Upgrade Unbound to 1.6.4. More to follow.
commit
c7f4d7ad9b
@ -100,6 +100,9 @@ PYUNBOUND_OBJ=@PYUNBOUND_OBJ@
SUBNET_SRC=edns-subnet/edns-subnet.c edns-subnet/subnetmod.c edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c
SUBNET_OBJ=@SUBNET_OBJ@
SUBNET_HEADER=@SUBNET_HEADER@
IPSECMOD_SRC=ipsecmod/ipsecmod.c ipsecmod/ipsecmod-whitelist.c
IPSECMOD_OBJ=@IPSECMOD_OBJ@
IPSECMOD_HEADER=@IPSECMOD_HEADER@
COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \
util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \
@ -109,7 +112,7 @@ iterator/iter_scrub.c iterator/iter_utils.c services/listen_dnsport.c \
services/localzone.c services/mesh.c services/modstack.c services/view.c \
services/outbound_list.c services/outside_network.c util/alloc.c \
util/config_file.c util/configlexer.c util/configparser.c \
util/shm_side/shm_main.c \
util/shm_side/shm_main.c services/authzone.c\
util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \
util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \
util/rtt.c util/storage/dnstree.c util/storage/lookup3.c \
@ -122,7 +125,7 @@ validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \
$(DNSTAP_SRC) $(DNSCRYPT_SRC)
$(DNSTAP_SRC) $(DNSCRYPT_SRC) $(IPSECMOD_SRC)
COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
@ -132,8 +135,9 @@ fptr_wlist.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \
validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo \
$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ)
val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo authzone.lo\
$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
$(IPSECMOD_OBJ)
COMMON_OBJ_WITHOUT_NETCALL+=respip.lo
COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
outside_network.lo
@ -159,10 +163,10 @@ UNITTEST_SRC=testcode/unitanchor.c testcode/unitdname.c \
testcode/unitlruhash.c testcode/unitmain.c testcode/unitmsgparse.c \
testcode/unitneg.c testcode/unitregional.c testcode/unitslabhash.c \
testcode/unitverify.c testcode/readhex.c testcode/testpkts.c testcode/unitldns.c \
testcode/unitecs.c
testcode/unitecs.c testcode/unitauth.c
UNITTEST_OBJ=unitanchor.lo unitdname.lo unitlruhash.lo unitmain.lo \
unitmsgparse.lo unitneg.lo unitregional.lo unitslabhash.lo unitverify.lo \
readhex.lo testpkts.lo unitldns.lo unitecs.lo
readhex.lo testpkts.lo unitldns.lo unitecs.lo unitauth.lo
UNITTEST_OBJ_LINK=$(UNITTEST_OBJ) worker_cb.lo $(COMMON_OBJ) $(SLDNS_OBJ) \
$(COMPAT_OBJ)
DAEMON_SRC=daemon/acl_list.c daemon/cachedump.c daemon/daemon.c \
@ -605,6 +609,7 @@ depend:
-e 's?$$(srcdir)/dnscrypt/dnscrypt_config.h??g' \
-e 's?$$(srcdir)/pythonmod/pythonmod.h?$$(PYTHONMOD_HEADER)?g' \
-e 's?$$(srcdir)/edns-subnet/subnetmod.h $$(srcdir)/edns-subnet/subnet-whitelist.h $$(srcdir)/edns-subnet/edns-subnet.h $$(srcdir)/edns-subnet/addrtree.h?$$(SUBNET_HEADER)?g' \
-e 's?$$(srcdir)/ipsecmod/ipsecmod.h $$(srcdir)/ipsecmod/ipsecmod-whitelist.h?$$(IPSECMOD_HEADER)?g' \
-e 's!\(.*\)\.o[ :]*!\1.lo \1.o: !g' \
> $(DEPEND_TMP)
cp $(DEPEND_TARGET) $(DEPEND_TMP2)
@ -622,18 +627,19 @@ depend:
# Dependencies
dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
$(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
$(srcdir)/util/locks.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/dns.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \
$(srcdir)/sldns/sbuffer.h
infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \
@ -656,11 +662,11 @@ msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h $(srcdir)/util/d
msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/module.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/util/module.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
$(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \
@ -674,10 +680,11 @@ iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterato
$(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_scrub.h $(srcdir)/iterator/iter_priv.h \
$(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h $(srcdir)/util/random.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
$(srcdir)/util/config_file.h $(srcdir)/util/random.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \
$(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \
@ -719,17 +726,18 @@ iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/i
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_priv.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/validator/val_anchor.h \
$(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_utils.h \
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/dns.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \
$(srcdir)/validator/val_utils.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/str2wire.h
listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
$(srcdir)/sldns/sbuffer.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/services/outside_network.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \
$(srcdir)/util/net_help.h $(srcdir)/sldns/sbuffer.h
localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@ -737,27 +745,30 @@ localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/serv
$(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/as112.h
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
$(srcdir)/util/as112.h
mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/outbound_list.h \
$(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/util/alloc.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
$(srcdir)/util/data/dname.h $(srcdir)/respip/respip.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/tube.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/services/view.h $(srcdir)/util/data/dname.h $(srcdir)/respip/respip.h
modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
$(srcdir)/respip/respip.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/services/view.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h \
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \
$(srcdir)/validator/val_utils.h $(srcdir)/respip/respip.h $(srcdir)/services/localzone.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(PYTHONMOD_HEADER) \
$(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h \
$(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h
view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@ -766,31 +777,32 @@ view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(s
outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
$(srcdir)/dnscrypt/cert.h
outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c config.h \
$(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/dnstap/dnstap.h
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
|
alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/util/log.h \
$(srcdir)/util/configyyrename.h $(srcdir)/util/config_file.h util/configparser.h \
$(srcdir)/util/net_help.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/iana_ports.inc
configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
@ -798,24 +810,33 @@ configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configy
configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/util/shm_side/shm_main.h \
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
$(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h
$(srcdir)/libunbound/unbound.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
$(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/services/mesh.h \
$(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/util/config_file.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h
authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/services/authzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/validator/val_nsec3.h \
$(srcdir)/validator/val_secalgo.h
fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/localzone.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
$(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
$(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
$(srcdir)/services/authzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \
@ -823,38 +844,42 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
$(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \
$(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h \
$(PYTHONMOD_HEADER) $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h \
$(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/net_help.h $(srcdir)/edns-subnet/addrtree.h \
$(srcdir)/edns-subnet/edns-subnet.h
locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h
module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/ub_event.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
$(srcdir)/util/net_help.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/dnstap/dnstap.h \
|
net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/sldns/wire2str.h
$(srcdir)/sldns/wire2str.h \
|
random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
regional.lo regional.o: $(srcdir)/util/regional.c config.h $(srcdir)/util/log.h $(srcdir)/util/regional.h
rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h
dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/storage/dnstree.h \
@ -863,25 +888,25 @@ dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/s
lookup3.lo lookup3.o: $(srcdir)/util/storage/lookup3.c config.h $(srcdir)/util/storage/lookup3.h
lruhash.lo lruhash.o: $(srcdir)/util/storage/lruhash.c config.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
slabhash.lo slabhash.o: $(srcdir)/util/storage/slabhash.c config.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h
tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/util/ub_event.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h \
$(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/ub_event.h
ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
$(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
@ -894,9 +919,10 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
$(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/services/modstack.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/services/modstack.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \
val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
@ -912,7 +938,8 @@ validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/val
$(srcdir)/validator/autotrust.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/wire2str.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/validator/val_kcache.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/validator/val_kentry.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
@ -921,13 +948,15 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/
val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
$(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
$(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
@ -943,14 +972,16 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida
val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
$(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
$(srcdir)/sldns/sbuffer.h
$(srcdir)/sldns/sbuffer.h \
val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@ -958,15 +989,16 @@ val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/val
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \
$(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/sldns/parseutil.h
dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \
$(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \
@ -976,8 +1008,9 @@ subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/e
$(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h \
$(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/edns-subnet/subnet-whitelist.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/modstack.h \
$(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
$(srcdir)/services/modstack.h $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h \
$(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
@ -985,18 +1018,43 @@ addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util
subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \
$(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
$(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/regional.h $(srcdir)/util/config_file.h
cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h
$(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/services/cache/dns.h $(srcdir)/validator/val_neg.h \
$(srcdir)/util/rbtree.h $(srcdir)/validator/val_secalgo.h $(srcdir)/iterator/iter_utils.h \
$(srcdir)/iterator/iter_resptype.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/sldns/sbuffer.h
respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h \
$(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/config_file.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
$(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/respip/respip.h
checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/testcode/checklocks.h
dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h
ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h $(srcdir)/ipsecmod/ipsecmod.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/regional.h \
$(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h
ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h \
$(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h \
$(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/regional.h \
$(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
@ -1005,14 +1063,15 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
$(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/random.h \
$(srcdir)/respip/respip.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/services/localzone.h $(srcdir)/services/view.h
$(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/random.h $(srcdir)/respip/respip.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h
unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \
$(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
@ -1049,18 +1108,24 @@ unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h
$(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \
$(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
$(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/edns-subnet.h
unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/dns.h \
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/sbuffer.h
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
$(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
$(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
$(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
$(srcdir)/dnstap/dnstap.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h \
@ -1068,24 +1133,27 @@ cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon
$(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
$(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
$(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
$(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h \
$(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h $(srcdir)/respip/respip.h
remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/alloc.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
$(srcdir)/daemon/remote.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
@ -1098,48 +1166,51 @@ remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h
$(srcdir)/services/outside_network.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/sldns/wire2str.h
stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h \
$(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
$(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
$(srcdir)/daemon/remote.h \
$(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
$(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/remote.h \
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
$(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/util/shm_side/shm_main.h
$(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h
testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
$(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
$(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c \
$(srcdir)/util/log.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/rbtree.h \
$(srcdir)/testcode/fake_event.h $(srcdir)/daemon/remote.h \
$(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@ -1153,69 +1224,72 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
|
||||
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
|
||||
$(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
|
||||
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
|
||||
$(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
|
||||
$(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
|
||||
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
|
||||
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
|
||||
$(srcdir)/validator/val_anchor.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
|
||||
$(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
|
||||
$(srcdir)/util/shm_side/shm_main.h
|
||||
$(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h
|
||||
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
|
||||
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
|
||||
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
|
||||
$(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
|
||||
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
|
||||
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/worker.h \
|
||||
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h \
|
||||
$(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h $(srcdir)/respip/respip.h
|
||||
stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
|
||||
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h \
|
||||
$(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
|
||||
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
|
||||
$(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
|
||||
replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
|
||||
$(srcdir)/dnscrypt/cert.h $(srcdir)/testcode/testpkts.h \
|
||||
$(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
|
||||
fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/testcode/fake_event.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
|
||||
$(srcdir)/util/rbtree.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h \
|
||||
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
|
||||
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h \
|
||||
$(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
|
||||
$(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
|
||||
lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
|
||||
$(srcdir)/services/modstack.h
|
||||
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
|
||||
$(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
|
||||
pktview.lo pktview.o: $(srcdir)/testcode/pktview.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/testcode/readhex.h $(srcdir)/sldns/sbuffer.h \
|
||||
@ -1224,10 +1298,10 @@ readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/r
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h
|
||||
memstats.lo memstats.o: $(srcdir)/testcode/memstats.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
|
||||
$(srcdir)/services/modstack.h
|
||||
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
|
||||
$(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
|
||||
unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c config.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
|
||||
@ -1235,14 +1309,14 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c
|
||||
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
|
||||
$(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \
|
||||
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/services/view.h $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h
|
||||
$(srcdir)/services/view.h $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h $(PYTHONMOD_HEADER)
|
||||
worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
|
||||
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h
|
||||
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h
|
||||
context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbound/context.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
@ -1251,7 +1325,7 @@ context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbou
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/sldns/sbuffer.h
|
||||
$(srcdir)/dnscrypt/cert.h $(srcdir)/sldns/sbuffer.h
|
||||
libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
|
||||
@ -1261,22 +1335,22 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
|
||||
$(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h \
|
||||
$(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
|
||||
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/sldns/sbuffer.h
|
||||
libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h \
|
||||
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
|
||||
$(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
|
||||
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
|
||||
$(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
|
||||
$(srcdir)/sldns/str2wire.h
|
||||
libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
|
||||
$(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/dnscrypt/cert.h $(srcdir)/services/mesh.h \
|
||||
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
|
||||
$(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h \
|
||||
$(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h \
|
||||
$(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/str2wire.h
|
||||
unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
|
||||
asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
@ -1287,34 +1361,40 @@ streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util
|
||||
$(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
|
||||
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
|
||||
|
||||
perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
|
||||
delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
|
||||
unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/shm_side/shm_main.h \
|
||||
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h
|
||||
unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
|
||||
$(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/shm_side/shm_main.h $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h \
|
||||
$(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h
|
||||
unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
|
||||
petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
|
||||
|
||||
petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
|
||||
|
||||
pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
|
||||
$(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h
|
||||
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
|
||||
$(srcdir)/util/regional.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h \
|
||||
|
||||
win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \
|
||||
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/daemon/worker.h \
|
||||
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
|
||||
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
|
||||
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
|
||||
w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
|
||||
unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
|
||||
$(srcdir)/winrc/w_inst.h
|
||||
@ -1322,11 +1402,14 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv
|
||||
$(srcdir)/winrc/w_inst.h
|
||||
anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
|
||||
keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
|
||||
keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
|
||||
$(srcdir)/sldns/rrdef.h \
|
||||
|
||||
sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
|
||||
wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/sldns/keyraw.h
|
||||
$(srcdir)/sldns/keyraw.h \
|
||||
|
||||
parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
|
||||
$(srcdir)/sldns/sbuffer.h
|
||||
parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
|
||||
@ -1346,9 +1429,11 @@ snprintf.lo snprintf.o: $(srcdir)/compat/snprintf.c config.h
|
||||
strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
|
||||
strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
|
||||
strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
|
||||
getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
|
||||
getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
|
||||
|
||||
getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
|
||||
getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
|
||||
getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h \
|
||||
|
||||
getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
|
||||
explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h
|
||||
arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h
|
||||
|
@ -171,12 +171,13 @@ static int
|
||||
cachedb_apply_cfg(struct cachedb_env* cachedb_env, struct config_file* cfg)
|
||||
{
|
||||
const char* backend_str = "testframe"; /* TODO get from cfg */
|
||||
(void)cfg; /* need this until the TODO is implemented */
|
||||
if(backend_str && backend_str[0]) {
|
||||
cachedb_env->backend = cachedb_find_backend(backend_str);
|
||||
if(!cachedb_env->backend) {
|
||||
log_err("cachedb: cannot find backend name '%s",
|
||||
backend_str);
|
||||
return NULL;
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
/* TODO see if more configuration needs to be applied or not */
|
||||
@ -374,6 +375,36 @@ good_expiry_and_qinfo(struct module_qstate* qstate, struct sldns_buffer* buf)
|
||||
return 1;
|
||||
}
|
||||
|
||||
static void
|
||||
packed_rrset_ttl_subtract(struct packed_rrset_data* data, time_t subtract)
|
||||
{
|
||||
size_t i;
|
||||
size_t total = data->count + data->rrsig_count;
|
||||
if(data->ttl > subtract)
|
||||
data->ttl -= subtract;
|
||||
else data->ttl = 0;
|
||||
for(i=0; i<total; i++) {
|
||||
if(data->rr_ttl[i] > subtract)
|
||||
data->rr_ttl[i] -= subtract;
|
||||
else data->rr_ttl[i] = 0;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
adjust_msg_ttl(struct dns_msg* msg, time_t adjust)
|
||||
{
|
||||
size_t i;
|
||||
if(msg->rep->ttl > adjust)
|
||||
msg->rep->ttl -= adjust;
|
||||
else msg->rep->ttl = 0;
|
||||
msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
|
||||
|
||||
for(i=0; i<msg->rep->rrset_count; i++) {
|
||||
packed_rrset_ttl_subtract((struct packed_rrset_data*)msg->
|
||||
rep->rrsets[i]->entry.data, adjust);
|
||||
}
|
||||
}
|
||||
|
||||
/** convert dns message in buffer to return_msg */
|
||||
static int
|
||||
parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
|
||||
@ -420,24 +451,18 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
|
||||
qstate->return_rcode = LDNS_RCODE_NOERROR;
|
||||
|
||||
/* see how much of the TTL expired, and remove it */
|
||||
if(*qstate->env->now <= (time_t)timestamp) {
|
||||
verbose(VERB_ALGO, "cachedb msg adjust by zero");
|
||||
return 1; /* message from the future (clock skew?) */
|
||||
}
|
||||
adjust = *qstate->env->now - (time_t)timestamp;
|
||||
if(qstate->return_msg->rep->ttl < adjust) {
|
||||
verbose(VERB_ALGO, "cachedb msg expired");
|
||||
return 0; /* message expired */
|
||||
}
|
||||
verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust);
|
||||
/*adjust_msg(qstate->return_msg, adjust);*/
|
||||
/* TODO:
|
||||
msg->rep->ttl = r->ttl - adjust;
|
||||
msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
|
||||
for(i=0; i<d->count + d->rrsig_count; i++) {
|
||||
if(d->rr_ttl[i] < adjust)
|
||||
d->rr_ttl[i] = 0;
|
||||
else d->rr_ttl[i] -= adjust;
|
||||
}
|
||||
if(d->ttl < adjust)
|
||||
d->ttl = 0;
|
||||
else d->ttl -= adjust;
|
||||
*/
|
||||
/* TODO */
|
||||
|
||||
return 0;
|
||||
adjust_msg_ttl(qstate->return_msg, adjust);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -80,6 +80,10 @@
|
||||
don't. */
|
||||
#define HAVE_DECL_INET_PTON 1
|
||||
|
||||
/* Define to 1 if you have the declaration of `NID_ED25519', and to 0 if you
|
||||
don't. */
|
||||
#define HAVE_DECL_NID_ED25519 0
|
||||
|
||||
/* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you
|
||||
don't. */
|
||||
#define HAVE_DECL_NID_SECP384R1 1
|
||||
@ -158,6 +162,9 @@
|
||||
/* Define to 1 if you have the `EVP_cleanup' function. */
|
||||
#define HAVE_EVP_CLEANUP 1
|
||||
|
||||
/* Define to 1 if you have the `EVP_DigestVerify' function. */
|
||||
/* #undef HAVE_EVP_DIGESTVERIFY */
|
||||
|
||||
/* Define to 1 if you have the `EVP_dss1' function. */
|
||||
#define HAVE_EVP_DSS1 1
|
||||
|
||||
@ -595,7 +602,7 @@
|
||||
#define PACKAGE_NAME "unbound"
|
||||
|
||||
/* Define to the full name and version of this package. */
|
||||
#define PACKAGE_STRING "unbound 1.6.3"
|
||||
#define PACKAGE_STRING "unbound 1.6.4"
|
||||
|
||||
/* Define to the one symbol short name of this package. */
|
||||
#define PACKAGE_TARNAME "unbound"
|
||||
@ -604,7 +611,7 @@
|
||||
#define PACKAGE_URL ""
|
||||
|
||||
/* Define to the version of this package. */
|
||||
#define PACKAGE_VERSION "1.6.3"
|
||||
#define PACKAGE_VERSION "1.6.4"
|
||||
|
||||
/* default pidfile location */
|
||||
#define PIDFILE "/var/unbound/unbound.pid"
|
||||
@ -623,7 +630,7 @@
|
||||
#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
|
||||
|
||||
/* version number for resource files */
|
||||
#define RSRC_PACKAGE_VERSION 1,6,3,0
|
||||
#define RSRC_PACKAGE_VERSION 1,6,4,0
|
||||
|
||||
/* Directory to chdir to */
|
||||
#define RUN_DIR "/var/unbound"
|
||||
@ -667,6 +674,9 @@
|
||||
/* Define to 1 to enable dnscrypt support */
|
||||
/* #undef USE_DNSCRYPT */
|
||||
|
||||
/* Define to 1 to enable dnscrypt with xchacha20 support */
|
||||
/* #undef USE_DNSCRYPT_XCHACHA20 */
|
||||
|
||||
/* Define to 1 to enable dnstap support */
|
||||
/* #undef USE_DNSTAP */
|
||||
|
||||
@ -679,9 +689,15 @@
|
||||
/* Define this to enable an EVP workaround for older openssl */
|
||||
/* #undef USE_ECDSA_EVP_WORKAROUND */
|
||||
|
||||
/* Define this to enable ED25519 support. */
|
||||
/* #undef USE_ED25519 */
|
||||
|
||||
/* Define this to enable GOST support. */
|
||||
#define USE_GOST 1
|
||||
|
||||
/* Define to 1 to use ipsecmod support. */
|
||||
/* #undef USE_IPSECMOD */
|
||||
|
||||
/* Define if you want to use internal select based events */
|
||||
#define USE_MINI_EVENT 1
|
||||
|
||||
|
@ -79,6 +79,10 @@
|
||||
don't. */
|
||||
#undef HAVE_DECL_INET_PTON
|
||||
|
||||
/* Define to 1 if you have the declaration of `NID_ED25519', and to 0 if you
|
||||
don't. */
|
||||
#undef HAVE_DECL_NID_ED25519
|
||||
|
||||
/* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you
|
||||
don't. */
|
||||
#undef HAVE_DECL_NID_SECP384R1
|
||||
@ -157,6 +161,9 @@
|
||||
/* Define to 1 if you have the `EVP_cleanup' function. */
|
||||
#undef HAVE_EVP_CLEANUP
|
||||
|
||||
/* Define to 1 if you have the `EVP_DigestVerify' function. */
|
||||
#undef HAVE_EVP_DIGESTVERIFY
|
||||
|
||||
/* Define to 1 if you have the `EVP_dss1' function. */
|
||||
#undef HAVE_EVP_DSS1
|
||||
|
||||
@ -666,6 +673,9 @@
|
||||
/* Define to 1 to enable dnscrypt support */
|
||||
#undef USE_DNSCRYPT
|
||||
|
||||
/* Define to 1 to enable dnscrypt with xchacha20 support */
|
||||
#undef USE_DNSCRYPT_XCHACHA20
|
||||
|
||||
/* Define to 1 to enable dnstap support */
|
||||
#undef USE_DNSTAP
|
||||
|
||||
@ -678,9 +688,15 @@
|
||||
/* Define this to enable an EVP workaround for older openssl */
|
||||
#undef USE_ECDSA_EVP_WORKAROUND
|
||||
|
||||
/* Define this to enable ED25519 support. */
|
||||
#undef USE_ED25519
|
||||
|
||||
/* Define this to enable GOST support. */
|
||||
#undef USE_GOST
|
||||
|
||||
/* Define to 1 to use ipsecmod support. */
|
||||
#undef USE_IPSECMOD
|
||||
|
||||
/* Define if you want to use internal select based events */
|
||||
#undef USE_MINI_EVENT
|
||||
|
||||
|
180
contrib/unbound/configure
@ -1,6 +1,6 @@
|
||||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.6.3.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.6.4.
|
||||
#
|
||||
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
|
||||
#
|
||||
@ -590,8 +590,8 @@ MAKEFLAGS=
|
||||
# Identity of this package.
|
||||
PACKAGE_NAME='unbound'
|
||||
PACKAGE_TARNAME='unbound'
|
||||
PACKAGE_VERSION='1.6.3'
|
||||
PACKAGE_STRING='unbound 1.6.3'
|
||||
PACKAGE_VERSION='1.6.4'
|
||||
PACKAGE_STRING='unbound 1.6.4'
|
||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
|
||||
PACKAGE_URL=''
|
||||
|
||||
@ -638,9 +638,12 @@ INSTALLTARGET
|
||||
ALLTARGET
|
||||
SOURCEFILE
|
||||
SOURCEDETERMINE
|
||||
IPSECMOD_HEADER
|
||||
IPSECMOD_OBJ
|
||||
DNSCRYPT_OBJ
|
||||
DNSCRYPT_SRC
|
||||
ENABLE_DNSCRYPT
|
||||
ENABLE_DNSCRYPT_XCHACHA20
|
||||
DNSTAP_OBJ
|
||||
DNSTAP_SRC
|
||||
opt_dnstap_socket_path
|
||||
@ -755,6 +758,9 @@ UNBOUND_CHROOT_DIR
|
||||
UNBOUND_RUN_DIR
|
||||
ub_conf_dir
|
||||
ub_conf_file
|
||||
UNBOUND_LOCALSTATE_DIR
|
||||
UNBOUND_SYSCONF_DIR
|
||||
UNBOUND_SBIN_DIR
|
||||
EGREP
|
||||
GREP
|
||||
CPP
|
||||
@ -851,6 +857,7 @@ enable_subnet
|
||||
enable_gost
|
||||
enable_ecdsa
|
||||
enable_dsa
|
||||
enable_ed25519
|
||||
enable_event_api
|
||||
enable_tfo_client
|
||||
enable_tfo_server
|
||||
@ -867,6 +874,7 @@ with_libfstrm
|
||||
enable_dnscrypt
|
||||
with_libsodium
|
||||
enable_cachedb
|
||||
enable_ipsecmod
|
||||
with_libunbound_only
|
||||
'
|
||||
ac_precious_vars='build_alias
|
||||
@ -1429,7 +1437,7 @@ if test "$ac_init_help" = "long"; then
|
||||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures unbound 1.6.3 to adapt to many kinds of systems.
|
||||
\`configure' configures unbound 1.6.4 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
@ -1494,7 +1502,7 @@ fi
|
||||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of unbound 1.6.3:";;
|
||||
short | recursive ) echo "Configuration of unbound 1.6.4:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
@ -1531,6 +1539,7 @@ Optional Features:
|
||||
--disable-gost Disable GOST support
|
||||
--disable-ecdsa Disable ECDSA support
|
||||
--disable-dsa Disable DSA support
|
||||
--disable-ed25519 Disable ED25519 support
|
||||
--enable-event-api Enable (experimental) pluggable event base
|
||||
libunbound API installed to unbound-event.h
|
||||
--enable-tfo-client Enable TCP Fast Open for client mode
|
||||
@ -1547,6 +1556,8 @@ Optional Features:
|
||||
--enable-dnscrypt Enable dnscrypt support (requires libsodium)
|
||||
--enable-cachedb enable cachedb module that can use external cache
|
||||
storage
|
||||
--enable-ipsecmod Enable ipsecmod module that facilitates
|
||||
opportunistic IPsec
|
||||
|
||||
Optional Packages:
|
||||
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
|
||||
@ -1703,7 +1714,7 @@ fi
|
||||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
unbound configure 1.6.3
|
||||
unbound configure 1.6.4
|
||||
generated by GNU Autoconf 2.69
|
||||
|
||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
@ -2412,7 +2423,7 @@ cat >config.log <<_ACEOF
|
||||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by unbound $as_me 1.6.3, which was
|
||||
It was created by unbound $as_me 1.6.4, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
@ -2764,11 +2775,11 @@ UNBOUND_VERSION_MAJOR=1
|
||||
|
||||
UNBOUND_VERSION_MINOR=6
|
||||
|
||||
UNBOUND_VERSION_MICRO=3
|
||||
UNBOUND_VERSION_MICRO=4
|
||||
|
||||
|
||||
LIBUNBOUND_CURRENT=7
|
||||
LIBUNBOUND_REVISION=2
|
||||
LIBUNBOUND_REVISION=3
|
||||
LIBUNBOUND_AGE=5
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@ -2822,6 +2833,7 @@ LIBUNBOUND_AGE=5
|
||||
# 1.6.1 had 7:0:5 # ub_callback_t typedef renamed to ub_callback_type
|
||||
# 1.6.2 had 7:1:5
|
||||
# 1.6.3 had 7:2:5
|
||||
# 1.6.4 had 7:3:5
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@ -4106,6 +4118,11 @@ case "$prefix" in
|
||||
prefix="/usr/local"
|
||||
;;
|
||||
esac
|
||||
case "$exec_prefix" in
|
||||
NONE)
|
||||
exec_prefix="$prefix"
|
||||
;;
|
||||
esac
|
||||
|
||||
# are we on MinGW?
|
||||
if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
|
||||
@ -4117,6 +4134,12 @@ fi
|
||||
#
|
||||
# Determine configuration file
|
||||
# the eval is to evaluate shell expansion twice
|
||||
UNBOUND_SBIN_DIR=`eval echo "${sbindir}"`
|
||||
|
||||
UNBOUND_SYSCONF_DIR=`eval echo "${sysconfdir}"`
|
||||
|
||||
UNBOUND_LOCALSTATE_DIR=`eval echo "${localstatedir}"`
|
||||
|
||||
if test $on_mingw = "no"; then
|
||||
ub_conf_file=`eval echo "${sysconfdir}/unbound/unbound.conf"`
|
||||
else
|
||||
@ -17598,7 +17621,7 @@ fi
|
||||
|
||||
done
|
||||
|
||||
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1
|
||||
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify
|
||||
do :
|
||||
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
||||
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
|
||||
@ -18046,6 +18069,47 @@ fi
|
||||
;;
|
||||
esac
|
||||
|
||||
# Check whether --enable-ed25519 was given.
|
||||
if test "${enable_ed25519+set}" = set; then :
|
||||
enableval=$enable_ed25519;
|
||||
fi
|
||||
|
||||
use_ed25519="no"
|
||||
case "$enable_ed25519" in
|
||||
no)
|
||||
;;
|
||||
*)
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
ac_fn_c_check_decl "$LINENO" "NID_ED25519" "ac_cv_have_decl_NID_ED25519" "$ac_includes_default
|
||||
#include <openssl/evp.h>
|
||||
|
||||
"
|
||||
if test "x$ac_cv_have_decl_NID_ED25519" = xyes; then :
|
||||
ac_have_decl=1
|
||||
else
|
||||
ac_have_decl=0
|
||||
fi
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_DECL_NID_ED25519 $ac_have_decl
|
||||
_ACEOF
|
||||
if test $ac_have_decl = 1; then :
|
||||
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define USE_ED25519 1
|
||||
_ACEOF
|
||||
|
||||
use_ed25519="yes"
|
||||
|
||||
else
|
||||
if test "x$enable_ed25519" = "xyes"; then as_fn_error $? "OpenSSL does not support ED25519 and you used --enable-ed25519." "$LINENO" 5
|
||||
fi
|
||||
fi
|
||||
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
# Check whether --enable-event-api was given.
|
||||
if test "${enable_event_api+set}" = set; then :
|
||||
@ -20309,6 +20373,73 @@ else
|
||||
as_fn_error $? "The sodium library was not found. Please install sodium!" "$LINENO" 5
|
||||
fi
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing crypto_box_curve25519xchacha20poly1305_beforenm" >&5
|
||||
$as_echo_n "checking for library containing crypto_box_curve25519xchacha20poly1305_beforenm... " >&6; }
|
||||
if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
ac_func_search_save_LIBS=$LIBS
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
/* Override any GCC internal prototype to avoid an error.
|
||||
Use char because int might match the return type of a GCC
|
||||
builtin and then its argument prototype would still apply. */
|
||||
#ifdef __cplusplus
|
||||
extern "C"
|
||||
#endif
|
||||
char crypto_box_curve25519xchacha20poly1305_beforenm ();
|
||||
int
|
||||
main ()
|
||||
{
|
||||
return crypto_box_curve25519xchacha20poly1305_beforenm ();
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
for ac_lib in '' sodium; do
|
||||
if test -z "$ac_lib"; then
|
||||
ac_res="none required"
|
||||
else
|
||||
ac_res=-l$ac_lib
|
||||
LIBS="-l$ac_lib $ac_func_search_save_LIBS"
|
||||
fi
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm=$ac_res
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext
|
||||
if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
|
||||
break
|
||||
fi
|
||||
done
|
||||
if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
|
||||
|
||||
else
|
||||
ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm=no
|
||||
fi
|
||||
rm conftest.$ac_ext
|
||||
LIBS=$ac_func_search_save_LIBS
|
||||
fi
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm" >&5
|
||||
$as_echo "$ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm" >&6; }
|
||||
ac_res=$ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm
|
||||
if test "$ac_res" != no; then :
|
||||
test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
|
||||
|
||||
ENABLE_DNSCRYPT_XCHACHA20=1
|
||||
|
||||
|
||||
$as_echo "#define USE_DNSCRYPT_XCHACHA20 1" >>confdefs.h
|
||||
|
||||
|
||||
else
|
||||
|
||||
ENABLE_DNSCRYPT_XCHACHA20=0
|
||||
|
||||
|
||||
fi
|
||||
|
||||
|
||||
|
||||
$as_echo "#define USE_DNSCRYPT 1" >>confdefs.h
|
||||
@ -20322,6 +20453,8 @@ $as_echo "#define USE_DNSCRYPT 1" >>confdefs.h
|
||||
|
||||
|
||||
else
|
||||
ENABLE_DNSCRYPT_XCHACHA20=0
|
||||
|
||||
|
||||
ENABLE_DNSCRYPT=0
|
||||
|
||||
@ -20347,6 +20480,27 @@ $as_echo "#define USE_CACHEDB 1" >>confdefs.h
|
||||
;;
|
||||
esac
|
||||
|
||||
# check for ipsecmod if requested
|
||||
# Check whether --enable-ipsecmod was given.
|
||||
if test "${enable_ipsecmod+set}" = set; then :
|
||||
enableval=$enable_ipsecmod;
|
||||
fi
|
||||
|
||||
case "$enable_ipsecmod" in
|
||||
yes)
|
||||
|
||||
$as_echo "#define USE_IPSECMOD 1" >>confdefs.h
|
||||
|
||||
IPSECMOD_OBJ="ipsecmod.lo ipsecmod-whitelist.lo"
|
||||
|
||||
IPSECMOD_HEADER='$(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h'
|
||||
|
||||
;;
|
||||
no|*)
|
||||
# nothing
|
||||
;;
|
||||
esac
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
|
||||
$as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }
|
||||
# on openBSD, the implicit rule make $< work.
|
||||
@ -20488,7 +20642,7 @@ _ACEOF
|
||||
|
||||
|
||||
|
||||
version=1.6.3
|
||||
version=1.6.4
|
||||
|
||||
date=`date +'%b %e, %Y'`
|
||||
|
||||
@ -21007,7 +21161,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
||||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by unbound $as_me 1.6.3, which was
|
||||
This file was extended by unbound $as_me 1.6.4, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
@ -21073,7 +21227,7 @@ _ACEOF
|
||||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||
ac_cs_version="\\
|
||||
unbound config.status 1.6.3
|
||||
unbound config.status 1.6.4
|
||||
configured by $0, generated by GNU Autoconf 2.69,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
|
||||
# must be numbers. ac_defun because of later processing
|
||||
m4_define([VERSION_MAJOR],[1])
|
||||
m4_define([VERSION_MINOR],[6])
|
||||
m4_define([VERSION_MICRO],[3])
|
||||
m4_define([VERSION_MICRO],[4])
|
||||
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
|
||||
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
|
||||
|
||||
LIBUNBOUND_CURRENT=7
|
||||
LIBUNBOUND_REVISION=2
|
||||
LIBUNBOUND_REVISION=3
|
||||
LIBUNBOUND_AGE=5
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@ -72,6 +72,7 @@ LIBUNBOUND_AGE=5
|
||||
# 1.6.1 had 7:0:5 # ub_callback_t typedef renamed to ub_callback_type
|
||||
# 1.6.2 had 7:1:5
|
||||
# 1.6.3 had 7:2:5
|
||||
# 1.6.4 had 7:3:5
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@ -109,6 +110,11 @@ case "$prefix" in
|
||||
prefix="/usr/local"
|
||||
;;
|
||||
esac
|
||||
case "$exec_prefix" in
|
||||
NONE)
|
||||
exec_prefix="$prefix"
|
||||
;;
|
||||
esac
|
||||
|
||||
# are we on MinGW?
|
||||
if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
|
||||
@ -120,6 +126,12 @@ fi
|
||||
#
|
||||
# Determine configuration file
|
||||
# the eval is to evaluate shell expansion twice
|
||||
UNBOUND_SBIN_DIR=`eval echo "${sbindir}"`
|
||||
AC_SUBST(UNBOUND_SBIN_DIR)
|
||||
UNBOUND_SYSCONF_DIR=`eval echo "${sysconfdir}"`
|
||||
AC_SUBST(UNBOUND_SYSCONF_DIR)
|
||||
UNBOUND_LOCALSTATE_DIR=`eval echo "${localstatedir}"`
|
||||
AC_SUBST(UNBOUND_LOCALSTATE_DIR)
|
||||
if test $on_mingw = "no"; then
|
||||
ub_conf_file=`eval echo "${sysconfdir}/unbound/unbound.conf"`
|
||||
else
|
||||
@ -680,7 +692,7 @@ else
|
||||
AC_MSG_RESULT([no])
|
||||
fi
|
||||
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1])
|
||||
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify])
|
||||
|
||||
# these check_funcs need -lssl
|
||||
BAKLIBS="$LIBS"
|
||||
@ -906,6 +918,23 @@ case "$enable_dsa" in
|
||||
;;
|
||||
esac
|
||||
|
||||
AC_ARG_ENABLE(ed25519, AC_HELP_STRING([--disable-ed25519], [Disable ED25519 support]))
|
||||
use_ed25519="no"
|
||||
case "$enable_ed25519" in
|
||||
no)
|
||||
;;
|
||||
*)
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
AC_CHECK_DECLS([NID_ED25519], [
|
||||
AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
|
||||
use_ed25519="yes"
|
||||
], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.])
|
||||
fi ], [AC_INCLUDES_DEFAULT
|
||||
#include <openssl/evp.h>
|
||||
])
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
AC_ARG_ENABLE(event-api, AC_HELP_STRING([--enable-event-api], [Enable (experimental) pluggable event base libunbound API installed to unbound-event.h]))
|
||||
case "$enable_event_api" in
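Review bot: An explicit `--enable-ed25519` is silently ignored when `$USE_NSS` or `$USE_NETTLE` is `yes`, because the `AC_MSG_ERROR` for an unsupported backend sits only inside the OpenSSL branch of the `*)` case; the other branch falls through leaving `use_ed25519="no"` with no message. Consider an `else` on `if test $USE_NSS = "no" -a $USE_NETTLE = "no"` that reports the mismatch, e.g. `else if test "x$enable_ed25519" = "xyes"; then AC_MSG_WARN([ED25519 is only supported with OpenSSL; ignoring --enable-ed25519.]); fi`. The same shape appears in the generated configure hunk at `@ -18046,6 +18069,47 @@`, which should come from regenerating rather than hand-editing.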
|
||||
@ -1353,6 +1382,21 @@ case "$enable_cachedb" in
|
||||
;;
|
||||
esac
|
||||
|
||||
# check for ipsecmod if requested
|
||||
AC_ARG_ENABLE(ipsecmod, AC_HELP_STRING([--enable-ipsecmod], [Enable ipsecmod module that facilitates opportunistic IPsec]))
|
||||
case "$enable_ipsecmod" in
|
||||
yes)
|
||||
AC_DEFINE([USE_IPSECMOD], [1], [Define to 1 to use ipsecmod support.])
|
||||
IPSECMOD_OBJ="ipsecmod.lo ipsecmod-whitelist.lo"
|
||||
AC_SUBST(IPSECMOD_OBJ)
|
||||
IPSECMOD_HEADER='$(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h'
|
||||
AC_SUBST(IPSECMOD_HEADER)
|
||||
;;
|
||||
no|*)
|
||||
# nothing
|
||||
;;
|
||||
esac
|
||||
|
||||
AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
|
||||
# on openBSD, the implicit rule make $< work.
|
||||
# on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
|
||||
|
@ -31,3 +31,6 @@ distribution but may be helpful.
|
||||
Contributed by Yuri Voinov.
|
||||
* unbound.socket and unbound.service: systemd files for unbound, install them
|
||||
in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov.
|
||||
* redirect-bogus.patch: Return configured address for bogus A and AAAA answers,
|
||||
instead of SERVFAIL. Contributed by SIDN.
|
||||
* fastrpz.patch: fastrpz support from Farsight Security.
|
||||
|
3552
contrib/unbound/contrib/fastrpz.patch
344
contrib/unbound/contrib/redirect-bogus.patch
@ -0,0 +1,344 @@
|
||||
Index: daemon/worker.c
|
||||
===================================================================
|
||||
--- daemon/worker.c (revision 4191)
|
||||
+++ daemon/worker.c (working copy)
|
||||
@@ -663,8 +663,21 @@
|
||||
if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, rep,
|
||||
LDNS_RCODE_SERVFAIL, edns, worker->scratchpad))
|
||||
goto bail_out;
|
||||
- error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
|
||||
- qinfo, id, flags, edns);
|
||||
+ if (qinfo->qtype == LDNS_RR_TYPE_A &&
|
||||
+ worker->env.cfg->redirect_bogus_ipv4) {
|
||||
+ /* BAD cached */
|
||||
+ fixed_address_encode(repinfo->c->buffer,
|
||||
+ LDNS_RCODE_NOERROR, qinfo, id, flags, edns,
|
||||
+ worker->env.cfg->redirect_bogus_ipv4);
|
||||
+ } else if (qinfo->qtype == LDNS_RR_TYPE_AAAA &&
|
||||
+ worker->env.cfg->redirect_bogus_ipv6) {
|
||||
+ fixed_address_encode(repinfo->c->buffer,
|
||||
+ LDNS_RCODE_NOERROR, qinfo, id, flags, edns,
|
||||
+ worker->env.cfg->redirect_bogus_ipv6);
|
||||
+ } else {
|
||||
+ error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
|
||||
+ qinfo, id, flags, edns);
|
||||
+ }
|
||||
rrset_array_unlock_touch(worker->env.rrset_cache,
|
||||
worker->scratchpad, rep->ref, rep->rrset_count);
|
||||
if(worker->stats.extended) {
|
||||
Index: doc/unbound.conf.5.in
|
||||
===================================================================
|
||||
--- doc/unbound.conf.5.in (revision 4191)
|
||||
+++ doc/unbound.conf.5.in (working copy)
|
||||
@@ -1244,6 +1244,18 @@
|
||||
This can make ordinary queries complete (if repeatedly queried for),
|
||||
and enter the cache, whilst also mitigating the traffic flow by the
|
||||
factor given.
|
||||
+.TP 5
|
||||
+.B redirect-bogus-ipv4: \fI<IPv4 address>
|
||||
+Set a fixed address for DNSSEC failures that are cached
|
||||
+Instead of responding to A queries with SERVFAIL, respond
|
||||
+with NOERROR and the address specified here
|
||||
+The TTL of the response will be 5 seconds
|
||||
+.TP 5
|
||||
+.B redirect-bogus-ipv6: \fI<IPv4 address>
|
||||
+Set a fixed address for DNSSEC failures that are cached
|
||||
+Instead of responding to AAAA queries with SERVFAIL, respond
|
||||
+with NOERROR and the address specified here
|
||||
+The TTL of the response will be 5 seconds
|
||||
.SS "Remote Control Options"
|
||||
In the
|
||||
.B remote\-control:
|
||||
Index: services/mesh.c
|
||||
===================================================================
|
||||
--- services/mesh.c (revision 4191)
|
||||
+++ services/mesh.c (working copy)
|
||||
@@ -1006,6 +1006,7 @@
|
||||
struct timeval end_time;
|
||||
struct timeval duration;
|
||||
int secure;
|
||||
+ int bogus_override = 0;
|
||||
/* Copy the client's EDNS for later restore, to make sure the edns
|
||||
* compare is with the correct edns options. */
|
||||
struct edns_data edns_bak = r->edns;
|
||||
@@ -1016,6 +1017,7 @@
|
||||
rcode = LDNS_RCODE_SERVFAIL;
|
||||
if(m->s.env->cfg->stat_extended)
|
||||
m->s.env->mesh->ans_bogus++;
|
||||
+ bogus_override = 1;
|
||||
}
|
||||
if(rep && rep->security == sec_status_secure)
|
||||
secure = 1;
|
||||
@@ -1047,17 +1049,34 @@
|
||||
} else if(rcode) {
|
||||
m->s.qinfo.qname = r->qname;
|
||||
m->s.qinfo.local_alias = r->local_alias;
|
||||
- if(rcode == LDNS_RCODE_SERVFAIL) {
|
||||
- if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
|
||||
- rep, rcode, &r->edns, m->s.region))
|
||||
- r->edns.opt_list = NULL;
|
||||
- } else {
|
||||
- if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode,
|
||||
- &r->edns, m->s.region))
|
||||
- r->edns.opt_list = NULL;
|
||||
+ if(bogus_override && m->s.qinfo.qtype == LDNS_RR_TYPE_A &&
|
||||
+ m->s.env->cfg->redirect_bogus_ipv4) {
|
||||
+ fixed_address_encode(r->query_reply.c->buffer,
|
||||
+ LDNS_RCODE_NOERROR, &m->s.qinfo, r->qid,
|
||||
+ r->qflags, &r->edns,
|
||||
+ m->s.env->cfg->redirect_bogus_ipv4);
|
||||
+ } else if(bogus_override &&
|
||||
+ m->s.qinfo.qtype == LDNS_RR_TYPE_AAAA &&
|
||||
+ m->s.env->cfg->redirect_bogus_ipv6) {
|
||||
+ fixed_address_encode(r->query_reply.c->buffer,
|
||||
+ LDNS_RCODE_NOERROR, &m->s.qinfo, r->qid,
|
||||
+ r->qflags, &r->edns,
|
||||
+ m->s.env->cfg->redirect_bogus_ipv6);
|
||||
+ } else {
|
||||
+ if(rcode == LDNS_RCODE_SERVFAIL) {
|
||||
+ if(!inplace_cb_reply_servfail_call(m->s.env,
|
||||
+ &m->s.qinfo, &m->s,
|
||||
+ rep, rcode, &r->edns, m->s.region))
|
||||
+ r->edns.opt_list = NULL;
|
||||
+ } else {
|
||||
+ if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo,
|
||||
+ &m->s, rep, rcode, &r->edns,
|
||||
+ m->s.region))
|
||||
+ r->edns.opt_list = NULL;
|
||||
+ }
|
||||
+ error_encode(r->query_reply.c->buffer, rcode,
|
||||
+ &m->s.qinfo, r->qid, r->qflags, &r->edns);
|
||||
}
|
||||
- error_encode(r->query_reply.c->buffer, rcode, &m->s.qinfo,
|
||||
- r->qid, r->qflags, &r->edns);
|
||||
comm_point_send_reply(&r->query_reply);
|
||||
} else {
|
||||
size_t udp_size = r->edns.udp_size;
|
||||
Index: util/config_file.c
|
||||
===================================================================
|
||||
--- util/config_file.c (revision 4191)
|
||||
+++ util/config_file.c (working copy)
|
||||
@@ -273,6 +273,8 @@
|
||||
cfg->ratelimit_factor = 10;
|
||||
cfg->qname_minimisation = 0;
|
||||
cfg->qname_minimisation_strict = 0;
|
||||
+ cfg->redirect_bogus_ipv4 = NULL;
|
||||
+ cfg->redirect_bogus_ipv6 = NULL;
|
||||
cfg->shm_enable = 0;
|
||||
cfg->shm_key = 11777;
|
||||
cfg->dnscrypt = 0;
|
||||
@@ -602,6 +604,10 @@
|
||||
}
|
||||
oi[cfg->num_out_ifs++] = d;
|
||||
cfg->out_ifs = oi;
|
||||
+ } else if (strcmp(opt, "redirect-bogus-ipv4:") == 0) {
|
||||
+ cfg->redirect_bogus_ipv4 = strdup(val);
|
||||
+ } else if (strcmp(opt, "redirect-bogus-ipv6:") == 0) {
|
||||
+ cfg->redirect_bogus_ipv6 = strdup(val);
|
||||
} else {
|
||||
/* unknown or unsupported (from the set_option interface):
|
||||
* interface, outgoing-interface, access-control,
|
||||
@@ -1250,6 +1256,12 @@
|
||||
free(cfg->dnstap_version);
|
||||
config_deldblstrlist(cfg->ratelimit_for_domain);
|
||||
config_deldblstrlist(cfg->ratelimit_below_domain);
|
||||
+ if (cfg->redirect_bogus_ipv4) {
|
||||
+ free(cfg->redirect_bogus_ipv4);
|
||||
+ }
|
||||
+ if (cfg->redirect_bogus_ipv6) {
|
||||
+ free(cfg->redirect_bogus_ipv6);
|
||||
+ }
|
||||
#ifdef USE_IPSECMOD
|
||||
free(cfg->ipsecmod_hook);
|
||||
config_delstrlist(cfg->ipsecmod_whitelist);
|
||||
Index: util/config_file.h
|
||||
===================================================================
|
||||
--- util/config_file.h (revision 4191)
|
||||
+++ util/config_file.h (working copy)
|
||||
@@ -444,6 +444,9 @@
|
||||
/** minimise QNAME in strict mode, minimise according to RFC.
|
||||
* Do not apply fallback */
|
||||
int qname_minimisation_strict;
|
||||
+ /** construct fake responses for DNSSEC failures */
|
||||
+ char *redirect_bogus_ipv4;
|
||||
+ char *redirect_bogus_ipv6;
|
||||
/** SHM data - true if shm is enabled */
|
||||
int shm_enable;
|
||||
/** SHM data - key for the shm */
|
||||
Index: util/configlexer.lex
|
||||
===================================================================
|
||||
--- util/configlexer.lex (revision 4191)
|
||||
+++ util/configlexer.lex (working copy)
|
||||
@@ -410,6 +410,8 @@
|
||||
response-ip-tag{COLON} { YDVAR(2, VAR_RESPONSE_IP_TAG) }
|
||||
response-ip{COLON} { YDVAR(2, VAR_RESPONSE_IP) }
|
||||
response-ip-data{COLON} { YDVAR(2, VAR_RESPONSE_IP_DATA) }
|
||||
+redirect-bogus-ipv4{COLON} { YDVAR(1, VAR_REDIRECT_BOGUS_IPV4) }
|
||||
+redirect-bogus-ipv6{COLON} { YDVAR(1, VAR_REDIRECT_BOGUS_IPV6) }
|
||||
dnscrypt{COLON} { YDVAR(0, VAR_DNSCRYPT) }
|
||||
dnscrypt-enable{COLON} { YDVAR(1, VAR_DNSCRYPT_ENABLE) }
|
||||
dnscrypt-port{COLON} { YDVAR(1, VAR_DNSCRYPT_PORT) }
|
||||
Index: util/configparser.y
|
||||
===================================================================
|
||||
--- util/configparser.y (revision 4191)
|
||||
+++ util/configparser.y (working copy)
|
||||
@@ -44,6 +44,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <assert.h>
|
||||
|
||||
+#include "sldns/str2wire.h"
|
||||
#include "util/configyyrename.h"
|
||||
#include "util/config_file.h"
|
||||
#include "util/net_help.h"
|
||||
@@ -141,6 +142,7 @@
|
||||
%token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW
|
||||
%token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_FAKE_DSA VAR_FAKE_SHA1
|
||||
%token VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR VAR_TRUST_ANCHOR_SIGNALING
|
||||
+%token VAR_REDIRECT_BOGUS_IPV4 VAR_REDIRECT_BOGUS_IPV6
|
||||
%token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
|
||||
%token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
|
||||
%token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
|
||||
@@ -228,6 +230,7 @@
|
||||
server_access_control_tag_data | server_access_control_view |
|
||||
server_qname_minimisation_strict | server_serve_expired |
|
||||
server_fake_dsa | server_log_identity | server_use_systemd |
|
||||
+ server_redirect_bogus_ipv4 | server_redirect_bogus_ipv6 |
|
||||
server_response_ip_tag | server_response_ip | server_response_ip_data |
|
||||
server_shm_enable | server_shm_key | server_fake_sha1 |
|
||||
server_hide_trustanchor | server_trust_anchor_signaling |
|
||||
@@ -1873,6 +1876,34 @@
|
||||
#endif
|
||||
}
|
||||
;
|
||||
+server_redirect_bogus_ipv4: VAR_REDIRECT_BOGUS_IPV4 STRING_ARG
|
||||
+ {
|
||||
+ uint8_t data[4];
|
||||
+ size_t data_len = 4;
|
||||
+ OUTYY(("P(name:%s)\n", $2));
|
||||
+ if(cfg_parser->cfg->redirect_bogus_ipv4) {
|
||||
+ yyerror("redirect-bogus-ipv4, can only use one address");
|
||||
+ }
|
||||
+ if(sldns_str2wire_a_buf($2, data, &data_len) != LDNS_WIREPARSE_ERR_OK) {
|
||||
+ yyerror("redirect-bogus-ipv4, not a valid IPv4 address");
|
||||
+ }
|
||||
+ free(cfg_parser->cfg->redirect_bogus_ipv4);
|
||||
+ cfg_parser->cfg->redirect_bogus_ipv4 = $2;
|
||||
+ }
|
||||
+server_redirect_bogus_ipv6: VAR_REDIRECT_BOGUS_IPV6 STRING_ARG
|
||||
+ {
|
||||
+ uint8_t data[16];
|
||||
+ size_t data_len = 16;
|
||||
+ OUTYY(("P(name:%s)\n", $2));
|
||||
+ if(cfg_parser->cfg->redirect_bogus_ipv6) {
|
||||
+ yyerror("redirect-bogus-ipv6, can only use one address");
|
||||
+ }
|
||||
+ if(sldns_str2wire_aaaa_buf($2, data, &data_len) != LDNS_WIREPARSE_ERR_OK) {
|
||||
+ yyerror("redirect-bogus-ipv6, not a valid IPv6 address");
|
||||
+ }
|
||||
+ free(cfg_parser->cfg->redirect_bogus_ipv6);
|
||||
+ cfg_parser->cfg->redirect_bogus_ipv6 = $2;
|
||||
+ }
|
||||
stub_name: VAR_NAME STRING_ARG
|
||||
{
|
||||
OUTYY(("P(name:%s)\n", $2));
|
||||
Index: util/data/msgencode.c
|
||||
===================================================================
|
||||
--- util/data/msgencode.c (revision 4191)
|
||||
+++ util/data/msgencode.c (working copy)
|
||||
@@ -48,6 +48,7 @@
|
||||
#include "util/regional.h"
|
||||
#include "util/net_help.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
+#include "sldns/str2wire.h"
|
||||
#include "services/localzone.h"
|
||||
|
||||
/** return code that means the function ran out of memory. negative so it does
|
||||
@@ -914,3 +915,63 @@
|
||||
attach_edns_record(buf, &es);
|
||||
}
|
||||
}
|
||||
+
|
||||
+void
|
||||
+fixed_address_encode(sldns_buffer* buf, int r, struct query_info* qinfo,
|
||||
+ uint16_t qid, uint16_t qflags, struct edns_data* edns, char* data)
|
||||
+{
|
||||
+ uint16_t flags;
|
||||
+ uint8_t addr_data[16];
|
||||
+ size_t addr_len = 16;
|
||||
+ if (qinfo->qtype == LDNS_RR_TYPE_A) {
|
||||
+ sldns_str2wire_a_buf(data, addr_data, &addr_len);
|
||||
+ } else if (qinfo->qtype == LDNS_RR_TYPE_AAAA) {
|
||||
+ sldns_str2wire_aaaa_buf(data, addr_data, &addr_len);
|
||||
+ } else {
|
||||
+ return error_encode(buf, LDNS_RCODE_NOERROR, qinfo, qid, qflags, edns);
|
||||
+ }
|
||||
+ sldns_buffer_clear(buf);
|
||||
+ sldns_buffer_write(buf, &qid, sizeof(uint16_t));
|
||||
+ flags = (uint16_t)(BIT_QR | BIT_RA | r); /* QR and retcode*/
|
||||
+ flags |= (qflags & (BIT_RD|BIT_CD)); /* copy RD and CD bit */
|
||||
+ sldns_buffer_write_u16(buf, flags);
|
||||
+ if(qinfo) flags = 1;
|
||||
+ else flags = 0;
|
||||
+ sldns_buffer_write_u16(buf, flags);
|
||||
+ sldns_buffer_write_u16(buf, 1);
|
||||
+ flags = 0;
|
||||
+ sldns_buffer_write(buf, &flags, sizeof(uint16_t));
|
||||
+ sldns_buffer_write(buf, &flags, sizeof(uint16_t));
|
||||
+ if(qinfo) {
|
||||
+ // query
|
||||
+ if(sldns_buffer_current(buf) == qinfo->qname)
|
||||
+ sldns_buffer_skip(buf, (ssize_t)qinfo->qname_len);
|
||||
+ else sldns_buffer_write(buf, qinfo->qname, qinfo->qname_len);
|
||||
+ sldns_buffer_write_u16(buf, qinfo->qtype);
|
||||
+ sldns_buffer_write_u16(buf, qinfo->qclass);
|
||||
+ // faked answer
|
||||
+ if(sldns_buffer_current(buf) == qinfo->qname)
|
||||
+ sldns_buffer_skip(buf, (ssize_t)qinfo->qname_len);
|
||||
+ else sldns_buffer_write(buf, qinfo->qname, qinfo->qname_len);
|
||||
+ sldns_buffer_write_u16(buf, qinfo->qtype);
|
||||
+ sldns_buffer_write_u16(buf, qinfo->qclass);
|
||||
+ sldns_buffer_write_u16(buf, 0);
|
||||
+ // TTL. Should we make this configurable too?
|
||||
+ sldns_buffer_write_u16(buf, 5);
|
||||
+ sldns_buffer_write_u16(buf, addr_len);
|
||||
+ sldns_buffer_write(buf, addr_data, addr_len);
|
||||
+ fflush(stderr);
|
||||
+ }
|
||||
+ sldns_buffer_flip(buf);
|
||||
+ if(edns) {
|
||||
+ struct edns_data es = *edns;
|
||||
+ es.edns_version = EDNS_ADVERTISED_VERSION;
|
||||
+ es.udp_size = EDNS_ADVERTISED_SIZE;
|
||||
+ es.ext_rcode = 0;
|
||||
+ es.bits &= EDNS_DO;
|
||||
+ if(sldns_buffer_limit(buf) + calc_edns_field_size(&es) >
|
||||
+ edns->udp_size)
|
||||
+ return;
|
||||
+ attach_edns_record(buf, &es);
|
||||
+ }
|
||||
+}
|
||||
Index: util/data/msgencode.h
|
||||
===================================================================
|
||||
--- util/data/msgencode.h (revision 4191)
|
||||
+++ util/data/msgencode.h (working copy)
|
||||
@@ -128,4 +128,20 @@
|
||||
void error_encode(struct sldns_buffer* pkt, int r, struct query_info* qinfo,
|
||||
uint16_t qid, uint16_t qflags, struct edns_data* edns);
|
||||
|
||||
+/**
|
||||
+ * Encode a fixed address response.
|
||||
+ * This is a fake answer to either an A or AAA query
|
||||
+ *
|
||||
+ * It will answer with that address
|
||||
+ *
|
||||
+ * @param pkt: where to store the packet.
|
||||
+ * @param r: RCODE value to encode.
|
||||
+ * @param qinfo: if not NULL, the query is included.
|
||||
+ * @param qid: query ID to set in packet. network order.
|
||||
+ * @param qflags: original query flags (to copy RD and CD bits). host order.
|
||||
+ * @param edns: if not NULL, this is the query edns info,
|
||||
+ * and an edns reply is attached. Only attached if EDNS record fits reply.
|
||||
+ */
|
||||
+void fixed_address_encode(struct sldns_buffer* pkt, int r, struct query_info* qinfo,
|
||||
+ uint16_t qid, uint16_t qflags, struct edns_data* edns, char* address);
|
||||
#endif /* UTIL_DATA_MSGENCODE_H */
|
@ -7,7 +7,7 @@ WantedBy=multi-user.target
|
||||
|
||||
[Service]
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
ExecStart=/home/vagrant/unbound_systemd/unbound
|
||||
ExecStart=@UNBOUND_SBIN_DIR@/unbound
|
||||
NotifyAccess=main
|
||||
Type=notify
|
||||
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
|
||||
@ -20,7 +20,7 @@ ProtectControlGroups=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=/etc/unbound /run
|
||||
ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@
|
||||
RestrictAddressFamilies=AF_INET AF_UNIX
|
||||
RestrictRealtime=true
|
||||
SystemCallArchitectures=native
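Review bot: `RestrictAddressFamilies=AF_INET AF_UNIX` in this [Service] block omits AF_INET6, so under this hardened unit a resolver configured to listen on or resolve over IPv6 (which unbound supports out of the box) would be unable to create those sockets; the line should read `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`. The new `ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@` also keeps a blanket `/run` entry next to the more specific @UNBOUND_RUN_DIR@; if the run directory is substituted to a path under /run, the `/run` entry subsumes it and could be dropped so that ProtectSystem=strict actually confines writes to the directories unbound needs. The rest of the [Service] section lies outside this excerpt.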
|
||||
|
@ -124,7 +124,7 @@ timeval_subtract(struct timeval* d, const struct timeval* end,
|
||||
|
||||
/** divide sum of timers to get average */
|
||||
static void
|
||||
timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
|
||||
timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
size_t leftover;
|
||||
@ -260,10 +260,10 @@ daemon_remote_create(struct config_file* cfg)
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
#ifdef SHA256_DIGEST_LENGTH
|
||||
#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
|
||||
/* if we have sha256, set the cipher list to have no known vulns */
|
||||
if(!SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
|
||||
log_crypto_err("coult not set cipher list with SSL_CTX_set_cipher_list");
|
||||
log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
|
||||
#endif
|
||||
|
||||
if (cfg->remote_control_use_cert == 0) {
|
||||
@ -780,9 +780,9 @@ do_verbosity(SSL* ssl, char* str)
|
||||
|
||||
/** print stats from statinfo */
|
||||
static int
|
||||
print_stats(SSL* ssl, const char* nm, struct stats_info* s)
|
||||
print_stats(SSL* ssl, const char* nm, struct ub_stats_info* s)
|
||||
{
|
||||
struct timeval avg;
|
||||
struct timeval sumwait, avg;
|
||||
if(!ssl_printf(ssl, "%s.num.queries"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_queries)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.queries_ip_ratelimited"SQ"%lu\n", nm,
|
||||
@ -799,19 +799,19 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
|
||||
if(!ssl_printf(ssl, "%s.num.recursivereplies"SQ"%lu\n", nm,
|
||||
(unsigned long)s->mesh_replies_sent)) return 0;
|
||||
#ifdef USE_DNSCRYPT
|
||||
if(!ssl_printf(ssl, "%s.num.dnscrypt.crypted"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_query_dnscrypt_crypted)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.dnscrypt.cert"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_query_dnscrypt_cert)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.dnscrypt.cleartext"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_query_dnscrypt_cleartext)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.dnscrypt.malformed"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_query_dnscrypt_crypted_malformed)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.dnscrypt.crypted"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_query_dnscrypt_crypted)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.dnscrypt.cert"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_query_dnscrypt_cert)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.dnscrypt.cleartext"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_query_dnscrypt_cleartext)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.dnscrypt.malformed"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_query_dnscrypt_crypted_malformed)) return 0;
|
||||
#endif
|
||||
if(!ssl_printf(ssl, "%s.requestlist.avg"SQ"%g\n", nm,
|
||||
(s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
|
||||
(double)s->svr.sum_query_list_size/
|
||||
(s->svr.num_queries_missed_cache+
|
||||
(double)(s->svr.num_queries_missed_cache+
|
||||
s->svr.num_queries_prefetch) : 0.0)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.requestlist.max"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.max_query_list_size)) return 0;
|
||||
@ -823,7 +823,11 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
|
||||
(unsigned long)s->mesh_num_states)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.requestlist.current.user"SQ"%lu\n", nm,
|
||||
(unsigned long)s->mesh_num_reply_states)) return 0;
|
||||
timeval_divide(&avg, &s->mesh_replies_sum_wait, s->mesh_replies_sent);
|
||||
#ifndef S_SPLINT_S
|
||||
sumwait.tv_sec = s->mesh_replies_sum_wait_sec;
|
||||
sumwait.tv_usec = s->mesh_replies_sum_wait_usec;
|
||||
#endif
|
||||
timeval_divide(&avg, &sumwait, s->mesh_replies_sent);
|
||||
if(!ssl_printf(ssl, "%s.recursion.time.avg"SQ ARG_LL "d.%6.6d\n", nm,
|
||||
(long long)avg.tv_sec, (int)avg.tv_usec)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.recursion.time.median"SQ"%g\n", nm,
|
||||
@ -835,7 +839,7 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
|
||||
|
||||
/** print stats for one thread */
|
||||
static int
|
||||
print_thread_stats(SSL* ssl, int i, struct stats_info* s)
|
||||
print_thread_stats(SSL* ssl, int i, struct ub_stats_info* s)
|
||||
{
|
||||
char nm[16];
|
||||
snprintf(nm, sizeof(nm), "thread%d", i);
|
||||
@ -862,46 +866,24 @@ print_longnum(SSL* ssl, const char* desc, size_t x)
|
||||
static int
|
||||
print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
|
||||
{
|
||||
int m;
|
||||
size_t msg, rrset, val, iter, respip;
|
||||
#ifdef CLIENT_SUBNET
|
||||
size_t subnet = 0;
|
||||
#endif /* CLIENT_SUBNET */
|
||||
#ifdef USE_IPSECMOD
|
||||
size_t ipsecmod = 0;
|
||||
#endif /* USE_IPSECMOD */
|
||||
msg = slabhash_get_mem(daemon->env->msg_cache);
|
||||
rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
|
||||
val=0;
|
||||
iter=0;
|
||||
respip=0;
|
||||
m = modstack_find(&worker->env.mesh->mods, "validator");
|
||||
if(m != -1) {
|
||||
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
|
||||
mods.mod[m]->get_mem));
|
||||
val = (*worker->env.mesh->mods.mod[m]->get_mem)
|
||||
(&worker->env, m);
|
||||
}
|
||||
m = modstack_find(&worker->env.mesh->mods, "iterator");
|
||||
if(m != -1) {
|
||||
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
|
||||
mods.mod[m]->get_mem));
|
||||
iter = (*worker->env.mesh->mods.mod[m]->get_mem)
|
||||
(&worker->env, m);
|
||||
}
|
||||
m = modstack_find(&worker->env.mesh->mods, "respip");
|
||||
if(m != -1) {
|
||||
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
|
||||
mods.mod[m]->get_mem));
|
||||
respip = (*worker->env.mesh->mods.mod[m]->get_mem)
|
||||
(&worker->env, m);
|
||||
}
|
||||
val = mod_get_mem(&worker->env, "validator");
|
||||
iter = mod_get_mem(&worker->env, "iterator");
|
||||
respip = mod_get_mem(&worker->env, "respip");
|
||||
#ifdef CLIENT_SUBNET
|
||||
m = modstack_find(&worker->env.mesh->mods, "subnet");
|
||||
if(m != -1) {
|
||||
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
|
||||
mods.mod[m]->get_mem));
|
||||
subnet = (*worker->env.mesh->mods.mod[m]->get_mem)
|
||||
(&worker->env, m);
|
||||
}
|
||||
subnet = mod_get_mem(&worker->env, "subnet");
|
||||
#endif /* CLIENT_SUBNET */
|
||||
#ifdef USE_IPSECMOD
|
||||
ipsecmod = mod_get_mem(&worker->env, "ipsecmod");
|
||||
#endif /* USE_IPSECMOD */
|
||||
|
||||
if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset))
|
||||
return 0;
|
||||
@ -917,6 +899,10 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
|
||||
if(!print_longnum(ssl, "mem.mod.subnet"SQ, subnet))
|
||||
return 0;
|
||||
#endif /* CLIENT_SUBNET */
|
||||
#ifdef USE_IPSECMOD
|
||||
if(!print_longnum(ssl, "mem.mod.ipsecmod"SQ, ipsecmod))
|
||||
return 0;
|
||||
#endif /* USE_IPSECMOD */
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -941,7 +927,7 @@ print_uptime(SSL* ssl, struct worker* worker, int reset)
|
||||
|
||||
/** print extended histogram */
|
||||
static int
|
||||
print_hist(SSL* ssl, struct stats_info* s)
|
||||
print_hist(SSL* ssl, struct ub_stats_info* s)
|
||||
{
|
||||
struct timehist* hist;
|
||||
size_t i;
|
||||
@ -969,14 +955,14 @@ print_hist(SSL* ssl, struct stats_info* s)
|
||||
|
||||
/** print extended stats */
|
||||
static int
|
||||
print_ext(SSL* ssl, struct stats_info* s)
|
||||
print_ext(SSL* ssl, struct ub_stats_info* s)
|
||||
{
|
||||
int i;
|
||||
char nm[16];
|
||||
const sldns_rr_descriptor* desc;
|
||||
const sldns_lookup_table* lt;
|
||||
/* TYPE */
|
||||
for(i=0; i<STATS_QTYPE_NUM; i++) {
|
||||
for(i=0; i<UB_STATS_QTYPE_NUM; i++) {
|
||||
if(inhibit_zero && s->svr.qtype[i] == 0)
|
||||
continue;
|
||||
desc = sldns_rr_descript((uint16_t)i);
|
||||
@ -1003,7 +989,7 @@ print_ext(SSL* ssl, struct stats_info* s)
|
||||
(unsigned long)s->svr.qtype_big)) return 0;
|
||||
}
|
||||
/* CLASS */
|
||||
for(i=0; i<STATS_QCLASS_NUM; i++) {
|
||||
for(i=0; i<UB_STATS_QCLASS_NUM; i++) {
|
||||
if(inhibit_zero && s->svr.qclass[i] == 0)
|
||||
continue;
|
||||
lt = sldns_lookup_by_id(sldns_rr_classes, i);
|
||||
@ -1020,7 +1006,7 @@ print_ext(SSL* ssl, struct stats_info* s)
|
||||
(unsigned long)s->svr.qclass_big)) return 0;
|
||||
}
|
||||
/* OPCODE */
|
||||
for(i=0; i<STATS_OPCODE_NUM; i++) {
|
||||
for(i=0; i<UB_STATS_OPCODE_NUM; i++) {
|
||||
if(inhibit_zero && s->svr.qopcode[i] == 0)
|
||||
continue;
|
||||
lt = sldns_lookup_by_id(sldns_opcodes, i);
|
||||
@ -1062,7 +1048,7 @@ print_ext(SSL* ssl, struct stats_info* s)
|
||||
(unsigned long)s->svr.qEDNS_DO)) return 0;
|
||||
|
||||
/* RCODE */
|
||||
for(i=0; i<STATS_RCODE_NUM; i++) {
|
||||
for(i=0; i<UB_STATS_RCODE_NUM; i++) {
|
||||
/* Always include RCODEs 0-5 */
|
||||
if(inhibit_zero && i > LDNS_RCODE_REFUSED && s->svr.ans_rcode[i] == 0)
|
||||
continue;
|
||||
@ -1108,8 +1094,8 @@ static void
|
||||
do_stats(SSL* ssl, struct daemon_remote* rc, int reset)
|
||||
{
|
||||
struct daemon* daemon = rc->worker->daemon;
|
||||
struct stats_info total;
|
||||
struct stats_info s;
|
||||
struct ub_stats_info total;
|
||||
struct ub_stats_info s;
|
||||
int i;
|
||||
log_assert(daemon->num > 0);
|
||||
/* gather all thread statistics in one place */
|
||||
@ -1407,6 +1393,14 @@ do_view_zone_add(SSL* ssl, struct worker* worker, char* arg)
|
||||
ssl_printf(ssl,"error out of memory\n");
|
||||
return;
|
||||
}
|
||||
if(!v->isfirst) {
|
||||
/* Global local-zone is not used for this view,
|
||||
* therefore add defaults to this view-specic
|
||||
* local-zone. */
|
||||
struct config_file lz_cfg;
|
||||
memset(&lz_cfg, 0, sizeof(lz_cfg));
|
||||
local_zone_enter_defaults(v->local_zones, &lz_cfg);
|
||||
}
|
||||
}
|
||||
do_zone_add(ssl, v->local_zones, arg2);
|
||||
lock_rw_unlock(&v->lock);
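Review bot: In daemon_remote_create the cipher-list call is now compiled only under `#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)`, so a build without ECDSA support no longer restricts the remote-control TLS cipher suites at all and silently inherits OpenSSL's default list, contradicting the adjacent comment "set the cipher list to have no known vulns". Gating on USE_ECDSA is understandable since every listed suite is ECDHE, but the non-ECDSA path should get an explicit fallback rather than nothing, for example an `#else` branch calling `SSL_CTX_set_cipher_list(rc->ctx, "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256")` with the same log_crypto_err on failure, or at minimum a comment stating that the OpenSSL default list is deliberately accepted there. A smaller point in do_view_zone_add: the new call `local_zone_enter_defaults(v->local_zones, &lz_cfg);` discards its result, whereas the allocation just above it is checked and reported as "error out of memory"; if that function signals failure through its return value, it should be checked and reported to the ssl client in the same way. The surrounding function bodies start outside the visible hunks.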
|
||||
|
@ -63,42 +63,42 @@
|
||||
|
||||
/** add timers and the values do not overflow or become negative */
|
||||
static void
|
||||
timeval_add(struct timeval* d, const struct timeval* add)
|
||||
stats_timeval_add(long long* d_sec, long long* d_usec, long long add_sec, long long add_usec)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
d->tv_sec += add->tv_sec;
|
||||
d->tv_usec += add->tv_usec;
|
||||
if(d->tv_usec > 1000000) {
|
||||
d->tv_usec -= 1000000;
|
||||
d->tv_sec++;
|
||||
(*d_sec) += add_sec;
|
||||
(*d_usec) += add_usec;
|
||||
if((*d_usec) > 1000000) {
|
||||
(*d_usec) -= 1000000;
|
||||
(*d_sec)++;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
void server_stats_init(struct server_stats* stats, struct config_file* cfg)
|
||||
void server_stats_init(struct ub_server_stats* stats, struct config_file* cfg)
|
||||
{
|
||||
memset(stats, 0, sizeof(*stats));
|
||||
stats->extended = cfg->stat_extended;
|
||||
}
|
||||
|
||||
void server_stats_querymiss(struct server_stats* stats, struct worker* worker)
|
||||
void server_stats_querymiss(struct ub_server_stats* stats, struct worker* worker)
|
||||
{
|
||||
stats->num_queries_missed_cache++;
|
||||
stats->sum_query_list_size += worker->env.mesh->all.count;
|
||||
if(worker->env.mesh->all.count > stats->max_query_list_size)
|
||||
stats->max_query_list_size = worker->env.mesh->all.count;
|
||||
if((long long)worker->env.mesh->all.count > stats->max_query_list_size)
|
||||
stats->max_query_list_size = (long long)worker->env.mesh->all.count;
|
||||
}
|
||||
|
||||
void server_stats_prefetch(struct server_stats* stats, struct worker* worker)
|
||||
void server_stats_prefetch(struct ub_server_stats* stats, struct worker* worker)
|
||||
{
|
||||
stats->num_queries_prefetch++;
|
||||
/* changes the query list size so account that, like a querymiss */
|
||||
stats->sum_query_list_size += worker->env.mesh->all.count;
|
||||
if(worker->env.mesh->all.count > stats->max_query_list_size)
|
||||
stats->max_query_list_size = worker->env.mesh->all.count;
|
||||
if((long long)worker->env.mesh->all.count > stats->max_query_list_size)
|
||||
stats->max_query_list_size = (long long)worker->env.mesh->all.count;
|
||||
}
|
||||
|
||||
void server_stats_log(struct server_stats* stats, struct worker* worker,
|
||||
void server_stats_log(struct ub_server_stats* stats, struct worker* worker,
|
||||
int threadnum)
|
||||
{
|
||||
log_info("server stats for thread %d: %u queries, "
|
||||
@ -115,7 +115,7 @@ void server_stats_log(struct server_stats* stats, struct worker* worker,
|
||||
(unsigned)stats->max_query_list_size,
|
||||
(stats->num_queries_missed_cache+stats->num_queries_prefetch)?
|
||||
(double)stats->sum_query_list_size/
|
||||
(stats->num_queries_missed_cache+
|
||||
(double)(stats->num_queries_missed_cache+
|
||||
stats->num_queries_prefetch) : 0.0,
|
||||
(unsigned)worker->env.mesh->stats_dropped,
|
||||
(unsigned)worker->env.mesh->stats_jostled);
|
||||
@ -140,49 +140,50 @@ get_rrset_bogus(struct worker* worker)
|
||||
}
|
||||
|
||||
void
|
||||
server_stats_compile(struct worker* worker, struct stats_info* s, int reset)
|
||||
server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
|
||||
{
|
||||
int i;
|
||||
struct listen_list* lp;
|
||||
|
||||
s->svr = worker->stats;
|
||||
s->mesh_num_states = worker->env.mesh->all.count;
|
||||
s->mesh_num_reply_states = worker->env.mesh->num_reply_states;
|
||||
s->mesh_jostled = worker->env.mesh->stats_jostled;
|
||||
s->mesh_dropped = worker->env.mesh->stats_dropped;
|
||||
s->mesh_replies_sent = worker->env.mesh->replies_sent;
|
||||
s->mesh_replies_sum_wait = worker->env.mesh->replies_sum_wait;
|
||||
s->mesh_num_states = (long long)worker->env.mesh->all.count;
|
||||
s->mesh_num_reply_states = (long long)worker->env.mesh->num_reply_states;
|
||||
s->mesh_jostled = (long long)worker->env.mesh->stats_jostled;
|
||||
s->mesh_dropped = (long long)worker->env.mesh->stats_dropped;
|
||||
s->mesh_replies_sent = (long long)worker->env.mesh->replies_sent;
|
||||
s->mesh_replies_sum_wait_sec = (long long)worker->env.mesh->replies_sum_wait.tv_sec;
|
||||
s->mesh_replies_sum_wait_usec = (long long)worker->env.mesh->replies_sum_wait.tv_usec;
|
||||
s->mesh_time_median = timehist_quartile(worker->env.mesh->histogram,
|
||||
0.50);
|
||||
|
||||
/* add in the values from the mesh */
|
||||
s->svr.ans_secure += worker->env.mesh->ans_secure;
|
||||
s->svr.ans_bogus += worker->env.mesh->ans_bogus;
|
||||
s->svr.ans_rcode_nodata += worker->env.mesh->ans_nodata;
|
||||
s->svr.ans_secure += (long long)worker->env.mesh->ans_secure;
|
||||
s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus;
|
||||
s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata;
|
||||
for(i=0; i<16; i++)
|
||||
s->svr.ans_rcode[i] += worker->env.mesh->ans_rcode[i];
|
||||
s->svr.ans_rcode[i] += (long long)worker->env.mesh->ans_rcode[i];
|
||||
timehist_export(worker->env.mesh->histogram, s->svr.hist,
|
||||
NUM_BUCKETS_HIST);
|
||||
/* values from outside network */
|
||||
s->svr.unwanted_replies = worker->back->unwanted_replies;
|
||||
s->svr.qtcp_outgoing = worker->back->num_tcp_outgoing;
|
||||
s->svr.unwanted_replies = (long long)worker->back->unwanted_replies;
|
||||
s->svr.qtcp_outgoing = (long long)worker->back->num_tcp_outgoing;
|
||||
|
||||
/* get and reset validator rrset bogus number */
|
||||
s->svr.rrset_bogus = get_rrset_bogus(worker);
|
||||
s->svr.rrset_bogus = (long long)get_rrset_bogus(worker);
|
||||
|
||||
/* get cache sizes */
|
||||
s->svr.msg_cache_count = count_slabhash_entries(worker->env.msg_cache);
|
||||
s->svr.rrset_cache_count = count_slabhash_entries(&worker->env.rrset_cache->table);
|
||||
s->svr.infra_cache_count = count_slabhash_entries(worker->env.infra_cache->hosts);
|
||||
s->svr.msg_cache_count = (long long)count_slabhash_entries(worker->env.msg_cache);
|
||||
s->svr.rrset_cache_count = (long long)count_slabhash_entries(&worker->env.rrset_cache->table);
|
||||
s->svr.infra_cache_count = (long long)count_slabhash_entries(worker->env.infra_cache->hosts);
|
||||
if(worker->env.key_cache)
|
||||
s->svr.key_cache_count = count_slabhash_entries(worker->env.key_cache->slab);
|
||||
s->svr.key_cache_count = (long long)count_slabhash_entries(worker->env.key_cache->slab);
|
||||
else s->svr.key_cache_count = 0;
|
||||
|
||||
/* get tcp accept usage */
|
||||
s->svr.tcp_accept_usage = 0;
|
||||
for(lp = worker->front->cps; lp; lp = lp->next) {
|
||||
if(lp->com->type == comm_tcp_accept)
|
||||
s->svr.tcp_accept_usage += lp->com->cur_tcp_count;
|
||||
s->svr.tcp_accept_usage += (long long)lp->com->cur_tcp_count;
|
||||
}
|
||||
|
||||
if(reset && !worker->env.cfg->stat_cumulative) {
|
||||
@ -191,7 +192,7 @@ server_stats_compile(struct worker* worker, struct stats_info* s, int reset)
|
||||
}
|
||||
|
||||
void server_stats_obtain(struct worker* worker, struct worker* who,
|
||||
struct stats_info* s, int reset)
|
||||
struct ub_stats_info* s, int reset)
|
||||
{
|
||||
uint8_t *reply = NULL;
|
||||
uint32_t len = 0;
|
||||
@ -217,7 +218,7 @@ void server_stats_obtain(struct worker* worker, struct worker* who,
|
||||
|
||||
void server_stats_reply(struct worker* worker, int reset)
|
||||
{
|
||||
struct stats_info s;
|
||||
struct ub_stats_info s;
|
||||
server_stats_compile(worker, &s, reset);
|
||||
verbose(VERB_ALGO, "write stats replymsg");
|
||||
if(!tube_write_msg(worker->daemon->workers[0]->cmd,
|
||||
@ -225,7 +226,7 @@ void server_stats_reply(struct worker* worker, int reset)
|
||||
fatal_exit("could not write stat values over cmd channel");
|
||||
}
|
||||
|
||||
void server_stats_add(struct stats_info* total, struct stats_info* a)
|
||||
void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
|
||||
{
|
||||
total->svr.num_queries += a->svr.num_queries;
|
||||
total->svr.num_queries_ip_ratelimited += a->svr.num_queries_ip_ratelimited;
|
||||
@ -233,12 +234,12 @@ void server_stats_add(struct stats_info* total, struct stats_info* a)
|
||||
total->svr.num_queries_prefetch += a->svr.num_queries_prefetch;
|
||||
total->svr.sum_query_list_size += a->svr.sum_query_list_size;
|
||||
#ifdef USE_DNSCRYPT
|
||||
total->svr.num_query_dnscrypt_crypted += a->svr.num_query_dnscrypt_crypted;
|
||||
total->svr.num_query_dnscrypt_cert += a->svr.num_query_dnscrypt_cert;
|
||||
total->svr.num_query_dnscrypt_cleartext += \
|
||||
a->svr.num_query_dnscrypt_cleartext;
|
||||
total->svr.num_query_dnscrypt_crypted_malformed += \
|
||||
a->svr.num_query_dnscrypt_crypted_malformed;
|
||||
total->svr.num_query_dnscrypt_crypted += a->svr.num_query_dnscrypt_crypted;
|
||||
total->svr.num_query_dnscrypt_cert += a->svr.num_query_dnscrypt_cert;
|
||||
total->svr.num_query_dnscrypt_cleartext += \
|
||||
a->svr.num_query_dnscrypt_cleartext;
|
||||
total->svr.num_query_dnscrypt_crypted_malformed += \
|
||||
a->svr.num_query_dnscrypt_crypted_malformed;
|
||||
#endif
|
||||
/* the max size reached is upped to higher of both */
|
||||
if(a->svr.max_query_list_size > total->svr.max_query_list_size)
|
||||
@ -269,13 +270,13 @@ void server_stats_add(struct stats_info* total, struct stats_info* a)
|
||||
total->svr.unwanted_replies += a->svr.unwanted_replies;
|
||||
total->svr.unwanted_queries += a->svr.unwanted_queries;
|
||||
total->svr.tcp_accept_usage += a->svr.tcp_accept_usage;
|
||||
for(i=0; i<STATS_QTYPE_NUM; i++)
|
||||
for(i=0; i<UB_STATS_QTYPE_NUM; i++)
|
||||
total->svr.qtype[i] += a->svr.qtype[i];
|
||||
for(i=0; i<STATS_QCLASS_NUM; i++)
|
||||
for(i=0; i<UB_STATS_QCLASS_NUM; i++)
|
||||
total->svr.qclass[i] += a->svr.qclass[i];
|
||||
for(i=0; i<STATS_OPCODE_NUM; i++)
|
||||
for(i=0; i<UB_STATS_OPCODE_NUM; i++)
|
||||
total->svr.qopcode[i] += a->svr.qopcode[i];
|
||||
for(i=0; i<STATS_RCODE_NUM; i++)
|
||||
for(i=0; i<UB_STATS_RCODE_NUM; i++)
|
||||
total->svr.ans_rcode[i] += a->svr.ans_rcode[i];
|
||||
for(i=0; i<NUM_BUCKETS_HIST; i++)
|
||||
total->svr.hist[i] += a->svr.hist[i];
|
||||
@ -286,22 +287,22 @@ void server_stats_add(struct stats_info* total, struct stats_info* a)
|
||||
total->mesh_jostled += a->mesh_jostled;
|
||||
total->mesh_dropped += a->mesh_dropped;
|
||||
total->mesh_replies_sent += a->mesh_replies_sent;
|
||||
timeval_add(&total->mesh_replies_sum_wait, &a->mesh_replies_sum_wait);
|
||||
stats_timeval_add(&total->mesh_replies_sum_wait_sec, &total->mesh_replies_sum_wait_usec, a->mesh_replies_sum_wait_sec, a->mesh_replies_sum_wait_usec);
|
||||
/* the medians are averaged together, this is not as accurate as
|
||||
* taking the median over all of the data, but is good and fast
|
||||
* added up here, division later*/
|
||||
total->mesh_time_median += a->mesh_time_median;
|
||||
}
|
||||
|
||||
void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
|
||||
void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
|
||||
uint16_t qtype, uint16_t qclass, struct edns_data* edns,
|
||||
struct comm_reply* repinfo)
|
||||
{
|
||||
uint16_t flags = sldns_buffer_read_u16_at(c->buffer, 2);
|
||||
if(qtype < STATS_QTYPE_NUM)
|
||||
if(qtype < UB_STATS_QTYPE_NUM)
|
||||
stats->qtype[qtype]++;
|
||||
else stats->qtype_big++;
|
||||
if(qclass < STATS_QCLASS_NUM)
|
||||
if(qclass < UB_STATS_QCLASS_NUM)
|
||||
stats->qclass[qclass]++;
|
||||
else stats->qclass_big++;
|
||||
stats->qopcode[ LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) ]++;
|
||||
@ -332,7 +333,7 @@ void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
|
||||
}
|
||||
}
|
||||
|
||||
void server_stats_insrcode(struct server_stats* stats, sldns_buffer* buf)
|
||||
void server_stats_insrcode(struct ub_server_stats* stats, sldns_buffer* buf)
|
||||
{
|
||||
if(stats->extended && sldns_buffer_limit(buf) != 0) {
|
||||
int r = (int)LDNS_RCODE_WIRE( sldns_buffer_begin(buf) );
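Review bot: stats_timeval_add normalises the microsecond carry with `if((*d_usec) > 1000000)`, which leaves a sum of exactly 1000000 usec uncarried even though tv_usec-style values are expected in 0..999999; the test should be `if((*d_usec) >= 1000000)`. The off-by-one was inherited from the timeval_add it replaces, but since the function has been rewritten to long long arithmetic here it is the natural moment to fix it, and the sum feeds the recursion.time.avg output in remote.c where an unnormalised usec field would print as a malformed fraction rather than as a whole second. The remaining changes in this file, the explicit (long long) casts in server_stats_compile and the comparisons against max_query_list_size, look consistent with the new field types.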
|
||||
|
@ -43,7 +43,6 @@
|
||||
#ifndef DAEMON_STATS_H
|
||||
#define DAEMON_STATS_H
|
||||
#include "util/timehist.h"
|
||||
#include "dnscrypt/dnscrypt_config.h"
|
||||
struct worker;
|
||||
struct config_file;
|
||||
struct comm_point;
|
||||
@ -51,156 +50,24 @@ struct comm_reply;
|
||||
struct edns_data;
|
||||
struct sldns_buffer;
|
||||
|
||||
/** number of qtype that is stored for in array */
|
||||
#define STATS_QTYPE_NUM 256
|
||||
/** number of qclass that is stored for in array */
|
||||
#define STATS_QCLASS_NUM 256
|
||||
/** number of rcodes in stats */
|
||||
#define STATS_RCODE_NUM 16
|
||||
/** number of opcodes in stats */
|
||||
#define STATS_OPCODE_NUM 16
|
||||
|
||||
/** per worker statistics */
|
||||
struct server_stats {
|
||||
/** number of queries from clients received. */
|
||||
size_t num_queries;
|
||||
/** number of queries that have been dropped/ratelimited by ip. */
|
||||
size_t num_queries_ip_ratelimited;
|
||||
/** number of queries that had a cache-miss. */
|
||||
size_t num_queries_missed_cache;
|
||||
/** number of prefetch queries - cachehits with prefetch */
|
||||
size_t num_queries_prefetch;
|
||||
|
||||
/**
|
||||
* Sum of the querylistsize of the worker for
|
||||
* every query that missed cache. To calculate average.
|
||||
*/
|
||||
size_t sum_query_list_size;
|
||||
/** max value of query list size reached. */
|
||||
size_t max_query_list_size;
|
||||
|
||||
/** Extended stats below (bool) */
|
||||
int extended;
|
||||
|
||||
/** qtype stats */
|
||||
size_t qtype[STATS_QTYPE_NUM];
|
||||
/** bigger qtype values not in array */
|
||||
size_t qtype_big;
|
||||
/** qclass stats */
|
||||
size_t qclass[STATS_QCLASS_NUM];
|
||||
/** bigger qclass values not in array */
|
||||
size_t qclass_big;
|
||||
/** query opcodes */
|
||||
size_t qopcode[STATS_OPCODE_NUM];
|
||||
/** number of queries over TCP */
|
||||
size_t qtcp;
|
||||
/** number of outgoing queries over TCP */
|
||||
size_t qtcp_outgoing;
|
||||
/** number of queries over IPv6 */
|
||||
size_t qipv6;
|
||||
/** number of queries with QR bit */
|
||||
size_t qbit_QR;
|
||||
/** number of queries with AA bit */
|
||||
size_t qbit_AA;
|
||||
/** number of queries with TC bit */
|
||||
size_t qbit_TC;
|
||||
/** number of queries with RD bit */
|
||||
size_t qbit_RD;
|
||||
/** number of queries with RA bit */
|
||||
size_t qbit_RA;
|
||||
/** number of queries with Z bit */
|
||||
size_t qbit_Z;
|
||||
/** number of queries with AD bit */
|
||||
size_t qbit_AD;
|
||||
/** number of queries with CD bit */
|
||||
size_t qbit_CD;
|
||||
/** number of queries with EDNS OPT record */
|
||||
size_t qEDNS;
|
||||
/** number of queries with EDNS with DO flag */
|
||||
size_t qEDNS_DO;
|
||||
/** answer rcodes */
|
||||
size_t ans_rcode[STATS_RCODE_NUM];
|
||||
/** answers with pseudo rcode 'nodata' */
|
||||
size_t ans_rcode_nodata;
|
||||
/** answers that were secure (AD) */
|
||||
size_t ans_secure;
|
||||
/** answers that were bogus (withheld as SERVFAIL) */
|
||||
size_t ans_bogus;
|
||||
/** rrsets marked bogus by validator */
|
||||
size_t rrset_bogus;
|
||||
/** unwanted traffic received on server-facing ports */
|
||||
size_t unwanted_replies;
|
||||
/** unwanted traffic received on client-facing ports */
|
||||
size_t unwanted_queries;
|
||||
/** usage of tcp accept list */
|
||||
size_t tcp_accept_usage;
|
||||
/** answers served from expired cache */
|
||||
size_t zero_ttl_responses;
|
||||
/** histogram data exported to array
|
||||
* if the array is the same size, no data is lost, and
|
||||
* if all histograms are same size (is so by default) then
|
||||
* adding up works well. */
|
||||
size_t hist[NUM_BUCKETS_HIST];
|
||||
|
||||
/** number of message cache entries */
|
||||
size_t msg_cache_count;
|
||||
/** number of rrset cache entries */
|
||||
size_t rrset_cache_count;
|
||||
/** number of infra cache entries */
|
||||
size_t infra_cache_count;
|
||||
/** number of key cache entries */
|
||||
size_t key_cache_count;
|
||||
#ifdef USE_DNSCRYPT
|
||||
/** number of queries that used dnscrypt */
|
||||
size_t num_query_dnscrypt_crypted;
|
||||
/** number of queries that queried dnscrypt certificates */
|
||||
size_t num_query_dnscrypt_cert;
|
||||
/** number of queries in clear text and not asking for the certificates */
|
||||
size_t num_query_dnscrypt_cleartext;
|
||||
/** number of malformed encrypted queries */
|
||||
size_t num_query_dnscrypt_crypted_malformed;
|
||||
#endif
|
||||
};
|
||||
|
||||
/**
|
||||
* Statistics to send over the control pipe when asked
|
||||
* This struct is made to be memcpied, sent in binary.
|
||||
*/
|
||||
struct stats_info {
|
||||
/** the thread stats */
|
||||
struct server_stats svr;
|
||||
|
||||
/** mesh stats: current number of states */
|
||||
size_t mesh_num_states;
|
||||
/** mesh stats: current number of reply (user) states */
|
||||
size_t mesh_num_reply_states;
|
||||
/** mesh stats: number of reply states overwritten with a new one */
|
||||
size_t mesh_jostled;
|
||||
/** mesh stats: number of incoming queries dropped */
|
||||
size_t mesh_dropped;
|
||||
/** mesh stats: replies sent */
|
||||
size_t mesh_replies_sent;
|
||||
/** mesh stats: sum of waiting times for the replies */
|
||||
struct timeval mesh_replies_sum_wait;
|
||||
/** mesh stats: median of waiting times for replies (in sec) */
|
||||
double mesh_time_median;
|
||||
};
|
||||
/* stats struct */
|
||||
#include "libunbound/unbound.h"
|
||||
|
||||
/**
|
||||
* Initialize server stats to 0.
|
||||
* @param stats: what to init (this is alloced by the caller).
|
||||
* @param cfg: with extended statistics option.
|
||||
*/
|
||||
void server_stats_init(struct server_stats* stats, struct config_file* cfg);
|
||||
void server_stats_init(struct ub_server_stats* stats, struct config_file* cfg);
|
||||
|
||||
/** add query if it missed the cache */
|
||||
void server_stats_querymiss(struct server_stats* stats, struct worker* worker);
|
||||
void server_stats_querymiss(struct ub_server_stats* stats, struct worker* worker);
|
||||
|
||||
/** add query if was cached and also resulted in a prefetch */
|
||||
void server_stats_prefetch(struct server_stats* stats, struct worker* worker);
|
||||
void server_stats_prefetch(struct ub_server_stats* stats, struct worker* worker);
|
||||
|
||||
/** display the stats to the log */
|
||||
void server_stats_log(struct server_stats* stats, struct worker* worker,
|
||||
void server_stats_log(struct ub_server_stats* stats, struct worker* worker,
|
||||
int threadnum);
|
||||
|
||||
/**
|
||||
@ -211,7 +78,7 @@ void server_stats_log(struct server_stats* stats, struct worker* worker,
|
||||
* @param reset: if stats can be reset.
|
||||
*/
|
||||
void server_stats_obtain(struct worker* worker, struct worker* who,
|
||||
struct stats_info* s, int reset);
|
||||
struct ub_stats_info* s, int reset);
|
||||
|
||||
/**
|
||||
* Compile stats into structure for this thread worker.
|
||||
@ -221,7 +88,7 @@ void server_stats_obtain(struct worker* worker, struct worker* who,
|
||||
* @param reset: if true, depending on config stats are reset.
|
||||
* if false, statistics are not reset.
|
||||
*/
|
||||
void server_stats_compile(struct worker* worker, struct stats_info* s,
|
||||
void server_stats_compile(struct worker* worker, struct ub_stats_info* s,
|
||||
int reset);
|
||||
|
||||
/**
|
||||
@ -237,7 +104,7 @@ void server_stats_reply(struct worker* worker, int reset);
|
||||
* @param total: sum of the two entries.
|
||||
* @param a: to add to it.
|
||||
*/
|
||||
void server_stats_add(struct stats_info* total, struct stats_info* a);
|
||||
void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a);
|
||||
|
||||
/**
|
||||
* Add stats for this query
|
||||
@ -248,7 +115,7 @@ void server_stats_add(struct stats_info* total, struct stats_info* a);
|
||||
* @param edns: edns record
|
||||
* @param repinfo: reply info with remote address
|
||||
*/
|
||||
void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
|
||||
void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
|
||||
uint16_t qtype, uint16_t qclass, struct edns_data* edns,
|
||||
struct comm_reply* repinfo);
|
||||
|
||||
@ -257,6 +124,6 @@ void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
|
||||
* @param stats: the stats
|
||||
* @param buf: buffer with rcode. If buffer is length0: not counted.
|
||||
*/
|
||||
void server_stats_insrcode(struct server_stats* stats, struct sldns_buffer* buf);
void server_stats_insrcode(struct ub_server_stats* stats, struct sldns_buffer* buf);
#endif /* DAEMON_STATS_H */
@ -811,7 +811,9 @@ chaos_replystr(sldns_buffer* pkt, char** str, int num, struct edns_data* edns,
if(!inplace_cb_reply_local_call(&worker->env, NULL, NULL, NULL,
LDNS_RCODE_NOERROR, edns, worker->scratchpad))
edns->opt_list = NULL;
attach_edns_record(pkt, edns);
if(sldns_buffer_capacity(pkt) >=
sldns_buffer_limit(pkt)+calc_edns_field_size(edns))
attach_edns_record(pkt, edns);
}
/** Reply with one string */
@ -1014,43 +1016,48 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
return 0;
}
#ifdef USE_DNSCRYPT
repinfo->max_udp_size = worker->daemon->cfg->max_udp_size;
if(!dnsc_handle_curved_request(worker->daemon->dnscenv, repinfo)) {
worker->stats.num_query_dnscrypt_crypted_malformed++;
return 0;
}
if(c->dnscrypt && !repinfo->is_dnscrypted) {
char buf[LDNS_MAX_DOMAINLEN+1];
// Check if this is unencrypted and asking for certs
if(worker_check_request(c->buffer, worker) != 0) {
verbose(VERB_ALGO, "dnscrypt: worker check request: bad query.");
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
comm_point_drop_reply(repinfo);
return 0;
}
if(!query_info_parse(&qinfo, c->buffer)) {
verbose(VERB_ALGO, "dnscrypt: worker parse request: formerror.");
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
comm_point_drop_reply(repinfo);
return 0;
}
dname_str(qinfo.qname, buf);
if(!(qinfo.qtype == LDNS_RR_TYPE_TXT &&
strcasecmp(buf, worker->daemon->dnscenv->provider_name) == 0)) {
verbose(VERB_ALGO,
"dnscrypt: not TXT %s. Receive: %s %s",
worker->daemon->dnscenv->provider_name,
sldns_rr_descript(qinfo.qtype)->_name,
buf);
comm_point_drop_reply(repinfo);
worker->stats.num_query_dnscrypt_cleartext++;
return 0;
}
worker->stats.num_query_dnscrypt_cert++;
sldns_buffer_rewind(c->buffer);
} else if(c->dnscrypt && repinfo->is_dnscrypted) {
worker->stats.num_query_dnscrypt_crypted++;
}
repinfo->max_udp_size = worker->daemon->cfg->max_udp_size;
if(!dnsc_handle_curved_request(worker->daemon->dnscenv, repinfo)) {
worker->stats.num_query_dnscrypt_crypted_malformed++;
return 0;
}
if(c->dnscrypt && !repinfo->is_dnscrypted) {
char buf[LDNS_MAX_DOMAINLEN+1];
/* Check if this is unencrypted and asking for certs */
if(worker_check_request(c->buffer, worker) != 0) {
verbose(VERB_ALGO,
"dnscrypt: worker check request: bad query.");
log_addr(VERB_CLIENT,"from",&repinfo->addr,
repinfo->addrlen);
comm_point_drop_reply(repinfo);
return 0;
}
if(!query_info_parse(&qinfo, c->buffer)) {
verbose(VERB_ALGO,
"dnscrypt: worker parse request: formerror.");
log_addr(VERB_CLIENT, "from", &repinfo->addr,
repinfo->addrlen);
comm_point_drop_reply(repinfo);
return 0;
}
dname_str(qinfo.qname, buf);
if(!(qinfo.qtype == LDNS_RR_TYPE_TXT &&
strcasecmp(buf,
worker->daemon->dnscenv->provider_name) == 0)) {
verbose(VERB_ALGO,
"dnscrypt: not TXT %s. Receive: %s %s",
worker->daemon->dnscenv->provider_name,
sldns_rr_descript(qinfo.qtype)->_name,
buf);
comm_point_drop_reply(repinfo);
worker->stats.num_query_dnscrypt_cleartext++;
return 0;
}
worker->stats.num_query_dnscrypt_cert++;
sldns_buffer_rewind(c->buffer);
} else if(c->dnscrypt && repinfo->is_dnscrypted) {
worker->stats.num_query_dnscrypt_crypted++;
}
#endif
#ifdef USE_DNSTAP
if(worker->dtenv.log_client_query_messages)
@ -1182,7 +1189,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo,
*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
sldns_buffer_read_u16_at(c->buffer, 2), NULL);
attach_edns_record(c->buffer, &edns);
if(sldns_buffer_capacity(c->buffer) >=
sldns_buffer_limit(c->buffer)+calc_edns_field_size(&edns))
attach_edns_record(c->buffer, &edns);
regional_free_all(worker->scratchpad);
goto send_reply;
}
@ -1420,9 +1429,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
tv, 1, c->buffer);
}
#ifdef USE_DNSCRYPT
if(!dnsc_handle_uncurved_request(repinfo)) {
return 0;
}
if(!dnsc_handle_uncurved_request(repinfo)) {
return 0;
}
#endif
return rc;
}
@ -1664,6 +1673,7 @@ worker_init(struct worker* worker, struct config_file *cfg,
worker->env.mesh = mesh_create(&worker->daemon->mods, &worker->env);
worker->env.detach_subs = &mesh_detach_subs;
worker->env.attach_sub = &mesh_attach_sub;
worker->env.add_sub = &mesh_add_sub;
worker->env.kill_sub = &mesh_state_delete;
worker->env.detect_cycle = &mesh_detect_cycle;
worker->env.scratch_buffer = sldns_buffer_new(cfg->msg_buffer_size);
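Review bot: The guard `if(sldns_buffer_capacity(pkt) >= sldns_buffer_limit(pkt)+calc_edns_field_size(edns))` added in the @ -811,7 +811,9 hunk, and repeated in the @ -1182,7 +1189,9 hunk, silently omits the OPT record when it does not fit, and nothing at either site says so. On the BADVERS path this changes what the client sees: error_encode is given `EDNS_RCODE_BADVERS&0xf`, which is 0, so once the OPT record carrying the upper rcode bits is dropped the reply is a plain NOERROR with an empty answer rather than BADVERS. A comment such as `/* no room for OPT: reply goes out without EDNS (and, for BADVERS, without the extended rcode) */` at both guards would record the trade-off, and since the same three lines now appear twice a small static helper would keep them in step. The enclosing chaos_replystr and worker_handle_request both start and end outside these hunks.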
@ -116,7 +116,7 @@ struct worker {
/** allocation cache for this thread */
struct alloc_cache alloc;
/** per thread statistics */
struct server_stats stats;
struct ub_server_stats stats;
/** thread scratch regional */
struct regional* scratchpad;
@ -20,12 +20,12 @@ struct SignedCert {
uint8_t version_minor[2];
// Signed Content
uint8_t signed_content[64];
uint8_t server_publickey[crypto_box_PUBLICKEYBYTES];
uint8_t magic_query[8];
uint8_t serial[4];
uint8_t ts_begin[4];
uint8_t ts_end[4];
uint8_t end[64];
};
@ -15,6 +15,7 @@
#include "dnscrypt/cert.h"
#include "dnscrypt/dnscrypt.h"
#include "dnscrypt/dnscrypt_config.h"
#include <ctype.h>
@ -35,18 +36,18 @@
(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES + crypto_box_HALF_NONCEBYTES)
/**
* Decrypt a query using the keypair that was found using dnsc_find_keypair.
* Decrypt a query using the dnsccert that was found using dnsc_find_cert.
* The client nonce will be extracted from the encrypted query and stored in
* client_nonce, a shared secret will be computed and stored in nmkey and the
* buffer will be decrypted inplace.
* \param[in] keypair the keypair that matches this encrypted query.
* \param[in] cert the cert that matches this encrypted query.
* \param[in] client_nonce where the client nonce will be stored.
* \param[in] nmkey where the shared secret key will be written.
* \param[in] buffer the encrypted buffer.
* \return 0 on success.
*/
static int
dnscrypt_server_uncurve(const KeyPair *keypair,
dnscrypt_server_uncurve(const dnsccert *cert,
uint8_t client_nonce[crypto_box_HALF_NONCEBYTES],
uint8_t nmkey[crypto_box_BEFORENMBYTES],
struct sldns_buffer* buffer)
@ -62,25 +63,48 @@ dnscrypt_server_uncurve(const KeyPair *keypair,
query_header = (struct dnscrypt_query_header *)buf;
memcpy(nmkey, query_header->publickey, crypto_box_PUBLICKEYBYTES);
if (crypto_box_beforenm(nmkey, nmkey, keypair->crypt_secretkey) != 0) {
if(cert->es_version[1] == 2) {
#ifdef USE_DNSCRYPT_XCHACHA20
if (crypto_box_curve25519xchacha20poly1305_beforenm(
nmkey, nmkey, cert->keypair->crypt_secretkey) != 0) {
return -1;
}
#else
return -1;
#endif
} else {
if (crypto_box_beforenm(nmkey, nmkey, cert->keypair->crypt_secretkey) != 0) {
return -1;
}
}
memcpy(nonce, query_header->nonce, crypto_box_HALF_NONCEBYTES);
memset(nonce + crypto_box_HALF_NONCEBYTES, 0, crypto_box_HALF_NONCEBYTES);
sldns_buffer_set_at(buffer,
DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
0, crypto_box_BOXZEROBYTES);
if (crypto_box_open_afternm
(buf + DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
buf + DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
len - DNSCRYPT_QUERY_BOX_OFFSET + crypto_box_BOXZEROBYTES, nonce,
nmkey) != 0) {
if(cert->es_version[1] == 2) {
#ifdef USE_DNSCRYPT_XCHACHA20
if (crypto_box_curve25519xchacha20poly1305_open_easy_afternm
(buf,
buf + DNSCRYPT_QUERY_BOX_OFFSET,
len - DNSCRYPT_QUERY_BOX_OFFSET, nonce,
nmkey) != 0) {
return -1;
}
#else
return -1;
#endif
} else {
if (crypto_box_open_easy_afternm
(buf,
buf + DNSCRYPT_QUERY_BOX_OFFSET,
len - DNSCRYPT_QUERY_BOX_OFFSET, nonce,
nmkey) != 0) {
return -1;
}
}
len -= DNSCRYPT_QUERY_HEADER_SIZE;
while (*sldns_buffer_at(buffer, --len) == 0)
;
@ -89,12 +113,9 @@ dnscrypt_server_uncurve(const KeyPair *keypair,
}
memcpy(client_nonce, nonce, crypto_box_HALF_NONCEBYTES);
memmove(sldns_buffer_begin(buffer),
sldns_buffer_at(buffer, DNSCRYPT_QUERY_HEADER_SIZE),
len - DNSCRYPT_QUERY_HEADER_SIZE);
sldns_buffer_set_position(buffer, 0);
sldns_buffer_set_limit(buffer, len - DNSCRYPT_QUERY_HEADER_SIZE);
sldns_buffer_set_limit(buffer, len);
return 0;
}
@ -182,10 +203,10 @@ add_server_nonce(uint8_t *nonce)
}
/**
* Encrypt a reply using the keypair that was used with the query.
* Encrypt a reply using the dnsccert that was used with the query.
* The client nonce will be extracted from the encrypted query and stored in
* The buffer will be encrypted inplace.
* \param[in] keypair the keypair that matches this encrypted query.
* \param[in] cert the dnsccert that matches this encrypted query.
* \param[in] client_nonce client nonce used during the query
* \param[in] nmkey shared secret key used during the query.
* \param[in] buffer the buffer where to encrypt the reply.
@ -194,7 +215,7 @@ add_server_nonce(uint8_t *nonce)
* \return 0 on success.
*/
static int
dnscrypt_server_curve(const KeyPair *keypair,
dnscrypt_server_curve(const dnsccert *cert,
uint8_t client_nonce[crypto_box_HALF_NONCEBYTES],
uint8_t nmkey[crypto_box_BEFORENMBYTES],
struct sldns_buffer* buffer,
@ -223,7 +244,7 @@ dnscrypt_server_curve(const KeyPair *keypair,
memmove(boxed + crypto_box_MACBYTES, buf, len);
len = dnscrypt_pad(boxed + crypto_box_MACBYTES, len,
max_len - DNSCRYPT_REPLY_HEADER_SIZE, nonce,
keypair->crypt_secretkey);
cert->keypair->crypt_secretkey);
sldns_buffer_set_at(buffer,
DNSCRYPT_REPLY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
0, crypto_box_ZEROBYTES);
@ -231,10 +252,20 @@ dnscrypt_server_curve(const KeyPair *keypair,
// add server nonce extension
add_server_nonce(nonce);
if (crypto_box_afternm
(boxed - crypto_box_BOXZEROBYTES, boxed - crypto_box_BOXZEROBYTES,
len + crypto_box_ZEROBYTES, nonce, nmkey) != 0) {
if(cert->es_version[1] == 2) {
#ifdef USE_DNSCRYPT_XCHACHA20
if (crypto_box_curve25519xchacha20poly1305_easy_afternm
(boxed, boxed + crypto_box_MACBYTES, len, nonce, nmkey) != 0) {
return -1;
}
#else
return -1;
#endif
} else {
if (crypto_box_easy_afternm
(boxed, boxed + crypto_box_MACBYTES, len, nonce, nmkey) != 0) {
return -1;
}
}
sldns_buffer_write_at(buffer, 0, DNSCRYPT_MAGIC_RESPONSE, DNSCRYPT_MAGIC_HEADER_LEN);
@ -266,6 +297,25 @@ dnsc_read_from_file(char *fname, char *buf, size_t count)
return 0;
}
/**
* Given an absolute path on the original root, returns the absolute path
* within the chroot. If chroot is disabled, the path is not modified.
* No char * is malloced so there is no need to free this.
* \param[in] cfg the configuration.
* \param[in] path the path from the original root.
* \return the path from inside the chroot.
*/
static char *
dnsc_chroot_path(struct config_file *cfg, char *path)
{
char *nm;
nm = path;
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
nm += strlen(cfg->chrootdir);
return nm;
}
/**
* Parse certificates files provided by the configuration and load them into
* dnsc_env.
@ -278,6 +328,7 @@ dnsc_parse_certs(struct dnsc_env *env, struct config_file *cfg)
{
struct config_strlist *head;
size_t signed_cert_id;
char *nm;
env->signed_certs_count = 0U;
for (head = cfg->dnscrypt_provider_cert; head; head = head->next) {
@ -288,8 +339,9 @@ dnsc_parse_certs(struct dnsc_env *env, struct config_file *cfg)
signed_cert_id = 0U;
for(head = cfg->dnscrypt_provider_cert; head; head = head->next, signed_cert_id++) {
nm = dnsc_chroot_path(cfg, head->str);
if(dnsc_read_from_file(
head->str,
nm,
(char *)(env->signed_certs + signed_cert_id),
sizeof(struct SignedCert)) != 0) {
fatal_exit("dnsc_parse_certs: failed to load %s: %s", head->str, strerror(errno));
@ -326,16 +378,17 @@ dnsc_key_to_fingerprint(char fingerprint[80U], const uint8_t * const key)
}
/**
* Find the keypair matching a DNSCrypt query.
* \param[in] dnscenv The DNSCrypt enviroment, which contains the list of keys
* Find the cert matching a DNSCrypt query.
* \param[in] dnscenv The DNSCrypt enviroment, which contains the list of certs
* supported by the server.
* \param[in] buffer The encrypted DNS query.
* \return a KeyPair * if we found a key pair matching the query, NULL otherwise.
* \return a dnsccert * if we found a cert matching the magic_number of the
* query, NULL otherwise.
*/
static const KeyPair *
dnsc_find_keypair(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
static const dnsccert *
dnsc_find_cert(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
{
const KeyPair *keypairs = dnscenv->keypairs;
const dnsccert *certs = dnscenv->certs;
struct dnscrypt_query_header *dnscrypt_header;
size_t i;
@ -343,10 +396,10 @@ dnsc_find_keypair(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
return NULL;
}
dnscrypt_header = (struct dnscrypt_query_header *)sldns_buffer_begin(buffer);
for (i = 0U; i < dnscenv->keypairs_count; i++) {
if (memcmp(keypairs[i].crypt_publickey, dnscrypt_header->magic_query,
for (i = 0U; i < dnscenv->signed_certs_count; i++) {
if (memcmp(certs[i].magic_query, dnscrypt_header->magic_query,
DNSCRYPT_MAGIC_HEADER_LEN) == 0) {
return &keypairs[i];
return &certs[i];
}
}
return NULL;
@ -404,9 +457,33 @@ dnsc_load_local_data(struct dnsc_env* dnscenv, struct config_file *cfg)
return dnscenv->signed_certs_count;
}
static const char *
key_get_es_version(uint8_t version[2])
{
struct es_version {
uint8_t es_version[2];
const char *name;
};
struct es_version es_versions[] = {
{{0x00, 0x01}, "X25519-XSalsa20Poly1305"},
{{0x00, 0x02}, "X25519-XChacha20Poly1305"},
};
int i;
for(i=0; i < (int)sizeof(es_versions); i++){
if(es_versions[i].es_version[0] == version[0] &&
es_versions[i].es_version[1] == version[1]){
return es_versions[i].name;
}
}
return NULL;
}
/**
* Parse the secret key files from `dnscrypt-secret-key` config and populates
* a list of secret/public keys supported by dnscrypt listener.
* a list of dnsccert with es_version, magic number and secret/public keys
* supported by dnscrypt listener.
* \param[in] env The dnsc_env structure which will hold the keypairs.
* \param[in] cfg The config with the secret key file paths.
*/
@ -414,33 +491,76 @@ static int
dnsc_parse_keys(struct dnsc_env *env, struct config_file *cfg)
{
struct config_strlist *head;
size_t keypair_id;
size_t cert_id, keypair_id;
size_t c;
char *nm;
env->keypairs_count = 0U;
for (head = cfg->dnscrypt_secret_key; head; head = head->next) {
env->keypairs_count++;
}
env->keypairs = sodium_allocarray(env->keypairs_count,
sizeof *env->keypairs);
env->keypairs = sodium_allocarray(env->keypairs_count,
sizeof *env->keypairs);
env->certs = sodium_allocarray(env->signed_certs_count,
sizeof *env->certs);
cert_id = 0U;
keypair_id = 0U;
for(head = cfg->dnscrypt_secret_key; head; head = head->next, keypair_id++) {
char fingerprint[80];
int found_cert = 0;
KeyPair *current_keypair = &env->keypairs[keypair_id];
nm = dnsc_chroot_path(cfg, head->str);
if(dnsc_read_from_file(
head->str,
(char *)(env->keypairs[keypair_id].crypt_secretkey),
nm,
(char *)(current_keypair->crypt_secretkey),
crypto_box_SECRETKEYBYTES) != 0) {
fatal_exit("dnsc_parse_keys: failed to load %s: %s", head->str, strerror(errno));
}
verbose(VERB_OPS, "Loaded key %s", head->str);
if (crypto_scalarmult_base(env->keypairs[keypair_id].crypt_publickey,
env->keypairs[keypair_id].crypt_secretkey) != 0) {
if (crypto_scalarmult_base(current_keypair->crypt_publickey,
current_keypair->crypt_secretkey) != 0) {
fatal_exit("dnsc_parse_keys: could not generate public key from %s", head->str);
}
dnsc_key_to_fingerprint(fingerprint, env->keypairs[keypair_id].crypt_publickey);
dnsc_key_to_fingerprint(fingerprint, current_keypair->crypt_publickey);
verbose(VERB_OPS, "Crypt public key fingerprint for %s: %s", head->str, fingerprint);
// find the cert matching this key
for(c = 0; c < env->signed_certs_count; c++) {
if(memcmp(current_keypair->crypt_publickey,
env->signed_certs[c].server_publickey,
crypto_box_PUBLICKEYBYTES) == 0) {
dnsccert *current_cert = &env->certs[cert_id++];
found_cert = 1;
current_cert->keypair = current_keypair;
memcpy(current_cert->magic_query,
env->signed_certs[c].magic_query,
sizeof env->signed_certs[c].magic_query);
memcpy(current_cert->es_version,
env->signed_certs[c].version_major,
sizeof env->signed_certs[c].version_major
);
dnsc_key_to_fingerprint(fingerprint,
current_cert->keypair->crypt_publickey);
verbose(VERB_OPS, "Crypt public key fingerprint for %s: %s",
head->str, fingerprint);
verbose(VERB_OPS, "Using %s",
key_get_es_version(current_cert->es_version));
#ifndef USE_DNSCRYPT_XCHACHA20
if (current_cert->es_version[1] == 0x02) {
fatal_exit("Certificate for XChacha20 but libsodium does not support it.");
}
#endif
}
}
if (!found_cert) {
fatal_exit("dnsc_parse_keys: could not match certificate for key "
"%s. Unable to determine ES version.",
head->str);
}
}
return keypair_id;
return cert_id;
}
@ -463,8 +583,8 @@ dnsc_handle_curved_request(struct dnsc_env* dnscenv,
// Attempt to decrypt the query. If it is not crypted, we may still need
// to serve the certificate.
verbose(VERB_ALGO, "handle request called on DNSCrypt socket");
if ((repinfo->keypair = dnsc_find_keypair(dnscenv, c->buffer)) != NULL) {
if(dnscrypt_server_uncurve(repinfo->keypair,
if ((repinfo->dnsc_cert = dnsc_find_cert(dnscenv, c->buffer)) != NULL) {
if(dnscrypt_server_uncurve(repinfo->dnsc_cert,
repinfo->client_nonce,
repinfo->nmkey,
c->buffer) != 0){
@ -488,7 +608,7 @@ dnsc_handle_uncurved_request(struct comm_reply *repinfo)
if(!repinfo->is_dnscrypted) {
return 1;
}
if(dnscrypt_server_curve(repinfo->keypair,
if(dnscrypt_server_curve(repinfo->dnsc_cert,
repinfo->client_nonce,
repinfo->nmkey,
repinfo->c->dnscrypt_buffer,
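Review bot: In key_get_es_version (hunk @ -404,9 +457,33) the loop bound `(int)sizeof(es_versions)` is the size of the table in bytes, not its element count, so for any version pair other than the two listed the loop walks past the end of the array before returning NULL; write it as `for(i = 0; i < (int)(sizeof(es_versions)/sizeof(es_versions[0])); i++)`, and have dnsc_parse_keys check the result before passing it to `verbose(VERB_OPS, "Using %s", ...)`, since a NULL there is undefined behaviour. In dnscrypt_server_uncurve (hunk @ -62,25 +63,48) the padding scan `while (*sldns_buffer_at(buffer, --len) == 0)` has no lower bound: the decrypted payload is client-chosen, so an all-zero payload wraps len and the scan reads before the start of the buffer; `while (len > 0 && *sldns_buffer_at(buffer, --len) == 0)` lets the padding-byte test that presumably follows (outside the hunk) reject it instead. dnsc_find_cert (hunk @ -343,10 +396,10) iterates `signed_certs_count` entries of env->certs, but dnsc_parse_keys fills only `cert_id` of them — a certificate with no configured key leaves its slot untouched, and sodium_allocarray does not zero-fill — so the magic_query comparison can run over uninitialised entries; storing cert_id in env and looping over that, or clearing the array after allocation, closes the gap. In the other direction, two secret-key files holding the same key make every certificate match twice and `&env->certs[cert_id++]` then writes past the allocation, so the inner loop wants `cert_id < env->signed_certs_count` checked before indexing.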
@ -44,8 +44,15 @@ typedef struct KeyPair_ {
uint8_t crypt_secretkey[crypto_box_SECRETKEYBYTES];
} KeyPair;
typedef struct cert_ {
uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
uint8_t es_version[2];
KeyPair *keypair;
} dnsccert;
struct dnsc_env {
struct SignedCert *signed_certs;
dnsccert *certs;
size_t signed_certs_count;
uint8_t provider_publickey[crypto_sign_ed25519_PUBLICKEYBYTES];
uint8_t provider_secretkey[crypto_sign_ed25519_SECRETKEYBYTES];
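Review bot: The new dnsccert typedef (hunk @ -44,8 +44,15) lands without field documentation, and the ownership of `KeyPair *keypair` is the point a reader needs: it aliases an entry of dnsc_env::keypairs and must never be freed through the cert. A short block above the typedef, e.g. `/** A certificate as matched to a key: client magic from the signed cert, the es_version (major) bytes, and a non-owning pointer into dnsc_env::keypairs. */`, would cover it. struct dnsc_env gains `certs` but no count field to go with it; the populated length is the return value of dnsc_parse_keys, which is not stored, so readers have to fall back on signed_certs_count, and the two agree only when every certificate has a matching configured key. Adding `size_t certs_count;` beside `certs`, documented as `/** number of valid entries in certs, set by dnsc_parse_keys */`, would make the array self-describing.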
@ -18,8 +18,19 @@ AC_DEFUN([dnsc_DNSCRYPT],
])
AC_SEARCH_LIBS([sodium_init], [sodium], [],
AC_MSG_ERROR([The sodium library was not found. Please install sodium!]))
AC_SEARCH_LIBS([crypto_box_curve25519xchacha20poly1305_beforenm], [sodium],
[
AC_SUBST([ENABLE_DNSCRYPT_XCHACHA20], [1])
AC_DEFINE(
[USE_DNSCRYPT_XCHACHA20], [1],
[Define to 1 to enable dnscrypt with xchacha20 support])
],
[
AC_SUBST([ENABLE_DNSCRYPT_XCHACHA20], [0])
])
$1
else
AC_SUBST([ENABLE_DNSCRYPT_XCHACHA20], [0])
$2
fi
])
@ -1,12 +1,198 @@
22 June 2017: Wouter
- Tag 1.6.4rc2
22 June 2017: Ralph
- Added fastrpz patch to contrib
21 June 2017: Wouter
- Fix #1316: heap read buffer overflow in parse_edns_options.
20 June 2017: Wouter
- Fix warning in pythonmod under clang compiler.
- Tag 1.6.4rc1
- Fix lintian typo.
16 June 2017: Ralph
- Fix #1277: disable domain ratelimit by setting value to 0.
16 June 2017: Wouter
- Fix #1301: memory leak in respip and tests.
- Free callback in edns-subnetmod on exit and restart.
- Fix memory leak in sldns_buffer_new_frm_data.
- Fix memory leak in dnscrypt config read.
- Fix dnscrypt chacha cert support ifdefs.
- Fix dnscrypt chacha cert unit test escapes in grep.
- Remove asynclook tests that cause test and purifier problems.
- Fix to unlock view in view test.
15 June 2017: Wouter
- Fix stub zone queries leaking to the internet for
harden-referral-path ns checks.
- Fix query for refetch_glue of stub leaking to internet.
13 June 2017: Wouter
- Fix #1279: Memory leak on reload when python module is enabled.
- Fix #1280: Unbound fails assert when response from authoritative
contains malformed qname. When 0x20 caps-for-id is enabled, when
assertions are not enabled the malformed qname is handled correctly.
- tag for 1.6.3
- 1.6.3 tag created, with only #1280 fix, trunk is 1.6.4 development.
- More fixes in depth for buffer checks in 0x20 qname checks.
12 June 2017: Wouter
- Fix #1278: Incomplete wildcard proof.
8 June 2017: Ralph
- Added domain name based ECS whitelist.
8 June 2017: Wouter
- Detect chacha for dnscrypt at configure time.
- dnscrypt unit tests with chacha.
7 June 2017: Wouter
- Fix that unbound-control can set val_clean_additional and val_permissive_mode.
- Add dnscrypt XChaCha20 tests.
6 June 2017: Wouter
- Add an explicit type cast for TCP FASTOPEN fix.
- renumbering B-Root's IPv6 address to 2001:500:200::b.
- Fix #1275: cached data in cachedb is never used.
- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
1 June 2017: Ralph
- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
(from Manu Bretelle).
1 June 2017: Wouter
- Fix fastopen EPIPE fallthrough to perform connect.
31 May 2017: Ralph
- Also use global local-zones when there is a matching view that does
not have any local-zone specified.
31 May 2017: Wouter
- Fix #1273: cachedb.c doesn't compile with -Wextra.
- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
30 May 2017: Ralph
- Fix #1269: inconsistent use of built-in local zones with views.
- Add defaults for new local-zone trees added to views using
unbound-control.
30 May 2017: Wouter
- Support for openssl EVP_DigestVerify.
- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
29 May 2017: Wouter
- Fix assertion for low buffer size and big edns payload when worker
overrides udpsize.
26 May 2017: Ralph
- Added redirect-bogus.patch to contrib directory.
26 May 2017: Wouter
- Fix #1270: unitauth.c doesn't compile with higher warning level
and optimization
- exec_prefix is by default equal to prefix.
- printout localzone for duplicate local-zone warnings.
24 May 2017: Wouter
- authzone cname chain, no rrset duplicates, wildcard doesn't change
rrsets added for cname chain.
23 May 2017: Wouter
- first services/authzone check in, it compiles and reads and writes
zonefiles.
- iana portlist update
22 May 2017: Wouter
- Fix #1268: SIGSEGV after log_reopen.
18 May 2017: Wouter
- Fix #1265 to use /bin/kill.
- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
and compatibility with BoringSSL.
17 May 2017: Wouter
- Fix #1265: contrib/unbound.service contains hardcoded path.
17 May 2017: George
- Use qstate's region for IPSECKEY rrset (ipsecmod).
16 May 2017: George
- Implemented opportunistic IPsec support module (ipsecmod).
- Some whitespace fixup.
16 May 2017: Wouter
- updated dependencies in the makefile.
- document trust-anchor-signaling in example config file.
- updated configure, dependencies and flex output.
- better module memory lookup, fix of unbound-control shm names for
module memory printout of statistics.
- Fix type AVC sldns rrdef.
12 May 2017: Wouter
- Adjust servfail by iterator to not store in cache when serve-expired
is enabled, to avoid overwriting useful information there.
- Fix queries for nameservers under a stub leaking to the internet.
9 May 2017: Ralph
- Add 'c' to getopt() in testbound.
- iana portlist update
8 May 2017: Wouter
- Fix tcp-mss failure printout text.
- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
connect limited tcp connections. With the option tcp connections
can share the same source port (for different destinations).
2 May 2017: Ralph
- Added mesh_add_sub to add detached mesh entries.
- Use mesh_add_sub for key tag signaling query.
2 May 2017: Wouter
- Added test for leak of stub information.
- Fix sldns wire2str printout of RR type CAA tags.
- Fix sldns int16_data parse.
- Fix sldns parse and printout of TSIG RRs.
- sldns SMIMEA and AVC definitions, same as getdns definitions.
1 May 2017: Wouter
- Fix #1259: "--disable-ecdsa" argument overwritten
by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
- iana portlist update
- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
and fix that 64bit getting installed in C:\Program Files (x86).
26 April 2017: Ralph
- Implemented trust anchor signaling using key tag query.
26 April 2017: Wouter
- Based on #1257: check parse limit before t increment in sldns RR
string parse routine.
24 April 2017: Wouter
- unbound-checkconf -o allows query of dnstap config variables.
Also unbound-control get_option. Also for dnscrypt.
- trunk contains 1.6.3 version number (changes from 1.6.2 back from
when the 1.6.2rc1 tag has been created).
21 April 2017: Ralph
- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
- iana portlist update
18 April 2017: Ralph
- Fix #1252: more indentation inconsistencies.
- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
13 April 2017: Ralph
- Added ECS unit test (from Manu Bretelle).
- ECS documentation fix (from Manu Bretelle).
13 April 2017: Wouter
- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
- tag for 1.6.2rc1
- (for 1.6.3:) unbound.h exports the shm stats structures. They use
type long long and no ifdefs, and ub_ before the typenames.
12 April 2017: Wouter
- subnet mem value is available in shm, also when not enabled,
@ -243,7 +429,7 @@
|
||||
- Fix #1184: Log DNS replies. This includes the same logging
information that DNS queries and response code and response size,
patch from Larissa Feng.
- Fix #1185: Source IP rate limiting, patch from Larissa Feng.
- Fix #1187: Source IP rate limiting, patch from Larissa Feng.
3 January 2017: Wouter
- configure --enable-systemd and lets unbound use systemd sockets if
@ -1,4 +1,4 @@
README for Unbound 1.6.3
README for Unbound 1.6.4
Copyright 2007 NLnet Labs
http://unbound.net
@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.6.3.
# See unbound.conf(5) man page, version 1.6.4.
#
# this is a comment.
@ -448,6 +448,9 @@ server:
# and under the terms of our LICENSE (see that file in the source).
# auto-trust-anchor-file: "/var/unbound/root.key"
# trust anchor signaling sends a RFC8145 key tag query after priming.
# trust-anchor-signaling: no
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
# DLV is going to be decommissioned. Please do not use it any more.
@ -698,6 +701,34 @@ server:
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10
# Specific options for ipsecmod. unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
#
# Enable or disable ipsecmod (it still needs to be defined in
# module-config above). Can be used when ipsecmod needs to be
# enabled/disabled via remote-control(below).
# ipsecmod-enabled: yes
#
# Path to executable external hook. It must be defined when ipsecmod is
# listed in module-config (above).
# ipsecmod-hook: "./my_executable"
#
# When enabled unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0.
# ipsecmod-strict: no
#
# Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY.
# ipsecmod-max-ttl: 3600
#
# Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for
# testing.
# ipsecmod-ignore-bogus: no
#
# Domains for which ipsecmod will be triggered. If not defined (default)
# all domains are treated as being whitelisted.
# ipsecmod-whitelist: "example.com"
# ipsecmod-whitelist: "nlnetlabs.nl"
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
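Review bot: The example value `ipsecmod-hook: "./my_executable"` shows the hook with a relative path, although the daemon executes this file and, with `ipsecmod-strict`, lets its exit status decide whether clients get SERVFAIL; a relative path is resolved against whatever working directory (and, presumably, chroot) unbound ends up in, which is easy to get wrong silently. Suggest an absolute example and a one-line ownership note, e.g. `# Use an absolute path; the hook runs with the daemon's privileges, so it must not be writable by unprivileged users.` followed by `# ipsecmod-hook: "/usr/local/sbin/my_executable"`. The same hunk appears a second time further down in the other copy of this example config and would take the identical change. How the hook path interacts with `chroot:` is not visible in this commit, so the chroot remark is inferred from the `directory:`/`chroot:` documentation elsewhere in it.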
@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.6.3.
# See unbound.conf(5) man page, version 1.6.4.
#
# this is a comment.
@ -448,6 +448,9 @@ server:
# and under the terms of our LICENSE (see that file in the source).
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
# trust anchor signaling sends a RFC8145 key tag query after priming.
# trust-anchor-signaling: no
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
# DLV is going to be decommissioned. Please do not use it any more.
@ -698,6 +701,34 @@ server:
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10
# Specific options for ipsecmod. unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
#
# Enable or disable ipsecmod (it still needs to be defined in
# module-config above). Can be used when ipsecmod needs to be
# enabled/disabled via remote-control(below).
# ipsecmod-enabled: yes
#
# Path to executable external hook. It must be defined when ipsecmod is
# listed in module-config (above).
# ipsecmod-hook: "./my_executable"
#
# When enabled unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0.
# ipsecmod-strict: no
#
# Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY.
# ipsecmod-max-ttl: 3600
#
# Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for
# testing.
# ipsecmod-ignore-bogus: no
#
# Domains for which ipsecmod will be triggered. If not defined (default)
# all domains are treated as being whitelisted.
# ipsecmod-whitelist: "example.com"
# ipsecmod-whitelist: "nlnetlabs.nl"
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
@ -1,4 +1,4 @@
.TH "libunbound" "3" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "libunbound" "3" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.6.3 functions.
\- Unbound DNS validating resolver 1.6.4 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
@ -1,4 +1,4 @@
.TH "libunbound" "3" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "libunbound" "3" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.6.3 functions.
\- Unbound DNS validating resolver 1.6.4 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "unbound-anchor" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "unbound-anchor" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "unbound-checkconf" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "unbound-checkconf" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "unbound-control" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "unbound-control" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "unbound\-host" "1" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "unbound\-host" "1" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
@ -1,4 +1,4 @@
.TH "unbound" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "unbound" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.6.3.
\- Unbound DNS validating resolver 1.6.4.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
@ -1,4 +1,4 @@
.TH "unbound" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "unbound" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.6.3.
\- Unbound DNS validating resolver 1.6.4.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "unbound.conf" "5" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -16,13 +16,14 @@
.B unbound.conf
is used to configure
\fIunbound\fR(8).
The file format has attributes and values. Some attributes have attributes inside them.
The file format has attributes and values. Some attributes have attributes
inside them.
The notation is: attribute: value.
.P
Comments start with # and last to the end of line. Empty lines are
ignored as is whitespace at the beginning of a line.
.P
The utility
The utility
\fIunbound\-checkconf\fR(8)
can be used to check unbound.conf prior to usage.
.SH "EXAMPLE"
@ -30,7 +31,7 @@ An example config file is shown below. Copy this to /etc/unbound/unbound.conf
and start the server with:
.P
.nf
$ unbound \-c /etc/unbound/unbound.conf
$ unbound \-c /etc/unbound/unbound.conf
.fi
.P
Most settings are the defaults. Stop the server with:
@ -62,8 +63,8 @@ server:
access\-control: 2001:DB8::/64 allow
.fi
.SH "FILE FORMAT"
There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
is followed by its containing attributes, or a value.
There must be whitespace between keywords. Attribute keywords end with a colon ':'.
An attribute is followed by its containing attributes, or a value.
.P
Files can be included using the
.B include:
@ -71,7 +72,7 @@ directive. It can appear anywhere, it accepts a single file name as argument.
Processing continues as if the text from the included file was copied into
the config file at that point. If also using chroot, using full path names
for the included files works, relative pathnames for the included names work
if the directory where the daemon is started equals its chroot/working
if the directory where the daemon is started equals its chroot/working
directory or is specified before the include statement with directory: dir.
Wildcards can be used to include multiple files, see \fIglob\fR(7).
.SS "Server Options"
@ -80,17 +81,17 @@ These options are part of the
clause.
.TP
.B verbosity: \fI<number>
The verbosity number, level 0 means no verbosity, only errors. Level 1
The verbosity number, level 0 means no verbosity, only errors. Level 1
gives operational information. Level 2 gives detailed operational
information. Level 3 gives query level information, output per query.
Level 4 gives algorithm level information. Level 5 logs client
identification for cache misses. Default is level 1.
information. Level 3 gives query level information, output per query.
Level 4 gives algorithm level information. Level 5 logs client
identification for cache misses. Default is level 1.
The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
.TP
.B statistics\-interval: \fI<seconds>
The number of seconds between printing statistics to the log for every thread.
Disable with value 0 or "". Default is disabled. The histogram statistics
are only printed if replies were sent during the statistics interval,
are only printed if replies were sent during the statistics interval,
requestlist statistics are printed for every interval (but can be 0).
This is because the median calculation requires data to be present.
.TP
@ -99,7 +100,7 @@ If enabled, statistics are cumulative since starting unbound, without clearing
the statistics counters after logging the statistics. Default is no.
.TP
.B extended\-statistics: \fI<yes or no>
If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
Default is off, because keeping track of more statistics takes time. The
counters are listed in \fIunbound\-control\fR(8).
.TP
@ -112,7 +113,7 @@ The port number, default 53, on which the server responds to queries.
.B interface: \fI<ip address[@port]>
Interface to use to connect to the network. This interface is listened to
for queries from clients, and answers to clients are given from it.
Can be given multiple times to work on several interfaces. If none are
Can be given multiple times to work on several interfaces. If none are
given the default is to listen to localhost.
The interfaces are not changed on a reload (kill \-HUP) but only on restart.
A port number can be specified with @port (without spaces between
@ -123,19 +124,19 @@ interface and port number), if not specified the default port (from
Same as interface: (for easy of compatibility with nsd.conf).
.TP
.B interface\-automatic: \fI<yes or no>
Detect source interface on UDP queries and copy them to replies. This
Detect source interface on UDP queries and copy them to replies. This
feature is experimental, and needs support in your OS for particular socket
options. Default value is no.
.TP
.B outgoing\-interface: \fI<ip address or ip6 netblock>
Interface to use to connect to the network. This interface is used to send
queries to authoritative servers and receive their replies. Can be given
multiple times to work on several interfaces. If none are given the
default (all) is used. You can specify the same interfaces in
queries to authoritative servers and receive their replies. Can be given
multiple times to work on several interfaces. If none are given the
default (all) is used. You can specify the same interfaces in
.B interface:
and
.B outgoing\-interface:
lines, the interfaces are then used for both purposes. Outgoing queries are
lines, the interfaces are then used for both purposes. Outgoing queries are
sent via a random outgoing interface to counter spoofing.
.IP
If an IPv6 netblock is specified instead of an individual IPv6 address,
@ -155,26 +156,26 @@ ip \-6 addr add mynetblock/64 dev lo &&
ip \-6 route add local mynetblock/64 dev lo
.TP
.B outgoing\-range: \fI<number>
Number of ports to open. This number of file descriptors can be opened per
thread. Must be at least 1. Default depends on compile options. Larger
Number of ports to open. This number of file descriptors can be opened per
thread. Must be at least 1. Default depends on compile options. Larger
numbers need extra resources from the operating system. For performance a
very large value is best, use libevent to make this possible.
.TP
.B outgoing\-port\-permit: \fI<port number or range>
Permit unbound to open this port or range of ports for use to send queries.
A larger number of permitted outgoing ports increases resilience against
spoofing attempts. Make sure these ports are not needed by other daemons.
spoofing attempts. Make sure these ports are not needed by other daemons.
By default only ports above 1024 that have not been assigned by IANA are used.
Give a port number or a range of the form "low\-high", without spaces.
.IP
The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
are processed in the line order of the config file, adding the permitted ports
and subtracting the avoided ports from the set of allowed ports. The
processing starts with the non IANA allocated ports above 1024 in the set
The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
are processed in the line order of the config file, adding the permitted ports
and subtracting the avoided ports from the set of allowed ports. The
processing starts with the non IANA allocated ports above 1024 in the set
of allowed ports.
.TP
.B outgoing\-port\-avoid: \fI<port number or range>
Do not permit unbound to open this port or range of ports for use to send
Do not permit unbound to open this port or range of ports for use to send
queries. Use this to make sure unbound does not grab a port that another
daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
By default only ports above 1024 that have not been assigned by IANA are used.
@ -204,13 +205,13 @@ consider tuning the outgoing tcp number).
.B max\-udp\-size: \fI<number>
Maximum UDP response size (not applied to TCP response). 65536 disables the
udp response size maximum, and uses the choice from the client, always.
Suggested values are 512 to 4096. Default is 4096.
Suggested values are 512 to 4096. Default is 4096.
.TP
.B msg\-buffer\-size: \fI<number>
Number of bytes size of the message buffers. Default is 65552 bytes, enough
for 64 Kb packets, the maximum DNS message size. No message larger than this
can be sent or received. Can be reduced to use less memory, but some requests
for DNS data, such as for huge resource records, will result in a SERVFAIL
for DNS data, such as for huge resource records, will result in a SERVFAIL
reply to the client.
.TP
.B msg\-cache\-size: \fI<number>
@ -220,7 +221,7 @@ or gigabytes (1024*1024 bytes in a megabyte).
.TP
.B msg\-cache\-slabs: \fI<number>
Number of slabs in the message cache. Slabs reduce lock contention by threads.
Must be set to a power of 2. Setting (close) to the number of cpus is a
Must be set to a power of 2. Setting (close) to the number of cpus is a
reasonable guess.
.TP
.B num\-queries\-per\-thread: \fI<number>
@ -232,12 +233,12 @@ the existing queries. Default depends on compile options, 512 or 1024.
.TP
.B jostle\-timeout: \fI<msec>
Timeout used when the server is very busy. Set to a value that usually
results in one roundtrip to the authority servers. If too many queries
results in one roundtrip to the authority servers. If too many queries
arrive, then 50% of the queries are allowed to run to completion, and
the other 50% are replaced with the new incoming query if they have already
spent more than their allowed time. This protects against denial of
the other 50% are replaced with the new incoming query if they have already
spent more than their allowed time. This protects against denial of
service by slow queries or high query rates. Default 200 milliseconds.
The effect is that the qps for long-lasting queries is about
The effect is that the qps for long-lasting queries is about
(numqueriesperthread / 2) / (average time for such long queries) qps.
The qps for short queries can be about (numqueriesperthread / 2)
/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
@ -308,12 +309,12 @@ or gigabytes (1024*1024 bytes in a megabyte).
.TP
.B rrset\-cache\-slabs: \fI<number>
Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
Must be set to a power of 2.
Must be set to a power of 2.
.TP
.B cache\-max\-ttl: \fI<seconds>
Time to live maximum for RRsets and messages in the cache. Default is
86400 seconds (1 day). If the maximum kicks in, responses to clients
still get decrementing TTLs based on the original (larger) values.
Time to live maximum for RRsets and messages in the cache. Default is
86400 seconds (1 day). If the maximum kicks in, responses to clients
still get decrementing TTLs based on the original (larger) values.
When the internal TTL expires, the cache item has expired.
Can be set lower to force the resolver to query for data often, and not
trust (very large) TTL values.
@ -323,7 +324,7 @@ Time to live minimum for RRsets and messages in the cache. Default is 0.
If the minimum kicks in, the data is cached for longer than the domain
owner intended, and thus less queries are made to look up the data.
Zero makes sure the data in the cache is as the domain owner intended,
higher values, especially more than an hour or so, can lead to trouble as
higher values, especially more than an hour or so, can lead to trouble as
the data in the cache does not match up with the actual data any more.
.TP
.B cache\-max\-negative\-ttl: \fI<seconds>
@ -331,12 +332,12 @@ Time to live maximum for negative responses, these have a SOA in the
authority section that is limited in time. Default is 3600.
.TP
.B infra\-host\-ttl: \fI<seconds>
Time to live for entries in the host cache. The host cache contains
Time to live for entries in the host cache. The host cache contains
roundtrip timing, lameness and EDNS support information. Default is 900.
.TP
.B infra\-cache\-slabs: \fI<number>
Number of slabs in the infrastructure cache. Slabs reduce lock contention
by threads. Must be set to a power of 2.
Number of slabs in the infrastructure cache. Slabs reduce lock contention
by threads. Must be set to a power of 2.
.TP
.B infra\-cache\-numhosts: \fI<number>
Number of hosts for which information is cached. Default is 10000.
@ -372,7 +373,7 @@ Enable or disable whether TCP queries are answered or issued. Default is yes.
.TP
.B tcp\-mss: \fI<number>
Maximum segment size (MSS) of TCP socket on which the server responds
to queries. Value lower than common MSS on Ethernet
to queries. Value lower than common MSS on Ethernet
(1220 for example) will address path MTU problem.
Note that not all platform supports socket option to set MSS (TCP_MAXSEG).
Default is system default MSS determined by interface MTU and
@ -393,7 +394,8 @@ Default is no. Useful in tunneling scenarios.
.B ssl\-upstream: \fI<yes or no>
Enabled or disable whether the upstream queries use SSL only for transport.
Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR).
TCP wireformat. The other server must support this (see
\fBssl\-service\-key\fR).
.TP
.B ssl\-service-key: \fI<file>
If enabled, the server provider SSL service on its TCP sockets. The clients
@ -423,37 +425,37 @@ a daemon. Set the value to \fIno\fR when unbound runs as systemd service.
Default is yes.
.TP
.B access\-control: \fI<IP netblock> <action>
The netblock is given as an IP4 or IP6 address with /size appended for a
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
The netblock is given as an IP4 or IP6 address with /size appended for a
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
The most specific netblock match is used, if none match \fIdeny\fR is used.
.IP
The action \fIdeny\fR stops queries from hosts from that netblock.
.IP
The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
error message back.
.IP
The action \fIallow\fR gives access to clients from that netblock.
It gives only access for recursion clients (which is
The action \fIallow\fR gives access to clients from that netblock.
It gives only access for recursion clients (which is
what almost all clients need). Nonrecursive queries are refused.
.IP
The \fIallow\fR action does allow nonrecursive queries to access the
The \fIallow\fR action does allow nonrecursive queries to access the
local\-data that is configured. The reason is that this does not involve
the unbound server recursive lookup algorithm, and static data is served
in the reply. This supports normal operations where nonrecursive queries
are made for the authoritative data. For nonrecursive queries any replies
the unbound server recursive lookup algorithm, and static data is served
in the reply. This supports normal operations where nonrecursive queries
are made for the authoritative data. For nonrecursive queries any replies
from the dynamic cache are refused.
.IP
The action \fIallow_snoop\fR gives nonrecursive access too. This give
both recursive and non recursive access. The name \fIallow_snoop\fR refers
The action \fIallow_snoop\fR gives nonrecursive access too. This give
both recursive and non recursive access. The name \fIallow_snoop\fR refers
to cache snooping, a technique to use nonrecursive queries to examine
the cache contents (for malicious acts). However, nonrecursive queries can
also be a valuable debugging tool (when you want to examine the cache
the cache contents (for malicious acts). However, nonrecursive queries can
also be a valuable debugging tool (when you want to examine the cache
contents). In that case use \fIallow_snoop\fR for your administration host.
.IP
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
protocol is not designed to handle dropped packets due to policy, and
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
protocol is not designed to handle dropped packets due to policy, and
dropping may result in (possibly excessive) retried queries.
.IP
The deny_non_local and refuse_non_local settings are for hosts that are
@ -485,8 +487,8 @@ Set view for given access control element.
.B chroot: \fI<directory>
If chroot is enabled, you should pass the configfile (from the
commandline) as a full path from the original root. After the
chroot has been performed the now defunct portion of the config
file path is removed to be able to reread the config after a reload.
chroot has been performed the now defunct portion of the config
file path is removed to be able to reread the config after a reload.
.IP
All other file paths (working dir, logfile, roothints, and
key files) can be specified in several ways:
@ -497,22 +499,22 @@ In the last case the path is adjusted to remove the unused portion.
.IP
The pidfile can be either a relative path to the working directory, or
an absolute path relative to the original root. It is written just prior
to chroot and dropping permissions. This allows the pidfile to be
to chroot and dropping permissions. This allows the pidfile to be
/var/run/unbound.pid and the chroot to be /var/unbound, for example.
.IP
Additionally, unbound may need to access /dev/random (for entropy)
from inside the chroot.
.IP
If given a chroot is done to the given directory. The default is
If given a chroot is done to the given directory. The default is
"/var/unbound". If you give "" no chroot is performed.
.TP
.B username: \fI<name>
If given, after binding the port the user privileges are dropped. Default is
"unbound". If you give username: "" no user change is performed.
"unbound". If you give username: "" no user change is performed.
.IP
If this user is not capable of binding the
port, reloads (by signal HUP) will still retain the opened ports.
If you change the port number in the config file, and that new port number
If you change the port number in the config file, and that new port number
requires privileges, then a reload will fail; a restart is needed.
.TP
.B directory: \fI<directory>
@ -524,17 +526,17 @@ then those includes can be relative to the working directory.
.TP
.B logfile: \fI<filename>
If "" is given, logging goes to stderr, or nowhere once daemonized.
The logfile is appended to, in the following format:
The logfile is appended to, in the following format:
.nf
[seconds since 1970] unbound[pid:tid]: type: message.
[seconds since 1970] unbound[pid:tid]: type: message.
.fi
If this option is given, the use\-syslog is option is set to "no".
The logfile is reopened (for append) when the config file is reread, on
The logfile is reopened (for append) when the config file is reread, on
SIGHUP.
.TP
.B use\-syslog: \fI<yes or no>
Sets unbound to send log messages to the syslogd, using
\fIsyslog\fR(3).
Sets unbound to send log messages to the syslogd, using
\fIsyslog\fR(3).
The log facility LOG_DAEMON is used, with identity "unbound".
The logfile setting is overridden when use\-syslog is turned on.
The default is to log to syslog.
@ -565,20 +567,20 @@ lines which makes the server (significantly) slower. Odd (nonprintable)
characters in names are printed as '?'.
.TP
.B pidfile: \fI<filename>
The process id is written to the file. Default is "/var/unbound/unbound.pid".
The process id is written to the file. Default is "/var/unbound/unbound.pid".
So,
.nf
kill \-HUP `cat /var/unbound/unbound.pid`
kill \-HUP `cat /var/unbound/unbound.pid`
.fi
triggers a reload,
.nf
kill \-TERM `cat /var/unbound/unbound.pid`
kill \-TERM `cat /var/unbound/unbound.pid`
.fi
gracefully terminates.
.TP
.B root\-hints: \fI<filename>
Read the root hints from this file. Default is nothing, using builtin hints
for the IN class. The file has the format of zone files, with root
for the IN class. The file has the format of zone files, with root
nameserver names and addresses only. The default may become outdated,
when servers change, therefore it is good practice to use a root\-hints file.
.TP
@ -602,22 +604,22 @@ If enabled trustanchor.unbound queries are refused.
.B target\-fetch\-policy: \fI<"list of numbers">
Set the target fetch policy used by unbound to determine if it should fetch
nameserver target addresses opportunistically. The policy is described per
dependency depth.
dependency depth.
.IP
The number of values determines the maximum dependency depth
that unbound will pursue in answering a query.
that unbound will pursue in answering a query.
A value of \-1 means to fetch all targets opportunistically for that dependency
depth. A value of 0 means to fetch on demand only. A positive value fetches
that many targets opportunistically.
that many targets opportunistically.
.IP
Enclose the list between quotes ("") and put spaces between numbers.
The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
rumoured to be closer to that of BIND 8.
.TP
.B harden\-short\-bufsize: \fI<yes or no>
Very small EDNS buffer sizes from queries are ignored. Default is off, since
it is legal protocol wise to send these, and unbound tries to give very
it is legal protocol wise to send these, and unbound tries to give very
small answers to these queries, where possible.
.TP
.B harden\-large\-queries: \fI<yes or no>
@ -631,11 +633,11 @@ Will trust glue only if it is within the servers authority. Default is on.
|
||||
.B harden\-dnssec\-stripped: \fI<yes or no>
|
||||
Require DNSSEC data for trust\-anchored zones, if such data is absent,
|
||||
the zone becomes bogus. If turned off, and no DNSSEC data is received
|
||||
(or the DNSKEY data fails to validate), then the zone is made insecure,
|
||||
this behaves like there is no trust anchor. You could turn this off if
|
||||
you are sometimes behind an intrusive firewall (of some sort) that
|
||||
removes DNSSEC data from packets, or a zone changes from signed to
|
||||
unsigned to badly signed often. If turned off you run the risk of a
|
||||
(or the DNSKEY data fails to validate), then the zone is made insecure,
|
||||
this behaves like there is no trust anchor. You could turn this off if
|
||||
you are sometimes behind an intrusive firewall (of some sort) that
|
||||
removes DNSSEC data from packets, or a zone changes from signed to
|
||||
unsigned to badly signed often. If turned off you run the risk of a
|
||||
downgrade attack that disables security for a zone. Default is on.
|
||||
.TP
|
||||
.B harden\-below\-nxdomain: \fI<yes or no>
|
||||
@ -653,7 +655,7 @@ The nxdomain must be secure, this means nsec3 with optout is insufficient.
|
||||
Harden the referral path by performing additional queries for
|
||||
infrastructure data. Validates the replies if trust anchors are configured
|
||||
and the zones are signed. This enforces DNSSEC validation on nameserver
|
||||
NS sets and the nameserver addresses that are encountered on the referral
|
||||
NS sets and the nameserver addresses that are encountered on the referral
|
||||
path to the answer.
|
||||
Default off, because it burdens the authority servers, and it is
|
||||
not RFC standard, and could lead to performance problems because of the
|
||||
@ -670,9 +672,9 @@ this option off avoids that validation failure.
|
||||
.TP
|
||||
.B use\-caps\-for\-id: \fI<yes or no>
|
||||
Use 0x20\-encoded random bits in the query to foil spoof attempts.
|
||||
This perturbs the lowercase and uppercase of query names sent to
|
||||
authority servers and checks if the reply still has the correct casing.
|
||||
Disabled by default.
|
||||
This perturbs the lowercase and uppercase of query names sent to
|
||||
authority servers and checks if the reply still has the correct casing.
|
||||
Disabled by default.
|
||||
This feature is an experimental implementation of draft dns\-0x20.
|
||||
.TP
|
||||
.B caps\-whitelist: \fI<domain>
|
||||
@ -683,7 +685,7 @@ Can be given multiple times, for different domains.
|
||||
.TP
|
||||
.B qname\-minimisation: \fI<yes or no>
|
||||
Send minimum amount of information to upstream servers to enhance privacy.
|
||||
Only sent minimum required labels of the QNAME and set QTYPE to NS when
|
||||
Only sent minimum required labels of the QNAME and set QTYPE to NS when
|
||||
possible. Best effort approach; full QNAME and original QTYPE will be sent when
|
||||
upstream replies with a RCODE other than NOERROR, except when receiving
|
||||
NXDOMAIN from a DNSSEC signed zone. Default is off.
|
||||
@ -715,7 +717,7 @@ stops IPv4-mapped IPv6 addresses from bypassing the filter.
|
||||
.TP
|
||||
.B private\-domain: \fI<domain name>
|
||||
Allow this domain, and all its subdomains to contain private addresses.
|
||||
Give multiple times to allow multiple domain names to contain private
|
||||
Give multiple times to allow multiple domain names to contain private
|
||||
addresses. Default is none.
|
||||
.TP
|
||||
.B unwanted\-reply\-threshold: \fI<number>
|
||||
@ -726,7 +728,7 @@ message caches, hopefully flushing away any poison. A value of 10 million
|
||||
is suggested. Default is 0 (turned off).
|
||||
.TP
|
||||
.B do\-not\-query\-address: \fI<IP address>
|
||||
Do not query the given IP address. Can be IP4 or IP6. Append /num to
|
||||
Do not query the given IP address. Can be IP4 or IP6. Append /num to
|
||||
indicate a classless delegation netblock, for example like
|
||||
10.2.3.4/24 or 2001::11/64.
|
||||
.TP
|
||||
@ -793,17 +795,20 @@ A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
|
||||
given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
|
||||
The resource record is entered in the same format as 'dig' or 'drill' prints
|
||||
them, the same format as in the zone file. Has to be on a single line, with
|
||||
"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
|
||||
"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
|
||||
A class can be specified, but class IN is default.
|
||||
.TP
|
||||
.B trusted\-keys\-file: \fI<filename>
|
||||
File with trusted keys for validation. Specify more than one file
|
||||
with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
|
||||
but has a different file format. Format is BIND\-9 style format,
|
||||
but has a different file format. Format is BIND\-9 style format,
|
||||
the trusted\-keys { name flag proto algo "key"; }; clauses are read.
|
||||
It is possible to use wildcards with this statement, the wildcard is
|
||||
expanded on start and on reload.
|
||||
.TP
|
||||
.B trust\-anchor\-signaling: \fI<yes or no>
|
||||
Send RFC8145 key tag query after trust anchor priming. Default is off.
|
||||
.TP
|
||||
.B dlv\-anchor\-file: \fI<filename>
|
||||
This option was used during early days DNSSEC deployment when no parent-side
|
||||
DS record registrations were easily available. Nowadays, it is best to have
|
||||
@ -811,9 +816,9 @@ DS records registered with the parent zone (many top level zones are signed).
|
||||
File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
|
||||
DNSKEY entries can be used in the file, in the same format as for
|
||||
\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
|
||||
would be slow. The DLV configured is used as a root trusted DLV, this
|
||||
means that it is a lookaside for the root. Default is "", or no dlv anchor file.
|
||||
DLV is going to be decommissioned. Please do not use it any more.
|
||||
would be slow. The DLV configured is used as a root trusted DLV, this
|
||||
means that it is a lookaside for the root. Default is "", or no dlv anchor
|
||||
file. DLV is going to be decommissioned. Please do not use it any more.
|
||||
.TP
|
||||
.B dlv\-anchor: \fI<"Resource Record">
|
||||
Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
|
||||
@ -825,17 +830,17 @@ the domain name. So a trust anchor above the domain name can not make the
|
||||
domain secure with a DS record, such a DS record is then ignored.
|
||||
Also keys from DLV are ignored for the domain. Can be given multiple times
|
||||
to specify multiple domains that are treated as if unsigned. If you set
|
||||
trust anchors for the domain they override this setting (and the domain
|
||||
trust anchors for the domain they override this setting (and the domain
|
||||
is secured).
|
||||
.IP
|
||||
This can be useful if you want to make sure a trust anchor for external
|
||||
lookups does not affect an (unsigned) internal domain. A DS record
|
||||
lookups does not affect an (unsigned) internal domain. A DS record
|
||||
externally can create validation failures for that internal domain.
|
||||
.TP
|
||||
.B val\-override\-date: \fI<rrsig\-style date spec>
|
||||
Default is "" or "0", which disables this debugging feature. If enabled by
|
||||
giving a RRSIG style date, that date is used for verifying RRSIG inception
|
||||
and expiration dates, instead of the current date. Do not set this unless
|
||||
and expiration dates, instead of the current date. Do not set this unless
|
||||
you are debugging signature inception and expiration. The value \-1 ignores
|
||||
the date altogether, useful for some special applications.
|
||||
.TP
|
||||
@ -865,7 +870,7 @@ The time interval prevents repeated revalidation of bogus data.
|
||||
Instruct the validator to remove data from the additional section of secure
|
||||
messages that are not signed properly. Messages that are insecure, bogus,
|
||||
indeterminate or unchecked are not affected. Default is yes. Use this setting
|
||||
to protect the users that rely on this validator for authentication from
|
||||
to protect the users that rely on this validator for authentication from
|
||||
potentially bad data in the additional section.
|
||||
.TP
|
||||
.B val\-log\-level: \fI<number>
|
||||
@ -880,10 +885,10 @@ it was wrong and which server sent the faulty data.
|
||||
.B val\-permissive\-mode: \fI<yes or no>
|
||||
Instruct the validator to mark bogus messages as indeterminate. The security
|
||||
checks are performed, but if the result is bogus (failed security), the
|
||||
reply is not withheld from the client with SERVFAIL as usual. The client
|
||||
receives the bogus data. For messages that are found to be secure the AD bit
|
||||
reply is not withheld from the client with SERVFAIL as usual. The client
|
||||
receives the bogus data. For messages that are found to be secure the AD bit
|
||||
is set in replies. Also logging is performed as for full validation.
|
||||
The default value is "no".
|
||||
The default value is "no".
|
||||
.TP
|
||||
.B ignore\-cd\-flag: \fI<yes or no>
|
||||
Instruct unbound to ignore the CD flag from clients and refuse to
|
||||
@ -903,7 +908,7 @@ List of keysize and iteration count values, separated by spaces, surrounded
|
||||
by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
|
||||
maximum allowed NSEC3 iteration count before a message is simply marked
|
||||
insecure instead of performing the many hashing iterations. The list must
|
||||
be in ascending order and have at least one entry. If you set it to
|
||||
be in ascending order and have at least one entry. If you set it to
|
||||
"1024 65535" there is no restriction to NSEC3 iteration values.
|
||||
This table must be kept short; a very long list could cause slower operation.
|
||||
.TP
|
||||
@ -938,7 +943,7 @@ or gigabytes (1024*1024 bytes in a megabyte).
|
||||
.TP
|
||||
.B key\-cache\-slabs: \fI<number>
|
||||
Number of slabs in the key cache. Slabs reduce lock contention by threads.
|
||||
Must be set to a power of 2. Setting (close) to the number of cpus is a
|
||||
Must be set to a power of 2. Setting (close) to the number of cpus is a
|
||||
reasonable guess.
|
||||
.TP
|
||||
.B neg\-cache\-size: \fI<number>
|
||||
@ -989,7 +994,7 @@ Otherwise, the query is answered with nodata or nxdomain.
|
||||
For a negative answer a SOA is included in the answer if present
|
||||
as local\-data for the zone apex domain.
|
||||
.TP 10
|
||||
\h'5'\fItransparent\fR
|
||||
\h'5'\fItransparent\fR
|
||||
If there is a match from local data, the query is answered.
|
||||
Otherwise if the query has a different name, the query is resolved normally.
|
||||
If the query is for a name given in localdata but no such type of data is
|
||||
@ -997,49 +1002,49 @@ given in localdata, then a noerror nodata answer is returned.
|
||||
If no local\-zone is given local\-data causes a transparent zone
|
||||
to be created by default.
|
||||
.TP 10
|
||||
\h'5'\fItypetransparent\fR
|
||||
\h'5'\fItypetransparent\fR
|
||||
If there is a match from local data, the query is answered. If the query
|
||||
is for a different name, or for the same name but for a different type,
|
||||
the query is resolved normally. So, similar to transparent but types
|
||||
that are not listed in local data are resolved normally, so if an A record
|
||||
is in the local data that does not cause a nodata reply for AAAA queries.
|
||||
.TP 10
|
||||
\h'5'\fIredirect\fR
|
||||
\h'5'\fIredirect\fR
|
||||
The query is answered from the local data for the zone name.
|
||||
There may be no local data beneath the zone name.
|
||||
This answers queries for the zone, and all subdomains of the zone
|
||||
with the local data for the zone.
|
||||
It can be used to redirect a domain to return a different address record
|
||||
to the end user, with
|
||||
local\-zone: "example.com." redirect and
|
||||
to the end user, with
|
||||
local\-zone: "example.com." redirect and
|
||||
local\-data: "example.com. A 127.0.0.1"
|
||||
queries for www.example.com and www.foo.example.com are redirected, so
|
||||
that users with web browsers cannot access sites with suffix example.com.
|
||||
.TP 10
|
||||
\h'5'\fIinform\fR
|
||||
\h'5'\fIinform\fR
|
||||
The query is answered normally, same as transparent. The client IP
|
||||
address (@portnumber) is printed to the logfile. The log message is:
|
||||
timestamp, unbound-pid, info: zonename inform IP@port queryname type
|
||||
class. This option can be used for normal resolution, but machines
|
||||
looking up infected names are logged, eg. to run antivirus on them.
|
||||
.TP 10
|
||||
\h'5'\fIinform_deny\fR
|
||||
\h'5'\fIinform_deny\fR
|
||||
The query is dropped, like 'deny', and logged, like 'inform'. Ie. find
|
||||
infected machines without answering the queries.
|
||||
.TP 10
|
||||
\h'5'\fIalways_transparent\fR
|
||||
\h'5'\fIalways_transparent\fR
|
||||
Like transparent, but ignores local data and resolves normally.
|
||||
.TP 10
|
||||
\h'5'\fIalways_refuse\fR
|
||||
\h'5'\fIalways_refuse\fR
|
||||
Like refuse, but ignores local data and refuses the query.
|
||||
.TP 10
|
||||
\h'5'\fIalways_nxdomain\fR
|
||||
\h'5'\fIalways_nxdomain\fR
|
||||
Like static, but ignores local data and returns nxdomain for the query.
|
||||
.TP 10
|
||||
\h'5'\fInodefault\fR
|
||||
\h'5'\fInodefault\fR
|
||||
Used to turn off default contents for AS112 zones. The other types
|
||||
also turn off default contents for the zone. The 'nodefault' option
|
||||
has no other effect than turning off default contents for the
|
||||
also turn off default contents for the zone. The 'nodefault' option
|
||||
has no other effect than turning off default contents for the
|
||||
given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
|
||||
use a subzone, use \fItransparent\fR.
|
||||
.P
|
||||
@ -1048,71 +1053,71 @@ the AS112 zones. The AS112 zones are reverse DNS zones for private use and
|
||||
reserved IP addresses for which the servers on the internet cannot provide
|
||||
correct answers. They are configured by default to give nxdomain (no reverse
|
||||
information) answers. The defaults can be turned off by specifying your
|
||||
own local\-zone of that name, or using the 'nodefault' type. Below is a
|
||||
own local\-zone of that name, or using the 'nodefault' type. Below is a
|
||||
list of the default zone contents.
|
||||
.TP 10
|
||||
\h'5'\fIlocalhost\fR
|
||||
\h'5'\fIlocalhost\fR
|
||||
The IP4 and IP6 localhost information is given. NS and SOA records are provided
|
||||
for completeness and to satisfy some DNS update tools. Default content:
|
||||
.nf
|
||||
local\-zone: "localhost." static
|
||||
local\-data: "localhost. 10800 IN NS localhost."
|
||||
local\-data: "localhost. 10800 IN
|
||||
local\-data: "localhost. 10800 IN
|
||||
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
|
||||
local\-data: "localhost. 10800 IN A 127.0.0.1"
|
||||
local\-data: "localhost. 10800 IN AAAA ::1"
|
||||
.fi
|
||||
.TP 10
|
||||
\h'5'\fIreverse IPv4 loopback\fR
|
||||
\h'5'\fIreverse IPv4 loopback\fR
|
||||
Default content:
|
||||
.nf
|
||||
local\-zone: "127.in\-addr.arpa." static
|
||||
local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
|
||||
local\-data: "127.in\-addr.arpa. 10800 IN
|
||||
local\-data: "127.in\-addr.arpa. 10800 IN
|
||||
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
|
||||
local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
|
||||
local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
|
||||
PTR localhost."
|
||||
.fi
|
||||
.TP 10
|
||||
\h'5'\fIreverse IPv6 loopback\fR
|
||||
\h'5'\fIreverse IPv6 loopback\fR
|
||||
Default content:
|
||||
.nf
|
||||
local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
|
||||
local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
|
||||
NS localhost."
|
||||
local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
|
||||
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
|
||||
local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
|
||||
PTR localhost."
|
||||
.fi
|
||||
.TP 10
|
||||
\h'5'\fIonion (RFC 7686)\fR
|
||||
\h'5'\fIonion (RFC 7686)\fR
|
||||
Default content:
|
||||
.nf
|
||||
local\-zone: "onion." static
|
||||
local\-data: "onion. 10800 IN NS localhost."
|
||||
local\-data: "onion. 10800 IN
|
||||
local\-data: "onion. 10800 IN
|
||||
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
|
||||
.fi
|
||||
.TP 10
|
||||
\h'5'\fIreverse RFC1918 local use zones\fR
|
||||
Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
|
||||
\h'5'\fIreverse RFC1918 local use zones\fR
|
||||
Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
|
||||
31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
|
||||
The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
|
||||
The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
|
||||
records are provided.
|
||||
.TP 10
|
||||
\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
|
||||
Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
|
||||
\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
|
||||
Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
|
||||
2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
|
||||
113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
|
||||
And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
|
||||
.TP 10
|
||||
\h'5'\fIreverse RFC4291 IP6 unspecified\fR
|
||||
Reverse data for zone
|
||||
Reverse data for zone
|
||||
.nf
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
|
||||
@ -1137,11 +1142,11 @@ This also works with the other default zones.
|
||||
.TP 5
|
||||
.B local\-data: \fI"<resource record string>"
|
||||
Configure local data, which is served in reply to queries for it.
|
||||
The query has to match exactly unless you configure the local\-zone as
|
||||
The query has to match exactly unless you configure the local\-zone as
|
||||
redirect. If not matched exactly, the local\-zone type determines
|
||||
further processing. If local\-data is configured that is not a subdomain of
|
||||
a local\-zone, a transparent local\-zone is configured.
|
||||
For record types such as TXT, use single quotes, as in
|
||||
a local\-zone, a transparent local\-zone is configured.
|
||||
For record types such as TXT, use single quotes, as in
|
||||
local\-data: 'example. TXT "text"'.
|
||||
.IP
|
||||
If you need more complicated authoritative data, with referrals, wildcards,
|
||||
@ -1160,7 +1165,7 @@ used access-control element has a matching tag. Tags must be defined in
|
||||
tags.
|
||||
.TP 5
|
||||
.B local\-zone\-override: \fI<zone> <IP netblock> <type>
|
||||
Override the localzone type for queries from addresses matching netblock.
|
||||
Override the localzone type for queries from addresses matching netblock.
|
||||
Use this localzone type, regardless the type configured for the local-zone
|
||||
(both tagged and untagged) and regardless the type configured using
|
||||
access\-control\-tag\-action.
|
||||
@ -1197,18 +1202,20 @@ This can make ordinary queries complete (if repeatedly queried for),
|
||||
and enter the cache, whilst also mitigating the traffic flow by the
|
||||
factor given.
|
||||
.TP 5
|
||||
.B ratelimit\-for\-domain: \fI<domain> <number qps>
|
||||
.B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
|
||||
Override the global ratelimit for an exact match domain name with the listed
|
||||
number. You can give this for any number of names. For example, for
|
||||
a top\-level\-domain you may want to have a higher limit than other names.
|
||||
A value of 0 will disable ratelimiting for that domain.
|
||||
.TP 5
|
||||
.B ratelimit\-below\-domain: \fI<domain> <number qps>
|
||||
.B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
|
||||
Override the global ratelimit for a domain name that ends in this name.
|
||||
You can give this multiple times, it then describes different settings
|
||||
in different parts of the namespace. The closest matching suffix is used
|
||||
to determine the qps limit. The rate for the exact matching domain name
|
||||
is not changed, use ratelimit\-for\-domain to set that, you might want
|
||||
to use different settings for a top\-level\-domain and subdomains.
|
||||
A value of 0 will disable ratelimiting for domain names that end in this name.
|
||||
.TP 5
|
||||
.B ip\-ratelimit: \fI<number or 0>
|
||||
Enable global ratelimiting of queries accepted per ip address.
|
||||
@ -1304,21 +1311,21 @@ the recursive processing itself for stub zones.
|
||||
.P
|
||||
The stub zone can be used to configure authoritative data to be used
|
||||
by the resolver that cannot be accessed using the public internet servers.
|
||||
This is useful for company\-local data or private zones. Setup an
|
||||
authoritative server on a different host (or different port). Enter a config
|
||||
entry for unbound with
|
||||
This is useful for company\-local data or private zones. Setup an
|
||||
authoritative server on a different host (or different port). Enter a config
|
||||
entry for unbound with
|
||||
.B stub\-addr:
|
||||
<ip address of host[@port]>.
|
||||
The unbound resolver can then access the data, without referring to the
|
||||
public internet for it.
|
||||
<ip address of host[@port]>.
|
||||
The unbound resolver can then access the data, without referring to the
|
||||
public internet for it.
|
||||
.P
|
||||
This setup allows DNSSEC signed zones to be served by that
|
||||
This setup allows DNSSEC signed zones to be served by that
|
||||
authoritative server, in which case a trusted key entry with the public key
|
||||
can be put in config, so that unbound can validate the data and set the AD
|
||||
bit on replies for the private zone (authoritative servers do not set the
|
||||
AD bit). This setup makes unbound capable of answering queries for the
|
||||
private zone, and can even set the AD bit ('authentic'), but the AA
|
||||
('authoritative') bit is not set on these replies.
|
||||
can be put in config, so that unbound can validate the data and set the AD
|
||||
bit on replies for the private zone (authoritative servers do not set the
|
||||
AD bit). This setup makes unbound capable of answering queries for the
|
||||
private zone, and can even set the AD bit ('authentic'), but the AA
|
||||
('authoritative') bit is not set on these replies.
|
||||
.P
|
||||
Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
|
||||
for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
|
||||
@ -1337,8 +1344,8 @@ IP address of stub zone nameserver. Can be IP 4 or IP 6.
|
||||
To use a nondefault port for DNS communication append '@' with the port number.
|
||||
.TP
|
||||
.B stub\-prime: \fI<yes or no>
|
||||
This option is by default off. If enabled it performs NS set priming,
|
||||
which is similar to root hints, where it starts using the list of nameservers
|
||||
This option is by default off. If enabled it performs NS set priming,
|
||||
which is similar to root hints, where it starts using the list of nameservers
|
||||
currently published by the zone. Thus, if the hint list is slightly outdated,
|
||||
the resolver picks up a correct list online.
|
||||
.TP
|
||||
@ -1390,10 +1397,10 @@ Default is no.
|
||||
There may be multiple
|
||||
.B view:
|
||||
clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
|
||||
\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view
|
||||
name in an \fBaccess\-control\-view\fR element. Options from matching views will
|
||||
override global options. Global options will be used if no matching view
|
||||
is found.
|
||||
\fBlocal\-data\fR elements. View can be mapped to requests by specifying the
|
||||
view name in an \fBaccess\-control\-view\fR element. Options from matching
|
||||
views will override global options. Global options will be used if no matching
|
||||
view is found, or when the matching view does not have the option specified.
|
||||
.TP
|
||||
.B name: \fI<view name>
|
||||
Name of the view. Must be unique. This name is used in access\-control\-view
|
||||
@ -1401,7 +1408,11 @@ elements.
|
||||
.TP
|
||||
.B local\-zone: \fI<zone> <type>
|
||||
View specific local\-zone elements. Has the same types and behaviour as the
|
||||
global local\-zone elements.
|
||||
global local\-zone elements. When there is at least one local\-zone specified
|
||||
and view\-first is no, the default local-zones will be added to this view.
|
||||
Defaults can be disabled using the nodefault type. When view\-first is yes or
|
||||
when a view does not have a local\-zone, the global local\-zone will be used
|
||||
including it's default zones.
|
||||
.TP
|
||||
.B local\-data: \fI"<resource record string>"
|
||||
View specific local\-data elements. Has the same behaviour as the global
|
||||
@ -1454,7 +1465,8 @@ clause give the settings of the dnscrypt channel. While those options are
|
||||
available, they are only meaningful if unbound was compiled with
|
||||
\fB\-\-enable\-dnscrypt\fR.
|
||||
Currently certificate and secret/public keys cannot be generated by unbound.
|
||||
You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
|
||||
You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
|
||||
dnscrypt-wrapper/blob/master/README.md#usage
|
||||
.TP
|
||||
.B dnscrypt\-enable: \fI<yes or no>\fR
|
||||
Whether or not the \fBdnscrypt\fR config should be enabled. You may define
|
||||
@ -1475,23 +1487,24 @@ Path to the time limited secret key file. This option may be specified multiple
|
||||
times.
|
||||
.TP
|
||||
.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
|
||||
Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option
|
||||
may be specified multiple times.
|
||||
Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
|
||||
This option may be specified multiple times.
|
||||
.SS "EDNS Client Subnet Module Options"
|
||||
.LP
|
||||
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
|
||||
validator iterator" directive and be compiled into the daemon to be
|
||||
enabled. These settings go in the \fBserver:\fR section.
|
||||
.LP
|
||||
If the destination address is whitelisted with Unbound will add the EDNS0 option
|
||||
to the query containing the relevant part of the client's address. When an
|
||||
answer contains the ECS option the response and the option are placed in a
|
||||
specialized cache. If the authority indicated no support, the response is stored
|
||||
in the regular cache.
|
||||
If the destination address is whitelisted with Unbound will add the EDNS0
|
||||
option to the query containing the relevant part of the client's address. When
|
||||
an answer contains the ECS option the response and the option are placed in a
|
||||
specialized cache. If the authority indicated no support, the response is
|
||||
stored in the regular cache.
|
||||
.LP
|
||||
Additionally, when a client includes the option in its queries, Unbound will
|
||||
forward the option to the authority regardless of the authorities presence in
|
||||
the whitelist. In this case the lookup in the regular cache is skipped.
|
||||
forward the option to the authority if prensent in the whitelist, or
|
||||
\fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
|
||||
the regular cache is skipped.
|
||||
.LP
|
||||
The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
|
||||
configuration file. On top of that, for each query only 100 different subnets
|
||||
@ -1502,7 +1515,12 @@ entries will be purged from cache.
|
||||
Send client source address to this authority. Append /num to indicate a
|
||||
classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can
|
||||
be given multiple times. Authorities not listed will not receive edns-subnet
|
||||
information.
|
||||
information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
|
||||
.TP
|
||||
.B client\-subnet\-zone: \fI<domain>\fR
|
||||
Send client source address in queries for this domain and its subdomains. Can be
|
||||
given multiple times. Zones not listed will not receive edns-subnet information,
|
||||
unless hosted by authority specified in \fBsend\-client\-subnet\fR.
|
||||
.TP
|
||||
.B client\-subnet\-always\-forward: \fI<yes or no>\fR
|
||||
Specify whether the ECS whitelist check (configured using
|
||||
@ -1519,6 +1537,72 @@ to expose to third parties for IPv6. Defaults to 56.
|
||||
.B max\-client\-subnet\-ipv4: \fI<number>\fR
|
||||
Specifies the maximum prefix length of the client source address we are willing
|
||||
to expose to third parties for IPv4. Defaults to 24.
|
||||
.SS "Opportunistic IPsec Support Module Options"
|
||||
.LP
|
||||
The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
|
||||
validator iterator" directive and be compiled into the daemon to be
|
||||
enabled. These settings go in the \fBserver:\fR section.
|
||||
.LP
|
||||
When unbound receives an A/AAAA query that is not in the cache and finds a
|
||||
valid answer, it will withhold returning the answer and instead will generate
|
||||
an IPSECKEY subquery for the same domain name. If an answer was found, unbound
|
||||
will call an external hook passing the following arguments:
|
||||
.TP 10
|
||||
\h'5'\fIQNAME\fR
|
||||
Domain name of the A/AAAA and IPSECKEY query. In string format.
|
||||
.TP 10
|
||||
\h'5'\fIIPSECKEY TTL\fR
|
||||
TTL of the IPSECKEY RRset.
|
||||
.TP 10
|
||||
\h'5'\fIA/AAAA\fR
|
||||
String of space separated IP addresses present in the A/AAAA RRset. The IP
|
||||
addresses are in string format.
|
||||
.TP 10
|
||||
\h'5'\fIIPSECKEY\fR
|
||||
String of space separated IPSECKEY RDATA present in the IPSECKEY RRset. The
|
||||
IPSECKEY RDATA are in DNS presentation format.
|
||||
.LP
|
||||
The A/AAAA answer is then cached and returned to the client. If the external
|
||||
hook was called the TTL changes to ensure it doesn't surpass
|
||||
\fBipsecmod-max-ttl\fR.
|
||||
.LP
|
||||
The same procedure is also followed when \fBprefetch:\fR is used, but the
|
||||
A/AAAA answer is given to the client before the hook is called.
|
||||
\fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
|
||||
relevant for opportunistic IPsec.
|
||||
.TP
|
||||
.B ipsecmod-enabled: \fI<yes or no>\fR
|
||||
Specifies whether the IPsec module is enabled or not. The IPsec module still
|
||||
needs to be defined in the \fBmodule\-config:\fR directive. This option
|
||||
facilitates turning on/off the module without restarting/reloading unbound.
|
||||
Defaults to yes.
|
||||
.TP
|
||||
.B ipsecmod\-hook: \fI<filename>\fR
|
||||
Specifies the external hook that unbound will call with \fIsystem\fR(3). The
|
||||
file can be specified as an absolute/relative path. The file needs the proper
|
||||
permissions to be able to be executed by the same user that runs unbound. It
|
||||
must be present when the IPsec module is defined in the \fBmodule\-config:\fR
|
||||
directive.
|
||||
.TP
|
||||
.B ipsecmod-strict: \fI<yes or no>\fR
|
||||
If enabled unbound requires the external hook to return a success value of 0.
|
||||
Failing to do so unbound will reply with SERVFAIL. The A/AAAA answer will also
|
||||
not be cached. Defaults to no.
|
||||
.TP
|
||||
.B ipsecmod\-max-ttl: \fI<seconds>\fR
|
||||
Time to live maximum for A/AAAA cached records after calling the external hook.
|
||||
Defaults to 3600.
|
||||
.TP
|
||||
.B ipsecmod-ignore-bogus: \fI<yes or no>\fR
|
||||
Specifies the behaviour of unbound when the IPSECKEY answer is bogus. If set
|
||||
to yes, the hook will be called and the A/AAAA answer will be returned to the
|
||||
client. If set to no, the hook will not be called and the answer to the
|
||||
A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no.
|
||||
.TP
|
||||
.B ipsecmod\-whitelist: \fI<domain>\fR
|
||||
Whitelist the domain so that the module logic will be executed. Can
|
||||
be given multiple times, for different domains. If the option is not
|
||||
specified, all domains are treated as being whitelisted (default).
|
||||
.SH "MEMORY CONTROL EXAMPLE"
|
||||
In the example config settings below memory usage is reduced. Some service
|
||||
levels are lower, notable very large data and a high TCP load are no longer
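Review bot: The new ipsecmod\-hook description says the hook is run with \fIsystem\fR(3) and "can be specified as an absolute/relative path", but it does not tell the administrator where the arguments come from or how a relative path is resolved; the argument list documented just above (QNAME, IPSECKEY TTL, A/AAAA, IPSECKEY RDATA) is built from received DNS answers, so the hook receives externally supplied data through a shell invocation. Suggest adding a sentence after `directive.` in the ipsecmod\-hook entry, e.g. `The arguments are taken from the received DNS answers and must be treated as untrusted input by the hook; an absolute path is recommended, since a relative path is resolved against the working directory of the running daemon.` The working-directory resolution is inferred from the use of system(3) rather than stated on the page, so confirm against the ipsecmod implementation (and the chroot handling, if any) before wording it as fact. The same caveat applies to the ipsecmod\-strict entry, which decides whether a non-zero hook exit turns into SERVFAIL.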
|
||||
@ -1526,7 +1610,7 @@ supported. Very large data and high TCP loads are exceptional for the DNS.
DNSSEC validation is enabled, just add trust anchors.
If you do not have to worry about programs using more than 3 Mb of memory,
the below example is not for you. Use the defaults to receive full service,
which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
.P
.nf
# example settings that reduce memory usage
@ -1567,12 +1651,12 @@ unbound configuration file.
default unbound pidfile with process ID of the running daemon.
.TP
.I unbound.log
unbound log file. default is to log to
\fIsyslog\fR(3).
unbound log file. default is to log to
\fIsyslog\fR(3).
.SH "SEE ALSO"
\fIunbound\fR(8),
\fIunbound\fR(8),
\fIunbound\-checkconf\fR(8).
.SH "AUTHORS"
.B Unbound
.B Unbound
was written by NLnet Labs. Please see CREDITS file
in the distribution for further details.
@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.TH "unbound.conf" "5" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -16,13 +16,14 @@
.B unbound.conf
is used to configure
\fIunbound\fR(8).
The file format has attributes and values. Some attributes have attributes inside them.
The file format has attributes and values. Some attributes have attributes
inside them.
The notation is: attribute: value.
.P
Comments start with # and last to the end of line. Empty lines are
ignored as is whitespace at the beginning of a line.
.P
The utility
The utility
\fIunbound\-checkconf\fR(8)
can be used to check unbound.conf prior to usage.
.SH "EXAMPLE"
@ -30,7 +31,7 @@ An example config file is shown below. Copy this to /etc/unbound/unbound.conf
and start the server with:
.P
.nf
$ unbound \-c /etc/unbound/unbound.conf
$ unbound \-c /etc/unbound/unbound.conf
.fi
.P
Most settings are the defaults. Stop the server with:
@ -62,8 +63,8 @@ server:
access\-control: 2001:DB8::/64 allow
.fi
.SH "FILE FORMAT"
There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
is followed by its containing attributes, or a value.
There must be whitespace between keywords. Attribute keywords end with a colon ':'.
An attribute is followed by its containing attributes, or a value.
.P
Files can be included using the
.B include:
@ -71,7 +72,7 @@ directive. It can appear anywhere, it accepts a single file name as argument.
Processing continues as if the text from the included file was copied into
the config file at that point. If also using chroot, using full path names
for the included files works, relative pathnames for the included names work
if the directory where the daemon is started equals its chroot/working
if the directory where the daemon is started equals its chroot/working
directory or is specified before the include statement with directory: dir.
Wildcards can be used to include multiple files, see \fIglob\fR(7).
.SS "Server Options"
@ -80,17 +81,17 @@ These options are part of the
clause.
.TP
.B verbosity: \fI<number>
The verbosity number, level 0 means no verbosity, only errors. Level 1
The verbosity number, level 0 means no verbosity, only errors. Level 1
gives operational information. Level 2 gives detailed operational
information. Level 3 gives query level information, output per query.
Level 4 gives algorithm level information. Level 5 logs client
identification for cache misses. Default is level 1.
information. Level 3 gives query level information, output per query.
Level 4 gives algorithm level information. Level 5 logs client
identification for cache misses. Default is level 1.
The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
.TP
.B statistics\-interval: \fI<seconds>
The number of seconds between printing statistics to the log for every thread.
Disable with value 0 or "". Default is disabled. The histogram statistics
are only printed if replies were sent during the statistics interval,
are only printed if replies were sent during the statistics interval,
requestlist statistics are printed for every interval (but can be 0).
This is because the median calculation requires data to be present.
.TP
@ -99,7 +100,7 @@ If enabled, statistics are cumulative since starting unbound, without clearing
the statistics counters after logging the statistics. Default is no.
.TP
.B extended\-statistics: \fI<yes or no>
If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
Default is off, because keeping track of more statistics takes time. The
counters are listed in \fIunbound\-control\fR(8).
.TP
@ -112,7 +113,7 @@ The port number, default 53, on which the server responds to queries.
.B interface: \fI<ip address[@port]>
Interface to use to connect to the network. This interface is listened to
for queries from clients, and answers to clients are given from it.
Can be given multiple times to work on several interfaces. If none are
Can be given multiple times to work on several interfaces. If none are
given the default is to listen to localhost.
The interfaces are not changed on a reload (kill \-HUP) but only on restart.
A port number can be specified with @port (without spaces between
@ -123,19 +124,19 @@ interface and port number), if not specified the default port (from
Same as interface: (for easy of compatibility with nsd.conf).
.TP
.B interface\-automatic: \fI<yes or no>
Detect source interface on UDP queries and copy them to replies. This
Detect source interface on UDP queries and copy them to replies. This
feature is experimental, and needs support in your OS for particular socket
options. Default value is no.
.TP
.B outgoing\-interface: \fI<ip address or ip6 netblock>
Interface to use to connect to the network. This interface is used to send
queries to authoritative servers and receive their replies. Can be given
multiple times to work on several interfaces. If none are given the
default (all) is used. You can specify the same interfaces in
queries to authoritative servers and receive their replies. Can be given
multiple times to work on several interfaces. If none are given the
default (all) is used. You can specify the same interfaces in
.B interface:
and
.B outgoing\-interface:
lines, the interfaces are then used for both purposes. Outgoing queries are
lines, the interfaces are then used for both purposes. Outgoing queries are
sent via a random outgoing interface to counter spoofing.
.IP
If an IPv6 netblock is specified instead of an individual IPv6 address,
@ -155,26 +156,26 @@ ip \-6 addr add mynetblock/64 dev lo &&
ip \-6 route add local mynetblock/64 dev lo
.TP
.B outgoing\-range: \fI<number>
Number of ports to open. This number of file descriptors can be opened per
thread. Must be at least 1. Default depends on compile options. Larger
Number of ports to open. This number of file descriptors can be opened per
thread. Must be at least 1. Default depends on compile options. Larger
numbers need extra resources from the operating system. For performance a
very large value is best, use libevent to make this possible.
.TP
.B outgoing\-port\-permit: \fI<port number or range>
Permit unbound to open this port or range of ports for use to send queries.
A larger number of permitted outgoing ports increases resilience against
spoofing attempts. Make sure these ports are not needed by other daemons.
spoofing attempts. Make sure these ports are not needed by other daemons.
By default only ports above 1024 that have not been assigned by IANA are used.
Give a port number or a range of the form "low\-high", without spaces.
.IP
The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
are processed in the line order of the config file, adding the permitted ports
and subtracting the avoided ports from the set of allowed ports. The
processing starts with the non IANA allocated ports above 1024 in the set
The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
are processed in the line order of the config file, adding the permitted ports
and subtracting the avoided ports from the set of allowed ports. The
processing starts with the non IANA allocated ports above 1024 in the set
of allowed ports.
.TP
.B outgoing\-port\-avoid: \fI<port number or range>
Do not permit unbound to open this port or range of ports for use to send
Do not permit unbound to open this port or range of ports for use to send
queries. Use this to make sure unbound does not grab a port that another
daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
By default only ports above 1024 that have not been assigned by IANA are used.
@ -204,13 +205,13 @@ consider tuning the outgoing tcp number).
.B max\-udp\-size: \fI<number>
Maximum UDP response size (not applied to TCP response). 65536 disables the
udp response size maximum, and uses the choice from the client, always.
Suggested values are 512 to 4096. Default is 4096.
Suggested values are 512 to 4096. Default is 4096.
.TP
.B msg\-buffer\-size: \fI<number>
Number of bytes size of the message buffers. Default is 65552 bytes, enough
for 64 Kb packets, the maximum DNS message size. No message larger than this
can be sent or received. Can be reduced to use less memory, but some requests
for DNS data, such as for huge resource records, will result in a SERVFAIL
for DNS data, such as for huge resource records, will result in a SERVFAIL
reply to the client.
.TP
.B msg\-cache\-size: \fI<number>
@ -220,7 +221,7 @@ or gigabytes (1024*1024 bytes in a megabyte).
.TP
.B msg\-cache\-slabs: \fI<number>
Number of slabs in the message cache. Slabs reduce lock contention by threads.
Must be set to a power of 2. Setting (close) to the number of cpus is a
Must be set to a power of 2. Setting (close) to the number of cpus is a
reasonable guess.
.TP
.B num\-queries\-per\-thread: \fI<number>
@ -232,12 +233,12 @@ the existing queries. Default depends on compile options, 512 or 1024.
.TP
.B jostle\-timeout: \fI<msec>
Timeout used when the server is very busy. Set to a value that usually
results in one roundtrip to the authority servers. If too many queries
results in one roundtrip to the authority servers. If too many queries
arrive, then 50% of the queries are allowed to run to completion, and
the other 50% are replaced with the new incoming query if they have already
spent more than their allowed time. This protects against denial of
the other 50% are replaced with the new incoming query if they have already
spent more than their allowed time. This protects against denial of
service by slow queries or high query rates. Default 200 milliseconds.
The effect is that the qps for long-lasting queries is about
The effect is that the qps for long-lasting queries is about
(numqueriesperthread / 2) / (average time for such long queries) qps.
The qps for short queries can be about (numqueriesperthread / 2)
/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
@ -308,12 +309,12 @@ or gigabytes (1024*1024 bytes in a megabyte).
.TP
.B rrset\-cache\-slabs: \fI<number>
Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
Must be set to a power of 2.
Must be set to a power of 2.
.TP
.B cache\-max\-ttl: \fI<seconds>
Time to live maximum for RRsets and messages in the cache. Default is
86400 seconds (1 day). If the maximum kicks in, responses to clients
still get decrementing TTLs based on the original (larger) values.
Time to live maximum for RRsets and messages in the cache. Default is
86400 seconds (1 day). If the maximum kicks in, responses to clients
still get decrementing TTLs based on the original (larger) values.
When the internal TTL expires, the cache item has expired.
Can be set lower to force the resolver to query for data often, and not
trust (very large) TTL values.
@ -323,7 +324,7 @@ Time to live minimum for RRsets and messages in the cache. Default is 0.
If the minimum kicks in, the data is cached for longer than the domain
owner intended, and thus less queries are made to look up the data.
Zero makes sure the data in the cache is as the domain owner intended,
higher values, especially more than an hour or so, can lead to trouble as
higher values, especially more than an hour or so, can lead to trouble as
the data in the cache does not match up with the actual data any more.
.TP
.B cache\-max\-negative\-ttl: \fI<seconds>
@ -331,12 +332,12 @@ Time to live maximum for negative responses, these have a SOA in the
authority section that is limited in time. Default is 3600.
.TP
.B infra\-host\-ttl: \fI<seconds>
Time to live for entries in the host cache. The host cache contains
Time to live for entries in the host cache. The host cache contains
roundtrip timing, lameness and EDNS support information. Default is 900.
.TP
.B infra\-cache\-slabs: \fI<number>
Number of slabs in the infrastructure cache. Slabs reduce lock contention
by threads. Must be set to a power of 2.
Number of slabs in the infrastructure cache. Slabs reduce lock contention
by threads. Must be set to a power of 2.
.TP
.B infra\-cache\-numhosts: \fI<number>
Number of hosts for which information is cached. Default is 10000.
@ -372,7 +373,7 @@ Enable or disable whether TCP queries are answered or issued. Default is yes.
.TP
.B tcp\-mss: \fI<number>
Maximum segment size (MSS) of TCP socket on which the server responds
to queries. Value lower than common MSS on Ethernet
to queries. Value lower than common MSS on Ethernet
(1220 for example) will address path MTU problem.
Note that not all platform supports socket option to set MSS (TCP_MAXSEG).
Default is system default MSS determined by interface MTU and
@ -393,7 +394,8 @@ Default is no. Useful in tunneling scenarios.
.B ssl\-upstream: \fI<yes or no>
Enabled or disable whether the upstream queries use SSL only for transport.
Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR).
TCP wireformat. The other server must support this (see
\fBssl\-service\-key\fR).
.TP
.B ssl\-service-key: \fI<file>
If enabled, the server provider SSL service on its TCP sockets. The clients
@ -423,37 +425,37 @@ a daemon. Set the value to \fIno\fR when unbound runs as systemd service.
Default is yes.
.TP
.B access\-control: \fI<IP netblock> <action>
The netblock is given as an IP4 or IP6 address with /size appended for a
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
The netblock is given as an IP4 or IP6 address with /size appended for a
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
The most specific netblock match is used, if none match \fIdeny\fR is used.
.IP
The action \fIdeny\fR stops queries from hosts from that netblock.
.IP
The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
error message back.
.IP
The action \fIallow\fR gives access to clients from that netblock.
It gives only access for recursion clients (which is
The action \fIallow\fR gives access to clients from that netblock.
It gives only access for recursion clients (which is
what almost all clients need). Nonrecursive queries are refused.
.IP
The \fIallow\fR action does allow nonrecursive queries to access the
The \fIallow\fR action does allow nonrecursive queries to access the
local\-data that is configured. The reason is that this does not involve
the unbound server recursive lookup algorithm, and static data is served
in the reply. This supports normal operations where nonrecursive queries
are made for the authoritative data. For nonrecursive queries any replies
the unbound server recursive lookup algorithm, and static data is served
in the reply. This supports normal operations where nonrecursive queries
are made for the authoritative data. For nonrecursive queries any replies
from the dynamic cache are refused.
.IP
The action \fIallow_snoop\fR gives nonrecursive access too. This give
both recursive and non recursive access. The name \fIallow_snoop\fR refers
The action \fIallow_snoop\fR gives nonrecursive access too. This give
both recursive and non recursive access. The name \fIallow_snoop\fR refers
to cache snooping, a technique to use nonrecursive queries to examine
the cache contents (for malicious acts). However, nonrecursive queries can
also be a valuable debugging tool (when you want to examine the cache
the cache contents (for malicious acts). However, nonrecursive queries can
also be a valuable debugging tool (when you want to examine the cache
contents). In that case use \fIallow_snoop\fR for your administration host.
.IP
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
protocol is not designed to handle dropped packets due to policy, and
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
protocol is not designed to handle dropped packets due to policy, and
dropping may result in (possibly excessive) retried queries.
.IP
The deny_non_local and refuse_non_local settings are for hosts that are
@ -485,8 +487,8 @@ Set view for given access control element.
.B chroot: \fI<directory>
If chroot is enabled, you should pass the configfile (from the
commandline) as a full path from the original root. After the
chroot has been performed the now defunct portion of the config
file path is removed to be able to reread the config after a reload.
chroot has been performed the now defunct portion of the config
file path is removed to be able to reread the config after a reload.
.IP
All other file paths (working dir, logfile, roothints, and
key files) can be specified in several ways:
@ -497,22 +499,22 @@ In the last case the path is adjusted to remove the unused portion.
.IP
The pidfile can be either a relative path to the working directory, or
an absolute path relative to the original root. It is written just prior
to chroot and dropping permissions. This allows the pidfile to be
to chroot and dropping permissions. This allows the pidfile to be
/var/run/unbound.pid and the chroot to be /var/unbound, for example.
.IP
Additionally, unbound may need to access /dev/random (for entropy)
from inside the chroot.
.IP
If given a chroot is done to the given directory. The default is
If given a chroot is done to the given directory. The default is
"@UNBOUND_CHROOT_DIR@". If you give "" no chroot is performed.
.TP
.B username: \fI<name>
If given, after binding the port the user privileges are dropped. Default is
"@UNBOUND_USERNAME@". If you give username: "" no user change is performed.
"@UNBOUND_USERNAME@". If you give username: "" no user change is performed.
.IP
If this user is not capable of binding the
port, reloads (by signal HUP) will still retain the opened ports.
If you change the port number in the config file, and that new port number
If you change the port number in the config file, and that new port number
requires privileges, then a reload will fail; a restart is needed.
.TP
.B directory: \fI<directory>
@ -524,17 +526,17 @@ then those includes can be relative to the working directory.
.TP
.B logfile: \fI<filename>
If "" is given, logging goes to stderr, or nowhere once daemonized.
The logfile is appended to, in the following format:
The logfile is appended to, in the following format:
.nf
[seconds since 1970] unbound[pid:tid]: type: message.
[seconds since 1970] unbound[pid:tid]: type: message.
.fi
If this option is given, the use\-syslog is option is set to "no".
The logfile is reopened (for append) when the config file is reread, on
The logfile is reopened (for append) when the config file is reread, on
SIGHUP.
.TP
.B use\-syslog: \fI<yes or no>
Sets unbound to send log messages to the syslogd, using
\fIsyslog\fR(3).
Sets unbound to send log messages to the syslogd, using
\fIsyslog\fR(3).
The log facility LOG_DAEMON is used, with identity "unbound".
The logfile setting is overridden when use\-syslog is turned on.
The default is to log to syslog.
@ -565,20 +567,20 @@ lines which makes the server (significantly) slower. Odd (nonprintable)
characters in names are printed as '?'.
.TP
.B pidfile: \fI<filename>
The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
So,
.nf
kill \-HUP `cat @UNBOUND_PIDFILE@`
kill \-HUP `cat @UNBOUND_PIDFILE@`
.fi
triggers a reload,
.nf
kill \-TERM `cat @UNBOUND_PIDFILE@`
kill \-TERM `cat @UNBOUND_PIDFILE@`
.fi
gracefully terminates.
.TP
.B root\-hints: \fI<filename>
Read the root hints from this file. Default is nothing, using builtin hints
for the IN class. The file has the format of zone files, with root
for the IN class. The file has the format of zone files, with root
nameserver names and addresses only. The default may become outdated,
when servers change, therefore it is good practice to use a root\-hints file.
.TP
@ -602,22 +604,22 @@ If enabled trustanchor.unbound queries are refused.
.B target\-fetch\-policy: \fI<"list of numbers">
Set the target fetch policy used by unbound to determine if it should fetch
nameserver target addresses opportunistically. The policy is described per
dependency depth.
dependency depth.
.IP
The number of values determines the maximum dependency depth
that unbound will pursue in answering a query.
that unbound will pursue in answering a query.
A value of \-1 means to fetch all targets opportunistically for that dependency
depth. A value of 0 means to fetch on demand only. A positive value fetches
that many targets opportunistically.
that many targets opportunistically.
.IP
Enclose the list between quotes ("") and put spaces between numbers.
The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
rumoured to be closer to that of BIND 8.
.TP
.B harden\-short\-bufsize: \fI<yes or no>
Very small EDNS buffer sizes from queries are ignored. Default is off, since
it is legal protocol wise to send these, and unbound tries to give very
it is legal protocol wise to send these, and unbound tries to give very
small answers to these queries, where possible.
.TP
.B harden\-large\-queries: \fI<yes or no>
@ -631,11 +633,11 @@ Will trust glue only if it is within the servers authority. Default is on.
.B harden\-dnssec\-stripped: \fI<yes or no>
Require DNSSEC data for trust\-anchored zones, if such data is absent,
the zone becomes bogus. If turned off, and no DNSSEC data is received
(or the DNSKEY data fails to validate), then the zone is made insecure,
this behaves like there is no trust anchor. You could turn this off if
you are sometimes behind an intrusive firewall (of some sort) that
removes DNSSEC data from packets, or a zone changes from signed to
unsigned to badly signed often. If turned off you run the risk of a
(or the DNSKEY data fails to validate), then the zone is made insecure,
this behaves like there is no trust anchor. You could turn this off if
you are sometimes behind an intrusive firewall (of some sort) that
removes DNSSEC data from packets, or a zone changes from signed to
unsigned to badly signed often. If turned off you run the risk of a
downgrade attack that disables security for a zone. Default is on.
.TP
.B harden\-below\-nxdomain: \fI<yes or no>
@ -653,7 +655,7 @@ The nxdomain must be secure, this means nsec3 with optout is insufficient.
Harden the referral path by performing additional queries for
infrastructure data. Validates the replies if trust anchors are configured
and the zones are signed. This enforces DNSSEC validation on nameserver
NS sets and the nameserver addresses that are encountered on the referral
NS sets and the nameserver addresses that are encountered on the referral
path to the answer.
Default off, because it burdens the authority servers, and it is
not RFC standard, and could lead to performance problems because of the
@ -670,9 +672,9 @@ this option off avoids that validation failure.
.TP
.B use\-caps\-for\-id: \fI<yes or no>
Use 0x20\-encoded random bits in the query to foil spoof attempts.
This perturbs the lowercase and uppercase of query names sent to
authority servers and checks if the reply still has the correct casing.
Disabled by default.
This perturbs the lowercase and uppercase of query names sent to
authority servers and checks if the reply still has the correct casing.
Disabled by default.
This feature is an experimental implementation of draft dns\-0x20.
.TP
.B caps\-whitelist: \fI<domain>
@ -683,7 +685,7 @@ Can be given multiple times, for different domains.
.TP
.B qname\-minimisation: \fI<yes or no>
Send minimum amount of information to upstream servers to enhance privacy.
Only sent minimum required labels of the QNAME and set QTYPE to NS when
Only sent minimum required labels of the QNAME and set QTYPE to NS when
possible. Best effort approach; full QNAME and original QTYPE will be sent when
upstream replies with a RCODE other than NOERROR, except when receiving
NXDOMAIN from a DNSSEC signed zone. Default is off.
@ -715,7 +717,7 @@ stops IPv4-mapped IPv6 addresses from bypassing the filter.
.TP
.B private\-domain: \fI<domain name>
Allow this domain, and all its subdomains to contain private addresses.
Give multiple times to allow multiple domain names to contain private
Give multiple times to allow multiple domain names to contain private
addresses. Default is none.
.TP
.B unwanted\-reply\-threshold: \fI<number>
@ -726,7 +728,7 @@ message caches, hopefully flushing away any poison. A value of 10 million
is suggested. Default is 0 (turned off).
.TP
.B do\-not\-query\-address: \fI<IP address>
Do not query the given IP address. Can be IP4 or IP6. Append /num to
Do not query the given IP address. Can be IP4 or IP6. Append /num to
indicate a classless delegation netblock, for example like
10.2.3.4/24 or 2001::11/64.
.TP
@ -793,17 +795,20 @@ A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
The resource record is entered in the same format as 'dig' or 'drill' prints
them, the same format as in the zone file. Has to be on a single line, with
"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
A class can be specified, but class IN is default.
.TP
.B trusted\-keys\-file: \fI<filename>
File with trusted keys for validation. Specify more than one file
with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
but has a different file format. Format is BIND\-9 style format,
but has a different file format. Format is BIND\-9 style format,
the trusted\-keys { name flag proto algo "key"; }; clauses are read.
It is possible to use wildcards with this statement, the wildcard is
expanded on start and on reload.
.TP
.B trust\-anchor\-signaling: \fI<yes or no>
Send RFC8145 key tag query after trust anchor priming. Default is off.
.TP
.B dlv\-anchor\-file: \fI<filename>
This option was used during early days DNSSEC deployment when no parent-side
DS record registrations were easily available. Nowadays, it is best to have
@ -811,9 +816,9 @@ DS records registered with the parent zone (many top level zones are signed).
File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
DNSKEY entries can be used in the file, in the same format as for
\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
would be slow. The DLV configured is used as a root trusted DLV, this
means that it is a lookaside for the root. Default is "", or no dlv anchor file.
DLV is going to be decommissioned. Please do not use it any more.
would be slow. The DLV configured is used as a root trusted DLV, this
means that it is a lookaside for the root. Default is "", or no dlv anchor
file. DLV is going to be decommissioned. Please do not use it any more.
.TP
.B dlv\-anchor: \fI<"Resource Record">
Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
@ -825,17 +830,17 @@ the domain name. So a trust anchor above the domain name can not make the
|
||||
domain secure with a DS record, such a DS record is then ignored.
|
||||
Also keys from DLV are ignored for the domain. Can be given multiple times
|
||||
to specify multiple domains that are treated as if unsigned. If you set
|
||||
trust anchors for the domain they override this setting (and the domain
|
||||
trust anchors for the domain they override this setting (and the domain
|
||||
is secured).
|
||||
.IP
|
||||
This can be useful if you want to make sure a trust anchor for external
|
||||
lookups does not affect an (unsigned) internal domain. A DS record
|
||||
lookups does not affect an (unsigned) internal domain. A DS record
|
||||
externally can create validation failures for that internal domain.
|
||||
.TP
|
||||
.B val\-override\-date: \fI<rrsig\-style date spec>
|
||||
Default is "" or "0", which disables this debugging feature. If enabled by
|
||||
giving a RRSIG style date, that date is used for verifying RRSIG inception
|
||||
and expiration dates, instead of the current date. Do not set this unless
|
||||
and expiration dates, instead of the current date. Do not set this unless
|
||||
you are debugging signature inception and expiration. The value \-1 ignores
|
||||
the date altogether, useful for some special applications.
|
||||
.TP
|
||||
@ -865,7 +870,7 @@ The time interval prevents repeated revalidation of bogus data.
|
||||
Instruct the validator to remove data from the additional section of secure
|
||||
messages that are not signed properly. Messages that are insecure, bogus,
|
||||
indeterminate or unchecked are not affected. Default is yes. Use this setting
|
||||
to protect the users that rely on this validator for authentication from
|
||||
to protect the users that rely on this validator for authentication from
|
||||
potentially bad data in the additional section.
|
||||
.TP
|
||||
.B val\-log\-level: \fI<number>
|
||||
@ -880,10 +885,10 @@ it was wrong and which server sent the faulty data.
|
||||
.B val\-permissive\-mode: \fI<yes or no>
|
||||
Instruct the validator to mark bogus messages as indeterminate. The security
|
||||
checks are performed, but if the result is bogus (failed security), the
|
||||
reply is not withheld from the client with SERVFAIL as usual. The client
|
||||
receives the bogus data. For messages that are found to be secure the AD bit
|
||||
reply is not withheld from the client with SERVFAIL as usual. The client
|
||||
receives the bogus data. For messages that are found to be secure the AD bit
|
||||
is set in replies. Also logging is performed as for full validation.
|
||||
The default value is "no".
|
||||
The default value is "no".
|
||||
.TP
|
||||
.B ignore\-cd\-flag: \fI<yes or no>
|
||||
Instruct unbound to ignore the CD flag from clients and refuse to
|
||||
@ -903,7 +908,7 @@ List of keysize and iteration count values, separated by spaces, surrounded
|
||||
by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
|
||||
maximum allowed NSEC3 iteration count before a message is simply marked
|
||||
insecure instead of performing the many hashing iterations. The list must
|
||||
be in ascending order and have at least one entry. If you set it to
|
||||
be in ascending order and have at least one entry. If you set it to
|
||||
"1024 65535" there is no restriction to NSEC3 iteration values.
|
||||
This table must be kept short; a very long list could cause slower operation.
|
||||
.TP
|
||||
@ -938,7 +943,7 @@ or gigabytes (1024*1024 bytes in a megabyte).
|
||||
.TP
|
||||
.B key\-cache\-slabs: \fI<number>
|
||||
Number of slabs in the key cache. Slabs reduce lock contention by threads.
|
||||
Must be set to a power of 2. Setting (close) to the number of cpus is a
|
||||
Must be set to a power of 2. Setting (close) to the number of cpus is a
|
||||
reasonable guess.
|
||||
.TP
|
||||
.B neg\-cache\-size: \fI<number>
|
||||
@ -989,7 +994,7 @@ Otherwise, the query is answered with nodata or nxdomain.
|
||||
For a negative answer a SOA is included in the answer if present
|
||||
as local\-data for the zone apex domain.
|
||||
.TP 10
|
||||
\h'5'\fItransparent\fR
|
||||
\h'5'\fItransparent\fR
|
||||
If there is a match from local data, the query is answered.
|
||||
Otherwise if the query has a different name, the query is resolved normally.
|
||||
If the query is for a name given in localdata but no such type of data is
|
||||
@ -997,49 +1002,49 @@ given in localdata, then a noerror nodata answer is returned.
|
||||
If no local\-zone is given local\-data causes a transparent zone
|
||||
to be created by default.
|
||||
.TP 10
|
||||
\h'5'\fItypetransparent\fR
|
||||
\h'5'\fItypetransparent\fR
|
||||
If there is a match from local data, the query is answered. If the query
|
||||
is for a different name, or for the same name but for a different type,
|
||||
the query is resolved normally. So, similar to transparent but types
|
||||
that are not listed in local data are resolved normally, so if an A record
|
||||
is in the local data that does not cause a nodata reply for AAAA queries.
|
||||
.TP 10
|
||||
\h'5'\fIredirect\fR
|
||||
\h'5'\fIredirect\fR
|
||||
The query is answered from the local data for the zone name.
|
||||
There may be no local data beneath the zone name.
|
||||
This answers queries for the zone, and all subdomains of the zone
|
||||
with the local data for the zone.
|
||||
It can be used to redirect a domain to return a different address record
|
||||
to the end user, with
|
||||
local\-zone: "example.com." redirect and
|
||||
to the end user, with
|
||||
local\-zone: "example.com." redirect and
|
||||
local\-data: "example.com. A 127.0.0.1"
|
||||
queries for www.example.com and www.foo.example.com are redirected, so
|
||||
that users with web browsers cannot access sites with suffix example.com.
|
||||
.TP 10
|
||||
\h'5'\fIinform\fR
|
||||
\h'5'\fIinform\fR
|
||||
The query is answered normally, same as transparent. The client IP
|
||||
address (@portnumber) is printed to the logfile. The log message is:
|
||||
timestamp, unbound-pid, info: zonename inform IP@port queryname type
|
||||
class. This option can be used for normal resolution, but machines
|
||||
looking up infected names are logged, eg. to run antivirus on them.
|
||||
.TP 10
|
||||
\h'5'\fIinform_deny\fR
|
||||
\h'5'\fIinform_deny\fR
|
||||
The query is dropped, like 'deny', and logged, like 'inform'. Ie. find
|
||||
infected machines without answering the queries.
|
||||
.TP 10
|
||||
\h'5'\fIalways_transparent\fR
|
||||
\h'5'\fIalways_transparent\fR
|
||||
Like transparent, but ignores local data and resolves normally.
|
||||
.TP 10
|
||||
\h'5'\fIalways_refuse\fR
|
||||
\h'5'\fIalways_refuse\fR
|
||||
Like refuse, but ignores local data and refuses the query.
|
||||
.TP 10
|
||||
\h'5'\fIalways_nxdomain\fR
|
||||
\h'5'\fIalways_nxdomain\fR
|
||||
Like static, but ignores local data and returns nxdomain for the query.
|
||||
.TP 10
|
||||
\h'5'\fInodefault\fR
|
||||
\h'5'\fInodefault\fR
|
||||
Used to turn off default contents for AS112 zones. The other types
|
||||
also turn off default contents for the zone. The 'nodefault' option
|
||||
has no other effect than turning off default contents for the
|
||||
also turn off default contents for the zone. The 'nodefault' option
|
||||
has no other effect than turning off default contents for the
|
||||
given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
|
||||
use a subzone, use \fItransparent\fR.
|
||||
.P
|
||||
@ -1048,71 +1053,71 @@ the AS112 zones. The AS112 zones are reverse DNS zones for private use and
|
||||
reserved IP addresses for which the servers on the internet cannot provide
|
||||
correct answers. They are configured by default to give nxdomain (no reverse
|
||||
information) answers. The defaults can be turned off by specifying your
|
||||
own local\-zone of that name, or using the 'nodefault' type. Below is a
|
||||
own local\-zone of that name, or using the 'nodefault' type. Below is a
|
||||
list of the default zone contents.
|
||||
.TP 10
|
||||
\h'5'\fIlocalhost\fR
|
||||
\h'5'\fIlocalhost\fR
|
||||
The IP4 and IP6 localhost information is given. NS and SOA records are provided
|
||||
for completeness and to satisfy some DNS update tools. Default content:
|
||||
.nf
|
||||
local\-zone: "localhost." static
|
||||
local\-data: "localhost. 10800 IN NS localhost."
|
||||
local\-data: "localhost. 10800 IN
|
||||
local\-data: "localhost. 10800 IN
|
||||
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
|
||||
local\-data: "localhost. 10800 IN A 127.0.0.1"
|
||||
local\-data: "localhost. 10800 IN AAAA ::1"
|
||||
.fi
|
||||
.TP 10
|
||||
\h'5'\fIreverse IPv4 loopback\fR
|
||||
\h'5'\fIreverse IPv4 loopback\fR
|
||||
Default content:
|
||||
.nf
|
||||
local\-zone: "127.in\-addr.arpa." static
|
||||
local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
|
||||
local\-data: "127.in\-addr.arpa. 10800 IN
|
||||
local\-data: "127.in\-addr.arpa. 10800 IN
|
||||
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
|
||||
local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
|
||||
local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
|
||||
PTR localhost."
|
||||
.fi
|
||||
.TP 10
|
||||
\h'5'\fIreverse IPv6 loopback\fR
|
||||
\h'5'\fIreverse IPv6 loopback\fR
|
||||
Default content:
|
||||
.nf
|
||||
local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
|
||||
local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
|
||||
NS localhost."
|
||||
local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
|
||||
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
|
||||
local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
|
||||
PTR localhost."
|
||||
.fi
|
||||
.TP 10
|
||||
\h'5'\fIonion (RFC 7686)\fR
|
||||
\h'5'\fIonion (RFC 7686)\fR
|
||||
Default content:
|
||||
.nf
|
||||
local\-zone: "onion." static
|
||||
local\-data: "onion. 10800 IN NS localhost."
|
||||
local\-data: "onion. 10800 IN
|
||||
local\-data: "onion. 10800 IN
|
||||
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
|
||||
.fi
|
||||
.TP 10
|
||||
\h'5'\fIreverse RFC1918 local use zones\fR
|
||||
Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
|
||||
\h'5'\fIreverse RFC1918 local use zones\fR
|
||||
Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
|
||||
31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
|
||||
The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
|
||||
The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
|
||||
records are provided.
|
||||
.TP 10
|
||||
\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
|
||||
Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
|
||||
\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
|
||||
Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
|
||||
2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
|
||||
113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
|
||||
And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
|
||||
.TP 10
|
||||
\h'5'\fIreverse RFC4291 IP6 unspecified\fR
|
||||
Reverse data for zone
|
||||
Reverse data for zone
|
||||
.nf
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
|
||||
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
|
||||
@ -1137,11 +1142,11 @@ This also works with the other default zones.
|
||||
.TP 5
|
||||
.B local\-data: \fI"<resource record string>"
|
||||
Configure local data, which is served in reply to queries for it.
|
||||
The query has to match exactly unless you configure the local\-zone as
|
||||
The query has to match exactly unless you configure the local\-zone as
|
||||
redirect. If not matched exactly, the local\-zone type determines
|
||||
further processing. If local\-data is configured that is not a subdomain of
|
||||
a local\-zone, a transparent local\-zone is configured.
|
||||
For record types such as TXT, use single quotes, as in
|
||||
a local\-zone, a transparent local\-zone is configured.
|
||||
For record types such as TXT, use single quotes, as in
|
||||
local\-data: 'example. TXT "text"'.
|
||||
.IP
|
||||
If you need more complicated authoritative data, with referrals, wildcards,
|
||||
@ -1160,7 +1165,7 @@ used access-control element has a matching tag. Tags must be defined in
|
||||
tags.
|
||||
.TP 5
|
||||
.B local\-zone\-override: \fI<zone> <IP netblock> <type>
|
||||
Override the localzone type for queries from addresses matching netblock.
|
||||
Override the localzone type for queries from addresses matching netblock.
|
||||
Use this localzone type, regardless the type configured for the local-zone
|
||||
(both tagged and untagged) and regardless the type configured using
|
||||
access\-control\-tag\-action.
|
||||
@ -1197,18 +1202,20 @@ This can make ordinary queries complete (if repeatedly queried for),
|
||||
and enter the cache, whilst also mitigating the traffic flow by the
|
||||
factor given.
|
||||
.TP 5
|
||||
.B ratelimit\-for\-domain: \fI<domain> <number qps>
|
||||
.B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
|
||||
Override the global ratelimit for an exact match domain name with the listed
|
||||
number. You can give this for any number of names. For example, for
|
||||
a top\-level\-domain you may want to have a higher limit than other names.
|
||||
A value of 0 will disable ratelimiting for that domain.
|
||||
.TP 5
|
||||
.B ratelimit\-below\-domain: \fI<domain> <number qps>
|
||||
.B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
|
||||
Override the global ratelimit for a domain name that ends in this name.
|
||||
You can give this multiple times, it then describes different settings
|
||||
in different parts of the namespace. The closest matching suffix is used
|
||||
to determine the qps limit. The rate for the exact matching domain name
|
||||
is not changed, use ratelimit\-for\-domain to set that, you might want
|
||||
to use different settings for a top\-level\-domain and subdomains.
|
||||
A value of 0 will disable ratelimiting for domain names that end in this name.
|
||||
.TP 5
|
||||
.B ip\-ratelimit: \fI<number or 0>
|
||||
Enable global ratelimiting of queries accepted per ip address.
|
||||
@ -1304,21 +1311,21 @@ the recursive processing itself for stub zones.
|
||||
.P
|
||||
The stub zone can be used to configure authoritative data to be used
|
||||
by the resolver that cannot be accessed using the public internet servers.
|
||||
This is useful for company\-local data or private zones. Setup an
|
||||
authoritative server on a different host (or different port). Enter a config
|
||||
entry for unbound with
|
||||
This is useful for company\-local data or private zones. Setup an
|
||||
authoritative server on a different host (or different port). Enter a config
|
||||
entry for unbound with
|
||||
.B stub\-addr:
|
||||
<ip address of host[@port]>.
|
||||
The unbound resolver can then access the data, without referring to the
|
||||
public internet for it.
|
||||
<ip address of host[@port]>.
|
||||
The unbound resolver can then access the data, without referring to the
|
||||
public internet for it.
|
||||
.P
|
||||
This setup allows DNSSEC signed zones to be served by that
|
||||
This setup allows DNSSEC signed zones to be served by that
|
||||
authoritative server, in which case a trusted key entry with the public key
|
||||
can be put in config, so that unbound can validate the data and set the AD
|
||||
bit on replies for the private zone (authoritative servers do not set the
|
||||
AD bit). This setup makes unbound capable of answering queries for the
|
||||
private zone, and can even set the AD bit ('authentic'), but the AA
|
||||
('authoritative') bit is not set on these replies.
|
||||
can be put in config, so that unbound can validate the data and set the AD
|
||||
bit on replies for the private zone (authoritative servers do not set the
|
||||
AD bit). This setup makes unbound capable of answering queries for the
|
||||
private zone, and can even set the AD bit ('authentic'), but the AA
|
||||
('authoritative') bit is not set on these replies.
|
||||
.P
|
||||
Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
|
||||
for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
|
||||
@ -1337,8 +1344,8 @@ IP address of stub zone nameserver. Can be IP 4 or IP 6.
|
||||
To use a nondefault port for DNS communication append '@' with the port number.
|
||||
.TP
|
||||
.B stub\-prime: \fI<yes or no>
|
||||
This option is by default off. If enabled it performs NS set priming,
|
||||
which is similar to root hints, where it starts using the list of nameservers
|
||||
This option is by default off. If enabled it performs NS set priming,
|
||||
which is similar to root hints, where it starts using the list of nameservers
|
||||
currently published by the zone. Thus, if the hint list is slightly outdated,
|
||||
the resolver picks up a correct list online.
|
||||
.TP
|
||||
@ -1390,10 +1397,10 @@ Default is no.
|
||||
There may be multiple
|
||||
.B view:
|
||||
clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
|
||||
\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view
|
||||
name in an \fBaccess\-control\-view\fR element. Options from matching views will
|
||||
override global options. Global options will be used if no matching view
|
||||
is found.
|
||||
\fBlocal\-data\fR elements. View can be mapped to requests by specifying the
|
||||
view name in an \fBaccess\-control\-view\fR element. Options from matching
|
||||
views will override global options. Global options will be used if no matching
|
||||
view is found, or when the matching view does not have the option specified.
|
||||
.TP
|
||||
.B name: \fI<view name>
|
||||
Name of the view. Must be unique. This name is used in access\-control\-view
|
||||
@ -1401,7 +1408,11 @@ elements.
|
||||
.TP
|
||||
.B local\-zone: \fI<zone> <type>
|
||||
View specific local\-zone elements. Has the same types and behaviour as the
|
||||
global local\-zone elements.
|
||||
global local\-zone elements. When there is at least one local\-zone specified
|
||||
and view\-first is no, the default local-zones will be added to this view.
|
||||
Defaults can be disabled using the nodefault type. When view\-first is yes or
|
||||
when a view does not have a local\-zone, the global local\-zone will be used
|
||||
including it's default zones.
|
||||
.TP
|
||||
.B local\-data: \fI"<resource record string>"
|
||||
View specific local\-data elements. Has the same behaviour as the global
|
||||
@ -1454,7 +1465,8 @@ clause give the settings of the dnscrypt channel. While those options are
|
||||
available, they are only meaningful if unbound was compiled with
|
||||
\fB\-\-enable\-dnscrypt\fR.
|
||||
Currently certificate and secret/public keys cannot be generated by unbound.
|
||||
You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
|
||||
You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
|
||||
dnscrypt-wrapper/blob/master/README.md#usage
|
||||
.TP
|
||||
.B dnscrypt\-enable: \fI<yes or no>\fR
|
||||
Whether or not the \fBdnscrypt\fR config should be enabled. You may define
|
||||
@ -1475,23 +1487,24 @@ Path to the time limited secret key file. This option may be specified multiple
|
||||
times.
|
||||
.TP
|
||||
.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
|
||||
Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option
|
||||
may be specified multiple times.
|
||||
Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
|
||||
This option may be specified multiple times.
|
||||
.SS "EDNS Client Subnet Module Options"
|
||||
.LP
|
||||
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
|
||||
validator iterator" directive and be compiled into the daemon to be
|
||||
enabled. These settings go in the \fBserver:\fR section.
|
||||
.LP
|
||||
If the destination address is whitelisted with Unbound will add the EDNS0 option
|
||||
to the query containing the relevant part of the client's address. When an
|
||||
answer contains the ECS option the response and the option are placed in a
|
||||
specialized cache. If the authority indicated no support, the response is stored
|
||||
in the regular cache.
|
||||
If the destination address is whitelisted with Unbound will add the EDNS0
|
||||
option to the query containing the relevant part of the client's address. When
|
||||
an answer contains the ECS option the response and the option are placed in a
|
||||
specialized cache. If the authority indicated no support, the response is
|
||||
stored in the regular cache.
|
||||
.LP
|
||||
Additionally, when a client includes the option in its queries, Unbound will
|
||||
forward the option to the authority regardless of the authorities presence in
|
||||
the whitelist. In this case the lookup in the regular cache is skipped.
|
||||
forward the option to the authority if prensent in the whitelist, or
|
||||
\fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
|
||||
the regular cache is skipped.
|
||||
.LP
|
||||
The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
|
||||
configuration file. On top of that, for each query only 100 different subnets
|
||||
@ -1502,7 +1515,12 @@ entries will be purged from cache.
|
||||
Send client source address to this authority. Append /num to indicate a
|
||||
classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can
|
||||
be given multiple times. Authorities not listed will not receive edns-subnet
|
||||
information.
|
||||
information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
|
||||
.TP
|
||||
.B client\-subnet\-zone: \fI<domain>\fR
|
||||
Send client source address in queries for this domain and its subdomains. Can be
|
||||
given multiple times. Zones not listed will not receive edns-subnet information,
|
||||
unless hosted by authority specified in \fBsend\-client\-subnet\fR.
|
||||
.TP
|
||||
.B client\-subnet\-always\-forward: \fI<yes or no>\fR
|
||||
Specify whether the ECS whitelist check (configured using
|
||||
@ -1519,6 +1537,72 @@ to expose to third parties for IPv6. Defaults to 56.
|
||||
.B max\-client\-subnet\-ipv4: \fI<number>\fR
|
||||
Specifies the maximum prefix length of the client source address we are willing
|
||||
to expose to third parties for IPv4. Defaults to 24.
|
||||
.SS "Opportunistic IPsec Support Module Options"
|
||||
.LP
|
||||
The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
|
||||
validator iterator" directive and be compiled into the daemon to be
|
||||
enabled. These settings go in the \fBserver:\fR section.
|
||||
.LP
|
||||
When unbound receives an A/AAAA query that is not in the cache and finds a
|
||||
valid answer, it will withhold returning the answer and instead will generate
|
||||
an IPSECKEY subquery for the same domain name. If an answer was found, unbound
|
||||
will call an external hook passing the following arguments:
|
||||
.TP 10
|
||||
\h'5'\fIQNAME\fR
|
||||
Domain name of the A/AAAA and IPSECKEY query. In string format.
|
||||
.TP 10
|
||||
\h'5'\fIIPSECKEY TTL\fR
|
||||
TTL of the IPSECKEY RRset.
|
||||
.TP 10
|
||||
\h'5'\fIA/AAAA\fR
|
||||
String of space separated IP addresses present in the A/AAAA RRset. The IP
|
||||
addresses are in string format.
|
||||
.TP 10
|
||||
\h'5'\fIIPSECKEY\fR
|
||||
String of space separated IPSECKEY RDATA present in the IPSECKEY RRset. The
|
||||
IPSECKEY RDATA are in DNS presentation format.
|
||||
.LP
|
||||
The A/AAAA answer is then cached and returned to the client. If the external
|
||||
hook was called the TTL changes to ensure it doesn't surpass
|
||||
\fBipsecmod-max-ttl\fR.
|
||||
.LP
|
||||
The same procedure is also followed when \fBprefetch:\fR is used, but the
|
||||
A/AAAA answer is given to the client before the hook is called.
|
||||
\fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
|
||||
relevant for opportunistic IPsec.
|
||||
.TP
|
||||
.B ipsecmod-enabled: \fI<yes or no>\fR
|
||||
Specifies whether the IPsec module is enabled or not. The IPsec module still
|
||||
needs to be defined in the \fBmodule\-config:\fR directive. This option
|
||||
facilitates turning on/off the module without restarting/reloading unbound.
|
||||
Defaults to yes.
|
||||
.TP
|
||||
.B ipsecmod\-hook: \fI<filename>\fR
|
||||
Specifies the external hook that unbound will call with \fIsystem\fR(3). The
|
||||
file can be specified as an absolute/relative path. The file needs the proper
|
||||
permissions to be able to be executed by the same user that runs unbound. It
|
||||
must be present when the IPsec module is defined in the \fBmodule\-config:\fR
|
||||
directive.
|
||||
.TP
|
||||
.B ipsecmod-strict: \fI<yes or no>\fR
|
||||
If enabled unbound requires the external hook to return a success value of 0.
|
||||
Failing to do so unbound will reply with SERVFAIL. The A/AAAA answer will also
|
||||
not be cached. Defaults to no.
|
||||
.TP
|
||||
.B ipsecmod\-max-ttl: \fI<seconds>\fR
|
||||
Time to live maximum for A/AAAA cached records after calling the external hook.
|
||||
Defaults to 3600.
|
||||
.TP
|
||||
.B ipsecmod-ignore-bogus: \fI<yes or no>\fR
|
||||
Specifies the behaviour of unbound when the IPSECKEY answer is bogus. If set
|
||||
to yes, the hook will be called and the A/AAAA answer will be returned to the
|
||||
client. If set to no, the hook will not be called and the answer to the
|
||||
A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no.
|
||||
.TP
|
||||
.B ipsecmod\-whitelist: \fI<domain>\fR
|
||||
Whitelist the domain so that the module logic will be executed. Can
|
||||
be given multiple times, for different domains. If the option is not
|
||||
specified, all domains are treated as being whitelisted (default).
|
||||
.SH "MEMORY CONTROL EXAMPLE"
|
||||
In the example config settings below memory usage is reduced. Some service
|
||||
levels are lower, notable very large data and a high TCP load are no longer
|
||||
@ -1526,7 +1610,7 @@ supported. Very large data and high TCP loads are exceptional for the DNS.
|
||||
DNSSEC validation is enabled, just add trust anchors.
|
||||
If you do not have to worry about programs using more than 3 Mb of memory,
|
||||
the below example is not for you. Use the defaults to receive full service,
|
||||
which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
|
||||
which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
|
||||
.P
|
||||
.nf
|
||||
# example settings that reduce memory usage
|
||||
@ -1567,12 +1651,12 @@ unbound configuration file.
|
||||
default unbound pidfile with process ID of the running daemon.
|
||||
.TP
|
||||
.I unbound.log
|
||||
unbound log file. default is to log to
|
||||
\fIsyslog\fR(3).
|
||||
unbound log file. default is to log to
|
||||
\fIsyslog\fR(3).
|
||||
.SH "SEE ALSO"
|
||||
\fIunbound\fR(8),
|
||||
\fIunbound\fR(8),
|
||||
\fIunbound\-checkconf\fR(8).
|
||||
.SH "AUTHORS"
|
||||
.B Unbound
|
||||
.B Unbound
|
||||
was written by NLnet Labs. Please see CREDITS file
|
||||
in the distribution for further details.
|
||||
|
@ -302,6 +302,7 @@ static int
|
||||
getbit(const addrkey_t *addr, addrlen_t addrlen, addrlen_t n)
|
||||
{
|
||||
log_assert(addrlen > n);
|
||||
(void)addrlen;
|
||||
return (int)(addr[n/KEYWIDTH]>>((KEYWIDTH-1)-(n%KEYWIDTH))) & 1;
|
||||
}
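Review bot: The added `(void)addrlen;` keeps the parameter referenced, presumably for builds where `log_assert` expands to nothing, but in such a build no code checks `n < addrlen` before `addr[n/KEYWIDTH]` is read on the next line, so the bound becomes a caller contract rather than a runtime check. That is worth stating at the cast, e.g. `/* addrlen is only checked by log_assert(); callers must guarantee n < addrlen */`, so nobody later removes the assert thinking the cast covers it. `getbit` is fully visible in this hunk.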
|
||||
|
||||
|
@ -50,42 +50,44 @@
|
||||
#include "util/config_file.h"
|
||||
#include "util/net_help.h"
|
||||
#include "util/storage/dnstree.h"
|
||||
#include "sldns/str2wire.h"
|
||||
#include "util/data/dname.h"
|
||||
|
||||
struct ednssubnet_upstream*
|
||||
upstream_create(void)
|
||||
struct ecs_whitelist*
|
||||
ecs_whitelist_create(void)
|
||||
{
|
||||
struct ednssubnet_upstream* upstream =
|
||||
(struct ednssubnet_upstream*)calloc(1,
|
||||
sizeof(struct ednssubnet_upstream));
|
||||
if(!upstream)
|
||||
struct ecs_whitelist* whitelist =
|
||||
(struct ecs_whitelist*)calloc(1,
|
||||
sizeof(struct ecs_whitelist));
|
||||
if(!whitelist)
|
||||
return NULL;
|
||||
upstream->region = regional_create();
|
||||
if(!upstream->region) {
|
||||
upstream_delete(upstream);
|
||||
whitelist->region = regional_create();
|
||||
if(!whitelist->region) {
|
||||
ecs_whitelist_delete(whitelist);
|
||||
return NULL;
|
||||
}
|
||||
return upstream;
|
||||
return whitelist;
|
||||
}
|
||||
|
||||
void
|
||||
upstream_delete(struct ednssubnet_upstream* upstream)
|
||||
ecs_whitelist_delete(struct ecs_whitelist* whitelist)
|
||||
{
|
||||
if(!upstream)
|
||||
if(!whitelist)
|
||||
return;
|
||||
regional_destroy(upstream->region);
|
||||
free(upstream);
|
||||
regional_destroy(whitelist->region);
|
||||
free(whitelist);
|
||||
}
|
||||
|
||||
/** insert new address into upstream structure */
|
||||
/** insert new address into whitelist structure */
|
||||
static int
|
||||
upstream_insert(struct ednssubnet_upstream* upstream,
|
||||
upstream_insert(struct ecs_whitelist* whitelist,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen, int net)
|
||||
{
|
||||
struct addr_tree_node* node = (struct addr_tree_node*)regional_alloc(
|
||||
upstream->region, sizeof(*node));
|
||||
whitelist->region, sizeof(*node));
|
||||
if(!node)
|
||||
return 0;
|
||||
if(!addr_tree_insert(&upstream->tree, node, addr, addrlen, net)) {
|
||||
if(!addr_tree_insert(&whitelist->upstream, node, addr, addrlen, net)) {
|
||||
verbose(VERB_QUERY,
|
||||
"duplicate send-client-subnet address ignored.");
|
||||
}
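Review bot: `ecs_whitelist_create` calls `ecs_whitelist_delete` on the half-built object when `regional_create()` fails, which passes a NULL `region` to `regional_destroy`; that is only safe if `regional_destroy` tolerates NULL, which this hunk does not show, so either confirm it or guard the call with `if(whitelist->region) regional_destroy(whitelist->region);`. On style, the static helpers `upstream_insert`, `upstream_str_cfg` and `read_upstream` keep their old names while the type is now `ecs_whitelist` and the address tree is the field `whitelist->upstream`; renaming them to `ecs_whitelist_insert_addr` and friends would make the address-tree versus name-tree split readable to the next reader. The return statement of `upstream_insert` lies outside this hunk.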
|
||||
@ -94,7 +96,7 @@ upstream_insert(struct ednssubnet_upstream* upstream,
|
||||
|
||||
/** apply edns-subnet string */
|
||||
static int
|
||||
upstream_str_cfg(struct ednssubnet_upstream* upstream, const char* str)
|
||||
upstream_str_cfg(struct ecs_whitelist* whitelist, const char* str)
|
||||
{
|
||||
struct sockaddr_storage addr;
|
||||
int net;
|
||||
@ -104,7 +106,7 @@ upstream_str_cfg(struct ednssubnet_upstream* upstream, const char* str)
|
||||
log_err("cannot parse send-client-subnet netblock: %s", str);
|
||||
return 0;
|
||||
}
|
||||
if(!upstream_insert(upstream, &addr, addrlen, net)) {
|
||||
if(!upstream_insert(whitelist, &addr, addrlen, net)) {
|
||||
log_err("out of memory");
|
||||
return 0;
|
||||
}
|
||||
@ -113,41 +115,93 @@ upstream_str_cfg(struct ednssubnet_upstream* upstream, const char* str)
|
||||
|
||||
/** read client_subnet config */
|
||||
static int
|
||||
read_upstream(struct ednssubnet_upstream* upstream, struct config_file* cfg)
|
||||
read_upstream(struct ecs_whitelist* whitelist, struct config_file* cfg)
|
||||
{
|
||||
struct config_strlist* p;
|
||||
for(p = cfg->client_subnet; p; p = p->next) {
|
||||
log_assert(p->str);
|
||||
if(!upstream_str_cfg(upstream, p->str))
|
||||
if(!upstream_str_cfg(whitelist, p->str))
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int
|
||||
upstream_apply_cfg(struct ednssubnet_upstream* upstream,
|
||||
struct config_file* cfg)
|
||||
/** read client_subnet_zone config */
|
||||
static int
|
||||
read_names(struct ecs_whitelist* whitelist, struct config_file* cfg)
|
||||
{
|
||||
regional_free_all(upstream->region);
|
||||
addr_tree_init(&upstream->tree);
|
||||
if(!read_upstream(upstream, cfg))
|
||||
return 0;
|
||||
addr_tree_init_parents(&upstream->tree);
|
||||
/* parse names, report errors, insert into tree */
|
||||
struct config_strlist* p;
|
||||
struct name_tree_node* n;
|
||||
uint8_t* nm, *nmr;
|
||||
size_t nm_len;
|
||||
int nm_labs;
|
||||
|
||||
for(p = cfg->client_subnet_zone; p; p = p->next) {
|
||||
log_assert(p->str);
|
||||
nm = sldns_str2wire_dname(p->str, &nm_len);
|
||||
if(!nm) {
|
||||
log_err("cannot parse client-subnet-zone: %s", p->str);
|
||||
return 0;
|
||||
}
|
||||
nm_labs = dname_count_size_labels(nm, &nm_len);
|
||||
nmr = (uint8_t*)regional_alloc_init(whitelist->region, nm,
|
||||
nm_len);
|
||||
free(nm);
|
||||
if(!nmr) {
|
||||
log_err("out of memory");
|
||||
return 0;
|
||||
}
|
||||
n = (struct name_tree_node*)regional_alloc(whitelist->region,
|
||||
sizeof(*n));
|
||||
if(!n) {
|
||||
log_err("out of memory");
|
||||
return 0;
|
||||
}
|
||||
if(!name_tree_insert(&whitelist->dname, n, nmr, nm_len, nm_labs,
|
||||
LDNS_RR_CLASS_IN)) {
|
||||
verbose(VERB_QUERY, "ignoring duplicate "
|
||||
"client-subnet-zone: %s", p->str);
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int
|
||||
upstream_is_whitelisted(struct ednssubnet_upstream* upstream,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen)
|
||||
ecs_whitelist_apply_cfg(struct ecs_whitelist* whitelist,
|
||||
struct config_file* cfg)
|
||||
{
|
||||
return addr_tree_lookup(&upstream->tree, addr, addrlen) != NULL;
|
||||
regional_free_all(whitelist->region);
|
||||
addr_tree_init(&whitelist->upstream);
|
||||
name_tree_init(&whitelist->dname);
|
||||
if(!read_upstream(whitelist, cfg))
|
||||
return 0;
|
||||
if(!read_names(whitelist, cfg))
|
||||
return 0;
|
||||
addr_tree_init_parents(&whitelist->upstream);
|
||||
name_tree_init_parents(&whitelist->dname);
|
||||
return 1;
|
||||
}
|
||||
|
||||
int
|
||||
ecs_is_whitelisted(struct ecs_whitelist* whitelist,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* qname,
|
||||
size_t qname_len, uint16_t qclass)
|
||||
{
|
||||
int labs;
|
||||
if(addr_tree_lookup(&whitelist->upstream, addr, addrlen))
|
||||
return 1;
|
||||
/* Not in upstream whitelist, check dname whitelist. */
|
||||
labs = dname_count_labels(qname);
|
||||
return name_tree_lookup(&whitelist->dname, qname, qname_len, labs,
|
||||
qclass) != NULL;
|
||||
}
|
||||
|
||||
size_t
|
||||
upstream_get_mem(struct ednssubnet_upstream* upstream)
|
||||
ecs_whitelist_get_mem(struct ecs_whitelist* whitelist)
|
||||
{
|
||||
if(!upstream) return 0;
|
||||
return sizeof(*upstream) + regional_get_mem(upstream->region);
|
||||
if(!whitelist) return 0;
|
||||
return sizeof(*whitelist) + regional_get_mem(whitelist->region);
|
||||
}
|
||||
|
||||
#endif /* CLIENT_SUBNET */
|
||||
|
@ -36,8 +36,8 @@
|
||||
/**
|
||||
* \file
|
||||
*
|
||||
* Keep track of the white listed servers for subnet option. Based
|
||||
* on acl_list.c|h
|
||||
* Keep track of the white listed servers and domain names for subnet option.
|
||||
* Based on acl_list.c|h
|
||||
*/
|
||||
|
||||
#ifndef EDNSSUBNET_WHITELIST_H
|
||||
@ -48,9 +48,9 @@ struct config_file;
|
||||
struct regional;
|
||||
|
||||
/**
|
||||
* ednssubnet_upstream structure
|
||||
* ecs_whitelist structure
|
||||
*/
|
||||
struct ednssubnet_upstream {
|
||||
struct ecs_whitelist {
|
||||
/** regional for allocation */
|
||||
struct regional* region;
|
||||
/**
|
||||
@ -58,45 +58,54 @@ struct ednssubnet_upstream {
|
||||
* contents of type addr_tree_node. Each node is an address span
|
||||
* Unbound will append subnet option for.
|
||||
*/
|
||||
rbtree_type tree;
|
||||
rbtree_type upstream;
|
||||
/**
|
||||
* Tree of domain names for which Unbound will append an ECS option.
|
||||
* rbtree of struct name_tree_node.
|
||||
*/
|
||||
rbtree_type dname;
|
||||
};
|
||||
|
||||
/**
|
||||
* Create ednssubnet_upstream structure
|
||||
* Create ecs_whitelist structure
|
||||
* @return new structure or NULL on error.
|
||||
*/
|
||||
struct ednssubnet_upstream* upstream_create(void);
|
||||
struct ecs_whitelist* ecs_whitelist_create(void);
|
||||
|
||||
/**
|
||||
* Delete ednssubnet_upstream structure.
|
||||
* @param upstream: to delete.
|
||||
* Delete ecs_whitelist structure.
|
||||
* @param whitelist: to delete.
|
||||
*/
|
||||
void upstream_delete(struct ednssubnet_upstream* upstream);
|
||||
void ecs_whitelist_delete(struct ecs_whitelist* whitelist);
|
||||
|
||||
/**
|
||||
* Process ednssubnet_upstream config.
|
||||
* @param upstream: where to store.
|
||||
* Process ecs_whitelist config.
|
||||
* @param whitelist: where to store.
|
||||
* @param cfg: config options.
|
||||
* @return 0 on error.
|
||||
*/
|
||||
int upstream_apply_cfg(struct ednssubnet_upstream* upstream,
|
||||
int ecs_whitelist_apply_cfg(struct ecs_whitelist* whitelist,
|
||||
struct config_file* cfg);
|
||||
|
||||
/**
|
||||
* See if an address is whitelisted.
|
||||
* @param upstream: structure for address storage.
|
||||
* See if an address or domain is whitelisted.
|
||||
* @param whitelist: structure for address storage.
|
||||
* @param addr: address to check
|
||||
* @param addrlen: length of addr.
|
||||
* @param qname: dname in query
|
||||
* @param qname_len: length of dname
|
||||
* @param qclass: class in query
|
||||
* @return: true if the address is whitelisted for subnet option.
|
||||
*/
|
||||
int upstream_is_whitelisted(struct ednssubnet_upstream* upstream,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen);
|
||||
int ecs_is_whitelisted(struct ecs_whitelist* whitelist,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* qname,
|
||||
size_t qname_len, uint16_t qclass);
|
||||
|
||||
/**
|
||||
* Get memory used by ednssubnet_upstream structure.
|
||||
* @param upstream: structure for address storage.
|
||||
* Get memory used by ecs_whitelist structure.
|
||||
* @param whitelist: structure for address storage.
|
||||
* @return bytes in use.
|
||||
*/
|
||||
size_t upstream_get_mem(struct ednssubnet_upstream* upstream);
|
||||
size_t ecs_whitelist_get_mem(struct ecs_whitelist* whitelist);
|
||||
|
||||
#endif /* EDNSSUBNET_WHITELIST_H */
|
||||
|
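Review bot: The doc comment on the new ecs_is_whitelisted prototype still describes an address-only check: `@param whitelist: structure for address storage.` and `@return: true if the address is whitelisted for subnet option.`, while the signature now also takes qname/qname_len/qclass and the implementation in subnet-whitelist.c (earlier in this commit) falls back to the dname tree. Suggest `* @param whitelist: structure holding the address and domain-name whitelists.` and `* @return: true if the address or the query name is whitelisted for subnet option.`. The same stale "address storage" wording remains on ecs_whitelist_get_mem's `@param whitelist`, and the `whitelist` field comment in subnetmod.h (`/** access control, which upstream servers we send client address */`) likewise no longer mentions the domain-name tree.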
@ -135,7 +135,7 @@ ecs_opt_list_append(struct ecs_data* ecs, struct edns_option** list,
|
||||
}
|
||||
}
|
||||
|
||||
int ecs_whitelist_check(struct query_info* ATTR_UNUSED(qinfo),
|
||||
int ecs_whitelist_check(struct query_info* qinfo,
|
||||
uint16_t ATTR_UNUSED(flags), struct module_qstate* qstate,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen,
|
||||
uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen),
|
||||
@ -154,8 +154,9 @@ int ecs_whitelist_check(struct query_info* ATTR_UNUSED(qinfo),
|
||||
|
||||
if(sq->ecs_server_out.subnet_validdata && ((sq->subnet_downstream &&
|
||||
qstate->env->cfg->client_subnet_always_forward) ||
|
||||
upstream_is_whitelisted(sn_env->edns_subnet_upstreams,
|
||||
addr, addrlen))) {
|
||||
ecs_is_whitelisted(sn_env->whitelist,
|
||||
addr, addrlen, qinfo->qname, qinfo->qname_len,
|
||||
qinfo->qclass))) {
|
||||
/* Address on whitelist or client query contains ECS option, we
|
||||
* want to sent out ECS. Only add option if it is not already
|
||||
* set. */
|
||||
@ -199,9 +200,9 @@ subnetmod_init(struct module_env *env, int id)
|
||||
return 0;
|
||||
}
|
||||
/* whitelist for edns subnet capable servers */
|
||||
sn_env->edns_subnet_upstreams = upstream_create();
|
||||
if(!sn_env->edns_subnet_upstreams ||
|
||||
!upstream_apply_cfg(sn_env->edns_subnet_upstreams, env->cfg)) {
|
||||
sn_env->whitelist = ecs_whitelist_create();
|
||||
if(!sn_env->whitelist ||
|
||||
!ecs_whitelist_apply_cfg(sn_env->whitelist, env->cfg)) {
|
||||
log_err("subnet: could not create ECS whitelist");
|
||||
slabhash_delete(sn_env->subnet_msg_cache);
|
||||
free(sn_env);
|
||||
@ -217,7 +218,7 @@ subnetmod_init(struct module_env *env, int id)
|
||||
env->cfg->client_subnet_always_forward /* bypass cache */,
|
||||
0 /* no aggregation */, env)) {
|
||||
log_err("subnet: could not register opcode");
|
||||
upstream_delete(sn_env->edns_subnet_upstreams);
|
||||
ecs_whitelist_delete(sn_env->whitelist);
|
||||
slabhash_delete(sn_env->subnet_msg_cache);
|
||||
free(sn_env);
|
||||
env->modinfo[id] = NULL;
|
||||
@ -243,7 +244,8 @@ subnetmod_deinit(struct module_env *env, int id)
|
||||
lock_rw_destroy(&sn_env->biglock);
|
||||
inplace_cb_delete(env, inplace_cb_edns_back_parsed, id);
|
||||
inplace_cb_delete(env, inplace_cb_query, id);
|
||||
upstream_delete(sn_env->edns_subnet_upstreams);
|
||||
inplace_cb_delete(env, inplace_cb_query_response, id);
|
||||
ecs_whitelist_delete(sn_env->whitelist);
|
||||
slabhash_delete(sn_env->subnet_msg_cache);
|
||||
alloc_clear(&sn_env->alloc);
|
||||
free(sn_env);
|
||||
@ -781,7 +783,7 @@ subnetmod_get_mem(struct module_env *env, int id)
|
||||
if (!sn_env) return 0;
|
||||
return sizeof(*sn_env) +
|
||||
slabhash_get_mem(sn_env->subnet_msg_cache) +
|
||||
upstream_get_mem(sn_env->edns_subnet_upstreams);
|
||||
ecs_whitelist_get_mem(sn_env->whitelist);
|
||||
}
|
||||
|
||||
/**
|
||||
|
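Review bot: In subnetmod_init the failure branch after `ecs_whitelist_apply_cfg` frees `sn_env` and the message cache but not the whitelist that `ecs_whitelist_create` just allocated, so a configuration error such as an unparsable client-subnet-zone leaks it; add `ecs_whitelist_delete(sn_env->whitelist);` before the `slabhash_delete` call, matching what the opcode-registration failure branch further down already does. If ecs_whitelist_delete tolerates a NULL argument (its body is not in this diff) the one line covers both failure causes; otherwise guard it on `sn_env->whitelist`. Separately, ecs_whitelist_check drops ATTR_UNUSED from `qinfo` and now dereferences `qinfo->qname`, so any caller that passed NULL for an unused qinfo would crash here — worth confirming against the inplace callback call sites, which are outside this diff. subnetmod_init begins and ends outside the shown hunks.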
@ -57,7 +57,7 @@ struct subnet_env {
|
||||
* data: struct subnet_msg_cache_data* */
|
||||
struct slabhash* subnet_msg_cache;
|
||||
/** access control, which upstream servers we send client address */
|
||||
struct ednssubnet_upstream* edns_subnet_upstreams;
|
||||
struct ecs_whitelist* whitelist;
|
||||
/** allocation service */
|
||||
struct alloc_cache alloc;
|
||||
lock_rw_type biglock;
|
||||
|
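--- a/contrib/unbound/ipsecmod/ipsecmod-whitelist.c
+++ b/contrib/unbound/ipsecmod/ipsecmod-whitelist.c
@@ -0,0 +1,158 @@
+/*
+* ipsecmod/ipsecmod-whitelist.h - White listed domains for the ipsecmod to
+* operate on.
+*
+* Copyright (c) 2017, NLnet Labs. All rights reserved.
+*
+* This software is open source.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* Redistributions of source code must retain the above copyright notice,
+* this list of conditions and the following disclaimer.
+*
+* Redistributions in binary form must reproduce the above copyright notice,
+* this list of conditions and the following disclaimer in the documentation
+* and/or other materials provided with the distribution.
+*
+* Neither the name of the NLNET LABS nor the names of its contributors may
+* be used to endorse or promote products derived from this software without
+* specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+/**
+* \file
+*
+* Keep track of the white listed domains for ipsecmod.
+*/
+
+#include "config.h"
+
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#include "ipsecmod/ipsecmod-whitelist.h"
+#include "util/regional.h"
+#include "util/log.h"
+#include "util/config_file.h"
+#include "util/rbtree.h"
+#include "util/data/dname.h"
+#include "util/storage/dnstree.h"
+#include "sldns/str2wire.h"
+
+/** Apply ipsecmod-whitelist string. */
+static int
+whitelist_str_cfg(rbtree_type* whitelist, const char* name)
+{
+struct name_tree_node* n;
+size_t len;
+uint8_t* nm = sldns_str2wire_dname(name, &len);
+if(!nm) {
+log_err("ipsecmod: could not parse %s for whitelist.", name);
+return 0;
+}
+n = (struct name_tree_node*)calloc(1, sizeof(*n));
+if(!n) {
+log_err("ipsecmod: out of memory while creating whitelist.");
+free(nm);
+return 0;
+}
+n->node.key = n;
+n->name = nm;
+n->len = len;
+n->labs = dname_count_labels(nm);
+n->dclass = LDNS_RR_CLASS_IN;
+if(!name_tree_insert(whitelist, n, nm, len, n->labs, n->dclass)) {
+/* duplicate element ignored, idempotent */
+free(n->name);
+free(n);
+}
+return 1;
+}
+
+/** Read ipsecmod-whitelist config. */
+static int
+read_whitelist(rbtree_type* whitelist, struct config_file* cfg)
+{
+struct config_strlist* p;
+for(p = cfg->ipsecmod_whitelist; p; p = p->next) {
+log_assert(p->str);
+if(!whitelist_str_cfg(whitelist, p->str))
+return 0;
+}
+return 1;
+}
+
+int
+ipsecmod_whitelist_apply_cfg(struct ipsecmod_env* ie,
+struct config_file* cfg)
+{
+ie->whitelist = rbtree_create(name_tree_compare);
+if(!read_whitelist(ie->whitelist, cfg))
+return 0;
+name_tree_init_parents(ie->whitelist);
+return 1;
+}
+
+/** Delete ipsecmod_env->whitelist element. */
+static void
+whitelist_free(struct rbnode_type* n, void* ATTR_UNUSED(d))
+{
+if(n) {
+free(((struct name_tree_node*)n)->name);
+free(n);
+}
+}
+
+/** Get memory usage of ipsecmod_env->whitelist element. */
+static void
+whitelist_get_mem(struct rbnode_type* n, void* arg)
+{
+struct name_tree_node* node = (struct name_tree_node*)n;
+size_t* size = (size_t*) arg;
+if(node) {
+*size += sizeof(node) + node->len;
+}
+}
+
+void
+ipsecmod_whitelist_delete(rbtree_type* whitelist)
+{
+if(whitelist) {
+traverse_postorder(whitelist, whitelist_free, NULL);
+free(whitelist);
+}
+}
+
+int
+ipsecmod_domain_is_whitelisted(struct ipsecmod_env* ie, uint8_t* dname,
+size_t dname_len, uint16_t qclass)
+{
+if(!ie->whitelist) return 1; /* No whitelist, treat as whitelisted. */
+return name_tree_lookup(ie->whitelist, dname, dname_len,
+dname_count_labels(dname), qclass) != NULL;
+}
+
+size_t
+ipsecmod_whitelist_get_mem(rbtree_type* whitelist)
+{
+size_t size = 0;
+if(whitelist) {
+traverse_postorder(whitelist, whitelist_get_mem, &size);
+}
+return size;
+}
+
+#endif /* USE_IPSECMOD */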
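Review bot: `whitelist_get_mem` accumulates `sizeof(node)`, which is the size of the pointer rather than of the `struct name_tree_node` it points to, so ipsecmod_whitelist_get_mem under-reports every entry; it should read `*size += sizeof(*node) + node->len;`. In `ipsecmod_whitelist_apply_cfg` the result of `rbtree_create` is handed to read_whitelist without a NULL check, so if rbtree_create can fail on allocation (its body is not in this diff) the first name_tree_insert dereferences NULL instead of taking the clean `return 0` path that whitelist_str_cfg's own `if(!n)` branch models; `if(!ie->whitelist) return 0;` right after the create covers it. The same function also overwrites `ie->whitelist` unconditionally, so a second call would leak the previous tree — either document it as single-shot or call ipsecmod_whitelist_delete on the old value first.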
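--- a/contrib/unbound/ipsecmod/ipsecmod-whitelist.h
+++ b/contrib/unbound/ipsecmod/ipsecmod-whitelist.h
@@ -0,0 +1,82 @@
+/*
+* ipsecmod/ipsecmod-whitelist.h - White listed domains for the ipsecmod to
+* operate on.
+*
+* Copyright (c) 2017, NLnet Labs. All rights reserved.
+*
+* This software is open source.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* Redistributions of source code must retain the above copyright notice,
+* this list of conditions and the following disclaimer.
+*
+* Redistributions in binary form must reproduce the above copyright notice,
+* this list of conditions and the following disclaimer in the documentation
+* and/or other materials provided with the distribution.
+*
+* Neither the name of the NLNET LABS nor the names of its contributors may
+* be used to endorse or promote products derived from this software without
+* specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+/**
+* \file
+*
+* Keep track of the white listed domains for ipsecmod.
+*/
+
+#ifndef IPSECMOD_WHITELIST_H
+#define IPSECMOD_WHITELIST_H
+#include "util/storage/dnstree.h"
+
+struct config_file;
+struct regional;
+
+/**
+* Process ipsecmod_whitelist config.
+* @param ie: ipsecmod environment.
+* @param cfg: config options.
+* @return 0 on error.
+*/
+int ipsecmod_whitelist_apply_cfg(struct ipsecmod_env* ie,
+struct config_file* cfg);
+
+/**
+* Delete the ipsecmod whitelist.
+* @param whitelist: ipsecmod whitelist.
+*/
+void ipsecmod_whitelist_delete(rbtree_type* whitelist);
+
+/**
+* See if a domain is whitelisted.
+* @param ie: ipsecmod environment.
+* @param dname: domain name to check.
+* @param dname_len: length of domain name.
+* @param qclass: query CLASS.
+* @return: true if the domain is whitelisted for the ipsecmod.
+*/
+int ipsecmod_domain_is_whitelisted(struct ipsecmod_env* ie, uint8_t* dname,
+size_t dname_len, uint16_t qclass);
+
+/**
+* Get memory used by ipsecmod whitelist.
+* @param whitelist: structure for domain storage.
+* @return bytes in use.
+*/
+size_t ipsecmod_whitelist_get_mem(rbtree_type* whitelist);
+
+#endif /* IPSECMOD_WHITELIST_H */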
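Review bot: The comment on `ipsecmod_domain_is_whitelisted` says `@return: true if the domain is whitelisted for the ipsecmod.`, but the implementation in ipsecmod-whitelist.c (earlier in this commit) returns 1 whenever `ie->whitelist` is NULL, i.e. with no ipsecmod-whitelist configured every domain qualifies; that fall-open default is the kind of thing an operator reads the header for, so suggest `* @return: true if the domain is whitelisted, or if no whitelist is configured (every domain then qualifies).` The header also forward-declares `struct regional;`, which nothing in it uses, while `struct ipsecmod_env` appears in two prototypes without a forward declaration, so the header only compiles after ipsecmod.h has been included; adding `struct ipsecmod_env;` beside `struct config_file;` would make it self-contained.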
515
contrib/unbound/ipsecmod/ipsecmod.c
Normal file
@ -0,0 +1,515 @@
|
||||
/*
|
||||
* ipsecmod/ipsecmod.c - facilitate opportunistic IPsec module
|
||||
*
|
||||
* Copyright (c) 2017, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
||||
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
||||
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/**
|
||||
* \file
|
||||
*
|
||||
* This file contains a module that facilitates opportunistic IPsec. It does so
|
||||
* by also quering for the IPSECKEY for A/AAAA queries and calling a
|
||||
* configurable hook (eg. signaling an IKE daemon) before replying.
|
||||
*/
|
||||
|
||||
#include "config.h"
|
||||
#ifdef USE_IPSECMOD
|
||||
#include "ipsecmod/ipsecmod.h"
|
||||
#include "ipsecmod/ipsecmod-whitelist.h"
|
||||
#include "util/fptr_wlist.h"
|
||||
#include "util/regional.h"
|
||||
#include "util/net_help.h"
|
||||
#include "util/config_file.h"
|
||||
#include "services/cache/dns.h"
|
||||
#include "sldns/wire2str.h"
|
||||
|
||||
/** Apply configuration to ipsecmod module 'global' state. */
|
||||
static int
|
||||
ipsecmod_apply_cfg(struct ipsecmod_env* ipsecmod_env, struct config_file* cfg)
|
||||
{
|
||||
if(!cfg->ipsecmod_hook || (cfg->ipsecmod_hook && !cfg->ipsecmod_hook[0])) {
|
||||
log_err("ipsecmod: missing ipsecmod-hook.");
|
||||
return 0;
|
||||
}
|
||||
if(cfg->ipsecmod_whitelist &&
|
||||
!ipsecmod_whitelist_apply_cfg(ipsecmod_env, cfg))
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int
|
||||
ipsecmod_init(struct module_env* env, int id)
|
||||
{
|
||||
struct ipsecmod_env* ipsecmod_env = (struct ipsecmod_env*)calloc(1,
|
||||
sizeof(struct ipsecmod_env));
|
||||
if(!ipsecmod_env) {
|
||||
log_err("malloc failure");
|
||||
return 0;
|
||||
}
|
||||
env->modinfo[id] = (void*)ipsecmod_env;
|
||||
ipsecmod_env->whitelist = NULL;
|
||||
if(!ipsecmod_apply_cfg(ipsecmod_env, env->cfg)) {
|
||||
log_err("ipsecmod: could not apply configuration settings.");
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
void
|
||||
ipsecmod_deinit(struct module_env* env, int id)
|
||||
{
|
||||
struct ipsecmod_env* ipsecmod_env;
|
||||
if(!env || !env->modinfo[id])
|
||||
return;
|
||||
ipsecmod_env = (struct ipsecmod_env*)env->modinfo[id];
|
||||
/* Free contents. */
|
||||
ipsecmod_whitelist_delete(ipsecmod_env->whitelist);
|
||||
free(ipsecmod_env);
|
||||
env->modinfo[id] = NULL;
|
||||
}
|
||||
|
||||
/** New query for ipsecmod. */
|
||||
static int
|
||||
ipsecmod_new(struct module_qstate* qstate, int id)
|
||||
{
|
||||
struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc(
|
||||
qstate->region, sizeof(struct ipsecmod_qstate));
|
||||
memset(iq, 0, sizeof(*iq));
|
||||
qstate->minfo[id] = iq;
|
||||
if(!iq)
|
||||
return 0;
|
||||
/* Initialise it. */
|
||||
iq->enabled = qstate->env->cfg->ipsecmod_enabled;
|
||||
iq->is_whitelisted = ipsecmod_domain_is_whitelisted(
|
||||
(struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname,
|
||||
qstate->qinfo.qname_len, qstate->qinfo.qclass);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Exit module with an error status.
|
||||
* @param qstate: query state
|
||||
* @param id: module id.
|
||||
*/
|
||||
static void
|
||||
ipsecmod_error(struct module_qstate* qstate, int id)
|
||||
{
|
||||
qstate->ext_state[id] = module_error;
|
||||
qstate->return_rcode = LDNS_RCODE_SERVFAIL;
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate a request for the IPSECKEY.
|
||||
*
|
||||
* @param qstate: query state that is the parent.
|
||||
* @param id: module id.
|
||||
* @param name: what name to query for.
|
||||
* @param namelen: length of name.
|
||||
* @param qtype: query type.
|
||||
* @param qclass: query class.
|
||||
* @param flags: additional flags, such as the CD bit (BIT_CD), or 0.
|
||||
* @return false on alloc failure.
|
||||
*/
|
||||
static int
|
||||
generate_request(struct module_qstate* qstate, int id, uint8_t* name,
|
||||
size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags)
|
||||
{
|
||||
struct module_qstate* newq;
|
||||
struct query_info ask;
|
||||
ask.qname = name;
|
||||
ask.qname_len = namelen;
|
||||
ask.qtype = qtype;
|
||||
ask.qclass = qclass;
|
||||
ask.local_alias = NULL;
|
||||
log_query_info(VERB_ALGO, "ipsecmod: generate request", &ask);
|
||||
fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
|
||||
if(!(*qstate->env->attach_sub)(qstate, &ask,
|
||||
(uint16_t)(BIT_RD|flags), 0, 0, &newq)){
|
||||
log_err("Could not generate request: out of memory");
|
||||
return 0;
|
||||
}
|
||||
qstate->ext_state[id] = module_wait_subquery;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Prepare the data and call the hook.
|
||||
*
|
||||
* @param qstate: query state.
|
||||
* @param iq: ipsecmod qstate.
|
||||
* @param ie: ipsecmod environment.
|
||||
* @return true on success, false otherwise.
|
||||
*/
|
||||
static int
|
||||
call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
|
||||
struct ipsecmod_env* ATTR_UNUSED(ie))
|
||||
{
|
||||
size_t slen, tempdata_len, tempstring_len, i;
|
||||
char str[65535], *s, *tempstring;
|
||||
int w;
|
||||
struct ub_packed_rrset_key* rrset_key;
|
||||
struct packed_rrset_data* rrset_data;
|
||||
uint8_t *tempdata;
|
||||
|
||||
/* Check if a shell is available */
|
||||
if(system(NULL) == 0) {
|
||||
log_err("ipsecmod: no shell available for ipsecmod-hook");
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Zero the buffer. */
|
||||
s = str;
|
||||
slen = sizeof(str);
|
||||
memset(s, 0, slen);
|
||||
|
||||
/* Copy the hook into the buffer. */
|
||||
sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
|
||||
/* Put space into the buffer. */
|
||||
sldns_str_print(&s, &slen, " ");
|
||||
/* Copy the qname into the buffer. */
|
||||
tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
|
||||
qstate->qinfo.qname_len);
|
||||
if(!tempstring) {
|
||||
log_err("ipsecmod: out of memory when calling the hook");
|
||||
return 0;
|
||||
}
|
||||
sldns_str_print(&s, &slen, "\"%s\"", tempstring);
|
||||
free(tempstring);
|
||||
/* Put space into the buffer. */
|
||||
sldns_str_print(&s, &slen, " ");
|
||||
/* Copy the IPSECKEY TTL into the buffer. */
|
||||
rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
|
||||
sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
|
||||
/* Put space into the buffer. */
|
||||
sldns_str_print(&s, &slen, " ");
|
||||
/* Copy the A/AAAA record(s) into the buffer. Start and end this section
|
||||
* with a double quote. */
|
||||
rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
|
||||
qstate->return_msg->rep);
|
||||
rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
|
||||
sldns_str_print(&s, &slen, "\"");
|
||||
for(i=0; i<rrset_data->count; i++) {
|
||||
if(i > 0) {
|
||||
/* Put space into the buffer. */
|
||||
sldns_str_print(&s, &slen, " ");
|
||||
}
|
||||
/* Ignore the first two bytes, they are the rr_data len. */
|
||||
w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
|
||||
rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
|
||||
if(w < 0) {
|
||||
/* Error in printout. */
|
||||
return -1;
|
||||
} else if((size_t)w >= slen) {
|
||||
s = NULL; /* We do not want str to point outside of buffer. */
|
||||
slen = 0;
|
||||
return -1;
|
||||
} else {
|
||||
s += w;
|
||||
slen -= w;
|
||||
}
|
||||
}
|
||||
sldns_str_print(&s, &slen, "\"");
|
||||
/* Put space into the buffer. */
|
||||
sldns_str_print(&s, &slen, " ");
|
||||
/* Copy the IPSECKEY record(s) into the buffer. Start and end this section
|
||||
* with a double quote. */
|
||||
sldns_str_print(&s, &slen, "\"");
|
||||
rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
|
||||
for(i=0; i<rrset_data->count; i++) {
|
||||
if(i > 0) {
|
||||
/* Put space into the buffer. */
|
||||
sldns_str_print(&s, &slen, " ");
|
||||
}
|
||||
/* Ignore the first two bytes, they are the rr_data len. */
|
||||
tempdata = rrset_data->rr_data[i] + 2;
|
||||
tempdata_len = rrset_data->rr_len[i] - 2;
|
||||
/* Save the buffer pointers. */
|
||||
tempstring = s; tempstring_len = slen;
|
||||
w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
|
||||
NULL, 0);
|
||||
/* There was an error when parsing the IPSECKEY; reset the buffer
|
||||
* pointers to their previous values. */
|
||||
if(w == -1){
|
||||
s = tempstring; slen = tempstring_len;
|
||||
}
|
||||
}
|
||||
sldns_str_print(&s, &slen, "\"");
|
||||
verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
|
||||
/* ipsecmod-hook should return 0 on success. */
|
||||
if(system(str) != 0)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Handle an ipsecmod module event with a query
|
||||
* @param qstate: query state (from the mesh), passed between modules.
|
||||
* contains qstate->env module environment with global caches and so on.
|
||||
* @param iq: query state specific for this module. per-query.
|
||||
* @param ie: environment specific for this module. global.
|
||||
* @param id: module id.
|
||||
*/
|
||||
static void
|
||||
ipsecmod_handle_query(struct module_qstate* qstate,
|
||||
struct ipsecmod_qstate* iq, struct ipsecmod_env* ie, int id)
|
||||
{
|
||||
struct ub_packed_rrset_key* rrset_key;
|
||||
struct packed_rrset_data* rrset_data;
|
||||
size_t i;
|
||||
/* Pass to next module if we are not enabled and whitelisted. */
|
||||
if(!(iq->enabled && iq->is_whitelisted)) {
|
||||
qstate->ext_state[id] = module_wait_module;
|
||||
return;
|
||||
}
|
||||
/* New query, check if the query is for an A/AAAA record and disable
|
||||
* caching for other modules. */
|
||||
if(!iq->ipseckey_done) {
|
||||
if(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
|
||||
qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
|
||||
char type[16];
|
||||
sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
|
||||
sizeof(type));
|
||||
verbose(VERB_ALGO, "ipsecmod: query for %s; engaging",
|
||||
type);
|
||||
qstate->no_cache_store = 1;
|
||||
}
|
||||
/* Pass request to next module. */
|
||||
qstate->ext_state[id] = module_wait_module;
|
||||
return;
|
||||
}
|
||||
/* IPSECKEY subquery is finished. */
|
||||
/* We have an IPSECKEY answer. */
|
||||
if(iq->ipseckey_rrset) {
|
||||
rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
|
||||
if(rrset_data) {
|
||||
/* If bogus return SERVFAIL. */
|
||||
if(!qstate->env->cfg->ipsecmod_ignore_bogus &&
|
||||
rrset_data->security == sec_status_bogus) {
|
||||
log_err("ipsecmod: bogus IPSECKEY");
|
||||
ipsecmod_error(qstate, id);
|
||||
return;
|
||||
}
|
||||
/* We have a valid IPSECKEY reply, call hook. */
|
||||
if(!call_hook(qstate, iq, ie) &&
|
||||
qstate->env->cfg->ipsecmod_strict) {
|
||||
log_err("ipsecmod: ipsecmod-hook failed");
|
||||
ipsecmod_error(qstate, id);
|
||||
return;
|
||||
}
|
||||
/* Make sure the A/AAAA's TTL is equal/less than the
|
||||
* ipsecmod_max_ttl. */
|
||||
rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
|
||||
qstate->return_msg->rep);
|
||||
rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
|
||||
if(rrset_data->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
|
||||
/* Update TTL for rrset to fixed value. */
|
||||
rrset_data->ttl = qstate->env->cfg->ipsecmod_max_ttl;
|
||||
for(i=0; i<rrset_data->count+rrset_data->rrsig_count; i++)
|
||||
rrset_data->rr_ttl[i] = qstate->env->cfg->ipsecmod_max_ttl;
|
||||
/* Also update reply_info's TTL */
|
||||
if(qstate->return_msg->rep->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
|
||||
qstate->return_msg->rep->ttl =
|
||||
qstate->env->cfg->ipsecmod_max_ttl;
|
||||
qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(
|
||||
qstate->return_msg->rep->ttl);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
/* Store A/AAAA in cache. */
|
||||
if(!dns_cache_store(qstate->env, &qstate->qinfo,
|
||||
qstate->return_msg->rep, 0, qstate->prefetch_leeway,
|
||||
0, qstate->region, qstate->query_flags)) {
|
||||
log_err("ipsecmod: out of memory caching record");
|
||||
}
|
||||
qstate->ext_state[id] = module_finished;
|
||||
}
|
||||
|
||||
/**
|
||||
* Handle an ipsecmod module event with a response from the iterator.
|
||||
* @param qstate: query state (from the mesh), passed between modules.
|
||||
* contains qstate->env module environment with global caches and so on.
|
||||
* @param iq: query state specific for this module. per-query.
|
||||
* @param ie: environment specific for this module. global.
|
||||
* @param id: module id.
|
||||
*/
|
||||
static void
|
||||
ipsecmod_handle_response(struct module_qstate* qstate,
|
||||
struct ipsecmod_qstate* ATTR_UNUSED(iq),
|
||||
struct ipsecmod_env* ATTR_UNUSED(ie), int id)
|
||||
{
|
||||
/* Pass to previous module if we are not enabled and whitelisted. */
|
||||
if(!(iq->enabled && iq->is_whitelisted)) {
|
||||
qstate->ext_state[id] = module_finished;
|
||||
return;
|
||||
}
|
||||
/* check if the response is for an A/AAAA query. */
|
||||
if((qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
|
||||
qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) &&
|
||||
/* check that we had an answer for the A/AAAA query. */
|
||||
qstate->return_msg &&
|
||||
reply_find_answer_rrset(&qstate->return_msg->qinfo,
|
||||
qstate->return_msg->rep) &&
|
||||
/* check that another module didn't SERVFAIL. */
|
||||
qstate->return_rcode == LDNS_RCODE_NOERROR) {
|
||||
char type[16];
|
||||
sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
|
||||
sizeof(type));
|
||||
verbose(VERB_ALGO, "ipsecmod: response for %s; generating IPSECKEY "
|
||||
"subquery", type);
|
||||
/* generate an IPSECKEY query. */
|
||||
if(!generate_request(qstate, id, qstate->qinfo.qname,
|
||||
qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY,
|
||||
qstate->qinfo.qclass, 0)) {
|
||||
log_err("ipsecmod: could not generate subquery.");
|
||||
ipsecmod_error(qstate, id);
|
||||
}
|
||||
return;
|
||||
}
|
||||
/* we are done with the query. */
|
||||
qstate->ext_state[id] = module_finished;
|
||||
}
|
||||
|
||||
void
|
||||
ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
|
||||
struct outbound_entry* outbound)
|
||||
{
|
||||
struct ipsecmod_env* ie = (struct ipsecmod_env*)qstate->env->modinfo[id];
|
||||
struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)qstate->minfo[id];
|
||||
verbose(VERB_QUERY, "ipsecmod[module %d] operate: extstate:%s event:%s",
|
||||
id, strextstate(qstate->ext_state[id]), strmodulevent(event));
|
||||
if(iq) log_query_info(VERB_QUERY, "ipsecmod operate: query",
|
||||
&qstate->qinfo);
|
||||
|
||||
/* create ipsecmod_qstate. */
|
||||
if((event == module_event_new || event == module_event_pass) &&
|
||||
iq == NULL) {
|
||||
if(!ipsecmod_new(qstate, id)) {
|
||||
ipsecmod_error(qstate, id);
|
||||
return;
|
||||
}
|
||||
iq = (struct ipsecmod_qstate*)qstate->minfo[id];
|
||||
}
|
||||
if(iq && (event == module_event_pass || event == module_event_new)) {
|
||||
ipsecmod_handle_query(qstate, iq, ie, id);
|
||||
return;
|
||||
}
|
||||
if(iq && (event == module_event_moddone)) {
|
||||
ipsecmod_handle_response(qstate, iq, ie, id);
|
||||
return;
|
||||
}
|
||||
if(iq && outbound) {
|
||||
/* cachedb does not need to process responses at this time
|
||||
* ignore it.
|
||||
cachedb_process_response(qstate, iq, ie, id, outbound, event);
|
||||
*/
|
||||
return;
|
||||
}
|
||||
if(event == module_event_error) {
|
||||
verbose(VERB_ALGO, "got called with event error, giving up");
|
||||
ipsecmod_error(qstate, id);
|
||||
return;
|
||||
}
|
||||
if(!iq && (event == module_event_moddone)) {
|
||||
/* during priming, module done but we never started. */
|
||||
qstate->ext_state[id] = module_finished;
|
||||
return;
|
||||
}
|
||||
|
||||
log_err("ipsecmod: bad event %s", strmodulevent(event));
|
||||
ipsecmod_error(qstate, id);
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
ipsecmod_inform_super(struct module_qstate* qstate, int id,
|
||||
struct module_qstate* super)
|
||||
{
|
||||
struct ipsecmod_qstate* siq;
|
||||
log_query_info(VERB_ALGO, "ipsecmod: inform_super, sub is",
|
||||
&qstate->qinfo);
|
||||
log_query_info(VERB_ALGO, "super is", &super->qinfo);
|
||||
siq = (struct ipsecmod_qstate*)super->minfo[id];
|
||||
if(!siq) {
|
||||
verbose(VERB_ALGO, "super has no ipsecmod state");
|
||||
return;
|
||||
}
|
||||
|
||||
if(qstate->return_msg) {
|
||||
struct ub_packed_rrset_key* rrset_key = reply_find_answer_rrset(
|
||||
&qstate->return_msg->qinfo, qstate->return_msg->rep);
|
||||
if(rrset_key) {
|
||||
/* We have an answer. */
|
||||
/* Copy to super's region. */
|
||||
rrset_key = packed_rrset_copy_region(rrset_key, super->region, 0);
|
||||
siq->ipseckey_rrset = rrset_key;
|
||||
if(!rrset_key) {
|
||||
log_err("ipsecmod: out of memory.");
|
||||
}
|
||||
}
|
||||
}
|
||||
/* Notify super to proceed. */
|
||||
siq->ipseckey_done = 1;
|
||||
}
|
||||
|
||||
void
|
||||
ipsecmod_clear(struct module_qstate* qstate, int id)
|
||||
{
|
||||
if(!qstate)
|
||||
return;
|
||||
qstate->minfo[id] = NULL;
|
||||
}
|
||||
|
||||
size_t
|
||||
ipsecmod_get_mem(struct module_env* env, int id)
|
||||
{
|
||||
struct ipsecmod_env* ie = (struct ipsecmod_env*)env->modinfo[id];
|
||||
if(!ie)
|
||||
return 0;
|
||||
return sizeof(*ie) + ipsecmod_whitelist_get_mem(ie->whitelist);
|
||||
}
|
||||
|
||||
/**
|
||||
* The ipsecmod function block
|
||||
*/
|
||||
static struct module_func_block ipsecmod_block = {
|
||||
"ipsecmod",
|
||||
&ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate,
|
||||
&ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem
|
||||
};
|
||||
|
||||
struct module_func_block*
|
||||
ipsecmod_get_funcblock(void)
|
||||
{
|
||||
return &ipsecmod_block;
|
||||
}
|
||||
#endif /* USE_IPSECMOD */
|
97
contrib/unbound/ipsecmod/ipsecmod.h
Normal file
@ -0,0 +1,97 @@
|
||||
/*
|
||||
* ipsecmod/ipsecmod.h - facilitate opportunistic IPsec module
|
||||
*
|
||||
* Copyright (c) 2017, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
||||
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
||||
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/**
|
||||
* \file
|
||||
*
|
||||
* This file contains a module that facilitates opportunistic IPsec. It does so
|
||||
* by also quering for the IPSECKEY for A/AAAA queries and calling a
|
||||
* configurable hook (eg. signaling an IKE daemon) before replying.
|
||||
*/
|
||||
|
||||
#ifndef IPSECMOD_H
|
||||
#define IPSECMOD_H
|
||||
#include "util/module.h"
|
||||
#include "util/rbtree.h"
|
||||
|
||||
/**
|
||||
* The global variable environment contents for the ipsecmod
|
||||
* Shared between threads, this represents long term information.
|
||||
*/
|
||||
struct ipsecmod_env {
|
||||
/** White listed domains for ipsecmod. */
|
||||
rbtree_type* whitelist;
|
||||
};
|
||||
|
||||
/**
|
||||
* Per query state for the ipsecmod module.
|
||||
*/
|
||||
struct ipsecmod_qstate {
|
||||
/** State of the IPsec module. */
|
||||
/** NOTE: This value is copied here from the configuration so that a change
|
||||
* with unbound-control would not complicate an already running mesh. */
|
||||
int enabled;
|
||||
/** If the qname is whitelisted or not. */
|
||||
/** NOTE: No whitelist means all qnames are whitelisted. */
|
||||
int is_whitelisted;
|
||||
/** Pointer to IPSECKEY rrset allocated in the qstate region. NULL if there
|
||||
* was no IPSECKEY reply from the subquery. */
|
||||
struct ub_packed_rrset_key* ipseckey_rrset;
|
||||
/** If the IPSECKEY subquery has finished. */
|
||||
int ipseckey_done;
|
||||
};
|
||||
|
||||
/** Init the ipsecmod module */
|
||||
int ipsecmod_init(struct module_env* env, int id);
|
||||
/** Deinit the ipsecmod module */
|
||||
void ipsecmod_deinit(struct module_env* env, int id);
|
||||
/** Operate on an event on a query (in qstate). */
|
||||
void ipsecmod_operate(struct module_qstate* qstate, enum module_ev event,
|
||||
int id, struct outbound_entry* outbound);
|
||||
/** Subordinate query done, inform this super request of its conclusion */
|
||||
void ipsecmod_inform_super(struct module_qstate* qstate, int id,
|
||||
struct module_qstate* super);
|
||||
/** clear the ipsecmod query-specific contents out of qstate */
|
||||
void ipsecmod_clear(struct module_qstate* qstate, int id);
|
||||
/** return memory estimate for the ipsecmod module */
|
||||
size_t ipsecmod_get_mem(struct module_env* env, int id);
|
||||
|
||||
/**
|
||||
* Get the function block with pointers to the ipsecmod functions
|
||||
* @return the function block for "ipsecmod".
|
||||
*/
|
||||
struct module_func_block* ipsecmod_get_funcblock(void);
|
||||
|
||||
#endif /* IPSECMOD_H */
|
@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
|
||||
}
|
||||
if(do_ip6) {
|
||||
if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
|
||||
if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:84::b")) goto failed;
|
||||
if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
|
||||
if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
|
||||
if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
|
||||
if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
|
||||
|
@ -288,6 +288,22 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
|
||||
return error_response(qstate, id, rcode);
|
||||
/* if that fails (not in cache), fall through to store err */
|
||||
}
|
||||
if(qstate->env->cfg->serve_expired) {
|
||||
/* if serving expired contents, and such content is
|
||||
* already available, don't overwrite this servfail */
|
||||
struct msgreply_entry* msg;
|
||||
if((msg=msg_cache_lookup(qstate->env,
|
||||
qstate->qinfo.qname, qstate->qinfo.qname_len,
|
||||
qstate->qinfo.qtype, qstate->qinfo.qclass,
|
||||
qstate->query_flags, 0, 0))
|
||||
!= NULL) {
|
||||
lock_rw_unlock(&msg->entry.lock);
|
||||
return error_response(qstate, id, rcode);
|
||||
}
|
||||
/* serving expired contents, but nothing is cached
|
||||
* at all, so the servfail cache entry is useful
|
||||
* (stops waste of time on this servfail NORR_TTL) */
|
||||
}
|
||||
memset(&err, 0, sizeof(err));
|
||||
err.flags = (uint16_t)(BIT_QR | BIT_RA);
|
||||
FLAGS_SET_RCODE(err.flags, rcode);
|
||||
@ -509,6 +525,33 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** see if last resort is possible - does config allow queries to parent */
|
||||
static int
|
||||
can_have_last_resort(struct module_env* env, uint8_t* nm, size_t nmlen,
|
||||
uint16_t qclass)
|
||||
{
|
||||
struct delegpt* fwddp;
|
||||
struct iter_hints_stub* stub;
|
||||
int labs = dname_count_labels(nm);
|
||||
/* do not process a last resort (the parent side) if a stub
|
||||
* or forward is configured, because we do not want to go 'above'
|
||||
* the configured servers */
|
||||
if(!dname_is_root(nm) && (stub = (struct iter_hints_stub*)
|
||||
name_tree_find(&env->hints->tree, nm, nmlen, labs, qclass)) &&
|
||||
/* has_parent side is turned off for stub_first, where we
|
||||
* are allowed to go to the parent */
|
||||
stub->dp->has_parent_side_NS) {
|
||||
return 0;
|
||||
}
|
||||
if((fwddp = forwards_find(env->fwds, nm, qclass)) &&
|
||||
/* has_parent_side is turned off for forward_first, where
|
||||
* we are allowed to go to the parent */
|
||||
fwddp->has_parent_side_NS) {
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** see if target name is caps-for-id whitelisted */
|
||||
static int
|
||||
is_caps_whitelisted(struct iter_env* ie, struct iter_qstate* iq)
|
||||
@ -853,6 +896,9 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
|
||||
|
||||
if(iq->depth == ie->max_dependency_depth)
|
||||
return;
|
||||
if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen,
|
||||
iq->qchase.qclass))
|
||||
return;
|
||||
/* is this query the same as the nscheck? */
|
||||
if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS &&
|
||||
query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&
|
||||
@ -1025,6 +1071,20 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
return next_state(iq, COLLECT_CLASS_STATE);
|
||||
}
|
||||
|
||||
/*
|
||||
* If we are restricted by a forward-zone or a stub-zone, we
|
||||
* can't re-fetch glue for this delegation point.
|
||||
* we won’t try to re-fetch glue if the iq->dp is null.
|
||||
*/
|
||||
if (iq->refetch_glue &&
|
||||
iq->dp &&
|
||||
!can_have_last_resort(qstate->env,
|
||||
iq->dp->name,
|
||||
iq->dp->namelen,
|
||||
iq->qchase.qclass)) {
|
||||
iq->refetch_glue = 0;
|
||||
}
|
||||
|
||||
/* Resolver Algorithm Step 1 -- Look for the answer in local data. */
|
||||
|
||||
/* This either results in a query restart (CNAME cache response), a
|
||||
@ -1558,35 +1618,6 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** see if last resort is possible - does config allow queries to parent */
|
||||
static int
|
||||
can_have_last_resort(struct module_env* env, struct delegpt* dp,
|
||||
struct iter_qstate* iq)
|
||||
{
|
||||
struct delegpt* fwddp;
|
||||
struct iter_hints_stub* stub;
|
||||
/* do not process a last resort (the parent side) if a stub
|
||||
* or forward is configured, because we do not want to go 'above'
|
||||
* the configured servers */
|
||||
if(!dname_is_root(dp->name) && (stub = (struct iter_hints_stub*)
|
||||
name_tree_find(&env->hints->tree, dp->name, dp->namelen,
|
||||
dp->namelabs, iq->qchase.qclass)) &&
|
||||
/* has_parent side is turned off for stub_first, where we
|
||||
* are allowed to go to the parent */
|
||||
stub->dp->has_parent_side_NS) {
|
||||
verbose(VERB_QUERY, "configured stub servers failed -- returning SERVFAIL");
|
||||
return 0;
|
||||
}
|
||||
if((fwddp = forwards_find(env->fwds, dp->name, iq->qchase.qclass)) &&
|
||||
/* has_parent_side is turned off for forward_first, where
|
||||
* we are allowed to go to the parent */
|
||||
fwddp->has_parent_side_NS) {
|
||||
verbose(VERB_QUERY, "configured forward servers failed -- returning SERVFAIL");
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Called by processQueryTargets when it would like extra targets to query
|
||||
* but it seems to be out of options. At last resort some less appealing
|
||||
@ -1608,9 +1639,11 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
verbose(VERB_ALGO, "No more query targets, attempting last resort");
|
||||
log_assert(iq->dp);
|
||||
|
||||
if(!can_have_last_resort(qstate->env, iq->dp, iq)) {
|
||||
if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen,
|
||||
iq->qchase.qclass)) {
|
||||
/* fail -- no more targets, no more hope of targets, no hope
|
||||
* of a response. */
|
||||
verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
|
||||
return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
|
||||
}
|
||||
if(!iq->dp->has_parent_side_NS && dname_is_root(iq->dp->name)) {
|
||||
@ -1695,6 +1728,19 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
/* see if we can issue queries to get nameserver addresses */
|
||||
/* this lookup is not randomized, but sequential. */
|
||||
for(ns = iq->dp->nslist; ns; ns = ns->next) {
|
||||
/* if this nameserver is at a delegation point, but that
|
||||
* delegation point is a stub and we cannot go higher, skip*/
|
||||
if( ((ie->supports_ipv6 && !ns->done_pside6) ||
|
||||
(ie->supports_ipv4 && !ns->done_pside4)) &&
|
||||
!can_have_last_resort(qstate->env, ns->name, ns->namelen,
|
||||
iq->qchase.qclass)) {
|
||||
log_nametypeclass(VERB_ALGO, "cannot pside lookup ns "
|
||||
"because it is also a stub/forward,",
|
||||
ns->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
|
||||
if(ie->supports_ipv6) ns->done_pside6 = 1;
|
||||
if(ie->supports_ipv4) ns->done_pside4 = 1;
|
||||
continue;
|
||||
}
|
||||
/* query for parent-side A and AAAA for nameservers */
|
||||
if(ie->supports_ipv6 && !ns->done_pside6) {
|
||||
/* Send the AAAA request. */
|
||||
|
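Review bot: The relocated `can_have_last_resort` keeps its one-line header `/** see if last resort is possible - does config allow queries to parent */` although its signature changed from taking a `struct delegpt*` to `(env, nm, nmlen, qclass)` and it is now called from generate_ns_check, processInitRequest and twice from processLastResort; a Doxygen block naming `nm` as the uncompressed name to test, `nmlen` its length, `qclass` the class used for the stub and forward lookups, and `@return 0` when a stub or forward with `has_parent_side_NS` covers the name would spare the next reader tracing each caller. In the `serve_expired` branch of `error_response_cache`, the trailing `0, 0` arguments to `msg_cache_lookup` presumably mean "any age" and "read lock" — if so, a comment such as `/* now=0: also match expired entries; wr=0: read lock, released below */` would make the intent explicit. The enclosing functions of these hunks begin outside the visible lines.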
@ -601,6 +601,167 @@ int ub_ctx_data_remove(struct ub_ctx* ctx, const char *data);
|
||||
*/
|
||||
const char* ub_version(void);
|
||||
|
||||
/**
|
||||
* Some global statistics that are not in struct stats_info,
|
||||
* this struct is shared on a shm segment (shm-key in unbound.conf)
|
||||
*/
|
||||
struct ub_shm_stat_info {
|
||||
int num_threads;
|
||||
|
||||
struct {
|
||||
long long now_sec, now_usec;
|
||||
long long up_sec, up_usec;
|
||||
long long elapsed_sec, elapsed_usec;
|
||||
} time;
|
||||
|
||||
struct {
|
||||
long long msg;
|
||||
long long rrset;
|
||||
long long val;
|
||||
long long iter;
|
||||
long long subnet;
|
||||
long long ipsecmod;
|
||||
long long respip;
|
||||
} mem;
|
||||
};
|
||||
|
||||
/** number of qtype that is stored for in array */
|
||||
#define UB_STATS_QTYPE_NUM 256
|
||||
/** number of qclass that is stored for in array */
|
||||
#define UB_STATS_QCLASS_NUM 256
|
||||
/** number of rcodes in stats */
|
||||
#define UB_STATS_RCODE_NUM 16
|
||||
/** number of opcodes in stats */
|
||||
#define UB_STATS_OPCODE_NUM 16
|
||||
/** number of histogram buckets */
|
||||
#define UB_STATS_BUCKET_NUM 40
|
||||
|
||||
/** per worker statistics. */
|
||||
struct ub_server_stats {
|
||||
/** number of queries from clients received. */
|
||||
long long num_queries;
|
||||
/** number of queries that have been dropped/ratelimited by ip. */
|
||||
long long num_queries_ip_ratelimited;
|
||||
/** number of queries that had a cache-miss. */
|
||||
long long num_queries_missed_cache;
|
||||
/** number of prefetch queries - cachehits with prefetch */
|
||||
long long num_queries_prefetch;
|
||||
|
||||
/**
|
||||
* Sum of the querylistsize of the worker for
|
||||
* every query that missed cache. To calculate average.
|
||||
*/
|
||||
long long sum_query_list_size;
|
||||
/** max value of query list size reached. */
|
||||
long long max_query_list_size;
|
||||
|
||||
/** Extended stats below (bool) */
|
||||
int extended;
|
||||
|
||||
/** qtype stats */
|
||||
long long qtype[UB_STATS_QTYPE_NUM];
|
||||
/** bigger qtype values not in array */
|
||||
long long qtype_big;
|
||||
/** qclass stats */
|
||||
long long qclass[UB_STATS_QCLASS_NUM];
|
||||
/** bigger qclass values not in array */
|
||||
long long qclass_big;
|
||||
/** query opcodes */
|
||||
long long qopcode[UB_STATS_OPCODE_NUM];
|
||||
/** number of queries over TCP */
|
||||
long long qtcp;
|
||||
/** number of outgoing queries over TCP */
|
||||
long long qtcp_outgoing;
|
||||
/** number of queries over IPv6 */
|
||||
long long qipv6;
|
||||
/** number of queries with QR bit */
|
||||
long long qbit_QR;
|
||||
/** number of queries with AA bit */
|
||||
long long qbit_AA;
|
||||
/** number of queries with TC bit */
|
||||
long long qbit_TC;
|
||||
/** number of queries with RD bit */
|
||||
long long qbit_RD;
|
||||
/** number of queries with RA bit */
|
||||
long long qbit_RA;
|
||||
/** number of queries with Z bit */
|
||||
long long qbit_Z;
|
||||
/** number of queries with AD bit */
|
||||
long long qbit_AD;
|
||||
/** number of queries with CD bit */
|
||||
long long qbit_CD;
|
||||
/** number of queries with EDNS OPT record */
|
||||
long long qEDNS;
|
||||
/** number of queries with EDNS with DO flag */
|
||||
long long qEDNS_DO;
|
||||
/** answer rcodes */
|
||||
long long ans_rcode[UB_STATS_RCODE_NUM];
|
||||
/** answers with pseudo rcode 'nodata' */
|
||||
long long ans_rcode_nodata;
|
||||
/** answers that were secure (AD) */
|
||||
long long ans_secure;
|
||||
/** answers that were bogus (withheld as SERVFAIL) */
|
||||
long long ans_bogus;
|
||||
/** rrsets marked bogus by validator */
|
||||
long long rrset_bogus;
|
||||
/** unwanted traffic received on server-facing ports */
|
||||
long long unwanted_replies;
|
||||
/** unwanted traffic received on client-facing ports */
|
||||
long long unwanted_queries;
|
||||
/** usage of tcp accept list */
|
||||
long long tcp_accept_usage;
|
||||
/** answers served from expired cache */
|
||||
long long zero_ttl_responses;
|
||||
/** histogram data exported to array
|
||||
* if the array is the same size, no data is lost, and
|
||||
* if all histograms are same size (is so by default) then
|
||||
* adding up works well. */
|
||||
long long hist[UB_STATS_BUCKET_NUM];
|
||||
|
||||
/** number of message cache entries */
|
||||
long long msg_cache_count;
|
||||
/** number of rrset cache entries */
|
||||
long long rrset_cache_count;
|
||||
/** number of infra cache entries */
|
||||
long long infra_cache_count;
|
||||
/** number of key cache entries */
|
||||
long long key_cache_count;
|
||||
|
||||
/** number of queries that used dnscrypt */
|
||||
long long num_query_dnscrypt_crypted;
|
||||
/** number of queries that queried dnscrypt certificates */
|
||||
long long num_query_dnscrypt_cert;
|
||||
/** number of queries in clear text and not asking for the certificates */
|
||||
long long num_query_dnscrypt_cleartext;
|
||||
/** number of malformed encrypted queries */
|
||||
long long num_query_dnscrypt_crypted_malformed;
|
||||
};
|
||||
|
||||
/**
|
||||
* Statistics to send over the control pipe when asked
|
||||
* This struct is made to be memcpied, sent in binary.
|
||||
* shm mapped with (number+1) at num_threads+1, with first as total
|
||||
*/
|
||||
struct ub_stats_info {
|
||||
/** the thread stats */
|
||||
struct ub_server_stats svr;
|
||||
|
||||
/** mesh stats: current number of states */
|
||||
long long mesh_num_states;
|
||||
/** mesh stats: current number of reply (user) states */
|
||||
long long mesh_num_reply_states;
|
||||
/** mesh stats: number of reply states overwritten with a new one */
|
||||
long long mesh_jostled;
|
||||
/** mesh stats: number of incoming queries dropped */
|
||||
long long mesh_dropped;
|
||||
/** mesh stats: replies sent */
|
||||
long long mesh_replies_sent;
|
||||
/** mesh stats: sum of waiting times for the replies */
|
||||
long long mesh_replies_sum_wait_sec, mesh_replies_sum_wait_usec;
|
||||
/** mesh stats: median of waiting times for replies (in sec) */
|
||||
double mesh_time_median;
|
||||
};
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
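Review bot: `struct ub_shm_stat_info`, `struct ub_server_stats` and `struct ub_stats_info` are now part of the public libunbound header, and their own comments say they are memcpied over the control pipe and mapped from a shm segment, which turns field order, field widths and the `UB_STATS_*` array sizes into a binary contract between unbound and any external reader; a comment on each struct such as `/* Binary layout is shared via shm and the control pipe: append new fields at the end, never reorder or resize existing ones. */` would record that before a future change breaks a consumer silently. The remark `shm mapped with (number+1) at num_threads+1` on `ub_stats_info` implies a reader indexes the segment by a `num_threads` value written by another process; it is worth stating that readers should check that value against the attached segment's size before indexing. The new `ipsecmod` and `respip` members of the `mem` sub-struct inherit no description at all, unlike the fields of `ub_server_stats`.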
@ -261,6 +261,7 @@ respip_enter_rr(struct regional* region, struct resp_addr* raddr,
|
||||
log_err("bad response-ip-data: %s", rrstr);
|
||||
return 0;
|
||||
}
|
||||
free(nm);
|
||||
sa = (struct sockaddr*)&raddr->node.addr;
|
||||
if (rrtype == LDNS_RR_TYPE_CNAME && raddr->data) {
|
||||
log_err("CNAME response-ip data (%s) can not co-exist with other "
|
||||
|
2369
contrib/unbound/services/authzone.c
Normal file
File diff suppressed because it is too large
209
contrib/unbound/services/authzone.h
Normal file
@ -0,0 +1,209 @@
|
||||
/*
|
||||
* services/authzone.h - authoritative zone that is locally hosted.
|
||||
*
|
||||
* Copyright (c) 2017, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
||||
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
||||
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/**
|
||||
* \file
|
||||
*
|
||||
* This file contains the functions for an authority zone. This zone
|
||||
* is queried by the iterator, just like a stub or forward zone, but then
|
||||
* the data is locally held.
|
||||
*/
|
||||
|
||||
#ifndef SERVICES_AUTHZONE_H
|
||||
#define SERVICES_AUTHZONE_H
|
||||
#include "util/rbtree.h"
|
||||
#include "util/locks.h"
|
||||
struct ub_packed_rrset_key;
|
||||
struct regional;
|
||||
struct config_file;
|
||||
struct query_info;
|
||||
struct dns_msg;
|
||||
|
||||
/**
|
||||
* Authoritative zones, shared.
|
||||
*/
|
||||
struct auth_zones {
|
||||
/** lock on the authzone tree */
|
||||
lock_rw_type lock;
|
||||
/** rbtree of struct auth_zone */
|
||||
rbtree_type ztree;
|
||||
};
|
||||
|
||||
/**
|
||||
* Auth zone. Authoritative data, that is fetched from instead of sending
|
||||
* packets to the internet.
|
||||
*/
|
||||
struct auth_zone {
|
||||
/** rbtree node, key is name and class */
|
||||
rbnode_type node;
|
||||
|
||||
/** zone name, in uncompressed wireformat */
|
||||
uint8_t* name;
|
||||
/** length of zone name */
|
||||
size_t namelen;
|
||||
/** number of labels in zone name */
|
||||
int namelabs;
|
||||
/** the class of this zone, in host byteorder.
|
||||
* uses 'dclass' to not conflict with c++ keyword class. */
|
||||
uint16_t dclass;
|
||||
|
||||
/** lock on the data in the structure
|
||||
* For the node, parent, name, namelen, namelabs, dclass, you
|
||||
* need to also hold the zones_tree lock to change them (or to
|
||||
* delete this zone) */
|
||||
lock_rw_type lock;
|
||||
|
||||
/** auth data for this zone
|
||||
* rbtree of struct auth_data */
|
||||
rbtree_type data;
|
||||
|
||||
/* zonefile name (or NULL for no zonefile) */
|
||||
char* zonefile;
|
||||
/* fallback to the internet on failure or ttl-expiry of auth zone */
|
||||
int fallback_enabled;
|
||||
};
|
||||
|
||||
/**
|
||||
* Auth data. One domain name, and the RRs to go with it.
|
||||
*/
|
||||
struct auth_data {
|
||||
/** rbtree node, key is name only */
|
||||
rbnode_type node;
|
||||
/** domain name */
|
||||
uint8_t* name;
|
||||
/** length of name */
|
||||
size_t namelen;
|
||||
/** number of labels in name */
|
||||
int namelabs;
|
||||
/** the data rrsets, with different types, linked list.
|
||||
* if the list if NULL the node would be an empty non-terminal,
|
||||
* but in this data structure such nodes that represent an empty
|
||||
* non-terminal are not needed; they just don't exist.
|
||||
*/
|
||||
struct auth_rrset* rrsets;
|
||||
};
|
||||
|
||||
/**
|
||||
* A auth data RRset
|
||||
*/
|
||||
struct auth_rrset {
|
||||
/** next in list */
|
||||
struct auth_rrset* next;
|
||||
/** RR type in host byteorder */
|
||||
uint16_t type;
|
||||
/** RRset data item */
|
||||
struct packed_rrset_data* data;
|
||||
};
|
||||
|
||||
/**
|
||||
* Create auth zones structure
|
||||
*/
|
||||
struct auth_zones* auth_zones_create(void);
|
||||
|
||||
/**
|
||||
* Apply configuration to auth zones. Reads zonefiles.
|
||||
*/
|
||||
int auth_zones_apply_config(struct auth_zones* az, struct config_file* cfg);
|
||||
|
||||
/**
|
||||
* Delete auth zones structure
|
||||
*/
|
||||
void auth_zones_delete(struct auth_zones* az);
|
||||
|
||||
/**
|
||||
* Write auth zone data to file, in zonefile format.
|
||||
*/
|
||||
int auth_zone_write_file(struct auth_zone* z, const char* fname);
|
||||
|
||||
/**
|
||||
* Use auth zones to lookup the answer to a query.
|
||||
* The query is from the iterator. And the auth zones attempts to provide
|
||||
* the answer instead of going to the internet.
|
||||
*
|
||||
* @param az: auth zones structure.
|
||||
* @param qinfo: query info to lookup.
|
||||
* @param region: region to use to allocate the reply in.
|
||||
* @param msg: reply is stored here (if one).
|
||||
* @param fallback: if true, fallback to making a query to the internet.
|
||||
* @param dp_nm: name of delegation point to look for. This zone is used
|
||||
* to answer the query.
|
||||
* If the dp_nm is not found, fallback is set to true and false returned.
|
||||
* @param dp_nmlen: length of dp_nm.
|
||||
* @return 0: failure (an error of some sort, like servfail).
|
||||
* if 0 and fallback is true, fallback to the internet.
|
||||
* if 0 and fallback is false, like getting servfail.
|
||||
* If true, an answer is available.
|
||||
*/
|
||||
int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo,
|
||||
struct regional* region, struct dns_msg** msg, int* fallback,
|
||||
uint8_t* dp_nm, size_t dp_nmlen);
|
||||
|
||||
/**
|
||||
* Find the auth zone that is above the given qname.
|
||||
* Return NULL when there is no auth_zone above the give name, otherwise
|
||||
* returns the closest auth_zone above the qname that pertains to it.
|
||||
* @param az: auth zones structure.
|
||||
* @param qinfo: query info to lookup.
|
||||
* @return NULL or auth_zone that pertains to the query.
|
||||
*/
|
||||
struct auth_zone* auth_zones_find_zone(struct auth_zones* az,
|
||||
struct query_info* qinfo);
|
||||
|
||||
/** find an auth zone by name (exact match by name or NULL returned) */
|
||||
struct auth_zone* auth_zone_find(struct auth_zones* az, uint8_t* nm,
|
||||
size_t nmlen, uint16_t dclass);
|
||||
|
||||
/** create an auth zone. returns wrlocked zone. caller must have wrlock
|
||||
* on az. returns NULL on malloc failure */
|
||||
struct auth_zone* auth_zone_create(struct auth_zones* az, uint8_t* nm,
|
||||
size_t nmlen, uint16_t dclass);
|
||||
|
||||
/** set auth zone zonefile string. caller must have lock on zone */
|
||||
int auth_zone_set_zonefile(struct auth_zone* z, char* zonefile);
|
||||
|
||||
/** set auth zone fallback. caller must have lock on zone.
|
||||
* fallbackstr is "yes" or "no". false on parse failure. */
|
||||
int auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr);
|
||||
|
||||
/** read auth zone from zonefile. caller must lock zone. false on failure */
|
||||
int auth_zone_read_zonefile(struct auth_zone* z);
|
||||
|
||||
/** compare auth_zones for sorted rbtree */
|
||||
int auth_zone_cmp(const void* z1, const void* z2);
|
||||
|
||||
/** compare auth_data for sorted rbtree */
|
||||
int auth_data_cmp(const void* z1, const void* z2);
|
||||
|
||||
#endif /* SERVICES_AUTHZONE_H */
|
17
contrib/unbound/services/cache/dns.c
@ -41,6 +41,7 @@
|
||||
#include "config.h"
|
||||
#include "iterator/iter_delegpt.h"
|
||||
#include "validator/val_nsec.h"
|
||||
#include "validator/val_utils.h"
|
||||
#include "services/cache/dns.h"
|
||||
#include "services/cache/rrset.h"
|
||||
#include "util/data/msgreply.h"
|
||||
@ -182,7 +183,7 @@ addr_to_additional(struct ub_packed_rrset_key* rrset, struct regional* region,
|
||||
}
|
||||
|
||||
/** lookup message in message cache */
|
||||
static struct msgreply_entry*
|
||||
struct msgreply_entry*
|
||||
msg_cache_lookup(struct module_env* env, uint8_t* qname, size_t qnamelen,
|
||||
uint16_t qtype, uint16_t qclass, uint16_t flags, time_t now, int wr)
|
||||
{
|
||||
@ -755,10 +756,16 @@ dns_cache_lookup(struct module_env* env,
|
||||
if( qtype != LDNS_RR_TYPE_DS &&
|
||||
(rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen,
|
||||
LDNS_RR_TYPE_CNAME, qclass, 0, now, 0))) {
|
||||
struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
|
||||
if(msg) {
|
||||
lock_rw_unlock(&rrset->entry.lock);
|
||||
return msg;
|
||||
uint8_t* wc = NULL;
|
||||
/* if the rrset is not a wildcard expansion, with wcname */
|
||||
/* because, if we return that CNAME rrset on its own, it is
|
||||
* missing the NSEC or NSEC3 proof */
|
||||
if(!(val_rrset_wildcard(rrset, &wc) && wc != NULL)) {
|
||||
struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
|
||||
if(msg) {
|
||||
lock_rw_unlock(&rrset->entry.lock);
|
||||
return msg;
|
||||
}
|
||||
}
|
||||
lock_rw_unlock(&rrset->entry.lock);
|
||||
}
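Review bot: The comment introducing the new wildcard test, `/* if the rrset is not a wildcard expansion, with wcname */`, does not say what the test is protecting, and the two comment lines read as one broken sentence. The code releases the rrset lock on both the answered and the skipped path, so the only thing a reader needs is the reason for skipping; suggest replacing the three comment lines with `/* a cached CNAME that came from a wildcard expansion cannot be served on its own: the answer would lack the NSEC/NSEC3 proof of the wildcard, so fall through to a full lookup */`. The enclosing function dns_cache_lookup continues outside the hunk.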
|
||||
|
6
contrib/unbound/services/cache/dns.h
@ -208,4 +208,10 @@ int dns_msg_authadd(struct dns_msg* msg, struct regional* region,
|
||||
int dns_cache_prefetch_adjust(struct module_env* env, struct query_info* qinfo,
|
||||
time_t adjust, uint16_t flags);
|
||||
|
||||
/** lookup message in message cache
|
||||
* the returned nonNULL entry is locked and has to be unlocked by the caller */
|
||||
struct msgreply_entry* msg_cache_lookup(struct module_env* env,
|
||||
uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass,
|
||||
uint16_t flags, time_t now, int wr);
|
||||
|
||||
#endif /* SERVICES_CACHE_DNS_H */
|
||||
|
4
contrib/unbound/services/cache/infra.c
@ -893,6 +893,8 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
|
||||
|
||||
/* find ratelimit */
|
||||
lim = infra_find_ratelimit(infra, name, namelen);
|
||||
if(!lim)
|
||||
return 1; /* disabled for this domain */
|
||||
|
||||
/* find or insert ratedata */
|
||||
entry = infra_find_ratedata(infra, name, namelen, 1);
|
||||
@ -941,6 +943,8 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
|
||||
|
||||
/* find ratelimit */
|
||||
lim = infra_find_ratelimit(infra, name, namelen);
|
||||
if(!lim)
|
||||
return 0; /* disabled for this domain */
|
||||
|
||||
/* find current rate */
|
||||
entry = infra_find_ratedata(infra, name, namelen, 0);
|
||||
|
2
contrib/unbound/services/cache/infra.h
@ -401,7 +401,7 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
|
||||
/** find the maximum rate stored, not too old. 0 if no information. */
|
||||
int infra_rate_max(void* data, time_t now);
|
||||
|
||||
/** find the ratelimit in qps for a domain */
|
||||
/** find the ratelimit in qps for a domain. 0 if no limit for domain. */
|
||||
int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
|
||||
size_t namelen);
|
||||
|
||||
|
@ -1223,15 +1223,15 @@ listen_create(struct comm_base* base, struct listen_port* ports,
|
||||
ports->ftype == listen_type_tcp_dnscrypt ||
|
||||
ports->ftype == listen_type_udpancil_dnscrypt) {
|
||||
cp->dnscrypt = 1;
|
||||
cp->dnscrypt_buffer = sldns_buffer_new(bufsize);
|
||||
if(!cp->dnscrypt_buffer) {
|
||||
log_err("can't alloc dnscrypt_buffer");
|
||||
comm_point_delete(cp);
|
||||
listen_delete(front);
|
||||
return NULL;
|
||||
}
|
||||
front->dnscrypt_udp_buff = cp->dnscrypt_buffer;
|
||||
}
|
||||
cp->dnscrypt_buffer = sldns_buffer_new(bufsize);
|
||||
if(!cp->dnscrypt_buffer) {
|
||||
log_err("can't alloc dnscrypt_buffer");
|
||||
comm_point_delete(cp);
|
||||
listen_delete(front);
|
||||
return NULL;
|
||||
}
|
||||
front->dnscrypt_udp_buff = cp->dnscrypt_buffer;
|
||||
}
|
||||
#endif
|
||||
if(!listen_cp_insert(cp, front)) {
|
||||
log_err("malloc failed");
|
||||
@ -1269,10 +1269,10 @@ listen_delete(struct listen_dnsport* front)
|
||||
return;
|
||||
listen_list_delete(front->cps);
|
||||
#ifdef USE_DNSCRYPT
|
||||
if(front->dnscrypt_udp_buff &&
|
||||
front->udp_buff != front->dnscrypt_udp_buff) {
|
||||
sldns_buffer_free(front->dnscrypt_udp_buff);
|
||||
}
|
||||
if(front->dnscrypt_udp_buff &&
|
||||
front->udp_buff != front->dnscrypt_udp_buff) {
|
||||
sldns_buffer_free(front->dnscrypt_udp_buff);
|
||||
}
|
||||
#endif
|
||||
sldns_buffer_free(front->udp_buff);
|
||||
free(front);
|
||||
|
@ -187,7 +187,9 @@ lz_enter_zone_dname(struct local_zones* zones, uint8_t* nm, size_t len,
|
||||
lock_rw_wrlock(&z->lock);
|
||||
if(!rbtree_insert(&zones->ztree, &z->node)) {
|
||||
struct local_zone* oldz;
|
||||
log_warn("duplicate local-zone");
|
||||
char str[256];
|
||||
dname_str(nm, str);
|
||||
log_warn("duplicate local-zone %s", str);
|
||||
lock_rw_unlock(&z->lock);
|
||||
/* save zone name locally before deallocation,
|
||||
* otherwise, nm is gone if we zone_delete now. */
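Review bot: The new `char str[256]; dname_str(nm, str);` relies on dname_str bounding its own output, since nm is a wire-format name that can be up to 255 octets and its text form can be longer than the octet count once escaping is applied; dname_str is outside the hunk, so whether it truncates to fit a 256-byte buffer cannot be confirmed here. Suggest a comment on the declaration that names the dependency, `char str[256]; /* dname_str() truncates to fit a 256-byte text buffer */`, or sizing the buffer with whatever maximum dname_str documents. The enclosing function lz_enter_zone_dname continues outside the hunk.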
|
||||
@ -744,12 +746,15 @@ add_as112_default(struct local_zones* zones, struct config_file* cfg,
|
||||
}
|
||||
|
||||
/** enter default zones */
|
||||
static int
|
||||
lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
|
||||
int local_zone_enter_defaults(struct local_zones* zones, struct config_file* cfg)
|
||||
{
|
||||
struct local_zone* z;
|
||||
const char** zstr;
|
||||
|
||||
/* Do not add any default */
|
||||
if(cfg->local_zones_disable_default)
|
||||
return 1;
|
||||
|
||||
/* this list of zones is from RFC 6303 and RFC 7686 */
|
||||
|
||||
/* block localhost level zones first, then onion and later the LAN zones */
|
||||
@ -1019,7 +1024,7 @@ local_zones_apply_cfg(struct local_zones* zones, struct config_file* cfg)
|
||||
return 0;
|
||||
}
|
||||
/* apply default zones+content (unless disabled, or overridden) */
|
||||
if(!lz_enter_defaults(zones, cfg)) {
|
||||
if(!local_zone_enter_defaults(zones, cfg)) {
|
||||
return 0;
|
||||
}
|
||||
/* enter local zone overrides */
|
||||
@ -1585,7 +1590,7 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
|
||||
lock_rw_rdlock(&z->lock);
|
||||
lzt = z->type;
|
||||
}
|
||||
if(!z && !view->isfirst){
|
||||
if(view->local_zones && !z && !view->isfirst){
|
||||
lock_rw_unlock(&view->lock);
|
||||
return 0;
|
||||
}
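Review bot: The changed condition `if(view->local_zones && !z && !view->isfirst)` means a view that has no local-zone configuration at all no longer returns 0 here and instead continues past this point, presumably into the global local-zones lookup, even when view-first is off; that is a deliberate-looking behaviour change for views that declare nothing, and it deserves a comment because the old code treated such a view as "no answer". It also means the `lock_rw_unlock(&view->lock)` on the next line is skipped for that case, so the code below the hunk must release view->lock on that path; the rest of local_zones_answer is outside the hunk and should be checked. Suggest `/* a view without any local-zone config falls through to the global zones even when view-first is off; view->lock is still held here */` above the condition.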
|
||||
@ -1670,6 +1675,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
|
||||
*t = local_zone_always_refuse;
|
||||
else if(strcmp(type, "always_nxdomain") == 0)
|
||||
*t = local_zone_always_nxdomain;
|
||||
else if(strcmp(type, "nodefault") == 0)
|
||||
*t = local_zone_nodefault;
|
||||
else return 0;
|
||||
return 1;
|
||||
}
|
||||
|
@ -427,6 +427,15 @@ enum localzone_type local_data_find_tag_action(const uint8_t* taglist,
|
||||
const uint8_t* tagactions, size_t tagactionssize,
|
||||
enum localzone_type lzt, int* tag, char* const* tagname, int num_tags);
|
||||
|
||||
/**
|
||||
* Enter defaults to local zone.
|
||||
* @param zones: to add defaults to
|
||||
* @param cfg: containing list of zones to exclude from default set.
|
||||
* @return 1 on success; 0 otherwise.
|
||||
*/
|
||||
int local_zone_enter_defaults(struct local_zones* zones,
|
||||
struct config_file* cfg);
|
||||
|
||||
/**
|
||||
* Parses resource record string into wire format, also returning its field values.
|
||||
* @param str: input resource record
|
||||
|
@ -174,7 +174,7 @@ client_info_compare(const struct respip_client_info* ci_a,
|
||||
* but we check that just in case. */
|
||||
if(ci_a->respip_set != ci_b->respip_set)
|
||||
return ci_a->respip_set < ci_b->respip_set ? -1 : 1;
|
||||
return 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
@ -821,26 +821,26 @@ void mesh_detach_subs(struct module_qstate* qstate)
|
||||
rbtree_init(&qstate->mesh_info->sub_set, &mesh_state_ref_compare);
|
||||
}
|
||||
|
||||
int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
|
||||
uint16_t qflags, int prime, int valrec, struct module_qstate** newq)
|
||||
int mesh_add_sub(struct module_qstate* qstate, struct query_info* qinfo,
|
||||
uint16_t qflags, int prime, int valrec, struct module_qstate** newq,
|
||||
struct mesh_state** sub)
|
||||
{
|
||||
/* find it, if not, create it */
|
||||
struct mesh_area* mesh = qstate->env->mesh;
|
||||
struct mesh_state* sub = mesh_area_find(mesh, NULL, qinfo, qflags,
|
||||
*sub = mesh_area_find(mesh, NULL, qinfo, qflags,
|
||||
prime, valrec);
|
||||
int was_detached;
|
||||
if(mesh_detect_cycle_found(qstate, sub)) {
|
||||
if(mesh_detect_cycle_found(qstate, *sub)) {
|
||||
verbose(VERB_ALGO, "attach failed, cycle detected");
|
||||
return 0;
|
||||
}
|
||||
if(!sub) {
|
||||
if(!*sub) {
|
||||
#ifdef UNBOUND_DEBUG
|
||||
struct rbnode_type* n;
|
||||
#endif
|
||||
/* create a new one */
|
||||
sub = mesh_state_create(qstate->env, qinfo, NULL, qflags, prime,
|
||||
*sub = mesh_state_create(qstate->env, qinfo, NULL, qflags, prime,
|
||||
valrec);
|
||||
if(!sub) {
|
||||
if(!*sub) {
|
||||
log_err("mesh_attach_sub: out of memory");
|
||||
return 0;
|
||||
}
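Review bot: The out-of-memory message on the new side still says `log_err("mesh_attach_sub: out of memory");`, but this line now lives in mesh_add_sub, so the log points operators at the wrong function; change it to `log_err("mesh_add_sub: out of memory");`. The same stale name would be worth checking in the remainder of mesh_add_sub and in the rebuilt mesh_attach_sub in the last mesh.c hunk. Note also that on the cycle-detected path `*sub` is left pointing at the existing mesh state while 0 is returned, which callers should not mistake for a state they own; a one-line comment at that `return 0;` would make the contract explicit.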
|
||||
@ -849,7 +849,7 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
|
||||
#else
|
||||
(void)
|
||||
#endif
|
||||
rbtree_insert(&mesh->all, &sub->node);
|
||||
rbtree_insert(&mesh->all, &(*sub)->node);
|
||||
log_assert(n != NULL);
|
||||
/* set detached (it is now) */
|
||||
mesh->num_detached_states++;
|
||||
@ -859,11 +859,22 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
|
||||
#else
|
||||
(void)
|
||||
#endif
|
||||
rbtree_insert(&mesh->run, &sub->run_node);
|
||||
rbtree_insert(&mesh->run, &(*sub)->run_node);
|
||||
log_assert(n != NULL);
|
||||
*newq = &sub->s;
|
||||
*newq = &(*sub)->s;
|
||||
} else
|
||||
*newq = NULL;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
|
||||
uint16_t qflags, int prime, int valrec, struct module_qstate** newq)
|
||||
{
|
||||
struct mesh_area* mesh = qstate->env->mesh;
|
||||
struct mesh_state* sub = NULL;
|
||||
int was_detached;
|
||||
if(!mesh_add_sub(qstate, qinfo, qflags, prime, valrec, newq, &sub))
|
||||
return 0;
|
||||
was_detached = (sub->super_set.count == 0);
|
||||
if(!mesh_state_attachment(qstate->mesh_info, sub))
|
||||
return 0;
|
||||
|
@ -370,6 +370,35 @@ void mesh_detach_subs(struct module_qstate* qstate);
|
||||
int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
|
||||
uint16_t qflags, int prime, int valrec, struct module_qstate** newq);
|
||||
|
||||
/**
|
||||
* Add detached query.
|
||||
* Creates it if it does not exist already.
|
||||
* Does not make super/sub references.
|
||||
* Performs a cycle detection - for double check - and fails if there is one.
|
||||
* Updates stat items in mesh_area structure.
|
||||
* Pass if it is priming query or not.
|
||||
* return:
|
||||
* o if error (malloc) happened.
|
||||
* o need to initialise the new state (module init; it is a new state).
|
||||
* so that the next run of the query with this module is successful.
|
||||
* o no init needed, attachment successful.
|
||||
* o added subquery, created if it did not exist already.
|
||||
*
|
||||
* @param qstate: the state to find mesh state, and that wants to receive
|
||||
* the results from the new subquery.
|
||||
* @param qinfo: what to query for (copied).
|
||||
* @param qflags: what flags to use (RD / CD flag or not).
|
||||
* @param prime: if it is a (stub) priming query.
|
||||
* @param valrec: if it is a validation recursion query (lookup of key, DS).
|
||||
* @param newq: If the new subquery needs initialisation, it is returned,
|
||||
* otherwise NULL is returned.
|
||||
* @param sub: The added mesh state, created if it did not exist already.
|
||||
* @return: false on error, true if success (and init may be needed).
|
||||
*/
|
||||
int mesh_add_sub(struct module_qstate* qstate, struct query_info* qinfo,
|
||||
uint16_t qflags, int prime, int valrec, struct module_qstate** newq,
|
||||
struct mesh_state** sub);
|
||||
|
||||
/**
|
||||
* Query state is done, send messages to reply entries.
|
||||
* Encode messages using reply entry values and the querystate (with original
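Review bot: The return list in the new mesh_add_sub doc block is copied from mesh_attach_sub and no longer matches what the function does: it lists "no init needed, attachment successful" and "added subquery" as separate outcomes, while the block itself says the function "Does not make super/sub references", and the @return line already gives the real contract. Suggest dropping the four `o ...` bullets and the "return:" line, keeping `@return: false on error, true if success (and init may be needed).` and adding to the `@param newq` text that "init needed" is signalled by a non-NULL *newq; also `@param sub` should say the pointer is written even when the function returns false after cycle detection, if that is the intended behaviour in the mesh.c hunk.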
|
||||
|
@ -54,6 +54,9 @@
|
||||
#ifdef USE_CACHEDB
|
||||
#include "cachedb/cachedb.h"
|
||||
#endif
|
||||
#ifdef USE_IPSECMOD
|
||||
#include "ipsecmod/ipsecmod.h"
|
||||
#endif
|
||||
#ifdef CLIENT_SUBNET
|
||||
#include "edns-subnet/subnetmod.h"
|
||||
#endif
|
||||
@ -126,17 +129,20 @@ module_list_avail(void)
|
||||
static const char* names[] = {
|
||||
"dns64",
|
||||
#ifdef WITH_PYTHONMODULE
|
||||
"python",
|
||||
"python",
|
||||
#endif
|
||||
#ifdef USE_CACHEDB
|
||||
"cachedb",
|
||||
#endif
|
||||
#ifdef USE_IPSECMOD
|
||||
"ipsecmod",
|
||||
#endif
|
||||
#ifdef CLIENT_SUBNET
|
||||
"subnetcache",
|
||||
"subnetcache",
|
||||
#endif
|
||||
"respip",
|
||||
"validator",
|
||||
"iterator",
|
||||
"validator",
|
||||
"iterator",
|
||||
NULL};
|
||||
return names;
|
||||
}
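Review bot: The `names[]` table here and the `fb[]` table in the module_funcs_avail hunk below are parallel arrays that must stay in the same order, including the placement of each `#ifdef` entry, and the new `"ipsecmod"` / `&ipsecmod_get_funcblock` pair is inserted in both; nothing in either table states the coupling. module_factory presumably matches a name to a function block by index, but that code is outside the hunk. Suggest a comment above each table, `/* keep in the same order as module_funcs_avail()/module_list_avail(): entries are matched by index */`.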
|
||||
@ -151,22 +157,25 @@ module_funcs_avail(void)
|
||||
static struct module_func_block* (*fb[])(void) = {
|
||||
&dns64_get_funcblock,
|
||||
#ifdef WITH_PYTHONMODULE
|
||||
&pythonmod_get_funcblock,
|
||||
&pythonmod_get_funcblock,
|
||||
#endif
|
||||
#ifdef USE_CACHEDB
|
||||
&cachedb_get_funcblock,
|
||||
#endif
|
||||
#ifdef USE_IPSECMOD
|
||||
&ipsecmod_get_funcblock,
|
||||
#endif
|
||||
#ifdef CLIENT_SUBNET
|
||||
&subnetmod_get_funcblock,
|
||||
&subnetmod_get_funcblock,
|
||||
#endif
|
||||
&respip_get_funcblock,
|
||||
&val_get_funcblock,
|
||||
&iter_get_funcblock,
|
||||
&val_get_funcblock,
|
||||
&iter_get_funcblock,
|
||||
NULL};
|
||||
return fb;
|
||||
}
|
||||
|
||||
struct
|
||||
struct
|
||||
module_func_block* module_factory(const char** str)
|
||||
{
|
||||
int i = 0;
|
||||
@ -234,3 +243,15 @@ modstack_find(struct module_stack* stack, const char* name)
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
||||
size_t
|
||||
mod_get_mem(struct module_env* env, const char* name)
|
||||
{
|
||||
int m = modstack_find(&env->mesh->mods, name);
|
||||
if(m != -1) {
|
||||
fptr_ok(fptr_whitelist_mod_get_mem(env->mesh->
|
||||
mods.mod[m]->get_mem));
|
||||
return (*env->mesh->mods.mod[m]->get_mem)(env, m);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -110,4 +110,7 @@ void modstack_desetup(struct module_stack* stack, struct module_env* env);
|
||||
*/
|
||||
int modstack_find(struct module_stack* stack, const char* name);
|
||||
|
||||
/** fetch memory for a module by name, returns 0 if module not there */
|
||||
size_t mod_get_mem(struct module_env* env, const char* name);
|
||||
|
||||
#endif /* SERVICES_MODSTACK_H */
|
||||
|
@ -204,6 +204,9 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
|
||||
{
|
||||
struct pending_tcp* pend = w->outnet->tcp_free;
|
||||
int s;
|
||||
#ifdef SO_REUSEADDR
|
||||
int on = 1;
|
||||
#endif
|
||||
log_assert(pend);
|
||||
log_assert(pkt);
|
||||
log_assert(w->addrlen > 0);
|
||||
@ -225,13 +228,20 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef SO_REUSEADDR
|
||||
if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
|
||||
(socklen_t)sizeof(on)) < 0) {
|
||||
verbose(VERB_ALGO, "outgoing tcp:"
|
||||
" setsockopt(.. SO_REUSEADDR ..) failed");
|
||||
}
|
||||
#endif
|
||||
if (w->outnet->tcp_mss > 0) {
|
||||
#if defined(IPPROTO_TCP) && defined(TCP_MAXSEG)
|
||||
if(setsockopt(s, IPPROTO_TCP, TCP_MAXSEG,
|
||||
(void*)&w->outnet->tcp_mss,
|
||||
(socklen_t)sizeof(w->outnet->tcp_mss)) < 0) {
|
||||
verbose(VERB_ALGO, "outgoing tcp:"
|
||||
" setsockopt(.. SO_REUSEADDR ..) failed");
|
||||
" setsockopt(.. TCP_MAXSEG ..) failed");
|
||||
}
|
||||
#else
|
||||
verbose(VERB_ALGO, "outgoing tcp:"
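Review bot: The new SO_REUSEADDR block on the outgoing TCP socket has no comment saying why the option is wanted, and the reason matters for review because SO_REUSEADDR semantics differ between platforms. The likely motive is to let a fresh outgoing connection reuse a local port still in TIME_WAIT from an earlier upstream query, but that is inferred; suggest stating it, `/* allow reuse of a local port still in TIME_WAIT from an earlier outgoing connection */`, above the `#ifdef SO_REUSEADDR`. Logging the setsockopt failure at VERB_ALGO and carrying on is consistent with the TCP_MAXSEG handling below it, and the corrected `" setsockopt(.. TCP_MAXSEG ..) failed"` text fixes the earlier copy-paste. The enclosing function outnet_tcp_take_into_use continues outside the hunk.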
|
||||
@ -1538,18 +1548,22 @@ serviced_udp_send(struct serviced_query* sq, sldns_buffer* buff)
|
||||
static int
|
||||
serviced_check_qname(sldns_buffer* pkt, uint8_t* qbuf, size_t qbuflen)
|
||||
{
|
||||
uint8_t* d1 = sldns_buffer_at(pkt, 12);
|
||||
uint8_t* d1 = sldns_buffer_begin(pkt)+12;
|
||||
uint8_t* d2 = qbuf+10;
|
||||
uint8_t len1, len2;
|
||||
int count = 0;
|
||||
if(sldns_buffer_limit(pkt) < 12+1+4) /* packet too small for qname */
|
||||
return 0;
|
||||
log_assert(qbuflen >= 15 /* 10 header, root, type, class */);
|
||||
len1 = *d1++;
|
||||
len2 = *d2++;
|
||||
if(sldns_buffer_limit(pkt) < 12+1+4) /* packet too small for qname */
|
||||
return 0;
|
||||
while(len1 != 0 || len2 != 0) {
|
||||
if(LABEL_IS_PTR(len1)) {
|
||||
/* check if we can read *d1 with compression ptr rest */
|
||||
if(d1 >= sldns_buffer_at(pkt, sldns_buffer_limit(pkt)))
|
||||
return 0;
|
||||
d1 = sldns_buffer_begin(pkt)+PTR_OFFSET(len1, *d1);
|
||||
/* check if we can read the destination *d1 */
|
||||
if(d1 >= sldns_buffer_at(pkt, sldns_buffer_limit(pkt)))
|
||||
return 0;
|
||||
len1 = *d1++;
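Review bot: The two new bounds checks in the LABEL_IS_PTR branch only require the pointer byte and the pointer target to lie below sldns_buffer_limit(pkt); they do not require the target to precede the pointer, so a forward or self-referencing pointer in a reply is accepted here and termination rests on whatever the `count` declared at the top of the function is compared against in the part of the loop outside this hunk. That is acceptable for a check that only compares the reply qname with our own query, but it should be said at the branch, `/* targets are only bounded by the packet limit, not required to point backwards; the count check below caps pointer chasing */`, so the next reader does not look for the missing RFC 1035 direction test. Moving the `12+1+4` limit check ahead of `len1 = *d1++` is the right fix for the first read; the `d1+len1 >= limit` test in the next hunk covers the label bytes and the following length octet.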
|
||||
@ -1563,6 +1577,9 @@ serviced_check_qname(sldns_buffer* pkt, uint8_t* qbuf, size_t qbuflen)
|
||||
return 0;
|
||||
if(len1 > LDNS_MAX_LABELLEN)
|
||||
return 0;
|
||||
/* check len1 + 1(next length) are okay to read */
|
||||
if(d1+len1 >= sldns_buffer_at(pkt, sldns_buffer_limit(pkt)))
|
||||
return 0;
|
||||
log_assert(len1 <= LDNS_MAX_LABELLEN);
|
||||
log_assert(len2 <= LDNS_MAX_LABELLEN);
|
||||
log_assert(len1 == len2 && len1 != 0);
|
||||
|
@ -167,6 +167,44 @@ views_apply_cfg(struct views* vs, struct config_file* cfg)
|
||||
lz_cfg.local_data = cv->local_data;
|
||||
lz_cfg.local_zones_nodefault =
|
||||
cv->local_zones_nodefault;
|
||||
if(v->isfirst) {
|
||||
/* Do not add defaults to view-specific
|
||||
* local-zone when global local zone will be
|
||||
* used. */
|
||||
struct config_strlist* nd;
|
||||
lz_cfg.local_zones_disable_default = 1;
|
||||
/* Add nodefault zones to list of zones to add,
|
||||
* so they will be used as if they are
|
||||
* configured as type transparent */
|
||||
for(nd = cv->local_zones_nodefault; nd;
|
||||
nd = nd->next) {
|
||||
char* nd_str, *nd_type;
|
||||
nd_str = strdup(nd->str);
|
||||
if(!nd_str) {
|
||||
log_err("out of memory");
|
||||
lock_rw_unlock(&v->lock);
|
||||
return 0;
|
||||
}
|
||||
nd_type = strdup("nodefault");
|
||||
if(!nd_type) {
|
||||
log_err("out of memory");
|
||||
free(nd_str);
|
||||
lock_rw_unlock(&v->lock);
|
||||
return 0;
|
||||
}
|
||||
if(!cfg_str2list_insert(
|
||||
&lz_cfg.local_zones, nd_str,
|
||||
nd_type)) {
|
||||
log_err("failed to insert "
|
||||
"default zones into "
|
||||
"local-zone list");
|
||||
free(nd_str);
|
||||
free(nd_type);
|
||||
lock_rw_unlock(&v->lock);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
if(!local_zones_apply_cfg(v->local_zones, &lz_cfg)){
|
||||
lock_rw_unlock(&v->lock);
|
||||
return 0;
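Review bot: The nodes that `cfg_str2list_insert(&lz_cfg.local_zones, nd_str, nd_type)` prepends are heap allocations owned by lz_cfg, and nothing in the hunk frees them after `local_zones_apply_cfg(v->local_zones, &lz_cfg)`; whether lz_cfg is a local copy of the view's config (in which case these nodes leak on every reload) or its list head is written back to cv is decided above the hunk and should be confirmed. The three error returns free nd_str and nd_type for the current iteration only, so nodes inserted by earlier iterations follow the same ownership question. Suggest a comment at the insert stating who frees the list, e.g. `/* prepended to lz_cfg.local_zones only; freed with lz_cfg after apply — TODO confirm */`, and an explicit free of the prepended nodes if lz_cfg is local.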
|
||||
|
@ -388,6 +388,27 @@ sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
|
||||
}
|
||||
#endif /* USE_ECDSA */
|
||||
|
||||
#ifdef USE_ED25519
|
||||
EVP_PKEY*
|
||||
sldns_ed255192pkey_raw(const unsigned char* key, size_t keylen)
|
||||
{
|
||||
/* ASN1 for ED25519 is 302a300506032b6570032100 <32byteskey> */
|
||||
uint8_t pre[] = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
|
||||
0x70, 0x03, 0x21, 0x00};
|
||||
int pre_len = 12;
|
||||
uint8_t buf[256];
|
||||
EVP_PKEY *evp_key;
|
||||
/* pp gets modified by d2i() */
|
||||
const unsigned char* pp = (unsigned char*)buf;
|
||||
if(keylen != 32 || keylen + pre_len > sizeof(buf))
|
||||
return NULL; /* wrong length */
|
||||
memmove(buf, pre, pre_len);
|
||||
memmove(buf+pre_len, key, keylen);
|
||||
evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
|
||||
return evp_key;
|
||||
}
|
||||
#endif /* USE_ED25519 */
|
||||
|
||||
int
|
||||
sldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
|
||||
const EVP_MD* md)
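Review bot: `int pre_len = 12;` duplicates the length of the `pre[]` initializer by hand, so the ASN.1 prefix and its length can drift apart; use `size_t pre_len = sizeof(pre);`, which also removes the signed/unsigned mix in `keylen + pre_len`. The two `memmove` calls copy between non-overlapping buffers and read more naturally as `memcpy`, and with `keylen != 32` enforced first the `keylen + pre_len > sizeof(buf)` arm can never fire, so the comment `/* wrong length */` could say that the 32-byte check is the real guard. The declaration in the keyraw.h hunk names the second parameter `len` while this definition calls it `keylen`; aligning the names keeps the `\param[in]` doc accurate.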
|
||||
|
@ -92,6 +92,15 @@ EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
|
||||
*/
|
||||
RSA *sldns_key_buf2rsa_raw(unsigned char* key, size_t len);
|
||||
|
||||
/**
|
||||
* Converts a holding buffer with key material to EVP PKEY in openssl.
|
||||
* Only available if ldns was compiled with ED25519.
|
||||
* \param[in] key the uncompressed wireformat of the key.
|
||||
* \param[in] len length of key data
|
||||
* \return the key or NULL on error.
|
||||
*/
|
||||
EVP_PKEY* sldns_ed255192pkey_raw(const unsigned char* key, size_t len);
|
||||
|
||||
/**
|
||||
* Utility function to calculate hash using generic EVP_MD pointer.
|
||||
* \param[in] data the data to hash.
|
||||
|
@ -120,6 +120,10 @@ sldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
|
||||
if (line_nr) {
|
||||
*line_nr = *line_nr + 1;
|
||||
}
|
||||
if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
|
||||
*t = '\0';
|
||||
return -1;
|
||||
}
|
||||
*t++ = ' ';
|
||||
prev_c = c;
|
||||
continue;
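Review bot: The added guard can still write one byte past the buffer through its own `*t = '\0'`: on this newline-inside-parentheses path `i` is not advanced, so after enough newlines `t - token` reaches `limit` exactly, the `(size_t)(t-token) >= limit` arm fires, and the terminator lands at `token[limit]`. With a token buffer of exactly `limit` bytes that is a one-byte overrun; whether `i` always leads `t - token` on the other paths is decided outside the hunk. Suggest `if (limit > 0 && (i >= limit || (size_t)(t-token) + 1 >= limit)) {` so the space plus terminator always fit.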
|
||||
|
@ -175,7 +175,7 @@ static const sldns_rdf_type type_tkey_wireformat[] = {
|
||||
LDNS_RDF_TYPE_TIME,
|
||||
LDNS_RDF_TYPE_TIME,
|
||||
LDNS_RDF_TYPE_INT16,
|
||||
LDNS_RDF_TYPE_INT16,
|
||||
LDNS_RDF_TYPE_TSIGERROR,
|
||||
LDNS_RDF_TYPE_INT16_DATA,
|
||||
LDNS_RDF_TYPE_INT16_DATA,
|
||||
};
|
||||
@ -185,7 +185,7 @@ static const sldns_rdf_type type_tsig_wireformat[] = {
|
||||
LDNS_RDF_TYPE_INT16,
|
||||
LDNS_RDF_TYPE_INT16_DATA,
|
||||
LDNS_RDF_TYPE_INT16,
|
||||
LDNS_RDF_TYPE_INT16,
|
||||
LDNS_RDF_TYPE_TSIGERROR,
|
||||
LDNS_RDF_TYPE_INT16_DATA
|
||||
};
|
||||
static const sldns_rdf_type type_tlsa_wireformat[] = {
|
||||
@ -341,8 +341,12 @@ static sldns_rr_descriptor rdata_field_descriptors[] = {
|
||||
{LDNS_RR_TYPE_NSEC3PARAM, "NSEC3PARAM", 4, 4, type_nsec3param_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||
/* 52 */
|
||||
{LDNS_RR_TYPE_TLSA, "TLSA", 4, 4, type_tlsa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||
|
||||
/*53 */
|
||||
#ifdef DRAFT_RRTYPES
|
||||
{LDNS_RR_TYPE_SMIMEA, "SMIMEA", 4, 4, type_tlsa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||
#else
|
||||
{LDNS_RR_TYPE_NULL, "TYPE53", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||
#endif
|
||||
{LDNS_RR_TYPE_NULL, "TYPE54", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||
/* 55
|
||||
* Hip ends with 0 or more Rendezvous Servers represented as dname's.
|
||||
@ -600,6 +604,12 @@ static sldns_rr_descriptor rdata_field_descriptors[] = {
|
||||
{LDNS_RR_TYPE_URI, "URI", 3, 3, type_uri_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||
/* 257 */
|
||||
{LDNS_RR_TYPE_CAA, "CAA", 3, 3, type_caa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||
#ifdef DRAFT_RRTYPES
|
||||
/* 258 */
|
||||
{LDNS_RR_TYPE_AVC, "AVC", 1, 0, NULL, LDNS_RDF_TYPE_STR, LDNS_RR_NO_COMPRESS, 0 },
|
||||
#else
|
||||
{LDNS_RR_TYPE_NULL, "TYPE258", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
|
||||
#endif
|
||||
|
||||
/* split in array, no longer contiguous */
|
||||
|
||||
|
@ -38,7 +38,7 @@ extern "C" {
|
||||
#define LDNS_KEY_REVOKE_KEY 0x0080 /* used to revoke KSK, rfc 5011 */
|
||||
|
||||
/* The first fields are contiguous and can be referenced instantly */
|
||||
#define LDNS_RDATA_FIELD_DESCRIPTORS_COMMON 258
|
||||
#define LDNS_RDATA_FIELD_DESCRIPTORS_COMMON 259
|
||||
|
||||
/** lookuptable for rr classes */
|
||||
extern struct sldns_struct_lookup_table* sldns_rr_classes;
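Review bot: `LDNS_RDATA_FIELD_DESCRIPTORS_COMMON` is bumped from 258 to 259 to match the TYPE258/AVC entry added to rdata_field_descriptors in the rrdef.c hunks, but nothing ties the two together, and the rrdef.c table comment "split in array, no longer contiguous" is the only hint that this constant is the count of the contiguous prefix. Both `#ifdef DRAFT_RRTYPES` branches add exactly one entry at 258, so 259 holds either way; suggest `/* number of contiguous entries (types 0..258) at the start of rdata_field_descriptors[]; update together with that table */` above the define, or a `_Static_assert` against the table size where the table is defined, if the codebase allows C11.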
|
||||
@ -226,6 +226,7 @@ enum sldns_enum_rr_type
|
||||
LDNS_RR_TYPE_ANY = 255,
|
||||
LDNS_RR_TYPE_URI = 256, /* RFC 7553 */
|
||||
LDNS_RR_TYPE_CAA = 257, /* RFC 6844 */
|
||||
LDNS_RR_TYPE_AVC = 258,
|
||||
|
||||
/** DNSSEC Trust Authorities */
|
||||
LDNS_RR_TYPE_TA = 32768,
|
||||
@ -350,6 +351,9 @@ enum sldns_enum_rdf_type
|
||||
*/
|
||||
LDNS_RDF_TYPE_LONG_STR,
|
||||
|
||||
/** TSIG extended 16bit error value */
|
||||
LDNS_RDF_TYPE_TSIGERROR,
|
||||
|
||||
/* Aliases */
|
||||
LDNS_RDF_TYPE_BITMAP = LDNS_RDF_TYPE_NSEC
|
||||
};
|
||||
@ -430,6 +434,15 @@ typedef enum sldns_enum_edns_option sldns_edns_option;
|
||||
|
||||
#define LDNS_EDNS_MASK_DO_BIT 0x8000
|
||||
|
||||
/** TSIG and TKEY extended rcodes (16bit), 0-15 are the normal rcodes. */
|
||||
#define LDNS_TSIG_ERROR_NOERROR 0
|
||||
#define LDNS_TSIG_ERROR_BADSIG 16
|
||||
#define LDNS_TSIG_ERROR_BADKEY 17
|
||||
#define LDNS_TSIG_ERROR_BADTIME 18
|
||||
#define LDNS_TSIG_ERROR_BADMODE 19
|
||||
#define LDNS_TSIG_ERROR_BADNAME 20
|
||||
#define LDNS_TSIG_ERROR_BADALG 21
|
||||
|
||||
/**
|
||||
* Contains all information about resource record types.
|
||||
*
|
||||
|
@ -50,6 +50,8 @@ sldns_buffer_new_frm_data(sldns_buffer *buffer, void *data, size_t size)
|
||||
buffer->_limit = buffer->_capacity = size;
|
||||
buffer->_fixed = 0;
|
||||
buffer->_vfixed = 0;
|
||||
if (!buffer->_fixed && buffer->_data)
|
||||
free(buffer->_data);
|
||||
buffer->_data = malloc(size);
|
||||
if(!buffer->_data) {
|
||||
buffer->_status_err = 1;
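Review bot: The new `if (!buffer->_fixed && buffer->_data) free(buffer->_data);` comes after `buffer->_fixed = 0;`, so the `!buffer->_fixed` test is always true and a buffer that was previously set up as fixed over caller-owned memory gets that memory passed to free(); the check must run before the flags are reset. It also reads `buffer->_data` as an indicator of a prior allocation, which only works if every caller hands in an initialised or zeroed sldns_buffer; callers are outside the hunk, so that precondition should be documented. Suggest moving the two lines above `buffer->_fixed = 0;` and adding `/* buffer must be zeroed or previously initialised: an old heap _data is released, a fixed one is not */`.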
|
||||
|
@ -664,6 +664,14 @@ rrinternal_parse_rdata(sldns_buffer* strbuf, char* token, size_t token_len,
|
||||
&pre_data_pos, delimiters,
|
||||
rdftype, &token_strlen))
|
||||
break;
|
||||
} else if(rdftype == LDNS_RDF_TYPE_INT16_DATA &&
|
||||
strcmp(token, "0")!=0) {
|
||||
/* affix len and b64 fields */
|
||||
if(!sldns_affix_token(strbuf, token,
|
||||
&token_len, "ed, &parens,
|
||||
&pre_data_pos, delimiters,
|
||||
rdftype, &token_strlen))
|
||||
break;
|
||||
}
|
||||
|
||||
/* normal RR */
|
||||
@ -861,6 +869,8 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
|
||||
/* we can have the situation, where we've read ok, but still got
|
||||
* no bytes to play with, in this case size is 0 */
|
||||
if(size == 0) {
|
||||
if(*len > 0)
|
||||
rr[0] = 0;
|
||||
*len = 0;
|
||||
*dname_len = 0;
|
||||
return LDNS_WIREPARSE_ERR_OK;
|
||||
@ -868,6 +878,7 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
|
||||
|
||||
if(strncmp(line, "$ORIGIN", 7) == 0 && isspace((unsigned char)line[7])) {
|
||||
int s;
|
||||
strlcpy((char*)rr, line, *len);
|
||||
*len = 0;
|
||||
*dname_len = 0;
|
||||
if(!parse_state) return LDNS_WIREPARSE_ERR_OK;
|
||||
@ -878,12 +889,19 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
|
||||
return s;
|
||||
} else if(strncmp(line, "$TTL", 4) == 0 && isspace((unsigned char)line[4])) {
|
||||
const char* end = NULL;
|
||||
strlcpy((char*)rr, line, *len);
|
||||
*len = 0;
|
||||
*dname_len = 0;
|
||||
if(!parse_state) return LDNS_WIREPARSE_ERR_OK;
|
||||
parse_state->default_ttl = sldns_str2period(
|
||||
sldns_strip_ws(line+5), &end);
|
||||
} else if (strncmp(line, "$INCLUDE", 8) == 0) {
|
||||
strlcpy((char*)rr, line, *len);
|
||||
*len = 0;
|
||||
*dname_len = 0;
|
||||
return LDNS_WIREPARSE_ERR_INCLUDE;
|
||||
} else if (strncmp(line, "$", 1) == 0) {
|
||||
strlcpy((char*)rr, line, *len);
|
||||
*len = 0;
|
||||
*dname_len = 0;
|
||||
return LDNS_WIREPARSE_ERR_INCLUDE;
|
||||
@ -940,6 +958,8 @@ int sldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
|
||||
return sldns_str2wire_time_buf(str, rd, len);
|
||||
case LDNS_RDF_TYPE_PERIOD:
|
||||
return sldns_str2wire_period_buf(str, rd, len);
|
||||
case LDNS_RDF_TYPE_TSIGTIME:
|
||||
return sldns_str2wire_tsigtime_buf(str, rd, len);
|
||||
case LDNS_RDF_TYPE_LOC:
|
||||
return sldns_str2wire_loc_buf(str, rd, len);
|
||||
case LDNS_RDF_TYPE_WKS:
|
||||
@ -964,6 +984,8 @@ int sldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
|
||||
return sldns_str2wire_tag_buf(str, rd, len);
|
||||
case LDNS_RDF_TYPE_LONG_STR:
|
||||
return sldns_str2wire_long_str_buf(str, rd, len);
|
||||
case LDNS_RDF_TYPE_TSIGERROR:
|
||||
return sldns_str2wire_tsigerror_buf(str, rd, len);
|
||||
case LDNS_RDF_TYPE_HIP:
|
||||
return sldns_str2wire_hip_buf(str, rd, len);
|
||||
case LDNS_RDF_TYPE_INT16_DATA:
|
||||
@ -1341,6 +1363,21 @@ int sldns_str2wire_alg_buf(const char* str, uint8_t* rd, size_t* len)
|
||||
return LDNS_WIREPARSE_ERR_OK;
|
||||
}
|
||||
|
||||
int sldns_str2wire_tsigerror_buf(const char* str, uint8_t* rd, size_t* len)
|
||||
{
|
||||
sldns_lookup_table *lt = sldns_lookup_by_name(sldns_tsig_errors, str);
|
||||
if(*len < 2)
|
||||
return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
|
||||
if(lt) {
|
||||
sldns_write_uint16(rd, (uint16_t)lt->id);
|
||||
*len = 2;
|
||||
} else {
|
||||
/* try as-is (a number) */
|
||||
return sldns_str2wire_int16_buf(str, rd, len);
|
||||
}
|
||||
return LDNS_WIREPARSE_ERR_OK;
|
||||
}
|
||||
|
||||
int sldns_str2wire_time_buf(const char* str, uint8_t* rd, size_t* len)
|
||||
{
|
||||
/* convert a time YYYYDDMMHHMMSS to wireformat */
|
||||
@ -1383,6 +1420,24 @@ int sldns_str2wire_time_buf(const char* str, uint8_t* rd, size_t* len)
|
||||
return LDNS_WIREPARSE_ERR_OK;
|
||||
}
|
||||
|
||||
int sldns_str2wire_tsigtime_buf(const char* str, uint8_t* rd, size_t* len)
|
||||
{
|
||||
char* end;
|
||||
uint64_t t = (uint64_t)strtol((char*)str, &end, 10);
|
||||
uint16_t high;
|
||||
uint32_t low;
|
||||
if(*end != 0)
|
||||
return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_TIME, end-str);
|
||||
if(*len < 6)
|
||||
return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
|
||||
high = (uint16_t)(t>>32);
|
||||
low = (uint32_t)(t);
|
||||
sldns_write_uint16(rd, high);
|
||||
sldns_write_uint32(rd+2, low);
|
||||
*len = 6;
|
||||
return LDNS_WIREPARSE_ERR_OK;
|
||||
}
|
||||
|
||||
int sldns_str2wire_period_buf(const char* str, uint8_t* rd, size_t* len)
|
||||
{
|
||||
const char* end;
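Review bot: `uint64_t t = (uint64_t)strtol((char*)str, &end, 10);` in the new sldns_str2wire_tsigtime_buf parses the 48-bit TSIG time through `long`, so on 32-bit platforms values beyond 2^31 are rejected or clamped, a leading `-` produces a huge value after the cast, overflow is not detected, and an empty string passes the `*end != 0` test as time 0; the `(uint16_t)(t>>32)` write then silently truncates anything at or above 2^48. The parse should use strtoull with errno and an `end == str` check and reject values that do not fit six bytes, which assumes errno.h is reachable from this file.

```c
int sldns_str2wire_tsigtime_buf(const char* str, uint8_t* rd, size_t* len)
{
	char* end;
	uint64_t t;
	uint16_t high;
	uint32_t low;
	errno = 0;
	t = (uint64_t)strtoull(str, &end, 10);
	/* reject empty input, trailing text, overflow, and values that do not fit 48 bits */
	if(end == str || *end != 0 || errno == ERANGE || (t >> 48) != 0)
		return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_TIME, end-str);
	/* … unchanged: buffer length check, split into high/low, write 6 bytes … */
```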
|
||||
@ -2008,16 +2063,29 @@ int sldns_str2wire_hip_buf(const char* str, uint8_t* rd, size_t* len)
|
||||
|
||||
int sldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len)
|
||||
{
|
||||
size_t sz = sldns_b64_pton_calculate_size(strlen(str));
|
||||
char* s;
|
||||
int n;
|
||||
if(*len < sz+2)
|
||||
n = strtol(str, &s, 10);
|
||||
if(*len < ((size_t)n)+2)
|
||||
return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
|
||||
if(sz > 65535)
|
||||
if(n > 65535)
|
||||
return LDNS_WIREPARSE_ERR_LABEL_OVERFLOW;
|
||||
n = sldns_b64_pton(str, rd+2, (*len)-2);
|
||||
|
||||
if(n == 0) {
|
||||
sldns_write_uint16(rd, 0);
|
||||
*len = 2;
|
||||
return LDNS_WIREPARSE_ERR_OK;
|
||||
}
|
||||
if(*s != ' ')
|
||||
return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_INT, s-(char*)str);
|
||||
s++;
|
||||
while(*s == ' ')
|
||||
s++;
|
||||
|
||||
n = sldns_b64_pton(s, rd+2, (*len)-2);
|
||||
if(n < 0)
|
||||
return LDNS_WIREPARSE_ERR_SYNTAX_B64;
|
||||
sldns_write_uint16(rd, (uint16_t)n);
|
||||
*len = (size_t)n;
|
||||
*len = ((size_t)n)+2;
|
||||
return LDNS_WIREPARSE_ERR_OK;
|
||||
}
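Review bot: `n = strtol(str, &s, 10);` in the reworked sldns_str2wire_int16_data_buf has no `s == str` check, so input that does not start with a number yields n == 0 and the `if(n == 0)` branch then writes an empty field and returns LDNS_WIREPARSE_ERR_OK for malformed text; a negative n is likewise only caught by accident, because `((size_t)n)+2` wraps for -1 and -2 and the `n > 65535` test does not see it. Suggest `if(s == str || n < 0 || n > 65535) return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_INT, s-(char*)str);` directly after the strtol, ahead of the buffer-size test. The declared length `n` is also never compared with the number of bytes sldns_b64_pton actually produced, which is harmless for memory safety since the decode is bounded by `(*len)-2`, but worth a comment if the mismatch is meant to be tolerated.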
|
||||
|
@ -237,6 +237,8 @@ struct sldns_file_parse_state {
|
||||
* @param rr: this is malloced by the user and the result is stored here,
|
||||
* if an RR is read. If no RR is read this is signalled with the
|
||||
* return len set to 0 (for ORIGIN, TTL directives).
|
||||
* The read line is available in the rr_buf (zero terminated), for
|
||||
* $DIRECTIVE style elements.
|
||||
* @param len: on input, the length of the rr buffer. on output the rr len.
|
||||
* Buffer size of 64k should be enough.
|
||||
* @param dname_len: returns the length of the dname initial part of the rr.
|
||||
@ -417,6 +419,24 @@ int sldns_str2wire_time_buf(const char* str, uint8_t* rd, size_t* len);
|
||||
*/
|
||||
int sldns_str2wire_period_buf(const char* str, uint8_t* rd, size_t* len);
|
||||
|
||||
/**
|
||||
* Convert rdf of type LDNS_RDF_TYPE_TSIGTIME from string to wireformat.
|
||||
* @param str: the text to convert for this rdata element.
|
||||
* @param rd: rdata buffer for the wireformat.
|
||||
* @param len: length of rd buffer on input, used length on output.
|
||||
* @return 0 on success, error on failure.
|
||||
*/
|
||||
int sldns_str2wire_tsigtime_buf(const char* str, uint8_t* rd, size_t* len);
|
||||
|
||||
/**
|
||||
* Convert rdf of type LDNS_RDF_TYPE_TSIGERROR from string to wireformat.
|
||||
* @param str: the text to convert for this rdata element.
|
||||
* @param rd: rdata buffer for the wireformat.
|
||||
* @param len: length of rd buffer on input, used length on output.
|
||||
* @return 0 on success, error on failure.
|
||||
*/
|
||||
int sldns_str2wire_tsigerror_buf(const char* str, uint8_t* rd, size_t* len);
|
||||
|
||||
/**
|
||||
* Convert rdf of type LDNS_RDF_TYPE_LOC from string to wireformat.
|
||||
* @param str: the text to convert for this rdata element.
|
||||
|
@ -173,6 +173,28 @@ static sldns_lookup_table sldns_edns_options_data[] = {
|
||||
};
|
||||
sldns_lookup_table* sldns_edns_options = sldns_edns_options_data;
|
||||
|
||||
static sldns_lookup_table sldns_tsig_errors_data[] = {
|
||||
{ LDNS_TSIG_ERROR_NOERROR, "NOERROR" },
|
||||
{ LDNS_RCODE_FORMERR, "FORMERR" },
|
||||
{ LDNS_RCODE_SERVFAIL, "SERVFAIL" },
|
||||
{ LDNS_RCODE_NXDOMAIN, "NXDOMAIN" },
|
||||
{ LDNS_RCODE_NOTIMPL, "NOTIMPL" },
|
||||
{ LDNS_RCODE_REFUSED, "REFUSED" },
|
||||
{ LDNS_RCODE_YXDOMAIN, "YXDOMAIN" },
|
||||
{ LDNS_RCODE_YXRRSET, "YXRRSET" },
|
||||
{ LDNS_RCODE_NXRRSET, "NXRRSET" },
|
||||
{ LDNS_RCODE_NOTAUTH, "NOTAUTH" },
|
||||
{ LDNS_RCODE_NOTZONE, "NOTZONE" },
|
||||
{ LDNS_TSIG_ERROR_BADSIG, "BADSIG" },
|
||||
{ LDNS_TSIG_ERROR_BADKEY, "BADKEY" },
|
||||
{ LDNS_TSIG_ERROR_BADTIME, "BADTIME" },
|
||||
{ LDNS_TSIG_ERROR_BADMODE, "BADMODE" },
|
||||
{ LDNS_TSIG_ERROR_BADNAME, "BADNAME" },
|
||||
{ LDNS_TSIG_ERROR_BADALG, "BADALG" },
|
||||
{ 0, NULL }
|
||||
};
|
||||
sldns_lookup_table* sldns_tsig_errors = sldns_tsig_errors_data;
|
||||
|
||||
char* sldns_wire2str_pkt(uint8_t* data, size_t len)
|
||||
{
|
||||
size_t slen = (size_t)sldns_wire2str_pkt_buf(data, len, NULL, 0);
|
||||
@ -976,6 +998,8 @@ int sldns_wire2str_rdf_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
|
||||
return sldns_wire2str_tag_scan(d, dlen, s, slen);
|
||||
case LDNS_RDF_TYPE_LONG_STR:
|
||||
return sldns_wire2str_long_str_scan(d, dlen, s, slen);
|
||||
case LDNS_RDF_TYPE_TSIGERROR:
|
||||
return sldns_wire2str_tsigerror_scan(d, dlen, s, slen);
|
||||
}
|
||||
/* unknown rdf type */
|
||||
return -1;
|
||||
@ -1574,6 +1598,7 @@ int sldns_wire2str_hip_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
|
||||
|
||||
int sldns_wire2str_int16_data_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
|
||||
{
|
||||
int w;
|
||||
uint16_t n;
|
||||
if(*dl < 2)
|
||||
return -1;
|
||||
@ -1582,7 +1607,12 @@ int sldns_wire2str_int16_data_scan(uint8_t** d, size_t* dl, char** s, size_t* sl
|
||||
return -1;
|
||||
(*d)+=2;
|
||||
(*dl)-=2;
|
||||
return sldns_wire2str_b64_scan_num(d, dl, s, sl, n);
|
||||
if(n == 0) {
|
||||
return sldns_str_print(s, sl, "0");
|
||||
}
|
||||
w = sldns_str_print(s, sl, "%u ", (unsigned)n);
|
||||
w += sldns_wire2str_b64_scan_num(d, dl, s, sl, n);
|
||||
return w;
|
||||
}
|
||||
|
||||
int sldns_wire2str_nsec3_next_owner_scan(uint8_t** d, size_t* dl, char** s,
|
||||
@ -1639,10 +1669,10 @@ int sldns_wire2str_tag_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
|
||||
if(*dl < 1+n)
|
||||
return -1;
|
||||
for(i=0; i<n; i++)
|
||||
if(!isalnum((unsigned char)(*d)[i]))
|
||||
if(!isalnum((unsigned char)(*d)[i+1]))
|
||||
return -1;
|
||||
for(i=0; i<n; i++)
|
||||
w += sldns_str_print(s, sl, "%c", (char)(*d)[i]);
|
||||
w += sldns_str_print(s, sl, "%c", (char)(*d)[i+1]);
|
||||
(*d)+=n+1;
|
||||
(*dl)-=(n+1);
|
||||
return w;
|
||||
@ -1661,6 +1691,21 @@ int sldns_wire2str_long_str_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
|
||||
return w;
|
||||
}
|
||||
|
||||
int sldns_wire2str_tsigerror_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
|
||||
{
|
||||
sldns_lookup_table *lt;
|
||||
int data, w;
|
||||
if(*dl < 2) return -1;
|
||||
data = (int)sldns_read_uint16(*d);
|
||||
lt = sldns_lookup_by_id(sldns_tsig_errors, data);
|
||||
if(lt && lt->name)
|
||||
w = sldns_str_print(s, sl, "%s", lt->name);
|
||||
else w = sldns_str_print(s, sl, "%d", data);
|
||||
(*dl)-=2;
|
||||
(*d)+=2;
|
||||
return w;
|
||||
}
|
||||
|
||||
int sldns_wire2str_edns_llq_print(char** s, size_t* sl, uint8_t* data,
|
||||
size_t len)
|
||||
{
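Review bot: In sldns_wire2str_int16_data_scan the new `w += sldns_wire2str_b64_scan_num(d, dl, s, sl, n);` folds the helper's return value into the character count, whereas the removed line returned it directly; if that helper can report failure with -1 like the other *_scan functions in this section (sldns_wire2str_tsigerror_scan returns -1 on short input), the failure now surfaces as `w - 1` and the caller carries on. I would keep the status separate: `int r = sldns_wire2str_b64_scan_num(d, dl, s, sl, n); if(r < 0) return -1; return w + r;`. The function's earlier length check against `n` sits before the visible hunk lines, so I could not confirm `*dl` is validated before the helper runs on this network-supplied data; worth a second look.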
|
||||
|
@ -38,6 +38,8 @@ extern struct sldns_struct_lookup_table* sldns_edns_flags;
|
||||
extern struct sldns_struct_lookup_table* sldns_edns_options;
|
||||
/** error string from wireparse */
|
||||
extern struct sldns_struct_lookup_table* sldns_wireparse_errors;
|
||||
/** tsig errors are the rcodes with extra (higher) values */
|
||||
extern struct sldns_struct_lookup_table* sldns_tsig_errors;
|
||||
|
||||
/**
|
||||
* Convert wireformat packet to a string representation
|
||||
@ -807,6 +809,19 @@ int sldns_wire2str_hip_scan(uint8_t** data, size_t* data_len, char** str,
|
||||
int sldns_wire2str_int16_data_scan(uint8_t** data, size_t* data_len, char** str,
|
||||
size_t* str_len);
|
||||
|
||||
/**
|
||||
* Scan wireformat tsigerror field to string, with user buffers.
|
||||
* It shifts the arguments to move along (see sldns_wire2str_pkt_scan).
|
||||
* @param data: wireformat data.
|
||||
* @param data_len: length of data buffer.
|
||||
* @param str: string buffer.
|
||||
* @param str_len: length of string buffer.
|
||||
* @return number of characters (except null) needed to print.
|
||||
* Can return -1 on failure.
|
||||
*/
|
||||
int sldns_wire2str_tsigerror_scan(uint8_t** data, size_t* data_len, char** str,
|
||||
size_t* str_len);
|
||||
|
||||
/**
|
||||
* Scan wireformat nsec3_next_owner field to string, with user buffers.
|
||||
* It shifts the arguments to move along (see sldns_wire2str_pkt_scan).
|
||||
|
@ -241,6 +241,8 @@ static const char*
|
||||
get_builtin_ds(void)
|
||||
{
|
||||
return
|
||||
/* The anchors must start on a new line with ". IN DS and end with \n"[;]
|
||||
* because the makedist script greps on the source here */
|
||||
/* anchor 19036 is from 2010 */
|
||||
/* anchor 20326 is from 2017 */
|
||||
". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
|
||||
|
@ -4,22 +4,22 @@
|
||||
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
@ -88,10 +88,10 @@ usage(void)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/**
|
||||
* Print given option to stdout
|
||||
/**
|
||||
* Print given option to stdout
|
||||
* @param cfg: config
|
||||
* @param opt: option name without trailing :.
|
||||
* @param opt: option name without trailing :.
|
||||
* This is different from config_set_option.
|
||||
* @param final: if final pathname with chroot applied has to be printed.
|
||||
*/
|
||||
@ -156,9 +156,9 @@ view_and_respipchecks(struct config_file* cfg)
|
||||
fatal_exit("Could not create respip set: out of memory");
|
||||
if(!views_apply_cfg(views, cfg))
|
||||
fatal_exit("Could not set up views");
|
||||
if(!respip_global_apply_cfg(respip, cfg))
|
||||
if(!respip_global_apply_cfg(respip, cfg))
|
||||
fatal_exit("Could not setup respip set");
|
||||
if(!respip_views_apply_cfg(views, cfg, &ignored))
|
||||
if(!respip_views_apply_cfg(views, cfg, &ignored))
|
||||
fatal_exit("Could not setup per-view respip sets");
|
||||
views_delete(views);
|
||||
respip_set_delete(respip);
|
||||
@ -178,7 +178,7 @@ warn_hosts(const char* typ, struct config_stub* list)
|
||||
fprintf(stderr, "unbound-checkconf: warning:"
|
||||
" %s %s: \"%s\" is an IP%s address, "
|
||||
"and when looked up as a host name "
|
||||
"during use may not resolve.\n",
|
||||
"during use may not resolve.\n",
|
||||
s->name, typ, h->str,
|
||||
addr_is_ip6(&a, alen)?"6":"4");
|
||||
}
|
||||
@ -230,7 +230,7 @@ aclchecks(struct config_file* cfg)
|
||||
socklen_t alen;
|
||||
struct config_str2list* acl;
|
||||
for(acl=cfg->acls; acl; acl = acl->next) {
|
||||
if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen,
|
||||
if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen,
|
||||
&d)) {
|
||||
fatal_exit("cannot parse access control address %s %s",
|
||||
acl->str, acl->str2);
|
||||
@ -240,7 +240,7 @@ aclchecks(struct config_file* cfg)
|
||||
|
||||
/** true if fname is a file */
|
||||
static int
|
||||
is_file(const char* fname)
|
||||
is_file(const char* fname)
|
||||
{
|
||||
struct stat buf;
|
||||
if(stat(fname, &buf) < 0) {
|
||||
@ -260,7 +260,7 @@ is_file(const char* fname)
|
||||
|
||||
/** true if fname is a directory */
|
||||
static int
|
||||
is_dir(const char* fname)
|
||||
is_dir(const char* fname)
|
||||
{
|
||||
struct stat buf;
|
||||
if(stat(fname, &buf) < 0) {
|
||||
@ -305,7 +305,7 @@ check_chroot_string(const char* desc, char** ss,
|
||||
fatal_exit("%s: \"%s\" does not exist in "
|
||||
"chrootdir %s", desc, str, chrootdir);
|
||||
else
|
||||
fatal_exit("%s: \"%s\" does not exist",
|
||||
fatal_exit("%s: \"%s\" does not exist",
|
||||
desc, str);
|
||||
}
|
||||
/* put in a new full path for continued checking */
|
||||
@ -332,8 +332,8 @@ check_chroot_filelist_wild(const char* desc, struct config_strlist* list,
|
||||
struct config_strlist* p;
|
||||
for(p=list; p; p=p->next) {
|
||||
#ifdef HAVE_GLOB
|
||||
if(strchr(p->str, '*') || strchr(p->str, '[') ||
|
||||
strchr(p->str, '?') || strchr(p->str, '{') ||
|
||||
if(strchr(p->str, '*') || strchr(p->str, '[') ||
|
||||
strchr(p->str, '?') || strchr(p->str, '{') ||
|
||||
strchr(p->str, '~')) {
|
||||
char* s = p->str;
|
||||
/* adjust whole pattern for chroot and check later */
|
||||
@ -370,11 +370,11 @@ morechecks(struct config_file* cfg, const char* fname)
|
||||
#ifdef UB_ON_WINDOWS
|
||||
w_config_adjust_directory(cfg);
|
||||
#endif
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] &&
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] &&
|
||||
cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
|
||||
fatal_exit("chootdir %s has trailing slash '/' please remove.",
|
||||
cfg->chrootdir);
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] &&
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] &&
|
||||
!is_dir(cfg->chrootdir)) {
|
||||
fatal_exit("bad chroot directory");
|
||||
}
|
||||
@ -416,16 +416,20 @@ morechecks(struct config_file* cfg, const char* fname)
|
||||
}
|
||||
}
|
||||
|
||||
check_chroot_filelist("file with root-hints",
|
||||
check_chroot_filelist("file with root-hints",
|
||||
cfg->root_hints, cfg->chrootdir, cfg);
|
||||
check_chroot_filelist("trust-anchor-file",
|
||||
check_chroot_filelist("trust-anchor-file",
|
||||
cfg->trust_anchor_file_list, cfg->chrootdir, cfg);
|
||||
check_chroot_filelist("auto-trust-anchor-file",
|
||||
check_chroot_filelist("auto-trust-anchor-file",
|
||||
cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
|
||||
check_chroot_filelist_wild("trusted-keys-file",
|
||||
check_chroot_filelist_wild("trusted-keys-file",
|
||||
cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
|
||||
check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
|
||||
check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
|
||||
cfg->chrootdir, cfg);
|
||||
#ifdef USE_IPSECMOD
|
||||
check_chroot_string("ipsecmod-hook", &cfg->ipsecmod_hook, cfg->chrootdir,
|
||||
cfg);
|
||||
#endif
|
||||
/* remove chroot setting so that modules are not stripping pathnames*/
|
||||
free(cfg->chrootdir);
|
||||
cfg->chrootdir = NULL;
|
||||
@ -434,21 +438,21 @@ morechecks(struct config_file* cfg, const char* fname)
|
||||
* dns64, but it's not explicitly confirmed, so the combination is
|
||||
* excluded below. It's simply unknown yet for the combination of
|
||||
* respip and other modules. */
|
||||
if(strcmp(cfg->module_conf, "iterator") != 0
|
||||
if(strcmp(cfg->module_conf, "iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "respip iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "respip validator iterator") != 0
|
||||
#ifdef WITH_PYTHONMODULE
|
||||
&& strcmp(cfg->module_conf, "python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "validator python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 python validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 python validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 validator python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python dns64 iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python dns64 validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python dns64 iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python dns64 validator iterator") != 0
|
||||
#endif
|
||||
#ifdef USE_CACHEDB
|
||||
&& strcmp(cfg->module_conf, "validator cachedb iterator") != 0
|
||||
@ -468,16 +472,28 @@ morechecks(struct config_file* cfg, const char* fname)
|
||||
&& strcmp(cfg->module_conf, "validator python cachedb iterator") != 0
|
||||
#endif
|
||||
#ifdef CLIENT_SUBNET
|
||||
&& strcmp(cfg->module_conf, "subnetcache iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "subnetcache iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
|
||||
#endif
|
||||
#if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET)
|
||||
&& strcmp(cfg->module_conf, "python subnetcache iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "subnetcache python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "subnetcache python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0
|
||||
#endif
|
||||
#ifdef USE_IPSECMOD
|
||||
&& strcmp(cfg->module_conf, "ipsecmod iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
|
||||
#endif
|
||||
#if defined(WITH_PYTHONMODULE) && defined(USE_IPSECMOD)
|
||||
&& strcmp(cfg->module_conf, "python ipsecmod iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python ipsecmod validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod python validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod validator python iterator") != 0
|
||||
#endif
|
||||
) {
|
||||
fatal_exit("module conf '%s' is not known to work",
|
||||
|
@ -161,7 +161,7 @@ usage(void)
|
||||
static const int inhibit_zero = 1;
|
||||
/** divide sum of timers to get average */
|
||||
static void
|
||||
timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
|
||||
timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
size_t leftover;
|
||||
@ -184,12 +184,14 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
|
||||
#define PR_UL_SUB(str, nm, var) printf(str".%s"SQ"%lu\n", nm, (unsigned long)(var));
|
||||
#define PR_TIMEVAL(str, var) printf(str SQ ARG_LL "d.%6.6d\n", \
|
||||
(long long)var.tv_sec, (int)var.tv_usec);
|
||||
#define PR_STATSTIME(str, var) printf(str SQ ARG_LL "d.%6.6d\n", \
|
||||
(long long)var ## _sec, (int)var ## _usec);
|
||||
#define PR_LL(str, var) printf(str SQ ARG_LL"d\n", (long long)(var));
|
||||
|
||||
/** print stat block */
|
||||
static void pr_stats(const char* nm, struct stats_info* s)
|
||||
static void pr_stats(const char* nm, struct ub_stats_info* s)
|
||||
{
|
||||
struct timeval avg;
|
||||
struct timeval sumwait, avg;
|
||||
PR_UL_NM("num.queries", s->svr.num_queries);
|
||||
PR_UL_NM("num.queries_ip_ratelimited",
|
||||
s->svr.num_queries_ip_ratelimited);
|
||||
@ -209,14 +211,18 @@ static void pr_stats(const char* nm, struct stats_info* s)
|
||||
printf("%s.requestlist.avg"SQ"%g\n", nm,
|
||||
(s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
|
||||
(double)s->svr.sum_query_list_size/
|
||||
(s->svr.num_queries_missed_cache+
|
||||
(double)(s->svr.num_queries_missed_cache+
|
||||
s->svr.num_queries_prefetch) : 0.0);
|
||||
PR_UL_NM("requestlist.max", s->svr.max_query_list_size);
|
||||
PR_UL_NM("requestlist.overwritten", s->mesh_jostled);
|
||||
PR_UL_NM("requestlist.exceeded", s->mesh_dropped);
|
||||
PR_UL_NM("requestlist.current.all", s->mesh_num_states);
|
||||
PR_UL_NM("requestlist.current.user", s->mesh_num_reply_states);
|
||||
timeval_divide(&avg, &s->mesh_replies_sum_wait, s->mesh_replies_sent);
|
||||
#ifndef S_SPLINT_S
|
||||
sumwait.tv_sec = s->mesh_replies_sum_wait_sec;
|
||||
sumwait.tv_usec = s->mesh_replies_sum_wait_usec;
|
||||
#endif
|
||||
timeval_divide(&avg, &sumwait, s->mesh_replies_sent);
|
||||
printf("%s.", nm);
|
||||
PR_TIMEVAL("recursion.time.avg", avg);
|
||||
printf("%s.recursion.time.median"SQ"%g\n", nm, s->mesh_time_median);
|
||||
@ -224,27 +230,31 @@ static void pr_stats(const char* nm, struct stats_info* s)
|
||||
}
|
||||
|
||||
/** print uptime */
|
||||
static void print_uptime(struct shm_stat_info* shm_stat)
|
||||
static void print_uptime(struct ub_shm_stat_info* shm_stat)
|
||||
{
|
||||
PR_TIMEVAL("time.now", shm_stat->time.now);
|
||||
PR_TIMEVAL("time.up", shm_stat->time.up);
|
||||
PR_TIMEVAL("time.elapsed", shm_stat->time.elapsed);
|
||||
PR_STATSTIME("time.now", shm_stat->time.now);
|
||||
PR_STATSTIME("time.up", shm_stat->time.up);
|
||||
PR_STATSTIME("time.elapsed", shm_stat->time.elapsed);
|
||||
}
|
||||
|
||||
/** print memory usage */
|
||||
static void print_mem(struct shm_stat_info* shm_stat)
|
||||
static void print_mem(struct ub_shm_stat_info* shm_stat)
|
||||
{
|
||||
PR_LL("mem.cache.rrset", shm_stat->mem.rrset);
|
||||
PR_LL("mem.cache.message", shm_stat->mem.msg);
|
||||
PR_LL("mem.cache.iterator", shm_stat->mem.iter);
|
||||
PR_LL("mem.cache.validator", shm_stat->mem.val);
|
||||
PR_LL("mem.mod.iterator", shm_stat->mem.iter);
|
||||
PR_LL("mem.mod.validator", shm_stat->mem.val);
|
||||
PR_LL("mem.mod.respip", shm_stat->mem.respip);
|
||||
#ifdef CLIENT_SUBNET
|
||||
PR_LL("mem.cache.subnet", shm_stat->mem.subnet);
|
||||
PR_LL("mem.mod.subnet", shm_stat->mem.subnet);
|
||||
#endif
|
||||
#ifdef USE_IPSECMOD
|
||||
PR_LL("mem.mod.ipsecmod", shm_stat->mem.ipsecmod);
|
||||
#endif
|
||||
}
|
||||
|
||||
/** print histogram */
|
||||
static void print_hist(struct stats_info* s)
|
||||
static void print_hist(struct ub_stats_info* s)
|
||||
{
|
||||
struct timehist* hist;
|
||||
size_t i;
|
||||
@ -264,13 +274,13 @@ static void print_hist(struct stats_info* s)
|
||||
}
|
||||
|
||||
/** print extended */
|
||||
static void print_extended(struct stats_info* s)
|
||||
static void print_extended(struct ub_stats_info* s)
|
||||
{
|
||||
int i;
|
||||
char nm[16];
|
||||
|
||||
/* TYPE */
|
||||
for(i=0; i<STATS_QTYPE_NUM; i++) {
|
||||
for(i=0; i<UB_STATS_QTYPE_NUM; i++) {
|
||||
if(inhibit_zero && s->svr.qtype[i] == 0)
|
||||
continue;
|
||||
sldns_wire2str_type_buf((uint16_t)i, nm, sizeof(nm));
|
||||
@ -281,7 +291,7 @@ static void print_extended(struct stats_info* s)
|
||||
}
|
||||
|
||||
/* CLASS */
|
||||
for(i=0; i<STATS_QCLASS_NUM; i++) {
|
||||
for(i=0; i<UB_STATS_QCLASS_NUM; i++) {
|
||||
if(inhibit_zero && s->svr.qclass[i] == 0)
|
||||
continue;
|
||||
sldns_wire2str_class_buf((uint16_t)i, nm, sizeof(nm));
|
||||
@ -292,7 +302,7 @@ static void print_extended(struct stats_info* s)
|
||||
}
|
||||
|
||||
/* OPCODE */
|
||||
for(i=0; i<STATS_OPCODE_NUM; i++) {
|
||||
for(i=0; i<UB_STATS_OPCODE_NUM; i++) {
|
||||
if(inhibit_zero && s->svr.qopcode[i] == 0)
|
||||
continue;
|
||||
sldns_wire2str_opcode_buf(i, nm, sizeof(nm));
|
||||
@ -317,7 +327,7 @@ static void print_extended(struct stats_info* s)
|
||||
PR_UL("num.query.edns.DO", s->svr.qEDNS_DO);
|
||||
|
||||
/* RCODE */
|
||||
for(i=0; i<STATS_RCODE_NUM; i++) {
|
||||
for(i=0; i<UB_STATS_RCODE_NUM; i++) {
|
||||
/* Always include RCODEs 0-5 */
|
||||
if(inhibit_zero && i > LDNS_RCODE_REFUSED && s->svr.ans_rcode[i] == 0)
|
||||
continue;
|
||||
@ -342,8 +352,8 @@ static void print_extended(struct stats_info* s)
|
||||
}
|
||||
|
||||
/** print statistics out of memory structures */
|
||||
static void do_stats_shm(struct config_file* cfg, struct stats_info* stats,
|
||||
struct shm_stat_info* shm_stat)
|
||||
static void do_stats_shm(struct config_file* cfg, struct ub_stats_info* stats,
|
||||
struct ub_shm_stat_info* shm_stat)
|
||||
{
|
||||
int i;
|
||||
char nm[16];
|
||||
@ -366,8 +376,8 @@ static void print_stats_shm(const char* cfgfile)
|
||||
{
|
||||
#ifdef HAVE_SHMGET
|
||||
struct config_file* cfg;
|
||||
struct stats_info* stats;
|
||||
struct shm_stat_info* shm_stat;
|
||||
struct ub_stats_info* stats;
|
||||
struct ub_shm_stat_info* shm_stat;
|
||||
int id_ctl, id_arr;
|
||||
/* read config */
|
||||
if(!(cfg = config_create()))
|
||||
@ -383,11 +393,11 @@ static void print_stats_shm(const char* cfgfile)
|
||||
if(id_arr == -1) {
|
||||
fatal_exit("shmget(%d): %s", cfg->shm_key+1, strerror(errno));
|
||||
}
|
||||
shm_stat = (struct shm_stat_info*)shmat(id_ctl, NULL, 0);
|
||||
shm_stat = (struct ub_shm_stat_info*)shmat(id_ctl, NULL, 0);
|
||||
if(shm_stat == (void*)-1) {
|
||||
fatal_exit("shmat(%d): %s", id_ctl, strerror(errno));
|
||||
}
|
||||
stats = (struct stats_info*)shmat(id_arr, NULL, 0);
|
||||
stats = (struct ub_stats_info*)shmat(id_arr, NULL, 0);
|
||||
if(stats == (void*)-1) {
|
||||
fatal_exit("shmat(%d): %s", id_arr, strerror(errno));
|
||||
}
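Review bot: print_stats_shm attaches the control and array segments with `shmat()` and then dereferences them as `struct ub_shm_stat_info` / `struct ub_stats_info`, but nothing checks that the segment is at least that large; this commit renames the stats structs and adds fields (mem.respip, mem.ipsecmod are printed in print_mem), so an unbound-control built from this tree reading the segments of a still-running older daemon would read past the end of a shorter segment. A size check after each attach closes that: `struct shmid_ds ds; if(shmctl(id_ctl, IPC_STAT, &ds) == -1 || ds.shm_segsz < sizeof(*shm_stat)) fatal_exit("shm segment %d is too small", id_ctl);` and the same for id_arr against `sizeof(*stats)`. The function body continues outside the hunk, so I could not see whether a later check already covers this.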
|
||||
|
@ -178,6 +178,7 @@ config_create(void)
|
||||
cfg->forwards = NULL;
|
||||
#ifdef CLIENT_SUBNET
|
||||
cfg->client_subnet = NULL;
|
||||
cfg->client_subnet_zone = NULL;
|
||||
cfg->client_subnet_opcode = LDNS_EDNS_CLIENT_SUBNET;
|
||||
cfg->client_subnet_always_forward = 0;
|
||||
cfg->max_client_subnet_ipv4 = 24;
|
||||
@ -206,6 +207,7 @@ config_create(void)
|
||||
cfg->trust_anchor_file_list = NULL;
|
||||
cfg->trust_anchor_list = NULL;
|
||||
cfg->trusted_keys_file_list = NULL;
|
||||
cfg->trust_anchor_signaling = 0;
|
||||
cfg->dlv_anchor_file = NULL;
|
||||
cfg->dlv_anchor_list = NULL;
|
||||
cfg->domain_insecure = NULL;
|
||||
@ -227,6 +229,7 @@ config_create(void)
|
||||
cfg->neg_cache_size = 1 * 1024 * 1024;
|
||||
cfg->local_zones = NULL;
|
||||
cfg->local_zones_nodefault = NULL;
|
||||
cfg->local_zones_disable_default = 0;
|
||||
cfg->local_data = NULL;
|
||||
cfg->local_zone_overrides = NULL;
|
||||
cfg->unblock_lan_zones = 0;
|
||||
@ -279,6 +282,14 @@ config_create(void)
|
||||
cfg->dnscrypt_provider = NULL;
|
||||
cfg->dnscrypt_provider_cert = NULL;
|
||||
cfg->dnscrypt_secret_key = NULL;
|
||||
#ifdef USE_IPSECMOD
|
||||
cfg->ipsecmod_enabled = 1;
|
||||
cfg->ipsecmod_ignore_bogus = 0;
|
||||
cfg->ipsecmod_hook = NULL;
|
||||
cfg->ipsecmod_max_ttl = 3600;
|
||||
cfg->ipsecmod_whitelist = NULL;
|
||||
cfg->ipsecmod_strict = 0;
|
||||
#endif
|
||||
return cfg;
|
||||
error_exit:
|
||||
config_delete(cfg);
|
||||
@ -480,6 +491,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_STRLIST("trust-anchor-file:", trust_anchor_file_list)
|
||||
else S_STRLIST("trust-anchor:", trust_anchor_list)
|
||||
else S_STRLIST("trusted-keys-file:", trusted_keys_file_list)
|
||||
else S_YNO("trust-anchor-signaling:", trust_anchor_signaling)
|
||||
else S_STR("dlv-anchor-file:", dlv_anchor_file)
|
||||
else S_STRLIST("dlv-anchor:", dlv_anchor_list)
|
||||
else S_STRLIST("domain-insecure:", domain_insecure)
|
||||
@ -522,6 +534,33 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
* generating the address tree. */
|
||||
/* No client-subnet-always-forward here, module registration depends on
|
||||
* this option. */
|
||||
#endif
|
||||
#ifdef USE_DNSTAP
|
||||
else S_YNO("dnstap-enable:", dnstap)
|
||||
else S_STR("dnstap-socket-path:", dnstap_socket_path)
|
||||
else S_YNO("dnstap-send-identity:", dnstap_send_identity)
|
||||
else S_YNO("dnstap-send-version:", dnstap_send_version)
|
||||
else S_STR("dnstap-identity:", dnstap_identity)
|
||||
else S_STR("dnstap-version:", dnstap_version)
|
||||
else S_YNO("dnstap-log-resolver-query-messages:",
|
||||
dnstap_log_resolver_query_messages)
|
||||
else S_YNO("dnstap-log-resolver-response-messages:",
|
||||
dnstap_log_resolver_response_messages)
|
||||
else S_YNO("dnstap-log-client-query-messages:",
|
||||
dnstap_log_client_query_messages)
|
||||
else S_YNO("dnstap-log-client-response-messages:",
|
||||
dnstap_log_client_response_messages)
|
||||
else S_YNO("dnstap-log-forwarder-query-messages:",
|
||||
dnstap_log_forwarder_query_messages)
|
||||
else S_YNO("dnstap-log-forwarder-response-messages:",
|
||||
dnstap_log_forwarder_response_messages)
|
||||
#endif
|
||||
#ifdef USE_DNSCRYPT
|
||||
else S_YNO("dnscrypt-enable:", dnscrypt)
|
||||
else S_NUMBER_NONZERO("dnscrypt-port:", dnscrypt_port)
|
||||
else S_STR("dnscrypt-provider:", dnscrypt_provider)
|
||||
else S_STRLIST("dnscrypt-provider-cert:", dnscrypt_provider_cert)
|
||||
else S_STRLIST("dnscrypt-secret-key:", dnscrypt_secret_key)
|
||||
#endif
|
||||
else if(strcmp(opt, "ip-ratelimit:") == 0) {
|
||||
IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
|
||||
@ -539,6 +578,13 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
|
||||
else S_YNO("qname-minimisation:", qname_minimisation)
|
||||
else S_YNO("qname-minimisation-strict:", qname_minimisation_strict)
|
||||
#ifdef USE_IPSECMOD
|
||||
else S_YNO("ipsecmod-enabled:", ipsecmod_enabled)
|
||||
else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus)
|
||||
else if(strcmp(opt, "ipsecmod-max-ttl:") == 0)
|
||||
{ IS_NUMBER_OR_ZERO; cfg->ipsecmod_max_ttl = atoi(val); }
|
||||
else S_YNO("ipsecmod-strict:", ipsecmod_strict)
|
||||
#endif
|
||||
else if(strcmp(opt, "define-tag:") ==0) {
|
||||
return config_add_tag(cfg, val);
|
||||
/* val_sig_skew_min and max are copied into val_env during init,
|
||||
@ -560,15 +606,16 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
cfg->out_ifs = oi;
|
||||
} else {
|
||||
/* unknown or unsupported (from the set_option interface):
|
||||
* interface, outgoing-interface, access-control,
|
||||
* interface, outgoing-interface, access-control,
|
||||
* stub-zone, name, stub-addr, stub-host, stub-prime
|
||||
* forward-first, stub-first, forward-ssl-upstream,
|
||||
* stub-ssl-upstream, forward-zone,
|
||||
* name, forward-addr, forward-host,
|
||||
* ratelimit-for-domain, ratelimit-below-domain,
|
||||
* local-zone-tag, access-control-view
|
||||
* send-client-subnet client-subnet-always-forward
|
||||
* max-client-subnet-ipv4 max-client-subnet-ipv6 */
|
||||
* local-zone-tag, access-control-view,
|
||||
* send-client-subnet, client-subnet-always-forward,
|
||||
* max-client-subnet-ipv4, max-client-subnet-ipv6, ipsecmod_hook,
|
||||
* ipsecmod_whitelist. */
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
@ -834,6 +881,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_LST(opt, "trust-anchor-file", trust_anchor_file_list)
|
||||
else O_LST(opt, "trust-anchor", trust_anchor_list)
|
||||
else O_LST(opt, "trusted-keys-file", trusted_keys_file_list)
|
||||
else O_YNO(opt, "trust-anchor-signaling", trust_anchor_signaling)
|
||||
else O_LST(opt, "dlv-anchor", dlv_anchor_list)
|
||||
else O_LST(opt, "control-interface", control_ifs)
|
||||
else O_LST(opt, "domain-insecure", domain_insecure)
|
||||
@ -842,10 +890,38 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin)
|
||||
#ifdef CLIENT_SUBNET
|
||||
else O_LST(opt, "send-client-subnet", client_subnet)
|
||||
else O_LST(opt, "client-subnet-zone", client_subnet_zone)
|
||||
else O_DEC(opt, "max-client-subnet-ipv4", max_client_subnet_ipv4)
|
||||
else O_DEC(opt, "max-client-subnet-ipv6", max_client_subnet_ipv6)
|
||||
else O_YNO(opt, "client-subnet-always-forward:",
|
||||
client_subnet_always_forward)
|
||||
#endif
|
||||
#ifdef USE_DNSTAP
|
||||
else O_YNO(opt, "dnstap-enable", dnstap)
|
||||
else O_STR(opt, "dnstap-socket-path", dnstap_socket_path)
|
||||
else O_YNO(opt, "dnstap-send-identity", dnstap_send_identity)
|
||||
else O_YNO(opt, "dnstap-send-version", dnstap_send_version)
|
||||
else O_STR(opt, "dnstap-identity", dnstap_identity)
|
||||
else O_STR(opt, "dnstap-version", dnstap_version)
|
||||
else O_YNO(opt, "dnstap-log-resolver-query-messages",
|
||||
dnstap_log_resolver_query_messages)
|
||||
else O_YNO(opt, "dnstap-log-resolver-response-messages",
|
||||
dnstap_log_resolver_response_messages)
|
||||
else O_YNO(opt, "dnstap-log-client-query-messages",
|
||||
dnstap_log_client_query_messages)
|
||||
else O_YNO(opt, "dnstap-log-client-response-messages",
|
||||
dnstap_log_client_response_messages)
|
||||
else O_YNO(opt, "dnstap-log-forwarder-query-messages",
|
||||
dnstap_log_forwarder_query_messages)
|
||||
else O_YNO(opt, "dnstap-log-forwarder-response-messages",
|
||||
dnstap_log_forwarder_response_messages)
|
||||
#endif
|
||||
#ifdef USE_DNSCRYPT
|
||||
else O_YNO(opt, "dnscrypt-enable", dnscrypt)
|
||||
else O_DEC(opt, "dnscrypt-port", dnscrypt_port)
|
||||
else O_STR(opt, "dnscrypt-provider", dnscrypt_provider)
|
||||
else O_LST(opt, "dnscrypt-provider-cert", dnscrypt_provider_cert)
|
||||
else O_LST(opt, "dnscrypt-secret-key", dnscrypt_secret_key)
|
||||
#endif
|
||||
else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
|
||||
else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
|
||||
@ -874,6 +950,14 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
|
||||
else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
|
||||
else O_LS2(opt, "access-control-view", acl_view)
|
||||
#ifdef USE_IPSECMOD
|
||||
else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled)
|
||||
else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus)
|
||||
else O_STR(opt, "ipsecmod-hook", ipsecmod_hook)
|
||||
else O_DEC(opt, "ipsecmod-max-ttl", ipsecmod_max_ttl)
|
||||
else O_LST(opt, "ipsecmod-whitelist", ipsecmod_whitelist)
|
||||
else O_YNO(opt, "ipsecmod-strict", ipsecmod_strict)
|
||||
#endif
|
||||
/* not here:
|
||||
* outgoing-permit, outgoing-avoid - have list of ports
|
||||
* local-zone - zones and nodefault variables
|
||||
@ -1131,11 +1215,13 @@ config_delete(struct config_file* cfg)
|
||||
config_delstrlist(cfg->root_hints);
|
||||
#ifdef CLIENT_SUBNET
|
||||
config_delstrlist(cfg->client_subnet);
|
||||
config_delstrlist(cfg->client_subnet_zone);
|
||||
#endif
|
||||
free(cfg->identity);
|
||||
free(cfg->version);
|
||||
free(cfg->module_conf);
|
||||
free(cfg->outgoing_avail_ports);
|
||||
free(cfg->python_script);
|
||||
config_delstrlist(cfg->caps_whitelist);
|
||||
config_delstrlist(cfg->private_address);
|
||||
config_delstrlist(cfg->private_domain);
|
||||
@ -1169,6 +1255,10 @@ config_delete(struct config_file* cfg)
|
||||
free(cfg->dnstap_version);
|
||||
config_deldblstrlist(cfg->ratelimit_for_domain);
|
||||
config_deldblstrlist(cfg->ratelimit_below_domain);
|
||||
#ifdef USE_IPSECMOD
|
||||
free(cfg->ipsecmod_hook);
|
||||
config_delstrlist(cfg->ipsecmod_whitelist);
|
||||
#endif
|
||||
free(cfg);
|
||||
}
|
||||
|
||||
|
@ -176,6 +176,8 @@ struct config_file {
|
||||
/** list of servers we send edns-client-subnet option to and
|
||||
* accept option from, linked list */
|
||||
struct config_strlist* client_subnet;
|
||||
/** list of zones we send edns-client-subnet option for */
|
||||
struct config_strlist* client_subnet_zone;
|
||||
/** opcode assigned by IANA for edns0-client-subnet option */
|
||||
uint16_t client_subnet_opcode;
|
||||
/** Do not check whitelist if incoming query contains an ECS record */
|
||||
@ -274,6 +276,8 @@ struct config_file {
|
||||
struct config_strlist* dlv_anchor_list;
|
||||
/** insecure domain list */
|
||||
struct config_strlist* domain_insecure;
|
||||
/** send key tag query */
|
||||
int trust_anchor_signaling;
|
||||
|
||||
/** if not 0, this value is the validation date for RRSIGs */
|
||||
int32_t val_date_override;
|
||||
@ -317,6 +321,8 @@ struct config_file {
|
||||
struct config_str2list* local_zones;
|
||||
/** local zones nodefault list */
|
||||
struct config_strlist* local_zones_nodefault;
|
||||
/** do not add any default local zone */
|
||||
int local_zones_disable_default;
|
||||
/** local data RRs configured */
|
||||
struct config_strlist* local_data;
|
||||
/** local zone override types per netblock */
|
||||
@ -458,6 +464,22 @@ struct config_file {
|
||||
struct config_strlist* dnscrypt_secret_key;
|
||||
/** dnscrypt provider certs 1.cert */
|
||||
struct config_strlist* dnscrypt_provider_cert;
|
||||
|
||||
/** IPsec module */
|
||||
#ifdef USE_IPSECMOD
|
||||
/** false to bypass the IPsec module */
|
||||
int ipsecmod_enabled;
|
||||
/** whitelisted domains for ipsecmod */
|
||||
struct config_strlist* ipsecmod_whitelist;
|
||||
/** path to external hook */
|
||||
char* ipsecmod_hook;
|
||||
/** true to proceed even with a bogus IPSECKEY */
|
||||
int ipsecmod_ignore_bogus;
|
||||
/** max TTL for the A/AAAA records that call the hook */
|
||||
int ipsecmod_max_ttl;
|
||||
/** false to proceed even when ipsecmod_hook fails */
|
||||
int ipsecmod_strict;
|
||||
#endif
|
||||
};
|
||||
|
||||
/** from cfg username, after daemonise setup performed */
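Review bot: The comment on `ipsecmod_hook` ("path to external hook") undersells that this field names a program the resolver will run, which makes it the most security-sensitive of the new options; it should read something like `/** path to the external hook program ipsecmod executes; must be a trusted, absolute path */` (how it is invoked is not visible here — check ipsecmod.c and say whether arguments come from DNS data). `ipsecmod_max_ttl` is a bare `int` with no stated unit or range; the comment should say seconds and whether 0 means "no cap" or "never call the hook", since the parser elsewhere accepts any integer for it. The negative phrasing on `ipsecmod_strict`, "false to proceed even when ipsecmod_hook fails", is clearer stated positively: `/** true to fail the query when the hook fails to run or returns an error */`.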
|
||||
|
@ -302,6 +302,7 @@ do-not-query-address{COLON} { YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) }
|
||||
do-not-query-localhost{COLON} { YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) }
|
||||
access-control{COLON} { YDVAR(2, VAR_ACCESS_CONTROL) }
|
||||
send-client-subnet{COLON} { YDVAR(1, VAR_SEND_CLIENT_SUBNET) }
|
||||
client-subnet-zone{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ZONE) }
|
||||
client-subnet-always-forward{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) }
|
||||
client-subnet-opcode{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) }
|
||||
max-client-subnet-ipv4{COLON} { YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) }
|
||||
@ -318,6 +319,7 @@ trust-anchor-file{COLON} { YDVAR(1, VAR_TRUST_ANCHOR_FILE) }
|
||||
auto-trust-anchor-file{COLON} { YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) }
|
||||
trusted-keys-file{COLON} { YDVAR(1, VAR_TRUSTED_KEYS_FILE) }
|
||||
trust-anchor{COLON} { YDVAR(1, VAR_TRUST_ANCHOR) }
|
||||
trust-anchor-signaling{COLON} { YDVAR(1, VAR_TRUST_ANCHOR_SIGNALING) }
|
||||
val-override-date{COLON} { YDVAR(1, VAR_VAL_OVERRIDE_DATE) }
|
||||
val-sig-skew-min{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MIN) }
|
||||
val-sig-skew-max{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
|
||||
@ -416,6 +418,12 @@ dnscrypt-port{COLON} { YDVAR(1, VAR_DNSCRYPT_PORT) }
|
||||
dnscrypt-provider{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER) }
|
||||
dnscrypt-secret-key{COLON} { YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) }
|
||||
dnscrypt-provider-cert{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) }
|
||||
ipsecmod-enabled{COLON} { YDVAR(1, VAR_IPSECMOD_ENABLED) }
|
||||
ipsecmod-ignore-bogus{COLON} { YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
|
||||
ipsecmod-hook{COLON} { YDVAR(1, VAR_IPSECMOD_HOOK) }
|
||||
ipsecmod-max-ttl{COLON} { YDVAR(1, VAR_IPSECMOD_MAX_TTL) }
|
||||
ipsecmod-whitelist{COLON} { YDVAR(1, VAR_IPSECMOD_WHITELIST) }
|
||||
ipsecmod-strict{COLON} { YDVAR(1, VAR_IPSECMOD_STRICT) }
|
||||
<INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
|
||||
|
||||
/* Quoted strings. Strip leading and ending quotes */
|
||||
|
@ -131,8 +131,8 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
|
||||
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN
|
||||
%token VAR_IP_RATELIMIT_FACTOR VAR_RATELIMIT_FACTOR
|
||||
%token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ALWAYS_FORWARD
|
||||
%token VAR_CLIENT_SUBNET_OPCODE
|
||||
%token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ZONE
|
||||
%token VAR_CLIENT_SUBNET_ALWAYS_FORWARD VAR_CLIENT_SUBNET_OPCODE
|
||||
%token VAR_MAX_CLIENT_SUBNET_IPV4 VAR_MAX_CLIENT_SUBNET_IPV6
|
||||
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
|
||||
%token VAR_QNAME_MINIMISATION VAR_QNAME_MINIMISATION_STRICT VAR_IP_FREEBIND
|
||||
@ -140,10 +140,12 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_LOCAL_ZONE_OVERRIDE VAR_ACCESS_CONTROL_TAG_ACTION
|
||||
%token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW
|
||||
%token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_FAKE_DSA VAR_FAKE_SHA1
|
||||
%token VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR
|
||||
%token VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR VAR_TRUST_ANCHOR_SIGNALING
|
||||
%token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
|
||||
%token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
|
||||
%token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
|
||||
%token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
|
||||
%token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
|
||||
|
||||
%%
|
||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||
@ -215,7 +217,7 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_ratelimit_for_domain |
|
||||
server_ratelimit_below_domain | server_ratelimit_factor |
|
||||
server_ip_ratelimit_factor | server_send_client_subnet |
|
||||
server_client_subnet_always_forward |
|
||||
server_client_subnet_zone | server_client_subnet_always_forward |
|
||||
server_client_subnet_opcode |
|
||||
server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 |
|
||||
server_caps_whitelist | server_cache_max_negative_ttl |
|
||||
@ -228,7 +230,10 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_fake_dsa | server_log_identity | server_use_systemd |
|
||||
server_response_ip_tag | server_response_ip | server_response_ip_data |
|
||||
server_shm_enable | server_shm_key | server_fake_sha1 |
|
||||
server_hide_trustanchor
|
||||
server_hide_trustanchor | server_trust_anchor_signaling |
|
||||
server_ipsecmod_enabled | server_ipsecmod_hook |
|
||||
server_ipsecmod_ignore_bogus | server_ipsecmod_max_ttl |
|
||||
server_ipsecmod_whitelist | server_ipsecmod_strict
|
||||
;
|
||||
stubstart: VAR_STUB_ZONE
|
||||
{
|
||||
@ -370,6 +375,18 @@ server_send_client_subnet: VAR_SEND_CLIENT_SUBNET STRING_ARG
|
||||
#endif
|
||||
}
|
||||
;
|
||||
server_client_subnet_zone: VAR_CLIENT_SUBNET_ZONE STRING_ARG
|
||||
{
|
||||
#ifdef CLIENT_SUBNET
|
||||
OUTYY(("P(server_client_subnet_zone:%s)\n", $2));
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->client_subnet_zone,
|
||||
$2))
|
||||
fatal_exit("out of memory adding client-subnet-zone");
|
||||
#else
|
||||
OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
|
||||
#endif
|
||||
}
|
||||
;
|
||||
server_client_subnet_always_forward:
|
||||
VAR_CLIENT_SUBNET_ALWAYS_FORWARD STRING_ARG
|
||||
{
|
||||
@ -783,6 +800,17 @@ server_trust_anchor: VAR_TRUST_ANCHOR STRING_ARG
|
||||
yyerror("out of memory");
|
||||
}
|
||||
;
|
||||
server_trust_anchor_signaling: VAR_TRUST_ANCHOR_SIGNALING STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_trust_anchor_signaling:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else
|
||||
cfg_parser->cfg->trust_anchor_signaling =
|
||||
(strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_domain_insecure: VAR_DOMAIN_INSECURE STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_domain_insecure:%s)\n", $2));
|
||||
@ -1783,6 +1811,80 @@ server_qname_minimisation_strict: VAR_QNAME_MINIMISATION_STRICT STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_ipsecmod_enabled: VAR_IPSECMOD_ENABLED STRING_ARG
|
||||
{
|
||||
#ifdef USE_IPSECMOD
|
||||
OUTYY(("P(server_ipsecmod_enabled:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->ipsecmod_enabled = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
#else
|
||||
OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
|
||||
#endif
|
||||
}
|
||||
;
|
||||
server_ipsecmod_ignore_bogus: VAR_IPSECMOD_IGNORE_BOGUS STRING_ARG
|
||||
{
|
||||
#ifdef USE_IPSECMOD
|
||||
OUTYY(("P(server_ipsecmod_ignore_bogus:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->ipsecmod_ignore_bogus = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
#else
|
||||
OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
|
||||
#endif
|
||||
}
|
||||
;
|
||||
server_ipsecmod_hook: VAR_IPSECMOD_HOOK STRING_ARG
|
||||
{
|
||||
#ifdef USE_IPSECMOD
|
||||
OUTYY(("P(server_ipsecmod_hook:%s)\n", $2));
|
||||
free(cfg_parser->cfg->ipsecmod_hook);
|
||||
cfg_parser->cfg->ipsecmod_hook = $2;
|
||||
#else
|
||||
OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
|
||||
#endif
|
||||
}
|
||||
;
|
||||
server_ipsecmod_max_ttl: VAR_IPSECMOD_MAX_TTL STRING_ARG
|
||||
{
|
||||
#ifdef USE_IPSECMOD
|
||||
OUTYY(("P(server_ipsecmod_max_ttl:%s)\n", $2));
|
||||
if(atoi($2) == 0 && strcmp($2, "0") != 0)
|
||||
yyerror("number expected");
|
||||
else cfg_parser->cfg->ipsecmod_max_ttl = atoi($2);
|
||||
free($2);
|
||||
#else
|
||||
OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
|
||||
#endif
|
||||
}
|
||||
;
|
||||
server_ipsecmod_whitelist: VAR_IPSECMOD_WHITELIST STRING_ARG
|
||||
{
|
||||
#ifdef USE_IPSECMOD
|
||||
OUTYY(("P(server_ipsecmod_whitelist:%s)\n", $2));
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->ipsecmod_whitelist, $2))
|
||||
yyerror("out of memory");
|
||||
#else
|
||||
OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
|
||||
#endif
|
||||
}
|
||||
;
|
||||
server_ipsecmod_strict: VAR_IPSECMOD_STRICT STRING_ARG
|
||||
{
|
||||
#ifdef USE_IPSECMOD
|
||||
OUTYY(("P(server_ipsecmod_strict:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->ipsecmod_strict = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
#else
|
||||
OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
|
||||
#endif
|
||||
}
|
||||
;
|
||||
stub_name: VAR_NAME STRING_ARG
|
||||
{
|
||||
OUTYY(("P(name:%s)\n", $2));
|
||||
@ -2227,6 +2329,7 @@ dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->dnscrypt = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
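Review bot: The six new `server_ipsecmod_*` rules leak the lexer-allocated `$2` whenever Unbound is built without USE_IPSECMOD: in `server_ipsecmod_enabled`, `server_ipsecmod_ignore_bogus`, `server_ipsecmod_max_ttl` and `server_ipsecmod_strict` the `free($2);` sits inside the `#ifdef` branch, and `server_ipsecmod_hook` and `server_ipsecmod_whitelist` have no free in their `#else` branch at all. Move `free($2);` below the `#endif` in the four yes/no and number rules, and add `free($2);` to the `#else` branch of the hook and whitelist rules (the `#ifdef` side hands the string to cfg, assuming `cfg_strlist_insert` takes ownership as the other list rules rely on). The pre-existing `server_client_subnet_zone` rule in this section has the same shape, so this follows the file's pattern, but an ipsecmod option in a config read by a non-ipsecmod build still leaks once per option. Separately, `server_ipsecmod_max_ttl` accepts negative values through the `atoi` idiom; a `if(atoi($2) < 0) yyerror("ttl must not be negative")` check would match the field's "max TTL" meaning.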
|
||||
|
||||
|
@ -647,6 +647,8 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
|
||||
sldns_buffer_clear(buffer);
|
||||
if(udpsize < sldns_buffer_limit(buffer))
|
||||
sldns_buffer_set_limit(buffer, udpsize);
|
||||
else if(sldns_buffer_limit(buffer) < udpsize)
|
||||
udpsize = sldns_buffer_limit(buffer);
|
||||
if(sldns_buffer_remaining(buffer) < LDNS_HEADER_SIZE)
|
||||
return 0;
|
||||
|
||||
@ -810,7 +812,7 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
|
||||
struct edns_data* edns, int dnssec, int secure)
|
||||
{
|
||||
uint16_t flags;
|
||||
int attach_edns = 1;
|
||||
unsigned int attach_edns = 0;
|
||||
|
||||
if(!cached || rep->authoritative) {
|
||||
/* original flags, copy RD and CD bits from query. */
|
||||
@ -833,12 +835,15 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
|
||||
log_assert(flags & BIT_QR); /* QR bit must be on in our replies */
|
||||
if(udpsize < LDNS_HEADER_SIZE)
|
||||
return 0;
|
||||
if(sldns_buffer_capacity(pkt) < udpsize)
|
||||
udpsize = sldns_buffer_capacity(pkt);
|
||||
if(udpsize < LDNS_HEADER_SIZE + calc_edns_field_size(edns)) {
|
||||
/* packet too small to contain edns, omit it. */
|
||||
attach_edns = 0;
|
||||
} else {
|
||||
/* reserve space for edns record */
|
||||
udpsize -= calc_edns_field_size(edns);
|
||||
attach_edns = (unsigned int)calc_edns_field_size(edns);
|
||||
udpsize -= attach_edns;
|
||||
}
|
||||
|
||||
if(!reply_info_encode(qinf, rep, id, flags, pkt, timenow, region,
|
||||
@ -846,7 +851,8 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
|
||||
log_err("reply encode: out of memory");
|
||||
return 0;
|
||||
}
|
||||
if(attach_edns)
|
||||
if(attach_edns && sldns_buffer_capacity(pkt) >=
|
||||
sldns_buffer_limit(pkt)+attach_edns)
|
||||
attach_edns_record(pkt, edns);
|
||||
return 1;
|
||||
}
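Review bot: The new guard before `attach_edns_record` silently drops the OPT record when `sldns_buffer_capacity(pkt) < sldns_buffer_limit(pkt)+attach_edns` and still returns 1, so a client that sent EDNS (for instance with DO set) gets a reply that looks like it came from a non-EDNS server with no trace in the logs. Given that `udpsize` is already capped to the capacity and reduced by the EDNS size a few lines above, this branch should be unreachable unless something in `reply_info_encode` (whose hunk here is cut) grows the limit, so a `verbose(VERB_ALGO, "reply too large for EDNS, omitting OPT")` in that branch would at least make it visible when it does fire. As a point of style, `calc_edns_field_size(edns)` is evaluated twice in the `if`/`else`; hoisting it into one local, `uint16_t ednssize = calc_edns_field_size(edns);`, and using it for both the comparison and `attach_edns` reads cleaner.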
|
||||
|
@ -1018,7 +1018,7 @@ parse_extract_edns(struct msg_parse* msg, struct edns_data* edns,
|
||||
edns->opt_list = NULL;
|
||||
|
||||
/* take the options */
|
||||
rdata_len = found->rr_first->size;
|
||||
rdata_len = found->rr_first->size-2;
|
||||
rdata_ptr = found->rr_first->ttl_data+6;
|
||||
if(!parse_edns_options(rdata_ptr, rdata_len, edns, region))
|
||||
return 0;
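Review bot: `rdata_len = found->rr_first->size-2;` now depends on `size` always being at least 2 (the rdlength prefix that `ttl_data+6` steps over); if `size` is an unsigned type, which I cannot see from here, a zero-size OPT RR would underflow to a huge `rdata_len` and let `parse_edns_options` read far past the packet. If earlier parsing guarantees `size == rdlength + 2`, state that invariant where it is relied on, `/* size includes the 2-byte rdlength; rdata starts at ttl_data+6 */` together with `log_assert(found->rr_first->size >= 2);`, or make it defensive with `if(found->rr_first->size < 2) return 0;`. `parse_extract_edns` starts and ends outside this hunk.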
|
||||
|
@ -49,6 +49,7 @@
|
||||
#include "services/outside_network.h"
|
||||
#include "services/mesh.h"
|
||||
#include "services/localzone.h"
|
||||
#include "services/authzone.h"
|
||||
#include "services/cache/infra.h"
|
||||
#include "services/cache/rrset.h"
|
||||
#include "services/view.h"
|
||||
@ -83,6 +84,9 @@
|
||||
#ifdef USE_CACHEDB
|
||||
#include "cachedb/cachedb.h"
|
||||
#endif
|
||||
#ifdef USE_IPSECMOD
|
||||
#include "ipsecmod/ipsecmod.h"
|
||||
#endif
|
||||
#ifdef CLIENT_SUBNET
|
||||
#include "edns-subnet/subnetmod.h"
|
||||
#endif
|
||||
@ -209,6 +213,8 @@ fptr_whitelist_rbtree_cmp(int (*fptr) (const void *, const void *))
|
||||
else if(fptr == &probetree_cmp) return 1;
|
||||
else if(fptr == &replay_var_compare) return 1;
|
||||
else if(fptr == &view_cmp) return 1;
|
||||
else if(fptr == &auth_zone_cmp) return 1;
|
||||
else if(fptr == &auth_data_cmp) return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -306,6 +312,16 @@ fptr_whitelist_modenv_attach_sub(int (*fptr)(
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
fptr_whitelist_modenv_add_sub(int (*fptr)(
|
||||
struct module_qstate* qstate, struct query_info* qinfo,
|
||||
uint16_t qflags, int prime, int valrec, struct module_qstate** newq,
|
||||
struct mesh_state** sub))
|
||||
{
|
||||
if(fptr == &mesh_add_sub) return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
fptr_whitelist_modenv_kill_sub(void (*fptr)(struct module_qstate* newq))
|
||||
{
|
||||
@ -335,6 +351,9 @@ fptr_whitelist_mod_init(int (*fptr)(struct module_env* env, int id))
|
||||
#ifdef USE_CACHEDB
|
||||
else if(fptr == &cachedb_init) return 1;
|
||||
#endif
|
||||
#ifdef USE_IPSECMOD
|
||||
else if(fptr == &ipsecmod_init) return 1;
|
||||
#endif
|
||||
#ifdef CLIENT_SUBNET
|
||||
else if(fptr == &subnetmod_init) return 1;
|
||||
#endif
|
||||
@ -354,6 +373,9 @@ fptr_whitelist_mod_deinit(void (*fptr)(struct module_env* env, int id))
|
||||
#ifdef USE_CACHEDB
|
||||
else if(fptr == &cachedb_deinit) return 1;
|
||||
#endif
|
||||
#ifdef USE_IPSECMOD
|
||||
else if(fptr == &ipsecmod_deinit) return 1;
|
||||
#endif
|
||||
#ifdef CLIENT_SUBNET
|
||||
else if(fptr == &subnetmod_deinit) return 1;
|
||||
#endif
|
||||
@ -374,6 +396,9 @@ fptr_whitelist_mod_operate(void (*fptr)(struct module_qstate* qstate,
|
||||
#ifdef USE_CACHEDB
|
||||
else if(fptr == &cachedb_operate) return 1;
|
||||
#endif
|
||||
#ifdef USE_IPSECMOD
|
||||
else if(fptr == &ipsecmod_operate) return 1;
|
||||
#endif
|
||||
#ifdef CLIENT_SUBNET
|
||||
else if(fptr == &subnetmod_operate) return 1;
|
||||
#endif
|
||||
@ -394,6 +419,9 @@ fptr_whitelist_mod_inform_super(void (*fptr)(
|
||||
#ifdef USE_CACHEDB
|
||||
else if(fptr == &cachedb_inform_super) return 1;
|
||||
#endif
|
||||
#ifdef USE_IPSECMOD
|
||||
else if(fptr == &ipsecmod_inform_super) return 1;
|
||||
#endif
|
||||
#ifdef CLIENT_SUBNET
|
||||
else if(fptr == &subnetmod_inform_super) return 1;
|
||||
#endif
|
||||
@ -414,6 +442,9 @@ fptr_whitelist_mod_clear(void (*fptr)(struct module_qstate* qstate,
|
||||
#ifdef USE_CACHEDB
|
||||
else if(fptr == &cachedb_clear) return 1;
|
||||
#endif
|
||||
#ifdef USE_IPSECMOD
|
||||
else if(fptr == &ipsecmod_clear) return 1;
|
||||
#endif
|
||||
#ifdef CLIENT_SUBNET
|
||||
else if(fptr == &subnetmod_clear) return 1;
|
||||
#endif
|
||||
@ -433,6 +464,9 @@ fptr_whitelist_mod_get_mem(size_t (*fptr)(struct module_env* env, int id))
|
||||
#ifdef USE_CACHEDB
|
||||
else if(fptr == &cachedb_get_mem) return 1;
|
||||
#endif
|
||||
#ifdef USE_IPSECMOD
|
||||
else if(fptr == &ipsecmod_get_mem) return 1;
|
||||
#endif
|
||||
#ifdef CLIENT_SUBNET
|
||||
else if(fptr == &subnetmod_get_mem) return 1;
|
||||
#endif
|
||||
|
@ -233,6 +233,15 @@ int fptr_whitelist_modenv_attach_sub(int (*fptr)(
|
||||
struct module_qstate* qstate, struct query_info* qinfo,
|
||||
uint16_t qflags, int prime, int valrec, struct module_qstate** newq));
|
||||
|
||||
/**
|
||||
* Check function pointer whitelist for module_env add_sub callback values.
|
||||
*
|
||||
* @param fptr: function pointer to check.
|
||||
* @return false if not in whitelist.
|
||||
*/
|
||||
int fptr_whitelist_modenv_add_sub(int (*fptr)(struct module_qstate* qstate,
|
||||
struct query_info* qinfo, uint16_t qflags, int prime, int valrec,
|
||||
struct module_qstate** newq, struct mesh_state** sub));
|
||||
/**
|
||||
* Check function pointer whitelist for module_env kill_sub callback values.
|
||||
*
|
||||
|
@ -29,7 +29,6 @@
|
||||
44,
|
||||
45,
|
||||
46,
|
||||
47,
|
||||
48,
|
||||
49,
|
||||
50,
|
||||
@ -41,7 +40,6 @@
|
||||
57,
|
||||
58,
|
||||
59,
|
||||
61,
|
||||
62,
|
||||
63,
|
||||
64,
|
||||
@ -4575,6 +4573,7 @@
|
||||
7014,
|
||||
7015,
|
||||
7016,
|
||||
7017,
|
||||
7019,
|
||||
7020,
|
||||
7021,
|
||||
@ -4855,6 +4854,7 @@
|
||||
8793,
|
||||
8800,
|
||||
8804,
|
||||
8805,
|
||||
8808,
|
||||
8873,
|
||||
8880,
|
||||
@ -5463,3 +5463,4 @@
|
||||
48556,
|
||||
48619,
|
||||
48653,
|
||||
49001,
|
||||
|
@ -103,8 +103,12 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
|
||||
use_syslog?"syslog":(filename&&filename[0]?filename:"stderr"));
|
||||
lock_quick_lock(&log_lock);
|
||||
}
|
||||
if(logfile && logfile != stderr)
|
||||
fclose(logfile);
|
||||
if(logfile && logfile != stderr) {
|
||||
FILE* cl = logfile;
|
||||
logfile = NULL; /* set to NULL before it is closed, so that
|
||||
other threads have a valid logfile or NULL */
|
||||
fclose(cl);
|
||||
}
|
||||
#ifdef HAVE_SYSLOG_H
|
||||
if(logging_to_syslog) {
|
||||
closelog();
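Review bot: Clearing `logfile` before `fclose(cl)` only protects a reader that observes the store; a thread that loaded `logfile` just before the assignment still writes to a closed FILE*, and without the reader also holding `log_lock` (taken here just above) or an atomic there is no ordering guarantee between the store and the close. If `log_vmsg` and the other readers take `log_lock` around their use of `logfile` (not visible here) then this is belt and braces and the comment should say so: `/* readers hold log_lock; clearing first means a late reader sees NULL, never a closed FILE* */`. If they do not, the race is still there and the fix is on the reader side, not here.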
|
||||
|
@ -382,6 +382,37 @@ struct module_env {
|
||||
struct query_info* qinfo, uint16_t qflags, int prime,
|
||||
int valrec, struct module_qstate** newq);
|
||||
|
||||
/**
|
||||
* Add detached query.
|
||||
* Creates it if it does not exist already.
|
||||
* Does not make super/sub references.
|
||||
* Performs a cycle detection - for double check - and fails if there is
|
||||
* one.
|
||||
* Updates stat items in mesh_area structure.
|
||||
* Pass if it is priming query or not.
|
||||
* return:
|
||||
* o if error (malloc) happened.
|
||||
* o need to initialise the new state (module init; it is a new state).
|
||||
* so that the next run of the query with this module is successful.
|
||||
* o no init needed, attachment successful.
|
||||
* o added subquery, created if it did not exist already.
|
||||
*
|
||||
* @param qstate: the state to find mesh state, and that wants to receive
|
||||
* the results from the new subquery.
|
||||
* @param qinfo: what to query for (copied).
|
||||
* @param qflags: what flags to use (RD / CD flag or not).
|
||||
* @param prime: if it is a (stub) priming query.
|
||||
* @param valrec: if it is a validation recursion query (lookup of key, DS).
|
||||
* @param newq: If the new subquery needs initialisation, it is returned,
|
||||
* otherwise NULL is returned.
|
||||
* @param sub: The added mesh state, created if it did not exist already.
|
||||
* @return: false on error, true if success (and init may be needed).
|
||||
*/
|
||||
int (*add_sub)(struct module_qstate* qstate,
|
||||
struct query_info* qinfo, uint16_t qflags, int prime,
|
||||
int valrec, struct module_qstate** newq,
|
||||
struct mesh_state** sub);
|
||||
|
||||
/**
|
||||
* Kill newly attached sub. If attach_sub returns newq for
|
||||
* initialisation, but that fails, then this routine will cleanup and
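Review bot: The `return:` list in the new `add_sub` comment ("o if error", "o need to initialise the new state", "o no init needed", "o added subquery") presents four outcomes as if they were return values, but the pointer returns an `int` that the `@return` line below documents as just false on error and true on success, with the other distinctions carried by `newq` and `sub`. It reads as copied from `attach_sub`; trim it to what the int actually means, e.g. `@return false if allocation failed; true otherwise, with *newq set when the new state still needs module init and *sub set to the mesh state`. "Pass if it is priming query or not." also duplicates `@param prime` and can go.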
|
||||
|
@ -666,7 +666,7 @@ comm_point_udp_callback(int fd, short event, void* arg)
|
||||
struct comm_reply rep;
|
||||
ssize_t rcv;
|
||||
int i;
|
||||
struct sldns_buffer *buffer;
|
||||
struct sldns_buffer *buffer;
|
||||
|
||||
rep.c = (struct comm_point*)arg;
|
||||
log_assert(rep.c->type == comm_udp);
|
||||
@ -704,9 +704,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
|
||||
if((*rep.c->callback)(rep.c, rep.c->cb_arg, NETEVENT_NOERROR, &rep)) {
|
||||
/* send back immediate reply */
|
||||
#ifdef USE_DNSCRYPT
|
||||
buffer = rep.c->dnscrypt_buffer;
|
||||
buffer = rep.c->dnscrypt_buffer;
|
||||
#else
|
||||
buffer = rep.c->buffer;
|
||||
buffer = rep.c->buffer;
|
||||
#endif
|
||||
(void)comm_point_send_udp_msg(rep.c, buffer,
|
||||
(struct sockaddr*)&rep.addr, rep.addrlen);
|
||||
@ -725,8 +725,8 @@ setup_tcp_handler(struct comm_point* c, int fd, int cur, int max)
|
||||
log_assert(c->fd == -1);
|
||||
sldns_buffer_clear(c->buffer);
|
||||
#ifdef USE_DNSCRYPT
|
||||
if (c->dnscrypt)
|
||||
sldns_buffer_clear(c->dnscrypt_buffer);
|
||||
if (c->dnscrypt)
|
||||
sldns_buffer_clear(c->dnscrypt_buffer);
|
||||
#endif
|
||||
c->tcp_is_reading = 1;
|
||||
c->tcp_byte_count = 0;
|
||||
@ -1407,12 +1407,34 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c)
|
||||
if(errno == EINTR || errno == EAGAIN)
|
||||
return 1;
|
||||
/* Not handling EISCONN here as shouldn't ever hit that case.*/
|
||||
if(errno != 0 && verbosity < 2)
|
||||
if(errno != EPIPE && errno != 0 && verbosity < 2)
|
||||
return 0; /* silence lots of chatter in the logs */
|
||||
else if(errno != 0)
|
||||
if(errno != EPIPE && errno != 0) {
|
||||
log_err_addr("tcp sendmsg", strerror(errno),
|
||||
&c->repinfo.addr, c->repinfo.addrlen);
|
||||
return 0;
|
||||
return 0;
|
||||
}
|
||||
/* fallthrough to nonFASTOPEN
|
||||
* (MSG_FASTOPEN on Linux 3 produces EPIPE)
|
||||
* we need to perform connect() */
|
||||
if(connect(fd, (struct sockaddr *)&c->repinfo.addr, c->repinfo.addrlen) == -1) {
|
||||
#ifdef EINPROGRESS
|
||||
if(errno == EINPROGRESS)
|
||||
return 1; /* wait until connect done*/
|
||||
#endif
|
||||
#ifdef USE_WINSOCK
|
||||
if(WSAGetLastError() == WSAEINPROGRESS ||
|
||||
WSAGetLastError() == WSAEWOULDBLOCK)
|
||||
return 1; /* wait until connect done*/
|
||||
#endif
|
||||
if(tcp_connect_errno_needs_log(
|
||||
(struct sockaddr *)&c->repinfo.addr, c->repinfo.addrlen)) {
|
||||
log_err_addr("outgoing tcp: connect after EPIPE for fastopen",
|
||||
strerror(errno), &c->repinfo.addr, c->repinfo.addrlen);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
} else {
|
||||
c->tcp_byte_count += r;
|
||||
if(c->tcp_byte_count < sizeof(uint16_t))
|
||||
@ -1525,13 +1547,13 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg)
|
||||
if(c->tcp_parent) {
|
||||
c->dnscrypt = c->tcp_parent->dnscrypt;
|
||||
}
|
||||
if(c->dnscrypt && c->dnscrypt_buffer == c->buffer) {
|
||||
c->dnscrypt_buffer = sldns_buffer_new(sldns_buffer_capacity(c->buffer));
|
||||
if(!c->dnscrypt_buffer) {
|
||||
log_err("Could not allocate dnscrypt buffer");
|
||||
return;
|
||||
}
|
||||
}
|
||||
if(c->dnscrypt && c->dnscrypt_buffer == c->buffer) {
|
||||
c->dnscrypt_buffer = sldns_buffer_new(sldns_buffer_capacity(c->buffer));
|
||||
if(!c->dnscrypt_buffer) {
|
||||
log_err("Could not allocate dnscrypt buffer");
|
||||
return;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
if(event&UB_EV_READ) {
|
||||
@ -1691,8 +1713,8 @@ comm_point_create_udp_ancil(struct comm_base *base, int fd,
|
||||
c->tcp_do_close = 0;
|
||||
c->do_not_close = 0;
|
||||
#ifdef USE_DNSCRYPT
|
||||
c->dnscrypt = 0;
|
||||
c->dnscrypt_buffer = buffer;
|
||||
c->dnscrypt = 0;
|
||||
c->dnscrypt_buffer = buffer;
|
||||
#endif
|
||||
c->inuse = 0;
|
||||
c->tcp_do_toggle_rw = 0;
|
||||
@ -1766,10 +1788,10 @@ comm_point_create_tcp_handler(struct comm_base *base,
|
||||
c->tcp_do_fastopen = 0;
|
||||
#endif
|
||||
#ifdef USE_DNSCRYPT
|
||||
c->dnscrypt = 0;
|
||||
// We don't know just yet if this is a dnscrypt channel. Allocation
|
||||
// will be done when handling the callback.
|
||||
c->dnscrypt_buffer = c->buffer;
|
||||
c->dnscrypt = 0;
|
||||
/* We don't know just yet if this is a dnscrypt channel. Allocation
|
||||
* will be done when handling the callback. */
|
||||
c->dnscrypt_buffer = c->buffer;
|
||||
#endif
|
||||
c->repinfo.c = c;
|
||||
c->callback = callback;
|
||||
@ -2098,11 +2120,11 @@ comm_point_delete(struct comm_point* c)
|
||||
if(c->type == comm_tcp || c->type == comm_local) {
|
||||
sldns_buffer_free(c->buffer);
|
||||
#ifdef USE_DNSCRYPT
|
||||
if(c->dnscrypt && c->dnscrypt_buffer != c->buffer) {
|
||||
sldns_buffer_free(c->dnscrypt_buffer);
|
||||
}
|
||||
if(c->dnscrypt && c->dnscrypt_buffer != c->buffer) {
|
||||
sldns_buffer_free(c->dnscrypt_buffer);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
}
|
||||
ub_event_free(c->ev->ev);
|
||||
free(c->ev);
|
||||
free(c);
|
||||
@ -2115,7 +2137,7 @@ comm_point_send_reply(struct comm_reply *repinfo)
|
||||
log_assert(repinfo && repinfo->c);
|
||||
#ifdef USE_DNSCRYPT
|
||||
buffer = repinfo->c->dnscrypt_buffer;
|
||||
if(!dnsc_handle_uncurved_request(repinfo)) {
|
||||
if(!dnsc_handle_uncurved_request(repinfo)) {
|
||||
return;
|
||||
}
|
||||
#else
|
||||
@ -2239,12 +2261,12 @@ size_t comm_point_get_mem(struct comm_point* c)
|
||||
if(c->type == comm_tcp || c->type == comm_local) {
|
||||
s += sizeof(*c->buffer) + sldns_buffer_capacity(c->buffer);
|
||||
#ifdef USE_DNSCRYPT
|
||||
s += sizeof(*c->dnscrypt_buffer);
|
||||
if(c->buffer != c->dnscrypt_buffer) {
|
||||
s += sldns_buffer_capacity(c->dnscrypt_buffer);
|
||||
}
|
||||
s += sizeof(*c->dnscrypt_buffer);
|
||||
if(c->buffer != c->dnscrypt_buffer) {
|
||||
s += sldns_buffer_capacity(c->dnscrypt_buffer);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
}
|
||||
if(c->type == comm_tcp_accept) {
|
||||
int i;
|
||||
for(i=0; i<c->max_tcp_count; i++)
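Review bot: In the EPIPE fall-through added to `comm_point_tcp_handle_write`, the `errno` from the failed `connect()` is consulted twice, first by `tcp_connect_errno_needs_log(...)` and then by `strerror(errno)` in the `log_err_addr` call; if that helper (outside this hunk) or anything in the argument evaluation sets errno, the logged reason is wrong. Capturing it once, `int err = errno;` directly after the failed `connect()`, and using `err` in both places removes the dependence on that ordering. A one-line comment that a synchronous `connect()` success drops out of this block into the regular write path would also help, since `return 1` and `return 0` are the only exits visible in the hunk. The enclosing `if(r == -1)` block and the function continue outside the hunk.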
|
||||
|
@ -120,7 +120,7 @@ struct comm_reply {
|
||||
#ifdef USE_DNSCRYPT
|
||||
uint8_t client_nonce[crypto_box_HALF_NONCEBYTES];
|
||||
uint8_t nmkey[crypto_box_BEFORENMBYTES];
|
||||
const KeyPair *keypair;
|
||||
const dnsccert *dnsc_cert;
|
||||
int is_dnscrypted;
|
||||
#endif
|
||||
/** the return source interface data */
|
||||
@ -133,11 +133,11 @@ struct comm_reply {
|
||||
#elif defined(IP_RECVDSTADDR)
|
||||
struct in_addr v4addr;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
/** variable with return source data */
|
||||
pktinfo;
|
||||
/** max udp size for udp packets */
|
||||
size_t max_udp_size;
|
||||
/** max udp size for udp packets */
|
||||
size_t max_udp_size;
|
||||
};
|
||||
|
||||
/**
|
||||
@ -248,7 +248,7 @@ struct comm_point {
|
||||
#endif
|
||||
|
||||
#ifdef USE_DNSCRYPT
|
||||
/** Is this a dnscrypt channel */
|
||||
/** Is this a dnscrypt channel */
|
||||
int dnscrypt;
|
||||
/** encrypted buffer pointer. Either to perthread, or own buffer or NULL */
|
||||
struct sldns_buffer* dnscrypt_buffer;
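Review bot: The new `comm_reply` members `dnsc_cert` and `is_dnscrypted` (and the existing `client_nonce` and `nmkey`) carry no `/** */` comment, while every other field in the struct is documented (`/** the return source interface data */`, `/** max udp size for udp packets */`). Add one line each, e.g. `/** dnscrypt certificate selected for this query, NULL if none */` and `/** nonzero if the request was dnscrypt-encrypted and the reply must be too */` — the exact meaning is not visible here, so confirm against `dnsc_handle_uncurved_request` before committing the wording. A note on `nmkey` that it is a shared secret and should not be logged would also be useful.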
|
||||
|
@ -65,17 +65,17 @@
|
||||
#ifdef HAVE_SHMGET
|
||||
/** subtract timers and the values do not overflow or become negative */
|
||||
static void
|
||||
timeval_subtract(struct timeval* d, const struct timeval* end,
|
||||
stat_timeval_subtract(long long *d_sec, long long *d_usec, const struct timeval* end,
|
||||
const struct timeval* start)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
time_t end_usec = end->tv_usec;
|
||||
d->tv_sec = end->tv_sec - start->tv_sec;
|
||||
*d_sec = end->tv_sec - start->tv_sec;
|
||||
if(end_usec < start->tv_usec) {
|
||||
end_usec += 1000000;
|
||||
d->tv_sec--;
|
||||
(*d_sec)--;
|
||||
}
|
||||
d->tv_usec = end_usec - start->tv_usec;
|
||||
*d_usec = end_usec - start->tv_usec;
|
||||
#endif
|
||||
}
|
||||
#endif /* HAVE_SHMGET */
|
||||
@ -83,7 +83,7 @@ timeval_subtract(struct timeval* d, const struct timeval* end,
|
||||
int shm_main_init(struct daemon* daemon)
|
||||
{
|
||||
#ifdef HAVE_SHMGET
|
||||
struct shm_stat_info *shm_stat;
|
||||
struct ub_shm_stat_info *shm_stat;
|
||||
size_t shm_size;
|
||||
|
||||
/* sanitize */
|
||||
@ -95,7 +95,7 @@ int shm_main_init(struct daemon* daemon)
|
||||
log_warn("shm-enable is yes but statistics-interval is 0");
|
||||
|
||||
/* Statistics to maintain the number of thread + total */
|
||||
shm_size = (sizeof(struct stats_info) * (daemon->num + 1));
|
||||
shm_size = (sizeof(struct ub_stats_info) * (daemon->num + 1));
|
||||
|
||||
/* Allocation of needed memory */
|
||||
daemon->shm_info = (struct shm_main_info*)calloc(1, shm_size);
|
||||
@ -121,7 +121,7 @@ int shm_main_init(struct daemon* daemon)
|
||||
shmctl(daemon->shm_info->id_arr, IPC_RMID, NULL);
|
||||
|
||||
/* SHM: Create the segment */
|
||||
daemon->shm_info->id_ctl = shmget(daemon->shm_info->key, sizeof(struct shm_stat_info), IPC_CREAT | 0666);
|
||||
daemon->shm_info->id_ctl = shmget(daemon->shm_info->key, sizeof(struct ub_shm_stat_info), IPC_CREAT | 0666);
|
||||
|
||||
if (daemon->shm_info->id_ctl < 0)
|
||||
{
|
||||
@ -148,7 +148,7 @@ int shm_main_init(struct daemon* daemon)
|
||||
}
|
||||
|
||||
/* SHM: attach the segment */
|
||||
daemon->shm_info->ptr_ctl = (struct shm_stat_info*)
|
||||
daemon->shm_info->ptr_ctl = (struct ub_shm_stat_info*)
|
||||
shmat(daemon->shm_info->id_ctl, NULL, 0);
|
||||
if(daemon->shm_info->ptr_ctl == (void *) -1) {
|
||||
log_err("SHM failed(ctl) cannot shmat(%d) %s",
|
||||
@ -160,7 +160,7 @@ int shm_main_init(struct daemon* daemon)
|
||||
return 0;
|
||||
}
|
||||
|
||||
daemon->shm_info->ptr_arr = (struct stats_info*)
|
||||
daemon->shm_info->ptr_arr = (struct ub_stats_info*)
|
||||
shmat(daemon->shm_info->id_arr, NULL, 0);
|
||||
|
||||
if (daemon->shm_info->ptr_arr == (void *) -1)
|
||||
@ -175,7 +175,7 @@ int shm_main_init(struct daemon* daemon)
|
||||
}
|
||||
|
||||
/* Zero fill SHM to stand clean while is not filled by other events */
|
||||
memset(daemon->shm_info->ptr_ctl, 0, sizeof(struct shm_stat_info));
|
||||
memset(daemon->shm_info->ptr_ctl, 0, sizeof(struct ub_shm_stat_info));
|
||||
memset(daemon->shm_info->ptr_arr, 0, shm_size);
|
||||
|
||||
shm_stat = daemon->shm_info->ptr_ctl;
|
||||
@ -218,10 +218,9 @@ void shm_main_shutdown(struct daemon* daemon)
|
||||
void shm_main_run(struct worker *worker)
|
||||
{
|
||||
#ifdef HAVE_SHMGET
|
||||
struct shm_stat_info *shm_stat;
|
||||
struct stats_info *stat_total;
|
||||
struct stats_info *stat_info;
|
||||
int modstack;
|
||||
struct ub_shm_stat_info *shm_stat;
|
||||
struct ub_stats_info *stat_total;
|
||||
struct ub_stats_info *stat_info;
|
||||
int offset;
|
||||
|
||||
verbose(VERB_DETAIL, "SHM run - worker [%d] - daemon [%p] - timenow(%u) - timeboot(%u)",
|
||||
@ -238,40 +237,40 @@ void shm_main_run(struct worker *worker)
|
||||
if (worker->thread_num == 0) {
|
||||
|
||||
/* Copy data to the current position */
|
||||
memset(stat_total, 0, sizeof(struct stats_info));
|
||||
memset(stat_total, 0, sizeof(struct ub_stats_info));
|
||||
|
||||
/* Point to data into SHM */
|
||||
shm_stat = worker->daemon->shm_info->ptr_ctl;
|
||||
shm_stat->time.now = *worker->env.now_tv;
|
||||
shm_stat->time.now_sec = (long long)worker->env.now_tv->tv_sec;
|
||||
shm_stat->time.now_usec = (long long)worker->env.now_tv->tv_usec;
|
||||
|
||||
timeval_subtract(&shm_stat->time.up, &shm_stat->time.now, &worker->daemon->time_boot);
|
||||
timeval_subtract(&shm_stat->time.elapsed, &shm_stat->time.now, &worker->daemon->time_last_stat);
|
||||
stat_timeval_subtract(&shm_stat->time.up_sec, &shm_stat->time.up_usec, worker->env.now_tv, &worker->daemon->time_boot);
|
||||
stat_timeval_subtract(&shm_stat->time.elapsed_sec, &shm_stat->time.elapsed_usec, worker->env.now_tv, &worker->daemon->time_last_stat);
|
||||
|
||||
shm_stat->mem.msg = slabhash_get_mem(worker->env.msg_cache);
|
||||
shm_stat->mem.rrset = slabhash_get_mem(&worker->env.rrset_cache->table);
|
||||
shm_stat->mem.val = 0;
|
||||
shm_stat->mem.iter = 0;
|
||||
shm_stat->mem.msg = (long long)slabhash_get_mem(worker->env.msg_cache);
|
||||
shm_stat->mem.rrset = (long long)slabhash_get_mem(&worker->env.rrset_cache->table);
|
||||
shm_stat->mem.val = (long long)mod_get_mem(&worker->env,
|
||||
"validator");
|
||||
shm_stat->mem.iter = (long long)mod_get_mem(&worker->env,
|
||||
"iterator");
|
||||
shm_stat->mem.respip = (long long)mod_get_mem(&worker->env,
|
||||
"respip");
|
||||
|
||||
modstack = modstack_find(&worker->env.mesh->mods, "validator");
|
||||
if(modstack != -1) {
|
||||
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->mods.mod[modstack]->get_mem));
|
||||
shm_stat->mem.val = (*worker->env.mesh->mods.mod[modstack]->get_mem)(&worker->env, modstack);
|
||||
}
|
||||
modstack = modstack_find(&worker->env.mesh->mods, "iterator");
|
||||
if(modstack != -1) {
|
||||
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->mods.mod[modstack]->get_mem));
|
||||
shm_stat->mem.iter = (*worker->env.mesh->mods.mod[modstack]->get_mem)(&worker->env, modstack);
|
||||
}
|
||||
/* subnet mem value is available in shm, also when not enabled,
|
||||
* to make the struct easier to memmap by other applications,
|
||||
* independent of the configuration of unbound */
|
||||
shm_stat->mem.subnet = 0;
|
||||
#ifdef CLIENT_SUBNET
|
||||
modstack = modstack_find(&worker->env.mesh->mods, "subnet");
|
||||
if(modstack != -1) {
|
||||
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->mods.mod[modstack]->get_mem));
|
||||
shm_stat->mem.subnet = (*worker->env.mesh->mods.mod[modstack]->get_mem)(&worker->env, modstack);
|
||||
}
|
||||
shm_stat->mem.subnet = (long long)mod_get_mem(&worker->env,
|
||||
"subnet");
|
||||
#endif
|
||||
/* ipsecmod mem value is available in shm, also when not enabled,
|
||||
* to make the struct easier to memmap by other applications,
|
||||
* independent of the configuration of unbound */
|
||||
shm_stat->mem.ipsecmod = 0;
|
||||
#ifdef USE_IPSECMOD
|
||||
shm_stat->mem.ipsecmod = (long long)mod_get_mem(&worker->env,
|
||||
"ipsecmod");
|
||||
#endif
|
||||
}
|
||||
|
||||
|
@ -44,26 +44,8 @@
|
||||
struct daemon;
|
||||
struct worker;
|
||||
|
||||
/** Some global statistics that are not in struct stats_info,
|
||||
* this struct is shared on a shm segment */
|
||||
struct shm_stat_info {
|
||||
|
||||
int num_threads;
|
||||
|
||||
struct {
|
||||
struct timeval now;
|
||||
struct timeval up;
|
||||
struct timeval elapsed;
|
||||
} time;
|
||||
|
||||
struct {
|
||||
size_t msg;
|
||||
size_t rrset;
|
||||
size_t val;
|
||||
size_t iter;
|
||||
size_t subnet;
|
||||
} mem;
|
||||
};
|
||||
/* get struct ub_shm_stat_info */
|
||||
#include "libunbound/unbound.h"
|
||||
|
||||
/**
|
||||
* The SHM info.
|
||||
@ -71,9 +53,9 @@ struct shm_stat_info {
|
||||
struct shm_main_info {
|
||||
/** stats_info array, shared memory segment.
|
||||
* [0] is totals, [1..thread_num] are per-thread stats */
|
||||
struct stats_info* ptr_arr;
|
||||
struct ub_stats_info* ptr_arr;
|
||||
/** the global stats block, shared memory segment */
|
||||
struct shm_stat_info* ptr_ctl;
|
||||
struct ub_shm_stat_info* ptr_ctl;
|
||||
int key;
|
||||
int id_ctl;
|
||||
int id_arr;
|
||||
|
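Review bot: The doc comment above the retyped `ptr_arr` member in the `@ -71,9 +53,9` hunk still names the old type: `/** stats_info array, shared memory segment.` should become `/** ub_stats_info array, shared memory segment.` to match the new `struct ub_stats_info* ptr_arr;`. Pulling the struct definition out of this header and taking it from `libunbound/unbound.h` instead (the `#include` added in the `@ -44,26` hunk) presumably makes `struct ub_shm_stat_info` and `struct ub_stats_info` part of the public header that external readers of the shared-memory segment compile against, so their field layout is now an interface for those readers rather than a daemon-internal detail. A one-line comment at the include, e.g. `/* ub_shm_stat_info / ub_stats_info are mapped by other processes: layout changes are an interface change */`, would make that visible to the next maintainer.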
@ -225,23 +225,23 @@ timehist_quartile(struct timehist* hist, double q)
|
||||
}
|
||||
|
||||
void
|
||||
timehist_export(struct timehist* hist, size_t* array, size_t sz)
|
||||
timehist_export(struct timehist* hist, long long* array, size_t sz)
|
||||
{
|
||||
size_t i;
|
||||
if(!hist) return;
|
||||
if(sz > hist->num)
|
||||
sz = hist->num;
|
||||
for(i=0; i<sz; i++)
|
||||
array[i] = hist->buckets[i].count;
|
||||
array[i] = (long long)hist->buckets[i].count;
|
||||
}
|
||||
|
||||
void
|
||||
timehist_import(struct timehist* hist, size_t* array, size_t sz)
|
||||
timehist_import(struct timehist* hist, long long* array, size_t sz)
|
||||
{
|
||||
size_t i;
|
||||
if(!hist) return;
|
||||
if(sz > hist->num)
|
||||
sz = hist->num;
|
||||
for(i=0; i<sz; i++)
|
||||
hist->buckets[i].count = array[i];
|
||||
hist->buckets[i].count = (size_t)array[i];
|
||||
}
|
||||
|
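Review bot: In timehist_import the new assignment `hist->buckets[i].count = (size_t)array[i];` has no range check, so a negative `long long` element silently wraps to a huge bucket count. If the array can originate outside the process (the signed type suggests it is now the format used for exported statistics; I cannot see the callers here), clamping is the safer choice: `hist->buckets[i].count = array[i] < 0 ? 0 : (size_t)array[i];`. The matching export cast `(long long)hist->buckets[i].count` only misbehaves for counts above LLONG_MAX, which is not a realistic concern.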
@ -121,7 +121,7 @@ void timehist_log(struct timehist* hist, const char* name);
|
||||
* @param array: the array to export to.
|
||||
* @param sz: number of items in array.
|
||||
*/
|
||||
void timehist_export(struct timehist* hist, size_t* array, size_t sz);
|
||||
void timehist_export(struct timehist* hist, long long* array, size_t sz);
|
||||
|
||||
/**
|
||||
* Import histogram from an array.
|
||||
@ -129,6 +129,6 @@ void timehist_export(struct timehist* hist, size_t* array, size_t sz);
|
||||
* @param array: the array to import from.
|
||||
* @param sz: number of items in array.
|
||||
*/
|
||||
void timehist_import(struct timehist* hist, size_t* array, size_t sz);
|
||||
void timehist_import(struct timehist* hist, long long* array, size_t sz);
|
||||
|
||||
#endif /* UTIL_TIMEHIST_H */
|
||||
|
@ -228,6 +228,9 @@ dnskey_algo_id_is_supported(int id)
|
||||
case LDNS_ECDSAP256SHA256:
|
||||
case LDNS_ECDSAP384SHA384:
|
||||
#endif
|
||||
#ifdef USE_ED25519
|
||||
case LDNS_ED25519:
|
||||
#endif
|
||||
#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
|
||||
return 1;
|
||||
#endif
|
||||
@ -555,6 +558,17 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
|
||||
#endif
|
||||
break;
|
||||
#endif /* USE_ECDSA */
|
||||
#ifdef USE_ED25519
|
||||
case LDNS_ED25519:
|
||||
*evp_key = sldns_ed255192pkey_raw(key, keylen);
|
||||
if(!*evp_key) {
|
||||
verbose(VERB_QUERY, "verify: "
|
||||
"sldns_ed255192pkey_raw failed");
|
||||
return 0;
|
||||
}
|
||||
*digest_type = NULL;
|
||||
break;
|
||||
#endif /* USE_ED25519 */
|
||||
default:
|
||||
verbose(VERB_QUERY, "verify: unknown algorithm %d",
|
||||
algo);
|
||||
@ -644,18 +658,29 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
|
||||
else if(docrypto_free) OPENSSL_free(sigblock);
|
||||
return sec_status_unchecked;
|
||||
}
|
||||
if(EVP_VerifyInit(ctx, digest_type) == 0) {
|
||||
verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
|
||||
#ifndef HAVE_EVP_DIGESTVERIFY
|
||||
if(EVP_DigestInit(ctx, digest_type) == 0) {
|
||||
verbose(VERB_QUERY, "verify: EVP_DigestInit failed");
|
||||
#ifdef HAVE_EVP_MD_CTX_NEW
|
||||
EVP_MD_CTX_destroy(ctx);
|
||||
#else
|
||||
EVP_MD_CTX_cleanup(ctx);
|
||||
free(ctx);
|
||||
#endif
|
||||
EVP_PKEY_free(evp_key);
|
||||
if(dofree) free(sigblock);
|
||||
else if(docrypto_free) OPENSSL_free(sigblock);
|
||||
return sec_status_unchecked;
|
||||
}
|
||||
if(EVP_VerifyUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
|
||||
if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf)) == 0) {
|
||||
verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
|
||||
verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed");
|
||||
#ifdef HAVE_EVP_MD_CTX_NEW
|
||||
EVP_MD_CTX_destroy(ctx);
|
||||
#else
|
||||
EVP_MD_CTX_cleanup(ctx);
|
||||
free(ctx);
|
||||
#endif
|
||||
EVP_PKEY_free(evp_key);
|
||||
if(dofree) free(sigblock);
|
||||
else if(docrypto_free) OPENSSL_free(sigblock);
|
||||
@ -663,6 +688,24 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
|
||||
}
|
||||
|
||||
res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
|
||||
#else /* HAVE_EVP_DIGESTVERIFY */
|
||||
if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) {
|
||||
verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed");
|
||||
#ifdef HAVE_EVP_MD_CTX_NEW
|
||||
EVP_MD_CTX_destroy(ctx);
|
||||
#else
|
||||
EVP_MD_CTX_cleanup(ctx);
|
||||
free(ctx);
|
||||
#endif
|
||||
EVP_PKEY_free(evp_key);
|
||||
if(dofree) free(sigblock);
|
||||
else if(docrypto_free) OPENSSL_free(sigblock);
|
||||
return sec_status_unchecked;
|
||||
}
|
||||
res = EVP_DigestVerify(ctx, sigblock, sigblock_len,
|
||||
(unsigned char*)sldns_buffer_begin(buf),
|
||||
sldns_buffer_limit(buf));
|
||||
#endif
|
||||
#ifdef HAVE_EVP_MD_CTX_NEW
|
||||
EVP_MD_CTX_destroy(ctx);
|
||||
#else
|
||||
|
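Review bot: The error-path cleanup sequence (`EVP_MD_CTX_destroy` or `EVP_MD_CTX_cleanup` plus `free`, `EVP_PKEY_free`, releasing `sigblock`, `return sec_status_unchecked`) is now repeated verbatim in the `EVP_DigestInit`, `EVP_DigestUpdate` and `EVP_DigestVerifyInit` failure branches of verify_canonrrset, whose body starts before the `@ -644` hunk and continues after the `@ -663` one; a small static helper would remove the duplication and make it harder to introduce a leak in the next branch that gets added. Separately, the ED25519 case added to setup_key_digest sets `*digest_type = NULL`, which is correct for `EVP_DigestVerifyInit`, but on the `#ifndef HAVE_EVP_DIGESTVERIFY` path that NULL would reach `EVP_DigestInit(ctx, digest_type)`; if the build system does not guarantee that USE_ED25519 implies HAVE_EVP_DIGESTVERIFY, a comment or `#error` next to the ED25519 case should state that dependency. The helper and one of its call sites would look like the excerpt below.
```c
/* Release the digest context, the key and the signature buffer on an
 * error path; the argument types are those verify_canonrrset uses. */
static void
verify_cleanup(EVP_MD_CTX* ctx, EVP_PKEY* evp_key, unsigned char* sigblock,
	int dofree, int docrypto_free)
{
#ifdef HAVE_EVP_MD_CTX_NEW
	EVP_MD_CTX_destroy(ctx);
#else
	EVP_MD_CTX_cleanup(ctx);
	free(ctx);
#endif
	EVP_PKEY_free(evp_key);
	if(dofree) free(sigblock);
	else if(docrypto_free) OPENSSL_free(sigblock);
}

/* … unchanged: verify_canonrrset up to the HAVE_EVP_DIGESTVERIFY branch … */
	if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) {
		verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed");
		verify_cleanup(ctx, evp_key, sigblock, dofree, docrypto_free);
		return sec_status_unchecked;
	}
	/* … unchanged: EVP_DigestVerify call; the EVP_DigestInit and
	 * EVP_DigestUpdate failure branches get the same replacement … */
```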
@ -54,6 +54,7 @@
|
||||
#include "util/net_help.h"
|
||||
#include "util/module.h"
|
||||
#include "util/regional.h"
|
||||
#include "util/config_file.h"
|
||||
#include "sldns/wire2str.h"
|
||||
#include "sldns/parseutil.h"
|
||||
|
||||
@ -914,7 +915,7 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index)
|
||||
}
|
||||
|
||||
void
|
||||
val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
|
||||
val_check_nonsecure(struct module_env* env, struct reply_info* rep)
|
||||
{
|
||||
size_t i;
|
||||
/* authority */
|
||||
@ -955,7 +956,7 @@ val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
|
||||
}
|
||||
}
|
||||
/* additional */
|
||||
if(!ve->clean_additional)
|
||||
if(!env->cfg->val_clean_additional)
|
||||
return;
|
||||
for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
|
||||
if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
|
||||
|
@ -306,10 +306,10 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index);
|
||||
* So that unsigned data does not get let through to clients, when we have
|
||||
* found the data to be secure.
|
||||
*
|
||||
* @param ve: validator environment with cleaning options.
|
||||
* @param env: environment with cleaning options.
|
||||
* @param rep: reply to dump all nonsecure stuff out of.
|
||||
*/
|
||||
void val_check_nonsecure(struct val_env* ve, struct reply_info* rep);
|
||||
void val_check_nonsecure(struct module_env* env, struct reply_info* rep);
|
||||
|
||||
/**
|
||||
* Mark all unchecked rrset entries not below a trust anchor as indeterminate.
|
||||
|
@ -60,6 +60,7 @@
|
||||
#include "util/fptr_wlist.h"
|
||||
#include "sldns/rrdef.h"
|
||||
#include "sldns/wire2str.h"
|
||||
#include "sldns/str2wire.h"
|
||||
|
||||
/* forward decl for cache response and normal super inform calls of a DS */
|
||||
static void process_ds_response(struct module_qstate* qstate,
|
||||
@ -112,8 +113,6 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
|
||||
{
|
||||
int c;
|
||||
val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl;
|
||||
val_env->clean_additional = cfg->val_clean_additional;
|
||||
val_env->permissive_mode = cfg->val_permissive_mode;
|
||||
if(!env->anchors)
|
||||
env->anchors = anchors_create();
|
||||
if(!env->anchors) {
|
||||
@ -170,7 +169,6 @@ val_init(struct module_env* env, int id)
|
||||
}
|
||||
env->modinfo[id] = (void*)val_env;
|
||||
env->need_to_validate = 1;
|
||||
val_env->permissive_mode = 0;
|
||||
lock_basic_init(&val_env->bogus_lock);
|
||||
lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus,
|
||||
sizeof(val_env->num_rrset_bogus));
|
||||
@ -364,14 +362,17 @@ already_validated(struct dns_msg* ret_msg)
|
||||
* @param qtype: query type.
|
||||
* @param qclass: query class.
|
||||
* @param flags: additional flags, such as the CD bit (BIT_CD), or 0.
|
||||
* @param newq: If the subquery is newly created, it is returned,
|
||||
* otherwise NULL is returned
|
||||
* @param detached: true if this qstate should not attach to the subquery
|
||||
* @return false on alloc failure.
|
||||
*/
|
||||
static int
|
||||
generate_request(struct module_qstate* qstate, int id, uint8_t* name,
|
||||
size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags)
|
||||
size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags,
|
||||
struct module_qstate** newq, int detached)
|
||||
{
|
||||
struct val_qstate* vq = (struct val_qstate*)qstate->minfo[id];
|
||||
struct module_qstate* newq;
|
||||
struct query_info ask;
|
||||
int valrec;
|
||||
ask.qname = name;
|
||||
@ -380,28 +381,101 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
|
||||
ask.qclass = qclass;
|
||||
ask.local_alias = NULL;
|
||||
log_query_info(VERB_ALGO, "generate request", &ask);
|
||||
fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
|
||||
/* enable valrec flag to avoid recursion to the same validation
|
||||
* routine, this lookup is simply a lookup. DLVs need validation */
|
||||
if(qtype == LDNS_RR_TYPE_DLV)
|
||||
valrec = 0;
|
||||
else valrec = 1;
|
||||
if(!(*qstate->env->attach_sub)(qstate, &ask,
|
||||
(uint16_t)(BIT_RD|flags), 0, valrec, &newq)){
|
||||
log_err("Could not generate request: out of memory");
|
||||
return 0;
|
||||
if(detached) {
|
||||
struct mesh_state* sub = NULL;
|
||||
fptr_ok(fptr_whitelist_modenv_add_sub(
|
||||
qstate->env->add_sub));
|
||||
if(!(*qstate->env->add_sub)(qstate, &ask,
|
||||
(uint16_t)(BIT_RD|flags), 0, valrec, newq, &sub)){
|
||||
log_err("Could not generate request: out of memory");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
else {
|
||||
fptr_ok(fptr_whitelist_modenv_attach_sub(
|
||||
qstate->env->attach_sub));
|
||||
if(!(*qstate->env->attach_sub)(qstate, &ask,
|
||||
(uint16_t)(BIT_RD|flags), 0, valrec, newq)){
|
||||
log_err("Could not generate request: out of memory");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
/* newq; validator does not need state created for that
|
||||
* query, and its a 'normal' for iterator as well */
|
||||
if(newq) {
|
||||
if(*newq) {
|
||||
/* add our blacklist to the query blacklist */
|
||||
sock_list_merge(&newq->blacklist, newq->region,
|
||||
sock_list_merge(&(*newq)->blacklist, (*newq)->region,
|
||||
vq->chain_blacklist);
|
||||
}
|
||||
qstate->ext_state[id] = module_wait_subquery;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate, send and detach key tag signaling query.
|
||||
*
|
||||
* @param qstate: query state.
|
||||
* @param id: module id.
|
||||
* @param ta: trust anchor, locked.
|
||||
* @return false on a processing error.
|
||||
*/
|
||||
static int
|
||||
generate_keytag_query(struct module_qstate* qstate, int id,
|
||||
struct trust_anchor* ta)
|
||||
{
|
||||
/* 3 bytes for "_ta", 5 bytes per tag (4 bytes + "-") */
|
||||
#define MAX_LABEL_TAGS (LDNS_MAX_LABELLEN-3)/5
|
||||
size_t i, numtag;
|
||||
uint16_t tags[MAX_LABEL_TAGS];
|
||||
char tagstr[LDNS_MAX_LABELLEN+1] = "_ta"; /* +1 for NULL byte */
|
||||
size_t tagstr_left = sizeof(tagstr) - strlen(tagstr);
|
||||
char* tagstr_pos = tagstr + strlen(tagstr);
|
||||
uint8_t dnamebuf[LDNS_MAX_DOMAINLEN+1]; /* +1 for label length byte */
|
||||
size_t dnamebuf_len = sizeof(dnamebuf);
|
||||
uint8_t* keytagdname;
|
||||
struct module_qstate* newq = NULL;
|
||||
enum module_ext_state ext_state = qstate->ext_state[id];
|
||||
|
||||
numtag = anchor_list_keytags(ta, tags, MAX_LABEL_TAGS);
|
||||
if(numtag == 0)
|
||||
return 0;
|
||||
|
||||
for(i=0; i<numtag; i++) {
|
||||
/* Buffer can't overflow; numtag is limited to tags that fit in
|
||||
* the buffer. */
|
||||
snprintf(tagstr_pos, tagstr_left, "-%04x", (unsigned)tags[i]);
|
||||
tagstr_left -= strlen(tagstr_pos);
|
||||
tagstr_pos += strlen(tagstr_pos);
|
||||
}
|
||||
|
||||
sldns_str2wire_dname_buf_origin(tagstr, dnamebuf, &dnamebuf_len,
|
||||
ta->name, ta->namelen);
|
||||
if(!(keytagdname = (uint8_t*)regional_alloc_init(qstate->region,
|
||||
dnamebuf, dnamebuf_len))) {
|
||||
log_err("could not generate key tag query: out of memory");
|
||||
return 0;
|
||||
}
|
||||
|
||||
log_nametypeclass(VERB_ALGO, "keytag query", keytagdname,
|
||||
LDNS_RR_TYPE_NULL, ta->dclass);
|
||||
if(!generate_request(qstate, id, keytagdname, dnamebuf_len,
|
||||
LDNS_RR_TYPE_NULL, ta->dclass, 0, &newq, 1)) {
|
||||
log_err("failed to generate key tag signaling request");
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Not interrested in subquery response. Restore the ext_state,
|
||||
* that might be changed by generate_request() */
|
||||
qstate->ext_state[id] = ext_state;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Prime trust anchor for use.
|
||||
* Generate and dispatch a priming query for the given trust anchor.
|
||||
@ -417,8 +491,16 @@ static int
|
||||
prime_trust_anchor(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
int id, struct trust_anchor* toprime)
|
||||
{
|
||||
struct module_qstate* newq = NULL;
|
||||
int ret = generate_request(qstate, id, toprime->name, toprime->namelen,
|
||||
LDNS_RR_TYPE_DNSKEY, toprime->dclass, BIT_CD);
|
||||
LDNS_RR_TYPE_DNSKEY, toprime->dclass, BIT_CD, &newq, 0);
|
||||
|
||||
if(newq && qstate->env->cfg->trust_anchor_signaling &&
|
||||
!generate_keytag_query(qstate, id, toprime)) {
|
||||
log_err("keytag signaling query failed");
|
||||
return 0;
|
||||
}
|
||||
|
||||
if(!ret) {
|
||||
log_err("Could not prime trust anchor: out of memory");
|
||||
return 0;
|
||||
@ -534,9 +616,11 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,
|
||||
}
|
||||
}
|
||||
|
||||
/* attempt to validate the ADDITIONAL section rrsets */
|
||||
if(!ve->clean_additional)
|
||||
/* If set, the validator should clean the additional section of
|
||||
* secure messages. */
|
||||
if(!env->cfg->val_clean_additional)
|
||||
return 1;
|
||||
/* attempt to validate the ADDITIONAL section rrsets */
|
||||
for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets;
|
||||
i<chase_reply->rrset_count; i++) {
|
||||
s = chase_reply->rrsets[i];
|
||||
@ -1510,6 +1594,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
|
||||
uint8_t* target_key_name, *current_key_name;
|
||||
size_t target_key_len;
|
||||
int strip_lab;
|
||||
struct module_qstate* newq = NULL;
|
||||
|
||||
log_query_info(VERB_ALGO, "validator: FindKey", &vq->qchase);
|
||||
/* We know that state.key_entry is not 0 or bad key -- if it were,
|
||||
@ -1522,7 +1607,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
|
||||
if(key_entry_isnull(vq->key_entry)) {
|
||||
if(!generate_request(qstate, id, vq->ds_rrset->rk.dname,
|
||||
vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY,
|
||||
vq->qchase.qclass, BIT_CD)) {
|
||||
vq->qchase.qclass, BIT_CD, &newq, 0)) {
|
||||
log_err("mem error generating DNSKEY request");
|
||||
return val_error(qstate, id);
|
||||
}
|
||||
@ -1594,7 +1679,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
|
||||
vq->key_entry->name) != 0) {
|
||||
if(!generate_request(qstate, id, vq->ds_rrset->rk.dname,
|
||||
vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY,
|
||||
vq->qchase.qclass, BIT_CD)) {
|
||||
vq->qchase.qclass, BIT_CD, &newq, 0)) {
|
||||
log_err("mem error generating DNSKEY request");
|
||||
return val_error(qstate, id);
|
||||
}
|
||||
@ -1623,7 +1708,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
|
||||
}
|
||||
if(!generate_request(qstate, id, target_key_name,
|
||||
target_key_len, LDNS_RR_TYPE_DS, vq->qchase.qclass,
|
||||
BIT_CD)) {
|
||||
BIT_CD, &newq, 0)) {
|
||||
log_err("mem error generating DS request");
|
||||
return val_error(qstate, id);
|
||||
}
|
||||
@ -1633,7 +1718,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
|
||||
/* Otherwise, it is time to query for the DNSKEY */
|
||||
if(!generate_request(qstate, id, vq->ds_rrset->rk.dname,
|
||||
vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY,
|
||||
vq->qchase.qclass, BIT_CD)) {
|
||||
vq->qchase.qclass, BIT_CD, &newq, 0)) {
|
||||
log_err("mem error generating DNSKEY request");
|
||||
return val_error(qstate, id);
|
||||
}
|
||||
@ -1847,6 +1932,7 @@ val_dlv_init(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
{
|
||||
uint8_t* nm;
|
||||
size_t nm_len;
|
||||
struct module_qstate* newq = NULL;
|
||||
/* there must be a DLV configured */
|
||||
log_assert(qstate->env->anchors->dlv_anchor);
|
||||
/* this bool is true to avoid looping in the DLV checks */
|
||||
@ -1948,7 +2034,7 @@ val_dlv_init(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
vq->state = VAL_DLVLOOKUP_STATE;
|
||||
if(!generate_request(qstate, id, vq->dlv_lookup_name,
|
||||
vq->dlv_lookup_name_len, LDNS_RR_TYPE_DLV,
|
||||
vq->qchase.qclass, 0)) {
|
||||
vq->qchase.qclass, 0, &newq, 0)) {
|
||||
return val_error(qstate, id);
|
||||
}
|
||||
|
||||
@ -2042,7 +2128,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
* a different signer name). And drop additional rrsets
|
||||
* that are not secure (if clean-additional option is set) */
|
||||
/* this may cause the msg to be marked bogus */
|
||||
val_check_nonsecure(ve, vq->orig_msg->rep);
|
||||
val_check_nonsecure(qstate->env, vq->orig_msg->rep);
|
||||
if(vq->orig_msg->rep->security == sec_status_secure) {
|
||||
log_query_info(VERB_DETAIL, "validation success",
|
||||
&qstate->qinfo);
|
||||
@ -2083,8 +2169,14 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
free(err);
|
||||
}
|
||||
}
|
||||
/*
|
||||
* If set, the validator will not make messages bogus, instead
|
||||
* indeterminate is issued, so that no clients receive SERVFAIL.
|
||||
* This allows an operator to run validation 'shadow' without
|
||||
* hurting responses to clients.
|
||||
*/
|
||||
/* If we are in permissive mode, bogus gets indeterminate */
|
||||
if(ve->permissive_mode)
|
||||
if(qstate->env->cfg->val_permissive_mode)
|
||||
vq->orig_msg->rep->security = sec_status_indeterminate;
|
||||
}
|
||||
|
||||
@ -2128,6 +2220,7 @@ static int
|
||||
processDLVLookup(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
struct val_env* ve, int id)
|
||||
{
|
||||
struct module_qstate* newq = NULL;
|
||||
/* see if this we are ready to continue normal resolution */
|
||||
/* we may need more DLV lookups */
|
||||
if(vq->dlv_status==dlv_error)
|
||||
@ -2176,7 +2269,7 @@ processDLVLookup(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
|
||||
if(!generate_request(qstate, id, vq->ds_rrset->rk.dname,
|
||||
vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY,
|
||||
vq->qchase.qclass, BIT_CD)) {
|
||||
vq->qchase.qclass, BIT_CD, &newq, 0)) {
|
||||
log_err("mem error generating DNSKEY request");
|
||||
return val_error(qstate, id);
|
||||
}
|
||||
@ -2218,7 +2311,7 @@ processDLVLookup(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
|
||||
if(!generate_request(qstate, id, vq->dlv_lookup_name,
|
||||
vq->dlv_lookup_name_len, LDNS_RR_TYPE_DLV,
|
||||
vq->qchase.qclass, 0)) {
|
||||
vq->qchase.qclass, 0, &newq, 0)) {
|
||||
return val_error(qstate, id);
|
||||
}
|
||||
|
||||
@ -2857,6 +2950,7 @@ process_prime_response(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
ta->name, ta->namelen, LDNS_RR_TYPE_DNSKEY,
|
||||
ta->dclass);
|
||||
}
|
||||
|
||||
if(ta->autr) {
|
||||
if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset)) {
|
||||
/* trust anchor revoked, restart with less anchors */
|
||||
|
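Review bot: In generate_keytag_query (wholly inside the `@ -380,28` hunk) the status of `sldns_str2wire_dname_buf_origin(tagstr, dnamebuf, &dnamebuf_len, ta->name, ta->namelen)` is ignored, so if the conversion fails the uninitialised `dnamebuf` and whatever `dnamebuf_len` was left at are copied into the region and sent as the signaling query name; as far as I recall the sldns_str2wire_* functions return non-zero on error, so the call should be guarded, e.g. `if(sldns_str2wire_dname_buf_origin(tagstr, dnamebuf, &dnamebuf_len, ta->name, ta->namelen) != 0) { log_err("could not generate key tag query: bad name"); return 0; }`. The same function's `#define MAX_LABEL_TAGS (LDNS_MAX_LABELLEN-3)/5` is unparenthesised; `tags[MAX_LABEL_TAGS]` and the anchor_list_keytags argument happen to be safe, but `#define MAX_LABEL_TAGS ((LDNS_MAX_LABELLEN-3)/5)` avoids surprises if it is ever used inside a larger expression. Two comment nits in the new code: `/* Not interrested in subquery response.` has a typo (`interested`), and in processFinished (`@ -2083` hunk) the block comment copied from the removed `permissive_mode` field now sits directly above `/* If we are in permissive mode, bogus gets indeterminate */`, which says the same thing, so keeping only the shorter one reads cleaner.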
@ -93,19 +93,6 @@ struct val_env {
|
||||
* seconds. */
|
||||
uint32_t bogus_ttl;
|
||||
|
||||
/** If set, the validator should clean the additional section of
|
||||
* secure messages.
|
||||
*/
|
||||
int clean_additional;
|
||||
|
||||
/**
|
||||
* If set, the validator will not make messages bogus, instead
|
||||
* indeterminate is issued, so that no clients receive SERVFAIL.
|
||||
* This allows an operator to run validation 'shadow' without
|
||||
* hurting responses to clients.
|
||||
*/
|
||||
int permissive_mode;
|
||||
|
||||
/**
|
||||
* Number of entries in the NSEC3 maximum iteration count table.
|
||||
* Keep this table short, and sorted by size
|
||||
|