unbound: Vendor import 1.19.3
Release notes at https://www.nlnetlabs.nl/news/2024/Mar/14/unbound-1.19.3-released/ MFC after: 1 week Merge commit '5a33598e88ad8fbc0affa74dee0a2d8cc4010fbc' into main
commit
b7c0c8c18e
|
@ -2,7 +2,10 @@
|
|||
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
|
||||
# BSD licensed.
|
||||
#
|
||||
# Version 46
|
||||
# Version 48
|
||||
# 2024-01-16 fix to add -l:libssp.a to -lcrypto link check.
|
||||
# and check for getaddrinfo with only header.
|
||||
# 2024-01-15 fix to add crypt32 to -lcrypto link check when checking for gdi32.
|
||||
# 2023-05-04 fix to remove unused whitespace.
|
||||
# 2023-01-26 fix -Wstrict-prototypes.
|
||||
# 2022-09-01 fix checking if nonblocking sockets work on OpenBSD.
|
||||
|
@ -707,7 +710,7 @@ AC_DEFUN([ACX_SSL_CHECKS], [
|
|||
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib"
|
||||
ACX_RUNTIME_PATH_ADD([$ssldir_lib])
|
||||
fi
|
||||
|
||||
|
||||
AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])
|
||||
LIBS="$LIBS -lcrypto"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
|
||||
|
@ -732,40 +735,73 @@ AC_DEFUN([ACX_SSL_CHECKS], [
|
|||
]])],[
|
||||
AC_DEFINE([HAVE_EVP_SHA256], 1,
|
||||
[If you have EVP_sha256])
|
||||
AC_MSG_RESULT(yes)
|
||||
AC_MSG_RESULT(yes)
|
||||
],[
|
||||
AC_MSG_RESULT(no)
|
||||
LIBS="$BAKLIBS"
|
||||
LIBSSL_LIBS="$BAKSSLLIBS"
|
||||
LIBS="$LIBS -ldl"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
|
||||
AC_MSG_CHECKING([if -lcrypto needs -ldl])
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
|
||||
int EVP_sha256(void);
|
||||
(void)EVP_sha256();
|
||||
]])],[
|
||||
AC_DEFINE([HAVE_EVP_SHA256], 1,
|
||||
[If you have EVP_sha256])
|
||||
AC_MSG_RESULT(yes)
|
||||
],[
|
||||
AC_MSG_RESULT(no)
|
||||
LIBS="$BAKLIBS"
|
||||
LIBSSL_LIBS="$BAKSSLLIBS"
|
||||
LIBS="$LIBS -ldl -pthread"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
|
||||
AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread])
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
|
||||
int EVP_sha256(void);
|
||||
(void)EVP_sha256();
|
||||
]])],[
|
||||
AC_DEFINE([HAVE_EVP_SHA256], 1,
|
||||
[If you have EVP_sha256])
|
||||
AC_MSG_RESULT(yes)
|
||||
],[
|
||||
AC_MSG_RESULT(no)
|
||||
AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
|
||||
|
||||
LIBS="$LIBS -lgdi32 -lws2_32 -lcrypt32"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32 -lcrypt32"
|
||||
AC_MSG_CHECKING([if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32])
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
|
||||
int EVP_sha256(void);
|
||||
(void)EVP_sha256();
|
||||
]])],[
|
||||
AC_DEFINE([HAVE_EVP_SHA256], 1,
|
||||
[If you have EVP_sha256])
|
||||
AC_MSG_RESULT(yes)
|
||||
],[
|
||||
AC_MSG_RESULT(no)
|
||||
LIBS="$BAKLIBS"
|
||||
LIBSSL_LIBS="$BAKSSLLIBS"
|
||||
|
||||
LIBS="$LIBS -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a"
|
||||
AC_MSG_CHECKING([if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a])
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
|
||||
int EVP_sha256(void);
|
||||
(void)EVP_sha256();
|
||||
]])],[
|
||||
AC_DEFINE([HAVE_EVP_SHA256], 1,
|
||||
[If you have EVP_sha256])
|
||||
AC_MSG_RESULT(yes)
|
||||
],[
|
||||
AC_MSG_RESULT(no)
|
||||
LIBS="$BAKLIBS"
|
||||
LIBSSL_LIBS="$BAKSSLLIBS"
|
||||
|
||||
LIBS="$LIBS -ldl"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
|
||||
AC_MSG_CHECKING([if -lcrypto needs -ldl])
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
|
||||
int EVP_sha256(void);
|
||||
(void)EVP_sha256();
|
||||
]])],[
|
||||
AC_DEFINE([HAVE_EVP_SHA256], 1,
|
||||
[If you have EVP_sha256])
|
||||
AC_MSG_RESULT(yes)
|
||||
],[
|
||||
AC_MSG_RESULT(no)
|
||||
LIBS="$BAKLIBS"
|
||||
LIBSSL_LIBS="$BAKSSLLIBS"
|
||||
LIBS="$LIBS -ldl -pthread"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
|
||||
AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread])
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
|
||||
int EVP_sha256(void);
|
||||
(void)EVP_sha256();
|
||||
]])],[
|
||||
AC_DEFINE([HAVE_EVP_SHA256], 1,
|
||||
[If you have EVP_sha256])
|
||||
AC_MSG_RESULT(yes)
|
||||
],[
|
||||
AC_MSG_RESULT(no)
|
||||
AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
|
||||
])
|
||||
])
|
||||
])
|
||||
])
|
||||
])
|
||||
])
|
||||
])
|
||||
fi
|
||||
|
@ -779,7 +815,7 @@ AC_CHECK_HEADERS([openssl/rand.h],,, [AC_INCLUDES_DEFAULT])
|
|||
|
||||
dnl Check for SSL, where SSL is mandatory
|
||||
dnl Adds --with-ssl option, searches for openssl and defines HAVE_SSL if found
|
||||
dnl Setup of CPPFLAGS, CFLAGS. Adds -lcrypto to LIBS.
|
||||
dnl Setup of CPPFLAGS, CFLAGS. Adds -lcrypto to LIBS.
|
||||
dnl Checks main header files of SSL.
|
||||
dnl
|
||||
AC_DEFUN([ACX_WITH_SSL],
|
||||
|
@ -872,7 +908,7 @@ dnl see if on windows
|
|||
if test "$ac_cv_header_windows_h" = "yes"; then
|
||||
AC_DEFINE(USE_WINSOCK, 1, [Whether the windows socket API is used])
|
||||
USE_WINSOCK="1"
|
||||
if echo $LIBS | grep 'lws2_32' >/dev/null; then
|
||||
if echo "$LIBS" | grep 'lws2_32' >/dev/null; then
|
||||
:
|
||||
else
|
||||
LIBS="$LIBS -lws2_32"
|
||||
|
@ -880,6 +916,24 @@ if test "$ac_cv_header_windows_h" = "yes"; then
|
|||
fi
|
||||
],
|
||||
dnl no quick getaddrinfo, try mingw32 and winsock2 library.
|
||||
dnl perhaps getaddrinfo needs only the include
|
||||
AC_LINK_IFELSE(
|
||||
[AC_LANG_PROGRAM(
|
||||
[
|
||||
#ifdef HAVE_WS2TCPIP_H
|
||||
#include <ws2tcpip.h>
|
||||
#endif
|
||||
],
|
||||
[
|
||||
(void)getaddrinfo(NULL, NULL, NULL, NULL);
|
||||
]
|
||||
)],
|
||||
[
|
||||
ac_cv_func_getaddrinfo="yes"
|
||||
AC_DEFINE(USE_WINSOCK, 1, [Whether the windows socket API is used])
|
||||
USE_WINSOCK="1"
|
||||
],
|
||||
|
||||
ORIGLIBS="$LIBS"
|
||||
LIBS="$LIBS -lws2_32"
|
||||
AC_LINK_IFELSE(
|
||||
|
@ -904,6 +958,7 @@ ac_cv_func_getaddrinfo="no"
|
|||
LIBS="$ORIGLIBS"
|
||||
])
|
||||
)
|
||||
)
|
||||
|
||||
AC_MSG_RESULT($ac_cv_func_getaddrinfo)
|
||||
if test $ac_cv_func_getaddrinfo = yes; then
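Review bot: In the ACX_SSL_CHECKS hunk, the closing `AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])` is reached only after every fallback link attempt for EVP_sha256 has failed, so a missing helper library is reported as an OpenSSL version problem. This matters more now that the chain also tries `-lcrypt32` and `-l:libssp.a`, where `-l:libssp.a` depends on the linker accepting the `-l:` form. A message that names the failed link check and points at config.log would be easier to diagnose, for example `AC_MSG_ERROR([could not link EVP_sha256 from -lcrypto in $ssldir, see config.log])`. The macro body starts and ends outside the hunk.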
|
||||
|
|
350
contrib/unbound/configure
vendored
350
contrib/unbound/configure
vendored
|
@ -1,6 +1,6 @@
|
|||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.19.1.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.19.3.
|
||||
#
|
||||
# Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
|
||||
#
|
||||
|
@ -591,8 +591,8 @@ MAKEFLAGS=
|
|||
# Identity of this package.
|
||||
PACKAGE_NAME='unbound'
|
||||
PACKAGE_TARNAME='unbound'
|
||||
PACKAGE_VERSION='1.19.1'
|
||||
PACKAGE_STRING='unbound 1.19.1'
|
||||
PACKAGE_VERSION='1.19.3'
|
||||
PACKAGE_STRING='unbound 1.19.3'
|
||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
|
||||
PACKAGE_URL=''
|
||||
|
||||
|
@ -655,6 +655,8 @@ DNSTAP_SOCKET_TESTBIN
|
|||
DNSTAP_SOCKET_PATH
|
||||
opt_dnstap_socket_path
|
||||
ENABLE_DNSTAP
|
||||
PROTOBUFC_LIBS
|
||||
PROTOBUFC_CFLAGS
|
||||
PROTOC_C
|
||||
UBSYMS
|
||||
EXTRALINK
|
||||
|
@ -926,7 +928,9 @@ SYSTEMD_CFLAGS
|
|||
SYSTEMD_LIBS
|
||||
SYSTEMD_DAEMON_CFLAGS
|
||||
SYSTEMD_DAEMON_LIBS
|
||||
PYTHON_VERSION'
|
||||
PYTHON_VERSION
|
||||
PROTOBUFC_CFLAGS
|
||||
PROTOBUFC_LIBS'
|
||||
|
||||
|
||||
# Initialize some variables set by options.
|
||||
|
@ -1477,7 +1481,7 @@ if test "$ac_init_help" = "long"; then
|
|||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures unbound 1.19.1 to adapt to many kinds of systems.
|
||||
\`configure' configures unbound 1.19.3 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
|
@ -1543,7 +1547,7 @@ fi
|
|||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of unbound 1.19.1:";;
|
||||
short | recursive ) echo "Configuration of unbound 1.19.3:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
|
@ -1718,6 +1722,10 @@ Some influential environment variables:
|
|||
The installed Python version to use, for example '2.3'. This
|
||||
string will be appended to the Python interpreter canonical
|
||||
name.
|
||||
PROTOBUFC_CFLAGS
|
||||
C compiler flags for PROTOBUFC, overriding pkg-config
|
||||
PROTOBUFC_LIBS
|
||||
linker flags for PROTOBUFC, overriding pkg-config
|
||||
|
||||
Use these variables to override the choices made by `configure' or to help
|
||||
it to find libraries and programs with nonstandard names/locations.
|
||||
|
@ -1785,7 +1793,7 @@ fi
|
|||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
unbound configure 1.19.1
|
||||
unbound configure 1.19.3
|
||||
generated by GNU Autoconf 2.69
|
||||
|
||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
|
@ -2494,7 +2502,7 @@ cat >config.log <<_ACEOF
|
|||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by unbound $as_me 1.19.1, which was
|
||||
It was created by unbound $as_me 1.19.3, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
|
@ -2846,11 +2854,11 @@ UNBOUND_VERSION_MAJOR=1
|
|||
|
||||
UNBOUND_VERSION_MINOR=19
|
||||
|
||||
UNBOUND_VERSION_MICRO=1
|
||||
UNBOUND_VERSION_MICRO=3
|
||||
|
||||
|
||||
LIBUNBOUND_CURRENT=9
|
||||
LIBUNBOUND_REVISION=24
|
||||
LIBUNBOUND_REVISION=26
|
||||
LIBUNBOUND_AGE=1
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
|
@ -2942,6 +2950,8 @@ LIBUNBOUND_AGE=1
|
|||
# 1.18.0 had 9:22:1
|
||||
# 1.19.0 had 9:23:1
|
||||
# 1.19.1 had 9:24:1
|
||||
# 1.19.2 had 9:25:1
|
||||
# 1.19.3 had 9:26:1
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
|
@ -14416,7 +14426,7 @@ CC=$lt_save_CC
|
|||
|
||||
|
||||
# pkg-config is only needed for these options, do not require it otherwise
|
||||
if test "$enable_systemd" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
|
||||
if test "$enable_systemd" = "yes" -o "$enable_dnstap" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
|
||||
|
||||
|
||||
|
||||
|
@ -18104,19 +18114,86 @@ else
|
|||
$as_echo "no" >&6; }
|
||||
LIBS="$BAKLIBS"
|
||||
LIBSSL_LIBS="$BAKSSLLIBS"
|
||||
LIBS="$LIBS -ldl"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl" >&5
|
||||
|
||||
LIBS="$LIBS -lgdi32 -lws2_32 -lcrypt32"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32 -lcrypt32"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32" >&5
|
||||
$as_echo_n "checking if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32... " >&6; }
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
int
|
||||
main ()
|
||||
{
|
||||
|
||||
int EVP_sha256(void);
|
||||
(void)EVP_sha256();
|
||||
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
|
||||
|
||||
$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
|
||||
else
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
LIBS="$BAKLIBS"
|
||||
LIBSSL_LIBS="$BAKSSLLIBS"
|
||||
|
||||
LIBS="$LIBS -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a" >&5
|
||||
$as_echo_n "checking if -lcrypto needs -lgdi32 -lws2_32 -lcrypt32 -l:libssp.a... " >&6; }
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
int
|
||||
main ()
|
||||
{
|
||||
|
||||
int EVP_sha256(void);
|
||||
(void)EVP_sha256();
|
||||
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
|
||||
|
||||
$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
|
||||
else
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
LIBS="$BAKLIBS"
|
||||
LIBSSL_LIBS="$BAKSSLLIBS"
|
||||
|
||||
LIBS="$LIBS -ldl"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl" >&5
|
||||
$as_echo_n "checking if -lcrypto needs -ldl... " >&6; }
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
int
|
||||
main ()
|
||||
{
|
||||
|
||||
int EVP_sha256(void);
|
||||
(void)EVP_sha256();
|
||||
int EVP_sha256(void);
|
||||
(void)EVP_sha256();
|
||||
|
||||
;
|
||||
return 0;
|
||||
|
@ -18127,28 +18204,28 @@ if ac_fn_c_try_link "$LINENO"; then :
|
|||
|
||||
$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
|
||||
else
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
LIBS="$BAKLIBS"
|
||||
LIBSSL_LIBS="$BAKSSLLIBS"
|
||||
LIBS="$LIBS -ldl -pthread"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl -pthread" >&5
|
||||
LIBS="$BAKLIBS"
|
||||
LIBSSL_LIBS="$BAKSSLLIBS"
|
||||
LIBS="$LIBS -ldl -pthread"
|
||||
LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -lcrypto needs -ldl -pthread" >&5
|
||||
$as_echo_n "checking if -lcrypto needs -ldl -pthread... " >&6; }
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
int
|
||||
main ()
|
||||
{
|
||||
|
||||
int EVP_sha256(void);
|
||||
(void)EVP_sha256();
|
||||
int EVP_sha256(void);
|
||||
(void)EVP_sha256();
|
||||
|
||||
;
|
||||
return 0;
|
||||
|
@ -18159,14 +18236,22 @@ if ac_fn_c_try_link "$LINENO"; then :
|
|||
|
||||
$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
|
||||
else
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
as_fn_error $? "OpenSSL found in $ssldir, but version 0.9.7 or higher is required" "$LINENO" 5
|
||||
as_fn_error $? "OpenSSL found in $ssldir, but version 0.9.7 or higher is required" "$LINENO" 5
|
||||
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
|
@ -19847,7 +19932,7 @@ if test x_$enable_static_exe = x_yes; then
|
|||
if test "$on_mingw" = yes; then
|
||||
staticexe="-all-static"
|
||||
# for static compile, include gdi32 and zlib here.
|
||||
if echo $LIBS | grep 'lgdi32' >/dev/null; then
|
||||
if echo "$LIBS" | grep 'lgdi32' >/dev/null; then
|
||||
:
|
||||
else
|
||||
LIBS="$LIBS -lgdi32"
|
||||
|
@ -19892,7 +19977,11 @@ if test "x$ac_cv_lib_z_compress" = xyes; then :
|
|||
LIBS="$LIBS -lz"
|
||||
fi
|
||||
|
||||
LIBS="$LIBS -l:libssp.a"
|
||||
if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
|
||||
:
|
||||
else
|
||||
LIBS="$LIBS -l:libssp.a"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -19951,7 +20040,11 @@ if test "x$ac_cv_lib_z_compress" = xyes; then :
|
|||
LIBS="$LIBS -lz"
|
||||
fi
|
||||
|
||||
LIBS="$LIBS -l:libssp.a"
|
||||
if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
|
||||
:
|
||||
else
|
||||
LIBS="$LIBS -l:libssp.a"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -19998,13 +20091,40 @@ if test "$ac_cv_header_windows_h" = "yes"; then
|
|||
$as_echo "#define USE_WINSOCK 1" >>confdefs.h
|
||||
|
||||
USE_WINSOCK="1"
|
||||
if echo $LIBS | grep 'lws2_32' >/dev/null; then
|
||||
if echo "$LIBS" | grep 'lws2_32' >/dev/null; then
|
||||
:
|
||||
else
|
||||
LIBS="$LIBS -lws2_32"
|
||||
fi
|
||||
fi
|
||||
|
||||
else
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
#ifdef HAVE_WS2TCPIP_H
|
||||
#include <ws2tcpip.h>
|
||||
#endif
|
||||
|
||||
int
|
||||
main ()
|
||||
{
|
||||
|
||||
(void)getaddrinfo(NULL, NULL, NULL, NULL);
|
||||
|
||||
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
|
||||
ac_cv_func_getaddrinfo="yes"
|
||||
|
||||
$as_echo "#define USE_WINSOCK 1" >>confdefs.h
|
||||
|
||||
USE_WINSOCK="1"
|
||||
|
||||
else
|
||||
ORIGLIBS="$LIBS"
|
||||
LIBS="$LIBS -lws2_32"
|
||||
|
@ -20047,6 +20167,10 @@ fi
|
|||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_getaddrinfo" >&5
|
||||
$as_echo "$ac_cv_func_getaddrinfo" >&6; }
|
||||
if test $ac_cv_func_getaddrinfo = yes; then
|
||||
|
@ -20166,7 +20290,11 @@ else
|
|||
WINDRES="$ac_cv_prog_WINDRES"
|
||||
fi
|
||||
|
||||
LIBS="$LIBS -liphlpapi -lcrypt32"
|
||||
if echo "$LIBS" | grep crypt32 >/dev/null; then
|
||||
LIBS="$LIBS -liphlpapi"
|
||||
else
|
||||
LIBS="$LIBS -liphlpapi -lcrypt32"
|
||||
fi
|
||||
WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe"
|
||||
|
||||
WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c"
|
||||
|
@ -21199,7 +21327,7 @@ fi
|
|||
|
||||
# check for dnstap if requested
|
||||
|
||||
# Check whether --enable-dnstap was given.
|
||||
# Check whether --enable-dnstap was given.
|
||||
if test "${enable_dnstap+set}" = set; then :
|
||||
enableval=$enable_dnstap; opt_dnstap=$enableval
|
||||
else
|
||||
|
@ -21216,8 +21344,8 @@ else
|
|||
fi
|
||||
|
||||
|
||||
if test "x$opt_dnstap" != "xno"; then
|
||||
# Extract the first word of "protoc-c", so it can be a program name with args.
|
||||
if test "x$opt_dnstap" != "xno"; then
|
||||
# Extract the first word of "protoc-c", so it can be a program name with args.
|
||||
set dummy protoc-c; ac_word=$2
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
$as_echo_n "checking for $ac_word... " >&6; }
|
||||
|
@ -21257,36 +21385,132 @@ $as_echo "no" >&6; }
|
|||
fi
|
||||
|
||||
|
||||
if test -z "$PROTOC_C"; then
|
||||
as_fn_error $? "The protoc-c program was not found. Please install protobuf-c!" "$LINENO" 5
|
||||
fi
|
||||
if test -z "$PROTOC_C"; then
|
||||
as_fn_error $? "The protoc-c program was not found. Please install protobuf-c!" "$LINENO" 5
|
||||
fi
|
||||
|
||||
# Check whether --with-protobuf-c was given.
|
||||
if test "${with_protobuf_c+set}" = set; then :
|
||||
withval=$with_protobuf_c;
|
||||
# workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
|
||||
if test -f $withval/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I$withval/include/google"
|
||||
else
|
||||
CFLAGS="$CFLAGS -I$withval/include"
|
||||
fi
|
||||
LDFLAGS="$LDFLAGS -L$withval/lib"
|
||||
# workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
|
||||
if test -f $withval/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I$withval/include/google"
|
||||
else
|
||||
CFLAGS="$CFLAGS -I$withval/include"
|
||||
fi
|
||||
LDFLAGS="$LDFLAGS -L$withval/lib"
|
||||
|
||||
else
|
||||
|
||||
# workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
|
||||
if test -f /usr/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I/usr/include/google"
|
||||
else
|
||||
if test -f /usr/local/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I/usr/local/include/google"
|
||||
LDFLAGS="$LDFLAGS -L/usr/local/lib"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
pkg_failed=no
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PROTOBUFC" >&5
|
||||
$as_echo_n "checking for PROTOBUFC... " >&6; }
|
||||
|
||||
if test -n "$PROTOBUFC_CFLAGS"; then
|
||||
pkg_cv_PROTOBUFC_CFLAGS="$PROTOBUFC_CFLAGS"
|
||||
elif test -n "$PKG_CONFIG"; then
|
||||
if test -n "$PKG_CONFIG" && \
|
||||
{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libprotobuf-c\""; } >&5
|
||||
($PKG_CONFIG --exists --print-errors "libprotobuf-c") 2>&5
|
||||
ac_status=$?
|
||||
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
|
||||
test $ac_status = 0; }; then
|
||||
pkg_cv_PROTOBUFC_CFLAGS=`$PKG_CONFIG --cflags "libprotobuf-c" 2>/dev/null`
|
||||
test "x$?" != "x0" && pkg_failed=yes
|
||||
else
|
||||
pkg_failed=yes
|
||||
fi
|
||||
else
|
||||
pkg_failed=untried
|
||||
fi
|
||||
if test -n "$PROTOBUFC_LIBS"; then
|
||||
pkg_cv_PROTOBUFC_LIBS="$PROTOBUFC_LIBS"
|
||||
elif test -n "$PKG_CONFIG"; then
|
||||
if test -n "$PKG_CONFIG" && \
|
||||
{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libprotobuf-c\""; } >&5
|
||||
($PKG_CONFIG --exists --print-errors "libprotobuf-c") 2>&5
|
||||
ac_status=$?
|
||||
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
|
||||
test $ac_status = 0; }; then
|
||||
pkg_cv_PROTOBUFC_LIBS=`$PKG_CONFIG --libs "libprotobuf-c" 2>/dev/null`
|
||||
test "x$?" != "x0" && pkg_failed=yes
|
||||
else
|
||||
pkg_failed=yes
|
||||
fi
|
||||
else
|
||||
pkg_failed=untried
|
||||
fi
|
||||
|
||||
|
||||
|
||||
if test $pkg_failed = yes; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
|
||||
if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
|
||||
_pkg_short_errors_supported=yes
|
||||
else
|
||||
_pkg_short_errors_supported=no
|
||||
fi
|
||||
if test $_pkg_short_errors_supported = yes; then
|
||||
PROTOBUFC_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libprotobuf-c" 2>&1`
|
||||
else
|
||||
PROTOBUFC_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libprotobuf-c" 2>&1`
|
||||
fi
|
||||
# Put the nasty error message in config.log where it belongs
|
||||
echo "$PROTOBUFC_PKG_ERRORS" >&5
|
||||
|
||||
|
||||
# pkg-config failed; try falling back to known values
|
||||
# workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
|
||||
if test -f /usr/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I/usr/include/google"
|
||||
else
|
||||
if test -f /usr/local/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I/usr/local/include/google"
|
||||
LDFLAGS="$LDFLAGS -L/usr/local/lib"
|
||||
else
|
||||
as_fn_error $? "The protobuf-c package was not found with pkg-config. Please install protobuf-c!" "$LINENO" 5
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
elif test $pkg_failed = untried; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
|
||||
# pkg-config failed; try falling back to known values
|
||||
# workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
|
||||
if test -f /usr/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I/usr/include/google"
|
||||
else
|
||||
if test -f /usr/local/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I/usr/local/include/google"
|
||||
LDFLAGS="$LDFLAGS -L/usr/local/lib"
|
||||
else
|
||||
as_fn_error $? "The protobuf-c package was not found with pkg-config. Please install protobuf-c!" "$LINENO" 5
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
else
|
||||
PROTOBUFC_CFLAGS=$pkg_cv_PROTOBUFC_CFLAGS
|
||||
PROTOBUFC_LIBS=$pkg_cv_PROTOBUFC_LIBS
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
|
||||
CFLAGS="$CFLAGS $PROTOBUFC_CFLAGS"
|
||||
LIBS="$LIBS $PROTOBUFC_LIBS"
|
||||
|
||||
fi
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing protobuf_c_message_pack" >&5
|
||||
|
||||
|
||||
fi
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing protobuf_c_message_pack" >&5
|
||||
$as_echo_n "checking for library containing protobuf_c_message_pack... " >&6; }
|
||||
if ${ac_cv_search_protobuf_c_message_pack+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
|
@ -21368,13 +21592,13 @@ _ACEOF
|
|||
DNSTAP_OBJ="dnstap.lo dnstap.pb-c.lo dnstap_fstrm.lo dtstream.lo"
|
||||
|
||||
|
||||
else
|
||||
else
|
||||
|
||||
ENABLE_DNSTAP=0
|
||||
|
||||
|
||||
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
# check for dnscrypt if requested
|
||||
|
@ -21895,7 +22119,7 @@ _ACEOF
|
|||
|
||||
|
||||
|
||||
version=1.19.1
|
||||
version=1.19.3
|
||||
|
||||
date=`date +'%b %e, %Y'`
|
||||
|
||||
|
@ -22414,7 +22638,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
|||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by unbound $as_me 1.19.1, which was
|
||||
This file was extended by unbound $as_me 1.19.3, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
|
@ -22480,7 +22704,7 @@ _ACEOF
|
|||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||
ac_cs_version="\\
|
||||
unbound config.status 1.19.1
|
||||
unbound config.status 1.19.3
|
||||
configured by $0, generated by GNU Autoconf 2.69,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
|
|
@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
|
|||
# must be numbers. ac_defun because of later processing
|
||||
m4_define([VERSION_MAJOR],[1])
|
||||
m4_define([VERSION_MINOR],[19])
|
||||
m4_define([VERSION_MICRO],[1])
|
||||
m4_define([VERSION_MICRO],[3])
|
||||
AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
|
||||
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
|
||||
|
||||
LIBUNBOUND_CURRENT=9
|
||||
LIBUNBOUND_REVISION=24
|
||||
LIBUNBOUND_REVISION=26
|
||||
LIBUNBOUND_AGE=1
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
|
@ -110,6 +110,8 @@ LIBUNBOUND_AGE=1
|
|||
# 1.18.0 had 9:22:1
|
||||
# 1.19.0 had 9:23:1
|
||||
# 1.19.1 had 9:24:1
|
||||
# 1.19.2 had 9:25:1
|
||||
# 1.19.3 had 9:26:1
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
|
@ -407,7 +409,7 @@ AC_CHECK_TOOL(STRIP, strip)
|
|||
ACX_LIBTOOL_C_ONLY
|
||||
|
||||
# pkg-config is only needed for these options, do not require it otherwise
|
||||
if test "$enable_systemd" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
|
||||
if test "$enable_systemd" = "yes" -o "$enable_dnstap" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
|
||||
PKG_PROG_PKG_CONFIG
|
||||
fi
|
||||
|
||||
|
@ -1526,13 +1528,17 @@ if test x_$enable_static_exe = x_yes; then
|
|||
if test "$on_mingw" = yes; then
|
||||
staticexe="-all-static"
|
||||
# for static compile, include gdi32 and zlib here.
|
||||
if echo $LIBS | grep 'lgdi32' >/dev/null; then
|
||||
if echo "$LIBS" | grep 'lgdi32' >/dev/null; then
|
||||
:
|
||||
else
|
||||
LIBS="$LIBS -lgdi32"
|
||||
fi
|
||||
AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ])
|
||||
LIBS="$LIBS -l:libssp.a"
|
||||
if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
|
||||
:
|
||||
else
|
||||
LIBS="$LIBS -l:libssp.a"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -1549,7 +1555,11 @@ if test x_$enable_fully_static = x_yes; then
|
|||
LIBS="$LIBS -lgdi32"
|
||||
fi
|
||||
AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ])
|
||||
LIBS="$LIBS -l:libssp.a"
|
||||
if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
|
||||
:
|
||||
else
|
||||
LIBS="$LIBS -l:libssp.a"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -1569,7 +1579,11 @@ if test "$USE_WINSOCK" = 1; then
|
|||
#include <windows.h>
|
||||
])
|
||||
AC_CHECK_TOOL(WINDRES, windres)
|
||||
LIBS="$LIBS -liphlpapi -lcrypt32"
|
||||
if echo "$LIBS" | grep crypt32 >/dev/null; then
|
||||
LIBS="$LIBS -liphlpapi"
|
||||
else
|
||||
LIBS="$LIBS -liphlpapi -lcrypt32"
|
||||
fi
|
||||
WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe"
|
||||
AC_SUBST(WINAPPS)
|
||||
WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c"
|
||||
|
|
|
@ -553,7 +553,7 @@ ssl_print_text(RES* res, const char* text)
|
|||
static int
|
||||
ssl_print_vmsg(RES* ssl, const char* format, va_list args)
|
||||
{
|
||||
char msg[1024];
|
||||
char msg[65535];
|
||||
vsnprintf(msg, sizeof(msg), format, args);
|
||||
return ssl_print_text(ssl, msg);
|
||||
}
|
||||
|
@ -3181,10 +3181,10 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd,
|
|||
do_flush_bogus(ssl, worker);
|
||||
} else if(cmdcmp(p, "flush_negative", 14)) {
|
||||
do_flush_negative(ssl, worker);
|
||||
} else if(cmdcmp(p, "rpz_enable", 10)) {
|
||||
do_rpz_enable(ssl, worker, skipwhite(p+10));
|
||||
} else if(cmdcmp(p, "rpz_disable", 11)) {
|
||||
do_rpz_disable(ssl, worker, skipwhite(p+11));
|
||||
} else if(cmdcmp(p, "rpz_enable", 10)) {
|
||||
do_rpz_enable(ssl, worker, skipwhite(p+10));
|
||||
} else if(cmdcmp(p, "rpz_disable", 11)) {
|
||||
do_rpz_disable(ssl, worker, skipwhite(p+11));
|
||||
} else {
|
||||
(void)ssl_printf(ssl, "error unknown command '%s'\n", p);
|
||||
}
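Review bot: In `ssl_print_vmsg` the enlarged `char msg[65535];` places roughly 64 KiB on the stack for every formatted remote-control reply, and the `vsnprintf` return value is still ignored, so a longer message is truncated with no signal to the caller or the log. If replies this large are expected, a heap buffer sized from the `vsnprintf` return value would avoid both the fixed cap and the large frame. At minimum, truncation should be detected with `int n = vsnprintf(msg, sizeof(msg), format, args);` and `if(n < 0 || (size_t)n >= sizeof(msg)) { /* report truncation */ }`. Whether the calling thread's stack has room for this frame is not visible from the hunk and should be confirmed.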
|
||||
|
|
|
@ -1151,7 +1151,7 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
|
|||
log_assert(sldns_buffer_limit(c->buffer) >= LDNS_HEADER_SIZE
|
||||
&& LDNS_QDCOUNT(sldns_buffer_begin(c->buffer)) == 1);
|
||||
|
||||
sldns_buffer_skip(c->buffer, LDNS_HEADER_SIZE); /* skip header */
|
||||
sldns_buffer_set_position(c->buffer, LDNS_HEADER_SIZE); /* skip header */
|
||||
|
||||
/* check additional section is present and that we respond with EDEs */
|
||||
if(LDNS_ARCOUNT(sldns_buffer_begin(c->buffer)) != 1
|
||||
|
@ -1163,6 +1163,7 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
|
|||
LDNS_QR_SET(sldns_buffer_begin(c->buffer));
|
||||
LDNS_RCODE_SET(sldns_buffer_begin(c->buffer),
|
||||
LDNS_RCODE_REFUSED);
|
||||
sldns_buffer_set_position(c->buffer, LDNS_HEADER_SIZE);
|
||||
sldns_buffer_flip(c->buffer);
|
||||
return 1;
|
||||
}
|
||||
|
@ -1326,15 +1327,6 @@ deny_refuse_non_local(struct comm_point* c, enum acl_access acl,
|
|||
worker, repinfo, acladdr, ede, check_result);
|
||||
}
|
||||
|
||||
/* Returns 1 if the ip rate limit check can happen before EDNS parsing,
|
||||
* else 0 */
|
||||
static int
|
||||
pre_edns_ip_ratelimit_check(enum acl_access acl)
|
||||
{
|
||||
if(acl == acl_allow_cookie) return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Check if the query is blocked by source IP rate limiting.
|
||||
* Returns 1 if it passes the check, 0 otherwise. */
|
||||
static int
|
||||
|
@ -1463,7 +1455,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
|||
if(worker->dtenv.log_client_query_messages) {
|
||||
log_addr(VERB_ALGO, "request from client", &repinfo->client_addr, repinfo->client_addrlen);
|
||||
log_addr(VERB_ALGO, "to local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
|
||||
dt_msg_send_client_query(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer,
|
||||
dt_msg_send_client_query(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->ssl, c->buffer,
|
||||
((worker->env.cfg->sock_queue_timeout && timeval_isset(&c->recv_tv))?&c->recv_tv:NULL));
|
||||
}
|
||||
#endif
|
||||
|
@ -1498,7 +1490,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
|||
}
|
||||
|
||||
worker->stats.num_queries++;
|
||||
pre_edns_ip_ratelimit = pre_edns_ip_ratelimit_check(acl);
|
||||
pre_edns_ip_ratelimit = !worker->env.cfg->do_answer_cookie
|
||||
|| sldns_buffer_limit(c->buffer) < LDNS_HEADER_SIZE
|
||||
|| LDNS_ARCOUNT(sldns_buffer_begin(c->buffer)) == 0;
|
||||
|
||||
/* If the IP rate limiting check needs extra EDNS information (e.g.,
|
||||
* DNS Cookies) postpone the check until after EDNS is parsed. */
|
||||
|
@ -1952,7 +1946,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
|||
if(worker->dtenv.log_client_response_messages) {
|
||||
log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
|
||||
log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen);
|
||||
dt_msg_send_client_response(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer);
|
||||
dt_msg_send_client_response(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->ssl, c->buffer);
|
||||
}
|
||||
#endif
|
||||
if(worker->env.cfg->log_replies)
|
||||
|
@ -1966,11 +1960,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
|||
qinfo.qname = qinfo.local_alias->rrset->rk.dname;
|
||||
log_reply_info(NO_VERBOSE, &qinfo,
|
||||
&repinfo->client_addr, repinfo->client_addrlen,
|
||||
tv, 1, c->buffer);
|
||||
tv, 1, c->buffer,
|
||||
(worker->env.cfg->log_destaddr?(void*)repinfo->c->socket->addr->ai_addr:NULL),
|
||||
c->type);
|
||||
} else {
|
||||
log_reply_info(NO_VERBOSE, &qinfo,
|
||||
&repinfo->client_addr, repinfo->client_addrlen,
|
||||
tv, 1, c->buffer);
|
||||
tv, 1, c->buffer,
|
||||
(worker->env.cfg->log_destaddr?(void*)repinfo->c->socket->addr->ai_addr:NULL),
|
||||
c->type);
|
||||
}
|
||||
}
|
||||
#ifdef USE_DNSCRYPT
|
||||
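Review bot: In worker_handle_request the new `pre_edns_ip_ratelimit` assignment is driven by ARCOUNT, a header field the client sets, and nothing at the assignment says so. With answer-cookie enabled, any sender can put a nonzero count there and move the IP rate-limit check behind EDNS parsing, so the deferred path has to apply the limit on every exit, including a failed EDNS parse; that code lies outside this hunk and should be confirmed. The `sldns_buffer_limit(c->buffer) < LDNS_HEADER_SIZE` test also has to stay ahead of `LDNS_ARCOUNT(...)`, because the short-circuit is what keeps the header read inside the buffer. I would add above the assignment: `/* ARCOUNT is client-controlled: a nonzero value only defers the ip ratelimit check until the cookie is parsed, it must never skip it; keep the limit test before the ARCOUNT read */`.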
|
|
|
@ -305,6 +305,7 @@ dt_msg_fill_net(struct dt_msg *dm,
|
|||
struct sockaddr_storage *qs,
|
||||
struct sockaddr_storage *rs,
|
||||
enum comm_point_type cptype,
|
||||
void *cpssl,
|
||||
ProtobufCBinaryData *qaddr, protobuf_c_boolean *has_qaddr,
|
||||
uint32_t *qport, protobuf_c_boolean *has_qport,
|
||||
ProtobufCBinaryData *raddr, protobuf_c_boolean *has_raddr,
|
||||
|
@ -371,13 +372,26 @@ dt_msg_fill_net(struct dt_msg *dm,
|
|||
*has_rport = 1;
|
||||
}
|
||||
|
||||
log_assert(cptype == comm_udp || cptype == comm_tcp);
|
||||
if (cptype == comm_udp) {
|
||||
/* socket_protocol */
|
||||
dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__UDP;
|
||||
dm->m.has_socket_protocol = 1;
|
||||
} else if (cptype == comm_tcp) {
|
||||
if (cpssl == NULL) {
|
||||
/* socket_protocol */
|
||||
dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__TCP;
|
||||
dm->m.has_socket_protocol = 1;
|
||||
} else {
|
||||
/* socket_protocol */
|
||||
dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__DOT;
|
||||
dm->m.has_socket_protocol = 1;
|
||||
}
|
||||
} else if (cptype == comm_http) {
|
||||
/* socket_protocol */
|
||||
dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__DOH;
|
||||
dm->m.has_socket_protocol = 1;
|
||||
} else {
|
||||
/* other socket protocol */
|
||||
dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__TCP;
|
||||
dm->m.has_socket_protocol = 1;
|
||||
}
|
||||
|
@ -388,6 +402,7 @@ dt_msg_send_client_query(struct dt_env *env,
|
|||
struct sockaddr_storage *qsock,
|
||||
struct sockaddr_storage *rsock,
|
||||
enum comm_point_type cptype,
|
||||
void *cpssl,
|
||||
sldns_buffer *qmsg,
|
||||
struct timeval* tstamp)
|
||||
{
|
||||
|
@ -410,8 +425,7 @@ dt_msg_send_client_query(struct dt_env *env,
|
|||
dt_fill_buffer(qmsg, &dm.m.query_message, &dm.m.has_query_message);
|
||||
|
||||
/* socket_family, socket_protocol, query_address, query_port, response_address, response_port */
|
||||
log_assert(cptype == comm_udp || cptype == comm_tcp);
|
||||
dt_msg_fill_net(&dm, qsock, rsock, cptype,
|
||||
dt_msg_fill_net(&dm, qsock, rsock, cptype, cpssl,
|
||||
&dm.m.query_address, &dm.m.has_query_address,
|
||||
&dm.m.query_port, &dm.m.has_query_port,
|
||||
&dm.m.response_address, &dm.m.has_response_address,
|
||||
|
@ -427,6 +441,7 @@ dt_msg_send_client_response(struct dt_env *env,
|
|||
struct sockaddr_storage *qsock,
|
||||
struct sockaddr_storage *rsock,
|
||||
enum comm_point_type cptype,
|
||||
void *cpssl,
|
||||
sldns_buffer *rmsg)
|
||||
{
|
||||
struct dt_msg dm;
|
||||
|
@ -446,8 +461,7 @@ dt_msg_send_client_response(struct dt_env *env,
|
|||
dt_fill_buffer(rmsg, &dm.m.response_message, &dm.m.has_response_message);
|
||||
|
||||
/* socket_family, socket_protocol, query_address, query_port, response_address, response_port */
|
||||
log_assert(cptype == comm_udp || cptype == comm_tcp);
|
||||
dt_msg_fill_net(&dm, qsock, rsock, cptype,
|
||||
dt_msg_fill_net(&dm, qsock, rsock, cptype, cpssl,
|
||||
&dm.m.query_address, &dm.m.has_query_address,
|
||||
&dm.m.query_port, &dm.m.has_query_port,
|
||||
&dm.m.response_address, &dm.m.has_response_address,
|
||||
|
@ -462,6 +476,7 @@ dt_msg_send_outside_query(struct dt_env *env,
|
|||
struct sockaddr_storage *rsock,
|
||||
struct sockaddr_storage *qsock,
|
||||
enum comm_point_type cptype,
|
||||
void *cpssl,
|
||||
uint8_t *zone, size_t zone_len,
|
||||
sldns_buffer *qmsg)
|
||||
{
|
||||
|
@ -497,8 +512,7 @@ dt_msg_send_outside_query(struct dt_env *env,
|
|||
dt_fill_buffer(qmsg, &dm.m.query_message, &dm.m.has_query_message);
|
||||
|
||||
/* socket_family, socket_protocol, response_address, response_port, query_address, query_port */
|
||||
log_assert(cptype == comm_udp || cptype == comm_tcp);
|
||||
dt_msg_fill_net(&dm, rsock, qsock, cptype,
|
||||
dt_msg_fill_net(&dm, rsock, qsock, cptype, cpssl,
|
||||
&dm.m.response_address, &dm.m.has_response_address,
|
||||
&dm.m.response_port, &dm.m.has_response_port,
|
||||
&dm.m.query_address, &dm.m.has_query_address,
|
||||
|
@ -513,6 +527,7 @@ dt_msg_send_outside_response(struct dt_env *env,
|
|||
struct sockaddr_storage *rsock,
|
||||
struct sockaddr_storage *qsock,
|
||||
enum comm_point_type cptype,
|
||||
void *cpssl,
|
||||
uint8_t *zone, size_t zone_len,
|
||||
uint8_t *qbuf, size_t qbuf_len,
|
||||
const struct timeval *qtime,
|
||||
|
@ -556,8 +571,7 @@ dt_msg_send_outside_response(struct dt_env *env,
|
|||
dt_fill_buffer(rmsg, &dm.m.response_message, &dm.m.has_response_message);
|
||||
|
||||
/* socket_family, socket_protocol, response_address, response_port, query_address, query_port */
|
||||
log_assert(cptype == comm_udp || cptype == comm_tcp);
|
||||
dt_msg_fill_net(&dm, rsock, qsock, cptype,
|
||||
dt_msg_fill_net(&dm, rsock, qsock, cptype, cpssl,
|
||||
&dm.m.response_address, &dm.m.has_response_address,
|
||||
&dm.m.response_port, &dm.m.has_response_port,
|
||||
&dm.m.query_address, &dm.m.has_query_address,
|
||||
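Review bot: The final `else` branch in dt_msg_fill_net records every comm point type other than UDP, TCP and HTTP as `DNSTAP__SOCKET_PROTOCOL__TCP`, so a dnstap consumer cannot tell real TCP traffic from a transport the code did not recognise. The schema on this page treats every Message field except `type` as optional, so leaving the field unset there would be the more accurate record: `dm->m.has_socket_protocol = 0;`. If the TCP label is kept on purpose, the comment should say so, for example `/* unknown comm point type: reported as TCP so the field is never absent */`. The `comm_http` branch also ignores `cpssl`, so it is worth confirming that an HTTP comm point without TLS cannot reach it and be logged as DOH. The function body starts and ends outside the hunks shown.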
|
|
|
@ -133,6 +133,7 @@ dt_msg_send_client_query(struct dt_env *env,
|
|||
struct sockaddr_storage *qsock,
|
||||
struct sockaddr_storage *rsock,
|
||||
enum comm_point_type cptype,
|
||||
void *cpssl,
|
||||
struct sldns_buffer *qmsg,
|
||||
struct timeval* tstamp);
|
||||
|
||||
|
@ -149,6 +150,7 @@ dt_msg_send_client_response(struct dt_env *env,
|
|||
struct sockaddr_storage *qsock,
|
||||
struct sockaddr_storage *rsock,
|
||||
enum comm_point_type cptype,
|
||||
void *cpssl,
|
||||
struct sldns_buffer *rmsg);
|
||||
|
||||
/**
|
||||
|
@ -168,6 +170,7 @@ dt_msg_send_outside_query(struct dt_env *env,
|
|||
struct sockaddr_storage *rsock,
|
||||
struct sockaddr_storage *qsock,
|
||||
enum comm_point_type cptype,
|
||||
void *cpssl,
|
||||
uint8_t *zone, size_t zone_len,
|
||||
struct sldns_buffer *qmsg);
|
||||
|
||||
|
@ -192,6 +195,7 @@ dt_msg_send_outside_response(struct dt_env *env,
|
|||
struct sockaddr_storage *rsock,
|
||||
struct sockaddr_storage *qsock,
|
||||
enum comm_point_type cptype,
|
||||
void *cpssl,
|
||||
uint8_t *zone, size_t zone_len,
|
||||
uint8_t *qbuf, size_t qbuf_len,
|
||||
const struct timeval *qtime,
|
||||
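Review bot: The four prototypes gain `void *cpssl`, but the hunk offsets show exactly one added line per hunk, so the doc comments above them apparently received no matching parameter entry. Those comment blocks lie outside the hunks, so their wording cannot be checked here; any description of `cptype` that lists only UDP and TCP would now be stale as well. I would add to each block a line such as `@param cpssl: SSL object of the comm point, or NULL when the transport is not TLS`, and state that the pointer is only tested for NULL, which is how dt_msg_fill_net uses it.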
|
|
|
@ -5,45 +5,76 @@
|
|||
# Check for required dnstap libraries and add dnstap configure args.
|
||||
AC_DEFUN([dt_DNSTAP],
|
||||
[
|
||||
AC_ARG_ENABLE([dnstap],
|
||||
AS_HELP_STRING([--enable-dnstap],
|
||||
[Enable dnstap support (requires protobuf-c)]),
|
||||
[opt_dnstap=$enableval], [opt_dnstap=no])
|
||||
AC_ARG_ENABLE([dnstap],
|
||||
AS_HELP_STRING([--enable-dnstap],
|
||||
[Enable dnstap support (requires protobuf-c)]),
|
||||
[opt_dnstap=$enableval],
|
||||
[opt_dnstap=no])
|
||||
|
||||
AC_ARG_WITH([dnstap-socket-path],
|
||||
AS_HELP_STRING([--with-dnstap-socket-path=pathname],
|
||||
[set default dnstap socket path]),
|
||||
[opt_dnstap_socket_path=$withval], [opt_dnstap_socket_path="$1"])
|
||||
AC_ARG_WITH([dnstap-socket-path],
|
||||
AS_HELP_STRING([--with-dnstap-socket-path=pathname],
|
||||
[set default dnstap socket path]),
|
||||
[opt_dnstap_socket_path=$withval],
|
||||
[opt_dnstap_socket_path="$1"])
|
||||
|
||||
if test "x$opt_dnstap" != "xno"; then
|
||||
AC_PATH_PROG([PROTOC_C], [protoc-c])
|
||||
if test -z "$PROTOC_C"; then
|
||||
AC_MSG_ERROR([The protoc-c program was not found. Please install protobuf-c!])
|
||||
if test "x$opt_dnstap" != "xno"; then
|
||||
AC_PATH_PROG([PROTOC_C], [protoc-c])
|
||||
if test -z "$PROTOC_C"; then
|
||||
AC_MSG_ERROR([The protoc-c program was not found. Please install protobuf-c!])
|
||||
fi
|
||||
AC_ARG_WITH([protobuf-c],
|
||||
AS_HELP_STRING([--with-protobuf-c=path], [Path where protobuf-c is installed, for dnstap]),
|
||||
[
|
||||
# workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
|
||||
if test -f $withval/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I$withval/include/google"
|
||||
else
|
||||
CFLAGS="$CFLAGS -I$withval/include"
|
||||
fi
|
||||
LDFLAGS="$LDFLAGS -L$withval/lib"
|
||||
],
|
||||
[
|
||||
ifdef([PKG_CHECK_MODULES],
|
||||
[
|
||||
PKG_CHECK_MODULES([PROTOBUFC], [libprotobuf-c],
|
||||
[
|
||||
CFLAGS="$CFLAGS $PROTOBUFC_CFLAGS"
|
||||
LIBS="$LIBS $PROTOBUFC_LIBS"
|
||||
],
|
||||
[
|
||||
# pkg-config failed; try falling back to known values
|
||||
# workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
|
||||
if test -f /usr/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I/usr/include/google"
|
||||
else
|
||||
if test -f /usr/local/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I/usr/local/include/google"
|
||||
LDFLAGS="$LDFLAGS -L/usr/local/lib"
|
||||
else
|
||||
AC_MSG_ERROR([The protobuf-c package was not found with pkg-config. Please install protobuf-c!])
|
||||
fi
|
||||
fi
|
||||
]
|
||||
)
|
||||
],
|
||||
[
|
||||
# workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
|
||||
if test -f /usr/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I/usr/include/google"
|
||||
else
|
||||
if test -f /usr/local/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I/usr/local/include/google"
|
||||
LDFLAGS="$LDFLAGS -L/usr/local/lib"
|
||||
fi
|
||||
fi
|
||||
]
|
||||
)
|
||||
]
|
||||
)
|
||||
AC_SEARCH_LIBS([protobuf_c_message_pack], [protobuf-c], [],
|
||||
AC_MSG_ERROR([The protobuf-c library was not found. Please install the development libraries for protobuf-c!]))
|
||||
$2
|
||||
else
|
||||
$3
|
||||
fi
|
||||
AC_ARG_WITH([protobuf-c], AS_HELP_STRING([--with-protobuf-c=path],
|
||||
[Path where protobuf-c is installed, for dnstap]), [
|
||||
# workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
|
||||
if test -f $withval/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I$withval/include/google"
|
||||
else
|
||||
CFLAGS="$CFLAGS -I$withval/include"
|
||||
fi
|
||||
LDFLAGS="$LDFLAGS -L$withval/lib"
|
||||
], [
|
||||
# workaround for protobuf-c includes at old dir before protobuf-c-1.0.0
|
||||
if test -f /usr/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I/usr/include/google"
|
||||
else
|
||||
if test -f /usr/local/include/google/protobuf-c/protobuf-c.h; then
|
||||
CFLAGS="$CFLAGS -I/usr/local/include/google"
|
||||
LDFLAGS="$LDFLAGS -L/usr/local/lib"
|
||||
fi
|
||||
fi
|
||||
])
|
||||
AC_SEARCH_LIBS([protobuf_c_message_pack], [protobuf-c], [],
|
||||
AC_MSG_ERROR([The protobuf-c library was not found. Please install the development libraries for protobuf-c!]))
|
||||
$2
|
||||
else
|
||||
$3
|
||||
fi
|
||||
])
|
||||
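Review bot: The two fallbacks for a missing protobuf-c differ: when PKG_CHECK_MODULES is defined and pkg-config finds nothing, the inner `else` calls AC_MSG_ERROR unless the header sits under a `google/` directory, while the branch taken without PKG_CHECK_MODULES falls through and lets AC_SEARCH_LIBS decide. A protobuf-c installed in the compiler's default paths without a `.pc` file would therefore fail configure only on hosts that have the pkg-config macros. Dropping that `else`/AC_MSG_ERROR pair, so both paths end at the AC_SEARCH_LIBS check, would make the behaviour the same. Separately, `$withval` is unquoted in the `test -f` line, so a path containing spaces breaks the test; `test -f "$withval/include/google/protobuf-c/protobuf-c.h"` avoids that.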
|
|
|
@ -13,8 +13,8 @@
|
|||
// with this file. If not, see:
|
||||
//
|
||||
// <http://creativecommons.org/publicdomain/zero/1.0/>.
|
||||
syntax = "proto2";
|
||||
|
||||
syntax = "proto2";
|
||||
package dnstap;
|
||||
|
||||
// "Dnstap": this is the top-level dnstap type, which is a "union" type that
|
||||
|
@ -56,11 +56,60 @@ enum SocketFamily {
|
|||
INET6 = 2; // IPv6 (RFC 2460)
|
||||
}
|
||||
|
||||
// SocketProtocol: the transport protocol of a socket. This specifies how to
|
||||
// interpret "transport port" fields.
|
||||
// SocketProtocol: the protocol used to transport a DNS message.
|
||||
enum SocketProtocol {
|
||||
UDP = 1; // User Datagram Protocol (RFC 768)
|
||||
TCP = 2; // Transmission Control Protocol (RFC 793)
|
||||
UDP = 1; // DNS over UDP transport (RFC 1035 section 4.2.1)
|
||||
TCP = 2; // DNS over TCP transport (RFC 1035 section 4.2.2)
|
||||
DOT = 3; // DNS over TLS (RFC 7858)
|
||||
DOH = 4; // DNS over HTTPS (RFC 8484)
|
||||
DNSCryptUDP = 5; // DNSCrypt over UDP (https://dnscrypt.info/protocol)
|
||||
DNSCryptTCP = 6; // DNSCrypt over TCP (https://dnscrypt.info/protocol)
|
||||
DOQ = 7; // DNS over QUIC (RFC 9250)
|
||||
}
|
||||
|
||||
// Policy: information about any name server operator policy
|
||||
// applied to the processing of a DNS message.
|
||||
message Policy {
|
||||
|
||||
// Match: what aspect of the message or message exchange
|
||||
// triggered the application of the Policy.
|
||||
enum Match {
|
||||
QNAME = 1; // Name in question section of query
|
||||
CLIENT_IP = 2; // Client IP address
|
||||
RESPONSE_IP = 3; // Address in A/AAAA RRSet
|
||||
NS_NAME = 4; // Authoritative name server, by name
|
||||
NS_IP = 5; // Authoritative name server, by IP address
|
||||
}
|
||||
|
||||
// The Action taken to implement the Policy.
|
||||
enum Action {
|
||||
NXDOMAIN = 1; // Respond with NXDOMAIN
|
||||
NODATA = 2; // Respond with empty answer section
|
||||
PASS = 3; // Do not alter the response (passthrough)
|
||||
DROP = 4; // Do not respond.
|
||||
TRUNCATE = 5; // Truncate UDP response, forcing TCP retry
|
||||
LOCAL_DATA = 6; // Respond with local data from policy
|
||||
}
|
||||
|
||||
// type: the type of policy applied, e.g. "RPZ" for a
|
||||
// policy from a Response Policy Zone.
|
||||
optional string type = 1;
|
||||
|
||||
// rule: the rule matched by the message.
|
||||
//
|
||||
// In a RPZ context, this is the owner name of the rule in
|
||||
// the Reponse Policy Zone in wire format.
|
||||
optional bytes rule = 2;
|
||||
|
||||
// action: the policy action taken in response to the
|
||||
// rule match.
|
||||
optional Action action = 3;
|
||||
|
||||
// match: the feature of the message exchange which matched the rule.
|
||||
optional Match match = 4;
|
||||
|
||||
// The matched value. Format depends on the matched feature .
|
||||
optional bytes value = 5;
|
||||
}
|
||||
|
||||
// Message: a wire-format (RFC 1035 section 4) DNS message and associated
|
||||
|
@ -158,6 +207,24 @@ message Message {
|
|||
// STUB_RESPONSE is a DNS response message sent from a DNS server to a
|
||||
// stub resolver, from the perspective of the stub resolver.
|
||||
STUB_RESPONSE = 10;
|
||||
|
||||
// TOOL_QUERY is a DNS query message sent from a DNS software tool to a
|
||||
// DNS server, from the perspective of the tool.
|
||||
TOOL_QUERY = 11;
|
||||
|
||||
// TOOL_RESPONSE is a DNS response message received by a DNS software
|
||||
// tool from a DNS server, from the perspective of the tool.
|
||||
TOOL_RESPONSE = 12;
|
||||
|
||||
// UPDATE_QUERY is a Dynamic DNS Update request (RFC 2136) received
|
||||
// by an authoritative name server, from the perspective of the
|
||||
// authoritative name server.
|
||||
UPDATE_QUERY = 13;
|
||||
|
||||
// UPDATE_RESPONSE is a Dynamic DNS Update response (RFC 2136) sent
|
||||
// from an authoritative name server, from the perspective of the
|
||||
// authoritative name server.
|
||||
UPDATE_RESPONSE = 14;
|
||||
}
|
||||
|
||||
// One of the Type values described above.
|
||||
|
@ -215,6 +282,9 @@ message Message {
|
|||
|
||||
// The responder's original wire-format DNS response message, verbatim.
|
||||
optional bytes response_message = 14;
|
||||
|
||||
// Operator policy applied to the processing of this message, if any.
|
||||
optional Policy policy = 15;
|
||||
}
|
||||
|
||||
// All fields except for 'type' in the Message schema are optional.
|
||||
|
@ -236,7 +306,6 @@ message Message {
|
|||
|
||||
// RESOLVER_QUERY:
|
||||
// socket_family, socket_protocol
|
||||
// query_name, query_type, query_class
|
||||
// query_message
|
||||
// query_time_sec, query_time_nsec
|
||||
// query_zone
|
||||
|
@ -244,7 +313,6 @@ message Message {
|
|||
|
||||
// RESOLVER_RESPONSE:
|
||||
// socket_family, socket_protocol
|
||||
// query_name, query_type, query_class
|
||||
// query_time_sec, query_time_nsec
|
||||
// query_zone
|
||||
// response_address, response_port
|
||||
|
|
|
@ -1,6 +1,144 @@
|
|||
8 March 2024: Wouter
|
||||
- Fix unbound-control-setup.cmd to use 3072 bits so that certificates
|
||||
are long enough for newer OpenSSL versions.
|
||||
- Fix TTL of synthesized CNAME when a DNAME is used from cache.
|
||||
- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
|
||||
like unbound-control-setup.sh has.
|
||||
|
||||
7 March 2024: Wouter
|
||||
- Version set to 1.19.3 for release. After 1.19.2 point release with
|
||||
security fix for CVE-2024-1931, Denial of service when trimming
|
||||
EDE text on positive replies. The code repo includes the fix and
|
||||
is for version 1.19.3.
|
||||
|
||||
5 March 2024: Wouter
|
||||
- Fix for #1022: Fix ede prohibited in access control refused answers.
|
||||
|
||||
4 March 2024: Wouter
|
||||
- Fix edns subnet replies for scope zero answers to not get stored
|
||||
in the global cache, and in cachedb, when the upstream replies
|
||||
without an EDNS record.
|
||||
|
||||
28 February 2024: Wouter
|
||||
- Move github workflows to use checkoutv4.
|
||||
|
||||
23 February 2024: Yorgos
|
||||
- Document the suspend argument for process_ds_response().
|
||||
|
||||
22 February 2024: Wouter
|
||||
- Fix trim of EDE text from large udp responses from spinning cpu.
|
||||
|
||||
20 February 2024: Yorgos
|
||||
- Merge #1010: Mention REFUSED has the TC bit set with unmatched
|
||||
allow_cookie acl in the manpage. It also fixes the code to match the
|
||||
documentation about clients with a valid cookie that bypass the
|
||||
ratelimit regardless of the allow_cookie acl.
|
||||
|
||||
13 February 2024: Wouter
|
||||
- Fix CVE-2023-50387, DNSSEC verification complexity can be exploited
|
||||
to exhaust CPU resources and stall DNS resolvers.
|
||||
- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
|
||||
- These fixes are part of the 1.19.1 release, that is a security
|
||||
point release on 1.19.0, the code repository continues with these
|
||||
fixes, with version number 1.19.2.
|
||||
|
||||
8 February 2024: Wouter
|
||||
- Fix documentation for access-control in the unbound.conf man page.
|
||||
|
||||
7 February 2024: Yorgos
|
||||
- Fix #1006: Can't find protobuf-c package since #999.
|
||||
|
||||
30 January 2024: Wouter
|
||||
- Merge #999: Search for protobuf-c with pkg-config.
|
||||
|
||||
23 January 2024: Yorgos
|
||||
- Update message TTL when using cached RRSETs. It could result in
|
||||
non-expired messages with expired RRSETs (non-usable messages by
|
||||
Unbound).
|
||||
|
||||
22 January 2024: Yorgos
|
||||
- Update error printout for duplicate trust anchors to include the
|
||||
trust anchor name (relates to #920).
|
||||
|
||||
22 January 2024: Wouter
|
||||
- Fix for #997: Print details for SSL certificate failure.
|
||||
|
||||
17 January 2024: Wouter
|
||||
- Update workflow for ports to use newer openssl on windows compile.
|
||||
- Fix warning for windres on resource files due to redefinition.
|
||||
|
||||
16 January 2024: Wouter
|
||||
- Fix to link with libssp for libcrypto and getaddrinfo check for
|
||||
only header. Also update crosscompile to remove ssp for 32bit.
|
||||
- Merge #993: Update b.root-servers.net also in example config file.
|
||||
|
||||
15 January 2024: Wouter
|
||||
- Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
|
||||
|
||||
9 January 2024: Wouter
|
||||
- Merge #988: Fix NLnetLabs#981: dump_cache truncates large records.
|
||||
|
||||
5 January 2024: Wouter
|
||||
- Merge #987: skip edns frag retry if advertised udp payload size is
|
||||
not smaller.
|
||||
- Fix unit test for #987 change in udp1xxx retry packet send.
|
||||
|
||||
4 January 2024: Wouter
|
||||
- Remove unneeded newlines and improve indentation in remote control
|
||||
code.
|
||||
|
||||
3 January 2024: Wouter
|
||||
- Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors
|
||||
for non-HTTP/2 DoH clients.
|
||||
- Merge #985: Add DoH and DoT to dnstap message.
|
||||
- Fix #983: Sha1 runtime insecure change was incomplete.
|
||||
|
||||
22 December 2023: Yorgos
|
||||
- Update example.conf with cookie options.
|
||||
|
||||
8 December 2023: Yorgos
|
||||
- Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as
|
||||
per RFC 6672.
|
||||
|
||||
8 December 2023: Wouter
|
||||
- Fix root_zonemd unit test, it checks that the root ZONEMD verifies,
|
||||
now that the root has a valid ZONEMD.
|
||||
|
||||
7 December 2023: Wouter
|
||||
- Fix #974: doc: default number of outgoing ports without libevent.
|
||||
- Merge #975: Fixed some syntax errors in rpl files.
|
||||
|
||||
6 December 2023: Wouter
|
||||
- Fix to sync the tests script file common.sh.
|
||||
- iana portlist update.
|
||||
- Updated IPv4 and IPv6 address for b.root-servers.net in root hints.
|
||||
- Update test script file common.sh.
|
||||
- Fix tests to use new common.sh functions, wait_logfile and
|
||||
kill_from_pidfile.
|
||||
|
||||
5 December 2023: Wouter
|
||||
- Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
|
||||
- Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
|
||||
- Fix dnstap that assertion failed on logging other than UDP and TCP
|
||||
traffic. It lists it as TCP traffic.
|
||||
|
||||
27 November 2023: Yorgos
|
||||
- Merge #968: Replace the obsolescent fgrep with grep -F in tests.
|
||||
|
||||
27 November 2023: Wouter
|
||||
- Fix #964: config.h.in~ backup file in release tar balls.
|
||||
|
||||
24 November 2023: Yorgos
|
||||
- Use 127.0.0.1 explicitly in tests to avoid delays and errors on
|
||||
newer systems.
|
||||
|
||||
9 November 2023: Wouter
|
||||
- Fix unit test parse of origin syntax.
|
||||
|
||||
2 November 2023: Wouter
|
||||
- Set version number to 1.19.0.
|
||||
- Tag for 1.19.0rc1 release.
|
||||
- Tag for 1.19.0rc1 release. It became 1.19.0 release on 8 nov 2023.
|
||||
The repository continues with 1.19.1.
|
||||
|
||||
1 November 2023: George
|
||||
- Mention flex and bison in README.md when building from repository
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
README for Unbound 1.19.1
|
||||
README for Unbound 1.19.3
|
||||
Copyright 2007 NLnet Labs
|
||||
http://unbound.net
|
||||
|
||||
|
@ -19,11 +19,10 @@ The DNSTAP code has BSD license in dnstap/dnstap.c.
|
|||
* Make and install: ./configure; make; make install
|
||||
* --with-libevent=/path/to/libevent
|
||||
Can be set to either the system install or the build directory.
|
||||
--with-libevent=no (default) gives a builtin alternative
|
||||
implementation. libevent is useful when having many (thousands)
|
||||
of outgoing ports. This improves randomization and spoof
|
||||
resistance. For the default of 16 ports the builtin alternative
|
||||
works well and is a little faster.
|
||||
--with-libevent=no gives a builtin alternative implementation.
|
||||
Libevent is enabled by default, it is useful when having many
|
||||
(thousands) of outgoing ports. This improves randomization and spoof
|
||||
resistance. It also allows a higher number of outgoing queries.
|
||||
* --with-libexpat=/path/to/libexpat
|
||||
Can be set to the install directory of libexpat.
|
||||
* --without-pthreads
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.19.1.
|
||||
# See unbound.conf(5) man page, version 1.19.3.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
|
@ -303,6 +303,7 @@ server:
|
|||
# Choose deny (drop message), refuse (polite error reply),
|
||||
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
|
||||
# allow_snoop (recursive and nonrecursive ok)
|
||||
# allow_cookie (allow UDP with valid cookie or stateful transport)
|
||||
# deny_non_local (drop queries unless can be answered from local-data)
|
||||
# refuse_non_local (like deny_non_local but polite error reply).
|
||||
# access-control: 127.0.0.0/8 allow
|
||||
|
@ -441,6 +442,9 @@ server:
|
|||
# filtering log-queries and log-replies from the log.
|
||||
# log-tag-queryreply: no
|
||||
|
||||
# log with destination address, port and type for log-replies.
|
||||
# log-destaddr: no
|
||||
|
||||
# log the local-zone actions, like local-zone type inform is enabled
|
||||
# also for the other local zone types.
|
||||
# log-local-actions: no
|
||||
|
@ -983,6 +987,13 @@ server:
|
|||
# if 0(default) it is disabled, otherwise states qps allowed per ip address
|
||||
# ip-ratelimit: 0
|
||||
|
||||
# global query ratelimit for all ip addresses with a valid DNS Cookie.
|
||||
# feature is experimental.
|
||||
# if 0(default) it is disabled, otherwise states qps allowed per ip address
|
||||
# useful in combination with 'allow_cookie'.
|
||||
# If used, suggested to be higher than ip-ratelimit, tenfold.
|
||||
# ip-ratelimit-cookie: 0
|
||||
|
||||
# ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
|
||||
# ip-ratelimit-size: 4m
|
||||
# ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
|
||||
|
@ -1004,6 +1015,14 @@ server:
|
|||
# the number of servers that will be used in the fast server selection.
|
||||
# fast-server-num: 3
|
||||
|
||||
# reply to requests containing DNS Cookies as specified in RFC 7873 and RFC 9018.
|
||||
# answer-cookie: no
|
||||
|
||||
# secret for DNS Cookie generation.
|
||||
# useful for anycast deployments.
|
||||
# example value "000102030405060708090a0b0c0d0e0f".
|
||||
# cookie-secret: <128 bit random hex string>
|
||||
|
||||
# Enable to attach Extended DNS Error codes (RFC8914) to responses.
|
||||
# ede: no
|
||||
|
||||
|
@ -1150,7 +1169,7 @@ remote-control:
|
|||
# sources of notifies.
|
||||
# auth-zone:
|
||||
# name: "."
|
||||
# primary: 199.9.14.201 # b.root-servers.net
|
||||
# primary: 170.247.170.2 # b.root-servers.net
|
||||
# primary: 192.33.4.12 # c.root-servers.net
|
||||
# primary: 199.7.91.13 # d.root-servers.net
|
||||
# primary: 192.5.5.241 # f.root-servers.net
|
||||
|
@ -1158,7 +1177,7 @@ remote-control:
|
|||
# primary: 193.0.14.129 # k.root-servers.net
|
||||
# primary: 192.0.47.132 # xfr.cjr.dns.icann.org
|
||||
# primary: 192.0.32.132 # xfr.lax.dns.icann.org
|
||||
# primary: 2001:500:200::b # b.root-servers.net
|
||||
# primary: 2801:1b8:10::b # b.root-servers.net
|
||||
# primary: 2001:500:2::c # c.root-servers.net
|
||||
# primary: 2001:500:2d::d # d.root-servers.net
|
||||
# primary: 2001:500:2f::f # f.root-servers.net
|
||||
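Review bot: The new cookie-secret comment in the `answer-cookie` hunk prints a concrete example value, `000102030405060708090a0b0c0d0e0f`, which a copied template can carry into a live configuration. A secret that is publicly known no longer protects the server cookie, which is what `allow_cookie` and `ip-ratelimit-cookie` rely on. I would replace the example line with `# generate a fresh 128 bit random value per deployment, never reuse a published example.` and keep only the `<128 bit random hex string>` placeholder on the setting itself.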
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "libunbound" "3" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
|
||||
.TH "libunbound" "3" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
|
@ -44,7 +44,7 @@
|
|||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.19.1 functions.
|
||||
\- Unbound DNS validating resolver 1.19.3 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "unbound-anchor" "8" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
|
||||
.TH "unbound-anchor" "8" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "unbound-checkconf" "8" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
|
||||
.TH "unbound-checkconf" "8" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "unbound-control" "8" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
|
||||
.TH "unbound-control" "8" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
|
||||
.\"
|
||||
.\" unbound-control.8 -- unbound remote control manual
|
||||
.\"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "unbound\-host" "1" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
|
||||
.TH "unbound\-host" "1" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "unbound" "8" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
|
||||
.TH "unbound" "8" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
|
@ -9,7 +9,7 @@
|
|||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.19.1.
|
||||
\- Unbound DNS validating resolver 1.19.3.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "unbound.conf" "5" "Feb 13, 2024" "NLnet Labs" "unbound 1.19.1"
|
||||
.TH "unbound.conf" "5" "Mar 14, 2024" "NLnet Labs" "unbound 1.19.3"
|
||||
.\"
|
||||
.\" unbound.conf.5 -- unbound.conf manual
|
||||
.\"
|
||||
|
@ -699,6 +699,12 @@ When at the limit, further connections are accepted but closed immediately.
|
|||
This option is experimental at this time.
|
||||
.TP
|
||||
.B access\-control: \fI<IP netblock> <action>
|
||||
Specify treatment of incoming queries from their originating IP address.
|
||||
Queries can be allowed to have access to this server that gives DNS
|
||||
answers, or refused, with other actions possible. The IP address range
|
||||
can be specified as a netblock, it is possible to give the statement
|
||||
several times in order to specify the treatment of different netblocks.
|
||||
.IP
|
||||
The netblock is given as an IP4 or IP6 address with /size appended for a
|
||||
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||
\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIallow_cookie\fR,
|
||||
|
@ -738,7 +744,7 @@ the cache contents (for malicious acts). However, nonrecursive queries can
|
|||
also be a valuable debugging tool (when you want to examine the cache
|
||||
contents). In that case use \fIallow_snoop\fR for your administration host.
|
||||
.IP
|
||||
The \fIallow_cookie\fR action allows access to UDP queries that contain a
|
||||
The \fIallow_cookie\fR action allows access only to UDP queries that contain a
|
||||
valid DNS Cookie as specified in RFC 7873 and RFC 9018, when the
|
||||
\fBanswer\-cookie\fR option is enabled.
|
||||
UDP queries containing only a DNS Client Cookie and no Server Cookie, or an
|
||||
|
@ -747,10 +753,8 @@ generated DNS Cookie, allowing clients to retry with that DNS Cookie.
|
|||
The \fIallow_cookie\fR action will also accept requests over stateful
|
||||
transports, regardless of the presence of an DNS Cookie and regardless of the
|
||||
\fBanswer\-cookie\fR setting.
|
||||
If \fBip\-ratelimit\fR is used, clients with a valid DNS Cookie will bypass the
|
||||
ratelimit.
|
||||
If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
|
||||
can be used instead.
|
||||
UDP queries without a DNS Cookie receive REFUSED responses with the TC flag set,
|
||||
that may trigger fall back to TCP for those clients.
|
||||
.IP
|
||||
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
|
||||
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
|
||||
|
@ -913,6 +917,11 @@ Prints the word 'query' and 'reply' with log\-queries and log\-replies.
|
|||
This makes filtering logs easier. The default is off (for backwards
|
||||
compatibility).
|
||||
.TP
|
||||
.B log\-destaddr: \fI<yes or no>
|
||||
Prints the destination address, port and type in the log\-replies output.
|
||||
This disambiguates what type of traffic, eg. udp or tcp, and to what local
|
||||
port the traffic was sent to.
|
||||
.TP
|
||||
.B log\-local\-actions: \fI<yes or no>
|
||||
Print log lines to inform about local zone actions. These lines are like the
|
||||
local\-zone type inform prints out, but they are also printed for the other
|
||||
|
@ -1839,6 +1848,9 @@ The ratelimit is in queries per second that are allowed. More queries are
|
|||
completely dropped and will not receive a reply, SERVFAIL or otherwise.
|
||||
IP ratelimiting happens before looking in the cache. This may be useful for
|
||||
mitigating amplification attacks.
|
||||
Clients with a valid DNS Cookie will bypass the ratelimit.
|
||||
If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
|
||||
can be used instead.
|
||||
Default is 0 (disabled).
|
||||
.TP 5
|
||||
.B ip\-ratelimit\-cookie: \fI<number or 0>
|
||||
|
|
|
@ -523,4 +523,3 @@ forwards_delete_stub_hole(struct iter_forwards* fwd, uint16_t c, uint8_t* nm)
|
|||
fwd_zone_free(z);
|
||||
fwd_init_parents(fwd);
|
||||
}
|
||||
|
||||
|
|
|
@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
|
|||
dp->has_parent_side_NS = 1;
|
||||
if(do_ip4) {
|
||||
if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4")) goto failed;
|
||||
if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed;
|
||||
if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2")) goto failed;
|
||||
if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12")) goto failed;
|
||||
if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13")) goto failed;
|
||||
if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
|
||||
|
@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
|
|||
}
|
||||
if(do_ip6) {
|
||||
if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
|
||||
if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
|
||||
if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed;
|
||||
if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
|
||||
if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
|
||||
if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
|
||||
|
@ -560,4 +560,3 @@ hints_delete_stub(struct iter_hints* hints, uint16_t c, uint8_t* nm)
|
|||
hints_stub_free(z);
|
||||
name_tree_init_parents(&hints->tree);
|
||||
}
|
||||
|
||||
|
|
|
@ -283,7 +283,8 @@ synth_cname_rrset(uint8_t** sname, size_t* snamelen, uint8_t* alias,
|
|||
sizeof(uint32_t)+sizeof(uint16_t)+aliaslen);
|
||||
if(!cn->rr_first->ttl_data)
|
||||
return NULL;
|
||||
sldns_write_uint32(cn->rr_first->ttl_data, 0); /* TTL = 0 */
|
||||
memmove(cn->rr_first->ttl_data, rrset->rr_first->ttl_data,
|
||||
sizeof(uint32_t)); /* RFC6672: synth CNAME TTL == DNAME TTL */
|
||||
sldns_write_uint16(cn->rr_first->ttl_data+4, aliaslen);
|
||||
memmove(cn->rr_first->ttl_data+6, alias, aliaslen);
|
||||
cn->rr_first->size = sizeof(uint16_t)+aliaslen;
|
||||
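Review bot: The new `memmove` in synth_cname_rrset reads `rrset->rr_first->ttl_data` with no check in this hunk that the DNAME rrset has a first RR carrying at least four bytes of TTL data. The function starts and ends outside the hunk, so a guard may already exist earlier; if it does, a short comment at the copy such as `/* rrset is the DNAME rrset, rr_first checked above */` would record that. The copied value is the TTL exactly as received from the upstream, so the synthesized CNAME is no longer pinned to 0 and its lifetime now depends on whatever TTL clamping runs later, which is not visible here.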
|
|
|
@ -4151,10 +4151,10 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
/* like packet got dropped */
|
||||
goto handle_it;
|
||||
}
|
||||
if(!inplace_cb_edns_back_parsed_call(qstate->env, qstate)) {
|
||||
log_err("unable to call edns_back_parsed callback");
|
||||
goto handle_it;
|
||||
}
|
||||
}
|
||||
if(!inplace_cb_edns_back_parsed_call(qstate->env, qstate)) {
|
||||
log_err("unable to call edns_back_parsed callback");
|
||||
goto handle_it;
|
||||
}
|
||||
|
||||
/* remove CD-bit, we asked for in case we handle validation ourself */
|
||||
|
|
|
@ -2702,7 +2702,7 @@ create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region,
|
|||
if(!d)
|
||||
return 0; /* out of memory */
|
||||
(*cname)->entry.data = d;
|
||||
d->ttl = 0; /* 0 for synthesized CNAME TTL */
|
||||
d->ttl = dname->data->ttl; /* RFC6672: synth CNAME TTL == DNAME TTL */
|
||||
d->count = 1;
|
||||
d->rrsig_count = 0;
|
||||
d->trust = rrset_trust_ans_noAA;
|
||||
|
|
12
contrib/unbound/services/cache/dns.c
vendored
|
@ -80,6 +80,7 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now,
|
|||
struct regional* region, time_t qstarttime)
|
||||
{
|
||||
size_t i;
|
||||
time_t ttl, min_ttl = rep->ttl;
|
||||
/* see if rrset already exists in cache, if not insert it. */
|
||||
for(i=0; i<rep->rrset_count; i++) {
|
||||
rep->ref[i].key = rep->rrsets[i];
|
||||
|
@ -112,6 +113,15 @@ store_rrsets(struct module_env* env, struct reply_info* rep, time_t now,
|
|||
case 1: /* ref updated, item inserted */
|
||||
rep->rrsets[i] = rep->ref[i].key;
|
||||
}
|
||||
/* if ref was updated make sure the message ttl is updated to
|
||||
* the minimum of the current rrsets. */
|
||||
ttl = ((struct packed_rrset_data*)rep->rrsets[i]->entry.data)->ttl;
|
||||
if(ttl < min_ttl) min_ttl = ttl;
|
||||
}
|
||||
if(min_ttl < rep->ttl) {
|
||||
rep->ttl = min_ttl;
|
||||
rep->prefetch_ttl = PREFETCH_TTL_CALC(rep->ttl);
|
||||
rep->serve_expired_ttl = rep->ttl + SERVE_EXPIRED_TTL;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -818,7 +828,7 @@ synth_dname_msg(struct ub_packed_rrset_key* rrset, struct regional* region,
|
|||
if(!newd)
|
||||
return NULL;
|
||||
ck->entry.data = newd;
|
||||
newd->ttl = 0; /* 0 for synthesized CNAME TTL */
|
||||
newd->ttl = d->ttl - now; /* RFC6672: synth CNAME TTL == DNAME TTL */
|
||||
newd->count = 1;
|
||||
newd->rrsig_count = 0;
|
||||
newd->trust = rrset_trust_ans_noAA;
|
||||
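Review bot: In store_rrsets the added read of `((struct packed_rrset_data*)rep->rrsets[i]->entry.data)->ttl` runs after `rep->rrsets[i]` may have been switched to the shared cache entry (`rep->rrsets[i] = rep->ref[i].key`), and no lock on that entry is taken in the lines shown, so another thread that updates or deletes the rrset could race with it. The loop body is only partly inside the hunk, so a lock may be held by code not shown; if not, take the entry's read lock around the read and skip the update when the key was deleted or reused. The read also appears to sit after the switch and so runs for every case, which the comment "if ref was updated" does not describe.

```c
	/* … unchanged: rrset_cache_update switch … */
		/* the key may now be the shared cache entry: read its ttl
		 * under the entry lock, and skip it if the entry was deleted
		 * or reused since the reference was taken. */
		lock_rw_rdlock(&rep->ref[i].key->entry.lock);
		if(rep->ref[i].key->id != 0 &&
			rep->ref[i].key->id == rep->ref[i].id) {
			ttl = ((struct packed_rrset_data*)
				rep->rrsets[i]->entry.data)->ttl;
			if(ttl < min_ttl) min_ttl = ttl;
		}
		lock_rw_unlock(&rep->ref[i].key->entry.lock);
	/* … unchanged: min_ttl applied to rep->ttl after the loop … */
```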
|
|
|
@ -1532,7 +1532,7 @@ local_data_answer(struct local_zone* z, struct module_env* env,
|
|||
return 0; /* invalid cname */
|
||||
if(dname_is_wild(ctarget)) {
|
||||
/* synthesize cname target */
|
||||
struct packed_rrset_data* d;
|
||||
struct packed_rrset_data* d, *lr_d;
|
||||
/* -3 for wildcard label and root label from qname */
|
||||
size_t newtargetlen = qinfo->qname_len + ctargetlen - 3;
|
||||
|
||||
|
@ -1560,8 +1560,10 @@ local_data_answer(struct local_zone* z, struct module_env* env,
|
|||
+ newtargetlen);
|
||||
if(!d)
|
||||
return 0; /* out of memory */
|
||||
lr_d = (struct packed_rrset_data*)lr->rrset->entry.data;
|
||||
qinfo->local_alias->rrset->entry.data = d;
|
||||
d->ttl = 0; /* 0 for synthesized CNAME TTL */
|
||||
d->ttl = lr_d->rr_ttl[0]; /* RFC6672-like behavior:
|
||||
synth CNAME TTL uses original TTL*/
|
||||
d->count = 1;
|
||||
d->rrsig_count = 0;
|
||||
d->trust = rrset_trust_ans_noAA;
|
||||
|
|
|
@ -69,6 +69,12 @@
|
|||
#include "edns-subnet/subnetmod.h"
|
||||
#include "edns-subnet/edns-subnet.h"
|
||||
#endif
|
||||
#ifdef HAVE_SYS_TYPES_H
|
||||
# include <sys/types.h>
|
||||
#endif
|
||||
#ifdef HAVE_NETDB_H
|
||||
#include <netdb.h>
|
||||
#endif
|
||||
|
||||
/**
|
||||
* Compare two response-ip client info entries for the purpose of mesh state
|
||||
|
@ -1429,7 +1435,9 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
|
|||
if(m->s.env->cfg->log_replies) {
|
||||
log_reply_info(NO_VERBOSE, &m->s.qinfo,
|
||||
&r->query_reply.client_addr,
|
||||
r->query_reply.client_addrlen, duration, 0, r_buffer);
|
||||
r->query_reply.client_addrlen, duration, 0, r_buffer,
|
||||
(m->s.env->cfg->log_destaddr?(void*)r->query_reply.c->socket->addr->ai_addr:NULL),
|
||||
r->query_reply.c->type);
|
||||
}
|
||||
}
|
||||
|
||||
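Review bot: The new `log_reply_info` argument in mesh_send_reply dereferences `r->query_reply.c->socket->addr->ai_addr` whenever `log_destaddr` is set, with no check in this hunk that `c->socket` and its `addr` are non-NULL for every kind of comm point that can own a mesh reply. If any reply path has no listening socket attached, enabling `log-destaddr` would turn a logging option into a crash on the client-facing path; only part of mesh_send_reply is inside the hunk, so this needs confirming against the callers. A guarded form keeps the logging best-effort: `(m->s.env->cfg->log_destaddr && r->query_reply.c->socket && r->query_reply.c->socket->addr) ? (void*)r->query_reply.c->socket->addr->ai_addr : NULL,`.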
|
|
|
@ -1009,7 +1009,7 @@ use_free_buffer(struct outside_network* outnet)
|
|||
sldns_buffer tmp;
|
||||
sldns_buffer_init_frm_data(&tmp, w->pkt, w->pkt_len);
|
||||
dt_msg_send_outside_query(outnet->dtenv, &w->sq->addr,
|
||||
&pend_tcp->pi->addr, comm_tcp, w->sq->zone,
|
||||
&pend_tcp->pi->addr, comm_tcp, NULL, w->sq->zone,
|
||||
w->sq->zonelen, &tmp);
|
||||
}
|
||||
#endif
|
||||
|
@ -2237,7 +2237,7 @@ randomize_and_send_udp(struct pending* pend, sldns_buffer* packet, int timeout)
|
|||
outnet->dtenv->log_forwarder_query_messages)) {
|
||||
log_addr(VERB_ALGO, "from local addr", &pend->pc->pif->addr, pend->pc->pif->addrlen);
|
||||
log_addr(VERB_ALGO, "request to upstream", &pend->addr, pend->addrlen);
|
||||
dt_msg_send_outside_query(outnet->dtenv, &pend->addr, &pend->pc->pif->addr, comm_udp,
|
||||
dt_msg_send_outside_query(outnet->dtenv, &pend->addr, &pend->pc->pif->addr, comm_udp, NULL,
|
||||
pend->sq->zone, pend->sq->zonelen, packet);
|
||||
}
|
||||
#endif
|
||||
|
@ -2517,7 +2517,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
|
|||
sldns_buffer tmp;
|
||||
sldns_buffer_init_frm_data(&tmp, w->pkt, w->pkt_len);
|
||||
dt_msg_send_outside_query(sq->outnet->dtenv, &sq->addr,
|
||||
&pend->pi->addr, comm_tcp, sq->zone,
|
||||
&pend->pi->addr, comm_tcp, NULL, sq->zone,
|
||||
sq->zonelen, &tmp);
|
||||
}
|
||||
#endif
|
||||
|
@ -2820,6 +2820,25 @@ serviced_perturb_qname(struct ub_randstate* rnd, uint8_t* qbuf, size_t len)
|
|||
}
|
||||
}
|
||||
|
||||
static uint16_t
|
||||
serviced_query_udp_size(struct serviced_query* sq, enum serviced_query_status status) {
|
||||
uint16_t udp_size;
|
||||
if(status == serviced_query_UDP_EDNS_FRAG) {
|
||||
if(addr_is_ip6(&sq->addr, sq->addrlen)) {
|
||||
if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE)
|
||||
udp_size = EDNS_FRAG_SIZE_IP6;
|
||||
else udp_size = EDNS_ADVERTISED_SIZE;
|
||||
} else {
|
||||
if(EDNS_FRAG_SIZE_IP4 < EDNS_ADVERTISED_SIZE)
|
||||
udp_size = EDNS_FRAG_SIZE_IP4;
|
||||
else udp_size = EDNS_ADVERTISED_SIZE;
|
||||
}
|
||||
} else {
|
||||
udp_size = EDNS_ADVERTISED_SIZE;
|
||||
}
|
||||
return udp_size;
|
||||
}
|
||||
|
||||
/** put serviced query into a buffer */
|
||||
static void
|
||||
serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns)
|
||||
|
@ -2843,19 +2862,7 @@ serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns)
|
|||
edns.opt_list_in = NULL;
|
||||
edns.opt_list_out = sq->opt_list;
|
||||
edns.opt_list_inplace_cb_out = NULL;
|
||||
if(sq->status == serviced_query_UDP_EDNS_FRAG) {
|
||||
if(addr_is_ip6(&sq->addr, sq->addrlen)) {
|
||||
if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE)
|
||||
edns.udp_size = EDNS_FRAG_SIZE_IP6;
|
||||
else edns.udp_size = EDNS_ADVERTISED_SIZE;
|
||||
} else {
|
||||
if(EDNS_FRAG_SIZE_IP4 < EDNS_ADVERTISED_SIZE)
|
||||
edns.udp_size = EDNS_FRAG_SIZE_IP4;
|
||||
else edns.udp_size = EDNS_ADVERTISED_SIZE;
|
||||
}
|
||||
} else {
|
||||
edns.udp_size = EDNS_ADVERTISED_SIZE;
|
||||
}
|
||||
edns.udp_size = serviced_query_udp_size(sq, sq->status);
|
||||
edns.bits = 0;
|
||||
if(sq->dnssec & EDNS_DO)
|
||||
edns.bits = EDNS_DO;
|
||||
|
@ -3083,7 +3090,7 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
|
|||
log_addr(VERB_ALGO, "response from upstream", &sq->addr, sq->addrlen);
|
||||
log_addr(VERB_ALGO, "to local addr", &pi->addr, pi->addrlen);
|
||||
dt_msg_send_outside_response(sq->outnet->dtenv, &sq->addr,
|
||||
&pi->addr, c->type, sq->zone, sq->zonelen, sq->qbuf,
|
||||
&pi->addr, c->type, c->ssl, sq->zone, sq->zonelen, sq->qbuf,
|
||||
sq->qbuflen, &sq->last_sent_time, sq->outnet->now_tv,
|
||||
c->buffer);
|
||||
}
|
||||
|
@ -3252,7 +3259,8 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
|
|||
|
||||
sq->pending = NULL; /* removed after callback */
|
||||
if(error == NETEVENT_TIMEOUT) {
|
||||
if(sq->status == serviced_query_UDP_EDNS && sq->last_rtt < 5000) {
|
||||
if(sq->status == serviced_query_UDP_EDNS && sq->last_rtt < 5000 &&
|
||||
(serviced_query_udp_size(sq, serviced_query_UDP_EDNS_FRAG) < serviced_query_udp_size(sq, serviced_query_UDP_EDNS))) {
|
||||
/* fallback to 1480/1280 */
|
||||
sq->status = serviced_query_UDP_EDNS_FRAG;
|
||||
log_name_addr(VERB_ALGO, "try edns1xx0", sq->qbuf+10,
|
||||
|
@ -3296,7 +3304,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
|
|||
log_addr(VERB_ALGO, "to local addr", &p->pc->pif->addr,
|
||||
p->pc->pif->addrlen);
|
||||
dt_msg_send_outside_response(outnet->dtenv, &sq->addr,
|
||||
&p->pc->pif->addr, c->type, sq->zone, sq->zonelen,
|
||||
&p->pc->pif->addr, c->type, c->ssl, sq->zone, sq->zonelen,
|
||||
sq->qbuf, sq->qbuflen, &sq->last_sent_time,
|
||||
sq->outnet->now_tv, c->buffer);
|
||||
}
|
||||
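Review bot: The outgoing TCP dnstap calls in use_free_buffer and pending_tcp_query pass `NULL` for the new argument, while the response-side calls in serviced_tcp_callback and serviced_udp_callback pass `c->ssl`. If that argument is the TLS handle used to choose the logged transport (inferred from the `c->ssl` calls; the prototype is not in this section), a query sent to a TLS upstream would be recorded as plain TCP and its response as TLS, which makes dnstap records harder to correlate during an investigation. Either pass the connection's TLS handle where it is already set up at that point, or state the limitation next to the call, e.g. `/* ssl handle not passed: outgoing query is logged as TCP even for TLS upstreams */`. Separately, the new static helper `serviced_query_udp_size` has no `/** ... */` header comment although the neighbouring `serviced_encode` does.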
|
|
|
@ -16,5 +16,5 @@ if test -f fwd4.log; then cat fwd4.log; else echo "no fwd4.log"; fi
|
|||
cat unbound.log
|
||||
if test -f unbound2.log; then cat unbound2.log; else echo "no unbound2.log"; fi
|
||||
kill_pid $FWD_PID
|
||||
kill_pid `cat unbound.pid`
|
||||
kill_from_pidfile "unbound.pid"
|
||||
rm -f $CONTROL_PATH/controlpipe.$CONTROL_PID
|
||||
|
|
|
@ -13,7 +13,7 @@ get_ldns_testns
|
|||
# query for a text record that is stored by unbound's cache and cachedb
|
||||
# in the testframe cache.
|
||||
echo "> dig txt1.example.com."
|
||||
dig @localhost -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
|
||||
dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
|
||||
if grep "example text message" outfile; then
|
||||
echo "OK"
|
||||
else
|
||||
|
@ -31,7 +31,7 @@ echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
|
|||
wait_ldns_testns_up fwd2.log
|
||||
|
||||
echo "> dig txt1.example.com. from unbound cache"
|
||||
dig @localhost -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
|
||||
dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
|
||||
if grep "example text message" outfile; then
|
||||
echo "OK"
|
||||
else
|
||||
|
@ -50,7 +50,7 @@ else
|
|||
fi
|
||||
|
||||
echo "> dig txt1.example.com. from cachedb"
|
||||
dig @localhost -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
|
||||
dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
|
||||
if grep "example text message" outfile; then
|
||||
echo "OK"
|
||||
else
|
||||
|
@ -69,7 +69,7 @@ wait_ldns_testns_up fwd3.log
|
|||
|
||||
# stop unbound to flush the cachedb cache
|
||||
echo "> stop unbound"
|
||||
kill_pid `cat unbound.pid`
|
||||
kill_from_pidfile "unbound.pid"
|
||||
|
||||
echo ""
|
||||
echo "> config unbound with cachedb-no-store: yes"
|
||||
|
@ -84,7 +84,7 @@ wait_unbound_up unbound2.log
|
|||
|
||||
echo ""
|
||||
echo "> dig txt1.example.com."
|
||||
dig @localhost -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
|
||||
dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
|
||||
if grep "example text message" outfile; then
|
||||
echo "OK"
|
||||
else
|
||||
|
@ -102,7 +102,7 @@ echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
|
|||
wait_ldns_testns_up fwd4.log
|
||||
|
||||
echo "> dig txt1.example.com. from unbound cache"
|
||||
dig @localhost -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
|
||||
dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
|
||||
if grep "example text message" outfile; then
|
||||
echo "OK"
|
||||
else
|
||||
|
@ -121,7 +121,7 @@ else
|
|||
fi
|
||||
|
||||
echo "> dig txt1.example.com. from cachedb, but that has no message stored"
|
||||
dig @localhost -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
|
||||
dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
|
||||
if grep "SERVFAIL" outfile; then
|
||||
echo "OK"
|
||||
else
|
||||
|
|
|
@ -241,6 +241,5 @@ v.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 ex
|
|||
example.com. 3600 IN NSEC abc.example.com. NS SOA RRSIG NSEC DNSKEY
|
||||
example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. ABEOu6iietfjKY1MS0TutZZxUtRYA6XKsC1rMTrenwBF2darY3/Emco=
|
||||
ENTRY_END
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
||||
|
|
310
contrib/unbound/testdata/iter_dname_ttl.rpl
vendored
Normal file
|
@ -0,0 +1,310 @@
|
|||
; config options
|
||||
; The island of trust is at example.com
|
||||
; validation is enabled because the pickup of DNAME from cache wants
|
||||
; a DNSSEC signed DNAME.
|
||||
server:
|
||||
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
||||
trust-anchor: "example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
|
||||
val-override-date: "20070916134226"
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
qname-minimisation: "no"
|
||||
fake-sha1: yes
|
||||
trust-anchor-signaling: no
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test iterator for TTL of synthesized CNAME of a DNAME from cache.
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION AUTHORITY
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
net. IN A
|
||||
SECTION AUTHORITY
|
||||
net. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
net. IN NS
|
||||
SECTION ANSWER
|
||||
net. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.net. IN A
|
||||
SECTION AUTHORITY
|
||||
example.net. IN NS ns.example.net.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.net. IN A 1.2.3.5
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||
ENTRY_END
|
||||
|
||||
; response to DNSKEY priming query
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
|
||||
example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||
ENTRY_END
|
||||
|
||||
; response to query of interest
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN CNAME
|
||||
SECTION ANSWER
|
||||
www.example.com. IN CNAME www.example.net.
|
||||
www.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFGcJxnNxpWCBzXejiSdl4p1BKRMnAhUApoJrugVBRwFgAoYAhhqlZFac7fE= ;{id = 2854}
|
||||
SECTION AUTHORITY
|
||||
SECTION ADDITIONAL
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www2.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www2.example.com. 3600 IN CNAME www.example.net.
|
||||
www2.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AGgh6pDCL7VF0uJablClW7cgvsPuNzpHZ+M7nZIwi61+0RPhFZLHcN4=
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
foo.test-dname.example.com. IN A
|
||||
SECTION ANSWER
|
||||
test-dname.example.com. 3600 IN DNAME example.net.
|
||||
test-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
|
||||
foo.test-dname.example.com. 3600 IN CNAME foo.example.net.
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.net.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 1.2.3.5
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.net. IN NS
|
||||
SECTION ANSWER
|
||||
example.net. IN NS ns.example.net.
|
||||
example.net. 3600 IN RRSIG NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.net. IN A 1.2.3.5
|
||||
ns.example.net. 3600 IN RRSIG A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
|
||||
ENTRY_END
|
||||
|
||||
; response to DNSKEY priming query
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.net. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
|
||||
example.net. 3600 IN RRSIG DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
|
||||
SECTION AUTHORITY
|
||||
example.net. IN NS ns.example.net.
|
||||
example.net. 3600 IN RRSIG NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.net. IN A 1.2.3.5
|
||||
ns.example.net. 3600 IN RRSIG A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
|
||||
ENTRY_END
|
||||
|
||||
; response to query of interest
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.net. IN A
|
||||
SECTION ANSWER
|
||||
www.example.net. IN A 11.12.13.14
|
||||
www.example.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.net. CPxF5hK9Kg5eT7W6LgZwr0ePYEm9HMcSY4vvqCS6gDWB4X9jvXLCfBkCLhsNybPBpGWlsLi5wM6MTdJXuPpsRA== ;{id = 30899}
|
||||
SECTION AUTHORITY
|
||||
SECTION ADDITIONAL
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
foo.example.net. IN A
|
||||
SECTION ANSWER
|
||||
foo.example.net. IN A 11.12.13.15
|
||||
foo.example.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.net. X6T6SE9UzxAD/4zKpwGOxEDyE4g7lfYYw3lvw533uwRN8mWTcBvSva0/jjyhrogJcuLO32jPHK6zGb93w2xnuA==
|
||||
SECTION AUTHORITY
|
||||
SECTION ADDITIONAL
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
foo2.example.net. IN A
|
||||
SECTION ANSWER
|
||||
foo2.example.net. IN A 11.12.13.16
|
||||
foo2.example.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.net. BZm+GljD8m9N+pNJN8D+LlSyHqM+InNUe0+heKILR9be+Goqv6SEb7LKtX6+kj3239Y5by7u+/Cuk8kkWistEQ==
|
||||
SECTION AUTHORITY
|
||||
SECTION ADDITIONAL
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
STEP 1 TIME_PASSES ELAPSE 10
|
||||
; Get DNAME in cache and then pick it up again from cache.
|
||||
STEP 10 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD DO
|
||||
SECTION QUESTION
|
||||
foo.test-dname.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 20 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AD DO NOERROR
|
||||
SECTION QUESTION
|
||||
foo.test-dname.example.com. IN A
|
||||
SECTION ANSWER
|
||||
test-dname.example.com. 3600 IN DNAME example.net.
|
||||
test-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
|
||||
foo.test-dname.example.com. 3600 IN CNAME foo.example.net.
|
||||
foo.example.net. IN A 11.12.13.15
|
||||
foo.example.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.net. X6T6SE9UzxAD/4zKpwGOxEDyE4g7lfYYw3lvw533uwRN8mWTcBvSva0/jjyhrogJcuLO32jPHK6zGb93w2xnuA==
|
||||
ENTRY_END
|
||||
|
||||
STEP 30 TIME_PASSES ELAPSE 10
|
||||
|
||||
; Use DNAME from cache
|
||||
STEP 40 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD DO
|
||||
SECTION QUESTION
|
||||
foo2.test-dname.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; Test the TTL on the synthesized CNAME for the DNAME record from cache.
|
||||
STEP 50 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA AD DO NOERROR
|
||||
SECTION QUESTION
|
||||
foo2.test-dname.example.com. IN A
|
||||
SECTION ANSWER
|
||||
test-dname.example.com. 3590 IN DNAME example.net.
|
||||
test-dname.example.com. 3590 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
|
||||
foo2.test-dname.example.com. 3590 IN CNAME foo2.example.net.
|
||||
foo2.example.net. 3600 IN A 11.12.13.16
|
||||
foo2.example.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.net. BZm+GljD8m9N+pNJN8D+LlSyHqM+InNUe0+heKILR9be+Goqv6SEb7LKtX6+kj3239Y5by7u+/Cuk8kkWistEQ==
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
|
@ -6,8 +6,8 @@
|
|||
|
||||
PRE="../.."
|
||||
# do the test
|
||||
echo "> dig www.example.com."
|
||||
dig @localhost -p $UNBOUND_PORT . SOA | tee outfile
|
||||
echo "> dig . SOA"
|
||||
dig @127.0.0.1 -p $UNBOUND_PORT . SOA | tee outfile
|
||||
echo "> check answer"
|
||||
if grep root-servers outfile | grep "nstld.verisign-grs.com"; then
|
||||
echo "OK"
|
||||
|
@ -26,7 +26,19 @@ else
|
|||
fi
|
||||
|
||||
# This is the output when an unsupported algorithm is used.
|
||||
if grep "auth zone . ZONEMD unsupported algorithm" unbound.log; then
|
||||
if grep "auth zone . zonemd DNSSEC verification of SOA and ZONEMD RRsets secure" unbound.log; then
|
||||
echo "OK"
|
||||
else
|
||||
echo "ZONEMD verification not OK"
|
||||
exit 1
|
||||
fi
|
||||
if grep "auth-zone . ZONEMD hash is correct" unbound.log; then
|
||||
echo "OK"
|
||||
else
|
||||
echo "ZONEMD verification not OK"
|
||||
exit 1
|
||||
fi
|
||||
if grep "auth zone . ZONEMD verification successful" unbound.log; then
|
||||
echo "OK"
|
||||
else
|
||||
echo "ZONEMD verification not OK"
|
||||
|
@ -40,12 +52,12 @@ if test $? -ne 0; then
|
|||
exit 1
|
||||
fi
|
||||
# The output of the reload can be checked.
|
||||
#echo "> check unbound-control output"
|
||||
#if grep "example.com: ZONEMD verification successful" outfile; then
|
||||
#echo "OK"
|
||||
#else
|
||||
#echo "Not OK"
|
||||
#exit 1
|
||||
#fi
|
||||
echo "> check unbound-control output"
|
||||
if grep ".: ZONEMD verification successful" outfile; then
|
||||
echo "OK"
|
||||
else
|
||||
echo "Not OK"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
exit 0
|
||||
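Review bot: The re-enabled check `grep ".: ZONEMD verification successful" outfile` uses an unescaped `.`, which grep treats as "any character", so the test also passes on a line for some other zone that ends in `: ZONEMD verification successful`. The other root-zone patterns in this file (`auth zone . zonemd ...`, `auth-zone . ZONEMD hash is correct`) have the same looseness. These are fixed strings, so `grep -F ".: ZONEMD verification successful" outfile`, or escaping the dot as `\.`, narrows the check to the literal text the test means to see.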
|
|
151
contrib/unbound/testdata/rrset_use_cached.rpl
vendored
Normal file
|
@ -0,0 +1,151 @@
|
|||
server:
|
||||
minimal-responses: no
|
||||
serve-expired: yes
|
||||
# The value does not matter, we will not simulate delay.
|
||||
# We do not want only serve-expired because fetches from that
|
||||
# apply a generous PREFETCH_LEEWAY.
|
||||
serve-expired-client-timeout: 1000
|
||||
# So that we can only have to give one SERVFAIL answer.
|
||||
outbound-msg-retry: 0
|
||||
|
||||
forward-zone: name: "." forward-addr: 216.0.0.1
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN RRset from cache updates the message TTL.
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
; the query is sent to the forwarder - no cache yet.
|
||||
STEP 2 CHECK_OUT_QUERY
|
||||
ENTRY_BEGIN
|
||||
MATCH qname qtype opcode
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
STEP 3 REPLY
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
; authoritative answer
|
||||
REPLY QR AA RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 5 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 10.20.30.50
|
||||
ENTRY_END
|
||||
STEP 4 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 5 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 10.20.30.50
|
||||
ENTRY_END
|
||||
|
||||
; Wait for the A RRSET to expire.
|
||||
STEP 5 TIME_PASSES ELAPSE 6
|
||||
|
||||
STEP 6 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
; expired answer will not be served due to serve-expired-client-timeout.
|
||||
STEP 7 CHECK_OUT_QUERY
|
||||
ENTRY_BEGIN
|
||||
MATCH qname qtype opcode
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
STEP 8 REPLY
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
; authoritative answer
|
||||
REPLY QR AA RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 5 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 10.20.30.50
|
||||
ENTRY_END
|
||||
; The cached NS related RRSETs will not be overwritten by the fresh answer.
|
||||
; The message should have a TTL of 4 instead of 5 from above.
|
||||
STEP 9 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 5 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 4 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 4 IN A 10.20.30.50
|
||||
ENTRY_END
|
||||
|
||||
; Wait for the NS RRSETs to expire.
|
||||
STEP 10 TIME_PASSES ELAPSE 5
|
||||
|
||||
STEP 11 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
; The message should be expired, again no expired answer at this point due to
|
||||
; serve-expired-client-timeout.
|
||||
STEP 12 CHECK_OUT_QUERY
|
||||
ENTRY_BEGIN
|
||||
MATCH qname qtype opcode
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
STEP 13 REPLY
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR RD RA SERVFAIL
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
; The SERVFAIL will trigger the serve-expired-client-timeout logic to try and
|
||||
; replace the SERVFAIL with a possible cached (expired) answer.
|
||||
; The A RRSET would be at 0TTL left (not expired) but the message should have
|
||||
; been updated to use a TTL of 4 so expired by now.
|
||||
; If the message TTL was not updated (bug), this message would be treated as
|
||||
; non-expired and the now expired NS related RRSETs would fail sanity checks
|
||||
; for non-expired messages. The result would be SERVFAIL here.
|
||||
STEP 14 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all ttl
|
||||
REPLY QR RD RA
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. 0 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. 30 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 30 IN A 10.20.30.50
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
|
@ -46,7 +46,7 @@ RANGE_BEGIN 30 100
|
|||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. 10 IN NS
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
|
|
|
@ -46,7 +46,7 @@ RANGE_BEGIN 30 100
|
|||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. 10 IN NS
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
|
|
|
@ -44,7 +44,7 @@ RANGE_BEGIN 30 100
|
|||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. 10 IN NS
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
|
|
|
@ -45,7 +45,7 @@ RANGE_BEGIN 30 100
|
|||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. 10 IN NS
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
|
|
|
@ -49,7 +49,7 @@ RANGE_BEGIN 60 100
|
|||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. 10 IN NS
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. 10 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
|
|
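--- a/contrib/unbound/testdata/subnet_scopezero_noedns.crpl
+++ b/contrib/unbound/testdata/subnet_scopezero_noedns.crpl
@@ -0,0 +1,441 @@
+; scope of 0, if the query also had scope of 0, do not answer this
+; to everyone, but only for scope 0 queries. Otherwise can answer cached.
+
+server:
+target-fetch-policy: "0 0 0 0 0"
+send-client-subnet: 1.2.3.4
+module-config: "subnetcache validator iterator"
+verbosity: 4
+qname-minimisation: no
+
+stub-zone:
+name: "."
+stub-addr: 193.0.14.129
+
+stub-zone:
+name: "example.com"
+stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test subnet cache with scope zero response without EDNS.
+
+; the upstream server.
+RANGE_BEGIN 0 100
+ADDRESS 193.0.14.129
+
+ENTRY_BEGIN
+MATCH opcode qtype qname ednsdata
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+;; we expect to receive empty
+HEX_EDNSDATA_END
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 0 11
+ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+;copy_ednsdata_assume_clientsubnet
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+; client is 127.0.0.1
+00 08 ; OPC
+00 07 ; option length
+00 01 ; Family
+18 11 ; source mask, scopemask
+7f 00 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 20 31
+ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+;copy_ednsdata_assume_clientsubnet
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+; client is 127.0.0.1
+00 08 ; OPC
+00 07 ; option length
+00 01 ; Family
+18 11 ; source mask, scopemask
+7f 01 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 40 51
+ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+;copy_ednsdata_assume_clientsubnet
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.42
+SECTION AUTHORITY
+SECTION ADDITIONAL
+;no EDNS in this answer. Tests if the back_parsed callback
+;is called to process the lack of edns contents.
+;HEX_EDNSDATA_BEGIN
+;00 08 ; OPC
+;00 04 ; option length
+;00 01 ; Family
+;00 00 ; source mask, scopemask
+; ; address 0.0.0.0/0 scope 0
+;HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 120 131
+ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+;copy_ednsdata_assume_clientsubnet
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.43
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+00 08 ; OPC
+00 07 ; option length
+00 01 ; Family
+18 00 ; source mask, scopemask
+7f 02 00 ; address 127.2.0.0/24 scope 0
+HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+
+; query for 127.0.0.0/24
+STEP 1 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+00 00 01 00 00 01 00 00 ;ID 0
+00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+07 65 78 61 6d 70 6c 65
+03 63 6f 6d 00 00 01 00
+01 00 00 29 10 00 00 00
+80 00 00 0b
+
+00 08 00 07 ; OPC, optlen
+00 01 18 00 ; ip4, scope 24, source 0
+7f 00 00 ;127.0.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer is 10.20.30.40 for 127.0.0.0/24 scope 17
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+; client is 127.0.0.1
+00 08 ; OPC
+00 07 ; option length
+00 01 ; Family
+18 11 ; source mask, scopemask
+7f 00 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 127.1.0.0/24
+STEP 20 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+00 00 01 00 00 01 00 00 ;ID 0
+00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+07 65 78 61 6d 70 6c 65
+03 63 6f 6d 00 00 01 00
+01 00 00 29 10 00 00 00
+80 00 00 0b
+
+00 08 00 07 ; OPC, optlen
+00 01 18 00 ; ip4, scope 24, source 0
+7f 01 00 ;127.1.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer is 10.20.30.41 for 127.1.0.0/24 scope 17
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+; client is 127.1.0.1
+00 08 ; OPC
+00 07 ; option length
+00 01 ; Family
+18 11 ; source mask, scopemask
+7f 01 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 0.0.0.0/0
+STEP 40 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+00 00 01 00 00 01 00 00 ;ID 0
+00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+07 65 78 61 6d 70 6c 65
+03 63 6f 6d 00 00 01 00
+01 00 00 29 10 00 00 00
+80 00 00 08
+
+00 08 00 04 ; OPC, optlen
+00 01 00 00 ; ip4, scope 0, source 0
+;0.0.0.0/0
+HEX_ANSWER_END
+ENTRY_END
+
+; answer is 10.20.30.42 for 0.0.0.0/0 scope 0
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.42
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+00 08 ; OPC
+00 04 ; option length
+00 01 ; Family
+00 00 ; source mask, scopemask
+; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 127.0.0.0/24, again, it should be in cache.
+; and not from the scope 0 answer.
+STEP 60 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+00 00 01 00 00 01 00 00 ;ID 0
+00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+07 65 78 61 6d 70 6c 65
+03 63 6f 6d 00 00 01 00
+01 00 00 29 10 00 00 00
+80 00 00 0b
+
+00 08 00 07 ; OPC, optlen
+00 01 18 00 ; ip4, scope 24, source 0
+7f 00 00 ;127.0.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer should be 10.20.30.40 for 127.0.0.0/24 scope 17
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+; client is 127.0.0.1
+00 08 ; OPC
+00 07 ; option length
+00 01 ; Family
+18 11 ; source mask, scopemask
+7f 00 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 127.1.0.0/24, again, it should be in cache.
+STEP 80 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+00 00 01 00 00 01 00 00 ;ID 0
+00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+07 65 78 61 6d 70 6c 65
+03 63 6f 6d 00 00 01 00
+01 00 00 29 10 00 00 00
+80 00 00 0b
+
+00 08 00 07 ; OPC, optlen
+00 01 18 00 ; ip4, scope 24, source 0
+7f 01 00 ;127.1.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer should be 10.20.30.41 for 127.1.0.0/24 scope 17
+STEP 90 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+; client is 127.1.0.1
+00 08 ; OPC
+00 07 ; option length
+00 01 ; Family
+18 11 ; source mask, scopemask
+7f 01 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 0.0.0.0/0, again.
+STEP 100 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+00 00 01 00 00 01 00 00 ;ID 0
+00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+07 65 78 61 6d 70 6c 65
+03 63 6f 6d 00 00 01 00
+01 00 00 29 10 00 00 00
+80 00 00 08
+
+00 08 00 04 ; OPC, optlen
+00 01 00 00 ; ip4, scope 0, source 0
+;0.0.0.0/0
+HEX_ANSWER_END
+ENTRY_END
+
+; answer should be 10.20.30.42 for 0.0.0.0/0 scope 0
+STEP 110 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.42
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+00 08 ; OPC
+00 04 ; option length
+00 01 ; Family
+00 00 ; source mask, scopemask
+; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; now a query for a /24 that gets an answer for a /0.
+STEP 120 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+00 00 01 00 00 01 00 00 ;ID 0
+00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+07 65 78 61 6d 70 6c 65
+03 63 6f 6d 00 00 01 00
+01 00 00 29 10 00 00 00
+80 00 00 0b
+
+00 08 00 07 ; OPC, optlen
+00 01 18 00 ; ip4, scope 24, source 0
+7f 02 00 ;127.2.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer should be 10.20.30.43 for 127.2.0.0/24 scope 0
+STEP 130 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.43
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+; client is 127.2.0.1
+00 08 ; OPC
+00 07 ; option length
+00 01 ; Family
+18 00 ; source mask, scopemask
+7f 02 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; the scope 0 answer is now used to answer queries from
+; query for 127.0.0.0/24
+STEP 140 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+00 00 01 00 00 01 00 00 ;ID 0
+00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+07 65 78 61 6d 70 6c 65
+03 63 6f 6d 00 00 01 00
+01 00 00 29 10 00 00 00
+80 00 00 0b
+
+00 08 00 07 ; OPC, optlen
+00 01 18 00 ; ip4, scope 24, source 0
+7f 00 00 ;127.0.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+STEP 150 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.43
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+; client is 127.0.0.1
+00 08 ; OPC
+00 07 ; option length
+00 01 ; Family
+18 00 ; source mask, scopemask
+7f 00 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+SCENARIO_END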
@ -142,6 +142,7 @@ config_create(void)
|
|||
cfg->log_tag_queryreply = 0;
|
||||
cfg->log_local_actions = 0;
|
||||
cfg->log_servfail = 0;
|
||||
cfg->log_destaddr = 0;
|
||||
#ifndef USE_WINSOCK
|
||||
# ifdef USE_MINI_EVENT
|
||||
/* select max 1024 sockets */
|
||||
|
@ -690,6 +691,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
|||
else S_YNO("log-tag-queryreply:", log_tag_queryreply)
|
||||
else S_YNO("log-local-actions:", log_local_actions)
|
||||
else S_YNO("log-servfail:", log_servfail)
|
||||
else S_YNO("log-destaddr:", log_destaddr)
|
||||
else S_YNO("val-permissive-mode:", val_permissive_mode)
|
||||
else S_YNO("aggressive-nsec:", aggressive_nsec)
|
||||
else S_YNO("ignore-cd-flag:", ignore_cd)
|
||||
|
@ -1127,6 +1129,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
|||
else O_YNO(opt, "log-tag-queryreply", log_tag_queryreply)
|
||||
else O_YNO(opt, "log-local-actions", log_local_actions)
|
||||
else O_YNO(opt, "log-servfail", log_servfail)
|
||||
else O_YNO(opt, "log-destaddr", log_destaddr)
|
||||
else O_STR(opt, "pidfile", pidfile)
|
||||
else O_YNO(opt, "hide-identity", hide_identity)
|
||||
else O_YNO(opt, "hide-version", hide_version)
|
||||
|
|
|
@ -349,6 +349,8 @@ struct config_file {
|
|||
int log_servfail;
|
||||
/** log identity to report */
|
||||
char* log_identity;
|
||||
/** log dest addr for log_replies */
|
||||
int log_destaddr;
|
||||
|
||||
/** do not report identity (id.server, hostname.bind) */
|
||||
int hide_identity;
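Review bot: The new field comment `/** log dest addr for log_replies */` is terser than the comments around it and does not say that the field is a yes/no switch, which the `S_YNO("log-destaddr:", log_destaddr)` line in the config_set_option hunk indicates. Something like `/** log the destination address in log_replies output (yes/no) */` would tell the reader what the switch does; presumably it only has an effect when reply logging is enabled, which is worth stating once confirmed. Only part of `struct config_file` is shown here; the struct starts and ends outside the hunk.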
|
||||
|
|
7627
contrib/unbound/util/configlexer.c
Normal file
7627
contrib/unbound/util/configlexer.c
Normal file
File diff suppressed because it is too large
|
@ -435,6 +435,7 @@ log-replies{COLON} { YDVAR(1, VAR_LOG_REPLIES) }
|
|||
log-tag-queryreply{COLON} { YDVAR(1, VAR_LOG_TAG_QUERYREPLY) }
|
||||
log-local-actions{COLON} { YDVAR(1, VAR_LOG_LOCAL_ACTIONS) }
|
||||
log-servfail{COLON} { YDVAR(1, VAR_LOG_SERVFAIL) }
|
||||
log-destaddr{COLON} { YDVAR(1, VAR_LOG_DESTADDR) }
|
||||
local-zone{COLON} { YDVAR(2, VAR_LOCAL_ZONE) }
|
||||
local-data{COLON} { YDVAR(1, VAR_LOCAL_DATA) }
|
||||
local-data-ptr{COLON} { YDVAR(1, VAR_LOCAL_DATA_PTR) }
|
||||
|
|
7713
contrib/unbound/util/configparser.c
Normal file
7713
contrib/unbound/util/configparser.c
Normal file
File diff suppressed because it is too large
781
contrib/unbound/util/configparser.h
Normal file
781
contrib/unbound/util/configparser.h
Normal file
|
@ -0,0 +1,781 @@
|
|||
/* A Bison parser, made by GNU Bison 3.7.6. */
|
||||
|
||||
/* Bison interface for Yacc-like parsers in C
|
||||
|
||||
Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation,
|
||||
Inc.
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program. If not, see <https://www.gnu.org/licenses/>. */
|
||||
|
||||
/* As a special exception, you may create a larger work that contains
|
||||
part or all of the Bison parser skeleton and distribute that work
|
||||
under terms of your choice, so long as that work isn't itself a
|
||||
parser generator using the skeleton or a modified version thereof
|
||||
as a parser skeleton. Alternatively, if you modify or redistribute
|
||||
the parser skeleton itself, you may (at your option) remove this
|
||||
special exception, which will cause the skeleton and the resulting
|
||||
Bison output files to be licensed under the GNU General Public
|
||||
License without this special exception.
|
||||
|
||||
This special exception was added by the Free Software Foundation in
|
||||
version 2.2 of Bison. */
|
||||
|
||||
/* DO NOT RELY ON FEATURES THAT ARE NOT DOCUMENTED in the manual,
|
||||
especially those whose name start with YY_ or yy_. They are
|
||||
private implementation details that can be changed or removed. */
|
||||
|
||||
#ifndef YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
|
||||
# define YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
|
||||
/* Debug traces. */
|
||||
#ifndef YYDEBUG
|
||||
# define YYDEBUG 0
|
||||
#endif
|
||||
#if YYDEBUG
|
||||
extern int yydebug;
|
||||
#endif
|
||||
|
||||
/* Token kinds. */
|
||||
#ifndef YYTOKENTYPE
|
||||
# define YYTOKENTYPE
|
||||
enum yytokentype
|
||||
{
|
||||
YYEMPTY = -2,
|
||||
YYEOF = 0, /* "end of file" */
|
||||
YYerror = 256, /* error */
|
||||
YYUNDEF = 257, /* "invalid token" */
|
||||
SPACE = 258, /* SPACE */
|
||||
LETTER = 259, /* LETTER */
|
||||
NEWLINE = 260, /* NEWLINE */
|
||||
COMMENT = 261, /* COMMENT */
|
||||
COLON = 262, /* COLON */
|
||||
ANY = 263, /* ANY */
|
||||
ZONESTR = 264, /* ZONESTR */
|
||||
STRING_ARG = 265, /* STRING_ARG */
|
||||
VAR_FORCE_TOPLEVEL = 266, /* VAR_FORCE_TOPLEVEL */
|
||||
VAR_SERVER = 267, /* VAR_SERVER */
|
||||
VAR_VERBOSITY = 268, /* VAR_VERBOSITY */
|
||||
VAR_NUM_THREADS = 269, /* VAR_NUM_THREADS */
|
||||
VAR_PORT = 270, /* VAR_PORT */
|
||||
VAR_OUTGOING_RANGE = 271, /* VAR_OUTGOING_RANGE */
|
||||
VAR_INTERFACE = 272, /* VAR_INTERFACE */
|
||||
VAR_PREFER_IP4 = 273, /* VAR_PREFER_IP4 */
|
||||
VAR_DO_IP4 = 274, /* VAR_DO_IP4 */
|
||||
VAR_DO_IP6 = 275, /* VAR_DO_IP6 */
|
||||
VAR_DO_NAT64 = 276, /* VAR_DO_NAT64 */
|
||||
VAR_PREFER_IP6 = 277, /* VAR_PREFER_IP6 */
|
||||
VAR_DO_UDP = 278, /* VAR_DO_UDP */
|
||||
VAR_DO_TCP = 279, /* VAR_DO_TCP */
|
||||
VAR_TCP_MSS = 280, /* VAR_TCP_MSS */
|
||||
VAR_OUTGOING_TCP_MSS = 281, /* VAR_OUTGOING_TCP_MSS */
|
||||
VAR_TCP_IDLE_TIMEOUT = 282, /* VAR_TCP_IDLE_TIMEOUT */
|
||||
VAR_EDNS_TCP_KEEPALIVE = 283, /* VAR_EDNS_TCP_KEEPALIVE */
|
||||
VAR_EDNS_TCP_KEEPALIVE_TIMEOUT = 284, /* VAR_EDNS_TCP_KEEPALIVE_TIMEOUT */
|
||||
VAR_SOCK_QUEUE_TIMEOUT = 285, /* VAR_SOCK_QUEUE_TIMEOUT */
|
||||
VAR_CHROOT = 286, /* VAR_CHROOT */
|
||||
VAR_USERNAME = 287, /* VAR_USERNAME */
|
||||
VAR_DIRECTORY = 288, /* VAR_DIRECTORY */
|
||||
VAR_LOGFILE = 289, /* VAR_LOGFILE */
|
||||
VAR_PIDFILE = 290, /* VAR_PIDFILE */
|
||||
VAR_MSG_CACHE_SIZE = 291, /* VAR_MSG_CACHE_SIZE */
|
||||
VAR_MSG_CACHE_SLABS = 292, /* VAR_MSG_CACHE_SLABS */
|
||||
VAR_NUM_QUERIES_PER_THREAD = 293, /* VAR_NUM_QUERIES_PER_THREAD */
|
||||
VAR_RRSET_CACHE_SIZE = 294, /* VAR_RRSET_CACHE_SIZE */
|
||||
VAR_RRSET_CACHE_SLABS = 295, /* VAR_RRSET_CACHE_SLABS */
|
||||
VAR_OUTGOING_NUM_TCP = 296, /* VAR_OUTGOING_NUM_TCP */
|
||||
VAR_INFRA_HOST_TTL = 297, /* VAR_INFRA_HOST_TTL */
|
||||
VAR_INFRA_LAME_TTL = 298, /* VAR_INFRA_LAME_TTL */
|
||||
VAR_INFRA_CACHE_SLABS = 299, /* VAR_INFRA_CACHE_SLABS */
|
||||
VAR_INFRA_CACHE_NUMHOSTS = 300, /* VAR_INFRA_CACHE_NUMHOSTS */
|
||||
VAR_INFRA_CACHE_LAME_SIZE = 301, /* VAR_INFRA_CACHE_LAME_SIZE */
|
||||
VAR_NAME = 302, /* VAR_NAME */
|
||||
VAR_STUB_ZONE = 303, /* VAR_STUB_ZONE */
|
||||
VAR_STUB_HOST = 304, /* VAR_STUB_HOST */
|
||||
VAR_STUB_ADDR = 305, /* VAR_STUB_ADDR */
|
||||
VAR_TARGET_FETCH_POLICY = 306, /* VAR_TARGET_FETCH_POLICY */
|
||||
VAR_HARDEN_SHORT_BUFSIZE = 307, /* VAR_HARDEN_SHORT_BUFSIZE */
|
||||
VAR_HARDEN_LARGE_QUERIES = 308, /* VAR_HARDEN_LARGE_QUERIES */
|
||||
VAR_FORWARD_ZONE = 309, /* VAR_FORWARD_ZONE */
|
||||
VAR_FORWARD_HOST = 310, /* VAR_FORWARD_HOST */
|
||||
VAR_FORWARD_ADDR = 311, /* VAR_FORWARD_ADDR */
|
||||
VAR_DO_NOT_QUERY_ADDRESS = 312, /* VAR_DO_NOT_QUERY_ADDRESS */
|
||||
VAR_HIDE_IDENTITY = 313, /* VAR_HIDE_IDENTITY */
|
||||
VAR_HIDE_VERSION = 314, /* VAR_HIDE_VERSION */
|
||||
VAR_IDENTITY = 315, /* VAR_IDENTITY */
|
||||
VAR_VERSION = 316, /* VAR_VERSION */
|
||||
VAR_HARDEN_GLUE = 317, /* VAR_HARDEN_GLUE */
|
||||
VAR_MODULE_CONF = 318, /* VAR_MODULE_CONF */
|
||||
VAR_TRUST_ANCHOR_FILE = 319, /* VAR_TRUST_ANCHOR_FILE */
|
||||
VAR_TRUST_ANCHOR = 320, /* VAR_TRUST_ANCHOR */
|
||||
VAR_VAL_OVERRIDE_DATE = 321, /* VAR_VAL_OVERRIDE_DATE */
|
||||
VAR_BOGUS_TTL = 322, /* VAR_BOGUS_TTL */
|
||||
VAR_VAL_CLEAN_ADDITIONAL = 323, /* VAR_VAL_CLEAN_ADDITIONAL */
|
||||
VAR_VAL_PERMISSIVE_MODE = 324, /* VAR_VAL_PERMISSIVE_MODE */
|
||||
VAR_INCOMING_NUM_TCP = 325, /* VAR_INCOMING_NUM_TCP */
|
||||
VAR_MSG_BUFFER_SIZE = 326, /* VAR_MSG_BUFFER_SIZE */
|
||||
VAR_KEY_CACHE_SIZE = 327, /* VAR_KEY_CACHE_SIZE */
|
||||
VAR_KEY_CACHE_SLABS = 328, /* VAR_KEY_CACHE_SLABS */
|
||||
VAR_TRUSTED_KEYS_FILE = 329, /* VAR_TRUSTED_KEYS_FILE */
|
||||
VAR_VAL_NSEC3_KEYSIZE_ITERATIONS = 330, /* VAR_VAL_NSEC3_KEYSIZE_ITERATIONS */
|
||||
VAR_USE_SYSLOG = 331, /* VAR_USE_SYSLOG */
|
||||
VAR_OUTGOING_INTERFACE = 332, /* VAR_OUTGOING_INTERFACE */
|
||||
VAR_ROOT_HINTS = 333, /* VAR_ROOT_HINTS */
|
||||
VAR_DO_NOT_QUERY_LOCALHOST = 334, /* VAR_DO_NOT_QUERY_LOCALHOST */
|
||||
VAR_CACHE_MAX_TTL = 335, /* VAR_CACHE_MAX_TTL */
|
||||
VAR_HARDEN_DNSSEC_STRIPPED = 336, /* VAR_HARDEN_DNSSEC_STRIPPED */
|
||||
VAR_ACCESS_CONTROL = 337, /* VAR_ACCESS_CONTROL */
|
||||
VAR_LOCAL_ZONE = 338, /* VAR_LOCAL_ZONE */
|
||||
VAR_LOCAL_DATA = 339, /* VAR_LOCAL_DATA */
|
||||
VAR_INTERFACE_AUTOMATIC = 340, /* VAR_INTERFACE_AUTOMATIC */
|
||||
VAR_STATISTICS_INTERVAL = 341, /* VAR_STATISTICS_INTERVAL */
|
||||
VAR_DO_DAEMONIZE = 342, /* VAR_DO_DAEMONIZE */
|
||||
VAR_USE_CAPS_FOR_ID = 343, /* VAR_USE_CAPS_FOR_ID */
|
||||
VAR_STATISTICS_CUMULATIVE = 344, /* VAR_STATISTICS_CUMULATIVE */
|
||||
VAR_OUTGOING_PORT_PERMIT = 345, /* VAR_OUTGOING_PORT_PERMIT */
|
||||
VAR_OUTGOING_PORT_AVOID = 346, /* VAR_OUTGOING_PORT_AVOID */
|
||||
VAR_DLV_ANCHOR_FILE = 347, /* VAR_DLV_ANCHOR_FILE */
|
||||
VAR_DLV_ANCHOR = 348, /* VAR_DLV_ANCHOR */
|
||||
VAR_NEG_CACHE_SIZE = 349, /* VAR_NEG_CACHE_SIZE */
|
||||
VAR_HARDEN_REFERRAL_PATH = 350, /* VAR_HARDEN_REFERRAL_PATH */
|
||||
VAR_PRIVATE_ADDRESS = 351, /* VAR_PRIVATE_ADDRESS */
|
||||
VAR_PRIVATE_DOMAIN = 352, /* VAR_PRIVATE_DOMAIN */
|
||||
VAR_REMOTE_CONTROL = 353, /* VAR_REMOTE_CONTROL */
|
||||
VAR_CONTROL_ENABLE = 354, /* VAR_CONTROL_ENABLE */
|
||||
VAR_CONTROL_INTERFACE = 355, /* VAR_CONTROL_INTERFACE */
|
||||
VAR_CONTROL_PORT = 356, /* VAR_CONTROL_PORT */
|
||||
VAR_SERVER_KEY_FILE = 357, /* VAR_SERVER_KEY_FILE */
|
||||
VAR_SERVER_CERT_FILE = 358, /* VAR_SERVER_CERT_FILE */
|
||||
VAR_CONTROL_KEY_FILE = 359, /* VAR_CONTROL_KEY_FILE */
|
||||
VAR_CONTROL_CERT_FILE = 360, /* VAR_CONTROL_CERT_FILE */
|
||||
VAR_CONTROL_USE_CERT = 361, /* VAR_CONTROL_USE_CERT */
|
||||
VAR_TCP_REUSE_TIMEOUT = 362, /* VAR_TCP_REUSE_TIMEOUT */
|
||||
VAR_MAX_REUSE_TCP_QUERIES = 363, /* VAR_MAX_REUSE_TCP_QUERIES */
|
||||
VAR_EXTENDED_STATISTICS = 364, /* VAR_EXTENDED_STATISTICS */
|
||||
VAR_LOCAL_DATA_PTR = 365, /* VAR_LOCAL_DATA_PTR */
|
||||
VAR_JOSTLE_TIMEOUT = 366, /* VAR_JOSTLE_TIMEOUT */
|
||||
VAR_STUB_PRIME = 367, /* VAR_STUB_PRIME */
|
||||
VAR_UNWANTED_REPLY_THRESHOLD = 368, /* VAR_UNWANTED_REPLY_THRESHOLD */
|
||||
VAR_LOG_TIME_ASCII = 369, /* VAR_LOG_TIME_ASCII */
|
||||
VAR_DOMAIN_INSECURE = 370, /* VAR_DOMAIN_INSECURE */
|
||||
VAR_PYTHON = 371, /* VAR_PYTHON */
|
||||
VAR_PYTHON_SCRIPT = 372, /* VAR_PYTHON_SCRIPT */
|
||||
VAR_VAL_SIG_SKEW_MIN = 373, /* VAR_VAL_SIG_SKEW_MIN */
|
||||
VAR_VAL_SIG_SKEW_MAX = 374, /* VAR_VAL_SIG_SKEW_MAX */
|
||||
VAR_VAL_MAX_RESTART = 375, /* VAR_VAL_MAX_RESTART */
|
||||
VAR_CACHE_MIN_TTL = 376, /* VAR_CACHE_MIN_TTL */
|
||||
VAR_VAL_LOG_LEVEL = 377, /* VAR_VAL_LOG_LEVEL */
|
||||
VAR_AUTO_TRUST_ANCHOR_FILE = 378, /* VAR_AUTO_TRUST_ANCHOR_FILE */
|
||||
VAR_KEEP_MISSING = 379, /* VAR_KEEP_MISSING */
|
||||
VAR_ADD_HOLDDOWN = 380, /* VAR_ADD_HOLDDOWN */
|
||||
VAR_DEL_HOLDDOWN = 381, /* VAR_DEL_HOLDDOWN */
|
||||
VAR_SO_RCVBUF = 382, /* VAR_SO_RCVBUF */
|
||||
VAR_EDNS_BUFFER_SIZE = 383, /* VAR_EDNS_BUFFER_SIZE */
|
||||
VAR_PREFETCH = 384, /* VAR_PREFETCH */
|
||||
VAR_PREFETCH_KEY = 385, /* VAR_PREFETCH_KEY */
|
||||
VAR_SO_SNDBUF = 386, /* VAR_SO_SNDBUF */
|
||||
VAR_SO_REUSEPORT = 387, /* VAR_SO_REUSEPORT */
|
||||
VAR_HARDEN_BELOW_NXDOMAIN = 388, /* VAR_HARDEN_BELOW_NXDOMAIN */
|
||||
VAR_IGNORE_CD_FLAG = 389, /* VAR_IGNORE_CD_FLAG */
|
||||
VAR_LOG_QUERIES = 390, /* VAR_LOG_QUERIES */
|
||||
VAR_LOG_REPLIES = 391, /* VAR_LOG_REPLIES */
|
||||
VAR_LOG_LOCAL_ACTIONS = 392, /* VAR_LOG_LOCAL_ACTIONS */
|
||||
VAR_TCP_UPSTREAM = 393, /* VAR_TCP_UPSTREAM */
|
||||
VAR_SSL_UPSTREAM = 394, /* VAR_SSL_UPSTREAM */
|
||||
VAR_TCP_AUTH_QUERY_TIMEOUT = 395, /* VAR_TCP_AUTH_QUERY_TIMEOUT */
|
||||
VAR_SSL_SERVICE_KEY = 396, /* VAR_SSL_SERVICE_KEY */
|
||||
VAR_SSL_SERVICE_PEM = 397, /* VAR_SSL_SERVICE_PEM */
|
||||
VAR_SSL_PORT = 398, /* VAR_SSL_PORT */
|
||||
VAR_FORWARD_FIRST = 399, /* VAR_FORWARD_FIRST */
|
||||
VAR_STUB_SSL_UPSTREAM = 400, /* VAR_STUB_SSL_UPSTREAM */
|
||||
VAR_FORWARD_SSL_UPSTREAM = 401, /* VAR_FORWARD_SSL_UPSTREAM */
|
||||
VAR_TLS_CERT_BUNDLE = 402, /* VAR_TLS_CERT_BUNDLE */
|
||||
VAR_STUB_TCP_UPSTREAM = 403, /* VAR_STUB_TCP_UPSTREAM */
|
||||
VAR_FORWARD_TCP_UPSTREAM = 404, /* VAR_FORWARD_TCP_UPSTREAM */
|
||||
VAR_HTTPS_PORT = 405, /* VAR_HTTPS_PORT */
|
||||
VAR_HTTP_ENDPOINT = 406, /* VAR_HTTP_ENDPOINT */
|
||||
VAR_HTTP_MAX_STREAMS = 407, /* VAR_HTTP_MAX_STREAMS */
|
||||
VAR_HTTP_QUERY_BUFFER_SIZE = 408, /* VAR_HTTP_QUERY_BUFFER_SIZE */
|
||||
VAR_HTTP_RESPONSE_BUFFER_SIZE = 409, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */
|
||||
VAR_HTTP_NODELAY = 410, /* VAR_HTTP_NODELAY */
|
||||
VAR_HTTP_NOTLS_DOWNSTREAM = 411, /* VAR_HTTP_NOTLS_DOWNSTREAM */
|
||||
VAR_STUB_FIRST = 412, /* VAR_STUB_FIRST */
|
||||
VAR_MINIMAL_RESPONSES = 413, /* VAR_MINIMAL_RESPONSES */
|
||||
VAR_RRSET_ROUNDROBIN = 414, /* VAR_RRSET_ROUNDROBIN */
|
||||
VAR_MAX_UDP_SIZE = 415, /* VAR_MAX_UDP_SIZE */
|
||||
VAR_DELAY_CLOSE = 416, /* VAR_DELAY_CLOSE */
|
||||
VAR_UDP_CONNECT = 417, /* VAR_UDP_CONNECT */
|
||||
VAR_UNBLOCK_LAN_ZONES = 418, /* VAR_UNBLOCK_LAN_ZONES */
|
||||
VAR_INSECURE_LAN_ZONES = 419, /* VAR_INSECURE_LAN_ZONES */
|
||||
VAR_INFRA_CACHE_MIN_RTT = 420, /* VAR_INFRA_CACHE_MIN_RTT */
|
||||
VAR_INFRA_CACHE_MAX_RTT = 421, /* VAR_INFRA_CACHE_MAX_RTT */
|
||||
VAR_INFRA_KEEP_PROBING = 422, /* VAR_INFRA_KEEP_PROBING */
|
||||
VAR_DNS64_PREFIX = 423, /* VAR_DNS64_PREFIX */
|
||||
VAR_DNS64_SYNTHALL = 424, /* VAR_DNS64_SYNTHALL */
|
||||
VAR_DNS64_IGNORE_AAAA = 425, /* VAR_DNS64_IGNORE_AAAA */
|
||||
VAR_NAT64_PREFIX = 426, /* VAR_NAT64_PREFIX */
|
||||
VAR_DNSTAP = 427, /* VAR_DNSTAP */
|
||||
VAR_DNSTAP_ENABLE = 428, /* VAR_DNSTAP_ENABLE */
|
||||
VAR_DNSTAP_SOCKET_PATH = 429, /* VAR_DNSTAP_SOCKET_PATH */
|
||||
VAR_DNSTAP_IP = 430, /* VAR_DNSTAP_IP */
|
||||
VAR_DNSTAP_TLS = 431, /* VAR_DNSTAP_TLS */
|
||||
VAR_DNSTAP_TLS_SERVER_NAME = 432, /* VAR_DNSTAP_TLS_SERVER_NAME */
|
||||
VAR_DNSTAP_TLS_CERT_BUNDLE = 433, /* VAR_DNSTAP_TLS_CERT_BUNDLE */
|
||||
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 434, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */
|
||||
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 435, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */
|
||||
VAR_DNSTAP_SEND_IDENTITY = 436, /* VAR_DNSTAP_SEND_IDENTITY */
|
||||
VAR_DNSTAP_SEND_VERSION = 437, /* VAR_DNSTAP_SEND_VERSION */
|
||||
VAR_DNSTAP_BIDIRECTIONAL = 438, /* VAR_DNSTAP_BIDIRECTIONAL */
|
||||
VAR_DNSTAP_IDENTITY = 439, /* VAR_DNSTAP_IDENTITY */
|
||||
VAR_DNSTAP_VERSION = 440, /* VAR_DNSTAP_VERSION */
|
||||
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 441, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */
|
||||
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 442, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */
|
||||
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 443, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */
|
||||
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 444, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */
|
||||
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 445, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */
|
||||
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 446, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */
|
||||
VAR_RESPONSE_IP_TAG = 447, /* VAR_RESPONSE_IP_TAG */
|
||||
VAR_RESPONSE_IP = 448, /* VAR_RESPONSE_IP */
|
||||
VAR_RESPONSE_IP_DATA = 449, /* VAR_RESPONSE_IP_DATA */
|
||||
VAR_HARDEN_ALGO_DOWNGRADE = 450, /* VAR_HARDEN_ALGO_DOWNGRADE */
|
||||
VAR_IP_TRANSPARENT = 451, /* VAR_IP_TRANSPARENT */
|
||||
VAR_IP_DSCP = 452, /* VAR_IP_DSCP */
|
||||
VAR_DISABLE_DNSSEC_LAME_CHECK = 453, /* VAR_DISABLE_DNSSEC_LAME_CHECK */
|
||||
VAR_IP_RATELIMIT = 454, /* VAR_IP_RATELIMIT */
|
||||
VAR_IP_RATELIMIT_SLABS = 455, /* VAR_IP_RATELIMIT_SLABS */
|
||||
VAR_IP_RATELIMIT_SIZE = 456, /* VAR_IP_RATELIMIT_SIZE */
|
||||
VAR_RATELIMIT = 457, /* VAR_RATELIMIT */
|
||||
VAR_RATELIMIT_SLABS = 458, /* VAR_RATELIMIT_SLABS */
|
||||
VAR_RATELIMIT_SIZE = 459, /* VAR_RATELIMIT_SIZE */
|
||||
VAR_OUTBOUND_MSG_RETRY = 460, /* VAR_OUTBOUND_MSG_RETRY */
|
||||
VAR_MAX_SENT_COUNT = 461, /* VAR_MAX_SENT_COUNT */
|
||||
VAR_MAX_QUERY_RESTARTS = 462, /* VAR_MAX_QUERY_RESTARTS */
|
||||
VAR_RATELIMIT_FOR_DOMAIN = 463, /* VAR_RATELIMIT_FOR_DOMAIN */
|
||||
VAR_RATELIMIT_BELOW_DOMAIN = 464, /* VAR_RATELIMIT_BELOW_DOMAIN */
|
||||
VAR_IP_RATELIMIT_FACTOR = 465, /* VAR_IP_RATELIMIT_FACTOR */
|
||||
VAR_RATELIMIT_FACTOR = 466, /* VAR_RATELIMIT_FACTOR */
|
||||
VAR_IP_RATELIMIT_BACKOFF = 467, /* VAR_IP_RATELIMIT_BACKOFF */
|
||||
VAR_RATELIMIT_BACKOFF = 468, /* VAR_RATELIMIT_BACKOFF */
|
||||
VAR_SEND_CLIENT_SUBNET = 469, /* VAR_SEND_CLIENT_SUBNET */
|
||||
VAR_CLIENT_SUBNET_ZONE = 470, /* VAR_CLIENT_SUBNET_ZONE */
|
||||
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 471, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */
|
||||
VAR_CLIENT_SUBNET_OPCODE = 472, /* VAR_CLIENT_SUBNET_OPCODE */
|
||||
VAR_MAX_CLIENT_SUBNET_IPV4 = 473, /* VAR_MAX_CLIENT_SUBNET_IPV4 */
|
||||
VAR_MAX_CLIENT_SUBNET_IPV6 = 474, /* VAR_MAX_CLIENT_SUBNET_IPV6 */
|
||||
VAR_MIN_CLIENT_SUBNET_IPV4 = 475, /* VAR_MIN_CLIENT_SUBNET_IPV4 */
|
||||
VAR_MIN_CLIENT_SUBNET_IPV6 = 476, /* VAR_MIN_CLIENT_SUBNET_IPV6 */
|
||||
VAR_MAX_ECS_TREE_SIZE_IPV4 = 477, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */
|
||||
VAR_MAX_ECS_TREE_SIZE_IPV6 = 478, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */
|
||||
VAR_CAPS_WHITELIST = 479, /* VAR_CAPS_WHITELIST */
|
||||
VAR_CACHE_MAX_NEGATIVE_TTL = 480, /* VAR_CACHE_MAX_NEGATIVE_TTL */
|
||||
VAR_PERMIT_SMALL_HOLDDOWN = 481, /* VAR_PERMIT_SMALL_HOLDDOWN */
|
||||
VAR_QNAME_MINIMISATION = 482, /* VAR_QNAME_MINIMISATION */
|
||||
VAR_QNAME_MINIMISATION_STRICT = 483, /* VAR_QNAME_MINIMISATION_STRICT */
|
||||
VAR_IP_FREEBIND = 484, /* VAR_IP_FREEBIND */
|
||||
VAR_DEFINE_TAG = 485, /* VAR_DEFINE_TAG */
|
||||
VAR_LOCAL_ZONE_TAG = 486, /* VAR_LOCAL_ZONE_TAG */
|
||||
VAR_ACCESS_CONTROL_TAG = 487, /* VAR_ACCESS_CONTROL_TAG */
|
||||
VAR_LOCAL_ZONE_OVERRIDE = 488, /* VAR_LOCAL_ZONE_OVERRIDE */
|
||||
VAR_ACCESS_CONTROL_TAG_ACTION = 489, /* VAR_ACCESS_CONTROL_TAG_ACTION */
|
||||
VAR_ACCESS_CONTROL_TAG_DATA = 490, /* VAR_ACCESS_CONTROL_TAG_DATA */
|
||||
VAR_VIEW = 491, /* VAR_VIEW */
|
||||
VAR_ACCESS_CONTROL_VIEW = 492, /* VAR_ACCESS_CONTROL_VIEW */
|
||||
VAR_VIEW_FIRST = 493, /* VAR_VIEW_FIRST */
|
||||
VAR_SERVE_EXPIRED = 494, /* VAR_SERVE_EXPIRED */
|
||||
VAR_SERVE_EXPIRED_TTL = 495, /* VAR_SERVE_EXPIRED_TTL */
|
||||
VAR_SERVE_EXPIRED_TTL_RESET = 496, /* VAR_SERVE_EXPIRED_TTL_RESET */
|
||||
VAR_SERVE_EXPIRED_REPLY_TTL = 497, /* VAR_SERVE_EXPIRED_REPLY_TTL */
|
||||
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 498, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */
|
||||
VAR_EDE_SERVE_EXPIRED = 499, /* VAR_EDE_SERVE_EXPIRED */
|
||||
VAR_SERVE_ORIGINAL_TTL = 500, /* VAR_SERVE_ORIGINAL_TTL */
|
||||
VAR_FAKE_DSA = 501, /* VAR_FAKE_DSA */
|
||||
VAR_FAKE_SHA1 = 502, /* VAR_FAKE_SHA1 */
|
||||
VAR_LOG_IDENTITY = 503, /* VAR_LOG_IDENTITY */
|
||||
VAR_HIDE_TRUSTANCHOR = 504, /* VAR_HIDE_TRUSTANCHOR */
|
||||
VAR_HIDE_HTTP_USER_AGENT = 505, /* VAR_HIDE_HTTP_USER_AGENT */
|
||||
VAR_HTTP_USER_AGENT = 506, /* VAR_HTTP_USER_AGENT */
|
||||
VAR_TRUST_ANCHOR_SIGNALING = 507, /* VAR_TRUST_ANCHOR_SIGNALING */
|
||||
VAR_AGGRESSIVE_NSEC = 508, /* VAR_AGGRESSIVE_NSEC */
|
||||
VAR_USE_SYSTEMD = 509, /* VAR_USE_SYSTEMD */
|
||||
VAR_SHM_ENABLE = 510, /* VAR_SHM_ENABLE */
|
||||
VAR_SHM_KEY = 511, /* VAR_SHM_KEY */
|
||||
VAR_ROOT_KEY_SENTINEL = 512, /* VAR_ROOT_KEY_SENTINEL */
|
||||
VAR_DNSCRYPT = 513, /* VAR_DNSCRYPT */
|
||||
VAR_DNSCRYPT_ENABLE = 514, /* VAR_DNSCRYPT_ENABLE */
|
||||
VAR_DNSCRYPT_PORT = 515, /* VAR_DNSCRYPT_PORT */
|
||||
VAR_DNSCRYPT_PROVIDER = 516, /* VAR_DNSCRYPT_PROVIDER */
|
||||
VAR_DNSCRYPT_SECRET_KEY = 517, /* VAR_DNSCRYPT_SECRET_KEY */
|
||||
VAR_DNSCRYPT_PROVIDER_CERT = 518, /* VAR_DNSCRYPT_PROVIDER_CERT */
|
||||
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 519, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */
|
||||
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 520, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */
|
||||
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 521, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */
|
||||
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 522, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */
|
||||
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 523, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */
|
||||
VAR_PAD_RESPONSES = 524, /* VAR_PAD_RESPONSES */
|
||||
VAR_PAD_RESPONSES_BLOCK_SIZE = 525, /* VAR_PAD_RESPONSES_BLOCK_SIZE */
|
||||
VAR_PAD_QUERIES = 526, /* VAR_PAD_QUERIES */
|
||||
VAR_PAD_QUERIES_BLOCK_SIZE = 527, /* VAR_PAD_QUERIES_BLOCK_SIZE */
|
||||
VAR_IPSECMOD_ENABLED = 528, /* VAR_IPSECMOD_ENABLED */
|
||||
VAR_IPSECMOD_HOOK = 529, /* VAR_IPSECMOD_HOOK */
|
||||
VAR_IPSECMOD_IGNORE_BOGUS = 530, /* VAR_IPSECMOD_IGNORE_BOGUS */
|
||||
VAR_IPSECMOD_MAX_TTL = 531, /* VAR_IPSECMOD_MAX_TTL */
|
||||
VAR_IPSECMOD_WHITELIST = 532, /* VAR_IPSECMOD_WHITELIST */
|
||||
VAR_IPSECMOD_STRICT = 533, /* VAR_IPSECMOD_STRICT */
|
||||
VAR_CACHEDB = 534, /* VAR_CACHEDB */
|
||||
VAR_CACHEDB_BACKEND = 535, /* VAR_CACHEDB_BACKEND */
|
||||
VAR_CACHEDB_SECRETSEED = 536, /* VAR_CACHEDB_SECRETSEED */
|
||||
VAR_CACHEDB_REDISHOST = 537, /* VAR_CACHEDB_REDISHOST */
|
||||
VAR_CACHEDB_REDISPORT = 538, /* VAR_CACHEDB_REDISPORT */
|
||||
VAR_CACHEDB_REDISTIMEOUT = 539, /* VAR_CACHEDB_REDISTIMEOUT */
|
||||
VAR_CACHEDB_REDISEXPIRERECORDS = 540, /* VAR_CACHEDB_REDISEXPIRERECORDS */
|
||||
VAR_CACHEDB_REDISPATH = 541, /* VAR_CACHEDB_REDISPATH */
|
||||
VAR_CACHEDB_REDISPASSWORD = 542, /* VAR_CACHEDB_REDISPASSWORD */
|
||||
VAR_CACHEDB_REDISLOGICALDB = 543, /* VAR_CACHEDB_REDISLOGICALDB */
|
||||
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 544, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */
|
||||
VAR_FOR_UPSTREAM = 545, /* VAR_FOR_UPSTREAM */
|
||||
VAR_AUTH_ZONE = 546, /* VAR_AUTH_ZONE */
|
||||
VAR_ZONEFILE = 547, /* VAR_ZONEFILE */
|
||||
VAR_MASTER = 548, /* VAR_MASTER */
|
||||
VAR_URL = 549, /* VAR_URL */
|
||||
VAR_FOR_DOWNSTREAM = 550, /* VAR_FOR_DOWNSTREAM */
|
||||
VAR_FALLBACK_ENABLED = 551, /* VAR_FALLBACK_ENABLED */
|
||||
VAR_TLS_ADDITIONAL_PORT = 552, /* VAR_TLS_ADDITIONAL_PORT */
|
||||
VAR_LOW_RTT = 553, /* VAR_LOW_RTT */
|
||||
VAR_LOW_RTT_PERMIL = 554, /* VAR_LOW_RTT_PERMIL */
|
||||
VAR_FAST_SERVER_PERMIL = 555, /* VAR_FAST_SERVER_PERMIL */
|
||||
VAR_FAST_SERVER_NUM = 556, /* VAR_FAST_SERVER_NUM */
|
||||
VAR_ALLOW_NOTIFY = 557, /* VAR_ALLOW_NOTIFY */
|
||||
VAR_TLS_WIN_CERT = 558, /* VAR_TLS_WIN_CERT */
|
||||
VAR_TCP_CONNECTION_LIMIT = 559, /* VAR_TCP_CONNECTION_LIMIT */
|
||||
VAR_ANSWER_COOKIE = 560, /* VAR_ANSWER_COOKIE */
|
||||
VAR_COOKIE_SECRET = 561, /* VAR_COOKIE_SECRET */
|
||||
VAR_IP_RATELIMIT_COOKIE = 562, /* VAR_IP_RATELIMIT_COOKIE */
|
||||
VAR_FORWARD_NO_CACHE = 563, /* VAR_FORWARD_NO_CACHE */
|
||||
VAR_STUB_NO_CACHE = 564, /* VAR_STUB_NO_CACHE */
|
||||
VAR_LOG_SERVFAIL = 565, /* VAR_LOG_SERVFAIL */
|
||||
VAR_DENY_ANY = 566, /* VAR_DENY_ANY */
|
||||
VAR_UNKNOWN_SERVER_TIME_LIMIT = 567, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */
|
||||
VAR_LOG_TAG_QUERYREPLY = 568, /* VAR_LOG_TAG_QUERYREPLY */
|
||||
VAR_STREAM_WAIT_SIZE = 569, /* VAR_STREAM_WAIT_SIZE */
|
||||
VAR_TLS_CIPHERS = 570, /* VAR_TLS_CIPHERS */
|
||||
VAR_TLS_CIPHERSUITES = 571, /* VAR_TLS_CIPHERSUITES */
|
||||
VAR_TLS_USE_SNI = 572, /* VAR_TLS_USE_SNI */
|
||||
VAR_IPSET = 573, /* VAR_IPSET */
|
||||
VAR_IPSET_NAME_V4 = 574, /* VAR_IPSET_NAME_V4 */
|
||||
VAR_IPSET_NAME_V6 = 575, /* VAR_IPSET_NAME_V6 */
|
||||
VAR_TLS_SESSION_TICKET_KEYS = 576, /* VAR_TLS_SESSION_TICKET_KEYS */
|
||||
VAR_RPZ = 577, /* VAR_RPZ */
|
||||
VAR_TAGS = 578, /* VAR_TAGS */
|
||||
VAR_RPZ_ACTION_OVERRIDE = 579, /* VAR_RPZ_ACTION_OVERRIDE */
|
||||
VAR_RPZ_CNAME_OVERRIDE = 580, /* VAR_RPZ_CNAME_OVERRIDE */
|
||||
VAR_RPZ_LOG = 581, /* VAR_RPZ_LOG */
|
||||
VAR_RPZ_LOG_NAME = 582, /* VAR_RPZ_LOG_NAME */
|
||||
VAR_DYNLIB = 583, /* VAR_DYNLIB */
|
||||
VAR_DYNLIB_FILE = 584, /* VAR_DYNLIB_FILE */
|
||||
VAR_EDNS_CLIENT_STRING = 585, /* VAR_EDNS_CLIENT_STRING */
|
||||
VAR_EDNS_CLIENT_STRING_OPCODE = 586, /* VAR_EDNS_CLIENT_STRING_OPCODE */
|
||||
VAR_NSID = 587, /* VAR_NSID */
|
||||
VAR_ZONEMD_PERMISSIVE_MODE = 588, /* VAR_ZONEMD_PERMISSIVE_MODE */
|
||||
VAR_ZONEMD_CHECK = 589, /* VAR_ZONEMD_CHECK */
|
||||
VAR_ZONEMD_REJECT_ABSENCE = 590, /* VAR_ZONEMD_REJECT_ABSENCE */
|
||||
VAR_RPZ_SIGNAL_NXDOMAIN_RA = 591, /* VAR_RPZ_SIGNAL_NXDOMAIN_RA */
|
||||
VAR_INTERFACE_AUTOMATIC_PORTS = 592, /* VAR_INTERFACE_AUTOMATIC_PORTS */
|
||||
VAR_EDE = 593, /* VAR_EDE */
|
||||
VAR_INTERFACE_ACTION = 594, /* VAR_INTERFACE_ACTION */
|
||||
VAR_INTERFACE_VIEW = 595, /* VAR_INTERFACE_VIEW */
|
||||
VAR_INTERFACE_TAG = 596, /* VAR_INTERFACE_TAG */
|
||||
VAR_INTERFACE_TAG_ACTION = 597, /* VAR_INTERFACE_TAG_ACTION */
|
||||
VAR_INTERFACE_TAG_DATA = 598, /* VAR_INTERFACE_TAG_DATA */
|
||||
VAR_PROXY_PROTOCOL_PORT = 599, /* VAR_PROXY_PROTOCOL_PORT */
|
||||
VAR_STATISTICS_INHIBIT_ZERO = 600, /* VAR_STATISTICS_INHIBIT_ZERO */
|
||||
VAR_HARDEN_UNKNOWN_ADDITIONAL = 601, /* VAR_HARDEN_UNKNOWN_ADDITIONAL */
|
||||
VAR_DISABLE_EDNS_DO = 602, /* VAR_DISABLE_EDNS_DO */
|
||||
VAR_CACHEDB_NO_STORE = 603, /* VAR_CACHEDB_NO_STORE */
|
||||
VAR_LOG_DESTADDR = 604 /* VAR_LOG_DESTADDR */
|
||||
};
|
||||
typedef enum yytokentype yytoken_kind_t;
|
||||
#endif
|
||||
/* Token kinds. */
|
||||
#define YYEMPTY -2
|
||||
#define YYEOF 0
|
||||
#define YYerror 256
|
||||
#define YYUNDEF 257
|
||||
#define SPACE 258
|
||||
#define LETTER 259
|
||||
#define NEWLINE 260
|
||||
#define COMMENT 261
|
||||
#define COLON 262
|
||||
#define ANY 263
|
||||
#define ZONESTR 264
|
||||
#define STRING_ARG 265
|
||||
#define VAR_FORCE_TOPLEVEL 266
|
||||
#define VAR_SERVER 267
|
||||
#define VAR_VERBOSITY 268
|
||||
#define VAR_NUM_THREADS 269
|
||||
#define VAR_PORT 270
|
||||
#define VAR_OUTGOING_RANGE 271
|
||||
#define VAR_INTERFACE 272
|
||||
#define VAR_PREFER_IP4 273
|
||||
#define VAR_DO_IP4 274
|
||||
#define VAR_DO_IP6 275
|
||||
#define VAR_DO_NAT64 276
|
||||
#define VAR_PREFER_IP6 277
|
||||
#define VAR_DO_UDP 278
|
||||
#define VAR_DO_TCP 279
|
||||
#define VAR_TCP_MSS 280
|
||||
#define VAR_OUTGOING_TCP_MSS 281
|
||||
#define VAR_TCP_IDLE_TIMEOUT 282
|
||||
#define VAR_EDNS_TCP_KEEPALIVE 283
|
||||
#define VAR_EDNS_TCP_KEEPALIVE_TIMEOUT 284
|
||||
#define VAR_SOCK_QUEUE_TIMEOUT 285
|
||||
#define VAR_CHROOT 286
|
||||
#define VAR_USERNAME 287
|
||||
#define VAR_DIRECTORY 288
|
||||
#define VAR_LOGFILE 289
|
||||
#define VAR_PIDFILE 290
|
||||
#define VAR_MSG_CACHE_SIZE 291
|
||||
#define VAR_MSG_CACHE_SLABS 292
|
||||
#define VAR_NUM_QUERIES_PER_THREAD 293
|
||||
#define VAR_RRSET_CACHE_SIZE 294
|
||||
#define VAR_RRSET_CACHE_SLABS 295
|
||||
#define VAR_OUTGOING_NUM_TCP 296
|
||||
#define VAR_INFRA_HOST_TTL 297
|
||||
#define VAR_INFRA_LAME_TTL 298
|
||||
#define VAR_INFRA_CACHE_SLABS 299
|
||||
#define VAR_INFRA_CACHE_NUMHOSTS 300
|
||||
#define VAR_INFRA_CACHE_LAME_SIZE 301
|
||||
#define VAR_NAME 302
|
||||
#define VAR_STUB_ZONE 303
|
||||
#define VAR_STUB_HOST 304
|
||||
#define VAR_STUB_ADDR 305
|
||||
#define VAR_TARGET_FETCH_POLICY 306
|
||||
#define VAR_HARDEN_SHORT_BUFSIZE 307
|
||||
#define VAR_HARDEN_LARGE_QUERIES 308
|
||||
#define VAR_FORWARD_ZONE 309
|
||||
#define VAR_FORWARD_HOST 310
|
||||
#define VAR_FORWARD_ADDR 311
|
||||
#define VAR_DO_NOT_QUERY_ADDRESS 312
|
||||
#define VAR_HIDE_IDENTITY 313
|
||||
#define VAR_HIDE_VERSION 314
|
||||
#define VAR_IDENTITY 315
|
||||
#define VAR_VERSION 316
|
||||
#define VAR_HARDEN_GLUE 317
|
||||
#define VAR_MODULE_CONF 318
|
||||
#define VAR_TRUST_ANCHOR_FILE 319
|
||||
#define VAR_TRUST_ANCHOR 320
|
||||
#define VAR_VAL_OVERRIDE_DATE 321
|
||||
#define VAR_BOGUS_TTL 322
|
||||
#define VAR_VAL_CLEAN_ADDITIONAL 323
|
||||
#define VAR_VAL_PERMISSIVE_MODE 324
|
||||
#define VAR_INCOMING_NUM_TCP 325
|
||||
#define VAR_MSG_BUFFER_SIZE 326
|
||||
#define VAR_KEY_CACHE_SIZE 327
|
||||
#define VAR_KEY_CACHE_SLABS 328
|
||||
#define VAR_TRUSTED_KEYS_FILE 329
|
||||
#define VAR_VAL_NSEC3_KEYSIZE_ITERATIONS 330
|
||||
#define VAR_USE_SYSLOG 331
|
||||
#define VAR_OUTGOING_INTERFACE 332
|
||||
#define VAR_ROOT_HINTS 333
|
||||
#define VAR_DO_NOT_QUERY_LOCALHOST 334
|
||||
#define VAR_CACHE_MAX_TTL 335
|
||||
#define VAR_HARDEN_DNSSEC_STRIPPED 336
|
||||
#define VAR_ACCESS_CONTROL 337
|
||||
#define VAR_LOCAL_ZONE 338
|
||||
#define VAR_LOCAL_DATA 339
|
||||
#define VAR_INTERFACE_AUTOMATIC 340
|
||||
#define VAR_STATISTICS_INTERVAL 341
|
||||
#define VAR_DO_DAEMONIZE 342
|
||||
#define VAR_USE_CAPS_FOR_ID 343
|
||||
#define VAR_STATISTICS_CUMULATIVE 344
|
||||
#define VAR_OUTGOING_PORT_PERMIT 345
|
||||
#define VAR_OUTGOING_PORT_AVOID 346
|
||||
#define VAR_DLV_ANCHOR_FILE 347
|
||||
#define VAR_DLV_ANCHOR 348
|
||||
#define VAR_NEG_CACHE_SIZE 349
|
||||
#define VAR_HARDEN_REFERRAL_PATH 350
|
||||
#define VAR_PRIVATE_ADDRESS 351
|
||||
#define VAR_PRIVATE_DOMAIN 352
|
||||
#define VAR_REMOTE_CONTROL 353
|
||||
#define VAR_CONTROL_ENABLE 354
|
||||
#define VAR_CONTROL_INTERFACE 355
|
||||
#define VAR_CONTROL_PORT 356
|
||||
#define VAR_SERVER_KEY_FILE 357
|
||||
#define VAR_SERVER_CERT_FILE 358
|
||||
#define VAR_CONTROL_KEY_FILE 359
|
||||
#define VAR_CONTROL_CERT_FILE 360
|
||||
#define VAR_CONTROL_USE_CERT 361
|
||||
#define VAR_TCP_REUSE_TIMEOUT 362
|
||||
#define VAR_MAX_REUSE_TCP_QUERIES 363
|
||||
#define VAR_EXTENDED_STATISTICS 364
|
||||
#define VAR_LOCAL_DATA_PTR 365
|
||||
#define VAR_JOSTLE_TIMEOUT 366
|
||||
#define VAR_STUB_PRIME 367
|
||||
#define VAR_UNWANTED_REPLY_THRESHOLD 368
|
||||
#define VAR_LOG_TIME_ASCII 369
|
||||
#define VAR_DOMAIN_INSECURE 370
|
||||
#define VAR_PYTHON 371
|
||||
#define VAR_PYTHON_SCRIPT 372
|
||||
#define VAR_VAL_SIG_SKEW_MIN 373
|
||||
#define VAR_VAL_SIG_SKEW_MAX 374
|
||||
#define VAR_VAL_MAX_RESTART 375
|
||||
#define VAR_CACHE_MIN_TTL 376
|
||||
#define VAR_VAL_LOG_LEVEL 377
|
||||
#define VAR_AUTO_TRUST_ANCHOR_FILE 378
|
||||
#define VAR_KEEP_MISSING 379
|
||||
#define VAR_ADD_HOLDDOWN 380
|
||||
#define VAR_DEL_HOLDDOWN 381
|
||||
#define VAR_SO_RCVBUF 382
|
||||
#define VAR_EDNS_BUFFER_SIZE 383
|
||||
#define VAR_PREFETCH 384
|
||||
#define VAR_PREFETCH_KEY 385
|
||||
#define VAR_SO_SNDBUF 386
|
||||
#define VAR_SO_REUSEPORT 387
|
||||
#define VAR_HARDEN_BELOW_NXDOMAIN 388
|
||||
#define VAR_IGNORE_CD_FLAG 389
|
||||
#define VAR_LOG_QUERIES 390
|
||||
#define VAR_LOG_REPLIES 391
|
||||
#define VAR_LOG_LOCAL_ACTIONS 392
|
||||
#define VAR_TCP_UPSTREAM 393
|
||||
#define VAR_SSL_UPSTREAM 394
|
||||
#define VAR_TCP_AUTH_QUERY_TIMEOUT 395
|
||||
#define VAR_SSL_SERVICE_KEY 396
|
||||
#define VAR_SSL_SERVICE_PEM 397
|
||||
#define VAR_SSL_PORT 398
|
||||
#define VAR_FORWARD_FIRST 399
|
||||
#define VAR_STUB_SSL_UPSTREAM 400
|
||||
#define VAR_FORWARD_SSL_UPSTREAM 401
|
||||
#define VAR_TLS_CERT_BUNDLE 402
|
||||
#define VAR_STUB_TCP_UPSTREAM 403
|
||||
#define VAR_FORWARD_TCP_UPSTREAM 404
|
||||
#define VAR_HTTPS_PORT 405
|
||||
#define VAR_HTTP_ENDPOINT 406
|
||||
#define VAR_HTTP_MAX_STREAMS 407
|
||||
#define VAR_HTTP_QUERY_BUFFER_SIZE 408
|
||||
#define VAR_HTTP_RESPONSE_BUFFER_SIZE 409
|
||||
#define VAR_HTTP_NODELAY 410
|
||||
#define VAR_HTTP_NOTLS_DOWNSTREAM 411
|
||||
#define VAR_STUB_FIRST 412
|
||||
#define VAR_MINIMAL_RESPONSES 413
|
||||
#define VAR_RRSET_ROUNDROBIN 414
|
||||
#define VAR_MAX_UDP_SIZE 415
|
||||
#define VAR_DELAY_CLOSE 416
|
||||
#define VAR_UDP_CONNECT 417
|
||||
#define VAR_UNBLOCK_LAN_ZONES 418
|
||||
#define VAR_INSECURE_LAN_ZONES 419
|
||||
#define VAR_INFRA_CACHE_MIN_RTT 420
|
||||
#define VAR_INFRA_CACHE_MAX_RTT 421
|
||||
#define VAR_INFRA_KEEP_PROBING 422
|
||||
#define VAR_DNS64_PREFIX 423
|
||||
#define VAR_DNS64_SYNTHALL 424
|
||||
#define VAR_DNS64_IGNORE_AAAA 425
|
||||
#define VAR_NAT64_PREFIX 426
|
||||
#define VAR_DNSTAP 427
|
||||
#define VAR_DNSTAP_ENABLE 428
|
||||
#define VAR_DNSTAP_SOCKET_PATH 429
|
||||
#define VAR_DNSTAP_IP 430
|
||||
#define VAR_DNSTAP_TLS 431
|
||||
#define VAR_DNSTAP_TLS_SERVER_NAME 432
|
||||
#define VAR_DNSTAP_TLS_CERT_BUNDLE 433
|
||||
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 434
|
||||
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 435
|
||||
#define VAR_DNSTAP_SEND_IDENTITY 436
|
||||
#define VAR_DNSTAP_SEND_VERSION 437
|
||||
#define VAR_DNSTAP_BIDIRECTIONAL 438
|
||||
#define VAR_DNSTAP_IDENTITY 439
|
||||
#define VAR_DNSTAP_VERSION 440
|
||||
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 441
|
||||
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 442
|
||||
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 443
|
||||
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 444
|
||||
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 445
|
||||
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 446
|
||||
#define VAR_RESPONSE_IP_TAG 447
|
||||
#define VAR_RESPONSE_IP 448
|
||||
#define VAR_RESPONSE_IP_DATA 449
|
||||
#define VAR_HARDEN_ALGO_DOWNGRADE 450
|
||||
#define VAR_IP_TRANSPARENT 451
|
||||
#define VAR_IP_DSCP 452
|
||||
#define VAR_DISABLE_DNSSEC_LAME_CHECK 453
|
||||
#define VAR_IP_RATELIMIT 454
|
||||
#define VAR_IP_RATELIMIT_SLABS 455
|
||||
#define VAR_IP_RATELIMIT_SIZE 456
|
||||
#define VAR_RATELIMIT 457
|
||||
#define VAR_RATELIMIT_SLABS 458
|
||||
#define VAR_RATELIMIT_SIZE 459
|
||||
#define VAR_OUTBOUND_MSG_RETRY 460
|
||||
#define VAR_MAX_SENT_COUNT 461
|
||||
#define VAR_MAX_QUERY_RESTARTS 462
|
||||
#define VAR_RATELIMIT_FOR_DOMAIN 463
|
||||
#define VAR_RATELIMIT_BELOW_DOMAIN 464
|
||||
#define VAR_IP_RATELIMIT_FACTOR 465
|
||||
#define VAR_RATELIMIT_FACTOR 466
|
||||
#define VAR_IP_RATELIMIT_BACKOFF 467
|
||||
#define VAR_RATELIMIT_BACKOFF 468
|
||||
#define VAR_SEND_CLIENT_SUBNET 469
|
||||
#define VAR_CLIENT_SUBNET_ZONE 470
|
||||
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 471
|
||||
#define VAR_CLIENT_SUBNET_OPCODE 472
|
||||
#define VAR_MAX_CLIENT_SUBNET_IPV4 473
|
||||
#define VAR_MAX_CLIENT_SUBNET_IPV6 474
|
||||
#define VAR_MIN_CLIENT_SUBNET_IPV4 475
|
||||
#define VAR_MIN_CLIENT_SUBNET_IPV6 476
|
||||
#define VAR_MAX_ECS_TREE_SIZE_IPV4 477
|
||||
#define VAR_MAX_ECS_TREE_SIZE_IPV6 478
|
||||
#define VAR_CAPS_WHITELIST 479
|
||||
#define VAR_CACHE_MAX_NEGATIVE_TTL 480
|
||||
#define VAR_PERMIT_SMALL_HOLDDOWN 481
|
||||
#define VAR_QNAME_MINIMISATION 482
|
||||
#define VAR_QNAME_MINIMISATION_STRICT 483
|
||||
#define VAR_IP_FREEBIND 484
|
||||
#define VAR_DEFINE_TAG 485
|
||||
#define VAR_LOCAL_ZONE_TAG 486
|
||||
#define VAR_ACCESS_CONTROL_TAG 487
|
||||
#define VAR_LOCAL_ZONE_OVERRIDE 488
|
||||
#define VAR_ACCESS_CONTROL_TAG_ACTION 489
|
||||
#define VAR_ACCESS_CONTROL_TAG_DATA 490
|
||||
#define VAR_VIEW 491
|
||||
#define VAR_ACCESS_CONTROL_VIEW 492
|
||||
#define VAR_VIEW_FIRST 493
|
||||
#define VAR_SERVE_EXPIRED 494
|
||||
#define VAR_SERVE_EXPIRED_TTL 495
|
||||
#define VAR_SERVE_EXPIRED_TTL_RESET 496
|
||||
#define VAR_SERVE_EXPIRED_REPLY_TTL 497
|
||||
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 498
|
||||
#define VAR_EDE_SERVE_EXPIRED 499
|
||||
#define VAR_SERVE_ORIGINAL_TTL 500
|
||||
#define VAR_FAKE_DSA 501
|
||||
#define VAR_FAKE_SHA1 502
|
||||
#define VAR_LOG_IDENTITY 503
|
||||
#define VAR_HIDE_TRUSTANCHOR 504
|
||||
#define VAR_HIDE_HTTP_USER_AGENT 505
|
||||
#define VAR_HTTP_USER_AGENT 506
|
||||
#define VAR_TRUST_ANCHOR_SIGNALING 507
|
||||
#define VAR_AGGRESSIVE_NSEC 508
|
||||
#define VAR_USE_SYSTEMD 509
|
||||
#define VAR_SHM_ENABLE 510
|
||||
#define VAR_SHM_KEY 511
|
||||
#define VAR_ROOT_KEY_SENTINEL 512
|
||||
#define VAR_DNSCRYPT 513
|
||||
#define VAR_DNSCRYPT_ENABLE 514
|
||||
#define VAR_DNSCRYPT_PORT 515
|
||||
#define VAR_DNSCRYPT_PROVIDER 516
|
||||
#define VAR_DNSCRYPT_SECRET_KEY 517
|
||||
#define VAR_DNSCRYPT_PROVIDER_CERT 518
|
||||
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 519
|
||||
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 520
|
||||
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 521
|
||||
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 522
|
||||
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 523
|
||||
#define VAR_PAD_RESPONSES 524
|
||||
#define VAR_PAD_RESPONSES_BLOCK_SIZE 525
|
||||
#define VAR_PAD_QUERIES 526
|
||||
#define VAR_PAD_QUERIES_BLOCK_SIZE 527
|
||||
#define VAR_IPSECMOD_ENABLED 528
|
||||
#define VAR_IPSECMOD_HOOK 529
|
||||
#define VAR_IPSECMOD_IGNORE_BOGUS 530
|
||||
#define VAR_IPSECMOD_MAX_TTL 531
|
||||
#define VAR_IPSECMOD_WHITELIST 532
|
||||
#define VAR_IPSECMOD_STRICT 533
|
||||
#define VAR_CACHEDB 534
|
||||
#define VAR_CACHEDB_BACKEND 535
|
||||
#define VAR_CACHEDB_SECRETSEED 536
|
||||
#define VAR_CACHEDB_REDISHOST 537
|
||||
#define VAR_CACHEDB_REDISPORT 538
|
||||
#define VAR_CACHEDB_REDISTIMEOUT 539
|
||||
#define VAR_CACHEDB_REDISEXPIRERECORDS 540
|
||||
#define VAR_CACHEDB_REDISPATH 541
|
||||
#define VAR_CACHEDB_REDISPASSWORD 542
|
||||
#define VAR_CACHEDB_REDISLOGICALDB 543
|
||||
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 544
|
||||
#define VAR_FOR_UPSTREAM 545
|
||||
#define VAR_AUTH_ZONE 546
|
||||
#define VAR_ZONEFILE 547
|
||||
#define VAR_MASTER 548
|
||||
#define VAR_URL 549
|
||||
#define VAR_FOR_DOWNSTREAM 550
|
||||
#define VAR_FALLBACK_ENABLED 551
|
||||
#define VAR_TLS_ADDITIONAL_PORT 552
|
||||
#define VAR_LOW_RTT 553
|
||||
#define VAR_LOW_RTT_PERMIL 554
|
||||
#define VAR_FAST_SERVER_PERMIL 555
|
||||
#define VAR_FAST_SERVER_NUM 556
|
||||
#define VAR_ALLOW_NOTIFY 557
|
||||
#define VAR_TLS_WIN_CERT 558
|
||||
#define VAR_TCP_CONNECTION_LIMIT 559
|
||||
#define VAR_ANSWER_COOKIE 560
|
||||
#define VAR_COOKIE_SECRET 561
|
||||
#define VAR_IP_RATELIMIT_COOKIE 562
|
||||
#define VAR_FORWARD_NO_CACHE 563
|
||||
#define VAR_STUB_NO_CACHE 564
|
||||
#define VAR_LOG_SERVFAIL 565
|
||||
#define VAR_DENY_ANY 566
|
||||
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 567
|
||||
#define VAR_LOG_TAG_QUERYREPLY 568
|
||||
#define VAR_STREAM_WAIT_SIZE 569
|
||||
#define VAR_TLS_CIPHERS 570
|
||||
#define VAR_TLS_CIPHERSUITES 571
|
||||
#define VAR_TLS_USE_SNI 572
|
||||
#define VAR_IPSET 573
|
||||
#define VAR_IPSET_NAME_V4 574
|
||||
#define VAR_IPSET_NAME_V6 575
|
||||
#define VAR_TLS_SESSION_TICKET_KEYS 576
|
||||
#define VAR_RPZ 577
|
||||
#define VAR_TAGS 578
|
||||
#define VAR_RPZ_ACTION_OVERRIDE 579
|
||||
#define VAR_RPZ_CNAME_OVERRIDE 580
|
||||
#define VAR_RPZ_LOG 581
|
||||
#define VAR_RPZ_LOG_NAME 582
|
||||
#define VAR_DYNLIB 583
|
||||
#define VAR_DYNLIB_FILE 584
|
||||
#define VAR_EDNS_CLIENT_STRING 585
|
||||
#define VAR_EDNS_CLIENT_STRING_OPCODE 586
|
||||
#define VAR_NSID 587
|
||||
#define VAR_ZONEMD_PERMISSIVE_MODE 588
|
||||
#define VAR_ZONEMD_CHECK 589
|
||||
#define VAR_ZONEMD_REJECT_ABSENCE 590
|
||||
#define VAR_RPZ_SIGNAL_NXDOMAIN_RA 591
|
||||
#define VAR_INTERFACE_AUTOMATIC_PORTS 592
|
||||
#define VAR_EDE 593
|
||||
#define VAR_INTERFACE_ACTION 594
|
||||
#define VAR_INTERFACE_VIEW 595
|
||||
#define VAR_INTERFACE_TAG 596
|
||||
#define VAR_INTERFACE_TAG_ACTION 597
|
||||
#define VAR_INTERFACE_TAG_DATA 598
|
||||
#define VAR_PROXY_PROTOCOL_PORT 599
|
||||
#define VAR_STATISTICS_INHIBIT_ZERO 600
|
||||
#define VAR_HARDEN_UNKNOWN_ADDITIONAL 601
|
||||
#define VAR_DISABLE_EDNS_DO 602
|
||||
#define VAR_CACHEDB_NO_STORE 603
|
||||
#define VAR_LOG_DESTADDR 604
|
||||
|
||||
/* Value type. */
|
||||
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
|
||||
union YYSTYPE
|
||||
{
|
||||
#line 68 "util/configparser.y"
|
||||
|
||||
char* str;
|
||||
|
||||
#line 769 "util/configparser.h"
|
||||
|
||||
};
|
||||
typedef union YYSTYPE YYSTYPE;
|
||||
# define YYSTYPE_IS_TRIVIAL 1
|
||||
# define YYSTYPE_IS_DECLARED 1
|
||||
#endif
|
||||
|
||||
|
||||
extern YYSTYPE yylval;
|
||||
|
||||
int yyparse (void);
|
||||
|
||||
#endif /* !YY_YY_UTIL_CONFIGPARSER_H_INCLUDED */
|
|
@ -200,6 +200,7 @@ extern struct config_parser_state* cfg_parser;
|
|||
%token VAR_INTERFACE_TAG_ACTION VAR_INTERFACE_TAG_DATA
|
||||
%token VAR_PROXY_PROTOCOL_PORT VAR_STATISTICS_INHIBIT_ZERO
|
||||
%token VAR_HARDEN_UNKNOWN_ADDITIONAL VAR_DISABLE_EDNS_DO VAR_CACHEDB_NO_STORE
|
||||
%token VAR_LOG_DESTADDR
|
||||
|
||||
%%
|
||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||
|
@ -333,7 +334,8 @@ content_server: server_num_threads | server_verbosity | server_port |
|
|||
server_tcp_reuse_timeout | server_tcp_auth_query_timeout |
|
||||
server_interface_automatic_ports | server_ede |
|
||||
server_proxy_protocol_port | server_statistics_inhibit_zero |
|
||||
server_harden_unknown_additional | server_disable_edns_do
|
||||
server_harden_unknown_additional | server_disable_edns_do |
|
||||
server_log_destaddr
|
||||
;
|
||||
stubstart: VAR_STUB_ZONE
|
||||
{
|
||||
|
@ -1250,6 +1252,15 @@ server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG
|
|||
free($2);
|
||||
}
|
||||
;
|
||||
server_log_destaddr: VAR_LOG_DESTADDR STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_log_destaddr:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->log_destaddr = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_log_local_actions: VAR_LOG_LOCAL_ACTIONS STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_log_local_actions:%s)\n", $2));
|
||||
|
|
|
@ -886,6 +886,9 @@ ede_trim_text(struct edns_option** list)
|
|||
curr->opt_len = 2;
|
||||
prev = curr;
|
||||
curr = curr->next;
|
||||
} else {
|
||||
prev = curr;
|
||||
curr = curr->next;
|
||||
}
|
||||
} else {
|
||||
/* continue */
|
||||
|
|
|
@ -918,13 +918,15 @@ log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* rep)
|
|||
void
|
||||
log_reply_info(enum verbosity_value v, struct query_info *qinf,
|
||||
struct sockaddr_storage *addr, socklen_t addrlen, struct timeval dur,
|
||||
int cached, struct sldns_buffer *rmsg)
|
||||
int cached, struct sldns_buffer *rmsg, struct sockaddr_storage* daddr,
|
||||
enum comm_point_type tp)
|
||||
{
|
||||
char qname_buf[LDNS_MAX_DOMAINLEN+1];
|
||||
char clientip_buf[128];
|
||||
char rcode_buf[16];
|
||||
char type_buf[16];
|
||||
char class_buf[16];
|
||||
char dest_buf[160];
|
||||
size_t pktlen;
|
||||
uint16_t rcode = FLAGS_GET_RCODE(sldns_buffer_read_u16_at(rmsg, 2));
|
||||
|
||||
|
@ -933,11 +935,46 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
|
|||
|
||||
sldns_wire2str_rcode_buf((int)rcode, rcode_buf, sizeof(rcode_buf));
|
||||
addr_to_str(addr, addrlen, clientip_buf, sizeof(clientip_buf));
|
||||
if(daddr) {
|
||||
char da[128];
|
||||
int port = 0;
|
||||
char* comm;
|
||||
if(daddr->ss_family == AF_INET6) {
|
||||
struct sockaddr_in6 *d = (struct sockaddr_in6 *)daddr;
|
||||
if(inet_ntop(d->sin6_family, &d->sin6_addr, da,
|
||||
sizeof(*d)) == 0)
|
||||
snprintf(dest_buf, sizeof(dest_buf),
|
||||
"(inet_ntop_error)");
|
||||
port = ntohs(d->sin6_port);
|
||||
} else if(daddr->ss_family == AF_INET) {
|
||||
struct sockaddr_in *d = (struct sockaddr_in *)daddr;
|
||||
if(inet_ntop(d->sin_family, &d->sin_addr, da,
|
||||
sizeof(*d)) == 0)
|
||||
snprintf(dest_buf, sizeof(dest_buf),
|
||||
"(inet_ntop_error)");
|
||||
port = ntohs(d->sin_port);
|
||||
} else {
|
||||
snprintf(da, sizeof(da), "socket%d",
|
||||
(int)daddr->ss_family);
|
||||
}
|
||||
comm = "udp";
|
||||
if(tp == comm_tcp) comm = "tcp";
|
||||
else if(tp == comm_tcp_accept) comm = "tcp";
|
||||
else if(tp == comm_http) comm = "dot";
|
||||
else if(tp == comm_local) comm = "unix";
|
||||
else if(tp == comm_raw) comm = "raw";
|
||||
snprintf(dest_buf, sizeof(dest_buf), " on %s %s %d",
|
||||
comm, da, port);
|
||||
} else {
|
||||
dest_buf[0]=0;
|
||||
}
|
||||
if(rcode == LDNS_RCODE_FORMERR)
|
||||
{
|
||||
if(LOG_TAG_QUERYREPLY)
|
||||
log_reply("%s - - - %s - - - ", clientip_buf, rcode_buf);
|
||||
else log_info("%s - - - %s - - - ", clientip_buf, rcode_buf);
|
||||
log_reply("%s - - - %s - - -%s", clientip_buf,
|
||||
rcode_buf, dest_buf);
|
||||
else log_info("%s - - - %s - - -%s", clientip_buf,
|
||||
rcode_buf, dest_buf);
|
||||
} else {
|
||||
if(qinf->qname)
|
||||
dname_str(qinf->qname, qname_buf);
|
||||
|
@ -946,12 +983,14 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
|
|||
sldns_wire2str_type_buf(qinf->qtype, type_buf, sizeof(type_buf));
|
||||
sldns_wire2str_class_buf(qinf->qclass, class_buf, sizeof(class_buf));
|
||||
if(LOG_TAG_QUERYREPLY)
|
||||
log_reply("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
|
||||
log_reply("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d%s",
|
||||
clientip_buf, qname_buf, type_buf, class_buf,
|
||||
rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
|
||||
else log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
|
||||
rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec,
|
||||
cached, (int)pktlen, dest_buf);
|
||||
else log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d%s",
|
||||
clientip_buf, qname_buf, type_buf, class_buf,
|
||||
rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
|
||||
rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec,
|
||||
cached, (int)pktlen, dest_buf);
|
||||
}
|
||||
}
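Review bot: In the `if(daddr)` block of log_reply_info, a failed `inet_ntop` leaves `da` unset, yet the later `snprintf(dest_buf, sizeof(dest_buf), " on %s %s %d", comm, da, port)` still formats it with `%s`, so indeterminate stack bytes can be read and written to the log. The error string is written to `dest_buf`, which that same snprintf then overwrites; it should go to `da` instead: `snprintf(da, sizeof(da), "(inet_ntop_error)");`. The size passed to inet_ntop is `sizeof(*d)`, the size of the sockaddr structure rather than of the output buffer; `sizeof(da)` is the correct bound, and the structure size is likely smaller than INET6_ADDRSTRLEN, which would push long IPv6 addresses onto the failure path. Both the AF_INET6 and AF_INET branches need the same two changes.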
|
||||
|
||||
|
|
|
@ -58,6 +58,7 @@ struct msg_parse;
|
|||
struct rrset_parse;
|
||||
struct local_rrset;
|
||||
struct dns_msg;
|
||||
enum comm_point_type;
|
||||
|
||||
/** calculate the prefetch TTL as 90% of original. Calculation
|
||||
* without numerical overflow (uin32_t) */
|
||||
|
@ -520,10 +521,13 @@ void log_dns_msg(const char* str, struct query_info* qinfo,
|
|||
* @param cached: whether or not the reply is coming from
|
||||
* the cache, or an outside network.
|
||||
* @param rmsg: sldns buffer packet.
|
||||
* @param daddr: if not NULL, the destination address and port are logged.
|
||||
* @param tp: type of the comm point for logging destination connection type.
|
||||
*/
|
||||
void log_reply_info(enum verbosity_value v, struct query_info *qinf,
|
||||
struct sockaddr_storage *addr, socklen_t addrlen, struct timeval dur,
|
||||
int cached, struct sldns_buffer *rmsg);
|
||||
int cached, struct sldns_buffer *rmsg, struct sockaddr_storage* daddr,
|
||||
enum comm_point_type tp);
|
||||
|
||||
/**
|
||||
* Print string with neat domain name, type, class from query info.
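Review bot: The added `enum comm_point_type;` names an enum before its enumerator list has been seen, which ISO C does not permit; compilers accept it as an extension and warn under pedantic settings. The log_reply_info prototype then takes that still-incomplete type by value as `enum comm_point_type tp`. Including the header that defines the enum, or declaring the parameter as `int tp` and converting at the call site, keeps this header portable across compilers.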
|
||||
|
|
|
@ -275,6 +275,7 @@ int packed_rr_to_string(struct ub_packed_rrset_key* rrset, size_t i,
|
|||
struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
|
||||
entry.data;
|
||||
uint8_t rr[65535];
|
||||
size_t wlen;
|
||||
size_t rlen = rrset->rk.dname_len + 2 + 2 + 4 + d->rr_len[i];
|
||||
time_t adjust = 0;
|
||||
log_assert(dest_len > 0 && dest);
|
||||
|
@ -292,7 +293,9 @@ int packed_rr_to_string(struct ub_packed_rrset_key* rrset, size_t i,
|
|||
sldns_write_uint32(rr+rrset->rk.dname_len+4,
|
||||
(uint32_t)(d->rr_ttl[i]-adjust));
|
||||
memmove(rr+rrset->rk.dname_len+8, d->rr_data[i], d->rr_len[i]);
|
||||
if(sldns_wire2str_rr_buf(rr, rlen, dest, dest_len) == -1) {
|
||||
wlen = (size_t)sldns_wire2str_rr_buf(rr, rlen, dest, dest_len);
|
||||
if(wlen >= dest_len) {
|
||||
/* the output string was truncated */
|
||||
log_info("rrbuf failure %d %s", (int)d->rr_len[i], dest);
|
||||
dest[0] = 0;
|
||||
return 0;
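Review bot: The cast in `wlen = (size_t)sldns_wire2str_rr_buf(rr, rlen, dest, dest_len);` turns any negative return into a very large value, so the `wlen >= dest_len` test covers the old `== -1` case only implicitly. The comment `/* the output string was truncated */` should say so, for example `/* truncated output, or a negative (error) return that the cast made huge */`. The failure branch also passes `dest` to log_info before clearing it, which relies on the callee always NUL-terminating within dest_len; that is not visible in this hunk. packed_rr_to_string starts and ends outside the hunks shown.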
|
||||
|
|
|
@ -258,7 +258,6 @@
|
|||
356,
|
||||
357,
|
||||
358,
|
||||
359,
|
||||
360,
|
||||
361,
|
||||
362,
|
||||
|
|
|
@ -1672,8 +1672,13 @@ ssl_handshake(struct comm_point* c)
|
|||
} else {
|
||||
unsigned long err = ERR_get_error();
|
||||
if(!squelch_err_ssl_handshake(err)) {
|
||||
long vr;
|
||||
log_crypto_err_io_code("ssl handshake failed",
|
||||
want, err);
|
||||
if((vr=SSL_get_verify_result(c->ssl)) != 0)
|
||||
log_err("ssl handshake cert error: %s",
|
||||
X509_verify_cert_error_string(
|
||||
vr));
|
||||
log_addr(VERB_OPS, "ssl handshake failed",
|
||||
&c->repinfo.remote_addr,
|
||||
c->repinfo.remote_addrlen);
|
||||
|
@ -1748,6 +1753,9 @@ ssl_handshake(struct comm_point* c)
|
|||
/* connection upgraded to HTTP2 */
|
||||
c->tcp_do_toggle_rw = 0;
|
||||
c->use_h2 = 1;
|
||||
} else {
|
||||
verbose(VERB_ALGO, "client doesn't support HTTP/2");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
@ -4766,7 +4774,7 @@ comm_point_send_reply(struct comm_reply *repinfo)
|
|||
if(repinfo->c->dtenv != NULL && repinfo->c->dtenv->log_client_response_messages) {
|
||||
log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
|
||||
log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen);
|
||||
dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->buffer);
|
||||
dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->ssl, repinfo->c->buffer);
|
||||
}
|
||||
#endif
|
||||
} else {
|
||||
|
@ -4777,7 +4785,7 @@ comm_point_send_reply(struct comm_reply *repinfo)
|
|||
if(repinfo->c->tcp_parent->dtenv != NULL && repinfo->c->tcp_parent->dtenv->log_client_response_messages) {
|
||||
log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
|
||||
log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen);
|
||||
dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type,
|
||||
dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->ssl,
|
||||
( repinfo->c->tcp_req_info? repinfo->c->tcp_req_info->spool_buffer: repinfo->c->buffer ));
|
||||
}
|
||||
#endif
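Review bot: In the first ssl_handshake hunk the verify result is compared with a bare zero, `if((vr=SSL_get_verify_result(c->ssl)) != 0)`; OpenSSL names that value, and `!= X509_V_OK` states the intent. The new `log_err("ssl handshake cert error: %s", ...)` line carries no peer address, while the following `log_addr(VERB_OPS, ...)` is tied to the VERB_OPS level, so at lower verbosity a certificate failure may not be attributable to a remote. Whether log_crypto_err_io_code already identifies the peer is not visible here. ssl_handshake starts and ends outside these hunks.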
|
||||
|
|
|
@ -353,17 +353,21 @@ autr_tp_create(struct val_anchors* anchors, uint8_t* own, size_t own_len,
|
|||
|
||||
lock_basic_lock(&anchors->lock);
|
||||
if(!rbtree_insert(anchors->tree, &tp->node)) {
|
||||
char buf[LDNS_MAX_DOMAINLEN+1];
|
||||
lock_basic_unlock(&anchors->lock);
|
||||
log_err("trust anchor presented twice");
|
||||
dname_str(tp->name, buf);
|
||||
log_err("trust anchor for '%s' presented twice", buf);
|
||||
free(tp->name);
|
||||
free(tp->autr);
|
||||
free(tp);
|
||||
return NULL;
|
||||
}
|
||||
if(!rbtree_insert(&anchors->autr->probe, &tp->autr->pnode)) {
|
||||
char buf[LDNS_MAX_DOMAINLEN+1];
|
||||
(void)rbtree_delete(anchors->tree, tp);
|
||||
lock_basic_unlock(&anchors->lock);
|
||||
log_err("trust anchor in probetree twice");
|
||||
dname_str(tp->name, buf);
|
||||
log_err("trust anchor for '%s' in probetree twice", buf);
|
||||
free(tp->name);
|
||||
free(tp->autr);
|
||||
free(tp);
|
||||
|
|
|
@ -748,7 +748,6 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
|
|||
return sec_status_bogus;
|
||||
}
|
||||
}
|
||||
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
|
||||
if(!numchecked) {
|
||||
*reason = "signature for expected key and algorithm missing";
|
||||
if(reason_bogus)
|
||||
|
@ -761,6 +760,7 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
|
|||
*reason = "algorithm refused by cryptolib";
|
||||
return sec_status_indeterminate;
|
||||
}
|
||||
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
|
||||
return sec_status_bogus;
|
||||
}
|
||||
|
||||
|
|
|
@ -424,11 +424,13 @@ static enum sec_status
|
|||
verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* dnskey_rrset,
|
||||
struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason,
|
||||
sldns_ede_code *reason_bogus, struct module_qstate* qstate)
|
||||
sldns_ede_code *reason_bogus, struct module_qstate* qstate,
|
||||
int *nonechecked)
|
||||
{
|
||||
enum sec_status sec = sec_status_bogus;
|
||||
size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0;
|
||||
num = rrset_get_count(dnskey_rrset);
|
||||
*nonechecked = 0;
|
||||
for(i=0; i<num; i++) {
|
||||
/* Skip DNSKEYs that don't match the basic criteria. */
|
||||
if(ds_get_key_algo(ds_rrset, ds_idx)
|
||||
|
@ -476,13 +478,15 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
|
|||
/* there is a working DS, but that DNSKEY is not supported */
|
||||
return sec_status_insecure;
|
||||
}
|
||||
if(numchecked == 0)
|
||||
if(numchecked == 0) {
|
||||
algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx),
|
||||
reason, "no keys have a DS");
|
||||
else if(numhashok == 0)
|
||||
*nonechecked = 1;
|
||||
} else if(numhashok == 0) {
|
||||
*reason = "DS hash mismatches key";
|
||||
else if(!*reason)
|
||||
} else if(!*reason) {
|
||||
*reason = "keyset not secured by DNSKEY that matches DS";
|
||||
}
|
||||
return sec_status_bogus;
|
||||
}
|
||||
|
||||
|
@ -511,7 +515,8 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
|
|||
{
|
||||
/* as long as this is false, we can consider this DS rrset to be
|
||||
* equivalent to no DS rrset. */
|
||||
int has_useful_ds = 0, digest_algo, alg;
|
||||
int has_useful_ds = 0, digest_algo, alg, has_algo_refusal = 0,
|
||||
nonechecked, has_checked_ds = 0;
|
||||
struct algo_needs needs;
|
||||
size_t i, num;
|
||||
enum sec_status sec;
|
||||
|
@ -544,9 +549,16 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
|
|||
}
|
||||
|
||||
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
|
||||
ds_rrset, i, reason, reason_bogus, qstate);
|
||||
if(sec == sec_status_insecure)
|
||||
ds_rrset, i, reason, reason_bogus, qstate,
|
||||
&nonechecked);
|
||||
if(sec == sec_status_insecure) {
|
||||
/* DNSKEY too large unsupported or algo refused by
|
||||
* crypto lib. */
|
||||
has_algo_refusal = 1;
|
||||
continue;
|
||||
}
|
||||
if(!nonechecked)
|
||||
has_checked_ds = 1;
|
||||
|
||||
/* Once we see a single DS with a known digestID and
|
||||
* algorithm, we cannot return INSECURE (with a
|
||||
|
@ -571,6 +583,15 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
|
|||
|
||||
/* None of the DS's worked out. */
|
||||
|
||||
/* If none of the DSes have been checked, eg. that means no matches
|
||||
* for keytags, and the other dses are all algo_refusal, it is an
|
||||
* insecure delegation point, since the only matched DS records
|
||||
* have an algo refusal, or are unsupported. */
|
||||
if(has_algo_refusal && !has_checked_ds) {
|
||||
verbose(VERB_ALGO, "No supported DS records were found -- "
|
||||
"treating as insecure.");
|
||||
return sec_status_insecure;
|
||||
}
|
||||
/* If no DSs were understandable, then this is OK. */
|
||||
if(!has_useful_ds) {
|
||||
verbose(VERB_ALGO, "No usable DS records were found -- "
|
||||
|
@ -624,7 +645,8 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
|
|||
{
|
||||
/* as long as this is false, we can consider this anchor to be
|
||||
* equivalent to no anchor. */
|
||||
int has_useful_ta = 0, digest_algo = 0, alg;
|
||||
int has_useful_ta = 0, digest_algo = 0, alg, has_algo_refusal = 0,
|
||||
nonechecked, has_checked_ds = 0;
|
||||
struct algo_needs needs;
|
||||
size_t i, num;
|
||||
enum sec_status sec;
|
||||
|
@ -670,9 +692,13 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
|
|||
continue;
|
||||
|
||||
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
|
||||
ta_ds, i, reason, reason_bogus, qstate);
|
||||
if(sec == sec_status_insecure)
|
||||
ta_ds, i, reason, reason_bogus, qstate, &nonechecked);
|
||||
if(sec == sec_status_insecure) {
|
||||
has_algo_refusal = 1;
|
||||
continue;
|
||||
}
|
||||
if(!nonechecked)
|
||||
has_checked_ds = 1;
|
||||
|
||||
/* Once we see a single DS with a known digestID and
|
||||
* algorithm, we cannot return INSECURE (with a
|
||||
|
@ -728,6 +754,15 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
|
|||
}
|
||||
}
|
||||
|
||||
/* If none of the DSes have been checked, eg. that means no matches
|
||||
* for keytags, and the other dses are all algo_refusal, it is an
|
||||
* insecure delegation point, since the only matched DS records
|
||||
* have an algo refusal, or are unsupported. */
|
||||
if(has_algo_refusal && !has_checked_ds) {
|
||||
verbose(VERB_ALGO, "No supported trust anchors were found -- "
|
||||
"treating as insecure.");
|
||||
return sec_status_insecure;
|
||||
}
|
||||
/* If no DSs were understandable, then this is OK. */
|
||||
if(!has_useful_ta) {
|
||||
verbose(VERB_ALGO, "No usable trust anchors were found -- "
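Review bot: The new `int *nonechecked` out-parameter of verify_dnskeys_with_ds_rr is undocumented in the visible hunks, although both callers base a `return sec_status_insecure` on it, and that result stops validation for the delegation. The function's doc comment lies outside the hunk; it should gain a line such as `@param nonechecked: set to 1 when numchecked stayed 0 (no DNSKEY passed the basic match for this DS), else 0.` In val_verify_DNSKEY_with_TA the flag `has_checked_ds` is set only after the `ta_ds` call shown here. If other anchor types are tried in the part of that function not visible in these hunks, it is worth confirming that a failed check there cannot reach the new `has_algo_refusal && !has_checked_ds` return.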
|
||||
|
|
|
@ -3010,6 +3010,8 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
|
|||
* @param msg: result message (if rcode is OK).
|
||||
* @param qinfo: from the sub query state, query info.
|
||||
* @param origin: the origin of msg.
|
||||
* @param suspend: returned true if the task takes too long and needs to
|
||||
* suspend to continue the effort later.
|
||||
*/
|
||||
static void
|
||||
process_ds_response(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
|
|
|
@ -793,7 +793,7 @@
|
|||
#define PACKAGE_NAME "unbound"
|
||||
|
||||
/* Define to the full name and version of this package. */
|
||||
#define PACKAGE_STRING "unbound 1.19.1"
|
||||
#define PACKAGE_STRING "unbound 1.19.3"
|
||||
|
||||
/* Define to the one symbol short name of this package. */
|
||||
#define PACKAGE_TARNAME "unbound"
|
||||
|
@ -802,7 +802,7 @@
|
|||
#define PACKAGE_URL ""
|
||||
|
||||
/* Define to the version of this package. */
|
||||
#define PACKAGE_VERSION "1.19.1"
|
||||
#define PACKAGE_VERSION "1.19.3"
|
||||
|
||||
/* default pidfile location */
|
||||
#define PIDFILE "/var/unbound/unbound.pid"
|
||||
|
@ -825,7 +825,7 @@
|
|||
#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
|
||||
|
||||
/* version number for resource files */
|
||||
#define RSRC_PACKAGE_VERSION 1,19,0,0
|
||||
#define RSRC_PACKAGE_VERSION 1,19,3,0
|
||||
|
||||
/* Directory to chdir to */
|
||||
#define RUN_DIR "/var/unbound"
|
||||
|
|