Merge branch 'master' of ssh://pkgs.fedoraproject.org/unbound

Conflicts:
	unbound.spec
This commit is contained in:
Paul Wouters 2013-08-12 11:56:28 -04:00
commit 97c849787b
35 changed files with 98 additions and 6009 deletions

View File

@ -1,15 +0,0 @@
Index: smallapp/unbound-checkconf.c
===================================================================
--- smallapp/unbound-checkconf.c (revision 1404)
+++ smallapp/unbound-checkconf.c (working copy)
@@ -258,7 +258,9 @@
{
struct config_strlist* p;
for(p=list; p; p=p->next) {
- check_chroot_string(desc, &p->str, chrootdir, cfg);
+ /* skip wildcard checks, may fail */
+ if(strstr(p->str,"*") == NULL)
+ check_chroot_string(desc, &p->str, chrootdir, cfg);
}
}

View File

@ -1,73 +0,0 @@
Index: validator/val_anchor.c
===================================================================
--- validator/val_anchor.c (revision 1404)
+++ validator/val_anchor.c (working copy)
@@ -47,6 +47,11 @@
#include "util/regional.h"
#include "util/config_file.h"
+#include <dirent.h>
+#include <libgen.h>
+#include <fnmatch.h>
+
+
int
anchor_cmp(const void* k1, const void* k2)
{
@@ -627,9 +633,53 @@
FILE* in = fopen(fname, "r");
int rdlen = 0;
if(!in) {
- log_err("error opening file %s: %s", fname, strerror(errno));
- return 0;
- }
+ if(strstr(fname,"*")!=NULL) {
+ struct dirent **namelist;
+ char *fnameb = strdup(fname);
+ char *fnamef = strdup(fname);
+ char *dbase, *globmatch;
+ dbase = dirname(fnameb);
+ globmatch = basename(fnamef);
+ int n;
+ verbose(VERB_QUERY, "wildcard found, processing directory");
+ n = scandir(dbase,&namelist, 0, 0);
+ if (n<0) {
+ log_err("error opening wildcard in dir: %s:", dbase);
+ free(namelist);
+ free(dbase);
+ free(fnameb);
+ free(fnamef);
+ free(globmatch);
+ return 1;
+ }
+ else {
+ while(n--) {
+ if (namelist[n]->d_type != DT_DIR) {
+ if(!fnmatch(globmatch,namelist[n]->d_name,0)) {
+ // log_err( "file %s matched pattern %s - loading", namelist[n]->d_name, globmatch);
+ char *newname = malloc(strlen(namelist[n]->d_name) + strlen(dbase) + strlen("/") + 1);
+ strcpy(newname, dbase);
+ strcat(newname,"/");
+ strcat(newname, namelist[n]->d_name);
+ if(!anchor_read_bind_file(anchors, buffer,newname)) {
+ log_err("error reading wildcard trusted-keys-file: %s", newname);
+ }
+ free(newname);
+ } else {
+ // log_err("file %s did not match pattern %s", namelist[n]->d_name, globmatch);
+ }
+ }
+ free(namelist[n]);
+ }
+ free(namelist);
+ free(dbase);
+ // causes segfault free(fnameb);
+ free(fnamef);
+ // causes segfault free(globmatch);
+ }
+ return 1;
+ }
+ }
verbose(VERB_QUERY, "reading in bind-compat-mode: '%s'", fname);
/* scan for trusted-keys keyword, ignore everything else */
ldns_buffer_clear(buffer);

View File

@ -1,13 +0,0 @@
diff -Naur unbound-1.2.0/validator/val_anchor.c unbound-1.2.0.new/validator/val_anchor.c
--- unbound-1.2.0/validator/val_anchor.c 2009-01-07 07:24:34.000000000 -0500
+++ unbound-1.2.0.new/validator/val_anchor.c 2009-01-20 17:31:43.000000000 -0500
@@ -718,7 +718,8 @@
log_err("wildcard trusted-keys-file %s: expansion "
"failed (%s)", pat, strerror(errno));
}
- return 0;
+ /* ignore globs that yield no files */
+ return 1;
}
/* process files found, if any */
for(i=0; i<(size_t)g.gl_pathc; i++) {

View File

@ -1,11 +0,0 @@
--- pythonmod/pythonmod.c.orig 2011-08-08 20:45:48.344987246 +0200
+++ pythonmod/pythonmod.c 2011-08-08 21:31:41.429025557 +0200
@@ -153,6 +153,8 @@
}
PyRun_SimpleString("sys.path.append('"RUN_DIR"') \n");
PyRun_SimpleString("sys.path.append('"SHARE_DIR"') \n");
+ PyRun_SimpleString("import sysconfig \n");
+ PyRun_SimpleString("sys.path.append(sysconfig.get_path('purelib')) \n");
if (PyRun_SimpleString("from unboundmodule import *\n") < 0)
{
log_err("pythonmod: cannot initialize core module: unboundmodule.py");

View File

@ -1,109 +0,0 @@
Index: services/outside_network.c
===================================================================
--- services/outside_network.c (revision 2491)
+++ services/outside_network.c (revision 2493)
@@ -1199,6 +1199,7 @@
if(sq->status == serviced_query_UDP_EDNS ||
sq->status == serviced_query_UDP ||
sq->status == serviced_query_PROBE_EDNS ||
+ sq->status == serviced_query_UDP_EDNS_FRAG ||
sq->status == serviced_query_UDP_EDNS_fallback) {
struct pending* p = (struct pending*)sq->pending;
if(p->pc)
@@ -1280,7 +1281,19 @@
edns.edns_present = 1;
edns.ext_rcode = 0;
edns.edns_version = EDNS_ADVERTISED_VERSION;
- edns.udp_size = EDNS_ADVERTISED_SIZE;
+ if(sq->status == serviced_query_UDP_EDNS_FRAG) {
+ if(addr_is_ip6(&sq->addr, sq->addrlen)) {
+ if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE)
+ edns.udp_size = EDNS_FRAG_SIZE_IP6;
+ else edns.udp_size = EDNS_ADVERTISED_SIZE;
+ } else {
+ if(EDNS_FRAG_SIZE_IP4 < EDNS_ADVERTISED_SIZE)
+ edns.udp_size = EDNS_FRAG_SIZE_IP4;
+ else edns.udp_size = EDNS_ADVERTISED_SIZE;
+ }
+ } else {
+ edns.udp_size = EDNS_ADVERTISED_SIZE;
+ }
edns.bits = 0;
if(sq->dnssec & EDNS_DO)
edns.bits = EDNS_DO;
@@ -1324,7 +1337,8 @@
sq->status = serviced_query_UDP;
}
}
- serviced_encode(sq, buff, sq->status == serviced_query_UDP_EDNS);
+ serviced_encode(sq, buff, (sq->status == serviced_query_UDP_EDNS) ||
+ (sq->status == serviced_query_UDP_EDNS_FRAG));
sq->last_sent_time = *sq->outnet->now_tv;
sq->edns_lame_known = (int)edns_lame_known;
verbose(VERB_ALGO, "serviced query UDP timeout=%d msec", rtt);
@@ -1564,6 +1578,20 @@
* by EDNS. */
sq->status = serviced_query_UDP_EDNS;
}
+ if(sq->status == serviced_query_UDP_EDNS) {
+ /* fallback to 1480/1280 */
+ sq->status = serviced_query_UDP_EDNS_FRAG;
+ log_name_addr(VERB_ALGO, "try edns1xx0", sq->qbuf+10,
+ &sq->addr, sq->addrlen);
+ if(!serviced_udp_send(sq, c->buffer)) {
+ serviced_callbacks(sq, NETEVENT_CLOSED, c, rep);
+ }
+ return 0;
+ }
+ if(sq->status == serviced_query_UDP_EDNS_FRAG) {
+ /* fragmentation size did not fix it */
+ sq->status = serviced_query_UDP_EDNS;
+ }
sq->retry++;
if(!(rto=infra_rtt_update(outnet->infra, &sq->addr, sq->addrlen,
-1, sq->last_rtt, (uint32_t)now.tv_sec)))
@@ -1589,7 +1617,8 @@
return 0;
}
if(!fallback_tcp) {
- if(sq->status == serviced_query_UDP_EDNS
+ if( (sq->status == serviced_query_UDP_EDNS
+ ||sq->status == serviced_query_UDP_EDNS_FRAG)
&& (LDNS_RCODE_WIRE(ldns_buffer_begin(c->buffer))
== LDNS_RCODE_FORMERR || LDNS_RCODE_WIRE(
ldns_buffer_begin(c->buffer)) == LDNS_RCODE_NOTIMPL)) {
@@ -1866,6 +1895,7 @@
if(sq->status == serviced_query_UDP_EDNS ||
sq->status == serviced_query_UDP ||
sq->status == serviced_query_PROBE_EDNS ||
+ sq->status == serviced_query_UDP_EDNS_FRAG ||
sq->status == serviced_query_UDP_EDNS_fallback) {
s += sizeof(struct pending);
s += comm_timer_get_mem(NULL);
Index: services/outside_network.h
===================================================================
--- services/outside_network.h (revision 2491)
+++ services/outside_network.h (revision 2493)
@@ -274,6 +274,11 @@
void* cb_arg;
};
+/** fallback size for fragmentation for EDNS in IPv4 */
+#define EDNS_FRAG_SIZE_IP4 1480
+/** fallback size for EDNS in IPv6, fits one fragment with ip6-tunnel-ids */
+#define EDNS_FRAG_SIZE_IP6 1260
+
/**
* Query service record.
* Contains query and destination. UDP, TCP, EDNS are all tried.
@@ -314,7 +319,9 @@
/** probe to test noEDNS0 (EDNS gives FORMERRorNOTIMP) */
serviced_query_UDP_EDNS_fallback,
/** probe to test TCP noEDNS0 (EDNS gives FORMERRorNOTIMP) */
- serviced_query_TCP_EDNS_fallback
+ serviced_query_TCP_EDNS_fallback,
+ /** send UDP query with EDNS1480 (or 1280) */
+ serviced_query_UDP_EDNS_FRAG
}
/** variable with current status */
status;

View File

@ -1,49 +0,0 @@
>From fe05ea0802ff3f2fd2f49ed0bb3f1f0f4542f196 Mon Sep 17 00:00:00 2001
From: "Robert S. Edmonds" <edmonds@debian.org>
Date: Sat, 28 Jan 2012 20:05:43 -0500
Subject: [PATCH] Makefile.in: use -version-info, not -version-number
from the libtool manual:
-version-info current[:revision[:age]]
If output-file is a libtool library, use interface version
information current, revision, and age to build it (see
Versioning). Do not use this flag to specify package release
information, rather see the -release flag.
-version-number major[:minor[:revision]]
If output-file is a libtool library, compute interface version
information so that the resulting library uses the specified
major, minor and revision numbers. This is designed to permit
libtool to be used with existing projects where identical
version numbers are already used across operating systems. New
projects should use the -version-info flag instead.
---
Makefile.in | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index bdd8dba..4c26f52 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -224,7 +224,7 @@ ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS)
LINK=$(LIBTOOL) --tag=CC --mode=link $(CC) $(staticexe) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS)
-LINK_LIB=$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(staticexe) -version-number @LIBUNBOUND_CURRENT@:@LIBUNBOUND_REVISION@:@LIBUNBOUND_AGE@ -no-undefined
+LINK_LIB=$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(staticexe) -version-info @LIBUNBOUND_CURRENT@:@LIBUNBOUND_REVISION@:@LIBUNBOUND_AGE@ -no-undefined
.PHONY: clean realclean doc lint all install uninstall tests test strip lib longtest longcheck check
@@ -369,7 +369,7 @@ libunbound/python/libunbound_wrap.c: $(srcdir)/libunbound/python/libunbound.i $(
# Pyunbound python unbound wrapper
_unbound.la: libunbound_wrap.lo libunbound.la
- $(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -version-number @LIBUNBOUND_CURRENT@:@LIBUNBOUND_REVISION@:@LIBUNBOUND_AGE@ -no-undefined -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) L. -L.libs -lunbound $(LIBS)
+ $(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -version-info @LIBUNBOUND_CURRENT@:@LIBUNBOUND_REVISION@:@LIBUNBOUND_AGE@ -no-undefined -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) L. -L.libs -lunbound $(LIBS)
util/config_file.c: util/configparser.h
util/configlexer.c: $(srcdir)/util/configlexer.lex util/configparser.h
--
1.7.8.3

View File

@ -1,100 +0,0 @@
diff -aur unbound-1.4.17-orig/iterator/iterator.c unbound-1.4.17/iterator/iterator.c
--- unbound-1.4.17-orig/iterator/iterator.c 2012-03-21 11:01:01.000000000 -0400
+++ unbound-1.4.17/iterator/iterator.c 2012-07-23 13:29:05.755093317 -0400
@@ -1541,8 +1541,7 @@
* the final state (i.e., on answer).
*/
static int
-processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq,
- int id)
+processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
{
struct module_qstate* subq = NULL;
verbose(VERB_ALGO, "processDSNSFind");
@@ -1906,8 +1905,16 @@
if(iq->qchase.qtype == LDNS_RR_TYPE_DS && !iq->dsns_point
&& !(iq->chase_flags&BIT_RD)
&& iter_ds_toolow(iq->response, iq->dp)
- && iter_dp_cangodown(&iq->qchase, iq->dp))
+ && iter_dp_cangodown(&iq->qchase, iq->dp)) {
+ /* close down outstanding requests to be discarded */
+ outbound_list_clear(&iq->outlist);
+ iq->num_current_queries = 0;
+ fptr_ok(fptr_whitelist_modenv_detach_subs(
+ qstate->env->detach_subs));
+ (*qstate->env->detach_subs)(qstate);
+ iq->num_target_queries = 0;
return processDSNSFind(qstate, iq, id);
+ }
if(!iter_dns_store(qstate->env, &iq->response->qinfo,
iq->response->rep, 0, qstate->prefetch_leeway,
iq->dp&&iq->dp->has_parent_side_NS,
@@ -2032,8 +2039,15 @@
if(iq->qchase.qtype == LDNS_RR_TYPE_DS && !iq->dsns_point
&& !(iq->chase_flags&BIT_RD)
&& iter_ds_toolow(iq->response, iq->dp)
- && iter_dp_cangodown(&iq->qchase, iq->dp))
+ && iter_dp_cangodown(&iq->qchase, iq->dp)) {
+ outbound_list_clear(&iq->outlist);
+ iq->num_current_queries = 0;
+ fptr_ok(fptr_whitelist_modenv_detach_subs(
+ qstate->env->detach_subs));
+ (*qstate->env->detach_subs)(qstate);
+ iq->num_target_queries = 0;
return processDSNSFind(qstate, iq, id);
+ }
/* Process the CNAME response. */
if(!handle_cname_response(qstate, iq, iq->response,
&sname, &snamelen))
diff -aur unbound-1.4.17-orig/services/mesh.c unbound-1.4.17/services/mesh.c
--- unbound-1.4.17-orig/services/mesh.c 2011-11-10 13:44:06.000000000 -0500
+++ unbound-1.4.17/services/mesh.c 2012-07-23 13:27:08.163096837 -0400
@@ -676,6 +676,7 @@
/* find it, if not, create it */
struct mesh_area* mesh = qstate->env->mesh;
struct mesh_state* sub = mesh_area_find(mesh, qinfo, qflags, prime);
+ int was_detached;
if(mesh_detect_cycle_found(qstate, sub)) {
verbose(VERB_ALGO, "attach failed, cycle detected");
return 0;
@@ -706,9 +707,12 @@
*newq = &sub->s;
} else
*newq = NULL;
+ was_detached = (sub->super_set.count == 0);
if(!mesh_state_attachment(qstate->mesh_info, sub))
return 0;
- if(!sub->reply_list && !sub->cb_list && sub->super_set.count == 1) {
+ /* if it was a duplicate attachment, the count was not zero before */
+ if(!sub->reply_list && !sub->cb_list && was_detached &&
+ sub->super_set.count == 1) {
/* it used to be detached, before this one got added */
log_assert(mesh->num_detached_states > 0);
mesh->num_detached_states--;
@@ -735,16 +739,20 @@
superref->s = super;
subref->node.key = subref;
subref->s = sub;
-#ifdef UNBOUND_DEBUG
- n =
-#endif
- rbtree_insert(&sub->super_set, &superref->node);
- log_assert(n != NULL);
+ if(!rbtree_insert(&sub->super_set, &superref->node)) {
+ /* this should not happen, iterator and validator do not
+ * attach subqueries that are identical. */
+ /* already attached, we are done, nothing todo.
+ * since superref and subref already allocated in region,
+ * we cannot free them */
+ return 1;
+ }
#ifdef UNBOUND_DEBUG
n =
#endif
rbtree_insert(&super->sub_set, &subref->node);
- log_assert(n != NULL);
+ log_assert(n != NULL); /* we checked above if statement, the reverse
+ administration should not fail now, unless they are out of sync */
return 1;
}

View File

@ -1,109 +0,0 @@
diff -Naur unbound-1.4.17-orig/config.h.in unbound-1.4.17/config.h.in
--- unbound-1.4.17-orig/config.h.in 2012-02-13 05:42:22.000000000 -0500
+++ unbound-1.4.17/config.h.in 2012-07-03 11:08:53.440318529 -0400
@@ -106,6 +106,9 @@
/* Define to 1 if you have the `fcntl' function. */
#undef HAVE_FCNTL
+/* Define to 1 if you have the `FIPS_mode' function. */
+#undef HAVE_FIPS_MODE
+
/* Define to 1 if you have the `fork' function. */
#undef HAVE_FORK
diff -Naur unbound-1.4.17-orig/configure unbound-1.4.17/configure
--- unbound-1.4.17-orig/configure 2012-05-24 04:37:55.000000000 -0400
+++ unbound-1.4.17/configure 2012-07-03 11:08:53.445318575 -0400
@@ -16376,7 +16376,7 @@
done
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
diff -Naur unbound-1.4.17-orig/configure.ac unbound-1.4.17/configure.ac
--- unbound-1.4.17-orig/configure.ac 2012-05-15 10:50:21.000000000 -0400
+++ unbound-1.4.17/configure.ac 2012-07-03 11:08:53.447318592 -0400
@@ -515,7 +515,7 @@
ACX_LIB_SSL
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
AC_INCLUDES_DEFAULT
#ifdef HAVE_OPENSSL_ERR_H
diff -Naur unbound-1.4.17-orig/util/random.c unbound-1.4.17/util/random.c
--- unbound-1.4.17-orig/util/random.c 2012-05-09 05:13:57.000000000 -0400
+++ unbound-1.4.17/util/random.c 2012-07-03 11:08:53.440318529 -0400
@@ -140,6 +140,16 @@
return;
}
}
+#ifdef HAVE_FIPS_MODE
+ if(FIPS_mode()) {
+ /* RC4 is not allowed, get some trustworthy randomness */
+ /* double certainty here, this routine should not be
+ * called in FIPS_mode */
+ memset(rand_buf, 0, sizeof(rand_buf));
+ s->rc4_ready = REKEY_BYTES;
+ return;
+ }
+#endif /* FIPS_MODE */
RC4_set_key(&s->rc4, SEED_SIZE, (unsigned char*)rand_buf);
/*
@@ -164,6 +174,9 @@
return NULL;
}
ub_systemseed(seed);
+#ifdef HAVE_FIPS_MODE
+ if(!FIPS_mode())
+#endif
ub_arc4random_stir(s, from);
return s;
}
@@ -172,6 +185,20 @@
ub_random(struct ub_randstate* s)
{
unsigned int r = 0;
+#ifdef HAVE_FIPS_MODE
+ if(FIPS_mode()) {
+ /* RC4 is not allowed, get some trustworthy randomness */
+ /* we use pseudo bytes: it tries to return secure randomness
+ * but returns 'something' if that fails. We need something
+ * else if it fails, because we cannot block here */
+ if(RAND_pseudo_bytes((unsigned char*)&r, (int)sizeof(r))
+ == -1) {
+ log_err("FIPSmode, no arc4random but RAND failed "
+ "(error %ld)", ERR_get_error());
+ }
+ return (long int)((r) % (((unsigned)MAX_VALUE + 1)));
+ }
+#endif /* FIPS_MODE */
if (s->rc4_ready <= 0) {
ub_arc4random_stir(s, NULL);
}
diff -Naur unbound-1.4.17-orig/validator/val_sigcrypt.c unbound-1.4.17/validator/val_sigcrypt.c
--- unbound-1.4.17-orig/validator/val_sigcrypt.c 2012-02-16 05:08:07.000000000 -0500
+++ unbound-1.4.17/validator/val_sigcrypt.c 2012-07-03 11:15:31.724850996 -0400
@@ -417,11 +417,16 @@
dnskey_algo_id_is_supported(int id)
{
switch(id) {
+ case LDNS_RSAMD5:
+#ifdef HAVE_FIPS_MODE
+ return !FIPS_mode();
+#else
+ return 1;
+#endif
case LDNS_DSA:
case LDNS_DSA_NSEC3:
case LDNS_RSASHA1:
case LDNS_RSASHA1_NSEC3:
- case LDNS_RSAMD5:
#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
case LDNS_RSASHA256:
#endif

View File

@ -1,265 +0,0 @@
diff -Naur unbound-1.4.18-orig/util/config_file.c unbound-1.4.18/util/config_file.c
--- unbound-1.4.18-orig/util/config_file.c 2012-06-18 10:22:29.000000000 -0400
+++ unbound-1.4.18/util/config_file.c 2012-09-26 00:45:37.509190970 -0400
@@ -53,6 +53,10 @@
#include "util/regional.h"
#include "util/fptr_wlist.h"
#include "util/data/dname.h"
+#ifdef HAVE_GLOB_H
+# include <glob.h>
+#endif
+
/** global config during parsing */
struct config_parser_state* cfg_parser = 0;
/** lex in file */
@@ -689,6 +693,65 @@
char *fname = (char*)filename;
if(!fname)
return 1;
+
+ /* check for wildcards */
+#ifdef HAVE_GLOB
+ glob_t g;
+ size_t i;
+ int r, flags;
+ if(!(!strchr(fname, '*') && !strchr(fname, '?') && !strchr(fname, '[') &&
+ !strchr(fname, '{') && !strchr(fname, '~'))) {
+ verbose(VERB_QUERY, "wildcard found, processing %s", fname);
+ flags = 0
+#ifdef GLOB_ERR
+ | GLOB_ERR
+#endif
+#ifdef GLOB_NOSORT
+ | GLOB_NOSORT
+#endif
+#ifdef GLOB_BRACE
+ | GLOB_BRACE
+#endif
+#ifdef GLOB_TILDE
+ | GLOB_TILDE
+#endif
+ ;
+ memset(&g, 0, sizeof(g));
+ r = glob(fname, flags, NULL, &g);
+ if(r) {
+ /* some error */
+ if(r == GLOB_NOMATCH) {
+ verbose(VERB_QUERY, "include: "
+ "no matches for %s", fname);
+ return 1;
+ } else if(r == GLOB_NOSPACE) {
+ log_err("include: %s: "
+ "fnametern out of memory", fname);
+ } else if(r == GLOB_ABORTED) {
+ log_err("wildcard include: %s: expansion "
+ "aborted (%s)", fname, strerror(errno));
+ } else {
+ log_err("wildcard include: %s: expansion "
+ "failed (%s)", fname, strerror(errno));
+ }
+ /* ignore globs that yield no files */
+ return 1;
+ }
+ /* process files found, if any */
+ for(i=0; i<(size_t)g.gl_pathc; i++) {
+ if(!config_read(cfg, g.gl_pathv[i], chroot)) {
+ log_err("error reading wildcard "
+ "include: %s", g.gl_pathv[i]);
+ globfree(&g);
+ return 0;
+ }
+ }
+ globfree(&g);
+ return 1;
+ }
+#endif
+
+
in = fopen(fname, "r");
if(!in) {
log_err("Could not open %s: %s", fname, strerror(errno));
diff -Naur unbound-1.4.18-orig/util/configlexer.c unbound-1.4.18/util/configlexer.c
--- unbound-1.4.18-orig/util/configlexer.c 2012-08-02 03:26:14.000000000 -0400
+++ unbound-1.4.18/util/configlexer.c 2012-09-26 00:47:40.856511450 -0400
@@ -22,6 +22,10 @@
#include <string.h>
#include <errno.h>
#include <stdlib.h>
+#ifdef HAVE_GLOB_H
+# include <glob.h>
+#endif
+
/* end standard C headers. */
@@ -1827,7 +1831,7 @@
}
input = fopen(filename, "r");
if(!input) {
- ub_c_error_msg("cannot open include file '%s': %s",
+ ub_c_error_msg("(c)cannot open include file '%s': %s",
filename, strerror(errno));
return;
}
@@ -1841,6 +1845,46 @@
++config_include_stack_ptr;
}
+static void config_start_include_glob(const char* filename)
+{
+#ifdef HAVE_GLOB
+ glob_t g;
+ size_t i;
+ int r, flags;
+ if(!(!strchr(filename, '*') && !strchr(filename, '?') && !strchr(filename, '[') &&
+ !strchr(filename, '{') && !strchr(filename, '~'))) {
+ /* verbose(VERB_QUERY, "wildcard found, processing %s", filename); */
+ flags = 0
+#ifdef GLOB_ERR
+ | GLOB_ERR
+#endif
+#ifdef GLOB_NOSORT
+ | GLOB_NOSORT
+#endif
+#ifdef GLOB_BRACE
+ | GLOB_BRACE
+#endif
+#ifdef GLOB_TILDE
+ | GLOB_TILDE
+#endif
+ ;
+ memset(&g, 0, sizeof(g));
+ r = glob(filename, flags, NULL, &g);
+ if(r) {
+ /* some error */
+ return;
+ }
+ /* process files found, if any */
+ for(i=0; i<(size_t)g.gl_pathc; i++) {
+ config_start_include(g.gl_pathv[i]);
+ }
+ globfree(&g);
+ return;
+ }
+#endif
+ config_start_include(filename);
+}
+
static void config_end_include(void)
{
--config_include_stack_ptr;
@@ -2875,7 +2919,7 @@
#line 300 "util/configlexer.lex"
{
LEXOUT(("Iunquotedstr(%s) ", yytext));
- config_start_include(yytext);
+ config_start_include_glob(yytext);
BEGIN(inc_prev);
}
YY_BREAK
@@ -2904,7 +2948,7 @@
{
LEXOUT(("IQE "));
yytext[yyleng - 1] = '\0';
- config_start_include(yytext);
+ config_start_include_glob(yytext);
BEGIN(inc_prev);
}
YY_BREAK
diff -Naur unbound-1.4.18-orig/util/configlexer.lex unbound-1.4.18/util/configlexer.lex
--- unbound-1.4.18-orig/util/configlexer.lex 2012-04-10 05:16:39.000000000 -0400
+++ unbound-1.4.18/util/configlexer.lex 2012-09-26 00:46:59.135064805 -0400
@@ -11,6 +11,9 @@
#include <ctype.h>
#include <string.h>
#include <strings.h>
+#ifdef HAVE_GLOB_H
+# include <glob.h>
+#endif
#include "util/config_file.h"
#include "util/configparser.h"
@@ -43,6 +46,7 @@
static int inc_prev = 0;
static int num_args = 0;
+
static void config_start_include(const char* filename)
{
FILE *input;
@@ -60,7 +64,7 @@
}
input = fopen(filename, "r");
if(!input) {
- ub_c_error_msg("cannot open include file '%s': %s",
+ ub_c_error_msg("(lex)cannot open include file '%s': %s",
filename, strerror(errno));
return;
}
@@ -74,6 +78,48 @@
++config_include_stack_ptr;
}
+static void config_start_include_glob(const char* filename)
+{
+
+ /* check for wildcards */
+#ifdef HAVE_GLOB
+ glob_t g;
+ size_t i;
+ int r, flags;
+ if(!(!strchr(filename, '*') && !strchr(filename, '?') && !strchr(filename, '[') &&
+ !strchr(filename, '{') && !strchr(filename, '~'))) {
+ /* verbose(VERB_QUERY, "wildcard found, processing %s", filename); */
+ flags = 0
+#ifdef GLOB_ERR
+ | GLOB_ERR
+#endif
+#ifdef GLOB_NOSORT
+ | GLOB_NOSORT
+#endif
+#ifdef GLOB_BRACE
+ | GLOB_BRACE
+#endif
+#ifdef GLOB_TILDE
+ | GLOB_TILDE
+#endif
+ ;
+ memset(&g, 0, sizeof(g));
+ r = glob(filename, flags, NULL, &g);
+ if(r) {
+ /* some error */
+ return config_start_include(filename); /* let original deal with it */
+ }
+ /* process files found, if any */
+ for(i=0; i<(size_t)g.gl_pathc; i++) {
+ config_start_include(g.gl_pathv[i]);
+ }
+ globfree(&g);
+ return 1;
+ }
+#endif
+
+ config_start_include(filename);
+}
static void config_end_include(void)
{
--config_include_stack_ptr;
@@ -299,7 +345,7 @@
<include>\" { LEXOUT(("IQS ")); BEGIN(include_quoted); }
<include>{UNQUOTEDLETTER}* {
LEXOUT(("Iunquotedstr(%s) ", yytext));
- config_start_include(yytext);
+ config_start_include_glob(yytext);
BEGIN(inc_prev);
}
<include_quoted><<EOF>> {
@@ -312,7 +358,7 @@
<include_quoted>\" {
LEXOUT(("IQE "));
yytext[yyleng - 1] = '\0';
- config_start_include(yytext);
+ config_start_include_glob(yytext);
BEGIN(inc_prev);
}
<INITIAL,val><<EOF>> {

View File

@ -1,104 +0,0 @@
Index: daemon/daemon.c
===================================================================
--- daemon/daemon.c (revision 2732)
+++ daemon/daemon.c (revision 2733)
@@ -209,6 +209,10 @@
comp_meth = (void*)SSL_COMP_get_compression_methods();
# endif
(void)SSL_library_init();
+# if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+ if(!ub_openssl_lock_init())
+ fatal_exit("could not init openssl locks");
+# endif
#elif defined(HAVE_NSS)
if(NSS_NoDB_Init(NULL) != SECSuccess)
fatal_exit("could not init NSS");
@@ -568,6 +572,9 @@
ERR_remove_state(0);
ERR_free_strings();
RAND_cleanup();
+# if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+ ub_openssl_lock_delete();
+# endif
#elif defined(HAVE_NSS)
NSS_Shutdown();
#endif /* HAVE_SSL or HAVE_NSS */
Index: util/net_help.c
===================================================================
--- util/net_help.c (revision 2732)
+++ util/net_help.c (revision 2733)
@@ -725,3 +725,54 @@
return NULL;
#endif
}
+
+/** global lock list for openssl locks */
+static lock_basic_t *ub_openssl_locks = NULL;
+
+/** callback that gets thread id for openssl */
+static unsigned long
+ub_crypto_id_cb(void)
+{
+ return (unsigned long)ub_thread_self();
+}
+
+static void
+ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
+ int ATTR_UNUSED(line))
+{
+ if((mode&CRYPTO_LOCK)) {
+ lock_basic_lock(&ub_openssl_locks[type]);
+ } else {
+ lock_basic_unlock(&ub_openssl_locks[type]);
+ }
+}
+
+int ub_openssl_lock_init(void)
+{
+#ifdef OPENSSL_THREADS
+ size_t i;
+ ub_openssl_locks = (lock_basic_t*)malloc(
+ sizeof(lock_basic_t)*CRYPTO_num_locks());
+ if(!ub_openssl_locks)
+ return 0;
+ for(i=0; i<CRYPTO_num_locks(); i++) {
+ lock_basic_init(&ub_openssl_locks[i]);
+ }
+ CRYPTO_set_id_callback(&ub_crypto_id_cb);
+ CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
+#endif /* OPENSSL_THREADS */
+ return 1;
+}
+
+void ub_openssl_lock_delete(void)
+{
+#ifdef OPENSSL_THREADS
+ size_t i;
+ if(!ub_openssl_locks)
+ return;
+ for(i=0; i<CRYPTO_num_locks(); i++) {
+ lock_basic_destroy(&ub_openssl_locks[i]);
+ }
+#endif /* OPENSSL_THREADS */
+}
+
Index: util/net_help.h
===================================================================
--- util/net_help.h (revision 2732)
+++ util/net_help.h (revision 2733)
@@ -369,4 +369,15 @@
*/
void* outgoing_ssl_fd(void* sslctx, int fd);
+/**
+ * Initialize openssl locking for thread safety
+ * @return false on failure (alloc failure).
+ */
+int ub_openssl_lock_init(void);
+
+/**
+ * De-init the allocated openssl locks
+ */
+void ub_openssl_lock_delete(void);
+
#endif /* NET_HELP_H */

View File

@ -1,44 +0,0 @@
Index: iterator/iter_fwd.c
===================================================================
--- iterator/iter_fwd.c (revision 2780)
+++ iterator/iter_fwd.c (working copy)
@@ -270,25 +270,6 @@
return 1;
}
-/** see if zone needs to have a hole inserted */
-static int
-need_hole_insert(rbtree_t* tree, struct iter_forward_zone* zone)
-{
- struct iter_forward_zone k;
- if(rbtree_search(tree, zone))
- return 0; /* exact match exists */
- k = *zone;
- k.node.key = &k;
- /* search up the tree */
- do {
- dname_remove_label(&k.name, &k.namelen);
- k.namelabs --;
- if(rbtree_search(tree, &k))
- return 1; /* found an upper forward zone, need hole */
- } while(k.namelabs > 1);
- return 0; /* no forwards above, no holes needed */
-}
-
/** insert a stub hole (if necessary) for stub name */
static int
fwd_add_stub_hole(struct iter_forwards* fwd, uint16_t c, uint8_t* nm)
@@ -298,11 +279,8 @@
key.dclass = c;
key.name = nm;
key.namelabs = dname_count_size_labels(key.name, &key.namelen);
- if(need_hole_insert(fwd->tree, &key)) {
- return forwards_insert_data(fwd, key.dclass, key.name,
- key.namelen, key.namelabs, NULL);
- }
- return 1;
+ return forwards_insert_data(fwd, key.dclass, key.name,
+ key.namelen, key.namelabs, NULL);
}
/** make NULL entries for stubs */

View File

@ -1,32 +0,0 @@
diff -Naur unbound-1.4.19-orig/smallapp/unbound-anchor.c unbound-1.4.19/smallapp/unbound-anchor.c
--- unbound-1.4.19-orig/smallapp/unbound-anchor.c 2012-10-30 11:13:53.000000000 -0400
+++ unbound-1.4.19/smallapp/unbound-anchor.c 2012-12-20 13:18:11.048256192 -0500
@@ -1503,6 +1503,20 @@
}
}
+/* Stop the parser when an entity declaration is encountered. For safety. */
+static void
+xml_entitydeclhandler(void *userData,
+ const XML_Char *ATTR_UNUSED(entityName),
+ int ATTR_UNUSED(is_parameter_entity),
+ const XML_Char *ATTR_UNUSED(value), int ATTR_UNUSED(value_length),
+ const XML_Char *ATTR_UNUSED(base),
+ const XML_Char *ATTR_UNUSED(systemId),
+ const XML_Char *ATTR_UNUSED(publicId),
+ const XML_Char *ATTR_UNUSED(notationName))
+{
+ XML_StopParser((XML_Parser)userData, XML_FALSE);
+}
+
/**
* XML parser setup of the callbacks for the tags
*/
@@ -1531,6 +1545,7 @@
if(verb) printf("out of memory\n");
exit(0);
}
+ XML_SetEntityDeclHandler(parser, xml_entitydeclhandler);
XML_SetElementHandler(parser, xml_startelem, xml_endelem);
XML_SetCharacterDataHandler(parser, xml_charhandle);
}

View File

@ -0,0 +1,86 @@
From 2af92efb1f128ef43313e890182ff23e94276dca Mon Sep 17 00:00:00 2001
From: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Fri, 19 Jul 2013 10:46:16 +0000
Subject: [PATCH] - streamtcp man page, contributed by Tomas Hozza.
git-svn-id: http://unbound.nlnetlabs.nl/svn/trunk@2924 be551aaa-1e26-0410-a405-d3ace91eadb9
---
testcode/streamtcp.1 | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 66 insertions(+)
create mode 100644 testcode/streamtcp.1
diff --git a/testcode/streamtcp.1 b/testcode/streamtcp.1
new file mode 100644
index 0000000..7c738d9
--- /dev/null
+++ b/testcode/streamtcp.1
@@ -0,0 +1,66 @@
+.TH "unbound\-streamtcp" "1" "Mar 21, 2013" "NLnet Labs" "unbound"
+.\"
+.\" unbound-streamtcp.1 -- unbound DNS lookup utility
+.\"
+.SH "NAME"
+.LP
+.B unbound\-streamtcp
+\- unbound DNS lookup utility
+.SH "SYNOPSIS"
+.LP
+.B unbound\-streamtcp
+.RB [ \-unsh ]
+.RB [ \-f
+.IR ipaddr[@port] ]
+.I name
+.I type
+.I class
+.SH "DESCRIPTION"
+.LP
+.B unbound\-streamtcp
+sends a DNS Query of the given \fBtype\fR and \fBclass\fR for the given \fBname\fR
+to the DNS server over TCP and displays the response.
+.P
+If the server to query is not given using the \fB\-f\fR option then localhost
+(127.0.0.1) is used. More queries can be given on one commandline, they
+are resolved in sequence.
+.P
+The available options are:
+.TP
+.I name
+This name is resolved (looked up in the DNS).
+.TP
+.I type
+Specify the type of data to lookup.
+.TP
+.I class
+Specify the class to lookup for.
+.TP
+.B \-u
+Use UDP instead of TCP. No retries are attempted.
+.TP
+.B \-n
+Do not wait for the answer.
+.TP
+.B \-s
+Use SSL.
+.TP
+.B \-h
+Print program usage.
+.TP
+.B \-f \fIipaddr[@port]
+Specify the server to send the queries to. If not specified localhost (127.0.0.1) is used.
+.SH "EXAMPLES"
+.LP
+Some examples of use.
+.P
+$ unbound\-streamtcp www.example.com A IN
+.P
+$ unbound\-streamtcp \-f 192.168.1.1 www.example.com SOA IN
+.P
+$ unbound\-streamtcp \-f 192.168.1.1@1234 153.1.168.192.in\-addr.arpa. PTR IN
+.SH "EXIT CODE"
+The unbound\-streamtcp program exits with status code 1 on error,
+0 on no error.
+.SH "AUTHOR"
+This manual page was written by Tomas Hozza <thozza@redhat.com>.
--
1.8.3.1

View File

@ -1,52 +0,0 @@
commit 00f12c3365fbb1f8a185a9972734c6bf225e7c0d
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Tue Apr 27 14:15:19 2010 +0000
Fix harden-referral-path so it does not generate lookup failures.
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index fbe3748..16a607c 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -456,6 +456,8 @@ path to the answer.
Default off, because it burdens the authority servers, and it is
not RFC standard, and could lead to performance problems because of the
extra query load that is generated. Experimental option.
+If you enable it consider adding more numbers after the target\-fetch\-policy
+to increase the max depth that is checked to.
.TP
.B use\-caps\-for\-id: \fI<yes or no>
Use 0x20\-encoded random bits in the query to foil spoof attempts.
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 08354e8..19b9a26 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -695,12 +695,15 @@ static void
generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
int id)
{
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
struct module_qstate* subq;
size_t i;
struct reply_info* rep = iq->response->rep;
struct ub_packed_rrset_key* s;
log_assert(iq->dp);
+ if(iq->depth == ie->max_dependency_depth)
+ return;
/* walk through additional, and check if in-zone,
* only relevant A, AAAA are left after scrub anyway */
for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
@@ -746,9 +749,12 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
static void
generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
{
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
struct module_qstate* subq;
log_assert(iq->dp);
+ if(iq->depth == ie->max_dependency_depth)
+ return;
/* is this query the same as the nscheck? */
if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS &&
query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&

View File

@ -1,196 +0,0 @@
commit 28093c6d7d9bafbb9763fc6d9b7f222642e8a835
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Thu Apr 22 15:01:02 2010 +0000
- Fix validation failure for qtype ANY caused by a RRSIG parse failure.
The validator error message was 'no signatures from ...'.
diff --git a/testcode/unitmsgparse.c b/testcode/unitmsgparse.c
index 43e4377..d1ef854 100644
--- a/testcode/unitmsgparse.c
+++ b/testcode/unitmsgparse.c
@@ -45,6 +45,7 @@
#include "util/data/msgparse.h"
#include "util/data/msgreply.h"
#include "util/data/msgencode.h"
+#include "util/data/dname.h"
#include "util/alloc.h"
#include "util/regional.h"
#include "util/net_help.h"
@@ -54,6 +55,8 @@
static int vbmp = 0;
/** if matching within a section should disregard the order of RRs. */
static int matches_nolocation = 0;
+/** see if RRSIGs are properly matched to RRsets. */
+static int check_rrsigs = 0;
/** match two rr lists */
static int
@@ -318,6 +321,76 @@ perftestpkt(ldns_buffer* pkt, struct alloc_cache* alloc, ldns_buffer* out,
regional_destroy(region);
}
+/** debug print a packet that failed */
+static void
+print_packet_rrsets(struct query_info* qinfo, struct reply_info* rep)
+{
+ size_t i;
+ ldns_rr_list* l;
+ ldns_buffer* buf = ldns_buffer_new(65536);
+ log_query_info(0, "failed query", qinfo);
+ printf(";; ANSWER SECTION (%d rrsets)\n", (int)rep->an_numrrsets);
+ for(i=0; i<rep->an_numrrsets; i++) {
+ l = packed_rrset_to_rr_list(rep->rrsets[i], buf);
+ printf("; rrset %d\n", (int)i);
+ ldns_rr_list_print(stdout, l);
+ ldns_rr_list_deep_free(l);
+ }
+ printf(";; AUTHORITY SECTION (%d rrsets)\n", (int)rep->ns_numrrsets);
+ for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
+ l = packed_rrset_to_rr_list(rep->rrsets[i], buf);
+ printf("; rrset %d\n", (int)i);
+ ldns_rr_list_print(stdout, l);
+ ldns_rr_list_deep_free(l);
+ }
+ printf(";; ADDITIONAL SECTION (%d rrsets)\n", (int)rep->ar_numrrsets);
+ for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
+ l = packed_rrset_to_rr_list(rep->rrsets[i], buf);
+ printf("; rrset %d\n", (int)i);
+ ldns_rr_list_print(stdout, l);
+ ldns_rr_list_deep_free(l);
+ }
+ printf(";; packet end\n");
+ ldns_buffer_free(buf);
+}
+
+/** check that there is no data element that matches the RRSIG */
+static int
+no_data_for_rrsig(struct reply_info* rep, struct ub_packed_rrset_key* rrsig)
+{
+ size_t i;
+ for(i=0; i<rep->rrset_count; i++) {
+ if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_RRSIG)
+ continue;
+ if(query_dname_compare(rep->rrsets[i]->rk.dname,
+ rrsig->rk.dname) == 0)
+ /* only name is compared right now */
+ return 0;
+ }
+ return 1;
+}
+
+/** check RRSIGs in packet */
+static void
+check_the_rrsigs(struct query_info* qinfo, struct reply_info* rep)
+{
+ /* every RRSIG must be matched to an RRset */
+ size_t i;
+ for(i=0; i<rep->rrset_count; i++) {
+ struct ub_packed_rrset_key* s = rep->rrsets[i];
+ if(ntohs(s->rk.type) == LDNS_RR_TYPE_RRSIG) {
+ /* see if really a problem, i.e. is there a data
+ * element. */
+ if(no_data_for_rrsig(rep, rep->rrsets[i]))
+ continue;
+ log_dns_msg("rrsig failed for packet", qinfo, rep);
+ print_packet_rrsets(qinfo, rep);
+ printf("failed rrset is nr %d\n", (int)i);
+ unit_assert(0);
+ }
+ }
+}
+
/** test a packet */
static void
testpkt(ldns_buffer* pkt, struct alloc_cache* alloc, ldns_buffer* out,
@@ -355,6 +428,8 @@ testpkt(ldns_buffer* pkt, struct alloc_cache* alloc, ldns_buffer* out,
(unsigned)ldns_buffer_limit(pkt),
(unsigned)ldns_buffer_limit(out));
test_buffers(pkt, out);
+ if(check_rrsigs)
+ check_the_rrsigs(&qi, rep);
if(ldns_buffer_limit(out) > lim) {
ret = reply_info_encode(&qi, rep, id, flags, out,
@@ -519,7 +594,9 @@ void msgparse_test()
matches_nolocation = 1; /* RR order not important for the next test */
testfromdrillfile(pkt, &alloc, out, "testdata/test_packets.6");
+ check_rrsigs = 1;
testfromdrillfile(pkt, &alloc, out, "testdata/test_packets.7");
+ check_rrsigs = 0;
matches_nolocation = 0;
/* cleanup */
diff --git a/testdata/test_packets.7 b/testdata/test_packets.7
index 4f71c2c..357fa40 100644
--- a/testdata/test_packets.7
+++ b/testdata/test_packets.7
@@ -17,3 +17,21 @@ A608C7155005EBEDCA2176A559EFAF28D5DA1E91F540874BAA1C46BB08B1BAAE1812699A18139CF0
13BBDA2EC641FB23993A72ED6606C8C85E0D1660CC1770769697CEE7EB8E6474714984D7FF41FBBE48FF4A70669101BF00320340B82DC590B2C19D0006841121DC6AC933002E00010000012C007D000105030000012C4B11ADE94AEA20E9FC600673776974636802636800561C052414445D427CE00A40ACE2DA2EC168523823830CA724B087B8116F46B3CD051C5EC5874F6FC75CF6BA846279E469C474A75F9334242BB66FDD367C73B8BBC3F8748736BC5E6AED8B9B7C5FB5FE2DEDFBF46B403BC173DE958C038CFCCAC933002E00010000012C007D001C05030000012C4B11ADE94AEA20E9FC600673776974636802636800A6F44063C12A5A8BF5BCFADD
745C5B3915E463DA478131E636347EED414675023BBCA5BA2AABEC2FA3DF976A2343B4AA3403D1AFA3D470D25812BD1A319FBB5B833244D0FA18A59BB69ABB77BBDB3D7F62740D3871A69A5B9D43331D78AB8AE8C91B002E00010000012C007D000105030000012C4B11ADE94AEA20E9FC6006737769746368026368008906D2CFEFC3AA652125DD021CAB6392EBC4A9B4B3CFE3B07E4AFE7DA3263C7B8CE5DC3B66DA45D120E75B3D49ADC1F7D2E9A04A31760698FCFDEAB4AC82915D8E0AD2494DB4F11C02E115C3BD47DC8E57EDA7805BF0E7820A445F93A07698DF0000291000000080000000
+;-- es.net IN ANY about RRSIG ordering.
+687D8410000100150000000E026573036E65740000FF0001C00C00060001000151800027036E7331C00C0A686F73746D6173746572C00C77CECF4300001C2000000E100012750000000258C00C002E000100015180011A00300502000151804BE2932A4BD0101A2522026573036E657400AF2107A80A9D98A0712FF20826B95D8E686FFF023BEEAD1019045569D94D1493C84C819446ECB5489EBC6B556F4BE4B51A8E9CAC8BAA69F2B74948B78CBB197044E3D3A9E0E5EA958254637984D34BAE34167E1437D275E01C4B7C04C34053333514E1FE7EAC7C4777B02F24356F1F775526E19F54A21D3A134DC74DE153F9267008F5605D3BE38E61352BA9495D77
+97A76735BD68350CD648F40F95ADA4B25464A615E7CD4870E23C21D681F5C68C3DE9477D2EC7216FDF3269F5993428D0F1A4B7E203A04AB6807836263FDD7D6796BE6D84478B906B802DEBDCB1E0870481388503F0396CAD24147BC819A855E6CBCE98526ECAF8423450E30CB4F59C7062C069002E000100015180009A00300502000151804BE2932A4BD0101A4BA3026573036E657400602356C2D379E94F97D2900473D118288D46CFBCAAFF73D8A6FDF0B4305E8B338DD53A90106CDD78BF82A1AEC20B7C02067FDE1BEEC912E5581687BB32DD8BDC7E84B3F844F01E198E75C179194447C13B568886B33933FF35370060440D64E2DB7446962CA348C199
+DDFE4AA252AFFDEB3A818D1BF45CD795EA0907332B4508C18F002E000100015180009A00060502000151804BE2932A4BD0101A4BA3026573036E6574004FFB07563C6F88028C0E09CF163BAC777065BDCC826C583A3B3ABD525D6AF5101A6D5533888E5BAAA33DE28B52330815E14034506C4C69EDE8AD1A1F00B486C670FE0DC2F3B5F7210EBAC66695CC8679F2CA2353666A143A2E3E87377DCD8D3E6E450934BBD4CC6F9EE033E11D05CA3F44B1A64A2666E3AF2A8710F16FF8CC33C235002E000100000258009A002F0502000002584BE2932A4BD0101A4BA3026573036E6574003D2DDC713285C7338263BD338AFEEAB77571054B1F483A7BADC87BAF32
+0740A8D1B8B28CB23E04A80F90979704B44FE379103F4D91482D0EBC1D7005E326668F30B2A434F9DE76BB90DFEF2BFEDEE8CAD62164CA089651AB31498F18ED9A1E5694B4D460FFA4E667950322B2A75E8FD408B6A54EDB00257CE44AC865D1567346C2DB002E000100000258009A00100502000002584BE2932A4BD0101A4BA3026573036E6574004367180234A327C0AF72B3963518FC6E53A43E92CE6F5560E383FE8E7EF258FEA28BA666C026A90DAB67F46FBA4FF82F2704FEB3A27E25F3A8E6874B78938D70C5A20D94BEC90596B55C594F94A1438B14C8F890CE61D9630EFD897DEA9B3995D2C668469F62DB9346BB6AAF2EB6F3EE20EC31EAC80BCB
+962105A64CCD5783EFC381002E000100000258009A000F0502000002584BE2932A4BD0101A4BA3026573036E657400D36D367D4D95060CB2952870BE9E826E6F7835CF6517FF83957F5097B6FC401FE5815B8895D02C68E23A47D7015A3DCE9FDE63AF9D9E1D697016444355633D0BE03177B35BE54980B241C12978A7F3EBF2420861EBFAA028CAF9FCBBF54C069869BFB7F9AB9E60D4791ACCA276AE698EB6EF7582235977E158DA8530EC84327EC427002E000100000258009A00010502000002584BE2932A4BD0101A4BA3026573036E65740068E7176D8561B49621F80DB36DC12A3C5DCD2DE5FE3973F5D7DE15769F099F2A1A9BB088042E794747E3AB
+BB4AE48651F815D5D38BE7F4FB94F08F51FC209246296BE108111E90A7A5E2A5A79D305F81DBE313569B72598F36F3CFAA02FD9F321FBC2BDA10861F1D537D48DDF80BBF4B228724636FD79C06C4487365F602E6F5C4CD002E000100000258009A00020502000002584BE2932A4BD0101A4BA3026573036E657400BAA98093DDB57F38CA58C599EEED47F16AA20C1CCF668FF0A022AFAAC97059A28C50FE63034E58FBE361059B43FCBAE3876AC6AE8450987B8A00BEC29093267B9B655E645B7478294FF5E149984459A39D191585463BD80F635C21DBCF30462E60E4EACF8EECC25E4D02C181954CCBB8BDF5D19882CF6F9E982B1BEBEF14797DC573003000
+0100015180008801000305030100017D08356710D7E8A11F9B4C29E5E0F6B65F18CE64B4AAFAD7EA0E08DB85013CD777436CB8BC4EE33C0B4E6EEDFBE4227B25354F2EA2F978EE3222F3F32C1D4D3AF0F6014A527981FC5A0D2B65BF78B86A1D37965A98CAE3746CBB250655C2200FB9B8EBCC8C0AFD3182738F246AD0DAACA3199C54F08CF5F666477281872710E7C573003000010001518000880100030503010001DF43A43270EA741D5E79034C5E46A8310C9CFC7BD65C532D815D6B8C245EFF8F0C365DE400B6CDAC0124B00E08017DFB98D91133D5C18251EE0868852AD9E7FED091B393DAD1CD57381A5A1E7EA74E8FB4B708DB0F93B9EA4296EA4A71
+6E3572F168779CB5288880699413B3FFD4B7432EBE2AA2767B8EA6CB576A65C5163A3DC5730030000100015180010801010305030100017DA2FA058940109205AA36338EB8AA8B5B0D9788C4229368D371DBDE4BD24F0805C60EDD8DF223D250F23D189CDC434F388A91D6CEC1A9D6F305817409ACA784F381DFFD7EC3EC688FFE16D2AC57BD7F0B625EFC3099B3A9A5EDA1742460229669DD67D81F12069877F6AFA497F81EB12D179B183F5C8185B2786B790BEAFB6D02E0F94C780065511CF46AF80D40055022867DF712869CC262C0D315B92DFA96D58BC2336DAB5D1258DD60406913D116DC2EC1135D89C6D2092C35A19C67959743B407A3C30F3C6B8B
+C4763504FE12541EDD947A5FBE8E402D31816D1824867E2CD89AEE5FF6ED7A2D683B8C5E6B7B5972BDFF355BFD9128F0D0EDB59A60F321C573003000010001518001080101030503010001DD8EC709089B6D74BAF2D294E4C626CF789B89A74B7E320D7002A03D0F94EA62DF1F19717FE8C4BFD732DA495E481353C78167255CC6256A98ACBFF5977B81A48C5E2A5AF23E8377423C4034D5D84E9E3548B9D0A07955586F67324B6B5720CC4456D86AEE3A21A4EBED9BA13358C8127D182A5083739B042D7E06307E417D020DD68EC0628E9C8279AF0F7E608A3C5D51AB33BF7C32EBD27B45D72B1AD5752BB485D52488FBA9A1B5BF3B2B50F074F481171E4B65
+3AF846E58FE46DEB3491FA683959B38B893BF55721CED8FC4A64DBEDB6BF1C7FADE650EE219A01E81DD0212B89259319CA5DC81F26821A5CC29B4CC1059AE28227B89B8816039E43C35E33C57300300001000151800108018103050301000188F31BEFA3466D6FCAF11E0D1954D2011D6EAECF922D9E1B8D620095A0D15E7CFF8EA33F8E2A8C3B3F45A1ADACFED62E3E4EDC884AEF8A7CADBCFF8EDF2158730136D01BDB6D057BEBF3D35A92ADB5E8ACB1152FE1244B2D36DCB500E952CFB6D744BF7DBAB24A901B984F869FF47113C9515D53FE1A57293B01C24195A1D40580566CDAE5B04348CB60507267BB38F34839EE959D43FB9605652157014059FDBD
+39EB0836D4043A63F8660D241006F757DB92B35B39B5ABCA32A16A81C65C9F53DA79A99F1134CF3ED5304F189434AF787A3A10D63862E6C2E5FBA08B6EF6701783DB00CB41851DF13070947EEC090FCED3539F3F494170BD90E68F99453DF9C573002F00010000025800220B726573657276652D3132380231340131026573036E657400000762018000000380CA7C0010000100000258009C9B763D73706631206D7820613A6D61696C312E65732E6E657420613A6D61696C322E65732E6E657420613A6D61696C332E65732E6E657420613A6D61696C342E65732E6E657420613A6D61696C2E65732E6E657420613A6D61696C67772E65732E6E657420613A
+706F7374616C312E65732E6E657420613A706F7374616C322E65732E6E657420613A706F7374616C332E65732E6E6574207E616C6CCA7C000F00010000025800090032046D61696CCA7CCA7C00010001000002580004C6800370CA7C00020001000002580009066E732D616F61CA7CCA7C00020001000002580002C024CA7C00020001000002580009066E732D6C766BCA7CCB4300010001000002580004C0BC1609CB43001C000100000258001020010400FFFFFFFFFFFFFFFFFFFFFF81C02400010001000151800004C680020AC024001C000100000258001020010400001400020000000000000010CB6600010001000002580004C67CFC16CB66001C0001
+00000258001020010400600000000000000000000022CB8900010001000002580004C681FC22CB89001C000100000258001020010400091000010000000000000002CB43002E000100000258009A00010503000002584BE2932A4BD0101A4BA3026573036E657400B425467E45E411066B99B85420FB7E844D734F414FFAF6B9528867B3DF808733BF479A0F125C84179401306579994AB8D84DF0173E2824527CEDA45C75ED4D818722EEB2D5A37641108B112D9A6D832D29A507C35DBBEBD46D50DE9915E924F53F55B5A2A263A48B48209FB50A13A7DF40AE697B1BCCE71A2B95C1BB9E47ACCACB43002E000100000258009A001C0503000002584BE2932A
+4BD0101A4BA3026573036E6574002588E73F85BE8FAFD09628232906913DB78592B59F9C3C95A4AD1334D383C1326EE0C6FCF38892D8BB74631D680A6E4DB2D603D32394BC7B4EC798A1511667D246A0C30B33D03AB144C3704AA80AFCA27F197B2F83F20A9F0D2835C7C0A9B49E47E7CF2E192DC7DBF4635C39ECCCB291DB4B2832E0B8FF430A75726500194D9EC024002E000100015180009A00010503000151804BE2932A4BD0101A4BA3026573036E6574000E9F4098B1EF4F429B802007E3A9EA8E267A1F78EA7241AADD120A74CEBF70DC1DF76065A2CE0CDAA51AAB2F68411D9DEDC1F9DBEB3AB114A1FCBE122610756DE205EEC576CA5E62BD02497F
+84D5DDB7110AC7F2BF02485B3E7B28FC1EB2999724B64D811270B085D1D10E184295D423F0141D652BD7E97633AC2E98C2819EDAC024002E000100000258009A001C0503000002584BE2932A4BD0101A4BA3026573036E657400936ADA283A90836E92BD42E2B6C8A0299147BCB8E47D9D4464C4151FCC99DC4F2D1C39FB691F6E322715B22F61E7BB8D5507982A3119674B350C569BDC2CD95C708EC73B4E5DEA516D053A4FD725326FFC5B0D0562B542BA96124D9FFBBF787CA0BBE6960951CC2FDD074376A1D184287C2C56A93FBBC1C7FFAA6977B30AE808CB66002E000100000258009A00010503000002584BE2932A4BD0101A4BA3026573036E657400
+0CE145578E56BB359606C9B85538450D2BCA3E9AD0DEFC8FF865DA646F900B9CBC7325B7F04706B60E2770107E62894FE9CF3B1A432F0FB53C5C7A8F37D0F60354C7D52F4DF88BDD4C46774AA728DFC1C807EF5276641CA28774F323C7326B7C1D99DFCB9498C6E096392009AA972B83F0583A5D1002CA26B59B5C97F6A8309C0000291000000080000000
+
diff --git a/util/data/msgparse.c b/util/data/msgparse.c
index 2db8832..ae6dfc1 100644
--- a/util/data/msgparse.c
+++ b/util/data/msgparse.c
@@ -335,16 +335,20 @@ moveover_rrsigs(ldns_buffer* pkt, struct regional* region,
struct rr_parse* sig = sigset->rr_first;
struct rr_parse* prev = NULL;
struct rr_parse* insert;
+ struct rr_parse* nextsig;
while(sig) {
+ nextsig = sig->next;
if(pkt_rrsig_covered_equals(pkt, sig->ttl_data,
dataset->type)) {
if(duplicate) {
/* new */
insert = (struct rr_parse*)regional_alloc(
region, sizeof(struct rr_parse));
+ if(!insert) return 0;
insert->outside_packet = 0;
insert->ttl_data = sig->ttl_data;
insert->size = sig->size;
+ /* prev not used */
} else {
/* remove from sigset */
if(prev) prev->next = sig->next;
@@ -354,6 +358,7 @@ moveover_rrsigs(ldns_buffer* pkt, struct regional* region,
sigset->rr_count--;
sigset->size -= sig->size;
insert = sig;
+ /* prev not changed */
}
/* add to dataset */
dataset->rrsig_count++;
@@ -363,9 +368,9 @@ moveover_rrsigs(ldns_buffer* pkt, struct regional* region,
else dataset->rrsig_first = insert;
dataset->rrsig_last = insert;
dataset->size += insert->size;
- }
- prev = sig;
- sig = sig->next;
+ } else
+ prev = sig;
+ sig = nextsig;
}
return 1;
}

View File

@ -1,38 +0,0 @@
commit 374822322e33503d3576c85b3e43fef158a80e42
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Thu Apr 29 12:36:12 2010 +0000
dnssec lameness detection looks in key cache if dnssec is expected.
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index 6124650..f63b6fe 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -60,6 +60,8 @@
#include "util/random.h"
#include "util/fptr_wlist.h"
#include "validator/val_anchor.h"
+#include "validator/val_kcache.h"
+#include "validator/val_kentry.h"
/** time when nameserver glue is said to be 'recent' */
#define SUSPICION_RECENT_EXPIRY 86400
@@ -570,6 +572,18 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
reply_find_rrset_section_ns(msg->rep, dp->name, dp->namelen,
LDNS_RR_TYPE_DS, dclass))
return 1;
+ /* look in key cache */
+ if(env->key_cache) {
+ struct key_entry_key* kk = key_cache_obtain(env->key_cache,
+ dp->name, dp->namelen, dclass, env->scratch, *env->now);
+ if(kk) {
+ if(key_entry_isgood(kk) || key_entry_isbad(kk)) {
+ regional_free_all(env->scratch);
+ return 1;
+ }
+ regional_free_all(env->scratch);
+ }
+ }
return 0;
}

View File

@ -1,153 +0,0 @@
commit 40d18f7cfb64a806699545410858b655e76660e1
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Tue May 4 08:39:04 2010 +0000
- Fix dnssec-missing detection that was turned off by server selection.
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index b3a31fa..3a75d03 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -310,7 +310,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
struct delegpt_addr*
iter_server_selection(struct iter_env* iter_env,
struct module_env* env, struct delegpt* dp,
- uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_expected,
+ uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_lame,
int* chase_to_rd, int open_target, struct sock_list* blacklist)
{
int sel;
@@ -331,7 +331,7 @@ iter_server_selection(struct iter_env* iter_env,
if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT) {
verbose(VERB_ALGO, "chase to "
"blacklisted dnssec lame server");
- *dnssec_expected = 0;
+ *dnssec_lame = 1;
}
} else {
if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) {
@@ -340,7 +340,7 @@ iter_server_selection(struct iter_env* iter_env,
}
if(selrtt > USEFUL_SERVER_TOP_TIMEOUT) {
verbose(VERB_ALGO, "chase to dnssec lame server");
- *dnssec_expected = 0;
+ *dnssec_lame = 1;
}
if(selrtt == USEFUL_SERVER_TOP_TIMEOUT) {
verbose(VERB_ALGO, "chase to blacklisted lame server");
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
index a9f4247..d3870ec 100644
--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@@ -80,7 +80,7 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg);
* @param name: zone name (for lameness check).
* @param namelen: length of name.
* @param qtype: query type that we want to send.
- * @param dnssec_expected: set to 0, if a known dnssec-lame server is selected
+ * @param dnssec_lame: set to 1, if a known dnssec-lame server is selected
* these are not preferred, but are used as a last resort.
* @param chase_to_rd: set to 1 if a known recursion lame server is selected
* these are not preferred, but are used as a last resort.
@@ -92,7 +92,7 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg);
*/
struct delegpt_addr* iter_server_selection(struct iter_env* iter_env,
struct module_env* env, struct delegpt* dp, uint8_t* name,
- size_t namelen, uint16_t qtype, int* dnssec_expected,
+ size_t namelen, uint16_t qtype, int* dnssec_lame,
int* chase_to_rd, int open_target, struct sock_list* blacklist);
/**
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 19b9a26..6f486bf 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -120,6 +120,7 @@ iter_new(struct module_qstate* qstate, int id)
iq->wait_priming_stub = 0;
iq->refetch_glue = 0;
iq->dnssec_expected = 0;
+ iq->dnssec_lame_query = 0;
iq->chase_flags = qstate->query_flags;
/* Start with the (current) qname. */
iq->qchase = qstate->qinfo;
@@ -1451,8 +1452,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
/* Select the next usable target, filtering out unsuitable targets. */
target = iter_server_selection(ie, qstate->env, iq->dp,
iq->dp->name, iq->dp->namelen, iq->qchase.qtype,
- &iq->dnssec_expected, &iq->chase_to_rd, iq->num_target_queries,
- qstate->blacklist);
+ &iq->dnssec_lame_query, &iq->chase_to_rd,
+ iq->num_target_queries, qstate->blacklist);
/* If no usable target was selected... */
if(!target) {
@@ -1530,10 +1531,14 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
}
/* We have a valid target. */
- if(iq->dnssec_expected) verbose(VERB_ALGO, "dnssec is expected");
- log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
- log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name,
- &target->addr, target->addrlen);
+ if(verbosity >= VERB_QUERY) {
+ log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
+ log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name,
+ &target->addr, target->addrlen);
+ verbose(VERB_ALGO, "dnssec status: %s%s",
+ iq->dnssec_expected?"expected": "not expected",
+ iq->dnssec_lame_query?" but lame_query anyway": "");
+ }
fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
outq = (*qstate->env->send_query)(
iq->qchase.qname, iq->qchase.qname_len,
@@ -1587,6 +1592,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
iq->num_current_queries--;
if(iq->response == NULL) {
iq->chase_to_rd = 0;
+ iq->dnssec_lame_query = 0;
verbose(VERB_ALGO, "query response was timeout");
return next_state(iq, QUERYTARGETS_STATE);
}
@@ -1599,7 +1605,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
* differently. No queries should be sent elsewhere */
type = RESPONSE_TYPE_ANSWER;
}
- if(iq->dnssec_expected && !(iq->chase_flags&BIT_RD)
+ if(iq->dnssec_expected && !iq->dnssec_lame_query &&
+ !(iq->chase_flags&BIT_RD)
&& type != RESPONSE_TYPE_LAME
&& type != RESPONSE_TYPE_REC_LAME
&& type != RESPONSE_TYPE_THROWAWAY
@@ -1615,7 +1622,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
type = RESPONSE_TYPE_LAME;
dnsseclame = 1;
}
- }
+ } else iq->dnssec_lame_query = 0;
/* see if referral brings us close to the target */
if(type == RESPONSE_TYPE_REFERRAL) {
struct ub_packed_rrset_key* ns = find_NS(
@@ -1764,7 +1771,6 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* Clear the query state, since this is a query restart. */
iq->deleg_msg = NULL;
iq->dp = NULL;
- iq->dnssec_expected = 0;
/* Note the query restart. */
iq->query_restart_count++;
diff --git a/iterator/iterator.h b/iterator/iterator.h
index 736af51..350fb1d 100644
--- a/iterator/iterator.h
+++ b/iterator/iterator.h
@@ -255,6 +255,12 @@ struct iter_qstate {
int dnssec_expected;
/**
+ * We are expecting dnssec information, but we also know the server
+ * is DNSSEC lame. The response need not be marked dnssec-lame again.
+ */
+ int dnssec_lame_query;
+
+ /**
* This is flag that, if true, means that this event is
* waiting for a stub priming query.
*/

View File

@ -1,159 +0,0 @@
commit 41b631ca4182e68b09eecdaec7d67ac576f3800d
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Tue Apr 27 11:10:35 2010 +0000
- fix retry sequence if prime hints are recursion-lame.
diff --git a/iterator/iterator.c b/iterator/iterator.c
index b1a948d..08354e8 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1897,8 +1897,11 @@ static int
processPrimeResponse(struct module_qstate* qstate, int id)
{
struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];
- enum response_type type = response_type_from_server(0, iq->response,
- &iq->qchase, iq->dp);
+ enum response_type type;
+ iq->response->rep->flags &= ~(BIT_RD|BIT_RA); /* ignore rec-lame */
+ type = response_type_from_server(
+ (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
+ iq->response, &iq->qchase, iq->dp);
if(type == RESPONSE_TYPE_ANSWER) {
qstate->return_rcode = LDNS_RCODE_NOERROR;
qstate->return_msg = iq->response;
@@ -2230,7 +2233,7 @@ void
iter_inform_super(struct module_qstate* qstate, int id,
struct module_qstate* super)
{
- if(super->qinfo.qclass == LDNS_RR_CLASS_ANY)
+ if(!qstate->is_priming && super->qinfo.qclass == LDNS_RR_CLASS_ANY)
processClassResponse(qstate, id, super);
else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
error_supers(qstate, id, super);
diff --git a/testdata/iter_hint_lame.rpl b/testdata/iter_hint_lame.rpl
new file mode 100644
index 0000000..8cbede1
--- /dev/null
+++ b/testdata/iter_hint_lame.rpl
@@ -0,0 +1,120 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test iterative resolve with lame hints.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR RA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END

View File

@ -1,51 +0,0 @@
commit 5e989a15b927094a83d0f3a08be0cd559e29d3ff
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Fri Apr 23 09:07:05 2010 +0000
- Fix to fetch data as last resort more tenaciously. When cycle
targets cause the server selection to believe there are more options
when they really are not there, the server selection is reinitiated.
- Fix fetch from blacklisted dnssec lame servers as last resort. The
servers IP address is then given in validator errors as well.
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index a706e6b..9082055 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -322,9 +322,15 @@ iter_server_selection(struct iter_env* iter_env,
verbose(VERB_ALGO, "selrtt %d", selrtt);
if(selrtt > BLACKLIST_PENALTY) {
if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT*2) {
- verbose(VERB_ALGO, "chase to recursion lame server");
+ verbose(VERB_ALGO, "chase to "
+ "blacklisted recursion lame server");
*chase_to_rd = 1;
}
+ if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT) {
+ verbose(VERB_ALGO, "chase to "
+ "blacklisted dnssec lame server");
+ *dnssec_expected = 0;
+ }
} else {
if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) {
verbose(VERB_ALGO, "chase to recursion lame server");
diff --git a/iterator/iterator.c b/iterator/iterator.c
index e8345c8..c7cdbc8 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1469,6 +1469,15 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
return error_response(qstate, id,
LDNS_RCODE_SERVFAIL);
}
+ if(qs == 0 &&
+ delegpt_count_missing_targets(iq->dp) == 0){
+ /* it looked like there were missing
+ * targets, but they did not turn up.
+ * Try the bad choices again (if any),
+ * when we get back here missing==0,
+ * so this is not a loop. */
+ return 1;
+ }
iq->num_target_queries += qs;
}
/* Since a target query might have been made, we

View File

@ -1,18 +0,0 @@
commit 5f58ed252d7bcd500ebedfb351e3ce7c84c44211
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Tue Apr 27 09:16:23 2010 +0000
unbound-control get_option domain-insecure works.
diff --git a/util/config_file.c b/util/config_file.c
index aca82e1..ec0866c 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -609,6 +609,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_LST(opt, "trusted-keys-file", trusted_keys_file_list)
else O_LST(opt, "dlv-anchor", dlv_anchor_list)
else O_LST(opt, "control-interface", control_ifs)
+ else O_LST(opt, "domain-insecure", domain_insecure)
else O_UNS(opt, "val-override-date", val_date_override)
/* not here:
* outgoing-permit, outgoing-avoid - have list of ports

View File

@ -1,26 +0,0 @@
commit 74d75e591a6f5343109922f2bf1f83eba59f0a4f
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Thu Apr 29 12:52:44 2010 +0000
fix for key cache lookup
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index f63b6fe..b3a31fa 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -577,9 +577,14 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
struct key_entry_key* kk = key_cache_obtain(env->key_cache,
dp->name, dp->namelen, dclass, env->scratch, *env->now);
if(kk) {
- if(key_entry_isgood(kk) || key_entry_isbad(kk)) {
+ if(query_dname_compare(kk->name, dp->name) == 0) {
+ if(key_entry_isgood(kk) || key_entry_isbad(kk)) {
regional_free_all(env->scratch);
return 1;
+ } else if(key_entry_isnull(kk)) {
+ regional_free_all(env->scratch);
+ return 0;
+ }
}
regional_free_all(env->scratch);
}

View File

@ -1,77 +0,0 @@
commit 778d4ab54a4e9efb41b042607b9a685853c5483c
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Fri Apr 23 14:03:09 2010 +0000
- Fix local-zone type redirect that did not use the query name for
the answer rrset.
diff --git a/services/localzone.c b/services/localzone.c
index dba7f3b..b8da77a 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -1040,10 +1040,10 @@ local_data_answer(struct local_zone* z, struct query_info* qinfo,
if(!lr)
return 0;
if(z->type == local_zone_redirect) {
- /* convert rrset name to zone name; like a wildcard */
+ /* convert rrset name to query name; like a wildcard */
struct ub_packed_rrset_key r = *lr->rrset;
- r.rk.dname = z->name;
- r.rk.dname_len = z->namelen;
+ r.rk.dname = qinfo->qname;
+ r.rk.dname_len = qinfo->qname_len;
return local_encode(qinfo, edns, buf, temp, &r, 1,
LDNS_RCODE_NOERROR);
}
diff --git a/testdata/localdata.rpl b/testdata/localdata.rpl
index 5bb259e..08aec6d 100644
--- a/testdata/localdata.rpl
+++ b/testdata/localdata.rpl
@@ -30,6 +30,10 @@ server:
; refuse zone (error)
local-zone: "refuse.top." refuse
+ ; redirect zone
+ local-zone: "redirect.top." redirect
+ local-data: "redirect.top. A 20.30.40.54"
+
; create implicit data in the IN domain as well
local-data: "a.a.implicit. A 20.30.41.50"
local-data: "b.a.implicit. A 20.30.42.50"
@@ -318,4 +322,36 @@ www.deny.top. IN A
ENTRY_END
; no answer is checked at exit of testbound.
+; redirect zone apex
+STEP 50 QUERY
+ENTRY_BEGIN
+SECTION QUESTION
+redirect.top. IN A
+ENTRY_END
+STEP 51 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA NOERROR
+SECTION QUESTION
+redirect.top. IN A
+SECTION ANSWER
+redirect.top. IN A 20.30.40.54
+ENTRY_END
+
+; redirect zone
+STEP 52 QUERY
+ENTRY_BEGIN
+SECTION QUESTION
+www.redirect.top. IN A
+ENTRY_END
+STEP 53 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA NOERROR
+SECTION QUESTION
+www.redirect.top. IN A
+SECTION ANSWER
+www.redirect.top. IN A 20.30.40.54
+ENTRY_END
+
SCENARIO_END

View File

@ -1,88 +0,0 @@
commit 7f27d6c9992fec6847ae914f38db6a3d1b28e81a
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Thu Apr 29 14:12:54 2010 +0000
- infra cache entries that are expired are wiped clean. Previously
it was possible to not expire host data (if accessed often).
diff --git a/services/cache/infra.c b/services/cache/infra.c
index 9c32c81..6066f98 100644
--- a/services/cache/infra.c
+++ b/services/cache/infra.c
@@ -187,6 +187,19 @@ infra_lookup_host(struct infra_cache* infra,
return data;
}
+/** init the host elements (not lame elems) */
+static void
+host_entry_init(struct infra_cache* infra, struct lruhash_entry* e,
+ uint32_t timenow)
+{
+ struct infra_host_data* data = (struct infra_host_data*)e->data;
+ data->ttl = timenow + infra->host_ttl;
+ rtt_init(&data->rtt);
+ data->edns_version = 0;
+ data->edns_lame_known = 0;
+ data->num_timeouts = 0;
+}
+
/**
* Create and init a new entry for a host
* @param infra: infra structure with config parameters.
@@ -216,12 +229,8 @@ new_host_entry(struct infra_cache* infra, struct sockaddr_storage* addr,
key->entry.data = (void*)data;
key->addrlen = addrlen;
memcpy(&key->addr, addr, addrlen);
- data->ttl = tm + infra->host_ttl;
data->lameness = NULL;
- data->edns_version = 0;
- data->edns_lame_known = 0;
- data->num_timeouts = 0;
- rtt_init(&data->rtt);
+ host_entry_init(infra, &key->entry, tm);
return &key->entry;
}
@@ -240,12 +249,8 @@ infra_host(struct infra_cache* infra, struct sockaddr_storage* addr,
if(e) {
/* if its still there we have a writelock, init */
/* re-initialise */
- data = (struct infra_host_data*)e->data;
- data->ttl = timenow + infra->host_ttl;
- rtt_init(&data->rtt);
/* do not touch lameness, it may be valid still */
- data->edns_version = 0;
- data->edns_lame_known = 0;
+ host_entry_init(infra, e, timenow);
}
}
if(!e) {
@@ -469,10 +474,11 @@ infra_rtt_update(struct infra_cache* infra,
if(!(e = new_host_entry(infra, addr, addrlen, timenow)))
return 0;
needtoinsert = 1;
- }
- /* have an entry, update the rtt, and the ttl */
+ } else if(((struct infra_host_data*)e->data)->ttl < timenow) {
+ host_entry_init(infra, e, timenow);
+ }
+ /* have an entry, update the rtt */
data = (struct infra_host_data*)e->data;
- data->ttl = timenow + infra->host_ttl;
if(roundtrip == -1) {
rtt_lost(&data->rtt, orig_rtt);
if(data->num_timeouts<255)
@@ -503,10 +509,11 @@ infra_edns_update(struct infra_cache* infra,
if(!(e = new_host_entry(infra, addr, addrlen, timenow)))
return 0;
needtoinsert = 1;
- }
+ } else if(((struct infra_host_data*)e->data)->ttl < timenow) {
+ host_entry_init(infra, e, timenow);
+ }
/* have an entry, update the rtt, and the ttl */
data = (struct infra_host_data*)e->data;
- data->ttl = timenow + infra->host_ttl;
data->edns_version = edns_version;
data->edns_lame_known = 1;

View File

@ -1,62 +0,0 @@
commit a6f07ba49319bbb62772a99cc3267fe8409a39d4
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Fri Apr 23 06:48:49 2010 +0000
- Squelch log message: sendto failed permission denied for
255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
diff --git a/util/net_help.c b/util/net_help.c
index 182f39d..7b2a3f4 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -494,6 +494,14 @@ addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
return (memcmp(s, map_prefix, 12) == 0);
}
+int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen)
+{
+ int af = (int)((struct sockaddr_in*)addr)->sin_family;
+ void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
+ return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
+ && memcmp(sinaddr, "\377\377\377\377", 4) == 0;
+}
+
void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
socklen_t len, struct regional* region)
{
diff --git a/util/net_help.h b/util/net_help.h
index 9ac96eb..8afa84b 100644
--- a/util/net_help.h
+++ b/util/net_help.h
@@ -280,6 +280,14 @@ void addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
int addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen);
/**
+ * See if sockaddr is 255.255.255.255.
+ * @param addr: address
+ * @param addrlen: length of address
+ * @return true if so
+ */
+int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen);
+
+/**
* Insert new socket list item. If fails logs error.
* @param list: pointer to pointer to first item.
* @param addr: address or NULL if 'cache'.
diff --git a/util/netevent.c b/util/netevent.c
index 4b6a0a3..3f3c6ce 100644
--- a/util/netevent.c
+++ b/util/netevent.c
@@ -301,6 +301,12 @@ comm_point_send_udp_msg(struct comm_point *c, ldns_buffer* packet,
(struct sockaddr_storage*)addr, addrlen) &&
verbosity < VERB_DETAIL)
return 0;
+ /* SO_BROADCAST sockopt can give access to 255.255.255.255,
+ * but a dns cache does not need it. */
+ if(errno == EACCES && addr_is_broadcast(
+ (struct sockaddr_storage*)addr, addrlen) &&
+ verbosity < VERB_DETAIL)
+ return 0;
#ifndef USE_WINSOCK
verbose(VERB_OPS, "sendto failed: %s", strerror(errno));
#else

View File

@ -1,61 +0,0 @@
commit c2baa73db1a2a0b0c0c8bba3d203a28ca86c5f31
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Tue May 4 10:50:27 2010 +0000
- Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 16a607c..40b4bad 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -778,7 +778,8 @@ records are provided.
.TP 10
\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
-2.0.192.in\-addr.arpa, 255.255.255.255.in\-addr.arpa.
+2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
+113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
.TP 10
\h'5'\fIreverse RFC4291 IP6 unspecified\fR
Reverse data for zone
@@ -793,12 +794,17 @@ Reverse data for zone D.F.ip6.arpa.
\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR
Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
.TP 10
+\h'5'\fIreverse RFC4843 Orchid Prefix\fR
+Reverse data for zone 0.1.1.0.0.2.ip6.arpa.
+.TP 10
\h'5'\fIreverse IPv6 Example Prefix\fR
Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
tutorials and examples. You can remove the block on this zone with:
.nf
local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
.fi
+You can also selectively unblock a part of the zone by making that part
+transparent with a local\-zone statement.
This also works with the other default zones.
.\" End of local-zone listing.
.TP 5
diff --git a/services/localzone.c b/services/localzone.c
index b8da77a..248d45f 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -689,6 +689,8 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg,
!add_as112_default(zones, cfg, buf, "0.in-addr.arpa.") ||
!add_as112_default(zones, cfg, buf, "254.169.in-addr.arpa.") ||
!add_as112_default(zones, cfg, buf, "2.0.192.in-addr.arpa.") ||
+ !add_as112_default(zones, cfg, buf, "100.51.198.in-addr.arpa.") ||
+ !add_as112_default(zones, cfg, buf, "113.0.203.in-addr.arpa.") ||
!add_as112_default(zones, cfg, buf, "255.255.255.255.in-addr.arpa.") ||
!add_as112_default(zones, cfg, buf, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.") ||
!add_as112_default(zones, cfg, buf, "d.f.ip6.arpa.") ||
@@ -696,6 +698,7 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg,
!add_as112_default(zones, cfg, buf, "9.e.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, buf, "a.e.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, buf, "b.e.f.ip6.arpa.") ||
+ !add_as112_default(zones, cfg, buf, "0.1.1.0.0.2.ip6.arpa.") ||
!add_as112_default(zones, cfg, buf, "8.b.d.0.1.0.0.2.ip6.arpa.")) {
log_err("out of memory adding default zone");
return 0;

View File

@ -1,123 +0,0 @@
commit d7ef7b31e0dbb0a73b201649c3729508b270f43f
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Mon Apr 26 14:59:44 2010 +0000
Fix bug#307: 0x20 fallback outstanding query count, together with rec_lame,
and canonical rrset comparison.
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index 9082055..6124650 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -674,7 +674,7 @@ rrset_equal(struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2)
}
int
-reply_equal(struct reply_info* p, struct reply_info* q)
+reply_equal(struct reply_info* p, struct reply_info* q, ldns_buffer* scratch)
{
size_t i;
if(p->flags != q->flags ||
@@ -688,8 +688,29 @@ reply_equal(struct reply_info* p, struct reply_info* q)
p->rrset_count != q->rrset_count)
return 0;
for(i=0; i<p->rrset_count; i++) {
- if(!rrset_equal(p->rrsets[i], q->rrsets[i]))
- return 0;
+ if(!rrset_equal(p->rrsets[i], q->rrsets[i])) {
+ /* fallback procedure: try to sort and canonicalize */
+ ldns_rr_list* pl, *ql;
+ pl = packed_rrset_to_rr_list(p->rrsets[i], scratch);
+ ql = packed_rrset_to_rr_list(q->rrsets[i], scratch);
+ if(!pl || !ql) {
+ ldns_rr_list_deep_free(pl);
+ ldns_rr_list_deep_free(ql);
+ return 0;
+ }
+ ldns_rr_list2canonical(pl);
+ ldns_rr_list2canonical(ql);
+ ldns_rr_list_sort(pl);
+ ldns_rr_list_sort(ql);
+ if(ldns_rr_list_compare(pl, ql) != 0) {
+ ldns_rr_list_deep_free(pl);
+ ldns_rr_list_deep_free(ql);
+ return 0;
+ }
+ ldns_rr_list_deep_free(pl);
+ ldns_rr_list_deep_free(ql);
+ continue;
+ }
}
return 1;
}
@@ -792,3 +813,18 @@ iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z)
i++;
}
}
+
+void iter_dec_attempts(struct delegpt* dp, int d)
+{
+ struct delegpt_addr* a;
+ for(a=dp->target_list; a; a = a->next_target) {
+ if(a->attempts >= OUTBOUND_MSG_RETRY) {
+ /* add back to result list */
+ a->next_result = dp->result_list;
+ dp->result_list = a;
+ }
+ if(a->attempts > d)
+ a->attempts -= d;
+ else a->attempts = 0;
+ }
+}
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
index 9a1db5f..a9f4247 100644
--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@@ -211,9 +211,10 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp,
* @param p: reply one. The reply has rrset data pointers in region.
* Does not check rrset-IDs
* @param q: reply two
+ * @param buf: scratch buffer.
* @return if one and two are equal.
*/
-int reply_equal(struct reply_info* p, struct reply_info* q);
+int reply_equal(struct reply_info* p, struct reply_info* q, ldns_buffer* buf);
/**
* Store in-zone glue in seperate rrset cache entries for later last-resort
@@ -257,4 +258,11 @@ int iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
void iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns,
uint8_t* z);
+/**
+ * Remove query attempts from all available ips. For 0x20.
+ * @param dp: delegpt.
+ * @param d: decrease.
+ */
+void iter_dec_attempts(struct delegpt* dp, int d);
+
#endif /* ITERATOR_ITER_UTILS_H */
diff --git a/iterator/iterator.c b/iterator/iterator.c
index c7cdbc8..b1a948d 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1416,6 +1416,9 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
"match for %d wanted, done.",
(int)iq->caps_server+1, (int)naddr*3);
iq->caps_fallback = 0;
+ iter_dec_attempts(iq->dp, 3); /* space for fallback */
+ iq->num_current_queries++; /* RespState decrements it*/
+ iq->referral_count++; /* make sure we don't loop */
iq->state = QUERY_RESP_STATE;
return 1;
}
@@ -2384,7 +2387,8 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
goto handle_it;
} else {
/* check if reply is the same, otherwise, fail */
- if(!reply_equal(iq->response->rep, iq->caps_reply)) {
+ if(!reply_equal(iq->response->rep, iq->caps_reply,
+ qstate->env->scratch_buffer)) {
verbose(VERB_DETAIL, "Capsforid fallback: "
"getting different replies, failed");
outbound_list_remove(&iq->outlist, outbound);

View File

@ -1,11 +0,0 @@
diff -Naur unbound-1.4.9/daemon/worker.c unbound-1.4.9-CVE-2011-1922/daemon/worker.c
--- unbound-1.4.9/daemon/worker.c 2010-11-04 08:35:39.000000000 -0400
+++ unbound-1.4.9-CVE-2011-1922/daemon/worker.c 2011-05-25 15:14:04.888288236 -0400
@@ -777,6 +777,7 @@
qinfo.qtype == LDNS_RR_TYPE_IXFR) {
verbose(VERB_ALGO, "worker request: refused zone transfer.");
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+ ldns_buffer_rewind(c->buffer);
LDNS_QR_SET(ldns_buffer_begin(c->buffer));
LDNS_RCODE_SET(ldns_buffer_begin(c->buffer),
LDNS_RCODE_REFUSED);

View File

@ -1,105 +0,0 @@
commit b1a2731277dd0939572901bf018afa7a0debdb54
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Thu Feb 5 11:12:01 2009 +0000
call initgroups.
git-svn-id: http://unbound.nlnetlabs.nl/svn/trunk@1453 be551aaa-1e26-0410-a405-d3ace91eadb9
diff --git a/config.h.in b/config.h.in
index 956224d..aa7ce2d 100644
--- a/config.h.in
+++ b/config.h.in
@@ -85,6 +85,9 @@
/* Define to 1 if you have the `gmtime_r' function. */
#undef HAVE_GMTIME_R
+/* Define to 1 if you have the <grp.h> header file. */
+#undef HAVE_GRP_H
+
/* If you have HMAC_CTX_init */
#undef HAVE_HMAC_CTX_INIT
@@ -97,6 +100,9 @@
/* Define to 1 if you have the `inet_pton' function. */
#undef HAVE_INET_PTON
+/* Define to 1 if you have the `initgroups' function. */
+#undef HAVE_INITGROUPS
+
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
diff --git a/configure b/configure
index a823b0b..0b1f96a 100755
--- a/configure
+++ b/configure
@@ -19961,7 +19961,8 @@ fi
-for ac_header in stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h
+
+for ac_header in stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h
do
as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
{ echo "$as_me:$LINENO: checking for $ac_header" >&5
@@ -25282,7 +25283,8 @@ fi
-for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob
+
+for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob initgroups
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
{ echo "$as_me:$LINENO: checking for $ac_func" >&5
diff --git a/configure.ac b/configure.ac
index bd000bc..48a4385 100644
--- a/configure.ac
+++ b/configure.ac
@@ -480,7 +480,7 @@ AC_PROG_LIBTOOL
# Checks for header files.
AC_HEADER_STDC
-AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h],,, [AC_INCLUDES_DEFAULT])
# check for types
AC_CHECK_TYPE(int8_t, char)
@@ -854,7 +854,7 @@ AC_CHECK_GETADDRINFO_WITH_INCLUDES
if test $ac_cv_func_getaddrinfo = no; then
AC_LIBOBJ([fake-rfc2553])
fi
-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob])
+AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob initgroups])
# check if setreuid en setregid fail, on MacOSX10.4(darwin8).
if echo $build_os | grep darwin8 > /dev/null; then
diff --git a/daemon/unbound.c b/daemon/unbound.c
index 09767a4..6c5fb6f 100644
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@@ -56,6 +56,9 @@
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h>
@@ -451,6 +454,11 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
/* drop permissions after chroot, getpwnam, pidfile, syslog done*/
#ifdef HAVE_GETPWNAM
if(cfg->username && cfg->username[0]) {
+#ifdef HAVE_INITGROUPS
+ if(initgroups(cfg->username, gid) != 0)
+ log_warn("unable to initgroups %s: %s",
+ cfg->username, strerror(errno));
+#endif
#ifdef HAVE_SETRESGID
if(setresgid(gid,gid,gid) != 0)
#elif defined(HAVE_SETREGID) && !defined(DARWIN_BROKEN_SETREUID)

View File

@ -1,23 +0,0 @@
Index: iterator/iterator.c
===================================================================
--- iterator/iterator.c (revision 1527)
+++ iterator/iterator.c (working copy)
@@ -1288,14 +1288,14 @@
/* if there is a policy to fetch missing targets
* opportunistically, do it. we rely on the fact that once a
* query (or queries) for a missing name have been issued,
- * they will not be show up again. */
+ * they will not show up again. */
} else if(tf_policy != 0) {
int extra = 0;
verbose(VERB_ALGO, "attempt to get extra %d targets",
tf_policy);
- if(!query_for_targets(qstate, iq, ie, id, tf_policy, &extra)) {
- return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
- }
+ (void)query_for_targets(qstate, iq, ie, id, tf_policy, &extra);
+ /* errors ignored, these targets are not strictly necessary for
+ * this result, we do not have to reply with SERVFAIL */
iq->num_target_queries += extra;
}

View File

@ -1,348 +0,0 @@
Index: iterator/iter_delegpt.c
===================================================================
--- iterator/iter_delegpt.c (revision 1952)
+++ iterator/iter_delegpt.c (revision 1953)
@@ -154,11 +154,13 @@
/* ignore it */
return 1;
}
- if(addr_is_ip6(addr, addrlen))
- ns->got6 = 1;
- else ns->got4 = 1;
- if(ns->got4 && ns->got6)
- ns->resolved = 1;
+ if(!lame) {
+ if(addr_is_ip6(addr, addrlen))
+ ns->got6 = 1;
+ else ns->got4 = 1;
+ if(ns->got4 && ns->got6)
+ ns->resolved = 1;
+ }
return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, nodup);
}
@@ -254,10 +256,11 @@
(dp->bogus?" BOGUS":"") );
}
for(a = dp->target_list; a; a = a->next_target) {
- if(a->bogus)
- log_addr(VERB_ALGO, " BOGUS ",
- &a->addr, a->addrlen);
- else log_addr(VERB_ALGO, " ", &a->addr, a->addrlen);
+ const char* str = " ";
+ if(a->bogus && a->lame) str = " BOGUS ADDR_LAME ";
+ else if(a->bogus) str = " BOGUS ";
+ else if(a->lame) str = " ADDR_LAME ";
+ log_addr(VERB_ALGO, str, &a->addr, a->addrlen);
}
}
}
@@ -448,3 +451,13 @@
}
}
}
+
+void delegpt_no_ipv6(struct delegpt* dp)
+{
+ struct delegpt_ns* ns;
+ for(ns = dp->nslist; ns; ns = ns->next) {
+ /* no ipv6, so only ipv4 is enough to resolve a nameserver */
+ if(ns->got4)
+ ns->resolved = 1;
+ }
+}
Index: iterator/iter_delegpt.h
===================================================================
--- iterator/iter_delegpt.h (revision 1952)
+++ iterator/iter_delegpt.h (revision 1953)
@@ -314,4 +314,11 @@
*/
void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg);
+/**
+ * Register the fact that there is no ipv6 and thus AAAAs are not going
+ * to be queried for or be useful.
+ * @param dp: the delegation point. Updated to reflect no ipv6.
+ */
+void delegpt_no_ipv6(struct delegpt* dp);
+
#endif /* ITERATOR_ITER_DELEGPT_H */
Index: iterator/iterator.c
===================================================================
--- iterator/iterator.c (revision 1952)
+++ iterator/iterator.c (revision 1953)
@@ -1305,6 +1305,8 @@
verbose(VERB_QUERY, "Failed to get a delegation, giving up");
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
+ if(!ie->supports_ipv6)
+ delegpt_no_ipv6(iq->dp);
delegpt_log(VERB_ALGO, iq->dp);
if(iq->num_current_queries>0) {
Index: doc/Changelog
===================================================================
--- doc/Changelog (revision 1952)
+++ doc/Changelog (revision 1953)
@@ -1,3 +1,11 @@
+8 January 2010: Wouter
+ - Fix for parent-child disagreement code which could have trouble
+ when (a) ipv6 was disabled and (b) the TTL for parent and child
+ were different. There were two bugs, the parent-side information
+ is fixed to no longer block lookup of child side information and
+ the iterator is fixed to no longer attempt to get ipv6 when it is
+ not enabled and then give up in failure.
+
7 January 2010: Wouter
- Fixup python documentation (thanks Leo Vandewoestijne).
- Work on cache prefetch feature.
Index: testdata/iter_pcttl.rpl
===================================================================
--- testdata/iter_pcttl.rpl (revision 0)
+++ testdata/iter_pcttl.rpl (revision 1953)
@@ -0,0 +1,245 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ do-ip6: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test cache ttls where parent child differ in ttl
+; and the lameness for parent suddenly becomes the only information point.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN NS
+SECTION AUTHORITY
+net. IN NS e.gtld-servers.net.
+SECTION ADDITIONAL
+e.gtld-servers.net. IN A 192.12.94.30
+ENTRY_END
+
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.foo.com.
+SECTION ADDITIONAL
+;ns.foo.com. 200 IN A 1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+foo.com. IN NS
+SECTION AUTHORITY
+foo.com. 200 IN NS ns.foo.com.
+SECTION ADDITIONAL
+ns.foo.com. 200 IN A 1.2.3.44
+ENTRY_END
+
+RANGE_END
+
+; e.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.12.94.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN NS
+SECTION ANSWER
+net. IN NS e.gtld-servers.net.
+SECTION ADDITIONAL
+e.gtld-servers.net. IN A 192.12.94.30
+ENTRY_END
+
+RANGE_END
+
+; ns.foo.com.
+; The parent-IP version
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.44
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+foo.com. IN NS
+SECTION ANSWER
+foo.com. 200 IN NS ns.foo.com.
+SECTION ADDITIONAL
+ns.foo.com. 100 IN A 1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.foo.com. IN A
+SECTION ANSWER
+ns.foo.com. 100 IN A 1.2.3.44
+SECTION AUTHORITY
+foo.com. 200 IN NS ns.foo.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.foo.com. IN AAAA
+SECTION AUTHORITY
+foo.com. 100 IN SOA . . 1 2 3 4 5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. 200 IN NS ns.foo.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 100 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 200 IN NS ns.foo.com.
+SECTION ADDITIONAL
+ns.foo.com 100 IN A 1.2.3.44
+ENTRY_END
+RANGE_END
+
+; NOT USED. The parent side equals child side but not in the cache.
+; and they have different TTLs only.
+; ns.foo.com
+; The child IP version. Does not respond to anything (servfail instead
+; of timeouts since this is easier to encode in .rpl file format).
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.55
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR SERVFAIL
+SECTION QUESTION
+foo.com. IN NS
+SECTION ANSWER
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 100 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 100 IN NS ns.foo.com.
+; scrubbed off
+;SECTION ADDITIONAL
+;ns.foo.com IN A 1.2.3.44
+ENTRY_END
+
+; Now we wait 101 seconds, and the child data is gone,
+; but the parent-side was cached for 200 and it still there.
+
+STEP 30 TIME_PASSES ELAPSE 101
+
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 100 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 100 IN NS ns.foo.com.
+; scrubbed off
+;SECTION ADDITIONAL
+;ns.foo.com IN A 1.2.3.44
+ENTRY_END
+
+SCENARIO_END

View File

@ -1,66 +0,0 @@
Index: validator/validator.c
===================================================================
--- validator/validator.c (revision 1656)
+++ validator/validator.c (revision 1657)
@@ -251,9 +251,8 @@
/**
* Check to see if a given response needs to go through the validation
* process. Typical reasons for this routine to return false are: CD bit was
- * on in the original request, the response was already validated, or the
- * response is a kind of message that is unvalidatable (i.e., SERVFAIL,
- * REFUSED, etc.)
+ * on in the original request, or the response is a kind of message that
+ * is unvalidatable (i.e., SERVFAIL, REFUSED, etc.)
*
* @param qstate: query state.
* @param ret_rc: rcode for this message (if noerror - examine ret_msg).
@@ -292,14 +291,25 @@
verbose(VERB_ALGO, "cannot validate RRSIG, no sigs on sigs.");
return 0;
}
+ return 1;
+}
+/**
+ * Check to see if the response has already been validated.
+ * @param ret_msg: return msg, can be NULL
+ * @return true if the response has already been validated
+ */
+static int
+already_validated(struct dns_msg* ret_msg)
+{
/* validate unchecked, and re-validate bogus messages */
if (ret_msg && ret_msg->rep->security > sec_status_bogus)
{
- verbose(VERB_ALGO, "response has already been validated");
- return 0;
+ verbose(VERB_ALGO, "response has already been validated: %s",
+ sec_status_to_string(ret_msg->rep->security));
+ return 1;
}
- return 1;
+ return 0;
}
/**
@@ -1937,6 +1947,10 @@
qstate->ext_state[id] = module_finished;
return;
}
+ if(already_validated(qstate->return_msg)) {
+ qstate->ext_state[id] = module_finished;
+ return;
+ }
/* create state to start validation */
qstate->ext_state[id] = module_error; /* override this */
if(!vq) {
@@ -2397,7 +2411,8 @@
}
if(msg->rep->security != sec_status_secure) {
vq->dlv_status = dlv_error;
- verbose(VERB_ALGO, "response is not secure");
+ verbose(VERB_ALGO, "response is not secure, %s",
+ sec_status_to_string(msg->rep->security));
return;
}
/* was the lookup a success? validated DLV? */

View File

@ -1,77 +0,0 @@
Index: validator/validator.c
===================================================================
--- validator/validator.c (revision 1669)
+++ validator/validator.c (revision 1670)
@@ -479,6 +479,36 @@
}
/**
+ * Detect wrong truncated response, by a bad recursor out there.
+ * The positive response has a mangled authority section.
+ * Remove that authority section.
+ * @param rep: reply
+ * @return true if a wrongly truncated response.
+ */
+static int
+detect_wrongly_truncated(struct reply_info* rep)
+{
+ size_t i;
+ /* no additional, only NS in authority, and it is bogus */
+ if(rep->ar_numrrsets != 0 || rep->ns_numrrsets != 1 ||
+ rep->an_numrrsets == 0)
+ return 0;
+ if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS)
+ return 0;
+ if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ]
+ ->entry.data)->security != sec_status_bogus)
+ return 0;
+ /* answer section is present and secure */
+ for(i=0; i<rep->an_numrrsets; i++) {
+ if(((struct packed_rrset_data*)rep->rrsets[ i ]
+ ->entry.data)->security != sec_status_secure)
+ return 0;
+ }
+ return 1;
+}
+
+
+/**
* Given a "positive" response -- a response that contains an answer to the
* question, and no CNAME chain, validate this response.
*
@@ -1449,17 +1479,31 @@
vq->chase_reply->security = sec_status_bogus;
return 1;
}
+ subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
+ &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
/* check signatures in the message;
* answer and authority must be valid, additional is only checked. */
if(!validate_msg_signatures(qstate->env, ve, &vq->qchase,
vq->chase_reply, vq->key_entry)) {
- verbose(VERB_DETAIL, "Validate: message contains bad rrsets");
- return 1;
+ /* workaround bad recursor out there that truncates (even
+ * with EDNS4k) to 512 by removing RRSIG from auth section
+ * for positive replies*/
+ if(subtype == VAL_CLASS_POSITIVE &&
+ detect_wrongly_truncated(vq->orig_msg->rep)) {
+ /* truncate the message some more */
+ vq->orig_msg->rep->ns_numrrsets = 0;
+ vq->orig_msg->rep->rrset_count--;
+ vq->chase_reply->ns_numrrsets = 0;
+ vq->chase_reply->rrset_count--;
+ }
+ else {
+ verbose(VERB_DETAIL, "Validate: message contains "
+ "bad rrsets");
+ return 1;
+ }
}
- subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
- &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
switch(subtype) {
case VAL_CLASS_POSITIVE:
verbose(VERB_ALGO, "Validating a positive response");

View File

@ -1,33 +0,0 @@
Index: validator/validator.c
===================================================================
--- validator/validator.c (revision 1677)
+++ validator/validator.c (working copy)
@@ -479,7 +479,7 @@
}
/**
- * Detect wrong truncated response, by a bad recursor out there.
+ * Detect wrong truncated response (from BIND 9.6.1 with minimal-responses).
* The positive response has a mangled authority section.
* Remove that authority section.
* @param rep: reply
Index: iterator/iterator.c
===================================================================
--- iterator/iterator.c (revision 1677)
+++ iterator/iterator.c (working copy)
@@ -1513,9 +1513,14 @@
/* we know that all other NS rrsets are scrubbed
* away, thus on referral only one is left.
* see if that equals the query name... */
- && reply_find_rrset_section_ns(iq->response->rep,
+ && ( /* auth section, but sometimes in answer section*/
+ reply_find_rrset_section_ns(iq->response->rep,
qstate->qinfo.qname, qstate->qinfo.qname_len,
LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
+ || reply_find_rrset_section_an(iq->response->rep,
+ qstate->qinfo.qname, qstate->qinfo.qname_len,
+ LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
+ )
)) {
/* Store the referral under the current query */
if(!iter_dns_store(qstate->env, &iq->response->qinfo,

File diff suppressed because it is too large Load Diff

View File

@ -11,7 +11,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.4.20
Release: 16%{?dist}
Release: 18%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/unbound/
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@ -33,6 +33,7 @@ Source14: unbound.sysconfig
Source15: unbound.cron
Source16: unbound-munin.README
Patch1: unbound-1.4.20-roundrobin.patch
Patch2: unbound-1.4.20-streamtcp-manpage.patch
Group: System Environment/Daemons
BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.13
@ -107,6 +108,7 @@ Python modules and extensions for unbound
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%build
export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
@ -149,6 +151,8 @@ done
# install streamtcp used for monitoring / debugging unbound's port 80/443 modes
install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
# install streamtcp man page
install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
# Install tmpfiles.d config
install -d -m 0755 %{buildroot}%{_sysconfdir}/tmpfiles.d/ %{buildroot}%{_sharedstatedir}/unbound
@ -277,9 +281,15 @@ exit 0
/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
%changelog
* Mon Aug 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-16
* Mon Aug 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-18
- Change unbound.conf to only use ephemeral ports (32768-65535)
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.20-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Mon Jul 22 2013 Tomas Hozza <thozza@redhat.com> - 1.4.20-16
- provide man page for unbound-streamtcp
* Mon Jul 08 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-15
- Re-introduce hardening flags for full relro and pie
- Fixes compilation failure for python module