Update to 1.7.1 (#1574495)
Signed-off-by: Petr Menšík <pemensik@redhat.com>
This commit is contained in:
Petr Menšík
parent
f81c94bdec
commit
749ca6b65b
1
.gitignore
vendored
1
.gitignore
vendored
@ -46,3 +46,4 @@ unbound-1.4.5.tar.gz
|
||||
/unbound-1.6.7.tar.gz
|
||||
/unbound-1.6.8.tar.gz
|
||||
/unbound-1.7.0.tar.gz
|
||||
/unbound-1.7.1.tar.gz
|
||||
|
||||
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (unbound-1.7.0.tar.gz) = 49b07643da2a89d8ceedce1295f550f74a76f4f11c2df54df55e9c42f03bad1b133789c7b36fb3c4f37d6b331ac302ecfd1249e8ebaaa4333beda8fa250b61d9
|
||||
SHA512 (unbound-1.7.1.tar.gz) = 99a68abf1f60f6ea80cf2973906df44da9c577d8cac969824af1ce9ca385a2e84dd684937480da87cb73c7dc41ad5c00b0013ec74103eadb8fd7dc6f98a89255
|
||||
|
||||
@ -1,199 +0,0 @@
|
||||
diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c
|
||||
index 7eb0df43..43abdc1b 100644
|
||||
--- a/cachedb/cachedb.c
|
||||
+++ b/cachedb/cachedb.c
|
||||
@@ -589,7 +589,8 @@ cachedb_intcache_lookup(struct module_qstate* qstate)
|
||||
qstate->region, qstate->env->scratch,
|
||||
1 /* no partial messages with only a CNAME */
|
||||
);
|
||||
- if(!msg && qstate->env->neg_cache) {
|
||||
+ if(!msg && qstate->env->neg_cache &&
|
||||
+ iter_qname_indicates_dnssec(qstate->env, &iq->qchase)) {
|
||||
/* lookup in negative cache; may result in
|
||||
* NOERROR/NODATA or NXDOMAIN answers that need validation */
|
||||
msg = val_neg_getmsg(qstate->env->neg_cache, &qstate->qinfo,
|
||||
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
|
||||
index 70cab40f..54844825 100644
|
||||
--- a/iterator/iter_utils.c
|
||||
+++ b/iterator/iter_utils.c
|
||||
@@ -625,7 +625,7 @@ iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
|
||||
}
|
||||
|
||||
int
|
||||
-iter_indicates_dnssec_fwd(struct module_env* env, struct query_info *qinfo)
|
||||
+iter_qname_indicates_dnssec(struct module_env* env, struct query_info *qinfo)
|
||||
{
|
||||
struct trust_anchor* a;
|
||||
if(!env || !env->anchors || !qinfo || !qinfo->qname)
|
||||
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
|
||||
index 602fa6db..a866d2c1 100644
|
||||
--- a/iterator/iter_utils.h
|
||||
+++ b/iterator/iter_utils.h
|
||||
@@ -174,15 +174,14 @@ int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
|
||||
struct delegpt* dp);
|
||||
|
||||
/**
|
||||
- * See if qname has DNSSEC needs in the forwarding case. This is true if
|
||||
- * there is a trust anchor above it. Whether there is an insecure delegation
|
||||
- * to the data is unknown, but CD-retry is needed.
|
||||
+ * See if qname has DNSSEC needs. This is true if there is a trust anchor above
|
||||
+ * it. Whether there is an insecure delegation to the data is unknown.
|
||||
* @param env: environment with anchors.
|
||||
* @param qinfo: query name and class.
|
||||
* @return true if trust anchor above qname, false if no anchor or insecure
|
||||
* point above qname.
|
||||
*/
|
||||
-int iter_indicates_dnssec_fwd(struct module_env* env,
|
||||
+int iter_qname_indicates_dnssec(struct module_env* env,
|
||||
struct query_info *qinfo);
|
||||
|
||||
/**
|
||||
diff --git a/iterator/iterator.c b/iterator/iterator.c
|
||||
index 7f3c6573..57fa839b 100644
|
||||
--- a/iterator/iterator.c
|
||||
+++ b/iterator/iterator.c
|
||||
@@ -1206,7 +1206,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
iq->qchase.qname_len, iq->qchase.qtype,
|
||||
iq->qchase.qclass, qstate->query_flags,
|
||||
qstate->region, qstate->env->scratch, 0);
|
||||
- if(!msg && qstate->env->neg_cache) {
|
||||
+ if(!msg && qstate->env->neg_cache &&
|
||||
+ iter_qname_indicates_dnssec(qstate->env, &iq->qchase)) {
|
||||
/* lookup in negative cache; may result in
|
||||
* NOERROR/NODATA or NXDOMAIN answers that need validation */
|
||||
msg = val_neg_getmsg(qstate->env->neg_cache, &iq->qchase,
|
||||
@@ -2366,7 +2367,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
* (blacklist nonempty) and no trust-anchors are configured
|
||||
* above the qname or on the first attempt when dnssec is on */
|
||||
EDNS_DO| ((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&&
|
||||
- !qstate->blacklist&&(!iter_indicates_dnssec_fwd(qstate->env,
|
||||
+ !qstate->blacklist&&(!iter_qname_indicates_dnssec(qstate->env,
|
||||
&iq->qinfo_out)||target->attempts==1)?0:BIT_CD),
|
||||
iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
|
||||
ie, iq), &target->addr, target->addrlen,
|
||||
diff --git a/testdata/val_negcache_nta.rpl b/testdata/val_negcache_nta.rpl
|
||||
new file mode 100755
|
||||
index 00000000..2331643f
|
||||
--- /dev/null
|
||||
+++ b/testdata/val_negcache_nta.rpl
|
||||
@@ -0,0 +1,120 @@
|
||||
+; config options
|
||||
+; The island of trust is at testzone.nlnetlabs.nl
|
||||
+server:
|
||||
+ trust-anchor: "testzone.nlnetlabs.nl. IN DS 2926 8 2 6f8512d1e82eecbd684fc4a76f39f8c5b411af385494873bdead663ddb78a88b"
|
||||
+ val-override-date: "20180213111425"
|
||||
+ target-fetch-policy: "0 0 0 0 0"
|
||||
+ trust-anchor-signaling: no
|
||||
+ aggressive-nsec: yes
|
||||
+ domain-insecure: "ant.testzone.nlnetlabs.nl"
|
||||
+
|
||||
+stub-zone:
|
||||
+ name: "testzone.nlnetlabs.nl"
|
||||
+ stub-addr: 185.49.140.60
|
||||
+stub-zone:
|
||||
+ name: "ant.testzone.nlnetlabs.nl"
|
||||
+ stub-addr: 185.49.140.61
|
||||
+CONFIG_END
|
||||
+
|
||||
+SCENARIO_BEGIN Test to not do aggressive NSEC for domains under NTA
|
||||
+
|
||||
+; testzone.nlnetlabs.nl nameserver
|
||||
+RANGE_BEGIN 0 100
|
||||
+ ADDRESS 185.49.140.60
|
||||
+
|
||||
+; response to DNSKEY priming query
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+testzone.nlnetlabs.nl. IN DNSKEY
|
||||
+SECTION ANSWER
|
||||
+testzone.nlnetlabs.nl. 3600 IN DNSKEY 256 3 8 AwEAAbrNEg01ByEpUUiip+GNAkNVjUfeX7sl9kPUssR3JQvhCJWVs7aBY0Ae1cNtQWgzCmidGorlXvEY2nNBiMM4l7IXqopJsgyj+Cb3nQPVLi/7yVwUb+AIwSJw1gRFElMYonsMOL9qUrJi8BBCnCR0EqkL+X4slmtkXSJbzQAwvHI7
|
||||
+testzone.nlnetlabs.nl. 3600 IN DNSKEY 257 3 8 AwEAAbn0eGV0wqMBQNSVTY//BoiOD7bexC7FcVv0fH9bwjKOA8I+ob377E14vZN2xRLC2b1GG5iBckjeI+N2dB9eC2KRnScU3Gbmtw75BBYfm/y4Hu72zEjEZ0ZGv6gjSZRv/1o87ODAwQaxN8/dQD+5U/5xu12XM39bCJZx2GWTbf5L
|
||||
+testzone.nlnetlabs.nl. 3600 IN RRSIG DNSKEY 8 3 3600 20180313101254 20180213101254 2926 testzone.nlnetlabs.nl. gSLZb/dSKutRlAKSo8ZCC1R+SkvABMYBRQsms77WPfYCDbt5GbXeuGqwGdadjEN8gGSU+qrYNxBZRhlYY6d2vtl+DGh67qwteHSwOCw0VvU64eVh38maJA1U673U4JtlBALzBOA/UHmXPlCgPPoW3BG0U3T2Qir/mqOmegmpBcw=
|
||||
+SECTION AUTHORITY
|
||||
+testzone.nlnetlabs.nl. 3600 IN NS ns.nlnetlabs.nl.
|
||||
+testzone.nlnetlabs.nl. 3600 IN RRSIG NS 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. Ox0iKc+z3i1qR1wMr8TBPYzuYO5UTaLrBsDagJAd25fvCkGN+h3HPmWlCIW0cBHsS+IaHXr1JhWutjSCc4UBcY+sT7Y7Fw3V1qdZW2KzbSgWUyPkTXoYcIIVLacSUTXEyltW6jj61WEI/RaUGUCJortvwH5iv1Hzee343isxObI=
|
||||
+SECTION ADDITIONAL
|
||||
+ENTRY_END
|
||||
+
|
||||
+; response for antelope.testzone.nlnetlabs.nl.
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR NXDOMAIN
|
||||
+SECTION QUESTION
|
||||
+antelope.testzone.nlnetlabs.nl. IN TXT
|
||||
+SECTION ANSWER
|
||||
+SECTION AUTHORITY
|
||||
+testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY
|
||||
+testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. gTKn6U1nal9oA79IRxLa/7zexl6A0yJZzeEGBbZ5rh5feyAr2X4LTR9bPCgcHeMVggf4FP+kD1L/sxzj/YLwB1ZKGKlwnzsHtPFTlmvDClaqQ76DRZq5Vejr2ZfnclBUb2vtxaXywTRW8oueaaq9flcShEQ/cQ+KRU8sc344qd0=
|
||||
+alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC
|
||||
+alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. QAgQ0AsMoYG02+VPfoOctSPlTHdQOkQt5fFkSkzIbVhUzNOqa+dB/Qkc81AwFeJosA+PvYjt6utcVkIWmK2Djy9eXC49gILtVF79vUe4G7ZrybO5NXjqNa5ANoUGM+yew4wkjeNOMVAsvs+1kvFY7S8RAa/0AIYlZHQ8vNBPNaI=
|
||||
+testzone.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
|
||||
+testzone.nlnetlabs.nl. 3600 IN RRSIG SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0=
|
||||
+SECTION ADDITIONAL
|
||||
+ENTRY_END
|
||||
+
|
||||
+RANGE_END
|
||||
+
|
||||
+; ant.testzone.nlnetlabs.nl nameserver
|
||||
+RANGE_BEGIN 0 100
|
||||
+ ADDRESS 185.49.140.61
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+ant.testzone.nlnetlabs.nl. IN TXT
|
||||
+SECTION ANSWER
|
||||
+ant.testzone.nlnetlabs.nl. 10 IN TXT "domain under NTA"
|
||||
+ENTRY_END
|
||||
+RANGE_END
|
||||
+
|
||||
+STEP 1 QUERY
|
||||
+ENTRY_BEGIN
|
||||
+REPLY RD DO
|
||||
+SECTION QUESTION
|
||||
+antelope.testzone.nlnetlabs.nl. IN TXT
|
||||
+ENTRY_END
|
||||
+
|
||||
+; recursion happens here.
|
||||
+STEP 10 CHECK_ANSWER
|
||||
+ENTRY_BEGIN
|
||||
+MATCH all
|
||||
+REPLY QR RD RA DO AD NXDOMAIN
|
||||
+SECTION QUESTION
|
||||
+antelope.testzone.nlnetlabs.nl. IN TXT
|
||||
+SECTION ANSWER
|
||||
+SECTION AUTHORITY
|
||||
+testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY
|
||||
+testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. gTKn6U1nal9oA79IRxLa/7zexl6A0yJZzeEGBbZ5rh5feyAr2X4LTR9bPCgcHeMVggf4FP+kD1L/sxzj/YLwB1ZKGKlwnzsHtPFTlmvDClaqQ76DRZq5Vejr2ZfnclBUb2vtxaXywTRW8oueaaq9flcShEQ/cQ+KRU8sc344qd0=
|
||||
+alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC
|
||||
+alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. QAgQ0AsMoYG02+VPfoOctSPlTHdQOkQt5fFkSkzIbVhUzNOqa+dB/Qkc81AwFeJosA+PvYjt6utcVkIWmK2Djy9eXC49gILtVF79vUe4G7ZrybO5NXjqNa5ANoUGM+yew4wkjeNOMVAsvs+1kvFY7S8RAa/0AIYlZHQ8vNBPNaI=
|
||||
+testzone.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
|
||||
+testzone.nlnetlabs.nl. 3600 IN RRSIG SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0=
|
||||
+SECTION ADDITIONAL
|
||||
+ENTRY_END
|
||||
+
|
||||
+; query for ant.testzone.nlnetlabs.nl, which is below an NTA
|
||||
+STEP 20 QUERY
|
||||
+ENTRY_BEGIN
|
||||
+REPLY RD DO
|
||||
+SECTION QUESTION
|
||||
+ant.testzone.nlnetlabs.nl. IN TXT
|
||||
+ENTRY_END
|
||||
+
|
||||
+STEP 30 CHECK_ANSWER
|
||||
+ENTRY_BEGIN
|
||||
+MATCH all
|
||||
+REPLY QR RD RA DO NOERROR
|
||||
+SECTION QUESTION
|
||||
+ant.testzone.nlnetlabs.nl. IN TXT
|
||||
+SECTION ANSWER
|
||||
+ant.testzone.nlnetlabs.nl. 10 IN TXT "domain under NTA"
|
||||
+ENTRY_END
|
||||
+
|
||||
+SCENARIO_END
|
||||
@ -1,10 +0,0 @@
|
||||
--- a/daemon/remote.c 2017-09-18 10:55:08.000000000 +0200
|
||||
+++ b/daemon/remote.c 2018-04-09 10:55:46.719032250 +0200
|
||||
@@ -1644,6 +1644,7 @@
|
||||
struct reply_info* d = (struct reply_info*)e->data;
|
||||
if(d->ttl > inf->expired) {
|
||||
d->ttl = inf->expired;
|
||||
+ d->prefetch_ttl = inf->expired;
|
||||
inf->num_msgs++;
|
||||
}
|
||||
}
|
||||
@ -1,33 +0,0 @@
|
||||
--- a/iterator/iterator.c 2018-04-04 19:03:14.483416675 +0200
|
||||
+++ b/iteratoriterator.c 2018-04-04 19:05:33.444712537 +0200
|
||||
@@ -2161,11 +2161,15 @@
|
||||
log_dns_msg("msg from auth zone",
|
||||
&iq->response->qinfo, iq->response->rep);
|
||||
}
|
||||
- iq->num_current_queries++;
|
||||
- iq->chase_to_rd = 0;
|
||||
- iq->dnssec_lame_query = 0;
|
||||
- iq->auth_zone_response = 1;
|
||||
- return next_state(iq, QUERY_RESP_STATE);
|
||||
+ if((iq->chase_flags&BIT_RD) && !(iq->response->rep->flags&BIT_AA)) {
|
||||
+ verbose(VERB_ALGO, "forwarder, ignoring referral from auth zone");
|
||||
+ } else {
|
||||
+ iq->num_current_queries++;
|
||||
+ iq->chase_to_rd = 0;
|
||||
+ iq->dnssec_lame_query = 0;
|
||||
+ iq->auth_zone_response = 1;
|
||||
+ return next_state(iq, QUERY_RESP_STATE);
|
||||
+ }
|
||||
}
|
||||
iq->auth_zone_response = 0;
|
||||
if(auth_fallback == 0) {
|
||||
@@ -2443,7 +2447,8 @@
|
||||
(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
|
||||
iq->response, &iq->qchase, iq->dp);
|
||||
iq->chase_to_rd = 0;
|
||||
- if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD)) {
|
||||
+ if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) &&
|
||||
+ !iq->auth_zone_response) {
|
||||
/* When forwarding (RD bit is set), we handle referrals
|
||||
* differently. No queries should be sent elsewhere */
|
||||
type = RESPONSE_TYPE_ANSWER;
|
||||
15
unbound.spec
15
unbound.spec
@ -33,8 +33,8 @@
|
||||
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.7.0
|
||||
Release: 5%{?extra_version:.%{extra_version}}%{?dist}
|
||||
Version: 1.7.1
|
||||
Release: 1%{?extra_version:.%{extra_version}}%{?dist}
|
||||
License: BSD
|
||||
Url: https://www.unbound.net/
|
||||
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
|
||||
@ -55,10 +55,6 @@ Source15: unbound-anchor.timer
|
||||
Source16: unbound-munin.README
|
||||
Source17: unbound-anchor.service
|
||||
|
||||
Patch1: unbound-1.7.0-aggrnsec.patch
|
||||
Patch2: unbound-1.7.0-ref.patch
|
||||
Patch3: unbound-1.7.0-prefetch.patch
|
||||
|
||||
BuildRequires: gcc, make
|
||||
BuildRequires: flex, openssl-devel
|
||||
BuildRequires: libevent-devel expat-devel
|
||||
@ -162,10 +158,6 @@ Python 3 modules and extensions for unbound
|
||||
%setup -qcn %{pkgname}
|
||||
|
||||
pushd %{pkgname}
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
|
||||
# only for snapshots
|
||||
# autoreconf -iv
|
||||
|
||||
@ -432,6 +424,9 @@ popd
|
||||
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
|
||||
|
||||
%changelog
|
||||
* Wed May 30 2018 Petr Menšík <pemensik@redhat.com> - 1.7.1-1
|
||||
- Update to 1.7.1 (#1574495)
|
||||
|
||||
* Mon Apr 09 2018 Petr Menšík <pemensik@redhat.com> - 1.7.0-5
|
||||
- Require gcc and make on build
|
||||
- Remove group, simplify systemd requires
|
||||
|
||||
Loading…
Reference in New Issue
Block a user