mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-23 03:06:48 +00:00
unbound: Vendor import 1.18.0
Release notes at https://www.nlnetlabs.nl/news/2023/Aug/30/unbound-1.18.0-released/ MFC after: 2 weeks Merge commit '401770e05c71ecb5ae61a59d316069b4b78bf622' into main
This commit is contained in:
commit
8f76bb7dad
|
@ -122,15 +122,15 @@ iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \
|
|||
iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \
|
||||
iterator/iter_scrub.c iterator/iter_utils.c services/listen_dnsport.c \
|
||||
services/localzone.c services/mesh.c services/modstack.c services/view.c \
|
||||
services/rpz.c \
|
||||
services/rpz.c util/rfc_1982.c \
|
||||
services/outbound_list.c services/outside_network.c util/alloc.c \
|
||||
util/config_file.c util/configlexer.c util/configparser.c \
|
||||
util/shm_side/shm_main.c services/authzone.c \
|
||||
util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \
|
||||
util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \
|
||||
util/rtt.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \
|
||||
util/rtt.c util/siphash.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \
|
||||
util/storage/lruhash.c util/storage/slabhash.c util/tcp_conn_limit.c \
|
||||
util/timehist.c util/tube.c util/proxy_protocol.c \
|
||||
util/timehist.c util/tube.c util/proxy_protocol.c util/timeval_func.c \
|
||||
util/ub_event.c util/ub_event_pluggable.c util/winsock_event.c \
|
||||
validator/autotrust.c validator/val_anchor.c validator/validator.c \
|
||||
validator/val_kcache.c validator/val_kentry.c validator/val_neg.c \
|
||||
|
@ -145,14 +145,14 @@ as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
|
|||
iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
|
||||
iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo view.lo \
|
||||
outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
|
||||
fptr_wlist.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
|
||||
fptr_wlist.lo siphash.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
|
||||
random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
|
||||
slabhash.lo tcp_conn_limit.lo timehist.lo tube.lo winsock_event.lo \
|
||||
autotrust.lo val_anchor.lo rpz.lo proxy_protocol.lo \
|
||||
autotrust.lo val_anchor.lo rpz.lo rfc_1982.lo proxy_protocol.lo \
|
||||
validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
|
||||
val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo $(CACHEDB_OBJ) authzone.lo \
|
||||
$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
|
||||
$(IPSECMOD_OBJ) $(IPSET_OBJ) $(DYNLIBMOD_OBJ) respip.lo
|
||||
$(IPSECMOD_OBJ) $(IPSET_OBJ) $(DYNLIBMOD_OBJ) respip.lo timeval_func.lo
|
||||
COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
|
||||
outside_network.lo
|
||||
COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo
|
||||
|
@ -198,7 +198,7 @@ CHECKCONF_OBJ=unbound-checkconf.lo worker_cb.lo
|
|||
CHECKCONF_OBJ_LINK=$(CHECKCONF_OBJ) $(COMMON_OBJ_ALL_SYMBOLS) $(SLDNS_OBJ) \
|
||||
$(COMPAT_OBJ) @WIN_CHECKCONF_OBJ_LINK@
|
||||
CONTROL_SRC=smallapp/unbound-control.c
|
||||
CONTROL_OBJ=unbound-control.lo
|
||||
CONTROL_OBJ=unbound-control.lo
|
||||
CONTROL_OBJ_LINK=$(CONTROL_OBJ) worker_cb.lo $(COMMON_OBJ_ALL_SYMBOLS) \
|
||||
$(SLDNS_OBJ) $(COMPAT_OBJ) @WIN_CONTROL_OBJ_LINK@
|
||||
HOST_SRC=smallapp/unbound-host.c
|
||||
|
@ -455,6 +455,7 @@ unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnsta
|
|||
dynlibmod.lo dynlibdmod.o: $(srcdir)/dynlibmod/dynlibmod.c config.h $(srcdir)/dynlibmod/dynlibmod.h
|
||||
cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h
|
||||
redis.lo redis.o: $(srcdir)/cachedb/redis.c config.h $(srcdir)/cachedb/redis.h
|
||||
timeval_func.lo timeval_func.o: $(srcdir)/util/timeval_func.c $(srcdir)/util/timeval_func.h
|
||||
|
||||
# dnscrypt
|
||||
dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \
|
||||
|
@ -498,6 +499,7 @@ util/configlexer.c: $(srcdir)/util/configlexer.lex util/configparser.h
|
|||
echo "#include \"util/configyyrename.h\"" >> $@ ;\
|
||||
$(LEX) -t $(srcdir)/util/configlexer.lex >> $@ ;\
|
||||
fi
|
||||
@if test ! -f $@; then echo "No $@ : need flex and bison to compile from source repository"; exit 1; fi
|
||||
|
||||
util/configparser.c util/configparser.h: $(srcdir)/util/configparser.y
|
||||
@-if test ! -d util; then $(INSTALL) -d util; fi
|
||||
|
@ -516,7 +518,7 @@ distclean: clean
|
|||
rm -f doc/example.conf doc/libunbound.3 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound-control.8 doc/unbound.8 doc/unbound.conf.5 doc/unbound-host.1
|
||||
rm -f smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service
|
||||
rm -f $(TEST_BIN)
|
||||
rm -f Makefile
|
||||
rm -f Makefile
|
||||
|
||||
maintainer-clean: distclean
|
||||
rm -f util/configlexer.c util/configparser.c util/configparser.h
|
||||
|
@ -649,7 +651,7 @@ uninstall: $(PYTHONMOD_UNINSTALL) $(PYUNBOUND_UNINSTALL) $(UNBOUND_EVENT_UNINSTA
|
|||
|
||||
iana_update:
|
||||
curl -o port-numbers.tmp https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml --compressed
|
||||
if file port-numbers.tmp | grep 'gzip' >/dev/null; then zcat port-numbers.tmp; else cat port-numbers.tmp; fi | awk '/<record>/ {p=0;} /<protocol>udp/ {p=1;} /<protocol>[^u]/ {p=0;} /Decomissioned|Decommissioned|Removed|De-registered|unassigned|Unassigned|Reserved/ {u=1;} /<number>/ { if(u==1) {u=0;} else { if(p==1) { match($$0,/[0-9]+/); print substr($$0, RSTART, RLENGTH) ","}}}' | sort -nu > util/iana_ports.inc
|
||||
if file port-numbers.tmp | grep 'gzip' >/dev/null; then zcat port-numbers.tmp; else cat port-numbers.tmp; fi | awk '/<record>/ {p=0;} /<protocol>udp/ {p=1;} /<protocol>[^u]/ {p=0;} /Decomissioned|Decommissioned|Removed|De-registered|unassigned|Unassigned|Reserved/ {u=1;} /<number>/ { if(u==1) {u=0;} else { if(p==1) { match($$0,/[0-9]+/); print substr($$0, RSTART, RLENGTH) ","}}}' | sort -nu > util/iana_ports.inc
|
||||
rm -f port-numbers.tmp
|
||||
|
||||
# dependency generation
|
||||
|
@ -877,7 +879,7 @@ rpz.lo rpz.o: $(srcdir)/services/rpz.c config.h $(srcdir)/services/rpz.h $(srcdi
|
|||
outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
|
||||
$(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
|
||||
|
||||
outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c config.h \
|
||||
$(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/dnscrypt/dnscrypt.h \
|
||||
|
@ -915,7 +917,8 @@ config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/ut
|
|||
configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
|
||||
$(srcdir)/util/config_file.h util/configparser.h
|
||||
configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/str2wire.h \
|
||||
$(srcdir)/sldns/rrdef.h
|
||||
shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/util/shm_side/shm_main.h \
|
||||
$(srcdir)/libunbound/unbound.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
|
@ -928,7 +931,7 @@ shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/ut
|
|||
$(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \
|
||||
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
|
||||
$(srcdir)/util/rtt.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/util/fptr_wlist.h \
|
||||
$(srcdir)/util/tube.h
|
||||
$(srcdir)/util/tube.h $(srcdir)/util/timeval_func.h
|
||||
authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/services/authzone.h \
|
||||
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
|
||||
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \
|
||||
|
@ -983,7 +986,7 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve
|
|||
$(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
|
||||
$(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/services/listen_dnsport.h
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/timeval_func.h
|
||||
proxy_protocol.lo proxy_protocol.o: $(srcdir)/util/proxy_protocol.c config.h \
|
||||
$(srcdir)/util/proxy_protocol.h $(srcdir)/sldns/sbuffer.h
|
||||
net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
|
||||
|
@ -1006,6 +1009,8 @@ rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h $(srcdir)/itera
|
|||
$(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h
|
||||
siphash.lo siphash.o: $(srcdir)/util/siphash.c
|
||||
rfc_1982.lo rfc_1982.o: $(srcdir)/util/rfc_1982.c
|
||||
edns.lo edns.o: $(srcdir)/util/edns.c config.h $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h \
|
||||
$(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/regional.h \
|
||||
|
@ -1186,7 +1191,7 @@ unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/r
|
|||
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/util/random.h $(srcdir)/respip/respip.h \
|
||||
$(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/services/outside_network.h
|
||||
$(srcdir)/services/outside_network.h
|
||||
unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
|
||||
$(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
|
||||
|
@ -1321,7 +1326,7 @@ unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $
|
|||
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/timeval_func.h \
|
||||
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
|
||||
|
@ -1343,7 +1348,7 @@ testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/test
|
|||
$(srcdir)/daemon/remote.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/daemon/daemon.h \
|
||||
$(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/util/alloc.h $(srcdir)/util/timeval_func.h $(srcdir)/services/modstack.h \
|
||||
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
|
||||
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
|
||||
|
@ -1357,7 +1362,7 @@ testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcod
|
|||
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/timeval_func.h \
|
||||
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
|
||||
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
|
||||
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
|
||||
|
@ -1409,7 +1414,7 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
|
|||
$(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h
|
||||
replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
$(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h \
|
||||
$(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h $(srcdir)/util/timeval_func.h \
|
||||
$(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
|
||||
fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/testcode/fake_event.h \
|
||||
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
|
||||
|
@ -1417,7 +1422,7 @@ fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/t
|
|||
$(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
|
||||
$(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
|
||||
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h $(srcdir)/util/timeval_func.h \
|
||||
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
|
||||
$(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Unbound
|
||||
|
||||
[![Travis Build Status](https://travis-ci.org/NLnetLabs/unbound.svg?branch=master)](https://travis-ci.org/NLnetLabs/unbound)
|
||||
[![Github Build Status](https://github.com/NLnetLabs/unbound/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/NLnetLabs/unbound/actions)
|
||||
[![Packaging status](https://repology.org/badge/tiny-repos/unbound.svg)](https://repology.org/project/unbound/versions)
|
||||
[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/unbound.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:unbound)
|
||||
[![Documentation Status](https://readthedocs.org/projects/unbound/badge/?version=latest)](https://unbound.readthedocs.io/en/latest/?badge=latest)
|
||||
|
|
|
@ -2,7 +2,9 @@
|
|||
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
|
||||
# BSD licensed.
|
||||
#
|
||||
# Version 44
|
||||
# Version 46
|
||||
# 2023-05-04 fix to remove unused whitespace.
|
||||
# 2023-01-26 fix -Wstrict-prototypes.
|
||||
# 2022-09-01 fix checking if nonblocking sockets work on OpenBSD.
|
||||
# 2021-08-17 fix sed script in ssldir split handling.
|
||||
# 2021-08-17 fix for openssl to detect split version, with ssldir_include
|
||||
|
@ -187,7 +189,7 @@ dnl cache=`echo $1 | sed 'y%.=/+- %___p__%'`
|
|||
AC_CACHE_VAL(cv_prog_cc_flag_needed_$cache,
|
||||
[
|
||||
echo '$2' > conftest.c
|
||||
echo 'void f(){}' >>conftest.c
|
||||
echo 'void f(void){}' >>conftest.c
|
||||
if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
|
||||
eval "cv_prog_cc_flag_needed_$cache=no"
|
||||
else
|
||||
|
@ -233,7 +235,7 @@ dnl DEPFLAG: set to flag that generates dependencies.
|
|||
AC_DEFUN([ACX_DEPFLAG],
|
||||
[
|
||||
AC_MSG_CHECKING([$CC dependency flag])
|
||||
echo 'void f(){}' >conftest.c
|
||||
echo 'void f(void){}' >conftest.c
|
||||
if test "`$CC -MM conftest.c 2>&1`" = "conftest.o: conftest.c"; then
|
||||
DEPFLAG="-MM"
|
||||
else
|
||||
|
@ -272,7 +274,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAUL
|
|||
#include <getopt.h>
|
||||
#endif
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a;
|
||||
char **opts = NULL;
|
||||
struct timeval tv;
|
||||
|
@ -309,7 +311,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAUL
|
|||
#include <getopt.h>
|
||||
#endif
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a;
|
||||
char **opts = NULL;
|
||||
struct timeval tv;
|
||||
|
@ -335,7 +337,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG,
|
|||
[
|
||||
#include <stdbool.h>
|
||||
#include <ctype.h>
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a = 0;
|
||||
return a;
|
||||
}
|
||||
|
@ -345,7 +347,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D_BSD_SOURCE -D_DEFAULT_SOURCE,
|
|||
[
|
||||
#include <ctype.h>
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a;
|
||||
a = isascii(32);
|
||||
return a;
|
||||
|
@ -356,7 +358,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D_GNU_SOURCE,
|
|||
[
|
||||
#include <netinet/in.h>
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
struct in6_pktinfo inf;
|
||||
int a = (int)sizeof(inf);
|
||||
return a;
|
||||
|
@ -370,7 +372,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D_GNU_SOURCE -D_FRSRESGID,
|
|||
[
|
||||
#include <unistd.h>
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a = setresgid(0,0,0);
|
||||
a = setresuid(0,0,0);
|
||||
return a;
|
||||
|
@ -385,7 +387,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D_POSIX_C_SOURCE=200112,
|
|||
#endif
|
||||
#include <netdb.h>
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a = 0;
|
||||
char *t;
|
||||
time_t time = 0;
|
||||
|
@ -413,7 +415,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D__EXTENSIONS__,
|
|||
#include <getopt.h>
|
||||
#endif
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a;
|
||||
char **opts = NULL;
|
||||
struct timeval tv;
|
||||
|
@ -475,7 +477,7 @@ fi
|
|||
dnl Setup ATTR_FORMAT config.h parts.
|
||||
dnl make sure you call ACX_CHECK_FORMAT_ATTRIBUTE also.
|
||||
AC_DEFUN([AHX_CONFIG_FORMAT_ATTRIBUTE],
|
||||
[
|
||||
[
|
||||
#ifdef HAVE_ATTR_FORMAT
|
||||
# define ATTR_FORMAT(archetype, string_index, first_to_check) \
|
||||
__attribute__ ((format (archetype, string_index, first_to_check)))
|
||||
|
@ -834,7 +836,7 @@ dnl try to see if an additional _LARGEFILE_SOURCE 1 is needed to get fseeko
|
|||
ACX_CHECK_COMPILER_FLAG_NEEDED(-D_LARGEFILE_SOURCE=1,
|
||||
[
|
||||
#include <stdio.h>
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a = fseeko(stdin, 0, 0);
|
||||
return a;
|
||||
}
|
||||
|
@ -859,7 +861,7 @@ char* (*f) () = getaddrinfo;
|
|||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
int main() {
|
||||
int main(void) {
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
|
@ -923,7 +925,7 @@ cache=`echo $1 | sed 'y%.=/+-%___p_%'`
|
|||
AC_CACHE_VAL(cv_cc_deprecated_$cache,
|
||||
[
|
||||
echo '$3' >conftest.c
|
||||
echo 'void f(){ $2 }' >>conftest.c
|
||||
echo 'void f(void){ $2 }' >>conftest.c
|
||||
if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e unavailable`"; then
|
||||
eval "cv_cc_deprecated_$cache=no"
|
||||
else
|
||||
|
@ -1317,7 +1319,7 @@ AC_DEFUN([AHX_CONFIG_W32_FD_SET_T],
|
|||
#ifdef HAVE_WINSOCK2_H
|
||||
#define FD_SET_T (u_int)
|
||||
#else
|
||||
#define FD_SET_T
|
||||
#define FD_SET_T
|
||||
#endif
|
||||
])
|
||||
|
||||
|
@ -1355,7 +1357,7 @@ dnl $3: define value, 1
|
|||
AC_DEFUN([AHX_CONFIG_FLAG_OMITTED],
|
||||
[#if defined($1) && !defined($2)
|
||||
#define $2 $3
|
||||
[#]endif ])
|
||||
[#]endif])
|
||||
|
||||
dnl Wrapper for AHX_CONFIG_FLAG_OMITTED for -D style flags
|
||||
dnl $1: the -DNAME or -DNAME=value string.
|
||||
|
|
|
@ -17,33 +17,62 @@ AC_DEFUN([AC_PYTHON_DEVEL],[
|
|||
PYTHON_VERSION=`$PYTHON -c "import sys; \
|
||||
print(sys.version.split()[[0]])"`
|
||||
fi
|
||||
# calculate the version number components.
|
||||
[
|
||||
v="$PYTHON_VERSION"
|
||||
PYTHON_VERSION_MAJOR=`echo $v | sed 's/[^0-9].*//'`
|
||||
if test -z "$PYTHON_VERSION_MAJOR"; then PYTHON_VERSION_MAJOR="0"; fi
|
||||
v=`echo $v | sed -e 's/^[0-9]*$//' -e 's/[0-9]*[^0-9]//'`
|
||||
PYTHON_VERSION_MINOR=`echo $v | sed 's/[^0-9].*//'`
|
||||
if test -z "$PYTHON_VERSION_MINOR"; then PYTHON_VERSION_MINOR="0"; fi
|
||||
v=`echo $v | sed -e 's/^[0-9]*$//' -e 's/[0-9]*[^0-9]//'`
|
||||
PYTHON_VERSION_PATCH=`echo $v | sed 's/[^0-9].*//'`
|
||||
if test -z "$PYTHON_VERSION_PATCH"; then PYTHON_VERSION_PATCH="0"; fi
|
||||
]
|
||||
|
||||
# Check if you have sysconfig
|
||||
AC_MSG_CHECKING([for the sysconfig Python module])
|
||||
if ac_sysconfig_result=`$PYTHON -c "import sysconfig" 2>&1`; then
|
||||
# For some systems, sysconfig exists, but has the wrong paths,
|
||||
# on Debian 10, for python 2.7 and 3.7. So, we check the version,
|
||||
# and for older versions try distutils.sysconfig first. For newer
|
||||
# versions>=3.10, where distutils.sysconfig is deprecated, use
|
||||
# sysconfig first and then attempt the other one.
|
||||
py_distutils_first="no"
|
||||
if test $PYTHON_VERSION_MAJOR -lt 3; then
|
||||
py_distutils_first="yes"
|
||||
fi
|
||||
if test $PYTHON_VERSION_MAJOR -eq 3 -a $PYTHON_VERSION_MINOR -lt 10; then
|
||||
py_distutils_first="yes"
|
||||
fi
|
||||
|
||||
# Check if you have the first module
|
||||
if test "$py_distutils_first" = "yes"; then m="distutils"; else m="sysconfig"; fi
|
||||
sysconfig_module=""
|
||||
AC_MSG_CHECKING([for the $m Python module])
|
||||
if ac_modulecheck_result1=`$PYTHON -c "import $m" 2>&1`; then
|
||||
AC_MSG_RESULT([yes])
|
||||
sysconfig_module="sysconfig"
|
||||
# if yes, use sysconfig, because distutils is deprecated.
|
||||
sysconfig_module="$m"
|
||||
else
|
||||
AC_MSG_RESULT([no])
|
||||
# if no, try to use distutils
|
||||
fi
|
||||
|
||||
#
|
||||
# Check if you have distutils, else fail
|
||||
#
|
||||
AC_MSG_CHECKING([for the distutils Python package])
|
||||
if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then
|
||||
# if not found, try the other one.
|
||||
if test -z "$sysconfig_module"; then
|
||||
if test "$py_distutils_first" = "yes"; then m2="sysconfig"; else m2="distutils"; fi
|
||||
AC_MSG_CHECKING([for the $m2 Python module])
|
||||
if ac_modulecheck_result2=`$PYTHON -c "import $m2" 2>&1`; then
|
||||
AC_MSG_RESULT([yes])
|
||||
sysconfig_module="$m2"
|
||||
else
|
||||
AC_MSG_RESULT([no])
|
||||
AC_MSG_ERROR([cannot import Python module "distutils".
|
||||
Please check your Python installation. The error was:
|
||||
$ac_distutils_result])
|
||||
AC_MSG_ERROR([cannot import Python module "$m", or "$m2".
|
||||
Please check your Python installation. The errors are:
|
||||
$m
|
||||
$ac_modulecheck_result1
|
||||
$m2
|
||||
$ac_modulecheck_result2])
|
||||
PYTHON_VERSION=""
|
||||
fi
|
||||
|
||||
sysconfig_module="distutils.sysconfig"
|
||||
fi
|
||||
if test "$sysconfig_module" = "distutils"; then sysconfig_module="distutils.sysconfig"; fi
|
||||
|
||||
#
|
||||
# Check for Python include path
|
||||
|
|
|
@ -102,7 +102,6 @@ static int
|
|||
testframe_init(struct module_env* env, struct cachedb_env* cachedb_env)
|
||||
{
|
||||
struct testframe_moddata* d;
|
||||
(void)env;
|
||||
verbose(VERB_ALGO, "testframe_init");
|
||||
d = (struct testframe_moddata*)calloc(1,
|
||||
sizeof(struct testframe_moddata));
|
||||
|
@ -111,6 +110,15 @@ testframe_init(struct module_env* env, struct cachedb_env* cachedb_env)
|
|||
log_err("out of memory");
|
||||
return 0;
|
||||
}
|
||||
/* Register an EDNS option (65534) to bypass the worker cache lookup
|
||||
* for testing */
|
||||
if(!edns_register_option(LDNS_EDNS_UNBOUND_CACHEDB_TESTFRAME_TEST,
|
||||
1 /* bypass cache */,
|
||||
0 /* no aggregation */, env)) {
|
||||
log_err("testframe_init, could not register test opcode");
|
||||
free(d);
|
||||
return 0;
|
||||
}
|
||||
lock_basic_init(&d->lock);
|
||||
lock_protect(&d->lock, d, sizeof(*d));
|
||||
return 1;
|
||||
|
@ -218,6 +226,8 @@ static int
|
|||
cachedb_apply_cfg(struct cachedb_env* cachedb_env, struct config_file* cfg)
|
||||
{
|
||||
const char* backend_str = cfg->cachedb_backend;
|
||||
if(!backend_str || *backend_str==0)
|
||||
return 1;
|
||||
cachedb_env->backend = cachedb_find_backend(backend_str);
|
||||
if(!cachedb_env->backend) {
|
||||
log_err("cachedb: cannot find backend name '%s'", backend_str);
|
||||
|
@ -228,7 +238,7 @@ cachedb_apply_cfg(struct cachedb_env* cachedb_env, struct config_file* cfg)
|
|||
return 1;
|
||||
}
|
||||
|
||||
int
|
||||
int
|
||||
cachedb_init(struct module_env* env, int id)
|
||||
{
|
||||
struct cachedb_env* cachedb_env = (struct cachedb_env*)calloc(1,
|
||||
|
@ -267,19 +277,16 @@ cachedb_init(struct module_env* env, int id)
|
|||
return 1;
|
||||
}
|
||||
|
||||
void
|
||||
void
|
||||
cachedb_deinit(struct module_env* env, int id)
|
||||
{
|
||||
struct cachedb_env* cachedb_env;
|
||||
if(!env || !env->modinfo[id])
|
||||
return;
|
||||
cachedb_env = (struct cachedb_env*)env->modinfo[id];
|
||||
/* free contents */
|
||||
/* TODO */
|
||||
if(cachedb_env->enabled) {
|
||||
(*cachedb_env->backend->deinit)(env, cachedb_env);
|
||||
}
|
||||
|
||||
free(cachedb_env);
|
||||
env->modinfo[id] = NULL;
|
||||
}
|
||||
|
@ -406,6 +413,14 @@ prep_data(struct module_qstate* qstate, struct sldns_buffer* buf)
|
|||
if(qstate->return_msg->rep->ttl == 0 &&
|
||||
!qstate->env->cfg->serve_expired)
|
||||
return 0;
|
||||
|
||||
/* The EDE is added to the out-list so it is encoded in the cached message */
|
||||
if (qstate->env->cfg->ede && qstate->return_msg->rep->reason_bogus != LDNS_EDE_NONE) {
|
||||
edns_opt_list_append_ede(&edns.opt_list_out, qstate->env->scratch,
|
||||
qstate->return_msg->rep->reason_bogus,
|
||||
qstate->return_msg->rep->reason_bogus_str);
|
||||
}
|
||||
|
||||
if(verbosity >= VERB_ALGO)
|
||||
log_dns_msg("cachedb encoding", &qstate->return_msg->qinfo,
|
||||
qstate->return_msg->rep);
|
||||
|
@ -502,6 +517,7 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
|
|||
{
|
||||
struct msg_parse* prs;
|
||||
struct edns_data edns;
|
||||
struct edns_option* ede;
|
||||
uint64_t timestamp, expiry;
|
||||
time_t adjust;
|
||||
size_t lim = sldns_buffer_limit(buf);
|
||||
|
@ -539,6 +555,24 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
|
|||
if(!qstate->return_msg)
|
||||
return 0;
|
||||
|
||||
/* We find the EDE in the in-list after parsing */
|
||||
if(qstate->env->cfg->ede &&
|
||||
(ede = edns_opt_list_find(edns.opt_list_in, LDNS_EDNS_EDE))) {
|
||||
if(ede->opt_len >= 2) {
|
||||
qstate->return_msg->rep->reason_bogus =
|
||||
sldns_read_uint16(ede->opt_data);
|
||||
}
|
||||
/* allocate space and store the error string and it's size */
|
||||
if(ede->opt_len > 2) {
|
||||
size_t ede_len = ede->opt_len - 2;
|
||||
qstate->return_msg->rep->reason_bogus_str = regional_alloc(
|
||||
qstate->region, sizeof(char) * (ede_len+1));
|
||||
memcpy(qstate->return_msg->rep->reason_bogus_str,
|
||||
ede->opt_data+2, ede_len);
|
||||
qstate->return_msg->rep->reason_bogus_str[ede_len] = 0;
|
||||
}
|
||||
}
|
||||
|
||||
qstate->return_rcode = LDNS_RCODE_NOERROR;
|
||||
|
||||
/* see how much of the TTL expired, and remove it */
|
||||
|
@ -630,11 +664,15 @@ cachedb_extcache_store(struct module_qstate* qstate, struct cachedb_env* ie)
|
|||
* See if unbound's internal cache can answer the query
|
||||
*/
|
||||
static int
|
||||
cachedb_intcache_lookup(struct module_qstate* qstate)
|
||||
cachedb_intcache_lookup(struct module_qstate* qstate, struct cachedb_env* cde)
|
||||
{
|
||||
uint8_t* dpname=NULL;
|
||||
size_t dpnamelen=0;
|
||||
struct dns_msg* msg;
|
||||
/* for testframe bypass this lookup */
|
||||
if(cde->backend == &testframe_backend) {
|
||||
return 0;
|
||||
}
|
||||
if(iter_stub_fwd_no_cache(qstate, &qstate->qinfo,
|
||||
&dpname, &dpnamelen))
|
||||
return 0; /* no cache for these queries */
|
||||
|
@ -693,6 +731,7 @@ cachedb_handle_query(struct module_qstate* qstate,
|
|||
struct cachedb_qstate* ATTR_UNUSED(iq),
|
||||
struct cachedb_env* ie, int id)
|
||||
{
|
||||
qstate->is_cachedb_answer = 0;
|
||||
/* check if we are enabled, and skip if so */
|
||||
if(!ie->enabled) {
|
||||
/* pass request to next module */
|
||||
|
@ -709,7 +748,7 @@ cachedb_handle_query(struct module_qstate* qstate,
|
|||
|
||||
/* lookup inside unbound's internal cache.
|
||||
* This does not look for expired entries. */
|
||||
if(cachedb_intcache_lookup(qstate)) {
|
||||
if(cachedb_intcache_lookup(qstate, ie)) {
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
if(qstate->return_msg->rep)
|
||||
log_dns_msg("cachedb internal cache lookup",
|
||||
|
@ -746,6 +785,7 @@ cachedb_handle_query(struct module_qstate* qstate,
|
|||
qstate->ext_state[id] = module_wait_module;
|
||||
return;
|
||||
}
|
||||
qstate->is_cachedb_answer = 1;
|
||||
/* we are done with the query */
|
||||
qstate->ext_state[id] = module_finished;
|
||||
return;
|
||||
|
@ -768,6 +808,7 @@ static void
|
|||
cachedb_handle_response(struct module_qstate* qstate,
|
||||
struct cachedb_qstate* ATTR_UNUSED(iq), struct cachedb_env* ie, int id)
|
||||
{
|
||||
qstate->is_cachedb_answer = 0;
|
||||
/* check if we are not enabled or instructed to not cache, and skip */
|
||||
if(!ie->enabled || qstate->no_cache_store) {
|
||||
/* we are done with the query */
|
||||
|
|
|
@ -56,6 +56,8 @@ struct redis_moddata {
|
|||
int numctxs; /* number of ctx entries */
|
||||
const char* server_host; /* server's IP address or host name */
|
||||
int server_port; /* server's TCP port */
|
||||
const char* server_path; /* server's unix path, or "", NULL if unused */
|
||||
const char* server_password; /* server's AUTH password, or "", NULL if unused */
|
||||
struct timeval timeout; /* timeout for connection setup and commands */
|
||||
};
|
||||
|
||||
|
@ -67,8 +69,13 @@ redis_connect(const struct redis_moddata* moddata)
|
|||
{
|
||||
redisContext* ctx;
|
||||
|
||||
ctx = redisConnectWithTimeout(moddata->server_host,
|
||||
moddata->server_port, moddata->timeout);
|
||||
if(moddata->server_path && moddata->server_path[0]!=0) {
|
||||
ctx = redisConnectUnixWithTimeout(moddata->server_path,
|
||||
moddata->timeout);
|
||||
} else {
|
||||
ctx = redisConnectWithTimeout(moddata->server_host,
|
||||
moddata->server_port, moddata->timeout);
|
||||
}
|
||||
if(!ctx || ctx->err) {
|
||||
const char *errstr = "out of memory";
|
||||
if(ctx)
|
||||
|
@ -80,6 +87,17 @@ redis_connect(const struct redis_moddata* moddata)
|
|||
log_err("failed to set redis timeout");
|
||||
goto fail;
|
||||
}
|
||||
if(moddata->server_password && moddata->server_password[0]!=0) {
|
||||
redisReply* rep;
|
||||
rep = redisCommand(ctx, "AUTH %s", moddata->server_password);
|
||||
if(!rep || rep->type == REDIS_REPLY_ERROR) {
|
||||
log_err("failed to authenticate with password");
|
||||
freeReplyObject(rep);
|
||||
goto fail;
|
||||
}
|
||||
freeReplyObject(rep);
|
||||
}
|
||||
verbose(VERB_OPS, "Connection to Redis established");
|
||||
return ctx;
|
||||
|
||||
fail:
|
||||
|
@ -94,7 +112,7 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
|
|||
int i;
|
||||
struct redis_moddata* moddata = NULL;
|
||||
|
||||
verbose(VERB_ALGO, "redis_init");
|
||||
verbose(VERB_OPS, "Redis initialization");
|
||||
|
||||
moddata = calloc(1, sizeof(struct redis_moddata));
|
||||
if(!moddata) {
|
||||
|
@ -112,6 +130,8 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
|
|||
* we don't have to free it in this module. */
|
||||
moddata->server_host = env->cfg->redis_server_host;
|
||||
moddata->server_port = env->cfg->redis_server_port;
|
||||
moddata->server_path = env->cfg->redis_server_path;
|
||||
moddata->server_password = env->cfg->redis_server_password;
|
||||
moddata->timeout.tv_sec = env->cfg->redis_timeout / 1000;
|
||||
moddata->timeout.tv_usec = (env->cfg->redis_timeout % 1000) * 1000;
|
||||
for(i = 0; i < moddata->numctxs; i++)
|
||||
|
@ -154,7 +174,7 @@ redis_deinit(struct module_env* env, struct cachedb_env* cachedb_env)
|
|||
cachedb_env->backend_data;
|
||||
(void)env;
|
||||
|
||||
verbose(VERB_ALGO, "redis_deinit");
|
||||
verbose(VERB_OPS, "Redis deinitialization");
|
||||
|
||||
if(!moddata)
|
||||
return;
|
||||
|
|
|
@ -47,7 +47,7 @@
|
|||
#define SHA512_Update SHA512Update
|
||||
#define SHA512_Final SHA512Final
|
||||
#else
|
||||
#include "openssl/sha.h"
|
||||
#include <openssl/sha.h>
|
||||
#endif
|
||||
|
||||
#include <sys/vfs.h>
|
||||
|
|
51
contrib/unbound/config.guess
vendored
51
contrib/unbound/config.guess
vendored
|
@ -1,10 +1,10 @@
|
|||
#! /bin/sh
|
||||
# Attempt to guess a canonical system name.
|
||||
# Copyright 1992-2022 Free Software Foundation, Inc.
|
||||
# Copyright 1992-2023 Free Software Foundation, Inc.
|
||||
|
||||
# shellcheck disable=SC2006,SC2268 # see below for rationale
|
||||
|
||||
timestamp='2022-09-17'
|
||||
timestamp='2023-07-20'
|
||||
|
||||
# This file is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
|
@ -47,7 +47,7 @@ me=`echo "$0" | sed -e 's,.*/,,'`
|
|||
usage="\
|
||||
Usage: $0 [OPTION]
|
||||
|
||||
Output the configuration name of the system \`$me' is run on.
|
||||
Output the configuration name of the system '$me' is run on.
|
||||
|
||||
Options:
|
||||
-h, --help print this help, then exit
|
||||
|
@ -60,13 +60,13 @@ version="\
|
|||
GNU config.guess ($timestamp)
|
||||
|
||||
Originally written by Per Bothner.
|
||||
Copyright 1992-2022 Free Software Foundation, Inc.
|
||||
Copyright 1992-2023 Free Software Foundation, Inc.
|
||||
|
||||
This is free software; see the source for copying conditions. There is NO
|
||||
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
|
||||
|
||||
help="
|
||||
Try \`$me --help' for more information."
|
||||
Try '$me --help' for more information."
|
||||
|
||||
# Parse command line
|
||||
while test $# -gt 0 ; do
|
||||
|
@ -102,8 +102,8 @@ GUESS=
|
|||
# temporary files to be created and, as you can see below, it is a
|
||||
# headache to deal with in a portable fashion.
|
||||
|
||||
# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
|
||||
# use `HOST_CC' if defined, but it is deprecated.
|
||||
# Historically, 'CC_FOR_BUILD' used to be named 'HOST_CC'. We still
|
||||
# use 'HOST_CC' if defined, but it is deprecated.
|
||||
|
||||
# Portable tmp directory creation inspired by the Autoconf team.
|
||||
|
||||
|
@ -459,7 +459,7 @@ case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in
|
|||
UNAME_RELEASE=`uname -v`
|
||||
;;
|
||||
esac
|
||||
# Japanese Language versions have a version number like `4.1.3-JL'.
|
||||
# Japanese Language versions have a version number like '4.1.3-JL'.
|
||||
SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/-/_/'`
|
||||
GUESS=sparc-sun-sunos$SUN_REL
|
||||
;;
|
||||
|
@ -976,7 +976,27 @@ EOF
|
|||
GUESS=$UNAME_MACHINE-unknown-minix
|
||||
;;
|
||||
aarch64:Linux:*:*)
|
||||
GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
|
||||
set_cc_for_build
|
||||
CPU=$UNAME_MACHINE
|
||||
LIBCABI=$LIBC
|
||||
if test "$CC_FOR_BUILD" != no_compiler_found; then
|
||||
ABI=64
|
||||
sed 's/^ //' << EOF > "$dummy.c"
|
||||
#ifdef __ARM_EABI__
|
||||
#ifdef __ARM_PCS_VFP
|
||||
ABI=eabihf
|
||||
#else
|
||||
ABI=eabi
|
||||
#endif
|
||||
#endif
|
||||
EOF
|
||||
cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'`
|
||||
eval "$cc_set_abi"
|
||||
case $ABI in
|
||||
eabi | eabihf) CPU=armv8l; LIBCABI=$LIBC$ABI ;;
|
||||
esac
|
||||
fi
|
||||
GUESS=$CPU-unknown-linux-$LIBCABI
|
||||
;;
|
||||
aarch64_be:Linux:*:*)
|
||||
UNAME_MACHINE=aarch64_be
|
||||
|
@ -1042,6 +1062,15 @@ EOF
|
|||
k1om:Linux:*:*)
|
||||
GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
|
||||
;;
|
||||
kvx:Linux:*:*)
|
||||
GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
|
||||
;;
|
||||
kvx:cos:*:*)
|
||||
GUESS=$UNAME_MACHINE-unknown-cos
|
||||
;;
|
||||
kvx:mbr:*:*)
|
||||
GUESS=$UNAME_MACHINE-unknown-mbr
|
||||
;;
|
||||
loongarch32:Linux:*:* | loongarch64:Linux:*:*)
|
||||
GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
|
||||
;;
|
||||
|
@ -1197,7 +1226,7 @@ EOF
|
|||
GUESS=$UNAME_MACHINE-pc-sysv4.2uw$UNAME_VERSION
|
||||
;;
|
||||
i*86:OS/2:*:*)
|
||||
# If we were able to find `uname', then EMX Unix compatibility
|
||||
# If we were able to find 'uname', then EMX Unix compatibility
|
||||
# is probably installed.
|
||||
GUESS=$UNAME_MACHINE-pc-os2-emx
|
||||
;;
|
||||
|
@ -1338,7 +1367,7 @@ EOF
|
|||
GUESS=ns32k-sni-sysv
|
||||
fi
|
||||
;;
|
||||
PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
|
||||
PENTIUM:*:4.0*:*) # Unisys 'ClearPath HMP IX 4000' SVR4/MP effort
|
||||
# says <Richard.M.Bartel@ccMail.Census.GOV>
|
||||
GUESS=i586-unisys-sysv4
|
||||
;;
|
||||
|
|
|
@ -364,6 +364,9 @@
|
|||
/* Define if we have LibreSSL */
|
||||
#undef HAVE_LIBRESSL
|
||||
|
||||
/* Define to 1 if you have the <linux/net_tstamp.h> header file. */
|
||||
#undef HAVE_LINUX_NET_TSTAMP_H
|
||||
|
||||
/* Define to 1 if you have the `localtime_r' function. */
|
||||
#undef HAVE_LOCALTIME_R
|
||||
|
||||
|
@ -1068,39 +1071,39 @@
|
|||
|
||||
#if defined(OMITTED__D_GNU_SOURCE) && !defined(_GNU_SOURCE)
|
||||
#define _GNU_SOURCE 1
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(OMITTED__D_BSD_SOURCE) && !defined(_BSD_SOURCE)
|
||||
#define _BSD_SOURCE 1
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(OMITTED__D_DEFAULT_SOURCE) && !defined(_DEFAULT_SOURCE)
|
||||
#define _DEFAULT_SOURCE 1
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(OMITTED__D__EXTENSIONS__) && !defined(__EXTENSIONS__)
|
||||
#define __EXTENSIONS__ 1
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(OMITTED__D_POSIX_C_SOURCE_200112) && !defined(_POSIX_C_SOURCE)
|
||||
#define _POSIX_C_SOURCE 200112
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(OMITTED__D_XOPEN_SOURCE_600) && !defined(_XOPEN_SOURCE)
|
||||
#define _XOPEN_SOURCE 600
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(OMITTED__D_XOPEN_SOURCE_EXTENDED_1) && !defined(_XOPEN_SOURCE_EXTENDED)
|
||||
#define _XOPEN_SOURCE_EXTENDED 1
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(OMITTED__D_ALL_SOURCE) && !defined(_ALL_SOURCE)
|
||||
#define _ALL_SOURCE 1
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(OMITTED__D_LARGEFILE_SOURCE_1) && !defined(_LARGEFILE_SOURCE)
|
||||
#define _LARGEFILE_SOURCE 1
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
||||
|
||||
|
@ -1184,7 +1187,7 @@
|
|||
#endif
|
||||
|
||||
|
||||
|
||||
|
||||
#ifdef HAVE_ATTR_FORMAT
|
||||
# define ATTR_FORMAT(archetype, string_index, first_to_check) \
|
||||
__attribute__ ((format (archetype, string_index, first_to_check)))
|
||||
|
@ -1294,7 +1297,7 @@ void* reallocarray(void *ptr, size_t nmemb, size_t size);
|
|||
#ifdef HAVE_WINSOCK2_H
|
||||
#define FD_SET_T (u_int)
|
||||
#else
|
||||
#define FD_SET_T
|
||||
#define FD_SET_T
|
||||
#endif
|
||||
|
||||
|
||||
|
|
1456
contrib/unbound/config.h.in~
Normal file
1456
contrib/unbound/config.h.in~
Normal file
File diff suppressed because it is too large
Load diff
72
contrib/unbound/config.sub
vendored
72
contrib/unbound/config.sub
vendored
|
@ -1,10 +1,10 @@
|
|||
#! /bin/sh
|
||||
# Configuration validation subroutine script.
|
||||
# Copyright 1992-2022 Free Software Foundation, Inc.
|
||||
# Copyright 1992-2023 Free Software Foundation, Inc.
|
||||
|
||||
# shellcheck disable=SC2006,SC2268 # see below for rationale
|
||||
|
||||
timestamp='2022-09-17'
|
||||
timestamp='2023-07-31'
|
||||
|
||||
# This file is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
|
@ -76,13 +76,13 @@ Report bugs and patches to <config-patches@gnu.org>."
|
|||
version="\
|
||||
GNU config.sub ($timestamp)
|
||||
|
||||
Copyright 1992-2022 Free Software Foundation, Inc.
|
||||
Copyright 1992-2023 Free Software Foundation, Inc.
|
||||
|
||||
This is free software; see the source for copying conditions. There is NO
|
||||
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
|
||||
|
||||
help="
|
||||
Try \`$me --help' for more information."
|
||||
Try '$me --help' for more information."
|
||||
|
||||
# Parse command line
|
||||
while test $# -gt 0 ; do
|
||||
|
@ -130,7 +130,7 @@ IFS=$saved_IFS
|
|||
# Separate into logical components for further validation
|
||||
case $1 in
|
||||
*-*-*-*-*)
|
||||
echo Invalid configuration \`"$1"\': more than four components >&2
|
||||
echo "Invalid configuration '$1': more than four components" >&2
|
||||
exit 1
|
||||
;;
|
||||
*-*-*-*)
|
||||
|
@ -145,7 +145,8 @@ case $1 in
|
|||
nto-qnx* | linux-* | uclinux-uclibc* \
|
||||
| uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \
|
||||
| netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \
|
||||
| storm-chaos* | os2-emx* | rtmk-nova* | managarm-*)
|
||||
| storm-chaos* | os2-emx* | rtmk-nova* | managarm-* \
|
||||
| windows-* )
|
||||
basic_machine=$field1
|
||||
basic_os=$maybe_os
|
||||
;;
|
||||
|
@ -943,7 +944,7 @@ $basic_machine
|
|||
EOF
|
||||
IFS=$saved_IFS
|
||||
;;
|
||||
# We use `pc' rather than `unknown'
|
||||
# We use 'pc' rather than 'unknown'
|
||||
# because (1) that's what they normally are, and
|
||||
# (2) the word "unknown" tends to confuse beginning users.
|
||||
i*86 | x86_64)
|
||||
|
@ -1075,7 +1076,7 @@ case $cpu-$vendor in
|
|||
pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
|
||||
cpu=i586
|
||||
;;
|
||||
pentiumpro-* | p6-* | 6x86-* | athlon-* | athalon_*-*)
|
||||
pentiumpro-* | p6-* | 6x86-* | athlon-* | athlon_*-*)
|
||||
cpu=i686
|
||||
;;
|
||||
pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
|
||||
|
@ -1205,6 +1206,7 @@ case $cpu-$vendor in
|
|||
| i370 | i*86 | i860 | i960 | ia16 | ia64 \
|
||||
| ip2k | iq2000 \
|
||||
| k1om \
|
||||
| kvx \
|
||||
| le32 | le64 \
|
||||
| lm32 \
|
||||
| loongarch32 | loongarch64 \
|
||||
|
@ -1213,31 +1215,7 @@ case $cpu-$vendor in
|
|||
| m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x \
|
||||
| m88110 | m88k | maxq | mb | mcore | mep | metag \
|
||||
| microblaze | microblazeel \
|
||||
| mips | mipsbe | mipseb | mipsel | mipsle \
|
||||
| mips16 \
|
||||
| mips64 | mips64eb | mips64el \
|
||||
| mips64octeon | mips64octeonel \
|
||||
| mips64orion | mips64orionel \
|
||||
| mips64r5900 | mips64r5900el \
|
||||
| mips64vr | mips64vrel \
|
||||
| mips64vr4100 | mips64vr4100el \
|
||||
| mips64vr4300 | mips64vr4300el \
|
||||
| mips64vr5000 | mips64vr5000el \
|
||||
| mips64vr5900 | mips64vr5900el \
|
||||
| mipsisa32 | mipsisa32el \
|
||||
| mipsisa32r2 | mipsisa32r2el \
|
||||
| mipsisa32r3 | mipsisa32r3el \
|
||||
| mipsisa32r5 | mipsisa32r5el \
|
||||
| mipsisa32r6 | mipsisa32r6el \
|
||||
| mipsisa64 | mipsisa64el \
|
||||
| mipsisa64r2 | mipsisa64r2el \
|
||||
| mipsisa64r3 | mipsisa64r3el \
|
||||
| mipsisa64r5 | mipsisa64r5el \
|
||||
| mipsisa64r6 | mipsisa64r6el \
|
||||
| mipsisa64sb1 | mipsisa64sb1el \
|
||||
| mipsisa64sr71k | mipsisa64sr71kel \
|
||||
| mipsr5900 | mipsr5900el \
|
||||
| mipstx39 | mipstx39el \
|
||||
| mips* \
|
||||
| mmix \
|
||||
| mn10200 | mn10300 \
|
||||
| moxie \
|
||||
|
@ -1285,7 +1263,7 @@ case $cpu-$vendor in
|
|||
;;
|
||||
|
||||
*)
|
||||
echo Invalid configuration \`"$1"\': machine \`"$cpu-$vendor"\' not recognized 1>&2
|
||||
echo "Invalid configuration '$1': machine '$cpu-$vendor' not recognized" 1>&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
@ -1732,7 +1710,7 @@ case $os in
|
|||
| hpux* | unos* | osf* | luna* | dgux* | auroraux* | solaris* \
|
||||
| sym* | plan9* | psp* | sim* | xray* | os68k* | v88r* \
|
||||
| hiux* | abug | nacl* | netware* | windows* \
|
||||
| os9* | macos* | osx* | ios* \
|
||||
| os9* | macos* | osx* | ios* | tvos* | watchos* \
|
||||
| mpw* | magic* | mmixware* | mon960* | lnews* \
|
||||
| amigaos* | amigados* | msdos* | newsos* | unicos* | aof* \
|
||||
| aos* | aros* | cloudabi* | sortix* | twizzler* \
|
||||
|
@ -1758,7 +1736,7 @@ case $os in
|
|||
| onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \
|
||||
| midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \
|
||||
| nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr* \
|
||||
| fiwix* | mlibc* )
|
||||
| fiwix* | mlibc* | cos* | mbr* )
|
||||
;;
|
||||
# This one is extra strict with allowed versions
|
||||
sco3.2v2 | sco3.2v[4-9]* | sco5v6*)
|
||||
|
@ -1766,11 +1744,11 @@ case $os in
|
|||
;;
|
||||
none)
|
||||
;;
|
||||
kernel* )
|
||||
kernel* | msvc* )
|
||||
# Restricted further below
|
||||
;;
|
||||
*)
|
||||
echo Invalid configuration \`"$1"\': OS \`"$os"\' not recognized 1>&2
|
||||
echo "Invalid configuration '$1': OS '$os' not recognized" 1>&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
@ -1785,18 +1763,24 @@ case $kernel-$os in
|
|||
;;
|
||||
managarm-mlibc* | managarm-kernel* )
|
||||
;;
|
||||
windows*-gnu* | windows*-msvc*)
|
||||
;;
|
||||
-dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* | -mlibc* )
|
||||
# These are just libc implementations, not actual OSes, and thus
|
||||
# require a kernel.
|
||||
echo "Invalid configuration \`$1': libc \`$os' needs explicit kernel." 1>&2
|
||||
echo "Invalid configuration '$1': libc '$os' needs explicit kernel." 1>&2
|
||||
exit 1
|
||||
;;
|
||||
-kernel* )
|
||||
echo "Invalid configuration \`$1': \`$os' needs explicit kernel." 1>&2
|
||||
echo "Invalid configuration '$1': '$os' needs explicit kernel." 1>&2
|
||||
exit 1
|
||||
;;
|
||||
*-kernel* )
|
||||
echo "Invalid configuration \`$1': \`$kernel' does not support \`$os'." 1>&2
|
||||
echo "Invalid configuration '$1': '$kernel' does not support '$os'." 1>&2
|
||||
exit 1
|
||||
;;
|
||||
*-msvc* )
|
||||
echo "Invalid configuration '$1': '$os' needs 'windows'." 1>&2
|
||||
exit 1
|
||||
;;
|
||||
kfreebsd*-gnu* | kopensolaris*-gnu*)
|
||||
|
@ -1809,11 +1793,15 @@ case $kernel-$os in
|
|||
;;
|
||||
*-eabi* | *-gnueabi*)
|
||||
;;
|
||||
none-coff* | none-elf*)
|
||||
# None (no kernel, i.e. freestanding / bare metal),
|
||||
# can be paired with an output format "OS"
|
||||
;;
|
||||
-*)
|
||||
# Blank kernel with real OS is always fine.
|
||||
;;
|
||||
*-*)
|
||||
echo "Invalid configuration \`$1': Kernel \`$kernel' not known to work with OS \`$os'." 1>&2
|
||||
echo "Invalid configuration '$1': Kernel '$kernel' not known to work with OS '$os'." 1>&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
|
168
contrib/unbound/configure
vendored
168
contrib/unbound/configure
vendored
|
@ -1,6 +1,6 @@
|
|||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.17.1.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.18.0.
|
||||
#
|
||||
# Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
|
||||
#
|
||||
|
@ -591,8 +591,8 @@ MAKEFLAGS=
|
|||
# Identity of this package.
|
||||
PACKAGE_NAME='unbound'
|
||||
PACKAGE_TARNAME='unbound'
|
||||
PACKAGE_VERSION='1.17.1'
|
||||
PACKAGE_STRING='unbound 1.17.1'
|
||||
PACKAGE_VERSION='1.18.0'
|
||||
PACKAGE_STRING='unbound 1.18.0'
|
||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
|
||||
PACKAGE_URL=''
|
||||
|
||||
|
@ -1477,7 +1477,7 @@ if test "$ac_init_help" = "long"; then
|
|||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures unbound 1.17.1 to adapt to many kinds of systems.
|
||||
\`configure' configures unbound 1.18.0 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
|
@ -1543,7 +1543,7 @@ fi
|
|||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of unbound 1.17.1:";;
|
||||
short | recursive ) echo "Configuration of unbound 1.18.0:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
|
@ -1785,7 +1785,7 @@ fi
|
|||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
unbound configure 1.17.1
|
||||
unbound configure 1.18.0
|
||||
generated by GNU Autoconf 2.69
|
||||
|
||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
|
@ -2494,7 +2494,7 @@ cat >config.log <<_ACEOF
|
|||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by unbound $as_me 1.17.1, which was
|
||||
It was created by unbound $as_me 1.18.0, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
|
@ -2844,13 +2844,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
|
|||
|
||||
UNBOUND_VERSION_MAJOR=1
|
||||
|
||||
UNBOUND_VERSION_MINOR=17
|
||||
UNBOUND_VERSION_MINOR=18
|
||||
|
||||
UNBOUND_VERSION_MICRO=1
|
||||
UNBOUND_VERSION_MICRO=0
|
||||
|
||||
|
||||
LIBUNBOUND_CURRENT=9
|
||||
LIBUNBOUND_REVISION=21
|
||||
LIBUNBOUND_REVISION=22
|
||||
LIBUNBOUND_AGE=1
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
|
@ -2939,6 +2939,7 @@ LIBUNBOUND_AGE=1
|
|||
# 1.16.3 had 9:19:1
|
||||
# 1.17.0 had 9:20:1
|
||||
# 1.17.1 had 9:21:1
|
||||
# 1.18.0 had 9:22:1
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
|
@ -5145,7 +5146,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
|
|||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $CC dependency flag" >&5
|
||||
$as_echo_n "checking $CC dependency flag... " >&6; }
|
||||
echo 'void f(){}' >conftest.c
|
||||
echo 'void f(void){}' >conftest.c
|
||||
if test "`$CC -MM conftest.c 2>&1`" = "conftest.o: conftest.c"; then
|
||||
DEPFLAG="-MM"
|
||||
else
|
||||
|
@ -5327,7 +5328,7 @@ echo '
|
|||
#include <getopt.h>
|
||||
#endif
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a;
|
||||
char **opts = NULL;
|
||||
struct timeval tv;
|
||||
|
@ -5348,7 +5349,7 @@ int test() {
|
|||
return a;
|
||||
}
|
||||
' > conftest.c
|
||||
echo 'void f(){}' >>conftest.c
|
||||
echo 'void f(void){}' >>conftest.c
|
||||
if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
|
||||
eval "cv_prog_cc_flag_needed_$cache=no"
|
||||
else
|
||||
|
@ -5418,7 +5419,7 @@ echo '
|
|||
#include <getopt.h>
|
||||
#endif
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a;
|
||||
char **opts = NULL;
|
||||
struct timeval tv;
|
||||
|
@ -5439,7 +5440,7 @@ int test() {
|
|||
return a;
|
||||
}
|
||||
' > conftest.c
|
||||
echo 'void f(){}' >>conftest.c
|
||||
echo 'void f(void){}' >>conftest.c
|
||||
if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
|
||||
eval "cv_prog_cc_flag_needed_$cache=no"
|
||||
else
|
||||
|
@ -5498,12 +5499,12 @@ else
|
|||
echo '
|
||||
#include <stdbool.h>
|
||||
#include <ctype.h>
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a = 0;
|
||||
return a;
|
||||
}
|
||||
' > conftest.c
|
||||
echo 'void f(){}' >>conftest.c
|
||||
echo 'void f(void){}' >>conftest.c
|
||||
if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
|
||||
eval "cv_prog_cc_flag_needed_$cache=no"
|
||||
else
|
||||
|
@ -5562,13 +5563,13 @@ else
|
|||
echo '
|
||||
#include <ctype.h>
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a;
|
||||
a = isascii(32);
|
||||
return a;
|
||||
}
|
||||
' > conftest.c
|
||||
echo 'void f(){}' >>conftest.c
|
||||
echo 'void f(void){}' >>conftest.c
|
||||
if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
|
||||
eval "cv_prog_cc_flag_needed_$cache=no"
|
||||
else
|
||||
|
@ -5627,13 +5628,13 @@ else
|
|||
echo '
|
||||
#include <netinet/in.h>
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
struct in6_pktinfo inf;
|
||||
int a = (int)sizeof(inf);
|
||||
return a;
|
||||
}
|
||||
' > conftest.c
|
||||
echo 'void f(){}' >>conftest.c
|
||||
echo 'void f(void){}' >>conftest.c
|
||||
if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
|
||||
eval "cv_prog_cc_flag_needed_$cache=no"
|
||||
else
|
||||
|
@ -5695,13 +5696,13 @@ else
|
|||
echo '
|
||||
#include <unistd.h>
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a = setresgid(0,0,0);
|
||||
a = setresuid(0,0,0);
|
||||
return a;
|
||||
}
|
||||
' > conftest.c
|
||||
echo 'void f(){}' >>conftest.c
|
||||
echo 'void f(void){}' >>conftest.c
|
||||
if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
|
||||
eval "cv_prog_cc_flag_needed_$cache=no"
|
||||
else
|
||||
|
@ -5764,7 +5765,7 @@ echo '
|
|||
#endif
|
||||
#include <netdb.h>
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a = 0;
|
||||
char *t;
|
||||
time_t time = 0;
|
||||
|
@ -5777,7 +5778,7 @@ int test() {
|
|||
return a;
|
||||
}
|
||||
' > conftest.c
|
||||
echo 'void f(){}' >>conftest.c
|
||||
echo 'void f(void){}' >>conftest.c
|
||||
if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
|
||||
eval "cv_prog_cc_flag_needed_$cache=no"
|
||||
else
|
||||
|
@ -5846,7 +5847,7 @@ echo '
|
|||
#include <getopt.h>
|
||||
#endif
|
||||
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a;
|
||||
char **opts = NULL;
|
||||
struct timeval tv;
|
||||
|
@ -5859,7 +5860,7 @@ int test() {
|
|||
return a;
|
||||
}
|
||||
' > conftest.c
|
||||
echo 'void f(){}' >>conftest.c
|
||||
echo 'void f(void){}' >>conftest.c
|
||||
if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
|
||||
eval "cv_prog_cc_flag_needed_$cache=no"
|
||||
else
|
||||
|
@ -6610,6 +6611,11 @@ $as_echo "no" >&6; };
|
|||
fi
|
||||
|
||||
fi
|
||||
if test "$LEX" = "" -o "$LEX" = ":"; then
|
||||
if test ! -f util/configlexer.c; then
|
||||
as_fn_error $? "no lex and no util/configlexer.c: need flex and bison to compile from source repository." "$LINENO" 5
|
||||
fi
|
||||
fi
|
||||
for ac_prog in 'bison -y' byacc
|
||||
do
|
||||
# Extract the first word of "$ac_prog", so it can be a program name with args.
|
||||
|
@ -6653,6 +6659,11 @@ fi
|
|||
done
|
||||
test -n "$YACC" || YACC="yacc"
|
||||
|
||||
if test "$YACC" = "" -o "$YACC" = ":"; then
|
||||
if test ! -f util/configparser.c; then
|
||||
as_fn_error $? "no yacc and no util/configparser.c: need flex and bison to compile from source repository." "$LINENO" 5
|
||||
fi
|
||||
fi
|
||||
# Extract the first word of "doxygen", so it can be a program name with args.
|
||||
set dummy doxygen; ac_word=$2
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
|
@ -14877,6 +14888,21 @@ fi
|
|||
done
|
||||
|
||||
|
||||
# Check for Linux timestamping headers
|
||||
for ac_header in linux/net_tstamp.h
|
||||
do :
|
||||
ac_fn_c_check_header_compile "$LINENO" "linux/net_tstamp.h" "ac_cv_header_linux_net_tstamp_h" "$ac_includes_default
|
||||
"
|
||||
if test "x$ac_cv_header_linux_net_tstamp_h" = xyes; then :
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_LINUX_NET_TSTAMP_H 1
|
||||
_ACEOF
|
||||
|
||||
fi
|
||||
|
||||
done
|
||||
|
||||
|
||||
# check for types.
|
||||
# Using own tests for int64* because autoconf builtin only give 32bit.
|
||||
ac_fn_c_check_type "$LINENO" "int8_t" "ac_cv_type_int8_t" "$ac_includes_default"
|
||||
|
@ -15954,12 +15980,12 @@ else
|
|||
|
||||
echo '
|
||||
#include <stdio.h>
|
||||
int test() {
|
||||
int test(void) {
|
||||
int a = fseeko(stdin, 0, 0);
|
||||
return a;
|
||||
}
|
||||
' > conftest.c
|
||||
echo 'void f(){}' >>conftest.c
|
||||
echo 'void f(void){}' >>conftest.c
|
||||
if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
|
||||
eval "cv_prog_cc_flag_needed_$cache=no"
|
||||
else
|
||||
|
@ -17541,39 +17567,68 @@ fi
|
|||
PYTHON_VERSION=`$PYTHON -c "import sys; \
|
||||
print(sys.version.split()[0])"`
|
||||
fi
|
||||
# calculate the version number components.
|
||||
|
||||
# Check if you have sysconfig
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for the sysconfig Python module" >&5
|
||||
$as_echo_n "checking for the sysconfig Python module... " >&6; }
|
||||
if ac_sysconfig_result=`$PYTHON -c "import sysconfig" 2>&1`; then
|
||||
v="$PYTHON_VERSION"
|
||||
PYTHON_VERSION_MAJOR=`echo $v | sed 's/[^0-9].*//'`
|
||||
if test -z "$PYTHON_VERSION_MAJOR"; then PYTHON_VERSION_MAJOR="0"; fi
|
||||
v=`echo $v | sed -e 's/^[0-9]*$//' -e 's/[0-9]*[^0-9]//'`
|
||||
PYTHON_VERSION_MINOR=`echo $v | sed 's/[^0-9].*//'`
|
||||
if test -z "$PYTHON_VERSION_MINOR"; then PYTHON_VERSION_MINOR="0"; fi
|
||||
v=`echo $v | sed -e 's/^[0-9]*$//' -e 's/[0-9]*[^0-9]//'`
|
||||
PYTHON_VERSION_PATCH=`echo $v | sed 's/[^0-9].*//'`
|
||||
if test -z "$PYTHON_VERSION_PATCH"; then PYTHON_VERSION_PATCH="0"; fi
|
||||
|
||||
|
||||
# For some systems, sysconfig exists, but has the wrong paths,
|
||||
# on Debian 10, for python 2.7 and 3.7. So, we check the version,
|
||||
# and for older versions try distutils.sysconfig first. For newer
|
||||
# versions>=3.10, where distutils.sysconfig is deprecated, use
|
||||
# sysconfig first and then attempt the other one.
|
||||
py_distutils_first="no"
|
||||
if test $PYTHON_VERSION_MAJOR -lt 3; then
|
||||
py_distutils_first="yes"
|
||||
fi
|
||||
if test $PYTHON_VERSION_MAJOR -eq 3 -a $PYTHON_VERSION_MINOR -lt 10; then
|
||||
py_distutils_first="yes"
|
||||
fi
|
||||
|
||||
# Check if you have the first module
|
||||
if test "$py_distutils_first" = "yes"; then m="distutils"; else m="sysconfig"; fi
|
||||
sysconfig_module=""
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for the $m Python module" >&5
|
||||
$as_echo_n "checking for the $m Python module... " >&6; }
|
||||
if ac_modulecheck_result1=`$PYTHON -c "import $m" 2>&1`; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
sysconfig_module="sysconfig"
|
||||
# if yes, use sysconfig, because distutils is deprecated.
|
||||
sysconfig_module="$m"
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
# if no, try to use distutils
|
||||
fi
|
||||
|
||||
#
|
||||
# Check if you have distutils, else fail
|
||||
#
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for the distutils Python package" >&5
|
||||
$as_echo_n "checking for the distutils Python package... " >&6; }
|
||||
if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then
|
||||
# if not found, try the other one.
|
||||
if test -z "$sysconfig_module"; then
|
||||
if test "$py_distutils_first" = "yes"; then m2="sysconfig"; else m2="distutils"; fi
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for the $m2 Python module" >&5
|
||||
$as_echo_n "checking for the $m2 Python module... " >&6; }
|
||||
if ac_modulecheck_result2=`$PYTHON -c "import $m2" 2>&1`; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
sysconfig_module="$m2"
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
as_fn_error $? "cannot import Python module \"distutils\".
|
||||
Please check your Python installation. The error was:
|
||||
$ac_distutils_result" "$LINENO" 5
|
||||
as_fn_error $? "cannot import Python module \"$m\", or \"$m2\".
|
||||
Please check your Python installation. The errors are:
|
||||
$m
|
||||
$ac_modulecheck_result1
|
||||
$m2
|
||||
$ac_modulecheck_result2" "$LINENO" 5
|
||||
PYTHON_VERSION=""
|
||||
fi
|
||||
|
||||
sysconfig_module="distutils.sysconfig"
|
||||
fi
|
||||
if test "$sysconfig_module" = "distutils"; then sysconfig_module="distutils.sysconfig"; fi
|
||||
|
||||
#
|
||||
# Check for Python include path
|
||||
|
@ -17705,7 +17760,14 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
|
|||
#
|
||||
|
||||
if test ! -z "$PYTHON_VERSION"; then
|
||||
if test `$PYTHON -c "print('$PYTHON_VERSION' >= '2.4.0')"` = "False"; then
|
||||
badversion="no"
|
||||
if test "$PYTHON_VERSION_MAJOR" -lt 2; then
|
||||
badversion="yes"
|
||||
fi
|
||||
if test "$PYTHON_VERSION_MAJOR" -eq 2 -a "$PYTHON_VERSION_MINOR" -lt 4; then
|
||||
badversion="yes"
|
||||
fi
|
||||
if test "$badversion" = "yes"; then
|
||||
as_fn_error $? "Python version >= 2.4.0 is required" "$LINENO" 5
|
||||
fi
|
||||
|
||||
|
@ -20174,7 +20236,7 @@ char* (*f) () = getaddrinfo;
|
|||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
int main() {
|
||||
int main(void) {
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
|
@ -20448,7 +20510,7 @@ echo '
|
|||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
' >conftest.c
|
||||
echo 'void f(){ (void)daemon(0, 0); }' >>conftest.c
|
||||
echo 'void f(void){ (void)daemon(0, 0); }' >>conftest.c
|
||||
if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e unavailable`"; then
|
||||
eval "cv_cc_deprecated_$cache=no"
|
||||
else
|
||||
|
@ -22086,7 +22148,7 @@ _ACEOF
|
|||
|
||||
|
||||
|
||||
version=1.17.1
|
||||
version=1.18.0
|
||||
|
||||
date=`date +'%b %e, %Y'`
|
||||
|
||||
|
@ -22605,7 +22667,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
|||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by unbound $as_me 1.17.1, which was
|
||||
This file was extended by unbound $as_me 1.18.0, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
|
@ -22671,7 +22733,7 @@ _ACEOF
|
|||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||
ac_cs_version="\\
|
||||
unbound config.status 1.17.1
|
||||
unbound config.status 1.18.0
|
||||
configured by $0, generated by GNU Autoconf 2.69,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
|
|
@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4)
|
|||
|
||||
# must be numbers. ac_defun because of later processing
|
||||
m4_define([VERSION_MAJOR],[1])
|
||||
m4_define([VERSION_MINOR],[17])
|
||||
m4_define([VERSION_MICRO],[1])
|
||||
m4_define([VERSION_MINOR],[18])
|
||||
m4_define([VERSION_MICRO],[0])
|
||||
AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
|
||||
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
|
||||
|
||||
LIBUNBOUND_CURRENT=9
|
||||
LIBUNBOUND_REVISION=21
|
||||
LIBUNBOUND_REVISION=22
|
||||
LIBUNBOUND_AGE=1
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
|
@ -107,6 +107,7 @@ LIBUNBOUND_AGE=1
|
|||
# 1.16.3 had 9:19:1
|
||||
# 1.17.0 had 9:20:1
|
||||
# 1.17.1 had 9:21:1
|
||||
# 1.18.0 had 9:22:1
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
|
@ -156,7 +157,7 @@ esac
|
|||
|
||||
# are we on MinGW?
|
||||
if uname -s 2>&1 | grep MINGW >/dev/null; then on_mingw="yes"
|
||||
else
|
||||
else
|
||||
if echo $host | grep mingw >/dev/null; then on_mingw="yes"
|
||||
else on_mingw="no"; fi
|
||||
fi
|
||||
|
@ -185,9 +186,9 @@ ub_conf_dir=`AS_DIRNAME(["$ub_conf_file"])`
|
|||
AC_SUBST(ub_conf_dir)
|
||||
|
||||
# Determine run, chroot directory and pidfile locations
|
||||
AC_ARG_WITH(run-dir,
|
||||
AS_HELP_STRING([--with-run-dir=path],[set default directory to chdir to (by default dir part of cfg file)]),
|
||||
UNBOUND_RUN_DIR="$withval",
|
||||
AC_ARG_WITH(run-dir,
|
||||
AS_HELP_STRING([--with-run-dir=path],[set default directory to chdir to (by default dir part of cfg file)]),
|
||||
UNBOUND_RUN_DIR="$withval",
|
||||
if test $on_mingw = no; then
|
||||
UNBOUND_RUN_DIR=`dirname "$ub_conf_file"`
|
||||
else
|
||||
|
@ -198,9 +199,9 @@ AC_SUBST(UNBOUND_RUN_DIR)
|
|||
ACX_ESCAPE_BACKSLASH($UNBOUND_RUN_DIR, hdr_run)
|
||||
AC_DEFINE_UNQUOTED(RUN_DIR, ["$hdr_run"], [Directory to chdir to])
|
||||
|
||||
AC_ARG_WITH(chroot-dir,
|
||||
AS_HELP_STRING([--with-chroot-dir=path],[set default directory to chroot to (by default same as run-dir)]),
|
||||
UNBOUND_CHROOT_DIR="$withval",
|
||||
AC_ARG_WITH(chroot-dir,
|
||||
AS_HELP_STRING([--with-chroot-dir=path],[set default directory to chroot to (by default same as run-dir)]),
|
||||
UNBOUND_CHROOT_DIR="$withval",
|
||||
if test $on_mingw = no; then
|
||||
UNBOUND_CHROOT_DIR="$UNBOUND_RUN_DIR"
|
||||
else
|
||||
|
@ -218,9 +219,9 @@ AC_ARG_WITH(share-dir,
|
|||
AC_SUBST(UNBOUND_SHARE_DIR)
|
||||
AC_DEFINE_UNQUOTED(SHARE_DIR, ["$UNBOUND_SHARE_DIR"], [Shared data])
|
||||
|
||||
AC_ARG_WITH(pidfile,
|
||||
AS_HELP_STRING([--with-pidfile=filename],[set default pathname to unbound pidfile (default run-dir/unbound.pid)]),
|
||||
UNBOUND_PIDFILE="$withval",
|
||||
AC_ARG_WITH(pidfile,
|
||||
AS_HELP_STRING([--with-pidfile=filename],[set default pathname to unbound pidfile (default run-dir/unbound.pid)]),
|
||||
UNBOUND_PIDFILE="$withval",
|
||||
if test $on_mingw = no; then
|
||||
UNBOUND_PIDFILE="$UNBOUND_RUN_DIR/unbound.pid"
|
||||
else
|
||||
|
@ -231,9 +232,9 @@ AC_SUBST(UNBOUND_PIDFILE)
|
|||
ACX_ESCAPE_BACKSLASH($UNBOUND_PIDFILE, hdr_pid)
|
||||
AC_DEFINE_UNQUOTED(PIDFILE, ["$hdr_pid"], [default pidfile location])
|
||||
|
||||
AC_ARG_WITH(rootkey-file,
|
||||
AS_HELP_STRING([--with-rootkey-file=filename],[set default pathname to root key file (default run-dir/root.key). This file is read and written.]),
|
||||
UNBOUND_ROOTKEY_FILE="$withval",
|
||||
AC_ARG_WITH(rootkey-file,
|
||||
AS_HELP_STRING([--with-rootkey-file=filename],[set default pathname to root key file (default run-dir/root.key). This file is read and written.]),
|
||||
UNBOUND_ROOTKEY_FILE="$withval",
|
||||
if test $on_mingw = no; then
|
||||
UNBOUND_ROOTKEY_FILE="$UNBOUND_RUN_DIR/root.key"
|
||||
else
|
||||
|
@ -244,9 +245,9 @@ AC_SUBST(UNBOUND_ROOTKEY_FILE)
|
|||
ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTKEY_FILE, hdr_rkey)
|
||||
AC_DEFINE_UNQUOTED(ROOT_ANCHOR_FILE, ["$hdr_rkey"], [default rootkey location])
|
||||
|
||||
AC_ARG_WITH(rootcert-file,
|
||||
AS_HELP_STRING([--with-rootcert-file=filename],[set default pathname to root update certificate file (default run-dir/icannbundle.pem). This file need not exist if you are content with the builtin.]),
|
||||
UNBOUND_ROOTCERT_FILE="$withval",
|
||||
AC_ARG_WITH(rootcert-file,
|
||||
AS_HELP_STRING([--with-rootcert-file=filename],[set default pathname to root update certificate file (default run-dir/icannbundle.pem). This file need not exist if you are content with the builtin.]),
|
||||
UNBOUND_ROOTCERT_FILE="$withval",
|
||||
if test $on_mingw = no; then
|
||||
UNBOUND_ROOTCERT_FILE="$UNBOUND_RUN_DIR/icannbundle.pem"
|
||||
else
|
||||
|
@ -257,9 +258,9 @@ AC_SUBST(UNBOUND_ROOTCERT_FILE)
|
|||
ACX_ESCAPE_BACKSLASH($UNBOUND_ROOTCERT_FILE, hdr_rpem)
|
||||
AC_DEFINE_UNQUOTED(ROOT_CERT_FILE, ["$hdr_rpem"], [default rootcert location])
|
||||
|
||||
AC_ARG_WITH(username,
|
||||
AS_HELP_STRING([--with-username=user],[set default user that unbound changes to (default user is unbound)]),
|
||||
UNBOUND_USERNAME="$withval",
|
||||
AC_ARG_WITH(username,
|
||||
AS_HELP_STRING([--with-username=user],[set default user that unbound changes to (default user is unbound)]),
|
||||
UNBOUND_USERNAME="$withval",
|
||||
UNBOUND_USERNAME="unbound")
|
||||
AC_SUBST(UNBOUND_USERNAME)
|
||||
AC_DEFINE_UNQUOTED(UB_USERNAME, ["$UNBOUND_USERNAME"], [default username])
|
||||
|
@ -285,7 +286,7 @@ ACX_DETERMINE_EXT_FLAGS_UNBOUND
|
|||
# debug mode flags warnings
|
||||
AC_ARG_ENABLE(checking, AS_HELP_STRING([--enable-checking],[Enable warnings, asserts, makefile-dependencies]))
|
||||
AC_ARG_ENABLE(debug, AS_HELP_STRING([--enable-debug],[same as enable-checking]))
|
||||
if test "$enable_debug" = "yes"; then debug_enabled="$enable_debug";
|
||||
if test "$enable_debug" = "yes"; then debug_enabled="$enable_debug";
|
||||
else debug_enabled="$enable_checking"; fi
|
||||
AC_SUBST(debug_enabled)
|
||||
case "$debug_enabled" in
|
||||
|
@ -388,7 +389,17 @@ fi
|
|||
if test "$LEX" != "" -a "$LEX" != ":"; then
|
||||
ACX_YYLEX_OPTION
|
||||
fi
|
||||
if test "$LEX" = "" -o "$LEX" = ":"; then
|
||||
if test ! -f util/configlexer.c; then
|
||||
AC_MSG_ERROR([no lex and no util/configlexer.c: need flex and bison to compile from source repository.])
|
||||
fi
|
||||
fi
|
||||
AC_PROG_YACC
|
||||
if test "$YACC" = "" -o "$YACC" = ":"; then
|
||||
if test ! -f util/configparser.c; then
|
||||
AC_MSG_ERROR([no yacc and no util/configparser.c: need flex and bison to compile from source repository.])
|
||||
fi
|
||||
fi
|
||||
AC_CHECK_PROG(doxygen, doxygen, doxygen)
|
||||
AC_CHECK_TOOL(STRIP, strip)
|
||||
ACX_LIBTOOL_C_ONLY
|
||||
|
@ -453,6 +464,9 @@ AC_CHECK_HEADERS([netioapi.h],,, [AC_INCLUDES_DEFAULT
|
|||
#endif
|
||||
])
|
||||
|
||||
# Check for Linux timestamping headers
|
||||
AC_CHECK_HEADERS([linux/net_tstamp.h],,, [AC_INCLUDES_DEFAULT])
|
||||
|
||||
# check for types.
|
||||
# Using own tests for int64* because autoconf builtin only give 32bit.
|
||||
AC_CHECK_TYPE(int8_t, signed char)
|
||||
|
@ -548,11 +562,11 @@ sinclude(systemd.m4)
|
|||
# Include systemd.m4 - end
|
||||
|
||||
# set memory allocation checking if requested
|
||||
AC_ARG_ENABLE(alloc-checks, AS_HELP_STRING([--enable-alloc-checks],[ enable to memory allocation statistics, for debug purposes ]),
|
||||
AC_ARG_ENABLE(alloc-checks, AS_HELP_STRING([--enable-alloc-checks],[ enable to memory allocation statistics, for debug purposes ]),
|
||||
, )
|
||||
AC_ARG_ENABLE(alloc-lite, AS_HELP_STRING([--enable-alloc-lite],[ enable for lightweight alloc assertions, for debug purposes ]),
|
||||
AC_ARG_ENABLE(alloc-lite, AS_HELP_STRING([--enable-alloc-lite],[ enable for lightweight alloc assertions, for debug purposes ]),
|
||||
, )
|
||||
AC_ARG_ENABLE(alloc-nonregional, AS_HELP_STRING([--enable-alloc-nonregional],[ enable nonregional allocs, slow but exposes regional allocations to other memory purifiers, for debug purposes ]),
|
||||
AC_ARG_ENABLE(alloc-nonregional, AS_HELP_STRING([--enable-alloc-nonregional],[ enable nonregional allocs, slow but exposes regional allocations to other memory purifiers, for debug purposes ]),
|
||||
, )
|
||||
if test x_$enable_alloc_nonregional = x_yes; then
|
||||
AC_DEFINE(UNBOUND_ALLOC_NONREGIONAL, 1, [use malloc not regions, for debug use])
|
||||
|
@ -585,7 +599,7 @@ if test "$on_mingw" = "yes"; then
|
|||
])],
|
||||
AC_MSG_RESULT(yes)
|
||||
AC_DEFINE(HAVE_WINDOWS_THREADS, 1, [Using Windows threads])
|
||||
,
|
||||
,
|
||||
AC_MSG_RESULT(no)
|
||||
)
|
||||
|
||||
|
@ -596,7 +610,7 @@ else
|
|||
# check this first, so that the pthread lib does not get linked in via
|
||||
# libssl or libpython, and thus distorts the tests, and we end up using
|
||||
# the non-threadsafe C libraries.
|
||||
AC_ARG_WITH(pthreads, AS_HELP_STRING([--with-pthreads],[use pthreads library, or --without-pthreads to disable threading support.]),
|
||||
AC_ARG_WITH(pthreads, AS_HELP_STRING([--with-pthreads],[use pthreads library, or --without-pthreads to disable threading support.]),
|
||||
[ ],[ withval="yes" ])
|
||||
ub_have_pthreads=no
|
||||
if test x_$withval != x_no; then
|
||||
|
@ -623,7 +637,7 @@ int main(void) {return 0;}
|
|||
# first compile
|
||||
echo "$CC $CFLAGS -c conftest.c -o conftest.o" >&AS_MESSAGE_LOG_FD
|
||||
$CC $CFLAGS -c conftest.c -o conftest.o 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD
|
||||
if test $? = 0; then
|
||||
if test $? = 0; then
|
||||
# then link
|
||||
echo "$CC $CFLAGS -Werror $LDFLAGS $LIBS -o conftest contest.o" >&AS_MESSAGE_LOG_FD
|
||||
$CC $CFLAGS -Werror $LDFLAGS $LIBS -o conftest conftest.o 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD
|
||||
|
@ -644,7 +658,7 @@ int main(void) {return 0;}
|
|||
])
|
||||
fi
|
||||
|
||||
# check solaris thread library
|
||||
# check solaris thread library
|
||||
AC_ARG_WITH(solaris-threads, AS_HELP_STRING([--with-solaris-threads],[use solaris native thread library.]), [ ],[ withval="no" ])
|
||||
ub_have_sol_threads=no
|
||||
if test x_$withval != x_no; then
|
||||
|
@ -658,8 +672,8 @@ if test x_$withval != x_no; then
|
|||
ACX_CHECK_COMPILER_FLAG(mt, [CFLAGS="$CFLAGS -mt"],
|
||||
[CFLAGS="$CFLAGS -D_REENTRANT"])
|
||||
ub_have_sol_threads=yes
|
||||
] , [
|
||||
AC_MSG_ERROR([no solaris threads found.])
|
||||
] , [
|
||||
AC_MSG_ERROR([no solaris threads found.])
|
||||
])
|
||||
fi
|
||||
fi
|
||||
|
@ -734,7 +748,14 @@ if test x_$ub_test_python != x_no; then
|
|||
ac_save_LIBS="$LIBS" dnl otherwise AC_PYTHON_DEVEL thrashes $LIBS
|
||||
AC_PYTHON_DEVEL
|
||||
if test ! -z "$PYTHON_VERSION"; then
|
||||
if test `$PYTHON -c "print('$PYTHON_VERSION' >= '2.4.0')"` = "False"; then
|
||||
badversion="no"
|
||||
if test "$PYTHON_VERSION_MAJOR" -lt 2; then
|
||||
badversion="yes"
|
||||
fi
|
||||
if test "$PYTHON_VERSION_MAJOR" -eq 2 -a "$PYTHON_VERSION_MINOR" -lt 4; then
|
||||
badversion="yes"
|
||||
fi
|
||||
if test "$badversion" = "yes"; then
|
||||
AC_MSG_ERROR([Python version >= 2.4.0 is required])
|
||||
fi
|
||||
|
||||
|
@ -1085,7 +1106,7 @@ int load_gost_id(void)
|
|||
EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
|
||||
return gost_id;
|
||||
}
|
||||
int main(void) {
|
||||
int main(void) {
|
||||
EVP_MD_CTX* ctx;
|
||||
const EVP_MD* md;
|
||||
unsigned char digest[64]; /* its a 256-bit digest, so uses 32 bytes */
|
||||
|
@ -1529,7 +1550,7 @@ if test x_$enable_fully_static = x_yes; then
|
|||
fi
|
||||
|
||||
# set lock checking if requested
|
||||
AC_ARG_ENABLE(lock_checks, AS_HELP_STRING([--enable-lock-checks],[ enable to check lock and unlock calls, for debug purposes ]),
|
||||
AC_ARG_ENABLE(lock_checks, AS_HELP_STRING([--enable-lock-checks],[ enable to check lock and unlock calls, for debug purposes ]),
|
||||
, )
|
||||
if test x_$enable_lock_checks = x_yes; then
|
||||
AC_DEFINE(ENABLE_LOCK_CHECKS, 1, [Define if you want to use debug lock checking (slow).])
|
||||
|
@ -1980,11 +2001,11 @@ AC_ARG_WITH(libunbound-only, AS_HELP_STRING([--with-libunbound-only],[do not bui
|
|||
fi
|
||||
])
|
||||
if test $ALLTARGET = "alltargets"; then
|
||||
if test $USE_NSS = "yes"; then
|
||||
AC_MSG_ERROR([--with-nss can only be used in combination with --with-libunbound-only.])
|
||||
if test $USE_NSS = "yes"; then
|
||||
AC_MSG_ERROR([--with-nss can only be used in combination with --with-libunbound-only.])
|
||||
fi
|
||||
if test $USE_NETTLE = "yes"; then
|
||||
AC_MSG_ERROR([--with-nettle can only be used in combination with --with-libunbound-only.])
|
||||
AC_MSG_ERROR([--with-nettle can only be used in combination with --with-libunbound-only.])
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -1995,7 +2016,7 @@ ACX_STRIP_EXT_FLAGS
|
|||
if test -n "$LATE_LDFLAGS"; then
|
||||
LDFLAGS="$LATE_LDFLAGS $LDFLAGS"
|
||||
fi
|
||||
# remove start spaces
|
||||
# remove start spaces
|
||||
LDFLAGS=`echo "$LDFLAGS"|sed -e 's/^ *//'`
|
||||
LIBS=`echo "$LIBS"|sed -e 's/^ *//'`
|
||||
|
||||
|
|
|
@ -1,10 +1,8 @@
|
|||
FROM gcc:latest
|
||||
WORKDIR /usr/src/unbound
|
||||
RUN apt-get update
|
||||
# install semantic parser & lexical analyzer
|
||||
RUN apt-get install -y bison flex
|
||||
# install packages used in tests
|
||||
RUN apt-get install -y ldnsutils dnsutils xxd splint doxygen netcat
|
||||
RUN apt-get update && apt-get install -y bison flex ldnsutils dnsutils xxd splint doxygen netcat-openbsd
|
||||
# accept short rsa keys, which are used in tests
|
||||
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf
|
||||
|
||||
|
|
|
@ -55,3 +55,6 @@ distribution but may be helpful.
|
|||
contributed by Andreas Schulze.
|
||||
* metrics.awk: awk script that can convert unbound-control stats to
|
||||
Prometheus metrics format output.
|
||||
* unbound.init_yocto: An init script to start and stop the server. Put it
|
||||
in /etc/init.d/unbound to use it. It is for the Yocto Project, in
|
||||
embedded systems, contributed by beni-sandu.
|
||||
|
|
|
@ -105,9 +105,9 @@ index 2482a1f4..bd5ba243 100644
|
|||
--- a/iterator/iter_utils.c
|
||||
+++ b/iterator/iter_utils.c
|
||||
@@ -177,6 +177,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
|
||||
iter_env->supports_ipv6 = cfg->do_ip6;
|
||||
iter_env->supports_ipv4 = cfg->do_ip4;
|
||||
iter_env->outbound_msg_retry = cfg->outbound_msg_retry;
|
||||
iter_env->max_sent_count = cfg->max_sent_count;
|
||||
iter_env->max_query_restarts = cfg->max_query_restarts;
|
||||
+ iter_env->aaaa_filter = cfg->aaaa_filter;
|
||||
return 1;
|
||||
}
|
||||
|
|
139
contrib/unbound/contrib/unbound.init_yocto
Normal file
139
contrib/unbound/contrib/unbound.init_yocto
Normal file
|
@ -0,0 +1,139 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# unbound This shell script takes care of starting and stopping
|
||||
# unbound (DNS server).
|
||||
#
|
||||
# chkconfig: - 14 86
|
||||
# description: unbound is a Domain Name Server (DNS) \
|
||||
# that is used to resolve host names to IP addresses.
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: $named unbound
|
||||
# Required-Start: $network $local_fs
|
||||
# Required-Stop: $network $local_fs
|
||||
# Should-Start: $syslog
|
||||
# Should-Stop: $syslog
|
||||
# Short-Description: unbound recursive Domain Name Server.
|
||||
# Description: unbound is a Domain Name Server (DNS)
|
||||
# that is used to resolve host names to IP addresses.
|
||||
### END INIT INFO
|
||||
|
||||
# Source function library.
|
||||
. /etc/init.d/functions
|
||||
|
||||
exec="/usr/sbin/unbound"
|
||||
prog="unbound"
|
||||
config="/etc/unbound/unbound.conf"
|
||||
pidfile="/var/unbound/unbound.pid"
|
||||
rootdir="/var/unbound"
|
||||
|
||||
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
|
||||
|
||||
lockfile=/var/lock/subsys/$prog
|
||||
|
||||
start() {
|
||||
[ -x $exec ] || exit 5
|
||||
[ -f $config ] || exit 6
|
||||
echo -n $"Starting $prog: "
|
||||
|
||||
# setup root jail
|
||||
if [ -s /etc/localtime ]; then
|
||||
[ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ;
|
||||
if [ ! -e ${rootdir}/etc/localtime ] || ! /usr/bin/cmp -s /etc/localtime ${rootdir}/etc/localtime; then
|
||||
cp -fp /etc/localtime ${rootdir}/etc/localtime
|
||||
fi;
|
||||
fi;
|
||||
if [ -s /etc/resolv.conf ]; then
|
||||
[ -d ${rootdir}/etc ] || mkdir -p ${rootdir}/etc ;
|
||||
if [ ! -e ${rootdir}/etc/resolv.conf ] || ! /usr/bin/cmp -s /etc/resolv.conf ${rootdir}/etc/resolv.conf; then
|
||||
cp -fp /etc/resolv.conf ${rootdir}/etc/resolv.conf
|
||||
fi;
|
||||
fi;
|
||||
if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then
|
||||
[ -d ${rootdir}/dev ] || mkdir -p ${rootdir}/dev ;
|
||||
[ -e ${rootdir}/dev/log ] || touch ${rootdir}/dev/log
|
||||
mount --bind -n /dev/log ${rootdir}/dev/log >/dev/null 2>&1;
|
||||
fi;
|
||||
if ! egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then
|
||||
[ -d ${rootdir}/dev ] || mkdir -p ${rootdir}/dev ;
|
||||
[ -e ${rootdir}/dev/random ] || touch ${rootdir}/dev/random
|
||||
mount --bind -n /dev/random ${rootdir}/dev/random >/dev/null 2>&1;
|
||||
fi;
|
||||
|
||||
# if not running, start it up here
|
||||
daemonize $exec
|
||||
retval=$?
|
||||
echo
|
||||
[ $retval -eq 0 ] && touch $lockfile
|
||||
return $retval
|
||||
}
|
||||
|
||||
stop() {
|
||||
echo -n $"Stopping $prog: "
|
||||
# stop it here, often "killproc $prog"
|
||||
killproc $prog
|
||||
retval=$?
|
||||
echo
|
||||
[ $retval -eq 0 ] && rm -f $lockfile
|
||||
if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then
|
||||
umount ${rootdir}/dev/log >/dev/null 2>&1
|
||||
fi;
|
||||
if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then
|
||||
umount ${rootdir}/dev/random >/dev/null 2>&1
|
||||
fi;
|
||||
return $retval
|
||||
}
|
||||
|
||||
restart() {
|
||||
stop
|
||||
start
|
||||
}
|
||||
|
||||
reload() {
|
||||
kill -HUP `cat $pidfile`
|
||||
}
|
||||
|
||||
force_reload() {
|
||||
restart
|
||||
}
|
||||
|
||||
rh_status() {
|
||||
# run checks to determine if the service is running or use generic status
|
||||
status $prog
|
||||
}
|
||||
|
||||
rh_status_q() {
|
||||
rh_status -p $pidfile >/dev/null 2>&1
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
rh_status_q && exit 0
|
||||
$1
|
||||
;;
|
||||
stop)
|
||||
rh_status_q || exit 0
|
||||
$1
|
||||
;;
|
||||
restart)
|
||||
$1
|
||||
;;
|
||||
reload)
|
||||
rh_status_q || exit 7
|
||||
$1
|
||||
;;
|
||||
force-reload)
|
||||
force_reload
|
||||
;;
|
||||
status)
|
||||
rh_status
|
||||
;;
|
||||
condrestart|try-restart)
|
||||
rh_status_q || exit 0
|
||||
restart
|
||||
;;
|
||||
*)
|
||||
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
|
||||
exit 2
|
||||
esac
|
||||
exit $?
|
|
@ -109,6 +109,8 @@ parse_acl_access(const char* str, enum acl_access* control)
|
|||
*control = acl_allow_snoop;
|
||||
else if(strcmp(str, "allow_setrd") == 0)
|
||||
*control = acl_allow_setrd;
|
||||
else if (strcmp(str, "allow_cookie") == 0)
|
||||
*control = acl_allow_cookie;
|
||||
else {
|
||||
log_err("access control type %s unknown", str);
|
||||
return 0;
|
||||
|
|
|
@ -64,8 +64,12 @@ enum acl_access {
|
|||
acl_allow,
|
||||
/** allow full access for all queries, recursion and cache snooping */
|
||||
acl_allow_snoop,
|
||||
/** allow full access for recursion queries and set RD flag regardless of request */
|
||||
acl_allow_setrd
|
||||
/** allow full access for recursion queries and set RD flag regardless
|
||||
* of request */
|
||||
acl_allow_setrd,
|
||||
/** allow full access for recursion (+RD) queries if valid cookie
|
||||
* present or stateful transport */
|
||||
acl_allow_cookie
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
|
@ -166,8 +166,7 @@ dump_msg_ref(RES* ssl, struct ub_packed_rrset_key* k)
|
|||
|
||||
/** dump message entry */
|
||||
static int
|
||||
dump_msg(RES* ssl, struct query_info* k, struct reply_info* d,
|
||||
time_t now)
|
||||
dump_msg(RES* ssl, struct query_info* k, struct reply_info* d, time_t now)
|
||||
{
|
||||
size_t i;
|
||||
char* nm, *tp, *cl;
|
||||
|
@ -192,13 +191,15 @@ dump_msg(RES* ssl, struct query_info* k, struct reply_info* d,
|
|||
}
|
||||
|
||||
/* meta line */
|
||||
if(!ssl_printf(ssl, "msg %s %s %s %d %d " ARG_LL "d %d %u %u %u\n",
|
||||
if(!ssl_printf(ssl, "msg %s %s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n",
|
||||
nm, cl, tp,
|
||||
(int)d->flags, (int)d->qdcount,
|
||||
(long long)(d->ttl-now), (int)d->security,
|
||||
(unsigned)d->an_numrrsets,
|
||||
(unsigned)d->an_numrrsets,
|
||||
(unsigned)d->ns_numrrsets,
|
||||
(unsigned)d->ar_numrrsets)) {
|
||||
(unsigned)d->ar_numrrsets,
|
||||
(int)d->reason_bogus,
|
||||
d->reason_bogus_str?d->reason_bogus_str:"")) {
|
||||
free(nm);
|
||||
free(tp);
|
||||
free(cl);
|
||||
|
@ -633,6 +634,9 @@ load_msg(RES* ssl, sldns_buffer* buf, struct worker* worker)
|
|||
long long ttl;
|
||||
size_t i;
|
||||
int go_on = 1;
|
||||
int ede;
|
||||
int consumed = 0;
|
||||
char* ede_str = NULL;
|
||||
|
||||
regional_free_all(region);
|
||||
|
||||
|
@ -647,11 +651,16 @@ load_msg(RES* ssl, sldns_buffer* buf, struct worker* worker)
|
|||
}
|
||||
|
||||
/* read remainder of line */
|
||||
if(sscanf(s, " %u %u " ARG_LL "d %u %u %u %u", &flags, &qdcount, &ttl,
|
||||
&security, &an, &ns, &ar) != 7) {
|
||||
/* note the last space before any possible EDE text */
|
||||
if(sscanf(s, " %u %u " ARG_LL "d %u %u %u %u %d %n", &flags, &qdcount, &ttl,
|
||||
&security, &an, &ns, &ar, &ede, &consumed) != 8) {
|
||||
log_warn("error cannot parse numbers: %s", s);
|
||||
return 0;
|
||||
}
|
||||
/* there may be EDE text after the numbers */
|
||||
if(consumed > 0 && (size_t)consumed < strlen(s))
|
||||
ede_str = s + consumed;
|
||||
memset(&rep, 0, sizeof(rep));
|
||||
rep.flags = (uint16_t)flags;
|
||||
rep.qdcount = (uint16_t)qdcount;
|
||||
rep.ttl = (time_t)ttl;
|
||||
|
@ -666,6 +675,8 @@ load_msg(RES* ssl, sldns_buffer* buf, struct worker* worker)
|
|||
rep.ns_numrrsets = (size_t)ns;
|
||||
rep.ar_numrrsets = (size_t)ar;
|
||||
rep.rrset_count = (size_t)an+(size_t)ns+(size_t)ar;
|
||||
rep.reason_bogus = (sldns_ede_code)ede;
|
||||
rep.reason_bogus_str = ede_str?(char*)regional_strdup(region, ede_str):NULL;
|
||||
rep.rrsets = (struct ub_packed_rrset_key**)regional_alloc_zero(
|
||||
region, sizeof(struct ub_packed_rrset_key*)*rep.rrset_count);
|
||||
|
||||
|
@ -860,7 +871,8 @@ int print_deleg_lookup(RES* ssl, struct worker* worker, uint8_t* nm,
|
|||
/* go up? */
|
||||
if(iter_dp_is_useless(&qinfo, BIT_RD, dp,
|
||||
(worker->env.cfg->do_ip4 && worker->back->num_ip4 != 0),
|
||||
(worker->env.cfg->do_ip6 && worker->back->num_ip6 != 0))) {
|
||||
(worker->env.cfg->do_ip6 && worker->back->num_ip6 != 0),
|
||||
worker->env.cfg->do_nat64)) {
|
||||
print_dp_main(ssl, dp, msg);
|
||||
print_dp_details(ssl, worker, dp);
|
||||
if(!ssl_printf(ssl, "cache delegation was "
|
||||
|
|
|
@ -4,22 +4,22 @@
|
|||
* Copyright (c) 2008, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
|
@ -38,7 +38,7 @@
|
|||
*
|
||||
* This file contains the remote control functionality for the daemon.
|
||||
* The remote control can be performed using either the commandline
|
||||
* unbound-control tool, or a TLS capable web browser.
|
||||
* unbound-control tool, or a TLS capable web browser.
|
||||
* The channel is secured using TLSv1, and certificates.
|
||||
* Both the server and the client(control tool) have their own keys.
|
||||
*/
|
||||
|
@ -87,6 +87,7 @@
|
|||
#include "sldns/parseutil.h"
|
||||
#include "sldns/wire2str.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
#include "util/timeval_func.h"
|
||||
|
||||
#ifdef HAVE_SYS_TYPES_H
|
||||
# include <sys/types.h>
|
||||
|
@ -106,47 +107,6 @@
|
|||
/** what to put on statistics lines between var and value, ": " or "=" */
|
||||
#define SQ "="
|
||||
|
||||
/** subtract timers and the values do not overflow or become negative */
|
||||
static void
|
||||
timeval_subtract(struct timeval* d, const struct timeval* end,
|
||||
const struct timeval* start)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
time_t end_usec = end->tv_usec;
|
||||
d->tv_sec = end->tv_sec - start->tv_sec;
|
||||
if(end_usec < start->tv_usec) {
|
||||
end_usec += 1000000;
|
||||
d->tv_sec--;
|
||||
}
|
||||
d->tv_usec = end_usec - start->tv_usec;
|
||||
#endif
|
||||
}
|
||||
|
||||
/** divide sum of timers to get average */
|
||||
static void
|
||||
timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
size_t leftover;
|
||||
if(d <= 0) {
|
||||
avg->tv_sec = 0;
|
||||
avg->tv_usec = 0;
|
||||
return;
|
||||
}
|
||||
avg->tv_sec = sum->tv_sec / d;
|
||||
avg->tv_usec = sum->tv_usec / d;
|
||||
/* handle fraction from seconds divide */
|
||||
leftover = sum->tv_sec - avg->tv_sec*d;
|
||||
if(leftover <= 0)
|
||||
leftover = 0;
|
||||
avg->tv_usec += (((long long)leftover)*((long long)1000000))/d;
|
||||
if(avg->tv_sec < 0)
|
||||
avg->tv_sec = 0;
|
||||
if(avg->tv_usec < 0)
|
||||
avg->tv_usec = 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
static int
|
||||
remote_setup_ctx(struct daemon_remote* rc, struct config_file* cfg)
|
||||
{
|
||||
|
@ -201,7 +161,7 @@ remote_setup_ctx(struct daemon_remote* rc, struct config_file* cfg)
|
|||
struct daemon_remote*
|
||||
daemon_remote_create(struct config_file* cfg)
|
||||
{
|
||||
struct daemon_remote* rc = (struct daemon_remote*)calloc(1,
|
||||
struct daemon_remote* rc = (struct daemon_remote*)calloc(1,
|
||||
sizeof(*rc));
|
||||
if(!rc) {
|
||||
log_err("out of memory in daemon_remote_create");
|
||||
|
@ -410,7 +370,7 @@ accept_open(struct daemon_remote* rc, int fd)
|
|||
n->next = rc->accept_list;
|
||||
rc->accept_list = n;
|
||||
/* open commpt */
|
||||
n->com = comm_point_create_raw(rc->worker->base, fd, 0,
|
||||
n->com = comm_point_create_raw(rc->worker->base, fd, 0,
|
||||
&remote_accept_callback, rc);
|
||||
if(!n->com)
|
||||
return 0;
|
||||
|
@ -419,7 +379,7 @@ accept_open(struct daemon_remote* rc, int fd)
|
|||
return 1;
|
||||
}
|
||||
|
||||
int daemon_remote_open_accept(struct daemon_remote* rc,
|
||||
int daemon_remote_open_accept(struct daemon_remote* rc,
|
||||
struct listen_port* ports, struct worker* worker)
|
||||
{
|
||||
struct listen_port* p;
|
||||
|
@ -437,7 +397,7 @@ void daemon_remote_stop_accept(struct daemon_remote* rc)
|
|||
{
|
||||
struct listen_list* p;
|
||||
for(p=rc->accept_list; p; p=p->next) {
|
||||
comm_point_stop_listening(p->com);
|
||||
comm_point_stop_listening(p->com);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -445,11 +405,11 @@ void daemon_remote_start_accept(struct daemon_remote* rc)
|
|||
{
|
||||
struct listen_list* p;
|
||||
for(p=rc->accept_list; p; p=p->next) {
|
||||
comm_point_start_listening(p->com, -1, -1);
|
||||
comm_point_start_listening(p->com, -1, -1);
|
||||
}
|
||||
}
|
||||
|
||||
int remote_accept_callback(struct comm_point* c, void* arg, int err,
|
||||
int remote_accept_callback(struct comm_point* c, void* arg, int err,
|
||||
struct comm_reply* ATTR_UNUSED(rep))
|
||||
{
|
||||
struct daemon_remote* rc = (struct daemon_remote*)arg;
|
||||
|
@ -481,7 +441,7 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err,
|
|||
}
|
||||
n->fd = newfd;
|
||||
/* start in reading state */
|
||||
n->c = comm_point_create_raw(rc->worker->base, newfd, 0,
|
||||
n->c = comm_point_create_raw(rc->worker->base, newfd, 0,
|
||||
&remote_control_callback, n);
|
||||
if(!n->c) {
|
||||
log_err("out of memory");
|
||||
|
@ -521,7 +481,7 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err,
|
|||
rc->busy_list = n;
|
||||
rc->active ++;
|
||||
|
||||
/* perform the first nonblocking read already, for windows,
|
||||
/* perform the first nonblocking read already, for windows,
|
||||
* so it can return wouldblock. could be faster too. */
|
||||
(void)remote_control_callback(n->c, n, NETEVENT_NOERROR, NULL);
|
||||
return 0;
|
||||
|
@ -558,7 +518,7 @@ int
|
|||
ssl_print_text(RES* res, const char* text)
|
||||
{
|
||||
int r;
|
||||
if(!res)
|
||||
if(!res)
|
||||
return 0;
|
||||
if(res->ssl) {
|
||||
ERR_clear_error();
|
||||
|
@ -660,7 +620,7 @@ static char*
|
|||
skipwhite(char* str)
|
||||
{
|
||||
/* EOS \0 is not a space */
|
||||
while( isspace((unsigned char)*str) )
|
||||
while( isspace((unsigned char)*str) )
|
||||
str++;
|
||||
return str;
|
||||
}
|
||||
|
@ -708,20 +668,30 @@ static int
|
|||
print_stats(RES* ssl, const char* nm, struct ub_stats_info* s)
|
||||
{
|
||||
struct timeval sumwait, avg;
|
||||
if(!ssl_printf(ssl, "%s.num.queries"SQ"%lu\n", nm,
|
||||
if(!ssl_printf(ssl, "%s.num.queries"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_queries)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.queries_ip_ratelimited"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_queries_ip_ratelimited)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.cachehits"SQ"%lu\n", nm,
|
||||
(unsigned long)(s->svr.num_queries
|
||||
if(!ssl_printf(ssl, "%s.num.queries_cookie_valid"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_queries_cookie_valid)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.queries_cookie_client"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_queries_cookie_client)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.queries_cookie_invalid"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_queries_cookie_invalid)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.cachehits"SQ"%lu\n", nm,
|
||||
(unsigned long)(s->svr.num_queries
|
||||
- s->svr.num_queries_missed_cache))) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.cachemiss"SQ"%lu\n", nm,
|
||||
if(!ssl_printf(ssl, "%s.num.cachemiss"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_queries_missed_cache)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.prefetch"SQ"%lu\n", nm,
|
||||
if(!ssl_printf(ssl, "%s.num.prefetch"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_queries_prefetch)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.queries_timed_out"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.num_queries_timed_out)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.query.queue_time_us.max"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.max_query_time_us)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.expired"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.ans_expired)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.num.recursivereplies"SQ"%lu\n", nm,
|
||||
if(!ssl_printf(ssl, "%s.num.recursivereplies"SQ"%lu\n", nm,
|
||||
(unsigned long)s->mesh_replies_sent)) return 0;
|
||||
#ifdef USE_DNSCRYPT
|
||||
if(!ssl_printf(ssl, "%s.num.dnscrypt.crypted"SQ"%lu\n", nm,
|
||||
|
@ -755,7 +725,7 @@ print_stats(RES* ssl, const char* nm, struct ub_stats_info* s)
|
|||
timeval_divide(&avg, &sumwait, s->mesh_replies_sent);
|
||||
if(!ssl_printf(ssl, "%s.recursion.time.avg"SQ ARG_LL "d.%6.6d\n", nm,
|
||||
(long long)avg.tv_sec, (int)avg.tv_usec)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.recursion.time.median"SQ"%g\n", nm,
|
||||
if(!ssl_printf(ssl, "%s.recursion.time.median"SQ"%g\n", nm,
|
||||
s->mesh_time_median)) return 0;
|
||||
if(!ssl_printf(ssl, "%s.tcpusage"SQ"%lu\n", nm,
|
||||
(unsigned long)s->svr.tcp_accept_usage)) return 0;
|
||||
|
@ -780,7 +750,7 @@ print_longnum(RES* ssl, const char* desc, size_t x)
|
|||
/* more than a Gb */
|
||||
size_t front = x / (size_t)1000000;
|
||||
size_t back = x % (size_t)1000000;
|
||||
return ssl_printf(ssl, "%s%u%6.6u\n", desc,
|
||||
return ssl_printf(ssl, "%s%u%6.6u\n", desc,
|
||||
(unsigned)front, (unsigned)back);
|
||||
} else {
|
||||
return ssl_printf(ssl, "%s%lu\n", desc, (unsigned long)x);
|
||||
|
@ -880,11 +850,11 @@ print_uptime(RES* ssl, struct worker* worker, int reset)
|
|||
timeval_subtract(&dt, &now, &worker->daemon->time_last_stat);
|
||||
if(reset)
|
||||
worker->daemon->time_last_stat = now;
|
||||
if(!ssl_printf(ssl, "time.now"SQ ARG_LL "d.%6.6d\n",
|
||||
if(!ssl_printf(ssl, "time.now"SQ ARG_LL "d.%6.6d\n",
|
||||
(long long)now.tv_sec, (unsigned)now.tv_usec)) return 0;
|
||||
if(!ssl_printf(ssl, "time.up"SQ ARG_LL "d.%6.6d\n",
|
||||
if(!ssl_printf(ssl, "time.up"SQ ARG_LL "d.%6.6d\n",
|
||||
(long long)up.tv_sec, (unsigned)up.tv_usec)) return 0;
|
||||
if(!ssl_printf(ssl, "time.elapsed"SQ ARG_LL "d.%6.6d\n",
|
||||
if(!ssl_printf(ssl, "time.elapsed"SQ ARG_LL "d.%6.6d\n",
|
||||
(long long)dt.tv_sec, (unsigned)dt.tv_usec)) return 0;
|
||||
return 1;
|
||||
}
|
||||
|
@ -902,7 +872,7 @@ print_hist(RES* ssl, struct ub_stats_info* s)
|
|||
}
|
||||
timehist_import(hist, s->svr.hist, NUM_BUCKETS_HIST);
|
||||
for(i=0; i<hist->num; i++) {
|
||||
if(!ssl_printf(ssl,
|
||||
if(!ssl_printf(ssl,
|
||||
"histogram.%6.6d.%6.6d.to.%6.6d.%6.6d=%lu\n",
|
||||
(int)hist->buckets[i].lower.tv_sec,
|
||||
(int)hist->buckets[i].lower.tv_usec,
|
||||
|
@ -945,11 +915,11 @@ print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero)
|
|||
} else {
|
||||
snprintf(nm, sizeof(nm), "TYPE%d", i);
|
||||
}
|
||||
if(!ssl_printf(ssl, "num.query.type.%s"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.type.%s"SQ"%lu\n",
|
||||
nm, (unsigned long)s->svr.qtype[i])) return 0;
|
||||
}
|
||||
if(!inhibit_zero || s->svr.qtype_big) {
|
||||
if(!ssl_printf(ssl, "num.query.type.other"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.type.other"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qtype_big)) return 0;
|
||||
}
|
||||
/* CLASS */
|
||||
|
@ -962,11 +932,11 @@ print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero)
|
|||
} else {
|
||||
snprintf(nm, sizeof(nm), "CLASS%d", i);
|
||||
}
|
||||
if(!ssl_printf(ssl, "num.query.class.%s"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.class.%s"SQ"%lu\n",
|
||||
nm, (unsigned long)s->svr.qclass[i])) return 0;
|
||||
}
|
||||
if(!inhibit_zero || s->svr.qclass_big) {
|
||||
if(!ssl_printf(ssl, "num.query.class.other"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.class.other"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qclass_big)) return 0;
|
||||
}
|
||||
/* OPCODE */
|
||||
|
@ -979,44 +949,44 @@ print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero)
|
|||
} else {
|
||||
snprintf(nm, sizeof(nm), "OPCODE%d", i);
|
||||
}
|
||||
if(!ssl_printf(ssl, "num.query.opcode.%s"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.opcode.%s"SQ"%lu\n",
|
||||
nm, (unsigned long)s->svr.qopcode[i])) return 0;
|
||||
}
|
||||
/* transport */
|
||||
if(!ssl_printf(ssl, "num.query.tcp"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.tcp"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qtcp)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.tcpout"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.tcpout"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qtcp_outgoing)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.udpout"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qudp_outgoing)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.tls"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.tls"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qtls)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.tls.resume"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.tls.resume"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qtls_resume)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.ipv6"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.ipv6"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qipv6)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.https"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qhttps)) return 0;
|
||||
/* flags */
|
||||
if(!ssl_printf(ssl, "num.query.flags.QR"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.flags.QR"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qbit_QR)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.flags.AA"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.flags.AA"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qbit_AA)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.flags.TC"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.flags.TC"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qbit_TC)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.flags.RD"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.flags.RD"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qbit_RD)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.flags.RA"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.flags.RA"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qbit_RA)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.flags.Z"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.flags.Z"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qbit_Z)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.flags.AD"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.flags.AD"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qbit_AD)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.flags.CD"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.flags.CD"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qbit_CD)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.edns.present"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.edns.present"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qEDNS)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.edns.DO"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.edns.DO"SQ"%lu\n",
|
||||
(unsigned long)s->svr.qEDNS_DO)) return 0;
|
||||
|
||||
/* RCODE */
|
||||
|
@ -1030,31 +1000,31 @@ print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero)
|
|||
} else {
|
||||
snprintf(nm, sizeof(nm), "RCODE%d", i);
|
||||
}
|
||||
if(!ssl_printf(ssl, "num.answer.rcode.%s"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.answer.rcode.%s"SQ"%lu\n",
|
||||
nm, (unsigned long)s->svr.ans_rcode[i])) return 0;
|
||||
}
|
||||
if(!inhibit_zero || s->svr.ans_rcode_nodata) {
|
||||
if(!ssl_printf(ssl, "num.answer.rcode.nodata"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.answer.rcode.nodata"SQ"%lu\n",
|
||||
(unsigned long)s->svr.ans_rcode_nodata)) return 0;
|
||||
}
|
||||
/* iteration */
|
||||
if(!ssl_printf(ssl, "num.query.ratelimited"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.ratelimited"SQ"%lu\n",
|
||||
(unsigned long)s->svr.queries_ratelimited)) return 0;
|
||||
/* validation */
|
||||
if(!ssl_printf(ssl, "num.answer.secure"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.answer.secure"SQ"%lu\n",
|
||||
(unsigned long)s->svr.ans_secure)) return 0;
|
||||
if(!ssl_printf(ssl, "num.answer.bogus"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.answer.bogus"SQ"%lu\n",
|
||||
(unsigned long)s->svr.ans_bogus)) return 0;
|
||||
if(!ssl_printf(ssl, "num.rrset.bogus"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.rrset.bogus"SQ"%lu\n",
|
||||
(unsigned long)s->svr.rrset_bogus)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.aggressive.NOERROR"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.aggressive.NOERROR"SQ"%lu\n",
|
||||
(unsigned long)s->svr.num_neg_cache_noerror)) return 0;
|
||||
if(!ssl_printf(ssl, "num.query.aggressive.NXDOMAIN"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "num.query.aggressive.NXDOMAIN"SQ"%lu\n",
|
||||
(unsigned long)s->svr.num_neg_cache_nxdomain)) return 0;
|
||||
/* threat detection */
|
||||
if(!ssl_printf(ssl, "unwanted.queries"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "unwanted.queries"SQ"%lu\n",
|
||||
(unsigned long)s->svr.unwanted_queries)) return 0;
|
||||
if(!ssl_printf(ssl, "unwanted.replies"SQ"%lu\n",
|
||||
if(!ssl_printf(ssl, "unwanted.replies"SQ"%lu\n",
|
||||
(unsigned long)s->svr.unwanted_replies)) return 0;
|
||||
/* cache counts */
|
||||
if(!ssl_printf(ssl, "msg.cache.count"SQ"%u\n",
|
||||
|
@ -1065,6 +1035,11 @@ print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero)
|
|||
(unsigned)s->svr.infra_cache_count)) return 0;
|
||||
if(!ssl_printf(ssl, "key.cache.count"SQ"%u\n",
|
||||
(unsigned)s->svr.key_cache_count)) return 0;
|
||||
/* max collisions */
|
||||
if(!ssl_printf(ssl, "msg.cache.max_collisions"SQ"%u\n",
|
||||
(unsigned)s->svr.msg_cache_max_collisions)) return 0;
|
||||
if(!ssl_printf(ssl, "rrset.cache.max_collisions"SQ"%u\n",
|
||||
(unsigned)s->svr.rrset_cache_max_collisions)) return 0;
|
||||
/* applied RPZ actions */
|
||||
for(i=0; i<UB_STATS_RPZ_ACTION_NUM; i++) {
|
||||
if(i == RPZ_NO_OVERRIDE_ACTION)
|
||||
|
@ -1095,6 +1070,10 @@ print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero)
|
|||
if(!ssl_printf(ssl, "num.query.subnet_cache"SQ"%lu\n",
|
||||
(unsigned long)s->svr.num_query_subnet_cache)) return 0;
|
||||
#endif /* CLIENT_SUBNET */
|
||||
#ifdef USE_CACHEDB
|
||||
if(!ssl_printf(ssl, "num.query.cachedb"SQ"%lu\n",
|
||||
(unsigned long)s->svr.num_query_cachedb)) return 0;
|
||||
#endif /* USE_CACHEDB */
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -1119,7 +1098,7 @@ do_stats(RES* ssl, struct worker* worker, int reset)
|
|||
}
|
||||
/* print the thread statistics */
|
||||
total.mesh_time_median /= (double)daemon->num;
|
||||
if(!print_stats(ssl, "total", &total))
|
||||
if(!print_stats(ssl, "total", &total))
|
||||
return;
|
||||
if(!print_uptime(ssl, worker, reset))
|
||||
return;
|
||||
|
@ -1208,7 +1187,7 @@ perform_zone_add(RES* ssl, struct local_zones* zones, char* arg)
|
|||
return 0;
|
||||
}
|
||||
lock_rw_wrlock(&zones->lock);
|
||||
if((z=local_zones_find(zones, nm, nmlen,
|
||||
if((z=local_zones_find(zones, nm, nmlen,
|
||||
nmlabs, LDNS_RR_CLASS_IN))) {
|
||||
/* already present in tree */
|
||||
lock_rw_wrlock(&z->lock);
|
||||
|
@ -1218,7 +1197,7 @@ perform_zone_add(RES* ssl, struct local_zones* zones, char* arg)
|
|||
lock_rw_unlock(&zones->lock);
|
||||
return 1;
|
||||
}
|
||||
if(!local_zones_add_zone(zones, nm, nmlen,
|
||||
if(!local_zones_add_zone(zones, nm, nmlen,
|
||||
nmlabs, LDNS_RR_CLASS_IN, t)) {
|
||||
lock_rw_unlock(&zones->lock);
|
||||
ssl_printf(ssl, "error out of memory\n");
|
||||
|
@ -1267,7 +1246,7 @@ perform_zone_remove(RES* ssl, struct local_zones* zones, char* arg)
|
|||
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
|
||||
return 0;
|
||||
lock_rw_wrlock(&zones->lock);
|
||||
if((z=local_zones_find(zones, nm, nmlen,
|
||||
if((z=local_zones_find(zones, nm, nmlen,
|
||||
nmlabs, LDNS_RR_CLASS_IN))) {
|
||||
/* present in tree */
|
||||
local_zones_del_zone(zones, z);
|
||||
|
@ -1608,8 +1587,11 @@ do_flush_type(RES* ssl, struct worker* worker, char* arg)
|
|||
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
|
||||
return;
|
||||
t = sldns_get_rr_type_by_name(arg2);
|
||||
if(t == 0 && strcmp(arg2, "TYPE0") != 0) {
|
||||
return;
|
||||
}
|
||||
do_cache_remove(worker, nm, nmlen, t, LDNS_RR_CLASS_IN);
|
||||
|
||||
|
||||
free(nm);
|
||||
send_ok(ssl);
|
||||
}
|
||||
|
@ -1719,7 +1701,7 @@ zone_del_rrset(struct lruhash_entry* e, void* arg)
|
|||
struct del_info* inf = (struct del_info*)arg;
|
||||
struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key;
|
||||
if(dname_subdomain_c(k->rk.dname, inf->name)) {
|
||||
struct packed_rrset_data* d =
|
||||
struct packed_rrset_data* d =
|
||||
(struct packed_rrset_data*)e->data;
|
||||
if(d->ttl > inf->expired) {
|
||||
d->ttl = inf->expired;
|
||||
|
@ -1783,21 +1765,21 @@ do_flush_zone(RES* ssl, struct worker* worker, char* arg)
|
|||
inf.num_rrsets = 0;
|
||||
inf.num_msgs = 0;
|
||||
inf.num_keys = 0;
|
||||
slabhash_traverse(&worker->env.rrset_cache->table, 1,
|
||||
slabhash_traverse(&worker->env.rrset_cache->table, 1,
|
||||
&zone_del_rrset, &inf);
|
||||
|
||||
slabhash_traverse(worker->env.msg_cache, 1, &zone_del_msg, &inf);
|
||||
|
||||
/* and validator cache */
|
||||
if(worker->env.key_cache) {
|
||||
slabhash_traverse(worker->env.key_cache->slab, 1,
|
||||
slabhash_traverse(worker->env.key_cache->slab, 1,
|
||||
&zone_del_kcache, &inf);
|
||||
}
|
||||
|
||||
free(nm);
|
||||
|
||||
(void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages "
|
||||
"and %lu key entries\n", (unsigned long)inf.num_rrsets,
|
||||
"and %lu key entries\n", (unsigned long)inf.num_rrsets,
|
||||
(unsigned long)inf.num_msgs, (unsigned long)inf.num_keys);
|
||||
}
|
||||
|
||||
|
@ -1852,19 +1834,19 @@ do_flush_bogus(RES* ssl, struct worker* worker)
|
|||
inf.num_rrsets = 0;
|
||||
inf.num_msgs = 0;
|
||||
inf.num_keys = 0;
|
||||
slabhash_traverse(&worker->env.rrset_cache->table, 1,
|
||||
slabhash_traverse(&worker->env.rrset_cache->table, 1,
|
||||
&bogus_del_rrset, &inf);
|
||||
|
||||
slabhash_traverse(worker->env.msg_cache, 1, &bogus_del_msg, &inf);
|
||||
|
||||
/* and validator cache */
|
||||
if(worker->env.key_cache) {
|
||||
slabhash_traverse(worker->env.key_cache->slab, 1,
|
||||
slabhash_traverse(worker->env.key_cache->slab, 1,
|
||||
&bogus_del_kcache, &inf);
|
||||
}
|
||||
|
||||
(void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages "
|
||||
"and %lu key entries\n", (unsigned long)inf.num_rrsets,
|
||||
"and %lu key entries\n", (unsigned long)inf.num_rrsets,
|
||||
(unsigned long)inf.num_msgs, (unsigned long)inf.num_keys);
|
||||
}
|
||||
|
||||
|
@ -1927,19 +1909,19 @@ do_flush_negative(RES* ssl, struct worker* worker)
|
|||
inf.num_rrsets = 0;
|
||||
inf.num_msgs = 0;
|
||||
inf.num_keys = 0;
|
||||
slabhash_traverse(&worker->env.rrset_cache->table, 1,
|
||||
slabhash_traverse(&worker->env.rrset_cache->table, 1,
|
||||
&negative_del_rrset, &inf);
|
||||
|
||||
slabhash_traverse(worker->env.msg_cache, 1, &negative_del_msg, &inf);
|
||||
|
||||
/* and validator cache */
|
||||
if(worker->env.key_cache) {
|
||||
slabhash_traverse(worker->env.key_cache->slab, 1,
|
||||
slabhash_traverse(worker->env.key_cache->slab, 1,
|
||||
&negative_del_kcache, &inf);
|
||||
}
|
||||
|
||||
(void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages "
|
||||
"and %lu key entries\n", (unsigned long)inf.num_rrsets,
|
||||
"and %lu key entries\n", (unsigned long)inf.num_rrsets,
|
||||
(unsigned long)inf.num_msgs, (unsigned long)inf.num_keys);
|
||||
}
|
||||
|
||||
|
@ -1964,7 +1946,7 @@ do_flush_name(RES* ssl, struct worker* w, char* arg)
|
|||
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_NAPTR, LDNS_RR_CLASS_IN);
|
||||
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SVCB, LDNS_RR_CLASS_IN);
|
||||
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_HTTPS, LDNS_RR_CLASS_IN);
|
||||
|
||||
|
||||
free(nm);
|
||||
send_ok(ssl);
|
||||
}
|
||||
|
@ -2334,7 +2316,7 @@ do_status(RES* ssl, struct worker* worker)
|
|||
uptime = (time_t)time(NULL) - (time_t)worker->daemon->time_boot.tv_sec;
|
||||
if(!ssl_printf(ssl, "uptime: " ARG_LL "d seconds\n", (long long)uptime))
|
||||
return;
|
||||
if(!ssl_printf(ssl, "options:%s%s%s%s\n" ,
|
||||
if(!ssl_printf(ssl, "options:%s%s%s%s\n" ,
|
||||
(worker->daemon->reuseport?" reuseport":""),
|
||||
(worker->daemon->rc->accept_list?" control":""),
|
||||
(worker->daemon->rc->accept_list && worker->daemon->rc->use_cert?"(ssl)":""),
|
||||
|
@ -2348,7 +2330,7 @@ do_status(RES* ssl, struct worker* worker)
|
|||
|
||||
/** get age for the mesh state */
|
||||
static void
|
||||
get_mesh_age(struct mesh_state* m, char* buf, size_t len,
|
||||
get_mesh_age(struct mesh_state* m, char* buf, size_t len,
|
||||
struct module_env* env)
|
||||
{
|
||||
if(m->reply_list) {
|
||||
|
@ -2367,7 +2349,7 @@ get_mesh_age(struct mesh_state* m, char* buf, size_t len,
|
|||
|
||||
/** get status of a mesh state */
|
||||
static void
|
||||
get_mesh_status(struct mesh_area* mesh, struct mesh_state* m,
|
||||
get_mesh_status(struct mesh_area* mesh, struct mesh_state* m,
|
||||
char* buf, size_t len)
|
||||
{
|
||||
enum module_ext_state s = m->s.ext_state[m->s.curmod];
|
||||
|
@ -2389,7 +2371,7 @@ get_mesh_status(struct mesh_area* mesh, struct mesh_state* m,
|
|||
snprintf(buf, len, " ");
|
||||
l = strlen(buf);
|
||||
buf += l; len -= l;
|
||||
addr_to_str(&e->qsent->addr, e->qsent->addrlen,
|
||||
addr_to_str(&e->qsent->addr, e->qsent->addrlen,
|
||||
buf, len);
|
||||
l = strlen(buf);
|
||||
buf += l; len -= l;
|
||||
|
@ -2442,7 +2424,7 @@ do_dump_requestlist(RES* ssl, struct worker* worker)
|
|||
dname_str(m->s.qinfo.qname, buf);
|
||||
get_mesh_age(m, timebuf, sizeof(timebuf), &worker->env);
|
||||
get_mesh_status(mesh, m, statbuf, sizeof(statbuf));
|
||||
if(!ssl_printf(ssl, "%3d %4s %2s %s %s %s\n",
|
||||
if(!ssl_printf(ssl, "%3d %4s %2s %s %s %s\n",
|
||||
num, (t?t:"TYPE??"), (c?c:"CLASS??"), buf, timebuf,
|
||||
statbuf)) {
|
||||
free(t);
|
||||
|
@ -2632,7 +2614,7 @@ do_auth_zone_transfer(RES* ssl, struct worker* worker, char* arg)
|
|||
free(nm);
|
||||
send_ok(ssl);
|
||||
}
|
||||
|
||||
|
||||
/** do the set_option command */
|
||||
static void
|
||||
do_set_option(RES* ssl, struct worker* worker, char* arg)
|
||||
|
@ -2770,7 +2752,7 @@ do_list_local_zones(RES* ssl, struct local_zones* zones)
|
|||
RBTREE_FOR(z, struct local_zone*, &zones->ztree) {
|
||||
lock_rw_rdlock(&z->lock);
|
||||
dname_str(z->name, buf);
|
||||
if(!ssl_printf(ssl, "%s %s\n", buf,
|
||||
if(!ssl_printf(ssl, "%s %s\n", buf,
|
||||
local_zone_type2str(z->type))) {
|
||||
/* failure to print */
|
||||
lock_rw_unlock(&z->lock);
|
||||
|
@ -2999,7 +2981,7 @@ static void
|
|||
distribute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd)
|
||||
{
|
||||
int i;
|
||||
if(!cmd || !ssl)
|
||||
if(!cmd || !ssl)
|
||||
return;
|
||||
/* skip i=0 which is me */
|
||||
for(i=1; i<rc->worker->daemon->num; i++) {
|
||||
|
@ -3022,7 +3004,7 @@ cmdcmp(char* p, const char* cmd, size_t len)
|
|||
|
||||
/** execute a remote control command */
|
||||
static void
|
||||
execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd,
|
||||
execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd,
|
||||
struct worker* worker)
|
||||
{
|
||||
char* p = skipwhite(cmd);
|
||||
|
@ -3206,7 +3188,7 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd,
|
|||
}
|
||||
}
|
||||
|
||||
void
|
||||
void
|
||||
daemon_remote_exec(struct worker* worker)
|
||||
{
|
||||
/* read the cmd string */
|
||||
|
@ -3315,7 +3297,7 @@ remote_handshake_later(struct daemon_remote* rc, struct rc_state* s,
|
|||
return 0;
|
||||
}
|
||||
|
||||
int remote_control_callback(struct comm_point* c, void* arg, int err,
|
||||
int remote_control_callback(struct comm_point* c, void* arg, int err,
|
||||
struct comm_reply* ATTR_UNUSED(rep))
|
||||
{
|
||||
RES res;
|
||||
|
@ -3323,7 +3305,7 @@ int remote_control_callback(struct comm_point* c, void* arg, int err,
|
|||
struct daemon_remote* rc = s->rc;
|
||||
int r;
|
||||
if(err != NETEVENT_NOERROR) {
|
||||
if(err==NETEVENT_TIMEOUT)
|
||||
if(err==NETEVENT_TIMEOUT)
|
||||
log_err("remote control timed out");
|
||||
clean_point(rc, s);
|
||||
return 0;
|
||||
|
|
|
@ -46,7 +46,7 @@
|
|||
#ifndef DAEMON_REMOTE_H
|
||||
#define DAEMON_REMOTE_H
|
||||
#ifdef HAVE_OPENSSL_SSL_H
|
||||
#include "openssl/ssl.h"
|
||||
#include <openssl/ssl.h>
|
||||
#endif
|
||||
struct config_file;
|
||||
struct listen_list;
|
||||
|
|
|
@ -4,22 +4,22 @@
|
|||
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
|
@ -116,8 +116,8 @@ void server_stats_log(struct ub_server_stats* stats, struct worker* worker,
|
|||
log_info("server stats for thread %d: %u queries, "
|
||||
"%u answers from cache, %u recursions, %u prefetch, %u rejected by "
|
||||
"ip ratelimiting",
|
||||
threadnum, (unsigned)stats->num_queries,
|
||||
(unsigned)(stats->num_queries -
|
||||
threadnum, (unsigned)stats->num_queries,
|
||||
(unsigned)(stats->num_queries -
|
||||
stats->num_queries_missed_cache),
|
||||
(unsigned)stats->num_queries_missed_cache,
|
||||
(unsigned)stats->num_queries_prefetch,
|
||||
|
@ -279,7 +279,7 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
|
|||
s->svr.ans_rcode[i] += (long long)worker->env.mesh->ans_rcode[i];
|
||||
for(i=0; i<UB_STATS_RPZ_ACTION_NUM; i++)
|
||||
s->svr.rpz_action[i] += (long long)worker->env.mesh->rpz_action[i];
|
||||
timehist_export(worker->env.mesh->histogram, s->svr.hist,
|
||||
timehist_export(worker->env.mesh->histogram, s->svr.hist,
|
||||
NUM_BUCKETS_HIST);
|
||||
/* values from outside network */
|
||||
s->svr.unwanted_replies = (long long)worker->back->unwanted_replies;
|
||||
|
@ -293,8 +293,10 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
|
|||
s->svr.queries_ratelimited = (long long)get_queries_ratelimit(worker, reset);
|
||||
|
||||
/* get cache sizes */
|
||||
s->svr.msg_cache_count = (long long)count_slabhash_entries(worker->env.msg_cache);
|
||||
s->svr.rrset_cache_count = (long long)count_slabhash_entries(&worker->env.rrset_cache->table);
|
||||
get_slabhash_stats(worker->env.msg_cache,
|
||||
&s->svr.msg_cache_count, &s->svr.msg_cache_max_collisions);
|
||||
get_slabhash_stats(&worker->env.rrset_cache->table,
|
||||
&s->svr.rrset_cache_count, &s->svr.rrset_cache_max_collisions);
|
||||
s->svr.infra_cache_count = (long long)count_slabhash_entries(worker->env.infra_cache->hosts);
|
||||
if(worker->env.key_cache)
|
||||
s->svr.key_cache_count = (long long)count_slabhash_entries(worker->env.key_cache->slab);
|
||||
|
@ -354,6 +356,11 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
|
|||
s->svr.num_query_subnet = 0;
|
||||
s->svr.num_query_subnet_cache = 0;
|
||||
#endif
|
||||
#ifdef USE_CACHEDB
|
||||
s->svr.num_query_cachedb = (long long)worker->env.mesh->ans_cachedb;
|
||||
#else
|
||||
s->svr.num_query_cachedb = 0;
|
||||
#endif
|
||||
|
||||
/* get tcp accept usage */
|
||||
s->svr.tcp_accept_usage = 0;
|
||||
|
@ -419,7 +426,7 @@ void server_stats_reply(struct worker* worker, int reset)
|
|||
struct ub_stats_info s;
|
||||
server_stats_compile(worker, &s, reset);
|
||||
verbose(VERB_ALGO, "write stats replymsg");
|
||||
if(!tube_write_msg(worker->daemon->workers[0]->cmd,
|
||||
if(!tube_write_msg(worker->daemon->workers[0]->cmd,
|
||||
(uint8_t*)&s, sizeof(s), 0))
|
||||
fatal_exit("could not write stat values over cmd channel");
|
||||
}
|
||||
|
@ -428,8 +435,14 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
|
|||
{
|
||||
total->svr.num_queries += a->svr.num_queries;
|
||||
total->svr.num_queries_ip_ratelimited += a->svr.num_queries_ip_ratelimited;
|
||||
total->svr.num_queries_cookie_valid += a->svr.num_queries_cookie_valid;
|
||||
total->svr.num_queries_cookie_client += a->svr.num_queries_cookie_client;
|
||||
total->svr.num_queries_cookie_invalid += a->svr.num_queries_cookie_invalid;
|
||||
total->svr.num_queries_missed_cache += a->svr.num_queries_missed_cache;
|
||||
total->svr.num_queries_prefetch += a->svr.num_queries_prefetch;
|
||||
total->svr.num_queries_timed_out += a->svr.num_queries_timed_out;
|
||||
if (total->svr.max_query_time_us < a->svr.max_query_time_us)
|
||||
total->svr.max_query_time_us = a->svr.max_query_time_us;
|
||||
total->svr.sum_query_list_size += a->svr.sum_query_list_size;
|
||||
total->svr.ans_expired += a->svr.ans_expired;
|
||||
#ifdef USE_DNSCRYPT
|
||||
|
@ -471,6 +484,9 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
|
|||
total->svr.unwanted_replies += a->svr.unwanted_replies;
|
||||
total->svr.unwanted_queries += a->svr.unwanted_queries;
|
||||
total->svr.tcp_accept_usage += a->svr.tcp_accept_usage;
|
||||
#ifdef USE_CACHEDB
|
||||
total->svr.num_query_cachedb += a->svr.num_query_cachedb;
|
||||
#endif
|
||||
for(i=0; i<UB_STATS_QTYPE_NUM; i++)
|
||||
total->svr.qtype[i] += a->svr.qtype[i];
|
||||
for(i=0; i<UB_STATS_QCLASS_NUM; i++)
|
||||
|
@ -514,7 +530,7 @@ void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
|
|||
if(c->ssl != NULL) {
|
||||
stats->qtls++;
|
||||
#ifdef HAVE_SSL
|
||||
if(SSL_session_reused(c->ssl))
|
||||
if(SSL_session_reused(c->ssl))
|
||||
stats->qtls_resume++;
|
||||
#endif
|
||||
if(c->type == comm_http)
|
||||
|
@ -555,3 +571,16 @@ void server_stats_insrcode(struct ub_server_stats* stats, sldns_buffer* buf)
|
|||
stats->ans_rcode_nodata ++;
|
||||
}
|
||||
}
|
||||
|
||||
void server_stats_downstream_cookie(struct ub_server_stats* stats,
|
||||
struct edns_data* edns)
|
||||
{
|
||||
if(!(edns->edns_present && edns->cookie_present)) return;
|
||||
if(edns->cookie_valid) {
|
||||
stats->num_queries_cookie_valid++;
|
||||
} else if(edns->cookie_client) {
|
||||
stats->num_queries_cookie_client++;
|
||||
} else {
|
||||
stats->num_queries_cookie_invalid++;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -126,4 +126,11 @@ void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
|
|||
*/
|
||||
void server_stats_insrcode(struct ub_server_stats* stats, struct sldns_buffer* buf);
|
||||
|
||||
/**
|
||||
* Add DNS Cookie stats for this query
|
||||
* @param stats: the stats
|
||||
* @param edns: edns record
|
||||
*/
|
||||
void server_stats_downstream_cookie(struct ub_server_stats* stats,
|
||||
struct edns_data* edns);
|
||||
#endif /* DAEMON_STATS_H */
|
||||
|
|
File diff suppressed because it is too large
Load diff
|
@ -59,7 +59,7 @@
|
|||
******************************************************************************/
|
||||
|
||||
/**
|
||||
* This is the default DNS64 prefix that is used whent he dns64 module is listed
|
||||
* This is the default DNS64 prefix that is used when the dns64 module is listed
|
||||
* in module-config but when the dns64-prefix variable is not present.
|
||||
*/
|
||||
static const char DEFAULT_DNS64_PREFIX[] = "64:ff9b::/96";
|
||||
|
@ -841,7 +841,7 @@ dns64_adjust_a(int id, struct module_qstate* super, struct module_qstate* qstate
|
|||
cp = construct_reply_info_base(super->region, rep->flags, rep->qdcount,
|
||||
rep->ttl, rep->prefetch_ttl, rep->serve_expired_ttl,
|
||||
rep->an_numrrsets, rep->ns_numrrsets, rep->ar_numrrsets,
|
||||
rep->rrset_count, rep->security);
|
||||
rep->rrset_count, rep->security, LDNS_EDE_NONE);
|
||||
if(!cp)
|
||||
return;
|
||||
|
||||
|
|
|
@ -388,12 +388,15 @@ dt_msg_send_client_query(struct dt_env *env,
|
|||
struct sockaddr_storage *qsock,
|
||||
struct sockaddr_storage *rsock,
|
||||
enum comm_point_type cptype,
|
||||
sldns_buffer *qmsg)
|
||||
sldns_buffer *qmsg,
|
||||
struct timeval* tstamp)
|
||||
{
|
||||
struct dt_msg dm;
|
||||
struct timeval qtime;
|
||||
|
||||
gettimeofday(&qtime, NULL);
|
||||
if(tstamp)
|
||||
memcpy(&qtime, tstamp, sizeof(qtime));
|
||||
else gettimeofday(&qtime, NULL);
|
||||
|
||||
/* type */
|
||||
dt_msg_init(env, &dm, DNSTAP__MESSAGE__TYPE__CLIENT_QUERY);
|
||||
|
|
|
@ -126,13 +126,15 @@ dt_delete(struct dt_env *env);
|
|||
* @param rsock: local (service) address/port.
|
||||
* @param cptype: comm_udp or comm_tcp.
|
||||
* @param qmsg: query message.
|
||||
* @param tstamp: timestamp or NULL if none provided.
|
||||
*/
|
||||
void
|
||||
dt_msg_send_client_query(struct dt_env *env,
|
||||
struct sockaddr_storage *qsock,
|
||||
struct sockaddr_storage *rsock,
|
||||
enum comm_point_type cptype,
|
||||
struct sldns_buffer *qmsg);
|
||||
struct sldns_buffer *qmsg,
|
||||
struct timeval* tstamp);
|
||||
|
||||
/**
|
||||
* Create and send a new dnstap "Message" event of type CLIENT_RESPONSE.
|
||||
|
|
|
@ -61,6 +61,7 @@
|
|||
#include "services/listen_dnsport.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
#include "sldns/wire2str.h"
|
||||
#include "sldns/pkthdr.h"
|
||||
#ifdef USE_DNSTAP
|
||||
#include <protobuf-c/protobuf-c.h>
|
||||
#include "dnstap/dnstap.pb-c.h"
|
||||
|
@ -448,6 +449,7 @@ static char* q_of_msg(ProtobufCBinaryData message)
|
|||
char buf[300];
|
||||
/* header, name, type, class minimum to get the query tuple */
|
||||
if(message.len < 12 + 1 + 4 + 4) return NULL;
|
||||
if(LDNS_QDCOUNT(message.data) < 1) return NULL;
|
||||
if(sldns_wire2str_rrquestion_buf(message.data+12, message.len-12,
|
||||
buf, sizeof(buf)) != 0) {
|
||||
/* remove trailing newline, tabs to spaces */
|
||||
|
@ -502,7 +504,7 @@ static char* tv_to_str(protobuf_c_boolean has_time_sec, uint64_t time_sec,
|
|||
time_t time_t_sec;
|
||||
memset(&tv, 0, sizeof(tv));
|
||||
if(has_time_sec) tv.tv_sec = time_sec;
|
||||
if(has_time_nsec) tv.tv_usec = time_nsec;
|
||||
if(has_time_nsec) tv.tv_usec = time_nsec/1000;
|
||||
|
||||
buf[0]=0;
|
||||
time_t_sec = tv.tv_sec;
|
||||
|
@ -789,7 +791,7 @@ static int reply_with_accept(struct tap_data* data)
|
|||
|
||||
/** reply with FINISH control frame to bidirectional client,
|
||||
* returns 0 on error */
|
||||
static int reply_with_finish(int fd)
|
||||
static int reply_with_finish(struct tap_data* data)
|
||||
{
|
||||
#ifdef USE_DNSTAP
|
||||
size_t len = 0;
|
||||
|
@ -799,21 +801,34 @@ static int reply_with_finish(int fd)
|
|||
return 0;
|
||||
}
|
||||
|
||||
fd_set_block(fd);
|
||||
if(send(fd, finishframe, len, 0) == -1) {
|
||||
log_err("send failed: %s", sock_strerror(errno));
|
||||
fd_set_nonblock(fd);
|
||||
free(finishframe);
|
||||
return 0;
|
||||
fd_set_block(data->fd);
|
||||
if(data->ssl) {
|
||||
int r;
|
||||
if((r=SSL_write(data->ssl, finishframe, len)) <= 0) {
|
||||
if(SSL_get_error(data->ssl, r) == SSL_ERROR_ZERO_RETURN)
|
||||
log_err("SSL_write, peer closed connection");
|
||||
else
|
||||
log_err("could not SSL_write");
|
||||
fd_set_nonblock(data->fd);
|
||||
free(finishframe);
|
||||
return 0;
|
||||
}
|
||||
} else {
|
||||
if(send(data->fd, finishframe, len, 0) == -1) {
|
||||
log_err("send failed: %s", sock_strerror(errno));
|
||||
fd_set_nonblock(data->fd);
|
||||
free(finishframe);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
if(verbosity) log_info("sent control frame(finish)");
|
||||
|
||||
fd_set_nonblock(fd);
|
||||
fd_set_nonblock(data->fd);
|
||||
free(finishframe);
|
||||
return 1;
|
||||
#else
|
||||
log_err("no dnstap compiled, no reply");
|
||||
(void)fd;
|
||||
(void)data;
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
@ -933,7 +948,7 @@ static int tap_handshake(struct tap_data* data)
|
|||
#endif /* HAVE_SSL */
|
||||
|
||||
/** callback for dnstap listener */
|
||||
void dtio_tap_callback(int fd, short ATTR_UNUSED(bits), void* arg)
|
||||
void dtio_tap_callback(int ATTR_UNUSED(fd), short ATTR_UNUSED(bits), void* arg)
|
||||
{
|
||||
struct tap_data* data = (struct tap_data*)arg;
|
||||
if(verbosity>=3) log_info("tap callback");
|
||||
|
@ -1016,7 +1031,7 @@ void dtio_tap_callback(int fd, short ATTR_UNUSED(bits), void* arg)
|
|||
}
|
||||
} else if(data->len >= 4 && sldns_read_uint32(data->frame) ==
|
||||
FSTRM_CONTROL_FRAME_STOP && data->is_bidirectional) {
|
||||
if(!reply_with_finish(fd)) {
|
||||
if(!reply_with_finish(data)) {
|
||||
tap_data_free(data);
|
||||
return;
|
||||
}
|
||||
|
|
|
@ -1,3 +1,326 @@
|
|||
25 August 2023: Wouter
|
||||
- Fix compile error on NetBSD in util/netevent.h.
|
||||
|
||||
23 August 2023: Wouter
|
||||
- Tag for 1.18.0rc1 release.
|
||||
|
||||
22 August 2023: Wouter
|
||||
- Set version number to 1.18.0.
|
||||
|
||||
21 August 2023: Wouter
|
||||
- Debug Windows ci workflow.
|
||||
- Fix windows ci workflow to install bison and flex.
|
||||
- Fix for #925: unbound.service: Main process exited, code=killed,
|
||||
status=11/SEGV. Fixes cachedb configuration handling.
|
||||
- Fix #923: processQueryResponse() THROWAWAY should be mindful of
|
||||
fail_reply.
|
||||
- Fix unit test for unbound-control to work when threads are disabled,
|
||||
and fix cache dump check.
|
||||
|
||||
18 August 2023: Wouter
|
||||
- Fix for iter_dec_attempts that could cause a hang, part of
|
||||
capsforid and qname minimisation, depending on the settings.
|
||||
- Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
|
||||
- Fix stat_values test to work with dig that enables DNS cookies.
|
||||
|
||||
17 August 2023: Wouter
|
||||
- Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and
|
||||
RFC9018. Create server cookies for clients that send client cookies.
|
||||
This needs to be explicitly turned on in the config file with:
|
||||
`answer-cookie: yes`. A `cookie-secret:` can be configured for
|
||||
anycast setups. Without one, a random cookie secret is generated.
|
||||
The acl option `allow_cookie` allows queries with either a valid
|
||||
cookie or over a stateful transport. The statistics output has
|
||||
`queries_cookie_valid` and `queries_cookie_client` and
|
||||
`queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:`
|
||||
value determines a rate limit for queries with cookies, if desired.
|
||||
- Fix regional_alloc_init for potential unaligned source of the copy.
|
||||
- Fix ip_ratelimit test to work with dig that enables DNS cookies.
|
||||
|
||||
2 August 2023: George
|
||||
- Move a cache reply callback in worker.c closer to the cache reply
|
||||
generation.
|
||||
|
||||
1 August 2023: George
|
||||
- Merge #911 from natalie-reece: Exclude EDE before other EDNS options
|
||||
when there isn't enough space.
|
||||
- For #911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options
|
||||
altogether) before giving up on attaching EDE options.
|
||||
- More braces and formatting for Fix for EDNS EDE size calculation to
|
||||
avoid future bugs.
|
||||
- Fix to use the now cached EDE, if any, for CD_bit queries.
|
||||
|
||||
1 August 2023: Wouter
|
||||
- Fix for EDNS EDE size calculation.
|
||||
|
||||
31 July 2023: George
|
||||
- Merge #790 from Tom Carpay: Add support for EDE caching in cachedb
|
||||
and subnetcache.
|
||||
|
||||
31 July 2023: Wouter
|
||||
- iana portlist update.
|
||||
|
||||
30 July 2023: George
|
||||
- Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.
|
||||
|
||||
28 July 2023: George
|
||||
- Fix unused variable compile warning for kernel timestamps in
|
||||
netevent.c
|
||||
|
||||
21 July 2023: George
|
||||
- Merge #857 from eaglegai: fix potential memory leaks when errors
|
||||
happen.
|
||||
- For #857: fix mixed declarations and code.
|
||||
- Merge #118 from mibere: Changed verbosity level for Redis init &
|
||||
deinit.
|
||||
- Merge #390 from Frank Riley: Add missing callbacks to the python
|
||||
module.
|
||||
- Cleaner failure code for callback functions in interface.i.
|
||||
- Merge #889 from borisVanhoof: Free memory in error case + remove
|
||||
unused function.
|
||||
- For #889: use netcat-openbsd instead of netcat-traditional.
|
||||
- For #889: Account for num_detached_states before possible
|
||||
mesh_state_delete when erroring out.
|
||||
|
||||
20 July 2023: George
|
||||
- Merge #909 from headshog: Numeric truncation when parsing TYPEXX and
|
||||
CLASSXX representation.
|
||||
- For #909: Fix return values.
|
||||
- Merge #901 from Sergei Trofimovich: config: improve handling of
|
||||
unknown modules.
|
||||
|
||||
20 July 2023: Wouter
|
||||
- For #909: Fix RR class comparison.
|
||||
|
||||
14 July 2023: George
|
||||
- More clear description of the different auth-zone behaviors on the
|
||||
man page.
|
||||
|
||||
13 July 2023: George
|
||||
- Merge #880 from chipitsine: services/authzone.c: remove redundant
|
||||
check.
|
||||
|
||||
11 July 2023: George
|
||||
- Merge #664 from tilan7763: Add prefetch support for subnet cache
|
||||
entries.
|
||||
- For #664: Easier code flow for subnetcache prefetching.
|
||||
- For #664: Add testcase.
|
||||
- For #664: Rename subnet_prefetch tests to subnet_global_prefetch to
|
||||
differentiate from the new subnet prefetch support.
|
||||
|
||||
3 July 2023: George
|
||||
- Merge #739: Add SVCB dohpath support.
|
||||
- Code cleanup for sldns_str2wire_svcparam_key_lookup.
|
||||
- Merge #802: add validation EDEs to queries where the CD bit is set.
|
||||
- For #802: Cleanup comments and add RCODE check for CD bit test case.
|
||||
- Skip the 00-lint test. splint is not maintained; it either does not
|
||||
work or produces false positives. Static analysis is handled in the
|
||||
clang test.
|
||||
|
||||
3 July 2023: Wouter
|
||||
- Fix #906: warning: ‘Py_SetProgramName’ is deprecated.
|
||||
- Fix dereference of NULL variable warning in mesh_do_callback.
|
||||
|
||||
29 June 2023: George
|
||||
- More fixes for reference counting for python module and clean up
|
||||
failure code.
|
||||
- Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading
|
||||
which causes memory leaks.
|
||||
|
||||
29 June 2023: Wouter
|
||||
- Fix python modules with multiple scripts, by incrementing reference
|
||||
counts.
|
||||
|
||||
27 June 2023: George
|
||||
- Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as
|
||||
a new statistical counter.
|
||||
- Remove warning about unknown cast-function-type warning pragma.
|
||||
|
||||
22 June 2023: Wouter
|
||||
- Merge #903: contrib: add yocto compatible init script.
|
||||
|
||||
15 June 2023: Philip
|
||||
- Fix for issue #887 (Timeouts to forward servers on BSD based
|
||||
system with ASLR)
|
||||
- Probably fixes #516 (Stream reuse does not work on Windows) as well
|
||||
|
||||
14 June 2023: George
|
||||
- Properly handle all return values of worker_check_request during
|
||||
early EDE code.
|
||||
- Do not check the incoming request more than once.
|
||||
|
||||
12 June 2023: Wouter
|
||||
- Merge #896: Fix: #895: pythonmodule: add all site-packages
|
||||
directories to sys.path.
|
||||
- Fix #895: python + sysconfig gives ANOTHER path comparing to
|
||||
distutils.
|
||||
- Fix for uncertain unit test for doh buffer size events.
|
||||
|
||||
25 May 2023: Wouter
|
||||
- Fix unbound-dnstap-socket printout when no query is present.
|
||||
- Fix unbound-dnstap-socket time fraction conversion for printout.
|
||||
|
||||
19 May 2023: Wouter
|
||||
- Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
|
||||
- Fix to remove unused variables from RPZ clientip data structure.
|
||||
|
||||
16 May 2023: Wouter
|
||||
- Fix #888: [FR] Use kernel timestamps for dnstap.
|
||||
- Fix to print debug log for ancillary data with correct IP address.
|
||||
|
||||
11 May 2023: Wouter
|
||||
- Fix warning in windows compile, in set_recvtimestamp.
|
||||
|
||||
4 May 2023: Wouter
|
||||
- Fix #885: Error: util/configlexer.c: No such file or directory,
|
||||
adds error messages explaining to install flex and bison.
|
||||
- Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
|
||||
- Fix doxygen in addr_to_nat64 header definition.
|
||||
|
||||
1 May 2023: George
|
||||
- Merge #722 from David 'eqvinox' Lamparter: NAT64 support.
|
||||
- For #722: minor fixes, formatting, refactoring.
|
||||
|
||||
1 May 2023: Wouter
|
||||
- Fix RPZ IP responses with trigger rpz-drop on cache entries, that
|
||||
they are dropped.
|
||||
|
||||
26 April 2023: Philip
|
||||
- Fix issue #860: Bad interaction with 0 TTL records and serve-expired
|
||||
|
||||
26 April 2023: Wouter
|
||||
- Merge #882 from vvfedorenko: Features/dropqueuedpackets, with
|
||||
sock-queue-timeout option that drops packets that have been in the
|
||||
socket queue for too long. Added statistics num.queries_timed_out
|
||||
and query.queue_time_us.max that track the socket queue timeouts.
|
||||
- Fix for #882: small changes, date updated in Copyright for
|
||||
util/timeval_func.c and util/timeval_func.h. Man page entries and
|
||||
example entry.
|
||||
- Fix for #882: document variable to stop doxygen warning.
|
||||
|
||||
19 April 2023: Wouter
|
||||
- Fix for #878: Invalid IP address in unbound.conf causes Segmentation
|
||||
Fault on OpenBSD.
|
||||
|
||||
14 April 2023: Wouter
|
||||
- Merge #875: change obsolete txt URL in unbound-anchor.c to point
|
||||
to RFC 7958, and Fix #874.
|
||||
|
||||
13 April 2023: Wouter
|
||||
- Fix build badge, from failing travis link to github ci action link.
|
||||
|
||||
6 April 2023: Wouter
|
||||
- Fix for #870: Add test case for the qname minimisation and CNAME.
|
||||
|
||||
4 April 2023: Wouter
|
||||
- Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing
|
||||
CNAME record.
|
||||
|
||||
24 March 2023: Philip
|
||||
- Fix issue #676: Unencrypted query is sent when
|
||||
forward-tls-upstream: yes is used without tls-cert-bundle
|
||||
- Extra consistency check to make sure that when TLS is requested,
|
||||
either we set up a TLS connection or we return an error.
|
||||
|
||||
21 March 2023: Philip
|
||||
- Fix issue #851: reserved identifier violation
|
||||
|
||||
20 March 2023: Wouter
|
||||
- iana portlist update.
|
||||
|
||||
17 March 2023: George
|
||||
- Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option
|
||||
to ignore the unexpected eof while reading in openssl >= 3.
|
||||
|
||||
16 March 2023: Wouter
|
||||
- Fix ssl.h include brackets, instead of quotes.
|
||||
|
||||
14 March 2023: Wouter
|
||||
- Fix unbound-dnstap-socket test program to reply the finish frame
|
||||
over a TLS connection correctly.
|
||||
|
||||
23 February 2023: Wouter
|
||||
- Fix for #852: Completion of error handling.
|
||||
|
||||
21 February 2023: Philip
|
||||
- Fix #825: Unexpected behavior with client-subnet-always-forward
|
||||
and serve-expired
|
||||
|
||||
10 February 2023: George
|
||||
- Clean up iterator/iterator.c::error_response_cache() and allow for
|
||||
better interaction with serve-expired, prefetch and cached error
|
||||
responses.
|
||||
|
||||
9 February 2023: George
|
||||
- Allow TTL refresh of expired error responses.
|
||||
- Add testcase for refreshing expired error responses.
|
||||
|
||||
9 February 2023: Wouter
|
||||
- Fix to ignore entirely empty responses, and try at another authority.
|
||||
This turns completely empty responses, a type of noerror/nodata into
|
||||
a servfail, but they do not conform to RFC2308, and the retry can
|
||||
fetch improved content.
|
||||
- Fix unit tests for spurious empty messages.
|
||||
- Fix consistency of unit test without roundrobin answers for the
|
||||
cnametooptout unit test.
|
||||
- Fix to git ignore the library symbol file that configure can create.
|
||||
|
||||
8 February 2023: Wouter
|
||||
- Fix #841: Unbound won't build with aaaa-filter-iterator.patch.
|
||||
|
||||
30 January 2023: George
|
||||
- Add duration variable for speed_local.test.
|
||||
|
||||
26 January 2023: Wouter
|
||||
- Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
|
||||
|
||||
23 January 2023: George
|
||||
- Fix #833: [FR] Ability to set the Redis password.
|
||||
|
||||
23 January 2023: Wouter
|
||||
- Fix #835: [FR] Ability to use Redis unix sockets.
|
||||
|
||||
20 January 2023: Wouter
|
||||
- Merge #819: Added new static zone type block_a to suppress all A
|
||||
queries for specific zones.
|
||||
|
||||
19 January 2023: Wouter
|
||||
- Set max-udp-size default to 1232. This is the same default value as
|
||||
the default value for edns-buffer-size. It restricts client edns
|
||||
buffer size choices, and makes unbound behave similar to other DNS
|
||||
resolvers. The new choice, down from 4096 means it is harder to get
|
||||
large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
|
||||
Tsinghua University.
|
||||
- Add harden-unknown-additional option. It removes
|
||||
unknown records from the authority section and additional section.
|
||||
Thanks to Xiang Li, from NISL Lab, Tsinghua University.
|
||||
- Set default for harden-unknown-additional to no. So that it does
|
||||
not hamper future protocol developments.
|
||||
- Fix test for new default.
|
||||
|
||||
18 January 2023: Wouter
|
||||
- Fix not following cleared RD flags potentially enables amplification
|
||||
DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
|
||||
Tsinghua University. The fix stops query loops, by refusing to send
|
||||
RD=0 queries to a forwarder, they still get answered from cache.
|
||||
|
||||
13 January 2023: Wouter
|
||||
- Merge #826: Аdd a metric about the maximum number of collisions in
|
||||
lrushah.
|
||||
- Improve documentation for #826, describe the large collisions amount.
|
||||
|
||||
9 January 2023: Wouter
|
||||
- Fix python module install path detection.
|
||||
- Fix python version detection in configure.
|
||||
|
||||
6 January 2023: Wouter
|
||||
- Fix #823: Response change to NODATA for some ANY queries since
|
||||
1.12, tested on 1.16.1.
|
||||
- Fix wildcard in hyperlocal zone service degradation, reported
|
||||
by Sergey Kacheev. This fix is included in 1.17.1rc2.
|
||||
That became 1.17.1 on 12 Jan 2023, the code repo continues
|
||||
with 1.17.2. 1.17.1 excludes fix #823, it is included forwards.
|
||||
|
||||
5 January 2023: Wouter
|
||||
- Tag for 1.17.1 release.
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
README for Unbound 1.17.1
|
||||
README for Unbound 1.18.0
|
||||
Copyright 2007 NLnet Labs
|
||||
http://unbound.net
|
||||
|
||||
|
|
|
@ -28,3 +28,23 @@ prefix. For example:
|
|||
;; ANSWER SECTION:
|
||||
jazz-v4.viagenie.ca. 86400 IN AAAA 64:ff9b::ce7b:1f02
|
||||
|
||||
|
||||
NAT64 support was added by David Lamparter in 2022; license(s) of the
|
||||
surrounding code apply. Note that NAT64 is closely related but functionally
|
||||
orthogonal to DNS64; it allows Unbound to send outgoing queries to IPv4-only
|
||||
servers over IPv6 through the configured NAT64 prefix. This allows running
|
||||
an Unbound instance on an IPv6-only host without breaking every single domain
|
||||
that only has IPv4 servers. Whether that Unbound instance also does DNS64 is
|
||||
an independent choice.
|
||||
|
||||
To enable NAT64 in Unbound, add to unbound.conf's "server" section:
|
||||
|
||||
do-nat64: yes
|
||||
|
||||
The NAT64 prefix defaults to the DNS64 prefix, which in turn defaults to the
|
||||
standard 64:FF9B::/96 prefix. You can reconfigure it with:
|
||||
|
||||
nat64-prefix: 64:FF9B::/96
|
||||
|
||||
To test NAT64 operation, pick a domain that only has IPv4 reachability for its
|
||||
nameservers and try resolving any names in that domain.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.17.1.
|
||||
# See unbound.conf(5) man page, version 1.18.0.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
|
@ -143,8 +143,8 @@ server:
|
|||
# edns-buffer-size: 1232
|
||||
|
||||
# Maximum UDP response size (not applied to TCP response).
|
||||
# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
|
||||
# max-udp-size: 4096
|
||||
# Suggested values are 512 to 4096. Default is 1232. 65536 disables it.
|
||||
# max-udp-size: 1232
|
||||
|
||||
# max memory to use for stream(tcp and tls) waiting result buffers.
|
||||
# stream-wait-size: 4m
|
||||
|
@ -243,6 +243,18 @@ server:
|
|||
# Enable IPv6, "yes" or "no".
|
||||
# do-ip6: yes
|
||||
|
||||
# If running unbound on an IPv6-only host, domains that only have
|
||||
# IPv4 servers would become unresolveable. If NAT64 is available in
|
||||
# the network, unbound can use NAT64 to reach these servers with
|
||||
# the following option. This is NOT needed for enabling DNS64 on a
|
||||
# system that has IPv4 connectivity.
|
||||
# Consider also enabling prefer-ip6 to prefer native IPv6 connections
|
||||
# to nameservers.
|
||||
# do-nat64: no
|
||||
|
||||
# NAT64 prefix. Defaults to using dns64-prefix value.
|
||||
# nat64-prefix: 64:ff9b::0/96
|
||||
|
||||
# Enable UDP, "yes" or "no".
|
||||
# do-udp: yes
|
||||
|
||||
|
@ -274,6 +286,10 @@ server:
|
|||
# Timeout for EDNS TCP keepalive, in msec.
|
||||
# edns-tcp-keepalive-timeout: 120000
|
||||
|
||||
# UDP queries that have waited in the socket buffer for a long time
|
||||
# can be dropped. Default is 0, disabled. In seconds, such as 3.
|
||||
# sock-queue-timeout: 0
|
||||
|
||||
# Use systemd socket activation for UDP, TCP, and control sockets.
|
||||
# use-systemd: no
|
||||
|
||||
|
@ -503,6 +519,10 @@ server:
|
|||
# to validate the zone.
|
||||
# harden-algo-downgrade: no
|
||||
|
||||
# Harden against unknown records in the authority section and the
|
||||
# additional section.
|
||||
# harden-unknown-additional: no
|
||||
|
||||
# Sent minimum amount of information to upstream servers to enhance
|
||||
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
|
||||
# to A when possible.
|
||||
|
@ -810,6 +830,8 @@ server:
|
|||
# o always_transparent, always_refuse, always_nxdomain, always_nodata,
|
||||
# always_deny resolve in that way but ignore local data for
|
||||
# that name
|
||||
# o block_a resolves all records normally but returns
|
||||
# NODATA for A queries and ignores local data for that name
|
||||
# o always_null returns 0.0.0.0 or ::0 for any name in the zone.
|
||||
# o noview breaks out of that view towards global local-zones.
|
||||
#
|
||||
|
@ -1206,6 +1228,10 @@ remote-control:
|
|||
# redis-server-host: 127.0.0.1
|
||||
# # redis server's TCP port
|
||||
# redis-server-port: 6379
|
||||
# # if the server uses a unix socket, set its path, or "" when not used.
|
||||
# # redis-server-path: "/var/lib/redis/redis-server.sock"
|
||||
# # if the server uses an AUTH password, specify here, or "" when not used.
|
||||
# # redis-server-password: ""
|
||||
# # timeout (in ms) for communication with the redis server
|
||||
# redis-timeout: 100
|
||||
# # set timeout on redis records based on DNS response TTL
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "libunbound" "3" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
|
||||
.TH "libunbound" "3" "Aug 30, 2023" "NLnet Labs" "unbound 1.18.0"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
|
@ -44,7 +44,7 @@
|
|||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.17.1 functions.
|
||||
\- Unbound DNS validating resolver 1.18.0 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "unbound-anchor" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
|
||||
.TH "unbound-anchor" "8" "Aug 30, 2023" "NLnet Labs" "unbound 1.18.0"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "unbound-checkconf" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
|
||||
.TH "unbound-checkconf" "8" "Aug 30, 2023" "NLnet Labs" "unbound 1.18.0"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "unbound-control" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
|
||||
.TH "unbound-control" "8" "Aug 30, 2023" "NLnet Labs" "unbound 1.18.0"
|
||||
.\"
|
||||
.\" unbound-control.8 -- unbound remote control manual
|
||||
.\"
|
||||
|
@ -369,6 +369,15 @@ number of queries received by thread
|
|||
.I threadX.num.queries_ip_ratelimited
|
||||
number of queries rate limited by thread
|
||||
.TP
|
||||
.I threadX.num.queries_cookie_valid
|
||||
number of queries with a valid DNS Cookie by thread
|
||||
.TP
|
||||
.I threadX.num.queries_cookie_client
|
||||
number of queries with a client part only DNS Cookie by thread
|
||||
.TP
|
||||
.I threadX.num.queries_cookie_invalid
|
||||
number of queries with an invalid DNS Cookie by thread
|
||||
.TP
|
||||
.I threadX.num.cachehits
|
||||
number of queries that were successfully answered using a cache lookup
|
||||
.TP
|
||||
|
@ -398,6 +407,14 @@ as a cache response was sent.
|
|||
.I threadX.num.expired
|
||||
number of replies that served an expired cache entry.
|
||||
.TP
|
||||
.I threadX.num.queries_timed_out
|
||||
number of queries that are dropped because they waited in the UDP socket buffer
|
||||
for too long.
|
||||
.TP
|
||||
.I threadX.query.queue_time_us.max
|
||||
The maximum wait time for packets in the socket buffer, in microseconds. This
|
||||
is only reported when sock-queue-timeout is enabled.
|
||||
.TP
|
||||
.I threadX.num.recursivereplies
|
||||
The number of replies sent to queries that needed recursive processing. Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries.
|
||||
.TP
|
||||
|
@ -438,6 +455,18 @@ buffers are full.
|
|||
.I total.num.queries
|
||||
summed over threads.
|
||||
.TP
|
||||
.I total.num.queries_ip_ratelimited
|
||||
summed over threads.
|
||||
.TP
|
||||
.I total.num.queries_cookie_valid
|
||||
summed over threads.
|
||||
.TP
|
||||
.I total.num.queries_cookie_client
|
||||
summed over threads.
|
||||
.TP
|
||||
.I total.num.queries_cookie_invalid
|
||||
summed over threads.
|
||||
.TP
|
||||
.I total.num.cachehits
|
||||
summed over threads.
|
||||
.TP
|
||||
|
@ -462,6 +491,12 @@ summed over threads.
|
|||
.I total.num.expired
|
||||
summed over threads.
|
||||
.TP
|
||||
.I total.num.queries_timed_out
|
||||
summed over threads.
|
||||
.TP
|
||||
.I total.query.queue_time_us.max
|
||||
the maximum of the thread values.
|
||||
.TP
|
||||
.I total.num.recursivereplies
|
||||
summed over threads.
|
||||
.TP
|
||||
|
@ -597,7 +632,7 @@ ratelimiting.
|
|||
.TP
|
||||
.I num.query.dnscrypt.shared_secret.cachemiss
|
||||
The number of dnscrypt queries that did not find a shared secret in the cache.
|
||||
The can be use to compute the shared secret hitrate.
|
||||
This can be used to compute the shared secret hitrate.
|
||||
.TP
|
||||
.I num.query.dnscrypt.replay
|
||||
The number of dnscrypt queries that found a nonce hit in the nonce cache and
|
||||
|
@ -653,6 +688,18 @@ timing and protocol support information.
|
|||
The number of items in the key cache. These are DNSSEC keys, one item
|
||||
per delegation point, and their validation status.
|
||||
.TP
|
||||
.I msg.cache.max_collisions
|
||||
The maximum number of hash table collisions in the msg cache. This is the
|
||||
number of hashes that are identical when a new element is inserted in the
|
||||
hash table. If the value is very large, like hundreds, something is wrong
|
||||
with the performance of the hash table, hash values are incorrect or malicious.
|
||||
.TP
|
||||
.I rrset.cache.max_collisions
|
||||
The maximum number of hash table collisions in the rrset cache. This is the
|
||||
number of hashes that are identical when a new element is inserted in the
|
||||
hash table. If the value is very large, like hundreds, something is wrong
|
||||
with the performance of the hash table, hash values are incorrect or malicious.
|
||||
.TP
|
||||
.I dnscrypt_shared_secret.cache.count
|
||||
The number of items in the shared secret cache. These are precomputed shared
|
||||
secrets for a given client public key/server secret key pair. Shared secrets
|
||||
|
@ -692,7 +739,12 @@ Number of queries that got an answer that contained EDNS client subnet data.
|
|||
.I num.query.subnet_cache
|
||||
Number of queries answered from the edns client subnet cache. These are
|
||||
counted as cachemiss by the main counters, but hit the client subnet
|
||||
specific cache, after getting processed by the edns client subnet module.
|
||||
specific cache after getting processed by the edns client subnet module.
|
||||
.TP
|
||||
.I num.query.cachedb
|
||||
Number of queries answered from the external cache of cachedb.
|
||||
These are counted as cachemiss by the main counters, but hit the cachedb
|
||||
external cache after getting processed by the cachedb module.
|
||||
.TP
|
||||
.I num.rpz.action.<rpz_action>
|
||||
Number of queries answered using configured RPZ policy, per RPZ action type.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "unbound\-host" "1" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
|
||||
.TH "unbound\-host" "1" "Aug 30, 2023" "NLnet Labs" "unbound 1.18.0"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "unbound" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
|
||||
.TH "unbound" "8" "Aug 30, 2023" "NLnet Labs" "unbound 1.18.0"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
|
@ -9,7 +9,7 @@
|
|||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.17.1.
|
||||
\- Unbound DNS validating resolver 1.18.0.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "unbound.conf" "5" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
|
||||
.TH "unbound.conf" "5" "Aug 30, 2023" "NLnet Labs" "unbound 1.18.0"
|
||||
.\"
|
||||
.\" unbound.conf.5 -- unbound.conf manual
|
||||
.\"
|
||||
|
@ -233,7 +233,8 @@ number).
|
|||
.B max\-udp\-size: \fI<number>
|
||||
Maximum UDP response size (not applied to TCP response). 65536 disables the
|
||||
udp response size maximum, and uses the choice from the client, always.
|
||||
Suggested values are 512 to 4096. Default is 4096.
|
||||
Suggested values are 512 to 4096. Default is 1232. The default value is the
|
||||
same as the default for edns\-buffer\-size.
|
||||
.TP
|
||||
.B stream\-wait\-size: \fI<number>
|
||||
Number of bytes size maximum to use for waiting stream buffers. Default is
|
||||
|
@ -504,6 +505,14 @@ configured, and finally to 0 if the number of free buffers falls below
|
|||
A minimum actual timeout of 200 milliseconds is observed regardless of the
|
||||
advertised timeout.
|
||||
.TP
|
||||
.B sock\-queue\-timeout: \fI<sec>\fR
|
||||
UDP queries that have waited in the socket buffer for a long time can be
|
||||
dropped. Default is 0, disabled. The time is set in seconds, 3 could be a
|
||||
good value to ignore old queries that likely the client does not need a reply
|
||||
for any more. This could happen if the host has not been able to service
|
||||
the queries for a while, i.e. Unbound is not running, and then is enabled
|
||||
again. It uses timestamp socket options.
|
||||
.TP
|
||||
.B tcp\-upstream: \fI<yes or no>
|
||||
Enable or disable whether the upstream queries use TCP only for transport.
|
||||
Default is no. Useful in tunneling scenarios. If set to no you can specify
|
||||
|
@ -692,17 +701,17 @@ This option is experimental at this time.
|
|||
.B access\-control: \fI<IP netblock> <action>
|
||||
The netblock is given as an IP4 or IP6 address with /size appended for a
|
||||
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||
\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
|
||||
\fIrefuse_non_local\fR.
|
||||
\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIallow_cookie\fR,
|
||||
\fIdeny_non_local\fR or \fIrefuse_non_local\fR.
|
||||
The most specific netblock match is used, if none match \fIrefuse\fR is used.
|
||||
The order of the access\-control statements therefore does not matter.
|
||||
.IP
|
||||
The action \fIdeny\fR stops queries from hosts from that netblock.
|
||||
The \fIdeny\fR action stops queries from hosts from that netblock.
|
||||
.IP
|
||||
The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
|
||||
The \fIrefuse\fR action stops queries too, but sends a DNS rcode REFUSED
|
||||
error message back.
|
||||
.IP
|
||||
The action \fIallow\fR gives access to clients from that netblock.
|
||||
The \fIallow\fR action gives access to clients from that netblock.
|
||||
It gives only access for recursion clients (which is
|
||||
what almost all clients need). Nonrecursive queries are refused.
|
||||
.IP
|
||||
|
@ -722,13 +731,27 @@ may be useful if another DNS server must forward requests for specific
|
|||
zones to a resolver DNS server, but only supports stub domains and
|
||||
sends queries to the resolver DNS server with the RD bit cleared.
|
||||
.IP
|
||||
The action \fIallow_snoop\fR gives nonrecursive access too. This give
|
||||
The \fIallow_snoop\fR action gives nonrecursive access too. This give
|
||||
both recursive and non recursive access. The name \fIallow_snoop\fR refers
|
||||
to cache snooping, a technique to use nonrecursive queries to examine
|
||||
the cache contents (for malicious acts). However, nonrecursive queries can
|
||||
also be a valuable debugging tool (when you want to examine the cache
|
||||
contents). In that case use \fIallow_snoop\fR for your administration host.
|
||||
.IP
|
||||
The \fIallow_cookie\fR action allows access to UDP queries that contain a
|
||||
valid DNS Cookie as specified in RFC 7873 and RFC 9018, when the
|
||||
\fBanswer\-cookie\fR option is enabled.
|
||||
UDP queries containing only a DNS Client Cookie and no Server Cookie, or an
|
||||
invalid DNS Cookie, will receive a BADCOOKIE response including a newly
|
||||
generated DNS Cookie, allowing clients to retry with that DNS Cookie.
|
||||
The \fIallow_cookie\fR action will also accept requests over stateful
|
||||
transports, regardless of the presence of an DNS Cookie and regardless of the
|
||||
\fBanswer\-cookie\fR setting.
|
||||
If \fBip\-ratelimit\fR is used, clients with a valid DNS Cookie will bypass the
|
||||
ratelimit.
|
||||
If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
|
||||
can be used instead.
|
||||
.IP
|
||||
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
|
||||
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
|
||||
protocol is not designed to handle dropped packets due to policy, and
|
||||
|
@ -1019,6 +1042,12 @@ validate the zone. Default is no. Zone signers must produce zones
|
|||
that allow this feature to work, but sometimes they do not, and turning
|
||||
this option off avoids that validation failure.
|
||||
.TP
|
||||
.B harden\-unknown\-additional: \fI<yes or no>
|
||||
Harden against unknown records in the authority section and additional
|
||||
section. Default is no. If no, such records are copied from the upstream
|
||||
and presented to the client together with the answer. If yes, it could
|
||||
hamper future protocol developments that want to add records.
|
||||
.TP
|
||||
.B use\-caps\-for\-id: \fI<yes or no>
|
||||
Use 0x20\-encoded random bits in the query to foil spoof attempts.
|
||||
This perturbs the lowercase and uppercase of query names sent to
|
||||
|
@ -1391,10 +1420,10 @@ address space are not validated. This is usually required whenever
|
|||
Configure a local zone. The type determines the answer to give if
|
||||
there is no match from local\-data. The types are deny, refuse, static,
|
||||
transparent, redirect, nodefault, typetransparent, inform, inform_deny,
|
||||
inform_redirect, always_transparent, always_refuse, always_nxdomain, always_null, noview,
|
||||
and are explained below. After that the default settings are listed. Use
|
||||
local\-data: to enter data into the local zone. Answers for local zones
|
||||
are authoritative DNS answers. By default the zones are class IN.
|
||||
inform_redirect, always_transparent, block_a, always_refuse, always_nxdomain,
|
||||
always_null, noview, and are explained below. After that the default settings
|
||||
are listed. Use local\-data: to enter data into the local zone. Answers for
|
||||
local zones are authoritative DNS answers. By default the zones are class IN.
|
||||
.IP
|
||||
If you need more complicated authoritative data, with referrals, wildcards,
|
||||
CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
|
||||
|
@ -1469,6 +1498,12 @@ Ie. answer queries with fixed data and also log the machines that ask.
|
|||
\h'5'\fIalways_transparent\fR
|
||||
Like transparent, but ignores local data and resolves normally.
|
||||
.TP 10
|
||||
\h'5'\fIblock_a\fR
|
||||
Like transparent, but ignores local data and resolves normally all query
|
||||
types excluding A. For A queries it unconditionally returns NODATA.
|
||||
Useful in cases when there is a need to explicitly force all apps to use
|
||||
IPv6 protocol and avoid any queries to IPv4.
|
||||
.TP 10
|
||||
\h'5'\fIalways_refuse\fR
|
||||
Like refuse, but ignores local data and refuses the query.
|
||||
.TP 10
|
||||
|
@ -1785,11 +1820,27 @@ A value of 0 will disable ratelimiting for domain names that end in this name.
|
|||
.TP 5
|
||||
.B ip\-ratelimit: \fI<number or 0>
|
||||
Enable global ratelimiting of queries accepted per IP address.
|
||||
If 0, the default, it is disabled. This option is experimental at this time.
|
||||
This option is experimental at this time.
|
||||
The ratelimit is in queries per second that are allowed. More queries are
|
||||
completely dropped and will not receive a reply, SERVFAIL or otherwise.
|
||||
IP ratelimiting happens before looking in the cache. This may be useful for
|
||||
mitigating amplification attacks.
|
||||
Default is 0 (disabled).
|
||||
.TP 5
|
||||
.B ip\-ratelimit\-cookie: \fI<number or 0>
|
||||
Enable global ratelimiting of queries accepted per IP address with a valid DNS
|
||||
Cookie.
|
||||
This option is experimental at this time.
|
||||
The ratelimit is in queries per second that are allowed.
|
||||
More queries are completely dropped and will not receive a reply, SERVFAIL or
|
||||
otherwise.
|
||||
IP ratelimiting happens before looking in the cache.
|
||||
This option could be useful in combination with \fIallow_cookie\fR in an
|
||||
attempt to mitigate other amplification attacks than UDP reflections (e.g.,
|
||||
attacks targeting Unbound itself) which are already handled with DNS Cookies.
|
||||
If used, the value is suggested to be higher than \fBip\-ratelimit\fR e.g.,
|
||||
tenfold.
|
||||
Default is 0 (disabled).
|
||||
.TP 5
|
||||
.B ip\-ratelimit\-size: \fI<memory size>
|
||||
Give the size of the data structure in which the current ongoing rates are
|
||||
|
@ -1858,6 +1909,18 @@ Set the number of servers that should be used for fast server selection. Only
|
|||
use the fastest specified number of servers with the fast\-server\-permil
|
||||
option, that turns this on or off. The default is to use the fastest 3 servers.
|
||||
.TP 5
|
||||
.B answer\-cookie: \fI<yes or no>
|
||||
If enabled, Unbound will answer to requests containing DNS Cookies as
|
||||
specified in RFC 7873 and RFC 9018.
|
||||
Default is no.
|
||||
.TP 5
|
||||
.B cookie\-secret: \fI<128 bit hex string>
|
||||
Server's secret for DNS Cookie generation.
|
||||
Useful to explicitly set for servers in an anycast deployment that need to
|
||||
share the secret in order to verify each other's Server Cookies.
|
||||
An example hex string would be "000102030405060708090a0b0c0d0e0f".
|
||||
Default is a 128 bits random secret generated at startup time.
|
||||
.TP 5
|
||||
.B edns\-client\-string: \fI<IP netblock> <string>
|
||||
Include an EDNS0 option containing configured ascii string in queries with
|
||||
destination address matching the configured IP netblock. This configuration
|
||||
|
@ -2091,13 +2154,32 @@ useful when you want immediate changes to be visible.
|
|||
Authority zones are configured with \fBauth\-zone:\fR, and each one must
|
||||
have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone clauses, each with a different name, pertaining to that part of the namespace.
|
||||
The authority zone with the name closest to the name looked up is used.
|
||||
Authority zones are processed after \fBlocal\-zones\fR and before
|
||||
cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner
|
||||
make Unbound respond like an authority server. Authority zones are also
|
||||
processed after cache, just before going to the network to fetch
|
||||
information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used
|
||||
in this manner provide a local copy of an authority server that speeds up
|
||||
lookups of that data.
|
||||
Authority zones can be processed on two distinct, non-exclusive, configurable
|
||||
stages.
|
||||
.LP
|
||||
With \fBfor\-downstream:\fR \fIyes\fR (default), authority zones are processed
|
||||
after \fBlocal\-zones\fR and before cache.
|
||||
When used in this manner, Unbound responds like an authority server with no
|
||||
further processing other than returning an answer from the zone contents.
|
||||
A notable example, in this case, is CNAME records which are returned verbatim
|
||||
to downstream clients without further resolution.
|
||||
.LP
|
||||
With \fBfor\-upstream:\fR \fIyes\fR (default), authority zones are processed
|
||||
after the cache lookup, just before going to the network to fetch
|
||||
information for recursion.
|
||||
When used in this manner they provide a local copy of an authority server
|
||||
that speeds up lookups for that data during resolving.
|
||||
.LP
|
||||
If both options are enabled (default), client queries for an authority zone are
|
||||
answered authoritatively from Unbound, while internal queries that require data
|
||||
from the authority zone consult the local zone data instead of going to the
|
||||
network.
|
||||
.LP
|
||||
An interesting configuration is \fBfor\-downstream:\fR \fIno\fR,
|
||||
\fBfor\-upstream:\fR \fIyes\fR that allows for hyperlocal behavior where both
|
||||
client and internal queries consult the local zone data while resolving.
|
||||
In this case, the aforementioned CNAME example will result in a thoroughly
|
||||
resolved answer.
|
||||
.LP
|
||||
Authority zones can be read from zonefile. And can be kept updated via
|
||||
AXFR and IXFR. After update the zonefile is rewritten. The update mechanism
|
||||
|
@ -2291,6 +2373,21 @@ List domain for which the AAAA records are ignored and the A record is
|
|||
used by dns64 processing instead. Can be entered multiple times, list a
|
||||
new domain for which it applies, one per line. Applies also to names
|
||||
underneath the name given.
|
||||
.SS "NAT64 Operation"
|
||||
.LP
|
||||
NAT64 operation allows using a NAT64 prefix for outbound requests to IPv4-only
|
||||
servers. It is controlled by two options in the \fBserver:\fR section:
|
||||
.TP
|
||||
.B do\-nat64: \fI<yes or no>\fR
|
||||
Use NAT64 to reach IPv4-only servers.
|
||||
Consider also enabling \fBprefer\-ip6\fR to prefer native IPv6 connections to
|
||||
nameservers.
|
||||
Default no.
|
||||
.TP
|
||||
.B nat64\-prefix: \fI<IPv6 prefix>\fR
|
||||
Use a specific NAT64 prefix to reach IPv4-only servers. Defaults to using
|
||||
the prefix configured in \fBdns64\-prefix\fR, which in turn defaults to
|
||||
64:ff9b::/96. The prefix length must be one of /32, /40, /48, /56, /64 or /96.
|
||||
.SS "DNSCrypt Options"
|
||||
.LP
|
||||
The
|
||||
|
@ -2586,6 +2683,16 @@ This option defaults to "127.0.0.1".
|
|||
The TCP port number of the Redis server.
|
||||
This option defaults to 6379.
|
||||
.TP
|
||||
.B redis-server-path: \fI<unix socket path>\fR
|
||||
The unix socket path to connect to the redis server. Off by default, and it
|
||||
can be set to "" to turn this off. Unix sockets may have better throughput
|
||||
than the IP address option.
|
||||
.TP
|
||||
.B redis-server-password: \fI"<password>"\fR
|
||||
The Redis AUTH password to use for the redis server.
|
||||
Only relevant if Redis is configured for client password authorisation.
|
||||
Off by default, and it can be set to "" to turn this off.
|
||||
.TP
|
||||
.B redis-timeout: \fI<msec>\fR
|
||||
The period until when Unbound waits for a response from the Redis sever.
|
||||
If this timeout expires Unbound closes the connection, treats it as
|
||||
|
|
|
@ -352,7 +352,7 @@ update_cache(struct module_qstate *qstate, int id)
|
|||
((struct subnet_qstate*)qstate->minfo[id])->qinfo_hash :
|
||||
query_info_hash(&qstate->qinfo, qstate->query_flags);
|
||||
/* Step 1, general qinfo lookup */
|
||||
struct lruhash_entry *lru_entry = slabhash_lookup(subnet_msg_cache, h,
|
||||
struct lruhash_entry* lru_entry = slabhash_lookup(subnet_msg_cache, h,
|
||||
&qstate->qinfo, 1);
|
||||
int need_to_insert = (lru_entry == NULL);
|
||||
if (!lru_entry) {
|
||||
|
@ -396,7 +396,7 @@ update_cache(struct module_qstate *qstate, int id)
|
|||
log_err("subnetcache: cache insertion failed");
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
/* store RRsets */
|
||||
for(i=0; i<rep->rrset_count; i++) {
|
||||
rep->ref[i].key = rep->rrsets[i];
|
||||
|
@ -421,7 +421,7 @@ update_cache(struct module_qstate *qstate, int id)
|
|||
|
||||
/** Lookup in cache and reply true iff reply is sent. */
|
||||
static int
|
||||
lookup_and_reply(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
|
||||
lookup_and_reply(struct module_qstate *qstate, int id, struct subnet_qstate *sq, int prefetch)
|
||||
{
|
||||
struct lruhash_entry *e;
|
||||
struct module_env *env = qstate->env;
|
||||
|
@ -473,6 +473,10 @@ lookup_and_reply(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
|
|||
INET6_SIZE);
|
||||
sq->ecs_client_out.subnet_validdata = 1;
|
||||
}
|
||||
|
||||
if (prefetch && *qstate->env->now >= ((struct reply_info *)node->elem)->prefetch_ttl) {
|
||||
qstate->need_refetch = 1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -509,7 +513,7 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
|
|||
* module_finished */
|
||||
return module_finished;
|
||||
}
|
||||
|
||||
|
||||
/* We have not asked for subnet data */
|
||||
if (!sq->subnet_sent) {
|
||||
if (s_in->subnet_validdata)
|
||||
|
@ -518,7 +522,7 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
|
|||
cp_edns_bad_response(c_out, c_in);
|
||||
return module_finished;
|
||||
}
|
||||
|
||||
|
||||
/* subnet sent but nothing came back */
|
||||
if (!s_in->subnet_validdata) {
|
||||
/* The authority indicated no support for edns subnet. As a
|
||||
|
@ -535,11 +539,11 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
|
|||
cp_edns_bad_response(c_out, c_in);
|
||||
return module_finished;
|
||||
}
|
||||
|
||||
|
||||
/* Being here means we have asked for and got a subnet specific
|
||||
* answer. Also, the answer from the authority is not yet cached
|
||||
* anywhere. */
|
||||
|
||||
|
||||
/* can we accept response? */
|
||||
if(s_out->subnet_addr_fam != s_in->subnet_addr_fam ||
|
||||
s_out->subnet_source_mask != s_in->subnet_source_mask ||
|
||||
|
@ -779,6 +783,11 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
|
|||
&qstate->mesh_info->reply_list->query_reply.client_addr,
|
||||
&sq->ecs_client_in, qstate->env->cfg);
|
||||
}
|
||||
else if(qstate->client_addr.ss_family != AF_UNSPEC) {
|
||||
subnet_option_from_ss(
|
||||
&qstate->client_addr,
|
||||
&sq->ecs_client_in, qstate->env->cfg);
|
||||
}
|
||||
|
||||
if(sq->ecs_client_in.subnet_validdata == 0) {
|
||||
/* No clients are interested in result or we could not
|
||||
|
@ -802,7 +811,9 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
|
|||
|
||||
if(!sq->started_no_cache_lookup && !qstate->blacklist) {
|
||||
lock_rw_wrlock(&sne->biglock);
|
||||
if(lookup_and_reply(qstate, id, sq)) {
|
||||
if(qstate->mesh_info->reply_list &&
|
||||
lookup_and_reply(qstate, id, sq,
|
||||
qstate->env->cfg->prefetch)) {
|
||||
sne->num_msg_cache++;
|
||||
lock_rw_unlock(&sne->biglock);
|
||||
verbose(VERB_QUERY, "subnetcache: answered from cache");
|
||||
|
|
|
@ -321,6 +321,45 @@ void delegpt_log(enum verbosity_value v, struct delegpt* dp)
|
|||
}
|
||||
}
|
||||
|
||||
int
|
||||
delegpt_addr_on_result_list(struct delegpt* dp, struct delegpt_addr* find)
|
||||
{
|
||||
struct delegpt_addr* a = dp->result_list;
|
||||
while(a) {
|
||||
if(a == find)
|
||||
return 1;
|
||||
a = a->next_result;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
delegpt_usable_list_remove_addr(struct delegpt* dp, struct delegpt_addr* del)
|
||||
{
|
||||
struct delegpt_addr* usa = dp->usable_list, *prev = NULL;
|
||||
while(usa) {
|
||||
if(usa == del) {
|
||||
/* snip off the usable list */
|
||||
if(prev)
|
||||
prev->next_usable = usa->next_usable;
|
||||
else dp->usable_list = usa->next_usable;
|
||||
return;
|
||||
}
|
||||
prev = usa;
|
||||
usa = usa->next_usable;
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
delegpt_add_to_result_list(struct delegpt* dp, struct delegpt_addr* a)
|
||||
{
|
||||
if(delegpt_addr_on_result_list(dp, a))
|
||||
return;
|
||||
delegpt_usable_list_remove_addr(dp, a);
|
||||
a->next_result = dp->result_list;
|
||||
dp->result_list = a;
|
||||
}
|
||||
|
||||
void
|
||||
delegpt_add_unused_targets(struct delegpt* dp)
|
||||
{
|
||||
|
|
|
@ -457,4 +457,29 @@ int delegpt_add_target_mlc(struct delegpt* dp, uint8_t* name, size_t namelen,
|
|||
/** get memory in use by dp */
|
||||
size_t delegpt_get_mem(struct delegpt* dp);
|
||||
|
||||
/**
|
||||
* See if the addr is on the result list.
|
||||
* @param dp: delegation point.
|
||||
* @param find: the pointer is searched for on the result list.
|
||||
* @return 1 if found, 0 if not found.
|
||||
*/
|
||||
int delegpt_addr_on_result_list(struct delegpt* dp, struct delegpt_addr* find);
|
||||
|
||||
/**
|
||||
* Remove the addr from the usable list.
|
||||
* @param dp: the delegation point.
|
||||
* @param del: the addr to remove from the list, the pointer is searched for.
|
||||
*/
|
||||
void delegpt_usable_list_remove_addr(struct delegpt* dp,
|
||||
struct delegpt_addr* del);
|
||||
|
||||
/**
|
||||
* Add the delegpt_addr back to the result list, if it is not already on
|
||||
* the result list. Also removes it from the usable list.
|
||||
* @param dp: delegation point.
|
||||
* @param a: addr to add, nothing happens if it is already on the result list.
|
||||
* It is removed from the usable list.
|
||||
*/
|
||||
void delegpt_add_to_result_list(struct delegpt* dp, struct delegpt_addr* a);
|
||||
|
||||
#endif /* ITERATOR_ITER_DELEGPT_H */
|
||||
|
|
|
@ -284,6 +284,13 @@ response_type_from_server(int rdset,
|
|||
|
||||
/* If we've gotten this far, this is NOERROR/NODATA (which could
|
||||
* be an entirely empty message) */
|
||||
/* but ignore entirely empty messages, noerror/nodata has a soa
|
||||
* negative ttl value in the authority section, this makes it try
|
||||
* again at another authority. And turns it from a 5 second empty
|
||||
* message into a 5 second servfail response. */
|
||||
if(msg->rep->an_numrrsets == 0 && msg->rep->ns_numrrsets == 0 &&
|
||||
msg->rep->ar_numrrsets == 0)
|
||||
return RESPONSE_TYPE_THROWAWAY;
|
||||
/* check if recursive answer; saying it has empty cache */
|
||||
if( (msg->rep->flags&BIT_RA) && !(msg->rep->flags&BIT_AA) && !rdset)
|
||||
return RESPONSE_TYPE_REC_LAME;
|
||||
|
|
|
@ -346,6 +346,26 @@ soa_in_auth(struct msg_parse* msg)
|
|||
return 0;
|
||||
}
|
||||
|
||||
/** Check if type is allowed in the authority section */
|
||||
static int
|
||||
type_allowed_in_authority_section(uint16_t tp)
|
||||
{
|
||||
if(tp == LDNS_RR_TYPE_SOA || tp == LDNS_RR_TYPE_NS ||
|
||||
tp == LDNS_RR_TYPE_DS || tp == LDNS_RR_TYPE_NSEC ||
|
||||
tp == LDNS_RR_TYPE_NSEC3)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** Check if type is allowed in the additional section */
|
||||
static int
|
||||
type_allowed_in_additional_section(uint16_t tp)
|
||||
{
|
||||
if(tp == LDNS_RR_TYPE_A || tp == LDNS_RR_TYPE_AAAA)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* This routine normalizes a response. This includes removing "irrelevant"
|
||||
* records from the answer and additional sections and (re)synthesizing
|
||||
|
@ -355,11 +375,13 @@ soa_in_auth(struct msg_parse* msg)
|
|||
* @param msg: msg to normalize.
|
||||
* @param qinfo: original query.
|
||||
* @param region: where to allocate synthesized CNAMEs.
|
||||
* @param env: module env with config options.
|
||||
* @return 0 on error.
|
||||
*/
|
||||
static int
|
||||
scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
||||
struct query_info* qinfo, struct regional* region)
|
||||
struct query_info* qinfo, struct regional* region,
|
||||
struct module_env* env)
|
||||
{
|
||||
uint8_t* sname = qinfo->qname;
|
||||
size_t snamelen = qinfo->qname_len;
|
||||
|
@ -511,6 +533,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
|||
|
||||
/* Mark additional names from AUTHORITY */
|
||||
while(rrset && rrset->section == LDNS_SECTION_AUTHORITY) {
|
||||
/* protect internals of recursor by making sure to del these */
|
||||
if(rrset->type==LDNS_RR_TYPE_DNAME ||
|
||||
rrset->type==LDNS_RR_TYPE_CNAME ||
|
||||
rrset->type==LDNS_RR_TYPE_A ||
|
||||
|
@ -519,6 +542,13 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
|||
"RRset:", pkt, msg, prev, &rrset);
|
||||
continue;
|
||||
}
|
||||
/* Allowed list of types in the authority section */
|
||||
if(env->cfg->harden_unknown_additional &&
|
||||
!type_allowed_in_authority_section(rrset->type)) {
|
||||
remove_rrset("normalize: removing irrelevant "
|
||||
"RRset:", pkt, msg, prev, &rrset);
|
||||
continue;
|
||||
}
|
||||
/* only one NS set allowed in authority section */
|
||||
if(rrset->type==LDNS_RR_TYPE_NS) {
|
||||
/* NS set must be pertinent to the query */
|
||||
|
@ -576,7 +606,6 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
|||
* found in ANSWER and AUTHORITY. */
|
||||
/* These records have not been marked OK previously */
|
||||
while(rrset && rrset->section == LDNS_SECTION_ADDITIONAL) {
|
||||
/* FIXME: what about other types? */
|
||||
if(rrset->type==LDNS_RR_TYPE_A ||
|
||||
rrset->type==LDNS_RR_TYPE_AAAA)
|
||||
{
|
||||
|
@ -589,6 +618,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
|||
continue;
|
||||
}
|
||||
}
|
||||
/* protect internals of recursor by making sure to del these */
|
||||
if(rrset->type==LDNS_RR_TYPE_DNAME ||
|
||||
rrset->type==LDNS_RR_TYPE_CNAME ||
|
||||
rrset->type==LDNS_RR_TYPE_NS) {
|
||||
|
@ -596,6 +626,13 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
|||
"RRset:", pkt, msg, prev, &rrset);
|
||||
continue;
|
||||
}
|
||||
/* Allowed list of types in the additional section */
|
||||
if(env->cfg->harden_unknown_additional &&
|
||||
!type_allowed_in_additional_section(rrset->type)) {
|
||||
remove_rrset("normalize: removing irrelevant "
|
||||
"RRset:", pkt, msg, prev, &rrset);
|
||||
continue;
|
||||
}
|
||||
prev = rrset;
|
||||
rrset = rrset->rrset_all_next;
|
||||
}
|
||||
|
@ -846,7 +883,7 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
|
|||
}
|
||||
|
||||
/* normalize the response, this cleans up the additional. */
|
||||
if(!scrub_normalize(pkt, msg, qinfo, region))
|
||||
if(!scrub_normalize(pkt, msg, qinfo, region, env))
|
||||
return 0;
|
||||
/* delete all out-of-zone information */
|
||||
if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie))
|
||||
|
|
|
@ -71,6 +71,11 @@
|
|||
/** time when nameserver glue is said to be 'recent' */
|
||||
#define SUSPICION_RECENT_EXPIRY 86400
|
||||
|
||||
/** if NAT64 is enabled and no NAT64 prefix is configured, first fall back to
|
||||
* DNS64 prefix. If that is not configured, fall back to this default value.
|
||||
*/
|
||||
static const char DEFAULT_NAT64_PREFIX[] = "64:ff9b::/96";
|
||||
|
||||
/** fillup fetch policy array */
|
||||
static void
|
||||
fetch_fill(struct iter_env* ie, const char* str)
|
||||
|
@ -142,6 +147,7 @@ caps_white_apply_cfg(rbtree_type* ntree, struct config_file* cfg)
|
|||
int
|
||||
iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
|
||||
{
|
||||
const char *nat64_prefix;
|
||||
int i;
|
||||
/* target fetch policy */
|
||||
if(!read_fetch_policy(iter_env, cfg->target_fetch_policy))
|
||||
|
@ -172,8 +178,32 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
|
|||
}
|
||||
|
||||
}
|
||||
|
||||
nat64_prefix = cfg->nat64_prefix;
|
||||
if(!nat64_prefix)
|
||||
nat64_prefix = cfg->dns64_prefix;
|
||||
if(!nat64_prefix)
|
||||
nat64_prefix = DEFAULT_NAT64_PREFIX;
|
||||
if(!netblockstrtoaddr(nat64_prefix, 0, &iter_env->nat64_prefix_addr,
|
||||
&iter_env->nat64_prefix_addrlen,
|
||||
&iter_env->nat64_prefix_net)) {
|
||||
log_err("cannot parse nat64-prefix netblock: %s", nat64_prefix);
|
||||
return 0;
|
||||
}
|
||||
if(!addr_is_ip6(&iter_env->nat64_prefix_addr,
|
||||
iter_env->nat64_prefix_addrlen)) {
|
||||
log_err("nat64-prefix is not IPv6: %s", cfg->nat64_prefix);
|
||||
return 0;
|
||||
}
|
||||
if(!prefixnet_is_nat64(iter_env->nat64_prefix_net)) {
|
||||
log_err("nat64-prefix length it not 32, 40, 48, 56, 64 or 96: %s",
|
||||
nat64_prefix);
|
||||
return 0;
|
||||
}
|
||||
|
||||
iter_env->supports_ipv6 = cfg->do_ip6;
|
||||
iter_env->supports_ipv4 = cfg->do_ip4;
|
||||
iter_env->use_nat64 = cfg->do_nat64;
|
||||
iter_env->outbound_msg_retry = cfg->outbound_msg_retry;
|
||||
iter_env->max_sent_count = cfg->max_sent_count;
|
||||
iter_env->max_query_restarts = cfg->max_query_restarts;
|
||||
|
@ -240,7 +270,8 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
|
|||
if(!iter_env->supports_ipv6 && addr_is_ip6(&a->addr, a->addrlen)) {
|
||||
return -1; /* there is no ip6 available */
|
||||
}
|
||||
if(!iter_env->supports_ipv4 && !addr_is_ip6(&a->addr, a->addrlen)) {
|
||||
if(!iter_env->supports_ipv4 && !iter_env->use_nat64 &&
|
||||
!addr_is_ip6(&a->addr, a->addrlen)) {
|
||||
return -1; /* there is no ip4 available */
|
||||
}
|
||||
/* check lameness - need zone , class info */
|
||||
|
@ -747,10 +778,15 @@ iter_mark_pside_cycle_targets(struct module_qstate* qstate, struct delegpt* dp)
|
|||
|
||||
int
|
||||
iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
|
||||
struct delegpt* dp, int supports_ipv4, int supports_ipv6)
|
||||
struct delegpt* dp, int supports_ipv4, int supports_ipv6,
|
||||
int use_nat64)
|
||||
{
|
||||
struct delegpt_ns* ns;
|
||||
struct delegpt_addr* a;
|
||||
|
||||
if(supports_ipv6 && use_nat64)
|
||||
supports_ipv4 = 1;
|
||||
|
||||
/* check:
|
||||
* o RD qflag is on.
|
||||
* o no addresses are provided.
|
||||
|
@ -1310,8 +1346,7 @@ void iter_dec_attempts(struct delegpt* dp, int d, int outbound_msg_retry)
|
|||
for(a=dp->target_list; a; a = a->next_target) {
|
||||
if(a->attempts >= outbound_msg_retry) {
|
||||
/* add back to result list */
|
||||
a->next_result = dp->result_list;
|
||||
dp->result_list = a;
|
||||
delegpt_add_to_result_list(dp, a);
|
||||
}
|
||||
if(a->attempts > d)
|
||||
a->attempts -= d;
|
||||
|
|
|
@ -189,10 +189,13 @@ void iter_mark_pside_cycle_targets(struct module_qstate* qstate,
|
|||
* if not, then the IPv4 addresses are useless.
|
||||
* @param supports_ipv6: if we support ipv6 for lookups to the target.
|
||||
* if not, then the IPv6 addresses are useless.
|
||||
* @param use_nat64: if we support NAT64 for lookups to the target.
|
||||
* if yes, IPv4 addresses are useful even if we don't support IPv4.
|
||||
* @return true if dp is useless.
|
||||
*/
|
||||
int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
|
||||
struct delegpt* dp, int supports_ipv4, int supports_ipv6);
|
||||
int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
|
||||
struct delegpt* dp, int supports_ipv4, int supports_ipv6,
|
||||
int use_nat64);
|
||||
|
||||
/**
|
||||
* See if qname has DNSSEC needs. This is true if there is a trust anchor above
|
||||
|
|
|
@ -255,7 +255,7 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
|
|||
log_err("out of memory adding missing");
|
||||
}
|
||||
delegpt_mark_neg(dpns, qstate->qinfo.qtype);
|
||||
if((dpns->got4 == 2 || !ie->supports_ipv4) &&
|
||||
if((dpns->got4 == 2 || (!ie->supports_ipv4 && !ie->use_nat64)) &&
|
||||
(dpns->got6 == 2 || !ie->supports_ipv6)) {
|
||||
dpns->resolved = 1; /* mark as failed */
|
||||
target_count_increase_nx(super_iq, 1);
|
||||
|
@ -302,81 +302,65 @@ error_response(struct module_qstate* qstate, int id, int rcode)
|
|||
static int
|
||||
error_response_cache(struct module_qstate* qstate, int id, int rcode)
|
||||
{
|
||||
if(!qstate->no_cache_store) {
|
||||
/* store in cache */
|
||||
struct reply_info err;
|
||||
if(qstate->prefetch_leeway > NORR_TTL) {
|
||||
verbose(VERB_ALGO, "error response for prefetch in cache");
|
||||
/* attempt to adjust the cache entry prefetch */
|
||||
if(dns_cache_prefetch_adjust(qstate->env, &qstate->qinfo,
|
||||
NORR_TTL, qstate->query_flags))
|
||||
return error_response(qstate, id, rcode);
|
||||
/* if that fails (not in cache), fall through to store err */
|
||||
}
|
||||
if(qstate->env->cfg->serve_expired) {
|
||||
/* if serving expired contents, and such content is
|
||||
* already available, don't overwrite this servfail */
|
||||
struct msgreply_entry* msg;
|
||||
if((msg=msg_cache_lookup(qstate->env,
|
||||
qstate->qinfo.qname, qstate->qinfo.qname_len,
|
||||
qstate->qinfo.qtype, qstate->qinfo.qclass,
|
||||
qstate->query_flags, 0,
|
||||
qstate->env->cfg->serve_expired_ttl_reset))
|
||||
!= NULL) {
|
||||
if(qstate->env->cfg->serve_expired_ttl_reset) {
|
||||
struct reply_info* rep =
|
||||
(struct reply_info*)msg->entry.data;
|
||||
if(rep && *qstate->env->now +
|
||||
qstate->env->cfg->serve_expired_ttl >
|
||||
rep->serve_expired_ttl) {
|
||||
rep->serve_expired_ttl =
|
||||
*qstate->env->now +
|
||||
qstate->env->cfg->serve_expired_ttl;
|
||||
}
|
||||
}
|
||||
lock_rw_unlock(&msg->entry.lock);
|
||||
return error_response(qstate, id, rcode);
|
||||
}
|
||||
/* serving expired contents, but nothing is cached
|
||||
* at all, so the servfail cache entry is useful
|
||||
* (stops waste of time on this servfail NORR_TTL) */
|
||||
} else {
|
||||
/* don't overwrite existing (non-expired) data in
|
||||
* cache with a servfail */
|
||||
struct msgreply_entry* msg;
|
||||
if((msg=msg_cache_lookup(qstate->env,
|
||||
qstate->qinfo.qname, qstate->qinfo.qname_len,
|
||||
qstate->qinfo.qtype, qstate->qinfo.qclass,
|
||||
qstate->query_flags, *qstate->env->now, 0))
|
||||
!= NULL) {
|
||||
struct reply_info* rep = (struct reply_info*)
|
||||
msg->entry.data;
|
||||
if(FLAGS_GET_RCODE(rep->flags) ==
|
||||
LDNS_RCODE_NOERROR ||
|
||||
FLAGS_GET_RCODE(rep->flags) ==
|
||||
LDNS_RCODE_NXDOMAIN) {
|
||||
/* we have a good entry,
|
||||
* don't overwrite */
|
||||
lock_rw_unlock(&msg->entry.lock);
|
||||
return error_response(qstate, id, rcode);
|
||||
}
|
||||
lock_rw_unlock(&msg->entry.lock);
|
||||
}
|
||||
|
||||
}
|
||||
memset(&err, 0, sizeof(err));
|
||||
err.flags = (uint16_t)(BIT_QR | BIT_RA);
|
||||
FLAGS_SET_RCODE(err.flags, rcode);
|
||||
err.qdcount = 1;
|
||||
err.ttl = NORR_TTL;
|
||||
err.prefetch_ttl = PREFETCH_TTL_CALC(err.ttl);
|
||||
err.serve_expired_ttl = NORR_TTL;
|
||||
/* do not waste time trying to validate this servfail */
|
||||
err.security = sec_status_indeterminate;
|
||||
verbose(VERB_ALGO, "store error response in message cache");
|
||||
iter_dns_store(qstate->env, &qstate->qinfo, &err, 0, 0, 0, NULL,
|
||||
qstate->query_flags, qstate->qstarttime);
|
||||
struct reply_info err;
|
||||
struct msgreply_entry* msg;
|
||||
if(qstate->no_cache_store) {
|
||||
return error_response(qstate, id, rcode);
|
||||
}
|
||||
if(qstate->prefetch_leeway > NORR_TTL) {
|
||||
verbose(VERB_ALGO, "error response for prefetch in cache");
|
||||
/* attempt to adjust the cache entry prefetch */
|
||||
if(dns_cache_prefetch_adjust(qstate->env, &qstate->qinfo,
|
||||
NORR_TTL, qstate->query_flags))
|
||||
return error_response(qstate, id, rcode);
|
||||
/* if that fails (not in cache), fall through to store err */
|
||||
}
|
||||
if((msg=msg_cache_lookup(qstate->env,
|
||||
qstate->qinfo.qname, qstate->qinfo.qname_len,
|
||||
qstate->qinfo.qtype, qstate->qinfo.qclass,
|
||||
qstate->query_flags, 0,
|
||||
qstate->env->cfg->serve_expired_ttl_reset)) != NULL) {
|
||||
struct reply_info* rep = (struct reply_info*)msg->entry.data;
|
||||
if(qstate->env->cfg->serve_expired &&
|
||||
qstate->env->cfg->serve_expired_ttl_reset && rep &&
|
||||
*qstate->env->now + qstate->env->cfg->serve_expired_ttl
|
||||
> rep->serve_expired_ttl) {
|
||||
verbose(VERB_ALGO, "reset serve-expired-ttl for "
|
||||
"response in cache");
|
||||
rep->serve_expired_ttl = *qstate->env->now +
|
||||
qstate->env->cfg->serve_expired_ttl;
|
||||
}
|
||||
if(rep && (FLAGS_GET_RCODE(rep->flags) ==
|
||||
LDNS_RCODE_NOERROR ||
|
||||
FLAGS_GET_RCODE(rep->flags) ==
|
||||
LDNS_RCODE_NXDOMAIN ||
|
||||
FLAGS_GET_RCODE(rep->flags) ==
|
||||
LDNS_RCODE_YXDOMAIN) &&
|
||||
(qstate->env->cfg->serve_expired ||
|
||||
*qstate->env->now <= rep->ttl)) {
|
||||
/* we have a good entry, don't overwrite */
|
||||
lock_rw_unlock(&msg->entry.lock);
|
||||
return error_response(qstate, id, rcode);
|
||||
}
|
||||
lock_rw_unlock(&msg->entry.lock);
|
||||
/* nothing interesting is cached (already error response or
|
||||
* expired good record when we don't serve expired), so this
|
||||
* servfail cache entry is useful (stops waste of time on this
|
||||
* servfail NORR_TTL) */
|
||||
}
|
||||
/* store in cache */
|
||||
memset(&err, 0, sizeof(err));
|
||||
err.flags = (uint16_t)(BIT_QR | BIT_RA);
|
||||
FLAGS_SET_RCODE(err.flags, rcode);
|
||||
err.qdcount = 1;
|
||||
err.ttl = NORR_TTL;
|
||||
err.prefetch_ttl = PREFETCH_TTL_CALC(err.ttl);
|
||||
err.serve_expired_ttl = NORR_TTL;
|
||||
/* do not waste time trying to validate this servfail */
|
||||
err.security = sec_status_indeterminate;
|
||||
verbose(VERB_ALGO, "store error response in message cache");
|
||||
iter_dns_store(qstate->env, &qstate->qinfo, &err, 0, 0, 0, NULL,
|
||||
qstate->query_flags, qstate->qstarttime);
|
||||
return error_response(qstate, id, rcode);
|
||||
}
|
||||
|
||||
|
@ -590,6 +574,54 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
return 1;
|
||||
}
|
||||
|
||||
/** fill fail address for later recovery */
|
||||
static void
|
||||
fill_fail_addr(struct iter_qstate* iq, struct sockaddr_storage* addr,
|
||||
socklen_t addrlen)
|
||||
{
|
||||
if(addrlen == 0) {
|
||||
iq->fail_addr_type = 0;
|
||||
return;
|
||||
}
|
||||
if(((struct sockaddr_in*)addr)->sin_family == AF_INET) {
|
||||
iq->fail_addr_type = 4;
|
||||
memcpy(&iq->fail_addr.in,
|
||||
&((struct sockaddr_in*)addr)->sin_addr,
|
||||
sizeof(iq->fail_addr.in));
|
||||
}
|
||||
#ifdef AF_INET6
|
||||
else if(((struct sockaddr_in*)addr)->sin_family == AF_INET6) {
|
||||
iq->fail_addr_type = 6;
|
||||
memcpy(&iq->fail_addr.in6,
|
||||
&((struct sockaddr_in6*)addr)->sin6_addr,
|
||||
sizeof(iq->fail_addr.in6));
|
||||
}
|
||||
#endif
|
||||
else {
|
||||
iq->fail_addr_type = 0;
|
||||
}
|
||||
}
|
||||
|
||||
/** print fail addr to string */
|
||||
static void
|
||||
print_fail_addr(struct iter_qstate* iq, char* buf, size_t len)
|
||||
{
|
||||
if(iq->fail_addr_type == 4) {
|
||||
if(inet_ntop(AF_INET, &iq->fail_addr.in, buf,
|
||||
(socklen_t)len) == 0)
|
||||
(void)strlcpy(buf, "(inet_ntop error)", len);
|
||||
}
|
||||
#ifdef AF_INET6
|
||||
else if(iq->fail_addr_type == 6) {
|
||||
if(inet_ntop(AF_INET6, &iq->fail_addr.in6, buf,
|
||||
(socklen_t)len) == 0)
|
||||
(void)strlcpy(buf, "(inet_ntop error)", len);
|
||||
}
|
||||
#endif
|
||||
else
|
||||
(void)strlcpy(buf, "", len);
|
||||
}
|
||||
|
||||
/** add response specific error information for log servfail */
|
||||
static void
|
||||
errinf_reply(struct module_qstate* qstate, struct iter_qstate* iq)
|
||||
|
@ -597,16 +629,14 @@ errinf_reply(struct module_qstate* qstate, struct iter_qstate* iq)
|
|||
if(qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail)
|
||||
return;
|
||||
if((qstate->reply && qstate->reply->remote_addrlen != 0) ||
|
||||
(iq->fail_reply && iq->fail_reply->remote_addrlen != 0)) {
|
||||
(iq->fail_addr_type != 0)) {
|
||||
char from[256], frm[512];
|
||||
if(qstate->reply && qstate->reply->remote_addrlen != 0)
|
||||
addr_to_str(&qstate->reply->remote_addr,
|
||||
qstate->reply->remote_addrlen, from,
|
||||
sizeof(from));
|
||||
else
|
||||
addr_to_str(&iq->fail_reply->remote_addr,
|
||||
iq->fail_reply->remote_addrlen, from,
|
||||
sizeof(from));
|
||||
print_fail_addr(iq, from, sizeof(from));
|
||||
snprintf(frm, sizeof(frm), "from %s", from);
|
||||
errinf(qstate, frm);
|
||||
}
|
||||
|
@ -1137,7 +1167,7 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
* Generate a NS check request to obtain authoritative information
|
||||
* on an NS rrset.
|
||||
*
|
||||
* @param qstate: the qtstate that triggered the need to prime.
|
||||
* @param qstate: the qstate that triggered the need to prime.
|
||||
* @param iq: iterator query state.
|
||||
* @param id: module id.
|
||||
*/
|
||||
|
@ -1451,6 +1481,19 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
errinf(qstate, "malloc failure for forward zone");
|
||||
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
||||
}
|
||||
if((qstate->query_flags&BIT_RD)==0) {
|
||||
/* If the server accepts RD=0 queries and forwards
|
||||
* with RD=1, then if the server is listed as an NS
|
||||
* entry, it starts query loops. Stop that loop by
|
||||
* disallowing the query. The RD=0 was previously used
|
||||
* to check the cache with allow_snoop. For stubs,
|
||||
* the iterator pass would have primed the stub and
|
||||
* then cached information can be used for further
|
||||
* queries. */
|
||||
verbose(VERB_ALGO, "cannot forward RD=0 query, to stop query loops");
|
||||
errinf(qstate, "cannot forward RD=0 query");
|
||||
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
||||
}
|
||||
iq->refetch_glue = 0;
|
||||
iq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
/* the request has been forwarded.
|
||||
|
@ -1560,18 +1603,19 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
|
||||
/* see if this dp not useless.
|
||||
* It is useless if:
|
||||
* o all NS items are required glue.
|
||||
* o all NS items are required glue.
|
||||
* or the query is for NS item that is required glue.
|
||||
* o no addresses are provided.
|
||||
* o RD qflag is on.
|
||||
* Instead, go up one level, and try to get even further
|
||||
* If the root was useless, use safety belt information.
|
||||
* If the root was useless, use safety belt information.
|
||||
* Only check cache returns, because replies for servers
|
||||
* could be useless but lead to loops (bumping into the
|
||||
* same server reply) if useless-checked.
|
||||
*/
|
||||
if(iter_dp_is_useless(&qstate->qinfo, qstate->query_flags,
|
||||
iq->dp, ie->supports_ipv4, ie->supports_ipv6)) {
|
||||
if(iter_dp_is_useless(&qstate->qinfo, qstate->query_flags,
|
||||
iq->dp, ie->supports_ipv4, ie->supports_ipv6,
|
||||
ie->use_nat64)) {
|
||||
struct delegpt* retdp = NULL;
|
||||
if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen, iq->qchase.qclass, &retdp)) {
|
||||
if(retdp) {
|
||||
|
@ -1932,7 +1976,7 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
break;
|
||||
}
|
||||
/* Send the A request. */
|
||||
if(ie->supports_ipv4 &&
|
||||
if((ie->supports_ipv4 || ie->use_nat64) &&
|
||||
((ns->lame && !ns->done_pside4) ||
|
||||
(!ns->lame && !ns->got4))) {
|
||||
if(!generate_target_query(qstate, iq, id,
|
||||
|
@ -2085,14 +2129,14 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
/* if this nameserver is at a delegation point, but that
|
||||
* delegation point is a stub and we cannot go higher, skip*/
|
||||
if( ((ie->supports_ipv6 && !ns->done_pside6) ||
|
||||
(ie->supports_ipv4 && !ns->done_pside4)) &&
|
||||
((ie->supports_ipv4 || ie->use_nat64) && !ns->done_pside4)) &&
|
||||
!can_have_last_resort(qstate->env, ns->name, ns->namelen,
|
||||
iq->qchase.qclass, NULL)) {
|
||||
log_nametypeclass(VERB_ALGO, "cannot pside lookup ns "
|
||||
"because it is also a stub/forward,",
|
||||
ns->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
|
||||
if(ie->supports_ipv6) ns->done_pside6 = 1;
|
||||
if(ie->supports_ipv4) ns->done_pside4 = 1;
|
||||
if(ie->supports_ipv4 || ie->use_nat64) ns->done_pside4 = 1;
|
||||
continue;
|
||||
}
|
||||
/* query for parent-side A and AAAA for nameservers */
|
||||
|
@ -2117,7 +2161,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
return 0;
|
||||
}
|
||||
}
|
||||
if(ie->supports_ipv4 && !ns->done_pside4) {
|
||||
if((ie->supports_ipv4 || ie->use_nat64) && !ns->done_pside4) {
|
||||
/* Send the A request. */
|
||||
if(!generate_parentside_target_query(qstate, iq, id,
|
||||
ns->name, ns->namelen,
|
||||
|
@ -2259,6 +2303,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
int tf_policy;
|
||||
struct delegpt_addr* target;
|
||||
struct outbound_entry* outq;
|
||||
struct sockaddr_storage real_addr;
|
||||
socklen_t real_addrlen;
|
||||
int auth_fallback = 0;
|
||||
uint8_t* qout_orig = NULL;
|
||||
size_t qout_orig_len = 0;
|
||||
|
@ -2384,7 +2430,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
}
|
||||
if(!ie->supports_ipv6)
|
||||
delegpt_no_ipv6(iq->dp);
|
||||
if(!ie->supports_ipv4)
|
||||
if(!ie->supports_ipv4 && !ie->use_nat64)
|
||||
delegpt_no_ipv4(iq->dp);
|
||||
delegpt_log(VERB_ALGO, iq->dp);
|
||||
|
||||
|
@ -2805,12 +2851,24 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
/* We have a valid target. */
|
||||
if(verbosity >= VERB_QUERY) {
|
||||
log_query_info(VERB_QUERY, "sending query:", &iq->qinfo_out);
|
||||
log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name,
|
||||
log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name,
|
||||
&target->addr, target->addrlen);
|
||||
verbose(VERB_ALGO, "dnssec status: %s%s",
|
||||
iq->dnssec_expected?"expected": "not expected",
|
||||
iq->dnssec_lame_query?" but lame_query anyway": "");
|
||||
}
|
||||
|
||||
real_addr = target->addr;
|
||||
real_addrlen = target->addrlen;
|
||||
|
||||
if(ie->use_nat64 && target->addr.ss_family == AF_INET) {
|
||||
addr_to_nat64(&target->addr, &ie->nat64_prefix_addr,
|
||||
ie->nat64_prefix_addrlen, ie->nat64_prefix_net,
|
||||
&real_addr, &real_addrlen);
|
||||
log_name_addr(VERB_QUERY, "applied NAT64:",
|
||||
iq->dp->name, &real_addr, real_addrlen);
|
||||
}
|
||||
|
||||
fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
|
||||
outq = (*qstate->env->send_query)(&iq->qinfo_out,
|
||||
iq->chase_flags | (iq->chase_to_rd?BIT_RD:0),
|
||||
|
@ -2821,7 +2879,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
!qstate->blacklist&&(!iter_qname_indicates_dnssec(qstate->env,
|
||||
&iq->qinfo_out)||target->attempts==1)?0:BIT_CD),
|
||||
iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
|
||||
ie, iq), sq_check_ratelimit, &target->addr, target->addrlen,
|
||||
ie, iq), sq_check_ratelimit, &real_addr, real_addrlen,
|
||||
iq->dp->name, iq->dp->namelen,
|
||||
(iq->dp->tcp_upstream || qstate->env->cfg->tcp_upstream),
|
||||
(iq->dp->ssl_upstream || qstate->env->cfg->ssl_upstream),
|
||||
|
@ -2838,7 +2896,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
||||
}
|
||||
log_addr(VERB_QUERY, "error sending query to auth server",
|
||||
&target->addr, target->addrlen);
|
||||
&real_addr, real_addrlen);
|
||||
if(qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = SKIP_MINIMISE_STATE;
|
||||
return next_state(iq, QUERYTARGETS_STATE);
|
||||
|
@ -2882,7 +2940,7 @@ static int
|
|||
processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
struct iter_env* ie, int id)
|
||||
{
|
||||
int dnsseclame = 0;
|
||||
int dnsseclame = 0, origtypecname = 0;
|
||||
enum response_type type;
|
||||
|
||||
iq->num_current_queries--;
|
||||
|
@ -2965,6 +3023,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
/* YXDOMAIN is a permanent error, no need to retry */
|
||||
type = RESPONSE_TYPE_ANSWER;
|
||||
}
|
||||
if(type == RESPONSE_TYPE_CNAME)
|
||||
origtypecname = 1;
|
||||
if(type == RESPONSE_TYPE_CNAME && iq->response->rep->an_numrrsets >= 1
|
||||
&& ntohs(iq->response->rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_DNAME) {
|
||||
uint8_t* sname = NULL;
|
||||
|
@ -3050,11 +3110,14 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
iq->minimisation_state = DONOT_MINIMISE_STATE;
|
||||
}
|
||||
if(FLAGS_GET_RCODE(iq->response->rep->flags) ==
|
||||
LDNS_RCODE_NXDOMAIN) {
|
||||
LDNS_RCODE_NXDOMAIN && !origtypecname) {
|
||||
/* Stop resolving when NXDOMAIN is DNSSEC
|
||||
* signed. Based on assumption that nameservers
|
||||
* serving signed zones do not return NXDOMAIN
|
||||
* for empty-non-terminals. */
|
||||
/* If this response is actually a CNAME type,
|
||||
* the nxdomain rcode may not be for the qname,
|
||||
* and so it is not the final response. */
|
||||
if(iq->dnssec_expected)
|
||||
return final_state(iq);
|
||||
/* Make subrequest to validate intermediate
|
||||
|
@ -3182,7 +3245,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
(*qstate->env->detach_subs)(qstate);
|
||||
iq->num_target_queries = 0;
|
||||
iq->response = NULL;
|
||||
iq->fail_reply = NULL;
|
||||
iq->fail_addr_type = 0;
|
||||
verbose(VERB_ALGO, "cleared outbound list for next round");
|
||||
return next_state(iq, QUERYTARGETS_STATE);
|
||||
} else if(type == RESPONSE_TYPE_CNAME) {
|
||||
|
@ -3564,7 +3627,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
|
|||
} else {
|
||||
verbose(VERB_ALGO, "iterator TargetResponse failed");
|
||||
delegpt_mark_neg(dpns, qstate->qinfo.qtype);
|
||||
if((dpns->got4 == 2 || !ie->supports_ipv4) &&
|
||||
if((dpns->got4 == 2 || (!ie->supports_ipv4 && !ie->use_nat64)) &&
|
||||
(dpns->got6 == 2 || !ie->supports_ipv6)) {
|
||||
dpns->resolved = 1; /* fail the target */
|
||||
/* do not count cached answers */
|
||||
|
@ -3809,6 +3872,9 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
/* make sure QR flag is on */
|
||||
iq->response->rep->flags |= BIT_QR;
|
||||
|
||||
/* explicitly set the EDE string to NULL */
|
||||
iq->response->rep->reason_bogus_str = NULL;
|
||||
|
||||
/* we have finished processing this query */
|
||||
qstate->ext_state[id] = module_finished;
|
||||
|
||||
|
@ -3987,7 +4053,8 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
}
|
||||
|
||||
/* parse message */
|
||||
iq->fail_reply = qstate->reply;
|
||||
fill_fail_addr(iq, &qstate->reply->remote_addr,
|
||||
qstate->reply->remote_addrlen);
|
||||
prs = (struct msg_parse*)regional_alloc(qstate->env->scratch,
|
||||
sizeof(struct msg_parse));
|
||||
if(!prs) {
|
||||
|
|
|
@ -103,7 +103,7 @@ extern int BLACKLIST_PENALTY;
|
|||
#define RTT_BAND 400
|
||||
|
||||
/**
|
||||
* Global state for the iterator.
|
||||
* Global state for the iterator.
|
||||
*/
|
||||
struct iter_env {
|
||||
/** A flag to indicate whether or not we have an IPv6 route */
|
||||
|
@ -112,6 +112,18 @@ struct iter_env {
|
|||
/** A flag to indicate whether or not we have an IPv4 route */
|
||||
int supports_ipv4;
|
||||
|
||||
/** A flag to locally apply NAT64 to make IPv4 addrs into IPv6 */
|
||||
int use_nat64;
|
||||
|
||||
/** NAT64 prefix address, cf. dns64_env->prefix_addr */
|
||||
struct sockaddr_storage nat64_prefix_addr;
|
||||
|
||||
/** sizeof(sockaddr_in6) */
|
||||
socklen_t nat64_prefix_addrlen;
|
||||
|
||||
/** CIDR mask length of NAT64 prefix */
|
||||
int nat64_prefix_net;
|
||||
|
||||
/** A set of inetaddrs that should never be queried. */
|
||||
struct iter_donotq* donotq;
|
||||
|
||||
|
@ -439,7 +451,14 @@ struct iter_qstate {
|
|||
/** true if there have been parse failures of reply packets */
|
||||
int parse_failures;
|
||||
/** a failure printout address for last received answer */
|
||||
struct comm_reply* fail_reply;
|
||||
union {
|
||||
struct in_addr in;
|
||||
#ifdef AF_INET6
|
||||
struct in6_addr in6;
|
||||
#endif
|
||||
} fail_addr;
|
||||
/** which fail_addr, 0 is nothing, 4 or 6 */
|
||||
int fail_addr_type;
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
|
@ -168,14 +168,12 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
|
|||
hints_delete(w->env->hints);
|
||||
w->env->hints = NULL;
|
||||
}
|
||||
if(cfg->ssl_upstream || (cfg->tls_cert_bundle && cfg->tls_cert_bundle[0]) || cfg->tls_win_cert) {
|
||||
w->sslctx = connect_sslctx_create(NULL, NULL,
|
||||
cfg->tls_cert_bundle, cfg->tls_win_cert);
|
||||
if(!w->sslctx) {
|
||||
/* to make the setup fail after unlock */
|
||||
hints_delete(w->env->hints);
|
||||
w->env->hints = NULL;
|
||||
}
|
||||
w->sslctx = connect_sslctx_create(NULL, NULL,
|
||||
cfg->tls_cert_bundle, cfg->tls_win_cert);
|
||||
if(!w->sslctx) {
|
||||
/* to make the setup fail after unlock */
|
||||
hints_delete(w->env->hints);
|
||||
w->env->hints = NULL;
|
||||
}
|
||||
if(!w->is_bg || w->is_bg_thread) {
|
||||
lock_basic_unlock(&ctx->cfglock);
|
||||
|
@ -605,6 +603,8 @@ setup_qinfo_edns(struct libworker* w, struct ctx_query* q,
|
|||
edns->opt_list_out = NULL;
|
||||
edns->opt_list_inplace_cb_out = NULL;
|
||||
edns->padding_block_size = 0;
|
||||
edns->cookie_present = 0;
|
||||
edns->cookie_valid = 0;
|
||||
if(sldns_buffer_capacity(w->back->udp_buff) < 65535)
|
||||
edns->udp_size = (uint16_t)sldns_buffer_capacity(
|
||||
w->back->udp_buff);
|
||||
|
|
|
@ -52,8 +52,8 @@
|
|||
* unbound was compiled with, otherwise it wouldn't work, the event and
|
||||
* event_base structures would be different.
|
||||
*/
|
||||
#ifndef _UB_UNBOUND_EVENT_H
|
||||
#define _UB_UNBOUND_EVENT_H
|
||||
#ifndef UB_UNBOUND_EVENT_H
|
||||
#define UB_UNBOUND_EVENT_H
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
|
@ -262,4 +262,4 @@ int ub_resolve_event(struct ub_ctx* ctx, const char* name, int rrtype,
|
|||
}
|
||||
#endif
|
||||
|
||||
#endif /* _UB_UNBOUND_H */
|
||||
#endif /* UB_UNBOUND_EVENT_H */
|
||||
|
|
|
@ -4,22 +4,22 @@
|
|||
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
|
@ -36,7 +36,7 @@
|
|||
/**
|
||||
* \file
|
||||
*
|
||||
* This file contains functions to resolve DNS queries and
|
||||
* This file contains functions to resolve DNS queries and
|
||||
* validate the answers. Synchronously and asynchronously.
|
||||
*
|
||||
* Several ways to use this interface from an application wishing
|
||||
|
@ -65,7 +65,7 @@
|
|||
* ... or process() calls my_callback() with results.
|
||||
*
|
||||
* ... if the application has nothing more to do, wait for answer
|
||||
* ub_wait(ctx);
|
||||
* ub_wait(ctx);
|
||||
*
|
||||
* Application threaded. Blocking.
|
||||
* Blocking, same as above. The current thread does the work.
|
||||
|
@ -83,7 +83,7 @@
|
|||
* CRYPTO_set_id_callback and CRYPTO_set_locking_callback.
|
||||
*
|
||||
* If no threading is compiled in, the above async example uses fork(2) to
|
||||
* create a process to perform the work. The forked process exits when the
|
||||
* create a process to perform the work. The forked process exits when the
|
||||
* calling process exits, or ctx_delete() is called.
|
||||
* Otherwise, for asynchronous with threading, a worker thread is created.
|
||||
*
|
||||
|
@ -94,8 +94,8 @@
|
|||
* The second calls another worker thread (or process) to perform the work.
|
||||
* And no buffers need to be set up, but a context-switch happens.
|
||||
*/
|
||||
#ifndef _UB_UNBOUND_H
|
||||
#define _UB_UNBOUND_H
|
||||
#ifndef UB_UNBOUND_H
|
||||
#define UB_UNBOUND_H
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
|
@ -128,10 +128,10 @@ struct ub_result {
|
|||
/** the class asked for */
|
||||
int qclass;
|
||||
|
||||
/**
|
||||
* a list of network order DNS rdata items, terminated with a
|
||||
/**
|
||||
* a list of network order DNS rdata items, terminated with a
|
||||
* NULL pointer, so that data[0] is the first result entry,
|
||||
* data[1] the second, and the last entry is NULL.
|
||||
* data[1] the second, and the last entry is NULL.
|
||||
* If there was no data, data[0] is NULL.
|
||||
*/
|
||||
char** data;
|
||||
|
@ -139,8 +139,8 @@ struct ub_result {
|
|||
/** the length in bytes of the data items, len[i] for data[i] */
|
||||
int* len;
|
||||
|
||||
/**
|
||||
* canonical name for the result (the final cname).
|
||||
/**
|
||||
* canonical name for the result (the final cname).
|
||||
* zero terminated string.
|
||||
* May be NULL if no canonical name exists.
|
||||
*/
|
||||
|
@ -165,9 +165,9 @@ struct ub_result {
|
|||
*/
|
||||
int havedata;
|
||||
|
||||
/**
|
||||
/**
|
||||
* If there was no data, and the domain did not exist, this is true.
|
||||
* If it is false, and there was no data, then the domain name
|
||||
* If it is false, and there was no data, then the domain name
|
||||
* is purported to exist, but the requested data type is not available.
|
||||
*/
|
||||
int nxdomain;
|
||||
|
@ -182,19 +182,19 @@ struct ub_result {
|
|||
*/
|
||||
int secure;
|
||||
|
||||
/**
|
||||
* If the result was not secure (secure==0), and this result is due
|
||||
/**
|
||||
* If the result was not secure (secure==0), and this result is due
|
||||
* to a security failure, bogus is true.
|
||||
* This means the data has been actively tampered with, signatures
|
||||
* failed, expected signatures were not present, timestamps on
|
||||
* failed, expected signatures were not present, timestamps on
|
||||
* signatures were out of date and so on.
|
||||
*
|
||||
* If !secure and !bogus, this can happen if the data is not secure
|
||||
* because security is disabled for that domain name.
|
||||
* If !secure and !bogus, this can happen if the data is not secure
|
||||
* because security is disabled for that domain name.
|
||||
* This means the data is from a domain where data is not signed.
|
||||
*/
|
||||
int bogus;
|
||||
|
||||
|
||||
/**
|
||||
* If the result is bogus this contains a string (zero terminated)
|
||||
* that describes the failure. There may be other errors as well
|
||||
|
@ -222,7 +222,7 @@ struct ub_result {
|
|||
* The readable function definition looks like:
|
||||
* void my_callback(void* my_arg, int err, struct ub_result* result);
|
||||
* It is called with
|
||||
* void* my_arg: your pointer to a (struct of) data of your choice,
|
||||
* void* my_arg: your pointer to a (struct of) data of your choice,
|
||||
* or NULL.
|
||||
* int err: if 0 all is OK, otherwise an error occurred and no results
|
||||
* are forthcoming.
|
||||
|
@ -301,8 +301,8 @@ int ub_ctx_set_option(struct ub_ctx* ctx, const char* opt, const char* val);
|
|||
* This is a power-users interface that lets you specify all sorts
|
||||
* of options.
|
||||
* @param str: the string is malloced and returned here. NULL on error.
|
||||
* The caller must free() the string. In cases with multiple
|
||||
* entries (auto-trust-anchor-file), a newline delimited list is
|
||||
* The caller must free() the string. In cases with multiple
|
||||
* entries (auto-trust-anchor-file), a newline delimited list is
|
||||
* returned in the string.
|
||||
* @return 0 if OK else an error code (malloc failure, syntax error).
|
||||
*/
|
||||
|
@ -321,10 +321,10 @@ int ub_ctx_get_option(struct ub_ctx* ctx, const char* opt, char** str);
|
|||
int ub_ctx_config(struct ub_ctx* ctx, const char* fname);
|
||||
|
||||
/**
|
||||
* Set machine to forward DNS queries to, the caching resolver to use.
|
||||
* IP4 or IP6 address. Forwards all DNS requests to that machine, which
|
||||
* is expected to run a recursive resolver. If the proxy is not
|
||||
* DNSSEC-capable, validation may fail. Can be called several times, in
|
||||
* Set machine to forward DNS queries to, the caching resolver to use.
|
||||
* IP4 or IP6 address. Forwards all DNS requests to that machine, which
|
||||
* is expected to run a recursive resolver. If the proxy is not
|
||||
* DNSSEC-capable, validation may fail. Can be called several times, in
|
||||
* that case the addresses are used as backup servers.
|
||||
*
|
||||
* To read the list of nameservers from /etc/resolv.conf (from DHCP or so),
|
||||
|
@ -389,7 +389,7 @@ int ub_ctx_resolvconf(struct ub_ctx* ctx, const char* fname);
|
|||
|
||||
/**
|
||||
* Read list of hosts from the filename given.
|
||||
* Usually "/etc/hosts".
|
||||
* Usually "/etc/hosts".
|
||||
* These addresses are not flagged as DNSSEC secure when queried for.
|
||||
*
|
||||
* @param ctx: context.
|
||||
|
@ -403,7 +403,7 @@ int ub_ctx_hosts(struct ub_ctx* ctx, const char* fname);
|
|||
/**
|
||||
* Add a trust anchor to the given context.
|
||||
* The trust anchor is a string, on one line, that holds a valid DNSKEY or
|
||||
* DS RR.
|
||||
* DS RR.
|
||||
* @param ctx: context.
|
||||
* At this time it is only possible to add trusted keys before the
|
||||
* first resolve is done.
|
||||
|
@ -465,7 +465,7 @@ int ub_ctx_debugout(struct ub_ctx* ctx, void* out);
|
|||
* Set debug verbosity for the context
|
||||
* Output is directed to stderr.
|
||||
* @param ctx: context.
|
||||
* @param d: debug level, 0 is off, 1 is very minimal, 2 is detailed,
|
||||
* @param d: debug level, 0 is off, 1 is very minimal, 2 is detailed,
|
||||
* and 3 is lots.
|
||||
* @return 0 if OK, else error.
|
||||
*/
|
||||
|
@ -474,10 +474,10 @@ int ub_ctx_debuglevel(struct ub_ctx* ctx, int d);
|
|||
/**
|
||||
* Set a context behaviour for asynchronous action.
|
||||
* @param ctx: context.
|
||||
* @param dothread: if true, enables threading and a call to resolve_async()
|
||||
* @param dothread: if true, enables threading and a call to resolve_async()
|
||||
* creates a thread to handle work in the background.
|
||||
* If false, a process is forked to handle work in the background.
|
||||
* Changes to this setting after async() calls have been made have
|
||||
* Changes to this setting after async() calls have been made have
|
||||
* no effect (delete and re-create the context to change).
|
||||
* @return 0 if OK, else error.
|
||||
*/
|
||||
|
@ -495,7 +495,7 @@ int ub_poll(struct ub_ctx* ctx);
|
|||
|
||||
/**
|
||||
* Wait for a context to finish with results. Calls ub_process() after
|
||||
* the wait for you. After the wait, there are no more outstanding
|
||||
* the wait for you. After the wait, there are no more outstanding
|
||||
* asynchronous queries.
|
||||
* @param ctx: context.
|
||||
* @return: 0 if OK, else error.
|
||||
|
@ -530,11 +530,11 @@ int ub_process(struct ub_ctx* ctx);
|
|||
* @param rrtype: type of RR in host order, 1 is A (address).
|
||||
* @param rrclass: class of RR in host order, 1 is IN (for internet).
|
||||
* @param result: the result data is returned in a newly allocated result
|
||||
* structure. May be NULL on return, return value is set to an error
|
||||
* structure. May be NULL on return, return value is set to an error
|
||||
* in that case (out of memory).
|
||||
* @return 0 if OK, else error.
|
||||
*/
|
||||
int ub_resolve(struct ub_ctx* ctx, const char* name, int rrtype,
|
||||
int ub_resolve(struct ub_ctx* ctx, const char* name, int rrtype,
|
||||
int rrclass, struct ub_result** result);
|
||||
|
||||
/**
|
||||
|
@ -561,11 +561,11 @@ int ub_resolve(struct ub_ctx* ctx, const char* name, int rrtype,
|
|||
* If an error happens during processing, your callback will be called
|
||||
* with error set to a nonzero value (and result==NULL).
|
||||
* @param async_id: if you pass a non-NULL value, an identifier number is
|
||||
* returned for the query as it is in progress. It can be used to
|
||||
* returned for the query as it is in progress. It can be used to
|
||||
* cancel the query.
|
||||
* @return 0 if OK, else error.
|
||||
*/
|
||||
int ub_resolve_async(struct ub_ctx* ctx, const char* name, int rrtype,
|
||||
int ub_resolve_async(struct ub_ctx* ctx, const char* name, int rrtype,
|
||||
int rrclass, void* mydata, ub_callback_type callback, int* async_id);
|
||||
|
||||
/**
|
||||
|
@ -589,7 +589,7 @@ int ub_cancel(struct ub_ctx* ctx, int async_id);
|
|||
*/
|
||||
void ub_resolve_free(struct ub_result* result);
|
||||
|
||||
/**
|
||||
/**
|
||||
* Convert error value to a human readable string.
|
||||
* @param err: error code from one of the libunbound functions.
|
||||
* The error codes are from the type enum ub_ctx_err.
|
||||
|
@ -605,7 +605,7 @@ const char* ub_strerror(int err);
|
|||
int ub_ctx_print_local_zones(struct ub_ctx* ctx);
|
||||
|
||||
/**
|
||||
* Add a new zone with the zonetype to the local authority info of the
|
||||
* Add a new zone with the zonetype to the local authority info of the
|
||||
* library.
|
||||
* @param ctx: context. Is finalized by the routine.
|
||||
* @param zone_name: name of the zone in text, "example.com"
|
||||
|
@ -613,7 +613,7 @@ int ub_ctx_print_local_zones(struct ub_ctx* ctx);
|
|||
* @param zone_type: type of the zone (like for unbound.conf) in text.
|
||||
* @return 0 if OK, else error.
|
||||
*/
|
||||
int ub_ctx_zone_add(struct ub_ctx* ctx, const char *zone_name,
|
||||
int ub_ctx_zone_add(struct ub_ctx* ctx, const char *zone_name,
|
||||
const char *zone_type);
|
||||
|
||||
/**
|
||||
|
@ -649,7 +649,7 @@ int ub_ctx_data_remove(struct ub_ctx* ctx, const char *data);
|
|||
*/
|
||||
const char* ub_version(void);
|
||||
|
||||
/**
|
||||
/**
|
||||
* Some global statistics that are not in struct stats_info,
|
||||
* this struct is shared on a shm segment (shm-key in unbound.conf)
|
||||
*/
|
||||
|
@ -695,13 +695,22 @@ struct ub_server_stats {
|
|||
long long num_queries;
|
||||
/** number of queries that have been dropped/ratelimited by ip. */
|
||||
long long num_queries_ip_ratelimited;
|
||||
/** number of queries with a valid DNS Cookie. */
|
||||
long long num_queries_cookie_valid;
|
||||
/** number of queries with only the client part of the DNS Cookie. */
|
||||
long long num_queries_cookie_client;
|
||||
/** number of queries with invalid DNS Cookie. */
|
||||
long long num_queries_cookie_invalid;
|
||||
/** number of queries that had a cache-miss. */
|
||||
long long num_queries_missed_cache;
|
||||
/** number of prefetch queries - cachehits with prefetch */
|
||||
long long num_queries_prefetch;
|
||||
|
||||
/** number of queries which are too late to process */
|
||||
long long num_queries_timed_out;
|
||||
/** the longest wait time in the queue */
|
||||
long long max_query_time_us;
|
||||
/**
|
||||
* Sum of the querylistsize of the worker for
|
||||
* Sum of the querylistsize of the worker for
|
||||
* every query that missed cache. To calculate average.
|
||||
*/
|
||||
long long sum_query_list_size;
|
||||
|
@ -773,12 +782,12 @@ struct ub_server_stats {
|
|||
long long tcp_accept_usage;
|
||||
/** expired answers served from cache */
|
||||
long long ans_expired;
|
||||
/** histogram data exported to array
|
||||
/** histogram data exported to array
|
||||
* if the array is the same size, no data is lost, and
|
||||
* if all histograms are same size (is so by default) then
|
||||
* adding up works well. */
|
||||
long long hist[UB_STATS_BUCKET_NUM];
|
||||
|
||||
|
||||
/** number of message cache entries */
|
||||
long long msg_cache_count;
|
||||
/** number of rrset cache entries */
|
||||
|
@ -788,6 +797,11 @@ struct ub_server_stats {
|
|||
/** number of key cache entries */
|
||||
long long key_cache_count;
|
||||
|
||||
/** maximum number of collisions in the msg cache */
|
||||
long long msg_cache_max_collisions;
|
||||
/** maximum number of collisions in the rrset cache */
|
||||
long long rrset_cache_max_collisions;
|
||||
|
||||
/** number of queries that used dnscrypt */
|
||||
long long num_query_dnscrypt_crypted;
|
||||
/** number of queries that queried dnscrypt certificates */
|
||||
|
@ -819,6 +833,8 @@ struct ub_server_stats {
|
|||
/** number of queries answered from edns-subnet specific data, and
|
||||
* the answer was from the edns-subnet cache. */
|
||||
long long num_query_subnet_cache;
|
||||
/** number of queries served from cachedb */
|
||||
long long num_query_cachedb;
|
||||
/** number of bytes in the stream wait buffers */
|
||||
long long mem_stream_wait;
|
||||
/** number of bytes in the HTTP2 query buffers */
|
||||
|
@ -831,7 +847,7 @@ struct ub_server_stats {
|
|||
long long rpz_action[UB_STATS_RPZ_ACTION_NUM];
|
||||
};
|
||||
|
||||
/**
|
||||
/**
|
||||
* Statistics to send over the control pipe when asked
|
||||
* This struct is made to be memcopied, sent in binary.
|
||||
* shm mapped with (number+1) at num_threads+1, with first as total
|
||||
|
@ -860,4 +876,4 @@ struct ub_stats_info {
|
|||
}
|
||||
#endif
|
||||
|
||||
#endif /* _UB_UNBOUND_H */
|
||||
#endif /* UB_UNBOUND_H */
|
||||
|
|
|
@ -1306,8 +1306,8 @@ az_remove_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len,
|
|||
auth_data_delete(node);
|
||||
}
|
||||
if(z->rpz) {
|
||||
rpz_remove_rr(z->rpz, z->namelen, dname, dname_len, rr_type,
|
||||
rr_class, rdata, rdatalen);
|
||||
rpz_remove_rr(z->rpz, z->name, z->namelen, dname, dname_len,
|
||||
rr_type, rr_class, rdata, rdatalen);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
@ -5420,6 +5420,8 @@ xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env)
|
|||
edns.opt_list_out = NULL;
|
||||
edns.opt_list_inplace_cb_out = NULL;
|
||||
edns.padding_block_size = 0;
|
||||
edns.cookie_present = 0;
|
||||
edns.cookie_valid = 0;
|
||||
if(sldns_buffer_capacity(buf) < 65535)
|
||||
edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
|
||||
else edns.udp_size = 65535;
|
||||
|
@ -6613,6 +6615,8 @@ xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env)
|
|||
edns.opt_list_out = NULL;
|
||||
edns.opt_list_inplace_cb_out = NULL;
|
||||
edns.padding_block_size = 0;
|
||||
edns.cookie_present = 0;
|
||||
edns.cookie_valid = 0;
|
||||
if(sldns_buffer_capacity(buf) < 65535)
|
||||
edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
|
||||
else edns.udp_size = 65535;
|
||||
|
@ -7510,7 +7514,7 @@ static void add_rrlist_rrsigs_into_data(struct packed_rrset_data* data,
|
|||
size_t j;
|
||||
if(!rrlist[i])
|
||||
continue;
|
||||
if(rrlist[i] && rrlist[i]->type == LDNS_RR_TYPE_ZONEMD &&
|
||||
if(rrlist[i]->type == LDNS_RR_TYPE_ZONEMD &&
|
||||
query_dname_compare(z->name, node->name)==0) {
|
||||
/* omit RRSIGs over type ZONEMD at apex */
|
||||
continue;
|
||||
|
|
50
contrib/unbound/services/cache/dns.c
vendored
50
contrib/unbound/services/cache/dns.c
vendored
|
@ -132,31 +132,6 @@ msg_cache_remove(struct module_env* env, uint8_t* qname, size_t qnamelen,
|
|||
slabhash_remove(env->msg_cache, h, &k);
|
||||
}
|
||||
|
||||
/** remove servfail msg cache entry */
|
||||
static void
|
||||
msg_del_servfail(struct module_env* env, struct query_info* qinfo,
|
||||
uint32_t flags)
|
||||
{
|
||||
struct msgreply_entry* e;
|
||||
/* see if the entry is servfail, and then remove it, so that
|
||||
* lookups move from the cacheresponse stage to the recursionresponse
|
||||
* stage */
|
||||
e = msg_cache_lookup(env, qinfo->qname, qinfo->qname_len,
|
||||
qinfo->qtype, qinfo->qclass, flags, 0, 0);
|
||||
if(!e) return;
|
||||
/* we don't check for the ttl here, also expired servfail entries
|
||||
* are removed. If the user uses serve-expired, they would still be
|
||||
* used to answer from cache */
|
||||
if(FLAGS_GET_RCODE(((struct reply_info*)e->entry.data)->flags)
|
||||
!= LDNS_RCODE_SERVFAIL) {
|
||||
lock_rw_unlock(&e->entry.lock);
|
||||
return;
|
||||
}
|
||||
lock_rw_unlock(&e->entry.lock);
|
||||
msg_cache_remove(env, qinfo->qname, qinfo->qname_len, qinfo->qtype,
|
||||
qinfo->qclass, flags);
|
||||
}
|
||||
|
||||
void
|
||||
dns_cache_store_msg(struct module_env* env, struct query_info* qinfo,
|
||||
hashvalue_type hash, struct reply_info* rep, time_t leeway, int pside,
|
||||
|
@ -182,13 +157,20 @@ dns_cache_store_msg(struct module_env* env, struct query_info* qinfo,
|
|||
/* we do not store the message, but we did store the RRs,
|
||||
* which could be useful for delegation information */
|
||||
verbose(VERB_ALGO, "TTL 0: dropped msg from cache");
|
||||
free(rep);
|
||||
/* if the message is SERVFAIL in cache, remove that SERVFAIL,
|
||||
reply_info_delete(rep, NULL);
|
||||
/* if the message is in the cache, remove that msg,
|
||||
* so that the TTL 0 response can be returned for future
|
||||
* responses (i.e. don't get answered by the servfail from
|
||||
* responses (i.e. don't get answered from
|
||||
* cache, but instead go to recursion to get this TTL0
|
||||
* response). */
|
||||
msg_del_servfail(env, qinfo, flags);
|
||||
* response).
|
||||
* Possible messages that could be in the cache:
|
||||
* - SERVFAIL
|
||||
* - NXDOMAIN
|
||||
* - NODATA
|
||||
* - an older record that is expired
|
||||
* - an older record that did not yet expire */
|
||||
msg_cache_remove(env, qinfo->qname, qinfo->qname_len,
|
||||
qinfo->qtype, qinfo->qclass, flags);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -610,6 +592,7 @@ gen_dns_msg(struct regional* region, struct query_info* q, size_t num)
|
|||
if(!msg->rep)
|
||||
return NULL;
|
||||
msg->rep->reason_bogus = LDNS_EDE_NONE;
|
||||
msg->rep->reason_bogus_str = NULL;
|
||||
if(num > RR_COUNT_MAX)
|
||||
return NULL; /* integer overflow protection */
|
||||
msg->rep->rrsets = (struct ub_packed_rrset_key**)
|
||||
|
@ -672,6 +655,10 @@ tomsg(struct module_env* env, struct query_info* q, struct reply_info* r,
|
|||
msg->rep->rrset_count = r->rrset_count;
|
||||
msg->rep->authoritative = r->authoritative;
|
||||
msg->rep->reason_bogus = r->reason_bogus;
|
||||
if(r->reason_bogus_str) {
|
||||
msg->rep->reason_bogus_str = regional_strdup(region, r->reason_bogus_str);
|
||||
}
|
||||
|
||||
if(!rrset_array_lock(r->ref, r->rrset_count, now_control)) {
|
||||
return NULL;
|
||||
}
|
||||
|
@ -1075,7 +1062,6 @@ dns_cache_store(struct module_env* env, struct query_info* msgqinf,
|
|||
/* ttl must be relative ;i.e. 0..86400 not time(0)+86400.
|
||||
* the env->now is added to message and RRsets in this routine. */
|
||||
/* the leeway is used to invalidate other rrsets earlier */
|
||||
|
||||
if(is_referral) {
|
||||
/* store rrsets */
|
||||
struct rrset_ref ref;
|
||||
|
@ -1092,7 +1078,7 @@ dns_cache_store(struct module_env* env, struct query_info* msgqinf,
|
|||
((ntohs(ref.key->rk.type)==LDNS_RR_TYPE_NS
|
||||
&& !pside) ? qstarttime:*env->now + leeway));
|
||||
}
|
||||
free(rep);
|
||||
reply_info_delete(rep, NULL);
|
||||
return 1;
|
||||
} else {
|
||||
/* store msg, and rrsets */
|
||||
|
|
75
contrib/unbound/services/cache/infra.c
vendored
75
contrib/unbound/services/cache/infra.c
vendored
|
@ -67,6 +67,11 @@ int infra_dp_ratelimit = 0;
|
|||
* in queries per second. */
|
||||
int infra_ip_ratelimit = 0;
|
||||
|
||||
/** ratelimit value for client ip addresses,
|
||||
* in queries per second.
|
||||
* For clients with a valid DNS Cookie. */
|
||||
int infra_ip_ratelimit_cookie = 0;
|
||||
|
||||
size_t
|
||||
infra_sizefunc(void* k, void* ATTR_UNUSED(d))
|
||||
{
|
||||
|
@ -1051,9 +1056,50 @@ infra_get_mem(struct infra_cache* infra)
|
|||
return s;
|
||||
}
|
||||
|
||||
/* Returns 1 if the limit has not been exceeded, 0 otherwise. */
|
||||
static int
|
||||
check_ip_ratelimit(struct sockaddr_storage* addr, socklen_t addrlen,
|
||||
struct sldns_buffer* buffer, int premax, int max, int has_cookie)
|
||||
{
|
||||
int limit;
|
||||
|
||||
if(has_cookie) limit = infra_ip_ratelimit_cookie;
|
||||
else limit = infra_ip_ratelimit;
|
||||
|
||||
/* Disabled */
|
||||
if(limit == 0) return 1;
|
||||
|
||||
if(premax <= limit && max > limit) {
|
||||
char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12];
|
||||
addr_to_str(addr, addrlen, client_ip, sizeof(client_ip));
|
||||
qnm[0]=0;
|
||||
if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE &&
|
||||
LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) {
|
||||
(void)sldns_wire2str_rrquestion_buf(
|
||||
sldns_buffer_at(buffer, LDNS_HEADER_SIZE),
|
||||
sldns_buffer_limit(buffer)-LDNS_HEADER_SIZE,
|
||||
qnm, sizeof(qnm));
|
||||
if(strlen(qnm)>0 && qnm[strlen(qnm)-1]=='\n')
|
||||
qnm[strlen(qnm)-1] = 0; /*remove newline*/
|
||||
if(strchr(qnm, '\t'))
|
||||
*strchr(qnm, '\t') = ' ';
|
||||
if(strchr(qnm, '\t'))
|
||||
*strchr(qnm, '\t') = ' ';
|
||||
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d%s %s",
|
||||
client_ip, limit,
|
||||
has_cookie?"(cookie)":"", qnm);
|
||||
} else {
|
||||
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d%s (no query name)",
|
||||
client_ip, limit,
|
||||
has_cookie?"(cookie)":"");
|
||||
}
|
||||
}
|
||||
return (max <= limit);
|
||||
}
|
||||
|
||||
int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
|
||||
int backoff, struct sldns_buffer* buffer)
|
||||
int has_cookie, int backoff, struct sldns_buffer* buffer)
|
||||
{
|
||||
int max;
|
||||
struct lruhash_entry* entry;
|
||||
|
@ -1070,31 +1116,8 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
|||
(*cur)++;
|
||||
max = infra_rate_max(entry->data, timenow, backoff);
|
||||
lock_rw_unlock(&entry->lock);
|
||||
|
||||
if(premax <= infra_ip_ratelimit && max > infra_ip_ratelimit) {
|
||||
char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12];
|
||||
addr_to_str(addr, addrlen, client_ip, sizeof(client_ip));
|
||||
qnm[0]=0;
|
||||
if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE &&
|
||||
LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) {
|
||||
(void)sldns_wire2str_rrquestion_buf(
|
||||
sldns_buffer_at(buffer, LDNS_HEADER_SIZE),
|
||||
sldns_buffer_limit(buffer)-LDNS_HEADER_SIZE,
|
||||
qnm, sizeof(qnm));
|
||||
if(strlen(qnm)>0 && qnm[strlen(qnm)-1]=='\n')
|
||||
qnm[strlen(qnm)-1] = 0; /*remove newline*/
|
||||
if(strchr(qnm, '\t'))
|
||||
*strchr(qnm, '\t') = ' ';
|
||||
if(strchr(qnm, '\t'))
|
||||
*strchr(qnm, '\t') = ' ';
|
||||
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d %s",
|
||||
client_ip, infra_ip_ratelimit, qnm);
|
||||
} else {
|
||||
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d (no query name)",
|
||||
client_ip, infra_ip_ratelimit);
|
||||
}
|
||||
}
|
||||
return (max <= infra_ip_ratelimit);
|
||||
return check_ip_ratelimit(addr, addrlen, buffer, premax, max,
|
||||
has_cookie);
|
||||
}
|
||||
|
||||
/* create */
|
||||
|
|
5
contrib/unbound/services/cache/infra.h
vendored
5
contrib/unbound/services/cache/infra.h
vendored
|
@ -153,6 +153,8 @@ struct rate_key {
|
|||
|
||||
/** ip ratelimit, 0 is off */
|
||||
extern int infra_ip_ratelimit;
|
||||
/** ip ratelimit for DNS Cookie clients, 0 is off */
|
||||
extern int infra_ip_ratelimit_cookie;
|
||||
|
||||
/**
|
||||
* key for ip_ratelimit lookups, a source IP.
|
||||
|
@ -419,13 +421,14 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
|
|||
* @param addr: client address
|
||||
* @param addrlen: client address length
|
||||
* @param timenow: what time it is now.
|
||||
* @param has_cookie: if the request came with a DNS Cookie.
|
||||
* @param backoff: if backoff is enabled.
|
||||
* @param buffer: with query for logging.
|
||||
* @return 1 if it could be incremented. 0 if the increment overshot the
|
||||
* ratelimit and the query should be dropped. */
|
||||
int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
|
||||
int backoff, struct sldns_buffer* buffer);
|
||||
int has_cookie, int backoff, struct sldns_buffer* buffer);
|
||||
|
||||
/**
|
||||
* Get memory used by the infra cache.
|
||||
|
|
|
@ -4,22 +4,22 @@
|
|||
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
|
@ -79,9 +79,11 @@
|
|||
#ifdef HAVE_NET_IF_H
|
||||
#include <net/if.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_LINUX_NET_TSTAMP_H
|
||||
#include <linux/net_tstamp.h>
|
||||
#endif
|
||||
/** number of queued TCP connections for listen() */
|
||||
#define TCP_BACKLOG 256
|
||||
#define TCP_BACKLOG 256
|
||||
|
||||
#ifndef THREADS_DISABLED
|
||||
/** lock on the counter of stream buffer memory */
|
||||
|
@ -187,7 +189,7 @@ systemd_get_activated(int family, int socktype, int listen,
|
|||
log_err("systemd sd_listen_fds(): %s", strerror(-r));
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
for(i = 0; i < r; i++) {
|
||||
if(sd_is_socket(SD_LISTEN_FDS_START + i, family, socktype, listen)) {
|
||||
s = SD_LISTEN_FDS_START + i;
|
||||
|
@ -253,7 +255,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
|||
return -1;
|
||||
}
|
||||
#else
|
||||
if(WSAGetLastError() == WSAEAFNOSUPPORT ||
|
||||
if(WSAGetLastError() == WSAEAFNOSUPPORT ||
|
||||
WSAGetLastError() == WSAEPROTONOSUPPORT) {
|
||||
*noproto = 1;
|
||||
return -1;
|
||||
|
@ -270,7 +272,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
|||
#endif
|
||||
if(listen) {
|
||||
#ifdef SO_REUSEADDR
|
||||
if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
|
||||
if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
|
||||
(socklen_t)sizeof(on)) < 0) {
|
||||
log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
|
||||
sock_strerror(errno));
|
||||
|
@ -368,9 +370,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
|||
socklen_t slen = (socklen_t)sizeof(got);
|
||||
# ifdef SO_RCVBUFFORCE
|
||||
/* Linux specific: try to use root permission to override
|
||||
* system limits on rcvbuf. The limit is stored in
|
||||
* system limits on rcvbuf. The limit is stored in
|
||||
* /proc/sys/net/core/rmem_max or sysctl net.core.rmem_max */
|
||||
if(setsockopt(s, SOL_SOCKET, SO_RCVBUFFORCE, (void*)&rcv,
|
||||
if(setsockopt(s, SOL_SOCKET, SO_RCVBUFFORCE, (void*)&rcv,
|
||||
(socklen_t)sizeof(rcv)) < 0) {
|
||||
if(errno != EPERM) {
|
||||
log_err("setsockopt(..., SO_RCVBUFFORCE, "
|
||||
|
@ -381,7 +383,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
|||
return -1;
|
||||
}
|
||||
# endif /* SO_RCVBUFFORCE */
|
||||
if(setsockopt(s, SOL_SOCKET, SO_RCVBUF, (void*)&rcv,
|
||||
if(setsockopt(s, SOL_SOCKET, SO_RCVBUF, (void*)&rcv,
|
||||
(socklen_t)sizeof(rcv)) < 0) {
|
||||
log_err("setsockopt(..., SO_RCVBUF, "
|
||||
"...) failed: %s", sock_strerror(errno));
|
||||
|
@ -392,7 +394,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
|||
}
|
||||
/* check if we got the right thing or if system
|
||||
* reduced to some system max. Warn if so */
|
||||
if(getsockopt(s, SOL_SOCKET, SO_RCVBUF, (void*)&got,
|
||||
if(getsockopt(s, SOL_SOCKET, SO_RCVBUF, (void*)&got,
|
||||
&slen) >= 0 && got < rcv/2) {
|
||||
log_warn("so-rcvbuf %u was not granted. "
|
||||
"Got %u. To fix: start with "
|
||||
|
@ -413,9 +415,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
|||
socklen_t slen = (socklen_t)sizeof(got);
|
||||
# ifdef SO_SNDBUFFORCE
|
||||
/* Linux specific: try to use root permission to override
|
||||
* system limits on sndbuf. The limit is stored in
|
||||
* system limits on sndbuf. The limit is stored in
|
||||
* /proc/sys/net/core/wmem_max or sysctl net.core.wmem_max */
|
||||
if(setsockopt(s, SOL_SOCKET, SO_SNDBUFFORCE, (void*)&snd,
|
||||
if(setsockopt(s, SOL_SOCKET, SO_SNDBUFFORCE, (void*)&snd,
|
||||
(socklen_t)sizeof(snd)) < 0) {
|
||||
if(errno != EPERM) {
|
||||
log_err("setsockopt(..., SO_SNDBUFFORCE, "
|
||||
|
@ -426,7 +428,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
|||
return -1;
|
||||
}
|
||||
# endif /* SO_SNDBUFFORCE */
|
||||
if(setsockopt(s, SOL_SOCKET, SO_SNDBUF, (void*)&snd,
|
||||
if(setsockopt(s, SOL_SOCKET, SO_SNDBUF, (void*)&snd,
|
||||
(socklen_t)sizeof(snd)) < 0) {
|
||||
log_err("setsockopt(..., SO_SNDBUF, "
|
||||
"...) failed: %s", sock_strerror(errno));
|
||||
|
@ -437,7 +439,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
|||
}
|
||||
/* check if we got the right thing or if system
|
||||
* reduced to some system max. Warn if so */
|
||||
if(getsockopt(s, SOL_SOCKET, SO_SNDBUF, (void*)&got,
|
||||
if(getsockopt(s, SOL_SOCKET, SO_SNDBUF, (void*)&got,
|
||||
&slen) >= 0 && got < snd/2) {
|
||||
log_warn("so-sndbuf %u was not granted. "
|
||||
"Got %u. To fix: start with "
|
||||
|
@ -469,7 +471,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
|||
# endif
|
||||
) {
|
||||
int val=(v6only==2)?0:1;
|
||||
if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
|
||||
if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
|
||||
(void*)&val, (socklen_t)sizeof(val)) < 0) {
|
||||
log_err("setsockopt(..., IPV6_V6ONLY"
|
||||
", ...) failed: %s", sock_strerror(errno));
|
||||
|
@ -576,7 +578,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
|||
int action;
|
||||
# if defined(IP_PMTUDISC_OMIT)
|
||||
action = IP_PMTUDISC_OMIT;
|
||||
if (setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER,
|
||||
if (setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER,
|
||||
&action, (socklen_t)sizeof(action)) < 0) {
|
||||
|
||||
if (errno != EINVAL) {
|
||||
|
@ -609,7 +611,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
|||
/* the IP_DONTFRAG option if defined in the 11.0 OSX headers,
|
||||
* but does not work on that version, so we exclude it */
|
||||
int off = 0;
|
||||
if (setsockopt(s, IPPROTO_IP, IP_DONTFRAG,
|
||||
if (setsockopt(s, IPPROTO_IP, IP_DONTFRAG,
|
||||
&off, (socklen_t)sizeof(off)) < 0) {
|
||||
log_err("setsockopt(..., IP_DONTFRAG, ...) failed: %s",
|
||||
strerror(errno));
|
||||
|
@ -647,7 +649,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
|||
if(WSAGetLastError() != WSAEADDRINUSE &&
|
||||
WSAGetLastError() != WSAEADDRNOTAVAIL &&
|
||||
!(WSAGetLastError() == WSAEACCES && verbosity < 4 && !listen)) {
|
||||
log_err_addr("can't bind socket",
|
||||
log_err_addr("can't bind socket",
|
||||
wsa_strerror(WSAGetLastError()),
|
||||
(struct sockaddr_storage*)addr, addrlen);
|
||||
}
|
||||
|
@ -749,7 +751,7 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
|
|||
}
|
||||
#endif
|
||||
#ifdef SO_REUSEADDR
|
||||
if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
|
||||
if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
|
||||
(socklen_t)sizeof(on)) < 0) {
|
||||
log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
|
||||
sock_strerror(errno));
|
||||
|
@ -793,7 +795,7 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
|
|||
&& !got_fd_from_systemd
|
||||
# endif
|
||||
) {
|
||||
if(setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
|
||||
if(setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
|
||||
(void*)&on, (socklen_t)sizeof(on)) < 0) {
|
||||
log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s",
|
||||
sock_strerror(errno));
|
||||
|
@ -845,7 +847,7 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
|
|||
addr->ai_addrlen);
|
||||
}
|
||||
#else
|
||||
log_err_addr("can't bind socket",
|
||||
log_err_addr("can't bind socket",
|
||||
wsa_strerror(WSAGetLastError()),
|
||||
(struct sockaddr_storage*)addr->ai_addr,
|
||||
addr->ai_addrlen);
|
||||
|
@ -873,7 +875,7 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
|
|||
/* 5 is recommended on linux */
|
||||
qlen = 5;
|
||||
#endif
|
||||
if ((setsockopt(s, IPPROTO_TCP, TCP_FASTOPEN, &qlen,
|
||||
if ((setsockopt(s, IPPROTO_TCP, TCP_FASTOPEN, &qlen,
|
||||
sizeof(qlen))) == -1 ) {
|
||||
#ifdef ENOPROTOOPT
|
||||
/* squelch ENOPROTOOPT: freebsd server mode with kernel support
|
||||
|
@ -999,7 +1001,7 @@ create_local_accept_sock(const char *path, int* noproto, int use_systemd)
|
|||
* Create socket from getaddrinfo results
|
||||
*/
|
||||
static int
|
||||
make_sock(int stype, const char* ifname, const char* port,
|
||||
make_sock(int stype, const char* ifname, const char* port,
|
||||
struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd,
|
||||
int* reuseport, int transparent, int tcp_mss, int nodelay, int freebind,
|
||||
int use_systemd, int dscp, struct unbound_socket* ub_sock)
|
||||
|
@ -1015,10 +1017,10 @@ make_sock(int stype, const char* ifname, const char* port,
|
|||
return -1;
|
||||
}
|
||||
#endif
|
||||
log_err("node %s:%s getaddrinfo: %s %s",
|
||||
log_err("node %s:%s getaddrinfo: %s %s",
|
||||
ifname?ifname:"default", port, gai_strerror(r),
|
||||
#ifdef EAI_SYSTEM
|
||||
r==EAI_SYSTEM?(char*)strerror(errno):""
|
||||
(r==EAI_SYSTEM?(char*)strerror(errno):"")
|
||||
#else
|
||||
""
|
||||
#endif
|
||||
|
@ -1055,7 +1057,7 @@ make_sock(int stype, const char* ifname, const char* port,
|
|||
|
||||
/** make socket and first see if ifname contains port override info */
|
||||
static int
|
||||
make_sock_port(int stype, const char* ifname, const char* port,
|
||||
make_sock_port(int stype, const char* ifname, const char* port,
|
||||
struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd,
|
||||
int* reuseport, int transparent, int tcp_mss, int nodelay, int freebind,
|
||||
int use_systemd, int dscp, struct unbound_socket* ub_sock)
|
||||
|
@ -1114,9 +1116,28 @@ port_insert(struct listen_port** list, int s, enum listen_type ftype,
|
|||
return 1;
|
||||
}
|
||||
|
||||
/** set fd to receive software timestamps */
|
||||
static int
|
||||
set_recvtimestamp(int s)
|
||||
{
|
||||
#ifdef HAVE_LINUX_NET_TSTAMP_H
|
||||
int opt = SOF_TIMESTAMPING_RX_SOFTWARE | SOF_TIMESTAMPING_SOFTWARE;
|
||||
if (setsockopt(s, SOL_SOCKET, SO_TIMESTAMPNS, (void*)&opt, (socklen_t)sizeof(opt)) < 0) {
|
||||
log_err("setsockopt(..., SO_TIMESTAMPNS, ...) failed: %s",
|
||||
strerror(errno));
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
#else
|
||||
log_err("packets timestamping is not supported on this platform");
|
||||
(void)s;
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
/** set fd to receive source address packet info */
|
||||
static int
|
||||
set_recvpktinfo(int s, int family)
|
||||
set_recvpktinfo(int s, int family)
|
||||
{
|
||||
#if defined(IPV6_RECVPKTINFO) || defined(IPV6_PKTINFO) || (defined(IP_RECVDSTADDR) && defined(IP_SENDSRCADDR)) || defined(IP_PKTINFO)
|
||||
int on = 1;
|
||||
|
@ -1214,6 +1235,9 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port,
|
|||
* @param use_systemd: if true, fetch sockets from systemd.
|
||||
* @param dnscrypt_port: dnscrypt service port number
|
||||
* @param dscp: DSCP to use.
|
||||
* @param sock_queue_timeout: the sock_queue_timeout from config. Seconds to
|
||||
* wait to discard if UDP packets have waited for long in the socket
|
||||
* buffer.
|
||||
* @return: returns false on error.
|
||||
*/
|
||||
static int
|
||||
|
@ -1223,7 +1247,8 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
|||
struct config_strlist* tls_additional_port, int https_port,
|
||||
struct config_strlist* proxy_protocol_port,
|
||||
int* reuseport, int transparent, int tcp_mss, int freebind,
|
||||
int http2_nodelay, int use_systemd, int dnscrypt_port, int dscp)
|
||||
int http2_nodelay, int use_systemd, int dnscrypt_port, int dscp,
|
||||
int sock_queue_timeout)
|
||||
{
|
||||
int s, noip6=0;
|
||||
int is_https = if_is_https(ifname, port, https_port);
|
||||
|
@ -1252,7 +1277,8 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
|||
if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1,
|
||||
&noip6, rcv, snd, reuseport, transparent,
|
||||
tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) {
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
if(ub_sock->addr)
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
free(ub_sock);
|
||||
if(noip6) {
|
||||
log_warn("IPv6 protocol not available");
|
||||
|
@ -1263,15 +1289,20 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
|||
/* getting source addr packet info is highly non-portable */
|
||||
if(!set_recvpktinfo(s, hints->ai_family)) {
|
||||
sock_close(s);
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
if(ub_sock->addr)
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
free(ub_sock);
|
||||
return 0;
|
||||
}
|
||||
if (sock_queue_timeout && !set_recvtimestamp(s)) {
|
||||
log_warn("socket timestamping is not available");
|
||||
}
|
||||
if(!port_insert(list, s, is_dnscrypt
|
||||
?listen_type_udpancil_dnscrypt:listen_type_udpancil,
|
||||
is_pp2, ub_sock)) {
|
||||
sock_close(s);
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
if(ub_sock->addr)
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
free(ub_sock);
|
||||
return 0;
|
||||
}
|
||||
|
@ -1283,7 +1314,8 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
|||
if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1,
|
||||
&noip6, rcv, snd, reuseport, transparent,
|
||||
tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) {
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
if(ub_sock->addr)
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
free(ub_sock);
|
||||
if(noip6) {
|
||||
log_warn("IPv6 protocol not available");
|
||||
|
@ -1291,11 +1323,15 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
|||
}
|
||||
return 0;
|
||||
}
|
||||
if (sock_queue_timeout && !set_recvtimestamp(s)) {
|
||||
log_warn("socket timestamping is not available");
|
||||
}
|
||||
if(!port_insert(list, s, is_dnscrypt
|
||||
?listen_type_udp_dnscrypt:listen_type_udp,
|
||||
is_pp2, ub_sock)) {
|
||||
sock_close(s);
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
if(ub_sock->addr)
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
free(ub_sock);
|
||||
return 0;
|
||||
}
|
||||
|
@ -1318,7 +1354,8 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
|||
if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1,
|
||||
&noip6, 0, 0, reuseport, transparent, tcp_mss, nodelay,
|
||||
freebind, use_systemd, dscp, ub_sock)) == -1) {
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
if(ub_sock->addr)
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
free(ub_sock);
|
||||
if(noip6) {
|
||||
/*log_warn("IPv6 protocol not available");*/
|
||||
|
@ -1330,7 +1367,8 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
|||
verbose(VERB_ALGO, "setup TCP for SSL service");
|
||||
if(!port_insert(list, s, port_type, is_pp2, ub_sock)) {
|
||||
sock_close(s);
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
if(ub_sock->addr)
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
free(ub_sock);
|
||||
return 0;
|
||||
}
|
||||
|
@ -1338,7 +1376,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
|||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
/**
|
||||
* Add items to commpoint list in front.
|
||||
* @param c: commpoint to add.
|
||||
* @param front: listen struct.
|
||||
|
@ -1389,7 +1427,7 @@ void listen_desetup_locks(void)
|
|||
}
|
||||
}
|
||||
|
||||
struct listen_dnsport*
|
||||
struct listen_dnsport*
|
||||
listen_create(struct comm_base* base, struct listen_port* ports,
|
||||
size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
|
||||
int harden_large_queries, uint32_t http_max_streams,
|
||||
|
@ -1525,10 +1563,10 @@ listen_list_delete(struct listen_list* list)
|
|||
}
|
||||
}
|
||||
|
||||
void
|
||||
void
|
||||
listen_delete(struct listen_dnsport* front)
|
||||
{
|
||||
if(!front)
|
||||
if(!front)
|
||||
return;
|
||||
listen_list_delete(front->cps);
|
||||
#ifdef USE_DNSCRYPT
|
||||
|
@ -1802,7 +1840,7 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
|
|||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind,
|
||||
cfg->http_nodelay, cfg->use_systemd,
|
||||
cfg->dnscrypt_port, cfg->ip_dscp)) {
|
||||
cfg->dnscrypt_port, cfg->ip_dscp, cfg->sock_queue_timeout)) {
|
||||
listening_ports_free(list);
|
||||
return NULL;
|
||||
}
|
||||
|
@ -1819,7 +1857,7 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
|
|||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind,
|
||||
cfg->http_nodelay, cfg->use_systemd,
|
||||
cfg->dnscrypt_port, cfg->ip_dscp)) {
|
||||
cfg->dnscrypt_port, cfg->ip_dscp, cfg->sock_queue_timeout)) {
|
||||
listening_ports_free(list);
|
||||
return NULL;
|
||||
}
|
||||
|
@ -1838,7 +1876,7 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
|
|||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind,
|
||||
cfg->http_nodelay, cfg->use_systemd,
|
||||
cfg->dnscrypt_port, cfg->ip_dscp)) {
|
||||
cfg->dnscrypt_port, cfg->ip_dscp, cfg->sock_queue_timeout)) {
|
||||
listening_ports_free(list);
|
||||
return NULL;
|
||||
}
|
||||
|
@ -1854,7 +1892,7 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
|
|||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind,
|
||||
cfg->http_nodelay, cfg->use_systemd,
|
||||
cfg->dnscrypt_port, cfg->ip_dscp)) {
|
||||
cfg->dnscrypt_port, cfg->ip_dscp, cfg->sock_queue_timeout)) {
|
||||
listening_ports_free(list);
|
||||
return NULL;
|
||||
}
|
||||
|
@ -1872,7 +1910,7 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
|
|||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind,
|
||||
cfg->http_nodelay, cfg->use_systemd,
|
||||
cfg->dnscrypt_port, cfg->ip_dscp)) {
|
||||
cfg->dnscrypt_port, cfg->ip_dscp, cfg->sock_queue_timeout)) {
|
||||
listening_ports_free(list);
|
||||
return NULL;
|
||||
}
|
||||
|
@ -1888,7 +1926,7 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
|
|||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind,
|
||||
cfg->http_nodelay, cfg->use_systemd,
|
||||
cfg->dnscrypt_port, cfg->ip_dscp)) {
|
||||
cfg->dnscrypt_port, cfg->ip_dscp, cfg->sock_queue_timeout)) {
|
||||
listening_ports_free(list);
|
||||
return NULL;
|
||||
}
|
||||
|
@ -1908,7 +1946,8 @@ void listening_ports_free(struct listen_port* list)
|
|||
}
|
||||
/* rc_ports don't have ub_socket */
|
||||
if(list->socket) {
|
||||
freeaddrinfo(list->socket->addr);
|
||||
if(list->socket->addr)
|
||||
freeaddrinfo(list->socket->addr);
|
||||
free(list->socket);
|
||||
}
|
||||
free(list);
|
||||
|
@ -1919,8 +1958,8 @@ void listening_ports_free(struct listen_port* list)
|
|||
size_t listen_get_mem(struct listen_dnsport* listen)
|
||||
{
|
||||
struct listen_list* p;
|
||||
size_t s = sizeof(*listen) + sizeof(*listen->base) +
|
||||
sizeof(*listen->udp_buff) +
|
||||
size_t s = sizeof(*listen) + sizeof(*listen->base) +
|
||||
sizeof(*listen->udp_buff) +
|
||||
sldns_buffer_capacity(listen->udp_buff);
|
||||
#ifdef USE_DNSCRYPT
|
||||
s += sizeof(*listen->dnscrypt_udp_buff);
|
||||
|
@ -2001,7 +2040,7 @@ void tcp_req_info_clear(struct tcp_req_info* req)
|
|||
}
|
||||
req->open_req_list = NULL;
|
||||
req->num_open_req = 0;
|
||||
|
||||
|
||||
/* free pending writable result packets */
|
||||
item = req->done_req_list;
|
||||
while(item) {
|
||||
|
@ -2060,7 +2099,7 @@ tcp_req_info_setup_listen(struct tcp_req_info* req)
|
|||
wr = 1;
|
||||
if(!req->read_is_closed)
|
||||
rd = 1;
|
||||
|
||||
|
||||
if(wr) {
|
||||
req->cp->tcp_is_reading = 0;
|
||||
comm_point_stop_listening(req->cp);
|
||||
|
@ -2196,7 +2235,7 @@ tcp_req_info_handle_readdone(struct tcp_req_info* req)
|
|||
}
|
||||
req->in_worker_handle = 0;
|
||||
/* it should be waiting in the mesh for recursion.
|
||||
* If mesh failed to add a new entry and called commpoint_drop_reply.
|
||||
* If mesh failed to add a new entry and called commpoint_drop_reply.
|
||||
* Then the mesh state has been cleared. */
|
||||
if(req->is_drop) {
|
||||
/* the reply has been dropped, stream has been closed. */
|
||||
|
@ -2256,7 +2295,7 @@ tcp_req_info_add_result(struct tcp_req_info* req, uint8_t* buf, size_t len)
|
|||
last = req->done_req_list;
|
||||
while(last && last->next)
|
||||
last = last->next;
|
||||
|
||||
|
||||
/* create new element */
|
||||
item = (struct tcp_req_done_item*)malloc(sizeof(*item));
|
||||
if(!item) {
|
||||
|
@ -2615,7 +2654,7 @@ static int http2_query_read_done(struct http2_session* h2_session,
|
|||
"buffer already assigned to stream");
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
/* the c->buffer might be used by mesh_send_reply and no be cleard
|
||||
* need to be cleared before use */
|
||||
sldns_buffer_clear(h2_session->c->buffer);
|
||||
|
|
|
@ -1308,6 +1308,7 @@ local_encode(struct query_info* qinfo, struct module_env* env,
|
|||
else rep.ns_numrrsets = 1;
|
||||
rep.rrset_count = 1;
|
||||
rep.rrsets = &rrset;
|
||||
rep.reason_bogus = LDNS_EDE_NONE;
|
||||
udpsize = edns->udp_size;
|
||||
edns->edns_version = EDNS_ADVERTISED_VERSION;
|
||||
edns->udp_size = EDNS_ADVERTISED_SIZE;
|
||||
|
@ -1603,7 +1604,7 @@ local_zone_does_not_cover(struct local_zone* z, struct query_info* qinfo,
|
|||
struct local_data key;
|
||||
struct local_data* ld = NULL;
|
||||
struct local_rrset* lr = NULL;
|
||||
if(z->type == local_zone_always_transparent)
|
||||
if(z->type == local_zone_always_transparent || z->type == local_zone_block_a)
|
||||
return 1;
|
||||
if(z->type != local_zone_transparent
|
||||
&& z->type != local_zone_typetransparent
|
||||
|
@ -1679,6 +1680,16 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
|
|||
} else if(lz_type == local_zone_typetransparent
|
||||
|| lz_type == local_zone_always_transparent) {
|
||||
/* no NODATA or NXDOMAINS for this zone type */
|
||||
return 0;
|
||||
} else if(lz_type == local_zone_block_a) {
|
||||
/* Return NODATA for all A queries */
|
||||
if(qinfo->qtype == LDNS_RR_TYPE_A) {
|
||||
local_error_encode(qinfo, env, edns, repinfo, buf, temp,
|
||||
LDNS_RCODE_NOERROR, (LDNS_RCODE_NOERROR|BIT_AA),
|
||||
LDNS_EDE_NONE, NULL);
|
||||
return 1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
} else if(lz_type == local_zone_always_null) {
|
||||
/* 0.0.0.0 or ::0 or noerror/nodata for this zone type,
|
||||
|
@ -1846,7 +1857,8 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
|
|||
if(z && (lzt == local_zone_transparent ||
|
||||
lzt == local_zone_typetransparent ||
|
||||
lzt == local_zone_inform ||
|
||||
lzt == local_zone_always_transparent) &&
|
||||
lzt == local_zone_always_transparent ||
|
||||
lzt == local_zone_block_a) &&
|
||||
local_zone_does_not_cover(z, qinfo, labs)) {
|
||||
lock_rw_unlock(&z->lock);
|
||||
z = NULL;
|
||||
|
@ -1894,6 +1906,7 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
|
|||
|
||||
if(lzt != local_zone_always_refuse
|
||||
&& lzt != local_zone_always_transparent
|
||||
&& lzt != local_zone_block_a
|
||||
&& lzt != local_zone_always_nxdomain
|
||||
&& lzt != local_zone_always_nodata
|
||||
&& lzt != local_zone_always_deny
|
||||
|
@ -1924,6 +1937,7 @@ const char* local_zone_type2str(enum localzone_type t)
|
|||
case local_zone_inform_deny: return "inform_deny";
|
||||
case local_zone_inform_redirect: return "inform_redirect";
|
||||
case local_zone_always_transparent: return "always_transparent";
|
||||
case local_zone_block_a: return "block_a";
|
||||
case local_zone_always_refuse: return "always_refuse";
|
||||
case local_zone_always_nxdomain: return "always_nxdomain";
|
||||
case local_zone_always_nodata: return "always_nodata";
|
||||
|
@ -1958,6 +1972,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
|
|||
*t = local_zone_inform_redirect;
|
||||
else if(strcmp(type, "always_transparent") == 0)
|
||||
*t = local_zone_always_transparent;
|
||||
else if(strcmp(type, "block_a") == 0)
|
||||
*t = local_zone_block_a;
|
||||
else if(strcmp(type, "always_refuse") == 0)
|
||||
*t = local_zone_always_refuse;
|
||||
else if(strcmp(type, "always_nxdomain") == 0)
|
||||
|
|
|
@ -88,6 +88,8 @@ enum localzone_type {
|
|||
local_zone_inform_redirect,
|
||||
/** resolve normally, even when there is local data */
|
||||
local_zone_always_transparent,
|
||||
/** resolve normally, even when there is local data but return NODATA for A queries */
|
||||
local_zone_block_a,
|
||||
/** answer with error, even when there is local data */
|
||||
local_zone_always_refuse,
|
||||
/** answer with nxdomain, even when there is local data */
|
||||
|
|
|
@ -4,22 +4,22 @@
|
|||
* Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
|
@ -63,82 +63,13 @@
|
|||
#include "util/data/dname.h"
|
||||
#include "respip/respip.h"
|
||||
#include "services/listen_dnsport.h"
|
||||
#include "util/timeval_func.h"
|
||||
|
||||
#ifdef CLIENT_SUBNET
|
||||
#include "edns-subnet/subnetmod.h"
|
||||
#include "edns-subnet/edns-subnet.h"
|
||||
#endif
|
||||
|
||||
/** subtract timers and the values do not overflow or become negative */
|
||||
static void
|
||||
timeval_subtract(struct timeval* d, const struct timeval* end, const struct timeval* start)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
time_t end_usec = end->tv_usec;
|
||||
d->tv_sec = end->tv_sec - start->tv_sec;
|
||||
if(end_usec < start->tv_usec) {
|
||||
end_usec += 1000000;
|
||||
d->tv_sec--;
|
||||
}
|
||||
d->tv_usec = end_usec - start->tv_usec;
|
||||
#endif
|
||||
}
|
||||
|
||||
/** add timers and the values do not overflow or become negative */
|
||||
static void
|
||||
timeval_add(struct timeval* d, const struct timeval* add)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
d->tv_sec += add->tv_sec;
|
||||
d->tv_usec += add->tv_usec;
|
||||
if(d->tv_usec >= 1000000 ) {
|
||||
d->tv_usec -= 1000000;
|
||||
d->tv_sec++;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
/** divide sum of timers to get average */
|
||||
static void
|
||||
timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
size_t leftover;
|
||||
if(d <= 0) {
|
||||
avg->tv_sec = 0;
|
||||
avg->tv_usec = 0;
|
||||
return;
|
||||
}
|
||||
avg->tv_sec = sum->tv_sec / d;
|
||||
avg->tv_usec = sum->tv_usec / d;
|
||||
/* handle fraction from seconds divide */
|
||||
leftover = sum->tv_sec - avg->tv_sec*d;
|
||||
if(leftover <= 0)
|
||||
leftover = 0;
|
||||
avg->tv_usec += (((long long)leftover)*((long long)1000000))/d;
|
||||
if(avg->tv_sec < 0)
|
||||
avg->tv_sec = 0;
|
||||
if(avg->tv_usec < 0)
|
||||
avg->tv_usec = 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
/** histogram compare of time values */
|
||||
static int
|
||||
timeval_smaller(const struct timeval* x, const struct timeval* y)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
if(x->tv_sec < y->tv_sec)
|
||||
return 1;
|
||||
else if(x->tv_sec == y->tv_sec) {
|
||||
if(x->tv_usec <= y->tv_usec)
|
||||
return 1;
|
||||
else return 0;
|
||||
}
|
||||
else return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
/**
|
||||
* Compare two response-ip client info entries for the purpose of mesh state
|
||||
* compare. It returns 0 if ci_a and ci_b are considered equal; otherwise
|
||||
|
@ -249,7 +180,7 @@ mesh_state_ref_compare(const void* ap, const void* bp)
|
|||
return mesh_state_compare(a->s, b->s);
|
||||
}
|
||||
|
||||
struct mesh_area*
|
||||
struct mesh_area*
|
||||
mesh_create(struct module_stack* stack, struct module_env* env)
|
||||
{
|
||||
struct mesh_area* mesh = calloc(1, sizeof(struct mesh_area));
|
||||
|
@ -275,6 +206,7 @@ mesh_create(struct module_stack* stack, struct module_env* env)
|
|||
mesh->stats_jostled = 0;
|
||||
mesh->stats_dropped = 0;
|
||||
mesh->ans_expired = 0;
|
||||
mesh->ans_cachedb = 0;
|
||||
mesh->max_reply_states = env->cfg->num_queries_per_thread;
|
||||
mesh->max_forever_states = (mesh->max_reply_states+1)/2;
|
||||
#ifndef S_SPLINT_S
|
||||
|
@ -298,7 +230,7 @@ mesh_delete_helper(rbnode_type* n)
|
|||
* traversal and rbtree rebalancing do not work together */
|
||||
}
|
||||
|
||||
void
|
||||
void
|
||||
mesh_delete(struct mesh_area* mesh)
|
||||
{
|
||||
if(!mesh)
|
||||
|
@ -341,7 +273,7 @@ int mesh_make_new_space(struct mesh_area* mesh, sldns_buffer* qbuf)
|
|||
if(m && m->reply_list && m->list_select == mesh_jostle_list) {
|
||||
/* how old is it? */
|
||||
struct timeval age;
|
||||
timeval_subtract(&age, mesh->env->now_tv,
|
||||
timeval_subtract(&age, mesh->env->now_tv,
|
||||
&m->reply_list->start_time);
|
||||
if(timeval_smaller(&mesh->jostle_max, &age)) {
|
||||
/* its a goner */
|
||||
|
@ -517,6 +449,8 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
|
|||
comm_point_send_reply(rep);
|
||||
return;
|
||||
}
|
||||
/* set detached (it is now) */
|
||||
mesh->num_detached_states++;
|
||||
if(unique)
|
||||
mesh_state_make_unique(s);
|
||||
s->s.rpz_passthru = rpz_passthru;
|
||||
|
@ -525,13 +459,14 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
|
|||
s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list_in,
|
||||
s->s.region);
|
||||
if(!s->s.edns_opts_front_in) {
|
||||
log_err("mesh_state_create: out of memory; SERVFAIL");
|
||||
log_err("edns_opt_copy_region: out of memory; SERVFAIL");
|
||||
if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL,
|
||||
NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv))
|
||||
edns->opt_list_inplace_cb_out = NULL;
|
||||
error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
|
||||
qinfo, qid, qflags, edns);
|
||||
comm_point_send_reply(rep);
|
||||
mesh_state_delete(&s->s);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
@ -543,8 +478,6 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
|
|||
#endif
|
||||
rbtree_insert(&mesh->all, &s->node);
|
||||
log_assert(n != NULL);
|
||||
/* set detached (it is now) */
|
||||
mesh->num_detached_states++;
|
||||
added = 1;
|
||||
}
|
||||
if(!s->reply_list && !s->cb_list) {
|
||||
|
@ -585,11 +518,11 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
|
|||
/* move to either the forever or the jostle_list */
|
||||
if(mesh->num_forever_states < mesh->max_forever_states) {
|
||||
mesh->num_forever_states ++;
|
||||
mesh_list_insert(s, &mesh->forever_first,
|
||||
mesh_list_insert(s, &mesh->forever_first,
|
||||
&mesh->forever_last);
|
||||
s->list_select = mesh_forever_list;
|
||||
} else {
|
||||
mesh_list_insert(s, &mesh->jostle_first,
|
||||
mesh_list_insert(s, &mesh->jostle_first,
|
||||
&mesh->jostle_last);
|
||||
s->list_select = mesh_jostle_list;
|
||||
}
|
||||
|
@ -610,9 +543,9 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
|
|||
return;
|
||||
}
|
||||
|
||||
int
|
||||
int
|
||||
mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
|
||||
uint16_t qflags, struct edns_data* edns, sldns_buffer* buf,
|
||||
uint16_t qflags, struct edns_data* edns, sldns_buffer* buf,
|
||||
uint16_t qid, mesh_cb_func_type cb, void* cb_arg, int rpz_passthru)
|
||||
{
|
||||
struct mesh_state* s = NULL;
|
||||
|
@ -637,6 +570,8 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
|
|||
if(!s) {
|
||||
return 0;
|
||||
}
|
||||
/* set detached (it is now) */
|
||||
mesh->num_detached_states++;
|
||||
if(unique)
|
||||
mesh_state_make_unique(s);
|
||||
s->s.rpz_passthru = rpz_passthru;
|
||||
|
@ -644,6 +579,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
|
|||
s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list_in,
|
||||
s->s.region);
|
||||
if(!s->s.edns_opts_front_in) {
|
||||
mesh_state_delete(&s->s);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
@ -654,8 +590,6 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
|
|||
#endif
|
||||
rbtree_insert(&mesh->all, &s->node);
|
||||
log_assert(n != NULL);
|
||||
/* set detached (it is now) */
|
||||
mesh->num_detached_states++;
|
||||
added = 1;
|
||||
}
|
||||
if(!s->reply_list && !s->cb_list) {
|
||||
|
@ -672,6 +606,8 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
|
|||
}
|
||||
/* add serve expired timer if not already there */
|
||||
if(timeout && !mesh_serve_expired_init(s, timeout)) {
|
||||
if(added)
|
||||
mesh_state_delete(&s->s);
|
||||
return 0;
|
||||
}
|
||||
/* update statistics */
|
||||
|
@ -773,7 +709,7 @@ static void mesh_schedule_prefetch(struct mesh_area* mesh,
|
|||
* attached its own ECS data. */
|
||||
static void mesh_schedule_prefetch_subnet(struct mesh_area* mesh,
|
||||
struct query_info* qinfo, uint16_t qflags, time_t leeway, int run,
|
||||
int rpz_passthru, struct comm_reply* rep, struct edns_option* edns_list)
|
||||
int rpz_passthru, struct sockaddr_storage* addr, struct edns_option* edns_list)
|
||||
{
|
||||
struct mesh_state* s = NULL;
|
||||
struct edns_option* opt = NULL;
|
||||
|
@ -803,20 +739,10 @@ static void mesh_schedule_prefetch_subnet(struct mesh_area* mesh,
|
|||
return;
|
||||
}
|
||||
} else {
|
||||
/* Fake the ECS data from the client's IP */
|
||||
struct ecs_data ecs;
|
||||
memset(&ecs, 0, sizeof(ecs));
|
||||
subnet_option_from_ss(&rep->client_addr, &ecs, mesh->env->cfg);
|
||||
if(ecs.subnet_validdata == 0) {
|
||||
log_err("prefetch_subnet subnet_option_from_ss: invalid data");
|
||||
return;
|
||||
}
|
||||
subnet_ecs_opt_list_append(&ecs, &s->s.edns_opts_front_in,
|
||||
&s->s, s->s.region);
|
||||
if(!s->s.edns_opts_front_in) {
|
||||
log_err("prefetch_subnet subnet_ecs_opt_list_append: out of memory");
|
||||
return;
|
||||
}
|
||||
/* Store the client's address. Later in the subnet module,
|
||||
* it is decided whether to include an ECS option or not.
|
||||
*/
|
||||
s->s.client_addr = *addr;
|
||||
}
|
||||
#ifdef UNBOUND_DEBUG
|
||||
n =
|
||||
|
@ -863,14 +789,14 @@ static void mesh_schedule_prefetch_subnet(struct mesh_area* mesh,
|
|||
|
||||
void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
|
||||
uint16_t qflags, time_t leeway, int rpz_passthru,
|
||||
struct comm_reply* rep, struct edns_option* opt_list)
|
||||
struct sockaddr_storage* addr, struct edns_option* opt_list)
|
||||
{
|
||||
(void)addr;
|
||||
(void)opt_list;
|
||||
(void)rep;
|
||||
#ifdef CLIENT_SUBNET
|
||||
if(rep)
|
||||
if(addr)
|
||||
mesh_schedule_prefetch_subnet(mesh, qinfo, qflags, leeway, 1,
|
||||
rpz_passthru, rep, opt_list);
|
||||
rpz_passthru, addr, opt_list);
|
||||
else
|
||||
#endif
|
||||
mesh_schedule_prefetch(mesh, qinfo, qflags, leeway, 1,
|
||||
|
@ -900,7 +826,7 @@ mesh_state_create(struct module_env* env, struct query_info* qinfo,
|
|||
int i;
|
||||
if(!region)
|
||||
return NULL;
|
||||
mstate = (struct mesh_state*)regional_alloc(region,
|
||||
mstate = (struct mesh_state*)regional_alloc(region,
|
||||
sizeof(struct mesh_state));
|
||||
if(!mstate) {
|
||||
alloc_reg_release(env->alloc, region);
|
||||
|
@ -970,19 +896,13 @@ mesh_state_create(struct module_env* env, struct query_info* qinfo,
|
|||
return mstate;
|
||||
}
|
||||
|
||||
int
|
||||
mesh_state_is_unique(struct mesh_state* mstate)
|
||||
{
|
||||
return mstate->unique != NULL;
|
||||
}
|
||||
|
||||
void
|
||||
mesh_state_make_unique(struct mesh_state* mstate)
|
||||
{
|
||||
mstate->unique = mstate;
|
||||
}
|
||||
|
||||
void
|
||||
void
|
||||
mesh_state_cleanup(struct mesh_state* mstate)
|
||||
{
|
||||
struct mesh_area* mesh;
|
||||
|
@ -1028,7 +948,7 @@ mesh_state_cleanup(struct mesh_state* mstate)
|
|||
alloc_reg_release(mstate->s.env->alloc, mstate->s.region);
|
||||
}
|
||||
|
||||
void
|
||||
void
|
||||
mesh_state_delete(struct module_qstate* qstate)
|
||||
{
|
||||
struct mesh_area* mesh;
|
||||
|
@ -1041,10 +961,10 @@ mesh_state_delete(struct module_qstate* qstate)
|
|||
mesh_detach_subs(&mstate->s);
|
||||
if(mstate->list_select == mesh_forever_list) {
|
||||
mesh->num_forever_states --;
|
||||
mesh_list_remove(mstate, &mesh->forever_first,
|
||||
mesh_list_remove(mstate, &mesh->forever_first,
|
||||
&mesh->forever_last);
|
||||
} else if(mstate->list_select == mesh_jostle_list) {
|
||||
mesh_list_remove(mstate, &mesh->jostle_first,
|
||||
mesh_list_remove(mstate, &mesh->jostle_first,
|
||||
&mesh->jostle_last);
|
||||
}
|
||||
if(!mstate->reply_list && !mstate->cb_list
|
||||
|
@ -1116,7 +1036,7 @@ void mesh_detach_subs(struct module_qstate* qstate)
|
|||
if(!ref->s->reply_list && !ref->s->cb_list
|
||||
&& ref->s->super_set.count == 0) {
|
||||
mesh->num_detached_states++;
|
||||
log_assert(mesh->num_detached_states +
|
||||
log_assert(mesh->num_detached_states +
|
||||
mesh->num_reply_states <= mesh->all.count);
|
||||
}
|
||||
}
|
||||
|
@ -1181,7 +1101,7 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
|
|||
if(!mesh_state_attachment(qstate->mesh_info, sub))
|
||||
return 0;
|
||||
/* if it was a duplicate attachment, the count was not zero before */
|
||||
if(!sub->reply_list && !sub->cb_list && was_detached &&
|
||||
if(!sub->reply_list && !sub->cb_list && was_detached &&
|
||||
sub->super_set.count == 1) {
|
||||
/* it used to be detached, before this one got added */
|
||||
log_assert(mesh->num_detached_states > 0);
|
||||
|
@ -1251,7 +1171,7 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
|
|||
else secure = 0;
|
||||
if(!rep && rcode == LDNS_RCODE_NOERROR)
|
||||
rcode = LDNS_RCODE_SERVFAIL;
|
||||
if(!rcode && (rep->security == sec_status_bogus ||
|
||||
if(!rcode && rep && (rep->security == sec_status_bogus ||
|
||||
rep->security == sec_status_secure_sentinel_fail)) {
|
||||
if(!(reason = errinf_to_str_bogus(&m->s)))
|
||||
rcode = LDNS_RCODE_SERVFAIL;
|
||||
|
@ -1280,10 +1200,10 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
|
|||
|
||||
if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep,
|
||||
LDNS_RCODE_NOERROR, &r->edns, NULL, m->s.region, start_time) ||
|
||||
!reply_info_answer_encode(&m->s.qinfo, rep, r->qid,
|
||||
r->qflags, r->buf, 0, 1,
|
||||
m->s.env->scratch, udp_size, &r->edns,
|
||||
(int)(r->edns.bits & EDNS_DO), secure))
|
||||
!reply_info_answer_encode(&m->s.qinfo, rep, r->qid,
|
||||
r->qflags, r->buf, 0, 1,
|
||||
m->s.env->scratch, udp_size, &r->edns,
|
||||
(int)(r->edns.bits & EDNS_DO), secure))
|
||||
{
|
||||
fptr_ok(fptr_whitelist_mesh_cb(r->cb));
|
||||
(*r->cb)(r->cb_arg, LDNS_RCODE_SERVFAIL, r->buf,
|
||||
|
@ -1291,7 +1211,8 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
|
|||
} else {
|
||||
fptr_ok(fptr_whitelist_mesh_cb(r->cb));
|
||||
(*r->cb)(r->cb_arg, LDNS_RCODE_NOERROR, r->buf,
|
||||
rep->security, reason, was_ratelimited);
|
||||
(rep?rep->security:sec_status_unchecked),
|
||||
reason, was_ratelimited);
|
||||
}
|
||||
}
|
||||
free(reason);
|
||||
|
@ -1311,10 +1232,36 @@ mesh_is_rpz_respip_tcponly_action(struct mesh_state const* m)
|
|||
}
|
||||
|
||||
static inline int
|
||||
mesh_is_udp(struct mesh_reply const* r) {
|
||||
mesh_is_udp(struct mesh_reply const* r)
|
||||
{
|
||||
return r->query_reply.c->type == comm_udp;
|
||||
}
|
||||
|
||||
static inline void
|
||||
mesh_find_and_attach_ede_and_reason(struct mesh_state* m,
|
||||
struct reply_info* rep, struct mesh_reply* r)
|
||||
{
|
||||
/* OLD note:
|
||||
* During validation the EDE code can be received via two
|
||||
* code paths. One code path fills the reply_info EDE, and
|
||||
* the other fills it in the errinf_strlist. These paths
|
||||
* intersect at some points, but where is opaque due to
|
||||
* the complexity of the validator. At the time of writing
|
||||
* we make the choice to prefer the EDE from errinf_strlist
|
||||
* but a compelling reason to do otherwise is just as valid
|
||||
* NEW note:
|
||||
* The compelling reason is that with caching support, the value
|
||||
* in the reply_info is cached.
|
||||
* The reason members of the reply_info struct should be
|
||||
* updated as they are already cached. No reason to
|
||||
* try and find the EDE information in errinf anymore.
|
||||
*/
|
||||
if(rep->reason_bogus != LDNS_EDE_NONE) {
|
||||
edns_opt_list_append_ede(&r->edns.opt_list_out,
|
||||
m->s.region, rep->reason_bogus, rep->reason_bogus_str);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Send reply to mesh reply entry
|
||||
* @param m: mesh state to send it for.
|
||||
|
@ -1346,7 +1293,7 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
|
|||
|
||||
/* examine security status */
|
||||
if(m->s.env->need_to_validate && (!(r->qflags&BIT_CD) ||
|
||||
m->s.env->cfg->ignore_cd) && rep &&
|
||||
m->s.env->cfg->ignore_cd) && rep &&
|
||||
(rep->security <= sec_status_bogus ||
|
||||
rep->security == sec_status_secure_sentinel_fail)) {
|
||||
rcode = LDNS_RCODE_SERVFAIL;
|
||||
|
@ -1401,40 +1348,17 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
|
|||
if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
|
||||
rep, rcode, &r->edns, &r->query_reply, m->s.region, &r->start_time))
|
||||
r->edns.opt_list_inplace_cb_out = NULL;
|
||||
} else {
|
||||
} else {
|
||||
if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode,
|
||||
&r->edns, &r->query_reply, m->s.region, &r->start_time))
|
||||
r->edns.opt_list_inplace_cb_out = NULL;
|
||||
}
|
||||
/* Send along EDE BOGUS EDNS0 option when answer is bogus */
|
||||
if(m->s.env->cfg->ede && rcode == LDNS_RCODE_SERVFAIL &&
|
||||
m->s.env->need_to_validate && (!(r->qflags&BIT_CD) ||
|
||||
m->s.env->cfg->ignore_cd) && rep &&
|
||||
(rep->security <= sec_status_bogus ||
|
||||
rep->security == sec_status_secure_sentinel_fail)) {
|
||||
char *reason = m->s.env->cfg->val_log_level >= 2
|
||||
? errinf_to_str_bogus(&m->s) : NULL;
|
||||
|
||||
/* During validation the EDE code can be received via two
|
||||
* code paths. One code path fills the reply_info EDE, and
|
||||
* the other fills it in the errinf_strlist. These paths
|
||||
* intersect at some points, but where is opaque due to
|
||||
* the complexity of the validator. At the time of writing
|
||||
* we make the choice to prefer the EDE from errinf_strlist
|
||||
* but a compelling reason to do otherwise is just as valid
|
||||
*/
|
||||
sldns_ede_code reason_bogus = errinf_to_reason_bogus(&m->s);
|
||||
if ((reason_bogus == LDNS_EDE_DNSSEC_BOGUS &&
|
||||
rep->reason_bogus != LDNS_EDE_NONE) ||
|
||||
reason_bogus == LDNS_EDE_NONE) {
|
||||
reason_bogus = rep->reason_bogus;
|
||||
}
|
||||
|
||||
if(reason_bogus != LDNS_EDE_NONE) {
|
||||
edns_opt_list_append_ede(&r->edns.opt_list_out,
|
||||
m->s.region, reason_bogus, reason);
|
||||
}
|
||||
free(reason);
|
||||
/* Send along EDE EDNS0 option when SERVFAILing; usually
|
||||
* DNSSEC validation failures */
|
||||
/* Since we are SERVFAILing here, CD bit and rep->security
|
||||
* is already handled. */
|
||||
if(m->s.env->cfg->ede && rep) {
|
||||
mesh_find_and_attach_ede_and_reason(m, rep, r);
|
||||
}
|
||||
error_encode(r_buffer, rcode, &m->s.qinfo, r->qid,
|
||||
r->qflags, &r->edns);
|
||||
|
@ -1449,12 +1373,22 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
|
|||
r->edns.bits &= EDNS_DO;
|
||||
m->s.qinfo.qname = r->qname;
|
||||
m->s.qinfo.local_alias = r->local_alias;
|
||||
|
||||
/* Attach EDE without SERVFAIL if the validation failed.
|
||||
* Need to explicitly check for rep->security otherwise failed
|
||||
* validation paths may attach to a secure answer. */
|
||||
if(m->s.env->cfg->ede && rep &&
|
||||
(rep->security <= sec_status_bogus ||
|
||||
rep->security == sec_status_secure_sentinel_fail)) {
|
||||
mesh_find_and_attach_ede_and_reason(m, rep, r);
|
||||
}
|
||||
|
||||
if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep,
|
||||
LDNS_RCODE_NOERROR, &r->edns, &r->query_reply, m->s.region, &r->start_time) ||
|
||||
!reply_info_answer_encode(&m->s.qinfo, rep, r->qid,
|
||||
!reply_info_answer_encode(&m->s.qinfo, rep, r->qid,
|
||||
r->qflags, r_buffer, 0, 1, m->s.env->scratch,
|
||||
udp_size, &r->edns, (int)(r->edns.bits & EDNS_DO),
|
||||
secure))
|
||||
secure))
|
||||
{
|
||||
if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
|
||||
rep, LDNS_RCODE_SERVFAIL, &r->edns, &r->query_reply, m->s.region, &r->start_time))
|
||||
|
@ -1503,6 +1437,7 @@ void mesh_query_done(struct mesh_state* mstate)
|
|||
struct reply_info* rep = (mstate->s.return_msg?
|
||||
mstate->s.return_msg->rep:NULL);
|
||||
struct timeval tv = {0, 0};
|
||||
int i = 0;
|
||||
/* No need for the serve expired timer anymore; we are going to reply. */
|
||||
if(mstate->s.serve_expired_data) {
|
||||
comm_timer_delete(mstate->s.serve_expired_data->timer);
|
||||
|
@ -1522,6 +1457,7 @@ void mesh_query_done(struct mesh_state* mstate)
|
|||
}
|
||||
}
|
||||
for(r = mstate->reply_list; r; r = r->next) {
|
||||
i++;
|
||||
tv = r->start_time;
|
||||
|
||||
/* if a response-ip address block has been stored the
|
||||
|
@ -1533,16 +1469,6 @@ void mesh_query_done(struct mesh_state* mstate)
|
|||
mstate->s.qinfo.qclass, r->local_alias,
|
||||
&r->query_reply.client_addr,
|
||||
r->query_reply.client_addrlen);
|
||||
if(mstate->s.env->cfg->stat_extended &&
|
||||
mstate->s.respip_action_info->rpz_used) {
|
||||
if(mstate->s.respip_action_info->rpz_disabled)
|
||||
mstate->s.env->mesh->rpz_action[RPZ_DISABLED_ACTION]++;
|
||||
if(mstate->s.respip_action_info->rpz_cname_override)
|
||||
mstate->s.env->mesh->rpz_action[RPZ_CNAME_OVERRIDE_ACTION]++;
|
||||
else
|
||||
mstate->s.env->mesh->rpz_action[respip_action_to_rpz_action(
|
||||
mstate->s.respip_action_info->action)]++;
|
||||
}
|
||||
}
|
||||
|
||||
/* if this query is determined to be dropped during the
|
||||
|
@ -1573,6 +1499,27 @@ void mesh_query_done(struct mesh_state* mstate)
|
|||
prev_buffer = r_buffer;
|
||||
}
|
||||
}
|
||||
/* Account for each reply sent. */
|
||||
if(i > 0 && mstate->s.respip_action_info &&
|
||||
mstate->s.respip_action_info->addrinfo &&
|
||||
mstate->s.env->cfg->stat_extended &&
|
||||
mstate->s.respip_action_info->rpz_used) {
|
||||
if(mstate->s.respip_action_info->rpz_disabled)
|
||||
mstate->s.env->mesh->rpz_action[RPZ_DISABLED_ACTION] += i;
|
||||
if(mstate->s.respip_action_info->rpz_cname_override)
|
||||
mstate->s.env->mesh->rpz_action[RPZ_CNAME_OVERRIDE_ACTION] += i;
|
||||
else
|
||||
mstate->s.env->mesh->rpz_action[respip_action_to_rpz_action(
|
||||
mstate->s.respip_action_info->action)] += i;
|
||||
}
|
||||
if(!mstate->s.is_drop && i > 0) {
|
||||
if(mstate->s.env->cfg->stat_extended
|
||||
&& mstate->s.is_cachedb_answer) {
|
||||
mstate->s.env->mesh->ans_cachedb += i;
|
||||
}
|
||||
}
|
||||
|
||||
/* Mesh area accounting */
|
||||
if(mstate->reply_list) {
|
||||
mstate->reply_list = NULL;
|
||||
if(!mstate->reply_list && !mstate->cb_list) {
|
||||
|
@ -1585,6 +1532,7 @@ void mesh_query_done(struct mesh_state* mstate)
|
|||
mstate->s.env->mesh->num_detached_states++;
|
||||
}
|
||||
mstate->replies_sent = 1;
|
||||
|
||||
while((c = mstate->cb_list) != NULL) {
|
||||
/* take this cb off the list; so that the list can be
|
||||
* changed, eg. by adds from the callback routine */
|
||||
|
@ -1611,7 +1559,7 @@ void mesh_walk_supers(struct mesh_area* mesh, struct mesh_state* mstate)
|
|||
/* callback the function to inform super of result */
|
||||
fptr_ok(fptr_whitelist_mod_inform_super(
|
||||
mesh->mods.mod[ref->s->s.curmod]->inform_super));
|
||||
(*mesh->mods.mod[ref->s->s.curmod]->inform_super)(&mstate->s,
|
||||
(*mesh->mods.mod[ref->s->s.curmod]->inform_super)(&mstate->s,
|
||||
ref->s->s.curmod, &ref->s->s);
|
||||
/* copy state that is always relevant to super */
|
||||
copy_state_to_super(&mstate->s, ref->s->s.curmod, &ref->s->s);
|
||||
|
@ -1635,7 +1583,7 @@ struct mesh_state* mesh_area_find(struct mesh_area* mesh,
|
|||
* desire aggregation).*/
|
||||
key.unique = NULL;
|
||||
key.s.client_info = cinfo;
|
||||
|
||||
|
||||
result = (struct mesh_state*)rbtree_search(&mesh->all, &key);
|
||||
return result;
|
||||
}
|
||||
|
@ -1644,7 +1592,7 @@ int mesh_state_add_cb(struct mesh_state* s, struct edns_data* edns,
|
|||
sldns_buffer* buf, mesh_cb_func_type cb, void* cb_arg,
|
||||
uint16_t qid, uint16_t qflags)
|
||||
{
|
||||
struct mesh_cb* r = regional_alloc(s->s.region,
|
||||
struct mesh_cb* r = regional_alloc(s->s.region,
|
||||
sizeof(struct mesh_cb));
|
||||
if(!r)
|
||||
return 0;
|
||||
|
@ -1776,7 +1724,7 @@ mesh_copy_qinfo(struct mesh_state* mstate, struct query_info** qinfop,
|
|||
* Handles module finished.
|
||||
* @param mesh: the mesh area.
|
||||
* @param mstate: currently active mesh state.
|
||||
* Deleted if finished, calls _done and _supers to
|
||||
* Deleted if finished, calls _done and _supers to
|
||||
* send replies to clients and inform other mesh states.
|
||||
* This in turn may create additional runnable mesh states.
|
||||
* @param s: state at which the current module exited.
|
||||
|
@ -1810,7 +1758,7 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate,
|
|||
}
|
||||
if(s == module_restart_next) {
|
||||
int curmod = mstate->s.curmod;
|
||||
for(; mstate->s.curmod < mesh->mods.num;
|
||||
for(; mstate->s.curmod < mesh->mods.num;
|
||||
mstate->s.curmod++) {
|
||||
fptr_ok(fptr_whitelist_mod_clear(
|
||||
mesh->mods.mod[mstate->s.curmod]->clear));
|
||||
|
@ -1842,9 +1790,21 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate,
|
|||
if(s == module_finished) {
|
||||
if(mstate->s.curmod == 0) {
|
||||
struct query_info* qinfo = NULL;
|
||||
struct edns_option* opt_list = NULL;
|
||||
struct sockaddr_storage addr;
|
||||
uint16_t qflags;
|
||||
int rpz_p = 0;
|
||||
|
||||
#ifdef CLIENT_SUBNET
|
||||
struct edns_option* ecs;
|
||||
if(mstate->s.need_refetch && mstate->reply_list &&
|
||||
modstack_find(&mesh->mods, "subnetcache") != -1 &&
|
||||
mstate->s.env->unique_mesh) {
|
||||
addr = mstate->reply_list->query_reply.client_addr;
|
||||
} else
|
||||
#endif
|
||||
memset(&addr, 0, sizeof(addr));
|
||||
|
||||
mesh_query_done(mstate);
|
||||
mesh_walk_supers(mesh, mstate);
|
||||
|
||||
|
@ -1854,13 +1814,28 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate,
|
|||
* we need to make a copy of the query info here. */
|
||||
if(mstate->s.need_refetch) {
|
||||
mesh_copy_qinfo(mstate, &qinfo, &qflags);
|
||||
#ifdef CLIENT_SUBNET
|
||||
/* Make also a copy of the ecs option if any */
|
||||
if((ecs = edns_opt_list_find(
|
||||
mstate->s.edns_opts_front_in,
|
||||
mstate->s.env->cfg->client_subnet_opcode)) != NULL) {
|
||||
(void)edns_opt_list_append(&opt_list,
|
||||
ecs->opt_code, ecs->opt_len,
|
||||
ecs->opt_data,
|
||||
mstate->s.env->scratch);
|
||||
}
|
||||
#endif
|
||||
rpz_p = mstate->s.rpz_passthru;
|
||||
}
|
||||
|
||||
mesh_state_delete(&mstate->s);
|
||||
if(qinfo) {
|
||||
mesh_schedule_prefetch(mesh, qinfo, qflags,
|
||||
0, 1, rpz_p);
|
||||
mesh_state_delete(&mstate->s);
|
||||
mesh_new_prefetch(mesh, qinfo, qflags, 0,
|
||||
rpz_p,
|
||||
addr.ss_family!=AF_UNSPEC?&addr:NULL,
|
||||
opt_list);
|
||||
} else {
|
||||
mesh_state_delete(&mstate->s);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -1888,7 +1863,7 @@ void mesh_run(struct mesh_area* mesh, struct mesh_state* mstate,
|
|||
mstate->s.reply = NULL;
|
||||
regional_free_all(mstate->s.env->scratch);
|
||||
s = mstate->s.ext_state[mstate->s.curmod];
|
||||
verbose(VERB_ALGO, "mesh_run: %s module exit state is %s",
|
||||
verbose(VERB_ALGO, "mesh_run: %s module exit state is %s",
|
||||
mesh->mods.mod[mstate->s.curmod]->name, strextstate(s));
|
||||
e = NULL;
|
||||
if(mesh_continue(mesh, mstate, s, &ev))
|
||||
|
@ -1908,14 +1883,14 @@ void mesh_run(struct mesh_area* mesh, struct mesh_state* mstate,
|
|||
}
|
||||
}
|
||||
|
||||
void
|
||||
void
|
||||
mesh_log_list(struct mesh_area* mesh)
|
||||
{
|
||||
char buf[30];
|
||||
struct mesh_state* m;
|
||||
int num = 0;
|
||||
RBTREE_FOR(m, struct mesh_state*, &mesh->all) {
|
||||
snprintf(buf, sizeof(buf), "%d%s%s%s%s%s%s mod%d %s%s",
|
||||
snprintf(buf, sizeof(buf), "%d%s%s%s%s%s%s mod%d %s%s",
|
||||
num++, (m->s.is_priming)?"p":"", /* prime */
|
||||
(m->s.is_valrec)?"v":"", /* prime */
|
||||
(m->s.query_flags&BIT_RD)?"RD":"",
|
||||
|
@ -1924,18 +1899,18 @@ mesh_log_list(struct mesh_area* mesh)
|
|||
(m->sub_set.count!=0)?"c":"", /* children */
|
||||
m->s.curmod, (m->reply_list)?"rep":"", /*hasreply*/
|
||||
(m->cb_list)?"cb":"" /* callbacks */
|
||||
);
|
||||
);
|
||||
log_query_info(VERB_ALGO, buf, &m->s.qinfo);
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
void
|
||||
mesh_stats(struct mesh_area* mesh, const char* str)
|
||||
{
|
||||
verbose(VERB_DETAIL, "%s %u recursion states (%u with reply, "
|
||||
"%u detached), %u waiting replies, %u recursion replies "
|
||||
"sent, %d replies dropped, %d states jostled out",
|
||||
str, (unsigned)mesh->all.count,
|
||||
"sent, %d replies dropped, %d states jostled out",
|
||||
str, (unsigned)mesh->all.count,
|
||||
(unsigned)mesh->num_reply_states,
|
||||
(unsigned)mesh->num_detached_states,
|
||||
(unsigned)mesh->num_reply_addrs,
|
||||
|
@ -1944,7 +1919,7 @@ mesh_stats(struct mesh_area* mesh, const char* str)
|
|||
(unsigned)mesh->stats_jostled);
|
||||
if(mesh->replies_sent > 0) {
|
||||
struct timeval avg;
|
||||
timeval_divide(&avg, &mesh->replies_sum_wait,
|
||||
timeval_divide(&avg, &mesh->replies_sum_wait,
|
||||
mesh->replies_sent);
|
||||
log_info("average recursion processing time "
|
||||
ARG_LL "d.%6.6d sec",
|
||||
|
@ -1954,7 +1929,7 @@ mesh_stats(struct mesh_area* mesh, const char* str)
|
|||
}
|
||||
}
|
||||
|
||||
void
|
||||
void
|
||||
mesh_stats_clear(struct mesh_area* mesh)
|
||||
{
|
||||
if(!mesh)
|
||||
|
@ -1968,12 +1943,13 @@ mesh_stats_clear(struct mesh_area* mesh)
|
|||
mesh->ans_secure = 0;
|
||||
mesh->ans_bogus = 0;
|
||||
mesh->ans_expired = 0;
|
||||
mesh->ans_cachedb = 0;
|
||||
memset(&mesh->ans_rcode[0], 0, sizeof(size_t)*UB_STATS_RCODE_NUM);
|
||||
memset(&mesh->rpz_action[0], 0, sizeof(size_t)*UB_STATS_RPZ_ACTION_NUM);
|
||||
mesh->ans_nodata = 0;
|
||||
}
|
||||
|
||||
size_t
|
||||
size_t
|
||||
mesh_get_mem(struct mesh_area* mesh)
|
||||
{
|
||||
struct mesh_state* m;
|
||||
|
@ -1987,7 +1963,7 @@ mesh_get_mem(struct mesh_area* mesh)
|
|||
return s;
|
||||
}
|
||||
|
||||
int
|
||||
int
|
||||
mesh_detect_cycle(struct module_qstate* qstate, struct query_info* qinfo,
|
||||
uint16_t flags, int prime, int valrec)
|
||||
{
|
||||
|
@ -2104,6 +2080,7 @@ mesh_serve_expired_callback(void* arg)
|
|||
struct timeval tv = {0, 0};
|
||||
int must_validate = (!(qstate->query_flags&BIT_CD)
|
||||
|| qstate->env->cfg->ignore_cd) && qstate->env->need_to_validate;
|
||||
int i = 0;
|
||||
if(!qstate->serve_expired_data) return;
|
||||
verbose(VERB_ALGO, "Serve expired: Trying to reply with expired data");
|
||||
comm_timer_delete(qstate->serve_expired_data->timer);
|
||||
|
@ -2175,6 +2152,7 @@ mesh_serve_expired_callback(void* arg)
|
|||
log_dns_msg("Serve expired lookup", &qstate->qinfo, msg->rep);
|
||||
|
||||
for(r = mstate->reply_list; r; r = r->next) {
|
||||
i++;
|
||||
tv = r->start_time;
|
||||
|
||||
/* If address info is returned, it means the action should be an
|
||||
|
@ -2184,16 +2162,6 @@ mesh_serve_expired_callback(void* arg)
|
|||
qstate->qinfo.qtype, qstate->qinfo.qclass,
|
||||
r->local_alias, &r->query_reply.client_addr,
|
||||
r->query_reply.client_addrlen);
|
||||
|
||||
if(qstate->env->cfg->stat_extended && actinfo.rpz_used) {
|
||||
if(actinfo.rpz_disabled)
|
||||
qstate->env->mesh->rpz_action[RPZ_DISABLED_ACTION]++;
|
||||
if(actinfo.rpz_cname_override)
|
||||
qstate->env->mesh->rpz_action[RPZ_CNAME_OVERRIDE_ACTION]++;
|
||||
else
|
||||
qstate->env->mesh->rpz_action[
|
||||
respip_action_to_rpz_action(actinfo.action)]++;
|
||||
}
|
||||
}
|
||||
|
||||
/* Add EDE Stale Answer (RCF8914). Ignore global ede as this is
|
||||
|
@ -2213,11 +2181,23 @@ mesh_serve_expired_callback(void* arg)
|
|||
tcp_req_info_remove_mesh_state(r->query_reply.c->tcp_req_info, mstate);
|
||||
prev = r;
|
||||
prev_buffer = r_buffer;
|
||||
|
||||
/* Account for each reply sent. */
|
||||
mesh->ans_expired++;
|
||||
|
||||
}
|
||||
/* Account for each reply sent. */
|
||||
if(i > 0) {
|
||||
mesh->ans_expired += i;
|
||||
if(actinfo.addrinfo && qstate->env->cfg->stat_extended &&
|
||||
actinfo.rpz_used) {
|
||||
if(actinfo.rpz_disabled)
|
||||
qstate->env->mesh->rpz_action[RPZ_DISABLED_ACTION] += i;
|
||||
if(actinfo.rpz_cname_override)
|
||||
qstate->env->mesh->rpz_action[RPZ_CNAME_OVERRIDE_ACTION] += i;
|
||||
else
|
||||
qstate->env->mesh->rpz_action[
|
||||
respip_action_to_rpz_action(actinfo.action)] += i;
|
||||
}
|
||||
}
|
||||
|
||||
/* Mesh area accounting */
|
||||
if(mstate->reply_list) {
|
||||
mstate->reply_list = NULL;
|
||||
if(!mstate->reply_list && !mstate->cb_list) {
|
||||
|
@ -2228,6 +2208,7 @@ mesh_serve_expired_callback(void* arg)
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
while((c = mstate->cb_list) != NULL) {
|
||||
/* take this cb off the list; so that the list can be
|
||||
* changed, eg. by adds from the callback routine */
|
||||
|
|
|
@ -114,6 +114,8 @@ struct mesh_area {
|
|||
size_t stats_dropped;
|
||||
/** stats, number of expired replies sent */
|
||||
size_t ans_expired;
|
||||
/** stats, number of cached replies from cachedb */
|
||||
size_t ans_cachedb;
|
||||
/** number of replies sent */
|
||||
size_t replies_sent;
|
||||
/** sum of waiting times for the replies */
|
||||
|
@ -335,13 +337,13 @@ int mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
|
|||
* @param leeway: TTL leeway what to expire earlier for this update.
|
||||
* @param rpz_passthru: if true, the rpz passthru was previously found and
|
||||
* further rpz processing is stopped.
|
||||
* @param rep: comm_reply for the client; to be used when subnet is enabled.
|
||||
* @param addr: sockaddr_storage for the client; to be used with subnet.
|
||||
* @param opt_list: edns opt_list from the client; to be used when subnet is
|
||||
* enabled.
|
||||
*/
|
||||
void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
|
||||
uint16_t qflags, time_t leeway, int rpz_passthru,
|
||||
struct comm_reply* rep, struct edns_option* opt_list);
|
||||
struct sockaddr_storage* addr, struct edns_option* opt_list);
|
||||
|
||||
/**
|
||||
* Handle new event from the wire. A serviced query has returned.
|
||||
|
@ -478,14 +480,6 @@ struct mesh_state* mesh_state_create(struct module_env* env,
|
|||
struct query_info* qinfo, struct respip_client_info* cinfo,
|
||||
uint16_t qflags, int prime, int valrec);
|
||||
|
||||
/**
|
||||
* Check if the mesh state is unique.
|
||||
* A unique mesh state uses it's unique member to point to itself, else NULL.
|
||||
* @param mstate: mesh state to check.
|
||||
* @return true if the mesh state is unique, false otherwise.
|
||||
*/
|
||||
int mesh_state_is_unique(struct mesh_state* mstate);
|
||||
|
||||
/**
|
||||
* Make a mesh state unique.
|
||||
* A unique mesh state uses it's unique member to point to itself.
|
||||
|
|
|
@ -120,12 +120,16 @@ modstack_config(struct module_stack* stack, const char* module_conf)
|
|||
stack->mod[i] = module_factory(&module_conf);
|
||||
if(!stack->mod[i]) {
|
||||
char md[256];
|
||||
char * s = md;
|
||||
snprintf(md, sizeof(md), "%s", module_conf);
|
||||
if(strchr(md, ' ')) *(strchr(md, ' ')) = 0;
|
||||
if(strchr(md, '\t')) *(strchr(md, '\t')) = 0;
|
||||
/* Leading spaces are present on errors. */
|
||||
while (*s && isspace((unsigned char)*s))
|
||||
s++;
|
||||
if(strchr(s, ' ')) *(strchr(s, ' ')) = 0;
|
||||
if(strchr(s, '\t')) *(strchr(s, '\t')) = 0;
|
||||
log_err("Unknown value in module-config, module: '%s'."
|
||||
" This module is not present (not compiled in),"
|
||||
" See the list of linked modules with unbound -V", md);
|
||||
" See the list of linked modules with unbound -V", s);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -551,8 +551,27 @@ reuse_tcp_find(struct outside_network* outnet, struct sockaddr_storage* addr,
|
|||
log_assert(&key_p != ((struct reuse_tcp*)result)->pending);
|
||||
}
|
||||
/* not found, return null */
|
||||
|
||||
/* It is possible that we search for something before the first element
|
||||
* in the tree. Replace a null pointer with the first element.
|
||||
*/
|
||||
if (!result) {
|
||||
verbose(VERB_CLIENT, "reuse_tcp_find: taking first");
|
||||
result = rbtree_first(&outnet->tcp_reuse);
|
||||
}
|
||||
|
||||
if(!result || result == RBTREE_NULL)
|
||||
return NULL;
|
||||
|
||||
/* It is possible that we got the previous address, but that the
|
||||
* address we are looking for is in the tree. If the address we got
|
||||
* is less than the address we are looking, then take the next entry.
|
||||
*/
|
||||
if (reuse_cmp_addrportssl(result->key, &key_p.reuse) < 0) {
|
||||
verbose(VERB_CLIENT, "reuse_tcp_find: key too low");
|
||||
result = rbtree_next(result);
|
||||
}
|
||||
|
||||
verbose(VERB_CLIENT, "reuse_tcp_find check inexact match");
|
||||
/* inexact match, find one of possibly several connections to the
|
||||
* same destination address, with the correct port, ssl, and
|
||||
|
@ -620,6 +639,15 @@ outnet_tcp_take_into_use(struct waiting_tcp* w)
|
|||
log_assert(w->addrlen > 0);
|
||||
pend->c->tcp_do_toggle_rw = 0;
|
||||
pend->c->tcp_do_close = 0;
|
||||
|
||||
/* Consistency check, if we have ssl_upstream but no sslctx, then
|
||||
* log an error and return failure.
|
||||
*/
|
||||
if (w->ssl_upstream && !w->outnet->sslctx) {
|
||||
log_err("SSL upstream requested but no SSL context");
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* open socket */
|
||||
s = outnet_get_tcp_fd(&w->addr, w->addrlen, w->outnet->tcp_mss, w->outnet->ip_dscp);
|
||||
|
||||
|
|
|
@ -1188,6 +1188,22 @@ rpz_find_zone(struct local_zones* zones, uint8_t* qname, size_t qname_len, uint1
|
|||
return z;
|
||||
}
|
||||
|
||||
/** Find entry for RR type in the list of rrsets for the clientip. */
|
||||
static struct local_rrset*
|
||||
rpz_find_synthesized_rrset(uint16_t qtype,
|
||||
struct clientip_synthesized_rr* data)
|
||||
{
|
||||
struct local_rrset* cursor = data->data;
|
||||
while( cursor != NULL) {
|
||||
struct packed_rrset_key* packed_rrset = &cursor->rrset->rk;
|
||||
if(htons(qtype) == packed_rrset->type) {
|
||||
return cursor;
|
||||
}
|
||||
cursor = cursor->next;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/**
|
||||
* Remove RR from RPZ's local-data
|
||||
* @param z: local-zone for RPZ, holding write lock
|
||||
|
@ -1270,15 +1286,15 @@ rpz_rrset_delete_rr(struct resp_addr* raddr, uint16_t rr_type, uint8_t* rdata,
|
|||
|
||||
}
|
||||
|
||||
/** Remove RR from RPZ's local-zone */
|
||||
/** Remove RR from rpz localzones structure */
|
||||
static void
|
||||
rpz_remove_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
|
||||
enum rpz_action a, uint16_t rr_type, uint16_t rr_class,
|
||||
uint8_t* rdatawl, size_t rdatalen)
|
||||
rpz_remove_local_zones_trigger(struct local_zones* zones, uint8_t* dname,
|
||||
size_t dnamelen, enum rpz_action a, uint16_t rr_type,
|
||||
uint16_t rr_class, uint8_t* rdatawl, size_t rdatalen)
|
||||
{
|
||||
struct local_zone* z;
|
||||
int delete_zone = 1;
|
||||
z = rpz_find_zone(r->local_zones, dname, dnamelen, rr_class,
|
||||
z = rpz_find_zone(zones, dname, dnamelen, rr_class,
|
||||
1 /* only exact */, 1 /* wr lock */, 1 /* keep lock*/);
|
||||
if(!z) {
|
||||
verbose(VERB_ALGO, "rpz: cannot remove RR from IXFR, "
|
||||
|
@ -1290,15 +1306,24 @@ rpz_remove_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
|
|||
dnamelen, rr_type, rdatawl, rdatalen);
|
||||
else if(a != localzone_type_to_rpz_action(z->type)) {
|
||||
lock_rw_unlock(&z->lock);
|
||||
lock_rw_unlock(&r->local_zones->lock);
|
||||
lock_rw_unlock(&zones->lock);
|
||||
return;
|
||||
}
|
||||
lock_rw_unlock(&z->lock);
|
||||
if(delete_zone) {
|
||||
local_zones_del_zone(r->local_zones, z);
|
||||
local_zones_del_zone(zones, z);
|
||||
}
|
||||
lock_rw_unlock(&r->local_zones->lock);
|
||||
return;
|
||||
lock_rw_unlock(&zones->lock);
|
||||
}
|
||||
|
||||
/** Remove RR from RPZ's local-zone */
|
||||
static void
|
||||
rpz_remove_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
|
||||
enum rpz_action a, uint16_t rr_type, uint16_t rr_class,
|
||||
uint8_t* rdatawl, size_t rdatalen)
|
||||
{
|
||||
rpz_remove_local_zones_trigger(r->local_zones, dname, dnamelen,
|
||||
a, rr_type, rr_class, rdatawl, rdatalen);
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -1335,15 +1360,159 @@ rpz_remove_response_ip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
|
|||
lock_rw_unlock(&r->respip_set->lock);
|
||||
}
|
||||
|
||||
/** find and remove type from list of local_rrset entries*/
|
||||
static void
|
||||
del_local_rrset_from_list(struct local_rrset** list_head, uint16_t dtype)
|
||||
{
|
||||
struct local_rrset* prev=NULL, *p=*list_head;
|
||||
while(p && ntohs(p->rrset->rk.type) != dtype) {
|
||||
prev = p;
|
||||
p = p->next;
|
||||
}
|
||||
if(!p)
|
||||
return; /* rrset type not found */
|
||||
/* unlink it */
|
||||
if(prev) prev->next = p->next;
|
||||
else *list_head = p->next;
|
||||
/* no memory recycling for zone deletions ... */
|
||||
}
|
||||
|
||||
/** Delete client-ip trigger RR from its RRset and perhaps also the rrset
|
||||
* from the linked list. Returns if the local data is empty and the node can
|
||||
* be deleted too, or not. */
|
||||
static int rpz_remove_clientip_rr(struct clientip_synthesized_rr* node,
|
||||
uint16_t rr_type, uint8_t* rdatawl, size_t rdatalen)
|
||||
{
|
||||
struct local_rrset* rrset;
|
||||
struct packed_rrset_data* d;
|
||||
size_t index;
|
||||
rrset = rpz_find_synthesized_rrset(rr_type, node);
|
||||
if(rrset == NULL)
|
||||
return 0; /* type not found, ignore */
|
||||
d = (struct packed_rrset_data*)rrset->rrset->entry.data;
|
||||
if(!packed_rrset_find_rr(d, rdatawl, rdatalen, &index))
|
||||
return 0; /* RR not found, ignore */
|
||||
if(d->count == 1) {
|
||||
/* regional alloc'd */
|
||||
/* delete the type entry from the list */
|
||||
del_local_rrset_from_list(&node->data, rr_type);
|
||||
/* if the list is empty, the node can be removed too */
|
||||
if(node->data == NULL)
|
||||
return 1;
|
||||
} else if (d->count > 1) {
|
||||
if(!local_rrset_remove_rr(d, index))
|
||||
return 0;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** remove trigger RR from clientip_syntheized set tree. */
|
||||
static void
|
||||
rpz_clientip_remove_trigger_rr(struct clientip_synthesized_rrset* set,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen, int net,
|
||||
enum rpz_action a, uint16_t rr_type, uint8_t* rdatawl, size_t rdatalen)
|
||||
{
|
||||
struct clientip_synthesized_rr* node;
|
||||
int delete_node = 1;
|
||||
|
||||
lock_rw_wrlock(&set->lock);
|
||||
node = (struct clientip_synthesized_rr*)addr_tree_find(&set->entries,
|
||||
addr, addrlen, net);
|
||||
if(node == NULL) {
|
||||
/* netblock not found */
|
||||
verbose(VERB_ALGO, "rpz: cannot remove RR from IXFR, "
|
||||
"RPZ address, netblock not found");
|
||||
lock_rw_unlock(&set->lock);
|
||||
return;
|
||||
}
|
||||
lock_rw_wrlock(&node->lock);
|
||||
if(a == RPZ_LOCAL_DATA_ACTION) {
|
||||
/* remove RR, signal whether entry can be removed */
|
||||
delete_node = rpz_remove_clientip_rr(node, rr_type, rdatawl,
|
||||
rdatalen);
|
||||
} else if(a != node->action) {
|
||||
/* ignore the RR with different action specification */
|
||||
delete_node = 0;
|
||||
}
|
||||
if(delete_node) {
|
||||
rbtree_delete(&set->entries, node->node.node.key);
|
||||
}
|
||||
lock_rw_unlock(&set->lock);
|
||||
lock_rw_unlock(&node->lock);
|
||||
if(delete_node) {
|
||||
lock_rw_destroy(&node->lock);
|
||||
}
|
||||
}
|
||||
|
||||
/** Remove clientip trigger RR from RPZ. */
|
||||
static void
|
||||
rpz_remove_clientip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
|
||||
enum rpz_action a, uint16_t rr_type, uint8_t* rdatawl, size_t rdatalen)
|
||||
{
|
||||
struct sockaddr_storage addr;
|
||||
socklen_t addrlen;
|
||||
int net, af;
|
||||
if(a == RPZ_INVALID_ACTION)
|
||||
return;
|
||||
if(!netblockdnametoaddr(dname, dnamelen, &addr, &addrlen, &net, &af))
|
||||
return;
|
||||
rpz_clientip_remove_trigger_rr(r->client_set, &addr, addrlen, net,
|
||||
a, rr_type, rdatawl, rdatalen);
|
||||
}
|
||||
|
||||
/** Remove nsip trigger RR from RPZ. */
|
||||
static void
|
||||
rpz_remove_nsip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
|
||||
enum rpz_action a, uint16_t rr_type, uint8_t* rdatawl, size_t rdatalen)
|
||||
{
|
||||
struct sockaddr_storage addr;
|
||||
socklen_t addrlen;
|
||||
int net, af;
|
||||
if(a == RPZ_INVALID_ACTION)
|
||||
return;
|
||||
if(!netblockdnametoaddr(dname, dnamelen, &addr, &addrlen, &net, &af))
|
||||
return;
|
||||
rpz_clientip_remove_trigger_rr(r->ns_set, &addr, addrlen, net,
|
||||
a, rr_type, rdatawl, rdatalen);
|
||||
}
|
||||
|
||||
/** Remove nsdname trigger RR from RPZ. */
|
||||
static void
|
||||
rpz_remove_nsdname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
|
||||
enum rpz_action a, uint16_t rr_type, uint16_t rr_class,
|
||||
uint8_t* rdatawl, size_t rdatalen)
|
||||
{
|
||||
uint8_t* dname_stripped = NULL;
|
||||
size_t dnamelen_stripped = 0;
|
||||
if(a == RPZ_INVALID_ACTION)
|
||||
return;
|
||||
if(!rpz_strip_nsdname_suffix(dname, dnamelen, &dname_stripped,
|
||||
&dnamelen_stripped))
|
||||
return;
|
||||
rpz_remove_local_zones_trigger(r->nsdname_zones, dname_stripped,
|
||||
dnamelen_stripped, a, rr_type, rr_class, rdatawl, rdatalen);
|
||||
free(dname_stripped);
|
||||
}
|
||||
|
||||
void
|
||||
rpz_remove_rr(struct rpz* r, size_t aznamelen, uint8_t* dname, size_t dnamelen,
|
||||
uint16_t rr_type, uint16_t rr_class, uint8_t* rdatawl, size_t rdatalen)
|
||||
rpz_remove_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname,
|
||||
size_t dnamelen, uint16_t rr_type, uint16_t rr_class, uint8_t* rdatawl,
|
||||
size_t rdatalen)
|
||||
{
|
||||
size_t policydnamelen;
|
||||
enum rpz_trigger t;
|
||||
enum rpz_action a;
|
||||
uint8_t* policydname;
|
||||
|
||||
if(rpz_type_ignored(rr_type)) {
|
||||
/* this rpz action is not valid, eg. this is the SOA or NS RR */
|
||||
return;
|
||||
}
|
||||
if(!dname_subdomain_c(dname, azname)) {
|
||||
/* not subdomain of the RPZ zone. */
|
||||
return;
|
||||
}
|
||||
|
||||
if(!(policydname = calloc(1, LDNS_MAX_DOMAINLEN + 1)))
|
||||
return;
|
||||
|
||||
|
@ -1358,13 +1527,28 @@ rpz_remove_rr(struct rpz* r, size_t aznamelen, uint8_t* dname, size_t dnamelen,
|
|||
return;
|
||||
}
|
||||
t = rpz_dname_to_trigger(policydname, policydnamelen);
|
||||
if(t == RPZ_INVALID_TRIGGER) {
|
||||
/* skipping invalid trigger */
|
||||
free(policydname);
|
||||
return;
|
||||
}
|
||||
if(t == RPZ_QNAME_TRIGGER) {
|
||||
rpz_remove_qname_trigger(r, policydname, policydnamelen, a,
|
||||
rr_type, rr_class, rdatawl, rdatalen);
|
||||
} else if(t == RPZ_RESPONSE_IP_TRIGGER) {
|
||||
rpz_remove_response_ip_trigger(r, policydname, policydnamelen,
|
||||
a, rr_type, rdatawl, rdatalen);
|
||||
} else if(t == RPZ_CLIENT_IP_TRIGGER) {
|
||||
rpz_remove_clientip_trigger(r, policydname, policydnamelen, a,
|
||||
rr_type, rdatawl, rdatalen);
|
||||
} else if(t == RPZ_NSIP_TRIGGER) {
|
||||
rpz_remove_nsip_trigger(r, policydname, policydnamelen, a,
|
||||
rr_type, rdatawl, rdatalen);
|
||||
} else if(t == RPZ_NSDNAME_TRIGGER) {
|
||||
rpz_remove_nsdname_trigger(r, policydname, policydnamelen, a,
|
||||
rr_type, rr_class, rdatawl, rdatalen);
|
||||
}
|
||||
/* else it was an unsupported trigger, also skipped. */
|
||||
free(policydname);
|
||||
}
|
||||
|
||||
|
@ -1563,21 +1747,6 @@ rpz_local_encode(struct module_env* env, struct query_info* qinfo,
|
|||
return 1;
|
||||
}
|
||||
|
||||
static struct local_rrset*
|
||||
rpz_find_synthesized_rrset(uint16_t qtype,
|
||||
struct clientip_synthesized_rr* data)
|
||||
{
|
||||
struct local_rrset* cursor = data->data;
|
||||
while( cursor != NULL) {
|
||||
struct packed_rrset_key* packed_rrset = &cursor->rrset->rk;
|
||||
if(htons(qtype) == packed_rrset->type) {
|
||||
return cursor;
|
||||
}
|
||||
cursor = cursor->next;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/** allocate SOA record ubrrsetkey in region */
|
||||
static struct ub_packed_rrset_key*
|
||||
make_soa_ubrrset(struct auth_zone* auth_zone, struct auth_rrset* soa,
|
||||
|
@ -1713,7 +1882,8 @@ rpz_synthesize_nodata(struct rpz* ATTR_UNUSED(r), struct module_qstate* ms,
|
|||
0, /* ns */
|
||||
0, /* ar */
|
||||
0, /* total */
|
||||
sec_status_insecure);
|
||||
sec_status_insecure,
|
||||
LDNS_EDE_NONE);
|
||||
if(msg->rep)
|
||||
msg->rep->authoritative = 1;
|
||||
if(!rpz_add_soa(msg->rep, ms, az))
|
||||
|
@ -1742,7 +1912,8 @@ rpz_synthesize_nxdomain(struct rpz* r, struct module_qstate* ms,
|
|||
0, /* ns */
|
||||
0, /* ar */
|
||||
0, /* total */
|
||||
sec_status_insecure);
|
||||
sec_status_insecure,
|
||||
LDNS_EDE_NONE);
|
||||
if(msg->rep)
|
||||
msg->rep->authoritative = 1;
|
||||
if(!rpz_add_soa(msg->rep, ms, az))
|
||||
|
@ -1772,7 +1943,8 @@ rpz_synthesize_localdata_from_rrset(struct rpz* ATTR_UNUSED(r), struct module_qs
|
|||
0, /* ns */
|
||||
0, /* ar */
|
||||
1, /* total */
|
||||
sec_status_insecure);
|
||||
sec_status_insecure,
|
||||
LDNS_EDE_NONE);
|
||||
if(new_reply_info == NULL) {
|
||||
log_err("out of memory");
|
||||
return NULL;
|
||||
|
|
|
@ -84,10 +84,11 @@ enum rpz_action {
|
|||
RPZ_CNAME_OVERRIDE_ACTION, /* RPZ CNAME action override*/
|
||||
};
|
||||
|
||||
struct clientip_synthesized_rrset{
|
||||
struct clientip_synthesized_rrset {
|
||||
struct regional* region;
|
||||
struct rbtree_type entries;
|
||||
lock_rw_type lock; /* lock on the respip tree */
|
||||
/** lock on the entries tree */
|
||||
lock_rw_type lock;
|
||||
};
|
||||
|
||||
struct clientip_synthesized_rr {
|
||||
|
@ -95,10 +96,6 @@ struct clientip_synthesized_rr {
|
|||
struct addr_tree_node node;
|
||||
/** lock on the node item */
|
||||
lock_rw_type lock;
|
||||
/** tag bitlist */
|
||||
uint8_t* taglist;
|
||||
/** length of the taglist (in bytes) */
|
||||
size_t taglen;
|
||||
/** action for this address span */
|
||||
enum rpz_action action;
|
||||
/** "local data" for this node */
|
||||
|
@ -152,6 +149,7 @@ int rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dna
|
|||
/**
|
||||
* Delete policy matching RR, used for IXFR.
|
||||
* @param r: the rpz to add the policy to.
|
||||
* @param azname: dname of the auth-zone
|
||||
* @param aznamelen: the length of the auth-zone name
|
||||
* @param dname: dname of the RR
|
||||
* @param dnamelen: length of the dname
|
||||
|
@ -160,9 +158,9 @@ int rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dna
|
|||
* @param rdatawl: rdata of the RR, prepended with the rdata size
|
||||
* @param rdatalen: length if the RR, including the prepended rdata size
|
||||
*/
|
||||
void rpz_remove_rr(struct rpz* r, size_t aznamelen, uint8_t* dname,
|
||||
size_t dnamelen, uint16_t rr_type, uint16_t rr_class, uint8_t* rdatawl,
|
||||
size_t rdatalen);
|
||||
void rpz_remove_rr(struct rpz* r, uint8_t* azname, size_t aznamelen,
|
||||
uint8_t* dname, size_t dnamelen, uint16_t rr_type, uint16_t rr_class,
|
||||
uint8_t* rdatawl, size_t rdatalen);
|
||||
|
||||
/**
|
||||
* Walk over the RPZ zones to find and apply a QNAME trigger policy.
|
||||
|
|
|
@ -702,7 +702,11 @@ sldns_get_rr_type_by_name(const char *name)
|
|||
|
||||
/* TYPEXX representation */
|
||||
if (strlen(name) > 4 && strncasecmp(name, "TYPE", 4) == 0) {
|
||||
return atoi(name + 4);
|
||||
unsigned int a = atoi(name + 4);
|
||||
if (a > LDNS_RR_TYPE_LAST) {
|
||||
return (enum sldns_enum_rr_type)0;
|
||||
}
|
||||
return a;
|
||||
}
|
||||
|
||||
/* Normal types */
|
||||
|
@ -740,7 +744,11 @@ sldns_get_rr_class_by_name(const char *name)
|
|||
|
||||
/* CLASSXX representation */
|
||||
if (strlen(name) > 5 && strncasecmp(name, "CLASS", 5) == 0) {
|
||||
return atoi(name + 5);
|
||||
unsigned int a = atoi(name + 5);
|
||||
if (a > LDNS_RR_CLASS_LAST) {
|
||||
return (enum sldns_enum_rr_class)0;
|
||||
}
|
||||
return a;
|
||||
}
|
||||
|
||||
/* Normal types */
|
||||
|
|
|
@ -433,10 +433,12 @@ enum sldns_enum_edns_option
|
|||
LDNS_EDNS_DHU = 6, /* RFC6975 */
|
||||
LDNS_EDNS_N3U = 7, /* RFC6975 */
|
||||
LDNS_EDNS_CLIENT_SUBNET = 8, /* RFC7871 */
|
||||
LDNS_EDNS_COOKIE = 10, /* RFC7873 */
|
||||
LDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/
|
||||
LDNS_EDNS_PADDING = 12, /* RFC7830 */
|
||||
LDNS_EDNS_EDE = 15, /* RFC8914 */
|
||||
LDNS_EDNS_CLIENT_TAG = 16 /* draft-bellis-dnsop-edns-tags-01 */
|
||||
LDNS_EDNS_CLIENT_TAG = 16, /* draft-bellis-dnsop-edns-tags-01 */
|
||||
LDNS_EDNS_UNBOUND_CACHEDB_TESTFRAME_TEST = 65534
|
||||
};
|
||||
typedef enum sldns_enum_edns_option sldns_edns_option;
|
||||
|
||||
|
@ -482,6 +484,9 @@ typedef enum sldns_enum_ede_code sldns_ede_code;
|
|||
#define LDNS_TSIG_ERROR_BADNAME 20
|
||||
#define LDNS_TSIG_ERROR_BADALG 21
|
||||
|
||||
/** DNS Cookie extended rcode */
|
||||
#define LDNS_EXT_RCODE_BADCOOKIE 23
|
||||
|
||||
/**
|
||||
* Contains all information about resource record types.
|
||||
*
|
||||
|
|
|
@ -357,7 +357,7 @@ rrinternal_get_delims(sldns_rdf_type rdftype, size_t r_cnt, size_t r_max)
|
|||
break;
|
||||
default : break;
|
||||
}
|
||||
return "\n\t ";
|
||||
return "\n\t ";
|
||||
}
|
||||
|
||||
/* Syntactic sugar for sldns_rr_new_frm_str_internal */
|
||||
|
@ -448,7 +448,7 @@ rrinternal_parse_unknown(sldns_buffer* strbuf, char* token, size_t token_len,
|
|||
sldns_buffer_position(strbuf));
|
||||
}
|
||||
hex_data_size = (size_t)atoi(token);
|
||||
if(hex_data_size > LDNS_MAX_RDFLEN ||
|
||||
if(hex_data_size > LDNS_MAX_RDFLEN ||
|
||||
*rr_cur_len + hex_data_size > *rr_len) {
|
||||
return RET_ERR(LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
|
||||
sldns_buffer_position(strbuf));
|
||||
|
@ -567,7 +567,7 @@ sldns_parse_rdf_token(sldns_buffer* strbuf, char* token, size_t token_len,
|
|||
/* check if not quoted yet, and we have encountered quotes */
|
||||
if(!*quoted && sldns_rdf_type_maybe_quoted(rdftype) &&
|
||||
slen >= 2 &&
|
||||
(token[0] == '"' || token[0] == '\'') &&
|
||||
(token[0] == '"' || token[0] == '\'') &&
|
||||
(token[slen-1] == '"' || token[slen-1] == '\'')) {
|
||||
/* move token two smaller (quotes) with endnull */
|
||||
memmove(token, token+1, slen-2);
|
||||
|
@ -698,7 +698,7 @@ static int sldns_str2wire_check_svcbparams(uint8_t* rdata, uint16_t rdata_len)
|
|||
mandatory = svcparams[i];
|
||||
}
|
||||
|
||||
/* 4. verify that all the SvcParamKeys in mandatory are present */
|
||||
/* Verify that all the SvcParamKeys in mandatory are present */
|
||||
if(mandatory) {
|
||||
/* Divide by sizeof(uint16_t)*/
|
||||
uint16_t mandatory_nkeys = sldns_read_uint16(mandatory + 2) / sizeof(uint16_t);
|
||||
|
@ -785,7 +785,7 @@ rrinternal_parse_rdata(sldns_buffer* strbuf, char* token, size_t token_len,
|
|||
token[2]=='\t')) {
|
||||
was_unknown_rr_format = 1;
|
||||
if((status=rrinternal_parse_unknown(strbuf, token,
|
||||
token_len, rr, rr_len, &rr_cur_len,
|
||||
token_len, rr, rr_len, &rr_cur_len,
|
||||
pre_data_pos)) != 0)
|
||||
return status;
|
||||
} else if(token_strlen > 0 || quoted) {
|
||||
|
@ -844,7 +844,7 @@ rrinternal_parse_rdata(sldns_buffer* strbuf, char* token, size_t token_len,
|
|||
if (rr_type == LDNS_RR_TYPE_SVCB || rr_type == LDNS_RR_TYPE_HTTPS) {
|
||||
size_t rdata_len = rr_cur_len - dname_len - 10;
|
||||
uint8_t *rdata = rr+dname_len + 10;
|
||||
|
||||
|
||||
/* skip 1st rdata field SvcPriority (uint16_t) */
|
||||
if (rdata_len < sizeof(uint16_t))
|
||||
return LDNS_WIREPARSE_ERR_OK;
|
||||
|
@ -1123,36 +1123,40 @@ sldns_str2wire_svcparam_key_lookup(const char *key, size_t key_len)
|
|||
return key_value;
|
||||
|
||||
} else switch (key_len) {
|
||||
case sizeof("mandatory")-1:
|
||||
if (!strncmp(key, "mandatory", sizeof("mandatory")-1))
|
||||
return SVCB_KEY_MANDATORY;
|
||||
if (!strncmp(key, "echconfig", sizeof("echconfig")-1))
|
||||
return SVCB_KEY_ECH; /* allow "echconfig" as well as "ech" */
|
||||
case 3:
|
||||
if (!strncmp(key, "ech", key_len))
|
||||
return SVCB_KEY_ECH;
|
||||
break;
|
||||
|
||||
case sizeof("alpn")-1:
|
||||
if (!strncmp(key, "alpn", sizeof("alpn")-1))
|
||||
case 4:
|
||||
if (!strncmp(key, "alpn", key_len))
|
||||
return SVCB_KEY_ALPN;
|
||||
if (!strncmp(key, "port", sizeof("port")-1))
|
||||
if (!strncmp(key, "port", key_len))
|
||||
return SVCB_KEY_PORT;
|
||||
break;
|
||||
|
||||
case sizeof("no-default-alpn")-1:
|
||||
if (!strncmp( key , "no-default-alpn"
|
||||
, sizeof("no-default-alpn")-1))
|
||||
return SVCB_KEY_NO_DEFAULT_ALPN;
|
||||
case 7:
|
||||
if (!strncmp(key, "dohpath", key_len))
|
||||
return SVCB_KEY_DOHPATH;
|
||||
break;
|
||||
|
||||
case sizeof("ipv4hint")-1:
|
||||
if (!strncmp(key, "ipv4hint", sizeof("ipv4hint")-1))
|
||||
case 8:
|
||||
if (!strncmp(key, "ipv4hint", key_len))
|
||||
return SVCB_KEY_IPV4HINT;
|
||||
if (!strncmp(key, "ipv6hint", sizeof("ipv6hint")-1))
|
||||
if (!strncmp(key, "ipv6hint", key_len))
|
||||
return SVCB_KEY_IPV6HINT;
|
||||
break;
|
||||
|
||||
case sizeof("ech")-1:
|
||||
if (!strncmp(key, "ech", sizeof("ech")-1))
|
||||
return SVCB_KEY_ECH;
|
||||
case 9:
|
||||
if (!strncmp(key, "mandatory", key_len))
|
||||
return SVCB_KEY_MANDATORY;
|
||||
if (!strncmp(key, "echconfig", key_len))
|
||||
return SVCB_KEY_ECH; /* allow "echconfig" as well as "ech" */
|
||||
break;
|
||||
|
||||
case 15:
|
||||
if (!strncmp(key, "no-default-alpn", key_len))
|
||||
return SVCB_KEY_NO_DEFAULT_ALPN;
|
||||
break;
|
||||
|
||||
default:
|
||||
|
@ -1477,7 +1481,7 @@ sldns_str2wire_svcbparam_alpn_value(const char* val,
|
|||
size_t str_len;
|
||||
size_t dst_len;
|
||||
size_t val_len;
|
||||
|
||||
|
||||
val_len = strlen(val);
|
||||
|
||||
if (val_len > sizeof(unescaped_dst)) {
|
||||
|
@ -1511,7 +1515,34 @@ sldns_str2wire_svcbparam_alpn_value(const char* val,
|
|||
sldns_write_uint16(rd + 2, dst_len);
|
||||
memcpy(rd + 4, unescaped_dst, dst_len);
|
||||
*rd_len = 4 + dst_len;
|
||||
|
||||
|
||||
return LDNS_WIREPARSE_ERR_OK;
|
||||
}
|
||||
|
||||
static int
|
||||
sldns_str2wire_svcbparam_dohpath_value(const char* val,
|
||||
uint8_t* rd, size_t* rd_len)
|
||||
{
|
||||
size_t val_len;
|
||||
|
||||
/* RFC6570#section-2.1
|
||||
* "The characters outside of expressions in a URI Template string are
|
||||
* intended to be copied literally"
|
||||
* Practically this means we do not have to look for "double escapes"
|
||||
* like in the alpn value list.
|
||||
*/
|
||||
|
||||
val_len = strlen(val);
|
||||
|
||||
if (*rd_len < 4 + val_len) {
|
||||
return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
|
||||
}
|
||||
|
||||
sldns_write_uint16(rd, SVCB_KEY_DOHPATH);
|
||||
sldns_write_uint16(rd + 2, val_len);
|
||||
memcpy(rd + 4, val, val_len);
|
||||
*rd_len = 4 + val_len;
|
||||
|
||||
return LDNS_WIREPARSE_ERR_OK;
|
||||
}
|
||||
|
||||
|
@ -1535,6 +1566,7 @@ sldns_str2wire_svcparam_value(const char *key, size_t key_len,
|
|||
case SVCB_KEY_PORT:
|
||||
case SVCB_KEY_IPV4HINT:
|
||||
case SVCB_KEY_IPV6HINT:
|
||||
case SVCB_KEY_DOHPATH:
|
||||
return LDNS_WIREPARSE_ERR_SVCB_MISSING_PARAM;
|
||||
#endif
|
||||
default:
|
||||
|
@ -1566,6 +1598,8 @@ sldns_str2wire_svcparam_value(const char *key, size_t key_len,
|
|||
return sldns_str2wire_svcbparam_ech_value(val, rd, rd_len);
|
||||
case SVCB_KEY_ALPN:
|
||||
return sldns_str2wire_svcbparam_alpn_value(val, rd, rd_len);
|
||||
case SVCB_KEY_DOHPATH:
|
||||
return sldns_str2wire_svcbparam_dohpath_value(val, rd, rd_len);
|
||||
default:
|
||||
str_len = strlen(val);
|
||||
if (*rd_len < 4 + str_len)
|
||||
|
@ -1593,7 +1627,7 @@ static int sldns_str2wire_svcparam_buf(const char* str, uint8_t* rd, size_t* rd_
|
|||
/* case: key=value */
|
||||
if (eq_pos != NULL && eq_pos[1]) {
|
||||
val_in = eq_pos + 1;
|
||||
|
||||
|
||||
/* unescape characters and "" blocks */
|
||||
if (*val_in == '"') {
|
||||
val_in++;
|
||||
|
@ -1610,11 +1644,11 @@ static int sldns_str2wire_svcparam_buf(const char* str, uint8_t* rd, size_t* rd_
|
|||
}
|
||||
*val_out = 0;
|
||||
|
||||
return sldns_str2wire_svcparam_value(str, eq_pos - str,
|
||||
unescaped_val[0] ? unescaped_val : NULL, rd, rd_len);
|
||||
return sldns_str2wire_svcparam_value(str, eq_pos - str,
|
||||
unescaped_val[0] ? unescaped_val : NULL, rd, rd_len);
|
||||
}
|
||||
/* case: key= */
|
||||
else if (eq_pos != NULL && !(eq_pos[1])) {
|
||||
else if (eq_pos != NULL && !(eq_pos[1])) {
|
||||
return sldns_str2wire_svcparam_value(str, eq_pos - str, NULL, rd, rd_len);
|
||||
}
|
||||
/* case: key */
|
||||
|
|
|
@ -38,7 +38,8 @@ struct sldns_struct_lookup_table;
|
|||
#define SVCB_KEY_IPV4HINT 4
|
||||
#define SVCB_KEY_ECH 5
|
||||
#define SVCB_KEY_IPV6HINT 6
|
||||
#define SVCPARAMKEY_COUNT 7
|
||||
#define SVCB_KEY_DOHPATH 7
|
||||
#define SVCPARAMKEY_COUNT 8
|
||||
|
||||
#define MAX_NUMBER_OF_SVCPARAMS 64
|
||||
|
||||
|
@ -236,6 +237,7 @@ uint8_t* sldns_wirerr_get_rdatawl(uint8_t* rr, size_t len, size_t dname_len);
|
|||
#define LDNS_WIREPARSE_ERR_SVCB_NO_DEFAULT_ALPN_VALUE 385
|
||||
#define LDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA 386
|
||||
|
||||
|
||||
/**
|
||||
* Get reference to a constant string for the (parse) error.
|
||||
* @param e: error return value
|
||||
|
|
|
@ -159,7 +159,7 @@ static sldns_lookup_table sldns_wireparse_errors_data[] = {
|
|||
"Mandatory SvcParamKey is missing"},
|
||||
{ LDNS_WIREPARSE_ERR_SVCB_MANDATORY_DUPLICATE_KEY,
|
||||
"Keys in SvcParam mandatory MUST be unique" },
|
||||
{ LDNS_WIREPARSE_ERR_SVCB_MANDATORY_IN_MANDATORY,
|
||||
{ LDNS_WIREPARSE_ERR_SVCB_MANDATORY_IN_MANDATORY,
|
||||
"mandatory MUST not be included as mandatory parameter" },
|
||||
{ LDNS_WIREPARSE_ERR_SVCB_PORT_VALUE_SYNTAX,
|
||||
"Could not parse port SvcParamValue" },
|
||||
|
@ -224,7 +224,7 @@ sldns_lookup_table* sldns_tsig_errors = sldns_tsig_errors_data;
|
|||
/* draft-ietf-dnsop-svcb-https-06: 6. Initial SvcParamKeys */
|
||||
const char *svcparamkey_strs[] = {
|
||||
"mandatory", "alpn", "no-default-alpn", "port",
|
||||
"ipv4hint", "ech", "ipv6hint"
|
||||
"ipv4hint", "ech", "ipv6hint", "dohpath"
|
||||
};
|
||||
|
||||
char* sldns_wire2str_pkt(uint8_t* data, size_t len)
|
||||
|
@ -487,7 +487,7 @@ int sldns_wire2str_rr_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
|
|||
uint8_t* rr = *d;
|
||||
size_t rrlen = *dlen, dname_off, rdlen, ordlen;
|
||||
uint16_t rrtype = 0;
|
||||
|
||||
|
||||
if(*dlen >= 3 && (*d)[0]==0 &&
|
||||
sldns_read_uint16((*d)+1)==LDNS_RR_TYPE_OPT) {
|
||||
/* perform EDNS OPT processing */
|
||||
|
@ -1119,7 +1119,7 @@ static int sldns_wire2str_svcparam_alpn2str(char** s,
|
|||
w += sldns_str_print(s, slen, "%s", ",");
|
||||
}
|
||||
w += sldns_str_print(s, slen, "\"");
|
||||
|
||||
|
||||
return w;
|
||||
}
|
||||
|
||||
|
@ -1139,7 +1139,7 @@ static int sldns_wire2str_svcparam_ech2str(char** s,
|
|||
(*s) += size;
|
||||
(*slen) -= size;
|
||||
|
||||
w += sldns_str_print(s, slen, "\"");
|
||||
w += sldns_str_print(s, slen, "\"");
|
||||
|
||||
return w + size;
|
||||
}
|
||||
|
@ -1162,7 +1162,7 @@ int sldns_wire2str_svcparam_scan(uint8_t** d, size_t* dlen, char** s, size_t* sl
|
|||
|
||||
/* verify that we have data_len data */
|
||||
if (data_len > *dlen)
|
||||
return -1;
|
||||
return -1;
|
||||
|
||||
written_chars += sldns_print_svcparamkey(s, slen, svcparamkey);
|
||||
if (!data_len) {
|
||||
|
@ -1174,6 +1174,7 @@ int sldns_wire2str_svcparam_scan(uint8_t** d, size_t* dlen, char** s, size_t* sl
|
|||
case SVCB_KEY_IPV4HINT:
|
||||
case SVCB_KEY_IPV6HINT:
|
||||
case SVCB_KEY_MANDATORY:
|
||||
case SVCB_KEY_DOHPATH:
|
||||
return -1;
|
||||
default:
|
||||
return written_chars;
|
||||
|
@ -1201,6 +1202,8 @@ int sldns_wire2str_svcparam_scan(uint8_t** d, size_t* dlen, char** s, size_t* sl
|
|||
case SVCB_KEY_ECH:
|
||||
r = sldns_wire2str_svcparam_ech2str(s, slen, data_len, *d);
|
||||
break;
|
||||
case SVCB_KEY_DOHPATH:
|
||||
/* fallthrough */
|
||||
default:
|
||||
r = sldns_str_print(s, slen, "=\"");
|
||||
|
||||
|
@ -1222,7 +1225,7 @@ int sldns_wire2str_svcparam_scan(uint8_t** d, size_t* dlen, char** s, size_t* sl
|
|||
}
|
||||
if (r <= 0)
|
||||
return -1; /* wireformat error */
|
||||
|
||||
|
||||
written_chars += r;
|
||||
*d += data_len;
|
||||
*dlen -= data_len;
|
||||
|
@ -1551,7 +1554,7 @@ int sldns_wire2str_nsec_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
|
|||
unsigned i, bit, window, block_len;
|
||||
uint16_t t;
|
||||
int w = 0;
|
||||
|
||||
|
||||
/* check for errors */
|
||||
while(pl) {
|
||||
if(pl < 2) return -1;
|
||||
|
|
|
@ -1582,8 +1582,7 @@ xml_parse_setup(XML_Parser parser, struct xml_data* data, time_t now)
|
|||
|
||||
/**
|
||||
* Perform XML parsing of the root-anchors file
|
||||
* Its format description can be read here
|
||||
* https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt
|
||||
* Its format description can be found in RFC 7958.
|
||||
* It uses libexpat.
|
||||
* @param xml: BIO with xml data.
|
||||
* @param now: the current time for checking DS validity periods.
|
||||
|
|
|
@ -714,7 +714,7 @@ morechecks(struct config_file* cfg)
|
|||
cfg->chrootdir, cfg);
|
||||
}
|
||||
#endif
|
||||
/* remove chroot setting so that modules are not stripping pathnames*/
|
||||
/* remove chroot setting so that modules are not stripping pathnames */
|
||||
free(cfg->chrootdir);
|
||||
cfg->chrootdir = NULL;
|
||||
|
||||
|
|
|
@ -4,22 +4,22 @@
|
|||
* Copyright (c) 2008, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
|
@ -59,6 +59,7 @@
|
|||
#include "util/locks.h"
|
||||
#include "util/net_help.h"
|
||||
#include "util/shm_side/shm_main.h"
|
||||
#include "util/timeval_func.h"
|
||||
#include "daemon/stats.h"
|
||||
#include "sldns/wire2str.h"
|
||||
#include "sldns/pkthdr.h"
|
||||
|
@ -186,31 +187,6 @@ usage(void)
|
|||
#ifdef HAVE_SHMGET
|
||||
/** what to put on statistics lines between var and value, ": " or "=" */
|
||||
#define SQ "="
|
||||
/** divide sum of timers to get average */
|
||||
static void
|
||||
timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
size_t leftover;
|
||||
if(d <= 0) {
|
||||
avg->tv_sec = 0;
|
||||
avg->tv_usec = 0;
|
||||
return;
|
||||
}
|
||||
avg->tv_sec = sum->tv_sec / d;
|
||||
avg->tv_usec = sum->tv_usec / d;
|
||||
/* handle fraction from seconds divide */
|
||||
leftover = sum->tv_sec - avg->tv_sec*d;
|
||||
if(leftover <= 0)
|
||||
leftover = 0;
|
||||
avg->tv_usec += (((long long)leftover)*((long long)1000000))/d;
|
||||
if(avg->tv_sec < 0)
|
||||
avg->tv_sec = 0;
|
||||
if(avg->tv_usec < 0)
|
||||
avg->tv_usec = 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
/** print unsigned long stats value */
|
||||
#define PR_UL_NM(str, var) printf("%s."str SQ"%lu\n", nm, (unsigned long)(var));
|
||||
#define PR_UL(str, var) printf(str SQ"%lu\n", (unsigned long)(var));
|
||||
|
@ -226,12 +202,20 @@ static void pr_stats(const char* nm, struct ub_stats_info* s)
|
|||
{
|
||||
struct timeval sumwait, avg;
|
||||
PR_UL_NM("num.queries", s->svr.num_queries);
|
||||
PR_UL_NM("num.queries_ip_ratelimited",
|
||||
PR_UL_NM("num.queries_ip_ratelimited",
|
||||
s->svr.num_queries_ip_ratelimited);
|
||||
PR_UL_NM("num.queries_cookie_valid",
|
||||
s->svr.num_queries_cookie_valid);
|
||||
PR_UL_NM("num.queries_cookie_client",
|
||||
s->svr.num_queries_cookie_client);
|
||||
PR_UL_NM("num.queries_cookie_invalid",
|
||||
s->svr.num_queries_cookie_invalid);
|
||||
PR_UL_NM("num.cachehits",
|
||||
s->svr.num_queries - s->svr.num_queries_missed_cache);
|
||||
PR_UL_NM("num.cachemiss", s->svr.num_queries_missed_cache);
|
||||
PR_UL_NM("num.prefetch", s->svr.num_queries_prefetch);
|
||||
PR_UL_NM("num.queries_timed_out", s->svr.num_queries_timed_out);
|
||||
PR_UL_NM("query.queue_time_us.max", s->svr.max_query_time_us);
|
||||
PR_UL_NM("num.expired", s->svr.ans_expired);
|
||||
PR_UL_NM("num.recursivereplies", s->mesh_replies_sent);
|
||||
#ifdef USE_DNSCRYPT
|
||||
|
@ -403,6 +387,9 @@ static void print_extended(struct ub_stats_info* s, int inhibit_zero)
|
|||
PR_UL("rrset.cache.count", s->svr.rrset_cache_count);
|
||||
PR_UL("infra.cache.count", s->svr.infra_cache_count);
|
||||
PR_UL("key.cache.count", s->svr.key_cache_count);
|
||||
/* max collisions */
|
||||
PR_UL("msg.cache.max_collisions", s->svr.msg_cache_max_collisions);
|
||||
PR_UL("rrset.cache.max_collisions", s->svr.rrset_cache_max_collisions);
|
||||
/* applied RPZ actions */
|
||||
for(i=0; i<UB_STATS_RPZ_ACTION_NUM; i++) {
|
||||
if(i == RPZ_NO_OVERRIDE_ACTION)
|
||||
|
@ -426,6 +413,9 @@ static void print_extended(struct ub_stats_info* s, int inhibit_zero)
|
|||
PR_UL("num.query.subnet", s->svr.num_query_subnet);
|
||||
PR_UL("num.query.subnet_cache", s->svr.num_query_subnet_cache);
|
||||
#endif
|
||||
#ifdef USE_CACHEDB
|
||||
PR_UL("num.query.cachedb", s->svr.num_query_cachedb);
|
||||
#endif
|
||||
}
|
||||
|
||||
/** print statistics out of memory structures */
|
||||
|
@ -989,7 +979,7 @@ int main(int argc, char* argv[])
|
|||
fatal_exit("could not exec unbound: %s",
|
||||
strerror(ENOSYS));
|
||||
#else
|
||||
if(execlp("unbound", "unbound", "-c", cfgfile,
|
||||
if(execlp("unbound", "unbound", "-c", cfgfile,
|
||||
(char*)NULL) < 0) {
|
||||
fatal_exit("could not exec unbound: %s",
|
||||
strerror(errno));
|
||||
|
|
|
@ -482,6 +482,7 @@ int main(int argc, char* argv[])
|
|||
case '?':
|
||||
case 'h':
|
||||
default:
|
||||
ub_ctx_delete(ctx);
|
||||
usage();
|
||||
}
|
||||
}
|
||||
|
@ -495,8 +496,10 @@ int main(int argc, char* argv[])
|
|||
}
|
||||
argc -= optind;
|
||||
argv += optind;
|
||||
if(argc != 1)
|
||||
if(argc != 1) {
|
||||
ub_ctx_delete(ctx);
|
||||
usage();
|
||||
}
|
||||
|
||||
#ifdef HAVE_SSL
|
||||
#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
|
||||
|
|
14
contrib/unbound/testdata/00-lint.tdir/00-lint.pre
vendored
Normal file
14
contrib/unbound/testdata/00-lint.tdir/00-lint.pre
vendored
Normal file
|
@ -0,0 +1,14 @@
|
|||
# #-- 00-lint.pre--#
|
||||
# source the master var file when it's there
|
||||
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
|
||||
# use .tpkg.var.test for in test variable passing
|
||||
[ -f .tpkg.var.test ] && source .tpkg.var.test
|
||||
|
||||
. ../common.sh
|
||||
PRE="../.."
|
||||
|
||||
if test -f $PRE/unbound_test_00-lint ; then
|
||||
echo test enabled
|
||||
else
|
||||
skip_test "test skipped; clang linter preferred over splint"
|
||||
fi
|
91
contrib/unbound/testdata/cachedb_cached_ede.crpl
vendored
Normal file
91
contrib/unbound/testdata/cachedb_cached_ede.crpl
vendored
Normal file
|
@ -0,0 +1,91 @@
|
|||
; config options
|
||||
server:
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
qname-minimisation: no
|
||||
minimal-responses: no
|
||||
module-config: "cachedb validator iterator"
|
||||
trust-anchor-signaling: no
|
||||
verbosity: 4
|
||||
ede: yes
|
||||
val-log-level: 2
|
||||
trust-anchor: "example.nl. DS 50602 8 2 FA8EE175C47325F4BD46D8A4083C3EBEB11C977D689069F2B41F1A29B22446B1"
|
||||
|
||||
|
||||
cachedb:
|
||||
backend: "testframe"
|
||||
secret-seed: "testvalue"
|
||||
|
||||
stub-zone:
|
||||
name: "example.nl"
|
||||
stub-addr: 193.0.14.129
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test cachedb support for caching EDEs.
|
||||
|
||||
RANGE_BEGIN 0 10
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
example.nl. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
example.nl. IN A
|
||||
SECTION ANSWER
|
||||
example.nl. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; get the entry in cache.
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD DO
|
||||
SECTION QUESTION
|
||||
example.nl. IN A
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
FF FE ; option code = 65534 (LDNS_EDNS_UNBOUND_CACHEDB_TESTFRAME_TEST)
|
||||
00 00 ; option length
|
||||
HEX_EDNSDATA_END
|
||||
ENTRY_END
|
||||
|
||||
; get the answer for it
|
||||
STEP 10 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ede=9
|
||||
REPLY QR RD RA DO SERVFAIL
|
||||
SECTION QUESTION
|
||||
example.nl. IN A
|
||||
ENTRY_END
|
||||
|
||||
; query again for the cached entry
|
||||
STEP 20 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
example.nl. IN A
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
FF FE ; option code = 65534 (LDNS_EDNS_UNBOUND_CACHEDB_TESTFRAME_TEST)
|
||||
00 00 ; option length
|
||||
HEX_EDNSDATA_END
|
||||
ENTRY_END
|
||||
|
||||
; this must be a cached answer since stub is not answering in this range
|
||||
STEP 30 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ede=9
|
||||
REPLY QR RD RA DO SERVFAIL
|
||||
SECTION QUESTION
|
||||
example.nl. IN A
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
235
contrib/unbound/testdata/edns_downstream_cookies.rpl
vendored
Normal file
235
contrib/unbound/testdata/edns_downstream_cookies.rpl
vendored
Normal file
|
@ -0,0 +1,235 @@
|
|||
; config options
|
||||
server:
|
||||
answer-cookie: yes
|
||||
cookie-secret: "000102030405060708090a0b0c0d0e0f"
|
||||
access-control: 127.0.0.1 allow_cookie
|
||||
access-control: 1.2.3.4 allow
|
||||
local-data: "test. TXT test"
|
||||
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test downstream DNS Cookies
|
||||
|
||||
; Note: When a valid hash was required, it was generated by running this test
|
||||
; with an invalid one and checking the output for the valid one.
|
||||
; Actual hash generation is tested with unit tests.
|
||||
|
||||
; Query without a client cookie ...
|
||||
STEP 0 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
ENTRY_END
|
||||
; ... get TC and refused
|
||||
STEP 1 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA TC REFUSED
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
ENTRY_END
|
||||
|
||||
; Query without a client cookie on TCP ...
|
||||
STEP 10 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
MATCH TCP
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
ENTRY_END
|
||||
; ... get an answer
|
||||
STEP 11 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AA NOERROR
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
SECTION ANSWER
|
||||
test. IN TXT "test"
|
||||
ENTRY_END
|
||||
|
||||
; Query with only a client cookie ...
|
||||
STEP 20 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
00 0a ; Opcode 10
|
||||
00 08 ; Length 8
|
||||
31 32 33 34 35 36 37 38 ; Random bits
|
||||
HEX_EDNSDATA_END
|
||||
ENTRY_END
|
||||
; ... get BADCOOKIE and a new cookie
|
||||
STEP 21 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all server_cookie
|
||||
REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
ENTRY_END
|
||||
|
||||
; Query with an invalid cookie ...
|
||||
STEP 30 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
00 0a ; Opcode 10
|
||||
00 18 ; Length 24
|
||||
31 32 33 34 35 36 37 38 ; Random bits
|
||||
02 00 00 00 ; wrong version
|
||||
00 00 00 00 ; Timestamp
|
||||
31 32 33 34 35 36 37 38 ; wrong hash
|
||||
HEX_EDNSDATA_END
|
||||
ENTRY_END
|
||||
; ... get BADCOOKIE and a new cookie
|
||||
STEP 31 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all server_cookie
|
||||
REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
ENTRY_END
|
||||
|
||||
; Query with an invalid cookie from a non-cookie protected address ...
|
||||
STEP 40 QUERY ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
00 0a ; Opcode 10
|
||||
00 18 ; Length 24
|
||||
31 32 33 34 35 36 37 38 ; Random bits
|
||||
02 00 00 00 ; wrong version
|
||||
00 00 00 00 ; Timestamp
|
||||
31 32 33 34 35 36 37 38 ; wrong hash
|
||||
HEX_EDNSDATA_END
|
||||
ENTRY_END
|
||||
; ... get answer and a cookie
|
||||
STEP 41 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all server_cookie
|
||||
REPLY QR RD RA AA DO NOERROR
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
SECTION ANSWER
|
||||
test. IN TXT "test"
|
||||
ENTRY_END
|
||||
|
||||
; Query with a valid cookie ...
|
||||
STEP 50 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
00 0a ; Opcode 10
|
||||
00 18 ; Length 24
|
||||
31 32 33 34 35 36 37 38 ; Random bits
|
||||
01 00 00 00 ; Version/Reserved
|
||||
00 00 00 00 ; Timestamp
|
||||
38 52 7b a8 c6 a4 ea 96 ; Hash
|
||||
HEX_EDNSDATA_END
|
||||
ENTRY_END
|
||||
; ... get answer and the cookie
|
||||
STEP 51 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all server_cookie
|
||||
REPLY QR RD RA AA DO NOERROR
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
SECTION ANSWER
|
||||
test. IN TXT "test"
|
||||
ENTRY_END
|
||||
|
||||
; Query with a valid >30 minutes old cookie ...
|
||||
STEP 59 TIME_PASSES ELAPSE 1801
|
||||
STEP 60 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
00 0a ; Opcode 10
|
||||
00 18 ; Length 24
|
||||
31 32 33 34 35 36 37 38 ; Random bits
|
||||
01 00 00 00 ; Version/Reserved
|
||||
00 00 00 00 ; Timestamp
|
||||
38 52 7b a8 c6 a4 ea 96 ; Hash
|
||||
HEX_EDNSDATA_END
|
||||
ENTRY_END
|
||||
; ... Get answer and a refreshed cookie
|
||||
; (we don't check the re-freshness here; it has its own unit test)
|
||||
STEP 61 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all server_cookie
|
||||
REPLY QR RD RA AA DO NOERROR
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
SECTION ANSWER
|
||||
test. IN TXT "test"
|
||||
ENTRY_END
|
||||
|
||||
; Query with a hash-valid >60 minutes old cookie ...
|
||||
STEP 69 TIME_PASSES ELAPSE 3601
|
||||
STEP 70 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
00 0a ; Opcode 10
|
||||
00 18 ; Length 24
|
||||
31 32 33 34 35 36 37 38 ; Random bits
|
||||
01 00 00 00 ; Version/Reserved
|
||||
00 00 07 09 ; Timestamp (1801)
|
||||
77 81 38 e3 8f aa 72 86 ; Hash
|
||||
HEX_EDNSDATA_END
|
||||
ENTRY_END
|
||||
; ... get BADCOOKIE and a new cookie
|
||||
STEP 71 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all server_cookie
|
||||
REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
ENTRY_END
|
||||
|
||||
; Query with a valid future (<5 minutes) cookie ...
|
||||
STEP 80 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
00 0a ; Opcode 10
|
||||
00 18 ; Length 24
|
||||
31 32 33 34 35 36 37 38 ; Random bits
|
||||
01 00 00 00 ; Version/Reserved
|
||||
00 00 16 45 ; Timestamp (1801 + 3601 + 299)
|
||||
4a f5 0f df f0 e8 c7 09 ; Hash
|
||||
HEX_EDNSDATA_END
|
||||
ENTRY_END
|
||||
; ... get an answer
|
||||
STEP 81 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all server_cookie
|
||||
REPLY QR RD RA AA DO NOERROR
|
||||
SECTION QUESTION
|
||||
test. IN TXT
|
||||
SECTION ANSWER
|
||||
test. IN TXT "test"
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
28
contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.conf
vendored
Normal file
28
contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.conf
vendored
Normal file
|
@ -0,0 +1,28 @@
|
|||
server:
|
||||
verbosity: 5
|
||||
# num-threads: 1
|
||||
interface: 127.0.0.1
|
||||
port: @PORT@
|
||||
use-syslog: no
|
||||
directory: .
|
||||
pidfile: "unbound.pid"
|
||||
chroot: ""
|
||||
username: ""
|
||||
local-data: "test. IN TXT localdata"
|
||||
|
||||
ip-ratelimit: 1
|
||||
ip-ratelimit-cookie: 0
|
||||
ip-ratelimit-factor: 0
|
||||
ip-ratelimit-backoff: yes
|
||||
answer-cookie: yes
|
||||
access-control: 127.0.0.0/8 allow_cookie
|
||||
|
||||
remote-control:
|
||||
control-enable: yes
|
||||
control-interface: 127.0.0.1
|
||||
# control-interface: ::1
|
||||
control-port: @CONTROL_PORT@
|
||||
server-key-file: "unbound_server.key"
|
||||
server-cert-file: "unbound_server.pem"
|
||||
control-key-file: "unbound_control.key"
|
||||
control-cert-file: "unbound_control.pem"
|
16
contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.dsc
vendored
Normal file
16
contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.dsc
vendored
Normal file
|
@ -0,0 +1,16 @@
|
|||
BaseName: ip_ratelimit
|
||||
Version: 1.0
|
||||
Description: Test IP source ratelimit.
|
||||
CreationDate: Tue Aug 8 00:00:00 CET 2023
|
||||
Maintainer: Yorgos Thessalonikefs
|
||||
Category:
|
||||
Component:
|
||||
CmdDepends:
|
||||
Depends:
|
||||
Help:
|
||||
Pre: ip_ratelimit.pre
|
||||
Post: ip_ratelimit.post
|
||||
Test: ip_ratelimit.test
|
||||
AuxFiles:
|
||||
Passed:
|
||||
Failure:
|
13
contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.post
vendored
Normal file
13
contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.post
vendored
Normal file
|
@ -0,0 +1,13 @@
|
|||
# #-- ip_ratelimit.post --#
|
||||
# source the master var file when it's there
|
||||
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
|
||||
# source the test var file when it's there
|
||||
[ -f .tpkg.var.test ] && source .tpkg.var.test
|
||||
#
|
||||
# do your teardown here
|
||||
. ../common.sh
|
||||
kill_pid $UNBOUND_PID
|
||||
if test -f unbound.log; then
|
||||
echo ">>> unbound log"
|
||||
cat unbound.log
|
||||
fi
|
24
contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.pre
vendored
Normal file
24
contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.pre
vendored
Normal file
|
@ -0,0 +1,24 @@
|
|||
# #-- ip_ratelimit.pre--#
|
||||
# source the master var file when it's there
|
||||
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
|
||||
# use .tpkg.var.test for in test variable passing
|
||||
[ -f .tpkg.var.test ] && source .tpkg.var.test
|
||||
|
||||
PRE="../.."
|
||||
. ../common.sh
|
||||
get_random_port 2
|
||||
UNBOUND_PORT=$RND_PORT
|
||||
CONTROL_PORT=$(($RND_PORT + 1))
|
||||
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
|
||||
echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
|
||||
|
||||
# make config file
|
||||
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < ip_ratelimit.conf > ub.conf
|
||||
# start unbound in the background
|
||||
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
|
||||
UNBOUND_PID=$!
|
||||
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
|
||||
|
||||
wait_unbound_up unbound.log
|
||||
|
||||
cat .tpkg.var.test
|
165
contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.test
vendored
Normal file
165
contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.test
vendored
Normal file
|
@ -0,0 +1,165 @@
|
|||
# #-- ip_ratelimit.test --#
|
||||
# source the master var file when it's there
|
||||
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
|
||||
# use .tpkg.var.test for in test variable passing
|
||||
[ -f .tpkg.var.test ] && source .tpkg.var.test
|
||||
|
||||
PRE="../.."
|
||||
. ../common.sh
|
||||
|
||||
get_make
|
||||
(cd $PRE; $MAKE streamtcp)
|
||||
|
||||
# These tests rely on second time precision. To combat false negatives the
|
||||
# tests run multiple times and we allow 1/3 of the runs to fail.
|
||||
total_runs=6
|
||||
success_threshold=4 # 2/3*total_runs
|
||||
|
||||
if dig -h 2>&1 | grep "cookie" >/dev/null; then
|
||||
nocookie="+nocookie"
|
||||
else
|
||||
nocookie=""
|
||||
fi
|
||||
|
||||
echo "> First get a valid cookie"
|
||||
dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:0102030405060708 $nocookie +tcp +retry=0 +time=1 test. TXT >outfile 2>&1
|
||||
if test "$?" -ne 0; then
|
||||
echo "exit status not OK"
|
||||
echo "> cat logfiles"
|
||||
cat outfile
|
||||
cat unbound.log
|
||||
echo "Not OK"
|
||||
exit 1
|
||||
fi
|
||||
if test `grep "COOKIE: " outfile | wc -l` -ne 1; then
|
||||
echo "Could not get cookie"
|
||||
echo "> cat logfiles"
|
||||
cat outfile
|
||||
cat unbound.log
|
||||
echo "Not OK"
|
||||
exit 1
|
||||
fi
|
||||
cookie=`grep "COOKIE: " outfile | cut -d ' ' -f 3`
|
||||
|
||||
successes=0
|
||||
echo "> Three parallel queries with backoff and cookie"
|
||||
# For this test we send three parallel queries. The ratelimit should be reached
|
||||
# for that second. We send a query to verify that there is no reply.
|
||||
# Then for the next second we again send three parallel queries and we expect
|
||||
# none of them to be allowed through because of the backoff logic that keeps
|
||||
# rolling the RATE_WINDOW based on demand.
|
||||
# Again we send another query but with a valid cookie and we expect to receive
|
||||
# an answer.
|
||||
for i in $(seq 1 $total_runs); do
|
||||
# Try to hit limit
|
||||
$PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
|
||||
if test "$?" -ne 0; then
|
||||
echo "exit status not OK"
|
||||
echo "> cat logfiles"
|
||||
cat outfile
|
||||
cat unbound.log
|
||||
echo "Not OK"
|
||||
exit 1
|
||||
fi
|
||||
# Expect no answer because of limit
|
||||
dig @127.0.0.1 -p $UNBOUND_PORT $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
|
||||
if test "$?" -eq 0; then
|
||||
continue
|
||||
fi
|
||||
# Try to keep limit
|
||||
$PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
|
||||
if test "$?" -ne 0; then
|
||||
echo "exit status not OK"
|
||||
echo "> cat logfiles"
|
||||
cat outfile
|
||||
cat unbound.log
|
||||
echo "Not OK"
|
||||
exit 1
|
||||
fi
|
||||
# Expect answer because of DNS cookie
|
||||
dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:$cookie $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
|
||||
if test "$?" -ne 0; then
|
||||
continue
|
||||
fi
|
||||
((successes++))
|
||||
# We don't have to wait for all the runs to complete if we know
|
||||
# we passed the threshold.
|
||||
if test $successes -ge $success_threshold; then
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if test $successes -ge $success_threshold; then
|
||||
echo "Three parallel queries with backoff and cookie OK"
|
||||
else
|
||||
echo "Three parallel queries with backoff and cookie NOT OK"
|
||||
echo "> cat logfiles"
|
||||
cat outfile
|
||||
cat unbound.log
|
||||
echo "Three parallel queries with backoff and cookie NOT OK"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "> Activating ip-ratelimit-cookie"
|
||||
echo "$PRE/unbound-control -c ub.conf set_option ip-ratelimit-cookie: 1"
|
||||
$PRE/unbound-control -c ub.conf set_option ip-ratelimit-cookie: 1
|
||||
if test $? -ne 0; then
|
||||
echo "wrong exit value after success"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
successes=0
|
||||
echo "> Three parallel queries with backoff and cookie with ip-ratelimit-cookie"
|
||||
# This is the exact same test as above with the exception that we don't expect
|
||||
# an answer on the last query because ip-ratelimit-cookie is now enabled.
|
||||
for i in $(seq 1 $total_runs); do
|
||||
# Try to hit limit
|
||||
$PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
|
||||
if test "$?" -ne 0; then
|
||||
echo "exit status not OK"
|
||||
echo "> cat logfiles"
|
||||
cat outfile
|
||||
cat unbound.log
|
||||
echo "Not OK"
|
||||
exit 1
|
||||
fi
|
||||
# Expect no answer because of limit
|
||||
dig @127.0.0.1 -p $UNBOUND_PORT $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
|
||||
if test "$?" -eq 0; then
|
||||
continue
|
||||
fi
|
||||
# Try to keep limit
|
||||
$PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
|
||||
if test "$?" -ne 0; then
|
||||
echo "exit status not OK"
|
||||
echo "> cat logfiles"
|
||||
cat outfile
|
||||
cat unbound.log
|
||||
echo "Not OK"
|
||||
exit 1
|
||||
fi
|
||||
# Expect no answer because of ip-ratelimit-cookie
|
||||
dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:$cookie $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
|
||||
if test "$?" -eq 0; then
|
||||
continue
|
||||
fi
|
||||
((successes++))
|
||||
# We don't have to wait for all the runs to complete if we know
|
||||
# we passed the threshold.
|
||||
if test $successes -ge $success_threshold; then
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if test $successes -ge $success_threshold; then
|
||||
echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie OK"
|
||||
else
|
||||
echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie NOT OK"
|
||||
echo "> cat logfiles"
|
||||
cat outfile
|
||||
cat unbound.log
|
||||
echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie NOT OK"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
exit 0
|
39
contrib/unbound/testdata/ip_ratelimit.tdir/unbound_control.key
vendored
Normal file
39
contrib/unbound/testdata/ip_ratelimit.tdir/unbound_control.key
vendored
Normal file
|
@ -0,0 +1,39 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA
|
||||
1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ
|
||||
F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR
|
||||
ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm
|
||||
vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb
|
||||
IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL
|
||||
cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr
|
||||
lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov
|
||||
15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf
|
||||
LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+
|
||||
Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57
|
||||
YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9
|
||||
whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c
|
||||
lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax
|
||||
tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ
|
||||
U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9
|
||||
Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc
|
||||
Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3
|
||||
ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+
|
||||
1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN
|
||||
b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz
|
||||
ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C
|
||||
TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF
|
||||
tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y
|
||||
aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0
|
||||
A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU
|
||||
LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U
|
||||
R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy
|
||||
7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj
|
||||
7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw
|
||||
jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1
|
||||
BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar
|
||||
kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR
|
||||
qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3
|
||||
VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9
|
||||
MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa
|
||||
C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g=
|
||||
-----END RSA PRIVATE KEY-----
|
22
contrib/unbound/testdata/ip_ratelimit.tdir/unbound_control.pem
vendored
Normal file
22
contrib/unbound/testdata/ip_ratelimit.tdir/unbound_control.pem
vendored
Normal file
|
@ -0,0 +1,22 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx
|
||||
EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw
|
||||
WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA
|
||||
A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv
|
||||
OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj
|
||||
1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl
|
||||
NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht
|
||||
A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/
|
||||
Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB
|
||||
TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/
|
||||
nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My
|
||||
+i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj
|
||||
4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83
|
||||
hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU
|
||||
9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn
|
||||
ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ
|
||||
pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD
|
||||
72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ
|
||||
muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP
|
||||
uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte
|
||||
-----END CERTIFICATE-----
|
39
contrib/unbound/testdata/ip_ratelimit.tdir/unbound_server.key
vendored
Normal file
39
contrib/unbound/testdata/ip_ratelimit.tdir/unbound_server.key
vendored
Normal file
|
@ -0,0 +1,39 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
|
||||
0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
|
||||
GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
|
||||
uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
|
||||
WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
|
||||
FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
|
||||
q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
|
||||
A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
|
||||
7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
|
||||
XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
|
||||
iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
|
||||
2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
|
||||
MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
|
||||
WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
|
||||
O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
|
||||
IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
|
||||
qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
|
||||
dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
|
||||
bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
|
||||
YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
|
||||
7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
|
||||
gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
|
||||
5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
|
||||
ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
|
||||
oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
|
||||
s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
|
||||
zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
|
||||
ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
|
||||
oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
|
||||
BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
|
||||
mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
|
||||
kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
|
||||
7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
|
||||
RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
|
||||
jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
|
||||
O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
|
||||
MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
|
||||
-----END RSA PRIVATE KEY-----
|
22
contrib/unbound/testdata/ip_ratelimit.tdir/unbound_server.pem
vendored
Normal file
22
contrib/unbound/testdata/ip_ratelimit.tdir/unbound_server.pem
vendored
Normal file
|
@ -0,0 +1,22 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
|
||||
EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
|
||||
WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
|
||||
igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
|
||||
a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
|
||||
4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
|
||||
aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
|
||||
TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
|
||||
uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
|
||||
+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
|
||||
XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
|
||||
dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
|
||||
84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
|
||||
JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
|
||||
fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
|
||||
XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
|
||||
qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
|
||||
sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
|
||||
yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
|
||||
CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
|
||||
-----END CERTIFICATE-----
|
246
contrib/unbound/testdata/iter_cname_minimise_nx.rpl
vendored
Normal file
246
contrib/unbound/testdata/iter_cname_minimise_nx.rpl
vendored
Normal file
|
@ -0,0 +1,246 @@
|
|||
; config options
|
||||
server:
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
qname-minimisation: yes
|
||||
module-config: "validator iterator"
|
||||
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
||||
val-override-date: "20070916134226"
|
||||
fake-sha1: yes
|
||||
trust-anchor-signaling: no
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test cname chain resolution of nxdomain with qname minimisation.
|
||||
; the qtype CNAME lookup has NXDOMAIN.
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION AUTHORITY
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.44
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 1.2.3.44
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.44
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AAZrcta3WCyz0iq2p78gmcPpXbmXPP9nQXM/czH1R9ilCaEoV8E27UU=
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN A
|
||||
SECTION ANSWER
|
||||
ns.example.com. IN A 1.2.3.44
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AAZrcta3WCyz0iq2p78gmcPpXbmXPP9nQXM/czH1R9ilCaEoV8E27UU=
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
ENTRY_END
|
||||
|
||||
; response to DNSKEY priming query
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
|
||||
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.44
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AAZrcta3WCyz0iq2p78gmcPpXbmXPP9nQXM/czH1R9ilCaEoV8E27UU=
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN AAAA
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.44
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AAZrcta3WCyz0iq2p78gmcPpXbmXPP9nQXM/czH1R9ilCaEoV8E27UU=
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
example.com. 300 IN SOA a. b. 1 2 3 4 300
|
||||
example.com. 300 IN RRSIG SOA 3 2 300 20070926134150 20070829134150 2854 example.com. AFPx1ZhcHixnxfB90ha4zgp7A+EdM8L63tUnVdlI5B14NiRIXONPDB4=
|
||||
v.example.com. IN NSEC x.example.com. A AAAA RRSIG NSEC
|
||||
v.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AFT0Ao01lUN8Ppa9QPayQIN9ZtNIj4TzyhUQV31+FhNRK5uSQhiVwMc=
|
||||
example.com. 3600 IN NSEC abc.example.com. NS SOA RRSIG NSEC DNSKEY
|
||||
example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. ABEOu6iietfjKY1MS0TutZZxUtRYA6XKsC1rMTrenwBF2darY3/Emco=
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
c.example.com. IN A
|
||||
SECTION ANSWER
|
||||
c.example.com. 10 IN CNAME www.example.com.
|
||||
c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
|
||||
SECTION AUTHORITY
|
||||
example.com. 300 IN SOA a. b. 1 2 3 4 300
|
||||
example.com. 300 IN RRSIG SOA 3 2 300 20070926134150 20070829134150 2854 example.com. AFPx1ZhcHixnxfB90ha4zgp7A+EdM8L63tUnVdlI5B14NiRIXONPDB4=
|
||||
v.example.com. IN NSEC x.example.com. A AAAA RRSIG NSEC
|
||||
v.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AFT0Ao01lUN8Ppa9QPayQIN9ZtNIj4TzyhUQV31+FhNRK5uSQhiVwMc=
|
||||
example.com. 3600 IN NSEC abc.example.com. NS SOA RRSIG NSEC DNSKEY
|
||||
example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. ABEOu6iietfjKY1MS0TutZZxUtRYA6XKsC1rMTrenwBF2darY3/Emco=
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
c.example.com. IN CNAME
|
||||
SECTION ANSWER
|
||||
c.example.com. 10 IN CNAME www.example.com.
|
||||
c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD DO
|
||||
SECTION QUESTION
|
||||
c.example.com. IN CNAME
|
||||
ENTRY_END
|
||||
|
||||
STEP 20 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AD DO NOERROR
|
||||
SECTION QUESTION
|
||||
c.example.com. IN CNAME
|
||||
SECTION ANSWER
|
||||
c.example.com. 10 IN CNAME www.example.com.
|
||||
c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
|
||||
ENTRY_END
|
||||
|
||||
STEP 30 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD DO
|
||||
SECTION QUESTION
|
||||
c.example.com. IN CNAME
|
||||
ENTRY_END
|
||||
|
||||
STEP 40 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AD DO NOERROR
|
||||
SECTION QUESTION
|
||||
c.example.com. IN CNAME
|
||||
SECTION ANSWER
|
||||
c.example.com. 10 IN CNAME www.example.com.
|
||||
c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
|
||||
ENTRY_END
|
||||
|
||||
STEP 50 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD DO
|
||||
SECTION QUESTION
|
||||
c.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 60 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AD DO NXDOMAIN
|
||||
SECTION QUESTION
|
||||
c.example.com. IN A
|
||||
SECTION ANSWER
|
||||
c.example.com. 10 IN CNAME www.example.com.
|
||||
c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
|
||||
SECTION AUTHORITY
|
||||
example.com. 300 IN SOA a. b. 1 2 3 4 300
|
||||
example.com. 300 IN RRSIG SOA 3 2 300 20070926134150 20070829134150 2854 example.com. AFPx1ZhcHixnxfB90ha4zgp7A+EdM8L63tUnVdlI5B14NiRIXONPDB4=
|
||||
v.example.com. IN NSEC x.example.com. A AAAA RRSIG NSEC
|
||||
v.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AFT0Ao01lUN8Ppa9QPayQIN9ZtNIj4TzyhUQV31+FhNRK5uSQhiVwMc=
|
||||
example.com. 3600 IN NSEC abc.example.com. NS SOA RRSIG NSEC DNSKEY
|
||||
example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. ABEOu6iietfjKY1MS0TutZZxUtRYA6XKsC1rMTrenwBF2darY3/Emco=
|
||||
ENTRY_END
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
132
contrib/unbound/testdata/iter_failreply.rpl
vendored
Normal file
132
contrib/unbound/testdata/iter_failreply.rpl
vendored
Normal file
|
@ -0,0 +1,132 @@
|
|||
; config options
|
||||
server:
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
qname-minimisation: "no"
|
||||
minimal-responses: no
|
||||
log-servfail: yes
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test iterator fail_reply report
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. IN NS ns2.example.net.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. IN AAAA ::1
|
||||
ns2.example.net. IN AAAA ::1
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns2.example.net. IN A
|
||||
SECTION ANSWER
|
||||
ns2.example.net. IN A 1.2.3.5
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns2.example.net. IN AAAA
|
||||
SECTION ANSWER
|
||||
ns2.example.net. IN AAAA ::1
|
||||
ENTRY_END
|
||||
|
||||
RANGE_END
|
||||
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR SERVFAIL
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR SERVFAIL
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR SERVFAIL
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN AAAA
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 20 CHECK_OUT_QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 21 TIMEOUT
|
||||
STEP 22 TIMEOUT
|
||||
STEP 23 TIMEOUT
|
||||
STEP 24 TIMEOUT
|
||||
STEP 25 TIMEOUT
|
||||
|
||||
STEP 31 TIMEOUT
|
||||
STEP 32 TIMEOUT
|
||||
STEP 33 TIMEOUT
|
||||
STEP 34 TIMEOUT
|
||||
|
||||
; recursion happens here.
|
||||
STEP 50 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA SERVFAIL
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
198
contrib/unbound/testdata/iter_ignore_empty.rpl
vendored
Normal file
198
contrib/unbound/testdata/iter_ignore_empty.rpl
vendored
Normal file
|
@ -0,0 +1,198 @@
|
|||
; config options
|
||||
server:
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
qname-minimisation: "no"
|
||||
minimal-responses: no
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test ignore of an empty response.
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION AUTHORITY
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. IN NS ns2.example2.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example2.com. IN NS
|
||||
SECTION AUTHORITY
|
||||
example2.com. IN NS ns2.example2.com.
|
||||
SECTION ADDITIONAL
|
||||
ns2.example2.com. IN A 1.2.3.5
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. IN NS ns2.example.net.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN A
|
||||
SECTION ANSWER
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN AAAA
|
||||
SECTION AUTHORITY
|
||||
example.com. IN SOA ns root 4 14400 3600 604800 3600
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
SECTION ADDITIONAL
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns2.example2.com.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 1.2.3.5
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
example2.com. IN NS
|
||||
SECTION ANSWER
|
||||
example2.com. IN NS ns2.example2.com.
|
||||
SECTION ADDITIONAL
|
||||
ns2.example2.com. IN A 1.2.3.5
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns2.example2.com. IN A
|
||||
SECTION ANSWER
|
||||
ns2.example2.com. IN A 1.2.3.5
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns2.example2.com. IN AAAA
|
||||
SECTION AUTHORITY
|
||||
example2.com. IN SOA ns2 root 4 14400 3600 604800 3600
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; recursion happens here.
|
||||
STEP 10 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
ENTRY_END
|
||||
|
||||
; wait for pending nameserver lookups.
|
||||
STEP 20 TRAFFIC
|
||||
|
||||
SCENARIO_END
|
117
contrib/unbound/testdata/iter_nat64.rpl
vendored
Normal file
117
contrib/unbound/testdata/iter_nat64.rpl
vendored
Normal file
|
@ -0,0 +1,117 @@
|
|||
; config options
|
||||
server:
|
||||
do-nat64: yes
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 2001:db8::1
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test NAT64 transport for a v4-only server.
|
||||
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 2001:db8::1
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS FAKE.ROOT.
|
||||
SECTION ADDITIONAL
|
||||
FAKE.ROOT. IN AAAA 2001:db8::1
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
v4only. IN NS
|
||||
SECTION AUTHORITY
|
||||
v4only. IN NS ns.v4only.
|
||||
SECTION ADDITIONAL
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
ENTRY_END
|
||||
|
||||
RANGE_END
|
||||
|
||||
; replies from NS over "NAT64"
|
||||
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 64:ff9b::c000:0201
|
||||
|
||||
; A over NAT64
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY AA QR NOERROR
|
||||
SECTION QUESTION
|
||||
ns.v4only. IN A
|
||||
SECTION ANSWER
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
SECTION AUTHORITY
|
||||
v4only. IN NS ns.v4only.
|
||||
ENTRY_END
|
||||
|
||||
; no AAAA
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY AA QR NOERROR
|
||||
SECTION QUESTION
|
||||
ns.v4only. IN AAAA
|
||||
SECTION AUTHORITY
|
||||
v4only. IN NS ns.v4only.
|
||||
SECTION ADDITIONAL
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY AA QR NOERROR
|
||||
SECTION QUESTION
|
||||
v4only. IN NS
|
||||
SECTION ANSWER
|
||||
v4only. IN NS ns.v4only.
|
||||
SECTION ADDITIONAL
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY AA QR NOERROR
|
||||
SECTION QUESTION
|
||||
test.v4only. IN A
|
||||
SECTION ANSWER
|
||||
test.v4only. IN A 192.0.2.2
|
||||
SECTION AUTHORITY
|
||||
v4only. IN NS ns.v4only.
|
||||
SECTION ADDITIONAL
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
ENTRY_END
|
||||
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
test.v4only. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 20 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
test.v4only. IN A
|
||||
SECTION ANSWER
|
||||
test.v4only. IN A 192.0.2.2
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
119
contrib/unbound/testdata/iter_nat64_prefix.rpl
vendored
Normal file
119
contrib/unbound/testdata/iter_nat64_prefix.rpl
vendored
Normal file
|
@ -0,0 +1,119 @@
|
|||
; config options
|
||||
server:
|
||||
do-nat64: yes
|
||||
nat64-prefix: 2001:db8:1234::/96
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
do-ip4: no
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 2001:db8::1
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test NAT64 transport for a v4-only server, custom NAT64 prefix.
|
||||
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 2001:db8::1
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS FAKE.ROOT.
|
||||
SECTION ADDITIONAL
|
||||
FAKE.ROOT. IN AAAA 2001:db8::1
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
v4only. IN NS
|
||||
SECTION AUTHORITY
|
||||
v4only. IN NS ns.v4only.
|
||||
SECTION ADDITIONAL
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
ENTRY_END
|
||||
|
||||
RANGE_END
|
||||
|
||||
; replies from NS over "NAT64"
|
||||
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 2001:db8:1234::c000:0201
|
||||
|
||||
; A over NAT64
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY AA QR NOERROR
|
||||
SECTION QUESTION
|
||||
ns.v4only. IN A
|
||||
SECTION ANSWER
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
SECTION AUTHORITY
|
||||
v4only. IN NS ns.v4only.
|
||||
ENTRY_END
|
||||
|
||||
; no AAAA
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY AA QR NOERROR
|
||||
SECTION QUESTION
|
||||
ns.v4only. IN AAAA
|
||||
SECTION AUTHORITY
|
||||
v4only. IN NS ns.v4only.
|
||||
SECTION ADDITIONAL
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY AA QR NOERROR
|
||||
SECTION QUESTION
|
||||
v4only. IN NS
|
||||
SECTION ANSWER
|
||||
v4only. IN NS ns.v4only.
|
||||
SECTION ADDITIONAL
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY AA QR NOERROR
|
||||
SECTION QUESTION
|
||||
test.v4only. IN A
|
||||
SECTION ANSWER
|
||||
test.v4only. IN A 192.0.2.2
|
||||
SECTION AUTHORITY
|
||||
v4only. IN NS ns.v4only.
|
||||
SECTION ADDITIONAL
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
ENTRY_END
|
||||
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
test.v4only. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 20 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
test.v4only. IN A
|
||||
SECTION ANSWER
|
||||
test.v4only. IN A 192.0.2.2
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
118
contrib/unbound/testdata/iter_nat64_prefix48.rpl
vendored
Normal file
118
contrib/unbound/testdata/iter_nat64_prefix48.rpl
vendored
Normal file
|
@ -0,0 +1,118 @@
|
|||
; config options
|
||||
server:
|
||||
do-nat64: yes
|
||||
nat64-prefix: 2001:db8:2345::/48
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 2001:db8::1
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test NAT64 transport, this time with /48 NAT64 prefix.
|
||||
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 2001:db8::1
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS FAKE.ROOT.
|
||||
SECTION ADDITIONAL
|
||||
FAKE.ROOT. IN AAAA 2001:db8::1
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
v4only. IN NS
|
||||
SECTION AUTHORITY
|
||||
v4only. IN NS ns.v4only.
|
||||
SECTION ADDITIONAL
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
ENTRY_END
|
||||
|
||||
RANGE_END
|
||||
|
||||
; replies from NS over "NAT64"
|
||||
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 2001:db8:2345:c000:0002:0100::
|
||||
|
||||
; A over NAT64
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY AA QR NOERROR
|
||||
SECTION QUESTION
|
||||
ns.v4only. IN A
|
||||
SECTION ANSWER
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
SECTION AUTHORITY
|
||||
v4only. IN NS ns.v4only.
|
||||
ENTRY_END
|
||||
|
||||
; no AAAA
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY AA QR NOERROR
|
||||
SECTION QUESTION
|
||||
ns.v4only. IN AAAA
|
||||
SECTION AUTHORITY
|
||||
v4only. IN NS ns.v4only.
|
||||
SECTION ADDITIONAL
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY AA QR NOERROR
|
||||
SECTION QUESTION
|
||||
v4only. IN NS
|
||||
SECTION ANSWER
|
||||
v4only. IN NS ns.v4only.
|
||||
SECTION ADDITIONAL
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY AA QR NOERROR
|
||||
SECTION QUESTION
|
||||
test.v4only. IN A
|
||||
SECTION ANSWER
|
||||
test.v4only. IN A 192.0.2.2
|
||||
SECTION AUTHORITY
|
||||
v4only. IN NS ns.v4only.
|
||||
SECTION ADDITIONAL
|
||||
ns.v4only. IN A 192.0.2.1
|
||||
ENTRY_END
|
||||
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
test.v4only. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 20 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
test.v4only. IN A
|
||||
SECTION ANSWER
|
||||
test.v4only. IN A 192.0.2.2
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
154
contrib/unbound/testdata/serve_expired_0ttl_nodata.rpl
vendored
Normal file
154
contrib/unbound/testdata/serve_expired_0ttl_nodata.rpl
vendored
Normal file
|
@ -0,0 +1,154 @@
|
|||
; config options
|
||||
server:
|
||||
module-config: "validator iterator"
|
||||
qname-minimisation: "no"
|
||||
minimal-responses: no
|
||||
serve-expired: yes
|
||||
log-servfail: yes
|
||||
ede: yes
|
||||
ede-serve-expired: yes
|
||||
|
||||
|
||||
stub-zone:
|
||||
name: "example.com"
|
||||
stub-addr: 1.2.3.4
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test serve-expired with NXDOMAIN followed by 0 TTL
|
||||
; Scenario overview:
|
||||
; - query for 0ttl.example.com. IN A
|
||||
; - answer from upstream is NODATA; will be cached for the SOA negative TTL.
|
||||
; - check that the client gets the NODATA; also cached
|
||||
; - query again right after the TTL expired
|
||||
; - this time the server answers with a 0 TTL RRset
|
||||
; - check that we get the correct answer
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 20
|
||||
ADDRESS 1.2.3.4
|
||||
; response to A query
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 30 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. 10 IN NS
|
||||
SECTION ANSWER
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION ANSWER
|
||||
0ttl.example.com. 0 IN A 5.6.7.8
|
||||
SECTION AUTHORITY
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; Query with RD flag
|
||||
STEP 0 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we get the NODATA (will be cached)
|
||||
STEP 10 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
|
||||
ENTRY_END
|
||||
|
||||
; Query again
|
||||
STEP 20 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we get the cached NODATA
|
||||
STEP 30 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
|
||||
ENTRY_END
|
||||
|
||||
; Wait for the NXDOMAIN to expire
|
||||
STEP 31 TIME_PASSES ELAPSE 32
|
||||
|
||||
; Query again
|
||||
STEP 40 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we get the cached NODATA
|
||||
STEP 50 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
|
||||
ENTRY_END
|
||||
|
||||
; Query again
|
||||
STEP 60 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we got the correct answer
|
||||
STEP 70 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION ANSWER
|
||||
0ttl.example.com. 0 IN A 5.6.7.8
|
||||
SECTION AUTHORITY
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
154
contrib/unbound/testdata/serve_expired_0ttl_nxdomain.rpl
vendored
Normal file
154
contrib/unbound/testdata/serve_expired_0ttl_nxdomain.rpl
vendored
Normal file
|
@ -0,0 +1,154 @@
|
|||
; config options
|
||||
server:
|
||||
module-config: "validator iterator"
|
||||
qname-minimisation: "no"
|
||||
minimal-responses: no
|
||||
serve-expired: yes
|
||||
log-servfail: yes
|
||||
ede: yes
|
||||
ede-serve-expired: yes
|
||||
|
||||
|
||||
stub-zone:
|
||||
name: "example.com"
|
||||
stub-addr: 1.2.3.4
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test serve-expired with NXDOMAIN followed by 0 TTL
|
||||
; Scenario overview:
|
||||
; - query for 0ttl.example.com. IN A
|
||||
; - answer from upstream is NXDOMAIN; will be cached for the SOA negative TTL.
|
||||
; - check that the client gets the NXDOMAIN; also cached
|
||||
; - query again right after the TTL expired
|
||||
; - this time the server answers with a 0 TTL RRset
|
||||
; - check that we get the correct answer
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 20
|
||||
ADDRESS 1.2.3.4
|
||||
; response to A query
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 30 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. 10 IN NS
|
||||
SECTION ANSWER
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION ANSWER
|
||||
0ttl.example.com. 0 IN A 5.6.7.8
|
||||
SECTION AUTHORITY
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; Query with RD flag
|
||||
STEP 0 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we get the SERVFAIL (will be cached)
|
||||
STEP 10 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
|
||||
ENTRY_END
|
||||
|
||||
; Query again
|
||||
STEP 20 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we get the cached NXDOMAIN
|
||||
STEP 30 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
|
||||
ENTRY_END
|
||||
|
||||
; Wait for the NXDOMAIN to expire
|
||||
STEP 31 TIME_PASSES ELAPSE 32
|
||||
|
||||
; Query again
|
||||
STEP 40 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we get the cached NXDOMAIN
|
||||
STEP 50 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
|
||||
ENTRY_END
|
||||
|
||||
; Query again
|
||||
STEP 60 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we got the correct answer
|
||||
STEP 70 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION ANSWER
|
||||
0ttl.example.com. 0 IN A 5.6.7.8
|
||||
SECTION AUTHORITY
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
129
contrib/unbound/testdata/serve_expired_0ttl_servfail.rpl
vendored
Normal file
129
contrib/unbound/testdata/serve_expired_0ttl_servfail.rpl
vendored
Normal file
|
@ -0,0 +1,129 @@
|
|||
; config options
|
||||
server:
|
||||
module-config: "validator iterator"
|
||||
qname-minimisation: "no"
|
||||
minimal-responses: no
|
||||
serve-expired: yes
|
||||
log-servfail: yes
|
||||
ede: yes
|
||||
ede-serve-expired: yes
|
||||
|
||||
|
||||
stub-zone:
|
||||
name: "example.com"
|
||||
stub-addr: 1.2.3.4
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test serve-expired with SERVFAIL followed by 0 TTL
|
||||
; Scenario overview:
|
||||
; - query for 0ttl.example.com. IN A
|
||||
; - answer from upstream is SERVFAIL; will be cached for NORR_TTL(5)
|
||||
; - check that the client gets the SERVFAIL; also cached
|
||||
; - query again right after the TTL expired
|
||||
; - this time the server answers with a 0 TTL RRset
|
||||
; - check that we get the correct answer
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 20
|
||||
ADDRESS 1.2.3.4
|
||||
; response to A query
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA SERVFAIL
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 30 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. 10 IN NS
|
||||
SECTION ANSWER
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION ANSWER
|
||||
0ttl.example.com. 0 IN A 5.6.7.8
|
||||
SECTION AUTHORITY
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; Query with RD flag
|
||||
STEP 0 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we get the SERVFAIL (will be cached)
|
||||
STEP 10 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA SERVFAIL
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Query again
|
||||
STEP 20 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we get the cached SERVFAIL
|
||||
STEP 30 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA SERVFAIL
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Wait for the SERVFAIL to expire
|
||||
STEP 31 TIME_PASSES ELAPSE 32
|
||||
|
||||
; Query again
|
||||
STEP 40 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we got the correct answer
|
||||
STEP 50 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
0ttl.example.com. IN A
|
||||
SECTION ANSWER
|
||||
0ttl.example.com. 0 IN A 5.6.7.8
|
||||
SECTION AUTHORITY
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
145
contrib/unbound/testdata/serve_expired_cached_servfail_refresh.rpl
vendored
Normal file
145
contrib/unbound/testdata/serve_expired_cached_servfail_refresh.rpl
vendored
Normal file
|
@ -0,0 +1,145 @@
|
|||
; config options
|
||||
server:
|
||||
module-config: "validator iterator"
|
||||
qname-minimisation: "no"
|
||||
minimal-responses: no
|
||||
serve-expired: yes
|
||||
serve-expired-reply-ttl: 123
|
||||
log-servfail: yes
|
||||
ede: yes
|
||||
ede-serve-expired: yes
|
||||
|
||||
|
||||
stub-zone:
|
||||
name: "example.com"
|
||||
stub-addr: 1.2.3.4
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test serve-expired with client-timeout and a SERVFAIL upstream reply
|
||||
; Scenario overview:
|
||||
; - query for example.com. IN A
|
||||
; - answer from upstream is SERVFAIL; will be cached for NORR_TTL(5)
|
||||
; - check that the client gets the SERVFAIL; also cached
|
||||
; - query again right after the TTL expired
|
||||
; - cached SERVFAIL should be ignored and upstream queried
|
||||
; - answer from upstream is still SERVFAIL; the cached error response will be
|
||||
; refreshed for another NORR_TTL(5)
|
||||
; - check that the client gets the SERVFAIL
|
||||
; - query again; the upstream now has the answer available
|
||||
; - check that we get the refreshed cached response instead
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 50
|
||||
ADDRESS 1.2.3.4
|
||||
; response to A query
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA SERVFAIL
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 60 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. 10 IN NS
|
||||
SECTION ANSWER
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
SECTION ANSWER
|
||||
example.com. 10 IN A 5.6.7.8
|
||||
SECTION AUTHORITY
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; Query with RD flag
|
||||
STEP 0 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we get the SERVFAIL (will be cached)
|
||||
STEP 10 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA SERVFAIL
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Query again
|
||||
STEP 20 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we get the cached SERVFAIL
|
||||
STEP 30 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA SERVFAIL
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Wait for the SERVFAIL to expire
|
||||
STEP 31 TIME_PASSES ELAPSE 6
|
||||
|
||||
; Query again
|
||||
STEP 40 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we get the SERVFAIL (will be refreshed)
|
||||
STEP 50 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA SERVFAIL
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Query again, upstream has the real answer available
|
||||
STEP 60 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Check that we get the refreshed cached SERVFAIL
|
||||
STEP 70 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA SERVFAIL
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
36
contrib/unbound/testdata/stat_values.tdir/stat_values_cachedb.conf
vendored
Normal file
36
contrib/unbound/testdata/stat_values.tdir/stat_values_cachedb.conf
vendored
Normal file
|
@ -0,0 +1,36 @@
|
|||
server:
|
||||
verbosity: 5
|
||||
module-config: "cachedb iterator"
|
||||
serve-expired: yes
|
||||
num-threads: 1
|
||||
interface: 127.0.0.1
|
||||
port: @PORT@
|
||||
use-syslog: no
|
||||
directory: ""
|
||||
pidfile: "unbound.pid"
|
||||
chroot: ""
|
||||
username: ""
|
||||
do-not-query-localhost: no
|
||||
extended-statistics: yes
|
||||
identity: "stat_values"
|
||||
outbound-msg-retry: 0
|
||||
root-key-sentinel: no
|
||||
trust-anchor-signaling: no
|
||||
|
||||
local-zone: local.zone static
|
||||
local-data: "www.local.zone A 192.0.2.1"
|
||||
remote-control:
|
||||
control-enable: yes
|
||||
control-interface: 127.0.0.1
|
||||
# control-interface: ::1
|
||||
control-port: @CONTROL_PORT@
|
||||
server-key-file: "unbound_server.key"
|
||||
server-cert-file: "unbound_server.pem"
|
||||
control-key-file: "unbound_control.key"
|
||||
control-cert-file: "unbound_control.pem"
|
||||
forward-zone:
|
||||
name: "."
|
||||
forward-addr: "127.0.0.1@@TOPORT@"
|
||||
forward-zone:
|
||||
name: "expired."
|
||||
forward-addr: "127.0.0.1@@EXPIREDPORT@"
|
32
contrib/unbound/testdata/stat_values.tdir/stat_values_downstream_cookies.conf
vendored
Normal file
32
contrib/unbound/testdata/stat_values.tdir/stat_values_downstream_cookies.conf
vendored
Normal file
|
@ -0,0 +1,32 @@
|
|||
server:
|
||||
verbosity: 5
|
||||
module-config: "iterator"
|
||||
num-threads: 1
|
||||
interface: 127.0.0.1
|
||||
port: @PORT@
|
||||
use-syslog: no
|
||||
directory: ""
|
||||
pidfile: "unbound.pid"
|
||||
chroot: ""
|
||||
username: ""
|
||||
extended-statistics: yes
|
||||
identity: "stat_values"
|
||||
outbound-msg-retry: 0
|
||||
root-key-sentinel: no
|
||||
trust-anchor-signaling: no
|
||||
|
||||
local-zone: local.zone static
|
||||
local-data: "www.local.zone A 192.0.2.1"
|
||||
|
||||
answer-cookie: yes
|
||||
access-control: 127.0.0.1 allow_cookie
|
||||
|
||||
remote-control:
|
||||
control-enable: yes
|
||||
control-interface: 127.0.0.1
|
||||
# control-interface: ::1
|
||||
control-port: @CONTROL_PORT@
|
||||
server-key-file: "unbound_server.key"
|
||||
server-cert-file: "unbound_server.pem"
|
||||
control-key-file: "unbound_control.key"
|
||||
control-cert-file: "unbound_control.pem"
|
114
contrib/unbound/testdata/subnet_cached_ede.crpl
vendored
Normal file
114
contrib/unbound/testdata/subnet_cached_ede.crpl
vendored
Normal file
|
@ -0,0 +1,114 @@
|
|||
; Ask the same question twice. Check to see second is answered
|
||||
; from cache
|
||||
|
||||
server:
|
||||
trust-anchor-signaling: no
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
send-client-subnet: 1.2.3.4
|
||||
max-client-subnet-ipv4: 17
|
||||
module-config: "subnetcache validator iterator"
|
||||
verbosity: 3
|
||||
qname-minimisation: no
|
||||
minimal-responses: no
|
||||
ede: yes
|
||||
val-log-level: 2
|
||||
trust-anchor: "example.nl. DS 50602 8 2 FA8EE175C47325F4BD46D8A4083C3EBEB11C977D689069F2B41F1A29B22446B1"
|
||||
|
||||
stub-zone:
|
||||
name: "example.nl"
|
||||
stub-addr: 1.2.3.4
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test subnetcache support for caching EDEs.
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 10
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
example.nl. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
; client is 127.0.0.1
|
||||
00 08 ; OPC
|
||||
00 07 ; option length
|
||||
00 01 ; Family
|
||||
11 00 ; source mask, scopemask
|
||||
7f 00 00 ; address
|
||||
HEX_EDNSDATA_END
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
example.nl. IN A
|
||||
SECTION ANSWER
|
||||
example.nl. IN A 1.2.3.4
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
; client is 127.0.0.1
|
||||
00 08 ; OPC
|
||||
00 07 ; option length
|
||||
00 01 ; Family
|
||||
11 00 ; source mask, scopemask
|
||||
7f 00 00 ; address
|
||||
HEX_EDNSDATA_END
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; get the entry in cache.
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD DO
|
||||
SECTION QUESTION
|
||||
example.nl. IN A
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
00 08 00 07 ; OPC, optlen
|
||||
00 01 11 00 ; ip4, scope 17, source 0
|
||||
7f 00 00 ; 127.0.0.0/17
|
||||
HEX_EDNSDATA_END
|
||||
ENTRY_END
|
||||
|
||||
; get the answer for it
|
||||
STEP 10 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ede=9
|
||||
REPLY QR RD RA DO SERVFAIL
|
||||
SECTION QUESTION
|
||||
example.nl. IN A
|
||||
ENTRY_END
|
||||
|
||||
; query again for the cached entry
|
||||
STEP 20 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
example.nl. IN A
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
00 08 00 07 ; OPC, optlen
|
||||
00 01 11 00 ; ip4, scope 17, source 0
|
||||
7f 00 00 ; 127.0.0.0/17
|
||||
HEX_EDNSDATA_END
|
||||
ENTRY_END
|
||||
|
||||
; this must be a cached answer since stub is not answering in this range
|
||||
STEP 30 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ede=9
|
||||
REPLY QR RD RA DO SERVFAIL
|
||||
SECTION QUESTION
|
||||
example.nl. IN A
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
236
contrib/unbound/testdata/subnet_global_prefetch.crpl
vendored
Normal file
236
contrib/unbound/testdata/subnet_global_prefetch.crpl
vendored
Normal file
|
@ -0,0 +1,236 @@
|
|||
; Check if the prefetch option works properly for messages stored in the global
|
||||
; cache for non-ECS clients. The prefetch query needs to result in an ECS
|
||||
; outgoing query based on the client's IP.
|
||||
|
||||
server:
|
||||
trust-anchor-signaling: no
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
send-client-subnet: 1.2.3.4
|
||||
max-client-subnet-ipv4: 21
|
||||
module-config: "subnetcache iterator"
|
||||
verbosity: 3
|
||||
access-control: 127.0.0.1 allow_snoop
|
||||
qname-minimisation: no
|
||||
minimal-responses: no
|
||||
prefetch: yes
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test prefetch option for global cache with ECS enabled
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname ednsdata
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
;; we expect to receive empty
|
||||
HEX_EDNSDATA_END
|
||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname ednsdata
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
;; we expect to receive empty
|
||||
HEX_EDNSDATA_END
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 10
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
;; we expect to receive empty
|
||||
HEX_EDNSDATA_END
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; response to query of interest
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 10 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 11 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
;; we expect to receive empty
|
||||
HEX_EDNSDATA_END
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; response to query of interest
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname ednsdata
|
||||
ADJUST copy_id copy_ednsdata_assume_clientsubnet
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 10 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
HEX_EDNSDATA_BEGIN
|
||||
; client is 127.0.0.1
|
||||
00 08 ; OPC
|
||||
00 07 ; option length
|
||||
00 01 ; Family
|
||||
15 00 ; source mask, scopemask
|
||||
7f 00 00 ; address
|
||||
HEX_EDNSDATA_END
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; This answer should be in the global cache (because no ECS from upstream)
|
||||
STEP 2 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; Try to trigger a prefetch
|
||||
STEP 3 TIME_PASSES ELAPSE 9
|
||||
|
||||
STEP 11 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; This record came from the global cache and a prefetch was triggered.
|
||||
STEP 12 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 1 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 3591 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 3591 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; Allow time to pass so that the global cache record is expired.
|
||||
STEP 13 TIME_PASSES ELAPSE 2
|
||||
|
||||
; Query again to verify that the record was prefetched and stored in the ECS
|
||||
; cache.
|
||||
STEP 15 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; This record came from the ECS cache.
|
||||
STEP 16 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 8 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 3598 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 3598 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue