system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-22 02:37:15 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

unbound: Vendor import 1.15.0

Browse source 
Vendor import GA release of unbound 1.15.0.

MFC after:      2 weeks
This commit is contained in:
Cy Schubert 2022-02-17 16:05:15 -08:00
parent 11c4d4b966 3574dc0bd8
commit 9cf5bc93f6
78 changed files with 2541 additions and 825 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
contrib/unbound/README.md
View file

@ -11,7 +11,7 @@ have any feedback, we would love to hear from you. Dont hesitate to
[create an issue on Github](https://github.com/NLnetLabs/unbound/issues/new)
or post a message on the [Unbound mailing list](https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users).
You can learn more about Unbound by reading our
[documentation](https://nlnetlabs.nl/documentation/unbound/).
[documentation](https://unbound.docs.nlnetlabs.nl/).
## Compiling
@ -33,7 +33,7 @@ support.
All of Unbound's configuration options are described in the man pages, which
will be installed and are available on the Unbound
[documentation page](https://nlnetlabs.nl/documentation/unbound/).
[documentation page](https://unbound.docs.nlnetlabs.nl/).
An example configuration file is located in
[doc/example.conf](https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in).

16
contrib/unbound/config.guess vendored
View file

@ -1,14 +1,14 @@
#! /bin/sh
# Attempt to guess a canonical system name.
# Copyright 1992-2021 Free Software Foundation, Inc.
# Copyright 1992-2022 Free Software Foundation, Inc.
# shellcheck disable=SC2006,SC2268 # see below for rationale
timestamp='2021-06-03'
timestamp='2022-01-09'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
@ -60,7 +60,7 @@ version="\
GNU config.guess ($timestamp)
Originally written by Per Bothner.
Copyright 1992-2021 Free Software Foundation, Inc.
Copyright 1992-2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -437,7 +437,7 @@ case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in
# This test works for both compilers.
if test "$CC_FOR_BUILD" != no_compiler_found; then
if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
(CCOPTS="" $CC_FOR_BUILD -m64 -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
SUN_ARCH=x86_64
@ -929,6 +929,9 @@ EOF
i*:PW*:*)
GUESS=$UNAME_MACHINE-pc-pw32
;;
*:SerenityOS:*:*)
GUESS=$UNAME_MACHINE-pc-serenity
;;
*:Interix*:*)
case $UNAME_MACHINE in
x86)
@ -1522,6 +1525,9 @@ EOF
i*86:rdos:*:*)
GUESS=$UNAME_MACHINE-pc-rdos
;;
i*86:Fiwix:*:*)
GUESS=$UNAME_MACHINE-pc-fiwix
;;
*:AROS:*:*)
GUESS=$UNAME_MACHINE-unknown-aros
;;

3
contrib/unbound/config.h.in
View file

@ -381,6 +381,9 @@
/* Define to 1 if you have the <netinet/tcp.h> header file. */
#undef HAVE_NETINET_TCP_H
/* Define to 1 if you have the <netioapi.h> header file. */
#undef HAVE_NETIOAPI_H
/* Use libnettle for crypto */
#undef HAVE_NETTLE

20
contrib/unbound/config.sub vendored
View file

@ -1,14 +1,14 @@
#! /bin/sh
# Configuration validation subroutine script.
# Copyright 1992-2021 Free Software Foundation, Inc.
# Copyright 1992-2022 Free Software Foundation, Inc.
# shellcheck disable=SC2006,SC2268 # see below for rationale
timestamp='2021-08-14'
timestamp='2022-01-03'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
@ -76,7 +76,7 @@ Report bugs and patches to <config-patches@gnu.org>."
version="\
GNU config.sub ($timestamp)
Copyright 1992-2021 Free Software Foundation, Inc.
Copyright 1992-2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -1020,6 +1020,11 @@ case $cpu-$vendor in
;;
# Here we normalize CPU types with a missing or matching vendor
armh-unknown | armh-alt)
cpu=armv7l
vendor=alt
basic_os=${basic_os:-linux-gnueabihf}
;;
dpx20-unknown | dpx20-bull)
cpu=rs6000
vendor=bull
@ -1121,7 +1126,7 @@ case $cpu-$vendor in
xscale-* | xscalee[bl]-*)
cpu=`echo "$cpu" | sed 's/^xscale/arm/'`
;;
arm64-*)
arm64-* | aarch64le-*)
cpu=aarch64
;;
@ -1304,7 +1309,7 @@ esac
if test x$basic_os != x
then
# First recognize some ad-hoc caes, or perhaps split kernel-os, or else just
# First recognize some ad-hoc cases, or perhaps split kernel-os, or else just
# set os.
case $basic_os in
gnu/linux*)
@ -1748,7 +1753,8 @@ case $os in
| skyos* | haiku* | rdos* | toppers* | drops* | es* \
| onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \
| midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \
| nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr*)
| nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr* \
| fiwix* )
;;
# This one is extra strict with allowed versions
sco3.2v2 | sco3.2v[4-9]* | sco5v6*)

72
contrib/unbound/configure vendored
View file

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.14.0.
# Generated by GNU Autoconf 2.69 for unbound 1.15.0.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
#
@ -591,8 +591,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.14.0'
PACKAGE_STRING='unbound 1.14.0'
PACKAGE_VERSION='1.15.0'
PACKAGE_STRING='unbound 1.15.0'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
PACKAGE_URL=''
@ -1466,7 +1466,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.14.0 to adapt to many kinds of systems.
\`configure' configures unbound 1.15.0 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1531,7 +1531,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.14.0:";;
short | recursive ) echo "Configuration of unbound 1.15.0:";;
esac
cat <<\_ACEOF
@ -1773,7 +1773,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.14.0
unbound configure 1.15.0
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2482,7 +2482,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by unbound $as_me 1.14.0, which was
It was created by unbound $as_me 1.15.0, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2832,13 +2832,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=14
UNBOUND_VERSION_MINOR=15
UNBOUND_VERSION_MICRO=0
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=14
LIBUNBOUND_REVISION=15
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -2920,6 +2920,7 @@ LIBUNBOUND_AGE=1
# 1.13.1 had 9:12:1
# 1.13.2 had 9:13:1
# 1.14.0 had 9:14:1
# 1.15.0 had 9:15:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -14812,6 +14813,51 @@ fi
done
for ac_header in netioapi.h
do :
ac_fn_c_check_header_compile "$LINENO" "netioapi.h" "ac_cv_header_netioapi_h" "$ac_includes_default
#if HAVE_SYS_PARAM_H
#include <sys/param.h>
#endif
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
#ifdef HAVE_SYS_UIO_H
#include <sys/uio.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#ifdef HAVE_WINSOCK2_H
#include <winsock2.h>
#endif
#ifdef HAVE_WS2TCPIP_H
#include <ws2tcpip.h>
#endif
"
if test "x$ac_cv_header_netioapi_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_NETIOAPI_H 1
_ACEOF
fi
done
# check for types.
# Using own tests for int64* because autoconf builtin only give 32bit.
@ -17895,7 +17941,7 @@ if test "`uname`" = "NetBSD"; then
fi
if test "`uname -o`" = "GNU/Linux"; then
if test "`uname`" = "Linux"; then
# splint cannot parse modern c99 header files
GCC_DOCKER_LINTFLAGS='-syntax'
@ -21840,7 +21886,7 @@ _ACEOF
version=1.14.0
version=1.15.0
date=`date +'%b %e, %Y'`
@ -22359,7 +22405,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.14.0, which was
This file was extended by unbound $as_me 1.15.0, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -22425,7 +22471,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.14.0
unbound config.status 1.15.0
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"

40
contrib/unbound/configure.ac
View file

@ -10,7 +10,7 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[14])
m4_define([VERSION_MINOR],[15])
m4_define([VERSION_MICRO],[0])
AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
@ -18,7 +18,7 @@ AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=14
LIBUNBOUND_REVISION=15
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -100,6 +100,7 @@ LIBUNBOUND_AGE=1
# 1.13.1 had 9:12:1
# 1.13.2 had 9:13:1
# 1.14.0 had 9:14:1
# 1.15.0 had 9:15:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -412,6 +413,39 @@ AC_CHECK_HEADERS([net/if.h],,, [
# Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
AC_CHECK_HEADERS([TargetConditionals.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([netioapi.h],,, [AC_INCLUDES_DEFAULT
#if HAVE_SYS_PARAM_H
#include <sys/param.h>
#endif
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
#ifdef HAVE_SYS_UIO_H
#include <sys/uio.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#ifdef HAVE_WINSOCK2_H
#include <winsock2.h>
#endif
#ifdef HAVE_WS2TCPIP_H
#include <ws2tcpip.h>
#endif
])
# check for types.
# Using own tests for int64* because autoconf builtin only give 32bit.
@ -782,7 +816,7 @@ if test "`uname`" = "NetBSD"; then
AC_SUBST(NETBSD_LINTFLAGS)
fi
if test "`uname -o`" = "GNU/Linux"; then
if test "`uname`" = "Linux"; then
# splint cannot parse modern c99 header files
GCC_DOCKER_LINTFLAGS='-syntax'
AC_SUBST(GCC_DOCKER_LINTFLAGS)

78
contrib/unbound/contrib/aaaa-filter-iterator.patch
View file

@ -1,8 +1,8 @@
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index f426ac5f..147fbfa9 100644
index 5a75e319..c6c6dbe2 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -872,6 +872,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when
@@ -970,6 +970,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when
this option in enabled. Only use if you know what you are doing.
This option only has effect when qname-minimisation is enabled. Default is no.
.TP
@ -17,10 +17,10 @@ index f426ac5f..147fbfa9 100644
Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
and other denials, using information from previous NXDOMAINs answers.
diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
index aae934dd..55c55de0 100644
index f093c1bf..e55a2246 100644
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -667,6 +667,32 @@ static int sanitize_nsec_is_overreach(struct rrset_parse* rrset,
@@ -679,6 +679,32 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
return 0;
}
@ -53,7 +53,7 @@ index aae934dd..55c55de0 100644
/**
* Given a response event, remove suspect RRsets from the response.
* "Suspect" rrsets are potentially poison. Note that this routine expects
@@ -686,6 +712,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
@@ -698,6 +724,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
struct iter_env* ie)
{
@ -61,7 +61,7 @@ index aae934dd..55c55de0 100644
int del_addi = 0; /* if additional-holding rrsets are deleted, we
do not trust the normalized additional-A-AAAA any more */
struct rrset_parse* rrset, *prev;
@@ -721,6 +748,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
@@ -733,6 +760,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
rrset = rrset->rrset_all_next;
}
@ -75,7 +75,7 @@ index aae934dd..55c55de0 100644
/* At this point, we brutally remove ALL rrsets that aren't
* children of the originating zone. The idea here is that,
* as far as we know, the server that we contacted is ONLY
@@ -732,6 +766,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
@@ -744,6 +778,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
rrset = msg->rrset_first;
while(rrset) {
@ -101,22 +101,22 @@ index aae934dd..55c55de0 100644
if( (rrset->type == LDNS_RR_TYPE_A ||
rrset->type == LDNS_RR_TYPE_AAAA)) {
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index 7bc67da6..e10f547a 100644
index 2482a1f4..bd5ba243 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -175,6 +175,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
}
@@ -177,6 +177,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
iter_env->supports_ipv6 = cfg->do_ip6;
iter_env->supports_ipv4 = cfg->do_ip4;
iter_env->outbound_msg_retry = cfg->outbound_msg_retry;
+ iter_env->aaaa_filter = cfg->aaaa_filter;
return 1;
}
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 23b07ea9..ca29b48c 100644
index 54006940..768fe202 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2127,6 +2127,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
@@ -2155,6 +2155,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
return 0;
}
@ -170,7 +170,7 @@ index 23b07ea9..ca29b48c 100644
/**
* This is the request event state where the request will be sent to one of
@@ -2186,6 +2233,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
@@ -2216,6 +2263,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
@ -184,7 +184,7 @@ index 23b07ea9..ca29b48c 100644
/* Make sure we have a delegation point, otherwise priming failed
* or another failure occurred */
if(!iq->dp) {
@@ -3574,6 +3628,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
@@ -3648,6 +3702,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
return 0;
}
@ -246,7 +246,7 @@ index 23b07ea9..ca29b48c 100644
/*
* Return priming query results to interested super querystates.
*
@@ -3593,6 +3702,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
@@ -3667,6 +3776,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
super->minfo[id])->state == DSNS_FIND_STATE)
processDSNSResponse(qstate, id, super);
@ -256,7 +256,7 @@ index 23b07ea9..ca29b48c 100644
else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
error_supers(qstate, id, super);
else if(qstate->is_priming)
@@ -3630,6 +3742,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
@@ -3704,6 +3816,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
case INIT_REQUEST_3_STATE:
cont = processInitRequest3(qstate, iq, id);
break;
@ -266,7 +266,7 @@ index 23b07ea9..ca29b48c 100644
case QUERYTARGETS_STATE:
cont = processQueryTargets(qstate, iq, ie, id);
break;
@@ -3961,6 +4076,8 @@ iter_state_to_string(enum iter_state state)
@@ -4040,6 +4155,8 @@ iter_state_to_string(enum iter_state state)
return "INIT REQUEST STATE (stage 2)";
case INIT_REQUEST_3_STATE:
return "INIT REQUEST STATE (stage 3)";
@ -275,7 +275,7 @@ index 23b07ea9..ca29b48c 100644
case QUERYTARGETS_STATE :
return "QUERY TARGETS STATE";
case PRIME_RESP_STATE :
@@ -3985,6 +4102,7 @@ iter_state_is_responsestate(enum iter_state s)
@@ -4064,6 +4181,7 @@ iter_state_is_responsestate(enum iter_state s)
case INIT_REQUEST_STATE :
case INIT_REQUEST_2_STATE :
case INIT_REQUEST_3_STATE :
@ -284,10 +284,10 @@ index 23b07ea9..ca29b48c 100644
case COLLECT_CLASS_STATE :
return 0;
diff --git a/iterator/iterator.h b/iterator/iterator.h
index 342ac207..731948d1 100644
index 8b840528..a61c4195 100644
--- a/iterator/iterator.h
+++ b/iterator/iterator.h
@@ -135,6 +135,9 @@ struct iter_env {
@@ -133,6 +133,9 @@ struct iter_env {
*/
int* target_fetch_policy;
@ -297,7 +297,7 @@ index 342ac207..731948d1 100644
/** lock on ratelimit counter */
lock_basic_type queries_ratelimit_lock;
/** number of queries that have been ratelimited */
@@ -186,6 +189,14 @@ enum iter_state {
@@ -187,6 +190,14 @@ enum iter_state {
*/
INIT_REQUEST_3_STATE,
@ -312,7 +312,7 @@ index 342ac207..731948d1 100644
/**
* Each time a delegation point changes for a given query or a
* query times out and/or wakes up, this state is (re)visited.
@@ -375,6 +386,13 @@ struct iter_qstate {
@@ -376,6 +387,13 @@ struct iter_qstate {
*/
int refetch_glue;
@ -327,10 +327,10 @@ index 342ac207..731948d1 100644
struct outbound_list outlist;
diff --git a/pythonmod/interface.i b/pythonmod/interface.i
index f08b575d..47f1bb2e 100644
index 1ca8686a..d91b19ec 100644
--- a/pythonmod/interface.i
+++ b/pythonmod/interface.i
@@ -975,6 +975,7 @@ struct config_file {
@@ -995,6 +995,7 @@ struct config_file {
int harden_dnssec_stripped;
int harden_referral_path;
int use_caps_bits_for_id;
@ -339,10 +339,10 @@ index f08b575d..47f1bb2e 100644
struct config_strlist* private_domain;
size_t unwanted_threshold;
diff --git a/util/config_file.c b/util/config_file.c
index 0ab8614a..729fb147 100644
index 969d664b..8d94b008 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -218,6 +218,7 @@ config_create(void)
@@ -231,6 +231,7 @@ config_create(void)
cfg->harden_referral_path = 0;
cfg->harden_algo_downgrade = 0;
cfg->use_caps_bits_for_id = 0;
@ -351,10 +351,10 @@ index 0ab8614a..729fb147 100644
cfg->private_address = NULL;
cfg->private_domain = NULL;
diff --git a/util/config_file.h b/util/config_file.h
index e61257a3..dabaa7bb 100644
index c7c9a0a4..e3aa15b0 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -260,6 +260,8 @@ struct config_file {
@@ -285,6 +285,8 @@ struct config_file {
int harden_algo_downgrade;
/** use 0x20 bits in query as random ID bits */
int use_caps_bits_for_id;
@ -364,38 +364,38 @@ index e61257a3..dabaa7bb 100644
struct config_strlist* caps_whitelist;
/** strip away these private addrs from answers, no DNS Rebinding */
diff --git a/util/configlexer.lex b/util/configlexer.lex
index 79a0edca..4eaec678 100644
index 34a0e5dd..c890be2a 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -304,6 +304,7 @@ harden-algo-downgrade{COLON} { YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) }
use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) }
@@ -317,6 +317,7 @@ use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) }
caps-whitelist{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) }
caps-exempt{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) }
unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
+aaaa-filter{COLON} { YDVAR(1, VAR_AAAA_FILTER) }
private-address{COLON} { YDVAR(1, VAR_PRIVATE_ADDRESS) }
private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) }
prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) }
diff --git a/util/configparser.y b/util/configparser.y
index 1d0e8658..f284dd43 100644
index d4f965f9..8cc237c6 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT
%token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT
%token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
%token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
+%token VAR_AAAA_FILTER
%token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
%token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
%token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
@@ -233,6 +234,7 @@ content_server: server_num_threads | server_verbosity | server_port |
@@ -247,6 +248,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
server_harden_referral_path | server_private_address |
server_private_domain | server_extended_statistics |
server_private_domain | server_extended_statistics |
+ server_aaaa_filter |
server_local_data_ptr | server_jostle_timeout |
server_unwanted_reply_threshold | server_log_time_ascii |
server_domain_insecure | server_val_sig_skew_min |
@@ -1563,6 +1565,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
server_local_data_ptr | server_jostle_timeout |
server_unwanted_reply_threshold | server_log_time_ascii |
server_domain_insecure | server_val_sig_skew_min |
@@ -1754,6 +1756,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
yyerror("out of memory");
}
;

57
contrib/unbound/daemon/remote.c
View file

@ -300,6 +300,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
*/
if(fd != -1) {
#ifdef HAVE_CHOWN
chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
if (cfg->username && cfg->username[0] &&
cfg_uid != (uid_t)-1) {
if(chown(ip, cfg_uid, cfg_gid) == -1)
@ -307,7 +308,6 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
(unsigned)cfg_uid, (unsigned)cfg_gid,
ip, strerror(errno));
}
chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
#else
(void)cfg;
#endif
@ -2015,7 +2015,7 @@ print_root_fwds(RES* ssl, struct iter_forwards* fwds, uint8_t* root)
/** parse args into delegpt */
static struct delegpt*
parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names)
parse_delegpt(RES* ssl, char* args, uint8_t* nm)
{
/* parse args and add in */
char* p = args;
@ -2037,40 +2037,35 @@ parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names)
}
/* parse address */
if(!authextstrtoaddr(todo, &addr, &addrlen, &auth_name)) {
if(allow_names) {
uint8_t* n = NULL;
size_t ln;
int lb;
if(!parse_arg_name(ssl, todo, &n, &ln, &lb)) {
(void)ssl_printf(ssl, "error cannot "
"parse IP address or name "
"'%s'\n", todo);
delegpt_free_mlc(dp);
return NULL;
}
if(!delegpt_add_ns_mlc(dp, n, 0)) {
(void)ssl_printf(ssl, "error out of memory\n");
free(n);
delegpt_free_mlc(dp);
return NULL;
}
free(n);
} else {
uint8_t* dname= NULL;
int port;
dname = authextstrtodname(todo, &port, &auth_name);
if(!dname) {
(void)ssl_printf(ssl, "error cannot parse"
" IP address '%s'\n", todo);
" '%s'\n", todo);
delegpt_free_mlc(dp);
return NULL;
}
#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
if(auth_name)
log_err("no name verification functionality in "
"ssl library, ignored name for %s", todo);
#endif
if(!delegpt_add_ns_mlc(dp, dname, 0, auth_name, port)) {
(void)ssl_printf(ssl, "error out of memory\n");
free(dname);
delegpt_free_mlc(dp);
return NULL;
}
} else {
#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
if(auth_name)
log_err("no name verification functionality in "
log_err("no name verification functionality in "
"ssl library, ignored name for %s", todo);
#endif
/* add address */
if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
auth_name)) {
auth_name, -1)) {
(void)ssl_printf(ssl, "error out of memory\n");
delegpt_free_mlc(dp);
return NULL;
@ -2103,7 +2098,7 @@ do_forward(RES* ssl, struct worker* worker, char* args)
forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, root);
} else {
struct delegpt* dp;
if(!(dp = parse_delegpt(ssl, args, root, 0)))
if(!(dp = parse_delegpt(ssl, args, root)))
return;
if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) {
(void)ssl_printf(ssl, "error out of memory\n");
@ -2149,7 +2144,7 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
/* parse dp */
if(dp) {
if(!(*dp = parse_delegpt(ssl, args, *nm, 1))) {
if(!(*dp = parse_delegpt(ssl, args, *nm))) {
free(*nm);
return 0;
}
@ -2865,6 +2860,8 @@ struct ratelimit_list_arg {
int all;
/** current time */
time_t now;
/** if backoff is enabled */
int backoff;
};
#define ip_ratelimit_list_arg ratelimit_list_arg
@ -2878,7 +2875,7 @@ rate_list(struct lruhash_entry* e, void* arg)
struct rate_data* d = (struct rate_data*)e->data;
char buf[257];
int lim = infra_find_ratelimit(a->infra, k->name, k->namelen);
int max = infra_rate_max(d, a->now);
int max = infra_rate_max(d, a->now, a->backoff);
if(a->all == 0) {
if(max < lim)
return;
@ -2896,7 +2893,7 @@ ip_rate_list(struct lruhash_entry* e, void* arg)
struct ip_rate_key* k = (struct ip_rate_key*)e->key;
struct ip_rate_data* d = (struct ip_rate_data*)e->data;
int lim = infra_ip_ratelimit;
int max = infra_rate_max(d, a->now);
int max = infra_rate_max(d, a->now, a->backoff);
if(a->all == 0) {
if(max < lim)
return;
@ -2914,6 +2911,7 @@ do_ratelimit_list(RES* ssl, struct worker* worker, char* arg)
a.infra = worker->env.infra_cache;
a.now = *worker->env.now;
a.ssl = ssl;
a.backoff = worker->env.cfg->ratelimit_backoff;
arg = skipwhite(arg);
if(strcmp(arg, "+a") == 0)
a.all = 1;
@ -2932,6 +2930,7 @@ do_ip_ratelimit_list(RES* ssl, struct worker* worker, char* arg)
a.infra = worker->env.infra_cache;
a.now = *worker->env.now;
a.ssl = ssl;
a.backoff = worker->env.cfg->ip_ratelimit_backoff;
arg = skipwhite(arg);
if(strcmp(arg, "+a") == 0)
a.all = 1;

18
contrib/unbound/daemon/worker.c
View file

@ -1167,7 +1167,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
/* check if this query should be dropped based on source ip rate limiting */
if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo,
*worker->env.now, c->buffer)) {
*worker->env.now,
worker->env.cfg->ip_ratelimit_backoff, c->buffer)) {
/* See if we are passed through with slip factor */
if(worker->env.cfg->ip_ratelimit_factor != 0 &&
ub_random_max(worker->env.rnd,
@ -1967,9 +1968,10 @@ worker_delete(struct worker* worker)
struct outbound_entry*
worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec,
int want_dnssec, int nocaps, struct sockaddr_storage* addr,
socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream,
int ssl_upstream, char* tls_auth_name, struct module_qstate* q)
int want_dnssec, int nocaps, int check_ratelimit,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
struct module_qstate* q, int* was_ratelimited)
{
struct worker* worker = q->env->worker;
struct outbound_entry* e = (struct outbound_entry*)regional_alloc(
@ -1978,9 +1980,10 @@ worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec,
return NULL;
e->qstate = q;
e->qsent = outnet_serviced_query(worker->back, qinfo, flags, dnssec,
want_dnssec, nocaps, tcp_upstream,
want_dnssec, nocaps, check_ratelimit, tcp_upstream,
ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, q,
worker_handle_service_reply, e, worker->back->udp_buff, q->env);
worker_handle_service_reply, e, worker->back->udp_buff, q->env,
was_ratelimited);
if(!e->qsent) {
return NULL;
}
@ -2024,10 +2027,11 @@ struct outbound_entry* libworker_send_query(
struct query_info* ATTR_UNUSED(qinfo),
uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec),
int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps),
int ATTR_UNUSED(check_ratelimit),
struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen),
uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
struct module_qstate* ATTR_UNUSED(q))
struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited))
{
log_assert(0);
return 0;

25
contrib/unbound/dnstap/dtstream.c
View file

@ -188,9 +188,9 @@ mq_wakeup_cb(void* arg)
/** start timer to wakeup dtio because there is content in the queue */
static void
dt_msg_queue_start_timer(struct dt_msg_queue* mq)
dt_msg_queue_start_timer(struct dt_msg_queue* mq, int wakeupnow)
{
struct timeval tv;
struct timeval tv = {0};
/* Start a timer to process messages to be logged.
* If we woke up the dtio thread for every message, the wakeup
* messages take up too much processing power. If the queue
@ -204,19 +204,26 @@ dt_msg_queue_start_timer(struct dt_msg_queue* mq)
/* do not start the timer if a timer already exists, perhaps
* in another worker. So this variable is protected by a lock in
* dtio */
* dtio. */
/* If we need to wakeupnow, 0 the timer to force the callback. */
lock_basic_lock(&mq->dtio->wakeup_timer_lock);
if(mq->dtio->wakeup_timer_enabled) {
if(wakeupnow) {
comm_timer_set(mq->wakeup_timer, &tv);
}
lock_basic_unlock(&mq->dtio->wakeup_timer_lock);
return;
}
mq->dtio->wakeup_timer_enabled = 1; /* we are going to start one */
lock_basic_unlock(&mq->dtio->wakeup_timer_lock);
/* start the timer, in mq, in the event base of our worker */
tv.tv_sec = 1;
tv.tv_usec = 0;
if(!wakeupnow) {
tv.tv_sec = 1;
tv.tv_usec = 0;
}
comm_timer_set(mq->wakeup_timer, &tv);
lock_basic_unlock(&mq->dtio->wakeup_timer_lock);
}
void
@ -283,10 +290,8 @@ dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len)
/* release lock */
lock_basic_unlock(&mq->lock);
if(wakeupnow) {
dtio_wakeup(mq->dtio);
} else if(wakeupstarttimer) {
dt_msg_queue_start_timer(mq);
if(wakeupnow || wakeupstarttimer) {
dt_msg_queue_start_timer(mq, wakeupnow);
}
}

10
contrib/unbound/dnstap/unbound-dnstap-socket.c
View file

@ -1413,11 +1413,12 @@ void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg))
struct outbound_entry* worker_send_query(
struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags),
int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit),
struct sockaddr_storage* ATTR_UNUSED(addr),
socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
struct module_qstate* ATTR_UNUSED(q))
struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited))
{
log_assert(0);
return 0;
@ -1446,11 +1447,12 @@ worker_alloc_cleanup(void* ATTR_UNUSED(arg))
struct outbound_entry* libworker_send_query(
struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags),
int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit),
struct sockaddr_storage* ATTR_UNUSED(addr),
socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
struct module_qstate* ATTR_UNUSED(q))
struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited))
{
log_assert(0);
return 0;

133
contrib/unbound/doc/Changelog
View file

@ -1,5 +1,138 @@
3 February 2022: Wouter
- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
2 February 2022: George
- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
- Merge PR #616: Update ratelimit logic. It also introduces
ratelimit-backoff and ip-ratelimit-backoff configuration options.
- Change aggressive-nsec default to yes.
- Merge PR #617: Update stub/forward-host notation to accept port and
tls-auth-name.
- Update stream_ssl.tdir test to also use the new forward-host
notation.
2 February 2022: Wouter
- Update version number in repo to 1.15.0 for upcoming release,
since it changes the aggressive-nsec default and the ratelimit change.
- Fix header comment for doxygen for authextstrtoaddr.
- please clang analyzer for loop in test code.
- Fix docker splint test to use more portable uname.
- Update contrib/aaaa-filter-iterator.patch with diff for current
software version.
1 February 2022: George
- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
internals.
31 January 2022: George
- Fix review comment for use-after-free when failing to send UDP out.
31 January 2022: Wouter
- iana portlist update.
29 January 2022: George
- Fix tls-* and ssl-* documented alternate syntax to also be available
through remote-control and unbound-checkconf.
- Better cleanup on failed DoT/DoH listening socket creation.
26 January 2022: George
- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
document.
26 January 2022: Wouter
- Test for NSID in SERVFAIL response due to DNSSEC bogus.
25 January 2022: George
- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
serviced_udp_callback.
- Merge PR #612: TCP race condition.
25 January 2022: Wouter
- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
19 January 2022: George
- For dnstap, do not wakeupnow right there. Instead zero the timer to
force the wakeup callback asap.
14 January 2022: George
- Merge PR #605:
- Fix EDNS to upstream where the same option could be attached
more than once.
- Add a region to serviced_query for allocations.
14 January 2022: Wouter
- Add rpz: for-downstream: yesno option, where the RPZ zone is
authoritatively answered for, so the RPZ zone contents can be
checked with DNS queries directed at the RPZ zone.
- For #602: Allow the module-config "subnetcache validator cachedb
iterator".
11 January 2022: George
- Fix prematurely terminated TCP queries when a reply has the same ID.
7 January 2022: Wouter
- Merge #600 from pemensik: Change file mode before changing file
owner.
5 January 2022: Wouter
- Fix for #596: fix that rpz return message is returned and not just
the rcode from the iterator return path. This fixes signal unset RA
after a CNAME.
- Fix unit tests for rpz now that the AA flag returns successfully from
the iterator loop.
- Fix for #596: add unit test for nsdname trigger and signal unset RA.
- Fix for #596: add unit test for nsip trigger and signal unset RA.
- Fix #598: Fix unbound-checkconf fatal error: module conf
'respip dns64 validator iterator' is not known to work.
- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
triggered operation.
4 January 2022: Wouter
- Fix #596: unset the RA bit when a query is blocked by an unbound
RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
signal that a domain is externally blocked to clients when it
is blocked with NXDOMAIN by unsetting RA.
- Fix to add test for rpz-signal-nxdomain-ra.
- Fix #596: only unset RA when NXDOMAIN is signalled.
- Fix that RPZ does not set RD flag on replies, it should be copied
from the query.
22 December 2021: George
- contrib/aaaa-filter-iterator.patch file renewed diff content to
apply cleanly to the current coderepo for the current code version.
20 December 2021: George
- Fix #591: Unbound-anchor manpage links to non-existent license file.
13 December 2021: George
- Add missing configure flags for optional features in the
documentation.
- Fix Unbound capitalization in the documentation.
13 December 2021: Wouter
- Fix to pick up other class local zone information before unlock.
10 December 2021: George
- Allow local-data for classes other than IN to inherit a configured
local-zone's type if possible, instead of defaulting to type
transparent as per the implicit rule.
10 December 2021: Wouter
- Add code similar to fix for ldns for tab between strings, for
consistency, the test case was not broken.
6 December 2021: Wouter
- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
warnings in rpz.
- Fix validator debug output about DS support, print correct algorithm.
3 December 2021: Wouter
- Fix compile warning for if_nametoindex on windows 64bit.
1 December 2021: Wouter
- configure is set to 1.14.0, and release branch.
This was released as version 1.14.0 on 9 Dec 2021, with the doxygen
fix below included. The main branch continues as 1.14.1.
- Fix doc/unbound.doxygen to remove obsolete tag warning.
1 December 2021: George

2
contrib/unbound/doc/README
View file

@ -1,4 +1,4 @@
README for Unbound 1.14.0
README for Unbound 1.15.0
Copyright 2007 NLnet Labs
http://unbound.net

63
contrib/unbound/doc/example.conf
View file

@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.14.0.
# See unbound.conf(5) man page, version 1.15.0.
#
# this is a comment.
@ -82,13 +82,13 @@ server:
# num-queries-per-thread, or, use as many as the OS will allow you.
# outgoing-range: 4096
# permit unbound to use this port number or port range for
# permit Unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
# outgoing-port-permit: 32768
# deny unbound the use this of port number or port range for
# deny Unbound the use this of port number or port range for
# making outgoing queries, using an outgoing interface.
# Use this to make sure unbound does not grab a UDP port that some
# Use this to make sure Unbound does not grab a UDP port that some
# other server on this computer needs. The default is to avoid
# IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options
@ -254,7 +254,7 @@ server:
# use-systemd: no
# Detach from the terminal, run in background, "yes" or "no".
# Set the value to "no" when unbound runs as systemd service.
# Set the value to "no" when Unbound runs as systemd service.
# do-daemonize: yes
# control which clients are allowed to make (recursive) queries
@ -307,7 +307,7 @@ server:
# The pid file can be absolute and outside of the chroot, it is
# written just prior to performing the chroot and dropping permissions.
#
# Additionally, unbound may need to access /dev/urandom (for entropy).
# Additionally, Unbound may need to access /dev/urandom (for entropy).
# How to do this is specific to your OS.
#
# If you give "" no chroot is performed. The path must not end in a /.
@ -442,7 +442,7 @@ server:
# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
# and other denials, using information from previous NXDOMAINs answers.
# aggressive-nsec: no
# aggressive-nsec: yes
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
@ -517,7 +517,7 @@ server:
# Use several entries, one per domain name, to track multiple zones.
#
# If you want to perform DNSSEC validation, run unbound-anchor before
# you start unbound (i.e. in the system boot scripts).
# you start Unbound (i.e. in the system boot scripts).
# And then enable the auto-trust-anchor-file config item.
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
@ -585,7 +585,7 @@ server:
# val-permissive-mode: no
# Ignore the CD flag in incoming queries and refuse them bogus data.
# Enable it if the only clients of unbound are legacy servers (w2008)
# Enable it if the only clients of Unbound are legacy servers (w2008)
# that set CD but cannot validate themselves.
# ignore-cd-flag: no
@ -615,7 +615,7 @@ server:
# Return the original TTL as received from the upstream name server rather
# than the decrementing TTL as stored in the cache. Enabling this feature
# does not impact cache expiry, it only changes the TTL unbound embeds in
# does not impact cache expiry, it only changes the TTL Unbound embeds in
# responses to queries. Note that enabling this feature implicitly disables
# enforcement of the configured minimum and maximum TTL.
# serve-original-ttl: no
@ -709,9 +709,9 @@ server:
# Add example.com into ipset
# local-zone: "example.com" ipset
# If unbound is running service for the local host then it is useful
# If Unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server
# long list of local-zones above. If this Unbound is a dns server
# for a network of computers, disabled is better and stops information
# leakage of local lan information.
# unblock-lan-zones: no
@ -860,6 +860,10 @@ server:
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
# ratelimit-factor: 10
# Aggressive rate limit when the limit is reached and until demand has
# decreased in a 2 second rate window.
# ratelimit-backoff: no
# override the ratelimit for a specific domain name.
# give this setting multiple times to have multiple overrides.
# ratelimit-for-domain: example.com 1000
@ -880,6 +884,10 @@ server:
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10
# Aggressive rate limit when the limit is reached and until demand has
# decreased in a 2 second rate window.
# ip-ratelimit-backoff: no
# Limit the number of connections simultaneous from a netblock
# tcp-connection-limit: 192.0.2.0/24 12
@ -889,7 +897,7 @@ server:
# the number of servers that will be used in the fast server selection.
# fast-server-num: 3
# Specific options for ipsecmod. unbound needs to be configured with
# Specific options for ipsecmod. Unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
#
# Enable or disable ipsecmod (it still needs to be defined in
@ -901,7 +909,7 @@ server:
# listed in module-config (above).
# ipsecmod-hook: "./my_executable"
#
# When enabled unbound will reply with SERVFAIL if the return value of
# When enabled Unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0.
# ipsecmod-strict: no
#
@ -966,10 +974,10 @@ remote-control:
# For local sockets this option is ignored, and TLS is not used.
# control-use-cert: "yes"
# unbound server key file.
# Unbound server key file.
# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
# unbound server certificate file.
# Unbound server certificate file.
# server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
# unbound-control key file.
@ -1072,8 +1080,9 @@ remote-control:
# local-zone: "example.com" refuse
# DNSCrypt
# To enable, use --enable-dnscrypt to configure before compiling.
# Caveats:
# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
# listen on `dnscrypt-port` with the follo0wing snippet:
@ -1092,7 +1101,9 @@ remote-control:
# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
# CacheDB
# Enable external backend DB as auxiliary cache. Specify the backend name
# External backend DB as auxiliary cache.
# To enable, use --enable-cachedb to configure before compiling.
# Specify the backend name
# (default is "testframe", which has no use other than for debugging and
# testing) and backend-specific options. The 'cachedb' module must be
# included in module-config, just before the iterator module.
@ -1102,6 +1113,7 @@ remote-control:
# secret-seed: "default"
#
# # For "redis" backend:
# # (to enable, use --with-libhiredis to configure before compiling)
# # redis server's IP address or host name
# redis-server-host: 127.0.0.1
# # redis server's TCP port
@ -1113,7 +1125,9 @@ remote-control:
# IPSet
# Add specify domain into set via ipset.
# Note: To enable ipset unbound needs to run as root user.
# To enable:
# o use --enable-ipset to configure before compiling;
# o Unbound then needs to run as root user.
# ipset:
# # set name for ip v4 addresses
# name-v4: "list-v4"
@ -1121,9 +1135,10 @@ remote-control:
# name-v6: "list-v6"
#
# Dnstap logging support, if compiled in. To enable, set the dnstap-enable
# to yes and also some of dnstap-log-..-messages to yes. And select an
# upstream log destination, by socket path, TCP or TLS destination.
# Dnstap logging support, if compiled in by using --enable-dnstap to configure.
# To enable, set the dnstap-enable to yes and also some of
# dnstap-log-..-messages to yes. And select an upstream log destination, by
# socket path, TCP or TLS destination.
# dnstap:
# dnstap-enable: no
# # if set to yes frame streams will be used in bidirectional mode
@ -1136,7 +1151,7 @@ remote-control:
# dnstap-tls: yes
# # name for authenticating the upstream server. or "" disabled.
# dnstap-tls-server-name: ""
# # if "", it uses the cert bundle from the main unbound config.
# # if "", it uses the cert bundle from the main Unbound config.
# dnstap-tls-cert-bundle: ""
# # key file for client authentication, or "" disabled.
# dnstap-tls-client-key-file: ""
@ -1172,4 +1187,6 @@ remote-control:
# rpz-cname-override: www.example.org
# rpz-log: yes
# rpz-log-name: "example policy"
# rpz-signal-nxdomain-ra: no
# for-downstream: no
# tags: "example"

63
contrib/unbound/doc/example.conf.in
View file

@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.14.0.
# See unbound.conf(5) man page, version 1.15.0.
#
# this is a comment.
@ -82,13 +82,13 @@ server:
# num-queries-per-thread, or, use as many as the OS will allow you.
# outgoing-range: 4096
# permit unbound to use this port number or port range for
# permit Unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
# outgoing-port-permit: 32768
# deny unbound the use this of port number or port range for
# deny Unbound the use this of port number or port range for
# making outgoing queries, using an outgoing interface.
# Use this to make sure unbound does not grab a UDP port that some
# Use this to make sure Unbound does not grab a UDP port that some
# other server on this computer needs. The default is to avoid
# IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options
@ -254,7 +254,7 @@ server:
# use-systemd: no
# Detach from the terminal, run in background, "yes" or "no".
# Set the value to "no" when unbound runs as systemd service.
# Set the value to "no" when Unbound runs as systemd service.
# do-daemonize: yes
# control which clients are allowed to make (recursive) queries
@ -307,7 +307,7 @@ server:
# The pid file can be absolute and outside of the chroot, it is
# written just prior to performing the chroot and dropping permissions.
#
# Additionally, unbound may need to access /dev/urandom (for entropy).
# Additionally, Unbound may need to access /dev/urandom (for entropy).
# How to do this is specific to your OS.
#
# If you give "" no chroot is performed. The path must not end in a /.
@ -442,7 +442,7 @@ server:
# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
# and other denials, using information from previous NXDOMAINs answers.
# aggressive-nsec: no
# aggressive-nsec: yes
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
@ -517,7 +517,7 @@ server:
# Use several entries, one per domain name, to track multiple zones.
#
# If you want to perform DNSSEC validation, run unbound-anchor before
# you start unbound (i.e. in the system boot scripts).
# you start Unbound (i.e. in the system boot scripts).
# And then enable the auto-trust-anchor-file config item.
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
@ -585,7 +585,7 @@ server:
# val-permissive-mode: no
# Ignore the CD flag in incoming queries and refuse them bogus data.
# Enable it if the only clients of unbound are legacy servers (w2008)
# Enable it if the only clients of Unbound are legacy servers (w2008)
# that set CD but cannot validate themselves.
# ignore-cd-flag: no
@ -615,7 +615,7 @@ server:
# Return the original TTL as received from the upstream name server rather
# than the decrementing TTL as stored in the cache. Enabling this feature
# does not impact cache expiry, it only changes the TTL unbound embeds in
# does not impact cache expiry, it only changes the TTL Unbound embeds in
# responses to queries. Note that enabling this feature implicitly disables
# enforcement of the configured minimum and maximum TTL.
# serve-original-ttl: no
@ -709,9 +709,9 @@ server:
# Add example.com into ipset
# local-zone: "example.com" ipset
# If unbound is running service for the local host then it is useful
# If Unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server
# long list of local-zones above. If this Unbound is a dns server
# for a network of computers, disabled is better and stops information
# leakage of local lan information.
# unblock-lan-zones: no
@ -860,6 +860,10 @@ server:
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
# ratelimit-factor: 10
# Aggressive rate limit when the limit is reached and until demand has
# decreased in a 2 second rate window.
# ratelimit-backoff: no
# override the ratelimit for a specific domain name.
# give this setting multiple times to have multiple overrides.
# ratelimit-for-domain: example.com 1000
@ -880,6 +884,10 @@ server:
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10
# Aggressive rate limit when the limit is reached and until demand has
# decreased in a 2 second rate window.
# ip-ratelimit-backoff: no
# Limit the number of connections simultaneous from a netblock
# tcp-connection-limit: 192.0.2.0/24 12
@ -889,7 +897,7 @@ server:
# the number of servers that will be used in the fast server selection.
# fast-server-num: 3
# Specific options for ipsecmod. unbound needs to be configured with
# Specific options for ipsecmod. Unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
#
# Enable or disable ipsecmod (it still needs to be defined in
@ -901,7 +909,7 @@ server:
# listed in module-config (above).
# ipsecmod-hook: "./my_executable"
#
# When enabled unbound will reply with SERVFAIL if the return value of
# When enabled Unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0.
# ipsecmod-strict: no
#
@ -966,10 +974,10 @@ remote-control:
# For local sockets this option is ignored, and TLS is not used.
# control-use-cert: "yes"
# unbound server key file.
# Unbound server key file.
# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
# unbound server certificate file.
# Unbound server certificate file.
# server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
# unbound-control key file.
@ -1072,8 +1080,9 @@ remote-control:
# local-zone: "example.com" refuse
# DNSCrypt
# To enable, use --enable-dnscrypt to configure before compiling.
# Caveats:
# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
# listen on `dnscrypt-port` with the follo0wing snippet:
@ -1092,7 +1101,9 @@ remote-control:
# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
# CacheDB
# Enable external backend DB as auxiliary cache. Specify the backend name
# External backend DB as auxiliary cache.
# To enable, use --enable-cachedb to configure before compiling.
# Specify the backend name
# (default is "testframe", which has no use other than for debugging and
# testing) and backend-specific options. The 'cachedb' module must be
# included in module-config, just before the iterator module.
@ -1102,6 +1113,7 @@ remote-control:
# secret-seed: "default"
#
# # For "redis" backend:
# # (to enable, use --with-libhiredis to configure before compiling)
# # redis server's IP address or host name
# redis-server-host: 127.0.0.1
# # redis server's TCP port
@ -1113,7 +1125,9 @@ remote-control:
# IPSet
# Add specify domain into set via ipset.
# Note: To enable ipset unbound needs to run as root user.
# To enable:
# o use --enable-ipset to configure before compiling;
# o Unbound then needs to run as root user.
# ipset:
# # set name for ip v4 addresses
# name-v4: "list-v4"
@ -1121,9 +1135,10 @@ remote-control:
# name-v6: "list-v6"
#
# Dnstap logging support, if compiled in. To enable, set the dnstap-enable
# to yes and also some of dnstap-log-..-messages to yes. And select an
# upstream log destination, by socket path, TCP or TLS destination.
# Dnstap logging support, if compiled in by using --enable-dnstap to configure.
# To enable, set the dnstap-enable to yes and also some of
# dnstap-log-..-messages to yes. And select an upstream log destination, by
# socket path, TCP or TLS destination.
# dnstap:
# dnstap-enable: no
# # if set to yes frame streams will be used in bidirectional mode
@ -1136,7 +1151,7 @@ remote-control:
# dnstap-tls: yes
# # name for authenticating the upstream server. or "" disabled.
# dnstap-tls-server-name: ""
# # if "", it uses the cert bundle from the main unbound config.
# # if "", it uses the cert bundle from the main Unbound config.
# dnstap-tls-cert-bundle: ""
# # key file for client authentication, or "" disabled.
# dnstap-tls-client-key-file: ""
@ -1172,4 +1187,6 @@ remote-control:
# rpz-cname-override: www.example.org
# rpz-log: yes
# rpz-log-name: "example policy"
# rpz-signal-nxdomain-ra: no
# for-downstream: no
# tags: "example"

4
contrib/unbound/doc/libunbound.3
View file

@ -1,4 +1,4 @@
.TH "libunbound" "3" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "libunbound" "3" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -44,7 +44,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.14.0 functions.
\- Unbound DNS validating resolver 1.15.0 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP

4
contrib/unbound/doc/libunbound.3.in
View file

@ -1,4 +1,4 @@
.TH "libunbound" "3" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "libunbound" "3" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -44,7 +44,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver 1.14.0 functions.
\- Unbound DNS validating resolver 1.15.0 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP

8
contrib/unbound/doc/unbound-anchor.8
View file

@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "unbound-anchor" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
@ -41,7 +41,7 @@ update certificate files.
.P
It tests if the root anchor file works, and if not, and an update is possible,
attempts to update the root anchor using the root update certificate.
It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
if all checks are successful, it updates the root anchor file. Otherwise
the root anchor file is unchanged. It performs RFC5011 tracking if the
DNSSEC information available via the DNS makes that possible.
@ -159,7 +159,7 @@ Or something more suitable for your operational environment.
The root keys and update certificate included in this tool
are provided for convenience and under the terms of our
license (see the LICENSE file in the source distribution or
http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or
https://github.com/NLnetLabs/unbound/blob/master/LICENSE) and might be stale or
not suitable to your purpose.
.P
By running "unbound\-anchor \-l" the keys and certificate that are
@ -185,5 +185,5 @@ Source for the root key information.
.I https://data.iana.org/root\-anchors/root\-anchors.p7s
Signature on the root key information.
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound.conf\fR(5),
\fIunbound\fR(8).

8
contrib/unbound/doc/unbound-anchor.8.in
View file

@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "unbound-anchor" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
@ -41,7 +41,7 @@ update certificate files.
.P
It tests if the root anchor file works, and if not, and an update is possible,
attempts to update the root anchor using the root update certificate.
It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
if all checks are successful, it updates the root anchor file. Otherwise
the root anchor file is unchanged. It performs RFC5011 tracking if the
DNSSEC information available via the DNS makes that possible.
@ -159,7 +159,7 @@ Or something more suitable for your operational environment.
The root keys and update certificate included in this tool
are provided for convenience and under the terms of our
license (see the LICENSE file in the source distribution or
http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or
https://github.com/NLnetLabs/unbound/blob/master/LICENSE) and might be stale or
not suitable to your purpose.
.P
By running "unbound\-anchor \-l" the keys and certificate that are
@ -185,5 +185,5 @@ Source for the root key information.
.I https://data.iana.org/root\-anchors/root\-anchors.p7s
Signature on the root key information.
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound.conf\fR(5),
\fIunbound\fR(8).

20
contrib/unbound/doc/unbound-checkconf.8
View file

@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "unbound-checkconf" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
@ -8,8 +8,8 @@
.\"
.\"
.SH "NAME"
.B unbound\-checkconf
\- Check unbound configuration file for errors.
unbound\-checkconf
\- Check Unbound configuration file for errors.
.SH "SYNOPSIS"
.B unbound\-checkconf
.RB [ \-h ]
@ -21,8 +21,8 @@
.B Unbound\-checkconf
checks the configuration file for the
\fIunbound\fR(8)
DNS resolver for syntax and other errors.
The config file syntax is described in
DNS resolver for syntax and other errors.
The config file syntax is described in
\fIunbound.conf\fR(5).
.P
The available options are:
@ -34,19 +34,19 @@ Show the version and commandline option help.
Print full pathname, with chroot applied to it. Use with the \-o option.
.TP
.B \-o\fI option
If given, after checking the config file the value of this option is
If given, after checking the config file the value of this option is
printed to stdout. For "" (disabled) options an empty line is printed.
.TP
.I cfgfile
The config file to read with settings for unbound. It is checked.
The config file to read with settings for Unbound. It is checked.
If omitted, the config file at the default location is checked.
.SH "EXIT CODE"
The unbound\-checkconf program exits with status code 1 on error,
The unbound\-checkconf program exits with status code 1 on error,
0 for a correct config file.
.SH "FILES"
.TP
.I @ub_conf_file@
unbound configuration file.
Unbound configuration file.
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound.conf\fR(5),
\fIunbound\fR(8).

20
contrib/unbound/doc/unbound-checkconf.8.in
View file

@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "unbound-checkconf" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
@ -8,8 +8,8 @@
.\"
.\"
.SH "NAME"
.B unbound\-checkconf
\- Check unbound configuration file for errors.
unbound\-checkconf
\- Check Unbound configuration file for errors.
.SH "SYNOPSIS"
.B unbound\-checkconf
.RB [ \-h ]
@ -21,8 +21,8 @@
.B Unbound\-checkconf
checks the configuration file for the
\fIunbound\fR(8)
DNS resolver for syntax and other errors.
The config file syntax is described in
DNS resolver for syntax and other errors.
The config file syntax is described in
\fIunbound.conf\fR(5).
.P
The available options are:
@ -34,19 +34,19 @@ Show the version and commandline option help.
Print full pathname, with chroot applied to it. Use with the \-o option.
.TP
.B \-o\fI option
If given, after checking the config file the value of this option is
If given, after checking the config file the value of this option is
printed to stdout. For "" (disabled) options an empty line is printed.
.TP
.I cfgfile
The config file to read with settings for unbound. It is checked.
The config file to read with settings for Unbound. It is checked.
If omitted, the config file at the default location is checked.
.SH "EXIT CODE"
The unbound\-checkconf program exits with status code 1 on error,
The unbound\-checkconf program exits with status code 1 on error,
0 for a correct config file.
.SH "FILES"
.TP
.I @ub_conf_file@
unbound configuration file.
Unbound configuration file.
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound.conf\fR(5),
\fIunbound\fR(8).

80
contrib/unbound/doc/unbound-control.8
View file

@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "unbound-control" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@ -14,15 +14,15 @@
.SH "SYNOPSIS"
.B unbound\-control
.RB [ \-hq ]
.RB [ \-c
.RB [ \-c
.IR cfgfile ]
.RB [ \-s
.RB [ \-s
.IR server ]
.IR command
.SH "DESCRIPTION"
.B Unbound\-control
performs remote administration on the \fIunbound\fR(8) DNS server.
It reads the configuration file, contacts the unbound server over SSL
It reads the configuration file, contacts the Unbound server over SSL
sends the command and displays the result.
.P
The available options are:
@ -44,8 +44,8 @@ quiet, if the option is given it does not print anything if it works ok.
There are several commands that the server understands.
.TP
.B start
Start the server. Simply execs \fIunbound\fR(8). The unbound executable
is searched for in the \fBPATH\fR set in the environment. It is started
Start the server. Simply execs \fIunbound\fR(8). The Unbound executable
is searched for in the \fBPATH\fR set in the environment. It is started
with the config file specified using \fI\-c\fR or the default config file.
.TP
.B stop
@ -65,8 +65,8 @@ daemon release the file it is logging to. If you are using syslog it will
attempt to close and open the syslog (which may not work if chrooted).
.TP
.B stats
Print statistics. Resets the internal counters to zero, this can be
controlled using the \fBstatistics\-cumulative\fR config statement.
Print statistics. Resets the internal counters to zero, this can be
controlled using the \fBstatistics\-cumulative\fR config statement.
Statistics are printed with one [name]: [value] per line.
.TP
.B stats_noreset
@ -74,7 +74,7 @@ Peek at statistics. Prints them like the \fBstats\fR command does, but does not
reset the internal counters to zero.
.TP
.B status
Display server status. Exit code 3 if not running (the connection to the
Display server status. Exit code 3 if not running (the connection to the
port is refused), 1 on error, 0 if running.
.TP
.B local_zone \fIname\fR \fItype
@ -88,14 +88,14 @@ it. If the zone does not exist, the command succeeds.
.B local_data \fIRR data...
Add new local data, the given resource record. Like \fBlocal\-data\fR
config statement, except for when no covering zone exists. In that case
this remote control command creates a transparent zone with the same
this remote control command creates a transparent zone with the same
name as this record.
.TP
.B local_data_remove \fIname
Remove all RR data from local name. If the name already has no items,
nothing happens. Often results in NXDOMAIN for the name (in a static zone),
but if the name has become an empty nonterminal (there is still data in
domain names below the removed name), NOERROR nodata answers are the
but if the name has become an empty nonterminal (there is still data in
domain names below the removed name), NOERROR nodata answers are the
result for that name.
.TP
.B local_zones
@ -125,22 +125,22 @@ in old or wrong data returned to clients. Loading data into the cache
in this way is supported in order to aid with debugging.
.TP
.B lookup \fIname
Print to stdout the name servers that would be used to look up the
Print to stdout the name servers that would be used to look up the
name specified.
.TP
.B flush \fIname
Remove the name from the cache. Removes the types
A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR.
Because that is fast to do. Other record types can be removed using
.B flush_type
or
Because that is fast to do. Other record types can be removed using
.B flush_type
or
.B flush_zone\fR.
.TP
.B flush_type \fIname\fR \fItype
Remove the name, type information from the cache.
.TP
.B flush_zone \fIname
Remove all information at or below the name from the cache.
Remove all information at or below the name from the cache.
The rrsets and key entries are removed so that new lookups will be performed.
This needs to walk and inspect the entire cache, and is a slow operation.
The entries are set to expired in the implementation of this command (so,
@ -187,7 +187,7 @@ therefore not flushed. The option must end with a ':' and whitespace
must be between the option and the value. Some values may not have an
effect if set this way, the new values are not written to the config file,
not all options are supported. This is different from the set_option call
in libunbound, where all values work because unbound has not been initialized.
in libunbound, where all values work because Unbound has not been initialized.
.IP
The values that work are: statistics\-interval, statistics\-cumulative,
do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
@ -227,36 +227,36 @@ List the local data RRs in use. The resource records are printed.
.TP
.B insecure_add \fIzone
Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf.
Adds to the running unbound without affecting the cache contents (which may
Adds to the running Unbound without affecting the cache contents (which may
still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file.
.TP
.B insecure_remove \fIzone
Removes domain\-insecure for the given zone.
.TP
.B forward_add \fR[\fI+i\fR] \fIzone addr ...
Add a new forward zone to running unbound. With +i option also adds a
Add a new forward zone to running Unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
a DNSSEC root trust anchor configured for other names).
The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
in unbound.conf.
.TP
.B forward_remove \fR[\fI+i\fR] \fIzone
Remove a forward zone from running unbound. The +i also removes a
Remove a forward zone from running Unbound. The +i also removes a
\fIdomain\-insecure\fR for the zone.
.TP
.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
Add a new stub zone to running unbound. With +i option also adds a
Add a new stub zone to running Unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime,
without it it is set to notprime. The addr can be IP4, IP6 or nameserver
names, like the \fIstub-zone\fR config in unbound.conf.
.TP
.B stub_remove \fR[\fI+i\fR] \fIzone
Remove a stub zone from running unbound. The +i also removes a
Remove a stub zone from running Unbound. The +i also removes a
\fIdomain\-insecure\fR for the zone.
.TP
.B forward \fR[\fIoff\fR | \fIaddr ...\fR ]
Setup forwarding mode. Configures if the server should ask other upstream
nameservers, should go to the internet root nameservers itself, or show
nameservers, should go to the internet root nameservers itself, or show
the current config. You could pass the nameservers after a DHCP update.
.IP
Without arguments the current list of addresses used to forward all queries
@ -296,7 +296,7 @@ status, indicating if the zone is expired and current serial number.
Reload the auth zone from zonefile. The zonefile is read in overwriting
the current contents of the zone in memory. This changes the auth zone
contents itself, not the cache contents. Such cache contents exists if
you set unbound to validate with for-upstream yes and that can be cleared
you set Unbound to validate with for-upstream yes and that can be cleared
with \fBflush_zone\fR \fIzone\fR.
.TP
.B auth_zone_transfer \fIzone\fR
@ -336,7 +336,7 @@ Add a list of \fIlocal_data\fR for given view from stdin. Like local_datas.
.SH "EXIT CODE"
The unbound\-control program exits with status code 1 on error, 0 on success.
.SH "SET UP"
The setup requires a self\-signed certificate and private keys for both
The setup requires a self\-signed certificate and private keys for both
the server and client. The script \fIunbound\-control\-setup\fR generates
these in the default run directory, or with \-d in another directory.
If you change the access control permissions on the key files you can decide
@ -350,7 +350,7 @@ If you have not configured
a username in unbound.conf, the keys need read permission for the user
credentials under which the daemon is started.
The script preserves private keys present in the directory.
After running the script as root, turn on \fBcontrol\-enable\fR in
After running the script as root, turn on \fBcontrol\-enable\fR in
\fIunbound.conf\fR.
.SH "STATISTIC COUNTERS"
The \fIstats\fR command shows a number of statistic counters.
@ -417,8 +417,8 @@ Average time it took to answer queries that needed recursive processing. Note th
.TP
.I threadX.recursion.time.median
The median of the time it took to answer queries that needed recursive
processing. The median means that 50% of the user queries were answered in
less than this time. Because of big outliers (usually queries to non
processing. The median means that 50% of the user queries were answered in
less than this time. Because of big outliers (usually queries to non
responsive servers), the average can be bigger than the median. This median
has been calculated by interpolation from a histogram.
.TP
@ -544,32 +544,32 @@ The total number of queries over all threads with query opcode QUERY.
Also printed for other opcodes, UPDATE, ...
.TP
.I num.query.tcp
Number of queries that were made using TCP towards the unbound server.
Number of queries that were made using TCP towards the Unbound server.
.TP
.I num.query.tcpout
Number of queries that the unbound server made using TCP outgoing towards
Number of queries that the Unbound server made using TCP outgoing towards
other servers.
.TP
.I num.query.tls
Number of queries that were made using TLS towards the unbound server.
Number of queries that were made using TLS towards the Unbound server.
These are also counted in num.query.tcp, because TLS uses TCP.
.TP
.I num.query.tls.resume
Number of TLS session resumptions, these are queries over TLS towards
the unbound server where the client negotiated a TLS session resumption key.
the Unbound server where the client negotiated a TLS session resumption key.
.TP
.I num.query.https
Number of queries that were made using HTTPS towards the unbound server.
Number of queries that were made using HTTPS towards the Unbound server.
These are also counted in num.query.tcp and num.query.tls, because HTTPS
uses TLS and TCP.
.TP
.I num.query.ipv6
Number of queries that were made using IPv6 towards the unbound server.
Number of queries that were made using IPv6 towards the Unbound server.
.TP
.I num.query.flags.RD
The number of queries that had the RD flag set in the header.
Also printed for flags QR, AA, TC, RA, Z, AD, CD.
Note that queries with flags QR, AA or TC may have been rejected
Note that queries with flags QR, AA or TC may have been rejected
because of that.
.TP
.I num.query.edns.present
@ -603,7 +603,7 @@ These queries are also included in the num.answer.rcode.NOERROR number.
Common for AAAA lookups when an A record exists, and no AAAA.
.TP
.I num.answer.secure
Number of answers that were secure. The answer validated correctly.
Number of answers that were secure. The answer validated correctly.
The AD bit might have been set in some of these answers, where the client
signalled (with DO or AD bit in the query) that they were ready to accept
the AD bit in the answer.
@ -644,7 +644,7 @@ per delegation point, and their validation status.
.I dnscrypt_shared_secret.cache.count
The number of items in the shared secret cache. These are precomputed shared
secrets for a given client public key/server secret key pair. Shared secrets
are CPU intensive and this cache allows unbound to avoid recomputing the
are CPU intensive and this cache allows Unbound to avoid recomputing the
shared secret when multiple dnscrypt queries are sent from the same client.
.TP
.I dnscrypt_nonce.cache.count
@ -689,11 +689,11 @@ disabled, and cname\-override.
.SH "FILES"
.TP
.I @ub_conf_file@
unbound configuration file.
Unbound configuration file.
.TP
.I @UNBOUND_RUN_DIR@
directory with private keys (unbound_server.key and unbound_control.key) and
self\-signed certificates (unbound_server.pem and unbound_control.pem).
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound.conf\fR(5),
\fIunbound\fR(8).

80
contrib/unbound/doc/unbound-control.8.in
View file

@ -1,4 +1,4 @@
.TH "unbound-control" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "unbound-control" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@ -14,15 +14,15 @@
.SH "SYNOPSIS"
.B unbound\-control
.RB [ \-hq ]
.RB [ \-c
.RB [ \-c
.IR cfgfile ]
.RB [ \-s
.RB [ \-s
.IR server ]
.IR command
.SH "DESCRIPTION"
.B Unbound\-control
performs remote administration on the \fIunbound\fR(8) DNS server.
It reads the configuration file, contacts the unbound server over SSL
It reads the configuration file, contacts the Unbound server over SSL
sends the command and displays the result.
.P
The available options are:
@ -44,8 +44,8 @@ quiet, if the option is given it does not print anything if it works ok.
There are several commands that the server understands.
.TP
.B start
Start the server. Simply execs \fIunbound\fR(8). The unbound executable
is searched for in the \fBPATH\fR set in the environment. It is started
Start the server. Simply execs \fIunbound\fR(8). The Unbound executable
is searched for in the \fBPATH\fR set in the environment. It is started
with the config file specified using \fI\-c\fR or the default config file.
.TP
.B stop
@ -65,8 +65,8 @@ daemon release the file it is logging to. If you are using syslog it will
attempt to close and open the syslog (which may not work if chrooted).
.TP
.B stats
Print statistics. Resets the internal counters to zero, this can be
controlled using the \fBstatistics\-cumulative\fR config statement.
Print statistics. Resets the internal counters to zero, this can be
controlled using the \fBstatistics\-cumulative\fR config statement.
Statistics are printed with one [name]: [value] per line.
.TP
.B stats_noreset
@ -74,7 +74,7 @@ Peek at statistics. Prints them like the \fBstats\fR command does, but does not
reset the internal counters to zero.
.TP
.B status
Display server status. Exit code 3 if not running (the connection to the
Display server status. Exit code 3 if not running (the connection to the
port is refused), 1 on error, 0 if running.
.TP
.B local_zone \fIname\fR \fItype
@ -88,14 +88,14 @@ it. If the zone does not exist, the command succeeds.
.B local_data \fIRR data...
Add new local data, the given resource record. Like \fBlocal\-data\fR
config statement, except for when no covering zone exists. In that case
this remote control command creates a transparent zone with the same
this remote control command creates a transparent zone with the same
name as this record.
.TP
.B local_data_remove \fIname
Remove all RR data from local name. If the name already has no items,
nothing happens. Often results in NXDOMAIN for the name (in a static zone),
but if the name has become an empty nonterminal (there is still data in
domain names below the removed name), NOERROR nodata answers are the
but if the name has become an empty nonterminal (there is still data in
domain names below the removed name), NOERROR nodata answers are the
result for that name.
.TP
.B local_zones
@ -125,22 +125,22 @@ in old or wrong data returned to clients. Loading data into the cache
in this way is supported in order to aid with debugging.
.TP
.B lookup \fIname
Print to stdout the name servers that would be used to look up the
Print to stdout the name servers that would be used to look up the
name specified.
.TP
.B flush \fIname
Remove the name from the cache. Removes the types
A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR.
Because that is fast to do. Other record types can be removed using
.B flush_type
or
Because that is fast to do. Other record types can be removed using
.B flush_type
or
.B flush_zone\fR.
.TP
.B flush_type \fIname\fR \fItype
Remove the name, type information from the cache.
.TP
.B flush_zone \fIname
Remove all information at or below the name from the cache.
Remove all information at or below the name from the cache.
The rrsets and key entries are removed so that new lookups will be performed.
This needs to walk and inspect the entire cache, and is a slow operation.
The entries are set to expired in the implementation of this command (so,
@ -187,7 +187,7 @@ therefore not flushed. The option must end with a ':' and whitespace
must be between the option and the value. Some values may not have an
effect if set this way, the new values are not written to the config file,
not all options are supported. This is different from the set_option call
in libunbound, where all values work because unbound has not been initialized.
in libunbound, where all values work because Unbound has not been initialized.
.IP
The values that work are: statistics\-interval, statistics\-cumulative,
do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
@ -227,36 +227,36 @@ List the local data RRs in use. The resource records are printed.
.TP
.B insecure_add \fIzone
Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf.
Adds to the running unbound without affecting the cache contents (which may
Adds to the running Unbound without affecting the cache contents (which may
still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file.
.TP
.B insecure_remove \fIzone
Removes domain\-insecure for the given zone.
.TP
.B forward_add \fR[\fI+i\fR] \fIzone addr ...
Add a new forward zone to running unbound. With +i option also adds a
Add a new forward zone to running Unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
a DNSSEC root trust anchor configured for other names).
The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
in unbound.conf.
.TP
.B forward_remove \fR[\fI+i\fR] \fIzone
Remove a forward zone from running unbound. The +i also removes a
Remove a forward zone from running Unbound. The +i also removes a
\fIdomain\-insecure\fR for the zone.
.TP
.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
Add a new stub zone to running unbound. With +i option also adds a
Add a new stub zone to running Unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime,
without it it is set to notprime. The addr can be IP4, IP6 or nameserver
names, like the \fIstub-zone\fR config in unbound.conf.
.TP
.B stub_remove \fR[\fI+i\fR] \fIzone
Remove a stub zone from running unbound. The +i also removes a
Remove a stub zone from running Unbound. The +i also removes a
\fIdomain\-insecure\fR for the zone.
.TP
.B forward \fR[\fIoff\fR | \fIaddr ...\fR ]
Setup forwarding mode. Configures if the server should ask other upstream
nameservers, should go to the internet root nameservers itself, or show
nameservers, should go to the internet root nameservers itself, or show
the current config. You could pass the nameservers after a DHCP update.
.IP
Without arguments the current list of addresses used to forward all queries
@ -296,7 +296,7 @@ status, indicating if the zone is expired and current serial number.
Reload the auth zone from zonefile. The zonefile is read in overwriting
the current contents of the zone in memory. This changes the auth zone
contents itself, not the cache contents. Such cache contents exists if
you set unbound to validate with for-upstream yes and that can be cleared
you set Unbound to validate with for-upstream yes and that can be cleared
with \fBflush_zone\fR \fIzone\fR.
.TP
.B auth_zone_transfer \fIzone\fR
@ -336,7 +336,7 @@ Add a list of \fIlocal_data\fR for given view from stdin. Like local_datas.
.SH "EXIT CODE"
The unbound\-control program exits with status code 1 on error, 0 on success.
.SH "SET UP"
The setup requires a self\-signed certificate and private keys for both
The setup requires a self\-signed certificate and private keys for both
the server and client. The script \fIunbound\-control\-setup\fR generates
these in the default run directory, or with \-d in another directory.
If you change the access control permissions on the key files you can decide
@ -350,7 +350,7 @@ If you have not configured
a username in unbound.conf, the keys need read permission for the user
credentials under which the daemon is started.
The script preserves private keys present in the directory.
After running the script as root, turn on \fBcontrol\-enable\fR in
After running the script as root, turn on \fBcontrol\-enable\fR in
\fIunbound.conf\fR.
.SH "STATISTIC COUNTERS"
The \fIstats\fR command shows a number of statistic counters.
@ -417,8 +417,8 @@ Average time it took to answer queries that needed recursive processing. Note th
.TP
.I threadX.recursion.time.median
The median of the time it took to answer queries that needed recursive
processing. The median means that 50% of the user queries were answered in
less than this time. Because of big outliers (usually queries to non
processing. The median means that 50% of the user queries were answered in
less than this time. Because of big outliers (usually queries to non
responsive servers), the average can be bigger than the median. This median
has been calculated by interpolation from a histogram.
.TP
@ -544,32 +544,32 @@ The total number of queries over all threads with query opcode QUERY.
Also printed for other opcodes, UPDATE, ...
.TP
.I num.query.tcp
Number of queries that were made using TCP towards the unbound server.
Number of queries that were made using TCP towards the Unbound server.
.TP
.I num.query.tcpout
Number of queries that the unbound server made using TCP outgoing towards
Number of queries that the Unbound server made using TCP outgoing towards
other servers.
.TP
.I num.query.tls
Number of queries that were made using TLS towards the unbound server.
Number of queries that were made using TLS towards the Unbound server.
These are also counted in num.query.tcp, because TLS uses TCP.
.TP
.I num.query.tls.resume
Number of TLS session resumptions, these are queries over TLS towards
the unbound server where the client negotiated a TLS session resumption key.
the Unbound server where the client negotiated a TLS session resumption key.
.TP
.I num.query.https
Number of queries that were made using HTTPS towards the unbound server.
Number of queries that were made using HTTPS towards the Unbound server.
These are also counted in num.query.tcp and num.query.tls, because HTTPS
uses TLS and TCP.
.TP
.I num.query.ipv6
Number of queries that were made using IPv6 towards the unbound server.
Number of queries that were made using IPv6 towards the Unbound server.
.TP
.I num.query.flags.RD
The number of queries that had the RD flag set in the header.
Also printed for flags QR, AA, TC, RA, Z, AD, CD.
Note that queries with flags QR, AA or TC may have been rejected
Note that queries with flags QR, AA or TC may have been rejected
because of that.
.TP
.I num.query.edns.present
@ -603,7 +603,7 @@ These queries are also included in the num.answer.rcode.NOERROR number.
Common for AAAA lookups when an A record exists, and no AAAA.
.TP
.I num.answer.secure
Number of answers that were secure. The answer validated correctly.
Number of answers that were secure. The answer validated correctly.
The AD bit might have been set in some of these answers, where the client
signalled (with DO or AD bit in the query) that they were ready to accept
the AD bit in the answer.
@ -644,7 +644,7 @@ per delegation point, and their validation status.
.I dnscrypt_shared_secret.cache.count
The number of items in the shared secret cache. These are precomputed shared
secrets for a given client public key/server secret key pair. Shared secrets
are CPU intensive and this cache allows unbound to avoid recomputing the
are CPU intensive and this cache allows Unbound to avoid recomputing the
shared secret when multiple dnscrypt queries are sent from the same client.
.TP
.I dnscrypt_nonce.cache.count
@ -689,11 +689,11 @@ disabled, and cname\-override.
.SH "FILES"
.TP
.I @ub_conf_file@
unbound configuration file.
Unbound configuration file.
.TP
.I @UNBOUND_RUN_DIR@
directory with private keys (unbound_server.key and unbound_control.key) and
self\-signed certificates (unbound_server.pem and unbound_control.pem).
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound.conf\fR(5),
\fIunbound\fR(8).

16
contrib/unbound/doc/unbound-host.1
View file

@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "unbound\-host" "1" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
@ -15,7 +15,7 @@
.RB [ \-C
.IR configfile ]
.RB [ \-vdhr46D ]
.RB [ \-c
.RB [ \-c
.IR class ]
.RB [ \-t
.IR type ]
@ -28,12 +28,12 @@
.I hostname
.SH "DESCRIPTION"
.B Unbound\-host
uses the unbound validating resolver to query for the hostname and display
results. With the \fB\-v\fR option it displays validation
uses the Unbound validating resolver to query for the hostname and display
results. With the \fB\-v\fR option it displays validation
status: secure, insecure, bogus (security failure).
.P
By default it reads no configuration file whatsoever. It attempts to reach
the internet root servers. With \fB\-C\fR an unbound config file and with
the internet root servers. With \fB\-C\fR an Unbound config file and with
\fB\-r\fR resolv.conf can be read.
.P
The available options are:
@ -73,7 +73,7 @@ For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546
.TP
.B \-D
Enables DNSSEC validation. Reads the root anchor from the default configured
root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR.
root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR.
.TP
.B \-f \fIkeyfile
Reads keys from a file. Every line has a DS or DNSKEY record, in the format
@ -110,9 +110,9 @@ $ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325
.P
$ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153
.SH "EXIT CODE"
The unbound\-host program exits with status code 1 on error,
The unbound\-host program exits with status code 1 on error,
0 on no error. The data may not be available on exit code 0, exit code 1
means the lookup encountered a fatal error.
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound.conf\fR(5),
\fIunbound\fR(8).

16
contrib/unbound/doc/unbound-host.1.in
View file

@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "unbound\-host" "1" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
@ -15,7 +15,7 @@
.RB [ \-C
.IR configfile ]
.RB [ \-vdhr46D ]
.RB [ \-c
.RB [ \-c
.IR class ]
.RB [ \-t
.IR type ]
@ -28,12 +28,12 @@
.I hostname
.SH "DESCRIPTION"
.B Unbound\-host
uses the unbound validating resolver to query for the hostname and display
results. With the \fB\-v\fR option it displays validation
uses the Unbound validating resolver to query for the hostname and display
results. With the \fB\-v\fR option it displays validation
status: secure, insecure, bogus (security failure).
.P
By default it reads no configuration file whatsoever. It attempts to reach
the internet root servers. With \fB\-C\fR an unbound config file and with
the internet root servers. With \fB\-C\fR an Unbound config file and with
\fB\-r\fR resolv.conf can be read.
.P
The available options are:
@ -73,7 +73,7 @@ For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546
.TP
.B \-D
Enables DNSSEC validation. Reads the root anchor from the default configured
root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR.
root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR.
.TP
.B \-f \fIkeyfile
Reads keys from a file. Every line has a DS or DNSKEY record, in the format
@ -110,9 +110,9 @@ $ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325
.P
$ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153
.SH "EXIT CODE"
The unbound\-host program exits with status code 1 on error,
The unbound\-host program exits with status code 1 on error,
0 on no error. The data may not be available on exit code 0, exit code 1
means the lookup encountered a fatal error.
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound.conf\fR(5),
\fIunbound\fR(8).

8
contrib/unbound/doc/unbound.8
View file

@ -1,4 +1,4 @@
.TH "unbound" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "unbound" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.14.0.
\- Unbound DNS validating resolver 1.15.0.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
@ -57,7 +57,7 @@ The available options are:
Show the version number and commandline option help, and exit.
.TP
.B \-c\fI cfgfile
Set the config file with settings for unbound to read instead of reading the
Set the config file with settings for Unbound to read instead of reading the
file at the default location, @ub_conf_file@. The syntax is
described in \fIunbound.conf\fR(5).
.TP
@ -70,7 +70,7 @@ or to syslog, but the log messages are printed to stderr all the time.
.TP
.B \-p
Don't use a pidfile. This argument should only be used by supervision
systems which can ensure that only one instance of unbound will run
systems which can ensure that only one instance of Unbound will run
concurrently.
.TP
.B \-v

8
contrib/unbound/doc/unbound.8.in
View file

@ -1,4 +1,4 @@
.TH "unbound" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "unbound" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver 1.14.0.
\- Unbound DNS validating resolver 1.15.0.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
@ -57,7 +57,7 @@ The available options are:
Show the version number and commandline option help, and exit.
.TP
.B \-c\fI cfgfile
Set the config file with settings for unbound to read instead of reading the
Set the config file with settings for Unbound to read instead of reading the
file at the default location, @ub_conf_file@. The syntax is
described in \fIunbound.conf\fR(5).
.TP
@ -70,7 +70,7 @@ or to syslog, but the log messages are printed to stderr all the time.
.TP
.B \-p
Don't use a pidfile. This argument should only be used by supervision
systems which can ensure that only one instance of unbound will run
systems which can ensure that only one instance of Unbound will run
concurrently.
.TP
.B \-v

242
contrib/unbound/doc/unbound.conf.5
View file

@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "unbound.conf" "5" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -104,7 +104,7 @@ requestlist statistics are printed for every interval (but can be 0).
This is because the median calculation requires data to be present.
.TP
.B statistics\-cumulative: \fI<yes or no>
If enabled, statistics are cumulative since starting unbound, without clearing
If enabled, statistics are cumulative since starting Unbound, without clearing
the statistics counters after logging the statistics. Default is no.
.TP
.B extended\-statistics: \fI<yes or no>
@ -136,7 +136,7 @@ Same as interface: (for ease of compatibility with nsd.conf).
Listen on all addresses on all (current and future) interfaces, detect the
source interface on UDP queries and copy them to replies. This is a lot like
ip\-transparent, but this option services all interfaces whilst with
ip\-transparent you can select which (future) interfaces unbound provides
ip\-transparent you can select which (future) interfaces Unbound provides
service on. This feature is experimental, and needs support in your OS for
particular socket options. Default value is no.
.TP
@ -154,7 +154,7 @@ sent via a random outgoing interface to counter spoofing.
If an IPv6 netblock is specified instead of an individual IPv6 address,
outgoing UDP queries will use a randomised source address taken from the
netblock to counter spoofing. Requires the IPv6 netblock to be routed to the
host running unbound, and requires OS support for unprivileged non-local binds
host running Unbound, and requires OS support for unprivileged non-local binds
(currently only supported on Linux). Several netblocks may be specified with
multiple
.B outgoing\-interface:
@ -174,7 +174,7 @@ numbers need extra resources from the operating system. For performance a
very large value is best, use libevent to make this possible.
.TP
.B outgoing\-port\-permit: \fI<port number or range>
Permit unbound to open this port or range of ports for use to send queries.
Permit Unbound to open this port or range of ports for use to send queries.
A larger number of permitted outgoing ports increases resilience against
spoofing attempts. Make sure these ports are not needed by other daemons.
By default only ports above 1024 that have not been assigned by IANA are used.
@ -187,8 +187,8 @@ processing starts with the non IANA allocated ports above 1024 in the set
of allowed ports.
.TP
.B outgoing\-port\-avoid: \fI<port number or range>
Do not permit unbound to open this port or range of ports for use to send
queries. Use this to make sure unbound does not grab a port that another
Do not permit Unbound to open this port or range of ports for use to send
queries. Use this to make sure Unbound does not grab a port that another
daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
By default only ports above 1024 that have not been assigned by IANA are used.
Give a port number or a range of the form "low\-high", without spaces.
@ -289,7 +289,7 @@ If not 0, then set the SO_RCVBUF socket option to get more buffer
space on UDP port 53 incoming queries. So that short spikes on busy
servers do not drop packets (see counter in netstat \-su). Default is
0 (use system value). Otherwise, the number of bytes to ask for, try
"4m" on a busy server. The OS caps it at a maximum, on linux unbound
"4m" on a busy server. The OS caps it at a maximum, on linux Unbound
needs root permission to bypass the limit, or the admin can use sysctl
net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf.
On OpenBSD change header and recompile kernel. On Solaris ndd \-set
@ -302,7 +302,7 @@ in answer traffic, otherwise 'send: resource temporarily unavailable'
can get logged, the buffer overrun is also visible by netstat \-su.
Default is 0 (use system value). Specify the number of bytes to ask
for, try "4m" on a very busy server. The OS caps it at a maximum, on
linux unbound needs root permission to bypass the limit, or the admin
linux Unbound needs root permission to bypass the limit, or the admin
can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
to so\-rcvbuf.
.TP
@ -319,18 +319,18 @@ At extreme load it could be better to turn it off to distribute the queries
evenly, reported for Linux systems (4.4.x).
.TP
.B ip\-transparent: \fI<yes or no>
If yes, then use IP_TRANSPARENT socket option on sockets where unbound
If yes, then use IP_TRANSPARENT socket option on sockets where Unbound
is listening for incoming traffic. Default no. Allows you to bind to
non\-local interfaces. For example for non\-existent IP addresses that
are going to exist later on, with host failover configuration. This is
a lot like interface\-automatic, but that one services all interfaces
and with this option you can select which (future) interfaces unbound
provides service on. This option needs unbound to be started with root
and with this option you can select which (future) interfaces Unbound
provides service on. This option needs Unbound to be started with root
permissions on some systems. The option uses IP_BINDANY on FreeBSD systems
and SO_BINDANY on OpenBSD systems.
.TP
.B ip\-freebind: \fI<yes or no>
If yes, then use IP_FREEBIND socket option on sockets where unbound
If yes, then use IP_FREEBIND socket option on sockets where Unbound
is listening to incoming traffic. Default no. Allows you to bind to
IP addresses that are nonlocal or do not exist, like when the network
interface or IP address is down. Exists only on Linux, where the similar
@ -560,7 +560,7 @@ service. Can list multiple, each on a new statement.
.TP
.B tls-session-ticket-keys: \fI<file>
If not "", lists files with 80 bytes of random contents that are used to
perform TLS session resumption for clients using the unbound server.
perform TLS session resumption for clients using the Unbound server.
These files contain the secret key for the TLS session tickets.
First key use to encrypt and decrypt TLS session tickets.
Other keys use to decrypt only. With this you can roll over to new keys,
@ -642,8 +642,8 @@ Enable or disable systemd socket activation.
Default is no.
.TP
.B do\-daemonize: \fI<yes or no>
Enable or disable whether the unbound server forks into the background as
a daemon. Set the value to \fIno\fR when unbound runs as systemd service.
Enable or disable whether the Unbound server forks into the background as
a daemon. Set the value to \fIno\fR when Unbound runs as systemd service.
Default is yes.
.TP
.B tcp\-connection\-limit: \fI<IP netblock> <limit>
@ -670,7 +670,7 @@ what almost all clients need). Nonrecursive queries are refused.
.IP
The \fIallow\fR action does allow nonrecursive queries to access the
local\-data that is configured. The reason is that this does not involve
the unbound server recursive lookup algorithm, and static data is served
the Unbound server recursive lookup algorithm, and static data is served
in the reply. This supports normal operations where nonrecursive queries
are made for the authoritative data. For nonrecursive queries any replies
from the dynamic cache are refused.
@ -742,7 +742,7 @@ to chroot and dropping permissions. This allows the pidfile to be
Unbound is not able to remove the pidfile after termination when it is located
outside of the chroot directory.
.IP
Additionally, unbound may need to access /dev/urandom (for entropy)
Additionally, Unbound may need to access /dev/urandom (for entropy)
from inside the chroot.
.IP
If given a chroot is done to the given directory. By default chroot is
@ -776,7 +776,7 @@ The logfile is reopened (for append) when the config file is reread, on
SIGHUP.
.TP
.B use\-syslog: \fI<yes or no>
Sets unbound to send log messages to the syslogd, using
Sets Unbound to send log messages to the syslogd, using
\fIsyslog\fR(3).
The log facility LOG_DAEMON is used, with identity "unbound".
The logfile setting is overridden when use\-syslog is turned on.
@ -786,7 +786,7 @@ The default is to log to syslog.
If "" is given (default), then the name of the executable, usually "unbound"
is used to report to the log. Enter a string to override it
with that, which is useful on systems that run more than one instance of
unbound, with different configurations, so that the logs can be easily
Unbound, with different configurations, so that the logs can be easily
distinguished against.
.TP
.B log\-time\-ascii: \fI<yes or no>
@ -874,12 +874,12 @@ with ascii_ prefix and then an ascii string.
If enabled trustanchor.unbound queries are refused.
.TP
.B target\-fetch\-policy: \fI<"list of numbers">
Set the target fetch policy used by unbound to determine if it should fetch
Set the target fetch policy used by Unbound to determine if it should fetch
nameserver target addresses opportunistically. The policy is described per
dependency depth.
.IP
The number of values determines the maximum dependency depth
that unbound will pursue in answering a query.
that Unbound will pursue in answering a query.
A value of \-1 means to fetch all targets opportunistically for that dependency
depth. A value of 0 means to fetch on demand only. A positive value fetches
that many targets opportunistically.
@ -973,7 +973,7 @@ This option only has effect when qname-minimisation is enabled. Default is no.
.B aggressive\-nsec: \fI<yes or no>
Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
and other denials, using information from previous NXDOMAINs answers.
Default is no. It helps to reduce the query rate towards targets that get
Default is yes. It helps to reduce the query rate towards targets that get
a very high nonexistent name lookup rate.
.TP
.B private\-address: \fI<IP address or subnet>
@ -1030,7 +1030,7 @@ a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
.TP
.B deny\-any: \fI<yes or no>
If yes, deny queries of type ANY with an empty response. Default is no.
If disabled, unbound responds with a short list of resource records if some
If disabled, Unbound responds with a short list of resource records if some
can be found in the cache and makes the upstream type ANY query if there
are none.
.TP
@ -1090,7 +1090,7 @@ File with trust anchor for one zone, which is tracked with RFC5011 probes.
The probes are run several times per month, thus the machine must be online
frequently. The initial file can be one with contents as described in
\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
so the unbound user must have write permission. Write permission to the file,
so the Unbound user must have write permission. Write permission to the file,
but also to the directory it is in (to create a temporary file, which is
necessary to deal with filesystem full events), it must also be inside the
chroot (if that is used).
@ -1176,7 +1176,7 @@ the verbosity setting. Default is 0, off. At 1, for every user query
that fails a line is printed to the logs. This way you can monitor what
happens with validation. Use a diagnosis tool, such as dig or drill,
to find out why validation is failing for these queries. At 2, not only
the query that failed is printed but also the reason why unbound thought
the query that failed is printed but also the reason why Unbound thought
it was wrong and which server sent the faulty data.
.TP
.B val\-permissive\-mode: \fI<yes or no>
@ -1188,15 +1188,15 @@ is set in replies. Also logging is performed as for full validation.
The default value is "no".
.TP
.B ignore\-cd\-flag: \fI<yes or no>
Instruct unbound to ignore the CD flag from clients and refuse to
Instruct Unbound to ignore the CD flag from clients and refuse to
return bogus answers to them. Thus, the CD (Checking Disabled) flag
does not disable checking any more. This is useful if legacy (w2008)
servers that set the CD flag but cannot validate DNSSEC themselves are
the clients, and then unbound provides them with DNSSEC protection.
the clients, and then Unbound provides them with DNSSEC protection.
The default value is "no".
.TP
.B serve\-expired: \fI<yes or no>
If enabled, unbound attempts to serve old responses from cache with a
If enabled, Unbound attempts to serve old responses from cache with a
TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
actual resolution to finish. The actual resolution answer ends up in the cache
later on. Default is "no".
@ -1227,14 +1227,14 @@ RFC 8767 is 1800. Setting this to 0 will disable this
behavior. Default is 0.
.TP
.B serve\-original\-ttl: \fI<yes or no>
If enabled, unbound will always return the original TTL as received from
If enabled, Unbound will always return the original TTL as received from
the upstream name server rather than the decrementing TTL as
stored in the cache. This feature may be useful if unbound serves as a
front-end to a hidden authoritative name server. Enabling this feature does
not impact cache expiry, it only changes the TTL unbound embeds in responses to
stored in the cache. This feature may be useful if Unbound serves as a
front-end to a hidden authoritative name server. Enabling this feature does
not impact cache expiry, it only changes the TTL Unbound embeds in responses to
queries. Note that enabling this feature implicitly disables enforcement of
the configured minimum and maximum TTL, as it is assumed users who enable this
feature do not want unbound to change the TTL obtained from an upstream server.
the configured minimum and maximum TTL, as it is assumed users who enable this
feature do not want Unbound to change the TTL obtained from an upstream server.
Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
ignored.
Default is "no".
@ -1295,11 +1295,11 @@ or gigabytes (1024*1024 bytes in a megabyte).
.TP
.B unblock\-lan\-zones: \fI<yes or no>
Default is disabled. If enabled, then for private address space,
the reverse lookups are no longer filtered. This allows unbound when
the reverse lookups are no longer filtered. This allows Unbound when
running as dns service on a host where it provides service for that host,
to put out all of the queries for the 'lan' upstream. When enabled,
only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
with default local zones. Disable the option when unbound is running
with default local zones. Disable the option when Unbound is running
as a (DHCP-) DNS network resolver for a group of machines, where such
lookups should be filtered (RFC compliance), this also stops potential
data leakage about the local network to the upstream DNS servers.
@ -1403,7 +1403,7 @@ Breaks out of that view and moves towards the global local zones for answer
to the query. If the view first is no, it'll resolve normally. If view first
is enabled, it'll break perform that step and check the global answers.
For when the view has view specific overrides but some zone has to be
answered from global local zone contents.
answered from global local zone contents.
.TP 10
\h'5'\fInodefault\fR
Used to turn off default contents for AS112 zones. The other types
@ -1647,8 +1647,9 @@ query names, but not spoofed reflection floods. Cached responses are not
ratelimited by this setting. The zone of the query is determined by examining
the nameservers for it, the zone name is used to keep track of the rate.
For example, 1000 may be a suitable value to stop the server from being
overloaded with random names, and keeps unbound from sending traffic to the
nameservers for those zones.
overloaded with random names, and keeps Unbound from sending traffic to the
nameservers for those zones. Configured forwarders are excluded from
ratelimiting.
.TP 5
.B ratelimit\-size: \fI<memory size>
Give the size of the data structure in which the current ongoing rates are
@ -1670,6 +1671,15 @@ This can make ordinary queries complete (if repeatedly queried for),
and enter the cache, whilst also mitigating the traffic flow by the
factor given.
.TP 5
.B ratelimit\-backoff: \fI<yes or no>
If enabled, the ratelimit is treated as a hard failure instead of the default
maximum allowed constant rate. When the limit is reached, traffic is
ratelimited and demand continues to be kept track of for a 2 second rate
window. No traffic is allowed, except for ratelimit\-factor, until demand
decreases below the configured ratelimit for a 2 second rate window. Useful to
set ratelimit to a suspicious rate to aggressively limit unusually high
traffic. Default is off.
.TP 5
.B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
Override the global ratelimit for an exact match domain name with the listed
number. You can give this for any number of names. For example, for
@ -1686,7 +1696,7 @@ to use different settings for a top\-level\-domain and subdomains.
A value of 0 will disable ratelimiting for domain names that end in this name.
.TP 5
.B ip\-ratelimit: \fI<number or 0>
Enable global ratelimiting of queries accepted per ip address.
Enable global ratelimiting of queries accepted per IP address.
If 0, the default, it is disabled. This option is experimental at this time.
The ratelimit is in queries per second that are allowed. More queries are
completely dropped and will not receive a reply, SERVFAIL or otherwise.
@ -1713,8 +1723,17 @@ This can make ordinary queries complete (if repeatedly queried for),
and enter the cache, whilst also mitigating the traffic flow by the
factor given.
.TP 5
.B ip\-ratelimit\-backoff: \fI<yes or no>
If enabled, the ratelimit is treated as a hard failure instead of the default
maximum allowed constant rate. When the limit is reached, traffic is
ratelimited and demand continues to be kept track of for a 2 second rate
window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand
decreases below the configured ratelimit for a 2 second rate window. Useful to
set ip\-ratelimit to a suspicious rate to aggressively limit unusually high
traffic. Default is off.
.TP 5
.B outbound\-msg\-retry: \fI<number>
The number of retries unbound will do in case of a non positive response is
The number of retries Unbound will do in case of a non positive response is
received. If a forward nameserver is used, this is the number of retries per
forward nameserver in case of throwaway response.
.TP 5
@ -1747,7 +1766,7 @@ In the
.B remote\-control:
clause are the declarations for the remote control facility. If this is
enabled, the \fIunbound\-control\fR(8) utility can be used to send
commands to the running unbound server. The server uses these clauses
commands to the running Unbound server. The server uses these clauses
to setup TLSv1 security for the connection. The
\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
section for options. To setup the correct self\-signed certificates use the
@ -1767,7 +1786,7 @@ the server for the change to take effect.
.IP
If you set it to an absolute path, a local socket is used. The local socket
does not use the certificates and keys, so those files need not be present.
To restrict access, unbound sets permissions on the file to the user and
To restrict access, Unbound sets permissions on the file to the user and
group that is configured, the access bits are set to allow the group members
to access the control socket file. Put users that need to access the socket
in the that group. To restrict access further, create a directory to put
@ -1787,12 +1806,12 @@ and the value of this option is ignored.
.B server\-key\-file: \fI<private key file>
Path to the server private key, by default unbound_server.key.
This file is generated by the \fIunbound\-control\-setup\fR utility.
This file is used by the unbound server, but not by \fIunbound\-control\fR.
This file is used by the Unbound server, but not by \fIunbound\-control\fR.
.TP 5
.B server\-cert\-file: \fI<certificate file.pem>
Path to the server self signed certificate, by default unbound_server.pem.
This file is generated by the \fIunbound\-control\-setup\fR utility.
This file is used by the unbound server, and also by \fIunbound\-control\fR.
This file is used by the Unbound server, and also by \fIunbound\-control\fR.
.TP 5
.B control\-key\-file: \fI<private key file>
Path to the control client private key, by default unbound_control.key.
@ -1810,24 +1829,24 @@ There may be multiple
.B stub\-zone:
clauses. Each with a name: and zero or more hostnames or IP addresses.
For the stub zone this list of nameservers is used. Class IN is assumed.
The servers should be authority servers, not recursors; unbound performs
The servers should be authority servers, not recursors; Unbound performs
the recursive processing itself for stub zones.
.P
The stub zone can be used to configure authoritative data to be used
by the resolver that cannot be accessed using the public internet servers.
This is useful for company\-local data or private zones. Setup an
authoritative server on a different host (or different port). Enter a config
entry for unbound with
entry for Unbound with
.B stub\-addr:
<ip address of host[@port]>.
The unbound resolver can then access the data, without referring to the
The Unbound resolver can then access the data, without referring to the
public internet for it.
.P
This setup allows DNSSEC signed zones to be served by that
authoritative server, in which case a trusted key entry with the public key
can be put in config, so that unbound can validate the data and set the AD
can be put in config, so that Unbound can validate the data and set the AD
bit on replies for the private zone (authoritative servers do not set the
AD bit). This setup makes unbound capable of answering queries for the
AD bit). This setup makes Unbound capable of answering queries for the
private zone, and can even set the AD bit ('authentic'), but the AA
('authoritative') bit is not set on these replies.
.P
@ -1835,20 +1854,26 @@ Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
served zone. The insecure clause stops DNSSEC from invalidating the
zone. The local zone nodefault (or \fItransparent\fR) clause makes the
(reverse\-) zone bypass unbound's filtering of RFC1918 zones.
(reverse\-) zone bypass Unbound's filtering of RFC1918 zones.
.TP
.B name: \fI<domain name>
Name of the stub zone. This is the full domain name of the zone.
.TP
.B stub\-host: \fI<domain name>
Name of stub zone nameserver. Is itself resolved before it is used.
To use a nondefault port for DNS communication append '@' with the port number.
If tls is enabled, then you can append a '#' and a name, then it'll check the
tls authentication certificates with that name. If you combine the '@'
and '#', the '@' comes first. If only '#' is used the default port is the
configured tls\-port.
.TP
.B stub\-addr: \fI<IP address>
IP address of stub zone nameserver. Can be IP 4 or IP 6.
To use a nondefault port for DNS communication append '@' with the port number.
If tls is enabled, then you can append a '#' and a name, then it'll check
the tls authentication certificates with that name. If you combine
the '@' and '#', the '@' comes first.
If tls is enabled, then you can append a '#' and a name, then it'll check the
tls authentication certificates with that name. If you combine the '@'
and '#', the '@' comes first. If only '#' is used the default port is the
configured tls\-port.
.TP
.B stub\-prime: \fI<yes or no>
This option is by default no. If enabled it performs NS set priming,
@ -1884,10 +1909,10 @@ clauses. Each with a \fBname:\fR and zero or more hostnames or IP
addresses. For the forward zone this list of nameservers is used to
forward the queries to. The servers listed as \fBforward\-host:\fR and
\fBforward\-addr:\fR have to handle further recursion for the query. Thus,
those servers are not authority servers, but are (just like unbound is)
recursive servers too; unbound does not perform recursion itself for the
those servers are not authority servers, but are (just like Unbound is)
recursive servers too; Unbound does not perform recursion itself for the
forward zone, it lets the remote server do it. Class IN is assumed.
CNAMEs are chased by unbound itself, asking the remote server for every
CNAMEs are chased by Unbound itself, asking the remote server for every
name in the indirection chain, to protect the local cache from illegal
indirect referenced items.
A forward\-zone entry with name "." and a forward\-addr target will
@ -1899,13 +1924,19 @@ Name of the forward zone. This is the full domain name of the zone.
.TP
.B forward\-host: \fI<domain name>
Name of server to forward to. Is itself resolved before it is used.
To use a nondefault port for DNS communication append '@' with the port number.
If tls is enabled, then you can append a '#' and a name, then it'll check the
tls authentication certificates with that name. If you combine the '@'
and '#', the '@' comes first. If only '#' is used the default port is the
configured tls\-port.
.TP
.B forward\-addr: \fI<IP address>
IP address of server to forward to. Can be IP 4 or IP 6.
To use a nondefault port for DNS communication append '@' with the port number.
If tls is enabled, then you can append a '#' and a name, then it'll check
the tls authentication certificates with that name. If you combine
the '@' and '#', the '@' comes first.
If tls is enabled, then you can append a '#' and a name, then it'll check the
tls authentication certificates with that name. If you combine the '@'
and '#', the '@' comes first. If only '#' is used the default port is the
configured tls\-port.
.IP
At high verbosity it logs the TLS certificate, with TLS enabled.
If you leave out the '#' and auth name from the forward\-addr, any
@ -1913,7 +1944,7 @@ name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
.TP
.B forward\-first: \fI<yes or no>
If a forwarded query is met with a SERVFAIL error, and this option is
enabled, unbound will fall back to normal recursive resolution for this
enabled, Unbound will fall back to normal recursive resolution for this
query as if no query forwarding had been specified. The default is "no".
.TP
.B forward\-tls\-upstream: \fI<yes or no>
@ -1939,7 +1970,7 @@ have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone
The authority zone with the name closest to the name looked up is used.
Authority zones are processed after \fBlocal\-zones\fR and before
cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner
make unbound respond like an authority server. Authority zones are also
make Unbound respond like an authority server. Authority zones are also
processed after cache, just before going to the network to fetch
information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used
in this manner provide a local copy of an authority server that speeds up
@ -2000,25 +2031,25 @@ file is downloaded when notified. The primaries from primary: statements are
allowed notify by default.
.TP
.B fallback\-enabled: \fI<yes or no>
Default no. If enabled, unbound falls back to querying the internet as
Default no. If enabled, Unbound falls back to querying the internet as
a resolver for this zone when lookups fail. For example for DNSSEC
validation failures.
.TP
.B for\-downstream: \fI<yes or no>
Default yes. If enabled, unbound serves authority responses to
downstream clients for this zone. This option makes unbound behave, for
Default yes. If enabled, Unbound serves authority responses to
downstream clients for this zone. This option makes Unbound behave, for
the queries with names in this zone, like one of the authority servers for
that zone. Turn it off if you want unbound to provide recursion for the
that zone. Turn it off if you want Unbound to provide recursion for the
zone but have a local copy of zone data. If for\-downstream is no and
for\-upstream is yes, then unbound will DNSSEC validate the contents of the
for\-upstream is yes, then Unbound will DNSSEC validate the contents of the
zone before serving the zone contents to clients and store validation
results in the cache.
.TP
.B for\-upstream: \fI<yes or no>
Default yes. If enabled, unbound fetches data from this data collection
Default yes. If enabled, Unbound fetches data from this data collection
for answering recursion queries. Instead of sending queries over the internet
to the authority servers for this zone, it'll fetch the data directly from
the zone data. Turn it on when you want unbound to provide recursion for
the zone data. Turn it on when you want Unbound to provide recursion for
downstream clients, and use the zone data as a local copy to speed up lookups.
.TP
.B zonemd\-check: \fI<yes or no>
@ -2042,14 +2073,14 @@ a ZONEMD is always a failure, also for nonDNSSEC signed zones.
.TP
.B zonefile: \fI<filename>
The filename where the zone is stored. If not given then no zonefile is used.
If the file does not exist or is empty, unbound will attempt to fetch zone
If the file does not exist or is empty, Unbound will attempt to fetch zone
data (eg. from the primary servers).
.SS "View Options"
.LP
There may be multiple
.B view:
clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
\fBlocal\-data\fR elements. Views can also contain view\-first,
\fBlocal\-data\fR elements. Views can also contain view\-first,
response\-ip, response\-ip\-data and local\-data\-ptr elements.
View can be mapped to requests by specifying the
view name in an \fBaccess\-control\-view\fR element. Options from matching
@ -2142,9 +2173,9 @@ underneath the name given.
The
.B dnscrypt:
clause gives the settings of the dnscrypt channel. While those options are
available, they are only meaningful if unbound was compiled with
available, they are only meaningful if Unbound was compiled with
\fB\-\-enable\-dnscrypt\fR.
Currently certificate and secret/public keys cannot be generated by unbound.
Currently certificate and secret/public keys cannot be generated by Unbound.
You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
dnscrypt-wrapper/blob/master/README.md#usage
.TP
@ -2263,7 +2294,7 @@ of 0 is always accepted. Default is 0.
.TP
.B min\-client\-subnet\-ipv4: \fI<number>\fR
Specifies the minimum prefix length of the IPv4 source mask we are willing to
accept in queries. Shorter source masks result in REFUSED answers. Source mask
accept in queries. Shorter source masks result in REFUSED answers. Source mask
of 0 is always accepted. Default is 0.
.TP
.B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
@ -2276,12 +2307,13 @@ This number applies for each qname/qclass/qtype tuple. Defaults to 100.
.SS "Opportunistic IPsec Support Module Options"
.LP
The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
validator iterator" directive and be compiled into the daemon to be
enabled. These settings go in the \fBserver:\fR section.
validator iterator" directive and be compiled into Unbound by using
\fB\-\-enable\-ipsecmod\fR to be enabled.
These settings go in the \fBserver:\fR section.
.LP
When unbound receives an A/AAAA query that is not in the cache and finds a
When Unbound receives an A/AAAA query that is not in the cache and finds a
valid answer, it will withhold returning the answer and instead will generate
an IPSECKEY subquery for the same domain name. If an answer was found, unbound
an IPSECKEY subquery for the same domain name. If an answer was found, Unbound
will call an external hook passing the following arguments:
.TP 10
\h'5'\fIQNAME\fR
@ -2310,19 +2342,19 @@ relevant for opportunistic IPsec.
.B ipsecmod-enabled: \fI<yes or no>\fR
Specifies whether the IPsec module is enabled or not. The IPsec module still
needs to be defined in the \fBmodule\-config:\fR directive. This option
facilitates turning on/off the module without restarting/reloading unbound.
facilitates turning on/off the module without restarting/reloading Unbound.
Defaults to yes.
.TP
.B ipsecmod\-hook: \fI<filename>\fR
Specifies the external hook that unbound will call with \fIsystem\fR(3). The
Specifies the external hook that Unbound will call with \fIsystem\fR(3). The
file can be specified as an absolute/relative path. The file needs the proper
permissions to be able to be executed by the same user that runs unbound. It
permissions to be able to be executed by the same user that runs Unbound. It
must be present when the IPsec module is defined in the \fBmodule\-config:\fR
directive.
.TP
.B ipsecmod-strict: \fI<yes or no>\fR
If enabled unbound requires the external hook to return a success value of 0.
Failing to do so unbound will reply with SERVFAIL. The A/AAAA answer will also
If enabled Unbound requires the external hook to return a success value of 0.
Failing to do so Unbound will reply with SERVFAIL. The A/AAAA answer will also
not be cached. Defaults to no.
.TP
.B ipsecmod\-max-ttl: \fI<seconds>\fR
@ -2330,7 +2362,7 @@ Time to live maximum for A/AAAA cached records after calling the external hook.
Defaults to 3600.
.TP
.B ipsecmod-ignore-bogus: \fI<yes or no>\fR
Specifies the behaviour of unbound when the IPSECKEY answer is bogus. If set
Specifies the behaviour of Unbound when the IPSECKEY answer is bogus. If set
to yes, the hook will be called and the A/AAAA answer will be returned to the
client. If set to no, the hook will not be called and the answer to the
A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no.
@ -2357,7 +2389,7 @@ If Unbound cannot even find an answer in the backend, it resolves the
query as usual, and stores the answer in the backend.
.P
This module interacts with the \fBserve\-expired\-*\fR options and will reply
with expired data if unbound is configured for that. Currently the use
with expired data if Unbound is configured for that. Currently the use
of \fBserve\-expired\-client\-timeout:\fR and
\fBserve\-expired\-reply\-ttl:\fR is not consistent for data originating from
the external cache as these will result in a reply with 0 TTL without trying to
@ -2436,16 +2468,17 @@ re-establish a new connection later.
This option defaults to 100 milliseconds.
.TP
.B redis-expire-records: \fI<yes or no>
If Redis record expiration is enabled. If yes, unbound sets timeout for Redis
If Redis record expiration is enabled. If yes, Unbound sets timeout for Redis
records so that Redis can evict keys that have expired automatically. If
unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
this option is internally reverted to "no". Redis SETEX support is required
for this option (Redis >= 2.0.0).
This option defaults to no.
.SS DNSTAP Logging Options
DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section.
DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled
in the \fBdnstap:\fR section.
This starts an extra thread (when compiled with threading) that writes
the log information to the destination. If unbound is compiled without
the log information to the destination. If Unbound is compiled without
threading it does not spawn a thread, but connects per-process to the
destination.
.TP
@ -2503,19 +2536,19 @@ Default is "".
.TP
.B dnstap-log-resolver-query-messages: \fI<yes or no>
Enable to log resolver query messages. Default is no.
These are messages from unbound to upstream servers.
These are messages from Unbound to upstream servers.
.TP
.B dnstap-log-resolver-response-messages: \fI<yes or no>
Enable to log resolver response messages. Default is no.
These are replies from upstream servers to unbound.
These are replies from upstream servers to Unbound.
.TP
.B dnstap-log-client-query-messages: \fI<yes or no>
Enable to log client query messages. Default is no.
These are client queries to unbound.
These are client queries to Unbound.
.TP
.B dnstap-log-client-response-messages: \fI<yes or no>
Enable to log client response messages. Default is no.
These are responses from unbound to clients.
These are responses from Unbound to clients.
.TP
.B dnstap-log-forwarder-query-messages: \fI<yes or no>
Enable to log forwarder query messages. Default is no.
@ -2614,7 +2647,7 @@ allowed notify by default.
.TP
.B zonefile: \fI<filename>
The filename where the zone is stored. If not given then no zonefile is used.
If the file does not exist or is empty, unbound will attempt to fetch zone
If the file does not exist or is empty, Unbound will attempt to fetch zone
data (eg. from the primary servers).
.TP
.B rpz\-action\-override: \fI<action>
@ -2631,6 +2664,17 @@ Log all applied RPZ actions for this RPZ zone. Default is no.
.B rpz\-log\-name: \fI<name>
Specify a string to be part of the log line, for easy referencing.
.TP
.B rpz\-signal\-nxdomain\-ra: \fI<yes or no>
Signal when a query is blocked by the RPZ with NXDOMAIN with an unset RA flag.
This allows certain clients, like dnsmasq, to infer that the domain is
externally blocked. Default is no.
.TP
.B for\-downstream: \fI<yes or no>
If enabled the zone is authoritatively answered for and queries for the RPZ
zone information are answered to downstream clients. This is useful for
monitoring scripts, that can then access the SOA information to check if
the rpz information is up to date. Default is no.
.TP
.B tags: \fI<list of tags>
Limit the policies from this RPZ clause to clients with a matching tag. Tags
need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
@ -2671,7 +2715,7 @@ server:
.SH "FILES"
.TP
.I @UNBOUND_RUN_DIR@
default unbound working directory.
default Unbound working directory.
.TP
.I @UNBOUND_CHROOT_DIR@
default
@ -2679,13 +2723,13 @@ default
location.
.TP
.I @ub_conf_file@
unbound configuration file.
Unbound configuration file.
.TP
.I @UNBOUND_PIDFILE@
default unbound pidfile with process ID of the running daemon.
default Unbound pidfile with process ID of the running daemon.
.TP
.I unbound.log
unbound log file. default is to log to
Unbound log file. default is to log to
\fIsyslog\fR(3).
.SH "SEE ALSO"
\fIunbound\fR(8),

242
contrib/unbound/doc/unbound.conf.5.in
View file

@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0"
.TH "unbound.conf" "5" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -104,7 +104,7 @@ requestlist statistics are printed for every interval (but can be 0).
This is because the median calculation requires data to be present.
.TP
.B statistics\-cumulative: \fI<yes or no>
If enabled, statistics are cumulative since starting unbound, without clearing
If enabled, statistics are cumulative since starting Unbound, without clearing
the statistics counters after logging the statistics. Default is no.
.TP
.B extended\-statistics: \fI<yes or no>
@ -136,7 +136,7 @@ Same as interface: (for ease of compatibility with nsd.conf).
Listen on all addresses on all (current and future) interfaces, detect the
source interface on UDP queries and copy them to replies. This is a lot like
ip\-transparent, but this option services all interfaces whilst with
ip\-transparent you can select which (future) interfaces unbound provides
ip\-transparent you can select which (future) interfaces Unbound provides
service on. This feature is experimental, and needs support in your OS for
particular socket options. Default value is no.
.TP
@ -154,7 +154,7 @@ sent via a random outgoing interface to counter spoofing.
If an IPv6 netblock is specified instead of an individual IPv6 address,
outgoing UDP queries will use a randomised source address taken from the
netblock to counter spoofing. Requires the IPv6 netblock to be routed to the
host running unbound, and requires OS support for unprivileged non-local binds
host running Unbound, and requires OS support for unprivileged non-local binds
(currently only supported on Linux). Several netblocks may be specified with
multiple
.B outgoing\-interface:
@ -174,7 +174,7 @@ numbers need extra resources from the operating system. For performance a
very large value is best, use libevent to make this possible.
.TP
.B outgoing\-port\-permit: \fI<port number or range>
Permit unbound to open this port or range of ports for use to send queries.
Permit Unbound to open this port or range of ports for use to send queries.
A larger number of permitted outgoing ports increases resilience against
spoofing attempts. Make sure these ports are not needed by other daemons.
By default only ports above 1024 that have not been assigned by IANA are used.
@ -187,8 +187,8 @@ processing starts with the non IANA allocated ports above 1024 in the set
of allowed ports.
.TP
.B outgoing\-port\-avoid: \fI<port number or range>
Do not permit unbound to open this port or range of ports for use to send
queries. Use this to make sure unbound does not grab a port that another
Do not permit Unbound to open this port or range of ports for use to send
queries. Use this to make sure Unbound does not grab a port that another
daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
By default only ports above 1024 that have not been assigned by IANA are used.
Give a port number or a range of the form "low\-high", without spaces.
@ -289,7 +289,7 @@ If not 0, then set the SO_RCVBUF socket option to get more buffer
space on UDP port 53 incoming queries. So that short spikes on busy
servers do not drop packets (see counter in netstat \-su). Default is
0 (use system value). Otherwise, the number of bytes to ask for, try
"4m" on a busy server. The OS caps it at a maximum, on linux unbound
"4m" on a busy server. The OS caps it at a maximum, on linux Unbound
needs root permission to bypass the limit, or the admin can use sysctl
net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf.
On OpenBSD change header and recompile kernel. On Solaris ndd \-set
@ -302,7 +302,7 @@ in answer traffic, otherwise 'send: resource temporarily unavailable'
can get logged, the buffer overrun is also visible by netstat \-su.
Default is 0 (use system value). Specify the number of bytes to ask
for, try "4m" on a very busy server. The OS caps it at a maximum, on
linux unbound needs root permission to bypass the limit, or the admin
linux Unbound needs root permission to bypass the limit, or the admin
can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
to so\-rcvbuf.
.TP
@ -319,18 +319,18 @@ At extreme load it could be better to turn it off to distribute the queries
evenly, reported for Linux systems (4.4.x).
.TP
.B ip\-transparent: \fI<yes or no>
If yes, then use IP_TRANSPARENT socket option on sockets where unbound
If yes, then use IP_TRANSPARENT socket option on sockets where Unbound
is listening for incoming traffic. Default no. Allows you to bind to
non\-local interfaces. For example for non\-existent IP addresses that
are going to exist later on, with host failover configuration. This is
a lot like interface\-automatic, but that one services all interfaces
and with this option you can select which (future) interfaces unbound
provides service on. This option needs unbound to be started with root
and with this option you can select which (future) interfaces Unbound
provides service on. This option needs Unbound to be started with root
permissions on some systems. The option uses IP_BINDANY on FreeBSD systems
and SO_BINDANY on OpenBSD systems.
.TP
.B ip\-freebind: \fI<yes or no>
If yes, then use IP_FREEBIND socket option on sockets where unbound
If yes, then use IP_FREEBIND socket option on sockets where Unbound
is listening to incoming traffic. Default no. Allows you to bind to
IP addresses that are nonlocal or do not exist, like when the network
interface or IP address is down. Exists only on Linux, where the similar
@ -560,7 +560,7 @@ service. Can list multiple, each on a new statement.
.TP
.B tls-session-ticket-keys: \fI<file>
If not "", lists files with 80 bytes of random contents that are used to
perform TLS session resumption for clients using the unbound server.
perform TLS session resumption for clients using the Unbound server.
These files contain the secret key for the TLS session tickets.
First key use to encrypt and decrypt TLS session tickets.
Other keys use to decrypt only. With this you can roll over to new keys,
@ -642,8 +642,8 @@ Enable or disable systemd socket activation.
Default is no.
.TP
.B do\-daemonize: \fI<yes or no>
Enable or disable whether the unbound server forks into the background as
a daemon. Set the value to \fIno\fR when unbound runs as systemd service.
Enable or disable whether the Unbound server forks into the background as
a daemon. Set the value to \fIno\fR when Unbound runs as systemd service.
Default is yes.
.TP
.B tcp\-connection\-limit: \fI<IP netblock> <limit>
@ -670,7 +670,7 @@ what almost all clients need). Nonrecursive queries are refused.
.IP
The \fIallow\fR action does allow nonrecursive queries to access the
local\-data that is configured. The reason is that this does not involve
the unbound server recursive lookup algorithm, and static data is served
the Unbound server recursive lookup algorithm, and static data is served
in the reply. This supports normal operations where nonrecursive queries
are made for the authoritative data. For nonrecursive queries any replies
from the dynamic cache are refused.
@ -742,7 +742,7 @@ to chroot and dropping permissions. This allows the pidfile to be
Unbound is not able to remove the pidfile after termination when it is located
outside of the chroot directory.
.IP
Additionally, unbound may need to access /dev/urandom (for entropy)
Additionally, Unbound may need to access /dev/urandom (for entropy)
from inside the chroot.
.IP
If given a chroot is done to the given directory. By default chroot is
@ -776,7 +776,7 @@ The logfile is reopened (for append) when the config file is reread, on
SIGHUP.
.TP
.B use\-syslog: \fI<yes or no>
Sets unbound to send log messages to the syslogd, using
Sets Unbound to send log messages to the syslogd, using
\fIsyslog\fR(3).
The log facility LOG_DAEMON is used, with identity "unbound".
The logfile setting is overridden when use\-syslog is turned on.
@ -786,7 +786,7 @@ The default is to log to syslog.
If "" is given (default), then the name of the executable, usually "unbound"
is used to report to the log. Enter a string to override it
with that, which is useful on systems that run more than one instance of
unbound, with different configurations, so that the logs can be easily
Unbound, with different configurations, so that the logs can be easily
distinguished against.
.TP
.B log\-time\-ascii: \fI<yes or no>
@ -874,12 +874,12 @@ with ascii_ prefix and then an ascii string.
If enabled trustanchor.unbound queries are refused.
.TP
.B target\-fetch\-policy: \fI<"list of numbers">
Set the target fetch policy used by unbound to determine if it should fetch
Set the target fetch policy used by Unbound to determine if it should fetch
nameserver target addresses opportunistically. The policy is described per
dependency depth.
.IP
The number of values determines the maximum dependency depth
that unbound will pursue in answering a query.
that Unbound will pursue in answering a query.
A value of \-1 means to fetch all targets opportunistically for that dependency
depth. A value of 0 means to fetch on demand only. A positive value fetches
that many targets opportunistically.
@ -973,7 +973,7 @@ This option only has effect when qname-minimisation is enabled. Default is no.
.B aggressive\-nsec: \fI<yes or no>
Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
and other denials, using information from previous NXDOMAINs answers.
Default is no. It helps to reduce the query rate towards targets that get
Default is yes. It helps to reduce the query rate towards targets that get
a very high nonexistent name lookup rate.
.TP
.B private\-address: \fI<IP address or subnet>
@ -1030,7 +1030,7 @@ a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
.TP
.B deny\-any: \fI<yes or no>
If yes, deny queries of type ANY with an empty response. Default is no.
If disabled, unbound responds with a short list of resource records if some
If disabled, Unbound responds with a short list of resource records if some
can be found in the cache and makes the upstream type ANY query if there
are none.
.TP
@ -1090,7 +1090,7 @@ File with trust anchor for one zone, which is tracked with RFC5011 probes.
The probes are run several times per month, thus the machine must be online
frequently. The initial file can be one with contents as described in
\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
so the unbound user must have write permission. Write permission to the file,
so the Unbound user must have write permission. Write permission to the file,
but also to the directory it is in (to create a temporary file, which is
necessary to deal with filesystem full events), it must also be inside the
chroot (if that is used).
@ -1176,7 +1176,7 @@ the verbosity setting. Default is 0, off. At 1, for every user query
that fails a line is printed to the logs. This way you can monitor what
happens with validation. Use a diagnosis tool, such as dig or drill,
to find out why validation is failing for these queries. At 2, not only
the query that failed is printed but also the reason why unbound thought
the query that failed is printed but also the reason why Unbound thought
it was wrong and which server sent the faulty data.
.TP
.B val\-permissive\-mode: \fI<yes or no>
@ -1188,15 +1188,15 @@ is set in replies. Also logging is performed as for full validation.
The default value is "no".
.TP
.B ignore\-cd\-flag: \fI<yes or no>
Instruct unbound to ignore the CD flag from clients and refuse to
Instruct Unbound to ignore the CD flag from clients and refuse to
return bogus answers to them. Thus, the CD (Checking Disabled) flag
does not disable checking any more. This is useful if legacy (w2008)
servers that set the CD flag but cannot validate DNSSEC themselves are
the clients, and then unbound provides them with DNSSEC protection.
the clients, and then Unbound provides them with DNSSEC protection.
The default value is "no".
.TP
.B serve\-expired: \fI<yes or no>
If enabled, unbound attempts to serve old responses from cache with a
If enabled, Unbound attempts to serve old responses from cache with a
TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
actual resolution to finish. The actual resolution answer ends up in the cache
later on. Default is "no".
@ -1227,14 +1227,14 @@ RFC 8767 is 1800. Setting this to 0 will disable this
behavior. Default is 0.
.TP
.B serve\-original\-ttl: \fI<yes or no>
If enabled, unbound will always return the original TTL as received from
If enabled, Unbound will always return the original TTL as received from
the upstream name server rather than the decrementing TTL as
stored in the cache. This feature may be useful if unbound serves as a
front-end to a hidden authoritative name server. Enabling this feature does
not impact cache expiry, it only changes the TTL unbound embeds in responses to
stored in the cache. This feature may be useful if Unbound serves as a
front-end to a hidden authoritative name server. Enabling this feature does
not impact cache expiry, it only changes the TTL Unbound embeds in responses to
queries. Note that enabling this feature implicitly disables enforcement of
the configured minimum and maximum TTL, as it is assumed users who enable this
feature do not want unbound to change the TTL obtained from an upstream server.
the configured minimum and maximum TTL, as it is assumed users who enable this
feature do not want Unbound to change the TTL obtained from an upstream server.
Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
ignored.
Default is "no".
@ -1295,11 +1295,11 @@ or gigabytes (1024*1024 bytes in a megabyte).
.TP
.B unblock\-lan\-zones: \fI<yes or no>
Default is disabled. If enabled, then for private address space,
the reverse lookups are no longer filtered. This allows unbound when
the reverse lookups are no longer filtered. This allows Unbound when
running as dns service on a host where it provides service for that host,
to put out all of the queries for the 'lan' upstream. When enabled,
only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
with default local zones. Disable the option when unbound is running
with default local zones. Disable the option when Unbound is running
as a (DHCP-) DNS network resolver for a group of machines, where such
lookups should be filtered (RFC compliance), this also stops potential
data leakage about the local network to the upstream DNS servers.
@ -1403,7 +1403,7 @@ Breaks out of that view and moves towards the global local zones for answer
to the query. If the view first is no, it'll resolve normally. If view first
is enabled, it'll break perform that step and check the global answers.
For when the view has view specific overrides but some zone has to be
answered from global local zone contents.
answered from global local zone contents.
.TP 10
\h'5'\fInodefault\fR
Used to turn off default contents for AS112 zones. The other types
@ -1647,8 +1647,9 @@ query names, but not spoofed reflection floods. Cached responses are not
ratelimited by this setting. The zone of the query is determined by examining
the nameservers for it, the zone name is used to keep track of the rate.
For example, 1000 may be a suitable value to stop the server from being
overloaded with random names, and keeps unbound from sending traffic to the
nameservers for those zones.
overloaded with random names, and keeps Unbound from sending traffic to the
nameservers for those zones. Configured forwarders are excluded from
ratelimiting.
.TP 5
.B ratelimit\-size: \fI<memory size>
Give the size of the data structure in which the current ongoing rates are
@ -1670,6 +1671,15 @@ This can make ordinary queries complete (if repeatedly queried for),
and enter the cache, whilst also mitigating the traffic flow by the
factor given.
.TP 5
.B ratelimit\-backoff: \fI<yes or no>
If enabled, the ratelimit is treated as a hard failure instead of the default
maximum allowed constant rate. When the limit is reached, traffic is
ratelimited and demand continues to be kept track of for a 2 second rate
window. No traffic is allowed, except for ratelimit\-factor, until demand
decreases below the configured ratelimit for a 2 second rate window. Useful to
set ratelimit to a suspicious rate to aggressively limit unusually high
traffic. Default is off.
.TP 5
.B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
Override the global ratelimit for an exact match domain name with the listed
number. You can give this for any number of names. For example, for
@ -1686,7 +1696,7 @@ to use different settings for a top\-level\-domain and subdomains.
A value of 0 will disable ratelimiting for domain names that end in this name.
.TP 5
.B ip\-ratelimit: \fI<number or 0>
Enable global ratelimiting of queries accepted per ip address.
Enable global ratelimiting of queries accepted per IP address.
If 0, the default, it is disabled. This option is experimental at this time.
The ratelimit is in queries per second that are allowed. More queries are
completely dropped and will not receive a reply, SERVFAIL or otherwise.
@ -1713,8 +1723,17 @@ This can make ordinary queries complete (if repeatedly queried for),
and enter the cache, whilst also mitigating the traffic flow by the
factor given.
.TP 5
.B ip\-ratelimit\-backoff: \fI<yes or no>
If enabled, the ratelimit is treated as a hard failure instead of the default
maximum allowed constant rate. When the limit is reached, traffic is
ratelimited and demand continues to be kept track of for a 2 second rate
window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand
decreases below the configured ratelimit for a 2 second rate window. Useful to
set ip\-ratelimit to a suspicious rate to aggressively limit unusually high
traffic. Default is off.
.TP 5
.B outbound\-msg\-retry: \fI<number>
The number of retries unbound will do in case of a non positive response is
The number of retries Unbound will do in case of a non positive response is
received. If a forward nameserver is used, this is the number of retries per
forward nameserver in case of throwaway response.
.TP 5
@ -1747,7 +1766,7 @@ In the
.B remote\-control:
clause are the declarations for the remote control facility. If this is
enabled, the \fIunbound\-control\fR(8) utility can be used to send
commands to the running unbound server. The server uses these clauses
commands to the running Unbound server. The server uses these clauses
to setup TLSv1 security for the connection. The
\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
section for options. To setup the correct self\-signed certificates use the
@ -1767,7 +1786,7 @@ the server for the change to take effect.
.IP
If you set it to an absolute path, a local socket is used. The local socket
does not use the certificates and keys, so those files need not be present.
To restrict access, unbound sets permissions on the file to the user and
To restrict access, Unbound sets permissions on the file to the user and
group that is configured, the access bits are set to allow the group members
to access the control socket file. Put users that need to access the socket
in the that group. To restrict access further, create a directory to put
@ -1787,12 +1806,12 @@ and the value of this option is ignored.
.B server\-key\-file: \fI<private key file>
Path to the server private key, by default unbound_server.key.
This file is generated by the \fIunbound\-control\-setup\fR utility.
This file is used by the unbound server, but not by \fIunbound\-control\fR.
This file is used by the Unbound server, but not by \fIunbound\-control\fR.
.TP 5
.B server\-cert\-file: \fI<certificate file.pem>
Path to the server self signed certificate, by default unbound_server.pem.
This file is generated by the \fIunbound\-control\-setup\fR utility.
This file is used by the unbound server, and also by \fIunbound\-control\fR.
This file is used by the Unbound server, and also by \fIunbound\-control\fR.
.TP 5
.B control\-key\-file: \fI<private key file>
Path to the control client private key, by default unbound_control.key.
@ -1810,24 +1829,24 @@ There may be multiple
.B stub\-zone:
clauses. Each with a name: and zero or more hostnames or IP addresses.
For the stub zone this list of nameservers is used. Class IN is assumed.
The servers should be authority servers, not recursors; unbound performs
The servers should be authority servers, not recursors; Unbound performs
the recursive processing itself for stub zones.
.P
The stub zone can be used to configure authoritative data to be used
by the resolver that cannot be accessed using the public internet servers.
This is useful for company\-local data or private zones. Setup an
authoritative server on a different host (or different port). Enter a config
entry for unbound with
entry for Unbound with
.B stub\-addr:
<ip address of host[@port]>.
The unbound resolver can then access the data, without referring to the
The Unbound resolver can then access the data, without referring to the
public internet for it.
.P
This setup allows DNSSEC signed zones to be served by that
authoritative server, in which case a trusted key entry with the public key
can be put in config, so that unbound can validate the data and set the AD
can be put in config, so that Unbound can validate the data and set the AD
bit on replies for the private zone (authoritative servers do not set the
AD bit). This setup makes unbound capable of answering queries for the
AD bit). This setup makes Unbound capable of answering queries for the
private zone, and can even set the AD bit ('authentic'), but the AA
('authoritative') bit is not set on these replies.
.P
@ -1835,20 +1854,26 @@ Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
served zone. The insecure clause stops DNSSEC from invalidating the
zone. The local zone nodefault (or \fItransparent\fR) clause makes the
(reverse\-) zone bypass unbound's filtering of RFC1918 zones.
(reverse\-) zone bypass Unbound's filtering of RFC1918 zones.
.TP
.B name: \fI<domain name>
Name of the stub zone. This is the full domain name of the zone.
.TP
.B stub\-host: \fI<domain name>
Name of stub zone nameserver. Is itself resolved before it is used.
To use a nondefault port for DNS communication append '@' with the port number.
If tls is enabled, then you can append a '#' and a name, then it'll check the
tls authentication certificates with that name. If you combine the '@'
and '#', the '@' comes first. If only '#' is used the default port is the
configured tls\-port.
.TP
.B stub\-addr: \fI<IP address>
IP address of stub zone nameserver. Can be IP 4 or IP 6.
To use a nondefault port for DNS communication append '@' with the port number.
If tls is enabled, then you can append a '#' and a name, then it'll check
the tls authentication certificates with that name. If you combine
the '@' and '#', the '@' comes first.
If tls is enabled, then you can append a '#' and a name, then it'll check the
tls authentication certificates with that name. If you combine the '@'
and '#', the '@' comes first. If only '#' is used the default port is the
configured tls\-port.
.TP
.B stub\-prime: \fI<yes or no>
This option is by default no. If enabled it performs NS set priming,
@ -1884,10 +1909,10 @@ clauses. Each with a \fBname:\fR and zero or more hostnames or IP
addresses. For the forward zone this list of nameservers is used to
forward the queries to. The servers listed as \fBforward\-host:\fR and
\fBforward\-addr:\fR have to handle further recursion for the query. Thus,
those servers are not authority servers, but are (just like unbound is)
recursive servers too; unbound does not perform recursion itself for the
those servers are not authority servers, but are (just like Unbound is)
recursive servers too; Unbound does not perform recursion itself for the
forward zone, it lets the remote server do it. Class IN is assumed.
CNAMEs are chased by unbound itself, asking the remote server for every
CNAMEs are chased by Unbound itself, asking the remote server for every
name in the indirection chain, to protect the local cache from illegal
indirect referenced items.
A forward\-zone entry with name "." and a forward\-addr target will
@ -1899,13 +1924,19 @@ Name of the forward zone. This is the full domain name of the zone.
.TP
.B forward\-host: \fI<domain name>
Name of server to forward to. Is itself resolved before it is used.
To use a nondefault port for DNS communication append '@' with the port number.
If tls is enabled, then you can append a '#' and a name, then it'll check the
tls authentication certificates with that name. If you combine the '@'
and '#', the '@' comes first. If only '#' is used the default port is the
configured tls\-port.
.TP
.B forward\-addr: \fI<IP address>
IP address of server to forward to. Can be IP 4 or IP 6.
To use a nondefault port for DNS communication append '@' with the port number.
If tls is enabled, then you can append a '#' and a name, then it'll check
the tls authentication certificates with that name. If you combine
the '@' and '#', the '@' comes first.
If tls is enabled, then you can append a '#' and a name, then it'll check the
tls authentication certificates with that name. If you combine the '@'
and '#', the '@' comes first. If only '#' is used the default port is the
configured tls\-port.
.IP
At high verbosity it logs the TLS certificate, with TLS enabled.
If you leave out the '#' and auth name from the forward\-addr, any
@ -1913,7 +1944,7 @@ name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
.TP
.B forward\-first: \fI<yes or no>
If a forwarded query is met with a SERVFAIL error, and this option is
enabled, unbound will fall back to normal recursive resolution for this
enabled, Unbound will fall back to normal recursive resolution for this
query as if no query forwarding had been specified. The default is "no".
.TP
.B forward\-tls\-upstream: \fI<yes or no>
@ -1939,7 +1970,7 @@ have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone
The authority zone with the name closest to the name looked up is used.
Authority zones are processed after \fBlocal\-zones\fR and before
cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner
make unbound respond like an authority server. Authority zones are also
make Unbound respond like an authority server. Authority zones are also
processed after cache, just before going to the network to fetch
information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used
in this manner provide a local copy of an authority server that speeds up
@ -2000,25 +2031,25 @@ file is downloaded when notified. The primaries from primary: statements are
allowed notify by default.
.TP
.B fallback\-enabled: \fI<yes or no>
Default no. If enabled, unbound falls back to querying the internet as
Default no. If enabled, Unbound falls back to querying the internet as
a resolver for this zone when lookups fail. For example for DNSSEC
validation failures.
.TP
.B for\-downstream: \fI<yes or no>
Default yes. If enabled, unbound serves authority responses to
downstream clients for this zone. This option makes unbound behave, for
Default yes. If enabled, Unbound serves authority responses to
downstream clients for this zone. This option makes Unbound behave, for
the queries with names in this zone, like one of the authority servers for
that zone. Turn it off if you want unbound to provide recursion for the
that zone. Turn it off if you want Unbound to provide recursion for the
zone but have a local copy of zone data. If for\-downstream is no and
for\-upstream is yes, then unbound will DNSSEC validate the contents of the
for\-upstream is yes, then Unbound will DNSSEC validate the contents of the
zone before serving the zone contents to clients and store validation
results in the cache.
.TP
.B for\-upstream: \fI<yes or no>
Default yes. If enabled, unbound fetches data from this data collection
Default yes. If enabled, Unbound fetches data from this data collection
for answering recursion queries. Instead of sending queries over the internet
to the authority servers for this zone, it'll fetch the data directly from
the zone data. Turn it on when you want unbound to provide recursion for
the zone data. Turn it on when you want Unbound to provide recursion for
downstream clients, and use the zone data as a local copy to speed up lookups.
.TP
.B zonemd\-check: \fI<yes or no>
@ -2042,14 +2073,14 @@ a ZONEMD is always a failure, also for nonDNSSEC signed zones.
.TP
.B zonefile: \fI<filename>
The filename where the zone is stored. If not given then no zonefile is used.
If the file does not exist or is empty, unbound will attempt to fetch zone
If the file does not exist or is empty, Unbound will attempt to fetch zone
data (eg. from the primary servers).
.SS "View Options"
.LP
There may be multiple
.B view:
clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
\fBlocal\-data\fR elements. Views can also contain view\-first,
\fBlocal\-data\fR elements. Views can also contain view\-first,
response\-ip, response\-ip\-data and local\-data\-ptr elements.
View can be mapped to requests by specifying the
view name in an \fBaccess\-control\-view\fR element. Options from matching
@ -2142,9 +2173,9 @@ underneath the name given.
The
.B dnscrypt:
clause gives the settings of the dnscrypt channel. While those options are
available, they are only meaningful if unbound was compiled with
available, they are only meaningful if Unbound was compiled with
\fB\-\-enable\-dnscrypt\fR.
Currently certificate and secret/public keys cannot be generated by unbound.
Currently certificate and secret/public keys cannot be generated by Unbound.
You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
dnscrypt-wrapper/blob/master/README.md#usage
.TP
@ -2263,7 +2294,7 @@ of 0 is always accepted. Default is 0.
.TP
.B min\-client\-subnet\-ipv4: \fI<number>\fR
Specifies the minimum prefix length of the IPv4 source mask we are willing to
accept in queries. Shorter source masks result in REFUSED answers. Source mask
accept in queries. Shorter source masks result in REFUSED answers. Source mask
of 0 is always accepted. Default is 0.
.TP
.B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
@ -2276,12 +2307,13 @@ This number applies for each qname/qclass/qtype tuple. Defaults to 100.
.SS "Opportunistic IPsec Support Module Options"
.LP
The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
validator iterator" directive and be compiled into the daemon to be
enabled. These settings go in the \fBserver:\fR section.
validator iterator" directive and be compiled into Unbound by using
\fB\-\-enable\-ipsecmod\fR to be enabled.
These settings go in the \fBserver:\fR section.
.LP
When unbound receives an A/AAAA query that is not in the cache and finds a
When Unbound receives an A/AAAA query that is not in the cache and finds a
valid answer, it will withhold returning the answer and instead will generate
an IPSECKEY subquery for the same domain name. If an answer was found, unbound
an IPSECKEY subquery for the same domain name. If an answer was found, Unbound
will call an external hook passing the following arguments:
.TP 10
\h'5'\fIQNAME\fR
@ -2310,19 +2342,19 @@ relevant for opportunistic IPsec.
.B ipsecmod-enabled: \fI<yes or no>\fR
Specifies whether the IPsec module is enabled or not. The IPsec module still
needs to be defined in the \fBmodule\-config:\fR directive. This option
facilitates turning on/off the module without restarting/reloading unbound.
facilitates turning on/off the module without restarting/reloading Unbound.
Defaults to yes.
.TP
.B ipsecmod\-hook: \fI<filename>\fR
Specifies the external hook that unbound will call with \fIsystem\fR(3). The
Specifies the external hook that Unbound will call with \fIsystem\fR(3). The
file can be specified as an absolute/relative path. The file needs the proper
permissions to be able to be executed by the same user that runs unbound. It
permissions to be able to be executed by the same user that runs Unbound. It
must be present when the IPsec module is defined in the \fBmodule\-config:\fR
directive.
.TP
.B ipsecmod-strict: \fI<yes or no>\fR
If enabled unbound requires the external hook to return a success value of 0.
Failing to do so unbound will reply with SERVFAIL. The A/AAAA answer will also
If enabled Unbound requires the external hook to return a success value of 0.
Failing to do so Unbound will reply with SERVFAIL. The A/AAAA answer will also
not be cached. Defaults to no.
.TP
.B ipsecmod\-max-ttl: \fI<seconds>\fR
@ -2330,7 +2362,7 @@ Time to live maximum for A/AAAA cached records after calling the external hook.
Defaults to 3600.
.TP
.B ipsecmod-ignore-bogus: \fI<yes or no>\fR
Specifies the behaviour of unbound when the IPSECKEY answer is bogus. If set
Specifies the behaviour of Unbound when the IPSECKEY answer is bogus. If set
to yes, the hook will be called and the A/AAAA answer will be returned to the
client. If set to no, the hook will not be called and the answer to the
A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no.
@ -2357,7 +2389,7 @@ If Unbound cannot even find an answer in the backend, it resolves the
query as usual, and stores the answer in the backend.
.P
This module interacts with the \fBserve\-expired\-*\fR options and will reply
with expired data if unbound is configured for that. Currently the use
with expired data if Unbound is configured for that. Currently the use
of \fBserve\-expired\-client\-timeout:\fR and
\fBserve\-expired\-reply\-ttl:\fR is not consistent for data originating from
the external cache as these will result in a reply with 0 TTL without trying to
@ -2436,16 +2468,17 @@ re-establish a new connection later.
This option defaults to 100 milliseconds.
.TP
.B redis-expire-records: \fI<yes or no>
If Redis record expiration is enabled. If yes, unbound sets timeout for Redis
If Redis record expiration is enabled. If yes, Unbound sets timeout for Redis
records so that Redis can evict keys that have expired automatically. If
unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
this option is internally reverted to "no". Redis SETEX support is required
for this option (Redis >= 2.0.0).
This option defaults to no.
.SS DNSTAP Logging Options
DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section.
DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled
in the \fBdnstap:\fR section.
This starts an extra thread (when compiled with threading) that writes
the log information to the destination. If unbound is compiled without
the log information to the destination. If Unbound is compiled without
threading it does not spawn a thread, but connects per-process to the
destination.
.TP
@ -2503,19 +2536,19 @@ Default is "".
.TP
.B dnstap-log-resolver-query-messages: \fI<yes or no>
Enable to log resolver query messages. Default is no.
These are messages from unbound to upstream servers.
These are messages from Unbound to upstream servers.
.TP
.B dnstap-log-resolver-response-messages: \fI<yes or no>
Enable to log resolver response messages. Default is no.
These are replies from upstream servers to unbound.
These are replies from upstream servers to Unbound.
.TP
.B dnstap-log-client-query-messages: \fI<yes or no>
Enable to log client query messages. Default is no.
These are client queries to unbound.
These are client queries to Unbound.
.TP
.B dnstap-log-client-response-messages: \fI<yes or no>
Enable to log client response messages. Default is no.
These are responses from unbound to clients.
These are responses from Unbound to clients.
.TP
.B dnstap-log-forwarder-query-messages: \fI<yes or no>
Enable to log forwarder query messages. Default is no.
@ -2614,7 +2647,7 @@ allowed notify by default.
.TP
.B zonefile: \fI<filename>
The filename where the zone is stored. If not given then no zonefile is used.
If the file does not exist or is empty, unbound will attempt to fetch zone
If the file does not exist or is empty, Unbound will attempt to fetch zone
data (eg. from the primary servers).
.TP
.B rpz\-action\-override: \fI<action>
@ -2631,6 +2664,17 @@ Log all applied RPZ actions for this RPZ zone. Default is no.
.B rpz\-log\-name: \fI<name>
Specify a string to be part of the log line, for easy referencing.
.TP
.B rpz\-signal\-nxdomain\-ra: \fI<yes or no>
Signal when a query is blocked by the RPZ with NXDOMAIN with an unset RA flag.
This allows certain clients, like dnsmasq, to infer that the domain is
externally blocked. Default is no.
.TP
.B for\-downstream: \fI<yes or no>
If enabled the zone is authoritatively answered for and queries for the RPZ
zone information are answered to downstream clients. This is useful for
monitoring scripts, that can then access the SOA information to check if
the rpz information is up to date. Default is no.
.TP
.B tags: \fI<list of tags>
Limit the policies from this RPZ clause to clients with a matching tag. Tags
need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
@ -2671,7 +2715,7 @@ server:
.SH "FILES"
.TP
.I @UNBOUND_RUN_DIR@
default unbound working directory.
default Unbound working directory.
.TP
.I @UNBOUND_CHROOT_DIR@
default
@ -2679,13 +2723,13 @@ default
location.
.TP
.I @ub_conf_file@
unbound configuration file.
Unbound configuration file.
.TP
.I @UNBOUND_PIDFILE@
default unbound pidfile with process ID of the running daemon.
default Unbound pidfile with process ID of the running daemon.
.TP
.I unbound.log
unbound log file. default is to log to
Unbound log file. default is to log to
\fIsyslog\fR(3).
.SH "SEE ALSO"
\fIunbound\fR(8),

71
contrib/unbound/iterator/iter_delegpt.c
View file

@ -75,7 +75,8 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
copy->ssl_upstream = dp->ssl_upstream;
copy->tcp_upstream = dp->tcp_upstream;
for(ns = dp->nslist; ns; ns = ns->next) {
if(!delegpt_add_ns(copy, region, ns->name, ns->lame))
if(!delegpt_add_ns(copy, region, ns->name, ns->lame,
ns->tls_auth_name, ns->port))
return NULL;
copy->nslist->resolved = ns->resolved;
copy->nslist->got4 = ns->got4;
@ -84,8 +85,8 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
copy->nslist->done_pside6 = ns->done_pside6;
}
for(a = dp->target_list; a; a = a->next_target) {
if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen,
a->bogus, a->lame, a->tls_auth_name, NULL))
if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen,
a->bogus, a->lame, a->tls_auth_name, -1, NULL))
return NULL;
}
return copy;
@ -102,7 +103,7 @@ delegpt_set_name(struct delegpt* dp, struct regional* region, uint8_t* name)
int
delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name,
uint8_t lame)
uint8_t lame, char* tls_auth_name, int port)
{
struct delegpt_ns* ns;
size_t len;
@ -126,6 +127,14 @@ delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name,
ns->lame = lame;
ns->done_pside4 = 0;
ns->done_pside6 = 0;
ns->port = port;
if(tls_auth_name) {
ns->tls_auth_name = regional_strdup(region, tls_auth_name);
if(!ns->tls_auth_name)
return 0;
} else {
ns->tls_auth_name = NULL;
}
return ns->name != 0;
}
@ -159,9 +168,9 @@ delegpt_find_addr(struct delegpt* dp, struct sockaddr_storage* addr,
return NULL;
}
int
delegpt_add_target(struct delegpt* dp, struct regional* region,
uint8_t* name, size_t namelen, struct sockaddr_storage* addr,
int
delegpt_add_target(struct delegpt* dp, struct regional* region,
uint8_t* name, size_t namelen, struct sockaddr_storage* addr,
socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions)
{
struct delegpt_ns* ns = delegpt_find_ns(dp, name, namelen);
@ -177,17 +186,22 @@ delegpt_add_target(struct delegpt* dp, struct regional* region,
if(ns->got4 && ns->got6)
ns->resolved = 1;
}
return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL,
additions);
log_assert(ns->port>0);
return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame,
ns->tls_auth_name, ns->port, additions);
}
int
delegpt_add_addr(struct delegpt* dp, struct regional* region,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus,
uint8_t lame, char* tls_auth_name, int* additions)
int
delegpt_add_addr(struct delegpt* dp, struct regional* region,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus,
uint8_t lame, char* tls_auth_name, int port, int* additions)
{
struct delegpt_addr* a;
log_assert(!dp->dp_type_mlc);
if(port != -1) {
log_assert(port>0);
sockaddr_store_port(addr, addrlen, port);
}
/* check for duplicates */
if((a = delegpt_find_addr(dp, addr, addrlen))) {
if(bogus)
@ -412,7 +426,8 @@ delegpt_rrset_add_ns(struct delegpt* dp, struct regional* region,
(size_t)sldns_read_uint16(nsdata->rr_data[i]))
continue; /* bad format */
/* add rdata of NS (= wirefmt dname), skip rdatalen bytes */
if(!delegpt_add_ns(dp, region, nsdata->rr_data[i]+2, lame))
if(!delegpt_add_ns(dp, region, nsdata->rr_data[i]+2, lame,
NULL, UNBOUND_DNS_PORT))
return 0;
}
return 1;
@ -429,7 +444,6 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
log_assert(!dp->dp_type_mlc);
memset(&sa, 0, len);
sa.sin_family = AF_INET;
sa.sin_port = (in_port_t)htons(UNBOUND_DNS_PORT);
for(i=0; i<d->count; i++) {
if(d->rr_len[i] != 2 + INET_SIZE)
continue;
@ -453,7 +467,6 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
log_assert(!dp->dp_type_mlc);
memset(&sa, 0, len);
sa.sin6_family = AF_INET6;
sa.sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT);
for(i=0; i<d->count; i++) {
if(d->rr_len[i] != 2 + INET6_SIZE) /* rdatalen + len of IP6 */
continue;
@ -555,6 +568,7 @@ void delegpt_free_mlc(struct delegpt* dp)
while(n) {
nn = n->next;
free(n->name);
free(n->tls_auth_name);
free(n);
n = nn;
}
@ -577,7 +591,8 @@ int delegpt_set_name_mlc(struct delegpt* dp, uint8_t* name)
return (dp->name != NULL);
}
int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame)
int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame,
char* tls_auth_name, int port)
{
struct delegpt_ns* ns;
size_t len;
@ -604,14 +619,30 @@ int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame)
ns->lame = (uint8_t)lame;
ns->done_pside4 = 0;
ns->done_pside6 = 0;
ns->port = port;
if(tls_auth_name) {
ns->tls_auth_name = strdup(tls_auth_name);
if(!ns->tls_auth_name) {
free(ns->name);
free(ns);
return 0;
}
} else {
ns->tls_auth_name = NULL;
}
return 1;
}
int delegpt_add_addr_mlc(struct delegpt* dp, struct sockaddr_storage* addr,
socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name)
socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name,
int port)
{
struct delegpt_addr* a;
log_assert(dp->dp_type_mlc);
if(port != -1) {
log_assert(port>0);
sockaddr_store_port(addr, addrlen, port);
}
/* check for duplicates */
if((a = delegpt_find_addr(dp, addr, addrlen))) {
if(bogus)
@ -664,7 +695,9 @@ int delegpt_add_target_mlc(struct delegpt* dp, uint8_t* name, size_t namelen,
if(ns->got4 && ns->got6)
ns->resolved = 1;
}
return delegpt_add_addr_mlc(dp, addr, addrlen, bogus, lame, NULL);
log_assert(ns->port>0);
return delegpt_add_addr_mlc(dp, addr, addrlen, bogus, lame,
ns->tls_auth_name, ns->port);
}
size_t delegpt_get_mem(struct delegpt* dp)

28
contrib/unbound/iterator/iter_delegpt.h
View file

@ -126,6 +126,11 @@ struct delegpt_ns {
* Also enabled if a parent-side cache entry exists, or a parent-side
* negative-cache entry exists. */
uint8_t done_pside6;
/** the TLS authentication name, (if not NULL) to use. */
char* tls_auth_name;
/** the port to use; it should mosty be the default 53 but configured
* upstreams can provide nondefault ports. */
int port;
};
/**
@ -191,10 +196,12 @@ int delegpt_set_name(struct delegpt* dp, struct regional* regional,
* @param regional: where to allocate the info.
* @param name: domain name in wire format.
* @param lame: name is lame, disprefer it.
* @param tls_auth_name: TLS authentication name (or NULL).
* @param port: port to use for resolved addresses.
* @return false on error.
*/
int delegpt_add_ns(struct delegpt* dp, struct regional* regional,
uint8_t* name, uint8_t lame);
int delegpt_add_ns(struct delegpt* dp, struct regional* regional,
uint8_t* name, uint8_t lame, char* tls_auth_name, int port);
/**
* Add NS rrset; calls add_ns repeatedly.
@ -271,12 +278,14 @@ int delegpt_add_rrset(struct delegpt* dp, struct regional* regional,
* @param bogus: if address is bogus.
* @param lame: if address is lame.
* @param tls_auth_name: TLS authentication name (or NULL).
* @param port: the port to use; if -1 the port is taken from addr.
* @param additions: will be set to 1 if a new address is added
* @return false on error.
*/
int delegpt_add_addr(struct delegpt* dp, struct regional* regional,
int delegpt_add_addr(struct delegpt* dp, struct regional* regional,
struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t bogus, uint8_t lame, char* tls_auth_name, int* additions);
uint8_t bogus, uint8_t lame, char* tls_auth_name, int port,
int* additions);
/**
* Find NS record in name list of delegation point.
@ -404,22 +413,27 @@ int delegpt_set_name_mlc(struct delegpt* dp, uint8_t* name);
* @param dp: must have been created with delegpt_create_mlc.
* @param name: the name to add.
* @param lame: the name is lame, disprefer.
* @param tls_auth_name: TLS authentication name (or NULL).
* @param port: port to use for resolved addresses.
* @return false on error.
*/
int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame);
int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame,
char* tls_auth_name, int port);
/**
* add an address to a malloced delegation point.
* @param dp: must have been created with delegpt_create_mlc.
* @param dp: must have been created with delegpt_create_mlc.
* @param addr: the address.
* @param addrlen: the length of addr.
* @param bogus: if address is bogus.
* @param lame: if address is lame.
* @param tls_auth_name: TLS authentication name (or NULL).
* @param port: the port to use; if -1 the port is taken from addr.
* @return false on error.
*/
int delegpt_add_addr_mlc(struct delegpt* dp, struct sockaddr_storage* addr,
socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name);
socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name,
int port);
/**
* Add target address to the delegation point.

16
contrib/unbound/iterator/iter_fwd.c
View file

@ -200,21 +200,27 @@ read_fwds_name(struct config_stub* s)
}
/** set fwd host names */
static int
static int
read_fwds_host(struct config_stub* s, struct delegpt* dp)
{
struct config_strlist* p;
uint8_t* dname;
size_t dname_len;
char* tls_auth_name;
int port;
for(p = s->hosts; p; p = p->next) {
log_assert(p->str);
dname = sldns_str2wire_dname(p->str, &dname_len);
dname = authextstrtodname(p->str, &port, &tls_auth_name);
if(!dname) {
log_err("cannot parse forward %s server name: '%s'",
s->name, p->str);
return 0;
}
if(!delegpt_add_ns_mlc(dp, dname, 0)) {
#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
if(tls_auth_name)
log_err("no name verification functionality in "
"ssl library, ignored name for %s", p->str);
#endif
if(!delegpt_add_ns_mlc(dp, dname, 0, tls_auth_name, port)) {
free(dname);
log_err("out of memory");
return 0;
@ -245,7 +251,7 @@ read_fwds_addr(struct config_stub* s, struct delegpt* dp)
"ssl library, ignored name for %s", p->str);
#endif
if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
tls_auth_name)) {
tls_auth_name, -1)) {
log_err("out of memory");
return 0;
}

20
contrib/unbound/iterator/iter_hints.c
View file

@ -99,7 +99,7 @@ ah(struct delegpt* dp, const char* sv, const char* ip)
log_err("could not parse %s", sv);
return 0;
}
if(!delegpt_add_ns_mlc(dp, dname, 0) ||
if(!delegpt_add_ns_mlc(dp, dname, 0, NULL, UNBOUND_DNS_PORT) ||
!extstrtoaddr(ip, &addr, &addrlen) ||
!delegpt_add_target_mlc(dp, dname, dname_len,
&addr, addrlen, 0, 0)) {
@ -213,21 +213,27 @@ read_stubs_name(struct config_stub* s)
}
/** set stub host names */
static int
static int
read_stubs_host(struct config_stub* s, struct delegpt* dp)
{
struct config_strlist* p;
size_t dname_len;
uint8_t* dname;
char* tls_auth_name;
int port;
for(p = s->hosts; p; p = p->next) {
log_assert(p->str);
dname = sldns_str2wire_dname(p->str, &dname_len);
dname = authextstrtodname(p->str, &port, &tls_auth_name);
if(!dname) {
log_err("cannot parse stub %s nameserver name: '%s'",
s->name, p->str);
return 0;
}
if(!delegpt_add_ns_mlc(dp, dname, 0)) {
#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
if(tls_auth_name)
log_err("no name verification functionality in "
"ssl library, ignored name for %s", p->str);
#endif
if(!delegpt_add_ns_mlc(dp, dname, 0, tls_auth_name, port)) {
free(dname);
log_err("out of memory");
return 0;
@ -258,7 +264,7 @@ read_stubs_addr(struct config_stub* s, struct delegpt* dp)
"ssl library, ignored name for %s", p->str);
#endif
if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
auth_name)) {
auth_name, -1)) {
log_err("out of memory");
return 0;
}
@ -338,7 +344,7 @@ read_root_hints(struct iter_hints* hints, char* fname)
if(sldns_wirerr_get_type(rr, rr_len, dname_len)
== LDNS_RR_TYPE_NS) {
if(!delegpt_add_ns_mlc(dp, sldns_wirerr_get_rdata(rr,
rr_len, dname_len), 0)) {
rr_len, dname_len), 0, NULL, UNBOUND_DNS_PORT)) {
log_err("out of memory reading root hints");
goto stop_read;
}

108
contrib/unbound/iterator/iterator.c
View file

@ -1533,36 +1533,6 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
if(!iq->ratelimit_ok && qstate->prefetch_leeway)
iq->ratelimit_ok = 1; /* allow prefetches, this keeps
otherwise valid data in the cache */
if(!iq->ratelimit_ok && infra_ratelimit_exceeded(
qstate->env->infra_cache, iq->dp->name,
iq->dp->namelen, *qstate->env->now)) {
/* and increment the rate, so that the rate for time
* now will also exceed the rate, keeping cache fresh */
(void)infra_ratelimit_inc(qstate->env->infra_cache,
iq->dp->name, iq->dp->namelen,
*qstate->env->now, &qstate->qinfo,
qstate->reply);
/* see if we are passed through with slip factor */
if(qstate->env->cfg->ratelimit_factor != 0 &&
ub_random_max(qstate->env->rnd,
qstate->env->cfg->ratelimit_factor) == 1) {
iq->ratelimit_ok = 1;
log_nametypeclass(VERB_ALGO, "ratelimit allowed through for "
"delegation point", iq->dp->name,
LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN);
} else {
lock_basic_lock(&ie->queries_ratelimit_lock);
ie->num_queries_ratelimited++;
lock_basic_unlock(&ie->queries_ratelimit_lock);
log_nametypeclass(VERB_ALGO, "ratelimit exceeded with "
"delegation point", iq->dp->name,
LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN);
qstate->was_ratelimited = 1;
errinf(qstate, "query was ratelimited");
errinf_dname(qstate, "for zone", iq->dp->name);
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
}
/* see if this dp not useless.
* It is useless if:
@ -1988,12 +1958,13 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
iq->chase_flags &= ~BIT_RD; /* go to authorities */
for(ns = p->nslist; ns; ns=ns->next) {
(void)delegpt_add_ns(iq->dp, qstate->region,
ns->name, ns->lame);
ns->name, ns->lame, ns->tls_auth_name,
ns->port);
}
for(a = p->target_list; a; a=a->next_target) {
(void)delegpt_add_addr(iq->dp, qstate->region,
&a->addr, a->addrlen, a->bogus,
a->lame, a->tls_auth_name, NULL);
a->lame, a->tls_auth_name, -1, NULL);
}
}
iq->dp->has_parent_side_NS = 1;
@ -2211,9 +2182,11 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
int auth_fallback = 0;
uint8_t* qout_orig = NULL;
size_t qout_orig_len = 0;
int sq_check_ratelimit = 1;
int sq_was_ratelimited = 0;
/* NOTE: a request will encounter this state for each target it
* needs to send a query to. That is, at least one per referral,
/* NOTE: a request will encounter this state for each target it
* needs to send a query to. That is, at least one per referral,
* more if some targets timeout or return throwaway answers. */
log_query_info(VERB_QUERY, "processQueryTargets:", &qstate->qinfo);
@ -2534,7 +2507,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
struct dns_msg* forged_response = rpz_callback_from_iterator_module(qstate, iq);
if(forged_response != NULL) {
qstate->ext_state[id] = module_finished;
qstate->return_rcode = FLAGS_GET_RCODE(forged_response->rep->flags);
qstate->return_rcode = LDNS_RCODE_NOERROR;
qstate->return_msg = forged_response;
iq->response = forged_response;
next_state(iq, FINISHED_STATE);
@ -2646,22 +2619,9 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
return 0;
}
/* if not forwarding, check ratelimits per delegationpoint name */
if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) {
if(!infra_ratelimit_inc(qstate->env->infra_cache, iq->dp->name,
iq->dp->namelen, *qstate->env->now, &qstate->qinfo,
qstate->reply)) {
lock_basic_lock(&ie->queries_ratelimit_lock);
ie->num_queries_ratelimited++;
lock_basic_unlock(&ie->queries_ratelimit_lock);
verbose(VERB_ALGO, "query exceeded ratelimits");
qstate->was_ratelimited = 1;
errinf_dname(qstate, "exceeded ratelimit for zone",
iq->dp->name);
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
}
/* Do not check ratelimit for forwarding queries or if we already got a
* pass. */
sq_check_ratelimit = (!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok);
/* We have a valid target. */
if(verbosity >= VERB_QUERY) {
log_query_info(VERB_QUERY, "sending query:", &iq->qinfo_out);
@ -2673,25 +2633,32 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
}
fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
outq = (*qstate->env->send_query)(&iq->qinfo_out,
iq->chase_flags | (iq->chase_to_rd?BIT_RD:0),
iq->chase_flags | (iq->chase_to_rd?BIT_RD:0),
/* unset CD if to forwarder(RD set) and not dnssec retry
* (blacklist nonempty) and no trust-anchors are configured
* above the qname or on the first attempt when dnssec is on */
EDNS_DO| ((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&&
!qstate->blacklist&&(!iter_qname_indicates_dnssec(qstate->env,
&iq->qinfo_out)||target->attempts==1)?0:BIT_CD),
&iq->qinfo_out)||target->attempts==1)?0:BIT_CD),
iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
ie, iq), &target->addr, target->addrlen,
ie, iq), sq_check_ratelimit, &target->addr, target->addrlen,
iq->dp->name, iq->dp->namelen,
(iq->dp->tcp_upstream || qstate->env->cfg->tcp_upstream),
(iq->dp->ssl_upstream || qstate->env->cfg->ssl_upstream),
target->tls_auth_name, qstate);
target->tls_auth_name, qstate, &sq_was_ratelimited);
if(!outq) {
if(sq_was_ratelimited) {
lock_basic_lock(&ie->queries_ratelimit_lock);
ie->num_queries_ratelimited++;
lock_basic_unlock(&ie->queries_ratelimit_lock);
verbose(VERB_ALGO, "query exceeded ratelimits");
qstate->was_ratelimited = 1;
errinf_dname(qstate, "exceeded ratelimit for zone",
iq->dp->name);
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
log_addr(VERB_QUERY, "error sending query to auth server",
&target->addr, target->addrlen);
if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok)
infra_ratelimit_dec(qstate->env->infra_cache, iq->dp->name,
iq->dp->namelen, *qstate->env->now);
if(qstate->env->cfg->qname_minimisation)
iq->minimisation_state = SKIP_MINIMISE_STATE;
return next_state(iq, QUERYTARGETS_STATE);
@ -2935,14 +2902,6 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
* delegation point, and back to the QUERYTARGETS_STATE. */
verbose(VERB_DETAIL, "query response was REFERRAL");
if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) {
/* we have a referral, no ratelimit, we can send
* our queries to the given name */
infra_ratelimit_dec(qstate->env->infra_cache,
iq->dp->name, iq->dp->namelen,
*qstate->env->now);
}
/* if hardened, only store referral if we asked for it */
if(!qstate->no_cache_store &&
(!qstate->env->cfg->harden_referral_path ||
@ -3103,7 +3062,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
}
if(forged_response != NULL) {
qstate->ext_state[id] = module_finished;
qstate->return_rcode = FLAGS_GET_RCODE(forged_response->rep->flags);
qstate->return_rcode = LDNS_RCODE_NOERROR;
qstate->return_msg = forged_response;
iq->response = forged_response;
next_state(iq, FINISHED_STATE);
@ -3384,21 +3343,22 @@ processTargetResponse(struct module_qstate* qstate, int id,
log_err("out of memory adding pside glue");
}
/* This response is relevant to the current query, so we
* add (attempt to add, anyway) this target(s) and reactivate
* the original event.
* NOTE: we could only look for the AnswerRRset if the
/* This response is relevant to the current query, so we
* add (attempt to add, anyway) this target(s) and reactivate
* the original event.
* NOTE: we could only look for the AnswerRRset if the
* response type was ANSWER. */
rrset = reply_find_answer_rrset(&iq->qchase, qstate->return_msg->rep);
if(rrset) {
int additions = 0;
/* if CNAMEs have been followed - add new NS to delegpt. */
/* BTW. RFC 1918 says NS should not have got CNAMEs. Robust. */
if(!delegpt_find_ns(foriq->dp, rrset->rk.dname,
if(!delegpt_find_ns(foriq->dp, rrset->rk.dname,
rrset->rk.dname_len)) {
/* if dpns->lame then set newcname ns lame too */
if(!delegpt_add_ns(foriq->dp, forq->region,
rrset->rk.dname, dpns->lame))
if(!delegpt_add_ns(foriq->dp, forq->region,
rrset->rk.dname, dpns->lame, dpns->tls_auth_name,
dpns->port))
log_err("out of memory adding cnamed-ns");
}
/* if dpns->lame then set the address(es) lame too */

4
contrib/unbound/iterator/iterator.h
View file

@ -80,7 +80,7 @@ struct rbtree_type;
/**
* number of labels from QNAME that are always send individually when using
* QNAME minimisation, even when the number of labels of the QNAME is bigger
* tham MAX_MINIMISE_COUNT */
* than MAX_MINIMISE_COUNT */
#define MINIMISE_ONE_LAB 4
#define MINIMISE_MULTIPLE_LABS (MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB)
/** at what query-sent-count to stop target fetch policy */
@ -379,7 +379,7 @@ struct iter_qstate {
/** list of pending queries to authoritative servers. */
struct outbound_list outlist;
/** QNAME minimisation state, RFC7816 */
/** QNAME minimisation state, RFC9156 */
enum minimisation_state minimisation_state;
/** State for capsfail: QNAME minimisation state for comparisons. */

11
contrib/unbound/libunbound/libworker.c
View file

@ -882,9 +882,10 @@ void libworker_alloc_cleanup(void* arg)
struct outbound_entry* libworker_send_query(struct query_info* qinfo,
uint16_t flags, int dnssec, int want_dnssec, int nocaps,
int check_ratelimit,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
struct module_qstate* q)
struct module_qstate* q, int* was_ratelimited)
{
struct libworker* w = (struct libworker*)q->env->worker;
struct outbound_entry* e = (struct outbound_entry*)regional_alloc(
@ -893,9 +894,10 @@ struct outbound_entry* libworker_send_query(struct query_info* qinfo,
return NULL;
e->qstate = q;
e->qsent = outnet_serviced_query(w->back, qinfo, flags, dnssec,
want_dnssec, nocaps, tcp_upstream, ssl_upstream,
want_dnssec, nocaps, check_ratelimit, tcp_upstream, ssl_upstream,
tls_auth_name, addr, addrlen, zone, zonelen, q,
libworker_handle_service_reply, e, w->back->udp_buff, q->env);
libworker_handle_service_reply, e, w->back->udp_buff, q->env,
was_ratelimited);
if(!e->qsent) {
return NULL;
}
@ -976,10 +978,11 @@ void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg))
struct outbound_entry* worker_send_query(struct query_info* ATTR_UNUSED(qinfo),
uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec),
int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps),
int ATTR_UNUSED(check_ratelimit),
struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen),
uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
struct module_qstate* ATTR_UNUSED(q))
struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited))
{
log_assert(0);
return 0;

12
contrib/unbound/libunbound/worker.h
View file

@ -58,6 +58,7 @@ struct query_info;
* @param dnssec: if set, EDNS record will have DO bit set.
* @param want_dnssec: signatures needed.
* @param nocaps: ignore capsforid(if in config), do not perturb qname.
* @param check_ratelimit: if set, will check ratelimit before sending out.
* @param addr: where to.
* @param addrlen: length of addr.
* @param zone: delegation point name.
@ -67,14 +68,17 @@ struct query_info;
* @param tls_auth_name: if ssl_upstream, use this name with TLS
* authentication.
* @param q: which query state to reactivate upon return.
* @param was_ratelimited: it will signal back if the query failed to pass the
* ratelimit check.
* @return: false on failure (memory or socket related). no query was
* sent.
*/
struct outbound_entry* libworker_send_query(struct query_info* qinfo,
uint16_t flags, int dnssec, int want_dnssec, int nocaps,
int check_ratelimit,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
struct module_qstate* q);
struct module_qstate* q, int* was_ratelimited);
/** process incoming serviced query replies from the network */
int libworker_handle_service_reply(struct comm_point* c, void* arg, int error,
@ -110,6 +114,7 @@ void worker_sighandler(int sig, void* arg);
* @param dnssec: if set, EDNS record will have DO bit set.
* @param want_dnssec: signatures needed.
* @param nocaps: ignore capsforid(if in config), do not perturb qname.
* @param check_ratelimit: if set, will check ratelimit before sending out.
* @param addr: where to.
* @param addrlen: length of addr.
* @param zone: wireformat dname of the zone.
@ -119,14 +124,17 @@ void worker_sighandler(int sig, void* arg);
* @param tls_auth_name: if ssl_upstream, use this name with TLS
* authentication.
* @param q: which query state to reactivate upon return.
* @param was_ratelimited: it will signal back if the query failed to pass the
* ratelimit check.
* @return: false on failure (memory or socket related). no query was
* sent.
*/
struct outbound_entry* worker_send_query(struct query_info* qinfo,
uint16_t flags, int dnssec, int want_dnssec, int nocaps,
int check_ratelimit,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
struct module_qstate* q);
struct module_qstate* q, int* was_ratelimited);
/**
* process control messages from the main thread. Frees the control

66
contrib/unbound/services/cache/infra.c vendored
View file

@ -898,8 +898,9 @@ static void infra_ip_create_ratedata(struct infra_cache* infra,
slabhash_insert(infra->client_ip_rates, h, &k->entry, d, NULL);
}
/** find the second and return its rate counter, if none, remove oldest */
static int* infra_rate_find_second(void* data, time_t t)
/** Find the second and return its rate counter. If none and should_add, remove
* oldest to accommodate. Else return none. */
static int* infra_rate_find_second_or_none(void* data, time_t t, int should_add)
{
struct rate_data* d = (struct rate_data*)data;
int i, oldest;
@ -907,6 +908,7 @@ static int* infra_rate_find_second(void* data, time_t t)
if(d->timestamp[i] == t)
return &(d->qps[i]);
}
if(!should_add) return NULL;
/* remove oldest timestamp, and insert it at t with 0 qps */
oldest = 0;
for(i=0; i<RATE_WINDOW; i++) {
@ -918,21 +920,41 @@ static int* infra_rate_find_second(void* data, time_t t)
return &(d->qps[oldest]);
}
int infra_rate_max(void* data, time_t now)
/** find the second and return its rate counter, if none, remove oldest to
* accommodate */
static int* infra_rate_give_second(void* data, time_t t)
{
return infra_rate_find_second_or_none(data, t, 1);
}
/** find the second and return its rate counter only if it exists. Caller
* should check for NULL return value */
static int* infra_rate_get_second(void* data, time_t t)
{
return infra_rate_find_second_or_none(data, t, 0);
}
int infra_rate_max(void* data, time_t now, int backoff)
{
struct rate_data* d = (struct rate_data*)data;
int i, max = 0;
for(i=0; i<RATE_WINDOW; i++) {
if(now-d->timestamp[i] <= RATE_WINDOW) {
if(d->qps[i] > max)
if(backoff) {
if(now-d->timestamp[i] <= RATE_WINDOW &&
d->qps[i] > max) {
max = d->qps[i];
}
} else {
if(now == d->timestamp[i]) {
return d->qps[i];
}
}
}
return max;
}
int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
size_t namelen, time_t timenow, struct query_info* qinfo,
size_t namelen, time_t timenow, int backoff, struct query_info* qinfo,
struct comm_reply* replylist)
{
int lim, max;
@ -949,13 +971,13 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
/* find or insert ratedata */
entry = infra_find_ratedata(infra, name, namelen, 1);
if(entry) {
int premax = infra_rate_max(entry->data, timenow);
int* cur = infra_rate_find_second(entry->data, timenow);
int premax = infra_rate_max(entry->data, timenow, backoff);
int* cur = infra_rate_give_second(entry->data, timenow);
(*cur)++;
max = infra_rate_max(entry->data, timenow);
max = infra_rate_max(entry->data, timenow, backoff);
lock_rw_unlock(&entry->lock);
if(premax < lim && max >= lim) {
if(premax <= lim && max > lim) {
char buf[257], qnm[257], ts[12], cs[12], ip[128];
dname_str(name, buf);
dname_str(qinfo->qname, qnm);
@ -970,12 +992,12 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts);
}
}
return (max < lim);
return (max <= lim);
}
/* create */
infra_create_ratedata(infra, name, namelen, timenow);
return (1 < lim);
return (1 <= lim);
}
void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name,
@ -987,14 +1009,19 @@ void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name,
return; /* not enabled */
entry = infra_find_ratedata(infra, name, namelen, 1);
if(!entry) return; /* not cached */
cur = infra_rate_find_second(entry->data, timenow);
cur = infra_rate_get_second(entry->data, timenow);
if(cur == NULL) {
/* our timenow is not available anymore; nothing to decrease */
lock_rw_unlock(&entry->lock);
return;
}
if((*cur) > 0)
(*cur)--;
lock_rw_unlock(&entry->lock);
}
int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
size_t namelen, time_t timenow)
size_t namelen, time_t timenow, int backoff)
{
struct lruhash_entry* entry;
int lim, max;
@ -1010,7 +1037,7 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
entry = infra_find_ratedata(infra, name, namelen, 0);
if(!entry)
return 0; /* not cached */
max = infra_rate_max(entry->data, timenow);
max = infra_rate_max(entry->data, timenow, backoff);
lock_rw_unlock(&entry->lock);
return (max >= lim);
@ -1027,7 +1054,8 @@ infra_get_mem(struct infra_cache* infra)
}
int infra_ip_ratelimit_inc(struct infra_cache* infra,
struct comm_reply* repinfo, time_t timenow, struct sldns_buffer* buffer)
struct comm_reply* repinfo, time_t timenow, int backoff,
struct sldns_buffer* buffer)
{
int max;
struct lruhash_entry* entry;
@ -1039,10 +1067,10 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
/* find or insert ratedata */
entry = infra_find_ip_ratedata(infra, repinfo, 1);
if(entry) {
int premax = infra_rate_max(entry->data, timenow);
int* cur = infra_rate_find_second(entry->data, timenow);
int premax = infra_rate_max(entry->data, timenow, backoff);
int* cur = infra_rate_give_second(entry->data, timenow);
(*cur)++;
max = infra_rate_max(entry->data, timenow);
max = infra_rate_max(entry->data, timenow, backoff);
lock_rw_unlock(&entry->lock);
if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) {

14
contrib/unbound/services/cache/infra.h vendored
View file

@ -368,6 +368,7 @@ long long infra_get_host_rto(struct infra_cache* infra,
* @param name: zone name
* @param namelen: zone name length
* @param timenow: what time it is now.
* @param backoff: if backoff is enabled.
* @param qinfo: for logging, query name.
* @param replylist: for logging, querier's address (if any).
* @return 1 if it could be incremented. 0 if the increment overshot the
@ -375,7 +376,7 @@ long long infra_get_host_rto(struct infra_cache* infra,
* Failures like alloc failures are not returned (probably as 1).
*/
int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
size_t namelen, time_t timenow, struct query_info* qinfo,
size_t namelen, time_t timenow, int backoff, struct query_info* qinfo,
struct comm_reply* replylist);
/**
@ -398,13 +399,15 @@ void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name,
* @param name: zone name
* @param namelen: zone name length
* @param timenow: what time it is now.
* @param backoff: if backoff is enabled.
* @return true if exceeded.
*/
int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
size_t namelen, time_t timenow);
size_t namelen, time_t timenow, int backoff);
/** find the maximum rate stored, not too old. 0 if no information. */
int infra_rate_max(void* data, time_t now);
/** find the maximum rate stored. 0 if no information.
* When backoff is enabled look for the maximum in the whole RATE_WINDOW. */
int infra_rate_max(void* data, time_t now, int backoff);
/** find the ratelimit in qps for a domain. 0 if no limit for domain. */
int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
@ -415,11 +418,12 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
* @param infra: infra cache
* @param repinfo: information about client
* @param timenow: what time it is now.
* @param backoff: if backoff is enabled.
* @param buffer: with query for logging.
* @return 1 if it could be incremented. 0 if the increment overshot the
* ratelimit and the query should be dropped. */
int infra_ip_ratelimit_inc(struct infra_cache* infra,
struct comm_reply* repinfo, time_t timenow,
struct comm_reply* repinfo, time_t timenow, int backoff,
struct sldns_buffer* buffer);
/**

37
contrib/unbound/services/listen_dnsport.c
View file

@ -1370,39 +1370,38 @@ listen_create(struct comm_base* base, struct listen_port* ports,
struct comm_point* cp = NULL;
if(ports->ftype == listen_type_udp ||
ports->ftype == listen_type_udp_dnscrypt)
cp = comm_point_create_udp(base, ports->fd,
cp = comm_point_create_udp(base, ports->fd,
front->udp_buff, cb, cb_arg, ports->socket);
else if(ports->ftype == listen_type_tcp ||
ports->ftype == listen_type_tcp_dnscrypt)
cp = comm_point_create_tcp(base, ports->fd,
cp = comm_point_create_tcp(base, ports->fd,
tcp_accept_count, tcp_idle_timeout,
harden_large_queries, 0, NULL,
tcp_conn_limit, bufsize, front->udp_buff,
ports->ftype, cb, cb_arg, ports->socket);
else if(ports->ftype == listen_type_ssl ||
ports->ftype == listen_type_http) {
cp = comm_point_create_tcp(base, ports->fd,
cp = comm_point_create_tcp(base, ports->fd,
tcp_accept_count, tcp_idle_timeout,
harden_large_queries,
http_max_streams, http_endpoint,
tcp_conn_limit, bufsize, front->udp_buff,
ports->ftype, cb, cb_arg, ports->socket);
if(http_notls && ports->ftype == listen_type_http)
cp->ssl = NULL;
else
cp->ssl = sslctx;
if(ports->ftype == listen_type_http) {
if(!sslctx && !http_notls) {
log_warn("HTTPS port configured, but no TLS "
"tls-service-key or tls-service-pem "
"set");
log_warn("HTTPS port configured, but "
"no TLS tls-service-key or "
"tls-service-pem set");
}
#ifndef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
if(!http_notls)
log_warn("Unbound is not compiled with an "
"OpenSSL version supporting ALPN "
" (OpenSSL >= 1.0.2). This is required "
"to use DNS-over-HTTPS");
if(!http_notls) {
log_warn("Unbound is not compiled "
"with an OpenSSL version "
"supporting ALPN "
"(OpenSSL >= 1.0.2). This "
"is required to use "
"DNS-over-HTTPS");
}
#endif
#ifndef HAVE_NGHTTP2_NGHTTP2_H
log_warn("Unbound is not compiled with "
@ -1412,13 +1411,17 @@ listen_create(struct comm_base* base, struct listen_port* ports,
}
} else if(ports->ftype == listen_type_udpancil ||
ports->ftype == listen_type_udpancil_dnscrypt)
cp = comm_point_create_udp_ancil(base, ports->fd,
cp = comm_point_create_udp_ancil(base, ports->fd,
front->udp_buff, cb, cb_arg, ports->socket);
if(!cp) {
log_err("can't create commpoint");
log_err("can't create commpoint");
listen_delete(front);
return NULL;
}
if(http_notls && ports->ftype == listen_type_http)
cp->ssl = NULL;
else
cp->ssl = sslctx;
cp->dtenv = dtenv;
cp->do_not_close = 1;
#ifdef USE_DNSCRYPT

102
contrib/unbound/services/localzone.c
View file

@ -56,6 +56,44 @@
* with 16 bytes for an A record, a 64K packet has about 4000 max */
#define LOCALZONE_RRSET_COUNT_MAX 4096
/** print all RRsets in local zone */
static void
local_zone_out(struct local_zone* z)
{
struct local_data* d;
struct local_rrset* p;
RBTREE_FOR(d, struct local_data*, &z->data) {
for(p = d->rrsets; p; p = p->next) {
log_nametypeclass(NO_VERBOSE, "rrset", d->name,
ntohs(p->rrset->rk.type),
ntohs(p->rrset->rk.rrset_class));
}
}
}
static void
local_zone_print(struct local_zone* z)
{
char buf[64];
lock_rw_rdlock(&z->lock);
snprintf(buf, sizeof(buf), "%s zone",
local_zone_type2str(z->type));
log_nametypeclass(NO_VERBOSE, buf, z->name, 0, z->dclass);
local_zone_out(z);
lock_rw_unlock(&z->lock);
}
void local_zones_print(struct local_zones* zones)
{
struct local_zone* z;
lock_rw_rdlock(&zones->lock);
log_info("number of auth zones %u", (unsigned)zones->ztree.count);
RBTREE_FOR(z, struct local_zone*, &zones->ztree) {
local_zone_print(z);
}
lock_rw_unlock(&zones->lock);
}
struct local_zones*
local_zones_create(void)
{
@ -1010,6 +1048,38 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg)
lock_rw_rdlock(&zones->lock);
if(!local_zones_lookup(zones, rr_name, len, labs, rr_class,
rr_type)) {
/* Check if there is a zone that this could go
* under but for different class; created zones are
* always for LDNS_RR_CLASS_IN. Create the zone with
* a different class but the same configured
* local_zone_type. */
struct local_zone* z = local_zones_lookup(zones,
rr_name, len, labs, LDNS_RR_CLASS_IN, rr_type);
if(z) {
uint8_t* name = memdup(z->name, z->namelen);
size_t znamelen = z->namelen;
int znamelabs = z->namelabs;
enum localzone_type ztype = z->type;
lock_rw_unlock(&zones->lock);
if(!name) {
log_err("out of memory");
free(rr_name);
return 0;
}
if(!(
#ifndef THREADS_DISABLED
z =
#endif
lz_enter_zone_dname(zones, name,
znamelen, znamelabs,
ztype, rr_class))) {
free(rr_name);
return 0;
}
lock_rw_unlock(&z->lock);
free(rr_name);
continue;
}
if(!have_name) {
dclass = rr_class;
nm = rr_name;
@ -1220,38 +1290,6 @@ local_zones_find_le(struct local_zones* zones,
return (struct local_zone*)node;
}
/** print all RRsets in local zone */
static void
local_zone_out(struct local_zone* z)
{
struct local_data* d;
struct local_rrset* p;
RBTREE_FOR(d, struct local_data*, &z->data) {
for(p = d->rrsets; p; p = p->next) {
log_nametypeclass(NO_VERBOSE, "rrset", d->name,
ntohs(p->rrset->rk.type),
ntohs(p->rrset->rk.rrset_class));
}
}
}
void local_zones_print(struct local_zones* zones)
{
struct local_zone* z;
lock_rw_rdlock(&zones->lock);
log_info("number of auth zones %u", (unsigned)zones->ztree.count);
RBTREE_FOR(z, struct local_zone*, &zones->ztree) {
char buf[64];
lock_rw_rdlock(&z->lock);
snprintf(buf, sizeof(buf), "%s zone",
local_zone_type2str(z->type));
log_nametypeclass(NO_VERBOSE, buf, z->name, 0, z->dclass);
local_zone_out(z);
lock_rw_unlock(&z->lock);
}
lock_rw_unlock(&zones->lock);
}
/** encode answer consisting of 1 rrset */
static int
local_encode(struct query_info* qinfo, struct module_env* env,

305
contrib/unbound/services/outside_network.c
View file

@ -94,6 +94,16 @@ static void waiting_list_remove(struct outside_network* outnet,
static uint16_t tcp_select_id(struct outside_network* outnet,
struct reuse_tcp* reuse);
/** Perform serviced query UDP sending operation */
static int serviced_udp_send(struct serviced_query* sq, sldns_buffer* buff);
/** Send serviced query over TCP return false on initial failure */
static int serviced_tcp_send(struct serviced_query* sq, sldns_buffer* buff);
/** call the callbacks for a serviced query */
static void serviced_callbacks(struct serviced_query* sq, int error,
struct comm_point* c, struct comm_reply* rep);
int
pending_cmp(const void* key1, const void* key2)
{
@ -836,6 +846,7 @@ outnet_add_tcp_waiting_first(struct outside_network* outnet,
if(w->on_tcp_waiting_list)
return;
w->next_waiting = outnet->tcp_wait_first;
log_assert(w->next_waiting != w);
if(!outnet->tcp_wait_last)
outnet->tcp_wait_last = w;
outnet->tcp_wait_first = w;
@ -1136,6 +1147,22 @@ static void reuse_cb_readwait_for_failure(rbtree_type* tree_by_id, int err)
}
}
/** mark the entry for being in the cb_and_decommission stage */
static void mark_for_cb_and_decommission(rbnode_type* node,
void* ATTR_UNUSED(arg))
{
struct waiting_tcp* w = (struct waiting_tcp*)node->key;
/* Mark the waiting_tcp to signal later code (serviced_delete) that
* this item is part of the backed up tree_by_id and will be deleted
* later. */
w->in_cb_and_decommission = 1;
/* Mark the serviced_query for deletion so that later code through
* callbacks (iter_clear .. outnet_serviced_query_stop) won't
* prematurely delete it. */
if(w->cb)
((struct serviced_query*)w->cb_arg)->to_be_deleted = 1;
}
/** perform callbacks for failure and also decommission pending tcp.
* the callbacks remove references in sq->pending to the waiting_tcp
* members of the tree_by_id in the pending tcp. The pending_tcp is
@ -1151,6 +1178,9 @@ static void reuse_cb_and_decommission(struct outside_network* outnet,
pend->reuse.write_wait_first = NULL;
pend->reuse.write_wait_last = NULL;
decommission_pending_tcp(outnet, pend);
if(store.root != NULL && store.root != RBTREE_NULL) {
traverse_postorder(&store, &mark_for_cb_and_decommission, NULL);
}
reuse_cb_readwait_for_failure(&store, error);
reuse_del_readwait(&store);
}
@ -1248,6 +1278,12 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error,
c->buffer));
/* find the query the reply is for */
w = reuse_tcp_by_id_find(&pend->reuse, id);
/* Make sure that the reply we got is at least for a
* sent query with the same ID; the waiting_tcp that
* gets a reply is assumed to not be waiting to be
* sent. */
if(w && (w->on_tcp_waiting_list || w->write_wait_queued))
w = NULL;
}
}
if(error == NETEVENT_NOERROR && !w) {
@ -1265,6 +1301,8 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error,
}
}
if(w) {
log_assert(!w->on_tcp_waiting_list);
log_assert(!w->write_wait_queued);
reuse_tree_by_id_delete(&pend->reuse, w);
verbose(VERB_CLIENT, "outnet tcp callback query err %d buflen %d",
error, (int)sldns_buffer_limit(c->buffer));
@ -1324,7 +1362,7 @@ outnet_send_wait_udp(struct outside_network* outnet)
{
struct pending* pend;
/* process waiting queries */
while(outnet->udp_wait_first && outnet->unused_fds
while(outnet->udp_wait_first && outnet->unused_fds
&& !outnet->want_to_quit) {
pend = outnet->udp_wait_first;
outnet->udp_wait_first = pend->next_waiting;
@ -1333,8 +1371,10 @@ outnet_send_wait_udp(struct outside_network* outnet)
sldns_buffer_write(outnet->udp_buff, pend->pkt, pend->pkt_len);
sldns_buffer_flip(outnet->udp_buff);
free(pend->pkt); /* freeing now makes get_mem correct */
pend->pkt = NULL;
pend->pkt = NULL;
pend->pkt_len = 0;
log_assert(!pend->sq->busy);
pend->sq->busy = 1;
if(!randomize_and_send_udp(pend, outnet->udp_buff,
pend->timeout)) {
/* callback error on pending */
@ -1344,6 +1384,8 @@ outnet_send_wait_udp(struct outside_network* outnet)
NETEVENT_CLOSED, NULL);
}
pending_delete(outnet, pend);
} else {
pend->sq->busy = 0;
}
}
}
@ -1454,7 +1496,6 @@ calc_num46(char** ifs, int num_ifs, int do_ip4, int do_ip6,
(*num_ip4)++;
}
}
}
void
@ -1708,16 +1749,9 @@ static void
serviced_node_del(rbnode_type* node, void* ATTR_UNUSED(arg))
{
struct serviced_query* sq = (struct serviced_query*)node;
struct service_callback* p = sq->cblist, *np;
free(sq->qbuf);
free(sq->zone);
free(sq->tls_auth_name);
edns_opt_list_free(sq->opt_list);
while(p) {
np = p->next;
free(p);
p = np;
}
alloc_reg_release(sq->alloc, sq->region);
if(sq->timer)
comm_timer_delete(sq->timer);
free(sq);
}
@ -2174,10 +2208,13 @@ pending_udp_query(struct serviced_query* sq, struct sldns_buffer* packet,
sq->outnet->udp_wait_last = pend;
return pend;
}
log_assert(!sq->busy);
sq->busy = 1;
if(!randomize_and_send_udp(pend, packet, timeout)) {
pending_delete(sq->outnet, pend);
return NULL;
}
sq->busy = 0;
return pend;
}
@ -2247,7 +2284,7 @@ reuse_tcp_select_id(struct reuse_tcp* reuse, struct outside_network* outnet)
}
/* equally pick a random unused element from the tree that is
* not in use. Pick a the n-th index of an ununused number,
* not in use. Pick a the n-th index of an unused number,
* then loop over the empty spaces in the tree and find it */
log_assert(reuse->tree_by_id.count < 0xffff);
select = ub_random_max(outnet->rnd, 0xffff - reuse->tree_by_id.count);
@ -2360,6 +2397,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
#ifdef USE_DNSTAP
w->sq = NULL;
#endif
w->in_cb_and_decommission = 0;
if(pend) {
/* we have a buffer available right now */
if(reuse) {
@ -2456,30 +2494,62 @@ lookup_serviced(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
return (struct serviced_query*)rbtree_search(outnet->serviced, &key);
}
void
serviced_timer_cb(void* arg)
{
struct serviced_query* sq = (struct serviced_query*)arg;
struct outside_network* outnet = sq->outnet;
verbose(VERB_ALGO, "serviced send timer");
/* By the time this cb is called, if we don't have any registered
* callbacks for this serviced_query anymore; do not send. */
if(!sq->cblist)
goto delete;
/* perform first network action */
if(outnet->do_udp && !(sq->tcp_upstream || sq->ssl_upstream)) {
if(!serviced_udp_send(sq, outnet->udp_buff))
goto delete;
} else {
if(!serviced_tcp_send(sq, outnet->udp_buff))
goto delete;
}
/* Maybe by this time we don't have callbacks attached anymore. Don't
* proactively try to delete; let it run and maybe another callback
* will get attached by the time we get an answer. */
return;
delete:
serviced_callbacks(sq, NETEVENT_CLOSED, NULL, NULL);
}
/** Create new serviced entry */
static struct serviced_query*
serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
int want_dnssec, int nocaps, int tcp_upstream, int ssl_upstream,
char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* zone, size_t zonelen, int qtype, struct edns_option* opt_list,
size_t pad_queries_block_size)
size_t pad_queries_block_size, struct alloc_cache* alloc,
struct regional* region)
{
struct serviced_query* sq = (struct serviced_query*)malloc(sizeof(*sq));
struct timeval t;
#ifdef UNBOUND_DEBUG
rbnode_type* ins;
#endif
if(!sq)
return NULL;
sq->node.key = sq;
sq->qbuf = memdup(sldns_buffer_begin(buff), sldns_buffer_limit(buff));
sq->alloc = alloc;
sq->region = region;
sq->qbuf = regional_alloc_init(region, sldns_buffer_begin(buff),
sldns_buffer_limit(buff));
if(!sq->qbuf) {
alloc_reg_release(alloc, region);
free(sq);
return NULL;
}
sq->qbuflen = sldns_buffer_limit(buff);
sq->zone = memdup(zone, zonelen);
sq->zone = regional_alloc_init(region, zone, zonelen);
if(!sq->zone) {
free(sq->qbuf);
alloc_reg_release(alloc, region);
free(sq);
return NULL;
}
@ -2491,10 +2561,9 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
sq->tcp_upstream = tcp_upstream;
sq->ssl_upstream = ssl_upstream;
if(tls_auth_name) {
sq->tls_auth_name = strdup(tls_auth_name);
sq->tls_auth_name = regional_strdup(region, tls_auth_name);
if(!sq->tls_auth_name) {
free(sq->zone);
free(sq->qbuf);
alloc_reg_release(alloc, region);
free(sq);
return NULL;
}
@ -2503,17 +2572,16 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
}
memcpy(&sq->addr, addr, addrlen);
sq->addrlen = addrlen;
sq->opt_list = NULL;
if(opt_list) {
sq->opt_list = edns_opt_copy_alloc(opt_list);
if(!sq->opt_list) {
free(sq->tls_auth_name);
free(sq->zone);
free(sq->qbuf);
free(sq);
return NULL;
}
sq->opt_list = opt_list;
sq->busy = 0;
sq->timer = comm_timer_create(outnet->base, serviced_timer_cb, sq);
if(!sq->timer) {
alloc_reg_release(alloc, region);
free(sq);
return NULL;
}
memset(&t, 0, sizeof(t));
comm_timer_set(sq->timer, &t);
sq->outnet = outnet;
sq->cblist = NULL;
sq->pending = NULL;
@ -2522,7 +2590,7 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
sq->to_be_deleted = 0;
sq->padding_block_size = pad_queries_block_size;
#ifdef UNBOUND_DEBUG
ins =
ins =
#else
(void)
#endif
@ -2620,29 +2688,38 @@ serviced_delete(struct serviced_query* sq)
struct waiting_tcp* w = (struct waiting_tcp*)
sq->pending;
verbose(VERB_CLIENT, "serviced_delete: TCP");
log_assert(!(w->write_wait_queued && w->on_tcp_waiting_list));
/* if on stream-write-waiting list then
* remove from waiting list and waiting_tcp_delete */
if(w->write_wait_queued) {
struct pending_tcp* pend =
(struct pending_tcp*)w->next_waiting;
verbose(VERB_CLIENT, "serviced_delete: writewait");
reuse_tree_by_id_delete(&pend->reuse, w);
if(!w->in_cb_and_decommission)
reuse_tree_by_id_delete(&pend->reuse, w);
reuse_write_wait_remove(&pend->reuse, w);
waiting_tcp_delete(w);
if(!w->in_cb_and_decommission)
waiting_tcp_delete(w);
} else if(!w->on_tcp_waiting_list) {
struct pending_tcp* pend =
(struct pending_tcp*)w->next_waiting;
verbose(VERB_CLIENT, "serviced_delete: tcpreusekeep");
/* w needs to stay on tree_by_id to not assign
* the same ID; remove the callback since its
* serviced_query will be gone. */
w->cb = NULL;
if(!reuse_tcp_remove_serviced_keep(w, sq)) {
reuse_cb_and_decommission(sq->outnet,
pend, NETEVENT_CLOSED);
if(!w->in_cb_and_decommission)
reuse_cb_and_decommission(sq->outnet,
pend, NETEVENT_CLOSED);
use_free_buffer(sq->outnet);
}
sq->pending = NULL;
} else {
verbose(VERB_CLIENT, "serviced_delete: tcpwait");
waiting_list_remove(sq->outnet, w);
waiting_tcp_delete(w);
if(!w->in_cb_and_decommission)
waiting_tcp_delete(w);
}
}
}
@ -2892,7 +2969,8 @@ serviced_callbacks(struct serviced_query* sq, int error, struct comm_point* c,
* use secondary buffer to store the query.
* This is a data copy, but faster than packet to server */
backlen = sldns_buffer_limit(c->buffer);
backup_p = memdup(sldns_buffer_begin(c->buffer), backlen);
backup_p = regional_alloc_init(sq->region,
sldns_buffer_begin(c->buffer), backlen);
if(!backup_p) {
log_err("malloc failure in serviced query callbacks");
error = NETEVENT_CLOSED;
@ -2910,10 +2988,8 @@ serviced_callbacks(struct serviced_query* sq, int error, struct comm_point* c,
}
fptr_ok(fptr_whitelist_serviced_query(p->cb));
(void)(*p->cb)(c, p->cb_arg, error, rep);
free(p);
}
if(backup_p) {
free(backup_p);
sq->outnet->svcd_overhead = 0;
}
verbose(VERB_ALGO, "svcd callbacks end");
@ -2931,7 +3007,7 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
struct waiting_tcp* w = (struct waiting_tcp*)sq->pending;
struct pending_tcp* pend_tcp = NULL;
struct port_if* pi = NULL;
if(!w->on_tcp_waiting_list && w->next_waiting) {
if(w && !w->on_tcp_waiting_list && w->next_waiting) {
pend_tcp = (struct pending_tcp*)w->next_waiting;
pi = pend_tcp->pi;
}
@ -3027,8 +3103,11 @@ serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff)
sq->status==serviced_query_TCP_EDNS?"EDNS":"");
serviced_encode(sq, buff, sq->status == serviced_query_TCP_EDNS);
sq->last_sent_time = *sq->outnet->now_tv;
log_assert(!sq->busy);
sq->busy = 1;
sq->pending = pending_tcp_query(sq, buff, sq->outnet->tcp_auth_query_timeout,
serviced_tcp_callback, sq);
sq->busy = 0;
if(!sq->pending) {
/* delete from tree so that a retry by above layer does not
* clash with this entry */
@ -3060,8 +3139,11 @@ serviced_tcp_send(struct serviced_query* sq, sldns_buffer* buff)
} else {
timeout = sq->outnet->tcp_auth_query_timeout;
}
log_assert(!sq->busy);
sq->busy = 1;
sq->pending = pending_tcp_query(sq, buff, timeout,
serviced_tcp_callback, sq);
sq->busy = 0;
return sq->pending != NULL;
}
@ -3112,7 +3194,6 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
struct timeval now = *sq->outnet->now_tv;
#ifdef USE_DNSTAP
struct pending* p = (struct pending*)sq->pending;
struct port_if* pi = p->pc->pif;
#endif
sq->pending = NULL; /* removed after callback */
@ -3154,14 +3235,16 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
/*
* sending src (local service)/dst (upstream) addresses over DNSTAP
*/
if(error == NETEVENT_NOERROR && outnet->dtenv &&
(outnet->dtenv->log_resolver_response_messages ||
outnet->dtenv->log_forwarder_response_messages)) {
if(error == NETEVENT_NOERROR && outnet->dtenv && p->pc &&
(outnet->dtenv->log_resolver_response_messages ||
outnet->dtenv->log_forwarder_response_messages)) {
log_addr(VERB_ALGO, "response from upstream", &sq->addr, sq->addrlen);
log_addr(VERB_ALGO, "to local addr", &pi->addr, pi->addrlen);
dt_msg_send_outside_response(outnet->dtenv, &sq->addr, &pi->addr, c->type,
sq->zone, sq->zonelen, sq->qbuf, sq->qbuflen,
&sq->last_sent_time, sq->outnet->now_tv, c->buffer);
log_addr(VERB_ALGO, "to local addr", &p->pc->pif->addr,
p->pc->pif->addrlen);
dt_msg_send_outside_response(outnet->dtenv, &sq->addr,
&p->pc->pif->addr, c->type, sq->zone, sq->zonelen,
sq->qbuf, sq->qbuflen, &sq->last_sent_time,
sq->outnet->now_tv, c->buffer);
}
#endif
if( (sq->status == serviced_query_UDP_EDNS
@ -3251,64 +3334,117 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
struct serviced_query*
outnet_serviced_query(struct outside_network* outnet,
struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec,
int nocaps, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
size_t zonelen, struct module_qstate* qstate,
comm_point_callback_type* callback, void* callback_arg, sldns_buffer* buff,
struct module_env* env)
int nocaps, int check_ratelimit, int tcp_upstream, int ssl_upstream,
char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* zone, size_t zonelen, struct module_qstate* qstate,
comm_point_callback_type* callback, void* callback_arg,
sldns_buffer* buff, struct module_env* env, int* was_ratelimited)
{
struct serviced_query* sq;
struct service_callback* cb;
struct edns_string_addr* client_string_addr;
struct regional* region;
struct edns_option* backed_up_opt_list = qstate->edns_opts_back_out;
struct edns_option* per_upstream_opt_list = NULL;
time_t timenow = 0;
if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone, zonelen,
qstate, qstate->region))
/* If we have an already populated EDNS option list make a copy since
* we may now add upstream specific EDNS options. */
/* Use a region that could be attached to a serviced_query, if it needs
* to be created. If an existing one is found then this region will be
* destroyed here. */
region = alloc_reg_obtain(env->alloc);
if(!region) return NULL;
if(qstate->edns_opts_back_out) {
per_upstream_opt_list = edns_opt_copy_region(
qstate->edns_opts_back_out, region);
if(!per_upstream_opt_list) {
alloc_reg_release(env->alloc, region);
return NULL;
}
qstate->edns_opts_back_out = per_upstream_opt_list;
}
if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone,
zonelen, qstate, region)) {
alloc_reg_release(env->alloc, region);
return NULL;
}
/* Restore the option list; we can explicitly use the copied one from
* now on. */
per_upstream_opt_list = qstate->edns_opts_back_out;
qstate->edns_opts_back_out = backed_up_opt_list;
if((client_string_addr = edns_string_addr_lookup(
&env->edns_strings->client_strings, addr, addrlen))) {
edns_opt_list_append(&qstate->edns_opts_back_out,
edns_opt_list_append(&per_upstream_opt_list,
env->edns_strings->client_string_opcode,
client_string_addr->string_len,
client_string_addr->string, qstate->region);
client_string_addr->string, region);
}
serviced_gen_query(buff, qinfo->qname, qinfo->qname_len, qinfo->qtype,
qinfo->qclass, flags);
sq = lookup_serviced(outnet, buff, dnssec, addr, addrlen,
qstate->edns_opts_back_out);
/* duplicate entries are included in the callback list, because
* there is a counterpart registration by our caller that needs to
* be doubly-removed (with callbacks perhaps). */
if(!(cb = (struct service_callback*)malloc(sizeof(*cb))))
return NULL;
per_upstream_opt_list);
if(!sq) {
/* Check ratelimit only for new serviced_query */
if(check_ratelimit) {
timenow = *env->now;
if(!infra_ratelimit_inc(env->infra_cache, zone,
zonelen, timenow, env->cfg->ratelimit_backoff,
&qstate->qinfo, qstate->reply)) {
/* Can we pass through with slip factor? */
if(env->cfg->ratelimit_factor == 0 ||
ub_random_max(env->rnd,
env->cfg->ratelimit_factor) != 1) {
*was_ratelimited = 1;
alloc_reg_release(env->alloc, region);
return NULL;
}
log_nametypeclass(VERB_ALGO,
"ratelimit allowed through for "
"delegation point", zone,
LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN);
}
}
/* make new serviced query entry */
sq = serviced_create(outnet, buff, dnssec, want_dnssec, nocaps,
tcp_upstream, ssl_upstream, tls_auth_name, addr,
addrlen, zone, zonelen, (int)qinfo->qtype,
qstate->edns_opts_back_out,
per_upstream_opt_list,
( ssl_upstream && env->cfg->pad_queries
? env->cfg->pad_queries_block_size : 0 ));
? env->cfg->pad_queries_block_size : 0 ),
env->alloc, region);
if(!sq) {
free(cb);
if(check_ratelimit) {
infra_ratelimit_dec(env->infra_cache,
zone, zonelen, timenow);
}
alloc_reg_release(env->alloc, region);
return NULL;
}
/* perform first network action */
if(outnet->do_udp && !(tcp_upstream || ssl_upstream)) {
if(!serviced_udp_send(sq, buff)) {
(void)rbtree_delete(outnet->serviced, sq);
serviced_node_del(&sq->node, NULL);
free(cb);
return NULL;
}
} else {
if(!serviced_tcp_send(sq, buff)) {
(void)rbtree_delete(outnet->serviced, sq);
serviced_node_del(&sq->node, NULL);
free(cb);
return NULL;
if(!(cb = (struct service_callback*)regional_alloc(
sq->region, sizeof(*cb)))) {
if(check_ratelimit) {
infra_ratelimit_dec(env->infra_cache,
zone, zonelen, timenow);
}
(void)rbtree_delete(outnet->serviced, sq);
serviced_node_del(&sq->node, NULL);
return NULL;
}
/* No network action at this point; it will be invoked with the
* serviced_query timer instead to run outside of the mesh. */
} else {
/* We don't need this region anymore. */
alloc_reg_release(env->alloc, region);
/* duplicate entries are included in the callback list, because
* there is a counterpart registration by our caller that needs
* to be doubly-removed (with callbacks perhaps). */
if(!(cb = (struct service_callback*)regional_alloc(
sq->region, sizeof(*cb)))) {
return NULL;
}
}
/* add callback to list of callbacks */
@ -3328,7 +3464,6 @@ callback_list_remove(struct serviced_query* sq, void* cb_arg)
if((*pp)->cb_arg == cb_arg) {
struct service_callback* del = *pp;
*pp = del->next;
free(del);
return;
}
pp = &(*pp)->next;
@ -3337,13 +3472,13 @@ callback_list_remove(struct serviced_query* sq, void* cb_arg)
void outnet_serviced_query_stop(struct serviced_query* sq, void* cb_arg)
{
if(!sq)
if(!sq)
return;
callback_list_remove(sq, cb_arg);
/* if callbacks() routine scheduled deletion, let it do that */
if(!sq->cblist && !sq->to_be_deleted) {
if(!sq->cblist && !sq->busy && !sq->to_be_deleted) {
(void)rbtree_delete(sq->outnet->serviced, sq);
serviced_delete(sq);
serviced_delete(sq);
}
}

27
contrib/unbound/services/outside_network.h
View file

@ -43,7 +43,9 @@
#ifndef OUTSIDE_NETWORK_H
#define OUTSIDE_NETWORK_H
#include "util/alloc.h"
#include "util/rbtree.h"
#include "util/regional.h"
#include "util/netevent.h"
#include "dnstap/dnstap_config.h"
struct pending;
@ -412,6 +414,8 @@ struct waiting_tcp {
char* tls_auth_name;
/** the packet was involved in an error, to stop looping errors */
int error_count;
/** if true, the item is at the cb_and_decommission stage */
int in_cb_and_decommission;
#ifdef USE_DNSTAP
/** serviced query pointer for dnstap to get logging info, if nonNULL*/
struct serviced_query* sq;
@ -512,6 +516,15 @@ struct serviced_query {
void* pending;
/** block size with which to pad encrypted queries (default: 128) */
size_t padding_block_size;
/** region for this serviced query. Will be cleared when this
* serviced_query will be deleted */
struct regional* region;
/** allocation service for the region */
struct alloc_cache* alloc;
/** flash timer to start the net I/O as a separate event */
struct comm_timer* timer;
/** true if serviced_query is currently doing net I/O and may block */
int busy;
};
/**
@ -619,6 +632,7 @@ void pending_delete(struct outside_network* outnet, struct pending* p);
* @param want_dnssec: signatures are needed, without EDNS the answer is
* likely to be useless.
* @param nocaps: ignore use_caps_for_id and use unperturbed qname.
* @param check_ratelimit: if set, will check ratelimit before sending out.
* @param tcp_upstream: use TCP for upstream queries.
* @param ssl_upstream: use SSL for upstream queries.
* @param tls_auth_name: when ssl_upstream is true, use this name to check
@ -635,16 +649,18 @@ void pending_delete(struct outside_network* outnet, struct pending* p);
* @param callback_arg: user argument to callback function.
* @param buff: scratch buffer to create query contents in. Empty on exit.
* @param env: the module environment.
* @param was_ratelimited: it will signal back if the query failed to pass the
* ratelimit check.
* @return 0 on error, or pointer to serviced query that is used to answer
* this serviced query may be shared with other callbacks as well.
*/
struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec,
int nocaps, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
size_t zonelen, struct module_qstate* qstate,
int nocaps, int check_ratelimit, int tcp_upstream, int ssl_upstream,
char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* zone, size_t zonelen, struct module_qstate* qstate,
comm_point_callback_type* callback, void* callback_arg,
struct sldns_buffer* buff, struct module_env* env);
struct sldns_buffer* buff, struct module_env* env, int* was_ratelimited);
/**
* Remove service query callback.
@ -785,6 +801,9 @@ void pending_udp_timer_delay_cb(void *arg);
/** callback for outgoing TCP timer event */
void outnet_tcptimer(void* arg);
/** callback to send serviced queries */
void serviced_timer_cb(void *arg);
/** callback for serviced query UDP answers */
int serviced_udp_callback(struct comm_point* c, void* arg, int error,
struct comm_reply* rep);

34
contrib/unbound/services/rpz.c
View file

@ -542,6 +542,7 @@ rpz_create(struct config_auth* p)
}
}
r->log = p->rpz_log;
r->signal_nxdomain_ra = p->rpz_signal_nxdomain_ra;
if(p->rpz_log_name) {
if(!(r->log_name = strdup(p->rpz_log_name))) {
log_err("malloc failure on RPZ log_name strdup");
@ -836,7 +837,7 @@ rpz_report_rrset_error(const char* msg, uint8_t* rr, size_t rr_len) {
}
/* from localzone.c; difference is we don't have a dname */
struct local_rrset*
static struct local_rrset*
rpz_clientip_new_rrset(struct regional* region,
struct clientip_synthesized_rr* raddr, uint16_t rrtype, uint16_t rrclass)
{
@ -1384,9 +1385,9 @@ log_rpz_apply(char* trigger, uint8_t* dname, struct addr_tree_node* addrnode,
if(dname) {
dname_str(dname, dnamestr);
} else if(addrnode) {
char a[128];
addr_to_str(&addrnode->addr, addrnode->addrlen, a, sizeof(a));
snprintf(dnamestr, sizeof(dnamestr), "%s/%d", a, addrnode->net);
char addrbuf[128];
addr_to_str(&addrnode->addr, addrnode->addrlen, addrbuf, sizeof(addrbuf));
snprintf(dnamestr, sizeof(dnamestr), "%s/%d", addrbuf, addrnode->net);
} else {
dnamestr[0]=0;
}
@ -1697,7 +1698,7 @@ rpz_synthesize_nodata(struct rpz* ATTR_UNUSED(r), struct module_qstate* ms,
if(msg == NULL) { return msg; }
msg->qinfo = *qinfo;
msg->rep = construct_reply_info_base(ms->region,
LDNS_RCODE_NOERROR | BIT_RD | BIT_QR | BIT_AA | BIT_RA,
LDNS_RCODE_NOERROR | BIT_QR | BIT_AA | BIT_RA,
1, /* qd */
0, /* ttl */
0, /* prettl */
@ -1715,14 +1716,18 @@ rpz_synthesize_nodata(struct rpz* ATTR_UNUSED(r), struct module_qstate* ms,
}
static inline struct dns_msg*
rpz_synthesize_nxdomain(struct rpz* ATTR_UNUSED(r), struct module_qstate* ms,
rpz_synthesize_nxdomain(struct rpz* r, struct module_qstate* ms,
struct query_info* qinfo, struct auth_zone* az)
{
struct dns_msg* msg = rpz_dns_msg_new(ms->region);
uint16_t flags;
if(msg == NULL) { return msg; }
msg->qinfo = *qinfo;
flags = LDNS_RCODE_NXDOMAIN | BIT_QR | BIT_AA | BIT_RA;
if(r->signal_nxdomain_ra)
flags &= ~BIT_RA;
msg->rep = construct_reply_info_base(ms->region,
LDNS_RCODE_NXDOMAIN | BIT_RD | BIT_QR | BIT_AA | BIT_RA,
flags,
1, /* qd */
0, /* ttl */
0, /* prettl */
@ -1752,7 +1757,7 @@ rpz_synthesize_localdata_from_rrset(struct rpz* ATTR_UNUSED(r), struct module_qs
if(msg == NULL) { return NULL; }
new_reply_info = construct_reply_info_base(ms->region,
LDNS_RCODE_NOERROR | BIT_RD | BIT_QR | BIT_AA | BIT_RA,
LDNS_RCODE_NOERROR | BIT_QR | BIT_AA | BIT_RA,
1, /* qd */
0, /* ttl */
0, /* prettl */
@ -1922,6 +1927,9 @@ rpz_synthesize_qname_localdata(struct module_env* env, struct rpz* r,
ret = local_zones_zone_answer(z, env, qinfo, edns, repinfo, buf, temp,
0 /* no local data used */, lzt);
if(r->signal_nxdomain_ra && LDNS_RCODE_WIRE(sldns_buffer_begin(buf))
== LDNS_RCODE_NXDOMAIN)
LDNS_RA_CLR(sldns_buffer_begin(buf));
if(r->log) {
log_rpz_apply("qname", z->name, NULL, localzone_type_to_rpz_action(lzt),
qinfo, repinfo, NULL, r->log_name);
@ -1930,7 +1938,7 @@ rpz_synthesize_qname_localdata(struct module_env* env, struct rpz* r,
return ret;
}
struct clientip_synthesized_rr*
static struct clientip_synthesized_rr*
rpz_delegation_point_ipbased_trigger_lookup(struct rpz* rpz, struct iter_qstate* is)
{
struct delegpt_addr* cursor;
@ -1947,7 +1955,7 @@ rpz_delegation_point_ipbased_trigger_lookup(struct rpz* rpz, struct iter_qstate*
return NULL;
}
struct dns_msg*
static struct dns_msg*
rpz_apply_nsip_trigger(struct module_qstate* ms, struct rpz* r,
struct clientip_synthesized_rr* raddr, struct auth_zone* az)
{
@ -2006,7 +2014,7 @@ rpz_apply_nsip_trigger(struct module_qstate* ms, struct rpz* r,
return ret;
}
struct dns_msg*
static struct dns_msg*
rpz_apply_nsdname_trigger(struct module_qstate* ms, struct rpz* r,
struct local_zone* z, struct matched_delegation_point const* match,
struct auth_zone* az)
@ -2295,6 +2303,10 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env,
local_zones_zone_answer(*z_out /*likely NULL, no zone*/, env, qinfo, edns,
repinfo, buf, temp, 0 /* no local data used */,
rpz_action_to_localzone_type(client_action));
if(*r_out && (*r_out)->signal_nxdomain_ra &&
LDNS_RCODE_WIRE(sldns_buffer_begin(buf))
== LDNS_RCODE_NXDOMAIN)
LDNS_RA_CLR(sldns_buffer_begin(buf));
}
ret = 1;
goto done;

2
contrib/unbound/services/rpz.h
View file

@ -123,6 +123,8 @@ struct rpz {
struct ub_packed_rrset_key* cname_override;
int log;
char* log_name;
/** signal NXDOMAIN blocked with unset RA flag */
int signal_nxdomain_ra;
struct regional* region;
int disabled;
};

6
contrib/unbound/sldns/keyraw.c
View file

@ -250,7 +250,8 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
if(!(dsa = DSA_new())) {
return NULL;
}
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
#if OPENSSL_VERSION_NUMBER < 0x10100000 || \
(defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x02070000f)
#ifndef S_SPLINT_S
dsa->p = P;
dsa->q = Q;
@ -428,7 +429,8 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
BN_free(modulus);
return NULL;
}
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
#if OPENSSL_VERSION_NUMBER < 0x10100000 || \
(defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x02070000f)
#ifndef S_SPLINT_S
rsa->n = modulus;
rsa->e = exponent;

14
contrib/unbound/sldns/str2wire.c
View file

@ -25,8 +25,10 @@
#include <netdb.h>
#endif
/** bits for the offset */
#define RET_OFFSET_MASK (((unsigned)(~LDNS_WIREPARSE_MASK))>>LDNS_WIREPARSE_SHIFT)
/** return an error */
#define RET_ERR(e, off) ((int)((e)|((off)<<LDNS_WIREPARSE_SHIFT)))
#define RET_ERR(e, off) ((int)(((e)&LDNS_WIREPARSE_MASK)|(((off)&RET_OFFSET_MASK)<<LDNS_WIREPARSE_SHIFT)))
/** Move parse error but keep its ID */
#define RET_ERR_SHIFT(e, move) RET_ERR(LDNS_WIREPARSE_ERROR(e), LDNS_WIREPARSE_OFFSET(e)+(move));
@ -543,9 +545,10 @@ sldns_parse_rdf_token(sldns_buffer* strbuf, char* token, size_t token_len,
{
size_t slen;
/* skip spaces */
/* skip spaces and tabs */
while(sldns_buffer_remaining(strbuf) > 0 && !*quoted &&
*(sldns_buffer_current(strbuf)) == ' ') {
(*(sldns_buffer_current(strbuf)) == ' ' ||
*(sldns_buffer_current(strbuf)) == '\t')) {
sldns_buffer_skip(strbuf, 1);
}
@ -601,7 +604,10 @@ sldns_affix_token(sldns_buffer* strbuf, char* token, size_t* token_len,
size_t addstrlen = 0;
/* add space */
if(addlen < 1) return 0;
/* when addlen < 2, the token buffer is full considering the NULL byte
* from strlen and will lead to buffer overflow with the second
* assignement below. */
if(addlen < 2) return 0;
token[*token_strlen] = ' ';
token[++(*token_strlen)] = 0;

2
contrib/unbound/sldns/str2wire.h
View file

@ -187,7 +187,7 @@ uint8_t* sldns_wirerr_get_rdatawl(uint8_t* rr, size_t len, size_t dname_len);
#define LDNS_WIREPARSE_MASK 0x0fff
#define LDNS_WIREPARSE_SHIFT 12
#define LDNS_WIREPARSE_ERROR(e) ((e)&LDNS_WIREPARSE_MASK)
#define LDNS_WIREPARSE_OFFSET(e) (((e)&~LDNS_WIREPARSE_MASK)>>LDNS_WIREPARSE_SHIFT)
#define LDNS_WIREPARSE_OFFSET(e) ((((unsigned)(e))&~LDNS_WIREPARSE_MASK)>>LDNS_WIREPARSE_SHIFT)
/* use lookuptable to get error string, sldns_wireparse_errors */
#define LDNS_WIREPARSE_ERR_OK 0
#define LDNS_WIREPARSE_ERR_GENERAL 342

11
contrib/unbound/sldns/wire2str.c
View file

@ -817,6 +817,7 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
unsigned i, counter=0;
unsigned maxcompr = MAX_COMPRESS_PTRS; /* loop detection, max compr ptrs */
int in_buf = 1;
size_t dname_len = 0;
if(comprloop) {
if(*comprloop != 0)
maxcompr = 30; /* for like ipv6 reverse name, per label */
@ -872,6 +873,16 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
labellen = (uint8_t)*dlen;
else if(!in_buf && pos+(size_t)labellen > pkt+pktlen)
labellen = (uint8_t)(pkt + pktlen - pos);
dname_len += ((size_t)labellen)+1;
if(dname_len > LDNS_MAX_DOMAINLEN) {
/* dname_len counts the uncompressed length we have
* seen so far, and the domain name has become too
* long, prevent the loop from printing overly long
* content. */
w += sldns_str_print(s, slen,
"ErrorDomainNameTooLong");
return w;
}
for(i=0; i<(unsigned)labellen; i++) {
w += dname_char_print(s, slen, *pos++);
}

6
contrib/unbound/smallapp/unbound-checkconf.c
View file

@ -691,6 +691,8 @@ morechecks(struct config_file* cfg)
&& strcmp(cfg->module_conf, "dns64 iterator") != 0
&& strcmp(cfg->module_conf, "respip iterator") != 0
&& strcmp(cfg->module_conf, "respip validator iterator") != 0
&& strcmp(cfg->module_conf, "respip dns64 validator iterator") != 0
&& strcmp(cfg->module_conf, "respip dns64 iterator") != 0
#ifdef WITH_PYTHONMODULE
&& strcmp(cfg->module_conf, "python iterator") != 0
&& strcmp(cfg->module_conf, "python respip iterator") != 0
@ -785,6 +787,10 @@ morechecks(struct config_file* cfg)
&& strcmp(cfg->module_conf, "validator python cachedb iterator") != 0
&& strcmp(cfg->module_conf, "respip validator python cachedb iterator") != 0
#endif
#if defined(CLIENT_SUBNET) && defined(USE_CACHEDB)
&& strcmp(cfg->module_conf, "respip subnetcache validator cachedb iterator") != 0
&& strcmp(cfg->module_conf, "subnetcache validator cachedb iterator") != 0
#endif
#ifdef CLIENT_SUBNET
&& strcmp(cfg->module_conf, "subnetcache iterator") != 0
&& strcmp(cfg->module_conf, "respip subnetcache iterator") != 0

12
contrib/unbound/smallapp/worker_cb.c
View file

@ -97,10 +97,12 @@ void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg))
struct outbound_entry* worker_send_query(
struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags),
int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit),
struct sockaddr_storage* ATTR_UNUSED(addr),
socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream),
char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q))
char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q),
int* ATTR_UNUSED(was_ratelimited))
{
log_assert(0);
return 0;
@ -129,10 +131,12 @@ worker_alloc_cleanup(void* ATTR_UNUSED(arg))
struct outbound_entry* libworker_send_query(
struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags),
int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit),
struct sockaddr_storage* ATTR_UNUSED(addr),
socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream),
char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q))
char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q),
int* ATTR_UNUSED(was_ratelimited))
{
log_assert(0);
return 0;

90
contrib/unbound/testdata/edns_attached_once_per_upstream.rpl vendored Normal file
View file

@ -0,0 +1,90 @@
; config options
server:
edns-client-string: 10.0.0.0/24 "abc d"
outbound-msg-retry: 1
stub-zone:
name: "edns-string-abc."
stub-addr: 10.0.0.3
stub-first: yes
forward-zone:
name: "."
forward-addr: 10.0.0.1
CONFIG_END
SCENARIO_BEGIN Test that upstream specific EDNS is attached once; uses string tag option
RANGE_BEGIN 0 1000
ADDRESS 10.0.0.3
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR SERVFAIL
SECTION QUESTION
edns-string-abc. IN A
ENTRY_END
RANGE_END
RANGE_BEGIN 0 1000
ADDRESS 10.0.0.1
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
edns-string-abc. IN A
SECTION ANSWER
edns-string-abc. IN A 10.20.30.40
SECTION ADDITIONAL
ENTRY_END
RANGE_END
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
edns-string-abc. IN A
ENTRY_END
; This will receive SERVFAIL and the next address will be queried
STEP 20 CHECK_OUT_QUERY ADDRESS 10.0.0.3
ENTRY_BEGIN
MATCH qname qtype opcode ednsdata
SECTION QUESTION
edns-string-abc. IN A
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
fd e9 ; Opcode 65001
00 05 ; Length 5
61 62 63 20 64 ; "abc d"
HEX_EDNSDATA_END
ENTRY_END
; This will receive the answer; makes sure that EDNS is attached once
STEP 22 CHECK_OUT_QUERY ADDRESS 10.0.0.1
ENTRY_BEGIN
MATCH qname qtype opcode ednsdata
SECTION QUESTION
edns-string-abc. IN A
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
fd e9 ; Opcode 65001
00 05 ; Length 5
61 62 63 20 64 ; "abc d"
HEX_EDNSDATA_END
ENTRY_END
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
edns-string-abc. IN A
SECTION ANSWER
edns-string-abc. IN A 10.20.30.40
ENTRY_END
SCENARIO_END

174
contrib/unbound/testdata/nsid_bogus.rpl vendored Normal file
View file

@ -0,0 +1,174 @@
; config options
; The island of trust is at example.com
server:
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
minimal-responses: no
nsid: "ascii_hopsa kidee"
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
SCENARIO_BEGIN Test for NSID in SERVFAIL response due to DNSSEC bogus
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END
; a.gtld-servers.net.
RANGE_BEGIN 0 100
ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END
; ns.example.com.
RANGE_BEGIN 0 100
ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END
; response to DNSKEY priming query
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END
; nodata for ns.example.com AAAA
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
SECTION ADDITIONAL
ENTRY_END
; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
;good signature
;www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
;missing
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2855 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4=
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
ENTRY_END
RANGE_END
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 03 ; Opcode NSID (3)
00 00 ; Length 0
HEX_EDNSDATA_END
ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 03 ; Opcode NSID (3)
00 0b ; Length 11
68 6F 70 73 61 20 ; "hopsa "
6B 69 64 65 65 ; "kidee"
HEX_EDNSDATA_END
ENTRY_END
SCENARIO_END

29
contrib/unbound/testdata/ratelimit.tdir/ratelimit.conf vendored Normal file
View file

@ -0,0 +1,29 @@
server:
verbosity: 5
# num-threads: 1
interface: 127.0.0.1
port: @PORT@
use-syslog: no
directory: .
pidfile: "unbound.pid"
chroot: ""
username: ""
do-not-query-localhost: no
ratelimit: 1
ratelimit-factor: 0
stub-zone:
name: "example.com."
stub-addr: "127.0.0.1@@TOPORT@"
stub-no-cache: yes
remote-control:
control-enable: yes
control-interface: 127.0.0.1
# control-interface: ::1
control-port: @CONTROL_PORT@
server-key-file: "unbound_server.key"
server-cert-file: "unbound_server.pem"
control-key-file: "unbound_control.key"
control-cert-file: "unbound_control.pem"

16
contrib/unbound/testdata/ratelimit.tdir/ratelimit.dsc vendored Normal file
View file

@ -0,0 +1,16 @@
BaseName: ratelimit
Version: 1.0
Description: Test ratelimit.
CreationDate: Sun Jan 30 00:40:00 CET 2022
Maintainer: Yorgos Thessalonikefs
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: ratelimit.pre
Post: ratelimit.post
Test: ratelimit.test
AuxFiles:
Passed:
Failure:

14
contrib/unbound/testdata/ratelimit.tdir/ratelimit.post vendored Normal file
View file

@ -0,0 +1,14 @@
# #-- ratelimit.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
. ../common.sh
kill_pid $STUB_PID
kill_pid $UNBOUND_PID
if test -f unbound.log; then
echo ">>> unbound log"
cat unbound.log
fi

33
contrib/unbound/testdata/ratelimit.tdir/ratelimit.pre vendored Normal file
View file

@ -0,0 +1,33 @@
# #-- ratelimit.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
PRE="../.."
. ../common.sh
get_random_port 2
UNBOUND_PORT=$RND_PORT
STUB_PORT=$(($RND_PORT + 1))
CONTROL_PORT=$(($RND_PORT + 2))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
echo "STUB_PORT=$STUB_PORT" >> .tpkg.var.test
echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
# start ldns-testns
get_ldns_testns
$LDNS_TESTNS -v -p $STUB_PORT ratelimit.testns >stub.log 2>&1 &
STUB_PID=$!
echo "STUB_PID=$STUB_PID" >> .tpkg.var.test
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$STUB_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < ratelimit.conf > ub.conf
# start unbound in the background
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
wait_ldns_testns_up stub.log
wait_unbound_up unbound.log
cat .tpkg.var.test

183
contrib/unbound/testdata/ratelimit.tdir/ratelimit.test vendored Normal file
View file

@ -0,0 +1,183 @@
# #-- ratelimit.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
PRE="../.."
. ../common.sh
get_make
(cd $PRE; $MAKE streamtcp)
# These tests rely on second time precision. To combat false negatives the
# tests run multiple times and we allow 1/3 of the runs to fail.
total_runs=6
success_threshold=4 # 2/3*total_runs
successes=0
echo "> Three parallel queries"
# For this test we send three parallel queries and we expect only one of them
# to be allowed through each second.
for i in $(seq 1 $total_runs); do
$PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1
if test "$?" -ne 0; then
echo "exit status not OK"
echo "> cat logfiles"
cat outfile
cat unbound.log
echo "Not OK"
exit 1
fi
cat outfile
if test `grep "rcode: SERVFAIL" outfile | wc -l` -eq 2; then
((successes++))
fi
# We don't have to wait for all the runs to complete if we know
# we passed the threshold.
if test $successes -ge $success_threshold; then
break
fi
sleep 1
done
if test $successes -ge $success_threshold; then
echo "Number of ratelimited queries OK for three parallel queries"
else
echo "Number of ratelimited queries not OK for three parallel queries"
echo "> cat logfiles"
cat outfile
cat unbound.log
echo "Number of ratelimited queries not OK for three parallel queries"
exit 1
fi
echo "> Activating ratelimit-factor"
echo "$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 3"
$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 3
if test $? -ne 0; then
echo "wrong exit value after success"
exit 1
fi
slipped_through=0
echo "> Three parallel queries with ratelimit-factor"
# For this test we send three parallel queries and we expect at least two of
# them to be allowed through at a given second; one from the ratelimit itself
# and one from the ratelimit-factor.
for i in {1..10}; do
$PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1
if test "$?" -ne 0; then
echo "exit status not OK"
echo "> cat logfiles"
cat outfile
cat unbound.log
echo "Not OK"
exit 1
fi
cat outfile
if test `grep "rcode: SERVFAIL" outfile | wc -l` -lt 2; then
slipped_through=1
break
fi
sleep 2
done
if test $slipped_through -eq 0; then
echo "ratelimit-factor did not work"
echo "> cat logfiles"
cat outfile
cat unbound.log
echo "ratelimit-factor did not work"
exit 1
fi
echo "ratelimit-factor OK"
echo "> Disabling ratelimit-factor"
echo "$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 0"
$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 0
if test $? -ne 0; then
echo "wrong exit value after success"
exit 1
fi
echo "> Activating ratelimit-backoff"
echo "$PRE/unbound-control -c ub.conf set_option ratelimit-backoff: yes"
$PRE/unbound-control -c ub.conf set_option ratelimit-backoff: yes
if test $? -ne 0; then
echo "wrong exit value after success"
exit 1
fi
successes=0
echo "> Three parallel queries with backoff"
# For this test we send three parallel queries. The ratelimit should be reached
# for that second. Then for the next second we again send three parallel
# queries and we expect none of them to be allowed through because of the
# backoff logic that keeps rolling the RATE_WINDOW based on demand.
for i in $(seq 1 $total_runs); do
$PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1
if test "$?" -ne 0; then
echo "exit status not OK"
echo "> cat logfiles"
cat outfile
cat unbound.log
echo "Not OK"
exit 1
fi
sleep 1 # Limit is reached; it should also be active for the next second
$PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1
if test "$?" -ne 0; then
echo "exit status not OK"
echo "> cat logfiles"
cat outfile
cat unbound.log
echo "Not OK"
exit 1
fi
cat outfile
if test `grep "rcode: SERVFAIL" outfile | wc -l` -eq 3; then
((successes++))
fi
# We don't have to wait for all the runs to complete if we know
# we passed the threshold.
if test $successes -ge $success_threshold; then
break
fi
done
if test $successes -ge $success_threshold; then
echo "three parallel queries with backoff OK"
else
echo "Number of ratelimited queries not OK for three parallel queries with backoff"
echo "> cat logfiles"
cat outfile
cat unbound.log
echo "Number of ratelimited queries not OK for three parallel queries with backoff"
exit 1
fi
echo "> Three parallel queries after backoff RATE_WINDOW"
sleep 3 # Make sure the RATE_WINDOW is renewed
# For this test we make three parallel queries after the RATE_WINDOW has passed
# without any new demand and we expect at least one query to pass through. This
# is to check that the backoff logic does not insist on past (outside of
# RATE_WINDOW) limits.
$PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1
if test "$?" -ne 0; then
echo "exit status not OK"
echo "> cat logfiles"
cat outfile
cat unbound.log
echo "Not OK"
exit 1
fi
cat outfile
if test `grep "rcode: NOERROR" outfile | wc -l` -gt 0; then
echo "Number of ratelimited queries OK for three parallel queries after backoff RATE_WINDOW"
else
echo "Number of ratelimited queries not OK for three parallel queries after backoff RATE_WINDOW"
echo "> cat logfiles"
cat outfile
cat unbound.log
echo "Number of ratelimited queries not OK for three parallel queries after backoff RATE_WINDOW"
exit 1
fi
exit 0

13
contrib/unbound/testdata/ratelimit.tdir/ratelimit.testns vendored Normal file
View file

@ -0,0 +1,13 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
ENTRY_BEGIN
MATCH opcode qtype
REPLY QR AA NOERROR
ADJUST copy_id copy_query
SECTION QUESTION
wild IN A
SECTION ANSWER
wild IN A 10.20.30.40
ENTRY_END

39
contrib/unbound/testdata/ratelimit.tdir/unbound_control.key vendored Normal file
View file

@ -0,0 +1,39 @@
-----BEGIN RSA PRIVATE KEY-----
MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA
1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ
F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR
ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm
vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb
IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL
cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr
lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov
15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf
LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+
Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57
YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9
whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c
lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax
tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ
U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9
Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc
Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3
ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+
1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN
b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz
ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C
TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF
tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y
aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0
A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU
LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U
R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy
7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj
7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw
jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1
BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar
kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR
qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3
VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9
MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa
C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g=
-----END RSA PRIVATE KEY-----

22
contrib/unbound/testdata/ratelimit.tdir/unbound_control.pem vendored Normal file
View file

@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx
EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw
WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA
A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv
OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj
1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl
NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht
A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/
Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB
TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/
nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My
+i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj
4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83
hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU
9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn
ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ
pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD
72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ
muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP
uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte
-----END CERTIFICATE-----

39
contrib/unbound/testdata/ratelimit.tdir/unbound_server.key vendored Normal file
View file

@ -0,0 +1,39 @@
-----BEGIN RSA PRIVATE KEY-----
MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
-----END RSA PRIVATE KEY-----

22
contrib/unbound/testdata/ratelimit.tdir/unbound_server.pem vendored Normal file
View file

@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
-----END CERTIFICATE-----

2
contrib/unbound/testdata/rpz_nsdname.rpl vendored
View file

@ -348,7 +348,7 @@ ENTRY_END
STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NXDOMAIN
REPLY QR AA RD RA NXDOMAIN
SECTION QUESTION
gotham.aa. IN A
SECTION ANSWER

2
contrib/unbound/testdata/rpz_nsip.rpl vendored
View file

@ -348,7 +348,7 @@ ENTRY_END
STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NXDOMAIN
REPLY QR AA RD RA NXDOMAIN
SECTION QUESTION
gotham.aa. IN A
SECTION ANSWER

254
contrib/unbound/testdata/rpz_signal_nxdomain_ra.rpl vendored Normal file
View file

@ -0,0 +1,254 @@
; config options
server:
module-config: "respip validator iterator"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: no
access-control: 192.0.0.0/8 allow
rpz:
name: "rpz.example.com."
rpz-signal-nxdomain-ra: yes
zonefile:
TEMPFILE_NAME rpz.example.com
TEMPFILE_CONTENTS rpz.example.com
$ORIGIN example.com.
rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
1379078166 28800 7200 604800 7200 )
3600 IN NS ns1.rpz.example.com.
3600 IN NS ns2.rpz.example.com.
$ORIGIN rpz.example.com.
a.a CNAME .
b.a CNAME .
ns1.a.rpz-nsdname CNAME .
24.0.0.0.192.rpz-nsip CNAME .
24.0.3.0.192.rpz-client-ip CNAME .
TEMPFILE_END
stub-zone:
name: "a."
stub-addr: 10.20.30.40
CONFIG_END
SCENARIO_BEGIN Test RPZ qname trigger and signal NXDOMAIN with unset RA.
RANGE_BEGIN 0 100
ADDRESS 10.20.30.40
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a. IN NS
SECTION ANSWER
a. IN NS ns.a.
SECTION ADDITIONAL
ns.a IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.a. IN TXT
SECTION ANSWER
a.a. IN TXT "upstream txt rr a.a."
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
b.a. IN TXT
SECTION ANSWER
b.a. IN TXT "upstream txt rr b.a."
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
c.a. IN TXT
SECTION ANSWER
c.a. IN CNAME b.a
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
d.a. IN NS
SECTION ANSWER
SECTION AUTHORITY
d.a. IN NS ns1.a.
SECTION ADDITIONAL
ns1.a. IN A 10.20.30.50
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
e.a. IN NS
SECTION ANSWER
SECTION AUTHORITY
e.a. IN NS ns2.a.
SECTION ADDITIONAL
ns2.a. IN A 192.0.0.5
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
f.a. IN TXT
SECTION ANSWER
f.a. IN TXT "upstream txt rr f.a."
ENTRY_END
RANGE_END
RANGE_BEGIN 0 100
ADDRESS 10.20.30.50
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
d.a. IN NS
SECTION ANSWER
d.a. IN NS ns1.a.
SECTION ADDITIONAL
ns1.a. IN A 10.20.30.50
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
d.d.a. IN TXT
SECTION ANSWER
d.d.a. IN TXT "upstream answer for d.d.a"
ENTRY_END
RANGE_END
RANGE_BEGIN 0 100
ADDRESS 192.0.0.5
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
e.a. IN NS
SECTION ANSWER
e.a. IN NS ns2.a.
SECTION ADDITIONAL
ns2.a. IN A 192.0.0.5
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
e.e.a. IN TXT
SECTION ANSWER
e.e.a. IN TXT "upstream answer for e.e.a"
ENTRY_END
RANGE_END
; qname trigger
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
a.a. IN TXT
ENTRY_END
STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD AA NXDOMAIN
SECTION QUESTION
a.a. IN TXT
SECTION ANSWER
ENTRY_END
; qname trigger after cname
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
c.a. IN TXT
ENTRY_END
STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD AA NXDOMAIN
SECTION QUESTION
c.a. IN TXT
SECTION ANSWER
c.a. IN CNAME b.a
ENTRY_END
; nsdname trigger
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
d.d.a. IN TXT
ENTRY_END
STEP 31 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD AA NXDOMAIN
SECTION QUESTION
d.d.a. IN TXT
SECTION ANSWER
ENTRY_END
; nsip trigger
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
e.e.a. IN TXT
ENTRY_END
STEP 41 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD AA NXDOMAIN
SECTION QUESTION
e.e.a. IN TXT
SECTION ANSWER
ENTRY_END
; clientip trigger
STEP 50 QUERY ADDRESS 192.0.3.1
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
f.a. IN TXT
ENTRY_END
STEP 51 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR AA RD NXDOMAIN
SECTION QUESTION
f.a. IN TXT
SECTION ANSWER
ENTRY_END
SCENARIO_END

24
contrib/unbound/util/config_file.c
View file

@ -260,7 +260,7 @@ config_create(void)
cfg->val_log_level = 0;
cfg->val_log_squelch = 0;
cfg->val_permissive_mode = 0;
cfg->aggressive_nsec = 0;
cfg->aggressive_nsec = 1;
cfg->ignore_cd = 0;
cfg->serve_expired = 0;
cfg->serve_expired_ttl = 0;
@ -328,9 +328,11 @@ config_create(void)
cfg->ratelimit_size = 4*1024*1024;
cfg->ratelimit_for_domain = NULL;
cfg->ratelimit_below_domain = NULL;
cfg->outbound_msg_retry = 5;
cfg->ip_ratelimit_factor = 10;
cfg->ratelimit_factor = 10;
cfg->ip_ratelimit_backoff = 0;
cfg->ratelimit_backoff = 0;
cfg->outbound_msg_retry = 5;
cfg->qname_minimisation = 1;
cfg->qname_minimisation_strict = 0;
cfg->shm_enable = 0;
@ -531,11 +533,17 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_YNO("edns-tcp-keepalive:", do_tcp_keepalive)
else S_NUMBER_NONZERO("edns-tcp-keepalive-timeout:", tcp_keepalive_timeout)
else S_YNO("ssl-upstream:", ssl_upstream)
else S_YNO("tls-upstream:", ssl_upstream)
else S_STR("ssl-service-key:", ssl_service_key)
else S_STR("tls-service-key:", ssl_service_key)
else S_STR("ssl-service-pem:", ssl_service_pem)
else S_STR("tls-service-pem:", ssl_service_pem)
else S_NUMBER_NONZERO("ssl-port:", ssl_port)
else S_NUMBER_NONZERO("tls-port:", ssl_port)
else S_STR("ssl-cert-bundle:", tls_cert_bundle)
else S_STR("tls-cert-bundle:", tls_cert_bundle)
else S_YNO("tls-win-cert:", tls_win_cert)
else S_STRLIST("additional-ssl-port:", tls_additional_port)
else S_STRLIST("additional-tls-port:", tls_additional_port)
else S_STRLIST("tls-additional-ports:", tls_additional_port)
else S_STRLIST("tls-additional-port:", tls_additional_port)
@ -753,6 +761,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_POW2("ratelimit-slabs:", ratelimit_slabs)
else S_NUMBER_OR_ZERO("ip-ratelimit-factor:", ip_ratelimit_factor)
else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
else S_YNO("ip-ratelimit-backoff:", ip_ratelimit_backoff)
else S_YNO("ratelimit-backoff:", ratelimit_backoff)
else S_NUMBER_NONZERO("outbound-msg-retry:", outbound_msg_retry)
else S_SIZET_NONZERO("fast-server-num:", fast_server_num)
else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil)
@ -1029,11 +1039,19 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "edns-tcp-keepalive", do_tcp_keepalive)
else O_DEC(opt, "edns-tcp-keepalive-timeout", tcp_keepalive_timeout)
else O_YNO(opt, "ssl-upstream", ssl_upstream)
else O_YNO(opt, "tls-upstream", ssl_upstream)
else O_STR(opt, "ssl-service-key", ssl_service_key)
else O_STR(opt, "tls-service-key", ssl_service_key)
else O_STR(opt, "ssl-service-pem", ssl_service_pem)
else O_STR(opt, "tls-service-pem", ssl_service_pem)
else O_DEC(opt, "ssl-port", ssl_port)
else O_DEC(opt, "tls-port", ssl_port)
else O_STR(opt, "ssl-cert-bundle", tls_cert_bundle)
else O_STR(opt, "tls-cert-bundle", tls_cert_bundle)
else O_YNO(opt, "tls-win-cert", tls_win_cert)
else O_LST(opt, "additional-ssl-port", tls_additional_port)
else O_LST(opt, "additional-tls-port", tls_additional_port)
else O_LST(opt, "tls-additional-ports", tls_additional_port)
else O_LST(opt, "tls-additional-port", tls_additional_port)
else O_LST(opt, "tls-session-ticket-keys", tls_session_ticket_keys.first)
else O_STR(opt, "tls-ciphers", tls_ciphers)
@ -1197,6 +1215,8 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_LS2(opt, "ratelimit-below-domain", ratelimit_below_domain)
else O_DEC(opt, "ip-ratelimit-factor", ip_ratelimit_factor)
else O_DEC(opt, "ratelimit-factor", ratelimit_factor)
else O_YNO(opt, "ip-ratelimit-backoff", ip_ratelimit_backoff)
else O_YNO(opt, "ratelimit-backoff", ratelimit_backoff)
else O_UNS(opt, "outbound-msg-retry", outbound_msg_retry)
else O_DEC(opt, "fast-server-num", fast_server_num)
else O_DEC(opt, "fast-server-permil", fast_server_permil)

11
contrib/unbound/util/config_file.h
View file

@ -565,6 +565,10 @@ struct config_file {
size_t ip_ratelimit_size;
/** ip_ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */
int ip_ratelimit_factor;
/** ratelimit backoff, when on, if the limit is reached it is
* considered an attack and it backs off until 'demand' decreases over
* the RATE_WINDOW. */
int ip_ratelimit_backoff;
/** ratelimit for domains. 0 is off, otherwise qps (unless overridden) */
int ratelimit;
@ -578,6 +582,11 @@ struct config_file {
struct config_str2list* ratelimit_below_domain;
/** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */
int ratelimit_factor;
/** ratelimit backoff, when on, if the limit is reached it is
* considered an attack and it backs off until 'demand' decreases over
* the RATE_WINDOW. */
int ratelimit_backoff;
/** number of retries on outgoing queries */
int outbound_msg_retry;
/** minimise outgoing QNAME and hide original QTYPE if possible */
@ -745,6 +754,8 @@ struct config_auth {
/** Always reply with this CNAME target if the cname override action is
* used */
char* rpz_cname;
/** signal nxdomain block with unset RA */
int rpz_signal_nxdomain_ra;
/** Check ZONEMD records for this zone */
int zonemd_check;
/** Reject absence of ZONEMD records, zone must have one */

3
contrib/unbound/util/configlexer.lex
View file

@ -348,6 +348,7 @@ rpz-action-override{COLON} { YDVAR(1, VAR_RPZ_ACTION_OVERRIDE) }
rpz-cname-override{COLON} { YDVAR(1, VAR_RPZ_CNAME_OVERRIDE) }
rpz-log{COLON} { YDVAR(1, VAR_RPZ_LOG) }
rpz-log-name{COLON} { YDVAR(1, VAR_RPZ_LOG_NAME) }
rpz-signal-nxdomain-ra{COLON} { YDVAR(1, VAR_RPZ_SIGNAL_NXDOMAIN_RA) }
zonefile{COLON} { YDVAR(1, VAR_ZONEFILE) }
master{COLON} { YDVAR(1, VAR_MASTER) }
primary{COLON} { YDVAR(1, VAR_MASTER) }
@ -502,6 +503,8 @@ ratelimit-for-domain{COLON} { YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) }
ratelimit-below-domain{COLON} { YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) }
ip-ratelimit-factor{COLON} { YDVAR(1, VAR_IP_RATELIMIT_FACTOR) }
ratelimit-factor{COLON} { YDVAR(1, VAR_RATELIMIT_FACTOR) }
ip-ratelimit-backoff{COLON} { YDVAR(1, VAR_IP_RATELIMIT_BACKOFF) }
ratelimit-backoff{COLON} { YDVAR(1, VAR_RATELIMIT_BACKOFF) }
outbound-msg-retry{COLON} { YDVAR(1, VAR_OUTBOUND_MSG_RETRY) }
low-rtt{COLON} { YDVAR(1, VAR_LOW_RTT) }
fast-server-num{COLON} { YDVAR(1, VAR_FAST_SERVER_NUM) }

36
contrib/unbound/util/configparser.y
View file

@ -142,6 +142,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_OUTBOUND_MSG_RETRY
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN
%token VAR_IP_RATELIMIT_FACTOR VAR_RATELIMIT_FACTOR
%token VAR_IP_RATELIMIT_BACKOFF VAR_RATELIMIT_BACKOFF
%token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ZONE
%token VAR_CLIENT_SUBNET_ALWAYS_FORWARD VAR_CLIENT_SUBNET_OPCODE
%token VAR_MAX_CLIENT_SUBNET_IPV4 VAR_MAX_CLIENT_SUBNET_IPV6
@ -187,6 +188,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING
%token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID
%token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE
%token VAR_RPZ_SIGNAL_NXDOMAIN_RA
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -271,7 +273,8 @@ content_server: server_num_threads | server_verbosity | server_port |
server_ip_ratelimit_size | server_ratelimit_size |
server_ratelimit_for_domain |
server_ratelimit_below_domain | server_ratelimit_factor |
server_ip_ratelimit_factor | server_outbound_msg_retry |
server_ip_ratelimit_factor | server_ratelimit_backoff |
server_ip_ratelimit_backoff | server_outbound_msg_retry |
server_send_client_subnet | server_client_subnet_zone |
server_client_subnet_always_forward | server_client_subnet_opcode |
server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 |
@ -455,6 +458,15 @@ rpz_log_name: VAR_RPZ_LOG_NAME STRING_ARG
cfg_parser->cfg->auths->rpz_log_name = $2;
}
;
rpz_signal_nxdomain_ra: VAR_RPZ_SIGNAL_NXDOMAIN_RA STRING_ARG
{
OUTYY(("P(rpz_signal_nxdomain_ra:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->auths->rpz_signal_nxdomain_ra = (strcmp($2, "yes")==0);
free($2);
}
;
rpzstart: VAR_RPZ
{
@ -478,7 +490,7 @@ contents_rpz: contents_rpz content_rpz
| ;
content_rpz: auth_name | auth_zonefile | rpz_tag | auth_master | auth_url |
auth_allow_notify | rpz_action_override | rpz_cname_override |
rpz_log | rpz_log_name
rpz_log | rpz_log_name | rpz_signal_nxdomain_ra | auth_for_downstream
;
server_num_threads: VAR_NUM_THREADS STRING_ARG
{
@ -2494,6 +2506,26 @@ server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG
free($2);
}
;
server_ip_ratelimit_backoff: VAR_IP_RATELIMIT_BACKOFF STRING_ARG
{
OUTYY(("P(server_ip_ratelimit_backoff:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->ip_ratelimit_backoff =
(strcmp($2, "yes")==0);
free($2);
}
;
server_ratelimit_backoff: VAR_RATELIMIT_BACKOFF STRING_ARG
{
OUTYY(("P(server_ratelimit_backoff:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->ratelimit_backoff =
(strcmp($2, "yes")==0);
free($2);
}
;
server_outbound_msg_retry: VAR_OUTBOUND_MSG_RETRY STRING_ARG
{
OUTYY(("P(server_outbound_msg_retry:%s)\n", $2));

8
contrib/unbound/util/fptr_wlist.c
View file

@ -138,6 +138,7 @@ fptr_whitelist_comm_timer(void (*fptr)(void*))
else if(fptr == &auth_xfer_probe_timer_callback) return 1;
else if(fptr == &auth_xfer_transfer_timer_callback) return 1;
else if(fptr == &mesh_serve_expired_callback) return 1;
else if(fptr == &serviced_timer_cb) return 1;
#ifdef USE_DNSTAP
else if(fptr == &mq_wakeup_cb) return 1;
#endif
@ -334,9 +335,10 @@ fptr_whitelist_hash_markdelfunc(lruhash_markdelfunc_type fptr)
int
fptr_whitelist_modenv_send_query(struct outbound_entry* (*fptr)(
struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec,
int nocaps, struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
struct module_qstate* q))
int nocaps, int check_ratelimit, struct sockaddr_storage* addr,
socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream,
int ssl_upstream, char* tls_auth_name, struct module_qstate* q,
int* was_ratelimited))
{
if(fptr == &worker_send_query) return 1;
else if(fptr == &libworker_send_query) return 1;

7
contrib/unbound/util/fptr_wlist.h
View file

@ -211,9 +211,10 @@ int fptr_whitelist_hash_markdelfunc(lruhash_markdelfunc_type fptr);
*/
int fptr_whitelist_modenv_send_query(struct outbound_entry* (*fptr)(
struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec,
int nocaps, struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
struct module_qstate* q));
int nocaps, int check_ratelimit, struct sockaddr_storage* addr,
socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream,
int ssl_upstream, char* tls_auth_name, struct module_qstate* q,
int* was_ratelimited));
/**
* Check function pointer whitelist for module_env detach_subs callback values.

2
contrib/unbound/util/iana_ports.inc
View file

@ -3784,6 +3784,7 @@
4308,
4309,
4310,
4319,
4320,
4321,
4322,
@ -4054,7 +4055,6 @@
5026,
5027,
5029,
5030,
5031,
5042,
5043,

6
contrib/unbound/util/module.h
View file

@ -350,6 +350,7 @@ struct module_env {
* EDNS, the answer is likely to be useless for this domain.
* @param nocaps: do not use caps_for_id, use the qname as given.
* (ignored if caps_for_id is disabled).
* @param check_ratelimit: if set, will check ratelimit before sending out.
* @param addr: where to.
* @param addrlen: length of addr.
* @param zone: delegation point name.
@ -359,6 +360,8 @@ struct module_env {
* @param tls_auth_name: if ssl_upstream, use this name with TLS
* authentication.
* @param q: which query state to reactivate upon return.
* @param was_ratelimited: it will signal back if the query failed to pass the
* ratelimit check.
* @return: false on failure (memory or socket related). no query was
* sent. Or returns an outbound entry with qsent and qstate set.
* This outbound_entry will be used on later module invocations
@ -366,9 +369,10 @@ struct module_env {
*/
struct outbound_entry* (*send_query)(struct query_info* qinfo,
uint16_t flags, int dnssec, int want_dnssec, int nocaps,
int check_ratelimit,
struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream,
char* tls_auth_name, struct module_qstate* q);
char* tls_auth_name, struct module_qstate* q, int* was_ratelimited);
/**
* Detach-subqueries.

40
contrib/unbound/util/net_help.c
View file

@ -44,6 +44,9 @@
#ifdef HAVE_NET_IF_H
#include <net/if.h>
#endif
#ifdef HAVE_NETIOAPI_H
#include <netioapi.h>
#endif
#include "util/net_help.h"
#include "util/log.h"
#include "util/data/dname.h"
@ -52,6 +55,7 @@
#include "util/config_file.h"
#include "sldns/parseutil.h"
#include "sldns/wire2str.h"
#include "sldns/str2wire.h"
#include <fcntl.h>
#ifdef HAVE_OPENSSL_SSL_H
#include <openssl/ssl.h>
@ -476,6 +480,42 @@ int authextstrtoaddr(char* str, struct sockaddr_storage* addr,
return ipstrtoaddr(str, port, addr, addrlen);
}
uint8_t* authextstrtodname(char* str, int* port, char** auth_name)
{
char* s;
uint8_t* dname;
size_t dname_len;
*port = UNBOUND_DNS_PORT;
*auth_name = NULL;
if((s=strchr(str, '@'))) {
char* hash = strchr(s+1, '#');
if(hash) {
*auth_name = hash+1;
} else {
*auth_name = NULL;
}
*port = atoi(s+1);
if(*port == 0) {
if(!hash && strcmp(s+1,"0")!=0)
return 0;
if(hash && strncmp(s+1,"0#",2)!=0)
return 0;
}
*s = 0;
dname = sldns_str2wire_dname(str, &dname_len);
*s = '@';
} else if((s=strchr(str, '#'))) {
*port = UNBOUND_DNS_OVER_TLS_PORT;
*auth_name = s+1;
*s = 0;
dname = sldns_str2wire_dname(str, &dname_len);
*s = '#';
} else {
dname = sldns_str2wire_dname(str, &dname_len);
}
return dname;
}
/** store port number into sockaddr structure */
void
sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port)

19
contrib/unbound/util/net_help.h
View file

@ -210,17 +210,30 @@ int netblockstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
/**
* Convert address string, with "@port" appendix, to sockaddr.
* It can also have an "#tls-auth-name" appendix (after the port).
* The returned tls-auth-name string is a pointer into the input string.
* Uses DNS port by default.
* The returned auth_name string is a pointer into the input string.
* Uses DNS port by default; TLS port when a "#tls-auth-name" is configured.
* @param str: the string
* @param addr: where to store sockaddr.
* @param addrlen: length of stored sockaddr is returned.
* @param auth_name: returned pointer to tls_auth_name, or NULL if none.
* @return 0 on error.
*/
int authextstrtoaddr(char* str, struct sockaddr_storage* addr,
int authextstrtoaddr(char* str, struct sockaddr_storage* addr,
socklen_t* addrlen, char** auth_name);
/**
* Convert domain string, with "@port" appendix, to dname.
* It can also have an "#tls-auth-name" appendix (after the port).
* The return port is the parsed port.
* Uses DNS port by default; TLS port when a "#tls-auth-name" is configured.
* The returned auth_name string is a pointer into the input string.
* @param str: the string
* @param port: pointer to be assigned the parsed port value.
* @param auth_name: returned pointer to tls_auth_name, or NULL if none.
* @return pointer to the dname.
*/
uint8_t* authextstrtodname(char* str, int* port, char** auth_name);
/**
* Store port number into sockaddr structure
* @param addr: sockaddr structure, ip4 or ip6.

2
contrib/unbound/util/netevent.c
View file

@ -1146,6 +1146,8 @@ reclaim_tcp_handler(struct comm_point* c)
}
c->tcp_more_read_again = NULL;
c->tcp_more_write_again = NULL;
c->tcp_byte_count = 0;
sldns_buffer_clear(c->buffer);
}
/** do the callback when writing is done */

8
contrib/unbound/validator/val_utils.c
View file

@ -767,15 +767,15 @@ val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset)
sldns_lookup_table *lt;
char herr[64], aerr[64];
lt = sldns_lookup_by_id(sldns_hashes,
(int)ds_get_digest_algo(ds_rrset, i));
(int)ds_get_digest_algo(ds_rrset, 0));
if(lt) snprintf(herr, sizeof(herr), "%s", lt->name);
else snprintf(herr, sizeof(herr), "%d",
(int)ds_get_digest_algo(ds_rrset, i));
(int)ds_get_digest_algo(ds_rrset, 0));
lt = sldns_lookup_by_id(sldns_algorithms,
(int)ds_get_key_algo(ds_rrset, i));
(int)ds_get_key_algo(ds_rrset, 0));
if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name);
else snprintf(aerr, sizeof(aerr), "%d",
(int)ds_get_key_algo(ds_rrset, i));
(int)ds_get_key_algo(ds_rrset, 0));
verbose(VERB_ALGO, "DS unsupported, hash %s %s, "
"key algorithm %s %s", herr,
(ds_digest_algo_is_supported(ds_rrset, 0)?