIT) }
|
||||
ratelimit{COLON} { YDVAR(1, VAR_RATELIMIT) }
|
||||
Index: unboundfastrpz/util/configparser.y
|
||||
===================================================================
|
||||
--- unboundfastrpz/util/configparser.y (revision 4923)
|
||||
+++ unboundfastrpz/util/configparser.y (working copy)
|
||||
@@ -125,6 +125,7 @@
|
||||
diff --git a/util/configparser.y b/util/configparser.y
|
||||
index c7b9169..bef15b5 100644
|
||||
--- a/util/configparser.y
|
||||
+++ b/util/configparser.y
|
||||
@@ -125,6 +125,7 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES
|
||||
%token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES
|
||||
%token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES
|
||||
@ -3224,7 +3227,7 @@ Index: unboundfastrpz/util/configparser.y
|
||||
%token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA
|
||||
%token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
|
||||
%token VAR_DISABLE_DNSSEC_LAME_CHECK
|
||||
@@ -164,7 +165,7 @@
|
||||
@@ -170,7 +171,7 @@ extern struct config_parser_state* cfg_parser;
|
||||
|
||||
%%
|
||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||
@ -3233,8 +3236,8 @@ Index: unboundfastrpz/util/configparser.y
|
||||
forwardstart contents_forward | pythonstart contents_py |
|
||||
rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
|
||||
dnscstart contents_dnsc | cachedbstart contents_cachedb |
|
||||
@@ -2546,6 +2547,50 @@
|
||||
(strcmp($2, "yes")==0);
|
||||
@@ -2710,6 +2711,50 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
+rpzstart: VAR_RPZ
|
||||
@ -3284,11 +3287,11 @@ Index: unboundfastrpz/util/configparser.y
|
||||
pythonstart: VAR_PYTHON
|
||||
{
|
||||
OUTYY(("\nP(python:)\n"));
|
||||
Index: unboundfastrpz/util/data/msgencode.c
|
||||
===================================================================
|
||||
--- unboundfastrpz/util/data/msgencode.c (revision 4923)
|
||||
+++ unboundfastrpz/util/data/msgencode.c (working copy)
|
||||
@@ -585,6 +585,35 @@
|
||||
diff --git a/util/data/msgencode.c b/util/data/msgencode.c
|
||||
index 4c0a555..e51e9b8 100644
|
||||
--- a/util/data/msgencode.c
|
||||
+++ b/util/data/msgencode.c
|
||||
@@ -590,6 +590,35 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
|
||||
return RETVAL_OK;
|
||||
}
|
||||
|
||||
@ -3324,7 +3327,7 @@ Index: unboundfastrpz/util/data/msgencode.c
|
||||
/** store query section in wireformat buffer, return RETVAL */
|
||||
static int
|
||||
insert_query(struct query_info* qinfo, struct compress_tree_node** tree,
|
||||
@@ -748,6 +777,19 @@
|
||||
@@ -753,6 +782,19 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
|
||||
return 0;
|
||||
}
|
||||
sldns_buffer_write_u16_at(buffer, 10, arcount);
|
||||
@ -3344,11 +3347,11 @@ Index: unboundfastrpz/util/data/msgencode.c
|
||||
}
|
||||
sldns_buffer_flip(buffer);
|
||||
return 1;
|
||||
Index: unboundfastrpz/util/data/packed_rrset.c
|
||||
===================================================================
|
||||
--- unboundfastrpz/util/data/packed_rrset.c (revision 4923)
|
||||
+++ unboundfastrpz/util/data/packed_rrset.c (working copy)
|
||||
@@ -255,6 +255,10 @@
|
||||
diff --git a/util/data/packed_rrset.c b/util/data/packed_rrset.c
|
||||
index 7b9d549..e44b2ce 100644
|
||||
--- a/util/data/packed_rrset.c
|
||||
+++ b/util/data/packed_rrset.c
|
||||
@@ -255,6 +255,10 @@ sec_status_to_string(enum sec_status s)
|
||||
case sec_status_insecure: return "sec_status_insecure";
|
||||
case sec_status_secure_sentinel_fail: return "sec_status_secure_sentinel_fail";
|
||||
case sec_status_secure: return "sec_status_secure";
|
||||
@ -3359,11 +3362,11 @@ Index: unboundfastrpz/util/data/packed_rrset.c
|
||||
}
|
||||
return "unknown_sec_status_value";
|
||||
}
|
||||
Index: unboundfastrpz/util/data/packed_rrset.h
|
||||
===================================================================
|
||||
--- unboundfastrpz/util/data/packed_rrset.h (revision 4923)
|
||||
+++ unboundfastrpz/util/data/packed_rrset.h (working copy)
|
||||
@@ -193,7 +193,15 @@
|
||||
diff --git a/util/data/packed_rrset.h b/util/data/packed_rrset.h
|
||||
index 3a5335d..2011321 100644
|
||||
--- a/util/data/packed_rrset.h
|
||||
+++ b/util/data/packed_rrset.h
|
||||
@@ -193,7 +193,15 @@ enum sec_status {
|
||||
sec_status_secure_sentinel_fail,
|
||||
/** SECURE means that the object (RRset or message) validated
|
||||
* according to local policy. */
|
||||
@ -3380,11 +3383,11 @@ Index: unboundfastrpz/util/data/packed_rrset.h
|
||||
};
|
||||
|
||||
/**
|
||||
Index: unboundfastrpz/util/netevent.c
|
||||
===================================================================
|
||||
--- unboundfastrpz/util/netevent.c (revision 4923)
|
||||
+++ unboundfastrpz/util/netevent.c (working copy)
|
||||
@@ -56,6 +56,9 @@
|
||||
diff --git a/util/netevent.c b/util/netevent.c
|
||||
index b8b2a09..5ccc29a 100644
|
||||
--- a/util/netevent.c
|
||||
+++ b/util/netevent.c
|
||||
@@ -57,6 +57,9 @@
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
@ -3394,7 +3397,7 @@ Index: unboundfastrpz/util/netevent.c
|
||||
|
||||
/* -------- Start of local definitions -------- */
|
||||
/** if CMSG_ALIGN is not defined on this platform, a workaround */
|
||||
@@ -588,6 +591,9 @@
|
||||
@@ -590,6 +593,9 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg)
|
||||
struct cmsghdr* cmsg;
|
||||
#endif /* S_SPLINT_S */
|
||||
|
||||
@ -3404,7 +3407,7 @@ Index: unboundfastrpz/util/netevent.c
|
||||
rep.c = (struct comm_point*)arg;
|
||||
log_assert(rep.c->type == comm_udp);
|
||||
|
||||
@@ -677,6 +683,9 @@
|
||||
@@ -679,6 +685,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
|
||||
int i;
|
||||
struct sldns_buffer *buffer;
|
||||
|
||||
@ -3414,7 +3417,7 @@ Index: unboundfastrpz/util/netevent.c
|
||||
rep.c = (struct comm_point*)arg;
|
||||
log_assert(rep.c->type == comm_udp);
|
||||
|
||||
@@ -720,6 +729,9 @@
|
||||
@@ -722,6 +731,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
|
||||
(void)comm_point_send_udp_msg(rep.c, buffer,
|
||||
(struct sockaddr*)&rep.addr, rep.addrlen);
|
||||
}
|
||||
@ -3424,9 +3427,9 @@ Index: unboundfastrpz/util/netevent.c
|
||||
if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for
|
||||
another UDP port. Note rep.c cannot be reused with TCP fd. */
|
||||
break;
|
||||
@@ -3035,6 +3047,9 @@
|
||||
comm_point_start_listening(repinfo->c, -1,
|
||||
repinfo->c->tcp_timeout_msec);
|
||||
@@ -3142,6 +3154,9 @@ comm_point_send_reply(struct comm_reply *repinfo)
|
||||
repinfo->c->tcp_timeout_msec);
|
||||
}
|
||||
}
|
||||
+#ifdef ENABLE_FASTRPZ
|
||||
+ rpz_end(repinfo);
|
||||
@ -3434,7 +3437,7 @@ Index: unboundfastrpz/util/netevent.c
|
||||
}
|
||||
|
||||
void
|
||||
@@ -3044,6 +3059,9 @@
|
||||
@@ -3151,6 +3166,9 @@ comm_point_drop_reply(struct comm_reply* repinfo)
|
||||
return;
|
||||
log_assert(repinfo && repinfo->c);
|
||||
log_assert(repinfo->c->type != comm_tcp_accept);
|
||||
@ -3443,22 +3446,22 @@ Index: unboundfastrpz/util/netevent.c
|
||||
+#endif
|
||||
if(repinfo->c->type == comm_udp)
|
||||
return;
|
||||
reclaim_tcp_handler(repinfo->c);
|
||||
@@ -3063,6 +3081,9 @@
|
||||
if(repinfo->c->tcp_req_info)
|
||||
@@ -3172,6 +3190,9 @@ comm_point_start_listening(struct comm_point* c, int newfd, int msec)
|
||||
{
|
||||
verbose(VERB_ALGO, "comm point start listening %d",
|
||||
c->fd==-1?newfd:c->fd);
|
||||
verbose(VERB_ALGO, "comm point start listening %d (%d msec)",
|
||||
c->fd==-1?newfd:c->fd, msec);
|
||||
+#ifdef ENABLE_FASTRPZ
|
||||
+ rpz_end(&c->repinfo);
|
||||
+#endif
|
||||
if(c->type == comm_tcp_accept && !c->tcp_free) {
|
||||
/* no use to start listening no free slots. */
|
||||
return;
|
||||
Index: unboundfastrpz/util/netevent.h
|
||||
===================================================================
|
||||
--- unboundfastrpz/util/netevent.h (revision 4923)
|
||||
+++ unboundfastrpz/util/netevent.h (working copy)
|
||||
@@ -120,6 +120,10 @@
|
||||
diff --git a/util/netevent.h b/util/netevent.h
|
||||
index d80c72b..0233292 100644
|
||||
--- a/util/netevent.h
|
||||
+++ b/util/netevent.h
|
||||
@@ -120,6 +120,10 @@ struct comm_reply {
|
||||
/** return type 0 (none), 4(IP4), 6(IP6) */
|
||||
int srctype;
|
||||
/* DnsCrypt context */
|
||||
@ -3469,11 +3472,11 @@ Index: unboundfastrpz/util/netevent.h
|
||||
#ifdef USE_DNSCRYPT
|
||||
uint8_t client_nonce[crypto_box_HALF_NONCEBYTES];
|
||||
uint8_t nmkey[crypto_box_BEFORENMBYTES];
|
||||
Index: unboundfastrpz/validator/validator.c
|
||||
===================================================================
|
||||
--- unboundfastrpz/validator/validator.c (revision 4923)
|
||||
+++ unboundfastrpz/validator/validator.c (working copy)
|
||||
@@ -2755,6 +2755,12 @@
|
||||
diff --git a/validator/validator.c b/validator/validator.c
|
||||
index fa8d541..5628ef0 100644
|
||||
--- a/validator/validator.c
|
||||
+++ b/validator/validator.c
|
||||
@@ -2755,6 +2755,12 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
default:
|
||||
/* NSEC proof did not work, try next */
|
||||
break;
|
||||
@ -3486,7 +3489,7 @@ Index: unboundfastrpz/validator/validator.c
|
||||
}
|
||||
|
||||
sec = nsec3_prove_nods(qstate->env, ve,
|
||||
@@ -2788,6 +2794,12 @@
|
||||
@@ -2788,6 +2794,12 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
default:
|
||||
/* NSEC3 proof did not work */
|
||||
break;
|
||||
|
@ -14,6 +14,7 @@ int ub_ctx_set_option(ub_ctx*, string, string);
|
||||
int ub_ctx_get_option(ub_ctx*, string, +string*);
|
||||
int ub_ctx_config(ub_ctx*, string);
|
||||
int ub_ctx_set_fwd(ub_ctx*, string);
|
||||
int ub_ctx_set_tls(ub_ctx*, bool(int));
|
||||
int ub_ctx_set_stub(ub_ctx*, string, string, bool(int));
|
||||
int ub_ctx_resolvconf(ub_ctx*, string);
|
||||
int ub_ctx_hosts(ub_ctx*, string);
|
||||
|
148
contrib/unbound/contrib/unbound-fuzzme.patch
Normal file
148
contrib/unbound/contrib/unbound-fuzzme.patch
Normal file
@ -0,0 +1,148 @@
|
||||
>From cc9b927f8f29d989ddb8415fe6508a538546abca Mon Sep 17 00:00:00 2001
|
||||
From: Jacob Hoffman-Andrews <github@hoffman-andrews.com>
|
||||
Date: Wed, 2 Jan 2019 22:52:51 -0800
|
||||
Subject: [PATCH] Add unbound-fuzzme.
|
||||
|
||||
This is a small program that simply parses a packet provided on stdout,
|
||||
for the purposes of fuzzing.
|
||||
---
|
||||
.gitignore | 1 +
|
||||
Makefile.in | 22 ++++++++++++++++++++--
|
||||
smallapp/unbound-fuzzme.c | 38 ++++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 59 insertions(+), 2 deletions(-)
|
||||
create mode 100644 smallapp/unbound-fuzzme.c
|
||||
|
||||
diff --git a/.gitignore b/.gitignore
|
||||
index f4527fd8..6163f905 100644
|
||||
--- a/.gitignore
|
||||
+++ b/.gitignore
|
||||
@@ -24,6 +24,7 @@
|
||||
/unbound-checkconf
|
||||
/unbound-control
|
||||
/unbound-control-setup
|
||||
+/unbound-fuzzme
|
||||
/unbound-host
|
||||
/unbound.h
|
||||
/asynclook
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index af5b10f6..dacf1ab5 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -177,6 +177,10 @@ shm_main.lo remote.lo stats.lo unbound.lo \
|
||||
worker.lo @WIN_DAEMON_OBJ@
|
||||
DAEMON_OBJ_LINK=$(DAEMON_OBJ) $(COMMON_OBJ_ALL_SYMBOLS) $(SLDNS_OBJ) \
|
||||
$(COMPAT_OBJ) @WIN_DAEMON_OBJ_LINK@
|
||||
+FUZZME_SRC=smallapp/unbound-fuzzme.c
|
||||
+FUZZME_OBJ=unbound-fuzzme.lo
|
||||
+FUZZME_OBJ_LINK=$(FUZZME_OBJ) worker_cb.lo $(COMMON_OBJ_ALL_SYMBOLS) $(SLDNS_OBJ) \
|
||||
+$(COMPAT_OBJ)
|
||||
CHECKCONF_SRC=smallapp/unbound-checkconf.c smallapp/worker_cb.c
|
||||
CHECKCONF_OBJ=unbound-checkconf.lo worker_cb.lo
|
||||
CHECKCONF_OBJ_LINK=$(CHECKCONF_OBJ) $(COMMON_OBJ_ALL_SYMBOLS) $(SLDNS_OBJ) \
|
||||
@@ -252,6 +256,7 @@ RSRC_OBJ=rsrc_svcinst.o rsrc_svcuninst.o rsrc_anchorupd.o rsrc_unbound.o \
|
||||
rsrc_unbound_checkconf.o
|
||||
|
||||
ALL_SRC=$(COMMON_SRC) $(UNITTEST_SRC) $(DAEMON_SRC) \
|
||||
+ $(FUZZME_SRC) \
|
||||
$(TESTBOUND_SRC) $(LOCKVERIFY_SRC) $(PKTVIEW_SRC) \
|
||||
$(MEMSTATS_SRC) $(CHECKCONF_SRC) $(LIBUNBOUND_SRC) $(HOST_SRC) \
|
||||
$(ASYNCLOOK_SRC) $(STREAMTCP_SRC) $(PERF_SRC) $(DELAYER_SRC) \
|
||||
@@ -259,6 +264,7 @@ ALL_SRC=$(COMMON_SRC) $(UNITTEST_SRC) $(DAEMON_SRC) \
|
||||
$(PYTHONMOD_SRC) $(PYUNBOUND_SRC) $(WIN_DAEMON_THE_SRC)\
|
||||
$(SVCINST_SRC) $(SVCUNINST_SRC) $(ANCHORUPD_SRC) $(SLDNS_SRC)
|
||||
ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
|
||||
+ $(FUZZME_OBJ) \
|
||||
$(TESTBOUND_OBJ) $(LOCKVERIFY_OBJ) $(PKTVIEW_OBJ) \
|
||||
$(MEMSTATS_OBJ) $(CHECKCONF_OBJ) $(LIBUNBOUND_OBJ) $(HOST_OBJ) \
|
||||
$(ASYNCLOOK_OBJ) $(STREAMTCP_OBJ) $(PERF_OBJ) $(DELAYER_OBJ) \
|
||||
@@ -274,7 +280,7 @@ LINK_LIB=$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFL
|
||||
|
||||
all: $(COMMON_OBJ) $(ALLTARGET)
|
||||
|
||||
-alltargets: unbound$(EXEEXT) unbound-checkconf$(EXEEXT) lib unbound-host$(EXEEXT) unbound-control$(EXEEXT) unbound-anchor$(EXEEXT) unbound-control-setup $(WINAPPS) $(PYUNBOUND_TARGET)
|
||||
+alltargets: unbound$(EXEEXT) unbound-checkconf$(EXEEXT) lib unbound-host$(EXEEXT) unbound-control$(EXEEXT) unbound-anchor$(EXEEXT) unbound-control-setup unbound-fuzzme$(EXEEXT) $(WINAPPS) $(PYUNBOUND_TARGET)
|
||||
|
||||
# compat with BSD make, register suffix, and an implicit rule to actualise it.
|
||||
.SUFFIXES: .lo
|
||||
@@ -325,6 +331,9 @@ libunbound.la: $(LIBUNBOUND_OBJ_LINK)
|
||||
unbound$(EXEEXT): $(DAEMON_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(DAEMON_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
+unbound-fuzzme$(EXEEXT): $(FUZZME_OBJ_LINK) libunbound.la
|
||||
+ $(LINK) -o $@ $(FUZZME_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
|
||||
+
|
||||
unbound-checkconf$(EXEEXT): $(CHECKCONF_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(CHECKCONF_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
@@ -447,7 +456,7 @@ util/configparser.c util/configparser.h: $(srcdir)/util/configparser.y
|
||||
|
||||
clean:
|
||||
rm -f *.o *.d *.lo *~ tags
|
||||
- rm -f unbound$(EXEEXT) unbound-checkconf$(EXEEXT) unbound-host$(EXEEXT) unbound-control$(EXEEXT) unbound-anchor$(EXEEXT) unbound-control-setup libunbound.la unbound.h
|
||||
+ rm -f unbound$(EXEEXT) unbound-checkconf$(EXEEXT) unbound-fuzzme$(EXEEXT) unbound-host$(EXEEXT) unbound-control$(EXEEXT) unbound-anchor$(EXEEXT) unbound-control-setup libunbound.la unbound.h
|
||||
rm -f $(ALL_SRC:.c=.lint)
|
||||
rm -f _unbound.la libunbound/python/libunbound_wrap.c libunbound/python/unbound.py pythonmod/interface.h pythonmod/unboundmodule.py
|
||||
rm -rf autom4te.cache .libs build doc/html doc/xml
|
||||
@@ -1183,6 +1192,15 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
|
||||
$(srcdir)/util/rtt.h $(srcdir)/services/authzone.h $(srcdir)/validator/val_kcache.h \
|
||||
$(srcdir)/validator/val_neg.h
|
||||
+unbound-fuzzme.lo unbound-fuzzme.o: $(srcdir)/smallapp/unbound-fuzzme.c \
|
||||
+ $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
+ $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \
|
||||
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \
|
||||
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \
|
||||
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
|
||||
+ $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \
|
||||
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
|
||||
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
|
||||
unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/remote.h \
|
||||
diff --git a/smallapp/unbound-fuzzme.c b/smallapp/unbound-fuzzme.c
|
||||
new file mode 100644
|
||||
index 00000000..74ae5204
|
||||
--- /dev/null
|
||||
+++ b/smallapp/unbound-fuzzme.c
|
||||
@@ -0,0 +1,38 @@
|
||||
+/*
|
||||
+ * unbound-fuzzme.c - parse a packet provided on stdin (for fuzzing).
|
||||
+ *
|
||||
+ */
|
||||
+#include "config.h"
|
||||
+#include "util/regional.h"
|
||||
+#include "util/fptr_wlist.h"
|
||||
+#include "sldns/sbuffer.h"
|
||||
+
|
||||
+#define SZ 10000
|
||||
+
|
||||
+int main() {
|
||||
+ char buffer[SZ];
|
||||
+ size_t n_read = fread(buffer, 1, SZ, stdin);
|
||||
+ if (n_read == SZ) {
|
||||
+ printf("input too big\n");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ sldns_buffer *pkt = sldns_buffer_new(n_read);
|
||||
+ sldns_buffer_init_frm_data(pkt, buffer, n_read);
|
||||
+
|
||||
+ struct regional *region = regional_create();
|
||||
+
|
||||
+ struct msg_parse* prs;
|
||||
+ struct edns_data edns;
|
||||
+ prs = (struct msg_parse*)malloc(sizeof(struct msg_parse));
|
||||
+ if(!prs) {
|
||||
+ printf("out of memory on incoming message\n");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ memset(prs, 0, sizeof(*prs));
|
||||
+ memset(&edns, 0, sizeof(edns));
|
||||
+ sldns_buffer_set_position(pkt, 0);
|
||||
+ if(parse_packet(pkt, prs, region) != LDNS_RCODE_NOERROR) {
|
||||
+ printf("parse error\n");
|
||||
+ return 1;
|
||||
+ }
|
||||
+}
|
||||
--
|
||||
2.17.1
|
||||
|
@ -39,13 +39,13 @@ start() {
|
||||
# setup root jail
|
||||
if [ -s /etc/localtime ]; then
|
||||
[ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ;
|
||||
if [ ! -e ${rootdir}/etc/localtime ] || /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then
|
||||
if [ ! -e ${rootdir}/etc/localtime ] || ! /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then
|
||||
cp -fp /etc/localtime ${rootdir}/etc/localtime
|
||||
fi;
|
||||
fi;
|
||||
if [ -s /etc/resolv.conf ]; then
|
||||
[ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ;
|
||||
if [ ! -e ${rootdir}/etc/resolv.conf ] || /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then
|
||||
if [ ! -e ${rootdir}/etc/resolv.conf ] || ! /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then
|
||||
cp -fp /etc/resolv.conf ${rootdir}/etc/resolv.conf
|
||||
fi;
|
||||
fi;
|
||||
|
@ -749,6 +749,7 @@ daemon_delete(struct daemon* daemon)
|
||||
free(daemon->pidfile);
|
||||
free(daemon->env);
|
||||
#ifdef HAVE_SSL
|
||||
listen_sslctx_delete_ticket_keys();
|
||||
SSL_CTX_free((SSL_CTX*)daemon->listen_sslctx);
|
||||
SSL_CTX_free((SSL_CTX*)daemon->connect_sslctx);
|
||||
#endif
|
||||
@ -769,7 +770,7 @@ daemon_delete(struct daemon* daemon)
|
||||
# endif
|
||||
# ifdef HAVE_OPENSSL_CONFIG
|
||||
EVP_cleanup();
|
||||
# if OPENSSL_VERSION_NUMBER < 0x10100000
|
||||
# if (OPENSSL_VERSION_NUMBER < 0x10100000) && !defined(OPENSSL_NO_ENGINE)
|
||||
ENGINE_cleanup();
|
||||
# endif
|
||||
CONF_modules_free();
|
||||
|
@ -789,7 +789,8 @@ print_longnum(RES* ssl, const char* desc, size_t x)
|
||||
|
||||
/** print mem stats */
|
||||
static int
|
||||
print_mem(RES* ssl, struct worker* worker, struct daemon* daemon)
|
||||
print_mem(RES* ssl, struct worker* worker, struct daemon* daemon,
|
||||
struct ub_stats_info* s)
|
||||
{
|
||||
size_t msg, rrset, val, iter, respip;
|
||||
#ifdef CLIENT_SUBNET
|
||||
@ -847,6 +848,9 @@ print_mem(RES* ssl, struct worker* worker, struct daemon* daemon)
|
||||
dnscrypt_nonce))
|
||||
return 0;
|
||||
#endif /* USE_DNSCRYPT */
|
||||
if(!print_longnum(ssl, "mem.streamwait"SQ,
|
||||
(size_t)s->svr.mem_stream_wait))
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -969,6 +973,8 @@ print_ext(RES* ssl, struct ub_stats_info* s)
|
||||
(unsigned long)s->svr.qtcp_outgoing)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.tls"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qtls)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.tls.resume"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qtls_resume)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.ipv6"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qipv6)) return 0;
|
||||
/* flags */
|
||||
@ -1088,7 +1094,7 @@ do_stats(RES* ssl, struct daemon_remote* rc, int reset)
|
||||
if(!print_uptime(ssl, rc->worker, reset))
|
||||
return;
|
||||
if(daemon->cfg->stat_extended) {
|
||||
if(!print_mem(ssl, rc->worker, daemon))
|
||||
if(!print_mem(ssl, rc->worker, daemon, &total))
|
||||
return;
|
||||
if(!print_hist(ssl, &total))
|
||||
return;
|
||||
@ -1428,6 +1434,28 @@ do_view_data_add(RES* ssl, struct worker* worker, char* arg)
|
||||
lock_rw_unlock(&v->lock);
|
||||
}
|
||||
|
||||
/** Add new RR data from stdin to view */
|
||||
static void
|
||||
do_view_datas_add(RES* ssl, struct worker* worker, char* arg)
|
||||
{
|
||||
struct view* v;
|
||||
v = views_find_view(worker->daemon->views,
|
||||
arg, 1 /* get write lock*/);
|
||||
if(!v) {
|
||||
ssl_printf(ssl,"no view with name: %s\n", arg);
|
||||
return;
|
||||
}
|
||||
if(!v->local_zones) {
|
||||
if(!(v->local_zones = local_zones_create())){
|
||||
lock_rw_unlock(&v->lock);
|
||||
ssl_printf(ssl,"error out of memory\n");
|
||||
return;
|
||||
}
|
||||
}
|
||||
do_datas_add(ssl, v->local_zones);
|
||||
lock_rw_unlock(&v->lock);
|
||||
}
|
||||
|
||||
/** Remove RR data from view */
|
||||
static void
|
||||
do_view_data_remove(RES* ssl, struct worker* worker, char* arg)
|
||||
@ -1959,7 +1987,7 @@ parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names)
|
||||
return NULL;
|
||||
}
|
||||
} else {
|
||||
#ifndef HAVE_SSL_SET1_HOST
|
||||
#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
|
||||
if(auth_name)
|
||||
log_err("no name verification functionality in "
|
||||
"ssl library, ignored name for %s", todo);
|
||||
@ -2456,7 +2484,7 @@ do_auth_zone_reload(RES* ssl, struct worker* worker, char* arg)
|
||||
(void)ssl_printf(ssl, "error no auth-zone %s\n", arg);
|
||||
return;
|
||||
}
|
||||
if(!auth_zone_read_zonefile(z)) {
|
||||
if(!auth_zone_read_zonefile(z, worker->env.cfg)) {
|
||||
lock_rw_unlock(&z->lock);
|
||||
(void)ssl_printf(ssl, "error failed to read %s\n", arg);
|
||||
return;
|
||||
@ -2963,6 +2991,8 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd,
|
||||
do_view_data_remove(ssl, worker, skipwhite(p+22));
|
||||
} else if(cmdcmp(p, "view_local_data", 15)) {
|
||||
do_view_data_add(ssl, worker, skipwhite(p+15));
|
||||
} else if(cmdcmp(p, "view_local_datas", 16)) {
|
||||
do_view_datas_add(ssl, worker, skipwhite(p+16));
|
||||
} else if(cmdcmp(p, "flush_zone", 10)) {
|
||||
do_flush_zone(ssl, worker, skipwhite(p+10));
|
||||
} else if(cmdcmp(p, "flush_type", 10)) {
|
||||
|
@ -66,6 +66,9 @@
|
||||
#ifdef CLIENT_SUBNET
|
||||
#include "edns-subnet/subnetmod.h"
|
||||
#endif
|
||||
#ifdef HAVE_SSL
|
||||
#include <openssl/ssl.h>
|
||||
#endif
|
||||
|
||||
/** add timers and the values do not overflow or become negative */
|
||||
static void
|
||||
@ -328,6 +331,8 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
|
||||
}
|
||||
lock_rw_unlock(&worker->env.auth_zones->lock);
|
||||
}
|
||||
s->svr.mem_stream_wait =
|
||||
(long long)tcp_req_info_get_stream_buffer_size();
|
||||
|
||||
/* Set neg cache usage numbers */
|
||||
set_neg_cache_stats(worker, &s->svr, reset);
|
||||
@ -412,6 +417,7 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
|
||||
total->svr.qtcp += a->svr.qtcp;
|
||||
total->svr.qtcp_outgoing += a->svr.qtcp_outgoing;
|
||||
total->svr.qtls += a->svr.qtls;
|
||||
total->svr.qtls_resume += a->svr.qtls_resume;
|
||||
total->svr.qipv6 += a->svr.qipv6;
|
||||
total->svr.qbit_QR += a->svr.qbit_QR;
|
||||
total->svr.qbit_AA += a->svr.qbit_AA;
|
||||
@ -468,8 +474,13 @@ void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
|
||||
stats->qopcode[ LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) ]++;
|
||||
if(c->type != comm_udp) {
|
||||
stats->qtcp++;
|
||||
if(c->ssl != NULL)
|
||||
if(c->ssl != NULL) {
|
||||
stats->qtls++;
|
||||
#ifdef HAVE_SSL
|
||||
if(SSL_session_reused(c->ssl))
|
||||
stats->qtls_resume++;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
if(repinfo && addr_is_ip6(&repinfo->addr, repinfo->addrlen))
|
||||
stats->qipv6++;
|
||||
|
@ -67,6 +67,7 @@
|
||||
#ifdef HAVE_GRP_H
|
||||
#include <grp.h>
|
||||
#endif
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
#ifndef S_SPLINT_S
|
||||
/* splint chokes on this system header file */
|
||||
@ -430,6 +431,24 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
|
||||
if(!(daemon->listen_sslctx = listen_sslctx_create(
|
||||
cfg->ssl_service_key, cfg->ssl_service_pem, NULL)))
|
||||
fatal_exit("could not set up listen SSL_CTX");
|
||||
if(cfg->tls_ciphers && cfg->tls_ciphers[0]) {
|
||||
if (!SSL_CTX_set_cipher_list(daemon->listen_sslctx, cfg->tls_ciphers)) {
|
||||
fatal_exit("failed to set tls-cipher %s", cfg->tls_ciphers);
|
||||
}
|
||||
}
|
||||
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
|
||||
if(cfg->tls_ciphersuites && cfg->tls_ciphersuites[0]) {
|
||||
if (!SSL_CTX_set_ciphersuites(daemon->listen_sslctx, cfg->tls_ciphersuites)) {
|
||||
fatal_exit("failed to set tls-ciphersuites %s", cfg->tls_ciphersuites);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
if(cfg->tls_session_ticket_keys.first &&
|
||||
cfg->tls_session_ticket_keys.first->str[0] != 0) {
|
||||
if(!listen_sslctx_setup_ticket_keys(daemon->listen_sslctx, cfg->tls_session_ticket_keys.first)) {
|
||||
fatal_exit("could not set session ticket SSL_CTX");
|
||||
}
|
||||
}
|
||||
}
|
||||
if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL,
|
||||
cfg->tls_cert_bundle, cfg->tls_win_cert)))
|
||||
|
@ -660,10 +660,7 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
|
||||
if(!reply_check_cname_chain(qinfo, rep)) {
|
||||
/* cname chain invalid, redo iterator steps */
|
||||
verbose(VERB_ALGO, "Cache reply: cname chain broken");
|
||||
bail_out:
|
||||
rrset_array_unlock_touch(worker->env.rrset_cache,
|
||||
worker->scratchpad, rep->ref, rep->rrset_count);
|
||||
return 0;
|
||||
goto bail_out;
|
||||
}
|
||||
}
|
||||
/* check security status of the cached answer */
|
||||
@ -758,6 +755,11 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
|
||||
}
|
||||
/* go and return this buffer to the client */
|
||||
return 1;
|
||||
|
||||
bail_out:
|
||||
rrset_array_unlock_touch(worker->env.rrset_cache,
|
||||
worker->scratchpad, rep->ref, rep->rrset_count);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** Reply to client and perform prefetch to keep cache up to date.
|
||||
@ -770,8 +772,14 @@ reply_and_prefetch(struct worker* worker, struct query_info* qinfo,
|
||||
{
|
||||
/* first send answer to client to keep its latency
|
||||
* as small as a cachereply */
|
||||
if(sldns_buffer_limit(repinfo->c->buffer) != 0)
|
||||
if(sldns_buffer_limit(repinfo->c->buffer) != 0) {
|
||||
if(repinfo->c->tcp_req_info) {
|
||||
sldns_buffer_copy(
|
||||
repinfo->c->tcp_req_info->spool_buffer,
|
||||
repinfo->c->buffer);
|
||||
}
|
||||
comm_point_send_reply(repinfo);
|
||||
}
|
||||
server_stats_prefetch(&worker->stats, worker);
|
||||
|
||||
/* create the prefetch in the mesh as a normal lookup without
|
||||
@ -1088,7 +1096,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
struct ub_packed_rrset_key* alias_rrset = NULL;
|
||||
struct reply_info* partial_rep = NULL;
|
||||
struct query_info* lookup_qinfo = &qinfo;
|
||||
struct query_info qinfo_tmp; /* placeholdoer for lookup_qinfo */
|
||||
struct query_info qinfo_tmp; /* placeholder for lookup_qinfo */
|
||||
struct respip_client_info* cinfo = NULL, cinfo_tmp;
|
||||
memset(&qinfo, 0, sizeof(qinfo));
|
||||
|
||||
@ -1171,11 +1179,11 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
|
||||
/* check if this query should be dropped based on source ip rate limiting */
|
||||
if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo,
|
||||
*worker->env.now)) {
|
||||
*worker->env.now, c->buffer)) {
|
||||
/* See if we are passed through with slip factor */
|
||||
if(worker->env.cfg->ip_ratelimit_factor != 0 &&
|
||||
ub_random_max(worker->env.rnd,
|
||||
worker->env.cfg->ip_ratelimit_factor) == 1) {
|
||||
worker->env.cfg->ip_ratelimit_factor) == 0) {
|
||||
|
||||
char addrbuf[128];
|
||||
addr_to_str(&repinfo->addr, repinfo->addrlen,
|
||||
@ -1208,7 +1216,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
if(worker->env.cfg->log_queries) {
|
||||
char ip[128];
|
||||
addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
|
||||
log_nametypeclass(0, ip, qinfo.qname, qinfo.qtype, qinfo.qclass);
|
||||
log_query_in(ip, qinfo.qname, qinfo.qtype, qinfo.qclass);
|
||||
}
|
||||
if(qinfo.qtype == LDNS_RR_TYPE_AXFR ||
|
||||
qinfo.qtype == LDNS_RR_TYPE_IXFR) {
|
||||
@ -1559,8 +1567,17 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
if(worker->env.cfg->log_replies)
|
||||
{
|
||||
struct timeval tv = {0, 0};
|
||||
log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen,
|
||||
tv, 1, c->buffer);
|
||||
if(qinfo.local_alias && qinfo.local_alias->rrset &&
|
||||
qinfo.local_alias->rrset->rk.dname) {
|
||||
/* log original qname, before the local alias was
|
||||
* used to resolve that CNAME to something else */
|
||||
qinfo.qname = qinfo.local_alias->rrset->rk.dname;
|
||||
log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen,
|
||||
tv, 1, c->buffer);
|
||||
} else {
|
||||
log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen,
|
||||
tv, 1, c->buffer);
|
||||
}
|
||||
}
|
||||
#ifdef USE_DNSCRYPT
|
||||
if(!dnsc_handle_uncurved_request(repinfo)) {
|
||||
@ -1802,8 +1819,6 @@ worker_init(struct worker* worker, struct config_file *cfg,
|
||||
alloc_set_id_cleanup(&worker->alloc, &worker_alloc_cleanup, worker);
|
||||
worker->env = *worker->daemon->env;
|
||||
comm_base_timept(worker->base, &worker->env.now, &worker->env.now_tv);
|
||||
if(worker->thread_num == 0)
|
||||
log_set_time(worker->env.now);
|
||||
worker->env.worker = worker;
|
||||
worker->env.worker_base = worker->base;
|
||||
worker->env.send_query = &worker_send_query;
|
||||
@ -1909,7 +1924,6 @@ worker_delete(struct worker* worker)
|
||||
comm_timer_delete(worker->env.probe_timer);
|
||||
free(worker->ports);
|
||||
if(worker->thread_num == 0) {
|
||||
log_set_time(NULL);
|
||||
#ifdef UB_ON_WINDOWS
|
||||
wsvc_desetup_worker(worker);
|
||||
#endif /* UB_ON_WINDOWS */
|
||||
|
@ -70,12 +70,9 @@ static const char DEFAULT_DNS64_PREFIX[] = "64:ff9b::/96";
|
||||
#define MAX_PTR_QNAME_IPV4 30
|
||||
|
||||
/**
|
||||
* Per-query module-specific state. This is usually a dynamically-allocated
|
||||
* structure, but in our case we only need to store one variable describing the
|
||||
* state the query is in. So we repurpose the minfo pointer by storing an
|
||||
* integer in there.
|
||||
* State of DNS64 processing for a query.
|
||||
*/
|
||||
enum dns64_qstate {
|
||||
enum dns64_state {
|
||||
DNS64_INTERNAL_QUERY, /**< Internally-generated query, no DNS64
|
||||
processing. */
|
||||
DNS64_NEW_QUERY, /**< Query for which we're the first module in
|
||||
@ -84,6 +81,19 @@ enum dns64_qstate {
|
||||
for which this sub-query is finished. */
|
||||
};
|
||||
|
||||
/**
|
||||
* Per-query module-specific state. For the DNS64 module.
|
||||
*/
|
||||
struct dns64_qstate {
|
||||
/** State of the DNS64 module. */
|
||||
enum dns64_state state;
|
||||
/** If the dns64 module started with no_cache bool set in the qstate,
|
||||
* a message to tell it to not modify the cache contents, then this
|
||||
* is true. The dns64 module is then free to modify that flag for
|
||||
* its own purposes.
|
||||
* Otherwise, it is false, the dns64 module was not told to no_cache */
|
||||
int started_no_cache_store;
|
||||
};
|
||||
|
||||
/******************************************************************************
|
||||
* *
|
||||
@ -470,7 +480,7 @@ handle_ipv6_ptr(struct module_qstate* qstate, int id)
|
||||
if (subq) {
|
||||
subq->curmod = id;
|
||||
subq->ext_state[id] = module_state_initial;
|
||||
subq->minfo[id] = NULL;
|
||||
subq->minfo[id] = NULL;
|
||||
}
|
||||
|
||||
return module_wait_subquery;
|
||||
@ -540,7 +550,8 @@ dns64_always_synth_for_qname(struct module_qstate* qstate, int id)
|
||||
static enum module_ext_state
|
||||
handle_event_pass(struct module_qstate* qstate, int id)
|
||||
{
|
||||
if ((uintptr_t)qstate->minfo[id] == DNS64_NEW_QUERY
|
||||
struct dns64_qstate* iq = (struct dns64_qstate*)qstate->minfo[id];
|
||||
if (iq && iq->state == DNS64_NEW_QUERY
|
||||
&& qstate->qinfo.qtype == LDNS_RR_TYPE_PTR
|
||||
&& qstate->qinfo.qname_len == 74
|
||||
&& !strcmp((char*)&qstate->qinfo.qname[64], "\03ip6\04arpa"))
|
||||
@ -548,12 +559,12 @@ handle_event_pass(struct module_qstate* qstate, int id)
|
||||
return handle_ipv6_ptr(qstate, id);
|
||||
|
||||
if (qstate->env->cfg->dns64_synthall &&
|
||||
(uintptr_t)qstate->minfo[id] == DNS64_NEW_QUERY
|
||||
iq && iq->state == DNS64_NEW_QUERY
|
||||
&& qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA)
|
||||
return generate_type_A_query(qstate, id);
|
||||
|
||||
if(dns64_always_synth_for_qname(qstate, id) &&
|
||||
(uintptr_t)qstate->minfo[id] == DNS64_NEW_QUERY
|
||||
iq && iq->state == DNS64_NEW_QUERY
|
||||
&& !(qstate->query_flags & BIT_CD)
|
||||
&& qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
|
||||
verbose(VERB_ALGO, "dns64: ignore-aaaa and synthesize anyway");
|
||||
@ -561,7 +572,7 @@ handle_event_pass(struct module_qstate* qstate, int id)
|
||||
}
|
||||
|
||||
/* We are finished when our sub-query is finished. */
|
||||
if ((uintptr_t)qstate->minfo[id] == DNS64_SUBQUERY_FINISHED)
|
||||
if (iq && iq->state == DNS64_SUBQUERY_FINISHED)
|
||||
return module_finished;
|
||||
|
||||
/* Otherwise, pass request to next module. */
|
||||
@ -582,6 +593,7 @@ handle_event_pass(struct module_qstate* qstate, int id)
|
||||
static enum module_ext_state
|
||||
handle_event_moddone(struct module_qstate* qstate, int id)
|
||||
{
|
||||
struct dns64_qstate* iq = (struct dns64_qstate*)qstate->minfo[id];
|
||||
/*
|
||||
* In many cases we have nothing special to do. From most to least common:
|
||||
*
|
||||
@ -593,7 +605,7 @@ handle_event_moddone(struct module_qstate* qstate, int id)
|
||||
* synthesize in (sec 5.1.2 of RFC6147).
|
||||
* - A successful AAAA query with an answer.
|
||||
*/
|
||||
if((enum dns64_qstate)qstate->minfo[id] != DNS64_INTERNAL_QUERY
|
||||
if((!iq || iq->state != DNS64_INTERNAL_QUERY)
|
||||
&& qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA
|
||||
&& !(qstate->query_flags & BIT_CD)
|
||||
&& !(qstate->return_msg &&
|
||||
@ -604,7 +616,7 @@ handle_event_moddone(struct module_qstate* qstate, int id)
|
||||
* So, this is a AAAA noerror/nodata answer */
|
||||
return generate_type_A_query(qstate, id);
|
||||
|
||||
if((enum dns64_qstate)qstate->minfo[id] != DNS64_INTERNAL_QUERY
|
||||
if((!iq || iq->state != DNS64_INTERNAL_QUERY)
|
||||
&& qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA
|
||||
&& !(qstate->query_flags & BIT_CD)
|
||||
&& dns64_always_synth_for_qname(qstate, id)) {
|
||||
@ -614,6 +626,13 @@ handle_event_moddone(struct module_qstate* qstate, int id)
|
||||
return generate_type_A_query(qstate, id);
|
||||
}
|
||||
|
||||
/* Store the response in cache. */
|
||||
if ( (!iq || !iq->started_no_cache_store) &&
|
||||
qstate->return_msg && qstate->return_msg->rep &&
|
||||
!dns_cache_store(qstate->env, &qstate->qinfo, qstate->return_msg->rep,
|
||||
0, 0, 0, NULL, qstate->query_flags))
|
||||
log_err("out of memory");
|
||||
|
||||
/* do nothing */
|
||||
return module_finished;
|
||||
}
|
||||
@ -634,6 +653,7 @@ void
|
||||
dns64_operate(struct module_qstate* qstate, enum module_ev event, int id,
|
||||
struct outbound_entry* outbound)
|
||||
{
|
||||
struct dns64_qstate* iq;
|
||||
(void)outbound;
|
||||
verbose(VERB_QUERY, "dns64[module %d] operate: extstate:%s event:%s",
|
||||
id, strextstate(qstate->ext_state[id]),
|
||||
@ -643,7 +663,12 @@ dns64_operate(struct module_qstate* qstate, enum module_ev event, int id,
|
||||
switch(event) {
|
||||
case module_event_new:
|
||||
/* Tag this query as being new and fall through. */
|
||||
qstate->minfo[id] = (void*)DNS64_NEW_QUERY;
|
||||
iq = (struct dns64_qstate*)regional_alloc(
|
||||
qstate->region, sizeof(*iq));
|
||||
qstate->minfo[id] = iq;
|
||||
iq->state = DNS64_NEW_QUERY;
|
||||
iq->started_no_cache_store = qstate->no_cache_store;
|
||||
qstate->no_cache_store = 1;
|
||||
/* fallthrough */
|
||||
case module_event_pass:
|
||||
qstate->ext_state[id] = handle_event_pass(qstate, id);
|
||||
@ -655,6 +680,11 @@ dns64_operate(struct module_qstate* qstate, enum module_ev event, int id,
|
||||
qstate->ext_state[id] = module_finished;
|
||||
break;
|
||||
}
|
||||
if(qstate->ext_state[id] == module_finished) {
|
||||
iq = (struct dns64_qstate*)qstate->minfo[id];
|
||||
if(iq && iq->state != DNS64_INTERNAL_QUERY)
|
||||
qstate->no_cache_store = iq->started_no_cache_store;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
@ -867,9 +897,10 @@ dns64_adjust_ptr(struct module_qstate* qstate, struct module_qstate* super)
|
||||
* initial query's domain name.
|
||||
*/
|
||||
answer = reply_find_answer_rrset(&qstate->qinfo, super->return_msg->rep);
|
||||
log_assert(answer);
|
||||
answer->rk.dname = super->qinfo.qname;
|
||||
answer->rk.dname_len = super->qinfo.qname_len;
|
||||
if(answer) {
|
||||
answer->rk.dname = super->qinfo.qname;
|
||||
answer->rk.dname_len = super->qinfo.qname_len;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@ -885,6 +916,7 @@ void
|
||||
dns64_inform_super(struct module_qstate* qstate, int id,
|
||||
struct module_qstate* super)
|
||||
{
|
||||
struct dns64_qstate* super_dq = (struct dns64_qstate*)super->minfo[id];
|
||||
log_query_info(VERB_ALGO, "dns64: inform_super, sub is",
|
||||
&qstate->qinfo);
|
||||
log_query_info(VERB_ALGO, "super is", &super->qinfo);
|
||||
@ -893,15 +925,21 @@ dns64_inform_super(struct module_qstate* qstate, int id,
|
||||
* Signal that the sub-query is finished, no matter whether we are
|
||||
* successful or not. This lets the state machine terminate.
|
||||
*/
|
||||
super->minfo[id] = (void*)DNS64_SUBQUERY_FINISHED;
|
||||
if(!super_dq) {
|
||||
super_dq = (struct dns64_qstate*)regional_alloc(super->region,
|
||||
sizeof(*super_dq));
|
||||
super->minfo[id] = super_dq;
|
||||
memset(super_dq, 0, sizeof(*super_dq));
|
||||
super_dq->started_no_cache_store = super->no_cache_store;
|
||||
}
|
||||
super_dq->state = DNS64_SUBQUERY_FINISHED;
|
||||
|
||||
/* If there is no successful answer, we're done. */
|
||||
if (qstate->return_rcode != LDNS_RCODE_NOERROR
|
||||
|| !qstate->return_msg
|
||||
|| !qstate->return_msg->rep
|
||||
|| !reply_find_answer_rrset(&qstate->qinfo,
|
||||
qstate->return_msg->rep))
|
||||
|| !qstate->return_msg->rep) {
|
||||
return;
|
||||
}
|
||||
|
||||
/* Use return code from A query in response to client. */
|
||||
if (super->return_rcode != LDNS_RCODE_NOERROR)
|
||||
@ -916,7 +954,7 @@ dns64_inform_super(struct module_qstate* qstate, int id,
|
||||
}
|
||||
|
||||
/* Store the generated response in cache. */
|
||||
if (!super->no_cache_store &&
|
||||
if ( (!super_dq || !super_dq->started_no_cache_store) &&
|
||||
!dns_cache_store(super->env, &super->qinfo, super->return_msg->rep,
|
||||
0, 0, 0, NULL, super->query_flags))
|
||||
log_err("out of memory");
|
||||
|
@ -772,12 +772,13 @@ key_get_es_version(uint8_t version[2])
|
||||
const char *name;
|
||||
};
|
||||
|
||||
const int num_versions = 2;
|
||||
struct es_version es_versions[] = {
|
||||
{{0x00, 0x01}, "X25519-XSalsa20Poly1305"},
|
||||
{{0x00, 0x02}, "X25519-XChacha20Poly1305"},
|
||||
};
|
||||
int i;
|
||||
for(i=0; i < (int)sizeof(es_versions); i++){
|
||||
for(i=0; i < num_versions; i++){
|
||||
if(es_versions[i].es_version[0] == version[0] &&
|
||||
es_versions[i].es_version[1] == version[1]){
|
||||
return es_versions[i].name;
|
||||
|
@ -39,6 +39,10 @@
|
||||
#include "config.h"
|
||||
#include <string.h>
|
||||
#include <sys/time.h>
|
||||
#ifdef HAVE_SYS_STAT_H
|
||||
#include <sys/stat.h>
|
||||
#endif
|
||||
#include <errno.h>
|
||||
#include "sldns/sbuffer.h"
|
||||
#include "util/config_file.h"
|
||||
#include "util/net_help.h"
|
||||
@ -118,6 +122,18 @@ dt_msg_init(const struct dt_env *env,
|
||||
}
|
||||
}
|
||||
|
||||
/* check that the socket file can be opened and exists, print error if not */
|
||||
static void
|
||||
check_socket_file(const char* socket_path)
|
||||
{
|
||||
struct stat statbuf;
|
||||
memset(&statbuf, 0, sizeof(statbuf));
|
||||
if(stat(socket_path, &statbuf) < 0) {
|
||||
log_warn("could not open dnstap-socket-path: %s, %s",
|
||||
socket_path, strerror(errno));
|
||||
}
|
||||
}
|
||||
|
||||
struct dt_env *
|
||||
dt_create(const char *socket_path, unsigned num_workers)
|
||||
{
|
||||
@ -134,6 +150,7 @@ dt_create(const char *socket_path, unsigned num_workers)
|
||||
socket_path);
|
||||
log_assert(socket_path != NULL);
|
||||
log_assert(num_workers > 0);
|
||||
check_socket_file(socket_path);
|
||||
|
||||
env = (struct dt_env *) calloc(1, sizeof(struct dt_env));
|
||||
if (!env)
|
||||
|
@ -1,8 +1,527 @@
|
||||
12 June 2019: Wouter
|
||||
- Fix another spoolbuf storage code point, in prefetch.
|
||||
- 1.9.2rc3 release candidate tag.
|
||||
|
||||
11 June 2019: Wouter
|
||||
- Fix that fixes the Fix that spoolbuf is not used to store tcp
|
||||
pipelined response between mesh send and callback end, this fixes
|
||||
error cases that did not use the correct spoolbuf.
|
||||
- 1.9.2rc2 release candidate tag.
|
||||
|
||||
6 June 2019: Wouter
|
||||
- 1.9.2rc1 release candidate tag.
|
||||
|
||||
4 June 2019: Wouter
|
||||
- iana portlist updated.
|
||||
|
||||
29 May 2019: Wouter
|
||||
- Fix to guard _OPENBSD_SOURCE from redefinition.
|
||||
|
||||
28 May 2019: Wouter
|
||||
- Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
|
||||
- gitignore config.h.in~.
|
||||
|
||||
27 May 2019: Wouter
|
||||
- Fix double file close in tcp pipelined response code.
|
||||
|
||||
24 May 2019: Wouter
|
||||
- Fix that spoolbuf is not used to store tcp pipelined response
|
||||
between mesh send and callback end.
|
||||
|
||||
20 May 2019: Wouter
|
||||
- Note that so-reuseport at extreme load is better turned off,
|
||||
otherwise queries are not distributed evenly, on Linux 4.4.x.
|
||||
|
||||
16 May 2019: Wouter
|
||||
- Fix #31: swig 4.0 and python module.
|
||||
|
||||
13 May 2019: Wouter
|
||||
- Squelch log messages from tcp send about connection reset by peer.
|
||||
They can be enabled with verbosity at higher values for diagnosing
|
||||
network connectivity issues.
|
||||
- Attempt to fix malformed tcp response.
|
||||
|
||||
9 May 2019: Wouter
|
||||
- Revert fix for oss-fuzz, error is in that build script that
|
||||
unconditionally includes .o files detected by configure, also
|
||||
when the machine architecture uses different LIBOBJS files.
|
||||
|
||||
8 May 2019: Wouter
|
||||
- Attempt to fix build failure in oss-fuzz because of reallocarray.
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14648.
|
||||
Does not omit compile flags from commandline.
|
||||
|
||||
7 May 2019: Wouter
|
||||
- Fix edns-subnet locks, in error cases the lock was not unlocked.
|
||||
- Fix doxygen output error on readme markdown vignettes.
|
||||
|
||||
6 May 2019: Wouter
|
||||
- Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
|
||||
- Fix #30: AddressSanitizer finding in lookup3.c. This sets the
|
||||
hash function to use a slower but better auditable code that does
|
||||
not read beyond array boundaries. This makes code better security
|
||||
checkable, and is better for security. It is fixed to be slower,
|
||||
but not read outside of the array.
|
||||
|
||||
2 May 2019: Wouter
|
||||
- contrib/fastrpz.patch updated for code changes, and with git diff.
|
||||
- Fix .gitignore, add pythonmod and dnstap generated files.
|
||||
And unit test generated files, and generated doc files.
|
||||
|
||||
1 May 2019: Wouter
|
||||
- Update makedist for git.
|
||||
- Nicer travis output for clang analysis.
|
||||
- PR #16: XoT support, AXFR over TLS, turn it on with
|
||||
master: <ip>#<authname> in unbound.conf. This uses TLS to
|
||||
download the AXFR (or IXFR).
|
||||
|
||||
25 April 2019: Wouter
|
||||
- Fix wrong query name in local zone redirect answers with a CNAME,
|
||||
the copy of the local alias is in unpacked form.
|
||||
|
||||
18 April 2019: Ralph
|
||||
- Scrub RRs from answer section when reusing NXDOMAIN message for
|
||||
subdomain answers.
|
||||
- For harden-below-nxdomain: do not consider a name to be non-exitent
|
||||
when message contains a CNAME record.
|
||||
|
||||
18 April 2019: Wouter
|
||||
- travis build file.
|
||||
|
||||
16 April 2019: Wouter
|
||||
- Better braces in if statement in TCP fastopen code.
|
||||
- iana portlist updated.
|
||||
|
||||
15 April 2019: Wouter
|
||||
- Fix tls write event for read state change to re-call SSL_write and
|
||||
not resume the TLS handshake.
|
||||
|
||||
11 April 2019: George
|
||||
- Update python documentation for init_standard().
|
||||
- Typos.
|
||||
|
||||
11 April 2019: Wouter
|
||||
- Fix that auth zone uses correct network type for sockets for
|
||||
SOA serial probes. This fixes that probes fail because earlier
|
||||
probe addresses are unreachable.
|
||||
- Fix that auth zone fails over to next master for timeout in tcp.
|
||||
- Squelch SSL read and write connection reset by peer and broken pipe
|
||||
messages. Verbosity 2 and higher enables them.
|
||||
|
||||
8 April 2019: Wouter
|
||||
- Fix to use event_assign with libevent for thread-safety.
|
||||
- verbose information about auth zone lookup process, also lookup
|
||||
start, timeout and fail.
|
||||
- Fix #17: Add python module example from Jan Janak, that is a
|
||||
plugin for the Unbound DNS resolver to resolve DNS records in
|
||||
multicast DNS [RFC 6762] via Avahi. The plugin communicates
|
||||
with Avahi via DBus. The comment section at the beginning of
|
||||
the file contains detailed documentation.
|
||||
- Fix to wipe ssl ticket keys from memory with explicit_bzero,
|
||||
if available.
|
||||
|
||||
5 April 2019: Wouter
|
||||
- Fix to reinit event structure for accepted TCP (and TLS) sockets.
|
||||
|
||||
4 April 2019: Wouter
|
||||
- Fix spelling error in log output for event method.
|
||||
|
||||
3 April 2019: Wouter
|
||||
- Move goto label in answer_from_cache to the end of the function
|
||||
where it is more visible.
|
||||
- Fix auth-zone NSEC3 response for wildcard nodata answers,
|
||||
include the closest encloser in the answer.
|
||||
|
||||
2 April 2019: Wouter
|
||||
- Fix auth-zone NSEC3 response for empty nonterminals with exact
|
||||
match nsec3 records.
|
||||
- Fix for out of bounds integers, thanks to OSTIF audit. It is in
|
||||
allocation debug code.
|
||||
- Fix for auth zone nsec3 ent fix for wildcard nodata.
|
||||
|
||||
25 March 2019: Wouter
|
||||
- Fix that tls-session-ticket-keys: "" on its own in unbound.conf
|
||||
disables the tls session ticker key calls into the OpenSSL API.
|
||||
- Fix crash if tls-servic-pem not filled in when necessary.
|
||||
|
||||
21 March 2019: Wouter
|
||||
- Fix #4240: Fix whitespace cleanup in example.conf.
|
||||
|
||||
19 March 2019: Wouter
|
||||
- add type CAA to libpyunbound (accessing libunbound from python).
|
||||
|
||||
18 March 2019: Wouter
|
||||
- Add log message, at verbosity 4, that says the query is encrypted
|
||||
with TLS, if that is enabled for the query.
|
||||
- Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.
|
||||
|
||||
7 March 2019: Wouter
|
||||
- Fix for #4233: guard use of NDEBUG, so that it can be passed in
|
||||
CFLAGS into configure.
|
||||
|
||||
5 March 2019: Wouter
|
||||
- Tag release 1.9.1rc1. Which became 1.9.1 on 12 March 2019. Trunk
|
||||
has 1.9.2 in development.
|
||||
|
||||
1 March 2019: Wouter
|
||||
- output forwarder log in ssl_req_order test.
|
||||
|
||||
28 February 2019: Wouter
|
||||
- Remove memory leak on pythonmod python2 script file init.
|
||||
- Remove swig gcc8 python function cast warnings, they are ignored.
|
||||
- Print correct module that failed when module-config is wrong.
|
||||
|
||||
27 February 2019: Wouter
|
||||
- Fix #4229: Unbound man pages lack information, about access-control
|
||||
order and local zone tags, and elements in views.
|
||||
- Fix #14: contrib/unbound.init: Fix wrong comparison judgment
|
||||
before copying.
|
||||
- Fix for python module on Windows, fix fopen.
|
||||
|
||||
25 February 2019: Wouter
|
||||
- Fix #4227: pair event del and add for libevent for tcp_req_info.
|
||||
|
||||
21 February 2019: Wouter
|
||||
- Fix the error for unknown module in module-config is understandable,
|
||||
and explains it was not compiled in and where to see the list.
|
||||
- In example.conf explain where to put cachedb module in module-config.
|
||||
- In man page and example config explain that most modules have to
|
||||
be listed at the start of module-config.
|
||||
|
||||
20 February 2019: Wouter
|
||||
- Fix pythonmod include and sockaddr_un ifdefs for compile on
|
||||
Windows, and for libunbound.
|
||||
|
||||
18 February 2019: Wouter
|
||||
- Print query name with ip_ratelimit exceeded log lines.
|
||||
- Spaces instead of tabs in that log message.
|
||||
- Print query name and IP address when domain rate limit exceeded.
|
||||
|
||||
14 February 2019: Wouter
|
||||
- Fix capsforid canonical sort qsort callback.
|
||||
|
||||
11 February 2019: Wouter
|
||||
- Note default for module-config in man page.
|
||||
- Fix recursion lame test for qname minimisation asked queries,
|
||||
that were not present in the set of prepared answers.
|
||||
- Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
|
||||
cert name matching, from man page.
|
||||
- make depend, with newer gcc, nicer layout.
|
||||
|
||||
7 February 2019: Wouter
|
||||
- Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
|
||||
- Fix that qname minimisation does not skip a label when missing
|
||||
nameserver targets need to be fetched.
|
||||
- Fix #4225: clients seem to erroneously receive no answer with
|
||||
DNS-over-TLS and qname-minimisation.
|
||||
|
||||
4 February 2019: Wouter
|
||||
- Fix that log-replies prints the correct name for local-alias
|
||||
names, for names that have a CNAME in local-data configuration.
|
||||
It logs the original query name, not the target of the CNAME.
|
||||
- Add local-zone type inform_redirect, which logs like type inform,
|
||||
and redirects like type redirect.
|
||||
- Perform canonical sort for 0x20 capsforid compare of replies,
|
||||
this sorts rrsets in the authority and additional section before
|
||||
comparison, so that out of order rrsets do not cause failure.
|
||||
|
||||
31 January 2019: Wouter
|
||||
- Set ub_ctx_set_tls call signature in ltrace config file for
|
||||
libunbound in contrib/libunbound.so.conf.
|
||||
- improve documentation for tls-service-key and forward-first.
|
||||
- #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
|
||||
conditional section, fixes systemd builds, from Enrico Scholz.
|
||||
- #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
|
||||
still supports the set_id_callback previous API. And for 1.1.0
|
||||
no locking callbacks are needed.
|
||||
- #8: Fix OpenSSL without ENGINE support compilation.
|
||||
- Wipe TLS session key data from memory on exit.
|
||||
|
||||
30 January 2019: Ralph
|
||||
- Fix case in which query timeout can result in marking delegation
|
||||
as edns_lame_known.
|
||||
|
||||
29 January 2019: Wouter
|
||||
- Fix spelling of tls-ciphers in example.conf.in.
|
||||
- Fix #4224: auth_xfr_notify.rpl test broken due to typo
|
||||
- Fix locking for libunbound context setup with broken port config.
|
||||
|
||||
28 January 2019: Wouter
|
||||
- ub_ctx_set_tls call for libunbound that enables DoT for the machines
|
||||
set with ub_ctx_set_fwd. Patch from Florian Obser.
|
||||
- Set build system for added call in the libunbound API.
|
||||
- List example config for root zone copy locally hosted with auth-zone
|
||||
as suggested from draft-ietf-dnsop-7706-bis-02. But with updated
|
||||
B root address.
|
||||
- set version to 1.9.0 for release. And this was released with the
|
||||
spelling for tls-ciphers fix as 1.9.0 on Feb 5. Trunk has 1.9.1 in
|
||||
development.
|
||||
|
||||
25 January 2019: Wouter
|
||||
- Fix that tcp for auth zone and outgoing does not remove and
|
||||
then gets the ssl read again applied to the deleted commpoint.
|
||||
- updated contrib/fastrpz.patch to cleanly diff.
|
||||
- no lock when threads disabled in tcp request buffer count.
|
||||
- remove compile warnings from libnettle compile.
|
||||
- output of newer lex 2.6.1 and bison 3.0.5.
|
||||
|
||||
24 January 2019: Wouter
|
||||
- Newer aclocal and libtoolize used for generating configure scripts,
|
||||
aclocal 1.16.1 and libtoolize 2.4.6.
|
||||
- Fix unit test for python 3.7 new keyword 'async'.
|
||||
- clang analysis fixes, assert arc4random buffer in init,
|
||||
no check for already checked delegation pointer in iterator,
|
||||
in testcode check for NULL packet matches, in perf do not copy
|
||||
from NULL start list when growing capacity. Adjust host and file
|
||||
only when present in test header read to please checker. In
|
||||
testcode for unknown macro operand give zero result. Initialise the
|
||||
passed argv array in test code. In test code add EDNS data
|
||||
segment copy only when nonempty.
|
||||
- Patch from Florian Obser fixes some compiler warnings:
|
||||
include mini_event.h to have a prototype for mini_ev_cmp
|
||||
include edns.h to have a prototype for apply_edns_options
|
||||
sldns_wire2str_edns_keepalive_print is only called in the wire2str,
|
||||
module declare it static to get rid of compiler warning:
|
||||
no previous prototype for function
|
||||
infra_find_ip_ratedata() is only called in the infra module,
|
||||
declare it static to get rid of compiler warning:
|
||||
no previous prototype for function
|
||||
do not shadow local variable buf in authzone
|
||||
auth_chunks_delete and az_nsec3_findnode are only called in the
|
||||
authzone module, declare them static to get rid of compiler warning:
|
||||
no previous prototype for function...
|
||||
copy_rrset() is only called in the respip module, declare it
|
||||
static to get rid of compiler warning:
|
||||
no previous prototype for function 'copy_rrset'
|
||||
no need for another variable "r"; gets rid of compiler warning:
|
||||
declaration shadows a local variable in libunbound.c
|
||||
no need for another variable "ns"; gets rid of compiler warning:
|
||||
declaration shadows a local variable in iterator.c
|
||||
- Moved includes and make depend.
|
||||
|
||||
23 January 2019: Wouter
|
||||
- Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
|
||||
options for unbound.conf.
|
||||
- Fixes for the patch, and man page entry.
|
||||
- Fix configure to detect SSL_CTX_set_ciphersuites, for better
|
||||
library compatibility when compiling.
|
||||
- Patch for TLS session resumption from Manabu Sonoda,
|
||||
enable with tls-session-ticket-keys in unbound.conf.
|
||||
- Fixes for patch (includes, declarations, warnings). Free at end
|
||||
and keep config options in order read from file to keep the first
|
||||
one as the first one.
|
||||
- Fix for IXFR fallback to reset counter when IXFR does not timeout.
|
||||
|
||||
22 January 2019: Wouter
|
||||
- Fix space calculation for tcp req buffer size.
|
||||
- Doc for stream-wait-size and unit test.
|
||||
- unbound-control stats has mem.streamwait that counts TCP and TLS
|
||||
waiting result buffers.
|
||||
- Fix for #4219: secondaries not updated after serial change, unbound
|
||||
falls back to AXFR after IXFR gives several timeout failures.
|
||||
- Fix that auth zone after IXFR fallback tries the same master.
|
||||
|
||||
21 January 2019: Wouter
|
||||
- Fix tcp idle timeout test, for difference in the tcp reply code.
|
||||
- Unit test for tcp request reorder and timeouts.
|
||||
- Unit tests for ssl out of order processing.
|
||||
- Fix that multiple dns fragments can be carried in one TLS frame.
|
||||
- Add stream-wait-size: 4m config option to limit the maximum
|
||||
memory used by waiting tcp and tls stream replies. This avoids
|
||||
a denial of service where these replies use up all of the memory.
|
||||
|
||||
17 January 2019: Wouter
|
||||
- For caps-for-id fallback, use the whitelist to avoid timeout
|
||||
starting a fallback sequence for it.
|
||||
- increase mesh max activation count for capsforid long fetches.
|
||||
|
||||
16 January 2019: Ralph
|
||||
- Get ready for the DNS flag day: remove EDNS lame procedure, do not
|
||||
re-query without EDNS after timeout.
|
||||
|
||||
15 January 2019: Wouter
|
||||
- In the out of order processing, reset byte count for (potential)
|
||||
partial read.
|
||||
- Review fixes in out of order processing.
|
||||
|
||||
14 January 2019: Wouter
|
||||
- streamtcp option -a send queries consecutively and prints answers
|
||||
as they arrive.
|
||||
- Fix for out of order processing administration quit cleanup.
|
||||
- unit test for tcp out of order processing.
|
||||
|
||||
11 January 2019: Wouter
|
||||
- Initial commit for out-of-order processing for TCP and TLS.
|
||||
|
||||
9 January 2019: Wouter
|
||||
- Log query name for looping module errors.
|
||||
|
||||
8 January 2019: Wouter
|
||||
- Fix syntax in comment of local alias processing.
|
||||
- Fix NSEC3 record that is returned in wildcard replies from
|
||||
auth-zone zones with NSEC3 and wildcards.
|
||||
|
||||
7 January 2019: Wouter
|
||||
- On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN,
|
||||
and server tcp fastopen is enabled at compile time.
|
||||
- Document interaction between the tls-upstream option in the server
|
||||
section and forward-tls-upstream option in the forward-zone sections.
|
||||
- Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
|
||||
the patch adds a program used for fuzzing.
|
||||
|
||||
12 December 2018: Wouter
|
||||
- Fix for crash in dns64 module if response is null.
|
||||
|
||||
10 December 2018: Wouter
|
||||
- Fix config parser memory leaks.
|
||||
- ip-ratelimit-factor of 1 allows all traffic through, instead of the
|
||||
previous blocking everything.
|
||||
- Fix for FreeBSD port make with dnscrypt and dnstap enabled.
|
||||
- Fix #4206: support openssl 1.0.2 for TLS hostname verification,
|
||||
alongside the 1.1.0 and later support that is already there.
|
||||
- Fixup openssl 1.0.2 compile
|
||||
|
||||
6 December 2018: Wouter
|
||||
- Fix dns64 allocation in wrong region for returned internal queries.
|
||||
|
||||
3 December 2018: Wouter
|
||||
- Fix icon, no ragged edges and nicer resolutions available, for eg.
|
||||
Win 7 and Windows 10 display.
|
||||
- cache-max-ttl also defines upperbound of initial TTL in response.
|
||||
|
||||
30 November 2018: Wouter
|
||||
- Patch for typo in unbound.conf man page.
|
||||
- log-tag-queryreply: yes in unbound.conf tags the log-queries and
|
||||
log-replies in the log file for easier log filter maintenance.
|
||||
|
||||
29 November 2018: Wouter
|
||||
- iana portlist updated.
|
||||
- Fix chroot auth-zone fix to remove chroot prefix.
|
||||
- tag for 1.8.2rc1, which became 1.8.2 on 4 dec 2018, with icon
|
||||
updated. Trunk contains 1.8.3 in development.
|
||||
Which became 1.8.3 on 11 december with only the dns64 fix of 6 dec.
|
||||
Trunk then became 1.8.4 in development.
|
||||
- Fix that unbound-checkconf does not complains if the config file
|
||||
is not placed inside the chroot.
|
||||
- Refuse to start with no ports.
|
||||
- Remove clang analysis warnings.
|
||||
|
||||
28 November 2018: Wouter
|
||||
- Fix leak in chroot fix for auth-zone.
|
||||
- Fix clang analysis for outside directory build test.
|
||||
|
||||
27 November 2018: Wouter
|
||||
- Fix DNS64 to not store intermediate results in cache, this avoids
|
||||
other threads from picking up the wrong data. The module restores
|
||||
the previous no_cache_store setting when the the module is finished.
|
||||
- Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
|
||||
- New and better fix for Fix #4193: Fix that prefetch failure does
|
||||
not overwrite valid cache entry with SERVFAIL.
|
||||
- auth-zone give SERVFAIL when expired, fallback activates when
|
||||
expired, and this is documented in the man page.
|
||||
- stat count SERVFAIL downstream auth-zone queries for expired zones.
|
||||
- Put new logos into windows installer.
|
||||
- Fix windows compile for new rrset roundrobin fix.
|
||||
- Update contrib fastrpz patch for latest release.
|
||||
|
||||
26 November 2018: Wouter
|
||||
- Fix to not set GLOB_NOSORT so the unbound.conf include: files are
|
||||
sorted and in a predictable order.
|
||||
- Fix #4193: Fix that prefetch failure does not overwrite valid cache
|
||||
entry with SERVFAIL.
|
||||
- Add unbound-control view_local_datas command, like local_datas.
|
||||
- Fix that unbound-control can send file for view_local_datas.
|
||||
|
||||
22 November 2018: Wouter
|
||||
- With ./configure --with-pyunbound --with-pythonmodule
|
||||
PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests
|
||||
succeed for the python module.
|
||||
- pythonmod logs the python error and traceback on failure.
|
||||
- ignore debug python module for test in doxygen output.
|
||||
- review fixes for python module.
|
||||
- Fix #4209: Crash in libunbound when called from getdns.
|
||||
- auth zone zonefiles can be in a chroot, the chroot directory
|
||||
components are removed before use.
|
||||
- Fix that empty zonefile means the zonefile is not set and not used.
|
||||
- make depend.
|
||||
|
||||
21 November 2018: Wouter
|
||||
- Scrub NS records from NODATA responses as well.
|
||||
|
||||
20 November 2018: Wouter
|
||||
- Scrub NS records from NXDOMAIN responses to stop fragmentation
|
||||
poisoning of the cache.
|
||||
- Add patch from Jan Vcelak for pythonmod,
|
||||
add sockaddr_storage getters, add support for query callbacks,
|
||||
allow raw address access via comm_reply and update API documentation.
|
||||
- Removed compile warnings in pythonmod sockaddr routines.
|
||||
|
||||
19 November 2018: Wouter
|
||||
- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
|
||||
option in unbound.conf.
|
||||
|
||||
6 November 2018: Ralph
|
||||
- Bugfix min-client-subnet-ipv6
|
||||
|
||||
25 October 2018: Ralph
|
||||
- Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
|
||||
|
||||
25 October 2018: Wouter
|
||||
- Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
|
||||
- Fix #4190: Please create a "ANY" deny option, adds the option
|
||||
deny-any: yes in unbound.conf. This responds with an empty message
|
||||
to queries of type ANY.
|
||||
- Fix #4141: More randomness to rrset-roundrobin.
|
||||
- Fix #4132: Openness/closeness of RANGE intervals in rpl files.
|
||||
- Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
|
||||
adds the option unknown-server-time-limit to unbound.conf that
|
||||
can be increased to avoid the problem.
|
||||
- remade makefile dependencies.
|
||||
- Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
|
||||
|
||||
24 October 2018: Ralph
|
||||
- Add markdel function to ECS slabhash.
|
||||
- Limit ECS scope returned to client to the scope used for caching.
|
||||
- Make lint like previous #4154 fix.
|
||||
|
||||
22 October 2018: Wouter
|
||||
- Fix #4192: unbound-control-setup generates keys not readable by
|
||||
group.
|
||||
- check that the dnstap socket file can be opened and exists, print
|
||||
error if not.
|
||||
- Fix #4154: make ECS_MAX_TREESIZE configurable, with
|
||||
the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
|
||||
|
||||
22 October 2018: Ralph
|
||||
- Change fast-server-num default to 3.
|
||||
|
||||
8 October 2018: Ralph
|
||||
- Add fast-server-permil and fast-server-num options.
|
||||
- Deprecate low-rtt and low-rtt-permil options.
|
||||
|
||||
8 October 2018: Wouter
|
||||
- fastrpz.patch fix included.
|
||||
- Squelch log of failed to tcp initiate after TCP Fastopen failure.
|
||||
|
||||
5 October 2018: Wouter
|
||||
- Squelch EADDRNOTAVAIL errors when the interface goes away,
|
||||
this omits 'can't assign requested address' errors unless
|
||||
verbosity is set to a high value.
|
||||
- Set default for so-reuseport to no for FreeBSD. It is enabled
|
||||
by default for Linux and DragonFlyBSD. The setting can
|
||||
be configured in unbound.conf to override the default.
|
||||
- iana port update.
|
||||
|
||||
2 October 2018: Wouter
|
||||
- updated contrib/fastrpz.patch to apply for this version
|
||||
- dnscrypt.c removed sizeof to get array bounds.
|
||||
- Fix testlock code to set noreturn on error routine.
|
||||
- Remove unused variable from contrib fastrpz/rpz.c and
|
||||
remove unused diagnostic pragmas that themselves generate warnings
|
||||
- clang analyze test is used only when assertions are enabled.
|
||||
|
||||
1 October 2018: Wouter
|
||||
- tag for release 1.8.1rc1.
|
||||
- tag for release 1.8.1rc1. Became release 1.8.1 on 8 oct, with
|
||||
fastrpz.patch fix included. Trunk has 1.8.2 in development.
|
||||
|
||||
27 September 2018: Wouter
|
||||
- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
|
||||
|
@ -1,4 +1,4 @@
|
||||
README for Unbound 1.8.1
|
||||
README for Unbound 1.9.2
|
||||
Copyright 2007 NLnet Labs
|
||||
http://unbound.net
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.8.1.
|
||||
# See unbound.conf(5) man page, version 1.9.2.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
@ -103,6 +103,7 @@ server:
|
||||
# so-sndbuf: 0
|
||||
|
||||
# use SO_REUSEPORT to distribute queries over threads.
|
||||
# at extreme load it could be better to turn it off to distribute even.
|
||||
# so-reuseport: yes
|
||||
|
||||
# use IP_TRANSPARENT so the interface: addresses can be non-local
|
||||
@ -123,6 +124,9 @@ server:
|
||||
# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
|
||||
# max-udp-size: 4096
|
||||
|
||||
# max memory to use for stream(tcp and tls) waiting result buffers.
|
||||
# stream-wait-size: 4m
|
||||
|
||||
# buffer size for handling DNS data. No messages larger than this
|
||||
# size can be sent or received, by UDP or TCP. In bytes.
|
||||
# msg-buffer-size: 65552
|
||||
@ -145,6 +149,10 @@ server:
|
||||
# msec to wait before close of port on timeout UDP. 0 disables.
|
||||
# delay-close: 0
|
||||
|
||||
# msec for waiting for an unknown server to reply. Increase if you
|
||||
# are behind a slow satellite link, to eg. 1128.
|
||||
# unknown-server-time-limit: 376
|
||||
|
||||
# the amount of memory to use for the RRset cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# rrset-cache-size: 4m
|
||||
@ -318,6 +326,10 @@ server:
|
||||
# timetoresolve, fromcache and responsesize.
|
||||
# log-replies: no
|
||||
|
||||
# log with tag 'query' and 'reply' instead of 'info' for
|
||||
# filtering log-queries and log-replies from the log.
|
||||
# log-tag-queryreply: no
|
||||
|
||||
# log the local-zone actions, like local-zone type inform is enabled
|
||||
# also for the other local zone types.
|
||||
# log-local-actions: no
|
||||
@ -449,6 +461,9 @@ server:
|
||||
# if yes, perform key lookups adjacent to normal lookups.
|
||||
# prefetch-key: no
|
||||
|
||||
# deny queries of type ANY with an empty response.
|
||||
# deny-any: no
|
||||
|
||||
# if yes, Unbound rotates RRSet order in response.
|
||||
# rrset-roundrobin: no
|
||||
|
||||
@ -461,6 +476,9 @@ server:
|
||||
|
||||
# module configuration of the server. A string with identifiers
|
||||
# separated by spaces. Syntax: "[dns64] [validator] iterator"
|
||||
# most modules have to be listed at the beginning of the line,
|
||||
# except cachedb(just before iterator), and python (at the beginning,
|
||||
# or, just before the iterator).
|
||||
# module-config: "validator iterator"
|
||||
|
||||
# File with trusted keys, kept uptodate using RFC5011 probes,
|
||||
@ -475,7 +493,7 @@ server:
|
||||
|
||||
# trust anchor signaling sends a RFC8145 key tag query after priming.
|
||||
# trust-anchor-signaling: yes
|
||||
|
||||
|
||||
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
|
||||
# root-key-sentinel: yes
|
||||
|
||||
@ -659,6 +677,7 @@ server:
|
||||
# o typetransparent resolves normally for other types and other names
|
||||
# o inform acts like transparent, but logs client IP address
|
||||
# o inform_deny drops queries and logs client IP address
|
||||
# o inform_redirect redirects queries and logs client IP address
|
||||
# o always_transparent, always_refuse, always_nxdomain, resolve in
|
||||
# that way but ignore local data for that name
|
||||
# o noview breaks out of that view towards global local-zones.
|
||||
@ -701,6 +720,19 @@ server:
|
||||
# tls-service-pem: "path/to/publiccertfile.pem"
|
||||
# tls-port: 853
|
||||
|
||||
# cipher setting for TLSv1.2
|
||||
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
|
||||
# cipher setting for TLSv1.3
|
||||
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
|
||||
|
||||
# Add the secret file for TLS Session Ticket.
|
||||
# Secret file must be 80 bytes of random data.
|
||||
# First key use to encrypt and decrypt TLS session tickets.
|
||||
# Other keys use to decrypt only.
|
||||
# requires restart to take effect.
|
||||
# tls-session-ticket-keys: "path/to/secret_file1"
|
||||
# tls-session-ticket-keys: "path/to/secret_file2"
|
||||
|
||||
# request upstream over TLS (with plain DNS inside the TLS stream).
|
||||
# Default is no. Can be turned on and off with unbound-control.
|
||||
# tls-upstream: no
|
||||
@ -757,11 +789,11 @@ server:
|
||||
# Limit the number of connections simultaneous from a netblock
|
||||
# tcp-connection-limit: 192.0.2.0/24 12
|
||||
|
||||
# what is considered a low rtt (ping time for upstream server), in msec
|
||||
# low-rtt: 45
|
||||
# select low rtt this many times out of 1000. 0 means the fast server
|
||||
# select is disabled. prefetches are not sped up.
|
||||
# low-rtt-permil: 0
|
||||
# select from the fastest servers this many times out of 1000. 0 means
|
||||
# the fast server select is disabled. prefetches are not sped up.
|
||||
# fast-server-permil: 0
|
||||
# the number of servers that will be used in the fast server selection.
|
||||
# fast-server-num: 3
|
||||
|
||||
# Specific options for ipsecmod. unbound needs to be configured with
|
||||
# --enable-ipsecmod for these to take effect.
|
||||
@ -795,6 +827,8 @@ server:
|
||||
# Python config section. To enable:
|
||||
# o use --with-pythonmodule to configure before compiling.
|
||||
# o list python in the module-config string (above) to enable.
|
||||
# It can be at the start, it gets validated results, or just before
|
||||
# the iterator and process before DNSSEC validation.
|
||||
# o and give a python-script to run.
|
||||
python:
|
||||
# Script file to load
|
||||
@ -879,15 +913,25 @@ remote-control:
|
||||
# notifies.
|
||||
# auth-zone:
|
||||
# name: "."
|
||||
# master: 199.9.14.201 # b.root-servers.net
|
||||
# master: 192.33.4.12 # c.root-servers.net
|
||||
# master: 199.7.91.13 # d.root-servers.net
|
||||
# master: 192.5.5.241 # f.root-servers.net
|
||||
# master: 192.112.36.4 # g.root-servers.net
|
||||
# master: 193.0.14.129 # k.root-servers.net
|
||||
# master: 192.0.47.132 # xfr.cjr.dns.icann.org
|
||||
# master: 192.0.32.132 # xfr.lax.dns.icann.org
|
||||
# master: 2001:500:200::b # b.root-servers.net
|
||||
# master: 2001:500:2::c # c.root-servers.net
|
||||
# master: 2001:500:2d::d # d.root-servers.net
|
||||
# master: 2001:500:2f::f # f.root-servers.net
|
||||
# master: 2001:500:12::d0d # g.root-servers.net
|
||||
# master: 2001:7fd::1 # k.root-servers.net
|
||||
# master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
|
||||
# master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
|
||||
# fallback-enabled: yes
|
||||
# for-downstream: no
|
||||
# for-upstream: yes
|
||||
# fallback-enabled: yes
|
||||
# master: b.root-servers.net
|
||||
# master: c.root-servers.net
|
||||
# master: e.root-servers.net
|
||||
# master: f.root-servers.net
|
||||
# master: g.root-servers.net
|
||||
# master: k.root-servers.net
|
||||
# auth-zone:
|
||||
# name: "example.org"
|
||||
# for-downstream: yes
|
||||
@ -935,7 +979,7 @@ remote-control:
|
||||
# Enable external backend DB as auxiliary cache. Specify the backend name
|
||||
# (default is "testframe", which has no use other than for debugging and
|
||||
# testing) and backend-specific options. The 'cachedb' module must be
|
||||
# included in module-config.
|
||||
# included in module-config, just before the iterator module.
|
||||
# cachedb:
|
||||
# backend: "testframe"
|
||||
# # secret seed string to calculate hashed keys
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.8.1.
|
||||
# See unbound.conf(5) man page, version 1.9.2.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
@ -103,6 +103,7 @@ server:
|
||||
# so-sndbuf: 0
|
||||
|
||||
# use SO_REUSEPORT to distribute queries over threads.
|
||||
# at extreme load it could be better to turn it off to distribute even.
|
||||
# so-reuseport: yes
|
||||
|
||||
# use IP_TRANSPARENT so the interface: addresses can be non-local
|
||||
@ -123,6 +124,9 @@ server:
|
||||
# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
|
||||
# max-udp-size: 4096
|
||||
|
||||
# max memory to use for stream(tcp and tls) waiting result buffers.
|
||||
# stream-wait-size: 4m
|
||||
|
||||
# buffer size for handling DNS data. No messages larger than this
|
||||
# size can be sent or received, by UDP or TCP. In bytes.
|
||||
# msg-buffer-size: 65552
|
||||
@ -145,6 +149,10 @@ server:
|
||||
# msec to wait before close of port on timeout UDP. 0 disables.
|
||||
# delay-close: 0
|
||||
|
||||
# msec for waiting for an unknown server to reply. Increase if you
|
||||
# are behind a slow satellite link, to eg. 1128.
|
||||
# unknown-server-time-limit: 376
|
||||
|
||||
# the amount of memory to use for the RRset cache.
|
||||
# plain value in bytes or you can append k, m or G. default is "4Mb".
|
||||
# rrset-cache-size: 4m
|
||||
@ -318,6 +326,10 @@ server:
|
||||
# timetoresolve, fromcache and responsesize.
|
||||
# log-replies: no
|
||||
|
||||
# log with tag 'query' and 'reply' instead of 'info' for
|
||||
# filtering log-queries and log-replies from the log.
|
||||
# log-tag-queryreply: no
|
||||
|
||||
# log the local-zone actions, like local-zone type inform is enabled
|
||||
# also for the other local zone types.
|
||||
# log-local-actions: no
|
||||
@ -449,6 +461,9 @@ server:
|
||||
# if yes, perform key lookups adjacent to normal lookups.
|
||||
# prefetch-key: no
|
||||
|
||||
# deny queries of type ANY with an empty response.
|
||||
# deny-any: no
|
||||
|
||||
# if yes, Unbound rotates RRSet order in response.
|
||||
# rrset-roundrobin: no
|
||||
|
||||
@ -461,6 +476,9 @@ server:
|
||||
|
||||
# module configuration of the server. A string with identifiers
|
||||
# separated by spaces. Syntax: "[dns64] [validator] iterator"
|
||||
# most modules have to be listed at the beginning of the line,
|
||||
# except cachedb(just before iterator), and python (at the beginning,
|
||||
# or, just before the iterator).
|
||||
# module-config: "validator iterator"
|
||||
|
||||
# File with trusted keys, kept uptodate using RFC5011 probes,
|
||||
@ -475,7 +493,7 @@ server:
|
||||
|
||||
# trust anchor signaling sends a RFC8145 key tag query after priming.
|
||||
# trust-anchor-signaling: yes
|
||||
|
||||
|
||||
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
|
||||
# root-key-sentinel: yes
|
||||
|
||||
@ -659,6 +677,7 @@ server:
|
||||
# o typetransparent resolves normally for other types and other names
|
||||
# o inform acts like transparent, but logs client IP address
|
||||
# o inform_deny drops queries and logs client IP address
|
||||
# o inform_redirect redirects queries and logs client IP address
|
||||
# o always_transparent, always_refuse, always_nxdomain, resolve in
|
||||
# that way but ignore local data for that name
|
||||
# o noview breaks out of that view towards global local-zones.
|
||||
@ -701,6 +720,19 @@ server:
|
||||
# tls-service-pem: "path/to/publiccertfile.pem"
|
||||
# tls-port: 853
|
||||
|
||||
# cipher setting for TLSv1.2
|
||||
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
|
||||
# cipher setting for TLSv1.3
|
||||
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
|
||||
|
||||
# Add the secret file for TLS Session Ticket.
|
||||
# Secret file must be 80 bytes of random data.
|
||||
# First key use to encrypt and decrypt TLS session tickets.
|
||||
# Other keys use to decrypt only.
|
||||
# requires restart to take effect.
|
||||
# tls-session-ticket-keys: "path/to/secret_file1"
|
||||
# tls-session-ticket-keys: "path/to/secret_file2"
|
||||
|
||||
# request upstream over TLS (with plain DNS inside the TLS stream).
|
||||
# Default is no. Can be turned on and off with unbound-control.
|
||||
# tls-upstream: no
|
||||
@ -757,11 +789,11 @@ server:
|
||||
# Limit the number of connections simultaneous from a netblock
|
||||
# tcp-connection-limit: 192.0.2.0/24 12
|
||||
|
||||
# what is considered a low rtt (ping time for upstream server), in msec
|
||||
# low-rtt: 45
|
||||
# select low rtt this many times out of 1000. 0 means the fast server
|
||||
# select is disabled. prefetches are not sped up.
|
||||
# low-rtt-permil: 0
|
||||
# select from the fastest servers this many times out of 1000. 0 means
|
||||
# the fast server select is disabled. prefetches are not sped up.
|
||||
# fast-server-permil: 0
|
||||
# the number of servers that will be used in the fast server selection.
|
||||
# fast-server-num: 3
|
||||
|
||||
# Specific options for ipsecmod. unbound needs to be configured with
|
||||
# --enable-ipsecmod for these to take effect.
|
||||
@ -795,6 +827,8 @@ server:
|
||||
# Python config section. To enable:
|
||||
# o use --with-pythonmodule to configure before compiling.
|
||||
# o list python in the module-config string (above) to enable.
|
||||
# It can be at the start, it gets validated results, or just before
|
||||
# the iterator and process before DNSSEC validation.
|
||||
# o and give a python-script to run.
|
||||
python:
|
||||
# Script file to load
|
||||
@ -879,15 +913,25 @@ remote-control:
|
||||
# notifies.
|
||||
# auth-zone:
|
||||
# name: "."
|
||||
# master: 199.9.14.201 # b.root-servers.net
|
||||
# master: 192.33.4.12 # c.root-servers.net
|
||||
# master: 199.7.91.13 # d.root-servers.net
|
||||
# master: 192.5.5.241 # f.root-servers.net
|
||||
# master: 192.112.36.4 # g.root-servers.net
|
||||
# master: 193.0.14.129 # k.root-servers.net
|
||||
# master: 192.0.47.132 # xfr.cjr.dns.icann.org
|
||||
# master: 192.0.32.132 # xfr.lax.dns.icann.org
|
||||
# master: 2001:500:200::b # b.root-servers.net
|
||||
# master: 2001:500:2::c # c.root-servers.net
|
||||
# master: 2001:500:2d::d # d.root-servers.net
|
||||
# master: 2001:500:2f::f # f.root-servers.net
|
||||
# master: 2001:500:12::d0d # g.root-servers.net
|
||||
# master: 2001:7fd::1 # k.root-servers.net
|
||||
# master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
|
||||
# master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
|
||||
# fallback-enabled: yes
|
||||
# for-downstream: no
|
||||
# for-upstream: yes
|
||||
# fallback-enabled: yes
|
||||
# master: b.root-servers.net
|
||||
# master: c.root-servers.net
|
||||
# master: e.root-servers.net
|
||||
# master: f.root-servers.net
|
||||
# master: g.root-servers.net
|
||||
# master: k.root-servers.net
|
||||
# auth-zone:
|
||||
# name: "example.org"
|
||||
# for-downstream: yes
|
||||
@ -935,7 +979,7 @@ remote-control:
|
||||
# Enable external backend DB as auxiliary cache. Specify the backend name
|
||||
# (default is "testframe", which has no use other than for debugging and
|
||||
# testing) and backend-specific options. The 'cachedb' module must be
|
||||
# included in module-config.
|
||||
# included in module-config, just before the iterator module.
|
||||
# cachedb:
|
||||
# backend: "testframe"
|
||||
# # secret seed string to calculate hashed keys
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "libunbound" "3" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "libunbound" "3" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
@ -20,6 +20,7 @@
|
||||
.B ub_ctx_config,
|
||||
.B ub_ctx_set_fwd,
|
||||
.B ub_ctx_set_stub,
|
||||
.B ub_ctx_set_tls,
|
||||
.B ub_ctx_resolvconf,
|
||||
.B ub_ctx_hosts,
|
||||
.B ub_ctx_add_ta,
|
||||
@ -43,7 +44,7 @@
|
||||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.8.1 functions.
|
||||
\- Unbound DNS validating resolver 1.9.2 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
@ -72,6 +73,9 @@
|
||||
\fIint\fR isprime);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_set_tls\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR tls);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
|
||||
.LP
|
||||
\fIint\fR
|
||||
@ -227,6 +231,12 @@ for different zones, or to add multiple addresses for a particular zone.
|
||||
At this time it is only possible to set configuration before the
|
||||
first resolve is done.
|
||||
.TP
|
||||
.B ub_ctx_set_tls
|
||||
Enable DNS over TLS (DoT) for machines set with
|
||||
.B ub_ctx_set_fwd.
|
||||
At this time it is only possible to set configuration before the
|
||||
first resolve is done.
|
||||
.TP
|
||||
.B ub_ctx_resolvconf
|
||||
By default the root servers are queried and full resolver mode is used, but
|
||||
you can use this call to read the list of nameservers to use from the
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "libunbound" "3" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "libunbound" "3" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
@ -20,6 +20,7 @@
|
||||
.B ub_ctx_config,
|
||||
.B ub_ctx_set_fwd,
|
||||
.B ub_ctx_set_stub,
|
||||
.B ub_ctx_set_tls,
|
||||
.B ub_ctx_resolvconf,
|
||||
.B ub_ctx_hosts,
|
||||
.B ub_ctx_add_ta,
|
||||
@ -43,7 +44,7 @@
|
||||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.8.1 functions.
|
||||
\- Unbound DNS validating resolver 1.9.2 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
@ -72,6 +73,9 @@
|
||||
\fIint\fR isprime);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_set_tls\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR tls);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
|
||||
.LP
|
||||
\fIint\fR
|
||||
@ -227,6 +231,12 @@ for different zones, or to add multiple addresses for a particular zone.
|
||||
At this time it is only possible to set configuration before the
|
||||
first resolve is done.
|
||||
.TP
|
||||
.B ub_ctx_set_tls
|
||||
Enable DNS over TLS (DoT) for machines set with
|
||||
.B ub_ctx_set_fwd.
|
||||
At this time it is only possible to set configuration before the
|
||||
first resolve is done.
|
||||
.TP
|
||||
.B ub_ctx_resolvconf
|
||||
By default the root servers are queried and full resolver mode is used, but
|
||||
you can use this call to read the list of nameservers to use from the
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-anchor" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "unbound-anchor" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-anchor" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "unbound-anchor" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-checkconf" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "unbound-checkconf" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-checkconf" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "unbound-checkconf" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-control" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "unbound-control" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" unbound-control.8 -- unbound remote control manual
|
||||
.\"
|
||||
@ -322,6 +322,9 @@ serial check). And then the zone is transferred for a newer zone version.
|
||||
.TP
|
||||
.B view_local_data_remove \fIview\fR \fIname
|
||||
\fIlocal_data_remove\fR for given view.
|
||||
.TP
|
||||
.B view_local_datas \fIview\fR
|
||||
Add a list of \fIlocal_data\fR for given view from stdin. Like local_datas.
|
||||
.SH "EXIT CODE"
|
||||
The unbound\-control program exits with status code 1 on error, 0 on success.
|
||||
.SH "SET UP"
|
||||
@ -496,6 +499,10 @@ Memory in bytes in use by the iterator module.
|
||||
Memory in bytes in use by the validator module. Includes the key cache and
|
||||
negative cache.
|
||||
.TP
|
||||
.I mem.streamwait
|
||||
Memory in bytes in used by the TCP and TLS stream wait buffers. These are
|
||||
answers waiting to be written back to the clients.
|
||||
.TP
|
||||
.I histogram.<sec>.<usec>.to.<sec>.<usec>
|
||||
Shows a histogram, summed over all threads. Every element counts the
|
||||
recursive queries whose reply time fit between the lower and upper bound.
|
||||
@ -531,6 +538,10 @@ other servers.
|
||||
Number of queries that were made using TLS towards the unbound server.
|
||||
These are also counted in num.query.tcp, because TLS uses TCP.
|
||||
.TP
|
||||
.I num.query.tls.resume
|
||||
Number of TLS session resumptions, these are queries over TLS towards
|
||||
the unbound server where the client negotiated a TLS session resumption key.
|
||||
.TP
|
||||
.I num.query.ipv6
|
||||
Number of queries that were made using IPv6 towards the unbound server.
|
||||
.TP
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-control" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "unbound-control" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" unbound-control.8 -- unbound remote control manual
|
||||
.\"
|
||||
@ -322,6 +322,9 @@ serial check). And then the zone is transferred for a newer zone version.
|
||||
.TP
|
||||
.B view_local_data_remove \fIview\fR \fIname
|
||||
\fIlocal_data_remove\fR for given view.
|
||||
.TP
|
||||
.B view_local_datas \fIview\fR
|
||||
Add a list of \fIlocal_data\fR for given view from stdin. Like local_datas.
|
||||
.SH "EXIT CODE"
|
||||
The unbound\-control program exits with status code 1 on error, 0 on success.
|
||||
.SH "SET UP"
|
||||
@ -496,6 +499,10 @@ Memory in bytes in use by the iterator module.
|
||||
Memory in bytes in use by the validator module. Includes the key cache and
|
||||
negative cache.
|
||||
.TP
|
||||
.I mem.streamwait
|
||||
Memory in bytes in used by the TCP and TLS stream wait buffers. These are
|
||||
answers waiting to be written back to the clients.
|
||||
.TP
|
||||
.I histogram.<sec>.<usec>.to.<sec>.<usec>
|
||||
Shows a histogram, summed over all threads. Every element counts the
|
||||
recursive queries whose reply time fit between the lower and upper bound.
|
||||
@ -531,6 +538,10 @@ other servers.
|
||||
Number of queries that were made using TLS towards the unbound server.
|
||||
These are also counted in num.query.tcp, because TLS uses TCP.
|
||||
.TP
|
||||
.I num.query.tls.resume
|
||||
Number of TLS session resumptions, these are queries over TLS towards
|
||||
the unbound server where the client negotiated a TLS session resumption key.
|
||||
.TP
|
||||
.I num.query.ipv6
|
||||
Number of queries that were made using IPv6 towards the unbound server.
|
||||
.TP
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound\-host" "1" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "unbound\-host" "1" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound\-host" "1" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "unbound\-host" "1" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "unbound" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.8.1.
|
||||
\- Unbound DNS validating resolver 1.9.2.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound" "8" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "unbound" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.8.1.
|
||||
\- Unbound DNS validating resolver 1.9.2.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound.conf" "5" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "unbound.conf" "5" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" unbound.conf.5 -- unbound.conf manual
|
||||
.\"
|
||||
@ -207,6 +207,16 @@ Maximum UDP response size (not applied to TCP response). 65536 disables the
|
||||
udp response size maximum, and uses the choice from the client, always.
|
||||
Suggested values are 512 to 4096. Default is 4096.
|
||||
.TP
|
||||
.B stream\-wait\-size: \fI<number>
|
||||
Number of bytes size maximum to use for waiting stream buffers. Default is
|
||||
4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes,
|
||||
megabytes or gigabytes (1024*1024 bytes in a megabyte). As TCP and TLS streams
|
||||
queue up multiple results, the amount of memory used for these buffers does
|
||||
not exceed this number, otherwise the responses are dropped. This manages
|
||||
the total memory usage of the server (under heavy use), the number of requests
|
||||
that can be queued up per connection is also limited, with further requests
|
||||
waiting in TCP buffers.
|
||||
.TP
|
||||
.B msg\-buffer\-size: \fI<number>
|
||||
Number of bytes size of the message buffers. Default is 65552 bytes, enough
|
||||
for 64 Kb packets, the maximum DNS message size. No message larger than this
|
||||
@ -253,6 +263,12 @@ eg. 1500 msec. When timeouts happen you need extra sockets, it checks
|
||||
the ID and remote IP of packets, and unwanted packets are added to the
|
||||
unwanted packet counter.
|
||||
.TP
|
||||
.B unknown\-server\-time\-limit: \fI<msec>
|
||||
The wait time in msec for waiting for an unknown server to reply.
|
||||
Increase this if you are behind a slow satellite link, to eg. 1128.
|
||||
That would then avoid re\-querying every initial query because it times out.
|
||||
Default is 376 msec.
|
||||
.TP
|
||||
.B so\-rcvbuf: \fI<number>
|
||||
If not 0, then set the SO_RCVBUF socket option to get more buffer
|
||||
space on UDP port 53 incoming queries. So that short spikes on busy
|
||||
@ -284,6 +300,8 @@ it may also work. You can enable it (on any platform and kernel),
|
||||
it then attempts to open the port and passes the option if it was available
|
||||
at compile time, if that works it is used, if it fails, it continues
|
||||
silently (unless verbosity 3) without the option.
|
||||
At extreme load it could be better to turn it off to distribute the queries
|
||||
evenly, reported for Linux systems (4.4.x).
|
||||
.TP
|
||||
.B ip\-transparent: \fI<yes or no>
|
||||
If yes, then use IP_TRANSPARENT socket option on sockets where unbound
|
||||
@ -314,11 +332,9 @@ Must be set to a power of 2.
|
||||
.TP
|
||||
.B cache\-max\-ttl: \fI<seconds>
|
||||
Time to live maximum for RRsets and messages in the cache. Default is
|
||||
86400 seconds (1 day). If the maximum kicks in, responses to clients
|
||||
still get decrementing TTLs based on the original (larger) values.
|
||||
When the internal TTL expires, the cache item has expired.
|
||||
86400 seconds (1 day). When the TTL expires, the cache item has expired.
|
||||
Can be set lower to force the resolver to query for data often, and not
|
||||
trust (very large) TTL values.
|
||||
trust (very large) TTL values. Downstream clients also see the lower TTL.
|
||||
.TP
|
||||
.B cache\-min\-ttl: \fI<seconds>
|
||||
Time to live minimum for RRsets and messages in the cache. Default is 0.
|
||||
@ -436,20 +452,23 @@ TCP wireformat. The other server must support this (see
|
||||
\fBtls\-service\-key\fR).
|
||||
If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
|
||||
load CA certs, otherwise the connections cannot be authenticated.
|
||||
This option enables TLS for all of them, but if you do not set this you can
|
||||
configure TLS specifically for some forward zones with forward\-tls\-upstream. And also with stub\-tls\-upstream.
|
||||
.TP
|
||||
.B ssl\-upstream: \fI<yes or no>
|
||||
Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
|
||||
file the last is used.
|
||||
.TP
|
||||
.B tls\-service\-key: \fI<file>
|
||||
If enabled, the server provider TLS service on its TCP sockets. The clients
|
||||
have to use tls\-upstream: yes. The file is the private key for the TLS
|
||||
session. The public certificate is in the tls\-service\-pem file. Default
|
||||
is "", turned off. Requires a restart (a reload is not enough) if changed,
|
||||
because the private key is read while root permissions are held and before
|
||||
chroot (if any). Normal DNS TCP service is not provided and gives errors,
|
||||
this service is best run with a different \fBport:\fR config or \fI@port\fR
|
||||
suffixes in the \fBinterface\fR config.
|
||||
If enabled, the server provides TLS service on the TCP ports marked
|
||||
implicitly or explicitly for TLS service with tls\-port. The file must
|
||||
contain the private key for the TLS session, the public certificate is in
|
||||
the tls\-service\-pem file and it must also be specified if tls\-service\-key
|
||||
is specified. The default is "", turned off. Enabling or disabling
|
||||
this service requires a restart (a reload is not enough), because the
|
||||
key is read while root permissions are held and before chroot (if any).
|
||||
The ports enabled implicitly or explicitly via \fBtls\-port:\fR do not provide
|
||||
normal DNS TCP service.
|
||||
.TP
|
||||
.B ssl\-service\-key: \fI<file>
|
||||
Alternate syntax for \fBtls\-service\-key\fR.
|
||||
@ -488,6 +507,27 @@ List portnumbers as tls\-additional\-port, and when interfaces are defined,
|
||||
eg. with the @port suffix, as this port number, they provide dns over TLS
|
||||
service. Can list multiple, each on a new statement.
|
||||
.TP
|
||||
.B tls-session-ticket-keys: \fI<file>
|
||||
If not "", lists files with 80 bytes of random contents that are used to
|
||||
perform TLS session resumption for clients using the unbound server.
|
||||
These files contain the secret key for the TLS session tickets.
|
||||
First key use to encrypt and decrypt TLS session tickets.
|
||||
Other keys use to decrypt only. With this you can roll over to new keys,
|
||||
by generating a new first file and allowing decrypt of the old file by
|
||||
listing it after the first file for some time, after the wait clients are not
|
||||
using the old key any more and the old key can be removed.
|
||||
One way to create the file is dd if=/dev/random bs=1 count=80 of=ticket.dat
|
||||
The first 16 bytes should be different from the old one if you create a second key, that is the name used to identify the key. Then there is 32 bytes random
|
||||
data for an AES key and then 32 bytes random data for the HMAC key.
|
||||
.TP
|
||||
.B tls\-ciphers: \fI<string with cipher list>
|
||||
Set the list of ciphers to allow when serving TLS. Use "" for defaults,
|
||||
and that is the default.
|
||||
.TP
|
||||
.B tls\-ciphersuites: \fI<string with ciphersuites list>
|
||||
Set the list of ciphersuites to allow when serving TLS. This is for newer
|
||||
TLS 1.3 connections. Use "" for defaults, and that is the default.
|
||||
.TP
|
||||
.B use\-systemd: \fI<yes or no>
|
||||
Enable or disable systemd socket activation.
|
||||
Default is no.
|
||||
@ -508,6 +548,7 @@ classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||
\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
|
||||
\fIrefuse_non_local\fR.
|
||||
The most specific netblock match is used, if none match \fIdeny\fR is used.
|
||||
The order of the access\-control statements therefore does not matter.
|
||||
.IP
|
||||
The action \fIdeny\fR stops queries from hosts from that netblock.
|
||||
.IP
|
||||
@ -655,6 +696,11 @@ Default is no. Note that it takes time to print these
|
||||
lines which makes the server (significantly) slower. Odd (nonprintable)
|
||||
characters in names are printed as '?'.
|
||||
.TP
|
||||
.B log\-tag\-queryreply: \fI<yes or no>
|
||||
Prints the word 'query' and 'reply' with log\-queries and log\-replies.
|
||||
This makes filtering logs easier. The default is off (for backwards
|
||||
compatibility).
|
||||
.TP
|
||||
.B log\-local\-actions: \fI<yes or no>
|
||||
Print log lines to inform about local zone actions. These lines are like the
|
||||
local\-zone type inform prints out, but they are also printed for the other
|
||||
@ -784,7 +830,7 @@ Can be given multiple times, for different domains.
|
||||
.TP
|
||||
.B qname\-minimisation: \fI<yes or no>
|
||||
Send minimum amount of information to upstream servers to enhance privacy.
|
||||
Only sent minimum required labels of the QNAME and set QTYPE to A when
|
||||
Only send minimum required labels of the QNAME and set QTYPE to A when
|
||||
possible. Best effort approach; full QNAME and original QTYPE will be sent when
|
||||
upstream replies with a RCODE other than NOERROR, except when receiving
|
||||
NXDOMAIN from a DNSSEC signed zone. Default is yes.
|
||||
@ -848,12 +894,18 @@ keep the cache up to date. Default is no. Turning it on gives about
|
||||
10 percent more traffic and load on the machine, but popular items do
|
||||
not expire from the cache.
|
||||
.TP
|
||||
.B prefetch-key: \fI<yes or no>
|
||||
.B prefetch\-key: \fI<yes or no>
|
||||
If yes, fetch the DNSKEYs earlier in the validation process, when a DS
|
||||
record is encountered. This lowers the latency of requests. It does use
|
||||
a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
|
||||
.TP
|
||||
.B rrset-roundrobin: \fI<yes or no>
|
||||
.B deny\-any: \fI<yes or no>
|
||||
If yes, deny queries of type ANY with an empty response. Default is no.
|
||||
If disabled, unbound responds with a short list of resource records if some
|
||||
can be found in the cache and makes the upstream type ANY query if there
|
||||
are none.
|
||||
.TP
|
||||
.B rrset\-roundrobin: \fI<yes or no>
|
||||
If yes, Unbound rotates RRSet order in response (the random number is taken
|
||||
from the query ID, for speed and thread safety). Default is no.
|
||||
.TP
|
||||
@ -881,6 +933,12 @@ Setting this to "iterator" will result in a non\-validating server.
|
||||
Setting this to "validator iterator" will turn on DNSSEC validation.
|
||||
The ordering of the modules is important.
|
||||
You must also set trust\-anchors for validation to be useful.
|
||||
The default is "validator iterator". When the server is built with
|
||||
EDNS client subnet support the default is "subnetcache validator iterator".
|
||||
Most modules that need to be listed here have to be listed at the beginning
|
||||
of the line. The cachedb module has to be listed just before the iterator.
|
||||
The python module can be listed in different places, it then processes the
|
||||
output of the module it is just before.
|
||||
.TP
|
||||
.B trust\-anchor\-file: \fI<filename>
|
||||
File with trusted keys for validation. Both DS and DNSKEY entries can appear
|
||||
@ -1092,7 +1150,7 @@ address space are not validated. This is usually required whenever
|
||||
Configure a local zone. The type determines the answer to give if
|
||||
there is no match from local\-data. The types are deny, refuse, static,
|
||||
transparent, redirect, nodefault, typetransparent, inform, inform_deny,
|
||||
always_transparent, always_refuse, always_nxdomain, noview,
|
||||
inform_redirect, always_transparent, always_refuse, always_nxdomain, noview,
|
||||
and are explained below. After that the default settings are listed. Use
|
||||
local\-data: to enter data into the local zone. Answers for local zones
|
||||
are authoritative DNS answers. By default the zones are class IN.
|
||||
@ -1153,6 +1211,10 @@ looking up infected names are logged, eg. to run antivirus on them.
|
||||
The query is dropped, like 'deny', and logged, like 'inform'. Ie. find
|
||||
infected machines without answering the queries.
|
||||
.TP 10
|
||||
\h'5'\fIinform_redirect\fR
|
||||
The query is redirected, like 'redirect', and logged, like 'inform'.
|
||||
Ie. answer queries with fixed data and also log the machines that ask.
|
||||
.TP 10
|
||||
\h'5'\fIalways_transparent\fR
|
||||
Like transparent, but ignores local data and resolves normally.
|
||||
.TP 10
|
||||
@ -1308,7 +1370,8 @@ TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
|
||||
Assign tags to localzones. Tagged localzones will only be applied when the
|
||||
used access-control element has a matching tag. Tags must be defined in
|
||||
\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
|
||||
tags.
|
||||
tags. When there are multiple tags it checks if the intersection of the
|
||||
list of tags for the query and local\-zone\-tag is non-empty.
|
||||
.TP 5
|
||||
.B local\-zone\-override: \fI<zone> <IP netblock> <type>
|
||||
Override the localzone type for queries from addresses matching netblock.
|
||||
@ -1391,22 +1454,20 @@ This can make ordinary queries complete (if repeatedly queried for),
|
||||
and enter the cache, whilst also mitigating the traffic flow by the
|
||||
factor given.
|
||||
.TP 5
|
||||
.B low\-rtt: \fI<msec time>
|
||||
Set the time in millisecond that is considere a low ping time for fast
|
||||
server selection with the low\-rtt\-permil option, that turns this on or off.
|
||||
The default is 45 msec, a number from IPv6 quick response documents.
|
||||
.B fast\-server\-permil: \fI<number>
|
||||
Specify how many times out of 1000 to pick from the set of fastest servers.
|
||||
0 turns the feature off. A value of 900 would pick from the fastest
|
||||
servers 90 percent of the time, and would perform normal exploration of random
|
||||
servers for the remaining time. When prefetch is enabled (or serve\-expired),
|
||||
such prefetches are not sped up, because there is no one waiting for it, and it
|
||||
presents a good moment to perform server exploration. The
|
||||
\fBfast\-server\-num\fR option can be used to specify the size of the fastest
|
||||
servers set. The default for fast\-server\-permil is 0.
|
||||
.TP 5
|
||||
.B low\-rtt\-permil: \fI<number>
|
||||
Specify how many times out of 1000 to pick the fast server from the low
|
||||
rtt band. 0 turns the feature off. A value of 900 would pick the fast
|
||||
server when such fast servers are available 90 percent of the time, and
|
||||
the remaining time perform normal exploration of random servers.
|
||||
When prefetch is enabled (or serve\-expired), such prefetches are not
|
||||
sped up, because there is no one waiting for it, and it presents a good
|
||||
moment to perform server exploration. The low\-rtt option can be used
|
||||
to specify which servers are picked for fast server selection, servers
|
||||
with a ping roundtrip time below that value are considered.
|
||||
The default for low\-rtt\-permil is 0.
|
||||
.B fast\-server\-num: \fI<number>
|
||||
Set the number of servers that should be used for fast server selection. Only
|
||||
use the fastest specified number of servers with the fast\-server\-permil
|
||||
option, that turns this on or off. The default is to use the fastest 3 servers.
|
||||
.SS "Remote Control Options"
|
||||
In the
|
||||
.B remote\-control:
|
||||
@ -1568,13 +1629,11 @@ the '@' and '#', the '@' comes first.
|
||||
At high verbosity it logs the TLS certificate, with TLS enabled.
|
||||
If you leave out the '#' and auth name from the forward\-addr, any
|
||||
name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
|
||||
The cert name match code needs OpenSSL 1.1.0 or later to be enabled.
|
||||
.TP
|
||||
.B forward\-first: \fI<yes or no>
|
||||
If enabled, a query is attempted without the forward clause if it fails.
|
||||
The data could not be retrieved and would have caused SERVFAIL because
|
||||
the servers are unreachable, instead it is tried without this clause.
|
||||
The default is no.
|
||||
If a forwarded query is met with a SERVFAIL error, and this option is
|
||||
enabled, unbound will fall back to normal recursive resolution for this
|
||||
query as if no query forwarding had been specified. The default is "no".
|
||||
.TP
|
||||
.B forward\-tls\-upstream: \fI<yes or no>
|
||||
Enabled or disable whether the queries to this forwarder use TLS for transport.
|
||||
@ -1604,6 +1663,13 @@ lookups of that data.
|
||||
Authority zones can be read from zonefile. And can be kept updated via
|
||||
AXFR and IXFR. After update the zonefile is rewritten. The update mechanism
|
||||
uses the SOA timer values and performs SOA UDP queries to detect zone changes.
|
||||
.LP
|
||||
If the update fetch fails, the timers in the SOA record are used to time
|
||||
another fetch attempt. Until the SOA expiry timer is reached. Then the
|
||||
zone is expired. When a zone is expired, queries are SERVFAIL, and
|
||||
any new serial number is accepted from the master (even if older), and if
|
||||
fallback is enabled, the fallback activates to fetch from the upstream instead
|
||||
of the SERVFAIL.
|
||||
.TP
|
||||
.B name: \fI<zone name>
|
||||
Name of the authority zone.
|
||||
@ -1611,6 +1677,7 @@ Name of the authority zone.
|
||||
.B master: \fI<IP address or host name>
|
||||
Where to download a copy of the zone from, with AXFR and IXFR. Multiple
|
||||
masters can be specified. They are all tried if one fails.
|
||||
With the "ip#name" notation a AXFR over TLS can be used.
|
||||
.TP
|
||||
.B url: \fI<url to zonefile>
|
||||
Where to download a zonefile for the zone. With http or https. An example
|
||||
@ -1662,7 +1729,9 @@ data (eg. from the master servers).
|
||||
There may be multiple
|
||||
.B view:
|
||||
clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
|
||||
\fBlocal\-data\fR elements. View can be mapped to requests by specifying the
|
||||
\fBlocal\-data\fR elements. Views can also contain view\-first,
|
||||
response\-ip, response\-ip\-data and local\-data\-ptr elements.
|
||||
View can be mapped to requests by specifying the
|
||||
view name in an \fBaccess\-control\-view\fR element. Options from matching
|
||||
views will override global options. Global options will be used if no matching
|
||||
view is found, or when the matching view does not have the option specified.
|
||||
@ -1843,6 +1912,24 @@ to expose to third parties for IPv6. Defaults to 56.
|
||||
.B max\-client\-subnet\-ipv4: \fI<number>\fR
|
||||
Specifies the maximum prefix length of the client source address we are willing
|
||||
to expose to third parties for IPv4. Defaults to 24.
|
||||
.TP
|
||||
.B min\-client\-subnet\-ipv6: \fI<number>\fR
|
||||
Specifies the minimum prefix length of the IPv6 source mask we are willing to
|
||||
accept in queries. Shorter source masks result in REFUSED answers. Source mask
|
||||
of 0 is always accepted. Default is 0.
|
||||
.TP
|
||||
.B min\-client\-subnet\-ipv4: \fI<number>\fR
|
||||
Specifies the minimum prefix length of the IPv4 source mask we are willing to
|
||||
accept in queries. Shorter source masks result in REFUSED answers. Source mask
|
||||
of 0 is always accepted. Default is 0.
|
||||
.TP
|
||||
.B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
|
||||
Specifies the maximum number of subnets ECS answers kept in the ECS radix tree.
|
||||
This number applies for each qname/qclass/qtype tuple. Defaults to 100.
|
||||
.TP
|
||||
.B max\-ecs\-tree\-size\-ipv6: \fI<number>\fR
|
||||
Specifies the maximum number of subnets ECS answers kept in the ECS radix tree.
|
||||
This number applies for each qname/qclass/qtype tuple. Defaults to 100.
|
||||
.SS "Opportunistic IPsec Support Module Options"
|
||||
.LP
|
||||
The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound.conf" "5" "Oct 8, 2018" "NLnet Labs" "unbound 1.8.1"
|
||||
.TH "unbound.conf" "5" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
|
||||
.\"
|
||||
.\" unbound.conf.5 -- unbound.conf manual
|
||||
.\"
|
||||
@ -207,6 +207,16 @@ Maximum UDP response size (not applied to TCP response). 65536 disables the
|
||||
udp response size maximum, and uses the choice from the client, always.
|
||||
Suggested values are 512 to 4096. Default is 4096.
|
||||
.TP
|
||||
.B stream\-wait\-size: \fI<number>
|
||||
Number of bytes size maximum to use for waiting stream buffers. Default is
|
||||
4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes,
|
||||
megabytes or gigabytes (1024*1024 bytes in a megabyte). As TCP and TLS streams
|
||||
queue up multiple results, the amount of memory used for these buffers does
|
||||
not exceed this number, otherwise the responses are dropped. This manages
|
||||
the total memory usage of the server (under heavy use), the number of requests
|
||||
that can be queued up per connection is also limited, with further requests
|
||||
waiting in TCP buffers.
|
||||
.TP
|
||||
.B msg\-buffer\-size: \fI<number>
|
||||
Number of bytes size of the message buffers. Default is 65552 bytes, enough
|
||||
for 64 Kb packets, the maximum DNS message size. No message larger than this
|
||||
@ -253,6 +263,12 @@ eg. 1500 msec. When timeouts happen you need extra sockets, it checks
|
||||
the ID and remote IP of packets, and unwanted packets are added to the
|
||||
unwanted packet counter.
|
||||
.TP
|
||||
.B unknown\-server\-time\-limit: \fI<msec>
|
||||
The wait time in msec for waiting for an unknown server to reply.
|
||||
Increase this if you are behind a slow satellite link, to eg. 1128.
|
||||
That would then avoid re\-querying every initial query because it times out.
|
||||
Default is 376 msec.
|
||||
.TP
|
||||
.B so\-rcvbuf: \fI<number>
|
||||
If not 0, then set the SO_RCVBUF socket option to get more buffer
|
||||
space on UDP port 53 incoming queries. So that short spikes on busy
|
||||
@ -284,6 +300,8 @@ it may also work. You can enable it (on any platform and kernel),
|
||||
it then attempts to open the port and passes the option if it was available
|
||||
at compile time, if that works it is used, if it fails, it continues
|
||||
silently (unless verbosity 3) without the option.
|
||||
At extreme load it could be better to turn it off to distribute the queries
|
||||
evenly, reported for Linux systems (4.4.x).
|
||||
.TP
|
||||
.B ip\-transparent: \fI<yes or no>
|
||||
If yes, then use IP_TRANSPARENT socket option on sockets where unbound
|
||||
@ -314,11 +332,9 @@ Must be set to a power of 2.
|
||||
.TP
|
||||
.B cache\-max\-ttl: \fI<seconds>
|
||||
Time to live maximum for RRsets and messages in the cache. Default is
|
||||
86400 seconds (1 day). If the maximum kicks in, responses to clients
|
||||
still get decrementing TTLs based on the original (larger) values.
|
||||
When the internal TTL expires, the cache item has expired.
|
||||
86400 seconds (1 day). When the TTL expires, the cache item has expired.
|
||||
Can be set lower to force the resolver to query for data often, and not
|
||||
trust (very large) TTL values.
|
||||
trust (very large) TTL values. Downstream clients also see the lower TTL.
|
||||
.TP
|
||||
.B cache\-min\-ttl: \fI<seconds>
|
||||
Time to live minimum for RRsets and messages in the cache. Default is 0.
|
||||
@ -436,20 +452,23 @@ TCP wireformat. The other server must support this (see
|
||||
\fBtls\-service\-key\fR).
|
||||
If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
|
||||
load CA certs, otherwise the connections cannot be authenticated.
|
||||
This option enables TLS for all of them, but if you do not set this you can
|
||||
configure TLS specifically for some forward zones with forward\-tls\-upstream. And also with stub\-tls\-upstream.
|
||||
.TP
|
||||
.B ssl\-upstream: \fI<yes or no>
|
||||
Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
|
||||
file the last is used.
|
||||
.TP
|
||||
.B tls\-service\-key: \fI<file>
|
||||
If enabled, the server provider TLS service on its TCP sockets. The clients
|
||||
have to use tls\-upstream: yes. The file is the private key for the TLS
|
||||
session. The public certificate is in the tls\-service\-pem file. Default
|
||||
is "", turned off. Requires a restart (a reload is not enough) if changed,
|
||||
because the private key is read while root permissions are held and before
|
||||
chroot (if any). Normal DNS TCP service is not provided and gives errors,
|
||||
this service is best run with a different \fBport:\fR config or \fI@port\fR
|
||||
suffixes in the \fBinterface\fR config.
|
||||
If enabled, the server provides TLS service on the TCP ports marked
|
||||
implicitly or explicitly for TLS service with tls\-port. The file must
|
||||
contain the private key for the TLS session, the public certificate is in
|
||||
the tls\-service\-pem file and it must also be specified if tls\-service\-key
|
||||
is specified. The default is "", turned off. Enabling or disabling
|
||||
this service requires a restart (a reload is not enough), because the
|
||||
key is read while root permissions are held and before chroot (if any).
|
||||
The ports enabled implicitly or explicitly via \fBtls\-port:\fR do not provide
|
||||
normal DNS TCP service.
|
||||
.TP
|
||||
.B ssl\-service\-key: \fI<file>
|
||||
Alternate syntax for \fBtls\-service\-key\fR.
|
||||
@ -488,6 +507,27 @@ List portnumbers as tls\-additional\-port, and when interfaces are defined,
|
||||
eg. with the @port suffix, as this port number, they provide dns over TLS
|
||||
service. Can list multiple, each on a new statement.
|
||||
.TP
|
||||
.B tls-session-ticket-keys: \fI<file>
|
||||
If not "", lists files with 80 bytes of random contents that are used to
|
||||
perform TLS session resumption for clients using the unbound server.
|
||||
These files contain the secret key for the TLS session tickets.
|
||||
First key use to encrypt and decrypt TLS session tickets.
|
||||
Other keys use to decrypt only. With this you can roll over to new keys,
|
||||
by generating a new first file and allowing decrypt of the old file by
|
||||
listing it after the first file for some time, after the wait clients are not
|
||||
using the old key any more and the old key can be removed.
|
||||
One way to create the file is dd if=/dev/random bs=1 count=80 of=ticket.dat
|
||||
The first 16 bytes should be different from the old one if you create a second key, that is the name used to identify the key. Then there is 32 bytes random
|
||||
data for an AES key and then 32 bytes random data for the HMAC key.
|
||||
.TP
|
||||
.B tls\-ciphers: \fI<string with cipher list>
|
||||
Set the list of ciphers to allow when serving TLS. Use "" for defaults,
|
||||
and that is the default.
|
||||
.TP
|
||||
.B tls\-ciphersuites: \fI<string with ciphersuites list>
|
||||
Set the list of ciphersuites to allow when serving TLS. This is for newer
|
||||
TLS 1.3 connections. Use "" for defaults, and that is the default.
|
||||
.TP
|
||||
.B use\-systemd: \fI<yes or no>
|
||||
Enable or disable systemd socket activation.
|
||||
Default is no.
|
||||
@ -508,6 +548,7 @@ classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||
\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
|
||||
\fIrefuse_non_local\fR.
|
||||
The most specific netblock match is used, if none match \fIdeny\fR is used.
|
||||
The order of the access\-control statements therefore does not matter.
|
||||
.IP
|
||||
The action \fIdeny\fR stops queries from hosts from that netblock.
|
||||
.IP
|
||||
@ -655,6 +696,11 @@ Default is no. Note that it takes time to print these
|
||||
lines which makes the server (significantly) slower. Odd (nonprintable)
|
||||
characters in names are printed as '?'.
|
||||
.TP
|
||||
.B log\-tag\-queryreply: \fI<yes or no>
|
||||
Prints the word 'query' and 'reply' with log\-queries and log\-replies.
|
||||
This makes filtering logs easier. The default is off (for backwards
|
||||
compatibility).
|
||||
.TP
|
||||
.B log\-local\-actions: \fI<yes or no>
|
||||
Print log lines to inform about local zone actions. These lines are like the
|
||||
local\-zone type inform prints out, but they are also printed for the other
|
||||
@ -784,7 +830,7 @@ Can be given multiple times, for different domains.
|
||||
.TP
|
||||
.B qname\-minimisation: \fI<yes or no>
|
||||
Send minimum amount of information to upstream servers to enhance privacy.
|
||||
Only sent minimum required labels of the QNAME and set QTYPE to A when
|
||||
Only send minimum required labels of the QNAME and set QTYPE to A when
|
||||
possible. Best effort approach; full QNAME and original QTYPE will be sent when
|
||||
upstream replies with a RCODE other than NOERROR, except when receiving
|
||||
NXDOMAIN from a DNSSEC signed zone. Default is yes.
|
||||
@ -848,12 +894,18 @@ keep the cache up to date. Default is no. Turning it on gives about
|
||||
10 percent more traffic and load on the machine, but popular items do
|
||||
not expire from the cache.
|
||||
.TP
|
||||
.B prefetch-key: \fI<yes or no>
|
||||
.B prefetch\-key: \fI<yes or no>
|
||||
If yes, fetch the DNSKEYs earlier in the validation process, when a DS
|
||||
record is encountered. This lowers the latency of requests. It does use
|
||||
a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
|
||||
.TP
|
||||
.B rrset-roundrobin: \fI<yes or no>
|
||||
.B deny\-any: \fI<yes or no>
|
||||
If yes, deny queries of type ANY with an empty response. Default is no.
|
||||
If disabled, unbound responds with a short list of resource records if some
|
||||
can be found in the cache and makes the upstream type ANY query if there
|
||||
are none.
|
||||
.TP
|
||||
.B rrset\-roundrobin: \fI<yes or no>
|
||||
If yes, Unbound rotates RRSet order in response (the random number is taken
|
||||
from the query ID, for speed and thread safety). Default is no.
|
||||
.TP
|
||||
@ -881,6 +933,12 @@ Setting this to "iterator" will result in a non\-validating server.
|
||||
Setting this to "validator iterator" will turn on DNSSEC validation.
|
||||
The ordering of the modules is important.
|
||||
You must also set trust\-anchors for validation to be useful.
|
||||
The default is "validator iterator". When the server is built with
|
||||
EDNS client subnet support the default is "subnetcache validator iterator".
|
||||
Most modules that need to be listed here have to be listed at the beginning
|
||||
of the line. The cachedb module has to be listed just before the iterator.
|
||||
The python module can be listed in different places, it then processes the
|
||||
output of the module it is just before.
|
||||
.TP
|
||||
.B trust\-anchor\-file: \fI<filename>
|
||||
File with trusted keys for validation. Both DS and DNSKEY entries can appear
|
||||
@ -1092,7 +1150,7 @@ address space are not validated. This is usually required whenever
|
||||
Configure a local zone. The type determines the answer to give if
|
||||
there is no match from local\-data. The types are deny, refuse, static,
|
||||
transparent, redirect, nodefault, typetransparent, inform, inform_deny,
|
||||
always_transparent, always_refuse, always_nxdomain, noview,
|
||||
inform_redirect, always_transparent, always_refuse, always_nxdomain, noview,
|
||||
and are explained below. After that the default settings are listed. Use
|
||||
local\-data: to enter data into the local zone. Answers for local zones
|
||||
are authoritative DNS answers. By default the zones are class IN.
|
||||
@ -1153,6 +1211,10 @@ looking up infected names are logged, eg. to run antivirus on them.
|
||||
The query is dropped, like 'deny', and logged, like 'inform'. Ie. find
|
||||
infected machines without answering the queries.
|
||||
.TP 10
|
||||
\h'5'\fIinform_redirect\fR
|
||||
The query is redirected, like 'redirect', and logged, like 'inform'.
|
||||
Ie. answer queries with fixed data and also log the machines that ask.
|
||||
.TP 10
|
||||
\h'5'\fIalways_transparent\fR
|
||||
Like transparent, but ignores local data and resolves normally.
|
||||
.TP 10
|
||||
@ -1308,7 +1370,8 @@ TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
|
||||
Assign tags to localzones. Tagged localzones will only be applied when the
|
||||
used access-control element has a matching tag. Tags must be defined in
|
||||
\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
|
||||
tags.
|
||||
tags. When there are multiple tags it checks if the intersection of the
|
||||
list of tags for the query and local\-zone\-tag is non-empty.
|
||||
.TP 5
|
||||
.B local\-zone\-override: \fI<zone> <IP netblock> <type>
|
||||
Override the localzone type for queries from addresses matching netblock.
|
||||
@ -1391,22 +1454,20 @@ This can make ordinary queries complete (if repeatedly queried for),
|
||||
and enter the cache, whilst also mitigating the traffic flow by the
|
||||
factor given.
|
||||
.TP 5
|
||||
.B low\-rtt: \fI<msec time>
|
||||
Set the time in millisecond that is considere a low ping time for fast
|
||||
server selection with the low\-rtt\-permil option, that turns this on or off.
|
||||
The default is 45 msec, a number from IPv6 quick response documents.
|
||||
.B fast\-server\-permil: \fI<number>
|
||||
Specify how many times out of 1000 to pick from the set of fastest servers.
|
||||
0 turns the feature off. A value of 900 would pick from the fastest
|
||||
servers 90 percent of the time, and would perform normal exploration of random
|
||||
servers for the remaining time. When prefetch is enabled (or serve\-expired),
|
||||
such prefetches are not sped up, because there is no one waiting for it, and it
|
||||
presents a good moment to perform server exploration. The
|
||||
\fBfast\-server\-num\fR option can be used to specify the size of the fastest
|
||||
servers set. The default for fast\-server\-permil is 0.
|
||||
.TP 5
|
||||
.B low\-rtt\-permil: \fI<number>
|
||||
Specify how many times out of 1000 to pick the fast server from the low
|
||||
rtt band. 0 turns the feature off. A value of 900 would pick the fast
|
||||
server when such fast servers are available 90 percent of the time, and
|
||||
the remaining time perform normal exploration of random servers.
|
||||
When prefetch is enabled (or serve\-expired), such prefetches are not
|
||||
sped up, because there is no one waiting for it, and it presents a good
|
||||
moment to perform server exploration. The low\-rtt option can be used
|
||||
to specify which servers are picked for fast server selection, servers
|
||||
with a ping roundtrip time below that value are considered.
|
||||
The default for low\-rtt\-permil is 0.
|
||||
.B fast\-server\-num: \fI<number>
|
||||
Set the number of servers that should be used for fast server selection. Only
|
||||
use the fastest specified number of servers with the fast\-server\-permil
|
||||
option, that turns this on or off. The default is to use the fastest 3 servers.
|
||||
.SS "Remote Control Options"
|
||||
In the
|
||||
.B remote\-control:
|
||||
@ -1568,13 +1629,11 @@ the '@' and '#', the '@' comes first.
|
||||
At high verbosity it logs the TLS certificate, with TLS enabled.
|
||||
If you leave out the '#' and auth name from the forward\-addr, any
|
||||
name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
|
||||
The cert name match code needs OpenSSL 1.1.0 or later to be enabled.
|
||||
.TP
|
||||
.B forward\-first: \fI<yes or no>
|
||||
If enabled, a query is attempted without the forward clause if it fails.
|
||||
The data could not be retrieved and would have caused SERVFAIL because
|
||||
the servers are unreachable, instead it is tried without this clause.
|
||||
The default is no.
|
||||
If a forwarded query is met with a SERVFAIL error, and this option is
|
||||
enabled, unbound will fall back to normal recursive resolution for this
|
||||
query as if no query forwarding had been specified. The default is "no".
|
||||
.TP
|
||||
.B forward\-tls\-upstream: \fI<yes or no>
|
||||
Enabled or disable whether the queries to this forwarder use TLS for transport.
|
||||
@ -1604,6 +1663,13 @@ lookups of that data.
|
||||
Authority zones can be read from zonefile. And can be kept updated via
|
||||
AXFR and IXFR. After update the zonefile is rewritten. The update mechanism
|
||||
uses the SOA timer values and performs SOA UDP queries to detect zone changes.
|
||||
.LP
|
||||
If the update fetch fails, the timers in the SOA record are used to time
|
||||
another fetch attempt. Until the SOA expiry timer is reached. Then the
|
||||
zone is expired. When a zone is expired, queries are SERVFAIL, and
|
||||
any new serial number is accepted from the master (even if older), and if
|
||||
fallback is enabled, the fallback activates to fetch from the upstream instead
|
||||
of the SERVFAIL.
|
||||
.TP
|
||||
.B name: \fI<zone name>
|
||||
Name of the authority zone.
|
||||
@ -1611,6 +1677,7 @@ Name of the authority zone.
|
||||
.B master: \fI<IP address or host name>
|
||||
Where to download a copy of the zone from, with AXFR and IXFR. Multiple
|
||||
masters can be specified. They are all tried if one fails.
|
||||
With the "ip#name" notation a AXFR over TLS can be used.
|
||||
.TP
|
||||
.B url: \fI<url to zonefile>
|
||||
Where to download a zonefile for the zone. With http or https. An example
|
||||
@ -1662,7 +1729,9 @@ data (eg. from the master servers).
|
||||
There may be multiple
|
||||
.B view:
|
||||
clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
|
||||
\fBlocal\-data\fR elements. View can be mapped to requests by specifying the
|
||||
\fBlocal\-data\fR elements. Views can also contain view\-first,
|
||||
response\-ip, response\-ip\-data and local\-data\-ptr elements.
|
||||
View can be mapped to requests by specifying the
|
||||
view name in an \fBaccess\-control\-view\fR element. Options from matching
|
||||
views will override global options. Global options will be used if no matching
|
||||
view is found, or when the matching view does not have the option specified.
|
||||
@ -1843,6 +1912,24 @@ to expose to third parties for IPv6. Defaults to 56.
|
||||
.B max\-client\-subnet\-ipv4: \fI<number>\fR
|
||||
Specifies the maximum prefix length of the client source address we are willing
|
||||
to expose to third parties for IPv4. Defaults to 24.
|
||||
.TP
|
||||
.B min\-client\-subnet\-ipv6: \fI<number>\fR
|
||||
Specifies the minimum prefix length of the IPv6 source mask we are willing to
|
||||
accept in queries. Shorter source masks result in REFUSED answers. Source mask
|
||||
of 0 is always accepted. Default is 0.
|
||||
.TP
|
||||
.B min\-client\-subnet\-ipv4: \fI<number>\fR
|
||||
Specifies the minimum prefix length of the IPv4 source mask we are willing to
|
||||
accept in queries. Shorter source masks result in REFUSED answers. Source mask
|
||||
of 0 is always accepted. Default is 0.
|
||||
.TP
|
||||
.B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
|
||||
Specifies the maximum number of subnets ECS answers kept in the ECS radix tree.
|
||||
This number applies for each qname/qclass/qtype tuple. Defaults to 100.
|
||||
.TP
|
||||
.B max\-ecs\-tree\-size\-ipv6: \fI<number>\fR
|
||||
Specifies the maximum number of subnets ECS answers kept in the ECS radix tree.
|
||||
This number applies for each qname/qclass/qtype tuple. Defaults to 100.
|
||||
.SS "Opportunistic IPsec Support Module Options"
|
||||
.LP
|
||||
The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
|
||||
|
@ -612,18 +612,24 @@ RECURSIVE = YES
|
||||
|
||||
EXCLUDE = ./build \
|
||||
./compat \
|
||||
./contrib \
|
||||
util/configparser.c \
|
||||
util/configparser.h \
|
||||
util/configlexer.c \
|
||||
util/locks.h \
|
||||
pythonmod/doc \
|
||||
pythonmod/examples \
|
||||
pythonmod/unboundmodule.py \
|
||||
pythonmod/interface.h \
|
||||
pythonmod/examples/resgen.py \
|
||||
pythonmod/examples/resmod.py \
|
||||
pythonmod/examples/resip.py \
|
||||
pythonmod/ubmodule-msg.py \
|
||||
pythonmod/ubmodule-tst.py \
|
||||
unboundmodule.py \
|
||||
libunbound/python/unbound.py \
|
||||
libunbound/python/libunbound_wrap.c \
|
||||
libunbound/python/doc \
|
||||
libunbound/python/examples \
|
||||
./ldns-src \
|
||||
README.md \
|
||||
doc/control_proto_spec.txt \
|
||||
doc/requirements.txt
|
||||
|
||||
|
@ -119,7 +119,7 @@ node_size(const struct addrtree *tree, const struct addrnode *n)
|
||||
|
||||
struct addrtree *
|
||||
addrtree_create(addrlen_t max_depth, void (*delfunc)(void *, void *),
|
||||
size_t (*sizefunc)(void *), void *env, unsigned int max_node_count)
|
||||
size_t (*sizefunc)(void *), void *env, uint32_t max_node_count)
|
||||
{
|
||||
struct addrtree *tree;
|
||||
log_assert(delfunc != NULL);
|
||||
|
@ -66,10 +66,10 @@ struct addrtree {
|
||||
struct addrnode *root;
|
||||
/** Number of elements in the tree (not always equal to number of
|
||||
* nodes) */
|
||||
unsigned int node_count;
|
||||
uint32_t node_count;
|
||||
/** Maximum number of allowed nodes, will be enforced by LRU list.
|
||||
* Excluding the root node, 0 for unlimited */
|
||||
unsigned int max_node_count;
|
||||
uint32_t max_node_count;
|
||||
/** Size of tree in bytes */
|
||||
size_t size_bytes;
|
||||
/** Maximum prefix length we are willing to cache. */
|
||||
@ -137,7 +137,7 @@ size_t addrtree_size(const struct addrtree *tree);
|
||||
*/
|
||||
struct addrtree *
|
||||
addrtree_create(addrlen_t max_depth, void (*delfunc)(void *, void *),
|
||||
size_t (*sizefunc)(void *), void *env, unsigned int max_node_count);
|
||||
size_t (*sizefunc)(void *), void *env, uint32_t max_node_count);
|
||||
|
||||
/**
|
||||
* Free tree and all nodes below.
|
||||
|
@ -55,8 +55,7 @@
|
||||
#include "util/config_file.h"
|
||||
#include "util/data/msgreply.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
|
||||
#define ECS_MAX_TREESIZE 100
|
||||
#include "iterator/iter_utils.h"
|
||||
|
||||
/** externally called */
|
||||
void
|
||||
@ -93,6 +92,7 @@ subnet_new_qstate(struct module_qstate *qstate, int id)
|
||||
return 0;
|
||||
qstate->minfo[id] = sq;
|
||||
memset(sq, 0, sizeof(*sq));
|
||||
sq->started_no_cache_store = qstate->no_cache_store;
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -150,7 +150,9 @@ int ecs_whitelist_check(struct query_info* qinfo,
|
||||
|
||||
/* Cache by default, might be disabled after parsing EDNS option
|
||||
* received from nameserver. */
|
||||
qstate->no_cache_store = 0;
|
||||
if(!iter_stub_fwd_no_cache(qstate, &qstate->qinfo)) {
|
||||
qstate->no_cache_store = 0;
|
||||
}
|
||||
|
||||
if(sq->ecs_server_out.subnet_validdata && ((sq->subnet_downstream &&
|
||||
qstate->env->cfg->client_subnet_always_forward) ||
|
||||
@ -177,6 +179,14 @@ int ecs_whitelist_check(struct query_info* qinfo,
|
||||
}
|
||||
|
||||
|
||||
void
|
||||
subnet_markdel(void* key)
|
||||
{
|
||||
struct msgreply_entry *e = (struct msgreply_entry*)key;
|
||||
e->key.qtype = 0;
|
||||
e->key.qclass = 0;
|
||||
}
|
||||
|
||||
int
|
||||
subnetmod_init(struct module_env *env, int id)
|
||||
{
|
||||
@ -193,6 +203,7 @@ subnetmod_init(struct module_env *env, int id)
|
||||
HASH_DEFAULT_STARTARRAY, env->cfg->msg_cache_size,
|
||||
msg_cache_sizefunc, query_info_compare, query_entry_delete,
|
||||
subnet_data_delete, NULL);
|
||||
slabhash_setmarkdel(sn_env->subnet_msg_cache, &subnet_markdel);
|
||||
if(!sn_env->subnet_msg_cache) {
|
||||
log_err("subnet: could not create cache");
|
||||
free(sn_env);
|
||||
@ -291,13 +302,13 @@ get_tree(struct subnet_msg_cache_data *data, struct ecs_data *edns,
|
||||
if (!data->tree4)
|
||||
data->tree4 = addrtree_create(
|
||||
cfg->max_client_subnet_ipv4, &delfunc,
|
||||
&sizefunc, env, ECS_MAX_TREESIZE);
|
||||
&sizefunc, env, cfg->max_ecs_tree_size_ipv4);
|
||||
tree = data->tree4;
|
||||
} else {
|
||||
if (!data->tree6)
|
||||
data->tree6 = addrtree_create(
|
||||
cfg->max_client_subnet_ipv6, &delfunc,
|
||||
&sizefunc, env, ECS_MAX_TREESIZE);
|
||||
&sizefunc, env, cfg->max_ecs_tree_size_ipv6);
|
||||
tree = data->tree6;
|
||||
}
|
||||
return tree;
|
||||
@ -323,33 +334,37 @@ update_cache(struct module_qstate *qstate, int id)
|
||||
/* Step 1, general qinfo lookup */
|
||||
struct lruhash_entry *lru_entry = slabhash_lookup(subnet_msg_cache, h,
|
||||
&qstate->qinfo, 1);
|
||||
int acquired_lock = (lru_entry != NULL);
|
||||
int need_to_insert = (lru_entry == NULL);
|
||||
if (!lru_entry) {
|
||||
void* data = calloc(1,
|
||||
sizeof(struct subnet_msg_cache_data));
|
||||
if(!data) {
|
||||
log_err("malloc failed");
|
||||
return;
|
||||
}
|
||||
qinf = qstate->qinfo;
|
||||
qinf.qname = memdup(qstate->qinfo.qname,
|
||||
qstate->qinfo.qname_len);
|
||||
if(!qinf.qname) {
|
||||
free(data);
|
||||
log_err("memdup failed");
|
||||
return;
|
||||
}
|
||||
mrep_entry = query_info_entrysetup(&qinf, NULL, h);
|
||||
mrep_entry = query_info_entrysetup(&qinf, data, h);
|
||||
free(qinf.qname); /* if qname 'consumed', it is set to NULL */
|
||||
if (!mrep_entry) {
|
||||
free(data);
|
||||
log_err("query_info_entrysetup failed");
|
||||
return;
|
||||
}
|
||||
lru_entry = &mrep_entry->entry;
|
||||
lock_rw_wrlock(&lru_entry->lock);
|
||||
lru_entry->data = calloc(1,
|
||||
sizeof(struct subnet_msg_cache_data));
|
||||
if (!lru_entry->data) {
|
||||
log_err("malloc failed");
|
||||
return;
|
||||
}
|
||||
}
|
||||
/* lru_entry->lock is locked regardless of how we got here,
|
||||
* either from the slabhash_lookup, or above in the new allocated */
|
||||
/* Step 2, find the correct tree */
|
||||
if (!(tree = get_tree(lru_entry->data, edns, sne, qstate->env->cfg))) {
|
||||
if (acquired_lock) lock_rw_unlock(&lru_entry->lock);
|
||||
lock_rw_unlock(&lru_entry->lock);
|
||||
log_err("Subnet cache insertion failed");
|
||||
return;
|
||||
}
|
||||
@ -357,7 +372,7 @@ update_cache(struct module_qstate *qstate, int id)
|
||||
rep = reply_info_copy(qstate->return_msg->rep, &sne->alloc, NULL);
|
||||
lock_quick_unlock(&sne->alloc.lock);
|
||||
if (!rep) {
|
||||
if (acquired_lock) lock_rw_unlock(&lru_entry->lock);
|
||||
lock_rw_unlock(&lru_entry->lock);
|
||||
log_err("Subnet cache insertion failed");
|
||||
return;
|
||||
}
|
||||
@ -374,10 +389,9 @@ update_cache(struct module_qstate *qstate, int id)
|
||||
edns->subnet_source_mask,
|
||||
sq->ecs_server_in.subnet_scope_mask, rep,
|
||||
rep->ttl, *qstate->env->now);
|
||||
if (acquired_lock) {
|
||||
lock_rw_unlock(&lru_entry->lock);
|
||||
} else {
|
||||
lock_rw_unlock(&lru_entry->lock);
|
||||
|
||||
lock_rw_unlock(&lru_entry->lock);
|
||||
if (need_to_insert) {
|
||||
slabhash_insert(subnet_msg_cache, h, lru_entry, lru_entry->data,
|
||||
NULL);
|
||||
}
|
||||
@ -487,9 +501,11 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
|
||||
* is still usefull to put it in the edns subnet cache for
|
||||
* when a client explicitly asks for subnet specific answer. */
|
||||
verbose(VERB_QUERY, "subnet: Authority indicates no support");
|
||||
lock_rw_wrlock(&sne->biglock);
|
||||
update_cache(qstate, id);
|
||||
lock_rw_unlock(&sne->biglock);
|
||||
if(!sq->started_no_cache_store) {
|
||||
lock_rw_wrlock(&sne->biglock);
|
||||
update_cache(qstate, id);
|
||||
lock_rw_unlock(&sne->biglock);
|
||||
}
|
||||
if (sq->subnet_downstream)
|
||||
cp_edns_bad_response(c_out, c_in);
|
||||
return module_finished;
|
||||
@ -515,7 +531,9 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
|
||||
}
|
||||
|
||||
lock_rw_wrlock(&sne->biglock);
|
||||
update_cache(qstate, id);
|
||||
if(!sq->started_no_cache_store) {
|
||||
update_cache(qstate, id);
|
||||
}
|
||||
sne->num_msg_nocache++;
|
||||
lock_rw_unlock(&sne->biglock);
|
||||
|
||||
@ -526,6 +544,19 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
|
||||
c_out->subnet_source_mask = c_in->subnet_source_mask;
|
||||
memcpy(&c_out->subnet_addr, &c_in->subnet_addr, INET6_SIZE);
|
||||
c_out->subnet_scope_mask = s_in->subnet_scope_mask;
|
||||
/* Limit scope returned to client to scope used for caching. */
|
||||
if(c_out->subnet_addr_fam == EDNSSUBNET_ADDRFAM_IP4) {
|
||||
if(c_out->subnet_scope_mask >
|
||||
qstate->env->cfg->max_client_subnet_ipv4) {
|
||||
c_out->subnet_scope_mask =
|
||||
qstate->env->cfg->max_client_subnet_ipv4;
|
||||
}
|
||||
}
|
||||
else if(c_out->subnet_scope_mask >
|
||||
qstate->env->cfg->max_client_subnet_ipv6) {
|
||||
c_out->subnet_scope_mask =
|
||||
qstate->env->cfg->max_client_subnet_ipv6;
|
||||
}
|
||||
c_out->subnet_validdata = 1;
|
||||
}
|
||||
return module_finished;
|
||||
@ -697,6 +728,17 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
|
||||
return;
|
||||
}
|
||||
|
||||
/* Limit to minimum allowed source mask */
|
||||
if(sq->ecs_client_in.subnet_source_mask != 0 && (
|
||||
(sq->ecs_client_in.subnet_addr_fam == EDNSSUBNET_ADDRFAM_IP4 &&
|
||||
sq->ecs_client_in.subnet_source_mask < qstate->env->cfg->min_client_subnet_ipv4) ||
|
||||
(sq->ecs_client_in.subnet_addr_fam == EDNSSUBNET_ADDRFAM_IP6 &&
|
||||
sq->ecs_client_in.subnet_source_mask < qstate->env->cfg->min_client_subnet_ipv6))) {
|
||||
qstate->return_rcode = LDNS_RCODE_REFUSED;
|
||||
qstate->ext_state[id] = module_finished;
|
||||
return;
|
||||
}
|
||||
|
||||
lock_rw_wrlock(&sne->biglock);
|
||||
if (lookup_and_reply(qstate, id, sq)) {
|
||||
sne->num_msg_cache++;
|
||||
@ -753,6 +795,7 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
|
||||
ecs_opt_list_append(&sq->ecs_client_out,
|
||||
&qstate->edns_opts_front_out, qstate);
|
||||
}
|
||||
qstate->no_cache_store = sq->started_no_cache_store;
|
||||
return;
|
||||
}
|
||||
if(sq && outbound) {
|
||||
|
@ -83,6 +83,8 @@ struct subnet_qstate {
|
||||
struct ecs_data ecs_server_out;
|
||||
int subnet_downstream;
|
||||
int subnet_sent;
|
||||
/** has the subnet module been started with no_cache_store? */
|
||||
int started_no_cache_store;
|
||||
};
|
||||
|
||||
void subnet_data_delete(void* d, void* ATTR_UNUSED(arg));
|
||||
@ -131,4 +133,7 @@ int ecs_edns_back_parsed(struct module_qstate* qstate, int id, void* cbargs);
|
||||
int ecs_query_response(struct module_qstate* qstate, struct dns_msg* response,
|
||||
int id, void* cbargs);
|
||||
|
||||
/** mark subnet msg to be deleted */
|
||||
void subnet_markdel(void* key);
|
||||
|
||||
#endif /* SUBNETMOD_H */
|
||||
|
@ -1,4 +1,4 @@
|
||||
#!/bin/sh
|
||||
#!/usr/bin/sh
|
||||
# install - install a program, script, or datafile
|
||||
|
||||
scriptversion=2013-12-25.23; # UTC
|
||||
|
@ -239,7 +239,7 @@ read_fwds_addr(struct config_stub* s, struct delegpt* dp)
|
||||
s->name, p->str);
|
||||
return 0;
|
||||
}
|
||||
#ifndef HAVE_SSL_SET1_HOST
|
||||
#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
|
||||
if(tls_auth_name)
|
||||
log_err("no name verification functionality in "
|
||||
"ssl library, ignored name for %s", p->str);
|
||||
|
@ -252,7 +252,7 @@ read_stubs_addr(struct config_stub* s, struct delegpt* dp)
|
||||
s->name, p->str);
|
||||
return 0;
|
||||
}
|
||||
#ifndef HAVE_SSL_SET1_HOST
|
||||
#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
|
||||
if(auth_name)
|
||||
log_err("no name verification functionality in "
|
||||
"ssl library, ignored name for %s", p->str);
|
||||
|
@ -316,6 +316,18 @@ sub_of_pkt(sldns_buffer* pkt, uint8_t* zone, uint8_t* comprname)
|
||||
return dname_subdomain_c(zone, buf);
|
||||
}
|
||||
|
||||
/** Check if there are SOA records in the authority section (negative) */
|
||||
static int
|
||||
soa_in_auth(struct msg_parse* msg)
|
||||
{
|
||||
struct rrset_parse* rrset;
|
||||
for(rrset = msg->rrset_first; rrset; rrset = rrset->rrset_all_next)
|
||||
if(rrset->type == LDNS_RR_TYPE_SOA &&
|
||||
rrset->section == LDNS_SECTION_AUTHORITY)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* This routine normalizes a response. This includes removing "irrelevant"
|
||||
* records from the answer and additional sections and (re)synthesizing
|
||||
@ -497,6 +509,19 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
||||
"RRset:", pkt, msg, prev, &rrset);
|
||||
continue;
|
||||
}
|
||||
/* we don't want NS sets for NXDOMAIN answers,
|
||||
* because they could contain poisonous contents,
|
||||
* from. eg. fragmentation attacks, inserted after
|
||||
* long RRSIGs in the packet get to the packet
|
||||
* border and such */
|
||||
/* also for NODATA answers */
|
||||
if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN ||
|
||||
(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR
|
||||
&& soa_in_auth(msg) && msg->an_rrsets == 0)) {
|
||||
remove_rrset("normalize: removing irrelevant "
|
||||
"RRset:", pkt, msg, prev, &rrset);
|
||||
continue;
|
||||
}
|
||||
if(nsset == NULL) {
|
||||
nsset = rrset;
|
||||
} else {
|
||||
@ -595,18 +620,6 @@ store_rrset(sldns_buffer* pkt, struct msg_parse* msg, struct module_env* env,
|
||||
(void)rrset_cache_update(env->rrset_cache, &ref, env->alloc, now);
|
||||
}
|
||||
|
||||
/** Check if there are SOA records in the authority section (negative) */
|
||||
static int
|
||||
soa_in_auth(struct msg_parse* msg)
|
||||
{
|
||||
struct rrset_parse* rrset;
|
||||
for(rrset = msg->rrset_first; rrset; rrset = rrset->rrset_all_next)
|
||||
if(rrset->type == LDNS_RR_TYPE_SOA &&
|
||||
rrset->section == LDNS_SECTION_AUTHORITY)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if right hand name in NSEC is within zone
|
||||
* @param rrset: the NSEC rrset
|
||||
|
@ -282,10 +282,13 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
|
||||
static int
|
||||
iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
|
||||
uint8_t* name, size_t namelen, uint16_t qtype, time_t now,
|
||||
struct delegpt* dp, int* best_rtt, struct sock_list* blacklist)
|
||||
struct delegpt* dp, int* best_rtt, struct sock_list* blacklist,
|
||||
size_t* num_suitable_results)
|
||||
{
|
||||
int got_it = 0;
|
||||
struct delegpt_addr* a;
|
||||
*num_suitable_results = 0;
|
||||
|
||||
if(dp->bogus)
|
||||
return 0; /* NS bogus, all bogus, nothing found */
|
||||
for(a=dp->result_list; a; a = a->next_result) {
|
||||
@ -301,11 +304,58 @@ iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
|
||||
} else if(a->sel_rtt < *best_rtt) {
|
||||
*best_rtt = a->sel_rtt;
|
||||
}
|
||||
(*num_suitable_results)++;
|
||||
}
|
||||
}
|
||||
return got_it;
|
||||
}
|
||||
|
||||
/** compare two rtts, return -1, 0 or 1 */
|
||||
static int
|
||||
rtt_compare(const void* x, const void* y)
|
||||
{
|
||||
if(*(int*)x == *(int*)y)
|
||||
return 0;
|
||||
if(*(int*)x > *(int*)y)
|
||||
return 1;
|
||||
return -1;
|
||||
}
|
||||
|
||||
/** get RTT for the Nth fastest server */
|
||||
static int
|
||||
nth_rtt(struct delegpt_addr* result_list, size_t num_results, size_t n)
|
||||
{
|
||||
int rtt_band;
|
||||
size_t i;
|
||||
int* rtt_list, *rtt_index;
|
||||
|
||||
if(num_results < 1 || n >= num_results) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
rtt_list = calloc(num_results, sizeof(int));
|
||||
if(!rtt_list) {
|
||||
log_err("malloc failure: allocating rtt_list");
|
||||
return -1;
|
||||
}
|
||||
rtt_index = rtt_list;
|
||||
|
||||
for(i=0; i<num_results && result_list; i++) {
|
||||
if(result_list->sel_rtt != -1) {
|
||||
*rtt_index = result_list->sel_rtt;
|
||||
rtt_index++;
|
||||
}
|
||||
result_list=result_list->next_result;
|
||||
}
|
||||
qsort(rtt_list, num_results, sizeof(*rtt_list), rtt_compare);
|
||||
|
||||
log_assert(n > 0);
|
||||
rtt_band = rtt_list[n-1];
|
||||
free(rtt_list);
|
||||
|
||||
return rtt_band;
|
||||
}
|
||||
|
||||
/** filter the address list, putting best targets at front,
|
||||
* returns number of best targets (or 0, no suitable targets) */
|
||||
static int
|
||||
@ -314,12 +364,13 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
|
||||
struct delegpt* dp, int* selected_rtt, int open_target,
|
||||
struct sock_list* blacklist, time_t prefetch)
|
||||
{
|
||||
int got_num = 0, low_rtt = 0, swap_to_front, rtt_band = RTT_BAND;
|
||||
int got_num = 0, low_rtt = 0, swap_to_front, rtt_band = RTT_BAND, nth;
|
||||
size_t num_results;
|
||||
struct delegpt_addr* a, *n, *prev=NULL;
|
||||
|
||||
/* fillup sel_rtt and find best rtt in the bunch */
|
||||
got_num = iter_fill_rtt(iter_env, env, name, namelen, qtype, now, dp,
|
||||
&low_rtt, blacklist);
|
||||
&low_rtt, blacklist, &num_results);
|
||||
if(got_num == 0)
|
||||
return 0;
|
||||
if(low_rtt >= USEFUL_SERVER_TOP_TIMEOUT &&
|
||||
@ -329,14 +380,19 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
|
||||
return 0 to force the caller to fetch more */
|
||||
}
|
||||
|
||||
if(env->cfg->low_rtt_permil != 0 && prefetch == 0 &&
|
||||
low_rtt < env->cfg->low_rtt &&
|
||||
ub_random_max(env->rnd, 1000) < env->cfg->low_rtt_permil) {
|
||||
if(env->cfg->fast_server_permil != 0 && prefetch == 0 &&
|
||||
num_results > env->cfg->fast_server_num &&
|
||||
ub_random_max(env->rnd, 1000) < env->cfg->fast_server_permil) {
|
||||
/* the query is not prefetch, but for a downstream client,
|
||||
* there is a low_rtt (fast) server. We choose that x% of the
|
||||
* time */
|
||||
/* pick rtt numbers from 0..LOWBAND_RTT */
|
||||
rtt_band = env->cfg->low_rtt - low_rtt;
|
||||
* there are more servers available then the fastest N we want
|
||||
* to choose from. Limit our choice to the fastest servers. */
|
||||
nth = nth_rtt(dp->result_list, num_results,
|
||||
env->cfg->fast_server_num);
|
||||
if(nth > 0) {
|
||||
rtt_band = nth - low_rtt;
|
||||
if(rtt_band > RTT_BAND)
|
||||
rtt_band = RTT_BAND;
|
||||
}
|
||||
}
|
||||
|
||||
got_num = 0;
|
||||
@ -826,10 +882,35 @@ rrset_equal(struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2)
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** compare rrsets and sort canonically. Compares rrset name, type, class.
|
||||
* return 0 if equal, +1 if x > y, and -1 if x < y.
|
||||
*/
|
||||
static int
|
||||
rrset_canonical_sort_cmp(const void* x, const void* y)
|
||||
{
|
||||
struct ub_packed_rrset_key* rrx = *(struct ub_packed_rrset_key**)x;
|
||||
struct ub_packed_rrset_key* rry = *(struct ub_packed_rrset_key**)y;
|
||||
int r = dname_canonical_compare(rrx->rk.dname, rry->rk.dname);
|
||||
if(r != 0)
|
||||
return r;
|
||||
if(rrx->rk.type != rry->rk.type) {
|
||||
if(ntohs(rrx->rk.type) > ntohs(rry->rk.type))
|
||||
return 1;
|
||||
else return -1;
|
||||
}
|
||||
if(rrx->rk.rrset_class != rry->rk.rrset_class) {
|
||||
if(ntohs(rrx->rk.rrset_class) > ntohs(rry->rk.rrset_class))
|
||||
return 1;
|
||||
else return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region)
|
||||
{
|
||||
size_t i;
|
||||
struct ub_packed_rrset_key** sorted_p, **sorted_q;
|
||||
if(p->flags != q->flags ||
|
||||
p->qdcount != q->qdcount ||
|
||||
/* do not check TTL, this may differ */
|
||||
@ -843,16 +924,43 @@ reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region)
|
||||
p->ar_numrrsets != q->ar_numrrsets ||
|
||||
p->rrset_count != q->rrset_count)
|
||||
return 0;
|
||||
/* sort the rrsets in the authority and additional sections before
|
||||
* compare, the query and answer sections are ordered in the sequence
|
||||
* they should have (eg. one after the other for aliases). */
|
||||
sorted_p = (struct ub_packed_rrset_key**)regional_alloc_init(
|
||||
region, p->rrsets, sizeof(*sorted_p)*p->rrset_count);
|
||||
if(!sorted_p) return 0;
|
||||
log_assert(p->an_numrrsets + p->ns_numrrsets + p->ar_numrrsets <=
|
||||
p->rrset_count);
|
||||
qsort(sorted_p + p->an_numrrsets, p->ns_numrrsets,
|
||||
sizeof(*sorted_p), rrset_canonical_sort_cmp);
|
||||
qsort(sorted_p + p->an_numrrsets + p->ns_numrrsets, p->ar_numrrsets,
|
||||
sizeof(*sorted_p), rrset_canonical_sort_cmp);
|
||||
|
||||
sorted_q = (struct ub_packed_rrset_key**)regional_alloc_init(
|
||||
region, q->rrsets, sizeof(*sorted_q)*q->rrset_count);
|
||||
if(!sorted_q) {
|
||||
regional_free_all(region);
|
||||
return 0;
|
||||
}
|
||||
log_assert(q->an_numrrsets + q->ns_numrrsets + q->ar_numrrsets <=
|
||||
q->rrset_count);
|
||||
qsort(sorted_q + q->an_numrrsets, q->ns_numrrsets,
|
||||
sizeof(*sorted_q), rrset_canonical_sort_cmp);
|
||||
qsort(sorted_q + q->an_numrrsets + q->ns_numrrsets, q->ar_numrrsets,
|
||||
sizeof(*sorted_q), rrset_canonical_sort_cmp);
|
||||
|
||||
/* compare the rrsets */
|
||||
for(i=0; i<p->rrset_count; i++) {
|
||||
if(!rrset_equal(p->rrsets[i], q->rrsets[i])) {
|
||||
if(!rrset_canonical_equal(region, p->rrsets[i],
|
||||
q->rrsets[i])) {
|
||||
if(!rrset_equal(sorted_p[i], sorted_q[i])) {
|
||||
if(!rrset_canonical_equal(region, sorted_p[i],
|
||||
sorted_q[i])) {
|
||||
regional_free_all(region);
|
||||
return 0;
|
||||
}
|
||||
regional_free_all(region);
|
||||
}
|
||||
}
|
||||
regional_free_all(region);
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -1103,6 +1211,19 @@ iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z)
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
iter_scrub_nxdomain(struct dns_msg* msg)
|
||||
{
|
||||
if(msg->rep->an_numrrsets == 0)
|
||||
return;
|
||||
|
||||
memmove(msg->rep->rrsets, msg->rep->rrsets+msg->rep->an_numrrsets,
|
||||
sizeof(struct ub_packed_rrset_key*) *
|
||||
(msg->rep->rrset_count-msg->rep->an_numrrsets));
|
||||
msg->rep->rrset_count -= msg->rep->an_numrrsets;
|
||||
msg->rep->an_numrrsets = 0;
|
||||
}
|
||||
|
||||
void iter_dec_attempts(struct delegpt* dp, int d)
|
||||
{
|
||||
struct delegpt_addr* a;
|
||||
@ -1210,3 +1331,50 @@ int iter_dp_cangodown(struct query_info* qinfo, struct delegpt* dp)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int
|
||||
iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf)
|
||||
{
|
||||
struct iter_hints_stub *stub;
|
||||
struct delegpt *dp;
|
||||
|
||||
/* Check for stub. */
|
||||
stub = hints_lookup_stub(qstate->env->hints, qinf->qname,
|
||||
qinf->qclass, NULL);
|
||||
dp = forwards_lookup(qstate->env->fwds, qinf->qname, qinf->qclass);
|
||||
|
||||
/* see if forward or stub is more pertinent */
|
||||
if(stub && stub->dp && dp) {
|
||||
if(dname_strict_subdomain(dp->name, dp->namelabs,
|
||||
stub->dp->name, stub->dp->namelabs)) {
|
||||
stub = NULL; /* ignore stub, forward is lower */
|
||||
} else {
|
||||
dp = NULL; /* ignore forward, stub is lower */
|
||||
}
|
||||
}
|
||||
|
||||
/* check stub */
|
||||
if (stub != NULL && stub->dp != NULL) {
|
||||
if(stub->dp->no_cache) {
|
||||
char qname[255+1];
|
||||
char dpname[255+1];
|
||||
dname_str(qinf->qname, qname);
|
||||
dname_str(stub->dp->name, dpname);
|
||||
verbose(VERB_ALGO, "stub for %s %s has no_cache", qname, dpname);
|
||||
}
|
||||
return (stub->dp->no_cache);
|
||||
}
|
||||
|
||||
/* Check for forward. */
|
||||
if (dp) {
|
||||
if(dp->no_cache) {
|
||||
char qname[255+1];
|
||||
char dpname[255+1];
|
||||
dname_str(qinf->qname, qname);
|
||||
dname_str(dp->name, dpname);
|
||||
verbose(VERB_ALGO, "forward for %s %s has no_cache", qname, dpname);
|
||||
}
|
||||
return (dp->no_cache);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -334,6 +334,13 @@ int iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
|
||||
void iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns,
|
||||
uint8_t* z);
|
||||
|
||||
/**
|
||||
* Prepare an NXDOMAIN message to be used for a subdomain answer by removing all
|
||||
* RRs from the ANSWER section.
|
||||
* @param msg: the response to scrub.
|
||||
*/
|
||||
void iter_scrub_nxdomain(struct dns_msg* msg);
|
||||
|
||||
/**
|
||||
* Remove query attempts from all available ips. For 0x20.
|
||||
* @param dp: delegpt.
|
||||
@ -369,4 +376,13 @@ int iter_ds_toolow(struct dns_msg* msg, struct delegpt* dp);
|
||||
*/
|
||||
int iter_dp_cangodown(struct query_info* qinfo, struct delegpt* dp);
|
||||
|
||||
/**
|
||||
* Lookup if no_cache is set in stub or fwd.
|
||||
* @param qstate: query state with env with hints and fwds.
|
||||
* @param qinf: query name to lookup for.
|
||||
* @return true if no_cache is set in stub or fwd.
|
||||
*/
|
||||
int iter_stub_fwd_no_cache(struct module_qstate *qstate,
|
||||
struct query_info *qinf);
|
||||
|
||||
#endif /* ITERATOR_ITER_UTILS_H */
|
||||
|
@ -69,6 +69,9 @@
|
||||
#include "sldns/parseutil.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
|
||||
/* in msec */
|
||||
int UNKNOWN_SERVER_NICENESS = 376;
|
||||
|
||||
int
|
||||
iter_init(struct module_env* env, int id)
|
||||
{
|
||||
@ -324,6 +327,29 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
|
||||
/* serving expired contents, but nothing is cached
|
||||
* at all, so the servfail cache entry is useful
|
||||
* (stops waste of time on this servfail NORR_TTL) */
|
||||
} else {
|
||||
/* don't overwrite existing (non-expired) data in
|
||||
* cache with a servfail */
|
||||
struct msgreply_entry* msg;
|
||||
if((msg=msg_cache_lookup(qstate->env,
|
||||
qstate->qinfo.qname, qstate->qinfo.qname_len,
|
||||
qstate->qinfo.qtype, qstate->qinfo.qclass,
|
||||
qstate->query_flags, *qstate->env->now, 0))
|
||||
!= NULL) {
|
||||
struct reply_info* rep = (struct reply_info*)
|
||||
msg->entry.data;
|
||||
if(FLAGS_GET_RCODE(rep->flags) ==
|
||||
LDNS_RCODE_NOERROR ||
|
||||
FLAGS_GET_RCODE(rep->flags) ==
|
||||
LDNS_RCODE_NXDOMAIN) {
|
||||
/* we have a good entry,
|
||||
* don't overwrite */
|
||||
lock_rw_unlock(&msg->entry.lock);
|
||||
return error_response(qstate, id, rcode);
|
||||
}
|
||||
lock_rw_unlock(&msg->entry.lock);
|
||||
}
|
||||
|
||||
}
|
||||
memset(&err, 0, sizeof(err));
|
||||
err.flags = (uint16_t)(BIT_QR | BIT_RA);
|
||||
@ -1144,53 +1170,6 @@ forward_request(struct module_qstate* qstate, struct iter_qstate* iq)
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int
|
||||
iter_stub_fwd_no_cache(struct module_qstate *qstate, struct iter_qstate *iq)
|
||||
{
|
||||
struct iter_hints_stub *stub;
|
||||
struct delegpt *dp;
|
||||
|
||||
/* Check for stub. */
|
||||
stub = hints_lookup_stub(qstate->env->hints, iq->qchase.qname,
|
||||
iq->qchase.qclass, iq->dp);
|
||||
dp = forwards_lookup(qstate->env->fwds, iq->qchase.qname, iq->qchase.qclass);
|
||||
|
||||
/* see if forward or stub is more pertinent */
|
||||
if(stub && stub->dp && dp) {
|
||||
if(dname_strict_subdomain(dp->name, dp->namelabs,
|
||||
stub->dp->name, stub->dp->namelabs)) {
|
||||
stub = NULL; /* ignore stub, forward is lower */
|
||||
} else {
|
||||
dp = NULL; /* ignore forward, stub is lower */
|
||||
}
|
||||
}
|
||||
|
||||
/* check stub */
|
||||
if (stub != NULL && stub->dp != NULL) {
|
||||
if(stub->dp->no_cache) {
|
||||
char qname[255+1];
|
||||
char dpname[255+1];
|
||||
dname_str(iq->qchase.qname, qname);
|
||||
dname_str(stub->dp->name, dpname);
|
||||
verbose(VERB_ALGO, "stub for %s %s has no_cache", qname, dpname);
|
||||
}
|
||||
return (stub->dp->no_cache);
|
||||
}
|
||||
|
||||
/* Check for forward. */
|
||||
if (dp) {
|
||||
if(dp->no_cache) {
|
||||
char qname[255+1];
|
||||
char dpname[255+1];
|
||||
dname_str(iq->qchase.qname, qname);
|
||||
dname_str(dp->name, dpname);
|
||||
verbose(VERB_ALGO, "forward for %s %s has no_cache", qname, dpname);
|
||||
}
|
||||
return (dp->no_cache);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Process the initial part of the request handling. This state roughly
|
||||
* corresponds to resolver algorithms steps 1 (find answer in cache) and 2
|
||||
@ -1268,7 +1247,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
/* This either results in a query restart (CNAME cache response), a
|
||||
* terminating response (ANSWER), or a cache miss (null). */
|
||||
|
||||
if (iter_stub_fwd_no_cache(qstate, iq)) {
|
||||
if (iter_stub_fwd_no_cache(qstate, &iq->qchase)) {
|
||||
/* Asked to not query cache. */
|
||||
verbose(VERB_ALGO, "no-cache set, going to the network");
|
||||
qstate->no_cache_lookup = 1;
|
||||
@ -1469,7 +1448,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
* now will also exceed the rate, keeping cache fresh */
|
||||
(void)infra_ratelimit_inc(qstate->env->infra_cache,
|
||||
iq->dp->name, iq->dp->namelen,
|
||||
*qstate->env->now);
|
||||
*qstate->env->now, &qstate->qinfo,
|
||||
qstate->reply);
|
||||
/* see if we are passed through with slip factor */
|
||||
if(qstate->env->cfg->ratelimit_factor != 0 &&
|
||||
ub_random_max(qstate->env->rnd,
|
||||
@ -1903,7 +1883,6 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
struct delegpt* p = hints_lookup_root(qstate->env->hints,
|
||||
iq->qchase.qclass);
|
||||
if(p) {
|
||||
struct delegpt_ns* ns;
|
||||
struct delegpt_addr* a;
|
||||
iq->chase_flags &= ~BIT_RD; /* go to authorities */
|
||||
for(ns = p->nslist; ns; ns=ns->next) {
|
||||
@ -2127,6 +2106,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
struct delegpt_addr* target;
|
||||
struct outbound_entry* outq;
|
||||
int auth_fallback = 0;
|
||||
uint8_t* qout_orig = NULL;
|
||||
size_t qout_orig_len = 0;
|
||||
|
||||
/* NOTE: a request will encounter this state for each target it
|
||||
* needs to send a query to. That is, at least one per referral,
|
||||
@ -2200,6 +2181,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
int labdiff = qchaselabs -
|
||||
dname_count_labels(iq->qinfo_out.qname);
|
||||
|
||||
qout_orig = iq->qinfo_out.qname;
|
||||
qout_orig_len = iq->qinfo_out.qname_len;
|
||||
iq->qinfo_out.qname = iq->qchase.qname;
|
||||
iq->qinfo_out.qname_len = iq->qchase.qname_len;
|
||||
iq->minimise_count++;
|
||||
@ -2320,7 +2303,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
errinf(qstate, "auth zone lookup failed, fallback is off");
|
||||
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
||||
}
|
||||
if(iq->dp && iq->dp->auth_dp) {
|
||||
if(iq->dp->auth_dp) {
|
||||
/* we wanted to fallback, but had no delegpt, only the
|
||||
* auth zone generated delegpt, create an actual one */
|
||||
iq->auth_zone_avoid = 1;
|
||||
@ -2352,6 +2335,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
/* wait to get all targets, we want to try em */
|
||||
verbose(VERB_ALGO, "wait for all targets for fallback");
|
||||
qstate->ext_state[id] = module_wait_reply;
|
||||
/* undo qname minimise step because we'll get back here
|
||||
* to do it again */
|
||||
if(qout_orig && iq->minimise_count > 0) {
|
||||
iq->minimise_count--;
|
||||
iq->qinfo_out.qname = qout_orig;
|
||||
iq->qinfo_out.qname_len = qout_orig_len;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
/* did we do enough fallback queries already? */
|
||||
@ -2485,13 +2475,21 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
iq->num_current_queries);
|
||||
qstate->ext_state[id] = module_wait_reply;
|
||||
}
|
||||
/* undo qname minimise step because we'll get back here
|
||||
* to do it again */
|
||||
if(qout_orig && iq->minimise_count > 0) {
|
||||
iq->minimise_count--;
|
||||
iq->qinfo_out.qname = qout_orig;
|
||||
iq->qinfo_out.qname_len = qout_orig_len;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* if not forwarding, check ratelimits per delegationpoint name */
|
||||
if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) {
|
||||
if(!infra_ratelimit_inc(qstate->env->infra_cache, iq->dp->name,
|
||||
iq->dp->namelen, *qstate->env->now)) {
|
||||
iq->dp->namelen, *qstate->env->now, &qstate->qinfo,
|
||||
qstate->reply)) {
|
||||
lock_basic_lock(&ie->queries_ratelimit_lock);
|
||||
ie->num_queries_ratelimited++;
|
||||
lock_basic_unlock(&ie->queries_ratelimit_lock);
|
||||
@ -2720,8 +2718,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
&& !(iq->chase_flags & BIT_RD)) {
|
||||
if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
|
||||
LDNS_RCODE_NOERROR) {
|
||||
if(qstate->env->cfg->qname_minimisation_strict)
|
||||
return final_state(iq);
|
||||
if(qstate->env->cfg->qname_minimisation_strict) {
|
||||
if(FLAGS_GET_RCODE(iq->response->rep->flags) ==
|
||||
LDNS_RCODE_NXDOMAIN) {
|
||||
iter_scrub_nxdomain(iq->response);
|
||||
return final_state(iq);
|
||||
}
|
||||
return error_response(qstate, id,
|
||||
LDNS_RCODE_SERVFAIL);
|
||||
}
|
||||
/* Best effort qname-minimisation.
|
||||
* Stop minimising and send full query when
|
||||
* RCODE is not NOERROR. */
|
||||
@ -3592,7 +3597,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
if(event == module_event_noreply || event == module_event_error) {
|
||||
if(event == module_event_noreply && iq->sent_count >= 3 &&
|
||||
qstate->env->cfg->use_caps_bits_for_id &&
|
||||
!iq->caps_fallback) {
|
||||
!iq->caps_fallback && !is_caps_whitelisted(ie, iq)) {
|
||||
/* start fallback */
|
||||
iq->caps_fallback = 1;
|
||||
iq->caps_server = 0;
|
||||
|
@ -83,7 +83,7 @@ struct rbtree_type;
|
||||
/** how nice is a server without further information, in msec
|
||||
* Equals rtt initial timeout value.
|
||||
*/
|
||||
#define UNKNOWN_SERVER_NICENESS 376
|
||||
extern int UNKNOWN_SERVER_NICENESS;
|
||||
/** maximum timeout before a host is deemed unsuitable, in msec.
|
||||
* After host_ttl this will be timed out and the host will be tried again.
|
||||
* Equals RTT_MAX_TIMEOUT
|
||||
|
@ -724,7 +724,7 @@ ub_resolve_event(struct ub_ctx* ctx, const char* name, int rrtype,
|
||||
*async_id = 0;
|
||||
lock_basic_lock(&ctx->cfglock);
|
||||
if(!ctx->finalized) {
|
||||
int r = context_finalize(ctx);
|
||||
r = context_finalize(ctx);
|
||||
if(r) {
|
||||
lock_basic_unlock(&ctx->cfglock);
|
||||
return r;
|
||||
@ -966,6 +966,19 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
|
||||
return UB_NOERROR;
|
||||
}
|
||||
|
||||
int ub_ctx_set_tls(struct ub_ctx* ctx, int tls)
|
||||
{
|
||||
lock_basic_lock(&ctx->cfglock);
|
||||
if(ctx->finalized) {
|
||||
lock_basic_unlock(&ctx->cfglock);
|
||||
errno=EINVAL;
|
||||
return UB_AFTERFINAL;
|
||||
}
|
||||
ctx->env->cfg->ssl_upstream = tls;
|
||||
lock_basic_unlock(&ctx->cfglock);
|
||||
return UB_NOERROR;
|
||||
}
|
||||
|
||||
int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr,
|
||||
int isprime)
|
||||
{
|
||||
|
@ -222,11 +222,10 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
|
||||
}
|
||||
numports = cfg_condense_ports(cfg, &ports);
|
||||
if(numports == 0) {
|
||||
int locked = !w->is_bg || w->is_bg_thread;
|
||||
libworker_delete(w);
|
||||
if(locked) {
|
||||
if(!w->is_bg || w->is_bg_thread) {
|
||||
lock_basic_unlock(&ctx->cfglock);
|
||||
}
|
||||
libworker_delete(w);
|
||||
return NULL;
|
||||
}
|
||||
w->back = outside_network_create(w->base, cfg->msg_buffer_size,
|
||||
@ -657,8 +656,8 @@ libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
|
||||
sec = 1;
|
||||
else if(s == sec_status_secure)
|
||||
sec = 2;
|
||||
(*cb)(cb_arg, rcode, (void*)sldns_buffer_begin(buf),
|
||||
(int)sldns_buffer_limit(buf), sec, why_bogus, was_ratelimited);
|
||||
(*cb)(cb_arg, rcode, (buf?(void*)sldns_buffer_begin(buf):NULL),
|
||||
(buf?(int)sldns_buffer_limit(buf):0), sec, why_bogus, was_ratelimited);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -20,6 +20,7 @@ ub_ctx_set_event
|
||||
ub_ctx_set_fwd
|
||||
ub_ctx_set_option
|
||||
ub_ctx_set_stub
|
||||
ub_ctx_set_tls
|
||||
ub_ctx_trustedkeys
|
||||
ub_ctx_zone_add
|
||||
ub_ctx_zone_remove
|
||||
|
@ -309,6 +309,17 @@ int ub_ctx_config(struct ub_ctx* ctx, const char* fname);
|
||||
*/
|
||||
int ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr);
|
||||
|
||||
/**
|
||||
* Use DNS over TLS to send queries to machines set with ub_ctx_set_fwd().
|
||||
*
|
||||
* @param ctx: context.
|
||||
* At this time it is only possible to set configuration before the
|
||||
* first resolve is done.
|
||||
* @param tls: enable or disable DNS over TLS
|
||||
* @return 0 if OK, else error.
|
||||
*/
|
||||
int ub_ctx_set_tls(struct ub_ctx* ctx, int tls);
|
||||
|
||||
/**
|
||||
* Add a stub zone, with given address to send to. This is for custom
|
||||
* root hints or pointing to a local authoritative dns server.
|
||||
@ -770,6 +781,10 @@ struct ub_server_stats {
|
||||
/** number of queries answered from edns-subnet specific data, and
|
||||
* the answer was from the edns-subnet cache. */
|
||||
long long num_query_subnet_cache;
|
||||
/** number of bytes in the stream wait buffers */
|
||||
long long mem_stream_wait;
|
||||
/** number of TLS connection resume */
|
||||
long long qtls_resume;
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -2124,7 +2124,7 @@ fi
|
||||
# a configuration failure hint, and exit.
|
||||
func_fatal_configuration ()
|
||||
{
|
||||
func__fatal_error ${1+"$@"} \
|
||||
func_fatal_error ${1+"$@"} \
|
||||
"See the $PACKAGE documentation for more information." \
|
||||
"Fatal configuration error."
|
||||
}
|
||||
@ -7272,10 +7272,12 @@ func_mode_link ()
|
||||
# -tp=* Portland pgcc target processor selection
|
||||
# --sysroot=* for sysroot support
|
||||
# -O*, -g*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization
|
||||
# -specs=* GCC specs files
|
||||
# -stdlib=* select c++ std lib with clang
|
||||
-64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
|
||||
-t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \
|
||||
-O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*)
|
||||
-O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*| \
|
||||
-specs=*)
|
||||
func_quote_for_eval "$arg"
|
||||
arg=$func_quote_for_eval_result
|
||||
func_append compile_command " $arg"
|
||||
|
@ -183,6 +183,8 @@ respip_action_cfg(struct respip_set* set, const char* ipstr,
|
||||
action = respip_inform;
|
||||
else if(strcmp(actnstr, "inform_deny") == 0)
|
||||
action = respip_inform_deny;
|
||||
else if(strcmp(actnstr, "inform_redirect") == 0)
|
||||
action = respip_inform_redirect;
|
||||
else if(strcmp(actnstr, "always_transparent") == 0)
|
||||
action = respip_always_transparent;
|
||||
else if(strcmp(actnstr, "always_refuse") == 0)
|
||||
@ -245,7 +247,8 @@ respip_enter_rr(struct regional* region, struct resp_addr* raddr,
|
||||
struct packed_rrset_data* pd;
|
||||
struct sockaddr* sa;
|
||||
int ret;
|
||||
if(raddr->action != respip_redirect) {
|
||||
if(raddr->action != respip_redirect
|
||||
&& raddr->action != respip_inform_redirect) {
|
||||
log_err("cannot parse response-ip-data %s: response-ip "
|
||||
"action for %s is not redirect", rrstr, netblock);
|
||||
return 0;
|
||||
@ -750,7 +753,8 @@ respip_nodata_answer(uint16_t qtype, enum respip_action action,
|
||||
*new_repp = new_rep;
|
||||
return 1;
|
||||
} else if(action == respip_static || action == respip_redirect ||
|
||||
action == respip_always_nxdomain) {
|
||||
action == respip_always_nxdomain ||
|
||||
action == respip_inform_redirect) {
|
||||
/* Since we don't know about other types of the owner name,
|
||||
* we generally return NOERROR/NODATA unless an NXDOMAIN action
|
||||
* is explicitly specified. */
|
||||
|
@ -88,6 +88,9 @@
|
||||
#define AUTH_HTTPS_PORT 443
|
||||
/* max depth for nested $INCLUDEs */
|
||||
#define MAX_INCLUDE_DEPTH 10
|
||||
/** number of timeouts before we fallback from IXFR to AXFR,
|
||||
* because some versions of servers (eg. dnsmasq) drop IXFR packets. */
|
||||
#define NUM_TIMEOUTS_FALLBACK_IXFR 3
|
||||
|
||||
/** pick up nextprobe task to start waiting to perform transfer actions */
|
||||
static void xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env,
|
||||
@ -1450,11 +1453,13 @@ az_remove_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen,
|
||||
* The lineno is set at 1 and then increased by the function.
|
||||
* @param fname: file name.
|
||||
* @param depth: recursion depth for includes
|
||||
* @param cfg: config for chroot.
|
||||
* returns false on failure, has printed an error message
|
||||
*/
|
||||
static int
|
||||
az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen,
|
||||
struct sldns_file_parse_state* state, char* fname, int depth)
|
||||
struct sldns_file_parse_state* state, char* fname, int depth,
|
||||
struct config_file* cfg)
|
||||
{
|
||||
size_t rr_len, dname_len;
|
||||
int status;
|
||||
@ -1480,6 +1485,11 @@ az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen,
|
||||
/* skip spaces */
|
||||
while(*incfile == ' ' || *incfile == '\t')
|
||||
incfile++;
|
||||
/* adjust for chroot on include file */
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] &&
|
||||
strncmp(incfile, cfg->chrootdir,
|
||||
strlen(cfg->chrootdir)) == 0)
|
||||
incfile += strlen(cfg->chrootdir);
|
||||
incfile = strdup(incfile);
|
||||
if(!incfile) {
|
||||
log_err("malloc failure");
|
||||
@ -1490,7 +1500,7 @@ az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen,
|
||||
inc = fopen(incfile, "r");
|
||||
if(!inc) {
|
||||
log_err("%s:%d cannot open include "
|
||||
"file %s: %s", z->zonefile,
|
||||
"file %s: %s", fname,
|
||||
lineno_orig, incfile,
|
||||
strerror(errno));
|
||||
free(incfile);
|
||||
@ -1498,7 +1508,7 @@ az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen,
|
||||
}
|
||||
/* recurse read that file now */
|
||||
if(!az_parse_file(z, inc, rr, rrbuflen,
|
||||
state, incfile, depth+1)) {
|
||||
state, incfile, depth+1, cfg)) {
|
||||
log_err("%s:%d cannot parse include "
|
||||
"file %s", fname,
|
||||
lineno_orig, incfile);
|
||||
@ -1538,30 +1548,36 @@ az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen,
|
||||
}
|
||||
|
||||
int
|
||||
auth_zone_read_zonefile(struct auth_zone* z)
|
||||
auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg)
|
||||
{
|
||||
uint8_t rr[LDNS_RR_BUF_SIZE];
|
||||
struct sldns_file_parse_state state;
|
||||
char* zfilename;
|
||||
FILE* in;
|
||||
if(!z || !z->zonefile || z->zonefile[0]==0)
|
||||
return 1; /* no file, or "", nothing to read */
|
||||
|
||||
zfilename = z->zonefile;
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename,
|
||||
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
|
||||
zfilename += strlen(cfg->chrootdir);
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char nm[255+1];
|
||||
dname_str(z->name, nm);
|
||||
verbose(VERB_ALGO, "read zonefile %s for %s", z->zonefile, nm);
|
||||
verbose(VERB_ALGO, "read zonefile %s for %s", zfilename, nm);
|
||||
}
|
||||
in = fopen(z->zonefile, "r");
|
||||
in = fopen(zfilename, "r");
|
||||
if(!in) {
|
||||
char* n = sldns_wire2str_dname(z->name, z->namelen);
|
||||
if(z->zone_is_slave && errno == ENOENT) {
|
||||
/* we fetch the zone contents later, no file yet */
|
||||
verbose(VERB_ALGO, "no zonefile %s for %s",
|
||||
z->zonefile, n?n:"error");
|
||||
zfilename, n?n:"error");
|
||||
free(n);
|
||||
return 1;
|
||||
}
|
||||
log_err("cannot open zonefile %s for %s: %s",
|
||||
z->zonefile, n?n:"error", strerror(errno));
|
||||
zfilename, n?n:"error", strerror(errno));
|
||||
free(n);
|
||||
return 0;
|
||||
}
|
||||
@ -1579,10 +1595,10 @@ auth_zone_read_zonefile(struct auth_zone* z)
|
||||
state.origin_len = z->namelen;
|
||||
}
|
||||
/* parse the (toplevel) file */
|
||||
if(!az_parse_file(z, in, rr, sizeof(rr), &state, z->zonefile, 0)) {
|
||||
if(!az_parse_file(z, in, rr, sizeof(rr), &state, zfilename, 0, cfg)) {
|
||||
char* n = sldns_wire2str_dname(z->name, z->namelen);
|
||||
log_err("error parsing zonefile %s for %s",
|
||||
z->zonefile, n?n:"error");
|
||||
zfilename, n?n:"error");
|
||||
free(n);
|
||||
fclose(in);
|
||||
return 0;
|
||||
@ -1710,13 +1726,13 @@ int auth_zone_write_file(struct auth_zone* z, const char* fname)
|
||||
|
||||
/** read all auth zones from file (if they have) */
|
||||
static int
|
||||
auth_zones_read_zones(struct auth_zones* az)
|
||||
auth_zones_read_zones(struct auth_zones* az, struct config_file* cfg)
|
||||
{
|
||||
struct auth_zone* z;
|
||||
lock_rw_wrlock(&az->lock);
|
||||
RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
|
||||
lock_rw_wrlock(&z->lock);
|
||||
if(!auth_zone_read_zonefile(z)) {
|
||||
if(!auth_zone_read_zonefile(z, cfg)) {
|
||||
lock_rw_unlock(&z->lock);
|
||||
lock_rw_unlock(&az->lock);
|
||||
return 0;
|
||||
@ -1953,7 +1969,7 @@ int auth_zones_apply_cfg(struct auth_zones* az, struct config_file* cfg,
|
||||
}
|
||||
}
|
||||
az_delete_deleted_zones(az);
|
||||
if(!auth_zones_read_zones(az))
|
||||
if(!auth_zones_read_zones(az, cfg))
|
||||
return 0;
|
||||
if(setup) {
|
||||
if(!auth_zones_setup_zones(az))
|
||||
@ -2026,11 +2042,13 @@ auth_xfer_delete(struct auth_xfer* xfr)
|
||||
if(xfr->task_probe) {
|
||||
auth_free_masters(xfr->task_probe->masters);
|
||||
comm_point_delete(xfr->task_probe->cp);
|
||||
comm_timer_delete(xfr->task_probe->timer);
|
||||
free(xfr->task_probe);
|
||||
}
|
||||
if(xfr->task_transfer) {
|
||||
auth_free_masters(xfr->task_transfer->masters);
|
||||
comm_point_delete(xfr->task_transfer->cp);
|
||||
comm_timer_delete(xfr->task_transfer->timer);
|
||||
if(xfr->task_transfer->chunks_first) {
|
||||
auth_chunks_delete(xfr->task_transfer);
|
||||
}
|
||||
@ -2730,13 +2748,16 @@ az_nsec3_insert(struct auth_zone* z, struct regional* region,
|
||||
* that is an exact match that should exist for it.
|
||||
* If that does not exist, a higher exact match + nxproof is enabled
|
||||
* (for some sort of opt-out empty nonterminal cases).
|
||||
* nodataproof: search for exact match and include that instead.
|
||||
* ceproof: include ce proof NSEC3 (omitted for wildcard replies).
|
||||
* nxproof: include denial of the qname.
|
||||
* wcproof: include denial of wildcard (wildcard.ce).
|
||||
*/
|
||||
static int
|
||||
az_add_nsec3_proof(struct auth_zone* z, struct regional* region,
|
||||
struct dns_msg* msg, uint8_t* cenm, size_t cenmlen, uint8_t* qname,
|
||||
size_t qname_len, int nxproof, int wcproof)
|
||||
size_t qname_len, int nodataproof, int ceproof, int nxproof,
|
||||
int wcproof)
|
||||
{
|
||||
int algo;
|
||||
size_t iter, saltlen;
|
||||
@ -2747,12 +2768,27 @@ az_add_nsec3_proof(struct auth_zone* z, struct regional* region,
|
||||
/* find parameters of nsec3 proof */
|
||||
if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen))
|
||||
return 1; /* no nsec3 */
|
||||
if(nodataproof) {
|
||||
/* see if the node has a hash of itself for the nodata
|
||||
* proof nsec3, this has to be an exact match nsec3. */
|
||||
struct auth_data* match;
|
||||
match = az_nsec3_find_exact(z, qname, qname_len, algo,
|
||||
iter, salt, saltlen);
|
||||
if(match) {
|
||||
if(!az_nsec3_insert(z, region, msg, match))
|
||||
return 0;
|
||||
/* only nodata NSEC3 needed, no CE or others. */
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
/* find ce that has an NSEC3 */
|
||||
node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce,
|
||||
algo, iter, salt, saltlen);
|
||||
if(no_exact_ce) nxproof = 1;
|
||||
if(!az_nsec3_insert(z, region, msg, node))
|
||||
return 0;
|
||||
if(ceproof) {
|
||||
node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce,
|
||||
algo, iter, salt, saltlen);
|
||||
if(no_exact_ce) nxproof = 1;
|
||||
if(!az_nsec3_insert(z, region, msg, node))
|
||||
return 0;
|
||||
}
|
||||
|
||||
if(nxproof) {
|
||||
uint8_t* nx;
|
||||
@ -2828,7 +2864,7 @@ az_generate_any_answer(struct auth_zone* z, struct regional* region,
|
||||
if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
|
||||
added++;
|
||||
}
|
||||
if(added == 0 && node->rrsets) {
|
||||
if(added == 0 && node && node->rrsets) {
|
||||
if(!msg_add_rrset_an(z, region, msg, node,
|
||||
node->rrsets)) return 0;
|
||||
}
|
||||
@ -2897,7 +2933,7 @@ az_generate_notype_answer(struct auth_zone* z, struct regional* region,
|
||||
/* DNSSEC denial NSEC3 */
|
||||
if(!az_add_nsec3_proof(z, region, msg, node->name,
|
||||
node->namelen, msg->qinfo.qname,
|
||||
msg->qinfo.qname_len, 0, 0))
|
||||
msg->qinfo.qname_len, 1, 1, 0, 0))
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
@ -2924,7 +2960,7 @@ az_generate_referral_answer(struct auth_zone* z, struct regional* region,
|
||||
} else {
|
||||
if(!az_add_nsec3_proof(z, region, msg, ce->name,
|
||||
ce->namelen, msg->qinfo.qname,
|
||||
msg->qinfo.qname_len, 0, 0))
|
||||
msg->qinfo.qname_len, 1, 1, 0, 0))
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
@ -2963,6 +2999,7 @@ az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo,
|
||||
struct auth_data* wildcard, struct auth_data* node)
|
||||
{
|
||||
struct auth_rrset* rrset, *nsec;
|
||||
int insert_ce = 0;
|
||||
if((rrset=az_domain_rrset(wildcard, qinfo->qtype)) != NULL) {
|
||||
/* wildcard has type, add it */
|
||||
if(!msg_add_rrset_an(z, region, msg, wildcard, rrset))
|
||||
@ -2989,15 +3026,22 @@ az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo,
|
||||
/* call other notype routine for dnssec notype denials */
|
||||
if(!az_generate_notype_answer(z, region, msg, wildcard))
|
||||
return 0;
|
||||
/* because the notype, there is no positive data with an
|
||||
* RRSIG that indicates the wildcard position. Thus the
|
||||
* wildcard qname denial needs to have a CE nsec3. */
|
||||
insert_ce = 1;
|
||||
}
|
||||
|
||||
/* ce and node for dnssec denial of wildcard original name */
|
||||
if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
|
||||
if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
|
||||
} else if(ce) {
|
||||
if(!az_add_nsec3_proof(z, region, msg, ce->name,
|
||||
ce->namelen, msg->qinfo.qname,
|
||||
msg->qinfo.qname_len, 1, 0))
|
||||
uint8_t* wildup = wildcard->name;
|
||||
size_t wilduplen= wildcard->namelen;
|
||||
dname_remove_label(&wildup, &wilduplen);
|
||||
if(!az_add_nsec3_proof(z, region, msg, wildup,
|
||||
wilduplen, msg->qinfo.qname,
|
||||
msg->qinfo.qname_len, 0, insert_ce, 1, 0))
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -3023,7 +3067,7 @@ az_generate_nxdomain_answer(struct auth_zone* z, struct regional* region,
|
||||
} else if(ce) {
|
||||
if(!az_add_nsec3_proof(z, region, msg, ce->name,
|
||||
ce->namelen, msg->qinfo.qname,
|
||||
msg->qinfo.qname_len, 1, 1))
|
||||
msg->qinfo.qname_len, 0, 1, 1, 1))
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
@ -3163,6 +3207,11 @@ int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo,
|
||||
*fallback = 1;
|
||||
return 0;
|
||||
}
|
||||
if(z->zone_expired) {
|
||||
*fallback = z->fallback_enabled;
|
||||
lock_rw_unlock(&z->lock);
|
||||
return 0;
|
||||
}
|
||||
/* see what answer that zone would generate */
|
||||
r = auth_zone_generate_answer(z, qinfo, region, msg, fallback);
|
||||
lock_rw_unlock(&z->lock);
|
||||
@ -3250,6 +3299,19 @@ int auth_zones_answer(struct auth_zones* az, struct module_env* env,
|
||||
lock_rw_unlock(&z->lock);
|
||||
return 0;
|
||||
}
|
||||
if(z->zone_expired) {
|
||||
if(z->fallback_enabled) {
|
||||
lock_rw_unlock(&z->lock);
|
||||
return 0;
|
||||
}
|
||||
lock_rw_unlock(&z->lock);
|
||||
lock_rw_wrlock(&az->lock);
|
||||
az->num_query_down++;
|
||||
lock_rw_unlock(&az->lock);
|
||||
auth_error_encode(qinfo, env, edns, repinfo, buf, temp,
|
||||
LDNS_RCODE_SERVFAIL);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* answer it from zone z */
|
||||
r = auth_zone_generate_answer(z, qinfo, temp, &msg, &fallback);
|
||||
@ -4773,8 +4835,10 @@ auth_zone_write_chunks(struct auth_xfer* xfr, const char* fname)
|
||||
static void
|
||||
xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env)
|
||||
{
|
||||
struct config_file* cfg = env->cfg;
|
||||
struct auth_zone* z;
|
||||
char tmpfile[1024];
|
||||
char* zfilename;
|
||||
lock_basic_unlock(&xfr->lock);
|
||||
|
||||
/* get lock again, so it is a readlock and concurrently queries
|
||||
@ -4792,20 +4856,24 @@ xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env)
|
||||
lock_basic_lock(&xfr->lock);
|
||||
lock_rw_unlock(&env->auth_zones->lock);
|
||||
|
||||
if(z->zonefile == NULL) {
|
||||
if(z->zonefile == NULL || z->zonefile[0] == 0) {
|
||||
lock_rw_unlock(&z->lock);
|
||||
/* no write needed, no zonefile set */
|
||||
return;
|
||||
}
|
||||
zfilename = z->zonefile;
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename,
|
||||
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
|
||||
zfilename += strlen(cfg->chrootdir);
|
||||
|
||||
/* write to tempfile first */
|
||||
if((size_t)strlen(z->zonefile) + 16 > sizeof(tmpfile)) {
|
||||
if((size_t)strlen(zfilename) + 16 > sizeof(tmpfile)) {
|
||||
verbose(VERB_ALGO, "tmpfilename too long, cannot update "
|
||||
" zonefile %s", z->zonefile);
|
||||
" zonefile %s", zfilename);
|
||||
lock_rw_unlock(&z->lock);
|
||||
return;
|
||||
}
|
||||
snprintf(tmpfile, sizeof(tmpfile), "%s.tmp%u", z->zonefile,
|
||||
snprintf(tmpfile, sizeof(tmpfile), "%s.tmp%u", zfilename,
|
||||
(unsigned)getpid());
|
||||
if(xfr->task_transfer->master->http) {
|
||||
/* use the stored chunk list to write them */
|
||||
@ -4818,8 +4886,8 @@ xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env)
|
||||
lock_rw_unlock(&z->lock);
|
||||
return;
|
||||
}
|
||||
if(rename(tmpfile, z->zonefile) < 0) {
|
||||
log_err("could not rename(%s, %s): %s", tmpfile, z->zonefile,
|
||||
if(rename(tmpfile, zfilename) < 0) {
|
||||
log_err("could not rename(%s, %s): %s", tmpfile, zfilename,
|
||||
strerror(errno));
|
||||
unlink(tmpfile);
|
||||
lock_rw_unlock(&z->lock);
|
||||
@ -4907,6 +4975,9 @@ xfr_process_chunk_list(struct auth_xfer* xfr, struct module_env* env,
|
||||
static void
|
||||
xfr_transfer_disown(struct auth_xfer* xfr)
|
||||
{
|
||||
/* remove timer (from this worker's event base) */
|
||||
comm_timer_delete(xfr->task_transfer->timer);
|
||||
xfr->task_transfer->timer = NULL;
|
||||
/* remove the commpoint */
|
||||
comm_point_delete(xfr->task_transfer->cp);
|
||||
xfr->task_transfer->cp = NULL;
|
||||
@ -4951,12 +5022,12 @@ xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env)
|
||||
qinfo.qtype = LDNS_RR_TYPE_AAAA;
|
||||
qinfo.local_alias = NULL;
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char buf[512];
|
||||
char buf1[512];
|
||||
char buf2[LDNS_MAX_DOMAINLEN+1];
|
||||
dname_str(xfr->name, buf2);
|
||||
snprintf(buf, sizeof(buf), "auth zone %s: master lookup"
|
||||
snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup"
|
||||
" for task_transfer", buf2);
|
||||
log_query_info(VERB_ALGO, buf, &qinfo);
|
||||
log_query_info(VERB_ALGO, buf1, &qinfo);
|
||||
}
|
||||
edns.edns_present = 1;
|
||||
edns.ext_rcode = 0;
|
||||
@ -4988,6 +5059,9 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
|
||||
struct sockaddr_storage addr;
|
||||
socklen_t addrlen = 0;
|
||||
struct auth_master* master = xfr->task_transfer->master;
|
||||
char *auth_name = NULL;
|
||||
struct timeval t;
|
||||
int timeout;
|
||||
if(!master) return 0;
|
||||
if(master->allow_notify) return 0; /* only for notify */
|
||||
|
||||
@ -4996,7 +5070,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
|
||||
addrlen = xfr->task_transfer->scan_addr->addrlen;
|
||||
memmove(&addr, &xfr->task_transfer->scan_addr->addr, addrlen);
|
||||
} else {
|
||||
if(!extstrtoaddr(master->host, &addr, &addrlen)) {
|
||||
if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) {
|
||||
/* the ones that are not in addr format are supposed
|
||||
* to be looked up. The lookup has failed however,
|
||||
* so skip them */
|
||||
@ -5013,25 +5087,46 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
|
||||
comm_point_delete(xfr->task_transfer->cp);
|
||||
xfr->task_transfer->cp = NULL;
|
||||
}
|
||||
if(!xfr->task_transfer->timer) {
|
||||
xfr->task_transfer->timer = comm_timer_create(env->worker_base,
|
||||
auth_xfer_transfer_timer_callback, xfr);
|
||||
if(!xfr->task_transfer->timer) {
|
||||
log_err("malloc failure");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
timeout = AUTH_TRANSFER_TIMEOUT;
|
||||
#ifndef S_SPLINT_S
|
||||
t.tv_sec = timeout/1000;
|
||||
t.tv_usec = (timeout%1000)*1000;
|
||||
#endif
|
||||
|
||||
if(master->http) {
|
||||
/* perform http fetch */
|
||||
/* store http port number into sockaddr,
|
||||
* unless someone used unbound's host@port notation */
|
||||
xfr->task_transfer->on_ixfr = 0;
|
||||
if(strchr(master->host, '@') == NULL)
|
||||
sockaddr_store_port(&addr, addrlen, master->port);
|
||||
xfr->task_transfer->cp = outnet_comm_point_for_http(
|
||||
env->outnet, auth_xfer_transfer_http_callback, xfr,
|
||||
&addr, addrlen, AUTH_TRANSFER_TIMEOUT, master->ssl,
|
||||
master->host, master->file);
|
||||
&addr, addrlen, -1, master->ssl, master->host,
|
||||
master->file);
|
||||
if(!xfr->task_transfer->cp) {
|
||||
char zname[255+1];
|
||||
char zname[255+1], as[256];
|
||||
dname_str(xfr->name, zname);
|
||||
addr_to_str(&addr, addrlen, as, sizeof(as));
|
||||
verbose(VERB_ALGO, "cannot create http cp "
|
||||
"connection for %s to %s", zname,
|
||||
master->host);
|
||||
"connection for %s to %s", zname, as);
|
||||
return 0;
|
||||
}
|
||||
comm_timer_set(xfr->task_transfer->timer, &t);
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1], as[256];
|
||||
dname_str(xfr->name, zname);
|
||||
addr_to_str(&addr, addrlen, as, sizeof(as));
|
||||
verbose(VERB_ALGO, "auth zone %s transfer next HTTP fetch from %s started", zname, as);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -5045,14 +5140,24 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
|
||||
/* connect on fd */
|
||||
xfr->task_transfer->cp = outnet_comm_point_for_tcp(env->outnet,
|
||||
auth_xfer_transfer_tcp_callback, xfr, &addr, addrlen,
|
||||
env->scratch_buffer, AUTH_TRANSFER_TIMEOUT);
|
||||
env->scratch_buffer, -1,
|
||||
auth_name != NULL, auth_name);
|
||||
if(!xfr->task_transfer->cp) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
char zname[255+1], as[256];
|
||||
dname_str(xfr->name, zname);
|
||||
addr_to_str(&addr, addrlen, as, sizeof(as));
|
||||
verbose(VERB_ALGO, "cannot create tcp cp connection for "
|
||||
"xfr %s to %s", zname, master->host);
|
||||
"xfr %s to %s", zname, as);
|
||||
return 0;
|
||||
}
|
||||
comm_timer_set(xfr->task_transfer->timer, &t);
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1], as[256];
|
||||
dname_str(xfr->name, zname);
|
||||
addr_to_str(&addr, addrlen, as, sizeof(as));
|
||||
verbose(VERB_ALGO, "auth zone %s transfer next %s fetch from %s started", zname,
|
||||
(xfr->task_transfer->on_ixfr?"IXFR":"AXFR"), as);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -5070,6 +5175,11 @@ xfr_transfer_nexttarget_or_end(struct auth_xfer* xfr, struct module_env* env)
|
||||
* and we may then get an instant cache response,
|
||||
* and that calls the callback just like a full
|
||||
* lookup and lookup failures also call callback */
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth zone %s transfer next target lookup", zname);
|
||||
}
|
||||
lock_basic_unlock(&xfr->lock);
|
||||
return;
|
||||
}
|
||||
@ -5088,6 +5198,11 @@ xfr_transfer_nexttarget_or_end(struct auth_xfer* xfr, struct module_env* env)
|
||||
/* failed to fetch, next master */
|
||||
xfr_transfer_nextmaster(xfr);
|
||||
}
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth zone %s transfer failed, wait", zname);
|
||||
}
|
||||
|
||||
/* we failed to fetch the zone, move to wait task
|
||||
* use the shorter retry timeout */
|
||||
@ -5185,7 +5300,25 @@ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
|
||||
if(answer) {
|
||||
xfr_master_add_addrs(xfr->task_transfer->
|
||||
lookup_target, answer, wanted_qtype);
|
||||
} else {
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has nodata", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A"));
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has no answer", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A"));
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup failed", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A"));
|
||||
}
|
||||
}
|
||||
if(xfr->task_transfer->lookup_target->list &&
|
||||
@ -5570,6 +5703,46 @@ process_list_end_transfer(struct auth_xfer* xfr, struct module_env* env)
|
||||
xfr_transfer_nexttarget_or_end(xfr, env);
|
||||
}
|
||||
|
||||
/** callback for the task_transfer timer */
|
||||
void
|
||||
auth_xfer_transfer_timer_callback(void* arg)
|
||||
{
|
||||
struct auth_xfer* xfr = (struct auth_xfer*)arg;
|
||||
struct module_env* env;
|
||||
int gonextonfail = 1;
|
||||
log_assert(xfr->task_transfer);
|
||||
lock_basic_lock(&xfr->lock);
|
||||
env = xfr->task_transfer->env;
|
||||
if(env->outnet->want_to_quit) {
|
||||
lock_basic_unlock(&xfr->lock);
|
||||
return; /* stop on quit */
|
||||
}
|
||||
|
||||
verbose(VERB_ALGO, "xfr stopped, connection timeout to %s",
|
||||
xfr->task_transfer->master->host);
|
||||
|
||||
/* see if IXFR caused the failure, if so, try AXFR */
|
||||
if(xfr->task_transfer->on_ixfr) {
|
||||
xfr->task_transfer->ixfr_possible_timeout_count++;
|
||||
if(xfr->task_transfer->ixfr_possible_timeout_count >=
|
||||
NUM_TIMEOUTS_FALLBACK_IXFR) {
|
||||
verbose(VERB_ALGO, "xfr to %s, fallback "
|
||||
"from IXFR to AXFR (because of timeouts)",
|
||||
xfr->task_transfer->master->host);
|
||||
xfr->task_transfer->ixfr_fail = 1;
|
||||
gonextonfail = 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* delete transferred data from list */
|
||||
auth_chunks_delete(xfr->task_transfer);
|
||||
comm_point_delete(xfr->task_transfer->cp);
|
||||
xfr->task_transfer->cp = NULL;
|
||||
if(gonextonfail)
|
||||
xfr_transfer_nextmaster(xfr);
|
||||
xfr_transfer_nexttarget_or_end(xfr, env);
|
||||
}
|
||||
|
||||
/** callback for task_transfer tcp connections */
|
||||
int
|
||||
auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err,
|
||||
@ -5586,6 +5759,8 @@ auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err,
|
||||
lock_basic_unlock(&xfr->lock);
|
||||
return 0; /* stop on quit */
|
||||
}
|
||||
/* stop the timer */
|
||||
comm_timer_disable(xfr->task_transfer->timer);
|
||||
|
||||
if(err != NETEVENT_NOERROR) {
|
||||
/* connection failed, closed, or timeout */
|
||||
@ -5593,15 +5768,33 @@ auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err,
|
||||
* and continue task_transfer*/
|
||||
verbose(VERB_ALGO, "xfr stopped, connection lost to %s",
|
||||
xfr->task_transfer->master->host);
|
||||
|
||||
/* see if IXFR caused the failure, if so, try AXFR */
|
||||
if(xfr->task_transfer->on_ixfr) {
|
||||
xfr->task_transfer->ixfr_possible_timeout_count++;
|
||||
if(xfr->task_transfer->ixfr_possible_timeout_count >=
|
||||
NUM_TIMEOUTS_FALLBACK_IXFR) {
|
||||
verbose(VERB_ALGO, "xfr to %s, fallback "
|
||||
"from IXFR to AXFR (because of timeouts)",
|
||||
xfr->task_transfer->master->host);
|
||||
xfr->task_transfer->ixfr_fail = 1;
|
||||
gonextonfail = 0;
|
||||
}
|
||||
}
|
||||
|
||||
failed:
|
||||
/* delete transferred data from list */
|
||||
auth_chunks_delete(xfr->task_transfer);
|
||||
comm_point_delete(xfr->task_transfer->cp);
|
||||
xfr->task_transfer->cp = NULL;
|
||||
xfr_transfer_nextmaster(xfr);
|
||||
if(gonextonfail)
|
||||
xfr_transfer_nextmaster(xfr);
|
||||
xfr_transfer_nexttarget_or_end(xfr, env);
|
||||
return 0;
|
||||
}
|
||||
/* note that IXFR worked without timeout */
|
||||
if(xfr->task_transfer->on_ixfr)
|
||||
xfr->task_transfer->ixfr_possible_timeout_count = 0;
|
||||
|
||||
/* handle returned packet */
|
||||
/* if it fails, cleanup and end this transfer */
|
||||
@ -5648,6 +5841,8 @@ auth_xfer_transfer_http_callback(struct comm_point* c, void* arg, int err,
|
||||
return 0; /* stop on quit */
|
||||
}
|
||||
verbose(VERB_ALGO, "auth zone transfer http callback");
|
||||
/* stop the timer */
|
||||
comm_timer_disable(xfr->task_transfer->timer);
|
||||
|
||||
if(err != NETEVENT_NOERROR && err != NETEVENT_DONE) {
|
||||
/* connection failed, closed, or timeout */
|
||||
@ -5745,6 +5940,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
|
||||
struct timeval t;
|
||||
/* pick master */
|
||||
struct auth_master* master = xfr_probe_current_master(xfr);
|
||||
char *auth_name = NULL;
|
||||
if(!master) return 0;
|
||||
if(master->allow_notify) return 0; /* only for notify */
|
||||
if(master->http) return 0; /* only masters get SOA UDP probe,
|
||||
@ -5755,7 +5951,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
|
||||
addrlen = xfr->task_probe->scan_addr->addrlen;
|
||||
memmove(&addr, &xfr->task_probe->scan_addr->addr, addrlen);
|
||||
} else {
|
||||
if(!extstrtoaddr(master->host, &addr, &addrlen)) {
|
||||
if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) {
|
||||
/* the ones that are not in addr format are supposed
|
||||
* to be looked up. The lookup has failed however,
|
||||
* so skip them */
|
||||
@ -5765,6 +5961,18 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
|
||||
zname, master->host);
|
||||
return 0;
|
||||
}
|
||||
if (auth_name != NULL) {
|
||||
if (addr.ss_family == AF_INET
|
||||
&& ntohs(((struct sockaddr_in *)&addr)->sin_port)
|
||||
== env->cfg->ssl_port)
|
||||
((struct sockaddr_in *)&addr)->sin_port
|
||||
= htons(env->cfg->port);
|
||||
else if (addr.ss_family == AF_INET6
|
||||
&& ntohs(((struct sockaddr_in6 *)&addr)->sin6_port)
|
||||
== env->cfg->ssl_port)
|
||||
((struct sockaddr_in6 *)&addr)->sin6_port
|
||||
= htons(env->cfg->port);
|
||||
}
|
||||
}
|
||||
|
||||
/* create packet */
|
||||
@ -5774,14 +5982,26 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
|
||||
xfr->task_probe->id = (uint16_t)(ub_random(env->rnd)&0xffff);
|
||||
xfr_create_soa_probe_packet(xfr, env->scratch_buffer,
|
||||
xfr->task_probe->id);
|
||||
/* we need to remove the cp if we have a different ip4/ip6 type now */
|
||||
if(xfr->task_probe->cp &&
|
||||
((xfr->task_probe->cp_is_ip6 && !addr_is_ip6(&addr, addrlen)) ||
|
||||
(!xfr->task_probe->cp_is_ip6 && addr_is_ip6(&addr, addrlen)))
|
||||
) {
|
||||
comm_point_delete(xfr->task_probe->cp);
|
||||
xfr->task_probe->cp = NULL;
|
||||
}
|
||||
if(!xfr->task_probe->cp) {
|
||||
if(addr_is_ip6(&addr, addrlen))
|
||||
xfr->task_probe->cp_is_ip6 = 1;
|
||||
else xfr->task_probe->cp_is_ip6 = 0;
|
||||
xfr->task_probe->cp = outnet_comm_point_for_udp(env->outnet,
|
||||
auth_xfer_probe_udp_callback, xfr, &addr, addrlen);
|
||||
if(!xfr->task_probe->cp) {
|
||||
char zname[255+1];
|
||||
char zname[255+1], as[256];
|
||||
dname_str(xfr->name, zname);
|
||||
addr_to_str(&addr, addrlen, as, sizeof(as));
|
||||
verbose(VERB_ALGO, "cannot create udp cp for "
|
||||
"probe %s to %s", zname, master->host);
|
||||
"probe %s to %s", zname, as);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
@ -5797,12 +6017,20 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
|
||||
/* send udp packet */
|
||||
if(!comm_point_send_udp_msg(xfr->task_probe->cp, env->scratch_buffer,
|
||||
(struct sockaddr*)&addr, addrlen)) {
|
||||
char zname[255+1];
|
||||
char zname[255+1], as[256];
|
||||
dname_str(xfr->name, zname);
|
||||
addr_to_str(&addr, addrlen, as, sizeof(as));
|
||||
verbose(VERB_ALGO, "failed to send soa probe for %s to %s",
|
||||
zname, master->host);
|
||||
zname, as);
|
||||
return 0;
|
||||
}
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1], as[256];
|
||||
dname_str(xfr->name, zname);
|
||||
addr_to_str(&addr, addrlen, as, sizeof(as));
|
||||
verbose(VERB_ALGO, "auth zone %s soa probe sent to %s", zname,
|
||||
as);
|
||||
}
|
||||
xfr->task_probe->timeout = timeout;
|
||||
#ifndef S_SPLINT_S
|
||||
t.tv_sec = timeout/1000;
|
||||
@ -5827,6 +6055,11 @@ auth_xfer_probe_timer_callback(void* arg)
|
||||
return; /* stop on quit */
|
||||
}
|
||||
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth zone %s soa probe timeout", zname);
|
||||
}
|
||||
if(xfr->task_probe->timeout <= AUTH_PROBE_TIMEOUT_STOP) {
|
||||
/* try again with bigger timeout */
|
||||
if(xfr_probe_send_probe(xfr, env, xfr->task_probe->timeout*2)) {
|
||||
@ -5973,12 +6206,12 @@ xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env)
|
||||
qinfo.qtype = LDNS_RR_TYPE_AAAA;
|
||||
qinfo.local_alias = NULL;
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char buf[512];
|
||||
char buf1[512];
|
||||
char buf2[LDNS_MAX_DOMAINLEN+1];
|
||||
dname_str(xfr->name, buf2);
|
||||
snprintf(buf, sizeof(buf), "auth zone %s: master lookup"
|
||||
snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup"
|
||||
" for task_probe", buf2);
|
||||
log_query_info(VERB_ALGO, buf, &qinfo);
|
||||
log_query_info(VERB_ALGO, buf1, &qinfo);
|
||||
}
|
||||
edns.edns_present = 1;
|
||||
edns.ext_rcode = 0;
|
||||
@ -6014,6 +6247,11 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
|
||||
* and we may then get an instant cache response,
|
||||
* and that calls the callback just like a full
|
||||
* lookup and lookup failures also call callback */
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth zone %s probe next target lookup", zname);
|
||||
}
|
||||
lock_basic_unlock(&xfr->lock);
|
||||
return;
|
||||
}
|
||||
@ -6022,9 +6260,19 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
|
||||
/* probe of list has ended. Create or refresh the list of of
|
||||
* allow_notify addrs */
|
||||
probe_copy_masters_for_allow_notify(xfr);
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth zone %s probe: notify addrs updated", zname);
|
||||
}
|
||||
if(xfr->task_probe->only_lookup) {
|
||||
/* only wanted lookups for copy, stop probe and start wait */
|
||||
xfr->task_probe->only_lookup = 0;
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth zone %s probe: finished only_lookup", zname);
|
||||
}
|
||||
xfr_probe_disown(xfr);
|
||||
if(xfr->task_nextprobe->worker == NULL)
|
||||
xfr_set_timeout(xfr, env, 0, 0);
|
||||
@ -6046,13 +6294,22 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
|
||||
/* done with probe sequence, wait */
|
||||
if(xfr->task_probe->have_new_lease) {
|
||||
/* if zone not updated, start the wait timer again */
|
||||
verbose(VERB_ALGO, "auth_zone unchanged, new lease, wait");
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth_zone %s unchanged, new lease, wait", zname);
|
||||
}
|
||||
xfr_probe_disown(xfr);
|
||||
if(xfr->have_zone)
|
||||
xfr->lease_time = *env->now;
|
||||
if(xfr->task_nextprobe->worker == NULL)
|
||||
xfr_set_timeout(xfr, env, 0, 0);
|
||||
} else {
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth zone %s soa probe failed, wait to retry", zname);
|
||||
}
|
||||
/* we failed to send this as well, move to the wait task,
|
||||
* use the shorter retry timeout */
|
||||
xfr_probe_disown(xfr);
|
||||
@ -6097,7 +6354,25 @@ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
|
||||
if(answer) {
|
||||
xfr_master_add_addrs(xfr->task_probe->
|
||||
lookup_target, answer, wanted_qtype);
|
||||
} else {
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has nodata", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A"));
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has no address", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A"));
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char zname[255+1];
|
||||
dname_str(xfr->name, zname);
|
||||
verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup failed", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A"));
|
||||
}
|
||||
}
|
||||
if(xfr->task_probe->lookup_target->list &&
|
||||
|
@ -327,6 +327,8 @@ struct auth_probe {
|
||||
/** the SOA probe udp event.
|
||||
* on the workers event base. */
|
||||
struct comm_point* cp;
|
||||
/** is the cp for ip6 or ip4 */
|
||||
int cp_is_ip6;
|
||||
/** timeout for packets.
|
||||
* on the workers event base. */
|
||||
struct comm_timer* timer;
|
||||
@ -378,6 +380,8 @@ struct auth_transfer {
|
||||
* data or add of duplicate data). Flag is cleared once the retry
|
||||
* with axfr is done. */
|
||||
int ixfr_fail;
|
||||
/** we saw an ixfr-indicating timeout, count of them */
|
||||
int ixfr_possible_timeout_count;
|
||||
/** we are doing IXFR right now */
|
||||
int on_ixfr;
|
||||
/** did we detect the current AXFR/IXFR serial number yet, 0 not yet,
|
||||
@ -396,6 +400,9 @@ struct auth_transfer {
|
||||
/** the transfer (TCP) to the master.
|
||||
* on the workers event base. */
|
||||
struct comm_point* cp;
|
||||
/** timeout for the transfer.
|
||||
* on the workers event base. */
|
||||
struct comm_timer* timer;
|
||||
};
|
||||
|
||||
/** list of addresses */
|
||||
@ -599,7 +606,7 @@ int auth_zones_startprobesequence(struct auth_zones* az,
|
||||
struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t dclass);
|
||||
|
||||
/** read auth zone from zonefile. caller must lock zone. false on failure */
|
||||
int auth_zone_read_zonefile(struct auth_zone* z);
|
||||
int auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg);
|
||||
|
||||
/** find serial number of zone or false if none (no SOA record) */
|
||||
int auth_zone_get_serial(struct auth_zone* z, uint32_t* serial);
|
||||
@ -645,6 +652,8 @@ int auth_xfer_transfer_http_callback(struct comm_point* c, void* arg, int err,
|
||||
struct comm_reply* repinfo);
|
||||
/** xfer probe timeout callback, part of task_probe */
|
||||
void auth_xfer_probe_timer_callback(void* arg);
|
||||
/** xfer transfer timeout callback, part of task_transfer */
|
||||
void auth_xfer_transfer_timer_callback(void* arg);
|
||||
/** mesh callback for task_probe on lookup of host names */
|
||||
void auth_xfer_probe_lookup_callback(void* arg, int rcode,
|
||||
struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
|
||||
|
17
contrib/unbound/services/cache/dns.c
vendored
17
contrib/unbound/services/cache/dns.c
vendored
@ -40,6 +40,7 @@
|
||||
*/
|
||||
#include "config.h"
|
||||
#include "iterator/iter_delegpt.h"
|
||||
#include "iterator/iter_utils.h"
|
||||
#include "validator/val_nsec.h"
|
||||
#include "validator/val_utils.h"
|
||||
#include "services/cache/dns.h"
|
||||
@ -721,6 +722,19 @@ fill_any(struct module_env* env,
|
||||
int i, num=6; /* number of RR types to look up */
|
||||
log_assert(lookup[num] == 0);
|
||||
|
||||
if(env->cfg->deny_any) {
|
||||
/* return empty message */
|
||||
msg = dns_msg_create(qname, qnamelen, qtype, qclass,
|
||||
region, 0);
|
||||
if(!msg) {
|
||||
return NULL;
|
||||
}
|
||||
/* set NOTIMPL for RFC 8482 */
|
||||
msg->rep->flags |= LDNS_RCODE_NOTIMPL;
|
||||
msg->rep->security = sec_status_indeterminate;
|
||||
return msg;
|
||||
}
|
||||
|
||||
for(i=0; i<num; i++) {
|
||||
/* look up this RR for inclusion in type ANY response */
|
||||
struct ub_packed_rrset_key* rrset = rrset_cache_lookup(
|
||||
@ -901,12 +915,15 @@ dns_cache_lookup(struct module_env* env,
|
||||
struct dns_msg* msg;
|
||||
if(FLAGS_GET_RCODE(data->flags) == LDNS_RCODE_NXDOMAIN
|
||||
&& data->security == sec_status_secure
|
||||
&& (data->an_numrrsets == 0 ||
|
||||
ntohs(data->rrsets[0]->rk.type) != LDNS_RR_TYPE_CNAME)
|
||||
&& (msg=tomsg(env, &k, data, region, now, scratch))){
|
||||
lock_rw_unlock(&e->lock);
|
||||
msg->qinfo.qname=qname;
|
||||
msg->qinfo.qname_len=qnamelen;
|
||||
/* check that DNSSEC really works out */
|
||||
msg->rep->security = sec_status_unchecked;
|
||||
iter_scrub_nxdomain(msg);
|
||||
return msg;
|
||||
}
|
||||
lock_rw_unlock(&e->lock);
|
||||
|
44
contrib/unbound/services/cache/infra.c
vendored
44
contrib/unbound/services/cache/infra.c
vendored
@ -41,6 +41,8 @@
|
||||
#include "config.h"
|
||||
#include "sldns/rrdef.h"
|
||||
#include "sldns/str2wire.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
#include "sldns/wire2str.h"
|
||||
#include "services/cache/infra.h"
|
||||
#include "util/storage/slabhash.h"
|
||||
#include "util/storage/lookup3.h"
|
||||
@ -907,7 +909,8 @@ int infra_rate_max(void* data, time_t now)
|
||||
}
|
||||
|
||||
int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
|
||||
size_t namelen, time_t timenow)
|
||||
size_t namelen, time_t timenow, struct query_info* qinfo,
|
||||
struct comm_reply* replylist)
|
||||
{
|
||||
int lim, max;
|
||||
struct lruhash_entry* entry;
|
||||
@ -930,9 +933,19 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
|
||||
lock_rw_unlock(&entry->lock);
|
||||
|
||||
if(premax < lim && max >= lim) {
|
||||
char buf[257];
|
||||
char buf[257], qnm[257], ts[12], cs[12], ip[128];
|
||||
dname_str(name, buf);
|
||||
verbose(VERB_OPS, "ratelimit exceeded %s %d", buf, lim);
|
||||
dname_str(qinfo->qname, qnm);
|
||||
sldns_wire2str_type_buf(qinfo->qtype, ts, sizeof(ts));
|
||||
sldns_wire2str_class_buf(qinfo->qclass, cs, sizeof(cs));
|
||||
ip[0]=0;
|
||||
if(replylist) {
|
||||
addr_to_str((struct sockaddr_storage *)&replylist->addr,
|
||||
replylist->addrlen, ip, sizeof(ip));
|
||||
verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s from %s", buf, lim, qnm, cs, ts, ip);
|
||||
} else {
|
||||
verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts);
|
||||
}
|
||||
}
|
||||
return (max < lim);
|
||||
}
|
||||
@ -991,7 +1004,7 @@ infra_get_mem(struct infra_cache* infra)
|
||||
}
|
||||
|
||||
int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
||||
struct comm_reply* repinfo, time_t timenow)
|
||||
struct comm_reply* repinfo, time_t timenow, struct sldns_buffer* buffer)
|
||||
{
|
||||
int max;
|
||||
struct lruhash_entry* entry;
|
||||
@ -1010,11 +1023,28 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
||||
lock_rw_unlock(&entry->lock);
|
||||
|
||||
if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) {
|
||||
char client_ip[128];
|
||||
char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12];
|
||||
addr_to_str((struct sockaddr_storage *)&repinfo->addr,
|
||||
repinfo->addrlen, client_ip, sizeof(client_ip));
|
||||
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d",
|
||||
client_ip, infra_ip_ratelimit);
|
||||
qnm[0]=0;
|
||||
if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE &&
|
||||
LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) {
|
||||
(void)sldns_wire2str_rrquestion_buf(
|
||||
sldns_buffer_at(buffer, LDNS_HEADER_SIZE),
|
||||
sldns_buffer_limit(buffer)-LDNS_HEADER_SIZE,
|
||||
qnm, sizeof(qnm));
|
||||
if(strlen(qnm)>0 && qnm[strlen(qnm)-1]=='\n')
|
||||
qnm[strlen(qnm)-1] = 0; /*remove newline*/
|
||||
if(strchr(qnm, '\t'))
|
||||
*strchr(qnm, '\t') = ' ';
|
||||
if(strchr(qnm, '\t'))
|
||||
*strchr(qnm, '\t') = ' ';
|
||||
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d %s",
|
||||
client_ip, infra_ip_ratelimit, qnm);
|
||||
} else {
|
||||
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d (no query name)",
|
||||
client_ip, infra_ip_ratelimit);
|
||||
}
|
||||
}
|
||||
return (max <= infra_ip_ratelimit);
|
||||
}
|
||||
|
9
contrib/unbound/services/cache/infra.h
vendored
9
contrib/unbound/services/cache/infra.h
vendored
@ -366,12 +366,15 @@ long long infra_get_host_rto(struct infra_cache* infra,
|
||||
* @param name: zone name
|
||||
* @param namelen: zone name length
|
||||
* @param timenow: what time it is now.
|
||||
* @param qinfo: for logging, query name.
|
||||
* @param replylist: for logging, querier's address (if any).
|
||||
* @return 1 if it could be incremented. 0 if the increment overshot the
|
||||
* ratelimit or if in the previous second the ratelimit was exceeded.
|
||||
* Failures like alloc failures are not returned (probably as 1).
|
||||
*/
|
||||
int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
|
||||
size_t namelen, time_t timenow);
|
||||
size_t namelen, time_t timenow, struct query_info* qinfo,
|
||||
struct comm_reply* replylist);
|
||||
|
||||
/**
|
||||
* Decrement the query rate counter for a delegation point.
|
||||
@ -410,10 +413,12 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
|
||||
* @param infra: infra cache
|
||||
* @param repinfo: information about client
|
||||
* @param timenow: what time it is now.
|
||||
* @param buffer: with query for logging.
|
||||
* @return 1 if it could be incremented. 0 if the increment overshot the
|
||||
* ratelimit and the query should be dropped. */
|
||||
int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
||||
struct comm_reply* repinfo, time_t timenow);
|
||||
struct comm_reply* repinfo, time_t timenow,
|
||||
struct sldns_buffer* buffer);
|
||||
|
||||
/**
|
||||
* Get memory used by the infra cache.
|
||||
|
@ -53,6 +53,9 @@
|
||||
#include "util/config_file.h"
|
||||
#include "util/net_help.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
#include "services/mesh.h"
|
||||
#include "util/fptr_wlist.h"
|
||||
#include "util/locks.h"
|
||||
|
||||
#ifdef HAVE_NETDB_H
|
||||
#include <netdb.h>
|
||||
@ -70,6 +73,18 @@
|
||||
/** number of queued TCP connections for listen() */
|
||||
#define TCP_BACKLOG 256
|
||||
|
||||
/** number of simultaneous requests a client can have */
|
||||
#define TCP_MAX_REQ_SIMULTANEOUS 32
|
||||
|
||||
#ifndef THREADS_DISABLED
|
||||
/** lock on the counter of stream buffer memory */
|
||||
static lock_basic_type stream_wait_count_lock;
|
||||
#endif
|
||||
/** size (in bytes) of stream wait buffers */
|
||||
static size_t stream_wait_count = 0;
|
||||
/** is the lock initialised for stream wait buffers */
|
||||
static int stream_wait_lock_inited = 0;
|
||||
|
||||
/**
|
||||
* Debug print of the getaddrinfo returned address.
|
||||
* @param addr: the address returned.
|
||||
@ -247,6 +262,26 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
||||
}
|
||||
#endif /* SO_REUSEADDR */
|
||||
#ifdef SO_REUSEPORT
|
||||
# ifdef SO_REUSEPORT_LB
|
||||
/* on FreeBSD 12 we have SO_REUSEPORT_LB that does loadbalance
|
||||
* like SO_REUSEPORT on Linux. This is what the users want
|
||||
* with the config option in unbound.conf; if we actually
|
||||
* need local address and port reuse they'll also need to
|
||||
* have SO_REUSEPORT set for them, assume it was _LB they want.
|
||||
*/
|
||||
if (reuseport && *reuseport &&
|
||||
setsockopt(s, SOL_SOCKET, SO_REUSEPORT_LB, (void*)&on,
|
||||
(socklen_t)sizeof(on)) < 0) {
|
||||
#ifdef ENOPROTOOPT
|
||||
if(errno != ENOPROTOOPT || verbosity >= 3)
|
||||
log_warn("setsockopt(.. SO_REUSEPORT_LB ..) failed: %s",
|
||||
strerror(errno));
|
||||
#endif
|
||||
/* this option is not essential, we can continue */
|
||||
*reuseport = 0;
|
||||
}
|
||||
# else /* no SO_REUSEPORT_LB */
|
||||
|
||||
/* try to set SO_REUSEPORT so that incoming
|
||||
* queries are distributed evenly among the receiving threads.
|
||||
* Each thread must have its own socket bound to the same port,
|
||||
@ -263,6 +298,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
||||
/* this option is not essential, we can continue */
|
||||
*reuseport = 0;
|
||||
}
|
||||
# endif /* SO_REUSEPORT_LB */
|
||||
#else
|
||||
(void)reuseport;
|
||||
#endif /* defined(SO_REUSEPORT) */
|
||||
@ -565,7 +601,11 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
||||
if(family==AF_INET6 && errno==EINVAL)
|
||||
*noproto = 1;
|
||||
else if(errno != EADDRINUSE &&
|
||||
!(errno == EACCES && verbosity < 4 && !listen)) {
|
||||
!(errno == EACCES && verbosity < 4 && !listen)
|
||||
#ifdef EADDRNOTAVAIL
|
||||
&& !(errno == EADDRNOTAVAIL && verbosity < 4 && !listen)
|
||||
#endif
|
||||
) {
|
||||
log_err_addr("can't bind socket", strerror(errno),
|
||||
(struct sockaddr_storage*)addr, addrlen);
|
||||
}
|
||||
@ -811,9 +851,16 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
|
||||
#ifdef ENOPROTOOPT
|
||||
/* squelch ENOPROTOOPT: freebsd server mode with kernel support
|
||||
disabled, except when verbosity enabled for debugging */
|
||||
if(errno != ENOPROTOOPT || verbosity >= 3)
|
||||
if(errno != ENOPROTOOPT || verbosity >= 3) {
|
||||
#endif
|
||||
if(errno == EPERM) {
|
||||
log_warn("Setting TCP Fast Open as server failed: %s ; this could likely be because sysctl net.inet.tcp.fastopen.enabled, net.inet.tcp.fastopen.server_enable, or net.ipv4.tcp_fastopen is disabled", strerror(errno));
|
||||
} else {
|
||||
log_err("Setting TCP Fast Open as server failed: %s", strerror(errno));
|
||||
}
|
||||
#ifdef ENOPROTOOPT
|
||||
}
|
||||
#endif
|
||||
log_err("Setting TCP Fast Open as server failed: %s", strerror(errno));
|
||||
}
|
||||
#endif
|
||||
return s;
|
||||
@ -1235,6 +1282,10 @@ listen_create(struct comm_base* base, struct listen_port* ports,
|
||||
free(front);
|
||||
return NULL;
|
||||
}
|
||||
if(!stream_wait_lock_inited) {
|
||||
lock_basic_init(&stream_wait_count_lock);
|
||||
stream_wait_lock_inited = 1;
|
||||
}
|
||||
|
||||
/* create comm points as needed */
|
||||
while(ports) {
|
||||
@ -1247,11 +1298,13 @@ listen_create(struct comm_base* base, struct listen_port* ports,
|
||||
ports->ftype == listen_type_tcp_dnscrypt)
|
||||
cp = comm_point_create_tcp(base, ports->fd,
|
||||
tcp_accept_count, tcp_idle_timeout,
|
||||
tcp_conn_limit, bufsize, cb, cb_arg);
|
||||
tcp_conn_limit, bufsize, front->udp_buff,
|
||||
cb, cb_arg);
|
||||
else if(ports->ftype == listen_type_ssl) {
|
||||
cp = comm_point_create_tcp(base, ports->fd,
|
||||
tcp_accept_count, tcp_idle_timeout,
|
||||
tcp_conn_limit, bufsize, cb, cb_arg);
|
||||
tcp_conn_limit, bufsize, front->udp_buff,
|
||||
cb, cb_arg);
|
||||
cp->ssl = sslctx;
|
||||
} else if(ports->ftype == listen_type_udpancil ||
|
||||
ports->ftype == listen_type_udpancil_dnscrypt)
|
||||
@ -1322,6 +1375,10 @@ listen_delete(struct listen_dnsport* front)
|
||||
#endif
|
||||
sldns_buffer_free(front->udp_buff);
|
||||
free(front);
|
||||
if(stream_wait_lock_inited) {
|
||||
stream_wait_lock_inited = 0;
|
||||
lock_basic_destroy(&stream_wait_count_lock);
|
||||
}
|
||||
}
|
||||
|
||||
struct listen_port*
|
||||
@ -1479,3 +1536,373 @@ void listen_start_accept(struct listen_dnsport* listen)
|
||||
}
|
||||
}
|
||||
|
||||
struct tcp_req_info*
|
||||
tcp_req_info_create(struct sldns_buffer* spoolbuf)
|
||||
{
|
||||
struct tcp_req_info* req = (struct tcp_req_info*)malloc(sizeof(*req));
|
||||
if(!req) {
|
||||
log_err("malloc failure for new stream outoforder processing structure");
|
||||
return NULL;
|
||||
}
|
||||
memset(req, 0, sizeof(*req));
|
||||
req->spool_buffer = spoolbuf;
|
||||
return req;
|
||||
}
|
||||
|
||||
void
|
||||
tcp_req_info_delete(struct tcp_req_info* req)
|
||||
{
|
||||
if(!req) return;
|
||||
tcp_req_info_clear(req);
|
||||
/* cp is pointer back to commpoint that owns this struct and
|
||||
* called delete on us */
|
||||
/* spool_buffer is shared udp buffer, not deleted here */
|
||||
free(req);
|
||||
}
|
||||
|
||||
void tcp_req_info_clear(struct tcp_req_info* req)
|
||||
{
|
||||
struct tcp_req_open_item* open, *nopen;
|
||||
struct tcp_req_done_item* item, *nitem;
|
||||
if(!req) return;
|
||||
|
||||
/* free outstanding request mesh reply entries */
|
||||
open = req->open_req_list;
|
||||
while(open) {
|
||||
nopen = open->next;
|
||||
mesh_state_remove_reply(open->mesh, open->mesh_state, req->cp);
|
||||
free(open);
|
||||
open = nopen;
|
||||
}
|
||||
req->open_req_list = NULL;
|
||||
req->num_open_req = 0;
|
||||
|
||||
/* free pending writable result packets */
|
||||
item = req->done_req_list;
|
||||
while(item) {
|
||||
nitem = item->next;
|
||||
lock_basic_lock(&stream_wait_count_lock);
|
||||
stream_wait_count -= (sizeof(struct tcp_req_done_item)
|
||||
+item->len);
|
||||
lock_basic_unlock(&stream_wait_count_lock);
|
||||
free(item->buf);
|
||||
free(item);
|
||||
item = nitem;
|
||||
}
|
||||
req->done_req_list = NULL;
|
||||
req->num_done_req = 0;
|
||||
req->read_is_closed = 0;
|
||||
}
|
||||
|
||||
void
|
||||
tcp_req_info_remove_mesh_state(struct tcp_req_info* req, struct mesh_state* m)
|
||||
{
|
||||
struct tcp_req_open_item* open, *prev = NULL;
|
||||
if(!req || !m) return;
|
||||
open = req->open_req_list;
|
||||
while(open) {
|
||||
if(open->mesh_state == m) {
|
||||
struct tcp_req_open_item* next;
|
||||
if(prev) prev->next = open->next;
|
||||
else req->open_req_list = open->next;
|
||||
/* caller has to manage the mesh state reply entry */
|
||||
next = open->next;
|
||||
free(open);
|
||||
req->num_open_req --;
|
||||
|
||||
/* prev = prev; */
|
||||
open = next;
|
||||
continue;
|
||||
}
|
||||
prev = open;
|
||||
open = open->next;
|
||||
}
|
||||
}
|
||||
|
||||
/** setup listening for read or write */
|
||||
static void
|
||||
tcp_req_info_setup_listen(struct tcp_req_info* req)
|
||||
{
|
||||
int wr = 0;
|
||||
int rd = 0;
|
||||
|
||||
if(req->cp->tcp_byte_count != 0) {
|
||||
/* cannot change, halfway through */
|
||||
return;
|
||||
}
|
||||
|
||||
if(!req->cp->tcp_is_reading)
|
||||
wr = 1;
|
||||
if(req->num_open_req + req->num_done_req < TCP_MAX_REQ_SIMULTANEOUS &&
|
||||
!req->read_is_closed)
|
||||
rd = 1;
|
||||
|
||||
if(wr) {
|
||||
req->cp->tcp_is_reading = 0;
|
||||
comm_point_stop_listening(req->cp);
|
||||
comm_point_start_listening(req->cp, -1,
|
||||
req->cp->tcp_timeout_msec);
|
||||
} else if(rd) {
|
||||
req->cp->tcp_is_reading = 1;
|
||||
comm_point_stop_listening(req->cp);
|
||||
comm_point_start_listening(req->cp, -1,
|
||||
req->cp->tcp_timeout_msec);
|
||||
/* and also read it (from SSL stack buffers), so
|
||||
* no event read event is expected since the remainder of
|
||||
* the TLS frame is sitting in the buffers. */
|
||||
req->read_again = 1;
|
||||
} else {
|
||||
comm_point_stop_listening(req->cp);
|
||||
comm_point_start_listening(req->cp, -1,
|
||||
req->cp->tcp_timeout_msec);
|
||||
comm_point_listen_for_rw(req->cp, 0, 0);
|
||||
}
|
||||
}
|
||||
|
||||
/** remove first item from list of pending results */
|
||||
static struct tcp_req_done_item*
|
||||
tcp_req_info_pop_done(struct tcp_req_info* req)
|
||||
{
|
||||
struct tcp_req_done_item* item;
|
||||
log_assert(req->num_done_req > 0 && req->done_req_list);
|
||||
item = req->done_req_list;
|
||||
lock_basic_lock(&stream_wait_count_lock);
|
||||
stream_wait_count -= (sizeof(struct tcp_req_done_item)+item->len);
|
||||
lock_basic_unlock(&stream_wait_count_lock);
|
||||
req->done_req_list = req->done_req_list->next;
|
||||
req->num_done_req --;
|
||||
return item;
|
||||
}
|
||||
|
||||
/** Send given buffer and setup to write */
|
||||
static void
|
||||
tcp_req_info_start_write_buf(struct tcp_req_info* req, uint8_t* buf,
|
||||
size_t len)
|
||||
{
|
||||
sldns_buffer_clear(req->cp->buffer);
|
||||
sldns_buffer_write(req->cp->buffer, buf, len);
|
||||
sldns_buffer_flip(req->cp->buffer);
|
||||
|
||||
req->cp->tcp_is_reading = 0; /* we are now writing */
|
||||
}
|
||||
|
||||
/** pick up the next result and start writing it to the channel */
|
||||
static void
|
||||
tcp_req_pickup_next_result(struct tcp_req_info* req)
|
||||
{
|
||||
if(req->num_done_req > 0) {
|
||||
/* unlist the done item from the list of pending results */
|
||||
struct tcp_req_done_item* item = tcp_req_info_pop_done(req);
|
||||
tcp_req_info_start_write_buf(req, item->buf, item->len);
|
||||
free(item->buf);
|
||||
free(item);
|
||||
}
|
||||
}
|
||||
|
||||
/** the read channel has closed */
|
||||
int
|
||||
tcp_req_info_handle_read_close(struct tcp_req_info* req)
|
||||
{
|
||||
verbose(VERB_ALGO, "tcp channel read side closed %d", req->cp->fd);
|
||||
/* reset byte count for (potential) partial read */
|
||||
req->cp->tcp_byte_count = 0;
|
||||
/* if we still have results to write, pick up next and write it */
|
||||
if(req->num_done_req != 0) {
|
||||
tcp_req_pickup_next_result(req);
|
||||
tcp_req_info_setup_listen(req);
|
||||
return 1;
|
||||
}
|
||||
/* if nothing to do, this closes the connection */
|
||||
if(req->num_open_req == 0 && req->num_done_req == 0)
|
||||
return 0;
|
||||
/* otherwise, we must be waiting for dns resolve, wait with timeout */
|
||||
req->read_is_closed = 1;
|
||||
tcp_req_info_setup_listen(req);
|
||||
return 1;
|
||||
}
|
||||
|
||||
void
|
||||
tcp_req_info_handle_writedone(struct tcp_req_info* req)
|
||||
{
|
||||
/* back to reading state, we finished this write event */
|
||||
sldns_buffer_clear(req->cp->buffer);
|
||||
if(req->num_done_req == 0 && req->read_is_closed) {
|
||||
/* no more to write and nothing to read, close it */
|
||||
comm_point_drop_reply(&req->cp->repinfo);
|
||||
return;
|
||||
}
|
||||
req->cp->tcp_is_reading = 1;
|
||||
/* see if another result needs writing */
|
||||
tcp_req_pickup_next_result(req);
|
||||
|
||||
/* see if there is more to write, if not stop_listening for writing */
|
||||
/* see if new requests are allowed, if so, start_listening
|
||||
* for reading */
|
||||
tcp_req_info_setup_listen(req);
|
||||
}
|
||||
|
||||
void
|
||||
tcp_req_info_handle_readdone(struct tcp_req_info* req)
|
||||
{
|
||||
struct comm_point* c = req->cp;
|
||||
|
||||
/* we want to read up several requests, unless there are
|
||||
* pending answers */
|
||||
|
||||
req->is_drop = 0;
|
||||
req->is_reply = 0;
|
||||
req->in_worker_handle = 1;
|
||||
sldns_buffer_set_limit(req->spool_buffer, 0);
|
||||
/* handle the current request */
|
||||
/* this calls the worker handle request routine that could give
|
||||
* a cache response, or localdata response, or drop the reply,
|
||||
* or schedule a mesh entry for later */
|
||||
fptr_ok(fptr_whitelist_comm_point(c->callback));
|
||||
if( (*c->callback)(c, c->cb_arg, NETEVENT_NOERROR, &c->repinfo) ) {
|
||||
req->in_worker_handle = 0;
|
||||
/* there is an answer, put it up. It is already in the
|
||||
* c->buffer, just send it. */
|
||||
/* since we were just reading a query, the channel is
|
||||
* clear to write to */
|
||||
send_it:
|
||||
c->tcp_is_reading = 0;
|
||||
comm_point_stop_listening(c);
|
||||
comm_point_start_listening(c, -1, c->tcp_timeout_msec);
|
||||
return;
|
||||
}
|
||||
req->in_worker_handle = 0;
|
||||
/* it should be waiting in the mesh for recursion.
|
||||
* If mesh failed to add a new entry and called commpoint_drop_reply.
|
||||
* Then the mesh state has been cleared. */
|
||||
if(req->is_drop) {
|
||||
/* the reply has been dropped, stream has been closed. */
|
||||
return;
|
||||
}
|
||||
/* If mesh failed(mallocfail) and called commpoint_send_reply with
|
||||
* something like servfail then we pick up that reply below. */
|
||||
if(req->is_reply) {
|
||||
goto send_it;
|
||||
}
|
||||
|
||||
sldns_buffer_clear(c->buffer);
|
||||
/* if pending answers, pick up an answer and start sending it */
|
||||
tcp_req_pickup_next_result(req);
|
||||
|
||||
/* if answers pending, start sending answers */
|
||||
/* read more requests if we can have more requests */
|
||||
tcp_req_info_setup_listen(req);
|
||||
}
|
||||
|
||||
int
|
||||
tcp_req_info_add_meshstate(struct tcp_req_info* req,
|
||||
struct mesh_area* mesh, struct mesh_state* m)
|
||||
{
|
||||
struct tcp_req_open_item* item;
|
||||
log_assert(req && mesh && m);
|
||||
item = (struct tcp_req_open_item*)malloc(sizeof(*item));
|
||||
if(!item) return 0;
|
||||
item->next = req->open_req_list;
|
||||
item->mesh = mesh;
|
||||
item->mesh_state = m;
|
||||
req->open_req_list = item;
|
||||
req->num_open_req++;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** Add a result to the result list. At the end. */
|
||||
static int
|
||||
tcp_req_info_add_result(struct tcp_req_info* req, uint8_t* buf, size_t len)
|
||||
{
|
||||
struct tcp_req_done_item* last = NULL;
|
||||
struct tcp_req_done_item* item;
|
||||
size_t space;
|
||||
|
||||
/* see if we have space */
|
||||
space = sizeof(struct tcp_req_done_item) + len;
|
||||
lock_basic_lock(&stream_wait_count_lock);
|
||||
if(stream_wait_count + space > stream_wait_max) {
|
||||
lock_basic_unlock(&stream_wait_count_lock);
|
||||
verbose(VERB_ALGO, "drop stream reply, no space left, in stream-wait-size");
|
||||
return 0;
|
||||
}
|
||||
stream_wait_count += space;
|
||||
lock_basic_unlock(&stream_wait_count_lock);
|
||||
|
||||
/* find last element */
|
||||
last = req->done_req_list;
|
||||
while(last && last->next)
|
||||
last = last->next;
|
||||
|
||||
/* create new element */
|
||||
item = (struct tcp_req_done_item*)malloc(sizeof(*item));
|
||||
if(!item) {
|
||||
log_err("malloc failure, for stream result list");
|
||||
return 0;
|
||||
}
|
||||
item->next = NULL;
|
||||
item->len = len;
|
||||
item->buf = memdup(buf, len);
|
||||
if(!item->buf) {
|
||||
free(item);
|
||||
log_err("malloc failure, adding reply to stream result list");
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* link in */
|
||||
if(last) last->next = item;
|
||||
else req->done_req_list = item;
|
||||
req->num_done_req++;
|
||||
return 1;
|
||||
}
|
||||
|
||||
void
|
||||
tcp_req_info_send_reply(struct tcp_req_info* req)
|
||||
{
|
||||
if(req->in_worker_handle) {
|
||||
/* reply from mesh is in the spool_buffer */
|
||||
/* copy now, so that the spool buffer is free for other tasks
|
||||
* before the callback is done */
|
||||
sldns_buffer_clear(req->cp->buffer);
|
||||
sldns_buffer_write(req->cp->buffer,
|
||||
sldns_buffer_begin(req->spool_buffer),
|
||||
sldns_buffer_limit(req->spool_buffer));
|
||||
sldns_buffer_flip(req->cp->buffer);
|
||||
req->is_reply = 1;
|
||||
return;
|
||||
}
|
||||
/* now that the query has been handled, that mesh_reply entry
|
||||
* should be removed, from the tcp_req_info list,
|
||||
* the mesh state cleanup removes then with region_cleanup and
|
||||
* replies_sent true. */
|
||||
/* see if we can send it straight away (we are not doing
|
||||
* anything else). If so, copy to buffer and start */
|
||||
if(req->cp->tcp_is_reading && req->cp->tcp_byte_count == 0) {
|
||||
/* buffer is free, and was ready to read new query into,
|
||||
* but we are now going to use it to send this answer */
|
||||
tcp_req_info_start_write_buf(req,
|
||||
sldns_buffer_begin(req->spool_buffer),
|
||||
sldns_buffer_limit(req->spool_buffer));
|
||||
/* switch to listen to write events */
|
||||
comm_point_stop_listening(req->cp);
|
||||
comm_point_start_listening(req->cp, -1,
|
||||
req->cp->tcp_timeout_msec);
|
||||
return;
|
||||
}
|
||||
/* queue up the answer behind the others already pending */
|
||||
if(!tcp_req_info_add_result(req, sldns_buffer_begin(req->spool_buffer),
|
||||
sldns_buffer_limit(req->spool_buffer))) {
|
||||
/* drop the connection, we are out of resources */
|
||||
comm_point_drop_reply(&req->cp->repinfo);
|
||||
}
|
||||
}
|
||||
|
||||
size_t tcp_req_info_get_stream_buffer_size(void)
|
||||
{
|
||||
size_t s;
|
||||
if(!stream_wait_lock_inited)
|
||||
return stream_wait_count;
|
||||
lock_basic_lock(&stream_wait_count_lock);
|
||||
s = stream_wait_count;
|
||||
lock_basic_unlock(&stream_wait_count_lock);
|
||||
return s;
|
||||
}
|
||||
|
@ -237,4 +237,134 @@ int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
|
||||
*/
|
||||
int create_local_accept_sock(const char* path, int* noproto, int use_systemd);
|
||||
|
||||
/**
|
||||
* TCP request info. List of requests outstanding on the channel, that
|
||||
* are asked for but not yet answered back.
|
||||
*/
|
||||
struct tcp_req_info {
|
||||
/** the TCP comm point for this. Its buffer is used for read/write */
|
||||
struct comm_point* cp;
|
||||
/** the buffer to use to spool reply from mesh into,
|
||||
* it can then be copied to the result list and written.
|
||||
* it is a pointer to the shared udp buffer. */
|
||||
struct sldns_buffer* spool_buffer;
|
||||
/** are we in worker_handle function call (for recursion callback)*/
|
||||
int in_worker_handle;
|
||||
/** is the comm point dropped (by worker handle).
|
||||
* That means we have to disconnect the channel. */
|
||||
int is_drop;
|
||||
/** is the comm point set to send_reply (by mesh new client in worker
|
||||
* handle), if so answer is available in c.buffer */
|
||||
int is_reply;
|
||||
/** read channel has closed, just write pending results */
|
||||
int read_is_closed;
|
||||
/** read again */
|
||||
int read_again;
|
||||
/** number of outstanding requests */
|
||||
int num_open_req;
|
||||
/** list of outstanding requests */
|
||||
struct tcp_req_open_item* open_req_list;
|
||||
/** number of pending writeable results */
|
||||
int num_done_req;
|
||||
/** list of pending writable result packets, malloced one at a time */
|
||||
struct tcp_req_done_item* done_req_list;
|
||||
};
|
||||
|
||||
/**
|
||||
* List of open items in TCP channel
|
||||
*/
|
||||
struct tcp_req_open_item {
|
||||
/** next in list */
|
||||
struct tcp_req_open_item* next;
|
||||
/** the mesh area of the mesh_state */
|
||||
struct mesh_area* mesh;
|
||||
/** the mesh state */
|
||||
struct mesh_state* mesh_state;
|
||||
};
|
||||
|
||||
/**
|
||||
* List of done items in TCP channel
|
||||
*/
|
||||
struct tcp_req_done_item {
|
||||
/** next in list */
|
||||
struct tcp_req_done_item* next;
|
||||
/** the buffer with packet contents */
|
||||
uint8_t* buf;
|
||||
/** length of the buffer */
|
||||
size_t len;
|
||||
};
|
||||
|
||||
/**
|
||||
* Create tcp request info structure that keeps track of open
|
||||
* requests on the TCP channel that are resolved at the same time,
|
||||
* and the pending results that have to get written back to that client.
|
||||
* @param spoolbuf: shared buffer
|
||||
* @return new structure or NULL on alloc failure.
|
||||
*/
|
||||
struct tcp_req_info* tcp_req_info_create(struct sldns_buffer* spoolbuf);
|
||||
|
||||
/**
|
||||
* Delete tcp request structure. Called by owning commpoint.
|
||||
* Removes mesh entry references and stored results from the lists.
|
||||
* @param req: the tcp request info
|
||||
*/
|
||||
void tcp_req_info_delete(struct tcp_req_info* req);
|
||||
|
||||
/**
|
||||
* Clear tcp request structure. Removes list entries, sets it up ready
|
||||
* for the next connection.
|
||||
* @param req: tcp request info structure.
|
||||
*/
|
||||
void tcp_req_info_clear(struct tcp_req_info* req);
|
||||
|
||||
/**
|
||||
* Remove mesh state entry from list in tcp_req_info.
|
||||
* caller has to manage the mesh state reply entry in the mesh state.
|
||||
* @param req: the tcp req info that has the entry removed from the list.
|
||||
* @param m: the state removed from the list.
|
||||
*/
|
||||
void tcp_req_info_remove_mesh_state(struct tcp_req_info* req,
|
||||
struct mesh_state* m);
|
||||
|
||||
/**
|
||||
* Handle write done of the last result packet
|
||||
* @param req: the tcp req info.
|
||||
*/
|
||||
void tcp_req_info_handle_writedone(struct tcp_req_info* req);
|
||||
|
||||
/**
|
||||
* Handle read done of a new request from the client
|
||||
* @param req: the tcp req info.
|
||||
*/
|
||||
void tcp_req_info_handle_readdone(struct tcp_req_info* req);
|
||||
|
||||
/**
|
||||
* Add mesh state to the tcp req list of open requests.
|
||||
* So the comm_reply can be removed off the mesh reply list when
|
||||
* the tcp channel has to be closed (for other reasons then that that
|
||||
* request was done, eg. channel closed by client or some format error).
|
||||
* @param req: tcp req info structure. It keeps track of the simultaneous
|
||||
* requests and results on a tcp (or TLS) channel.
|
||||
* @param mesh: mesh area for the state.
|
||||
* @param m: mesh state to add.
|
||||
* @return 0 on failure (malloc failure).
|
||||
*/
|
||||
int tcp_req_info_add_meshstate(struct tcp_req_info* req,
|
||||
struct mesh_area* mesh, struct mesh_state* m);
|
||||
|
||||
/**
|
||||
* Send reply on tcp simultaneous answer channel. May queue it up.
|
||||
* @param req: request info structure.
|
||||
*/
|
||||
void tcp_req_info_send_reply(struct tcp_req_info* req);
|
||||
|
||||
/** the read channel has closed
|
||||
* @param req: request. remaining queries are looked up and answered.
|
||||
* @return zero if nothing to do, just close the tcp.
|
||||
*/
|
||||
int tcp_req_info_handle_read_close(struct tcp_req_info* req);
|
||||
|
||||
/** get the size of currently used tcp stream wait buffers (in bytes) */
|
||||
size_t tcp_req_info_get_stream_buffer_size(void);
|
||||
|
||||
#endif /* LISTEN_DNSPORT_H */
|
||||
|
@ -464,7 +464,8 @@ lz_enter_rr_into_zone(struct local_zone* z, const char* rrstr)
|
||||
return 0;
|
||||
}
|
||||
log_assert(z->dclass == rrclass);
|
||||
if(z->type == local_zone_redirect &&
|
||||
if((z->type == local_zone_redirect ||
|
||||
z->type == local_zone_inform_redirect) &&
|
||||
query_dname_compare(z->name, nm) != 0) {
|
||||
log_err("local-data in redirect zone must reside at top of zone"
|
||||
", not at %s", rrstr);
|
||||
@ -481,7 +482,8 @@ lz_enter_rr_into_zone(struct local_zone* z, const char* rrstr)
|
||||
|
||||
/* Reject it if we would end up having CNAME and other data (including
|
||||
* another CNAME) for a redirect zone. */
|
||||
if(z->type == local_zone_redirect && node->rrsets) {
|
||||
if((z->type == local_zone_redirect ||
|
||||
z->type == local_zone_inform_redirect) && node->rrsets) {
|
||||
const char* othertype = NULL;
|
||||
if (rrtype == LDNS_RR_TYPE_CNAME)
|
||||
othertype = "other";
|
||||
@ -1323,7 +1325,8 @@ local_data_answer(struct local_zone* z, struct module_env* env,
|
||||
key.name = qinfo->qname;
|
||||
key.namelen = qinfo->qname_len;
|
||||
key.namelabs = labs;
|
||||
if(lz_type == local_zone_redirect) {
|
||||
if(lz_type == local_zone_redirect ||
|
||||
lz_type == local_zone_inform_redirect) {
|
||||
key.name = z->name;
|
||||
key.namelen = z->namelen;
|
||||
key.namelabs = z->namelabs;
|
||||
@ -1355,7 +1358,8 @@ local_data_answer(struct local_zone* z, struct module_env* env,
|
||||
return 0;
|
||||
|
||||
/* Special case for alias matching. See local_data_answer(). */
|
||||
if(lz_type == local_zone_redirect &&
|
||||
if((lz_type == local_zone_redirect ||
|
||||
lz_type == local_zone_inform_redirect) &&
|
||||
qinfo->qtype != LDNS_RR_TYPE_CNAME &&
|
||||
lr->rrset->rk.type == htons(LDNS_RR_TYPE_CNAME)) {
|
||||
qinfo->local_alias =
|
||||
@ -1370,7 +1374,8 @@ local_data_answer(struct local_zone* z, struct module_env* env,
|
||||
qinfo->local_alias->rrset->rk.dname_len = qinfo->qname_len;
|
||||
return 1;
|
||||
}
|
||||
if(lz_type == local_zone_redirect) {
|
||||
if(lz_type == local_zone_redirect ||
|
||||
lz_type == local_zone_inform_redirect) {
|
||||
/* convert rrset name to query name; like a wildcard */
|
||||
struct ub_packed_rrset_key r = *lr->rrset;
|
||||
r.rk.dname = qinfo->qname;
|
||||
@ -1442,6 +1447,7 @@ lz_zone_answer(struct local_zone* z, struct module_env* env,
|
||||
return 1;
|
||||
} else if(lz_type == local_zone_static ||
|
||||
lz_type == local_zone_redirect ||
|
||||
lz_type == local_zone_inform_redirect ||
|
||||
lz_type == local_zone_always_nxdomain) {
|
||||
/* for static, reply nodata or nxdomain
|
||||
* for redirect, reply nodata */
|
||||
@ -1450,7 +1456,8 @@ lz_zone_answer(struct local_zone* z, struct module_env* env,
|
||||
* or using closest match for NSEC.
|
||||
* or using closest match for returning delegation downwards
|
||||
*/
|
||||
int rcode = (ld || lz_type == local_zone_redirect)?
|
||||
int rcode = (ld || lz_type == local_zone_redirect ||
|
||||
lz_type == local_zone_inform_redirect)?
|
||||
LDNS_RCODE_NOERROR:LDNS_RCODE_NXDOMAIN;
|
||||
if(z->soa)
|
||||
return local_encode(qinfo, env, edns, repinfo, buf, temp,
|
||||
@ -1624,7 +1631,9 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
|
||||
}
|
||||
}
|
||||
if((env->cfg->log_local_actions ||
|
||||
lzt == local_zone_inform || lzt == local_zone_inform_deny)
|
||||
lzt == local_zone_inform ||
|
||||
lzt == local_zone_inform_deny ||
|
||||
lzt == local_zone_inform_redirect)
|
||||
&& repinfo)
|
||||
lz_inform_print(z, qinfo, repinfo);
|
||||
|
||||
@ -1656,6 +1665,7 @@ const char* local_zone_type2str(enum localzone_type t)
|
||||
case local_zone_nodefault: return "nodefault";
|
||||
case local_zone_inform: return "inform";
|
||||
case local_zone_inform_deny: return "inform_deny";
|
||||
case local_zone_inform_redirect: return "inform_redirect";
|
||||
case local_zone_always_transparent: return "always_transparent";
|
||||
case local_zone_always_refuse: return "always_refuse";
|
||||
case local_zone_always_nxdomain: return "always_nxdomain";
|
||||
@ -1682,6 +1692,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
|
||||
*t = local_zone_inform;
|
||||
else if(strcmp(type, "inform_deny") == 0)
|
||||
*t = local_zone_inform_deny;
|
||||
else if(strcmp(type, "inform_redirect") == 0)
|
||||
*t = local_zone_inform_redirect;
|
||||
else if(strcmp(type, "always_transparent") == 0)
|
||||
*t = local_zone_always_transparent;
|
||||
else if(strcmp(type, "always_refuse") == 0)
|
||||
|
@ -83,6 +83,8 @@ enum localzone_type {
|
||||
local_zone_inform,
|
||||
/** log client address, and block (drop) */
|
||||
local_zone_inform_deny,
|
||||
/** log client address, and direct */
|
||||
local_zone_inform_redirect,
|
||||
/** resolve normally, even when there is local data */
|
||||
local_zone_always_transparent,
|
||||
/** answer with error, even when there is local data */
|
||||
@ -491,6 +493,8 @@ enum respip_action {
|
||||
respip_inform = local_zone_inform,
|
||||
/** log query source and don't answer query */
|
||||
respip_inform_deny = local_zone_inform_deny,
|
||||
/** log query source and redirect */
|
||||
respip_inform_redirect = local_zone_inform_redirect,
|
||||
/** resolve normally, even when there is response-ip data */
|
||||
respip_always_transparent = local_zone_always_transparent,
|
||||
/** answer with 'refused' response */
|
||||
|
@ -61,6 +61,7 @@
|
||||
#include "services/localzone.h"
|
||||
#include "util/data/dname.h"
|
||||
#include "respip/respip.h"
|
||||
#include "services/listen_dnsport.h"
|
||||
|
||||
/** subtract timers and the values do not overflow or become negative */
|
||||
static void
|
||||
@ -353,6 +354,10 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
|
||||
int was_detached = 0;
|
||||
int was_noreply = 0;
|
||||
int added = 0;
|
||||
struct sldns_buffer* r_buffer = rep->c->buffer;
|
||||
if(rep->c->tcp_req_info) {
|
||||
r_buffer = rep->c->tcp_req_info->spool_buffer;
|
||||
}
|
||||
if(!unique)
|
||||
s = mesh_area_find(mesh, cinfo, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
|
||||
/* does this create a new reply state? */
|
||||
@ -388,7 +393,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
|
||||
if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL, NULL,
|
||||
LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch))
|
||||
edns->opt_list = NULL;
|
||||
error_encode(rep->c->buffer, LDNS_RCODE_SERVFAIL,
|
||||
error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
|
||||
qinfo, qid, qflags, edns);
|
||||
comm_point_send_reply(rep);
|
||||
return;
|
||||
@ -404,7 +409,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
|
||||
if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL,
|
||||
NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch))
|
||||
edns->opt_list = NULL;
|
||||
error_encode(rep->c->buffer, LDNS_RCODE_SERVFAIL,
|
||||
error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
|
||||
qinfo, qid, qflags, edns);
|
||||
comm_point_send_reply(rep);
|
||||
return;
|
||||
@ -429,16 +434,23 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
|
||||
/* add reply to s */
|
||||
if(!mesh_state_add_reply(s, edns, rep, qid, qflags, qinfo)) {
|
||||
log_err("mesh_new_client: out of memory; SERVFAIL");
|
||||
servfail_mem:
|
||||
if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, &s->s,
|
||||
NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch))
|
||||
edns->opt_list = NULL;
|
||||
error_encode(rep->c->buffer, LDNS_RCODE_SERVFAIL,
|
||||
error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
|
||||
qinfo, qid, qflags, edns);
|
||||
comm_point_send_reply(rep);
|
||||
if(added)
|
||||
mesh_state_delete(&s->s);
|
||||
return;
|
||||
}
|
||||
if(rep->c->tcp_req_info) {
|
||||
if(!tcp_req_info_add_meshstate(rep->c->tcp_req_info, mesh, s)) {
|
||||
log_err("mesh_new_client: out of memory add tcpreqinfo");
|
||||
goto servfail_mem;
|
||||
}
|
||||
}
|
||||
/* update statistics */
|
||||
if(was_detached) {
|
||||
log_assert(mesh->num_detached_states > 0);
|
||||
@ -732,9 +744,13 @@ mesh_state_cleanup(struct mesh_state* mstate)
|
||||
mesh = mstate->s.env->mesh;
|
||||
/* drop unsent replies */
|
||||
if(!mstate->replies_sent) {
|
||||
struct mesh_reply* rep;
|
||||
struct mesh_reply* rep = mstate->reply_list;
|
||||
struct mesh_cb* cb;
|
||||
for(rep=mstate->reply_list; rep; rep=rep->next) {
|
||||
/* in tcp_req_info, the mstates linked are removed, but
|
||||
* the reply_list is now NULL, so the remove-from-empty-list
|
||||
* takes no time and also it does not do the mesh accounting */
|
||||
mstate->reply_list = NULL;
|
||||
for(; rep; rep=rep->next) {
|
||||
comm_point_drop_reply(&rep->query_reply);
|
||||
mesh->num_reply_addrs--;
|
||||
}
|
||||
@ -1031,11 +1047,14 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
|
||||
* @param rcode: if not 0, error code.
|
||||
* @param rep: reply to send (or NULL if rcode is set).
|
||||
* @param r: reply entry
|
||||
* @param r_buffer: buffer to use for reply entry.
|
||||
* @param prev: previous reply, already has its answer encoded in buffer.
|
||||
* @param prev_buffer: buffer for previous reply.
|
||||
*/
|
||||
static void
|
||||
mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
|
||||
struct mesh_reply* r, struct mesh_reply* prev)
|
||||
struct mesh_reply* r, struct sldns_buffer* r_buffer,
|
||||
struct mesh_reply* prev, struct sldns_buffer* prev_buffer)
|
||||
{
|
||||
struct timeval end_time;
|
||||
struct timeval duration;
|
||||
@ -1063,7 +1082,7 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
|
||||
* and still reuse the previous answer if they are the same, but that
|
||||
* would be complicated and error prone for the relatively minor case.
|
||||
* So we err on the side of safety. */
|
||||
if(prev && prev->qflags == r->qflags &&
|
||||
if(prev && prev_buffer && prev->qflags == r->qflags &&
|
||||
!prev->local_alias && !r->local_alias &&
|
||||
prev->edns.edns_present == r->edns.edns_present &&
|
||||
prev->edns.bits == r->edns.bits &&
|
||||
@ -1071,13 +1090,11 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
|
||||
edns_opt_list_compare(prev->edns.opt_list, r->edns.opt_list)
|
||||
== 0) {
|
||||
/* if the previous reply is identical to this one, fix ID */
|
||||
if(prev->query_reply.c->buffer != r->query_reply.c->buffer)
|
||||
sldns_buffer_copy(r->query_reply.c->buffer,
|
||||
prev->query_reply.c->buffer);
|
||||
sldns_buffer_write_at(r->query_reply.c->buffer, 0,
|
||||
&r->qid, sizeof(uint16_t));
|
||||
sldns_buffer_write_at(r->query_reply.c->buffer, 12,
|
||||
r->qname, m->s.qinfo.qname_len);
|
||||
if(prev_buffer != r_buffer)
|
||||
sldns_buffer_copy(r_buffer, prev_buffer);
|
||||
sldns_buffer_write_at(r_buffer, 0, &r->qid, sizeof(uint16_t));
|
||||
sldns_buffer_write_at(r_buffer, 12, r->qname,
|
||||
m->s.qinfo.qname_len);
|
||||
comm_point_send_reply(&r->query_reply);
|
||||
} else if(rcode) {
|
||||
m->s.qinfo.qname = r->qname;
|
||||
@ -1091,8 +1108,8 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
|
||||
&r->edns, NULL, m->s.region))
|
||||
r->edns.opt_list = NULL;
|
||||
}
|
||||
error_encode(r->query_reply.c->buffer, rcode, &m->s.qinfo,
|
||||
r->qid, r->qflags, &r->edns);
|
||||
error_encode(r_buffer, rcode, &m->s.qinfo, r->qid,
|
||||
r->qflags, &r->edns);
|
||||
comm_point_send_reply(&r->query_reply);
|
||||
} else {
|
||||
size_t udp_size = r->edns.udp_size;
|
||||
@ -1108,16 +1125,15 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
|
||||
m->s.env->cfg, r->query_reply.c,
|
||||
m->s.region) ||
|
||||
!reply_info_answer_encode(&m->s.qinfo, rep, r->qid,
|
||||
r->qflags, r->query_reply.c->buffer, 0, 1,
|
||||
m->s.env->scratch, udp_size, &r->edns,
|
||||
(int)(r->edns.bits & EDNS_DO), secure))
|
||||
r->qflags, r_buffer, 0, 1, m->s.env->scratch,
|
||||
udp_size, &r->edns, (int)(r->edns.bits & EDNS_DO),
|
||||
secure))
|
||||
{
|
||||
if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
|
||||
rep, LDNS_RCODE_SERVFAIL, &r->edns, NULL, m->s.region))
|
||||
r->edns.opt_list = NULL;
|
||||
error_encode(r->query_reply.c->buffer,
|
||||
LDNS_RCODE_SERVFAIL, &m->s.qinfo, r->qid,
|
||||
r->qflags, &r->edns);
|
||||
error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
|
||||
&m->s.qinfo, r->qid, r->qflags, &r->edns);
|
||||
}
|
||||
r->edns = edns_bak;
|
||||
comm_point_send_reply(&r->query_reply);
|
||||
@ -1132,19 +1148,17 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
|
||||
timeval_add(&m->s.env->mesh->replies_sum_wait, &duration);
|
||||
timehist_insert(m->s.env->mesh->histogram, &duration);
|
||||
if(m->s.env->cfg->stat_extended) {
|
||||
uint16_t rc = FLAGS_GET_RCODE(sldns_buffer_read_u16_at(r->
|
||||
query_reply.c->buffer, 2));
|
||||
uint16_t rc = FLAGS_GET_RCODE(sldns_buffer_read_u16_at(
|
||||
r_buffer, 2));
|
||||
if(secure) m->s.env->mesh->ans_secure++;
|
||||
m->s.env->mesh->ans_rcode[ rc ] ++;
|
||||
if(rc == 0 && LDNS_ANCOUNT(sldns_buffer_begin(r->
|
||||
query_reply.c->buffer)) == 0)
|
||||
if(rc == 0 && LDNS_ANCOUNT(sldns_buffer_begin(r_buffer)) == 0)
|
||||
m->s.env->mesh->ans_nodata++;
|
||||
}
|
||||
/* Log reply sent */
|
||||
if(m->s.env->cfg->log_replies) {
|
||||
log_reply_info(0, &m->s.qinfo, &r->query_reply.addr,
|
||||
r->query_reply.addrlen, duration, 0,
|
||||
r->query_reply.c->buffer);
|
||||
r->query_reply.addrlen, duration, 0, r_buffer);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1152,6 +1166,7 @@ void mesh_query_done(struct mesh_state* mstate)
|
||||
{
|
||||
struct mesh_reply* r;
|
||||
struct mesh_reply* prev = NULL;
|
||||
struct sldns_buffer* prev_buffer = NULL;
|
||||
struct mesh_cb* c;
|
||||
struct reply_info* rep = (mstate->s.return_msg?
|
||||
mstate->s.return_msg->rep:NULL);
|
||||
@ -1180,9 +1195,19 @@ void mesh_query_done(struct mesh_state* mstate)
|
||||
if(mstate->s.is_drop)
|
||||
comm_point_drop_reply(&r->query_reply);
|
||||
else {
|
||||
struct sldns_buffer* r_buffer = r->query_reply.c->buffer;
|
||||
if(r->query_reply.c->tcp_req_info) {
|
||||
r_buffer = r->query_reply.c->tcp_req_info->spool_buffer;
|
||||
prev_buffer = NULL;
|
||||
}
|
||||
mesh_send_reply(mstate, mstate->s.return_rcode, rep,
|
||||
r, prev);
|
||||
r, r_buffer, prev, prev_buffer);
|
||||
if(r->query_reply.c->tcp_req_info) {
|
||||
tcp_req_info_remove_mesh_state(r->query_reply.c->tcp_req_info, mstate);
|
||||
r_buffer = NULL;
|
||||
}
|
||||
prev = r;
|
||||
prev_buffer = r_buffer;
|
||||
}
|
||||
}
|
||||
mstate->replies_sent = 1;
|
||||
@ -1324,21 +1349,14 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
|
||||
log_assert(qinfo->local_alias->rrset->rk.dname ==
|
||||
sldns_buffer_at(rep->c->buffer, LDNS_HEADER_SIZE));
|
||||
|
||||
d = regional_alloc_init(s->s.region, dsrc,
|
||||
sizeof(struct packed_rrset_data)
|
||||
+ sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t));
|
||||
/* the rrset is not packed, like in the cache, but it is
|
||||
* individualy allocated with an allocator from localzone. */
|
||||
d = regional_alloc_zero(s->s.region, sizeof(*d));
|
||||
if(!d)
|
||||
return 0;
|
||||
r->local_alias->rrset->entry.data = d;
|
||||
d->rr_len = (size_t*)((uint8_t*)d +
|
||||
sizeof(struct packed_rrset_data));
|
||||
d->rr_data = (uint8_t**)&(d->rr_len[1]);
|
||||
d->rr_ttl = (time_t*)&(d->rr_data[1]);
|
||||
d->rr_len[0] = dsrc->rr_len[0];
|
||||
d->rr_ttl[0] = dsrc->rr_ttl[0];
|
||||
d->rr_data[0] = regional_alloc_init(s->s.region,
|
||||
dsrc->rr_data[0], d->rr_len[0]);
|
||||
if(!d->rr_data[0])
|
||||
if(!rrset_insert_rr(s->s.region, d, dsrc->rr_data[0],
|
||||
dsrc->rr_len[0], dsrc->rr_ttl[0], "CNAME local alias"))
|
||||
return 0;
|
||||
} else
|
||||
r->local_alias = NULL;
|
||||
@ -1392,7 +1410,7 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate,
|
||||
/* module is looping. Stop it. */
|
||||
log_err("internal error: looping module (%s) stopped",
|
||||
mesh->mods.mod[mstate->s.curmod]->name);
|
||||
log_query_info(VERB_QUERY, "pass error for qstate",
|
||||
log_query_info(0, "pass error for qstate",
|
||||
&mstate->s.qinfo);
|
||||
s = module_error;
|
||||
}
|
||||
@ -1613,3 +1631,38 @@ void mesh_list_remove(struct mesh_state* m, struct mesh_state** fp,
|
||||
m->prev->next = m->next;
|
||||
else *fp = m->next;
|
||||
}
|
||||
|
||||
void mesh_state_remove_reply(struct mesh_area* mesh, struct mesh_state* m,
|
||||
struct comm_point* cp)
|
||||
{
|
||||
struct mesh_reply* n, *prev = NULL;
|
||||
n = m->reply_list;
|
||||
/* when in mesh_cleanup, it sets the reply_list to NULL, so that
|
||||
* there is no accounting twice */
|
||||
if(!n) return; /* nothing to remove, also no accounting needed */
|
||||
while(n) {
|
||||
if(n->query_reply.c == cp) {
|
||||
/* unlink it */
|
||||
if(prev) prev->next = n->next;
|
||||
else m->reply_list = n->next;
|
||||
/* delete it, but allocated in m region */
|
||||
mesh->num_reply_addrs--;
|
||||
|
||||
/* prev = prev; */
|
||||
n = n->next;
|
||||
continue;
|
||||
}
|
||||
prev = n;
|
||||
n = n->next;
|
||||
}
|
||||
/* it was not detached (because it had a reply list), could be now */
|
||||
if(!m->reply_list && !m->cb_list
|
||||
&& m->super_set.count == 0) {
|
||||
mesh->num_detached_states++;
|
||||
}
|
||||
/* if not replies any more in mstate, it is no longer a reply_state */
|
||||
if(!m->reply_list && !m->cb_list) {
|
||||
log_assert(mesh->num_reply_states > 0);
|
||||
mesh->num_reply_states--;
|
||||
}
|
||||
}
|
||||
|
@ -65,7 +65,7 @@ struct respip_client_info;
|
||||
* Maximum number of mesh state activations. Any more is likely an
|
||||
* infinite loop in the module. It is then terminated.
|
||||
*/
|
||||
#define MESH_MAX_ACTIVATION 3000
|
||||
#define MESH_MAX_ACTIVATION 10000
|
||||
|
||||
/**
|
||||
* Max number of references-to-references-to-references.. search size.
|
||||
@ -633,4 +633,14 @@ void mesh_list_insert(struct mesh_state* m, struct mesh_state** fp,
|
||||
void mesh_list_remove(struct mesh_state* m, struct mesh_state** fp,
|
||||
struct mesh_state** lp);
|
||||
|
||||
/**
|
||||
* Remove mesh reply entry from the reply entry list. Searches for
|
||||
* the comm_point pointer.
|
||||
* @param mesh: to update the counters.
|
||||
* @param m: the mesh state.
|
||||
* @param cp: the comm_point to remove from the list.
|
||||
*/
|
||||
void mesh_state_remove_reply(struct mesh_area* mesh, struct mesh_state* m,
|
||||
struct comm_point* cp);
|
||||
|
||||
#endif /* SERVICES_MESH_H */
|
||||
|
@ -113,8 +113,14 @@ modstack_config(struct module_stack* stack, const char* module_conf)
|
||||
for(i=0; i<stack->num; i++) {
|
||||
stack->mod[i] = module_factory(&module_conf);
|
||||
if(!stack->mod[i]) {
|
||||
log_err("Unknown value for next module: '%s'",
|
||||
module_conf);
|
||||
char md[256];
|
||||
snprintf(md, sizeof(md), "%s", module_conf);
|
||||
if(strchr(md, ' ')) *(strchr(md, ' ')) = 0;
|
||||
if(strchr(md, '\t')) *(strchr(md, '\t')) = 0;
|
||||
log_err("Unknown value in module-config, module: '%s'."
|
||||
" This module is not present (not compiled in),"
|
||||
" See the list of linked modules with unbound -h",
|
||||
md);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
@ -63,6 +63,9 @@
|
||||
#ifdef HAVE_OPENSSL_SSL_H
|
||||
#include <openssl/ssl.h>
|
||||
#endif
|
||||
#ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST
|
||||
#include <openssl/x509v3.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_NETDB_H
|
||||
#include <netdb.h>
|
||||
@ -361,6 +364,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
|
||||
comm_point_close(pend->c);
|
||||
return 0;
|
||||
}
|
||||
verbose(VERB_ALGO, "the query is using TLS encryption, for %s",
|
||||
(w->tls_auth_name?w->tls_auth_name:"an unauthenticated connection"));
|
||||
#ifdef USE_WINSOCK
|
||||
comm_point_tcp_win_bio_cb(pend->c, pend->c->ssl);
|
||||
#endif
|
||||
@ -385,6 +390,24 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
|
||||
/* openssl 1.0.2 has this function that can be used for
|
||||
* set1_host like verification */
|
||||
if(w->tls_auth_name) {
|
||||
X509_VERIFY_PARAM* param = SSL_get0_param(pend->c->ssl);
|
||||
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
||||
if(!X509_VERIFY_PARAM_set1_host(param, w->tls_auth_name, strlen(w->tls_auth_name))) {
|
||||
log_err("X509_VERIFY_PARAM_set1_host failed");
|
||||
pend->c->fd = s;
|
||||
SSL_free(pend->c->ssl);
|
||||
pend->c->ssl = NULL;
|
||||
comm_point_close(pend->c);
|
||||
return 0;
|
||||
}
|
||||
SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL);
|
||||
}
|
||||
#else
|
||||
verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication");
|
||||
#endif /* HAVE_SSL_SET1_HOST */
|
||||
}
|
||||
w->pkt = NULL;
|
||||
@ -759,7 +782,7 @@ outside_network_create(struct comm_base *base, size_t bufsize,
|
||||
outnet->delay_tv.tv_usec = (delayclose%1000)*1000;
|
||||
}
|
||||
#endif
|
||||
if(numavailports == 0) {
|
||||
if(numavailports == 0 || num_ports == 0) {
|
||||
log_err("no outgoing ports available");
|
||||
outside_network_delete(outnet);
|
||||
return NULL;
|
||||
@ -1487,7 +1510,6 @@ serviced_delete(struct serviced_query* sq)
|
||||
/* clear up the pending query */
|
||||
if(sq->status == serviced_query_UDP_EDNS ||
|
||||
sq->status == serviced_query_UDP ||
|
||||
sq->status == serviced_query_PROBE_EDNS ||
|
||||
sq->status == serviced_query_UDP_EDNS_FRAG ||
|
||||
sq->status == serviced_query_UDP_EDNS_fallback) {
|
||||
struct pending* p = (struct pending*)sq->pending;
|
||||
@ -1614,15 +1636,7 @@ serviced_udp_send(struct serviced_query* sq, sldns_buffer* buff)
|
||||
sq->last_rtt = rtt;
|
||||
verbose(VERB_ALGO, "EDNS lookup known=%d vs=%d", edns_lame_known, vs);
|
||||
if(sq->status == serviced_initial) {
|
||||
if(edns_lame_known == 0 && rtt > 5000 && rtt < 10001) {
|
||||
/* perform EDNS lame probe - check if server is
|
||||
* EDNS lame (EDNS queries to it are dropped) */
|
||||
verbose(VERB_ALGO, "serviced query: send probe to see "
|
||||
" if use of EDNS causes timeouts");
|
||||
/* even 700 msec may be too small */
|
||||
rtt = 1000;
|
||||
sq->status = serviced_query_PROBE_EDNS;
|
||||
} else if(vs != -1) {
|
||||
if(vs != -1) {
|
||||
sq->status = serviced_query_UDP_EDNS;
|
||||
} else {
|
||||
sq->status = serviced_query_UDP;
|
||||
@ -1876,7 +1890,7 @@ serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff)
|
||||
if(!sq->pending) {
|
||||
/* delete from tree so that a retry by above layer does not
|
||||
* clash with this entry */
|
||||
log_err("serviced_tcp_initiate: failed to send tcp query");
|
||||
verbose(VERB_ALGO, "serviced_tcp_initiate: failed to send tcp query");
|
||||
serviced_callbacks(sq, NETEVENT_CLOSED, NULL, NULL);
|
||||
}
|
||||
}
|
||||
@ -1954,17 +1968,10 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
|
||||
struct serviced_query* sq = (struct serviced_query*)arg;
|
||||
struct outside_network* outnet = sq->outnet;
|
||||
struct timeval now = *sq->outnet->now_tv;
|
||||
int fallback_tcp = 0;
|
||||
|
||||
sq->pending = NULL; /* removed after callback */
|
||||
if(error == NETEVENT_TIMEOUT) {
|
||||
int rto = 0;
|
||||
if(sq->status == serviced_query_PROBE_EDNS) {
|
||||
/* non-EDNS probe failed; we do not know its status,
|
||||
* keep trying with EDNS, timeout may not be caused
|
||||
* by EDNS. */
|
||||
sq->status = serviced_query_UDP_EDNS;
|
||||
}
|
||||
if(sq->status == serviced_query_UDP_EDNS && sq->last_rtt < 5000) {
|
||||
/* fallback to 1480/1280 */
|
||||
sq->status = serviced_query_UDP_EDNS_FRAG;
|
||||
@ -1992,14 +1999,8 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
if(rto >= RTT_MAX_TIMEOUT) {
|
||||
/* fallback_tcp = 1; */
|
||||
/* UDP does not work, fallback to TCP below */
|
||||
} else {
|
||||
serviced_callbacks(sq, NETEVENT_TIMEOUT, c, rep);
|
||||
return 0;
|
||||
}
|
||||
} else if(error != NETEVENT_NOERROR) {
|
||||
}
|
||||
if(error != NETEVENT_NOERROR) {
|
||||
/* udp returns error (due to no ID or interface available) */
|
||||
serviced_callbacks(sq, error, c, rep);
|
||||
return 0;
|
||||
@ -2012,9 +2013,8 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
|
||||
sq->zone, sq->zonelen, sq->qbuf, sq->qbuflen,
|
||||
&sq->last_sent_time, sq->outnet->now_tv, c->buffer);
|
||||
#endif
|
||||
if(!fallback_tcp) {
|
||||
if( (sq->status == serviced_query_UDP_EDNS
|
||||
||sq->status == serviced_query_UDP_EDNS_FRAG)
|
||||
if( (sq->status == serviced_query_UDP_EDNS
|
||||
||sq->status == serviced_query_UDP_EDNS_FRAG)
|
||||
&& (LDNS_RCODE_WIRE(sldns_buffer_begin(c->buffer))
|
||||
== LDNS_RCODE_FORMERR || LDNS_RCODE_WIRE(
|
||||
sldns_buffer_begin(c->buffer)) == LDNS_RCODE_NOTIMPL
|
||||
@ -2028,19 +2028,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
|
||||
serviced_callbacks(sq, NETEVENT_CLOSED, c, rep);
|
||||
}
|
||||
return 0;
|
||||
} else if(sq->status == serviced_query_PROBE_EDNS) {
|
||||
/* probe without EDNS succeeds, so we conclude that this
|
||||
* host likely has EDNS packets dropped */
|
||||
log_addr(VERB_DETAIL, "timeouts, concluded that connection to "
|
||||
"host drops EDNS packets", &sq->addr, sq->addrlen);
|
||||
/* only store noEDNS in cache if domain is noDNSSEC */
|
||||
if(!sq->want_dnssec)
|
||||
if(!infra_edns_update(outnet->infra, &sq->addr, sq->addrlen,
|
||||
sq->zone, sq->zonelen, -1, (time_t)now.tv_sec)) {
|
||||
log_err("Out of memory caching no edns for host");
|
||||
}
|
||||
sq->status = serviced_query_UDP;
|
||||
} else if(sq->status == serviced_query_UDP_EDNS &&
|
||||
} else if(sq->status == serviced_query_UDP_EDNS &&
|
||||
!sq->edns_lame_known) {
|
||||
/* now we know that edns queries received answers store that */
|
||||
log_addr(VERB_ALGO, "serviced query: EDNS works for",
|
||||
@ -2050,7 +2038,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
|
||||
log_err("Out of memory caching edns works");
|
||||
}
|
||||
sq->edns_lame_known = 1;
|
||||
} else if(sq->status == serviced_query_UDP_EDNS_fallback &&
|
||||
} else if(sq->status == serviced_query_UDP_EDNS_fallback &&
|
||||
!sq->edns_lame_known && (LDNS_RCODE_WIRE(
|
||||
sldns_buffer_begin(c->buffer)) == LDNS_RCODE_NOERROR ||
|
||||
LDNS_RCODE_WIRE(sldns_buffer_begin(c->buffer)) ==
|
||||
@ -2068,12 +2056,12 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
|
||||
}
|
||||
} else {
|
||||
log_addr(VERB_ALGO, "serviced query: EDNS fails, but "
|
||||
"not stored because need DNSSEC for", &sq->addr,
|
||||
"not stored because need DNSSEC for", &sq->addr,
|
||||
sq->addrlen);
|
||||
}
|
||||
sq->status = serviced_query_UDP;
|
||||
}
|
||||
if(now.tv_sec > sq->last_sent_time.tv_sec ||
|
||||
}
|
||||
if(now.tv_sec > sq->last_sent_time.tv_sec ||
|
||||
(now.tv_sec == sq->last_sent_time.tv_sec &&
|
||||
now.tv_usec > sq->last_sent_time.tv_usec)) {
|
||||
/* convert from microseconds to milliseconds */
|
||||
@ -2089,11 +2077,10 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
|
||||
sq->last_rtt, (time_t)now.tv_sec))
|
||||
log_err("out of memory noting rtt.");
|
||||
}
|
||||
}
|
||||
} /* end of if_!fallback_tcp */
|
||||
}
|
||||
/* perform TC flag check and TCP fallback after updating our
|
||||
* cache entries for EDNS status and RTT times */
|
||||
if(LDNS_TC_WIRE(sldns_buffer_begin(c->buffer)) || fallback_tcp) {
|
||||
if(LDNS_TC_WIRE(sldns_buffer_begin(c->buffer))) {
|
||||
/* fallback to TCP */
|
||||
/* this discards partial UDP contents */
|
||||
if(sq->status == serviced_query_UDP_EDNS ||
|
||||
@ -2294,11 +2281,60 @@ outnet_comm_point_for_udp(struct outside_network* outnet,
|
||||
return cp;
|
||||
}
|
||||
|
||||
/** setup SSL for comm point */
|
||||
static int
|
||||
setup_comm_ssl(struct comm_point* cp, struct outside_network* outnet,
|
||||
int fd, char* host)
|
||||
{
|
||||
cp->ssl = outgoing_ssl_fd(outnet->sslctx, fd);
|
||||
if(!cp->ssl) {
|
||||
log_err("cannot create SSL object");
|
||||
return 0;
|
||||
}
|
||||
#ifdef USE_WINSOCK
|
||||
comm_point_tcp_win_bio_cb(cp, cp->ssl);
|
||||
#endif
|
||||
cp->ssl_shake_state = comm_ssl_shake_write;
|
||||
/* https verification */
|
||||
#ifdef HAVE_SSL_SET1_HOST
|
||||
if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) {
|
||||
/* because we set SSL_VERIFY_PEER, in netevent in
|
||||
* ssl_handshake, it'll check if the certificate
|
||||
* verification has succeeded */
|
||||
/* SSL_VERIFY_PEER is set on the sslctx */
|
||||
/* and the certificates to verify with are loaded into
|
||||
* it with SSL_load_verify_locations or
|
||||
* SSL_CTX_set_default_verify_paths */
|
||||
/* setting the hostname makes openssl verify the
|
||||
* host name in the x509 certificate in the
|
||||
* SSL connection*/
|
||||
if(!SSL_set1_host(cp->ssl, host)) {
|
||||
log_err("SSL_set1_host failed");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
|
||||
/* openssl 1.0.2 has this function that can be used for
|
||||
* set1_host like verification */
|
||||
if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) {
|
||||
X509_VERIFY_PARAM* param = SSL_get0_param(cp->ssl);
|
||||
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
||||
if(!X509_VERIFY_PARAM_set1_host(param, host, strlen(host))) {
|
||||
log_err("X509_VERIFY_PARAM_set1_host failed");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#else
|
||||
(void)host;
|
||||
#endif /* HAVE_SSL_SET1_HOST */
|
||||
return 1;
|
||||
}
|
||||
|
||||
struct comm_point*
|
||||
outnet_comm_point_for_tcp(struct outside_network* outnet,
|
||||
comm_point_callback_type* cb, void* cb_arg,
|
||||
struct sockaddr_storage* to_addr, socklen_t to_addrlen,
|
||||
sldns_buffer* query, int timeout)
|
||||
sldns_buffer* query, int timeout, int ssl, char* host)
|
||||
{
|
||||
struct comm_point* cp;
|
||||
int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss);
|
||||
@ -2318,6 +2354,16 @@ outnet_comm_point_for_tcp(struct outside_network* outnet,
|
||||
}
|
||||
cp->repinfo.addrlen = to_addrlen;
|
||||
memcpy(&cp->repinfo.addr, to_addr, to_addrlen);
|
||||
|
||||
/* setup for SSL (if needed) */
|
||||
if(ssl) {
|
||||
if(!setup_comm_ssl(cp, outnet, fd, host)) {
|
||||
log_err("cannot setup XoT");
|
||||
comm_point_delete(cp);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
/* set timeout on TCP connection */
|
||||
comm_point_start_listening(cp, fd, timeout);
|
||||
/* copy scratch buffer to cp->buffer */
|
||||
@ -2374,36 +2420,11 @@ outnet_comm_point_for_http(struct outside_network* outnet,
|
||||
|
||||
/* setup for SSL (if needed) */
|
||||
if(ssl) {
|
||||
cp->ssl = outgoing_ssl_fd(outnet->sslctx, fd);
|
||||
if(!cp->ssl) {
|
||||
if(!setup_comm_ssl(cp, outnet, fd, host)) {
|
||||
log_err("cannot setup https");
|
||||
comm_point_delete(cp);
|
||||
return NULL;
|
||||
}
|
||||
#ifdef USE_WINSOCK
|
||||
comm_point_tcp_win_bio_cb(cp, cp->ssl);
|
||||
#endif
|
||||
cp->ssl_shake_state = comm_ssl_shake_write;
|
||||
/* https verification */
|
||||
#ifdef HAVE_SSL_SET1_HOST
|
||||
if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) {
|
||||
/* because we set SSL_VERIFY_PEER, in netevent in
|
||||
* ssl_handshake, it'll check if the certificate
|
||||
* verification has succeeded */
|
||||
/* SSL_VERIFY_PEER is set on the sslctx */
|
||||
/* and the certificates to verify with are loaded into
|
||||
* it with SSL_load_verify_locations or
|
||||
* SSL_CTX_set_default_verify_paths */
|
||||
/* setting the hostname makes openssl verify the
|
||||
* host name in the x509 certificate in the
|
||||
* SSL connection*/
|
||||
if(!SSL_set1_host(cp->ssl, host)) {
|
||||
log_err("SSL_set1_host failed");
|
||||
comm_point_delete(cp);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
#endif /* HAVE_SSL_SET1_HOST */
|
||||
}
|
||||
|
||||
/* set timeout on TCP connection */
|
||||
@ -2508,7 +2529,6 @@ serviced_get_mem(struct serviced_query* sq)
|
||||
s += sizeof(*sb);
|
||||
if(sq->status == serviced_query_UDP_EDNS ||
|
||||
sq->status == serviced_query_UDP ||
|
||||
sq->status == serviced_query_PROBE_EDNS ||
|
||||
sq->status == serviced_query_UDP_EDNS_FRAG ||
|
||||
sq->status == serviced_query_UDP_EDNS_fallback) {
|
||||
s += sizeof(struct pending);
|
||||
|
@ -359,8 +359,6 @@ struct serviced_query {
|
||||
serviced_query_TCP_EDNS,
|
||||
/** TCP without EDNS sent */
|
||||
serviced_query_TCP,
|
||||
/** probe to test EDNS lameness (EDNS is dropped) */
|
||||
serviced_query_PROBE_EDNS,
|
||||
/** probe to test noEDNS0 (EDNS gives FORMERRorNOTIMP) */
|
||||
serviced_query_UDP_EDNS_fallback,
|
||||
/** probe to test TCP noEDNS0 (EDNS gives FORMERRorNOTIMP) */
|
||||
@ -572,12 +570,14 @@ struct comm_point* outnet_comm_point_for_udp(struct outside_network* outnet,
|
||||
* @param timeout: timeout for the TCP connection.
|
||||
* timeout in milliseconds, or -1 for no (change to the) timeout.
|
||||
* So seconds*1000.
|
||||
* @param ssl: set to true for TLS.
|
||||
* @param host: hostname for host name verification of TLS (or NULL if no TLS).
|
||||
* @return tcp_out commpoint, or NULL.
|
||||
*/
|
||||
struct comm_point* outnet_comm_point_for_tcp(struct outside_network* outnet,
|
||||
comm_point_callback_type* cb, void* cb_arg,
|
||||
struct sockaddr_storage* to_addr, socklen_t to_addrlen,
|
||||
struct sldns_buffer* query, int timeout);
|
||||
struct sldns_buffer* query, int timeout, int ssl, char* host);
|
||||
|
||||
/**
|
||||
* Create http commpoint suitable for communication to the destination.
|
||||
|
@ -1908,8 +1908,8 @@ int sldns_wire2str_edns_subnet_print(char** s, size_t* sl, uint8_t* data,
|
||||
return w;
|
||||
}
|
||||
|
||||
static int sldns_wire2str_edns_keepalive_print(char** s, size_t* sl, uint8_t* data,
|
||||
size_t len)
|
||||
static int sldns_wire2str_edns_keepalive_print(char** s, size_t* sl,
|
||||
uint8_t* data, size_t len)
|
||||
{
|
||||
int w = 0;
|
||||
uint16_t timeout;
|
||||
|
@ -431,7 +431,7 @@ check_modules_exist(const char* module_conf)
|
||||
|
||||
/** check configuration for errors */
|
||||
static void
|
||||
morechecks(struct config_file* cfg, const char* fname)
|
||||
morechecks(struct config_file* cfg)
|
||||
{
|
||||
warn_hosts("stub-host", cfg->stubs);
|
||||
warn_hosts("forward-host", cfg->forwards);
|
||||
@ -463,19 +463,6 @@ morechecks(struct config_file* cfg, const char* fname)
|
||||
!is_dir(cfg->chrootdir)) {
|
||||
fatal_exit("bad chroot directory");
|
||||
}
|
||||
if(cfg->chrootdir && cfg->chrootdir[0]) {
|
||||
char buf[10240];
|
||||
buf[0] = 0;
|
||||
if(fname[0] != '/') {
|
||||
if(getcwd(buf, sizeof(buf)) == NULL)
|
||||
fatal_exit("getcwd: %s", strerror(errno));
|
||||
(void)strlcat(buf, "/", sizeof(buf));
|
||||
}
|
||||
(void)strlcat(buf, fname, sizeof(buf));
|
||||
if(strncmp(buf, cfg->chrootdir, strlen(cfg->chrootdir)) != 0)
|
||||
fatal_exit("config file %s is not inside chroot %s",
|
||||
buf, cfg->chrootdir);
|
||||
}
|
||||
if(cfg->directory && cfg->directory[0]) {
|
||||
char* ad = fname_after_chroot(cfg->directory, cfg, 0);
|
||||
if(!ad) fatal_exit("out of memory");
|
||||
@ -680,7 +667,7 @@ checkconf(const char* cfgfile, const char* opt, int final)
|
||||
config_delete(cfg);
|
||||
return;
|
||||
}
|
||||
morechecks(cfg, cfgfile);
|
||||
morechecks(cfg);
|
||||
check_mod(cfg, iter_get_funcblock());
|
||||
check_mod(cfg, val_get_funcblock());
|
||||
#ifdef WITH_PYTHONMODULE
|
||||
|
@ -148,8 +148,8 @@ test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
|
||||
# echo "empty password is used, simply click OK on the password dialog box."
|
||||
# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
|
||||
|
||||
# remove unused permissions
|
||||
chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
|
||||
# set desired permissions
|
||||
chmod 0640 $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
|
||||
|
||||
# remove crap
|
||||
rm -f request.cfg
|
||||
|
@ -148,8 +148,8 @@ test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
|
||||
# echo "empty password is used, simply click OK on the password dialog box."
|
||||
# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
|
||||
|
||||
# remove unused permissions
|
||||
chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
|
||||
# set desired permissions
|
||||
chmod 0640 $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
|
||||
|
||||
# remove crap
|
||||
rm -f request.cfg
|
||||
|
@ -154,6 +154,8 @@ usage(void)
|
||||
printf(" view_local_zone view name type add local-zone in view\n");
|
||||
printf(" view_local_zone_remove view name remove local-zone in view\n");
|
||||
printf(" view_local_data view RR... add local-data in view\n");
|
||||
printf(" view_local_datas view add list of local-data to view\n");
|
||||
printf(" one entry per line read from stdin\n");
|
||||
printf(" view_local_data_remove view name remove local-data in view\n");
|
||||
printf("Version %s\n", PACKAGE_VERSION);
|
||||
printf("BSD licensed, see LICENSE in source package for details.\n");
|
||||
@ -245,7 +247,8 @@ static void print_uptime(struct ub_shm_stat_info* shm_stat)
|
||||
}
|
||||
|
||||
/** print memory usage */
|
||||
static void print_mem(struct ub_shm_stat_info* shm_stat)
|
||||
static void print_mem(struct ub_shm_stat_info* shm_stat,
|
||||
struct ub_stats_info* s)
|
||||
{
|
||||
PR_LL("mem.cache.rrset", shm_stat->mem.rrset);
|
||||
PR_LL("mem.cache.message", shm_stat->mem.msg);
|
||||
@ -264,6 +267,7 @@ static void print_mem(struct ub_shm_stat_info* shm_stat)
|
||||
PR_LL("mem.cache.dnscrypt_nonce",
|
||||
shm_stat->mem.dnscrypt_nonce);
|
||||
#endif
|
||||
PR_LL("mem.streamwait", s->svr.mem_stream_wait);
|
||||
}
|
||||
|
||||
/** print histogram */
|
||||
@ -326,6 +330,7 @@ static void print_extended(struct ub_stats_info* s)
|
||||
PR_UL("num.query.tcp", s->svr.qtcp);
|
||||
PR_UL("num.query.tcpout", s->svr.qtcp_outgoing);
|
||||
PR_UL("num.query.tls", s->svr.qtls);
|
||||
PR_UL("num.query.tls_resume", s->svr.qtls_resume);
|
||||
PR_UL("num.query.ipv6", s->svr.qipv6);
|
||||
|
||||
/* flags */
|
||||
@ -397,7 +402,7 @@ static void do_stats_shm(struct config_file* cfg, struct ub_stats_info* stats,
|
||||
pr_stats("total", &stats[0]);
|
||||
print_uptime(shm_stat);
|
||||
if(cfg->stat_extended) {
|
||||
print_mem(shm_stat);
|
||||
print_mem(shm_stat, &stats[0]);
|
||||
print_hist(stats);
|
||||
print_extended(stats);
|
||||
}
|
||||
@ -717,9 +722,10 @@ go_cmd(SSL* ssl, int fd, int quiet, int argc, char* argv[])
|
||||
if(argc == 1 && strcmp(argv[0], "load_cache") == 0) {
|
||||
send_file(ssl, fd, stdin, buf, sizeof(buf));
|
||||
}
|
||||
else if(argc == 1 && (strcmp(argv[0], "local_zones") == 0 ||
|
||||
else if(argc >= 1 && (strcmp(argv[0], "local_zones") == 0 ||
|
||||
strcmp(argv[0], "local_zones_remove") == 0 ||
|
||||
strcmp(argv[0], "local_datas") == 0 ||
|
||||
strcmp(argv[0], "view_local_datas") == 0 ||
|
||||
strcmp(argv[0], "local_datas_remove") == 0)) {
|
||||
send_file(ssl, fd, stdin, buf, sizeof(buf));
|
||||
send_eof(ssl, fd);
|
||||
|
@ -376,6 +376,7 @@ void *unbound_stat_malloc(size_t size)
|
||||
{
|
||||
void* res;
|
||||
if(size == 0) size = 1;
|
||||
log_assert(size <= SIZE_MAX-16);
|
||||
res = malloc(size+16);
|
||||
if(!res) return NULL;
|
||||
unbound_mem_alloc += size;
|
||||
@ -398,6 +399,7 @@ void *unbound_stat_calloc(size_t nmemb, size_t size)
|
||||
if(nmemb != 0 && INT_MAX/nmemb < size)
|
||||
return NULL; /* integer overflow check */
|
||||
s = (nmemb*size==0)?(size_t)1:nmemb*size;
|
||||
log_assert(s <= SIZE_MAX-16);
|
||||
res = calloc(1, s+16);
|
||||
if(!res) return NULL;
|
||||
log_info("stat %p=calloc(%u, %u)", res+16, (unsigned)nmemb, (unsigned)size);
|
||||
@ -447,6 +449,7 @@ void *unbound_stat_realloc(void *ptr, size_t size)
|
||||
/* nothing changes */
|
||||
return ptr;
|
||||
}
|
||||
log_assert(size <= SIZE_MAX-16);
|
||||
res = malloc(size+16);
|
||||
if(!res) return NULL;
|
||||
unbound_mem_alloc += size;
|
||||
@ -521,7 +524,9 @@ void *unbound_stat_malloc_lite(size_t size, const char* file, int line,
|
||||
const char* func)
|
||||
{
|
||||
/* [prefix .. len .. actual data .. suffix] */
|
||||
void* res = malloc(size+lite_pad*2+sizeof(size_t));
|
||||
void* res;
|
||||
log_assert(size <= SIZE_MAX-(lite_pad*2+sizeof(size_t)));
|
||||
res = malloc(size+lite_pad*2+sizeof(size_t));
|
||||
if(!res) return NULL;
|
||||
memmove(res, lite_pre, lite_pad);
|
||||
memmove(res+lite_pad, &size, sizeof(size_t));
|
||||
@ -538,6 +543,7 @@ void *unbound_stat_calloc_lite(size_t nmemb, size_t size, const char* file,
|
||||
if(nmemb != 0 && INT_MAX/nmemb < size)
|
||||
return NULL; /* integer overflow check */
|
||||
req = nmemb * size;
|
||||
log_assert(req <= SIZE_MAX-(lite_pad*2+sizeof(size_t)));
|
||||
res = malloc(req+lite_pad*2+sizeof(size_t));
|
||||
if(!res) return NULL;
|
||||
memmove(res, lite_pre, lite_pad);
|
||||
|
@ -59,6 +59,7 @@
|
||||
#include "services/cache/infra.h"
|
||||
#include "sldns/wire2str.h"
|
||||
#include "sldns/parseutil.h"
|
||||
#include "iterator/iterator.h"
|
||||
#ifdef HAVE_GLOB_H
|
||||
# include <glob.h>
|
||||
#endif
|
||||
@ -75,6 +76,8 @@ uid_t cfg_uid = (uid_t)-1;
|
||||
gid_t cfg_gid = (gid_t)-1;
|
||||
/** for debug allow small timeout values for fast rollovers */
|
||||
int autr_permit_small_holddown = 0;
|
||||
/** size (in bytes) of stream wait buffers max */
|
||||
size_t stream_wait_max = 4 * 1024 * 1024;
|
||||
|
||||
/** global config during parsing */
|
||||
struct config_parser_state* cfg_parser = 0;
|
||||
@ -118,6 +121,7 @@ config_create(void)
|
||||
cfg->log_time_ascii = 0;
|
||||
cfg->log_queries = 0;
|
||||
cfg->log_replies = 0;
|
||||
cfg->log_tag_queryreply = 0;
|
||||
cfg->log_local_actions = 0;
|
||||
cfg->log_servfail = 0;
|
||||
#ifndef USE_WINSOCK
|
||||
@ -138,6 +142,7 @@ config_create(void)
|
||||
cfg->outgoing_num_tcp = 2; /* leaves 64-52=12 for: 4if,1stop,thread4 */
|
||||
cfg->incoming_num_tcp = 2;
|
||||
#endif
|
||||
cfg->stream_wait_size = 4 * 1024 * 1024;
|
||||
cfg->edns_buffer_size = 4096; /* 4k from rfc recommendation */
|
||||
cfg->msg_buffer_size = 65552; /* 64 k + a small margin */
|
||||
cfg->msg_cache_size = 4 * 1024 * 1024;
|
||||
@ -152,6 +157,7 @@ config_create(void)
|
||||
cfg->max_negative_ttl = 3600;
|
||||
cfg->prefetch = 0;
|
||||
cfg->prefetch_key = 0;
|
||||
cfg->deny_any = 0;
|
||||
cfg->infra_cache_slabs = 4;
|
||||
cfg->infra_cache_numhosts = 10000;
|
||||
cfg->infra_cache_min_rtt = 50;
|
||||
@ -167,8 +173,8 @@ config_create(void)
|
||||
if(!(cfg->logfile = strdup(""))) goto error_exit;
|
||||
if(!(cfg->pidfile = strdup(PIDFILE))) goto error_exit;
|
||||
if(!(cfg->target_fetch_policy = strdup("3 2 1 0 0"))) goto error_exit;
|
||||
cfg->low_rtt_permil = 0;
|
||||
cfg->low_rtt = 45;
|
||||
cfg->fast_server_permil = 0;
|
||||
cfg->fast_server_num = 3;
|
||||
cfg->donotqueryaddrs = NULL;
|
||||
cfg->donotquery_localhost = 1;
|
||||
cfg->root_hints = NULL;
|
||||
@ -194,6 +200,10 @@ config_create(void)
|
||||
cfg->client_subnet_always_forward = 0;
|
||||
cfg->max_client_subnet_ipv4 = 24;
|
||||
cfg->max_client_subnet_ipv6 = 56;
|
||||
cfg->min_client_subnet_ipv4 = 0;
|
||||
cfg->min_client_subnet_ipv6 = 0;
|
||||
cfg->max_ecs_tree_size_ipv4 = 100;
|
||||
cfg->max_ecs_tree_size_ipv6 = 100;
|
||||
#endif
|
||||
cfg->views = NULL;
|
||||
cfg->acls = NULL;
|
||||
@ -258,6 +268,7 @@ config_create(void)
|
||||
cfg->control_use_cert = 1;
|
||||
cfg->minimal_responses = 1;
|
||||
cfg->rrset_roundrobin = 0;
|
||||
cfg->unknown_server_time_limit = 376;
|
||||
cfg->max_udp_size = 4096;
|
||||
if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key")))
|
||||
goto error_exit;
|
||||
@ -476,6 +487,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_STRLIST("additional-tls-port:", tls_additional_port)
|
||||
else S_STRLIST("tls-additional-ports:", tls_additional_port)
|
||||
else S_STRLIST("tls-additional-port:", tls_additional_port)
|
||||
else S_STRLIST_APPEND("tls-session-ticket-keys:", tls_session_ticket_keys)
|
||||
else S_STR("tls-ciphers:", tls_ciphers)
|
||||
else S_STR("tls-ciphersuites:", tls_ciphersuites)
|
||||
else S_YNO("interface-automatic:", if_automatic)
|
||||
else S_YNO("use-systemd:", use_systemd)
|
||||
else S_YNO("do-daemonize:", do_daemonize)
|
||||
@ -483,6 +497,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_NUMBER_NONZERO("outgoing-range:", outgoing_num_ports)
|
||||
else S_SIZET_OR_ZERO("outgoing-num-tcp:", outgoing_num_tcp)
|
||||
else S_SIZET_OR_ZERO("incoming-num-tcp:", incoming_num_tcp)
|
||||
else S_MEMSIZE("stream-wait-size:", stream_wait_size)
|
||||
else S_SIZET_NONZERO("edns-buffer-size:", edns_buffer_size)
|
||||
else S_SIZET_NONZERO("msg-buffer-size:", msg_buffer_size)
|
||||
else S_MEMSIZE("msg-cache-size:", msg_cache_size)
|
||||
@ -498,6 +513,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_POW2("rrset-cache-slabs:", rrset_cache_slabs)
|
||||
else S_YNO("prefetch:", prefetch)
|
||||
else S_YNO("prefetch-key:", prefetch_key)
|
||||
else S_YNO("deny-any:", deny_any)
|
||||
else if(strcmp(opt, "cache-max-ttl:") == 0)
|
||||
{ IS_NUMBER_OR_ZERO; cfg->max_ttl = atoi(val); MAX_TTL=(time_t)cfg->max_ttl;}
|
||||
else if(strcmp(opt, "cache-max-negative-ttl:") == 0)
|
||||
@ -552,6 +568,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_YNO("val-log-squelch:", val_log_squelch)
|
||||
else S_YNO("log-queries:", log_queries)
|
||||
else S_YNO("log-replies:", log_replies)
|
||||
else S_YNO("log-tag-queryreply:", log_tag_queryreply)
|
||||
else S_YNO("log-local-actions:", log_local_actions)
|
||||
else S_YNO("log-servfail:", log_servfail)
|
||||
else S_YNO("val-permissive-mode:", val_permissive_mode)
|
||||
@ -573,6 +590,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_MEMSIZE("neg-cache-size:", neg_cache_size)
|
||||
else S_YNO("minimal-responses:", minimal_responses)
|
||||
else S_YNO("rrset-roundrobin:", rrset_roundrobin)
|
||||
else S_NUMBER_OR_ZERO("unknown-server-time-limit:", unknown_server_time_limit)
|
||||
else S_STRLIST("local-data:", local_data)
|
||||
else S_YNO("unblock-lan-zones:", unblock_lan_zones)
|
||||
else S_YNO("insecure-lan-zones:", insecure_lan_zones)
|
||||
@ -642,9 +660,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_POW2("ratelimit-slabs:", ratelimit_slabs)
|
||||
else S_NUMBER_OR_ZERO("ip-ratelimit-factor:", ip_ratelimit_factor)
|
||||
else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
|
||||
else S_NUMBER_OR_ZERO("low-rtt:", low_rtt)
|
||||
else S_NUMBER_OR_ZERO("low-rtt-pct:", low_rtt_permil)
|
||||
else S_NUMBER_OR_ZERO("low-rtt-permil:", low_rtt_permil)
|
||||
else S_SIZET_NONZERO("fast-server-num:", fast_server_num)
|
||||
else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil)
|
||||
else S_YNO("qname-minimisation:", qname_minimisation)
|
||||
else S_YNO("qname-minimisation-strict:", qname_minimisation_strict)
|
||||
#ifdef USE_IPSECMOD
|
||||
@ -683,7 +700,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
* ratelimit-for-domain, ratelimit-below-domain,
|
||||
* local-zone-tag, access-control-view,
|
||||
* send-client-subnet, client-subnet-always-forward,
|
||||
* max-client-subnet-ipv4, max-client-subnet-ipv6, ipsecmod_hook,
|
||||
* max-client-subnet-ipv4, max-client-subnet-ipv6,
|
||||
* min-client-subnet-ipv4, min-client-subnet-ipv6,
|
||||
* max-ecs-tree-size-ipv4, max-ecs-tree-size-ipv6, ipsecmod_hook,
|
||||
* ipsecmod_whitelist. */
|
||||
return 0;
|
||||
}
|
||||
@ -865,6 +884,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_DEC(opt, "outgoing-range", outgoing_num_ports)
|
||||
else O_DEC(opt, "outgoing-num-tcp", outgoing_num_tcp)
|
||||
else O_DEC(opt, "incoming-num-tcp", incoming_num_tcp)
|
||||
else O_MEM(opt, "stream-wait-size", stream_wait_size)
|
||||
else O_DEC(opt, "edns-buffer-size", edns_buffer_size)
|
||||
else O_DEC(opt, "msg-buffer-size", msg_buffer_size)
|
||||
else O_MEM(opt, "msg-cache-size", msg_cache_size)
|
||||
@ -880,6 +900,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_DEC(opt, "rrset-cache-slabs", rrset_cache_slabs)
|
||||
else O_YNO(opt, "prefetch-key", prefetch_key)
|
||||
else O_YNO(opt, "prefetch", prefetch)
|
||||
else O_YNO(opt, "deny-any", deny_any)
|
||||
else O_DEC(opt, "cache-max-ttl", max_ttl)
|
||||
else O_DEC(opt, "cache-max-negative-ttl", max_negative_ttl)
|
||||
else O_DEC(opt, "cache-min-ttl", min_ttl)
|
||||
@ -906,6 +927,9 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_STR(opt, "tls-cert-bundle", tls_cert_bundle)
|
||||
else O_YNO(opt, "tls-win-cert", tls_win_cert)
|
||||
else O_LST(opt, "tls-additional-port", tls_additional_port)
|
||||
else O_LST(opt, "tls-session-ticket-keys", tls_session_ticket_keys.first)
|
||||
else O_STR(opt, "tls-ciphers", tls_ciphers)
|
||||
else O_STR(opt, "tls-ciphersuites", tls_ciphersuites)
|
||||
else O_YNO(opt, "use-systemd", use_systemd)
|
||||
else O_YNO(opt, "do-daemonize", do_daemonize)
|
||||
else O_STR(opt, "chroot", chrootdir)
|
||||
@ -914,6 +938,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_STR(opt, "logfile", logfile)
|
||||
else O_YNO(opt, "log-queries", log_queries)
|
||||
else O_YNO(opt, "log-replies", log_replies)
|
||||
else O_YNO(opt, "log-tag-queryreply", log_tag_queryreply)
|
||||
else O_YNO(opt, "log-local-actions", log_local_actions)
|
||||
else O_YNO(opt, "log-servfail", log_servfail)
|
||||
else O_STR(opt, "pidfile", pidfile)
|
||||
@ -977,11 +1002,16 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_UNS(opt, "val-override-date", val_date_override)
|
||||
else O_YNO(opt, "minimal-responses", minimal_responses)
|
||||
else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin)
|
||||
else O_DEC(opt, "unknown-server-time-limit", unknown_server_time_limit)
|
||||
#ifdef CLIENT_SUBNET
|
||||
else O_LST(opt, "send-client-subnet", client_subnet)
|
||||
else O_LST(opt, "client-subnet-zone", client_subnet_zone)
|
||||
else O_DEC(opt, "max-client-subnet-ipv4", max_client_subnet_ipv4)
|
||||
else O_DEC(opt, "max-client-subnet-ipv6", max_client_subnet_ipv6)
|
||||
else O_DEC(opt, "min-client-subnet-ipv4", min_client_subnet_ipv4)
|
||||
else O_DEC(opt, "min-client-subnet-ipv6", min_client_subnet_ipv6)
|
||||
else O_DEC(opt, "max-ecs-tree-size-ipv4", max_ecs_tree_size_ipv4)
|
||||
else O_DEC(opt, "max-ecs-tree-size-ipv6", max_ecs_tree_size_ipv6)
|
||||
else O_YNO(opt, "client-subnet-always-forward:",
|
||||
client_subnet_always_forward)
|
||||
#endif
|
||||
@ -1036,9 +1066,8 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_LS2(opt, "ratelimit-below-domain", ratelimit_below_domain)
|
||||
else O_DEC(opt, "ip-ratelimit-factor", ip_ratelimit_factor)
|
||||
else O_DEC(opt, "ratelimit-factor", ratelimit_factor)
|
||||
else O_DEC(opt, "low-rtt", low_rtt)
|
||||
else O_DEC(opt, "low-rtt-pct", low_rtt_permil)
|
||||
else O_DEC(opt, "low-rtt-permil", low_rtt_permil)
|
||||
else O_DEC(opt, "fast-server-num", fast_server_num)
|
||||
else O_DEC(opt, "fast-server-permil", fast_server_permil)
|
||||
else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
|
||||
else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
|
||||
else O_YNO(opt, "qname-minimisation", qname_minimisation)
|
||||
@ -1335,6 +1364,9 @@ config_delete(struct config_file* cfg)
|
||||
free(cfg->ssl_service_pem);
|
||||
free(cfg->tls_cert_bundle);
|
||||
config_delstrlist(cfg->tls_additional_port);
|
||||
config_delstrlist(cfg->tls_session_ticket_keys.first);
|
||||
free(cfg->tls_ciphers);
|
||||
free(cfg->tls_ciphersuites);
|
||||
free(cfg->log_identity);
|
||||
config_del_strarray(cfg->ifs, cfg->num_ifs);
|
||||
config_del_strarray(cfg->out_ifs, cfg->num_out_ifs);
|
||||
@ -1888,8 +1920,11 @@ config_apply(struct config_file* config)
|
||||
EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size;
|
||||
MINIMAL_RESPONSES = config->minimal_responses;
|
||||
RRSET_ROUNDROBIN = config->rrset_roundrobin;
|
||||
LOG_TAG_QUERYREPLY = config->log_tag_queryreply;
|
||||
UNKNOWN_SERVER_NICENESS = config->unknown_server_time_limit;
|
||||
log_set_time_asc(config->log_time_ascii);
|
||||
autr_permit_small_holddown = config->permit_small_holddown;
|
||||
stream_wait_max = config->stream_wait_size;
|
||||
}
|
||||
|
||||
void config_lookup_uid(struct config_file* cfg)
|
||||
|
@ -120,6 +120,12 @@ struct config_file {
|
||||
int tls_win_cert;
|
||||
/** additional tls ports */
|
||||
struct config_strlist* tls_additional_port;
|
||||
/** secret key used to encrypt and decrypt TLS session ticket */
|
||||
struct config_strlist_head tls_session_ticket_keys;
|
||||
/** TLS ciphers */
|
||||
char* tls_ciphers;
|
||||
/** TLS chiphersuites (TLSv1.3) */
|
||||
char* tls_ciphersuites;
|
||||
|
||||
/** outgoing port range number of ports (per thread) */
|
||||
int outgoing_num_ports;
|
||||
@ -132,6 +138,8 @@ struct config_file {
|
||||
|
||||
/** EDNS buffer size to use */
|
||||
size_t edns_buffer_size;
|
||||
/** size of the stream wait buffers, max */
|
||||
size_t stream_wait_size;
|
||||
/** number of bytes buffer size for DNS messages */
|
||||
size_t msg_buffer_size;
|
||||
/** size of the message cache */
|
||||
@ -159,10 +167,11 @@ struct config_file {
|
||||
|
||||
/** the target fetch policy for the iterator */
|
||||
char* target_fetch_policy;
|
||||
/** percent*10, how many times in 1000 to pick low rtt destinations */
|
||||
int low_rtt_permil;
|
||||
/** what time in msec is a low rtt destination */
|
||||
int low_rtt;
|
||||
/** percent*10, how many times in 1000 to pick from the fastest
|
||||
* destinations */
|
||||
int fast_server_permil;
|
||||
/** number of fastest server to select from */
|
||||
size_t fast_server_num;
|
||||
|
||||
/** automatic interface for incoming messages. Uses ipv6 remapping,
|
||||
* and recvmsg/sendmsg ancillary data to detect interfaces, boolean */
|
||||
@ -214,6 +223,12 @@ struct config_file {
|
||||
/** Subnet length we are willing to give up privacy for */
|
||||
uint8_t max_client_subnet_ipv4;
|
||||
uint8_t max_client_subnet_ipv6;
|
||||
/** Minimum subnet length we are willing to answer */
|
||||
uint8_t min_client_subnet_ipv4;
|
||||
uint8_t min_client_subnet_ipv6;
|
||||
/** Max number of nodes in the ECS radix tree */
|
||||
uint32_t max_ecs_tree_size_ipv4;
|
||||
uint32_t max_ecs_tree_size_ipv6;
|
||||
#endif
|
||||
/** list of access control entries, linked list */
|
||||
struct config_str2list* acls;
|
||||
@ -257,6 +272,8 @@ struct config_file {
|
||||
int prefetch;
|
||||
/** if prefetching of DNSKEYs should be performed. */
|
||||
int prefetch_key;
|
||||
/** deny queries of type ANY with an empty answer */
|
||||
int deny_any;
|
||||
|
||||
/** chrootdir, if not "" or chroot will be done */
|
||||
char* chrootdir;
|
||||
@ -277,6 +294,8 @@ struct config_file {
|
||||
int log_queries;
|
||||
/** log replies with one line per reply */
|
||||
int log_replies;
|
||||
/** tag log_queries and log_replies for filtering */
|
||||
int log_tag_queryreply;
|
||||
/** log every local-zone hit **/
|
||||
int log_local_actions;
|
||||
/** log servfails with a reason */
|
||||
@ -428,6 +447,9 @@ struct config_file {
|
||||
/* RRSet roundrobin */
|
||||
int rrset_roundrobin;
|
||||
|
||||
/* wait time for unknown server in msec */
|
||||
int unknown_server_time_limit;
|
||||
|
||||
/* maximum UDP response size */
|
||||
size_t max_udp_size;
|
||||
|
||||
@ -561,6 +583,8 @@ extern uid_t cfg_uid;
|
||||
extern gid_t cfg_gid;
|
||||
/** debug and enable small timeouts */
|
||||
extern int autr_permit_small_holddown;
|
||||
/** size (in bytes) of stream wait buffers max */
|
||||
extern size_t stream_wait_max;
|
||||
|
||||
/**
|
||||
* Stub config options
|
||||
|
@ -121,9 +121,8 @@ static void config_start_include_glob(const char* filename)
|
||||
#ifdef GLOB_ERR
|
||||
| GLOB_ERR
|
||||
#endif
|
||||
#ifdef GLOB_NOSORT
|
||||
| GLOB_NOSORT
|
||||
#endif
|
||||
/* do not set GLOB_NOSORT so the results are sorted
|
||||
and in a predictable order. */
|
||||
#ifdef GLOB_BRACE
|
||||
| GLOB_BRACE
|
||||
#endif
|
||||
@ -247,6 +246,9 @@ additional-ssl-port{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
|
||||
additional-tls-port{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
|
||||
tls-additional-ports{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
|
||||
tls-additional-port{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
|
||||
tls-session-ticket-keys{COLON} { YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) }
|
||||
tls-ciphers{COLON} { YDVAR(1, VAR_TLS_CIPHERS) }
|
||||
tls-ciphersuites{COLON} { YDVAR(1, VAR_TLS_CIPHERSUITES) }
|
||||
use-systemd{COLON} { YDVAR(1, VAR_USE_SYSTEMD) }
|
||||
do-daemonize{COLON} { YDVAR(1, VAR_DO_DAEMONIZE) }
|
||||
interface{COLON} { YDVAR(1, VAR_INTERFACE) }
|
||||
@ -264,6 +266,7 @@ directory{COLON} { YDVAR(1, VAR_DIRECTORY) }
|
||||
logfile{COLON} { YDVAR(1, VAR_LOGFILE) }
|
||||
pidfile{COLON} { YDVAR(1, VAR_PIDFILE) }
|
||||
root-hints{COLON} { YDVAR(1, VAR_ROOT_HINTS) }
|
||||
stream-wait-size{COLON} { YDVAR(1, VAR_STREAM_WAIT_SIZE) }
|
||||
edns-buffer-size{COLON} { YDVAR(1, VAR_EDNS_BUFFER_SIZE) }
|
||||
msg-buffer-size{COLON} { YDVAR(1, VAR_MSG_BUFFER_SIZE) }
|
||||
msg-cache-size{COLON} { YDVAR(1, VAR_MSG_CACHE_SIZE) }
|
||||
@ -297,6 +300,7 @@ private-address{COLON} { YDVAR(1, VAR_PRIVATE_ADDRESS) }
|
||||
private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) }
|
||||
prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) }
|
||||
prefetch{COLON} { YDVAR(1, VAR_PREFETCH) }
|
||||
deny-any{COLON} { YDVAR(1, VAR_DENY_ANY) }
|
||||
stub-zone{COLON} { YDVAR(0, VAR_STUB_ZONE) }
|
||||
name{COLON} { YDVAR(1, VAR_NAME) }
|
||||
stub-addr{COLON} { YDVAR(1, VAR_STUB_ADDR) }
|
||||
@ -332,6 +336,10 @@ client-subnet-always-forward{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD)
|
||||
client-subnet-opcode{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) }
|
||||
max-client-subnet-ipv4{COLON} { YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) }
|
||||
max-client-subnet-ipv6{COLON} { YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV6) }
|
||||
min-client-subnet-ipv4{COLON} { YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV4) }
|
||||
min-client-subnet-ipv6{COLON} { YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV6) }
|
||||
max-ecs-tree-size-ipv4{COLON} { YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV4) }
|
||||
max-ecs-tree-size-ipv6{COLON} { YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV6) }
|
||||
hide-identity{COLON} { YDVAR(1, VAR_HIDE_IDENTITY) }
|
||||
hide-version{COLON} { YDVAR(1, VAR_HIDE_VERSION) }
|
||||
hide-trustanchor{COLON} { YDVAR(1, VAR_HIDE_TRUSTANCHOR) }
|
||||
@ -374,6 +382,7 @@ log-identity{COLON} { YDVAR(1, VAR_LOG_IDENTITY) }
|
||||
log-time-ascii{COLON} { YDVAR(1, VAR_LOG_TIME_ASCII) }
|
||||
log-queries{COLON} { YDVAR(1, VAR_LOG_QUERIES) }
|
||||
log-replies{COLON} { YDVAR(1, VAR_LOG_REPLIES) }
|
||||
log-tag-queryreply{COLON} { YDVAR(1, VAR_LOG_TAG_QUERYREPLY) }
|
||||
log-local-actions{COLON} { YDVAR(1, VAR_LOG_LOCAL_ACTIONS) }
|
||||
log-servfail{COLON} { YDVAR(1, VAR_LOG_SERVFAIL) }
|
||||
local-zone{COLON} { YDVAR(2, VAR_LOCAL_ZONE) }
|
||||
@ -400,6 +409,7 @@ python{COLON} { YDVAR(0, VAR_PYTHON) }
|
||||
domain-insecure{COLON} { YDVAR(1, VAR_DOMAIN_INSECURE) }
|
||||
minimal-responses{COLON} { YDVAR(1, VAR_MINIMAL_RESPONSES) }
|
||||
rrset-roundrobin{COLON} { YDVAR(1, VAR_RRSET_ROUNDROBIN) }
|
||||
unknown-server-time-limit{COLON} { YDVAR(1, VAR_UNKNOWN_SERVER_TIME_LIMIT) }
|
||||
max-udp-size{COLON} { YDVAR(1, VAR_MAX_UDP_SIZE) }
|
||||
dns64-prefix{COLON} { YDVAR(1, VAR_DNS64_PREFIX) }
|
||||
dns64-synthall{COLON} { YDVAR(1, VAR_DNS64_SYNTHALL) }
|
||||
@ -442,8 +452,10 @@ ratelimit-below-domain{COLON} { YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) }
|
||||
ip-ratelimit-factor{COLON} { YDVAR(1, VAR_IP_RATELIMIT_FACTOR) }
|
||||
ratelimit-factor{COLON} { YDVAR(1, VAR_RATELIMIT_FACTOR) }
|
||||
low-rtt{COLON} { YDVAR(1, VAR_LOW_RTT) }
|
||||
low-rtt-pct{COLON} { YDVAR(1, VAR_LOW_RTT_PERMIL) }
|
||||
low-rtt-permil{COLON} { YDVAR(1, VAR_LOW_RTT_PERMIL) }
|
||||
fast-server-num{COLON} { YDVAR(1, VAR_FAST_SERVER_NUM) }
|
||||
low-rtt-pct{COLON} { YDVAR(1, VAR_FAST_SERVER_PERMIL) }
|
||||
low-rtt-permil{COLON} { YDVAR(1, VAR_FAST_SERVER_PERMIL) }
|
||||
fast-server-permil{COLON} { YDVAR(1, VAR_FAST_SERVER_PERMIL) }
|
||||
response-ip-tag{COLON} { YDVAR(2, VAR_RESPONSE_IP_TAG) }
|
||||
response-ip{COLON} { YDVAR(2, VAR_RESPONSE_IP) }
|
||||
response-ip-data{COLON} { YDVAR(2, VAR_RESPONSE_IP_DATA) }
|
||||
|
@ -135,6 +135,8 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ZONE
|
||||
%token VAR_CLIENT_SUBNET_ALWAYS_FORWARD VAR_CLIENT_SUBNET_OPCODE
|
||||
%token VAR_MAX_CLIENT_SUBNET_IPV4 VAR_MAX_CLIENT_SUBNET_IPV6
|
||||
%token VAR_MIN_CLIENT_SUBNET_IPV4 VAR_MIN_CLIENT_SUBNET_IPV6
|
||||
%token VAR_MAX_ECS_TREE_SIZE_IPV4 VAR_MAX_ECS_TREE_SIZE_IPV6
|
||||
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
|
||||
%token VAR_QNAME_MINIMISATION VAR_QNAME_MINIMISATION_STRICT VAR_IP_FREEBIND
|
||||
%token VAR_DEFINE_TAG VAR_LOCAL_ZONE_TAG VAR_ACCESS_CONTROL_TAG
|
||||
@ -159,8 +161,12 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM VAR_FOR_UPSTREAM
|
||||
%token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM
|
||||
%token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL
|
||||
%token VAR_FAST_SERVER_PERMIL VAR_FAST_SERVER_NUM
|
||||
%token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT VAR_TCP_CONNECTION_LIMIT
|
||||
%token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL
|
||||
%token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL VAR_DENY_ANY
|
||||
%token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
|
||||
%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES
|
||||
%token VAR_TLS_SESSION_TICKET_KEYS
|
||||
|
||||
%%
|
||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||
@ -237,6 +243,8 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_client_subnet_zone | server_client_subnet_always_forward |
|
||||
server_client_subnet_opcode |
|
||||
server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 |
|
||||
server_min_client_subnet_ipv4 | server_min_client_subnet_ipv6 |
|
||||
server_max_ecs_tree_size_ipv4 | server_max_ecs_tree_size_ipv6 |
|
||||
server_caps_whitelist | server_cache_max_negative_ttl |
|
||||
server_permit_small_holddown | server_qname_minimisation |
|
||||
server_ip_freebind | server_define_tag | server_local_zone_tag |
|
||||
@ -255,8 +263,11 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_ipsecmod_whitelist | server_ipsecmod_strict |
|
||||
server_udp_upstream_without_downstream | server_aggressive_nsec |
|
||||
server_tls_cert_bundle | server_tls_additional_port | server_low_rtt |
|
||||
server_low_rtt_permil | server_tls_win_cert |
|
||||
server_tcp_connection_limit | server_log_servfail
|
||||
server_fast_server_permil | server_fast_server_num | server_tls_win_cert |
|
||||
server_tcp_connection_limit | server_log_servfail | server_deny_any |
|
||||
server_unknown_server_time_limit | server_log_tag_queryreply |
|
||||
server_stream_wait_size | server_tls_ciphers |
|
||||
server_tls_ciphersuites | server_tls_session_ticket_keys
|
||||
;
|
||||
stubstart: VAR_STUB_ZONE
|
||||
{
|
||||
@ -493,6 +504,70 @@ server_max_client_subnet_ipv6: VAR_MAX_CLIENT_SUBNET_IPV6 STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_min_client_subnet_ipv4: VAR_MIN_CLIENT_SUBNET_IPV4 STRING_ARG
|
||||
{
|
||||
#ifdef CLIENT_SUBNET
|
||||
OUTYY(("P(min_client_subnet_ipv4:%s)\n", $2));
|
||||
if(atoi($2) == 0 && strcmp($2, "0") != 0)
|
||||
yyerror("IPv4 subnet length expected");
|
||||
else if (atoi($2) > 32)
|
||||
cfg_parser->cfg->min_client_subnet_ipv4 = 32;
|
||||
else if (atoi($2) < 0)
|
||||
cfg_parser->cfg->min_client_subnet_ipv4 = 0;
|
||||
else cfg_parser->cfg->min_client_subnet_ipv4 = (uint8_t)atoi($2);
|
||||
#else
|
||||
OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
|
||||
#endif
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_min_client_subnet_ipv6: VAR_MIN_CLIENT_SUBNET_IPV6 STRING_ARG
|
||||
{
|
||||
#ifdef CLIENT_SUBNET
|
||||
OUTYY(("P(min_client_subnet_ipv6:%s)\n", $2));
|
||||
if(atoi($2) == 0 && strcmp($2, "0") != 0)
|
||||
yyerror("Ipv6 subnet length expected");
|
||||
else if (atoi($2) > 128)
|
||||
cfg_parser->cfg->min_client_subnet_ipv6 = 128;
|
||||
else if (atoi($2) < 0)
|
||||
cfg_parser->cfg->min_client_subnet_ipv6 = 0;
|
||||
else cfg_parser->cfg->min_client_subnet_ipv6 = (uint8_t)atoi($2);
|
||||
#else
|
||||
OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
|
||||
#endif
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_max_ecs_tree_size_ipv4: VAR_MAX_ECS_TREE_SIZE_IPV4 STRING_ARG
|
||||
{
|
||||
#ifdef CLIENT_SUBNET
|
||||
OUTYY(("P(max_ecs_tree_size_ipv4:%s)\n", $2));
|
||||
if(atoi($2) == 0 && strcmp($2, "0") != 0)
|
||||
yyerror("IPv4 ECS tree size expected");
|
||||
else if (atoi($2) < 0)
|
||||
cfg_parser->cfg->max_ecs_tree_size_ipv4 = 0;
|
||||
else cfg_parser->cfg->max_ecs_tree_size_ipv4 = (uint32_t)atoi($2);
|
||||
#else
|
||||
OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
|
||||
#endif
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_max_ecs_tree_size_ipv6: VAR_MAX_ECS_TREE_SIZE_IPV6 STRING_ARG
|
||||
{
|
||||
#ifdef CLIENT_SUBNET
|
||||
OUTYY(("P(max_ecs_tree_size_ipv6:%s)\n", $2));
|
||||
if(atoi($2) == 0 && strcmp($2, "0") != 0)
|
||||
yyerror("IPv6 ECS tree size expected");
|
||||
else if (atoi($2) < 0)
|
||||
cfg_parser->cfg->max_ecs_tree_size_ipv6 = 0;
|
||||
else cfg_parser->cfg->max_ecs_tree_size_ipv6 = (uint32_t)atoi($2);
|
||||
#else
|
||||
OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
|
||||
#endif
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_interface: VAR_INTERFACE STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_interface:%s)\n", $2));
|
||||
@ -747,6 +822,28 @@ server_tls_additional_port: VAR_TLS_ADDITIONAL_PORT STRING_ARG
|
||||
yyerror("out of memory");
|
||||
}
|
||||
;
|
||||
server_tls_ciphers: VAR_TLS_CIPHERS STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_tls_ciphers:%s)\n", $2));
|
||||
free(cfg_parser->cfg->tls_ciphers);
|
||||
cfg_parser->cfg->tls_ciphers = $2;
|
||||
}
|
||||
;
|
||||
server_tls_ciphersuites: VAR_TLS_CIPHERSUITES STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_tls_ciphersuites:%s)\n", $2));
|
||||
free(cfg_parser->cfg->tls_ciphersuites);
|
||||
cfg_parser->cfg->tls_ciphersuites = $2;
|
||||
}
|
||||
;
|
||||
server_tls_session_ticket_keys: VAR_TLS_SESSION_TICKET_KEYS STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_tls_session_ticket_keys:%s)\n", $2));
|
||||
if(!cfg_strlist_append(&cfg_parser->cfg->tls_session_ticket_keys,
|
||||
$2))
|
||||
yyerror("out of memory");
|
||||
}
|
||||
;
|
||||
server_use_systemd: VAR_USE_SYSTEMD STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_use_systemd:%s)\n", $2));
|
||||
@ -806,6 +903,15 @@ server_log_replies: VAR_LOG_REPLIES STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_log_tag_queryreply: VAR_LOG_TAG_QUERYREPLY STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_log_tag_queryreply:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->log_tag_queryreply = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_log_servfail:%s)\n", $2));
|
||||
@ -1047,6 +1153,14 @@ server_ip_freebind: VAR_IP_FREEBIND STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_stream_wait_size: VAR_STREAM_WAIT_SIZE STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_stream_wait_size:%s)\n", $2));
|
||||
if(!cfg_parse_memsize($2, &cfg_parser->cfg->stream_wait_size))
|
||||
yyerror("memory size expected");
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_edns_buffer_size: VAR_EDNS_BUFFER_SIZE STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_edns_buffer_size:%s)\n", $2));
|
||||
@ -1342,6 +1456,15 @@ server_prefetch_key: VAR_PREFETCH_KEY STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_deny_any: VAR_DENY_ANY STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_deny_any:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->deny_any = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_unwanted_reply_threshold: VAR_UNWANTED_REPLY_THRESHOLD STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_unwanted_reply_threshold:%s)\n", $2));
|
||||
@ -1380,6 +1503,8 @@ server_access_control: VAR_ACCESS_CONTROL STRING_ARG STRING_ARG
|
||||
yyerror("expected deny, refuse, deny_non_local, "
|
||||
"refuse_non_local, allow, allow_setrd or "
|
||||
"allow_snoop in access control action");
|
||||
free($2);
|
||||
free($3);
|
||||
} else {
|
||||
if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3))
|
||||
fatal_exit("out of memory adding acl");
|
||||
@ -1658,13 +1783,17 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
|
||||
&& strcmp($3, "always_refuse")!=0
|
||||
&& strcmp($3, "always_nxdomain")!=0
|
||||
&& strcmp($3, "noview")!=0
|
||||
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0)
|
||||
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0
|
||||
&& strcmp($3, "inform_redirect") != 0) {
|
||||
yyerror("local-zone type: expected static, deny, "
|
||||
"refuse, redirect, transparent, "
|
||||
"typetransparent, inform, inform_deny, "
|
||||
"always_transparent, always_refuse, "
|
||||
"always_nxdomain, noview or nodefault");
|
||||
else if(strcmp($3, "nodefault")==0) {
|
||||
"inform_redirect, always_transparent, "
|
||||
"always_refuse, always_nxdomain, noview "
|
||||
"or nodefault");
|
||||
free($2);
|
||||
free($3);
|
||||
} else if(strcmp($3, "nodefault")==0) {
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->
|
||||
local_zones_nodefault, $2))
|
||||
fatal_exit("out of memory adding local-zone");
|
||||
@ -1718,6 +1847,13 @@ server_rrset_roundrobin: VAR_RRSET_ROUNDROBIN STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_unknown_server_time_limit: VAR_UNKNOWN_SERVER_TIME_LIMIT STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_unknown_server_time_limit:%s)\n", $2));
|
||||
cfg_parser->cfg->unknown_server_time_limit = atoi($2);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_max_udp_size: VAR_MAX_UDP_SIZE STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_max_udp_size:%s)\n", $2));
|
||||
@ -1770,8 +1906,10 @@ server_local_zone_tag: VAR_LOCAL_ZONE_TAG STRING_ARG STRING_ARG
|
||||
&len);
|
||||
free($3);
|
||||
OUTYY(("P(server_local_zone_tag:%s)\n", $2));
|
||||
if(!bitlist)
|
||||
if(!bitlist) {
|
||||
yyerror("could not parse tags, (define-tag them first)");
|
||||
free($2);
|
||||
}
|
||||
if(bitlist) {
|
||||
if(!cfg_strbytelist_insert(
|
||||
&cfg_parser->cfg->local_zone_tags,
|
||||
@ -1789,8 +1927,10 @@ server_access_control_tag: VAR_ACCESS_CONTROL_TAG STRING_ARG STRING_ARG
|
||||
&len);
|
||||
free($3);
|
||||
OUTYY(("P(server_access_control_tag:%s)\n", $2));
|
||||
if(!bitlist)
|
||||
if(!bitlist) {
|
||||
yyerror("could not parse tags, (define-tag them first)");
|
||||
free($2);
|
||||
}
|
||||
if(bitlist) {
|
||||
if(!cfg_strbytelist_insert(
|
||||
&cfg_parser->cfg->acl_tags,
|
||||
@ -1843,8 +1983,6 @@ server_access_control_view: VAR_ACCESS_CONTROL_VIEW STRING_ARG STRING_ARG
|
||||
if(!cfg_str2list_insert(&cfg_parser->cfg->acl_view,
|
||||
$2, $3)) {
|
||||
yyerror("out of memory");
|
||||
free($2);
|
||||
free($3);
|
||||
}
|
||||
}
|
||||
;
|
||||
@ -1855,8 +1993,10 @@ server_response_ip_tag: VAR_RESPONSE_IP_TAG STRING_ARG STRING_ARG
|
||||
&len);
|
||||
free($3);
|
||||
OUTYY(("P(response_ip_tag:%s)\n", $2));
|
||||
if(!bitlist)
|
||||
if(!bitlist) {
|
||||
yyerror("could not parse tags, (define-tag them first)");
|
||||
free($2);
|
||||
}
|
||||
if(bitlist) {
|
||||
if(!cfg_strbytelist_insert(
|
||||
&cfg_parser->cfg->respip_tags,
|
||||
@ -1933,6 +2073,8 @@ server_ratelimit_for_domain: VAR_RATELIMIT_FOR_DOMAIN STRING_ARG STRING_ARG
|
||||
OUTYY(("P(server_ratelimit_for_domain:%s %s)\n", $2, $3));
|
||||
if(atoi($3) == 0 && strcmp($3, "0") != 0) {
|
||||
yyerror("number expected");
|
||||
free($2);
|
||||
free($3);
|
||||
} else {
|
||||
if(!cfg_str2list_insert(&cfg_parser->cfg->
|
||||
ratelimit_for_domain, $2, $3))
|
||||
@ -1946,6 +2088,8 @@ server_ratelimit_below_domain: VAR_RATELIMIT_BELOW_DOMAIN STRING_ARG STRING_ARG
|
||||
OUTYY(("P(server_ratelimit_below_domain:%s %s)\n", $2, $3));
|
||||
if(atoi($3) == 0 && strcmp($3, "0") != 0) {
|
||||
yyerror("number expected");
|
||||
free($2);
|
||||
free($3);
|
||||
} else {
|
||||
if(!cfg_str2list_insert(&cfg_parser->cfg->
|
||||
ratelimit_below_domain, $2, $3))
|
||||
@ -1974,19 +2118,25 @@ server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG
|
||||
;
|
||||
server_low_rtt: VAR_LOW_RTT STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_low_rtt:%s)\n", $2));
|
||||
if(atoi($2) == 0 && strcmp($2, "0") != 0)
|
||||
yyerror("number expected");
|
||||
else cfg_parser->cfg->low_rtt = atoi($2);
|
||||
OUTYY(("P(low-rtt option is deprecated, use fast-server-num instead)\n"));
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_low_rtt_permil: VAR_LOW_RTT_PERMIL STRING_ARG
|
||||
server_fast_server_num: VAR_FAST_SERVER_NUM STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_low_rtt_permil:%s)\n", $2));
|
||||
OUTYY(("P(server_fast_server_num:%s)\n", $2));
|
||||
if(atoi($2) <= 0)
|
||||
yyerror("number expected");
|
||||
else cfg_parser->cfg->fast_server_num = atoi($2);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_fast_server_permil: VAR_FAST_SERVER_PERMIL STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_fast_server_permil:%s)\n", $2));
|
||||
if(atoi($2) == 0 && strcmp($2, "0") != 0)
|
||||
yyerror("number expected");
|
||||
else cfg_parser->cfg->low_rtt_permil = atoi($2);
|
||||
else cfg_parser->cfg->fast_server_permil = atoi($2);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
@ -2017,10 +2167,10 @@ server_ipsecmod_enabled: VAR_IPSECMOD_ENABLED STRING_ARG
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->ipsecmod_enabled = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
#else
|
||||
OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
|
||||
#endif
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_ipsecmod_ignore_bogus: VAR_IPSECMOD_IGNORE_BOGUS STRING_ARG
|
||||
@ -2030,10 +2180,10 @@ server_ipsecmod_ignore_bogus: VAR_IPSECMOD_IGNORE_BOGUS STRING_ARG
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->ipsecmod_ignore_bogus = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
#else
|
||||
OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
|
||||
#endif
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_ipsecmod_hook: VAR_IPSECMOD_HOOK STRING_ARG
|
||||
@ -2044,6 +2194,7 @@ server_ipsecmod_hook: VAR_IPSECMOD_HOOK STRING_ARG
|
||||
cfg_parser->cfg->ipsecmod_hook = $2;
|
||||
#else
|
||||
OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
|
||||
free($2);
|
||||
#endif
|
||||
}
|
||||
;
|
||||
@ -2057,6 +2208,7 @@ server_ipsecmod_max_ttl: VAR_IPSECMOD_MAX_TTL STRING_ARG
|
||||
free($2);
|
||||
#else
|
||||
OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
|
||||
free($2);
|
||||
#endif
|
||||
}
|
||||
;
|
||||
@ -2068,6 +2220,7 @@ server_ipsecmod_whitelist: VAR_IPSECMOD_WHITELIST STRING_ARG
|
||||
yyerror("out of memory");
|
||||
#else
|
||||
OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
|
||||
free($2);
|
||||
#endif
|
||||
}
|
||||
;
|
||||
@ -2081,6 +2234,7 @@ server_ipsecmod_strict: VAR_IPSECMOD_STRICT STRING_ARG
|
||||
free($2);
|
||||
#else
|
||||
OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
|
||||
free($2);
|
||||
#endif
|
||||
}
|
||||
;
|
||||
@ -2288,13 +2442,15 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
|
||||
&& strcmp($3, "always_refuse")!=0
|
||||
&& strcmp($3, "always_nxdomain")!=0
|
||||
&& strcmp($3, "noview")!=0
|
||||
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0)
|
||||
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0) {
|
||||
yyerror("local-zone type: expected static, deny, "
|
||||
"refuse, redirect, transparent, "
|
||||
"typetransparent, inform, inform_deny, "
|
||||
"always_transparent, always_refuse, "
|
||||
"always_nxdomain, noview or nodefault");
|
||||
else if(strcmp($3, "nodefault")==0) {
|
||||
free($2);
|
||||
free($3);
|
||||
} else if(strcmp($3, "nodefault")==0) {
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->views->
|
||||
local_zones_nodefault, $2))
|
||||
fatal_exit("out of memory adding local-zone");
|
||||
@ -2330,7 +2486,6 @@ view_local_data: VAR_LOCAL_DATA STRING_ARG
|
||||
OUTYY(("P(view_local_data:%s)\n", $2));
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->views->local_data, $2)) {
|
||||
fatal_exit("out of memory adding local-data");
|
||||
free($2);
|
||||
}
|
||||
}
|
||||
;
|
||||
@ -2453,6 +2608,7 @@ dt_dnstap_enable: VAR_DNSTAP_ENABLE STRING_ARG
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->dnstap = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
dt_dnstap_socket_path: VAR_DNSTAP_SOCKET_PATH STRING_ARG
|
||||
@ -2468,6 +2624,7 @@ dt_dnstap_send_identity: VAR_DNSTAP_SEND_IDENTITY STRING_ARG
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->dnstap_send_identity = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
dt_dnstap_send_version: VAR_DNSTAP_SEND_VERSION STRING_ARG
|
||||
@ -2476,6 +2633,7 @@ dt_dnstap_send_version: VAR_DNSTAP_SEND_VERSION STRING_ARG
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->dnstap_send_version = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
dt_dnstap_identity: VAR_DNSTAP_IDENTITY STRING_ARG
|
||||
@ -2499,6 +2657,7 @@ dt_dnstap_log_resolver_query_messages: VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES ST
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->dnstap_log_resolver_query_messages =
|
||||
(strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
dt_dnstap_log_resolver_response_messages: VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES STRING_ARG
|
||||
@ -2508,6 +2667,7 @@ dt_dnstap_log_resolver_response_messages: VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSA
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->dnstap_log_resolver_response_messages =
|
||||
(strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
dt_dnstap_log_client_query_messages: VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES STRING_ARG
|
||||
@ -2517,6 +2677,7 @@ dt_dnstap_log_client_query_messages: VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES STRING
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->dnstap_log_client_query_messages =
|
||||
(strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
dt_dnstap_log_client_response_messages: VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES STRING_ARG
|
||||
@ -2526,6 +2687,7 @@ dt_dnstap_log_client_response_messages: VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->dnstap_log_client_response_messages =
|
||||
(strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
dt_dnstap_log_forwarder_query_messages: VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES STRING_ARG
|
||||
@ -2535,6 +2697,7 @@ dt_dnstap_log_forwarder_query_messages: VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->dnstap_log_forwarder_query_messages =
|
||||
(strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES STRING_ARG
|
||||
@ -2544,6 +2707,7 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->dnstap_log_forwarder_response_messages =
|
||||
(strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
pythonstart: VAR_PYTHON
|
||||
@ -2590,15 +2754,14 @@ server_response_ip: VAR_RESPONSE_IP STRING_ARG STRING_ARG
|
||||
server_response_ip_data: VAR_RESPONSE_IP_DATA STRING_ARG STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_response_ip_data:%s)\n", $2));
|
||||
if(!cfg_str2list_insert(&cfg_parser->cfg->respip_data,
|
||||
$2, $3))
|
||||
fatal_exit("out of memory adding response-ip-data");
|
||||
if(!cfg_str2list_insert(&cfg_parser->cfg->respip_data,
|
||||
$2, $3))
|
||||
fatal_exit("out of memory adding response-ip-data");
|
||||
}
|
||||
;
|
||||
dnscstart: VAR_DNSCRYPT
|
||||
{
|
||||
OUTYY(("\nP(dnscrypt:)\n"));
|
||||
OUTYY(("\nP(dnscrypt:)\n"));
|
||||
}
|
||||
;
|
||||
contents_dnsc: contents_dnsc content_dnsc
|
||||
@ -2625,7 +2788,6 @@ dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG
|
||||
dnsc_dnscrypt_port: VAR_DNSCRYPT_PORT STRING_ARG
|
||||
{
|
||||
OUTYY(("P(dnsc_dnscrypt_port:%s)\n", $2));
|
||||
|
||||
if(atoi($2) == 0)
|
||||
yyerror("port number expected");
|
||||
else cfg_parser->cfg->dnscrypt_port = atoi($2);
|
||||
@ -2727,6 +2889,7 @@ cachedb_backend_name: VAR_CACHEDB_BACKEND STRING_ARG
|
||||
cfg_parser->cfg->cachedb_backend = $2;
|
||||
#else
|
||||
OUTYY(("P(Compiled without cachedb, ignoring)\n"));
|
||||
free($2);
|
||||
#endif
|
||||
}
|
||||
;
|
||||
|
@ -50,6 +50,11 @@
|
||||
#include "sldns/sbuffer.h"
|
||||
#include "services/localzone.h"
|
||||
|
||||
#ifdef HAVE_TIME_H
|
||||
#include <time.h>
|
||||
#endif
|
||||
#include <sys/time.h>
|
||||
|
||||
/** return code that means the function ran out of memory. negative so it does
|
||||
* not conflict with DNS rcodes. */
|
||||
#define RETVAL_OUTMEM -2
|
||||
@ -672,7 +677,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
|
||||
}
|
||||
/* roundrobin offset. using query id for random number. With ntohs
|
||||
* for different roundrobins for sequential id client senders. */
|
||||
rr_offset = RRSET_ROUNDROBIN?ntohs(id):0;
|
||||
rr_offset = RRSET_ROUNDROBIN?ntohs(id)+(timenow?timenow:time(NULL)):0;
|
||||
|
||||
/* "prepend" any local alias records in the answer section if this
|
||||
* response is supposed to be authoritative. Currently it should
|
||||
|
@ -195,6 +195,8 @@ rdata_copy(sldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to,
|
||||
}
|
||||
if(*rr_ttl < MIN_TTL)
|
||||
*rr_ttl = MIN_TTL;
|
||||
if(*rr_ttl > MAX_TTL)
|
||||
*rr_ttl = MAX_TTL;
|
||||
if(*rr_ttl < data->ttl)
|
||||
data->ttl = *rr_ttl;
|
||||
|
||||
@ -853,7 +855,9 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
|
||||
addr_to_str(addr, addrlen, clientip_buf, sizeof(clientip_buf));
|
||||
if(rcode == LDNS_RCODE_FORMERR)
|
||||
{
|
||||
log_info("%s - - - %s - - - ", clientip_buf, rcode_buf);
|
||||
if(LOG_TAG_QUERYREPLY)
|
||||
log_reply("%s - - - %s - - - ", clientip_buf, rcode_buf);
|
||||
else log_info("%s - - - %s - - - ", clientip_buf, rcode_buf);
|
||||
} else {
|
||||
if(qinf->qname)
|
||||
dname_str(qinf->qname, qname_buf);
|
||||
@ -861,7 +865,11 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
|
||||
pktlen = sldns_buffer_limit(rmsg);
|
||||
sldns_wire2str_type_buf(qinf->qtype, type_buf, sizeof(type_buf));
|
||||
sldns_wire2str_class_buf(qinf->qclass, class_buf, sizeof(class_buf));
|
||||
log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
|
||||
if(LOG_TAG_QUERYREPLY)
|
||||
log_reply("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
|
||||
clientip_buf, qname_buf, type_buf, class_buf,
|
||||
rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
|
||||
else log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
|
||||
clientip_buf, qname_buf, type_buf, class_buf,
|
||||
rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
|
||||
}
|
||||
|
@ -157,7 +157,7 @@ struct reply_info {
|
||||
time_t prefetch_ttl;
|
||||
|
||||
/**
|
||||
* Reply TTL extended with serve exipred TTL, to limit time to serve
|
||||
* Reply TTL extended with serve expired TTL, to limit time to serve
|
||||
* expired message.
|
||||
*/
|
||||
time_t serve_expired_ttl;
|
||||
|
@ -40,7 +40,7 @@
|
||||
*/
|
||||
|
||||
#include "config.h"
|
||||
|
||||
#include "util/edns.h"
|
||||
#include "util/config_file.h"
|
||||
#include "util/netevent.h"
|
||||
#include "util/regional.h"
|
||||
|
@ -127,6 +127,7 @@ fptr_whitelist_comm_timer(void (*fptr)(void*))
|
||||
#endif
|
||||
else if(fptr == &auth_xfer_timer) return 1;
|
||||
else if(fptr == &auth_xfer_probe_timer_callback) return 1;
|
||||
else if(fptr == &auth_xfer_transfer_timer_callback) return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -303,6 +304,9 @@ fptr_whitelist_hash_markdelfunc(lruhash_markdelfunc_type fptr)
|
||||
{
|
||||
if(fptr == NULL) return 1;
|
||||
else if(fptr == &rrset_markdel) return 1;
|
||||
#ifdef CLIENT_SUBNET
|
||||
else if(fptr == &subnet_markdel) return 1;
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -561,9 +565,12 @@ int fptr_whitelist_inplace_cb_query(inplace_cb_query_func_type* fptr)
|
||||
#ifdef CLIENT_SUBNET
|
||||
if(fptr == &ecs_whitelist_check)
|
||||
return 1;
|
||||
#else
|
||||
(void)fptr;
|
||||
#endif
|
||||
#ifdef WITH_PYTHONMODULE
|
||||
if(fptr == &python_inplace_cb_query_generic)
|
||||
return 1;
|
||||
#endif
|
||||
(void)fptr;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -4768,6 +4768,7 @@
|
||||
8088,
|
||||
8097,
|
||||
8100,
|
||||
8111,
|
||||
8115,
|
||||
8116,
|
||||
8118,
|
||||
@ -4796,10 +4797,12 @@
|
||||
8206,
|
||||
8207,
|
||||
8208,
|
||||
8211,
|
||||
8230,
|
||||
8231,
|
||||
8232,
|
||||
8243,
|
||||
8266,
|
||||
8276,
|
||||
8280,
|
||||
8282,
|
||||
@ -4862,6 +4865,7 @@
|
||||
8805,
|
||||
8807,
|
||||
8808,
|
||||
8809,
|
||||
8873,
|
||||
8880,
|
||||
8883,
|
||||
|
@ -78,8 +78,6 @@ static const char* ident="unbound";
|
||||
/** are we using syslog(3) to log to */
|
||||
static int logging_to_syslog = 0;
|
||||
#endif /* HAVE_SYSLOG_H */
|
||||
/** time to print in log, if NULL, use time(2) */
|
||||
static time_t* log_now = NULL;
|
||||
/** print time in UTC or in secondsfrom1970 */
|
||||
static int log_time_asc = 0;
|
||||
|
||||
@ -181,11 +179,6 @@ void log_ident_set(const char* id)
|
||||
ident = id;
|
||||
}
|
||||
|
||||
void log_set_time(time_t* t)
|
||||
{
|
||||
log_now = t;
|
||||
}
|
||||
|
||||
void log_set_time_asc(int use_asc)
|
||||
{
|
||||
log_time_asc = use_asc;
|
||||
@ -255,9 +248,7 @@ log_vmsg(int pri, const char* type,
|
||||
lock_quick_unlock(&log_lock);
|
||||
return;
|
||||
}
|
||||
if(log_now)
|
||||
now = (time_t)*log_now;
|
||||
else now = (time_t)time(NULL);
|
||||
now = (time_t)time(NULL);
|
||||
#if defined(HAVE_STRFTIME) && defined(HAVE_LOCALTIME_R)
|
||||
if(log_time_asc && strftime(tmbuf, sizeof(tmbuf), "%b %d %H:%M:%S",
|
||||
localtime_r(&now, &tm))%(sizeof(tmbuf)) != 0) {
|
||||
@ -391,6 +382,24 @@ log_hex(const char* msg, void* data, size_t length)
|
||||
log_hex_f(verbosity, msg, data, length);
|
||||
}
|
||||
|
||||
void
|
||||
log_query(const char *format, ...)
|
||||
{
|
||||
va_list args;
|
||||
va_start(args, format);
|
||||
log_vmsg(LOG_INFO, "query", format, args);
|
||||
va_end(args);
|
||||
}
|
||||
|
||||
void
|
||||
log_reply(const char *format, ...)
|
||||
{
|
||||
va_list args;
|
||||
va_start(args, format);
|
||||
log_vmsg(LOG_INFO, "reply", format, args);
|
||||
va_end(args);
|
||||
}
|
||||
|
||||
void log_buf(enum verbosity_value level, const char* msg, sldns_buffer* buf)
|
||||
{
|
||||
if(verbosity < level)
|
||||
|
@ -112,13 +112,6 @@ int log_thread_get(void);
|
||||
*/
|
||||
void log_ident_set(const char* id);
|
||||
|
||||
/**
|
||||
* Set the time value to print in log entries.
|
||||
* @param t: the point is copied and used to find the time.
|
||||
* if NULL, time(2) is used.
|
||||
*/
|
||||
void log_set_time(time_t* t);
|
||||
|
||||
/**
|
||||
* Set if the time value is printed ascii or decimal in log entries.
|
||||
* @param use_asc: if true, ascii is printed, otherwise decimal.
|
||||
@ -160,6 +153,20 @@ void log_warn(const char* format, ...) ATTR_FORMAT(printf, 1, 2);
|
||||
*/
|
||||
void log_hex(const char* msg, void* data, size_t length);
|
||||
|
||||
/**
|
||||
* Log query.
|
||||
* Pass printf formatted arguments. No trailing newline is needed.
|
||||
* @param format: printf-style format string. Arguments follow.
|
||||
*/
|
||||
void log_query(const char* format, ...) ATTR_FORMAT(printf, 1, 2);
|
||||
|
||||
/**
|
||||
* Log reply.
|
||||
* Pass printf formatted arguments. No trailing newline is needed.
|
||||
* @param format: printf-style format string. Arguments follow.
|
||||
*/
|
||||
void log_reply(const char* format, ...) ATTR_FORMAT(printf, 1, 2);
|
||||
|
||||
/**
|
||||
* Easy alternative for log_hex, takes a sldns_buffer.
|
||||
* @param level: verbosity level for this message, compared to global
|
||||
|
@ -41,6 +41,7 @@
|
||||
*/
|
||||
|
||||
#include "config.h"
|
||||
#include "util/mini_event.h"
|
||||
#ifdef HAVE_TIME_H
|
||||
#include <time.h>
|
||||
#endif
|
||||
@ -48,7 +49,6 @@
|
||||
|
||||
#if defined(USE_MINI_EVENT) && !defined(USE_WINSOCK)
|
||||
#include <signal.h>
|
||||
#include "util/mini_event.h"
|
||||
#include "util/fptr_wlist.h"
|
||||
|
||||
/** compare events in tree, based on timevalue, ptr for uniqueness */
|
||||
|
@ -43,11 +43,14 @@
|
||||
#include "util/data/dname.h"
|
||||
#include "util/module.h"
|
||||
#include "util/regional.h"
|
||||
#include "util/config_file.h"
|
||||
#include "sldns/parseutil.h"
|
||||
#include "sldns/wire2str.h"
|
||||
#include <fcntl.h>
|
||||
#ifdef HAVE_OPENSSL_SSL_H
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/rand.h>
|
||||
#endif
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
#include <openssl/err.h>
|
||||
@ -67,6 +70,15 @@ int MINIMAL_RESPONSES = 0;
|
||||
/** rrset order roundrobin: default is no */
|
||||
int RRSET_ROUNDROBIN = 0;
|
||||
|
||||
/** log tag queries with name instead of 'info' for filtering */
|
||||
int LOG_TAG_QUERYREPLY = 0;
|
||||
|
||||
static struct tls_session_ticket_key {
|
||||
unsigned char *key_name;
|
||||
unsigned char *aes_key;
|
||||
unsigned char *hmac_key;
|
||||
} *ticket_keys;
|
||||
|
||||
/* returns true is string addr is an ip6 specced address */
|
||||
int
|
||||
str_is_ip6(const char* str)
|
||||
@ -361,6 +373,37 @@ log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
|
||||
log_info("%s %s %s %s", str, buf, ts, cs);
|
||||
}
|
||||
|
||||
void
|
||||
log_query_in(const char* str, uint8_t* name, uint16_t type, uint16_t dclass)
|
||||
{
|
||||
char buf[LDNS_MAX_DOMAINLEN+1];
|
||||
char t[12], c[12];
|
||||
const char *ts, *cs;
|
||||
dname_str(name, buf);
|
||||
if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
|
||||
else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
|
||||
else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
|
||||
else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
|
||||
else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
|
||||
else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
|
||||
else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
|
||||
ts = sldns_rr_descript(type)->_name;
|
||||
else {
|
||||
snprintf(t, sizeof(t), "TYPE%d", (int)type);
|
||||
ts = t;
|
||||
}
|
||||
if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
|
||||
sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
|
||||
cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
|
||||
else {
|
||||
snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
|
||||
cs = c;
|
||||
}
|
||||
if(LOG_TAG_QUERYREPLY)
|
||||
log_query("%s %s %s %s", str, buf, ts, cs);
|
||||
else log_info("%s %s %s %s", str, buf, ts, cs);
|
||||
}
|
||||
|
||||
void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen)
|
||||
{
|
||||
@ -759,6 +802,16 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
|
||||
log_crypto_err("could not SSL_CTX_new");
|
||||
return NULL;
|
||||
}
|
||||
if(!key || key[0] == 0) {
|
||||
log_err("error: no tls-service-key file specified");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
if(!pem || pem[0] == 0) {
|
||||
log_err("error: no tls-service-pem file specified");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
if(!listen_sslctx_setup(ctx)) {
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
@ -1006,11 +1059,19 @@ void* outgoing_ssl_fd(void* sslctx, int fd)
|
||||
static lock_basic_type *ub_openssl_locks = NULL;
|
||||
|
||||
/** callback that gets thread id for openssl */
|
||||
#ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
|
||||
static void
|
||||
ub_crypto_id_cb(CRYPTO_THREADID *id)
|
||||
{
|
||||
CRYPTO_THREADID_set_numeric(id, (unsigned long)log_thread_get());
|
||||
}
|
||||
#else
|
||||
static unsigned long
|
||||
ub_crypto_id_cb(void)
|
||||
{
|
||||
return (unsigned long)log_thread_get();
|
||||
}
|
||||
#endif
|
||||
|
||||
static void
|
||||
ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
|
||||
@ -1035,7 +1096,11 @@ int ub_openssl_lock_init(void)
|
||||
for(i=0; i<CRYPTO_num_locks(); i++) {
|
||||
lock_basic_init(&ub_openssl_locks[i]);
|
||||
}
|
||||
# ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
|
||||
CRYPTO_THREADID_set_callback(&ub_crypto_id_cb);
|
||||
# else
|
||||
CRYPTO_set_id_callback(&ub_crypto_id_cb);
|
||||
# endif
|
||||
CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
|
||||
#endif /* OPENSSL_THREADS */
|
||||
return 1;
|
||||
@ -1047,7 +1112,11 @@ void ub_openssl_lock_delete(void)
|
||||
int i;
|
||||
if(!ub_openssl_locks)
|
||||
return;
|
||||
# ifdef HAVE_CRYPTO_THREADID_SET_CALLBACK
|
||||
CRYPTO_THREADID_set_callback(NULL);
|
||||
# else
|
||||
CRYPTO_set_id_callback(NULL);
|
||||
# endif
|
||||
CRYPTO_set_locking_callback(NULL);
|
||||
for(i=0; i<CRYPTO_num_locks(); i++) {
|
||||
lock_basic_destroy(&ub_openssl_locks[i]);
|
||||
@ -1056,3 +1125,134 @@ void ub_openssl_lock_delete(void)
|
||||
#endif /* OPENSSL_THREADS */
|
||||
}
|
||||
|
||||
int listen_sslctx_setup_ticket_keys(void* sslctx, struct config_strlist* tls_session_ticket_keys) {
|
||||
#ifdef HAVE_SSL
|
||||
size_t s = 1;
|
||||
struct config_strlist* p;
|
||||
struct tls_session_ticket_key *keys;
|
||||
for(p = tls_session_ticket_keys; p; p = p->next) {
|
||||
s++;
|
||||
}
|
||||
keys = calloc(s, sizeof(struct tls_session_ticket_key));
|
||||
memset(keys, 0, s*sizeof(*keys));
|
||||
ticket_keys = keys;
|
||||
|
||||
for(p = tls_session_ticket_keys; p; p = p->next) {
|
||||
size_t n;
|
||||
unsigned char *data = (unsigned char *)malloc(80);
|
||||
FILE *f = fopen(p->str, "r");
|
||||
if(!f) {
|
||||
log_err("could not read tls-session-ticket-key %s: %s", p->str, strerror(errno));
|
||||
free(data);
|
||||
return 0;
|
||||
}
|
||||
n = fread(data, 1, 80, f);
|
||||
fclose(f);
|
||||
|
||||
if(n != 80) {
|
||||
log_err("tls-session-ticket-key %s is %d bytes, must be 80 bytes", p->str, (int)n);
|
||||
free(data);
|
||||
return 0;
|
||||
}
|
||||
verbose(VERB_OPS, "read tls-session-ticket-key: %s", p->str);
|
||||
|
||||
keys->key_name = data;
|
||||
keys->aes_key = data + 16;
|
||||
keys->hmac_key = data + 48;
|
||||
keys++;
|
||||
}
|
||||
/* terminate array with NULL key name entry */
|
||||
keys->key_name = NULL;
|
||||
if(SSL_CTX_set_tlsext_ticket_key_cb(sslctx, tls_session_ticket_key_cb) == 0) {
|
||||
log_err("no support for TLS session ticket");
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
#else
|
||||
(void)sslctx;
|
||||
(void)tls_session_ticket_keys;
|
||||
return 0;
|
||||
#endif
|
||||
|
||||
}
|
||||
|
||||
int tls_session_ticket_key_cb(void *ATTR_UNUSED(sslctx), unsigned char* key_name, unsigned char* iv, void *evp_sctx, void *hmac_ctx, int enc)
|
||||
{
|
||||
#ifdef HAVE_SSL
|
||||
const EVP_MD *digest;
|
||||
const EVP_CIPHER *cipher;
|
||||
int evp_cipher_length;
|
||||
digest = EVP_sha256();
|
||||
cipher = EVP_aes_256_cbc();
|
||||
evp_cipher_length = EVP_CIPHER_iv_length(cipher);
|
||||
if( enc == 1 ) {
|
||||
/* encrypt */
|
||||
verbose(VERB_CLIENT, "start session encrypt");
|
||||
memcpy(key_name, ticket_keys->key_name, 16);
|
||||
if (RAND_bytes(iv, evp_cipher_length) != 1) {
|
||||
verbose(VERB_CLIENT, "RAND_bytes failed");
|
||||
return -1;
|
||||
}
|
||||
if (EVP_EncryptInit_ex(evp_sctx, cipher, NULL, ticket_keys->aes_key, iv) != 1) {
|
||||
verbose(VERB_CLIENT, "EVP_EncryptInit_ex failed");
|
||||
return -1;
|
||||
}
|
||||
if (HMAC_Init_ex(hmac_ctx, ticket_keys->hmac_key, 32, digest, NULL) != 1) {
|
||||
verbose(VERB_CLIENT, "HMAC_Init_ex failed");
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
} else if (enc == 0) {
|
||||
/* decrypt */
|
||||
struct tls_session_ticket_key *key;
|
||||
verbose(VERB_CLIENT, "start session decrypt");
|
||||
for(key = ticket_keys; key->key_name != NULL; key++) {
|
||||
if (!memcmp(key_name, key->key_name, 16)) {
|
||||
verbose(VERB_CLIENT, "Found session_key");
|
||||
break;
|
||||
}
|
||||
}
|
||||
if(key->key_name == NULL) {
|
||||
verbose(VERB_CLIENT, "Not found session_key");
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (HMAC_Init_ex(hmac_ctx, key->hmac_key, 32, digest, NULL) != 1) {
|
||||
verbose(VERB_CLIENT, "HMAC_Init_ex failed");
|
||||
return -1;
|
||||
}
|
||||
if (EVP_DecryptInit_ex(evp_sctx, cipher, NULL, key->aes_key, iv) != 1) {
|
||||
log_err("EVP_DecryptInit_ex failed");
|
||||
return -1;
|
||||
}
|
||||
|
||||
return (key == ticket_keys) ? 1 : 2;
|
||||
}
|
||||
return -1;
|
||||
#else
|
||||
(void)key_name;
|
||||
(void)iv;
|
||||
(void)evp_sctx;
|
||||
(void)hmac_ctx;
|
||||
(void)enc;
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
listen_sslctx_delete_ticket_keys(void)
|
||||
{
|
||||
struct tls_session_ticket_key *key;
|
||||
if(!ticket_keys) return;
|
||||
for(key = ticket_keys; key->key_name != NULL; key++) {
|
||||
/* wipe key data from memory*/
|
||||
#ifdef HAVE_EXPLICIT_BZERO
|
||||
explicit_bzero(key->key_name, 80);
|
||||
#else
|
||||
memset(key->key_name, 0xdd, 80);
|
||||
#endif
|
||||
free(key->key_name);
|
||||
}
|
||||
free(ticket_keys);
|
||||
ticket_keys = NULL;
|
||||
}
|
||||
|
@ -44,6 +44,7 @@
|
||||
#include "util/log.h"
|
||||
struct sock_list;
|
||||
struct regional;
|
||||
struct config_strlist;
|
||||
|
||||
/** DNS constants for uint16_t style flag manipulation. host byteorder.
|
||||
* 1 1 1 1 1 1
|
||||
@ -99,6 +100,9 @@ extern int MINIMAL_RESPONSES;
|
||||
/** rrset order roundrobin */
|
||||
extern int RRSET_ROUNDROBIN;
|
||||
|
||||
/** log tag queries with name instead of 'info' for filtering */
|
||||
extern int LOG_TAG_QUERYREPLY;
|
||||
|
||||
/**
|
||||
* See if string is ip4 or ip6.
|
||||
* @param str: IP specification.
|
||||
@ -235,6 +239,12 @@ void sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen,
|
||||
void log_nametypeclass(enum verbosity_value v, const char* str,
|
||||
uint8_t* name, uint16_t type, uint16_t dclass);
|
||||
|
||||
/**
|
||||
* Like log_nametypeclass, but logs with log_query for query logging
|
||||
*/
|
||||
void log_query_in(const char* str, uint8_t* name, uint16_t type,
|
||||
uint16_t dclass);
|
||||
|
||||
/**
|
||||
* Compare two sockaddrs. Imposes an ordering on the addresses.
|
||||
* Compares address and port.
|
||||
@ -428,4 +438,30 @@ int ub_openssl_lock_init(void);
|
||||
*/
|
||||
void ub_openssl_lock_delete(void);
|
||||
|
||||
/**
|
||||
* setup TLS session ticket
|
||||
* @param sslctx: the SSL_CTX to use (from connect_sslctx_create())
|
||||
* @param tls_session_ticket_keys: TLS ticket secret filenames
|
||||
* @return false on failure (alloc failure).
|
||||
*/
|
||||
int listen_sslctx_setup_ticket_keys(void* sslctx,
|
||||
struct config_strlist* tls_session_ticket_keys);
|
||||
|
||||
/**
|
||||
* callback TLS session ticket encrypt and decrypt
|
||||
* For use with SSL_CTX_set_tlsext_ticket_key_cb
|
||||
* @param s: the SSL_CTX to use (from connect_sslctx_create())
|
||||
* @param key_name: secret name, 16 bytes
|
||||
* @param iv: up to EVP_MAX_IV_LENGTH.
|
||||
* @param evp_ctx: the evp cipher context, function sets this.
|
||||
* @param hmac_ctx: the hmax context, function sets this.
|
||||
* @param enc: 1 is encrypt, 0 is decrypt
|
||||
* @return 0 on no ticket, 1 for okay, and 2 for okay but renew the ticket
|
||||
* (the ticket is decrypt only). and <0 for failures.
|
||||
*/
|
||||
int tls_session_ticket_key_cb(void *s, unsigned char* key_name,unsigned char* iv, void *evp_ctx, void *hmac_ctx, int enc);
|
||||
|
||||
/** Free memory used for TLS session ticket keys */
|
||||
void listen_sslctx_delete_ticket_keys(void);
|
||||
|
||||
#endif /* NET_HELP_H */
|
||||
|
@ -50,6 +50,7 @@
|
||||
#include "sldns/str2wire.h"
|
||||
#include "dnstap/dnstap.h"
|
||||
#include "dnscrypt/dnscrypt.h"
|
||||
#include "services/listen_dnsport.h"
|
||||
#ifdef HAVE_OPENSSL_SSL_H
|
||||
#include <openssl/ssl.h>
|
||||
#endif
|
||||
@ -150,7 +151,8 @@ struct internal_signal {
|
||||
/** create a tcp handler with a parent */
|
||||
static struct comm_point* comm_point_create_tcp_handler(
|
||||
struct comm_base *base, struct comm_point* parent, size_t bufsize,
|
||||
comm_point_callback_type* callback, void* callback_arg);
|
||||
struct sldns_buffer* spoolbuf, comm_point_callback_type* callback,
|
||||
void* callback_arg);
|
||||
|
||||
/* -------- End of local definitions -------- */
|
||||
|
||||
@ -176,7 +178,7 @@ comm_base_create(int sigs)
|
||||
}
|
||||
ub_comm_base_now(b);
|
||||
ub_get_event_sys(b->eb->base, &evnm, &evsys, &evmethod);
|
||||
verbose(VERB_ALGO, "%s %s user %s method.", evnm, evsys, evmethod);
|
||||
verbose(VERB_ALGO, "%s %s uses %s method.", evnm, evsys, evmethod);
|
||||
return b;
|
||||
}
|
||||
|
||||
@ -924,6 +926,14 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg)
|
||||
}
|
||||
/* accept incoming connection. */
|
||||
c_hdl = c->tcp_free;
|
||||
/* clear leftover flags from previous use, and then set the
|
||||
* correct event base for the event structure for libevent */
|
||||
ub_event_free(c_hdl->ev->ev);
|
||||
c_hdl->ev->ev = ub_event_new(c_hdl->ev->base->eb->base, -1, UB_EV_PERSIST | UB_EV_READ | UB_EV_TIMEOUT, comm_point_tcp_handle_callback, c_hdl);
|
||||
if(!c_hdl->ev->ev) {
|
||||
log_warn("could not ub_event_new, dropped tcp");
|
||||
return;
|
||||
}
|
||||
log_assert(fd != -1);
|
||||
(void)fd;
|
||||
new_fd = comm_point_perform_accept(c, &c_hdl->repinfo.addr,
|
||||
@ -987,8 +997,12 @@ tcp_callback_writer(struct comm_point* c)
|
||||
c->tcp_is_reading = 1;
|
||||
c->tcp_byte_count = 0;
|
||||
/* switch from listening(write) to listening(read) */
|
||||
comm_point_stop_listening(c);
|
||||
comm_point_start_listening(c, -1, -1);
|
||||
if(c->tcp_req_info) {
|
||||
tcp_req_info_handle_writedone(c->tcp_req_info);
|
||||
} else {
|
||||
comm_point_stop_listening(c);
|
||||
comm_point_start_listening(c, -1, -1);
|
||||
}
|
||||
}
|
||||
|
||||
/** do the callback when reading is done */
|
||||
@ -1000,11 +1014,15 @@ tcp_callback_reader(struct comm_point* c)
|
||||
if(c->tcp_do_toggle_rw)
|
||||
c->tcp_is_reading = 0;
|
||||
c->tcp_byte_count = 0;
|
||||
if(c->type == comm_tcp)
|
||||
comm_point_stop_listening(c);
|
||||
fptr_ok(fptr_whitelist_comm_point(c->callback));
|
||||
if( (*c->callback)(c, c->cb_arg, NETEVENT_NOERROR, &c->repinfo) ) {
|
||||
comm_point_start_listening(c, -1, c->tcp_timeout_msec);
|
||||
if(c->tcp_req_info) {
|
||||
tcp_req_info_handle_readdone(c->tcp_req_info);
|
||||
} else {
|
||||
if(c->type == comm_tcp)
|
||||
comm_point_stop_listening(c);
|
||||
fptr_ok(fptr_whitelist_comm_point(c->callback));
|
||||
if( (*c->callback)(c, c->cb_arg, NETEVENT_NOERROR, &c->repinfo) ) {
|
||||
comm_point_start_listening(c, -1, c->tcp_timeout_msec);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1163,6 +1181,8 @@ ssl_handle_read(struct comm_point* c)
|
||||
c->tcp_byte_count))) <= 0) {
|
||||
int want = SSL_get_error(c->ssl, r);
|
||||
if(want == SSL_ERROR_ZERO_RETURN) {
|
||||
if(c->tcp_req_info)
|
||||
return tcp_req_info_handle_read_close(c->tcp_req_info);
|
||||
return 0; /* shutdown, closed */
|
||||
} else if(want == SSL_ERROR_WANT_READ) {
|
||||
ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ);
|
||||
@ -1172,6 +1192,10 @@ ssl_handle_read(struct comm_point* c)
|
||||
comm_point_listen_for_rw(c, 0, 1);
|
||||
return 1;
|
||||
} else if(want == SSL_ERROR_SYSCALL) {
|
||||
#ifdef ECONNRESET
|
||||
if(errno == ECONNRESET && verbosity < 2)
|
||||
return 0; /* silence reset by peer */
|
||||
#endif
|
||||
if(errno != 0)
|
||||
log_err("SSL_read syscall: %s",
|
||||
strerror(errno));
|
||||
@ -1205,6 +1229,8 @@ ssl_handle_read(struct comm_point* c)
|
||||
if(r <= 0) {
|
||||
int want = SSL_get_error(c->ssl, r);
|
||||
if(want == SSL_ERROR_ZERO_RETURN) {
|
||||
if(c->tcp_req_info)
|
||||
return tcp_req_info_handle_read_close(c->tcp_req_info);
|
||||
return 0; /* shutdown, closed */
|
||||
} else if(want == SSL_ERROR_WANT_READ) {
|
||||
ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ);
|
||||
@ -1214,6 +1240,10 @@ ssl_handle_read(struct comm_point* c)
|
||||
comm_point_listen_for_rw(c, 0, 1);
|
||||
return 1;
|
||||
} else if(want == SSL_ERROR_SYSCALL) {
|
||||
#ifdef ECONNRESET
|
||||
if(errno == ECONNRESET && verbosity < 2)
|
||||
return 0; /* silence reset by peer */
|
||||
#endif
|
||||
if(errno != 0)
|
||||
log_err("SSL_read syscall: %s",
|
||||
strerror(errno));
|
||||
@ -1274,13 +1304,17 @@ ssl_handle_write(struct comm_point* c)
|
||||
if(want == SSL_ERROR_ZERO_RETURN) {
|
||||
return 0; /* closed */
|
||||
} else if(want == SSL_ERROR_WANT_READ) {
|
||||
c->ssl_shake_state = comm_ssl_shake_read;
|
||||
c->ssl_shake_state = comm_ssl_shake_hs_read;
|
||||
comm_point_listen_for_rw(c, 1, 0);
|
||||
return 1; /* wait for read condition */
|
||||
} else if(want == SSL_ERROR_WANT_WRITE) {
|
||||
ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE);
|
||||
return 1; /* write more later */
|
||||
} else if(want == SSL_ERROR_SYSCALL) {
|
||||
#ifdef EPIPE
|
||||
if(errno == EPIPE && verbosity < 2)
|
||||
return 0; /* silence 'broken pipe' */
|
||||
#endif
|
||||
if(errno != 0)
|
||||
log_err("SSL_write syscall: %s",
|
||||
strerror(errno));
|
||||
@ -1308,13 +1342,17 @@ ssl_handle_write(struct comm_point* c)
|
||||
if(want == SSL_ERROR_ZERO_RETURN) {
|
||||
return 0; /* closed */
|
||||
} else if(want == SSL_ERROR_WANT_READ) {
|
||||
c->ssl_shake_state = comm_ssl_shake_read;
|
||||
c->ssl_shake_state = comm_ssl_shake_hs_read;
|
||||
comm_point_listen_for_rw(c, 1, 0);
|
||||
return 1; /* wait for read condition */
|
||||
} else if(want == SSL_ERROR_WANT_WRITE) {
|
||||
ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE);
|
||||
return 1; /* write more later */
|
||||
} else if(want == SSL_ERROR_SYSCALL) {
|
||||
#ifdef EPIPE
|
||||
if(errno == EPIPE && verbosity < 2)
|
||||
return 0; /* silence 'broken pipe' */
|
||||
#endif
|
||||
if(errno != 0)
|
||||
log_err("SSL_write syscall: %s",
|
||||
strerror(errno));
|
||||
@ -1365,9 +1403,11 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok)
|
||||
/* read length bytes */
|
||||
r = recv(fd,(void*)sldns_buffer_at(c->buffer,c->tcp_byte_count),
|
||||
sizeof(uint16_t)-c->tcp_byte_count, 0);
|
||||
if(r == 0)
|
||||
if(r == 0) {
|
||||
if(c->tcp_req_info)
|
||||
return tcp_req_info_handle_read_close(c->tcp_req_info);
|
||||
return 0;
|
||||
else if(r == -1) {
|
||||
} else if(r == -1) {
|
||||
#ifndef USE_WINSOCK
|
||||
if(errno == EINTR || errno == EAGAIN)
|
||||
return 1;
|
||||
@ -1416,6 +1456,8 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok)
|
||||
r = recv(fd, (void*)sldns_buffer_current(c->buffer),
|
||||
sldns_buffer_remaining(c->buffer), 0);
|
||||
if(r == 0) {
|
||||
if(c->tcp_req_info)
|
||||
return tcp_req_info_handle_read_close(c->tcp_req_info);
|
||||
return 0;
|
||||
} else if(r == -1) {
|
||||
#ifndef USE_WINSOCK
|
||||
@ -1525,7 +1567,6 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c)
|
||||
iov[1].iov_base = sldns_buffer_begin(buffer);
|
||||
iov[1].iov_len = sldns_buffer_limit(buffer);
|
||||
log_assert(iov[0].iov_len > 0);
|
||||
log_assert(iov[1].iov_len > 0);
|
||||
msg.msg_name = &c->repinfo.addr;
|
||||
msg.msg_namelen = c->repinfo.addrlen;
|
||||
msg.msg_iov = iov;
|
||||
@ -1592,7 +1633,6 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c)
|
||||
iov[1].iov_base = sldns_buffer_begin(buffer);
|
||||
iov[1].iov_len = sldns_buffer_limit(buffer);
|
||||
log_assert(iov[0].iov_len > 0);
|
||||
log_assert(iov[1].iov_len > 0);
|
||||
r = writev(fd, iov, 2);
|
||||
#else /* HAVE_WRITEV */
|
||||
r = send(fd, (void*)(((uint8_t*)&len)+c->tcp_byte_count),
|
||||
@ -1606,6 +1646,10 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c)
|
||||
#endif
|
||||
if(errno == EINTR || errno == EAGAIN)
|
||||
return 1;
|
||||
#ifdef ECONNRESET
|
||||
if(errno == ECONNRESET && verbosity < 2)
|
||||
return 0; /* silence reset by peer */
|
||||
#endif
|
||||
# ifdef HAVE_WRITEV
|
||||
log_err_addr("tcp writev", strerror(errno),
|
||||
&c->repinfo.addr, c->repinfo.addrlen);
|
||||
@ -1623,6 +1667,8 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c)
|
||||
UB_EV_WRITE);
|
||||
return 1;
|
||||
}
|
||||
if(WSAGetLastError() == WSAECONNRESET && verbosity < 2)
|
||||
return 0; /* silence reset by peer */
|
||||
log_err_addr("tcp send s",
|
||||
wsa_strerror(WSAGetLastError()),
|
||||
&c->repinfo.addr, c->repinfo.addrlen);
|
||||
@ -1646,6 +1692,10 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c)
|
||||
#ifndef USE_WINSOCK
|
||||
if(errno == EINTR || errno == EAGAIN)
|
||||
return 1;
|
||||
#ifdef ECONNRESET
|
||||
if(errno == ECONNRESET && verbosity < 2)
|
||||
return 0; /* silence reset by peer */
|
||||
#endif
|
||||
log_err_addr("tcp send r", strerror(errno),
|
||||
&c->repinfo.addr, c->repinfo.addrlen);
|
||||
#else
|
||||
@ -1655,6 +1705,8 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c)
|
||||
ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE);
|
||||
return 1;
|
||||
}
|
||||
if(WSAGetLastError() == WSAECONNRESET && verbosity < 2)
|
||||
return 0; /* silence reset by peer */
|
||||
log_err_addr("tcp send r", wsa_strerror(WSAGetLastError()),
|
||||
&c->repinfo.addr, c->repinfo.addrlen);
|
||||
#endif
|
||||
@ -1669,6 +1721,29 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c)
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** read again to drain buffers when there could be more to read */
|
||||
static void
|
||||
tcp_req_info_read_again(int fd, struct comm_point* c)
|
||||
{
|
||||
while(c->tcp_req_info->read_again) {
|
||||
int r;
|
||||
c->tcp_req_info->read_again = 0;
|
||||
if(c->tcp_is_reading)
|
||||
r = comm_point_tcp_handle_read(fd, c, 0);
|
||||
else r = comm_point_tcp_handle_write(fd, c);
|
||||
if(!r) {
|
||||
reclaim_tcp_handler(c);
|
||||
if(!c->tcp_do_close) {
|
||||
fptr_ok(fptr_whitelist_comm_point(
|
||||
c->callback));
|
||||
(void)(*c->callback)(c, c->cb_arg,
|
||||
NETEVENT_CLOSED, NULL);
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
comm_point_tcp_handle_callback(int fd, short event, void* arg)
|
||||
{
|
||||
@ -1697,7 +1772,18 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg)
|
||||
}
|
||||
#endif
|
||||
|
||||
if(event&UB_EV_TIMEOUT) {
|
||||
verbose(VERB_QUERY, "tcp took too long, dropped");
|
||||
reclaim_tcp_handler(c);
|
||||
if(!c->tcp_do_close) {
|
||||
fptr_ok(fptr_whitelist_comm_point(c->callback));
|
||||
(void)(*c->callback)(c, c->cb_arg,
|
||||
NETEVENT_TIMEOUT, NULL);
|
||||
}
|
||||
return;
|
||||
}
|
||||
if(event&UB_EV_READ) {
|
||||
int has_tcpq = (c->tcp_req_info != NULL);
|
||||
if(!comm_point_tcp_handle_read(fd, c, 0)) {
|
||||
reclaim_tcp_handler(c);
|
||||
if(!c->tcp_do_close) {
|
||||
@ -1707,9 +1793,12 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg)
|
||||
NETEVENT_CLOSED, NULL);
|
||||
}
|
||||
}
|
||||
if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again)
|
||||
tcp_req_info_read_again(fd, c);
|
||||
return;
|
||||
}
|
||||
if(event&UB_EV_WRITE) {
|
||||
int has_tcpq = (c->tcp_req_info != NULL);
|
||||
if(!comm_point_tcp_handle_write(fd, c)) {
|
||||
reclaim_tcp_handler(c);
|
||||
if(!c->tcp_do_close) {
|
||||
@ -1719,16 +1808,8 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg)
|
||||
NETEVENT_CLOSED, NULL);
|
||||
}
|
||||
}
|
||||
return;
|
||||
}
|
||||
if(event&UB_EV_TIMEOUT) {
|
||||
verbose(VERB_QUERY, "tcp took too long, dropped");
|
||||
reclaim_tcp_handler(c);
|
||||
if(!c->tcp_do_close) {
|
||||
fptr_ok(fptr_whitelist_comm_point(c->callback));
|
||||
(void)(*c->callback)(c, c->cb_arg,
|
||||
NETEVENT_TIMEOUT, NULL);
|
||||
}
|
||||
if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again)
|
||||
tcp_req_info_read_again(fd, c);
|
||||
return;
|
||||
}
|
||||
log_err("Ignored event %d for tcphdl.", event);
|
||||
@ -1779,6 +1860,10 @@ ssl_http_read_more(struct comm_point* c)
|
||||
comm_point_listen_for_rw(c, 0, 1);
|
||||
return 1;
|
||||
} else if(want == SSL_ERROR_SYSCALL) {
|
||||
#ifdef ECONNRESET
|
||||
if(errno == ECONNRESET && verbosity < 2)
|
||||
return 0; /* silence reset by peer */
|
||||
#endif
|
||||
if(errno != 0)
|
||||
log_err("SSL_read syscall: %s",
|
||||
strerror(errno));
|
||||
@ -2221,12 +2306,16 @@ ssl_http_write_more(struct comm_point* c)
|
||||
if(want == SSL_ERROR_ZERO_RETURN) {
|
||||
return 0; /* closed */
|
||||
} else if(want == SSL_ERROR_WANT_READ) {
|
||||
c->ssl_shake_state = comm_ssl_shake_read;
|
||||
c->ssl_shake_state = comm_ssl_shake_hs_read;
|
||||
comm_point_listen_for_rw(c, 1, 0);
|
||||
return 1; /* wait for read condition */
|
||||
} else if(want == SSL_ERROR_WANT_WRITE) {
|
||||
return 1; /* write more later */
|
||||
} else if(want == SSL_ERROR_SYSCALL) {
|
||||
#ifdef EPIPE
|
||||
if(errno == EPIPE && verbosity < 2)
|
||||
return 0; /* silence 'broken pipe' */
|
||||
#endif
|
||||
if(errno != 0)
|
||||
log_err("SSL_write syscall: %s",
|
||||
strerror(errno));
|
||||
@ -2335,6 +2424,16 @@ comm_point_http_handle_callback(int fd, short event, void* arg)
|
||||
log_assert(c->type == comm_http);
|
||||
ub_comm_base_now(c->ev->base);
|
||||
|
||||
if(event&UB_EV_TIMEOUT) {
|
||||
verbose(VERB_QUERY, "http took too long, dropped");
|
||||
reclaim_http_handler(c);
|
||||
if(!c->tcp_do_close) {
|
||||
fptr_ok(fptr_whitelist_comm_point(c->callback));
|
||||
(void)(*c->callback)(c, c->cb_arg,
|
||||
NETEVENT_TIMEOUT, NULL);
|
||||
}
|
||||
return;
|
||||
}
|
||||
if(event&UB_EV_READ) {
|
||||
if(!comm_point_http_handle_read(fd, c)) {
|
||||
reclaim_http_handler(c);
|
||||
@ -2359,16 +2458,6 @@ comm_point_http_handle_callback(int fd, short event, void* arg)
|
||||
}
|
||||
return;
|
||||
}
|
||||
if(event&UB_EV_TIMEOUT) {
|
||||
verbose(VERB_QUERY, "http took too long, dropped");
|
||||
reclaim_http_handler(c);
|
||||
if(!c->tcp_do_close) {
|
||||
fptr_ok(fptr_whitelist_comm_point(c->callback));
|
||||
(void)(*c->callback)(c, c->cb_arg,
|
||||
NETEVENT_TIMEOUT, NULL);
|
||||
}
|
||||
return;
|
||||
}
|
||||
log_err("Ignored event %d for httphdl.", event);
|
||||
}
|
||||
|
||||
@ -2523,7 +2612,8 @@ comm_point_create_udp_ancil(struct comm_base *base, int fd,
|
||||
static struct comm_point*
|
||||
comm_point_create_tcp_handler(struct comm_base *base,
|
||||
struct comm_point* parent, size_t bufsize,
|
||||
comm_point_callback_type* callback, void* callback_arg)
|
||||
struct sldns_buffer* spoolbuf, comm_point_callback_type* callback,
|
||||
void* callback_arg)
|
||||
{
|
||||
struct comm_point* c = (struct comm_point*)calloc(1,
|
||||
sizeof(struct comm_point));
|
||||
@ -2579,6 +2669,20 @@ comm_point_create_tcp_handler(struct comm_base *base,
|
||||
c->repinfo.c = c;
|
||||
c->callback = callback;
|
||||
c->cb_arg = callback_arg;
|
||||
if(spoolbuf) {
|
||||
c->tcp_req_info = tcp_req_info_create(spoolbuf);
|
||||
if(!c->tcp_req_info) {
|
||||
log_err("could not create tcp commpoint");
|
||||
sldns_buffer_free(c->buffer);
|
||||
free(c->timeout);
|
||||
free(c->ev);
|
||||
free(c);
|
||||
return NULL;
|
||||
}
|
||||
c->tcp_req_info->cp = c;
|
||||
c->tcp_do_close = 1;
|
||||
c->tcp_do_toggle_rw = 0;
|
||||
}
|
||||
/* add to parent free list */
|
||||
c->tcp_free = parent->tcp_free;
|
||||
parent->tcp_free = c;
|
||||
@ -2590,6 +2694,9 @@ comm_point_create_tcp_handler(struct comm_base *base,
|
||||
{
|
||||
log_err("could not basetset tcphdl event");
|
||||
parent->tcp_free = c->tcp_free;
|
||||
tcp_req_info_delete(c->tcp_req_info);
|
||||
sldns_buffer_free(c->buffer);
|
||||
free(c->timeout);
|
||||
free(c->ev);
|
||||
free(c);
|
||||
return NULL;
|
||||
@ -2600,7 +2707,8 @@ comm_point_create_tcp_handler(struct comm_base *base,
|
||||
struct comm_point*
|
||||
comm_point_create_tcp(struct comm_base *base, int fd, int num,
|
||||
int idle_timeout, struct tcl_list* tcp_conn_limit, size_t bufsize,
|
||||
comm_point_callback_type* callback, void* callback_arg)
|
||||
struct sldns_buffer* spoolbuf, comm_point_callback_type* callback,
|
||||
void* callback_arg)
|
||||
{
|
||||
struct comm_point* c = (struct comm_point*)calloc(1,
|
||||
sizeof(struct comm_point));
|
||||
@ -2667,7 +2775,7 @@ comm_point_create_tcp(struct comm_base *base, int fd, int num,
|
||||
/* now prealloc the tcp handlers */
|
||||
for(i=0; i<num; i++) {
|
||||
c->tcp_handlers[i] = comm_point_create_tcp_handler(base,
|
||||
c, bufsize, callback, callback_arg);
|
||||
c, bufsize, spoolbuf, callback, callback_arg);
|
||||
if(!c->tcp_handlers[i]) {
|
||||
comm_point_delete(c);
|
||||
return NULL;
|
||||
@ -2949,6 +3057,8 @@ comm_point_close(struct comm_point* c)
|
||||
}
|
||||
}
|
||||
tcl_close_connection(c->tcl_addr);
|
||||
if(c->tcp_req_info)
|
||||
tcp_req_info_clear(c->tcp_req_info);
|
||||
/* close fd after removing from event lists, or epoll.. is messed up */
|
||||
if(c->fd != -1 && !c->do_not_close) {
|
||||
if(c->type == comm_tcp || c->type == comm_http) {
|
||||
@ -2992,6 +3102,9 @@ comm_point_delete(struct comm_point* c)
|
||||
sldns_buffer_free(c->dnscrypt_buffer);
|
||||
}
|
||||
#endif
|
||||
if(c->tcp_req_info) {
|
||||
tcp_req_info_delete(c->tcp_req_info);
|
||||
}
|
||||
}
|
||||
ub_event_free(c->ev->ev);
|
||||
free(c->ev);
|
||||
@ -3032,8 +3145,12 @@ comm_point_send_reply(struct comm_reply *repinfo)
|
||||
dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv,
|
||||
&repinfo->addr, repinfo->c->type, repinfo->c->buffer);
|
||||
#endif
|
||||
comm_point_start_listening(repinfo->c, -1,
|
||||
repinfo->c->tcp_timeout_msec);
|
||||
if(repinfo->c->tcp_req_info) {
|
||||
tcp_req_info_send_reply(repinfo->c->tcp_req_info);
|
||||
} else {
|
||||
comm_point_start_listening(repinfo->c, -1,
|
||||
repinfo->c->tcp_timeout_msec);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -3046,6 +3163,8 @@ comm_point_drop_reply(struct comm_reply* repinfo)
|
||||
log_assert(repinfo->c->type != comm_tcp_accept);
|
||||
if(repinfo->c->type == comm_udp)
|
||||
return;
|
||||
if(repinfo->c->tcp_req_info)
|
||||
repinfo->c->tcp_req_info->is_drop = 1;
|
||||
reclaim_tcp_handler(repinfo->c);
|
||||
}
|
||||
|
||||
@ -3061,8 +3180,8 @@ comm_point_stop_listening(struct comm_point* c)
|
||||
void
|
||||
comm_point_start_listening(struct comm_point* c, int newfd, int msec)
|
||||
{
|
||||
verbose(VERB_ALGO, "comm point start listening %d",
|
||||
c->fd==-1?newfd:c->fd);
|
||||
verbose(VERB_ALGO, "comm point start listening %d (%d msec)",
|
||||
c->fd==-1?newfd:c->fd, msec);
|
||||
if(c->type == comm_tcp_accept && !c->tcp_free) {
|
||||
/* no use to start listening no free slots. */
|
||||
return;
|
||||
|
@ -268,6 +268,9 @@ struct comm_point {
|
||||
/** the entry for the connection. */
|
||||
struct tcl_addr* tcl_addr;
|
||||
|
||||
/** the structure to keep track of open requests on this channel */
|
||||
struct tcp_req_info* tcp_req_info;
|
||||
|
||||
#ifdef USE_MSG_FASTOPEN
|
||||
/** used to track if the sendto() call should be done when using TFO. */
|
||||
int tcp_do_fastopen;
|
||||
@ -455,6 +458,8 @@ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base,
|
||||
* @param idle_timeout: TCP idle timeout in ms.
|
||||
* @param tcp_conn_limit: TCP connection limit info.
|
||||
* @param bufsize: size of buffer to create for handlers.
|
||||
* @param spoolbuf: shared spool buffer for tcp_req_info structures.
|
||||
* or NULL to not create those structures in the tcp handlers.
|
||||
* @param callback: callback function pointer for TCP handlers.
|
||||
* @param callback_arg: will be passed to your callback function.
|
||||
* @return: returns the TCP listener commpoint. You can find the
|
||||
@ -464,7 +469,8 @@ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base,
|
||||
*/
|
||||
struct comm_point* comm_point_create_tcp(struct comm_base* base,
|
||||
int fd, int num, int idle_timeout, struct tcl_list* tcp_conn_limit,
|
||||
size_t bufsize, comm_point_callback_type* callback, void* callback_arg);
|
||||
size_t bufsize, struct sldns_buffer* spoolbuf,
|
||||
comm_point_callback_type* callback, void* callback_arg);
|
||||
|
||||
/**
|
||||
* Create an outgoing TCP commpoint. No file descriptor is opened, left at -1.
|
||||
|
@ -1,4 +1,7 @@
|
||||
/*
|
||||
May 2019(Wouter) patch to enable the valgrind clean implementation all the
|
||||
time. This enables better security audit and checks, which is better
|
||||
than the speedup. Git issue #30. Renamed the define ARRAY_CLEAN_ACCESS.
|
||||
February 2013(Wouter) patch defines for BSD endianness, from Brad Smith.
|
||||
January 2012(Wouter) added randomised initial value, fallout from 28c3.
|
||||
March 2007(Wouter) adapted from lookup3.c original, add config.h include.
|
||||
@ -44,6 +47,7 @@ on 1 byte), but shoehorning those bytes into integers efficiently is messy.
|
||||
-------------------------------------------------------------------------------
|
||||
*/
|
||||
/*#define SELF_TEST 1*/
|
||||
#define ARRAY_CLEAN_ACCESS 1
|
||||
|
||||
#include "config.h"
|
||||
#include "util/storage/lookup3.h"
|
||||
@ -336,7 +340,7 @@ uint32_t hashlittle( const void *key, size_t length, uint32_t initval)
|
||||
u.ptr = key;
|
||||
if (HASH_LITTLE_ENDIAN && ((u.i & 0x3) == 0)) {
|
||||
const uint32_t *k = (const uint32_t *)key; /* read 32-bit chunks */
|
||||
#ifdef VALGRIND
|
||||
#ifdef ARRAY_CLEAN_ACCESS
|
||||
const uint8_t *k8;
|
||||
#endif
|
||||
|
||||
@ -361,7 +365,7 @@ uint32_t hashlittle( const void *key, size_t length, uint32_t initval)
|
||||
* still catch it and complain. The masking trick does make the hash
|
||||
* noticeably faster for short strings (like English words).
|
||||
*/
|
||||
#ifndef VALGRIND
|
||||
#ifndef ARRAY_CLEAN_ACCESS
|
||||
|
||||
switch(length)
|
||||
{
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user