Merge branch 'master' of ssh://pkgs.fedoraproject.org/unbound
Conflicts: unbound.spec
commit
97c849787b
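--- a/PATH-NOT-SHOWN-section-1
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: smallapp/unbound-checkconf.c
-===================================================================
---- smallapp/unbound-checkconf.c (revision 1404)
-+++ smallapp/unbound-checkconf.c (working copy)
-@@ -258,7 +258,9 @@
-{
-struct config_strlist* p;
-for(p=list; p; p=p->next) {
-- check_chroot_string(desc, &p->str, chrootdir, cfg);
-+ /* skip wildcard checks, may fail */
-+ if(strstr(p->str,"*") == NULL)
-+ check_chroot_string(desc, &p->str, chrootdir, cfg);
-}
-}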
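--- a/PATH-NOT-SHOWN-section-2
+++ /dev/null
@@ -1,73 +0,0 @@
-Index: validator/val_anchor.c
-===================================================================
---- validator/val_anchor.c (revision 1404)
-+++ validator/val_anchor.c (working copy)
-@@ -47,6 +47,11 @@
-#include "util/regional.h"
-#include "util/config_file.h"
-
-+#include <dirent.h>
-+#include <libgen.h>
-+#include <fnmatch.h>
-+
-+
-int
-anchor_cmp(const void* k1, const void* k2)
-{
-@@ -627,9 +633,53 @@
-FILE* in = fopen(fname, "r");
-int rdlen = 0;
-if(!in) {
-- log_err("error opening file %s: %s", fname, strerror(errno));
-- return 0;
-- }
-+ if(strstr(fname,"*")!=NULL) {
-+ struct dirent **namelist;
-+ char *fnameb = strdup(fname);
-+ char *fnamef = strdup(fname);
-+ char *dbase, *globmatch;
-+ dbase = dirname(fnameb);
-+ globmatch = basename(fnamef);
-+ int n;
-+ verbose(VERB_QUERY, "wildcard found, processing directory");
-+ n = scandir(dbase,&namelist, 0, 0);
-+ if (n<0) {
-+ log_err("error opening wildcard in dir: %s:", dbase);
-+ free(namelist);
-+ free(dbase);
-+ free(fnameb);
-+ free(fnamef);
-+ free(globmatch);
-+ return 1;
-+ }
-+ else {
-+ while(n--) {
-+ if (namelist[n]->d_type != DT_DIR) {
-+ if(!fnmatch(globmatch,namelist[n]->d_name,0)) {
-+ // log_err( "file %s matched pattern %s - loading", namelist[n]->d_name, globmatch);
-+ char *newname = malloc(strlen(namelist[n]->d_name) + strlen(dbase) + strlen("/") + 1);
-+ strcpy(newname, dbase);
-+ strcat(newname,"/");
-+ strcat(newname, namelist[n]->d_name);
-+ if(!anchor_read_bind_file(anchors, buffer,newname)) {
-+ log_err("error reading wildcard trusted-keys-file: %s", newname);
-+ }
-+ free(newname);
-+ } else {
-+ // log_err("file %s did not match pattern %s", namelist[n]->d_name, globmatch);
-+ }
-+ }
-+ free(namelist[n]);
-+ }
-+ free(namelist);
-+ free(dbase);
-+ // causes segfault free(fnameb);
-+ free(fnamef);
-+ // causes segfault free(globmatch);
-+ }
-+ return 1;
-+ }
-+ }
-verbose(VERB_QUERY, "reading in bind-compat-mode: '%s'", fname);
-/* scan for trusted-keys keyword, ignore everything else */
-ldns_buffer_clear(buffer);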
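--- a/PATH-NOT-SHOWN-section-3
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -Naur unbound-1.2.0/validator/val_anchor.c unbound-1.2.0.new/validator/val_anchor.c
---- unbound-1.2.0/validator/val_anchor.c 2009-01-07 07:24:34.000000000 -0500
-+++ unbound-1.2.0.new/validator/val_anchor.c 2009-01-20 17:31:43.000000000 -0500
-@@ -718,7 +718,8 @@
-log_err("wildcard trusted-keys-file %s: expansion "
-"failed (%s)", pat, strerror(errno));
-}
-- return 0;
-+ /* ignore globs that yield no files */
-+ return 1;
-}
-/* process files found, if any */
-for(i=0; i<(size_t)g.gl_pathc; i++) {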
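--- a/PATH-NOT-SHOWN-section-4
+++ /dev/null
@@ -1,11 +0,0 @@
---- pythonmod/pythonmod.c.orig 2011-08-08 20:45:48.344987246 +0200
-+++ pythonmod/pythonmod.c 2011-08-08 21:31:41.429025557 +0200
-@@ -153,6 +153,8 @@
-}
-PyRun_SimpleString("sys.path.append('"RUN_DIR"') \n");
-PyRun_SimpleString("sys.path.append('"SHARE_DIR"') \n");
-+ PyRun_SimpleString("import sysconfig \n");
-+ PyRun_SimpleString("sys.path.append(sysconfig.get_path('purelib')) \n");
-if (PyRun_SimpleString("from unboundmodule import *\n") < 0)
-{
-log_err("pythonmod: cannot initialize core module: unboundmodule.py");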
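--- a/PATH-NOT-SHOWN-section-5
+++ /dev/null
@@ -1,109 +0,0 @@
-Index: services/outside_network.c
-===================================================================
---- services/outside_network.c (revision 2491)
-+++ services/outside_network.c (revision 2493)
-@@ -1199,6 +1199,7 @@
-if(sq->status == serviced_query_UDP_EDNS ||
-sq->status == serviced_query_UDP ||
-sq->status == serviced_query_PROBE_EDNS ||
-+ sq->status == serviced_query_UDP_EDNS_FRAG ||
-sq->status == serviced_query_UDP_EDNS_fallback) {
-struct pending* p = (struct pending*)sq->pending;
-if(p->pc)
-@@ -1280,7 +1281,19 @@
-edns.edns_present = 1;
-edns.ext_rcode = 0;
-edns.edns_version = EDNS_ADVERTISED_VERSION;
-- edns.udp_size = EDNS_ADVERTISED_SIZE;
-+ if(sq->status == serviced_query_UDP_EDNS_FRAG) {
-+ if(addr_is_ip6(&sq->addr, sq->addrlen)) {
-+ if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE)
-+ edns.udp_size = EDNS_FRAG_SIZE_IP6;
-+ else edns.udp_size = EDNS_ADVERTISED_SIZE;
-+ } else {
-+ if(EDNS_FRAG_SIZE_IP4 < EDNS_ADVERTISED_SIZE)
-+ edns.udp_size = EDNS_FRAG_SIZE_IP4;
-+ else edns.udp_size = EDNS_ADVERTISED_SIZE;
-+ }
-+ } else {
-+ edns.udp_size = EDNS_ADVERTISED_SIZE;
-+ }
-edns.bits = 0;
-if(sq->dnssec & EDNS_DO)
-edns.bits = EDNS_DO;
-@@ -1324,7 +1337,8 @@
-sq->status = serviced_query_UDP;
-}
-}
-- serviced_encode(sq, buff, sq->status == serviced_query_UDP_EDNS);
-+ serviced_encode(sq, buff, (sq->status == serviced_query_UDP_EDNS) ||
-+ (sq->status == serviced_query_UDP_EDNS_FRAG));
-sq->last_sent_time = *sq->outnet->now_tv;
-sq->edns_lame_known = (int)edns_lame_known;
-verbose(VERB_ALGO, "serviced query UDP timeout=%d msec", rtt);
-@@ -1564,6 +1578,20 @@
-* by EDNS. */
-sq->status = serviced_query_UDP_EDNS;
-}
-+ if(sq->status == serviced_query_UDP_EDNS) {
-+ /* fallback to 1480/1280 */
-+ sq->status = serviced_query_UDP_EDNS_FRAG;
-+ log_name_addr(VERB_ALGO, "try edns1xx0", sq->qbuf+10,
-+ &sq->addr, sq->addrlen);
-+ if(!serviced_udp_send(sq, c->buffer)) {
-+ serviced_callbacks(sq, NETEVENT_CLOSED, c, rep);
-+ }
-+ return 0;
-+ }
-+ if(sq->status == serviced_query_UDP_EDNS_FRAG) {
-+ /* fragmentation size did not fix it */
-+ sq->status = serviced_query_UDP_EDNS;
-+ }
-sq->retry++;
-if(!(rto=infra_rtt_update(outnet->infra, &sq->addr, sq->addrlen,
--1, sq->last_rtt, (uint32_t)now.tv_sec)))
-@@ -1589,7 +1617,8 @@
-return 0;
-}
-if(!fallback_tcp) {
-- if(sq->status == serviced_query_UDP_EDNS
-+ if( (sq->status == serviced_query_UDP_EDNS
-+ ||sq->status == serviced_query_UDP_EDNS_FRAG)
-&& (LDNS_RCODE_WIRE(ldns_buffer_begin(c->buffer))
-== LDNS_RCODE_FORMERR || LDNS_RCODE_WIRE(
-ldns_buffer_begin(c->buffer)) == LDNS_RCODE_NOTIMPL)) {
-@@ -1866,6 +1895,7 @@
-if(sq->status == serviced_query_UDP_EDNS ||
-sq->status == serviced_query_UDP ||
-sq->status == serviced_query_PROBE_EDNS ||
-+ sq->status == serviced_query_UDP_EDNS_FRAG ||
-sq->status == serviced_query_UDP_EDNS_fallback) {
-s += sizeof(struct pending);
-s += comm_timer_get_mem(NULL);
-Index: services/outside_network.h
-===================================================================
---- services/outside_network.h (revision 2491)
-+++ services/outside_network.h (revision 2493)
-@@ -274,6 +274,11 @@
-void* cb_arg;
-};
-
-+/** fallback size for fragmentation for EDNS in IPv4 */
-+#define EDNS_FRAG_SIZE_IP4 1480
-+/** fallback size for EDNS in IPv6, fits one fragment with ip6-tunnel-ids */
-+#define EDNS_FRAG_SIZE_IP6 1260
-+
-/**
-* Query service record.
-* Contains query and destination. UDP, TCP, EDNS are all tried.
-@@ -314,7 +319,9 @@
-/** probe to test noEDNS0 (EDNS gives FORMERRorNOTIMP) */
-serviced_query_UDP_EDNS_fallback,
-/** probe to test TCP noEDNS0 (EDNS gives FORMERRorNOTIMP) */
-- serviced_query_TCP_EDNS_fallback
-+ serviced_query_TCP_EDNS_fallback,
-+ /** send UDP query with EDNS1480 (or 1280) */
-+ serviced_query_UDP_EDNS_FRAG
-}
-/** variable with current status */
-status;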
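--- a/PATH-NOT-SHOWN-section-6
+++ /dev/null
@@ -1,49 +0,0 @@
->From fe05ea0802ff3f2fd2f49ed0bb3f1f0f4542f196 Mon Sep 17 00:00:00 2001
-From: "Robert S. Edmonds" <edmonds@debian.org>
-Date: Sat, 28 Jan 2012 20:05:43 -0500
-Subject: [PATCH] Makefile.in: use -version-info, not -version-number
-
-from the libtool manual:
-
--version-info current[:revision[:age]]
-If output-file is a libtool library, use interface version
-information current, revision, and age to build it (see
-Versioning). Do not use this flag to specify package release
-information, rather see the -release flag.
-
--version-number major[:minor[:revision]]
-If output-file is a libtool library, compute interface version
-information so that the resulting library uses the specified
-major, minor and revision numbers. This is designed to permit
-libtool to be used with existing projects where identical
-version numbers are already used across operating systems. New
-projects should use the -version-info flag instead.
----
-Makefile.in | 4 ++--
-1 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Makefile.in b/Makefile.in
-index bdd8dba..4c26f52 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -224,7 +224,7 @@ ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
-
-COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS)
-LINK=$(LIBTOOL) --tag=CC --mode=link $(CC) $(staticexe) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS)
--LINK_LIB=$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(staticexe) -version-number @LIBUNBOUND_CURRENT@:@LIBUNBOUND_REVISION@:@LIBUNBOUND_AGE@ -no-undefined
-+LINK_LIB=$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(staticexe) -version-info @LIBUNBOUND_CURRENT@:@LIBUNBOUND_REVISION@:@LIBUNBOUND_AGE@ -no-undefined
-
-.PHONY: clean realclean doc lint all install uninstall tests test strip lib longtest longcheck check
-
-@@ -369,7 +369,7 @@ libunbound/python/libunbound_wrap.c: $(srcdir)/libunbound/python/libunbound.i $(
-
-# Pyunbound python unbound wrapper
-_unbound.la: libunbound_wrap.lo libunbound.la
-- $(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -version-number @LIBUNBOUND_CURRENT@:@LIBUNBOUND_REVISION@:@LIBUNBOUND_AGE@ -no-undefined -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) L. -L.libs -lunbound $(LIBS)
-+ $(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -version-info @LIBUNBOUND_CURRENT@:@LIBUNBOUND_REVISION@:@LIBUNBOUND_AGE@ -no-undefined -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) L. -L.libs -lunbound $(LIBS)
-
-util/config_file.c: util/configparser.h
-util/configlexer.c: $(srcdir)/util/configlexer.lex util/configparser.h
---
-1.7.8.3
-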
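--- a/PATH-NOT-SHOWN-section-7
+++ /dev/null
@@ -1,100 +0,0 @@
-diff -aur unbound-1.4.17-orig/iterator/iterator.c unbound-1.4.17/iterator/iterator.c
---- unbound-1.4.17-orig/iterator/iterator.c 2012-03-21 11:01:01.000000000 -0400
-+++ unbound-1.4.17/iterator/iterator.c 2012-07-23 13:29:05.755093317 -0400
-@@ -1541,8 +1541,7 @@
-* the final state (i.e., on answer).
-*/
-static int
--processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq,
-- int id)
-+processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
-{
-struct module_qstate* subq = NULL;
-verbose(VERB_ALGO, "processDSNSFind");
-@@ -1906,8 +1905,16 @@
-if(iq->qchase.qtype == LDNS_RR_TYPE_DS && !iq->dsns_point
-&& !(iq->chase_flags&BIT_RD)
-&& iter_ds_toolow(iq->response, iq->dp)
-- && iter_dp_cangodown(&iq->qchase, iq->dp))
-+ && iter_dp_cangodown(&iq->qchase, iq->dp)) {
-+ /* close down outstanding requests to be discarded */
-+ outbound_list_clear(&iq->outlist);
-+ iq->num_current_queries = 0;
-+ fptr_ok(fptr_whitelist_modenv_detach_subs(
-+ qstate->env->detach_subs));
-+ (*qstate->env->detach_subs)(qstate);
-+ iq->num_target_queries = 0;
-return processDSNSFind(qstate, iq, id);
-+ }
-if(!iter_dns_store(qstate->env, &iq->response->qinfo,
-iq->response->rep, 0, qstate->prefetch_leeway,
-iq->dp&&iq->dp->has_parent_side_NS,
-@@ -2032,8 +2039,15 @@
-if(iq->qchase.qtype == LDNS_RR_TYPE_DS && !iq->dsns_point
-&& !(iq->chase_flags&BIT_RD)
-&& iter_ds_toolow(iq->response, iq->dp)
-- && iter_dp_cangodown(&iq->qchase, iq->dp))
-+ && iter_dp_cangodown(&iq->qchase, iq->dp)) {
-+ outbound_list_clear(&iq->outlist);
-+ iq->num_current_queries = 0;
-+ fptr_ok(fptr_whitelist_modenv_detach_subs(
-+ qstate->env->detach_subs));
-+ (*qstate->env->detach_subs)(qstate);
-+ iq->num_target_queries = 0;
-return processDSNSFind(qstate, iq, id);
-+ }
-/* Process the CNAME response. */
-if(!handle_cname_response(qstate, iq, iq->response,
-&sname, &snamelen))
-diff -aur unbound-1.4.17-orig/services/mesh.c unbound-1.4.17/services/mesh.c
---- unbound-1.4.17-orig/services/mesh.c 2011-11-10 13:44:06.000000000 -0500
-+++ unbound-1.4.17/services/mesh.c 2012-07-23 13:27:08.163096837 -0400
-@@ -676,6 +676,7 @@
-/* find it, if not, create it */
-struct mesh_area* mesh = qstate->env->mesh;
-struct mesh_state* sub = mesh_area_find(mesh, qinfo, qflags, prime);
-+ int was_detached;
-if(mesh_detect_cycle_found(qstate, sub)) {
-verbose(VERB_ALGO, "attach failed, cycle detected");
-return 0;
-@@ -706,9 +707,12 @@
-*newq = &sub->s;
-} else
-*newq = NULL;
-+ was_detached = (sub->super_set.count == 0);
-if(!mesh_state_attachment(qstate->mesh_info, sub))
-return 0;
-- if(!sub->reply_list && !sub->cb_list && sub->super_set.count == 1) {
-+ /* if it was a duplicate attachment, the count was not zero before */
-+ if(!sub->reply_list && !sub->cb_list && was_detached &&
-+ sub->super_set.count == 1) {
-/* it used to be detached, before this one got added */
-log_assert(mesh->num_detached_states > 0);
-mesh->num_detached_states--;
-@@ -735,16 +739,20 @@
-superref->s = super;
-subref->node.key = subref;
-subref->s = sub;
--#ifdef UNBOUND_DEBUG
-- n =
--#endif
-- rbtree_insert(&sub->super_set, &superref->node);
-- log_assert(n != NULL);
-+ if(!rbtree_insert(&sub->super_set, &superref->node)) {
-+ /* this should not happen, iterator and validator do not
-+ * attach subqueries that are identical. */
-+ /* already attached, we are done, nothing todo.
-+ * since superref and subref already allocated in region,
-+ * we cannot free them */
-+ return 1;
-+ }
-#ifdef UNBOUND_DEBUG
-n =
-#endif
-rbtree_insert(&super->sub_set, &subref->node);
-- log_assert(n != NULL);
-+ log_assert(n != NULL); /* we checked above if statement, the reverse
-+ administration should not fail now, unless they are out of sync */
-return 1;
-}
-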
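--- a/PATH-NOT-SHOWN-section-8
+++ /dev/null
@@ -1,109 +0,0 @@
-diff -Naur unbound-1.4.17-orig/config.h.in unbound-1.4.17/config.h.in
---- unbound-1.4.17-orig/config.h.in 2012-02-13 05:42:22.000000000 -0500
-+++ unbound-1.4.17/config.h.in 2012-07-03 11:08:53.440318529 -0400
-@@ -106,6 +106,9 @@
-/* Define to 1 if you have the `fcntl' function. */
-#undef HAVE_FCNTL
-
-+/* Define to 1 if you have the `FIPS_mode' function. */
-+#undef HAVE_FIPS_MODE
-+
-/* Define to 1 if you have the `fork' function. */
-#undef HAVE_FORK
-
-diff -Naur unbound-1.4.17-orig/configure unbound-1.4.17/configure
---- unbound-1.4.17-orig/configure 2012-05-24 04:37:55.000000000 -0400
-+++ unbound-1.4.17/configure 2012-07-03 11:08:53.445318575 -0400
-@@ -16376,7 +16376,7 @@
-
-done
-
--for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512
-+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode
-do :
-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-diff -Naur unbound-1.4.17-orig/configure.ac unbound-1.4.17/configure.ac
---- unbound-1.4.17-orig/configure.ac 2012-05-15 10:50:21.000000000 -0400
-+++ unbound-1.4.17/configure.ac 2012-07-03 11:08:53.447318592 -0400
-@@ -515,7 +515,7 @@
-ACX_LIB_SSL
-AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
--AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512])
-+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
-AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
-AC_INCLUDES_DEFAULT
-#ifdef HAVE_OPENSSL_ERR_H
-diff -Naur unbound-1.4.17-orig/util/random.c unbound-1.4.17/util/random.c
---- unbound-1.4.17-orig/util/random.c 2012-05-09 05:13:57.000000000 -0400
-+++ unbound-1.4.17/util/random.c 2012-07-03 11:08:53.440318529 -0400
-@@ -140,6 +140,16 @@
-return;
-}
-}
-+#ifdef HAVE_FIPS_MODE
-+ if(FIPS_mode()) {
-+ /* RC4 is not allowed, get some trustworthy randomness */
-+ /* double certainty here, this routine should not be
-+ * called in FIPS_mode */
-+ memset(rand_buf, 0, sizeof(rand_buf));
-+ s->rc4_ready = REKEY_BYTES;
-+ return;
-+ }
-+#endif /* FIPS_MODE */
-RC4_set_key(&s->rc4, SEED_SIZE, (unsigned char*)rand_buf);
-
-/*
-@@ -164,6 +174,9 @@
-return NULL;
-}
-ub_systemseed(seed);
-+#ifdef HAVE_FIPS_MODE
-+ if(!FIPS_mode())
-+#endif
-ub_arc4random_stir(s, from);
-return s;
-}
-@@ -172,6 +185,20 @@
-ub_random(struct ub_randstate* s)
-{
-unsigned int r = 0;
-+#ifdef HAVE_FIPS_MODE
-+ if(FIPS_mode()) {
-+ /* RC4 is not allowed, get some trustworthy randomness */
-+ /* we use pseudo bytes: it tries to return secure randomness
-+ * but returns 'something' if that fails. We need something
-+ * else if it fails, because we cannot block here */
-+ if(RAND_pseudo_bytes((unsigned char*)&r, (int)sizeof(r))
-+ == -1) {
-+ log_err("FIPSmode, no arc4random but RAND failed "
-+ "(error %ld)", ERR_get_error());
-+ }
-+ return (long int)((r) % (((unsigned)MAX_VALUE + 1)));
-+ }
-+#endif /* FIPS_MODE */
-if (s->rc4_ready <= 0) {
-ub_arc4random_stir(s, NULL);
-}
-diff -Naur unbound-1.4.17-orig/validator/val_sigcrypt.c unbound-1.4.17/validator/val_sigcrypt.c
---- unbound-1.4.17-orig/validator/val_sigcrypt.c 2012-02-16 05:08:07.000000000 -0500
-+++ unbound-1.4.17/validator/val_sigcrypt.c 2012-07-03 11:15:31.724850996 -0400
-@@ -417,11 +417,16 @@
-dnskey_algo_id_is_supported(int id)
-{
-switch(id) {
-+ case LDNS_RSAMD5:
-+#ifdef HAVE_FIPS_MODE
-+ return !FIPS_mode();
-+#else
-+ return 1;
-+#endif
-case LDNS_DSA:
-case LDNS_DSA_NSEC3:
-case LDNS_RSASHA1:
-case LDNS_RSASHA1_NSEC3:
-- case LDNS_RSAMD5:
-#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
-case LDNS_RSASHA256:
-#endif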
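--- a/PATH-NOT-SHOWN-section-9
+++ /dev/null
@@ -1,265 +0,0 @@
-diff -Naur unbound-1.4.18-orig/util/config_file.c unbound-1.4.18/util/config_file.c
---- unbound-1.4.18-orig/util/config_file.c 2012-06-18 10:22:29.000000000 -0400
-+++ unbound-1.4.18/util/config_file.c 2012-09-26 00:45:37.509190970 -0400
-@@ -53,6 +53,10 @@
-#include "util/regional.h"
-#include "util/fptr_wlist.h"
-#include "util/data/dname.h"
-+#ifdef HAVE_GLOB_H
-+# include <glob.h>
-+#endif
-+
-/** global config during parsing */
-struct config_parser_state* cfg_parser = 0;
-/** lex in file */
-@@ -689,6 +693,65 @@
-char *fname = (char*)filename;
-if(!fname)
-return 1;
-+
-+ /* check for wildcards */
-+#ifdef HAVE_GLOB
-+ glob_t g;
-+ size_t i;
-+ int r, flags;
-+ if(!(!strchr(fname, '*') && !strchr(fname, '?') && !strchr(fname, '[') &&
-+ !strchr(fname, '{') && !strchr(fname, '~'))) {
-+ verbose(VERB_QUERY, "wildcard found, processing %s", fname);
-+ flags = 0
-+#ifdef GLOB_ERR
-+ | GLOB_ERR
-+#endif
-+#ifdef GLOB_NOSORT
-+ | GLOB_NOSORT
-+#endif
-+#ifdef GLOB_BRACE
-+ | GLOB_BRACE
-+#endif
-+#ifdef GLOB_TILDE
-+ | GLOB_TILDE
-+#endif
-+ ;
-+ memset(&g, 0, sizeof(g));
-+ r = glob(fname, flags, NULL, &g);
-+ if(r) {
-+ /* some error */
-+ if(r == GLOB_NOMATCH) {
-+ verbose(VERB_QUERY, "include: "
-+ "no matches for %s", fname);
-+ return 1;
-+ } else if(r == GLOB_NOSPACE) {
-+ log_err("include: %s: "
-+ "fnametern out of memory", fname);
-+ } else if(r == GLOB_ABORTED) {
-+ log_err("wildcard include: %s: expansion "
-+ "aborted (%s)", fname, strerror(errno));
-+ } else {
-+ log_err("wildcard include: %s: expansion "
-+ "failed (%s)", fname, strerror(errno));
-+ }
-+ /* ignore globs that yield no files */
-+ return 1;
-+ }
-+ /* process files found, if any */
-+ for(i=0; i<(size_t)g.gl_pathc; i++) {
-+ if(!config_read(cfg, g.gl_pathv[i], chroot)) {
-+ log_err("error reading wildcard "
-+ "include: %s", g.gl_pathv[i]);
-+ globfree(&g);
-+ return 0;
-+ }
-+ }
-+ globfree(&g);
-+ return 1;
-+ }
-+#endif
-+
-+
-in = fopen(fname, "r");
-if(!in) {
-log_err("Could not open %s: %s", fname, strerror(errno));
-diff -Naur unbound-1.4.18-orig/util/configlexer.c unbound-1.4.18/util/configlexer.c
---- unbound-1.4.18-orig/util/configlexer.c 2012-08-02 03:26:14.000000000 -0400
-+++ unbound-1.4.18/util/configlexer.c 2012-09-26 00:47:40.856511450 -0400
-@@ -22,6 +22,10 @@
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-+#ifdef HAVE_GLOB_H
-+# include <glob.h>
-+#endif
-+
-
-/* end standard C headers. */
-
-@@ -1827,7 +1831,7 @@
-}
-input = fopen(filename, "r");
-if(!input) {
-- ub_c_error_msg("cannot open include file '%s': %s",
-+ ub_c_error_msg("(c)cannot open include file '%s': %s",
-filename, strerror(errno));
-return;
-}
-@@ -1841,6 +1845,46 @@
-++config_include_stack_ptr;
-}
-
-+static void config_start_include_glob(const char* filename)
-+{
-+#ifdef HAVE_GLOB
-+ glob_t g;
-+ size_t i;
-+ int r, flags;
-+ if(!(!strchr(filename, '*') && !strchr(filename, '?') && !strchr(filename, '[') &&
-+ !strchr(filename, '{') && !strchr(filename, '~'))) {
-+ /* verbose(VERB_QUERY, "wildcard found, processing %s", filename); */
-+ flags = 0
-+#ifdef GLOB_ERR
-+ | GLOB_ERR
-+#endif
-+#ifdef GLOB_NOSORT
-+ | GLOB_NOSORT
-+#endif
-+#ifdef GLOB_BRACE
-+ | GLOB_BRACE
-+#endif
-+#ifdef GLOB_TILDE
-+ | GLOB_TILDE
-+#endif
-+ ;
-+ memset(&g, 0, sizeof(g));
-+ r = glob(filename, flags, NULL, &g);
-+ if(r) {
-+ /* some error */
-+ return;
-+ }
-+ /* process files found, if any */
-+ for(i=0; i<(size_t)g.gl_pathc; i++) {
-+ config_start_include(g.gl_pathv[i]);
-+ }
-+ globfree(&g);
-+ return;
-+ }
-+#endif
-+ config_start_include(filename);
-+}
-+
-static void config_end_include(void)
-{
---config_include_stack_ptr;
-@@ -2875,7 +2919,7 @@
-#line 300 "util/configlexer.lex"
-{
-LEXOUT(("Iunquotedstr(%s) ", yytext));
-- config_start_include(yytext);
-+ config_start_include_glob(yytext);
-BEGIN(inc_prev);
-}
-YY_BREAK
-@@ -2904,7 +2948,7 @@
-{
-LEXOUT(("IQE "));
-yytext[yyleng - 1] = '\0';
-- config_start_include(yytext);
-+ config_start_include_glob(yytext);
-BEGIN(inc_prev);
-}
-YY_BREAK
-diff -Naur unbound-1.4.18-orig/util/configlexer.lex unbound-1.4.18/util/configlexer.lex
---- unbound-1.4.18-orig/util/configlexer.lex 2012-04-10 05:16:39.000000000 -0400
-+++ unbound-1.4.18/util/configlexer.lex 2012-09-26 00:46:59.135064805 -0400
-@@ -11,6 +11,9 @@
-#include <ctype.h>
-#include <string.h>
-#include <strings.h>
-+#ifdef HAVE_GLOB_H
-+# include <glob.h>
-+#endif
-
-#include "util/config_file.h"
-#include "util/configparser.h"
-@@ -43,6 +46,7 @@
-static int inc_prev = 0;
-static int num_args = 0;
-
-+
-static void config_start_include(const char* filename)
-{
-FILE *input;
-@@ -60,7 +64,7 @@
-}
-input = fopen(filename, "r");
-if(!input) {
-- ub_c_error_msg("cannot open include file '%s': %s",
-+ ub_c_error_msg("(lex)cannot open include file '%s': %s",
-filename, strerror(errno));
-return;
-}
-@@ -74,6 +78,48 @@
-++config_include_stack_ptr;
-}
-
-+static void config_start_include_glob(const char* filename)
-+{
-+
-+ /* check for wildcards */
-+#ifdef HAVE_GLOB
-+ glob_t g;
-+ size_t i;
-+ int r, flags;
-+ if(!(!strchr(filename, '*') && !strchr(filename, '?') && !strchr(filename, '[') &&
-+ !strchr(filename, '{') && !strchr(filename, '~'))) {
-+ /* verbose(VERB_QUERY, "wildcard found, processing %s", filename); */
-+ flags = 0
-+#ifdef GLOB_ERR
-+ | GLOB_ERR
-+#endif
-+#ifdef GLOB_NOSORT
-+ | GLOB_NOSORT
-+#endif
-+#ifdef GLOB_BRACE
-+ | GLOB_BRACE
-+#endif
-+#ifdef GLOB_TILDE
-+ | GLOB_TILDE
-+#endif
-+ ;
-+ memset(&g, 0, sizeof(g));
-+ r = glob(filename, flags, NULL, &g);
-+ if(r) {
-+ /* some error */
-+ return config_start_include(filename); /* let original deal with it */
-+ }
-+ /* process files found, if any */
-+ for(i=0; i<(size_t)g.gl_pathc; i++) {
-+ config_start_include(g.gl_pathv[i]);
-+ }
-+ globfree(&g);
-+ return 1;
-+ }
-+#endif
-+
-+ config_start_include(filename);
-+}
-static void config_end_include(void)
-{
---config_include_stack_ptr;
-@@ -299,7 +345,7 @@
-<include>\" { LEXOUT(("IQS ")); BEGIN(include_quoted); }
-<include>{UNQUOTEDLETTER}* {
-LEXOUT(("Iunquotedstr(%s) ", yytext));
-- config_start_include(yytext);
-+ config_start_include_glob(yytext);
-BEGIN(inc_prev);
-}
-<include_quoted><<EOF>> {
-@@ -312,7 +358,7 @@
-<include_quoted>\" {
-LEXOUT(("IQE "));
-yytext[yyleng - 1] = '\0';
-- config_start_include(yytext);
-+ config_start_include_glob(yytext);
-BEGIN(inc_prev);
-}
-<INITIAL,val><<EOF>> {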
@ -1,104 +0,0 @@
|
|||||||
Index: daemon/daemon.c
|
|
||||||
===================================================================
|
|
||||||
--- daemon/daemon.c (revision 2732)
|
|
||||||
+++ daemon/daemon.c (revision 2733)
|
|
||||||
@@ -209,6 +209,10 @@
|
|
||||||
comp_meth = (void*)SSL_COMP_get_compression_methods();
|
|
||||||
# endif
|
|
||||||
(void)SSL_library_init();
|
|
||||||
+# if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
|
|
||||||
+ if(!ub_openssl_lock_init())
|
|
||||||
+ fatal_exit("could not init openssl locks");
|
|
||||||
+# endif
|
|
||||||
#elif defined(HAVE_NSS)
|
|
||||||
if(NSS_NoDB_Init(NULL) != SECSuccess)
|
|
||||||
fatal_exit("could not init NSS");
|
|
||||||
@@ -568,6 +572,9 @@
|
|
||||||
ERR_remove_state(0);
|
|
||||||
ERR_free_strings();
|
|
||||||
RAND_cleanup();
|
|
||||||
+# if defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
|
|
||||||
+ ub_openssl_lock_delete();
|
|
||||||
+# endif
|
|
||||||
#elif defined(HAVE_NSS)
|
|
||||||
NSS_Shutdown();
|
|
||||||
#endif /* HAVE_SSL or HAVE_NSS */
|
|
||||||
Index: util/net_help.c
|
|
||||||
===================================================================
|
|
||||||
--- util/net_help.c (revision 2732)
|
|
||||||
+++ util/net_help.c (revision 2733)
|
|
||||||
@@ -725,3 +725,54 @@
|
|
||||||
return NULL;
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+/** global lock list for openssl locks */
|
|
||||||
+static lock_basic_t *ub_openssl_locks = NULL;
|
|
||||||
+
|
|
||||||
+/** callback that gets thread id for openssl */
|
|
||||||
+static unsigned long
|
|
||||||
+ub_crypto_id_cb(void)
|
|
||||||
+{
|
|
||||||
+ return (unsigned long)ub_thread_self();
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+ub_crypto_lock_cb(int mode, int type, const char *ATTR_UNUSED(file),
|
|
||||||
+ int ATTR_UNUSED(line))
|
|
||||||
+{
|
|
||||||
+ if((mode&CRYPTO_LOCK)) {
|
|
||||||
+ lock_basic_lock(&ub_openssl_locks[type]);
|
|
||||||
+ } else {
|
|
||||||
+ lock_basic_unlock(&ub_openssl_locks[type]);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int ub_openssl_lock_init(void)
|
|
||||||
+{
|
|
||||||
+#ifdef OPENSSL_THREADS
|
|
||||||
+ size_t i;
|
|
||||||
+ ub_openssl_locks = (lock_basic_t*)malloc(
|
|
||||||
+ sizeof(lock_basic_t)*CRYPTO_num_locks());
|
|
||||||
+ if(!ub_openssl_locks)
|
|
||||||
+ return 0;
|
|
||||||
+ for(i=0; i<CRYPTO_num_locks(); i++) {
|
|
||||||
+ lock_basic_init(&ub_openssl_locks[i]);
|
|
||||||
+ }
|
|
||||||
+ CRYPTO_set_id_callback(&ub_crypto_id_cb);
|
|
||||||
+ CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
|
|
||||||
+#endif /* OPENSSL_THREADS */
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void ub_openssl_lock_delete(void)
|
|
||||||
+{
|
|
||||||
+#ifdef OPENSSL_THREADS
|
|
||||||
+ size_t i;
|
|
||||||
+ if(!ub_openssl_locks)
|
|
||||||
+ return;
|
|
||||||
+ for(i=0; i<CRYPTO_num_locks(); i++) {
|
|
||||||
+ lock_basic_destroy(&ub_openssl_locks[i]);
|
|
||||||
+ }
|
|
||||||
+#endif /* OPENSSL_THREADS */
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
Index: util/net_help.h
|
|
||||||
===================================================================
|
|
||||||
--- util/net_help.h (revision 2732)
|
|
||||||
+++ util/net_help.h (revision 2733)
|
|
||||||
@@ -369,4 +369,15 @@
|
|
||||||
*/
|
|
||||||
void* outgoing_ssl_fd(void* sslctx, int fd);
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * Initialize openssl locking for thread safety
|
|
||||||
+ * @return false on failure (alloc failure).
|
|
||||||
+ */
|
|
||||||
+int ub_openssl_lock_init(void);
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+ * De-init the allocated openssl locks
|
|
||||||
+ */
|
|
||||||
+void ub_openssl_lock_delete(void);
|
|
||||||
+
|
|
||||||
#endif /* NET_HELP_H */
|
|
@ -1,44 +0,0 @@
|
|||||||
Index: iterator/iter_fwd.c
|
|
||||||
===================================================================
|
|
||||||
--- iterator/iter_fwd.c (revision 2780)
|
|
||||||
+++ iterator/iter_fwd.c (working copy)
|
|
||||||
@@ -270,25 +270,6 @@
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/** see if zone needs to have a hole inserted */
|
|
||||||
-static int
|
|
||||||
-need_hole_insert(rbtree_t* tree, struct iter_forward_zone* zone)
|
|
||||||
-{
|
|
||||||
- struct iter_forward_zone k;
|
|
||||||
- if(rbtree_search(tree, zone))
|
|
||||||
- return 0; /* exact match exists */
|
|
||||||
- k = *zone;
|
|
||||||
- k.node.key = &k;
|
|
||||||
- /* search up the tree */
|
|
||||||
- do {
|
|
||||||
- dname_remove_label(&k.name, &k.namelen);
|
|
||||||
- k.namelabs --;
|
|
||||||
- if(rbtree_search(tree, &k))
|
|
||||||
- return 1; /* found an upper forward zone, need hole */
|
|
||||||
- } while(k.namelabs > 1);
|
|
||||||
- return 0; /* no forwards above, no holes needed */
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/** insert a stub hole (if necessary) for stub name */
|
|
||||||
static int
|
|
||||||
fwd_add_stub_hole(struct iter_forwards* fwd, uint16_t c, uint8_t* nm)
|
|
||||||
@@ -298,11 +279,8 @@
|
|
||||||
key.dclass = c;
|
|
||||||
key.name = nm;
|
|
||||||
key.namelabs = dname_count_size_labels(key.name, &key.namelen);
|
|
||||||
- if(need_hole_insert(fwd->tree, &key)) {
|
|
||||||
- return forwards_insert_data(fwd, key.dclass, key.name,
|
|
||||||
- key.namelen, key.namelabs, NULL);
|
|
||||||
- }
|
|
||||||
- return 1;
|
|
||||||
+ return forwards_insert_data(fwd, key.dclass, key.name,
|
|
||||||
+ key.namelen, key.namelabs, NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
/** make NULL entries for stubs */
|
|
@ -1,32 +0,0 @@
|
|||||||
diff -Naur unbound-1.4.19-orig/smallapp/unbound-anchor.c unbound-1.4.19/smallapp/unbound-anchor.c
|
|
||||||
--- unbound-1.4.19-orig/smallapp/unbound-anchor.c 2012-10-30 11:13:53.000000000 -0400
|
|
||||||
+++ unbound-1.4.19/smallapp/unbound-anchor.c 2012-12-20 13:18:11.048256192 -0500
|
|
||||||
@@ -1503,6 +1503,20 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* Stop the parser when an entity declaration is encountered. For safety. */
|
|
||||||
+static void
|
|
||||||
+xml_entitydeclhandler(void *userData,
|
|
||||||
+ const XML_Char *ATTR_UNUSED(entityName),
|
|
||||||
+ int ATTR_UNUSED(is_parameter_entity),
|
|
||||||
+ const XML_Char *ATTR_UNUSED(value), int ATTR_UNUSED(value_length),
|
|
||||||
+ const XML_Char *ATTR_UNUSED(base),
|
|
||||||
+ const XML_Char *ATTR_UNUSED(systemId),
|
|
||||||
+ const XML_Char *ATTR_UNUSED(publicId),
|
|
||||||
+ const XML_Char *ATTR_UNUSED(notationName))
|
|
||||||
+{
|
|
||||||
+ XML_StopParser((XML_Parser)userData, XML_FALSE);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* XML parser setup of the callbacks for the tags
|
|
||||||
*/
|
|
||||||
@@ -1531,6 +1545,7 @@
|
|
||||||
if(verb) printf("out of memory\n");
|
|
||||||
exit(0);
|
|
||||||
}
|
|
||||||
+ XML_SetEntityDeclHandler(parser, xml_entitydeclhandler);
|
|
||||||
XML_SetElementHandler(parser, xml_startelem, xml_endelem);
|
|
||||||
XML_SetCharacterDataHandler(parser, xml_charhandle);
|
|
||||||
}
|
|
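--- /dev/null
+++ b/unbound-1.4.20-streamtcp-manpage.patch
@@ -0,0 +1,86 @@
+From 2af92efb1f128ef43313e890182ff23e94276dca Mon Sep 17 00:00:00 2001
+From: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
+Date: Fri, 19 Jul 2013 10:46:16 +0000
+Subject: [PATCH] - streamtcp man page, contributed by Tomas Hozza.
+
+git-svn-id: http://unbound.nlnetlabs.nl/svn/trunk@2924 be551aaa-1e26-0410-a405-d3ace91eadb9
+---
+testcode/streamtcp.1 | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+1 files changed, 66 insertions(+)
+create mode 100644 testcode/streamtcp.1
+
+diff --git a/testcode/streamtcp.1 b/testcode/streamtcp.1
+new file mode 100644
+index 0000000..7c738d9
+--- /dev/null
++++ b/testcode/streamtcp.1
+@@ -0,0 +1,66 @@
++.TH "unbound\-streamtcp" "1" "Mar 21, 2013" "NLnet Labs" "unbound"
++.\"
++.\" unbound-streamtcp.1 -- unbound DNS lookup utility
++.\"
++.SH "NAME"
++.LP
++.B unbound\-streamtcp
++\- unbound DNS lookup utility
++.SH "SYNOPSIS"
++.LP
++.B unbound\-streamtcp
++.RB [ \-unsh ]
++.RB [ \-f
++.IR ipaddr[@port] ]
++.I name
++.I type
++.I class
++.SH "DESCRIPTION"
++.LP
++.B unbound\-streamtcp
++sends a DNS Query of the given \fBtype\fR and \fBclass\fR for the given \fBname\fR
++to the DNS server over TCP and displays the response.
++.P
++If the server to query is not given using the \fB\-f\fR option then localhost
++(127.0.0.1) is used. More queries can be given on one commandline, they
++are resolved in sequence.
++.P
++The available options are:
++.TP
++.I name
++This name is resolved (looked up in the DNS).
++.TP
++.I type
++Specify the type of data to lookup.
++.TP
++.I class
++Specify the class to lookup for.
++.TP
++.B \-u
++Use UDP instead of TCP. No retries are attempted.
++.TP
++.B \-n
++Do not wait for the answer.
++.TP
++.B \-s
++Use SSL.
++.TP
++.B \-h
++Print program usage.
++.TP
++.B \-f \fIipaddr[@port]
++Specify the server to send the queries to. If not specified localhost (127.0.0.1) is used.
++.SH "EXAMPLES"
++.LP
++Some examples of use.
++.P
++$ unbound\-streamtcp www.example.com A IN
++.P
++$ unbound\-streamtcp \-f 192.168.1.1 www.example.com SOA IN
++.P
++$ unbound\-streamtcp \-f 192.168.1.1@1234 153.1.168.192.in\-addr.arpa. PTR IN
++.SH "EXIT CODE"
++The unbound\-streamtcp program exits with status code 1 on error,
++0 on no error.
++.SH "AUTHOR"
++This manual page was written by Tomas Hozza <thozza@redhat.com>.
+--
+1.8.3.1
+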
|
@ -1,52 +0,0 @@
|
|||||||
commit 00f12c3365fbb1f8a185a9972734c6bf225e7c0d
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Tue Apr 27 14:15:19 2010 +0000
|
|
||||||
|
|
||||||
Fix harden-referral-path so it does not generate lookup failures.
|
|
||||||
|
|
||||||
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
|
|
||||||
index fbe3748..16a607c 100644
|
|
||||||
--- a/doc/unbound.conf.5.in
|
|
||||||
+++ b/doc/unbound.conf.5.in
|
|
||||||
@@ -456,6 +456,8 @@ path to the answer.
|
|
||||||
Default off, because it burdens the authority servers, and it is
|
|
||||||
not RFC standard, and could lead to performance problems because of the
|
|
||||||
extra query load that is generated. Experimental option.
|
|
||||||
+If you enable it consider adding more numbers after the target\-fetch\-policy
|
|
||||||
+to increase the max depth that is checked to.
|
|
||||||
.TP
|
|
||||||
.B use\-caps\-for\-id: \fI<yes or no>
|
|
||||||
Use 0x20\-encoded random bits in the query to foil spoof attempts.
|
|
||||||
diff --git a/iterator/iterator.c b/iterator/iterator.c
|
|
||||||
index 08354e8..19b9a26 100644
|
|
||||||
--- a/iterator/iterator.c
|
|
||||||
+++ b/iterator/iterator.c
|
|
||||||
@@ -695,12 +695,15 @@ static void
|
|
||||||
generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
||||||
int id)
|
|
||||||
{
|
|
||||||
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
|
|
||||||
struct module_qstate* subq;
|
|
||||||
size_t i;
|
|
||||||
struct reply_info* rep = iq->response->rep;
|
|
||||||
struct ub_packed_rrset_key* s;
|
|
||||||
log_assert(iq->dp);
|
|
||||||
|
|
||||||
+ if(iq->depth == ie->max_dependency_depth)
|
|
||||||
+ return;
|
|
||||||
/* walk through additional, and check if in-zone,
|
|
||||||
* only relevant A, AAAA are left after scrub anyway */
|
|
||||||
for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
|
|
||||||
@@ -746,9 +749,12 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
||||||
static void
|
|
||||||
generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
|
|
||||||
{
|
|
||||||
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
|
|
||||||
struct module_qstate* subq;
|
|
||||||
log_assert(iq->dp);
|
|
||||||
|
|
||||||
+ if(iq->depth == ie->max_dependency_depth)
|
|
||||||
+ return;
|
|
||||||
/* is this query the same as the nscheck? */
|
|
||||||
if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS &&
|
|
||||||
query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&
|
|
@ -1,196 +0,0 @@
|
|||||||
commit 28093c6d7d9bafbb9763fc6d9b7f222642e8a835
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Thu Apr 22 15:01:02 2010 +0000
|
|
||||||
|
|
||||||
- Fix validation failure for qtype ANY caused by a RRSIG parse failure.
|
|
||||||
The validator error message was 'no signatures from ...'.
|
|
||||||
|
|
||||||
diff --git a/testcode/unitmsgparse.c b/testcode/unitmsgparse.c
|
|
||||||
index 43e4377..d1ef854 100644
|
|
||||||
--- a/testcode/unitmsgparse.c
|
|
||||||
+++ b/testcode/unitmsgparse.c
|
|
||||||
@@ -45,6 +45,7 @@
|
|
||||||
#include "util/data/msgparse.h"
|
|
||||||
#include "util/data/msgreply.h"
|
|
||||||
#include "util/data/msgencode.h"
|
|
||||||
+#include "util/data/dname.h"
|
|
||||||
#include "util/alloc.h"
|
|
||||||
#include "util/regional.h"
|
|
||||||
#include "util/net_help.h"
|
|
||||||
@@ -54,6 +55,8 @@
|
|
||||||
static int vbmp = 0;
|
|
||||||
/** if matching within a section should disregard the order of RRs. */
|
|
||||||
static int matches_nolocation = 0;
|
|
||||||
+/** see if RRSIGs are properly matched to RRsets. */
|
|
||||||
+static int check_rrsigs = 0;
|
|
||||||
|
|
||||||
/** match two rr lists */
|
|
||||||
static int
|
|
||||||
@@ -318,6 +321,76 @@ perftestpkt(ldns_buffer* pkt, struct alloc_cache* alloc, ldns_buffer* out,
|
|
||||||
regional_destroy(region);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/** debug print a packet that failed */
|
|
||||||
+static void
|
|
||||||
+print_packet_rrsets(struct query_info* qinfo, struct reply_info* rep)
|
|
||||||
+{
|
|
||||||
+ size_t i;
|
|
||||||
+ ldns_rr_list* l;
|
|
||||||
+ ldns_buffer* buf = ldns_buffer_new(65536);
|
|
||||||
+ log_query_info(0, "failed query", qinfo);
|
|
||||||
+ printf(";; ANSWER SECTION (%d rrsets)\n", (int)rep->an_numrrsets);
|
|
||||||
+ for(i=0; i<rep->an_numrrsets; i++) {
|
|
||||||
+ l = packed_rrset_to_rr_list(rep->rrsets[i], buf);
|
|
||||||
+ printf("; rrset %d\n", (int)i);
|
|
||||||
+ ldns_rr_list_print(stdout, l);
|
|
||||||
+ ldns_rr_list_deep_free(l);
|
|
||||||
+ }
|
|
||||||
+ printf(";; AUTHORITY SECTION (%d rrsets)\n", (int)rep->ns_numrrsets);
|
|
||||||
+ for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
|
|
||||||
+ l = packed_rrset_to_rr_list(rep->rrsets[i], buf);
|
|
||||||
+ printf("; rrset %d\n", (int)i);
|
|
||||||
+ ldns_rr_list_print(stdout, l);
|
|
||||||
+ ldns_rr_list_deep_free(l);
|
|
||||||
+ }
|
|
||||||
+ printf(";; ADDITIONAL SECTION (%d rrsets)\n", (int)rep->ar_numrrsets);
|
|
||||||
+ for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
|
|
||||||
+ l = packed_rrset_to_rr_list(rep->rrsets[i], buf);
|
|
||||||
+ printf("; rrset %d\n", (int)i);
|
|
||||||
+ ldns_rr_list_print(stdout, l);
|
|
||||||
+ ldns_rr_list_deep_free(l);
|
|
||||||
+ }
|
|
||||||
+ printf(";; packet end\n");
|
|
||||||
+ ldns_buffer_free(buf);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/** check that there is no data element that matches the RRSIG */
|
|
||||||
+static int
|
|
||||||
+no_data_for_rrsig(struct reply_info* rep, struct ub_packed_rrset_key* rrsig)
|
|
||||||
+{
|
|
||||||
+ size_t i;
|
|
||||||
+ for(i=0; i<rep->rrset_count; i++) {
|
|
||||||
+ if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_RRSIG)
|
|
||||||
+ continue;
|
|
||||||
+ if(query_dname_compare(rep->rrsets[i]->rk.dname,
|
|
||||||
+ rrsig->rk.dname) == 0)
|
|
||||||
+ /* only name is compared right now */
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/** check RRSIGs in packet */
|
|
||||||
+static void
|
|
||||||
+check_the_rrsigs(struct query_info* qinfo, struct reply_info* rep)
|
|
||||||
+{
|
|
||||||
+ /* every RRSIG must be matched to an RRset */
|
|
||||||
+ size_t i;
|
|
||||||
+ for(i=0; i<rep->rrset_count; i++) {
|
|
||||||
+ struct ub_packed_rrset_key* s = rep->rrsets[i];
|
|
||||||
+ if(ntohs(s->rk.type) == LDNS_RR_TYPE_RRSIG) {
|
|
||||||
+ /* see if really a problem, i.e. is there a data
|
|
||||||
+ * element. */
|
|
||||||
+ if(no_data_for_rrsig(rep, rep->rrsets[i]))
|
|
||||||
+ continue;
|
|
||||||
+ log_dns_msg("rrsig failed for packet", qinfo, rep);
|
|
||||||
+ print_packet_rrsets(qinfo, rep);
|
|
||||||
+ printf("failed rrset is nr %d\n", (int)i);
|
|
||||||
+ unit_assert(0);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/** test a packet */
|
|
||||||
static void
|
|
||||||
testpkt(ldns_buffer* pkt, struct alloc_cache* alloc, ldns_buffer* out,
|
|
||||||
@@ -355,6 +428,8 @@ testpkt(ldns_buffer* pkt, struct alloc_cache* alloc, ldns_buffer* out,
|
|
||||||
(unsigned)ldns_buffer_limit(pkt),
|
|
||||||
(unsigned)ldns_buffer_limit(out));
|
|
||||||
test_buffers(pkt, out);
|
|
||||||
+ if(check_rrsigs)
|
|
||||||
+ check_the_rrsigs(&qi, rep);
|
|
||||||
|
|
||||||
if(ldns_buffer_limit(out) > lim) {
|
|
||||||
ret = reply_info_encode(&qi, rep, id, flags, out,
|
|
||||||
@@ -519,7 +594,9 @@ void msgparse_test()
|
|
||||||
|
|
||||||
matches_nolocation = 1; /* RR order not important for the next test */
|
|
||||||
testfromdrillfile(pkt, &alloc, out, "testdata/test_packets.6");
|
|
||||||
+ check_rrsigs = 1;
|
|
||||||
testfromdrillfile(pkt, &alloc, out, "testdata/test_packets.7");
|
|
||||||
+ check_rrsigs = 0;
|
|
||||||
matches_nolocation = 0;
|
|
||||||
|
|
||||||
/* cleanup */
|
|
||||||
diff --git a/testdata/test_packets.7 b/testdata/test_packets.7
|
|
||||||
index 4f71c2c..357fa40 100644
|
|
||||||
--- a/testdata/test_packets.7
|
|
||||||
+++ b/testdata/test_packets.7
|
|
||||||
@@ -17,3 +17,21 @@ A608C7155005EBEDCA2176A559EFAF28D5DA1E91F540874BAA1C46BB08B1BAAE1812699A18139CF0
|
|
||||||
13BBDA2EC641FB23993A72ED6606C8C85E0D1660CC1770769697CEE7EB8E6474714984D7FF41FBBE48FF4A70669101BF00320340B82DC590B2C19D0006841121DC6AC933002E00010000012C007D000105030000012C4B11ADE94AEA20E9FC600673776974636802636800561C052414445D427CE00A40ACE2DA2EC168523823830CA724B087B8116F46B3CD051C5EC5874F6FC75CF6BA846279E469C474A75F9334242BB66FDD367C73B8BBC3F8748736BC5E6AED8B9B7C5FB5FE2DEDFBF46B403BC173DE958C038CFCCAC933002E00010000012C007D001C05030000012C4B11ADE94AEA20E9FC600673776974636802636800A6F44063C12A5A8BF5BCFADD
|
|
||||||
745C5B3915E463DA478131E636347EED414675023BBCA5BA2AABEC2FA3DF976A2343B4AA3403D1AFA3D470D25812BD1A319FBB5B833244D0FA18A59BB69ABB77BBDB3D7F62740D3871A69A5B9D43331D78AB8AE8C91B002E00010000012C007D000105030000012C4B11ADE94AEA20E9FC6006737769746368026368008906D2CFEFC3AA652125DD021CAB6392EBC4A9B4B3CFE3B07E4AFE7DA3263C7B8CE5DC3B66DA45D120E75B3D49ADC1F7D2E9A04A31760698FCFDEAB4AC82915D8E0AD2494DB4F11C02E115C3BD47DC8E57EDA7805BF0E7820A445F93A07698DF0000291000000080000000
|
|
||||||
|
|
||||||
+;-- es.net IN ANY about RRSIG ordering.
|
|
||||||
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
|
|
||||||
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
|
|
||||||
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
|
|
||||||
+0740A8D1B8B28CB23E04A80F90979704B44FE379103F4D91482D0EBC1D7005E326668F30B2A434F9DE76BB90DFEF2BFEDEE8CAD62164CA089651AB31498F18ED9A1E5694B4D460FFA4E667950322B2A75E8FD408B6A54EDB00257CE44AC865D1567346C2DB002E000100000258009A00100502000002584BE2932A4BD0101A4BA3026573036E6574004367180234A327C0AF72B3963518FC6E53A43E92CE6F5560E383FE8E7EF258FEA28BA666C026A90DAB67F46FBA4FF82F2704FEB3A27E25F3A8E6874B78938D70C5A20D94BEC90596B55C594F94A1438B14C8F890CE61D9630EFD897DEA9B3995D2C668469F62DB9346BB6AAF2EB6F3EE20EC31EAC80BCB
|
|
||||||
+962105A64CCD5783EFC381002E000100000258009A000F0502000002584BE2932A4BD0101A4BA3026573036E657400D36D367D4D95060CB2952870BE9E826E6F7835CF6517FF83957F5097B6FC401FE5815B8895D02C68E23A47D7015A3DCE9FDE63AF9D9E1D697016444355633D0BE03177B35BE54980B241C12978A7F3EBF2420861EBFAA028CAF9FCBBF54C069869BFB7F9AB9E60D4791ACCA276AE698EB6EF7582235977E158DA8530EC84327EC427002E000100000258009A00010502000002584BE2932A4BD0101A4BA3026573036E65740068E7176D8561B49621F80DB36DC12A3C5DCD2DE5FE3973F5D7DE15769F099F2A1A9BB088042E794747E3AB
|
|
||||||
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
|
|
||||||
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
|
|
||||||
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
|
|
||||||
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
|
|
||||||
+3AF846E58FE46DEB3491FA683959B38B893BF55721CED8FC4A64DBEDB6BF1C7FADE650EE219A01E81DD0212B89259319CA5DC81F26821A5CC29B4CC1059AE28227B89B8816039E43C35E33C57300300001000151800108018103050301000188F31BEFA3466D6FCAF11E0D1954D2011D6EAECF922D9E1B8D620095A0D15E7CFF8EA33F8E2A8C3B3F45A1ADACFED62E3E4EDC884AEF8A7CADBCFF8EDF2158730136D01BDB6D057BEBF3D35A92ADB5E8ACB1152FE1244B2D36DCB500E952CFB6D744BF7DBAB24A901B984F869FF47113C9515D53FE1A57293B01C24195A1D40580566CDAE5B04348CB60507267BB38F34839EE959D43FB9605652157014059FDBD
|
|
||||||
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
|
|
||||||
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
|
|
||||||
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
|
|
||||||
+4BD0101A4BA3026573036E6574002588E73F85BE8FAFD09628232906913DB78592B59F9C3C95A4AD1334D383C1326EE0C6FCF38892D8BB74631D680A6E4DB2D603D32394BC7B4EC798A1511667D246A0C30B33D03AB144C3704AA80AFCA27F197B2F83F20A9F0D2835C7C0A9B49E47E7CF2E192DC7DBF4635C39ECCCB291DB4B2832E0B8FF430A75726500194D9EC024002E000100015180009A00010503000151804BE2932A4BD0101A4BA3026573036E6574000E9F4098B1EF4F429B802007E3A9EA8E267A1F78EA7241AADD120A74CEBF70DC1DF76065A2CE0CDAA51AAB2F68411D9DEDC1F9DBEB3AB114A1FCBE122610756DE205EEC576CA5E62BD02497F
|
|
||||||
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
|
|
||||||
+0CE145578E56BB359606C9B85538450D2BCA3E9AD0DEFC8FF865DA646F900B9CBC7325B7F04706B60E2770107E62894FE9CF3B1A432F0FB53C5C7A8F37D0F60354C7D52F4DF88BDD4C46774AA728DFC1C807EF5276641CA28774F323C7326B7C1D99DFCB9498C6E096392009AA972B83F0583A5D1002CA26B59B5C97F6A8309C0000291000000080000000
|
|
||||||
+
|
|
||||||
diff --git a/util/data/msgparse.c b/util/data/msgparse.c
|
|
||||||
index 2db8832..ae6dfc1 100644
|
|
||||||
--- a/util/data/msgparse.c
|
|
||||||
+++ b/util/data/msgparse.c
|
|
||||||
@@ -335,16 +335,20 @@ moveover_rrsigs(ldns_buffer* pkt, struct regional* region,
|
|
||||||
struct rr_parse* sig = sigset->rr_first;
|
|
||||||
struct rr_parse* prev = NULL;
|
|
||||||
struct rr_parse* insert;
|
|
||||||
+ struct rr_parse* nextsig;
|
|
||||||
while(sig) {
|
|
||||||
+ nextsig = sig->next;
|
|
||||||
if(pkt_rrsig_covered_equals(pkt, sig->ttl_data,
|
|
||||||
dataset->type)) {
|
|
||||||
if(duplicate) {
|
|
||||||
/* new */
|
|
||||||
insert = (struct rr_parse*)regional_alloc(
|
|
||||||
region, sizeof(struct rr_parse));
|
|
||||||
+ if(!insert) return 0;
|
|
||||||
insert->outside_packet = 0;
|
|
||||||
insert->ttl_data = sig->ttl_data;
|
|
||||||
insert->size = sig->size;
|
|
||||||
+ /* prev not used */
|
|
||||||
} else {
|
|
||||||
/* remove from sigset */
|
|
||||||
if(prev) prev->next = sig->next;
|
|
||||||
@@ -354,6 +358,7 @@ moveover_rrsigs(ldns_buffer* pkt, struct regional* region,
|
|
||||||
sigset->rr_count--;
|
|
||||||
sigset->size -= sig->size;
|
|
||||||
insert = sig;
|
|
||||||
+ /* prev not changed */
|
|
||||||
}
|
|
||||||
/* add to dataset */
|
|
||||||
dataset->rrsig_count++;
|
|
||||||
@@ -363,9 +368,9 @@ moveover_rrsigs(ldns_buffer* pkt, struct regional* region,
|
|
||||||
else dataset->rrsig_first = insert;
|
|
||||||
dataset->rrsig_last = insert;
|
|
||||||
dataset->size += insert->size;
|
|
||||||
- }
|
|
||||||
- prev = sig;
|
|
||||||
- sig = sig->next;
|
|
||||||
+ } else
|
|
||||||
+ prev = sig;
|
|
||||||
+ sig = nextsig;
|
|
||||||
}
|
|
||||||
return 1;
|
|
||||||
}
|
|
@ -1,38 +0,0 @@
|
|||||||
commit 374822322e33503d3576c85b3e43fef158a80e42
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Thu Apr 29 12:36:12 2010 +0000
|
|
||||||
|
|
||||||
dnssec lameness detection looks in key cache if dnssec is expected.
|
|
||||||
|
|
||||||
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
|
|
||||||
index 6124650..f63b6fe 100644
|
|
||||||
--- a/iterator/iter_utils.c
|
|
||||||
+++ b/iterator/iter_utils.c
|
|
||||||
@@ -60,6 +60,8 @@
|
|
||||||
#include "util/random.h"
|
|
||||||
#include "util/fptr_wlist.h"
|
|
||||||
#include "validator/val_anchor.h"
|
|
||||||
+#include "validator/val_kcache.h"
|
|
||||||
+#include "validator/val_kentry.h"
|
|
||||||
|
|
||||||
/** time when nameserver glue is said to be 'recent' */
|
|
||||||
#define SUSPICION_RECENT_EXPIRY 86400
|
|
||||||
@@ -570,6 +572,18 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
|
|
||||||
reply_find_rrset_section_ns(msg->rep, dp->name, dp->namelen,
|
|
||||||
LDNS_RR_TYPE_DS, dclass))
|
|
||||||
return 1;
|
|
||||||
+ /* look in key cache */
|
|
||||||
+ if(env->key_cache) {
|
|
||||||
+ struct key_entry_key* kk = key_cache_obtain(env->key_cache,
|
|
||||||
+ dp->name, dp->namelen, dclass, env->scratch, *env->now);
|
|
||||||
+ if(kk) {
|
|
||||||
+ if(key_entry_isgood(kk) || key_entry_isbad(kk)) {
|
|
||||||
+ regional_free_all(env->scratch);
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+ regional_free_all(env->scratch);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
@ -1,153 +0,0 @@
|
|||||||
commit 40d18f7cfb64a806699545410858b655e76660e1
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Tue May 4 08:39:04 2010 +0000
|
|
||||||
|
|
||||||
- Fix dnssec-missing detection that was turned off by server selection.
|
|
||||||
|
|
||||||
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
|
|
||||||
index b3a31fa..3a75d03 100644
|
|
||||||
--- a/iterator/iter_utils.c
|
|
||||||
+++ b/iterator/iter_utils.c
|
|
||||||
@@ -310,7 +310,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
|
|
||||||
struct delegpt_addr*
|
|
||||||
iter_server_selection(struct iter_env* iter_env,
|
|
||||||
struct module_env* env, struct delegpt* dp,
|
|
||||||
- uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_expected,
|
|
||||||
+ uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_lame,
|
|
||||||
int* chase_to_rd, int open_target, struct sock_list* blacklist)
|
|
||||||
{
|
|
||||||
int sel;
|
|
||||||
@@ -331,7 +331,7 @@ iter_server_selection(struct iter_env* iter_env,
|
|
||||||
if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT) {
|
|
||||||
verbose(VERB_ALGO, "chase to "
|
|
||||||
"blacklisted dnssec lame server");
|
|
||||||
- *dnssec_expected = 0;
|
|
||||||
+ *dnssec_lame = 1;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) {
|
|
||||||
@@ -340,7 +340,7 @@ iter_server_selection(struct iter_env* iter_env,
|
|
||||||
}
|
|
||||||
if(selrtt > USEFUL_SERVER_TOP_TIMEOUT) {
|
|
||||||
verbose(VERB_ALGO, "chase to dnssec lame server");
|
|
||||||
- *dnssec_expected = 0;
|
|
||||||
+ *dnssec_lame = 1;
|
|
||||||
}
|
|
||||||
if(selrtt == USEFUL_SERVER_TOP_TIMEOUT) {
|
|
||||||
verbose(VERB_ALGO, "chase to blacklisted lame server");
|
|
||||||
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
|
|
||||||
index a9f4247..d3870ec 100644
|
|
||||||
--- a/iterator/iter_utils.h
|
|
||||||
+++ b/iterator/iter_utils.h
|
|
||||||
@@ -80,7 +80,7 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg);
|
|
||||||
* @param name: zone name (for lameness check).
|
|
||||||
* @param namelen: length of name.
|
|
||||||
* @param qtype: query type that we want to send.
|
|
||||||
- * @param dnssec_expected: set to 0, if a known dnssec-lame server is selected
|
|
||||||
+ * @param dnssec_lame: set to 1, if a known dnssec-lame server is selected
|
|
||||||
* these are not preferred, but are used as a last resort.
|
|
||||||
* @param chase_to_rd: set to 1 if a known recursion lame server is selected
|
|
||||||
* these are not preferred, but are used as a last resort.
|
|
||||||
@@ -92,7 +92,7 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg);
|
|
||||||
*/
|
|
||||||
struct delegpt_addr* iter_server_selection(struct iter_env* iter_env,
|
|
||||||
struct module_env* env, struct delegpt* dp, uint8_t* name,
|
|
||||||
- size_t namelen, uint16_t qtype, int* dnssec_expected,
|
|
||||||
+ size_t namelen, uint16_t qtype, int* dnssec_lame,
|
|
||||||
int* chase_to_rd, int open_target, struct sock_list* blacklist);
|
|
||||||
|
|
||||||
/**
|
|
||||||
diff --git a/iterator/iterator.c b/iterator/iterator.c
|
|
||||||
index 19b9a26..6f486bf 100644
|
|
||||||
--- a/iterator/iterator.c
|
|
||||||
+++ b/iterator/iterator.c
|
|
||||||
@@ -120,6 +120,7 @@ iter_new(struct module_qstate* qstate, int id)
|
|
||||||
iq->wait_priming_stub = 0;
|
|
||||||
iq->refetch_glue = 0;
|
|
||||||
iq->dnssec_expected = 0;
|
|
||||||
+ iq->dnssec_lame_query = 0;
|
|
||||||
iq->chase_flags = qstate->query_flags;
|
|
||||||
/* Start with the (current) qname. */
|
|
||||||
iq->qchase = qstate->qinfo;
|
|
||||||
@@ -1451,8 +1452,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
||||||
/* Select the next usable target, filtering out unsuitable targets. */
|
|
||||||
target = iter_server_selection(ie, qstate->env, iq->dp,
|
|
||||||
iq->dp->name, iq->dp->namelen, iq->qchase.qtype,
|
|
||||||
- &iq->dnssec_expected, &iq->chase_to_rd, iq->num_target_queries,
|
|
||||||
- qstate->blacklist);
|
|
||||||
+ &iq->dnssec_lame_query, &iq->chase_to_rd,
|
|
||||||
+ iq->num_target_queries, qstate->blacklist);
|
|
||||||
|
|
||||||
/* If no usable target was selected... */
|
|
||||||
if(!target) {
|
|
||||||
@@ -1530,10 +1531,14 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* We have a valid target. */
|
|
||||||
- if(iq->dnssec_expected) verbose(VERB_ALGO, "dnssec is expected");
|
|
||||||
- log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
|
|
||||||
- log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name,
|
|
||||||
- &target->addr, target->addrlen);
|
|
||||||
+ if(verbosity >= VERB_QUERY) {
|
|
||||||
+ log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
|
|
||||||
+ log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name,
|
|
||||||
+ &target->addr, target->addrlen);
|
|
||||||
+ verbose(VERB_ALGO, "dnssec status: %s%s",
|
|
||||||
+ iq->dnssec_expected?"expected": "not expected",
|
|
||||||
+ iq->dnssec_lame_query?" but lame_query anyway": "");
|
|
||||||
+ }
|
|
||||||
fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
|
|
||||||
outq = (*qstate->env->send_query)(
|
|
||||||
iq->qchase.qname, iq->qchase.qname_len,
|
|
||||||
@@ -1587,6 +1592,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
||||||
iq->num_current_queries--;
|
|
||||||
if(iq->response == NULL) {
|
|
||||||
iq->chase_to_rd = 0;
|
|
||||||
+ iq->dnssec_lame_query = 0;
|
|
||||||
verbose(VERB_ALGO, "query response was timeout");
|
|
||||||
return next_state(iq, QUERYTARGETS_STATE);
|
|
||||||
}
|
|
||||||
@@ -1599,7 +1605,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
||||||
* differently. No queries should be sent elsewhere */
|
|
||||||
type = RESPONSE_TYPE_ANSWER;
|
|
||||||
}
|
|
||||||
- if(iq->dnssec_expected && !(iq->chase_flags&BIT_RD)
|
|
||||||
+ if(iq->dnssec_expected && !iq->dnssec_lame_query &&
|
|
||||||
+ !(iq->chase_flags&BIT_RD)
|
|
||||||
&& type != RESPONSE_TYPE_LAME
|
|
||||||
&& type != RESPONSE_TYPE_REC_LAME
|
|
||||||
&& type != RESPONSE_TYPE_THROWAWAY
|
|
||||||
@@ -1615,7 +1622,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
||||||
type = RESPONSE_TYPE_LAME;
|
|
||||||
dnsseclame = 1;
|
|
||||||
}
|
|
||||||
- }
|
|
||||||
+ } else iq->dnssec_lame_query = 0;
|
|
||||||
/* see if referral brings us close to the target */
|
|
||||||
if(type == RESPONSE_TYPE_REFERRAL) {
|
|
||||||
struct ub_packed_rrset_key* ns = find_NS(
|
|
||||||
@@ -1764,7 +1771,6 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
||||||
/* Clear the query state, since this is a query restart. */
|
|
||||||
iq->deleg_msg = NULL;
|
|
||||||
iq->dp = NULL;
|
|
||||||
- iq->dnssec_expected = 0;
|
|
||||||
/* Note the query restart. */
|
|
||||||
iq->query_restart_count++;
|
|
||||||
|
|
||||||
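--- a/iterator/iterator.h
+++ b/iterator/iterator.h
@@ -255,6 +255,12 @@ struct iter_qstate {
 int dnssec_expected;
 
 /**
+ * We are expecting dnssec information, but we also know the server
+ * is DNSSEC lame. The response need not be marked dnssec-lame again.
+ */
+ int dnssec_lame_query;
+
+ /**
 * This is flag that, if true, means that this event is
 * waiting for a stub priming query.
 */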
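Review bot: The doc comment on the new `dnssec_lame_query` field describes what the flag means but not which code owns it; the iterator.c hunks in this patch only ever clear it (on a timeout and on a response that is not dnssec-lame), and the line that sets it to 1 is not in this view. Naming the setter and the clearing points in the comment lets a reader check the flag's lifetime without grepping, e.g. `* Set when a dnssec-lame target is selected; cleared on timeout and on a non-lame response (processQueryResponse).` — adjust the setter name if it lives elsewhere.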
@ -1,159 +0,0 @@
|
|||||||
commit 41b631ca4182e68b09eecdaec7d67ac576f3800d
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Tue Apr 27 11:10:35 2010 +0000
|
|
||||||
|
|
||||||
- fix retry sequence if prime hints are recursion-lame.
|
|
||||||
|
|
||||||
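--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1897,8 +1897,11 @@ static int
 processPrimeResponse(struct module_qstate* qstate, int id)
 {
 struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];
- enum response_type type = response_type_from_server(0, iq->response,
- &iq->qchase, iq->dp);
+ enum response_type type;
+ iq->response->rep->flags &= ~(BIT_RD|BIT_RA); /* ignore rec-lame */
+ type = response_type_from_server(
+ (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
+ iq->response, &iq->qchase, iq->dp);
 if(type == RESPONSE_TYPE_ANSWER) {
 qstate->return_rcode = LDNS_RCODE_NOERROR;
 qstate->return_msg = iq->response;
@@ -2230,7 +2233,7 @@ void
 iter_inform_super(struct module_qstate* qstate, int id,
 struct module_qstate* super)
 {
- if(super->qinfo.qclass == LDNS_RR_CLASS_ANY)
+ if(!qstate->is_priming && super->qinfo.qclass == LDNS_RR_CLASS_ANY)
 processClassResponse(qstate, id, super);
 else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
 error_supers(qstate, id, super);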
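Review bot: The new `iq->response->rep->flags &= ~(BIT_RD|BIT_RA);` in processPrimeResponse dereferences `iq->response` before anything in the function checks it, whereas processQueryResponse in the patch above opens with an explicit `iq->response == NULL` timeout branch; if a priming query can time out into this function, the new line is a NULL dereference. Either a guard such as `if(!iq->response) { /* timeout: fall through to the error handling below */ }` ahead of the flag clearing, or a comment stating that callers never pass a timed-out response here, would make the assumption visible. The `/* ignore rec-lame */` comment could also note that the bits are cleared on the response message itself, which this function later stores in `qstate->return_msg`, so the mutation outlives the type check. processPrimeResponse continues outside the hunk.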
diff --git a/testdata/iter_hint_lame.rpl b/testdata/iter_hint_lame.rpl
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..8cbede1
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/testdata/iter_hint_lame.rpl
|
|
||||||
@@ -0,0 +1,120 @@
|
|
||||||
+; config options
|
|
||||||
+server:
|
|
||||||
+ target-fetch-policy: "0 0 0 0 0"
|
|
||||||
+
|
|
||||||
+stub-zone:
|
|
||||||
+ name: "."
|
|
||||||
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
|
||||||
+CONFIG_END
|
|
||||||
+
|
|
||||||
+SCENARIO_BEGIN Test iterative resolve with lame hints.
|
|
||||||
+
|
|
||||||
+; K.ROOT-SERVERS.NET.
|
|
||||||
+RANGE_BEGIN 0 100
|
|
||||||
+ ADDRESS 193.0.14.129
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY QR RA NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+. IN NS
|
|
||||||
+SECTION ANSWER
|
|
||||||
+. IN NS K.ROOT-SERVERS.NET.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY QR RA NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+www.example.com. IN A
|
|
||||||
+SECTION AUTHORITY
|
|
||||||
+com. IN NS a.gtld-servers.net.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
+ENTRY_END
|
|
||||||
+RANGE_END
|
|
||||||
+
|
|
||||||
+; a.gtld-servers.net.
|
|
||||||
+RANGE_BEGIN 0 100
|
|
||||||
+ ADDRESS 192.5.6.30
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+com. IN NS
|
|
||||||
+SECTION ANSWER
|
|
||||||
+com. IN NS a.gtld-servers.net.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+www.example.com. IN A
|
|
||||||
+SECTION AUTHORITY
|
|
||||||
+example.com. IN NS ns.example.com.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+ns.example.com. IN A 1.2.3.4
|
|
||||||
+ENTRY_END
|
|
||||||
+RANGE_END
|
|
||||||
+
|
|
||||||
+; ns.example.com.
|
|
||||||
+RANGE_BEGIN 0 100
|
|
||||||
+ ADDRESS 1.2.3.4
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+example.com. IN NS
|
|
||||||
+SECTION ANSWER
|
|
||||||
+example.com. IN NS ns.example.com.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+ns.example.com. IN A 1.2.3.4
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+www.example.com. IN A
|
|
||||||
+SECTION ANSWER
|
|
||||||
+www.example.com. IN A 10.20.30.40
|
|
||||||
+SECTION AUTHORITY
|
|
||||||
+example.com. IN NS ns.example.com.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+ns.example.com. IN A 1.2.3.4
|
|
||||||
+ENTRY_END
|
|
||||||
+RANGE_END
|
|
||||||
+
|
|
||||||
+STEP 1 QUERY
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+REPLY RD
|
|
||||||
+SECTION QUESTION
|
|
||||||
+www.example.com. IN A
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+; recursion happens here.
|
|
||||||
+STEP 10 CHECK_ANSWER
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH all
|
|
||||||
+REPLY QR RD RA NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+www.example.com. IN A
|
|
||||||
+SECTION ANSWER
|
|
||||||
+www.example.com. IN A 10.20.30.40
|
|
||||||
+SECTION AUTHORITY
|
|
||||||
+example.com. IN NS ns.example.com.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+ns.example.com. IN A 1.2.3.4
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+SCENARIO_END
|
|
@ -1,51 +0,0 @@
|
|||||||
commit 5e989a15b927094a83d0f3a08be0cd559e29d3ff
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Fri Apr 23 09:07:05 2010 +0000
|
|
||||||
|
|
||||||
- Fix to fetch data as last resort more tenaciously. When cycle
|
|
||||||
targets cause the server selection to believe there are more options
|
|
||||||
when they really are not there, the server selection is reinitiated.
|
|
||||||
- Fix fetch from blacklisted dnssec lame servers as last resort. The
|
|
||||||
servers IP address is then given in validator errors as well.
|
|
||||||
|
|
||||||
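--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -322,9 +322,15 @@ iter_server_selection(struct iter_env* iter_env,
 verbose(VERB_ALGO, "selrtt %d", selrtt);
 if(selrtt > BLACKLIST_PENALTY) {
 if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT*2) {
- verbose(VERB_ALGO, "chase to recursion lame server");
+ verbose(VERB_ALGO, "chase to "
+ "blacklisted recursion lame server");
 *chase_to_rd = 1;
 }
+ if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT) {
+ verbose(VERB_ALGO, "chase to "
+ "blacklisted dnssec lame server");
+ *dnssec_expected = 0;
+ }
 } else {
 if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) {
 verbose(VERB_ALGO, "chase to recursion lame server");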
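Review bot: The two new thresholds overlap by value: whenever `selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT*2` fires, the following `> USEFUL_SERVER_TOP_TIMEOUT` test fires too, so a blacklisted recursion-lame server is always also chased with `*dnssec_expected = 0`. If that is intended — a last-resort fallback should not expect DNSSEC from either kind of lame server — a one-line comment keeps the next reader from "fixing" it into an `else if`, e.g. `/* >2x also satisfies >1x: a rec-lame fallback drops the dnssec expectation too */`. Since this is the last-resort path, it is also worth stating in that comment that clearing `dnssec_expected` only changes the iterator's lame marking and that the answer's security status is presumably still decided by the validator. iter_server_selection continues outside the hunk.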
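--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1469,6 +1469,15 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 return error_response(qstate, id,
 LDNS_RCODE_SERVFAIL);
 }
+ if(qs == 0 &&
+ delegpt_count_missing_targets(iq->dp) == 0){
+ /* it looked like there were missing
+ * targets, but they did not turn up.
+ * Try the bad choices again (if any),
+ * when we get back here missing==0,
+ * so this is not a loop. */
+ return 1;
+ }
 iq->num_target_queries += qs;
 }
 /* Since a target query might have been made, we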
@ -1,18 +0,0 @@
|
|||||||
commit 5f58ed252d7bcd500ebedfb351e3ce7c84c44211
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Tue Apr 27 09:16:23 2010 +0000
|
|
||||||
|
|
||||||
unbound-control get_option domain-insecure works.
|
|
||||||
|
|
||||||
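--- a/util/config_file.c
+++ b/util/config_file.c
@@ -609,6 +609,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 else O_LST(opt, "trusted-keys-file", trusted_keys_file_list)
 else O_LST(opt, "dlv-anchor", dlv_anchor_list)
 else O_LST(opt, "control-interface", control_ifs)
+ else O_LST(opt, "domain-insecure", domain_insecure)
 else O_UNS(opt, "val-override-date", val_date_override)
 /* not here:
 * outgoing-permit, outgoing-avoid - have list of ports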
@ -1,26 +0,0 @@
|
|||||||
commit 74d75e591a6f5343109922f2bf1f83eba59f0a4f
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Thu Apr 29 12:52:44 2010 +0000
|
|
||||||
|
|
||||||
fix for key cache lookup
|
|
||||||
|
|
||||||
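--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -577,9 +577,14 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
 struct key_entry_key* kk = key_cache_obtain(env->key_cache,
 dp->name, dp->namelen, dclass, env->scratch, *env->now);
 if(kk) {
- if(key_entry_isgood(kk) || key_entry_isbad(kk)) {
+ if(query_dname_compare(kk->name, dp->name) == 0) {
+ if(key_entry_isgood(kk) || key_entry_isbad(kk)) {
 regional_free_all(env->scratch);
 return 1;
+ } else if(key_entry_isnull(kk)) {
+ regional_free_all(env->scratch);
+ return 0;
+ }
 }
 regional_free_all(env->scratch);
 }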
@ -1,77 +0,0 @@
|
|||||||
commit 778d4ab54a4e9efb41b042607b9a685853c5483c
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Fri Apr 23 14:03:09 2010 +0000
|
|
||||||
|
|
||||||
- Fix local-zone type redirect that did not use the query name for
|
|
||||||
the answer rrset.
|
|
||||||
|
|
||||||
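--- a/services/localzone.c
+++ b/services/localzone.c
@@ -1040,10 +1040,10 @@ local_data_answer(struct local_zone* z, struct query_info* qinfo,
 if(!lr)
 return 0;
 if(z->type == local_zone_redirect) {
- /* convert rrset name to zone name; like a wildcard */
+ /* convert rrset name to query name; like a wildcard */
 struct ub_packed_rrset_key r = *lr->rrset;
- r.rk.dname = z->name;
- r.rk.dname_len = z->namelen;
+ r.rk.dname = qinfo->qname;
+ r.rk.dname_len = qinfo->qname_len;
 return local_encode(qinfo, edns, buf, temp, &r, 1,
 LDNS_RCODE_NOERROR);
 }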
diff --git a/testdata/localdata.rpl b/testdata/localdata.rpl
|
|
||||||
index 5bb259e..08aec6d 100644
|
|
||||||
--- a/testdata/localdata.rpl
|
|
||||||
+++ b/testdata/localdata.rpl
|
|
||||||
@@ -30,6 +30,10 @@ server:
|
|
||||||
; refuse zone (error)
|
|
||||||
local-zone: "refuse.top." refuse
|
|
||||||
|
|
||||||
+ ; redirect zone
|
|
||||||
+ local-zone: "redirect.top." redirect
|
|
||||||
+ local-data: "redirect.top. A 20.30.40.54"
|
|
||||||
+
|
|
||||||
; create implicit data in the IN domain as well
|
|
||||||
local-data: "a.a.implicit. A 20.30.41.50"
|
|
||||||
local-data: "b.a.implicit. A 20.30.42.50"
|
|
||||||
@@ -318,4 +322,36 @@ www.deny.top. IN A
|
|
||||||
ENTRY_END
|
|
||||||
; no answer is checked at exit of testbound.
|
|
||||||
|
|
||||||
+; redirect zone apex
|
|
||||||
+STEP 50 QUERY
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+SECTION QUESTION
|
|
||||||
+redirect.top. IN A
|
|
||||||
+ENTRY_END
|
|
||||||
+STEP 51 CHECK_ANSWER
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH all
|
|
||||||
+REPLY QR RA AA NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+redirect.top. IN A
|
|
||||||
+SECTION ANSWER
|
|
||||||
+redirect.top. IN A 20.30.40.54
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+; redirect zone
|
|
||||||
+STEP 52 QUERY
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+SECTION QUESTION
|
|
||||||
+www.redirect.top. IN A
|
|
||||||
+ENTRY_END
|
|
||||||
+STEP 53 CHECK_ANSWER
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH all
|
|
||||||
+REPLY QR RA AA NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+www.redirect.top. IN A
|
|
||||||
+SECTION ANSWER
|
|
||||||
+www.redirect.top. IN A 20.30.40.54
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
SCENARIO_END
|
|
@ -1,88 +0,0 @@
|
|||||||
commit 7f27d6c9992fec6847ae914f38db6a3d1b28e81a
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Thu Apr 29 14:12:54 2010 +0000
|
|
||||||
|
|
||||||
- infra cache entries that are expired are wiped clean. Previously
|
|
||||||
it was possible to not expire host data (if accessed often).
|
|
||||||
|
|
||||||
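--- a/services/cache/infra.c
+++ b/services/cache/infra.c
@@ -187,6 +187,19 @@ infra_lookup_host(struct infra_cache* infra,
 return data;
 }
 
+/** init the host elements (not lame elems) */
+static void
+host_entry_init(struct infra_cache* infra, struct lruhash_entry* e,
+ uint32_t timenow)
+{
+ struct infra_host_data* data = (struct infra_host_data*)e->data;
+ data->ttl = timenow + infra->host_ttl;
+ rtt_init(&data->rtt);
+ data->edns_version = 0;
+ data->edns_lame_known = 0;
+ data->num_timeouts = 0;
+}
+
 /**
 * Create and init a new entry for a host
 * @param infra: infra structure with config parameters.
@@ -216,12 +229,8 @@ new_host_entry(struct infra_cache* infra, struct sockaddr_storage* addr,
 key->entry.data = (void*)data;
 key->addrlen = addrlen;
 memcpy(&key->addr, addr, addrlen);
- data->ttl = tm + infra->host_ttl;
 data->lameness = NULL;
- data->edns_version = 0;
- data->edns_lame_known = 0;
- data->num_timeouts = 0;
- rtt_init(&data->rtt);
+ host_entry_init(infra, &key->entry, tm);
 return &key->entry;
 }
 
@@ -240,12 +249,8 @@ infra_host(struct infra_cache* infra, struct sockaddr_storage* addr,
 if(e) {
 /* if its still there we have a writelock, init */
 /* re-initialise */
- data = (struct infra_host_data*)e->data;
- data->ttl = timenow + infra->host_ttl;
- rtt_init(&data->rtt);
 /* do not touch lameness, it may be valid still */
- data->edns_version = 0;
- data->edns_lame_known = 0;
+ host_entry_init(infra, e, timenow);
 }
 }
 if(!e) {
@@ -469,10 +474,11 @@ infra_rtt_update(struct infra_cache* infra,
 if(!(e = new_host_entry(infra, addr, addrlen, timenow)))
 return 0;
 needtoinsert = 1;
- }
- /* have an entry, update the rtt, and the ttl */
+ } else if(((struct infra_host_data*)e->data)->ttl < timenow) {
+ host_entry_init(infra, e, timenow);
+ }
+ /* have an entry, update the rtt */
 data = (struct infra_host_data*)e->data;
- data->ttl = timenow + infra->host_ttl;
 if(roundtrip == -1) {
 rtt_lost(&data->rtt, orig_rtt);
 if(data->num_timeouts<255)
@@ -503,10 +509,11 @@ infra_edns_update(struct infra_cache* infra,
 if(!(e = new_host_entry(infra, addr, addrlen, timenow)))
 return 0;
 needtoinsert = 1;
- }
+ } else if(((struct infra_host_data*)e->data)->ttl < timenow) {
+ host_entry_init(infra, e, timenow);
+ }
 /* have an entry, update the rtt, and the ttl */
 data = (struct infra_host_data*)e->data;
- data->ttl = timenow + infra->host_ttl;
 data->edns_version = edns_version;
 data->edns_lame_known = 1;
 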
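Review bot: The comment `/* have an entry, update the rtt, and the ttl */` kept in the infra_edns_update hunk is now stale: the `data->ttl = ...` line beneath it was removed and the function touches only the edns fields, while the parallel comment in infra_rtt_update was corrected to `/* have an entry, update the rtt */`; this one should read `/* have an entry, update the edns info */`. The doc on host_entry_init says it leaves the lame elems alone, which means the expired-entry re-init added to infra_rtt_update and infra_edns_update keeps `data->lameness` alive past the host ttl; if that is deliberate, as the `/* do not touch lameness, it may be valid still */` line in infra_host suggests, say so in host_entry_init's doc, because the commit message describes expired entries as wiped clean and a reader will otherwise look for the missing reset.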
@ -1,62 +0,0 @@
|
|||||||
commit a6f07ba49319bbb62772a99cc3267fe8409a39d4
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Fri Apr 23 06:48:49 2010 +0000
|
|
||||||
|
|
||||||
- Squelch log message: sendto failed permission denied for
|
|
||||||
255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
|
|
||||||
|
|
||||||
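--- a/util/net_help.c
+++ b/util/net_help.c
@@ -494,6 +494,14 @@ addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
 return (memcmp(s, map_prefix, 12) == 0);
 }
 
+int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen)
+{
+ int af = (int)((struct sockaddr_in*)addr)->sin_family;
+ void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
+ return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
+ && memcmp(sinaddr, "\377\377\377\377", 4) == 0;
+}
+
 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
 socklen_t len, struct regional* region)
 {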
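Review bot: addr_is_broadcast reads `sin_family` and takes the address of `sin_addr` through a `sockaddr_in` cast before it has verified `addrlen >= sizeof(struct sockaddr_in)`; taking the address is harmless here because the argument is a full `sockaddr_storage`, but the ordering invites a later edit that dereferences first, so checking the length and family before touching the address fields is the safer shape. The byte-string compare against `"\377\377\377\377"` can also be expressed with the named constant so the intent is in the code rather than only in the header's doc comment: `return af == AF_INET && addrlen >= (socklen_t)sizeof(struct sockaddr_in) && ((struct sockaddr_in*)addr)->sin_addr.s_addr == htonl(INADDR_BROADCAST);`. Same test, same result, one fewer magic string.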
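--- a/util/net_help.h
+++ b/util/net_help.h
@@ -280,6 +280,14 @@ void addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
 int addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen);
 
 /**
+ * See if sockaddr is 255.255.255.255.
+ * @param addr: address
+ * @param addrlen: length of address
+ * @return true if so
+ */
+int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen);
+
+/**
 * Insert new socket list item. If fails logs error.
 * @param list: pointer to pointer to first item.
 * @param addr: address or NULL if 'cache'.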
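--- a/util/netevent.c
+++ b/util/netevent.c
@@ -301,6 +301,12 @@ comm_point_send_udp_msg(struct comm_point *c, ldns_buffer* packet,
 (struct sockaddr_storage*)addr, addrlen) &&
 verbosity < VERB_DETAIL)
 return 0;
+ /* SO_BROADCAST sockopt can give access to 255.255.255.255,
+ * but a dns cache does not need it. */
+ if(errno == EACCES && addr_is_broadcast(
+ (struct sockaddr_storage*)addr, addrlen) &&
+ verbosity < VERB_DETAIL)
+ return 0;
 #ifndef USE_WINSOCK
 verbose(VERB_OPS, "sendto failed: %s", strerror(errno));
 #else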
@ -1,61 +0,0 @@
|
|||||||
commit c2baa73db1a2a0b0c0c8bba3d203a28ca86c5f31
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Tue May 4 10:50:27 2010 +0000
|
|
||||||
|
|
||||||
- Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
|
|
||||||
reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
|
|
||||||
113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
|
|
||||||
|
|
||||||
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
|
|
||||||
index 16a607c..40b4bad 100644
|
|
||||||
--- a/doc/unbound.conf.5.in
|
|
||||||
+++ b/doc/unbound.conf.5.in
|
|
||||||
@@ -778,7 +778,8 @@ records are provided.
|
|
||||||
.TP 10
|
|
||||||
\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
|
|
||||||
Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
|
|
||||||
-2.0.192.in\-addr.arpa, 255.255.255.255.in\-addr.arpa.
|
|
||||||
+2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
|
|
||||||
+113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
|
|
||||||
.TP 10
|
|
||||||
\h'5'\fIreverse RFC4291 IP6 unspecified\fR
|
|
||||||
Reverse data for zone
|
|
||||||
@@ -793,12 +794,17 @@ Reverse data for zone D.F.ip6.arpa.
|
|
||||||
\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR
|
|
||||||
Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
|
|
||||||
.TP 10
|
|
||||||
+\h'5'\fIreverse RFC4843 Orchid Prefix\fR
|
|
||||||
+Reverse data for zone 0.1.1.0.0.2.ip6.arpa.
|
|
||||||
+.TP 10
|
|
||||||
\h'5'\fIreverse IPv6 Example Prefix\fR
|
|
||||||
Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
|
|
||||||
tutorials and examples. You can remove the block on this zone with:
|
|
||||||
.nf
|
|
||||||
local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
|
|
||||||
.fi
|
|
||||||
+You can also selectively unblock a part of the zone by making that part
|
|
||||||
+transparent with a local\-zone statement.
|
|
||||||
This also works with the other default zones.
|
|
||||||
.\" End of local-zone listing.
|
|
||||||
.TP 5
|
|
||||||
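--- a/services/localzone.c
+++ b/services/localzone.c
@@ -689,6 +689,8 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg,
 !add_as112_default(zones, cfg, buf, "0.in-addr.arpa.") ||
 !add_as112_default(zones, cfg, buf, "254.169.in-addr.arpa.") ||
 !add_as112_default(zones, cfg, buf, "2.0.192.in-addr.arpa.") ||
+ !add_as112_default(zones, cfg, buf, "100.51.198.in-addr.arpa.") ||
+ !add_as112_default(zones, cfg, buf, "113.0.203.in-addr.arpa.") ||
 !add_as112_default(zones, cfg, buf, "255.255.255.255.in-addr.arpa.") ||
 !add_as112_default(zones, cfg, buf, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.") ||
 !add_as112_default(zones, cfg, buf, "d.f.ip6.arpa.") ||
@@ -696,6 +698,7 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg,
 !add_as112_default(zones, cfg, buf, "9.e.f.ip6.arpa.") ||
 !add_as112_default(zones, cfg, buf, "a.e.f.ip6.arpa.") ||
 !add_as112_default(zones, cfg, buf, "b.e.f.ip6.arpa.") ||
+ !add_as112_default(zones, cfg, buf, "0.1.1.0.0.2.ip6.arpa.") ||
 !add_as112_default(zones, cfg, buf, "8.b.d.0.1.0.0.2.ip6.arpa.")) {
 log_err("out of memory adding default zone");
 return 0;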
@ -1,123 +0,0 @@
|
|||||||
commit d7ef7b31e0dbb0a73b201649c3729508b270f43f
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Mon Apr 26 14:59:44 2010 +0000
|
|
||||||
|
|
||||||
Fix bug#307: 0x20 fallback outstanding query count, together with rec_lame,
|
|
||||||
and canonical rrset comparison.
|
|
||||||
|
|
||||||
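--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -674,7 +674,7 @@ rrset_equal(struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2)
 }
 
 int
-reply_equal(struct reply_info* p, struct reply_info* q)
+reply_equal(struct reply_info* p, struct reply_info* q, ldns_buffer* scratch)
 {
 size_t i;
 if(p->flags != q->flags ||
@@ -688,8 +688,29 @@ reply_equal(struct reply_info* p, struct reply_info* q)
 p->rrset_count != q->rrset_count)
 return 0;
 for(i=0; i<p->rrset_count; i++) {
- if(!rrset_equal(p->rrsets[i], q->rrsets[i]))
- return 0;
+ if(!rrset_equal(p->rrsets[i], q->rrsets[i])) {
+ /* fallback procedure: try to sort and canonicalize */
+ ldns_rr_list* pl, *ql;
+ pl = packed_rrset_to_rr_list(p->rrsets[i], scratch);
+ ql = packed_rrset_to_rr_list(q->rrsets[i], scratch);
+ if(!pl || !ql) {
+ ldns_rr_list_deep_free(pl);
+ ldns_rr_list_deep_free(ql);
+ return 0;
+ }
+ ldns_rr_list2canonical(pl);
+ ldns_rr_list2canonical(ql);
+ ldns_rr_list_sort(pl);
+ ldns_rr_list_sort(ql);
+ if(ldns_rr_list_compare(pl, ql) != 0) {
+ ldns_rr_list_deep_free(pl);
+ ldns_rr_list_deep_free(ql);
+ return 0;
+ }
+ ldns_rr_list_deep_free(pl);
+ ldns_rr_list_deep_free(ql);
+ continue;
+ }
 }
 return 1;
 }
@@ -792,3 +813,18 @@ iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z)
 i++;
 }
 }
+
+void iter_dec_attempts(struct delegpt* dp, int d)
+{
+ struct delegpt_addr* a;
+ for(a=dp->target_list; a; a = a->next_target) {
+ if(a->attempts >= OUTBOUND_MSG_RETRY) {
+ /* add back to result list */
+ a->next_result = dp->result_list;
+ dp->result_list = a;
+ }
+ if(a->attempts > d)
+ a->attempts -= d;
+ else a->attempts = 0;
+ }
+}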
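Review bot: iter_dec_attempts pushes every address with `attempts >= OUTBOUND_MSG_RETRY` onto `dp->result_list` without checking whether it is already linked there; if an address can sit on the result list while its attempt count is at the retry limit, the push makes `next_result` point into the existing chain and the next walk over the result list never terminates. The precondition should be stated where it is relied on, e.g. `/* assumes addrs at the retry limit were already unlinked from result_list; pushing one twice creates a cycle */`, or better enforced by skipping addresses already on the list. In reply_equal the three identical `ldns_rr_list_deep_free(pl); ldns_rr_list_deep_free(ql);` pairs could be folded into one exit path by computing `int same = ldns_rr_list_compare(pl, ql) == 0;` before a single free, which also stops the `!pl || !ql` branch from handing a NULL list to deep_free.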
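--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@@ -211,9 +211,10 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp,
 * @param p: reply one. The reply has rrset data pointers in region.
 * Does not check rrset-IDs
 * @param q: reply two
+ * @param buf: scratch buffer.
 * @return if one and two are equal.
 */
-int reply_equal(struct reply_info* p, struct reply_info* q);
+int reply_equal(struct reply_info* p, struct reply_info* q, ldns_buffer* buf);
 
 /**
 * Store in-zone glue in seperate rrset cache entries for later last-resort
@@ -257,4 +258,11 @@ int iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
 void iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns,
 uint8_t* z);
 
+/**
+ * Remove query attempts from all available ips. For 0x20.
+ * @param dp: delegpt.
+ * @param d: decrease.
+ */
+void iter_dec_attempts(struct delegpt* dp, int d);
+
 #endif /* ITERATOR_ITER_UTILS_H */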
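--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1416,6 +1416,9 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 "match for %d wanted, done.",
 (int)iq->caps_server+1, (int)naddr*3);
 iq->caps_fallback = 0;
+ iter_dec_attempts(iq->dp, 3); /* space for fallback */
+ iq->num_current_queries++; /* RespState decrements it*/
+ iq->referral_count++; /* make sure we don't loop */
 iq->state = QUERY_RESP_STATE;
 return 1;
 }
@@ -2384,7 +2387,8 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 goto handle_it;
 } else {
 /* check if reply is the same, otherwise, fail */
- if(!reply_equal(iq->response->rep, iq->caps_reply)) {
+ if(!reply_equal(iq->response->rep, iq->caps_reply,
+ qstate->env->scratch_buffer)) {
 verbose(VERB_DETAIL, "Capsforid fallback: "
 "getting different replies, failed");
 outbound_list_remove(&iq->outlist, outbound);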
@ -1,11 +0,0 @@
|
|||||||
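--- unbound-1.4.9/daemon/worker.c 2010-11-04 08:35:39.000000000 -0400
+++ unbound-1.4.9-CVE-2011-1922/daemon/worker.c 2011-05-25 15:14:04.888288236 -0400
@@ -777,6 +777,7 @@
 qinfo.qtype == LDNS_RR_TYPE_IXFR) {
 verbose(VERB_ALGO, "worker request: refused zone transfer.");
 log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+ ldns_buffer_rewind(c->buffer);
 LDNS_QR_SET(ldns_buffer_begin(c->buffer));
 LDNS_RCODE_SET(ldns_buffer_begin(c->buffer),
 LDNS_RCODE_REFUSED);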
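Review bot: The added `ldns_buffer_rewind(c->buffer);` carries no comment, and since this hunk is the backport of the CVE-2011-1922 fix the reason belongs in the code: the REFUSED reply is built in place in the request buffer (the following lines write the header bits at `ldns_buffer_begin(c->buffer)`), so the buffer position must be back at the packet start before the reply is assembled and sent. Suggest `/* CVE-2011-1922: reset the buffer position before building the REFUSED reply in place */`. The enclosing function continues outside the hunk, so whether the buffer limit is also adjusted before the reply is written out is not visible here and should be confirmed in the same pass.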
@ -1,105 +0,0 @@
|
|||||||
commit b1a2731277dd0939572901bf018afa7a0debdb54
|
|
||||||
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
|
|
||||||
Date: Thu Feb 5 11:12:01 2009 +0000
|
|
||||||
|
|
||||||
call initgroups.
|
|
||||||
|
|
||||||
|
|
||||||
git-svn-id: http://unbound.nlnetlabs.nl/svn/trunk@1453 be551aaa-1e26-0410-a405-d3ace91eadb9
|
|
||||||
|
|
||||||
diff --git a/config.h.in b/config.h.in
|
|
||||||
index 956224d..aa7ce2d 100644
|
|
||||||
--- a/config.h.in
|
|
||||||
+++ b/config.h.in
|
|
||||||
@@ -85,6 +85,9 @@
|
|
||||||
/* Define to 1 if you have the `gmtime_r' function. */
|
|
||||||
#undef HAVE_GMTIME_R
|
|
||||||
|
|
||||||
+/* Define to 1 if you have the <grp.h> header file. */
|
|
||||||
+#undef HAVE_GRP_H
|
|
||||||
+
|
|
||||||
/* If you have HMAC_CTX_init */
|
|
||||||
#undef HAVE_HMAC_CTX_INIT
|
|
||||||
|
|
||||||
@@ -97,6 +100,9 @@
|
|
||||||
/* Define to 1 if you have the `inet_pton' function. */
|
|
||||||
#undef HAVE_INET_PTON
|
|
||||||
|
|
||||||
+/* Define to 1 if you have the `initgroups' function. */
|
|
||||||
+#undef HAVE_INITGROUPS
|
|
||||||
+
|
|
||||||
/* Define to 1 if you have the <inttypes.h> header file. */
|
|
||||||
#undef HAVE_INTTYPES_H
|
|
||||||
|
|
||||||
diff --git a/configure b/configure
|
|
||||||
index a823b0b..0b1f96a 100755
|
|
||||||
--- a/configure
|
|
||||||
+++ b/configure
|
|
||||||
@@ -19961,7 +19961,8 @@ fi
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
-for ac_header in stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h
|
|
||||||
+
|
|
||||||
+for ac_header in stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h
|
|
||||||
do
|
|
||||||
as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
|
|
||||||
{ echo "$as_me:$LINENO: checking for $ac_header" >&5
|
|
||||||
@@ -25282,7 +25283,8 @@ fi
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
-for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob
|
|
||||||
+
|
|
||||||
+for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob initgroups
|
|
||||||
do
|
|
||||||
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
|
||||||
{ echo "$as_me:$LINENO: checking for $ac_func" >&5
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index bd000bc..48a4385 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -480,7 +480,7 @@ AC_PROG_LIBTOOL
|
|
||||||
|
|
||||||
# Checks for header files.
|
|
||||||
AC_HEADER_STDC
|
|
||||||
-AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h],,, [AC_INCLUDES_DEFAULT])
|
|
||||||
+AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h],,, [AC_INCLUDES_DEFAULT])
|
|
||||||
|
|
||||||
# check for types
|
|
||||||
AC_CHECK_TYPE(int8_t, char)
|
|
||||||
@@ -854,7 +854,7 @@ AC_CHECK_GETADDRINFO_WITH_INCLUDES
|
|
||||||
if test $ac_cv_func_getaddrinfo = no; then
|
|
||||||
AC_LIBOBJ([fake-rfc2553])
|
|
||||||
fi
|
|
||||||
-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob])
|
|
||||||
+AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob initgroups])
|
|
||||||
|
|
||||||
# check if setreuid en setregid fail, on MacOSX10.4(darwin8).
|
|
||||||
if echo $build_os | grep darwin8 > /dev/null; then
|
|
||||||
diff --git a/daemon/unbound.c b/daemon/unbound.c
|
|
||||||
index 09767a4..6c5fb6f 100644
|
|
||||||
--- a/daemon/unbound.c
|
|
||||||
+++ b/daemon/unbound.c
|
|
||||||
@@ -56,6 +56,9 @@
|
|
||||||
#ifdef HAVE_PWD_H
|
|
||||||
#include <pwd.h>
|
|
||||||
#endif
|
|
||||||
+#ifdef HAVE_GRP_H
|
|
||||||
+#include <grp.h>
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
#ifdef HAVE_SYS_RESOURCE_H
|
|
||||||
#include <sys/resource.h>
|
|
||||||
@@ -451,6 +454,11 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
|
|
||||||
/* drop permissions after chroot, getpwnam, pidfile, syslog done*/
|
|
||||||
#ifdef HAVE_GETPWNAM
|
|
||||||
if(cfg->username && cfg->username[0]) {
|
|
||||||
+#ifdef HAVE_INITGROUPS
|
|
||||||
+ if(initgroups(cfg->username, gid) != 0)
|
|
||||||
+ log_warn("unable to initgroups %s: %s",
|
|
||||||
+ cfg->username, strerror(errno));
|
|
||||||
+#endif
|
|
||||||
#ifdef HAVE_SETRESGID
|
|
||||||
if(setresgid(gid,gid,gid) != 0)
|
|
||||||
#elif defined(HAVE_SETREGID) && !defined(DARWIN_BROKEN_SETREUID)
|
|
@ -1,23 +0,0 @@
|
|||||||
Index: iterator/iterator.c
|
|
||||||
===================================================================
|
|
||||||
--- iterator/iterator.c (revision 1527)
|
|
||||||
+++ iterator/iterator.c (working copy)
|
|
||||||
@@ -1288,14 +1288,14 @@
|
|
||||||
/* if there is a policy to fetch missing targets
|
|
||||||
* opportunistically, do it. we rely on the fact that once a
|
|
||||||
* query (or queries) for a missing name have been issued,
|
|
||||||
- * they will not be show up again. */
|
|
||||||
+ * they will not show up again. */
|
|
||||||
} else if(tf_policy != 0) {
|
|
||||||
int extra = 0;
|
|
||||||
verbose(VERB_ALGO, "attempt to get extra %d targets",
|
|
||||||
tf_policy);
|
|
||||||
- if(!query_for_targets(qstate, iq, ie, id, tf_policy, &extra)) {
|
|
||||||
- return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
|
||||||
- }
|
|
||||||
+ (void)query_for_targets(qstate, iq, ie, id, tf_policy, &extra);
|
|
||||||
+ /* errors ignored, these targets are not strictly necessary for
|
|
||||||
+ * this result, we do not have to reply with SERVFAIL */
|
|
||||||
iq->num_target_queries += extra;
|
|
||||||
}
|
|
||||||
|
|
@ -1,348 +0,0 @@
|
|||||||
Index: iterator/iter_delegpt.c
|
|
||||||
===================================================================
|
|
||||||
--- iterator/iter_delegpt.c (revision 1952)
|
|
||||||
+++ iterator/iter_delegpt.c (revision 1953)
|
|
||||||
@@ -154,11 +154,13 @@
|
|
||||||
/* ignore it */
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
- if(addr_is_ip6(addr, addrlen))
|
|
||||||
- ns->got6 = 1;
|
|
||||||
- else ns->got4 = 1;
|
|
||||||
- if(ns->got4 && ns->got6)
|
|
||||||
- ns->resolved = 1;
|
|
||||||
+ if(!lame) {
|
|
||||||
+ if(addr_is_ip6(addr, addrlen))
|
|
||||||
+ ns->got6 = 1;
|
|
||||||
+ else ns->got4 = 1;
|
|
||||||
+ if(ns->got4 && ns->got6)
|
|
||||||
+ ns->resolved = 1;
|
|
||||||
+ }
|
|
||||||
return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, nodup);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -254,10 +256,11 @@
|
|
||||||
(dp->bogus?" BOGUS":"") );
|
|
||||||
}
|
|
||||||
for(a = dp->target_list; a; a = a->next_target) {
|
|
||||||
- if(a->bogus)
|
|
||||||
- log_addr(VERB_ALGO, " BOGUS ",
|
|
||||||
- &a->addr, a->addrlen);
|
|
||||||
- else log_addr(VERB_ALGO, " ", &a->addr, a->addrlen);
|
|
||||||
+ const char* str = " ";
|
|
||||||
+ if(a->bogus && a->lame) str = " BOGUS ADDR_LAME ";
|
|
||||||
+ else if(a->bogus) str = " BOGUS ";
|
|
||||||
+ else if(a->lame) str = " ADDR_LAME ";
|
|
||||||
+ log_addr(VERB_ALGO, str, &a->addr, a->addrlen);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -448,3 +451,13 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+void delegpt_no_ipv6(struct delegpt* dp)
|
|
||||||
+{
|
|
||||||
+ struct delegpt_ns* ns;
|
|
||||||
+ for(ns = dp->nslist; ns; ns = ns->next) {
|
|
||||||
+ /* no ipv6, so only ipv4 is enough to resolve a nameserver */
|
|
||||||
+ if(ns->got4)
|
|
||||||
+ ns->resolved = 1;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
Index: iterator/iter_delegpt.h
|
|
||||||
===================================================================
|
|
||||||
--- iterator/iter_delegpt.h (revision 1952)
|
|
||||||
+++ iterator/iter_delegpt.h (revision 1953)
|
|
||||||
@@ -314,4 +314,11 @@
|
|
||||||
*/
|
|
||||||
void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg);
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * Register the fact that there is no ipv6 and thus AAAAs are not going
|
|
||||||
+ * to be queried for or be useful.
|
|
||||||
+ * @param dp: the delegation point. Updated to reflect no ipv6.
|
|
||||||
+ */
|
|
||||||
+void delegpt_no_ipv6(struct delegpt* dp);
|
|
||||||
+
|
|
||||||
#endif /* ITERATOR_ITER_DELEGPT_H */
|
|
||||||
Index: iterator/iterator.c
|
|
||||||
===================================================================
|
|
||||||
--- iterator/iterator.c (revision 1952)
|
|
||||||
+++ iterator/iterator.c (revision 1953)
|
|
||||||
@@ -1305,6 +1305,8 @@
|
|
||||||
verbose(VERB_QUERY, "Failed to get a delegation, giving up");
|
|
||||||
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
|
||||||
}
|
|
||||||
+ if(!ie->supports_ipv6)
|
|
||||||
+ delegpt_no_ipv6(iq->dp);
|
|
||||||
delegpt_log(VERB_ALGO, iq->dp);
|
|
||||||
|
|
||||||
if(iq->num_current_queries>0) {
|
|
||||||
Index: doc/Changelog
|
|
||||||
===================================================================
|
|
||||||
--- doc/Changelog (revision 1952)
|
|
||||||
+++ doc/Changelog (revision 1953)
|
|
||||||
@@ -1,3 +1,11 @@
|
|
||||||
+8 January 2010: Wouter
|
|
||||||
+ - Fix for parent-child disagreement code which could have trouble
|
|
||||||
+ when (a) ipv6 was disabled and (b) the TTL for parent and child
|
|
||||||
+ were different. There were two bugs, the parent-side information
|
|
||||||
+ is fixed to no longer block lookup of child side information and
|
|
||||||
+ the iterator is fixed to no longer attempt to get ipv6 when it is
|
|
||||||
+ not enabled and then give up in failure.
|
|
||||||
+
|
|
||||||
7 January 2010: Wouter
|
|
||||||
- Fixup python documentation (thanks Leo Vandewoestijne).
|
|
||||||
- Work on cache prefetch feature.
|
|
||||||
Index: testdata/iter_pcttl.rpl
|
|
||||||
===================================================================
|
|
||||||
--- testdata/iter_pcttl.rpl (revision 0)
|
|
||||||
+++ testdata/iter_pcttl.rpl (revision 1953)
|
|
||||||
@@ -0,0 +1,245 @@
|
|
||||||
+; config options
|
|
||||||
+server:
|
|
||||||
+ target-fetch-policy: "0 0 0 0 0"
|
|
||||||
+ do-ip6: no
|
|
||||||
+
|
|
||||||
+stub-zone:
|
|
||||||
+ name: "."
|
|
||||||
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
|
||||||
+CONFIG_END
|
|
||||||
+
|
|
||||||
+SCENARIO_BEGIN Test cache ttls where parent child differ in ttl
|
|
||||||
+; and the lameness for parent suddenly becomes the only information point.
|
|
||||||
+
|
|
||||||
+; K.ROOT-SERVERS.NET.
|
|
||||||
+RANGE_BEGIN 0 100
|
|
||||||
+ ADDRESS 193.0.14.129
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+. IN NS
|
|
||||||
+SECTION ANSWER
|
|
||||||
+. IN NS K.ROOT-SERVERS.NET.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode subdomain
|
|
||||||
+ADJUST copy_id copy_query
|
|
||||||
+REPLY QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+com. IN NS
|
|
||||||
+SECTION AUTHORITY
|
|
||||||
+com. IN NS a.gtld-servers.net.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode subdomain
|
|
||||||
+ADJUST copy_id copy_query
|
|
||||||
+REPLY QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+net. IN NS
|
|
||||||
+SECTION AUTHORITY
|
|
||||||
+net. IN NS e.gtld-servers.net.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+e.gtld-servers.net. IN A 192.12.94.30
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+RANGE_END
|
|
||||||
+
|
|
||||||
+; a.gtld-servers.net.
|
|
||||||
+RANGE_BEGIN 0 100
|
|
||||||
+ ADDRESS 192.5.6.30
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+com. IN NS
|
|
||||||
+SECTION ANSWER
|
|
||||||
+com. IN NS a.gtld-servers.net.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+a.gtld-servers.net. IN A 192.5.6.30
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode subdomain
|
|
||||||
+ADJUST copy_id copy_query
|
|
||||||
+REPLY QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+example.com. IN NS
|
|
||||||
+SECTION AUTHORITY
|
|
||||||
+example.com. IN NS ns.foo.com.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+;ns.foo.com. 200 IN A 1.2.3.44
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode subdomain
|
|
||||||
+ADJUST copy_id copy_query
|
|
||||||
+REPLY QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+foo.com. IN NS
|
|
||||||
+SECTION AUTHORITY
|
|
||||||
+foo.com. 200 IN NS ns.foo.com.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+ns.foo.com. 200 IN A 1.2.3.44
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+RANGE_END
|
|
||||||
+
|
|
||||||
+; e.gtld-servers.net.
|
|
||||||
+RANGE_BEGIN 0 100
|
|
||||||
+ ADDRESS 192.12.94.30
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+net. IN NS
|
|
||||||
+SECTION ANSWER
|
|
||||||
+net. IN NS e.gtld-servers.net.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+e.gtld-servers.net. IN A 192.12.94.30
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+RANGE_END
|
|
||||||
+
|
|
||||||
+; ns.foo.com.
|
|
||||||
+; The parent-IP version
|
|
||||||
+RANGE_BEGIN 0 100
|
|
||||||
+ ADDRESS 1.2.3.44
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY AA QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+foo.com. IN NS
|
|
||||||
+SECTION ANSWER
|
|
||||||
+foo.com. 200 IN NS ns.foo.com.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+ns.foo.com. 100 IN A 1.2.3.44
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY AA QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+ns.foo.com. IN A
|
|
||||||
+SECTION ANSWER
|
|
||||||
+ns.foo.com. 100 IN A 1.2.3.44
|
|
||||||
+SECTION AUTHORITY
|
|
||||||
+foo.com. 200 IN NS ns.foo.com.
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY AA QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+ns.foo.com. IN AAAA
|
|
||||||
+SECTION AUTHORITY
|
|
||||||
+foo.com. 100 IN SOA . . 1 2 3 4 5
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY AA QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+example.com. IN NS
|
|
||||||
+SECTION ANSWER
|
|
||||||
+example.com. 200 IN NS ns.foo.com.
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode qtype qname
|
|
||||||
+ADJUST copy_id
|
|
||||||
+REPLY AA QR NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+www.example.com. IN A
|
|
||||||
+SECTION ANSWER
|
|
||||||
+www.example.com. 100 IN A 10.20.30.40
|
|
||||||
+SECTION AUTHORITY
|
|
||||||
+example.com. 200 IN NS ns.foo.com.
|
|
||||||
+SECTION ADDITIONAL
|
|
||||||
+ns.foo.com 100 IN A 1.2.3.44
|
|
||||||
+ENTRY_END
|
|
||||||
+RANGE_END
|
|
||||||
+
|
|
||||||
+; NOT USED. The parent side equals child side but not in the cache.
|
|
||||||
+; and they have different TTLs only.
|
|
||||||
+; ns.foo.com
|
|
||||||
+; The child IP version. Does not respond to anything (servfail instead
|
|
||||||
+; of timeouts since this is easier to encode in .rpl file format).
|
|
||||||
+RANGE_BEGIN 0 100
|
|
||||||
+ ADDRESS 1.2.3.55
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH opcode
|
|
||||||
+ADJUST copy_id copy_query
|
|
||||||
+REPLY QR SERVFAIL
|
|
||||||
+SECTION QUESTION
|
|
||||||
+foo.com. IN NS
|
|
||||||
+SECTION ANSWER
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+RANGE_END
|
|
||||||
+
|
|
||||||
+STEP 1 QUERY
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+REPLY RD
|
|
||||||
+SECTION QUESTION
|
|
||||||
+www.example.com. IN A
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+; recursion happens here.
|
|
||||||
+STEP 20 CHECK_ANSWER
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH all
|
|
||||||
+REPLY QR RD RA NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+www.example.com. IN A
|
|
||||||
+SECTION ANSWER
|
|
||||||
+www.example.com. 100 IN A 10.20.30.40
|
|
||||||
+SECTION AUTHORITY
|
|
||||||
+example.com. 100 IN NS ns.foo.com.
|
|
||||||
+; scrubbed off
|
|
||||||
+;SECTION ADDITIONAL
|
|
||||||
+;ns.foo.com IN A 1.2.3.44
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+; Now we wait 101 seconds, and the child data is gone,
|
|
||||||
+; but the parent-side was cached for 200 and it still there.
|
|
||||||
+
|
|
||||||
+STEP 30 TIME_PASSES ELAPSE 101
|
|
||||||
+
|
|
||||||
+STEP 40 QUERY
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+REPLY RD
|
|
||||||
+SECTION QUESTION
|
|
||||||
+www.example.com. IN A
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+; recursion happens here.
|
|
||||||
+STEP 50 CHECK_ANSWER
|
|
||||||
+ENTRY_BEGIN
|
|
||||||
+MATCH all
|
|
||||||
+REPLY QR RD RA NOERROR
|
|
||||||
+SECTION QUESTION
|
|
||||||
+www.example.com. IN A
|
|
||||||
+SECTION ANSWER
|
|
||||||
+www.example.com. 100 IN A 10.20.30.40
|
|
||||||
+SECTION AUTHORITY
|
|
||||||
+example.com. 100 IN NS ns.foo.com.
|
|
||||||
+; scrubbed off
|
|
||||||
+;SECTION ADDITIONAL
|
|
||||||
+;ns.foo.com IN A 1.2.3.44
|
|
||||||
+ENTRY_END
|
|
||||||
+
|
|
||||||
+SCENARIO_END
|
|
@ -1,66 +0,0 @@
|
|||||||
Index: validator/validator.c
|
|
||||||
===================================================================
|
|
||||||
--- validator/validator.c (revision 1656)
|
|
||||||
+++ validator/validator.c (revision 1657)
|
|
||||||
@@ -251,9 +251,8 @@
|
|
||||||
/**
|
|
||||||
* Check to see if a given response needs to go through the validation
|
|
||||||
* process. Typical reasons for this routine to return false are: CD bit was
|
|
||||||
- * on in the original request, the response was already validated, or the
|
|
||||||
- * response is a kind of message that is unvalidatable (i.e., SERVFAIL,
|
|
||||||
- * REFUSED, etc.)
|
|
||||||
+ * on in the original request, or the response is a kind of message that
|
|
||||||
+ * is unvalidatable (i.e., SERVFAIL, REFUSED, etc.)
|
|
||||||
*
|
|
||||||
* @param qstate: query state.
|
|
||||||
* @param ret_rc: rcode for this message (if noerror - examine ret_msg).
|
|
||||||
@@ -292,14 +291,25 @@
|
|
||||||
verbose(VERB_ALGO, "cannot validate RRSIG, no sigs on sigs.");
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * Check to see if the response has already been validated.
|
|
||||||
+ * @param ret_msg: return msg, can be NULL
|
|
||||||
+ * @return true if the response has already been validated
|
|
||||||
+ */
|
|
||||||
+static int
|
|
||||||
+already_validated(struct dns_msg* ret_msg)
|
|
||||||
+{
|
|
||||||
/* validate unchecked, and re-validate bogus messages */
|
|
||||||
if (ret_msg && ret_msg->rep->security > sec_status_bogus)
|
|
||||||
{
|
|
||||||
- verbose(VERB_ALGO, "response has already been validated");
|
|
||||||
- return 0;
|
|
||||||
+ verbose(VERB_ALGO, "response has already been validated: %s",
|
|
||||||
+ sec_status_to_string(ret_msg->rep->security));
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
- return 1;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -1937,6 +1947,10 @@
|
|
||||||
qstate->ext_state[id] = module_finished;
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
+ if(already_validated(qstate->return_msg)) {
|
|
||||||
+ qstate->ext_state[id] = module_finished;
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
/* create state to start validation */
|
|
||||||
qstate->ext_state[id] = module_error; /* override this */
|
|
||||||
if(!vq) {
|
|
||||||
@@ -2397,7 +2411,8 @@
|
|
||||||
}
|
|
||||||
if(msg->rep->security != sec_status_secure) {
|
|
||||||
vq->dlv_status = dlv_error;
|
|
||||||
- verbose(VERB_ALGO, "response is not secure");
|
|
||||||
+ verbose(VERB_ALGO, "response is not secure, %s",
|
|
||||||
+ sec_status_to_string(msg->rep->security));
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
/* was the lookup a success? validated DLV? */
|
|
@ -1,77 +0,0 @@
|
|||||||
Index: validator/validator.c
|
|
||||||
===================================================================
|
|
||||||
--- validator/validator.c (revision 1669)
|
|
||||||
+++ validator/validator.c (revision 1670)
|
|
||||||
@@ -479,6 +479,36 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
+ * Detect wrong truncated response, by a bad recursor out there.
|
|
||||||
+ * The positive response has a mangled authority section.
|
|
||||||
+ * Remove that authority section.
|
|
||||||
+ * @param rep: reply
|
|
||||||
+ * @return true if a wrongly truncated response.
|
|
||||||
+ */
|
|
||||||
+static int
|
|
||||||
+detect_wrongly_truncated(struct reply_info* rep)
|
|
||||||
+{
|
|
||||||
+ size_t i;
|
|
||||||
+ /* no additional, only NS in authority, and it is bogus */
|
|
||||||
+ if(rep->ar_numrrsets != 0 || rep->ns_numrrsets != 1 ||
|
|
||||||
+ rep->an_numrrsets == 0)
|
|
||||||
+ return 0;
|
|
||||||
+ if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS)
|
|
||||||
+ return 0;
|
|
||||||
+ if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ]
|
|
||||||
+ ->entry.data)->security != sec_status_bogus)
|
|
||||||
+ return 0;
|
|
||||||
+ /* answer section is present and secure */
|
|
||||||
+ for(i=0; i<rep->an_numrrsets; i++) {
|
|
||||||
+ if(((struct packed_rrset_data*)rep->rrsets[ i ]
|
|
||||||
+ ->entry.data)->security != sec_status_secure)
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
* Given a "positive" response -- a response that contains an answer to the
|
|
||||||
* question, and no CNAME chain, validate this response.
|
|
||||||
*
|
|
||||||
@@ -1449,17 +1479,31 @@
|
|
||||||
vq->chase_reply->security = sec_status_bogus;
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
+ subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
|
|
||||||
+ &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
|
|
||||||
|
|
||||||
/* check signatures in the message;
|
|
||||||
* answer and authority must be valid, additional is only checked. */
|
|
||||||
if(!validate_msg_signatures(qstate->env, ve, &vq->qchase,
|
|
||||||
vq->chase_reply, vq->key_entry)) {
|
|
||||||
- verbose(VERB_DETAIL, "Validate: message contains bad rrsets");
|
|
||||||
- return 1;
|
|
||||||
+ /* workaround bad recursor out there that truncates (even
|
|
||||||
+ * with EDNS4k) to 512 by removing RRSIG from auth section
|
|
||||||
+ * for positive replies*/
|
|
||||||
+ if(subtype == VAL_CLASS_POSITIVE &&
|
|
||||||
+ detect_wrongly_truncated(vq->orig_msg->rep)) {
|
|
||||||
+ /* truncate the message some more */
|
|
||||||
+ vq->orig_msg->rep->ns_numrrsets = 0;
|
|
||||||
+ vq->orig_msg->rep->rrset_count--;
|
|
||||||
+ vq->chase_reply->ns_numrrsets = 0;
|
|
||||||
+ vq->chase_reply->rrset_count--;
|
|
||||||
+ }
|
|
||||||
+ else {
|
|
||||||
+ verbose(VERB_DETAIL, "Validate: message contains "
|
|
||||||
+ "bad rrsets");
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
- subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
|
|
||||||
- &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
|
|
||||||
switch(subtype) {
|
|
||||||
case VAL_CLASS_POSITIVE:
|
|
||||||
verbose(VERB_ALGO, "Validating a positive response");
|
|
@ -1,33 +0,0 @@
|
|||||||
Index: validator/validator.c
|
|
||||||
===================================================================
|
|
||||||
--- validator/validator.c (revision 1677)
|
|
||||||
+++ validator/validator.c (working copy)
|
|
||||||
@@ -479,7 +479,7 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
- * Detect wrong truncated response, by a bad recursor out there.
|
|
||||||
+ * Detect wrong truncated response (from BIND 9.6.1 with minimal-responses).
|
|
||||||
* The positive response has a mangled authority section.
|
|
||||||
* Remove that authority section.
|
|
||||||
* @param rep: reply
|
|
||||||
Index: iterator/iterator.c
|
|
||||||
===================================================================
|
|
||||||
--- iterator/iterator.c (revision 1677)
|
|
||||||
+++ iterator/iterator.c (working copy)
|
|
||||||
@@ -1513,9 +1513,14 @@
|
|
||||||
/* we know that all other NS rrsets are scrubbed
|
|
||||||
* away, thus on referral only one is left.
|
|
||||||
* see if that equals the query name... */
|
|
||||||
- && reply_find_rrset_section_ns(iq->response->rep,
|
|
||||||
+ && ( /* auth section, but sometimes in answer section*/
|
|
||||||
+ reply_find_rrset_section_ns(iq->response->rep,
|
|
||||||
qstate->qinfo.qname, qstate->qinfo.qname_len,
|
|
||||||
LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
|
|
||||||
+ || reply_find_rrset_section_an(iq->response->rep,
|
|
||||||
+ qstate->qinfo.qname, qstate->qinfo.qname_len,
|
|
||||||
+ LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
|
|
||||||
+ )
|
|
||||||
)) {
|
|
||||||
/* Store the referral under the current query */
|
|
||||||
if(!iter_dns_store(qstate->env, &iq->response->qinfo,
|
|
3316
unbound-trunk.patch
3316
unbound-trunk.patch
14
unbound.spec
14
unbound.spec
@ -11,7 +11,7 @@
|
|||||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||||
Name: unbound
|
Name: unbound
|
||||||
Version: 1.4.20
|
Version: 1.4.20
|
||||||
Release: 16%{?dist}
|
Release: 18%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
Url: http://www.nlnetlabs.nl/unbound/
|
Url: http://www.nlnetlabs.nl/unbound/
|
||||||
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
|
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
|
||||||
@ -33,6 +33,7 @@ Source14: unbound.sysconfig
|
|||||||
Source15: unbound.cron
|
Source15: unbound.cron
|
||||||
Source16: unbound-munin.README
|
Source16: unbound-munin.README
|
||||||
Patch1: unbound-1.4.20-roundrobin.patch
|
Patch1: unbound-1.4.20-roundrobin.patch
|
||||||
|
Patch2: unbound-1.4.20-streamtcp-manpage.patch
|
||||||
|
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.13
|
BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.13
|
||||||
@ -107,6 +108,7 @@ Python modules and extensions for unbound
|
|||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
|
export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
|
||||||
@ -149,6 +151,8 @@ done
|
|||||||
|
|
||||||
# install streamtcp used for monitoring / debugging unbound's port 80/443 modes
|
# install streamtcp used for monitoring / debugging unbound's port 80/443 modes
|
||||||
install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
|
install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
|
||||||
|
# install streamtcp man page
|
||||||
|
install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
|
||||||
|
|
||||||
# Install tmpfiles.d config
|
# Install tmpfiles.d config
|
||||||
install -d -m 0755 %{buildroot}%{_sysconfdir}/tmpfiles.d/ %{buildroot}%{_sharedstatedir}/unbound
|
install -d -m 0755 %{buildroot}%{_sysconfdir}/tmpfiles.d/ %{buildroot}%{_sharedstatedir}/unbound
|
||||||
@ -277,9 +281,15 @@ exit 0
|
|||||||
/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
|
/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Aug 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-16
|
* Mon Aug 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-18
|
||||||
- Change unbound.conf to only use ephemeral ports (32768-65535)
|
- Change unbound.conf to only use ephemeral ports (32768-65535)
|
||||||
|
|
||||||
|
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.20-17
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jul 22 2013 Tomas Hozza <thozza@redhat.com> - 1.4.20-16
|
||||||
|
- provide man page for unbound-streamtcp
|
||||||
|
|
||||||
* Mon Jul 08 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-15
|
* Mon Jul 08 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-15
|
||||||
- Re-introduce hardening flags for full relro and pie
|
- Re-introduce hardening flags for full relro and pie
|
||||||
- Fixes compilation failure for python module
|
- Fixes compilation failure for python module
|
||||||
|
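Review bot: The new `install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1` line installs a man page, but this commit adds no matching `%files` entry, so unless `%files` already globs `%{_mandir}/man1/*` (not visible in this section) rpmbuild will stop with an unpackaged-file error; add `%{_mandir}/man1/unbound-streamtcp.1*` to `%files`. The same line also has a doubled path separator (`%{buildroot}/%{_mandir}`) where the `install` line just above writes `%{buildroot}%{_sbindir}`; harmless at runtime, but `%{buildroot}%{_mandir}/man1/unbound-streamtcp.1` matches the surrounding style. The `%files` section is outside this hunk.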