rpms/unbound
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Auto sync2gitlab import of unbound-1.7.3-17.el8.src.rpm

Browse Source
This commit is contained in:
James Antill 2022-05-26 15:44:00 -04:00
parent 5a0b771b68
commit c15d20bc9b
35 changed files with 6478 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
/unbound-1.7.3.tar.gz

1
EMPTY
View File

@ -1 +0,0 @@

10
block-example.com.conf Normal file
View File

@ -0,0 +1,10 @@
# entries in this file override toe global DNS
#
# Example blocking email going out to example.com
#
# local-data: "example.com. 3600 IN MX 5 127.0.0.1"
# local-data: "example.com. 3600 IN A 127.0.0.1"
# This can also be done dynamically using: unbound-control local-data [...]
# For more complicated redirection, use conf.d/ with stub-add: or forward-add:

17
example.com.conf Normal file
View File

@ -0,0 +1,17 @@
# Example of an override of the "public DNS tree" with an "internal view"
# override, for example to add an internal-only corporate DNS zone.
#
# The stub-zone/stub-addr must point to AUTHORITATIVE servers. If you want to
# point to an internal RECURSIVE server, use forward-zone/forward-addr instead.
#stub-zone:
# name: example.com
# stub-prime: no
# # if you could trust a lookup, use:
# stub-host: a.iana-servers.net.
# stub-host: b.iana-servers.net.
# # else specify the IP's using:
# stub-addr: 199.43.132.53
# stub-addr: 2001:500:8c::53
# stub-addr: 199.43.133.53
# stub-addr: 2001:500:8d::53

7
example.com.key Normal file
View File

@ -0,0 +1,7 @@
; // format is BIND trusted-keys format
; // Ensure to only put KSKs (usually 257) here, not ZSKs (usually 256)
; // trusted-keys {
; // "example.com." 257 3 8 "AwEAAawt7HplI5M8GGAsxuyCyjF0l+QlcgVN11CRZ4vP66qbDCX0BnShZ11BGb//4zSG/8mmBHirL2FLg+mVuIIxig+iroZYjh4iTKVOhv2hZftRwyrQHK++qXvCCWN3ki51RG/e8R4kOEV71rZ8OgQvPWx6F91qroqOPpcf7PPxippeHOn+PxnP0hpyLyo1mx1rPs/cMpL3jOMufGP+LJYh+fBU7lt0sP5i09HaJPruzyZML9BPtpv8ZAdQhwtXVG0+MnET2qT/1+TljpxZn6yeegFRCFRHBjMo6iiRJnUWra/klkrgEn2Q+BXGTOMTTKQdYz4OxYEa1z7apu3a09dYNBM="; // key id = 51605
; // "example.com." 257 3 8 "AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipojrW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzFsSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/HHU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZYc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vmcUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXUE7yyETrQd18="; // key id = 31589
; // };

237
icannbundle.pem Normal file
View File

@ -0,0 +1,237 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Dec 23 04:19:12 2009 GMT
Not After : Dec 18 04:19:12 2029 GMT
Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15:
bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0:
9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82:
27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd:
fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84:
22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14:
e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb:
d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e:
e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02:
1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c:
39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e:
ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6:
7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb:
31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74:
9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36:
09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3:
04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52:
85:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
Signature Algorithm: sha256WithRSAEncryption
0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b:
3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7:
c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26:
b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c:
7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d:
9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c:
90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c:
84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a:
98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81:
5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8:
c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf:
1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2:
90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16:
70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31:
e7:40:61:a4
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX
DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB
MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb
cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S
G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg
ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2
paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7
MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29
iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3
DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD
2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h
15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF
0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 11 (0xb)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Nov 8 23:39:47 2016 GMT
Not After : Nov 6 23:39:47 2026 GMT
Subject: O=ICANN, CN=ICANN EMAIL CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75:
8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba:
c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9:
57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01:
4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6:
fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e:
a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6:
6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01:
db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95:
d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65:
7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f:
20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78:
b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22:
d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23:
2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21:
fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5:
7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a:
4d:b1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
X509v3 Subject Key Identifier:
7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4
Signature Algorithm: sha256WithRSAEncryption
0e:8a:c9:ea:6f:9c:e9:23:b6:9c:a6:a4:c2:d1:b1:ee:25:18:
24:2b:79:d4:a8:f2:99:b9:5c:91:4d:e6:2b:32:2e:01:f5:87:
95:64:fc:6d:f1:87:fa:24:b4:43:4b:49:f3:84:54:44:eb:af:
41:ab:49:ab:c8:b7:32:6c:14:83:5b:d7:2c:41:f9:89:d5:c4:
2b:9a:55:c5:b6:ad:17:d5:4d:bc:41:58:56:72:0d:db:b7:7d:
57:c6:a2:9c:7e:6b:67:ae:26:f8:26:45:bb:c4:95:2e:ea:71:
e3:b4:7a:69:95:a4:8a:80:f8:59:dc:88:6e:e1:a7:fc:bb:8e:
b2:aa:a8:b6:1b:2f:2c:97:a5:12:d5:82:ae:a0:e8:a6:15:fd:
d1:e0:5d:e4:84:b1:76:db:0a:e2:ca:58:2e:d3:df:48:4e:46:
ac:c6:35:79:17:99:ce:e9:be:2c:e4:c2:50:ff:5b:96:15:cd:
64:ac:1b:db:fe:d2:ac:43:61:c8:5f:ee:24:b6:a4:3b:d2:ff:
0a:f4:0c:88:58:a1:9d:a4:c1:1f:6a:6c:67:90:98:e8:1f:5e:
2d:55:60:91:26:2a:b1:66:80:e4:e6:0e:05:2c:75:a9:ca:0b:
e4:a0:8f:e1:47:a8:8f:61:5d:7c:ce:09:60:88:48:c3:46:bf:
be:7e:36:be
-----BEGIN CERTIFICATE-----
MIIDZDCCAkygAwIBAgIBCzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzk0N1oX
DTI2MTEwNjIzMzk0N1owKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O
IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz
9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3
jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6
LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8
ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK
VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI
QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
AwIBBjAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU
ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAA6KyepvnOkj
tpympMLRse4lGCQredSo8pm5XJFN5isyLgH1h5Vk/G3xh/oktENLSfOEVETrr0Gr
SavItzJsFINb1yxB+YnVxCuaVcW2rRfVTbxBWFZyDdu3fVfGopx+a2euJvgmRbvE
lS7qceO0emmVpIqA+FnciG7hp/y7jrKqqLYbLyyXpRLVgq6g6KYV/dHgXeSEsXbb
CuLKWC7T30hORqzGNXkXmc7pvizkwlD/W5YVzWSsG9v+0qxDYchf7iS2pDvS/wr0
DIhYoZ2kwR9qbGeQmOgfXi1VYJEmKrFmgOTmDgUsdanKC+Sgj+FHqI9hXXzOCWCI
SMNGv75+Nr4=
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Nov 8 23:38:16 2016 GMT
Not After : Nov 6 23:38:16 2026 GMT
Subject: O=ICANN, CN=ICANN SSL CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60:
7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d:
73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35:
e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89:
81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61:
17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca:
dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28:
9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d:
f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d:
d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68:
f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0:
3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa:
94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40:
3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85:
e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b:
09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b:
20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8:
e2:c5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
X509v3 Subject Key Identifier:
6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8
Signature Algorithm: sha256WithRSAEncryption
47:46:4f:c7:5f:46:e3:d1:dc:fc:2b:f8:fc:65:ce:36:b1:f4:
5f:ee:14:75:a3:d9:5f:de:75:4b:fa:7b:88:9f:10:8c:2e:97:
cc:35:1b:ce:24:d3:36:60:95:d5:ae:11:b6:3f:8b:f4:12:69:
85:b5:3b:2a:b6:ab:7a:81:85:c2:55:57:ed:d0:b5:e7:4f:54:
37:51:24:c9:d5:07:3a:ef:b6:c5:1a:3e:14:29:a7:a6:f8:08:
2a:0b:26:79:f9:62:85:4a:e5:ea:90:ca:71:38:16:91:4e:7e:
fd:e3:b3:f3:55:8f:5a:d0:86:cf:33:94:88:f1:90:99:cb:81:
e2:81:92:68:2f:c3:61:d5:52:8d:e6:9a:5b:00:83:42:27:88:
f6:d9:fa:d1:bc:bb:b0:bc:b5:14:0b:4e:1a:54:ef:fa:d6:9d:
c4:0c:fc:ed:15:ab:21:4b:45:b5:d9:3b:ed:3c:d5:1e:2e:7a:
83:6f:24:45:d4:4c:b4:ef:60:43:18:d0:84:5d:16:7b:f5:50:
80:b1:a9:c2:8f:3b:c8:90:08:fd:aa:17:13:19:38:19:d1:8e:
85:7c:1e:57:16:8c:f9:8a:e8:29:25:38:cd:bb:55:8e:4a:6a:
6f:e5:7d:fc:d7:55:d6:ae:38:07:96:c1:97:ff:e5:2b:4f:99:
2d:70:f2:08
-----BEGIN CERTIFICATE-----
MIIDYjCCAkqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzgxNloX
DTI2MTEwNjIzMzgxNlowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O
IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z
K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3
VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo
nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz
kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4
yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H
kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AQYwHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53
qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQBHRk/HX0bj0dz8
K/j8Zc42sfRf7hR1o9lf3nVL+nuInxCMLpfMNRvOJNM2YJXVrhG2P4v0EmmFtTsq
tqt6gYXCVVft0LXnT1Q3USTJ1Qc677bFGj4UKaem+AgqCyZ5+WKFSuXqkMpxOBaR
Tn7947PzVY9a0IbPM5SI8ZCZy4HigZJoL8Nh1VKN5ppbAINCJ4j22frRvLuwvLUU
C04aVO/61p3EDPztFashS0W12TvtPNUeLnqDbyRF1Ey072BDGNCEXRZ79VCAsanC
jzvIkAj9qhcTGTgZ0Y6FfB5XFoz5iugpJTjNu1WOSmpv5X3811XWrjgHlsGX/+Ur
T5ktcPII
-----END CERTIFICATE-----

1
root.anchor Normal file
View File

@ -0,0 +1 @@
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}

5
root.key Normal file
View File

@ -0,0 +1,5 @@
; // The root key in bind format. This can be read by most tools, including
; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
trusted-keys {
"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
};

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (unbound-1.7.3.tar.gz) = 34b2e93660e519b2eccefef26a6c7ac09fa3312384cc3bc449ff2b10743bd86bfeb36ec19d35eb913f8d0a3d91ad7923260a66fc799f28b0a2cc06741d80f27a

1
tmpfiles-unbound.conf Normal file
View File

@ -0,0 +1 @@
D /run/unbound 0755 unbound unbound -

320
unbound-1.7.2-python3-devel.patch Normal file
View File

@ -0,0 +1,320 @@
From b5aab36d41f374eddb0f66f28f251588f53a1e1e Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Wed, 27 Jun 2018 05:46:36 +0000
Subject: [PATCH 1/2] - #4109: Fix that package config depends on python
unconditionally.
git-svn-id: file:///svn/unbound/trunk@4757 be551aaa-1e26-0410-a405-d3ace91eadb9
---
configure | 257 +++++++++++++++++++++++++++++++----------------------------
configure.ac | 5 +-
2 files changed, 137 insertions(+), 125 deletions(-)
diff --git a/configure b/configure
index 3f1c372a..2a1687ae 100755
--- a/configure
+++ b/configure
@@ -670,9 +670,6 @@ SYSTEMD_DAEMON_LIBS
SYSTEMD_DAEMON_CFLAGS
SYSTEMD_LIBS
SYSTEMD_CFLAGS
-PKG_CONFIG_LIBDIR
-PKG_CONFIG_PATH
-PKG_CONFIG
staticexe
PC_LIBEVENT_DEPENDENCY
UNBOUND_EVENT_UNINSTALL
@@ -697,6 +694,9 @@ swig
SWIG_LIB
SWIG
PC_PY_DEPENDENCY
+PKG_CONFIG_LIBDIR
+PKG_CONFIG_PATH
+PKG_CONFIG
PY_MAJOR_VERSION
PYTHON_SITE_PKG
PYTHON_LDFLAGS
@@ -16930,7 +16930,136 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h
CPPFLAGS="$PYTHON_CPPFLAGS"
fi
ub_have_python=yes
- PC_PY_DEPENDENCY="python"
+
+
+
+
+
+
+
+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PKG_CONFIG+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $PKG_CONFIG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+PKG_CONFIG=$ac_cv_path_PKG_CONFIG
+if test -n "$PKG_CONFIG"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
+$as_echo "$PKG_CONFIG" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_path_PKG_CONFIG"; then
+ ac_pt_PKG_CONFIG=$PKG_CONFIG
+ # Extract the first word of "pkg-config", so it can be a program name with args.
+set dummy pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $ac_pt_PKG_CONFIG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
+if test -n "$ac_pt_PKG_CONFIG"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
+$as_echo "$ac_pt_PKG_CONFIG" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+ if test "x$ac_pt_PKG_CONFIG" = x; then
+ PKG_CONFIG=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+ PKG_CONFIG=$ac_pt_PKG_CONFIG
+ fi
+else
+ PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
+fi
+
+fi
+if test -n "$PKG_CONFIG"; then
+ _pkg_min_version=0.9.0
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
+$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
+ if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ PKG_CONFIG=""
+ fi
+fi
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\"python\${PY_MAJOR_VERSION}\"\""; } >&5
+ ($PKG_CONFIG --exists --print-errors ""python${PY_MAJOR_VERSION}"") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"
+else
+ PC_PY_DEPENDENCY="python"
+fi
# Check for SWIG
@@ -18960,126 +19089,6 @@ else
fi
have_systemd=no
-
-
-
-
-
-
-
-if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
- if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
-set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_path_PKG_CONFIG+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- case $PKG_CONFIG in
- [\\/]* | ?:[\\/]*)
- ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
- ;;
- *)
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
- done
-IFS=$as_save_IFS
-
- ;;
-esac
-fi
-PKG_CONFIG=$ac_cv_path_PKG_CONFIG
-if test -n "$PKG_CONFIG"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
-$as_echo "$PKG_CONFIG" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-
-fi
-if test -z "$ac_cv_path_PKG_CONFIG"; then
- ac_pt_PKG_CONFIG=$PKG_CONFIG
- # Extract the first word of "pkg-config", so it can be a program name with args.
-set dummy pkg-config; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- case $ac_pt_PKG_CONFIG in
- [\\/]* | ?:[\\/]*)
- ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
- ;;
- *)
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
- done
-IFS=$as_save_IFS
-
- ;;
-esac
-fi
-ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
-if test -n "$ac_pt_PKG_CONFIG"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
-$as_echo "$ac_pt_PKG_CONFIG" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
- if test "x$ac_pt_PKG_CONFIG" = x; then
- PKG_CONFIG=""
- else
- case $cross_compiling:$ac_tool_warned in
-yes:)
-{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
-$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
-ac_tool_warned=yes ;;
-esac
- PKG_CONFIG=$ac_pt_PKG_CONFIG
- fi
-else
- PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
-fi
-
-fi
-if test -n "$PKG_CONFIG"; then
- _pkg_min_version=0.9.0
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
-$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
- if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- PKG_CONFIG=""
- fi
-fi
if test "x$enable_systemd" != xno; then :
diff --git a/configure.ac b/configure.ac
index 1828253c..b2c95d1a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -586,7 +586,10 @@ if test x_$ub_test_python != x_no; then
CPPFLAGS="$PYTHON_CPPFLAGS"
fi
ub_have_python=yes
- PC_PY_DEPENDENCY="python"
+ PKG_PROG_PKG_CONFIG
+ PKG_CHECK_EXISTS(["python${PY_MAJOR_VERSION}"],
+ [PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"],
+ [PC_PY_DEPENDENCY="python"])
AC_SUBST(PC_PY_DEPENDENCY)
# Check for SWIG
--
2.14.4

31
unbound-1.7.2-python3-pkgconfig.patch Normal file
View File

@ -0,0 +1,31 @@
From bca54a8b252d4a75e940424dc761c6a4e487eb84 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Wed, 27 Jun 2018 06:07:31 +0000
Subject: [PATCH 2/2] =?UTF-8?q?-=20Patch,=20do=20not=20export=20python=20f?=
=?UTF-8?q?rom=20pkg-config,=20from=20Petr=20Men=C5=A1=C3=ADk.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
git-svn-id: file:///svn/unbound/trunk@4758 be551aaa-1e26-0410-a405-d3ace91eadb9
---
contrib/libunbound.pc.in | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/contrib/libunbound.pc.in b/contrib/libunbound.pc.in
index 0cb9f875..810c5713 100644
--- a/contrib/libunbound.pc.in
+++ b/contrib/libunbound.pc.in
@@ -7,7 +7,8 @@ Name: unbound
Description: Library with validating, recursive, and caching DNS resolver
URL: http://www.unbound.net
Version: @PACKAGE_VERSION@
-Requires: @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
+Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@
+Requires.private: @PC_PY_DEPENDENCY@
Libs: -L${libdir} -lunbound -lssl -lcrypto
Libs.private: @SSLLIB@ @LIBS@
Cflags: -I${includedir}
--
2.14.4

36
unbound-1.7.3-DNS-over-TLS-memory-leak.patch Normal file
View File

@ -0,0 +1,36 @@
From 377d5b426a30fc915cf7905786f93c0ec89845b7 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 25 Sep 2018 09:01:13 +0000
Subject: [PATCH] - Add SSL cleanup for tcp timeout.
git-svn-id: file:///svn/unbound/trunk@4915 be551aaa-1e26-0410-a405-d3ace91eadb9
---
services/outside_network.c | 11 +++++++++++
1 files changed, 9 insertions(+)
diff --git a/services/outside_network.c b/services/outside_network.c
index 5700ef8..b52cdab 100644
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -373,6 +373,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
log_err("SSL_set1_host failed");
pend->c->fd = s;
+ SSL_free(pend->c->ssl);
+ pend->c->ssl = NULL;
comm_point_close(pend->c);
return 0;
}
@@ -1258,6 +1260,13 @@ outnet_tcptimer(void* arg)
} else {
/* it was in use */
struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting;
+ if(pend->c->ssl) {
+#ifdef HAVE_SSL
+ SSL_shutdown(pend->c->ssl);
+ SSL_free(pend->c->ssl);
+ pend->c->ssl = NULL;
+#endif
+ }
comm_point_close(pend->c);
pend->query = NULL;
pend->next_free = outnet->tcp_free;

553
unbound-1.7.3-additional-logging.patch Normal file
View File

@ -0,0 +1,553 @@
diff --git a/daemon/worker.c b/daemon/worker.c
index 44a989a..3acecc1 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -1193,7 +1193,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
if(worker->env.cfg->log_queries) {
char ip[128];
addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
- log_nametypeclass(0, ip, qinfo.qname, qinfo.qtype, qinfo.qclass);
+ log_query_in(ip, qinfo.qname, qinfo.qtype, qinfo.qclass);
}
if(qinfo.qtype == LDNS_RR_TYPE_AXFR ||
qinfo.qtype == LDNS_RR_TYPE_IXFR) {
diff --git a/doc/Changelog b/doc/Changelog
index 3d05ae5..bb74461 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,15 @@
+30 November 2018: Wouter
+ - log-tag-queryreply: yes in unbound.conf tags the log-queries and
+ log-replies in the log file for easier log filter maintenance.
+
+21 August 2018: Wouter
+ - log-local-actions: yes option for unbound.conf that logs all the
+ local zone actions, a patch from Saksham Manchanda (Secure64).
+
+17 August 2018: Wouter
+ - log-servfail: yes prints log lines that say why queries are
+ returning SERVFAIL to clients.
+
19 June 2018: Wouter
- Fix for unbound-control on Windows and set TCP socket parameters
more closely.
diff --git a/doc/example.conf.in b/doc/example.conf.in
index be83bda..aa06cee 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -309,6 +309,17 @@ server:
# timetoresolve, fromcache and responsesize.
# log-replies: no
+ # log with tag 'query' and 'reply' instead of 'info' for
+ # filtering log-queries and log-replies from the log.
+ # log-tag-queryreply: no
+
+ # log the local-zone actions, like local-zone type inform is enabled
+ # also for the other local zone types.
+ # log-local-actions: no
+
+ # print log lines that say why queries return SERVFAIL to clients.
+ # log-servfail: no
+
# the pid file. Can be an absolute path outside of chroot/work dir.
# pidfile: "@UNBOUND_PIDFILE@"
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 9167a5a..b73bc70 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -618,6 +618,21 @@ Default is no. Note that it takes time to print these
lines which makes the server (significantly) slower. Odd (nonprintable)
characters in names are printed as '?'.
.TP
+.B log\-tag\-queryreply: \fI<yes or no>
+Prints the word 'query' and 'reply' with log\-queries and log\-replies.
+This makes filtering logs easier. The default is off (for backwards
+compatibility).
+.TP
+.B log\-local\-actions: \fI<yes or no>
+Print log lines to inform about local zone actions. These lines are like the
+local\-zone type inform prints out, but they are also printed for the other
+types of local zones.
+.TP
+.B log\-servfail: \fI<yes or no>
+Print log lines that say why queries return SERVFAIL to clients.
+This is separate from the verbosity debug logs, much smaller, and printed
+at the error level, not the info level of debug info from verbosity.
+.TP
.B pidfile: \fI<filename>
The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
So,
diff --git a/services/localzone.c b/services/localzone.c
index 0f60817..a85619b 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -1459,7 +1459,7 @@ lz_inform_print(struct local_zone* z, struct query_info* qinfo,
uint16_t port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port);
dname_str(z->name, zname);
addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
- snprintf(txt, sizeof(txt), "%s inform %s@%u", zname, ip,
+ snprintf(txt, sizeof(txt), "%s %s %s@%u", zname, local_zone_type2str(z->type), ip,
(unsigned)port);
log_nametypeclass(0, txt, qinfo->qname, qinfo->qtype, qinfo->qclass);
}
@@ -1576,7 +1576,8 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
z->override_tree, &tag, tagname, num_tags);
lock_rw_unlock(&zones->lock);
}
- if((lzt == local_zone_inform || lzt == local_zone_inform_deny)
+ if((env->cfg->log_local_actions ||
+ lzt == local_zone_inform || lzt == local_zone_inform_deny)
&& repinfo)
lz_inform_print(z, qinfo, repinfo);
diff --git a/services/mesh.c b/services/mesh.c
index 41aba74..55c1947 100644
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -977,7 +977,7 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
rcode = LDNS_RCODE_SERVFAIL;
if(!rcode && (rep->security == sec_status_bogus ||
rep->security == sec_status_secure_sentinel_fail)) {
- if(!(reason = errinf_to_str(&m->s)))
+ if(!(reason = errinf_to_str_bogus(&m->s)))
rcode = LDNS_RCODE_SERVFAIL;
}
/* send the reply */
@@ -1148,6 +1148,15 @@ void mesh_query_done(struct mesh_state* mstate)
struct mesh_cb* c;
struct reply_info* rep = (mstate->s.return_msg?
mstate->s.return_msg->rep:NULL);
+ if((mstate->s.return_rcode == LDNS_RCODE_SERVFAIL ||
+ (rep && FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_SERVFAIL))
+ && mstate->s.env->cfg->log_servfail
+ && !mstate->s.env->cfg->val_log_squelch) {
+ char* err = errinf_to_str_servfail(&mstate->s);
+ if(err)
+ log_err("%s", err);
+ free(err);
+ }
for(r = mstate->reply_list; r; r = r->next) {
/* if a response-ip address block has been stored the
* information should be logged for each client. */
diff --git a/util/config_file.c b/util/config_file.c
index b061760..68a0a15 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -115,6 +115,9 @@ config_create(void)
cfg->log_time_ascii = 0;
cfg->log_queries = 0;
cfg->log_replies = 0;
+ cfg->log_tag_queryreply = 0;
+ cfg->log_local_actions = 0;
+ cfg->log_servfail = 0;
#ifndef USE_WINSOCK
# ifdef USE_MINI_EVENT
/* select max 1024 sockets */
@@ -540,6 +543,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_YNO("val-log-squelch:", val_log_squelch)
else S_YNO("log-queries:", log_queries)
else S_YNO("log-replies:", log_replies)
+ else S_YNO("log-tag-queryreply:", log_tag_queryreply)
+ else S_YNO("log-local-actions:", log_local_actions)
+ else S_YNO("log-servfail:", log_servfail)
else S_YNO("val-permissive-mode:", val_permissive_mode)
else S_YNO("aggressive-nsec:", aggressive_nsec)
else S_YNO("ignore-cd-flag:", ignore_cd)
@@ -893,6 +899,9 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_STR(opt, "logfile", logfile)
else O_YNO(opt, "log-queries", log_queries)
else O_YNO(opt, "log-replies", log_replies)
+ else O_YNO(opt, "log-tag-queryreply", log_tag_queryreply)
+ else O_YNO(opt, "log-local-actions", log_local_actions)
+ else O_YNO(opt, "log-servfail", log_servfail)
else O_STR(opt, "pidfile", pidfile)
else O_YNO(opt, "hide-identity", hide_identity)
else O_YNO(opt, "hide-version", hide_version)
@@ -1845,6 +1854,7 @@ config_apply(struct config_file* config)
EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size;
MINIMAL_RESPONSES = config->minimal_responses;
RRSET_ROUNDROBIN = config->rrset_roundrobin;
+ LOG_TAG_QUERYREPLY = config->log_tag_queryreply;
log_set_time_asc(config->log_time_ascii);
autr_permit_small_holddown = config->permit_small_holddown;
}
@@ -2220,7 +2230,7 @@ void errinf_origin(struct module_qstate* qstate, struct sock_list *origin)
}
}
-char* errinf_to_str(struct module_qstate* qstate)
+char* errinf_to_str_bogus(struct module_qstate* qstate)
{
char buf[20480];
char* p = buf;
@@ -2245,6 +2255,31 @@ char* errinf_to_str(struct module_qstate* qstate)
return p;
}
+char* errinf_to_str_servfail(struct module_qstate* qstate)
+{
+ char buf[20480];
+ char* p = buf;
+ size_t left = sizeof(buf);
+ struct config_strlist* s;
+ char dname[LDNS_MAX_DOMAINLEN+1];
+ char t[16], c[16];
+ sldns_wire2str_type_buf(qstate->qinfo.qtype, t, sizeof(t));
+ sldns_wire2str_class_buf(qstate->qinfo.qclass, c, sizeof(c));
+ dname_str(qstate->qinfo.qname, dname);
+ snprintf(p, left, "SERVFAIL <%s %s %s>:", dname, t, c);
+ left -= strlen(p); p += strlen(p);
+ if(!qstate->errinf)
+ snprintf(p, left, " misc failure");
+ else for(s=qstate->errinf; s; s=s->next) {
+ snprintf(p, left, " %s", s->str);
+ left -= strlen(p); p += strlen(p);
+ }
+ p = strdup(buf);
+ if(!p)
+ log_err("malloc failure in errinf_to_str");
+ return p;
+}
+
void errinf_rrset(struct module_qstate* qstate, struct ub_packed_rrset_key *rr)
{
char buf[1024];
diff --git a/util/config_file.h b/util/config_file.h
index 4206eb9..1e7f402 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -268,6 +268,12 @@ struct config_file {
int log_queries;
/** log replies with one line per reply */
int log_replies;
+ /** tag log_queries and log_replies for filtering */
+ int log_tag_queryreply;
+ /** log every local-zone hit **/
+ int log_local_actions;
+ /** log servfails with a reason */
+ int log_servfail;
/** log identity to report */
char* log_identity;
@@ -1070,7 +1076,15 @@ void errinf_dname(struct module_qstate* qstate, const char* str,
* @return string or NULL on malloc failure (already logged).
* This string is malloced and has to be freed by caller.
*/
-char* errinf_to_str(struct module_qstate* qstate);
+char* errinf_to_str_bogus(struct module_qstate* qstate);
+
+/**
+ * Create error info in string. For other servfails.
+ * @param qstate: query state.
+ * @return string or NULL on malloc failure (already logged).
+ * This string is malloced and has to be freed by caller.
+ */
+char* errinf_to_str_servfail(struct module_qstate* qstate);
/**
* Used during options parsing
diff --git a/util/configlexer.lex b/util/configlexer.lex
index 6124e32..9b22db1 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -366,6 +366,9 @@ log-identity{COLON} { YDVAR(1, VAR_LOG_IDENTITY) }
log-time-ascii{COLON} { YDVAR(1, VAR_LOG_TIME_ASCII) }
log-queries{COLON} { YDVAR(1, VAR_LOG_QUERIES) }
log-replies{COLON} { YDVAR(1, VAR_LOG_REPLIES) }
+log-tag-queryreply{COLON} { YDVAR(1, VAR_LOG_TAG_QUERYREPLY) }
+log-local-actions{COLON} { YDVAR(1, VAR_LOG_LOCAL_ACTIONS) }
+log-servfail{COLON} { YDVAR(1, VAR_LOG_SERVFAIL) }
local-zone{COLON} { YDVAR(2, VAR_LOCAL_ZONE) }
local-data{COLON} { YDVAR(1, VAR_LOCAL_DATA) }
local-data-ptr{COLON} { YDVAR(1, VAR_LOCAL_DATA_PTR) }
diff --git a/util/configparser.y b/util/configparser.y
index e34665a..4b23a71 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -106,7 +106,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING VAR_ADD_HOLDDOWN
%token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH
%token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT VAR_HARDEN_BELOW_NXDOMAIN
-%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_LOG_REPLIES
+%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_LOG_REPLIES VAR_LOG_LOCAL_ACTIONS
%token VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
%token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
@@ -158,6 +158,8 @@ extern struct config_parser_state* cfg_parser;
%token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM
%token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL
%token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT
+%token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL
+%token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -217,6 +219,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_edns_buffer_size | server_prefetch | server_prefetch_key |
server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag |
server_log_queries | server_log_replies | server_tcp_upstream | server_ssl_upstream |
+ server_log_local_actions |
server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
server_so_reuseport | server_delay_close |
@@ -249,7 +252,9 @@ content_server: server_num_threads | server_verbosity | server_port |
server_ipsecmod_whitelist | server_ipsecmod_strict |
server_udp_upstream_without_downstream | server_aggressive_nsec |
server_tls_cert_bundle | server_tls_additional_port | server_low_rtt |
- server_low_rtt_permil | server_tls_win_cert
+ server_low_rtt_permil | server_tls_win_cert |
+ server_tcp_connection_limit | server_log_servfail |
+ server_unknown_server_time_limit | server_log_tag_queryreply
;
stubstart: VAR_STUB_ZONE
{
@@ -764,6 +769,33 @@ server_log_replies: VAR_LOG_REPLIES STRING_ARG
free($2);
}
;
+server_log_tag_queryreply: VAR_LOG_TAG_QUERYREPLY STRING_ARG
+ {
+ OUTYY(("P(server_log_tag_queryreply:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->log_tag_queryreply = (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
+server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG
+ {
+ OUTYY(("P(server_log_servfail:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->log_servfail = (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
+server_log_local_actions: VAR_LOG_LOCAL_ACTIONS STRING_ARG
+ {
+ OUTYY(("P(server_log_local_actions:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->log_local_actions = (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
server_chroot: VAR_CHROOT STRING_ARG
{
OUTYY(("P(server_chroot:%s)\n", $2));
diff --git a/util/data/msgreply.c b/util/data/msgreply.c
index 772f5d1..df2131c 100644
--- a/util/data/msgreply.c
+++ b/util/data/msgreply.c
@@ -844,7 +844,9 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
addr_to_str(addr, addrlen, clientip_buf, sizeof(clientip_buf));
if(rcode == LDNS_RCODE_FORMERR)
{
- log_info("%s - - - %s - - - ", clientip_buf, rcode_buf);
+ if(LOG_TAG_QUERYREPLY)
+ log_reply("%s - - - %s - - - ", clientip_buf, rcode_buf);
+ else log_info("%s - - - %s - - - ", clientip_buf, rcode_buf);
} else {
if(qinf->qname)
dname_str(qinf->qname, qname_buf);
@@ -852,7 +854,11 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
pktlen = sldns_buffer_limit(rmsg);
sldns_wire2str_type_buf(qinf->qtype, type_buf, sizeof(type_buf));
sldns_wire2str_class_buf(qinf->qclass, class_buf, sizeof(class_buf));
- log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
+ if(LOG_TAG_QUERYREPLY)
+ log_reply("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
+ clientip_buf, qname_buf, type_buf, class_buf,
+ rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
+ else log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
clientip_buf, qname_buf, type_buf, class_buf,
rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
}
diff --git a/util/log.c b/util/log.c
index 43dd572..fff4319 100644
--- a/util/log.c
+++ b/util/log.c
@@ -391,6 +391,24 @@ log_hex(const char* msg, void* data, size_t length)
log_hex_f(verbosity, msg, data, length);
}
+void
+log_query(const char *format, ...)
+{
+ va_list args;
+ va_start(args, format);
+ log_vmsg(LOG_INFO, "query", format, args);
+ va_end(args);
+}
+
+void
+log_reply(const char *format, ...)
+{
+ va_list args;
+ va_start(args, format);
+ log_vmsg(LOG_INFO, "reply", format, args);
+ va_end(args);
+}
+
void log_buf(enum verbosity_value level, const char* msg, sldns_buffer* buf)
{
if(verbosity < level)
diff --git a/util/log.h b/util/log.h
index 7bc3d9e..172cd01 100644
--- a/util/log.h
+++ b/util/log.h
@@ -160,6 +160,20 @@ void log_warn(const char* format, ...) ATTR_FORMAT(printf, 1, 2);
*/
void log_hex(const char* msg, void* data, size_t length);
+/**
+ * Log query.
+ * Pass printf formatted arguments. No trailing newline is needed.
+ * @param format: printf-style format string. Arguments follow.
+ */
+void log_query(const char* format, ...) ATTR_FORMAT(printf, 1, 2);
+
+/**
+ * Log reply.
+ * Pass printf formatted arguments. No trailing newline is needed.
+ * @param format: printf-style format string. Arguments follow.
+ */
+void log_reply(const char* format, ...) ATTR_FORMAT(printf, 1, 2);
+
/**
* Easy alternative for log_hex, takes a sldns_buffer.
* @param level: verbosity level for this message, compared to global
diff --git a/util/net_help.c b/util/net_help.c
index a193c36..617a896 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -67,6 +67,9 @@ int MINIMAL_RESPONSES = 0;
/** rrset order roundrobin: default is no */
int RRSET_ROUNDROBIN = 0;
+/** log tag queries with name instead of 'info' for filtering */
+int LOG_TAG_QUERYREPLY = 0;
+
/* returns true is string addr is an ip6 specced address */
int
str_is_ip6(const char* str)
@@ -335,7 +338,7 @@ log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
{
char buf[LDNS_MAX_DOMAINLEN+1];
char t[12], c[12];
- const char *ts, *cs;
+ const char *ts, *cs;
if(verbosity < v)
return;
dname_str(name, buf);
@@ -361,6 +364,37 @@ log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
log_info("%s %s %s %s", str, buf, ts, cs);
}
+void
+log_query_in(const char* str, uint8_t* name, uint16_t type, uint16_t dclass)
+{
+ char buf[LDNS_MAX_DOMAINLEN+1];
+ char t[12], c[12];
+ const char *ts, *cs;
+ dname_str(name, buf);
+ if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
+ else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
+ else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
+ else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
+ else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
+ else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
+ else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
+ ts = sldns_rr_descript(type)->_name;
+ else {
+ snprintf(t, sizeof(t), "TYPE%d", (int)type);
+ ts = t;
+ }
+ if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
+ sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
+ cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
+ else {
+ snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
+ cs = c;
+ }
+ if(LOG_TAG_QUERYREPLY)
+ log_query("%s %s %s %s", str, buf, ts, cs);
+ else log_info("%s %s %s %s", str, buf, ts, cs);
+}
+
void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone,
struct sockaddr_storage* addr, socklen_t addrlen)
{
diff --git a/util/net_help.h b/util/net_help.h
index de2e1ac..f2e0e43 100644
--- a/util/net_help.h
+++ b/util/net_help.h
@@ -99,6 +99,9 @@ extern int MINIMAL_RESPONSES;
/** rrset order roundrobin */
extern int RRSET_ROUNDROBIN;
+/** log tag queries with name instead of 'info' for filtering */
+extern int LOG_TAG_QUERYREPLY;
+
/**
* See if string is ip4 or ip6.
* @param str: IP specification.
@@ -235,6 +238,12 @@ void sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen,
void log_nametypeclass(enum verbosity_value v, const char* str,
uint8_t* name, uint16_t type, uint16_t dclass);
+/**
+ * Like log_nametypeclass, but logs with log_query for query logging
+ */
+void log_query_in(const char* str, uint8_t* name, uint16_t type,
+ uint16_t dclass);
+
/**
* Compare two sockaddrs. Imposes an ordering on the addresses.
* Compares address and port.
diff --git a/validator/val_kcache.c b/validator/val_kcache.c
index 22070cc..e0b88b6 100644
--- a/validator/val_kcache.c
+++ b/validator/val_kcache.c
@@ -89,7 +89,7 @@ key_cache_insert(struct key_cache* kcache, struct key_entry_key* kkey,
if(key_entry_isbad(k) && qstate->errinf &&
qstate->env->cfg->val_log_level >= 2) {
/* on malloc failure there is simply no reason string */
- key_entry_set_reason(k, errinf_to_str(qstate));
+ key_entry_set_reason(k, errinf_to_str_bogus(qstate));
}
key_entry_hash(k);
slabhash_insert(kcache->slab, k->entry.hash, &k->entry,
diff --git a/validator/validator.c b/validator/validator.c
index 5777b29..2d9cc17 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -2227,13 +2227,15 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
vq->orig_msg->rep->ttl = ve->bogus_ttl;
vq->orig_msg->rep->prefetch_ttl =
PREFETCH_TTL_CALC(vq->orig_msg->rep->ttl);
- if(qstate->env->cfg->val_log_level >= 1 &&
+ if((qstate->env->cfg->val_log_level >= 1 ||
+ qstate->env->cfg->log_servfail) &&
!qstate->env->cfg->val_log_squelch) {
- if(qstate->env->cfg->val_log_level < 2)
+ if(qstate->env->cfg->val_log_level < 2 &&
+ !qstate->env->cfg->log_servfail)
log_query_info(0, "validation failure",
&qstate->qinfo);
else {
- char* err = errinf_to_str(qstate);
+ char* err = errinf_to_str_bogus(qstate);
if(err) log_info("%s", err);
free(err);
}
@@ -2332,6 +2334,7 @@ processDLVLookup(struct module_qstate* qstate, struct val_qstate* vq,
if(vq->dlv_status == dlv_error) {
verbose(VERB_QUERY, "failed DLV lookup");
+ errinf(qstate, "failed DLV lookup");
return val_error(qstate, id);
} else if(vq->dlv_status == dlv_success) {
uint8_t* nm;

944
unbound-1.7.3-amplifying-an-incoming-query.patch Normal file
View File

@ -0,0 +1,944 @@
diff --git a/iterator/iter_delegpt.c b/iterator/iter_delegpt.c
index f88b3e1..522e0e9 100644
--- a/iterator/iter_delegpt.c
+++ b/iterator/iter_delegpt.c
@@ -84,7 +84,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
}
for(a = dp->target_list; a; a = a->next_target) {
if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen,
- a->bogus, a->lame, a->tls_auth_name))
+ a->bogus, a->lame, a->tls_auth_name, NULL))
return NULL;
}
return copy;
@@ -161,7 +161,7 @@ delegpt_find_addr(struct delegpt* dp, struct sockaddr_storage* addr,
int
delegpt_add_target(struct delegpt* dp, struct regional* region,
uint8_t* name, size_t namelen, struct sockaddr_storage* addr,
- socklen_t addrlen, uint8_t bogus, uint8_t lame)
+ socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions)
{
struct delegpt_ns* ns = delegpt_find_ns(dp, name, namelen);
log_assert(!dp->dp_type_mlc);
@@ -176,13 +176,14 @@ delegpt_add_target(struct delegpt* dp, struct regional* region,
if(ns->got4 && ns->got6)
ns->resolved = 1;
}
- return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL);
+ return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL,
+ additions);
}
int
delegpt_add_addr(struct delegpt* dp, struct regional* region,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus,
- uint8_t lame, char* tls_auth_name)
+ uint8_t lame, char* tls_auth_name, int* additions)
{
struct delegpt_addr* a;
log_assert(!dp->dp_type_mlc);
@@ -195,6 +196,9 @@ delegpt_add_addr(struct delegpt* dp, struct regional* region,
return 1;
}
+ if(additions)
+ *additions = 1;
+
a = (struct delegpt_addr*)regional_alloc(region,
sizeof(struct delegpt_addr));
if(!a)
@@ -382,10 +386,10 @@ delegpt_from_message(struct dns_msg* msg, struct regional* region)
continue;
if(ntohs(s->rk.type) == LDNS_RR_TYPE_A) {
- if(!delegpt_add_rrset_A(dp, region, s, 0))
+ if(!delegpt_add_rrset_A(dp, region, s, 0, NULL))
return NULL;
} else if(ntohs(s->rk.type) == LDNS_RR_TYPE_AAAA) {
- if(!delegpt_add_rrset_AAAA(dp, region, s, 0))
+ if(!delegpt_add_rrset_AAAA(dp, region, s, 0, NULL))
return NULL;
}
}
@@ -416,7 +420,7 @@ delegpt_rrset_add_ns(struct delegpt* dp, struct regional* region,
int
delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
- struct ub_packed_rrset_key* ak, uint8_t lame)
+ struct ub_packed_rrset_key* ak, uint8_t lame, int* additions)
{
struct packed_rrset_data* d=(struct packed_rrset_data*)ak->entry.data;
size_t i;
@@ -432,7 +436,7 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
memmove(&sa.sin_addr, d->rr_data[i]+2, INET_SIZE);
if(!delegpt_add_target(dp, region, ak->rk.dname,
ak->rk.dname_len, (struct sockaddr_storage*)&sa,
- len, (d->security==sec_status_bogus), lame))
+ len, (d->security==sec_status_bogus), lame, additions))
return 0;
}
return 1;
@@ -440,7 +444,7 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
int
delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
- struct ub_packed_rrset_key* ak, uint8_t lame)
+ struct ub_packed_rrset_key* ak, uint8_t lame, int* additions)
{
struct packed_rrset_data* d=(struct packed_rrset_data*)ak->entry.data;
size_t i;
@@ -456,7 +460,7 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
memmove(&sa.sin6_addr, d->rr_data[i]+2, INET6_SIZE);
if(!delegpt_add_target(dp, region, ak->rk.dname,
ak->rk.dname_len, (struct sockaddr_storage*)&sa,
- len, (d->security==sec_status_bogus), lame))
+ len, (d->security==sec_status_bogus), lame, additions))
return 0;
}
return 1;
@@ -464,20 +468,32 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
int
delegpt_add_rrset(struct delegpt* dp, struct regional* region,
- struct ub_packed_rrset_key* rrset, uint8_t lame)
+ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions)
{
if(!rrset)
return 1;
if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_NS)
return delegpt_rrset_add_ns(dp, region, rrset, lame);
else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_A)
- return delegpt_add_rrset_A(dp, region, rrset, lame);
+ return delegpt_add_rrset_A(dp, region, rrset, lame, additions);
else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_AAAA)
- return delegpt_add_rrset_AAAA(dp, region, rrset, lame);
+ return delegpt_add_rrset_AAAA(dp, region, rrset, lame, additions);
log_warn("Unknown rrset type added to delegpt");
return 1;
}
+void delegpt_mark_neg(struct delegpt_ns* ns, uint16_t qtype)
+{
+ if(ns) {
+ if(qtype == LDNS_RR_TYPE_A)
+ ns->got4 = 2;
+ else if(qtype == LDNS_RR_TYPE_AAAA)
+ ns->got6 = 2;
+ if(ns->got4 && ns->got6)
+ ns->resolved = 1;
+ }
+}
+
void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg)
{
struct reply_info* rep = (struct reply_info*)msg->entry.data;
@@ -487,14 +503,7 @@ void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg)
if(FLAGS_GET_RCODE(rep->flags) != 0 || rep->an_numrrsets == 0) {
struct delegpt_ns* ns = delegpt_find_ns(dp, msg->key.qname,
msg->key.qname_len);
- if(ns) {
- if(msg->key.qtype == LDNS_RR_TYPE_A)
- ns->got4 = 1;
- else if(msg->key.qtype == LDNS_RR_TYPE_AAAA)
- ns->got6 = 1;
- if(ns->got4 && ns->got6)
- ns->resolved = 1;
- }
+ delegpt_mark_neg(ns, msg->key.qtype);
}
}
diff --git a/iterator/iter_delegpt.h b/iterator/iter_delegpt.h
index 354bd61..3aded22 100644
--- a/iterator/iter_delegpt.h
+++ b/iterator/iter_delegpt.h
@@ -104,9 +104,10 @@ struct delegpt_ns {
* and marked true if got4 and got6 are both true.
*/
int resolved;
- /** if the ipv4 address is in the delegpt */
+ /** if the ipv4 address is in the delegpt, 0=not, 1=yes 2=negative,
+ * negative means it was done, but no content. */
uint8_t got4;
- /** if the ipv6 address is in the delegpt */
+ /** if the ipv6 address is in the delegpt, 0=not, 1=yes 2=negative */
uint8_t got6;
/**
* If the name is parent-side only and thus dispreferred.
@@ -213,11 +214,12 @@ int delegpt_rrset_add_ns(struct delegpt* dp, struct regional* regional,
* @param addrlen: the length of addr.
* @param bogus: security status for the address, pass true if bogus.
* @param lame: address is lame.
+ * @param additions: will be set to 1 if a new address is added
* @return false on error.
*/
int delegpt_add_target(struct delegpt* dp, struct regional* regional,
uint8_t* name, size_t namelen, struct sockaddr_storage* addr,
- socklen_t addrlen, uint8_t bogus, uint8_t lame);
+ socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions);
/**
* Add A RRset to delegpt.
@@ -225,10 +227,11 @@ int delegpt_add_target(struct delegpt* dp, struct regional* regional,
* @param regional: where to allocate the info.
* @param rrset: RRset A to add.
* @param lame: rrset is lame, disprefer it.
+ * @param additions: will be set to 1 if a new address is added
* @return 0 on alloc error.
*/
int delegpt_add_rrset_A(struct delegpt* dp, struct regional* regional,
- struct ub_packed_rrset_key* rrset, uint8_t lame);
+ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
/**
* Add AAAA RRset to delegpt.
@@ -236,10 +239,11 @@ int delegpt_add_rrset_A(struct delegpt* dp, struct regional* regional,
* @param regional: where to allocate the info.
* @param rrset: RRset AAAA to add.
* @param lame: rrset is lame, disprefer it.
+ * @param additions: will be set to 1 if a new address is added
* @return 0 on alloc error.
*/
int delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* regional,
- struct ub_packed_rrset_key* rrset, uint8_t lame);
+ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
/**
* Add any RRset to delegpt.
@@ -248,10 +252,11 @@ int delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* regional,
* @param regional: where to allocate the info.
* @param rrset: RRset to add, NS, A, AAAA.
* @param lame: rrset is lame, disprefer it.
+ * @param additions: will be set to 1 if a new address is added
* @return 0 on alloc error.
*/
int delegpt_add_rrset(struct delegpt* dp, struct regional* regional,
- struct ub_packed_rrset_key* rrset, uint8_t lame);
+ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
/**
* Add address to the delegation point. No servername is associated or checked.
@@ -262,11 +267,13 @@ int delegpt_add_rrset(struct delegpt* dp, struct regional* regional,
* @param bogus: if address is bogus.
* @param lame: if address is lame.
* @param tls_auth_name: TLS authentication name (or NULL).
+ * @param additions: will be set to 1 if a new address is added
+ * @return 0 on alloc error.
* @return false on error.
*/
int delegpt_add_addr(struct delegpt* dp, struct regional* regional,
struct sockaddr_storage* addr, socklen_t addrlen,
- uint8_t bogus, uint8_t lame, char* tls_auth_name);
+ uint8_t bogus, uint8_t lame, char* tls_auth_name, int* additions);
/**
* Find NS record in name list of delegation point.
@@ -339,6 +346,14 @@ size_t delegpt_count_targets(struct delegpt* dp);
struct delegpt* delegpt_from_message(struct dns_msg* msg,
struct regional* regional);
+/**
+* Mark negative return in delegation point for specific nameserver.
+* sets the got4 or got6 to negative, updates the ns->resolved.
+* @param ns: the nameserver in the delegpt.
+* @param qtype: A or AAAA (host order).
+*/
+void delegpt_mark_neg(struct delegpt_ns* ns, uint16_t qtype);
+
/**
* Add negative message to delegation point.
* @param dp: delegation point.
diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
index 12580dc..8230d17 100644
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -185,8 +185,9 @@ mark_additional_rrset(sldns_buffer* pkt, struct msg_parse* msg,
/** Get target name of a CNAME */
static int
parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
- size_t* snamelen)
+ size_t* snamelen, sldns_buffer* pkt)
{
+ size_t oldpos, dlen;
if(rrset->rr_count != 1) {
struct rr_parse* sig;
verbose(VERB_ALGO, "Found CNAME rrset with "
@@ -204,6 +205,19 @@ parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
*sname = rrset->rr_first->ttl_data + sizeof(uint32_t)
+ sizeof(uint16_t); /* skip ttl, rdatalen */
*snamelen = rrset->rr_first->size - sizeof(uint16_t);
+
+ if(rrset->rr_first->outside_packet) {
+ if(!dname_valid(*sname, *snamelen))
+ return 0;
+ return 1;
+ }
+ oldpos = sldns_buffer_position(pkt);
+ sldns_buffer_set_position(pkt, (size_t)(*sname - sldns_buffer_begin(pkt)));
+ dlen = pkt_dname_len(pkt);
+ sldns_buffer_set_position(pkt, oldpos);
+ if(dlen == 0)
+ return 0; /* parse fail on the rdata name */
+ *snamelen = dlen;
return 1;
}
@@ -215,7 +229,7 @@ synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset,
/* we already know that sname is a strict subdomain of DNAME owner */
uint8_t* dtarg = NULL;
size_t dtarglen;
- if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen))
+ if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen, pkt))
return 0;
log_assert(qnamelen > dname_rrset->dname_len);
/* DNAME from com. to net. with qname example.com. -> example.net. */
@@ -372,7 +386,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
/* check next cname */
uint8_t* t = NULL;
size_t tlen = 0;
- if(!parse_get_cname_target(nx, &t, &tlen))
+ if(!parse_get_cname_target(nx, &t, &tlen, pkt))
return 0;
if(dname_pkt_compare(pkt, alias, t) == 0) {
/* it's OK and better capitalized */
@@ -423,7 +437,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
size_t tlen = 0;
if(synth_cname(sname, snamelen, nx, alias,
&aliaslen, pkt) &&
- parse_get_cname_target(rrset, &t, &tlen) &&
+ parse_get_cname_target(rrset, &t, &tlen, pkt) &&
dname_pkt_compare(pkt, alias, t) == 0) {
/* the synthesized CNAME equals the
* current CNAME. This CNAME is the
@@ -442,7 +456,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
}
/* move to next name in CNAME chain */
- if(!parse_get_cname_target(rrset, &sname, &snamelen))
+ if(!parse_get_cname_target(rrset, &sname, &snamelen, pkt))
return 0;
prev = rrset;
rrset = rrset->rrset_all_next;
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index 0a8f770..a107bee 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -1008,7 +1008,7 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
log_rrset_key(VERB_ALGO, "found parent-side", akey);
ns->done_pside4 = 1;
/* a negative-cache-element has no addresses it adds */
- if(!delegpt_add_rrset_A(dp, region, akey, 1))
+ if(!delegpt_add_rrset_A(dp, region, akey, 1, NULL))
log_err("malloc failure in lookup_parent_glue");
lock_rw_unlock(&akey->entry.lock);
}
@@ -1020,7 +1020,7 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
log_rrset_key(VERB_ALGO, "found parent-side", akey);
ns->done_pside6 = 1;
/* a negative-cache-element has no addresses it adds */
- if(!delegpt_add_rrset_AAAA(dp, region, akey, 1))
+ if(!delegpt_add_rrset_AAAA(dp, region, akey, 1, NULL))
log_err("malloc failure in lookup_parent_glue");
lock_rw_unlock(&akey->entry.lock);
}
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 58a9bff..a4ad319 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -69,6 +69,8 @@
#include "sldns/parseutil.h"
#include "sldns/sbuffer.h"
+static void target_count_increase_nx(struct iter_qstate* iq, int num);
+
int
iter_init(struct module_env* env, int id)
{
@@ -147,6 +149,7 @@ iter_new(struct module_qstate* qstate, int id)
iq->sent_count = 0;
iq->ratelimit_ok = 0;
iq->target_count = NULL;
+ iq->dp_target_count = 0;
iq->wait_priming_stub = 0;
iq->refetch_glue = 0;
iq->dnssec_expected = 0;
@@ -218,6 +221,7 @@ final_state(struct iter_qstate* iq)
static void
error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
{
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
struct iter_qstate* super_iq = (struct iter_qstate*)super->minfo[id];
if(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
@@ -242,7 +246,11 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
super->region, super_iq->dp))
log_err("out of memory adding missing");
}
+ delegpt_mark_neg(dpns, qstate->qinfo.qtype);
dpns->resolved = 1; /* mark as failed */
+ if((dpns->got4 == 2 || !ie->supports_ipv4) &&
+ (dpns->got6 == 2 || !ie->supports_ipv6))
+ target_count_increase_nx(super_iq, 1);
}
if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS) {
/* prime failed to get delegation */
@@ -577,7 +585,7 @@ static void
target_count_create(struct iter_qstate* iq)
{
if(!iq->target_count) {
- iq->target_count = (int*)calloc(2, sizeof(int));
+ iq->target_count = (int*)calloc(3, sizeof(int));
/* if calloc fails we simply do not track this number */
if(iq->target_count)
iq->target_count[0] = 1;
@@ -590,6 +598,15 @@ target_count_increase(struct iter_qstate* iq, int num)
target_count_create(iq);
if(iq->target_count)
iq->target_count[1] += num;
+ iq->dp_target_count++;
+}
+
+static void
+target_count_increase_nx(struct iter_qstate* iq, int num)
+{
+ target_count_create(iq);
+ if(iq->target_count)
+ iq->target_count[2] += num;
}
/**
@@ -612,13 +629,15 @@ target_count_increase(struct iter_qstate* iq, int num)
* @param subq_ret: if newly allocated, the subquerystate, or NULL if it does
* not need initialisation.
* @param v: if true, validation is done on the subquery.
+ * @param detached: true if this qstate should not attach to the subquery
* @return false on error (malloc).
*/
static int
generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
uint16_t qclass, struct module_qstate* qstate, int id,
struct iter_qstate* iq, enum iter_state initial_state,
- enum iter_state finalstate, struct module_qstate** subq_ret, int v)
+ enum iter_state finalstate, struct module_qstate** subq_ret, int v,
+ int detached)
{
struct module_qstate* subq = NULL;
struct iter_qstate* subiq = NULL;
@@ -645,12 +664,24 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
valrec = 1;
}
- /* attach subquery, lookup existing or make a new one */
- fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
- if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime, valrec,
- &subq)) {
- return 0;
- }
+ if(detached) {
+ struct mesh_state* sub = NULL;
+ fptr_ok(fptr_whitelist_modenv_add_sub(
+ qstate->env->add_sub));
+ if(!(*qstate->env->add_sub)(qstate, &qinf,
+ qflags, prime, valrec, &subq, &sub)){
+ return 0;
+ }
+ }
+ else {
+ /* attach subquery, lookup existing or make a new one */
+ fptr_ok(fptr_whitelist_modenv_attach_sub(
+ qstate->env->attach_sub));
+ if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime,
+ valrec, &subq)) {
+ return 0;
+ }
+ }
*subq_ret = subq;
if(subq) {
/* initialise the new subquery */
@@ -672,6 +703,7 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
subiq->target_count = iq->target_count;
if(iq->target_count)
iq->target_count[0] ++; /* extra reference */
+ subiq->dp_target_count = 0;
subiq->num_current_queries = 0;
subiq->depth = iq->depth+1;
outbound_list_init(&subiq->outlist);
@@ -715,7 +747,7 @@ prime_root(struct module_qstate* qstate, struct iter_qstate* iq, int id,
* the normal INIT state logic (which would cause an infloop). */
if(!generate_sub_request((uint8_t*)"\000", 1, LDNS_RR_TYPE_NS,
qclass, qstate, id, iq, QUERYTARGETS_STATE, PRIME_RESP_STATE,
- &subq, 0)) {
+ &subq, 0, 0)) {
verbose(VERB_ALGO, "could not prime root");
return 0;
}
@@ -805,7 +837,7 @@ prime_stub(struct module_qstate* qstate, struct iter_qstate* iq, int id,
* redundant INIT state processing. */
if(!generate_sub_request(stub_dp->name, stub_dp->namelen,
LDNS_RR_TYPE_NS, qclass, qstate, id, iq,
- QUERYTARGETS_STATE, PRIME_RESP_STATE, &subq, 0)) {
+ QUERYTARGETS_STATE, PRIME_RESP_STATE, &subq, 0, 0)) {
verbose(VERB_ALGO, "could not prime stub");
(void)error_response(qstate, id, LDNS_RCODE_SERVFAIL);
return 1; /* return 1 to make module stop, with error */
@@ -976,7 +1008,7 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
if(!generate_sub_request(s->rk.dname, s->rk.dname_len,
ntohs(s->rk.type), ntohs(s->rk.rrset_class),
qstate, id, iq,
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
verbose(VERB_ALGO, "could not generate addr check");
return;
}
@@ -1020,7 +1052,7 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
iq->dp->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
if(!generate_sub_request(iq->dp->name, iq->dp->namelen,
LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
verbose(VERB_ALGO, "could not generate ns check");
return;
}
@@ -1077,7 +1109,7 @@ generate_dnskey_prefetch(struct module_qstate* qstate,
iq->dp->name, LDNS_RR_TYPE_DNSKEY, iq->qchase.qclass);
if(!generate_sub_request(iq->dp->name, iq->dp->namelen,
LDNS_RR_TYPE_DNSKEY, iq->qchase.qclass, qstate, id, iq,
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) {
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) {
/* we'll be slower, but it'll work */
verbose(VERB_ALGO, "could not generate dnskey prefetch");
return;
@@ -1251,6 +1283,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
iq->refetch_glue = 0;
iq->query_restart_count++;
iq->sent_count = 0;
+ iq->dp_target_count = 0;
sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region);
if(qstate->env->cfg->qname_minimisation)
iq->minimisation_state = INIT_MINIMISE_STATE;
@@ -1613,7 +1646,7 @@ generate_parentside_target_query(struct module_qstate* qstate,
{
struct module_qstate* subq;
if(!generate_sub_request(name, namelen, qtype, qclass, qstate,
- id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0))
+ id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0))
return 0;
if(subq) {
struct iter_qstate* subiq =
@@ -1664,7 +1697,7 @@ generate_target_query(struct module_qstate* qstate, struct iter_qstate* iq,
{
struct module_qstate* subq;
if(!generate_sub_request(name, namelen, qtype, qclass, qstate,
- id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0))
+ id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0))
return 0;
log_nametypeclass(VERB_QUERY, "new target", name, qtype, qclass);
return 1;
@@ -1703,6 +1736,14 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
"number of glue fetches %d", s, iq->target_count[1]);
return 0;
}
+ if(iq->dp_target_count > MAX_DP_TARGET_COUNT) {
+ char s[LDNS_MAX_DOMAINLEN+1];
+ dname_str(qstate->qinfo.qname, s);
+ verbose(VERB_QUERY, "request %s has exceeded the maximum "
+ "number of glue fetches %d to a single delegation point",
+ s, iq->dp_target_count);
+ return 0;
+ }
iter_mark_cycle_targets(qstate, iq->dp);
missing = (int)delegpt_count_missing_targets(iq->dp);
@@ -1815,7 +1856,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
for(a = p->target_list; a; a=a->next_target) {
(void)delegpt_add_addr(iq->dp, qstate->region,
&a->addr, a->addrlen, a->bogus,
- a->lame, a->tls_auth_name);
+ a->lame, a->tls_auth_name, NULL);
}
}
iq->dp->has_parent_side_NS = 1;
@@ -1832,6 +1873,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
iq->refetch_glue = 1;
iq->query_restart_count++;
iq->sent_count = 0;
+ iq->dp_target_count = 0;
if(qstate->env->cfg->qname_minimisation)
iq->minimisation_state = INIT_MINIMISE_STATE;
return next_state(iq, INIT_REQUEST_STATE);
@@ -1986,7 +2028,7 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
iq->dsns_point, LDNS_RR_TYPE_NS, iq->qchase.qclass);
if(!generate_sub_request(iq->dsns_point, iq->dsns_point_len,
LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) {
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) {
return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
}
@@ -2039,7 +2081,14 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
"number of sends with %d", iq->sent_count);
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
-
+ if(iq->target_count && iq->target_count[2] > MAX_TARGET_NX) {
+ verbose(VERB_QUERY, "request has exceeded the maximum "
+ " number of nxdomain nameserver lookups with %d",
+ iq->target_count[2]);
+ errinf(qstate, "exceeded the maximum nameserver nxdomains");
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
+
/* Make sure we have a delegation point, otherwise priming failed
* or another failure occurred */
if(!iq->dp) {
@@ -2139,12 +2188,41 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->qinfo_out.qtype, iq->qinfo_out.qclass,
qstate->query_flags, qstate->region,
qstate->env->scratch, 0);
- if(msg && msg->rep->an_numrrsets == 0
- && FLAGS_GET_RCODE(msg->rep->flags) ==
+ if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
LDNS_RCODE_NOERROR)
/* no need to send query if it is already
- * cached as NOERROR/NODATA */
+ * cached as NOERROR */
return 1;
+ if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
+ LDNS_RCODE_NXDOMAIN &&
+ qstate->env->need_to_validate &&
+ qstate->env->cfg->harden_below_nxdomain) {
+ if(msg->rep->security == sec_status_secure) {
+ iq->response = msg;
+ return final_state(iq);
+ }
+ if(msg->rep->security == sec_status_unchecked) {
+ struct module_qstate* subq = NULL;
+ if(!generate_sub_request(
+ iq->qinfo_out.qname,
+ iq->qinfo_out.qname_len,
+ iq->qinfo_out.qtype,
+ iq->qinfo_out.qclass,
+ qstate, id, iq,
+ INIT_REQUEST_STATE,
+ FINISHED_STATE, &subq, 1, 1))
+ verbose(VERB_ALGO,
+ "could not validate NXDOMAIN "
+ "response");
+ }
+ }
+ if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
+ LDNS_RCODE_NXDOMAIN) {
+ /* return and add a label in the next
+ * minimisation iteration.
+ */
+ return 1;
+ }
}
}
if(iq->minimisation_state == SKIP_MINIMISE_STATE) {
@@ -2219,6 +2297,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
* generated query will immediately be discarded due to depth and
* that servfail is cached, which is not good as opportunism goes. */
if(iq->depth < ie->max_dependency_depth
+ && iq->num_target_queries == 0
+ && (!iq->target_count || iq->target_count[2]==0)
&& iq->sent_count < TARGET_FETCH_STOP) {
tf_policy = ie->target_fetch_policy[iq->depth];
}
@@ -2256,6 +2336,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->num_current_queries++; /* RespState decrements it*/
iq->referral_count++; /* make sure we don't loop */
iq->sent_count = 0;
+ iq->dp_target_count = 0;
iq->state = QUERY_RESP_STATE;
return 1;
}
@@ -2341,6 +2422,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->num_current_queries++; /* RespState decrements it*/
iq->referral_count++; /* make sure we don't loop */
iq->sent_count = 0;
+ iq->dp_target_count = 0;
iq->state = QUERY_RESP_STATE;
return 1;
}
@@ -2607,7 +2689,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* Make subrequest to validate intermediate
* NXDOMAIN if harden-below-nxdomain is
* enabled. */
- if(qstate->env->cfg->harden_below_nxdomain) {
+ if(qstate->env->cfg->harden_below_nxdomain &&
+ qstate->env->need_to_validate) {
struct module_qstate* subq = NULL;
log_query_info(VERB_QUERY,
"schedule NXDOMAIN validation:",
@@ -2619,7 +2702,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
iq->response->qinfo.qclass,
qstate, id, iq,
INIT_REQUEST_STATE,
- FINISHED_STATE, &subq, 1))
+ FINISHED_STATE, &subq, 1, 1))
verbose(VERB_ALGO,
"could not validate NXDOMAIN "
"response");
@@ -2702,6 +2785,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* Count this as a referral. */
iq->referral_count++;
iq->sent_count = 0;
+ iq->dp_target_count = 0;
/* see if the next dp is a trust anchor, or a DS was sent
* along, indicating dnssec is expected for next zone */
iq->dnssec_expected = iter_indicates_dnssec(qstate->env,
@@ -2776,6 +2860,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
iq->dsns_point = NULL;
iq->auth_zone_response = 0;
iq->sent_count = 0;
+ iq->dp_target_count = 0;
if(iq->minimisation_state != MINIMISE_STATE)
/* Only count as query restart when it is not an extra
* query as result of qname minimisation. */
@@ -2964,7 +3049,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
if(!generate_sub_request(qstate->qinfo.qname,
qstate->qinfo.qname_len, qstate->qinfo.qtype,
qstate->qinfo.qclass, qstate, id, iq,
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
verbose(VERB_ALGO, "could not generate prime check");
}
generate_a_aaaa_check(qstate, iq, id);
@@ -2992,6 +3077,7 @@ static void
processTargetResponse(struct module_qstate* qstate, int id,
struct module_qstate* forq)
{
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];
struct iter_qstate* foriq = (struct iter_qstate*)forq->minfo[id];
struct ub_packed_rrset_key* rrset;
@@ -3029,7 +3115,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
log_rrset_key(VERB_ALGO, "add parentside glue to dp",
iq->pside_glue);
if(!delegpt_add_rrset(foriq->dp, forq->region,
- iq->pside_glue, 1))
+ iq->pside_glue, 1, NULL))
log_err("out of memory adding pside glue");
}
@@ -3040,6 +3126,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
* response type was ANSWER. */
rrset = reply_find_answer_rrset(&iq->qchase, qstate->return_msg->rep);
if(rrset) {
+ int additions = 0;
/* if CNAMEs have been followed - add new NS to delegpt. */
/* BTW. RFC 1918 says NS should not have got CNAMEs. Robust. */
if(!delegpt_find_ns(foriq->dp, rrset->rk.dname,
@@ -3051,13 +3138,23 @@ processTargetResponse(struct module_qstate* qstate, int id,
}
/* if dpns->lame then set the address(es) lame too */
if(!delegpt_add_rrset(foriq->dp, forq->region, rrset,
- dpns->lame))
+ dpns->lame, &additions))
log_err("out of memory adding targets");
+ if(!additions) {
+ /* no new addresses, increase the nxns counter, like
+ * this could be a list of wildcards with no new
+ * addresses */
+ target_count_increase_nx(foriq, 1);
+ }
verbose(VERB_ALGO, "added target response");
delegpt_log(VERB_ALGO, foriq->dp);
} else {
verbose(VERB_ALGO, "iterator TargetResponse failed");
+ delegpt_mark_neg(dpns, qstate->qinfo.qtype);
dpns->resolved = 1; /* fail the target */
+ if((dpns->got4 == 2 || !ie->supports_ipv4) &&
+ (dpns->got6 == 2 || !ie->supports_ipv6))
+ target_count_increase_nx(foriq, 1);
}
}
@@ -3228,7 +3325,7 @@ processCollectClass(struct module_qstate* qstate, int id)
qstate->qinfo.qname_len, qstate->qinfo.qtype,
c, qstate, id, iq, INIT_REQUEST_STATE,
FINISHED_STATE, &subq,
- (int)!(qstate->query_flags&BIT_CD))) {
+ (int)!(qstate->query_flags&BIT_CD), 0)) {
return error_response(qstate, id,
LDNS_RCODE_SERVFAIL);
}
diff --git a/iterator/iterator.h b/iterator/iterator.h
index 67ffeb1..4b325b5 100644
--- a/iterator/iterator.h
+++ b/iterator/iterator.h
@@ -55,6 +55,11 @@ struct rbtree_type;
/** max number of targets spawned for a query and its subqueries */
#define MAX_TARGET_COUNT 64
+/** max number of target lookups per qstate, per delegation point */
+#define MAX_DP_TARGET_COUNT 16
+/** max number of nxdomains allowed for target lookups for a query and
+ * its subqueries */
+#define MAX_TARGET_NX 5
/** max number of query restarts. Determines max number of CNAME chain. */
#define MAX_RESTART_COUNT 8
/** max number of referrals. Makes sure resolver does not run away */
@@ -305,9 +310,14 @@ struct iter_qstate {
int sent_count;
/** number of target queries spawned in [1], for this query and its
- * subqueries, the malloced-array is shared, [0] refcount. */
+ * subqueries, the malloced-array is shared, [0] refcount.
+ * in [2] the number of nxdomains is counted. */
int* target_count;
+ /** number of target lookups per delegation point. Reset to 0 after
+ * receiving referral answer. Not shared with subqueries. */
+ int dp_target_count;
+
/** if true, already tested for ratelimiting and passed the test */
int ratelimit_ok;
diff --git a/services/cache/dns.c b/services/cache/dns.c
index 35adc35..23ec68e 100644
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@@ -271,7 +271,7 @@ find_add_addrs(struct module_env* env, uint16_t qclass,
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
if(akey) {
- if(!delegpt_add_rrset_A(dp, region, akey, 0)) {
+ if(!delegpt_add_rrset_A(dp, region, akey, 0, NULL)) {
lock_rw_unlock(&akey->entry.lock);
return 0;
}
@@ -291,7 +291,7 @@ find_add_addrs(struct module_env* env, uint16_t qclass,
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
ns->namelen, LDNS_RR_TYPE_AAAA, qclass, 0, now, 0);
if(akey) {
- if(!delegpt_add_rrset_AAAA(dp, region, akey, 0)) {
+ if(!delegpt_add_rrset_AAAA(dp, region, akey, 0, NULL)) {
lock_rw_unlock(&akey->entry.lock);
return 0;
}
@@ -325,7 +325,8 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
if(akey) {
- if(!delegpt_add_rrset_A(dp, region, akey, ns->lame)) {
+ if(!delegpt_add_rrset_A(dp, region, akey, ns->lame,
+ NULL)) {
lock_rw_unlock(&akey->entry.lock);
return 0;
}
@@ -345,7 +346,8 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
ns->namelen, LDNS_RR_TYPE_AAAA, qclass, 0, now, 0);
if(akey) {
- if(!delegpt_add_rrset_AAAA(dp, region, akey, ns->lame)) {
+ if(!delegpt_add_rrset_AAAA(dp, region, akey, ns->lame,
+ NULL)) {
lock_rw_unlock(&akey->entry.lock);
return 0;
}
diff --git a/util/data/dname.c b/util/data/dname.c
index c7360f7..b744f06 100644
--- a/util/data/dname.c
+++ b/util/data/dname.c
@@ -231,17 +231,28 @@ int
dname_pkt_compare(sldns_buffer* pkt, uint8_t* d1, uint8_t* d2)
{
uint8_t len1, len2;
+ int count1 = 0, count2 = 0;
log_assert(pkt && d1 && d2);
len1 = *d1++;
len2 = *d2++;
while( len1 != 0 || len2 != 0 ) {
/* resolve ptrs */
if(LABEL_IS_PTR(len1)) {
+ if((size_t)PTR_OFFSET(len1, *d1)
+ >= sldns_buffer_limit(pkt))
+ return -1;
+ if(count1++ > MAX_COMPRESS_PTRS)
+ return -1;
d1 = sldns_buffer_at(pkt, PTR_OFFSET(len1, *d1));
len1 = *d1++;
continue;
}
if(LABEL_IS_PTR(len2)) {
+ if((size_t)PTR_OFFSET(len2, *d2)
+ >= sldns_buffer_limit(pkt))
+ return 1;
+ if(count2++ > MAX_COMPRESS_PTRS)
+ return 1;
d2 = sldns_buffer_at(pkt, PTR_OFFSET(len2, *d2));
len2 = *d2++;
continue;
@@ -300,12 +311,19 @@ dname_pkt_hash(sldns_buffer* pkt, uint8_t* dname, hashvalue_type h)
uint8_t labuf[LDNS_MAX_LABELLEN+1];
uint8_t lablen;
int i;
+ int count = 0;
/* preserve case of query, make hash label by label */
lablen = *dname++;
while(lablen) {
if(LABEL_IS_PTR(lablen)) {
/* follow pointer */
+ if((size_t)PTR_OFFSET(lablen, *dname)
+ >= sldns_buffer_limit(pkt))
+ return h;
+ if(count++ > MAX_COMPRESS_PTRS)
+ return h;
+
dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
lablen = *dname++;
continue;
@@ -333,6 +351,9 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
while(lablen) {
if(LABEL_IS_PTR(lablen)) {
/* follow pointer */
+ if((size_t)PTR_OFFSET(lablen, *dname)
+ >= sldns_buffer_limit(pkt))
+ return;
dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
lablen = *dname++;
continue;
@@ -357,6 +378,7 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
void dname_print(FILE* out, struct sldns_buffer* pkt, uint8_t* dname)
{
uint8_t lablen;
+ int count = 0;
if(!out) out = stdout;
if(!dname) return;
@@ -370,6 +392,15 @@ void dname_print(FILE* out, struct sldns_buffer* pkt, uint8_t* dname)
fputs("??compressionptr??", out);
return;
}
+ if((size_t)PTR_OFFSET(lablen, *dname)
+ >= sldns_buffer_limit(pkt)) {
+ fputs("??compressionptr??", out);
+ return;
+ }
+ if(count++ > MAX_COMPRESS_PTRS) {
+ fputs("??compressionptr??", out);
+ return;
+ }
dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
lablen = *dname++;
continue;
diff --git a/util/data/msgparse.c b/util/data/msgparse.c
index 13cad8a..c8a5384 100644
--- a/util/data/msgparse.c
+++ b/util/data/msgparse.c
@@ -55,7 +55,11 @@ smart_compare(sldns_buffer* pkt, uint8_t* dnow,
{
if(LABEL_IS_PTR(*dnow)) {
/* ptr points to a previous dname */
- uint8_t* p = sldns_buffer_at(pkt, PTR_OFFSET(dnow[0], dnow[1]));
+ uint8_t* p;
+ if((size_t)PTR_OFFSET(dnow[0], dnow[1])
+ >= sldns_buffer_limit(pkt))
+ return -1;
+ p = sldns_buffer_at(pkt, PTR_OFFSET(dnow[0], dnow[1]));
if( p == dprfirst || p == dprlast )
return 0;
/* prev dname is also a ptr, both ptrs are the same. */

182
unbound-1.7.3-anchor-fallback.patch Normal file
View File

@ -0,0 +1,182 @@
From 81e9f82a8ddd811d7ebafe2fd0ee5af836d0b405 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Wed, 4 Jul 2018 10:02:16 +0000
Subject: [PATCH] - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will
not pass if DNSSEC is not enabled. New option -R allows fallback from
resolv.conf to direct queries.
git-svn-id: file:///svn/unbound/trunk@4770 be551aaa-1e26-0410-a405-d3ace91eadb9
---
doc/unbound-anchor.8.in | 5 ++++
smallapp/unbound-anchor.c | 66 ++++++++++++++++++++++++++++++++++-------------
2 files changed, 53 insertions(+), 18 deletions(-)
diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index 02a3e781..e114eb25 100644
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -109,6 +109,11 @@ It does so, because the tool when used for bootstrapping the recursive
resolver, cannot use that recursive resolver itself because it is bootstrapping
that server.
.TP
+.B \-R
+Allow fallback from \-f resolv.conf file to direct root servers query.
+It allows you to prefer local resolvers, but fallback automatically
+to direct root query if they do not respond or do not support DNSSEC.
+.TP
.B \-v
More verbose. Once prints informational messages, multiple times may enable
large debug amounts (such as full certificates or byte\-dumps of downloaded
diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index b3009108..f3985090 100644
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -192,9 +192,10 @@ usage(void)
printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER);
printf("-4 work using IPv4 only\n");
printf("-6 work using IPv6 only\n");
- printf("-f resolv.conf use given resolv.conf to resolve -u name\n");
- printf("-r root.hints use given root.hints to resolve -u name\n"
+ printf("-f resolv.conf use given resolv.conf\n");
+ printf("-r root.hints use given root.hints\n"
" builtin root hints are used by default\n");
+ printf("-R fallback from -f to root query on error\n");
printf("-v more verbose\n");
printf("-C conf debug, read config\n");
printf("-P port use port for https connect, default 443\n");
@@ -1920,8 +1921,7 @@ static int
do_certupdate(const char* root_anchor_file, const char* root_cert_file,
const char* urlname, const char* xmlname, const char* p7sname,
const char* p7signer, const char* res_conf, const char* root_hints,
- const char* debugconf, int ip4only, int ip6only, int port,
- struct ub_result* dnskey)
+ const char* debugconf, int ip4only, int ip6only, int port)
{
STACK_OF(X509)* cert;
BIO *xml, *p7s;
@@ -1961,7 +1961,6 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file,
#ifndef S_SPLINT_S
sk_X509_pop_free(cert, X509_free);
#endif
- ub_resolve_free(dnskey);
ip_list_free(ip_list);
return 1;
}
@@ -2199,16 +2198,33 @@ probe_date_allows_certupdate(const char* root_anchor_file)
return 0;
}
+static struct ub_result *
+fetch_root_key(const char* root_anchor_file, const char* res_conf,
+ const char* root_hints, const char* debugconf,
+ int ip4only, int ip6only)
+{
+ struct ub_ctx* ctx;
+ struct ub_result* dnskey;
+
+ ctx = create_unbound_context(res_conf, root_hints, debugconf,
+ ip4only, ip6only);
+ add_5011_probe_root(ctx, root_anchor_file);
+ dnskey = prime_root_key(ctx);
+ ub_ctx_delete(ctx);
+ return dnskey;
+}
+
/** perform the unbound-anchor work */
static int
do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
const char* urlname, const char* xmlname, const char* p7sname,
const char* p7signer, const char* res_conf, const char* root_hints,
- const char* debugconf, int ip4only, int ip6only, int force, int port)
+ const char* debugconf, int ip4only, int ip6only, int force,
+ int res_conf_fallback, int port)
{
- struct ub_ctx* ctx;
struct ub_result* dnskey;
int used_builtin = 0;
+ int rcode;
/* see if builtin rootanchor needs to be provided, or if
* rootanchor is 'revoked-trust-point' */
@@ -2217,12 +2233,22 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
/* make unbound context with 5011-probe for root anchor,
* and probe . DNSKEY */
- ctx = create_unbound_context(res_conf, root_hints, debugconf,
- ip4only, ip6only);
- add_5011_probe_root(ctx, root_anchor_file);
- dnskey = prime_root_key(ctx);
- ub_ctx_delete(ctx);
-
+ dnskey = fetch_root_key(root_anchor_file, res_conf,
+ root_hints, debugconf, ip4only, ip6only);
+ rcode = dnskey->rcode;
+
+ if (res_conf_fallback && res_conf && !dnskey->secure) {
+ if (verb) printf("%s failed, retrying direct\n", res_conf);
+ ub_resolve_free(dnskey);
+ /* try direct query without res_conf */
+ dnskey = fetch_root_key(root_anchor_file, NULL,
+ root_hints, debugconf, ip4only, ip6only);
+ if (rcode != 0 && dnskey->rcode == 0) {
+ res_conf = NULL;
+ rcode = 0;
+ }
+ }
+
/* if secure: exit */
if(dnskey->secure && !force) {
if(verb) printf("success: the anchor is ok\n");
@@ -2230,18 +2256,18 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
return used_builtin;
}
if(force && verb) printf("debug cert update forced\n");
+ ub_resolve_free(dnskey);
/* if not (and NOERROR): check date and do certupdate */
- if((dnskey->rcode == 0 &&
+ if((rcode == 0 &&
probe_date_allows_certupdate(root_anchor_file)) || force) {
if(do_certupdate(root_anchor_file, root_cert_file, urlname,
xmlname, p7sname, p7signer, res_conf, root_hints,
- debugconf, ip4only, ip6only, port, dnskey))
+ debugconf, ip4only, ip6only, port))
return 1;
return used_builtin;
}
if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
- ub_resolve_free(dnskey);
return used_builtin;
}
@@ -2264,8 +2290,9 @@ int main(int argc, char* argv[])
const char* root_hints = NULL;
const char* debugconf = NULL;
int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
+ int res_conf_fallback = 0;
/* parse the options */
- while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) {
+ while( (c=getopt(argc, argv, "46C:FRP:a:c:f:hln:r:s:u:vx:")) != -1) {
switch(c) {
case 'l':
dolist = 1;
@@ -2300,6 +2327,9 @@ int main(int argc, char* argv[])
case 'r':
root_hints = optarg;
break;
+ case 'R':
+ res_conf_fallback = 1;
+ break;
case 'C':
debugconf = optarg;
break;
@@ -2346,5 +2376,5 @@ int main(int argc, char* argv[])
return do_root_update_work(root_anchor_file, root_cert_file, urlname,
xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
- ip4only, ip6only, force, port);
+ ip4only, ip6only, force, res_conf_fallback, port);
}
--
2.14.4

65
unbound-1.7.3-auth-callback.patch Normal file
View File

@ -0,0 +1,65 @@
--- a/services/authzone.c 2018-06-14 09:09:01.000000000 +0200
+++ b/services/authzone.c 2020-04-16 18:55:50.806693241 +0200
@@ -5139,7 +5139,7 @@
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
@@ -5558,7 +5558,7 @@
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return 0; /* stop on quit */
}
@@ -5619,7 +5619,7 @@
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return 0; /* stop on quit */
}
@@ -5798,7 +5798,7 @@
log_assert(xfr->task_probe);
lock_basic_lock(&xfr->lock);
env = xfr->task_probe->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
@@ -5829,7 +5829,7 @@
log_assert(xfr->task_probe);
lock_basic_lock(&xfr->lock);
env = xfr->task_probe->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return 0; /* stop on quit */
}
@@ -6030,7 +6030,7 @@
log_assert(xfr->task_probe);
lock_basic_lock(&xfr->lock);
env = xfr->task_probe->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
@@ -6089,7 +6089,7 @@
log_assert(xfr->task_nextprobe);
lock_basic_lock(&xfr->lock);
env = xfr->task_nextprobe->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}

13
unbound-1.7.3-crypto-policy-non-compliance-openssl.patch Normal file
View File

@ -0,0 +1,13 @@
diff --git a/util/net_help.c b/util/net_help.c
index a5059b0..a193c36 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -703,7 +703,7 @@ listen_sslctx_setup(void* ctxt)
#endif
#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
/* if we have sha256, set the cipher list to have no known vulns */
- if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
+ if(!SSL_CTX_set_cipher_list(ctx, "PROFILE=SYSTEM"))
log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
#endif

12
unbound-1.7.3-host-any.patch Normal file
View File

@ -0,0 +1,12 @@
diff --git a/smallapp/unbound-host.c b/smallapp/unbound-host.c
index 53bf3277..f02511fe 100644
--- a/smallapp/unbound-host.c
+++ b/smallapp/unbound-host.c
@@ -340,6 +340,7 @@ pretty_output(char* q, int t, int c, struct ub_result* result, int docname)
exit(1);
}
printf("%s\n", s);
+ free(s);
} else printf(" has no %s record", tstr);
printf(" %s\n", secstatus);
}

218
unbound-1.7.3-ipsec-hook.patch Normal file
View File

@ -0,0 +1,218 @@
diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c
index c8400c6..9e916d6 100644
--- a/ipsecmod/ipsecmod.c
+++ b/ipsecmod/ipsecmod.c
@@ -162,6 +162,71 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
}
/**
+ * Check if the string passed is a valid domain name with safe characters to
+ * pass to a shell.
+ * This will only allow:
+ * - digits
+ * - alphas
+ * - hyphen (not at the start)
+ * - dot (not at the start, or the only character)
+ * - underscore
+ * @param s: pointer to the string.
+ * @param slen: string's length.
+ * @return true if s only contains safe characters; false otherwise.
+ */
+static int
+domainname_has_safe_characters(char* s, size_t slen) {
+ size_t i;
+ for(i = 0; i < slen; i++) {
+ if(s[i] == '\0') return 1;
+ if((s[i] == '-' && i != 0)
+ || (s[i] == '.' && (i != 0 || s[1] == '\0'))
+ || (s[i] == '_') || (s[i] >= '0' && s[i] <= '9')
+ || (s[i] >= 'A' && s[i] <= 'Z')
+ || (s[i] >= 'a' && s[i] <= 'z')) {
+ continue;
+ }
+ return 0;
+ }
+ return 1;
+}
+
+/**
+ * Check if the stringified IPSECKEY RDATA contains safe characters to pass to
+ * a shell.
+ * This is only relevant for checking the gateway when the gateway type is 3
+ * (domainname).
+ * @param s: pointer to the string.
+ * @param slen: string's length.
+ * @return true if s contains only safe characters; false otherwise.
+ */
+static int
+ipseckey_has_safe_characters(char* s, size_t slen) {
+ int precedence, gateway_type, algorithm;
+ char* gateway;
+ gateway = (char*)calloc(slen, sizeof(char));
+ if(!gateway) {
+ log_err("ipsecmod: out of memory when calling the hook");
+ return 0;
+ }
+ if(sscanf(s, "%d %d %d %s ",
+ &precedence, &gateway_type, &algorithm, gateway) != 4) {
+ free(gateway);
+ return 0;
+ }
+ if(gateway_type != 3) {
+ free(gateway);
+ return 1;
+ }
+ if(domainname_has_safe_characters(gateway, slen)) {
+ free(gateway);
+ return 1;
+ }
+ free(gateway);
+ return 0;
+}
+
+/**
* Prepare the data and call the hook.
*
* @param qstate: query state.
@@ -175,7 +240,7 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
{
size_t slen, tempdata_len, tempstring_len, i;
char str[65535], *s, *tempstring;
- int w;
+ int w = 0, w_temp, qtype;
struct ub_packed_rrset_key* rrset_key;
struct packed_rrset_data* rrset_data;
uint8_t *tempdata;
@@ -192,9 +257,9 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
memset(s, 0, slen);
/* Copy the hook into the buffer. */
- sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
+ w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
/* Put space into the buffer. */
- sldns_str_print(&s, &slen, " ");
+ w += sldns_str_print(&s, &slen, " ");
/* Copy the qname into the buffer. */
tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
qstate->qinfo.qname_len);
@@ -202,68 +267,96 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
log_err("ipsecmod: out of memory when calling the hook");
return 0;
}
- sldns_str_print(&s, &slen, "\"%s\"", tempstring);
+ if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) {
+ log_err("ipsecmod: qname has unsafe characters");
+ free(tempstring);
+ return 0;
+ }
+ w += sldns_str_print(&s, &slen, "\"%s\"", tempstring);
free(tempstring);
/* Put space into the buffer. */
- sldns_str_print(&s, &slen, " ");
+ w += sldns_str_print(&s, &slen, " ");
/* Copy the IPSECKEY TTL into the buffer. */
rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
- sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
+ w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
/* Put space into the buffer. */
- sldns_str_print(&s, &slen, " ");
- /* Copy the A/AAAA record(s) into the buffer. Start and end this section
- * with a double quote. */
+ w += sldns_str_print(&s, &slen, " ");
rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
qstate->return_msg->rep);
+ /* Double check that the records are indeed A/AAAA.
+ * This should never happen as this function is only executed for A/AAAA
+ * queries but make sure we don't pass anything other than A/AAAA to the
+ * shell. */
+ qtype = ntohs(rrset_key->rk.type);
+ if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) {
+ log_err("ipsecmod: Answer is not of A or AAAA type");
+ return 0;
+ }
rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
- sldns_str_print(&s, &slen, "\"");
+ /* Copy the A/AAAA record(s) into the buffer. Start and end this section
+ * with a double quote. */
+ w += sldns_str_print(&s, &slen, "\"");
for(i=0; i<rrset_data->count; i++) {
if(i > 0) {
/* Put space into the buffer. */
- sldns_str_print(&s, &slen, " ");
+ w += sldns_str_print(&s, &slen, " ");
}
/* Ignore the first two bytes, they are the rr_data len. */
- w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
+ w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
- if(w < 0) {
+ if(w_temp < 0) {
/* Error in printout. */
- return -1;
- } else if((size_t)w >= slen) {
+ log_err("ipsecmod: Error in printing IP address");
+ return 0;
+ } else if((size_t)w_temp >= slen) {
s = NULL; /* We do not want str to point outside of buffer. */
slen = 0;
- return -1;
+ log_err("ipsecmod: shell command too long");
+ return 0;
} else {
- s += w;
- slen -= w;
+ s += w_temp;
+ slen -= w_temp;
+ w += w_temp;
}
}
- sldns_str_print(&s, &slen, "\"");
+ w += sldns_str_print(&s, &slen, "\"");
/* Put space into the buffer. */
- sldns_str_print(&s, &slen, " ");
+ w += sldns_str_print(&s, &slen, " ");
/* Copy the IPSECKEY record(s) into the buffer. Start and end this section
* with a double quote. */
- sldns_str_print(&s, &slen, "\"");
+ w += sldns_str_print(&s, &slen, "\"");
rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
for(i=0; i<rrset_data->count; i++) {
if(i > 0) {
/* Put space into the buffer. */
- sldns_str_print(&s, &slen, " ");
+ w += sldns_str_print(&s, &slen, " ");
}
/* Ignore the first two bytes, they are the rr_data len. */
tempdata = rrset_data->rr_data[i] + 2;
tempdata_len = rrset_data->rr_len[i] - 2;
/* Save the buffer pointers. */
tempstring = s; tempstring_len = slen;
- w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
- NULL, 0);
+ w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s,
+ &slen, NULL, 0);
/* There was an error when parsing the IPSECKEY; reset the buffer
* pointers to their previous values. */
- if(w == -1){
+ if(w_temp == -1) {
s = tempstring; slen = tempstring_len;
+ } else if(w_temp > 0) {
+ if(!ipseckey_has_safe_characters(
+ tempstring, tempstring_len - slen)) {
+ log_err("ipsecmod: ipseckey has unsafe characters");
+ return 0;
+ }
+ w += w_temp;
}
}
- sldns_str_print(&s, &slen, "\"");
- verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
+ w += sldns_str_print(&s, &slen, "\"");
+ if(w >= (int)sizeof(str)) {
+ log_err("ipsecmod: shell command too long");
+ return 0;
+ }
+ verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str);
/* ipsecmod-hook should return 0 on success. */
if(system(str) != 0)
return 0;

14
unbound-1.7.3-ksk-2010-revoked.patch Normal file
View File

@ -0,0 +1,14 @@
diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index 2bf5b3ab..a30523c7 100644
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -246,9 +246,7 @@ get_builtin_ds(void)
return
/* The anchors must start on a new line with ". IN DS and end with \n"[;]
* because the makedist script greps on the source here */
-/* anchor 19036 is from 2010 */
/* anchor 20326 is from 2017 */
-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
}

203
unbound-1.7.3-rh1830625.patch Normal file
View File

@ -0,0 +1,203 @@
diff --git a/config.h.in b/config.h.in
index 3b06bfa..2beb538 100644
--- a/config.h.in
+++ b/config.h.in
@@ -735,6 +735,14 @@
/* Define to 1 to use ipsecmod support. */
#undef USE_IPSECMOD
+/* WARNING! This is only for the libunbound on Linux and does not affect
+ unbound resolving daemon itself. This may severely limit the number of
+ available outgoing ports and thus decrease randomness. Define this only
+ when the target system restricts (e.g. some of SELinux enabled
+ distributions) the use of non-ephemeral ports. Define this to enable use of
+ /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. */
+#undef USE_LINUX_IP_LOCAL_PORT_RANGE
+
/* Define if you want to use internal select based events */
#undef USE_MINI_EVENT
diff --git a/configure b/configure
index 16d50d0..36cf3fa 100755
--- a/configure
+++ b/configure
@@ -878,6 +878,7 @@ enable_dnscrypt
with_libsodium
enable_cachedb
enable_ipsecmod
+enable_linux_ip_local_port_range
with_libunbound_only
'
ac_precious_vars='build_alias
@@ -1565,6 +1566,16 @@ Optional Features:
storage
--enable-ipsecmod Enable ipsecmod module that facilitates
opportunistic IPsec
+ --enable-linux-ip-local-port-range
+ WARNING! This is only for the libunbound on Linux
+ and does not affect unbound resolving daemon itself.
+ This may severely limit the number of available
+ outgoing ports and thus decrease randomness. Use
+ this option only when the target system restricts
+ the use of non-ephemeral ports. (e.g. some of
+ SELinux enabled distributions) Enable this option to
+ use /proc/sys/net/ipv4/ip_local_port_range as a
+ default outgoing port range
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -4147,6 +4158,13 @@ else
else on_mingw="no"; fi
fi
+# are we on Linux?
+if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes"
+else
+ if echo $host $target | grep linux >/dev/null; then on_linux="yes"
+ else on_linux="no"; fi
+fi
+
#
# Determine configuration file
# the eval is to evaluate shell expansion twice
@@ -20899,6 +20917,23 @@ $as_echo "#define USE_IPSECMOD 1" >>confdefs.h
;;
esac
+if test $on_linux = "yes"; then
+ # Check whether --enable-linux-ip-local-port-range was given.
+if test "${enable_linux_ip_local_port_range+set}" = set; then :
+ enableval=$enable_linux_ip_local_port_range;
+fi
+
+ case "$enable_linux_ip_local_port_range" in
+ yes)
+
+$as_echo "#define USE_LINUX_IP_LOCAL_PORT_RANGE 1" >>confdefs.h
+
+ ;;
+ no|*)
+ ;;
+ esac
+fi
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
$as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }
# on openBSD, the implicit rule make $< work.
diff --git a/configure.ac b/configure.ac
index 1bff4ed..525ad62 100644
--- a/configure.ac
+++ b/configure.ac
@@ -131,6 +131,13 @@ else
else on_mingw="no"; fi
fi
+# are we on Linux?
+if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes"
+else
+ if echo $host $target | grep linux >/dev/null; then on_linux="yes"
+ else on_linux="no"; fi
+fi
+
#
# Determine configuration file
# the eval is to evaluate shell expansion twice
@@ -1520,6 +1527,17 @@ case "$enable_ipsecmod" in
;;
esac
+if test $on_linux = "yes"; then
+ AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Use this option only when the target system restricts the use of non-ephemeral ports. (e.g. some of SELinux enabled distributions) Enable this option to use /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range]))
+ case "$enable_linux_ip_local_port_range" in
+ yes)
+ AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports. Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range.])
+ ;;
+ no|*)
+ ;;
+ esac
+fi
+
AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
# on openBSD, the implicit rule make $< work.
# on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
diff --git a/libunbound/context.c b/libunbound/context.c
index 6ac8086..e1fbc64 100644
--- a/libunbound/context.c
+++ b/libunbound/context.c
@@ -60,6 +60,7 @@ context_finalize(struct ub_ctx* ctx)
if(ctx->logfile_override)
log_file(ctx->log_out);
else log_init(cfg->logfile, cfg->use_syslog, NULL);
+ cfg_apply_local_port_policy(cfg, 65536);
config_apply(cfg);
if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env))
return UB_INITFAIL;
diff --git a/util/config_file.c b/util/config_file.c
index 68a0a15..eaf1ca3 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -1474,6 +1474,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail)
return num;
}
+void cfg_apply_local_port_policy(struct config_file* cfg, int num) {
+(void)cfg;
+(void)num;
+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
+ {
+ int i = 0;
+ FILE* range_fd;
+ if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) {
+ int min_port = 0;
+ int max_port = num - 1;
+ if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) {
+ for(i=0; i<min_port; i++) {
+ cfg->outgoing_avail_ports[i] = 0;
+ }
+ for(i=max_port+1; i<num; i++) {
+ cfg->outgoing_avail_ports[i] = 0;
+ }
+ } else {
+ log_err("unexpected port range in %s",
+ LINUX_IP_LOCAL_PORT_RANGE_PATH);
+ }
+ fclose(range_fd);
+ } else {
+ log_warn("failed to read from file: %s (%s)",
+ LINUX_IP_LOCAL_PORT_RANGE_PATH,
+ strerror(errno));
+ }
+ }
+#endif
+}
+
/** print error with file and line number */
static void ub_c_error_va_list(const char *fmt, va_list args)
{
diff --git a/util/config_file.h b/util/config_file.h
index 1e7f402..3aa71b7 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -1009,6 +1009,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num);
*/
int cfg_condense_ports(struct config_file* cfg, int** avail);
+/**
+ * Apply system specific port range policy.
+ * @param cfg: config file.
+ * @param num: size of the array (65536).
+ */
+void cfg_apply_local_port_policy(struct config_file* cfg, int num);
+
/**
* Scan ports available
* @param avail: the array from cfg.
@@ -1138,4 +1145,8 @@ void w_config_adjust_directory(struct config_file* cfg);
/** debug option for unit tests. */
extern int fake_dsa, fake_sha1;
+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
+#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range"
+#endif
+
#endif /* UTIL_CONFIG_FILE_H */

677
unbound-1.7.3-security-hardening.patch Normal file
View File

@ -0,0 +1,677 @@
diff --git a/config.h.in b/config.h.in
index 04356f3..3b06bfa 100644
--- a/config.h.in
+++ b/config.h.in
@@ -666,6 +666,9 @@
/* Shared data */
#undef SHARE_DIR
+/* The size of `size_t', as computed by sizeof. */
+#undef SIZEOF_SIZE_T
+
/* The size of `time_t', as computed by sizeof. */
#undef SIZEOF_TIME_T
diff --git a/configure.ac b/configure.ac
index c5e0c7b..1bff4ed 100644
--- a/configure.ac
+++ b/configure.ac
@@ -371,6 +371,7 @@ AC_INCLUDES_DEFAULT
# endif
#endif
])
+AC_CHECK_SIZEOF(size_t)
# add option to disable the evil rpath
ACX_ARG_RPATH
diff --git a/contrib/create_unbound_ad_servers.sh b/contrib/create_unbound_ad_servers.sh
index d31f078..49fdbff 100644
--- a/contrib/create_unbound_ad_servers.sh
+++ b/contrib/create_unbound_ad_servers.sh
@@ -9,12 +9,13 @@
# Variables
dst_dir="/etc/opt/csw/unbound"
work_dir="/tmp"
-list_addr="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
+list_addr="https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
# OS commands
CAT=`which cat`
ECHO=`which echo`
WGET=`which wget`
+TR=`which tr`
# Check Wget installed
if [ ! -f $WGET ]; then
@@ -22,8 +23,10 @@ if [ ! -f $WGET ]; then
exit 1
fi
+# remove special characters with tr to protect unbound.conf
$WGET -O $work_dir/yoyo_ad_servers "$list_addr" && \
$CAT $work_dir/yoyo_ad_servers | \
+$TR -d '";$\\' | \
while read line ; \
do \
$ECHO "local-zone: \"$line\" redirect" ;\
@@ -36,4 +39,4 @@ echo "Done."
# the unbound_ad_servers file:
#
# include: $dst_dir/unbound_ad_servers
-#
\ No newline at end of file
+#
diff --git a/daemon/daemon.c b/daemon/daemon.c
index 6820e11..1b4f329 100644
--- a/daemon/daemon.c
+++ b/daemon/daemon.c
@@ -426,9 +426,7 @@ daemon_create_workers(struct daemon* daemon)
int* shufport;
log_assert(daemon && daemon->cfg);
if(!daemon->rand) {
- unsigned int seed = (unsigned int)time(NULL) ^
- (unsigned int)getpid() ^ 0x438;
- daemon->rand = ub_initstate(seed, NULL);
+ daemon->rand = ub_initstate(NULL);
if(!daemon->rand)
fatal_exit("could not init random generator");
hash_set_raninit((uint32_t)ub_random(daemon->rand));
diff --git a/daemon/worker.c b/daemon/worker.c
index 3acecc1..8354010 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -1629,18 +1629,14 @@ worker_create(struct daemon* daemon, int id, int* ports, int n)
return NULL;
}
/* create random state here to avoid locking trouble in RAND_bytes */
- seed = (unsigned int)time(NULL) ^ (unsigned int)getpid() ^
- (((unsigned int)worker->thread_num)<<17);
- /* shift thread_num so it does not match out pid bits */
- if(!(worker->rndstate = ub_initstate(seed, daemon->rand))) {
- seed = 0;
+ if(!(worker->rndstate = ub_initstate(daemon->rand))) {
log_err("could not init random numbers.");
tube_delete(worker->cmd);
free(worker->ports);
free(worker);
return NULL;
}
- seed = 0;
+ explicit_bzero(&seed, sizeof(seed));
#ifdef USE_DNSTAP
if(daemon->cfg->dnstap) {
log_assert(daemon->dtenv != NULL);
diff --git a/dns64/dns64.c b/dns64/dns64.c
index 7889d72..300202c 100644
--- a/dns64/dns64.c
+++ b/dns64/dns64.c
@@ -782,6 +782,16 @@ dns64_inform_super(struct module_qstate* qstate, int id,
* Signal that the sub-query is finished, no matter whether we are
* successful or not. This lets the state machine terminate.
*/
+ if(!super->minfo[id]) {
+ super->minfo[id] = (enum dns64_qstate *)regional_alloc(super->region,
+ sizeof(*(super->minfo[id])));
+ if(!super->minfo[id]) {
+ log_err("out of memory");
+ super->return_rcode = LDNS_RCODE_SERVFAIL;
+ super->return_msg = NULL;
+ return;
+ }
+ }
super->minfo[id] = (void*)DNS64_SUBQUERY_FINISHED;
/* If there is no successful answer, we're done. */
diff --git a/dnscrypt/dnscrypt.c b/dnscrypt/dnscrypt.c
index 3545d3d..7dd2ce5 100644
--- a/dnscrypt/dnscrypt.c
+++ b/dnscrypt/dnscrypt.c
@@ -732,6 +732,11 @@ dnsc_load_local_data(struct dnsc_env* dnscenv, struct config_file *cfg)
);
continue;
}
+ if((unsigned)strlen(dnscenv->provider_name) >= (unsigned)0xffff0000) {
+ /* guard against integer overflow in rrlen calculation */
+ verbose(VERB_OPS, "cert #%" PRIu32 " is too long", serial);
+ continue;
+ }
rrlen = strlen(dnscenv->provider_name) +
strlen(ttl_class_type) +
4 * sizeof(struct SignedCert) + // worst case scenario
diff --git a/doc/Changelog b/doc/Changelog
index bb74461..4cb080e 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,55 @@
+3 December 2019: Wouter
+ - Fix Assert Causing DoS in synth_cname(),
+ reported by X41 D-Sec.
+ - Fix Assert Causing DoS in dname_pkt_copy(),
+ reported by X41 D-Sec.
+ - Fix OOB Read in sldns_wire2str_dname_scan(),
+ reported by X41 D-Sec.
+ - Fix Out of Bounds Write in sldns_str2wire_str_buf(),
+ reported by X41 D-Sec.
+ - Fix Out of Bounds Write in sldns_b64_pton(),
+ fixed by check in sldns_str2wire_int16_data_buf(),
+ reported by X41 D-Sec.
+ - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
+ reported by X41 D-Sec.
+ - Fix Out of Bound Write Compressed Names in rdata_copy(),
+ reported by X41 D-Sec.
+ - Fix Hang in sldns_wire2str_pkt_scan(),
+ reported by X41 D-Sec.
+
+20 November 2019: Wouter
+ - Fix Out of Bounds Read in rrinternal_get_owner(),
+ reported by X41 D-Sec.
+ - Fix Race Condition in autr_tp_create(),
+ reported by X41 D-Sec.
+ - Fix Shared Memory World Writeable,
+ reported by X41 D-Sec.
+ - Adjust unbound-control to make stats_shm a read only operation.
+ - Fix Weak Entropy Used For Nettle,
+ reported by X41 D-Sec.
+ - Fix Randomness Error not Handled Properly,
+ reported by X41 D-Sec.
+ - Fix Out-of-Bounds Read in dname_valid(),
+ reported by X41 D-Sec.
+ - Fix Config Injection in create_unbound_ad_servers.sh,
+ reported by X41 D-Sec.
+
+19 November 2019: Wouter
+ - Fix Integer Overflow in Regional Allocator,
+ reported by X41 D-Sec.
+ - Fix Unchecked NULL Pointer in dns64_inform_super()
+ and ipsecmod_new(), reported by X41 D-Sec.
+ - Fix Out-of-bounds Read in rr_comment_dnskey(),
+ reported by X41 D-Sec.
+ - Fix Integer Overflows in Size Calculations,
+ reported by X41 D-Sec.
+ - Fix Integer Overflow to Buffer Overflow in
+ sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
+ - Fix Out of Bounds Read in sldns_str2wire_dname(),
+ reported by X41 D-Sec.
+ - Fix Out of Bounds Write in sldns_bget_token_par(),
+ reported by X41 D-Sec.
+
30 November 2018: Wouter
- log-tag-queryreply: yes in unbound.conf tags the log-queries and
log-replies in the log file for easier log filter maintenance.
diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c
index 3572f12..1422a62 100644
--- a/ipsecmod/ipsecmod.c
+++ b/ipsecmod/ipsecmod.c
@@ -103,11 +103,11 @@ ipsecmod_new(struct module_qstate* qstate, int id)
{
struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc(
qstate->region, sizeof(struct ipsecmod_qstate));
- memset(iq, 0, sizeof(*iq));
qstate->minfo[id] = iq;
if(!iq)
return 0;
/* Initialise it. */
+ memset(iq, 0, sizeof(*iq));
iq->enabled = qstate->env->cfg->ipsecmod_enabled;
iq->is_whitelisted = ipsecmod_domain_is_whitelisted(
(struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname,
diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
index 8230d17..942c3d5 100644
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -231,6 +231,10 @@ synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset,
size_t dtarglen;
if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen, pkt))
return 0;
+ if(qnamelen <= dname_rrset->dname_len)
+ return 0;
+ if(qnamelen == 0)
+ return 0;
log_assert(qnamelen > dname_rrset->dname_len);
/* DNAME from com. to net. with qname example.com. -> example.net. */
/* so: \3com\0 to \3net\0 and qname \7example\3com\0 */
diff --git a/libunbound/libunbound.c b/libunbound/libunbound.c
index 275e8d2..a8979c2 100644
--- a/libunbound/libunbound.c
+++ b/libunbound/libunbound.c
@@ -83,7 +83,6 @@
static struct ub_ctx* ub_ctx_create_nopipe(void)
{
struct ub_ctx* ctx;
- unsigned int seed;
#ifdef USE_WINSOCK
int r;
WSADATA wsa_data;
@@ -107,15 +106,12 @@ static struct ub_ctx* ub_ctx_create_nopipe(void)
return NULL;
}
alloc_init(&ctx->superalloc, NULL, 0);
- seed = (unsigned int)time(NULL) ^ (unsigned int)getpid();
- if(!(ctx->seed_rnd = ub_initstate(seed, NULL))) {
- seed = 0;
+ if(!(ctx->seed_rnd = ub_initstate(NULL))) {
ub_randfree(ctx->seed_rnd);
free(ctx);
errno = ENOMEM;
return NULL;
}
- seed = 0;
lock_basic_init(&ctx->qqpipe_lock);
lock_basic_init(&ctx->rrpipe_lock);
lock_basic_init(&ctx->cfglock);
diff --git a/libunbound/libworker.c b/libunbound/libworker.c
index 3dcaa78..07a08c6 100644
--- a/libunbound/libworker.c
+++ b/libunbound/libworker.c
@@ -122,7 +122,6 @@ libworker_delete_event(struct libworker* w)
static struct libworker*
libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
{
- unsigned int seed;
struct libworker* w = (struct libworker*)calloc(1, sizeof(*w));
struct config_file* cfg = ctx->env->cfg;
int* ports;
@@ -177,17 +176,13 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
}
w->env->worker = (struct worker*)w;
w->env->probe_timer = NULL;
- seed = (unsigned int)time(NULL) ^ (unsigned int)getpid() ^
- (((unsigned int)w->thread_num)<<17);
- seed ^= (unsigned int)w->env->alloc->next_id;
if(!w->is_bg || w->is_bg_thread) {
lock_basic_lock(&ctx->cfglock);
}
- if(!(w->env->rnd = ub_initstate(seed, ctx->seed_rnd))) {
+ if(!(w->env->rnd = ub_initstate(ctx->seed_rnd))) {
if(!w->is_bg || w->is_bg_thread) {
lock_basic_unlock(&ctx->cfglock);
}
- seed = 0;
libworker_delete(w);
return NULL;
}
@@ -207,7 +202,6 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
hash_set_raninit((uint32_t)ub_random(w->env->rnd));
}
}
- seed = 0;
if(eb)
w->base = comm_base_create_event(eb);
diff --git a/respip/respip.c b/respip/respip.c
index 2e9313f..7d2a588 100644
--- a/respip/respip.c
+++ b/respip/respip.c
@@ -475,10 +475,16 @@ copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region)
if(!ck->rk.dname)
return NULL;
+ if((unsigned)data->count >= 0xffff00U)
+ return NULL; /* guard against integer overflow in dsize */
dsize = sizeof(struct packed_rrset_data) + data->count *
(sizeof(size_t)+sizeof(uint8_t*)+sizeof(time_t));
- for(i=0; i<data->count; i++)
+ for(i=0; i<data->count; i++) {
+ if((unsigned)dsize >= 0x0fffffffU ||
+ (unsigned)data->rr_len[i] >= 0x0fffffffU)
+ return NULL; /* guard against integer overflow */
dsize += data->rr_len[i];
+ }
d = regional_alloc(region, dsize);
if(!d)
return NULL;
diff --git a/sldns/parse.c b/sldns/parse.c
index b62c405..b30264e 100644
--- a/sldns/parse.c
+++ b/sldns/parse.c
@@ -325,8 +325,14 @@ sldns_bget_token_par(sldns_buffer *b, char *token, const char *delim,
if (c == '\n' && p != 0) {
/* in parentheses */
/* do not write ' ' if we want to skip spaces */
- if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' '))))
+ if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' ')))) {
+ /* check for space for the space character */
+ if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+ *t = '\0';
+ return -1;
+ }
*t++ = ' ';
+ }
lc = c;
continue;
}
diff --git a/sldns/str2wire.c b/sldns/str2wire.c
index 1a51bb6..414b7b8 100644
--- a/sldns/str2wire.c
+++ b/sldns/str2wire.c
@@ -150,6 +150,10 @@ int sldns_str2wire_dname_buf_origin(const char* str, uint8_t* buf, size_t* len,
if(s) return s;
if(rel && origin && dlen > 0) {
+ if((unsigned)dlen >= 0x00ffffffU ||
+ (unsigned)origin_len >= 0x00ffffffU)
+ /* guard against integer overflow in addition */
+ return RET_ERR(LDNS_WIREPARSE_ERR_GENERAL, *len);
if(dlen + origin_len - 1 > LDNS_MAX_DOMAINLEN)
return RET_ERR(LDNS_WIREPARSE_ERR_DOMAINNAME_OVERFLOW,
LDNS_MAX_DOMAINLEN);
@@ -168,7 +172,9 @@ uint8_t* sldns_str2wire_dname(const char* str, size_t* len)
uint8_t dname[LDNS_MAX_DOMAINLEN+1];
*len = sizeof(dname);
if(sldns_str2wire_dname_buf(str, dname, len) == 0) {
- uint8_t* r = (uint8_t*)malloc(*len);
+ uint8_t* r;
+ if(*len > sizeof(dname)) return NULL;
+ r = (uint8_t*)malloc(*len);
if(r) return memcpy(r, dname, *len);
}
*len = 0;
@@ -187,6 +193,9 @@ rrinternal_get_owner(sldns_buffer* strbuf, uint8_t* rr, size_t* len,
sldns_buffer_position(strbuf));
}
+ if(token_len < 2) /* make sure there is space to read "@" or "" */
+ return RET_ERR(LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
+ sldns_buffer_position(strbuf));
if(strcmp(token, "@") == 0) {
uint8_t* tocopy;
if (origin) {
@@ -1094,7 +1103,7 @@ int sldns_str2wire_str_buf(const char* str, uint8_t* rd, size_t* len)
while(sldns_parse_char(&ch, &s)) {
if(sl >= 255)
return RET_ERR(LDNS_WIREPARSE_ERR_INVALID_STR, s-str);
- if(*len < sl+1)
+ if(*len < sl+2)
return RET_ERR(LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
s-str);
rd[++sl] = ch;
@@ -2095,6 +2104,8 @@ int sldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len)
char* s;
int n;
n = strtol(str, &s, 10);
+ if(n < 0) /* negative number not allowed */
+ return LDNS_WIREPARSE_ERR_SYNTAX;
if(*len < ((size_t)n)+2)
return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
if(n > 65535)
diff --git a/sldns/wire2str.c b/sldns/wire2str.c
index 832239f..a95c9b3 100644
--- a/sldns/wire2str.c
+++ b/sldns/wire2str.c
@@ -585,6 +585,7 @@ static int rr_comment_dnskey(char** s, size_t* slen, uint8_t* rr,
if(rrlen < dname_off + 10) return 0;
rdlen = sldns_read_uint16(rr+dname_off+8);
if(rrlen < dname_off + 10 + rdlen) return 0;
+ if(rdlen < 2) return 0;
rdata = rr + dname_off + 10;
flags = (int)sldns_read_uint16(rdata);
w += sldns_str_print(s, slen, " ;{");
@@ -781,7 +782,7 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
/* spool labels onto the string, use compression if its there */
uint8_t* pos = *d;
unsigned i, counter=0;
- const unsigned maxcompr = 1000; /* loop detection, max compr ptrs */
+ const unsigned maxcompr = 256; /* loop detection, max compr ptrs */
int in_buf = 1;
if(*dlen == 0) return sldns_str_print(s, slen, "ErrorMissingDname");
if(*pos == 0) {
@@ -789,7 +790,7 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
(*dlen)--;
return sldns_str_print(s, slen, ".");
}
- while(*pos) {
+ while((!pkt || pos < pkt+pktlen) && *pos) {
/* read label length */
uint8_t labellen = *pos++;
if(in_buf) { (*d)++; (*dlen)--; }
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index d165417..2884309 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -407,19 +407,19 @@ static void print_stats_shm(const char* cfgfile)
if(!config_read(cfg, cfgfile, NULL))
fatal_exit("could not read config file");
/* get shm segments */
- id_ctl = shmget(cfg->shm_key, sizeof(int), SHM_R|SHM_W);
+ id_ctl = shmget(cfg->shm_key, sizeof(int), SHM_R);
if(id_ctl == -1) {
fatal_exit("shmget(%d): %s", cfg->shm_key, strerror(errno));
}
- id_arr = shmget(cfg->shm_key+1, sizeof(int), SHM_R|SHM_W);
+ id_arr = shmget(cfg->shm_key+1, sizeof(int), SHM_R);
if(id_arr == -1) {
fatal_exit("shmget(%d): %s", cfg->shm_key+1, strerror(errno));
}
- shm_stat = (struct ub_shm_stat_info*)shmat(id_ctl, NULL, 0);
+ shm_stat = (struct ub_shm_stat_info*)shmat(id_ctl, NULL, SHM_RDONLY);
if(shm_stat == (void*)-1) {
fatal_exit("shmat(%d): %s", id_ctl, strerror(errno));
}
- stats = (struct ub_stats_info*)shmat(id_arr, NULL, 0);
+ stats = (struct ub_stats_info*)shmat(id_arr, NULL, SHM_RDONLY);
if(stats == (void*)-1) {
fatal_exit("shmat(%d): %s", id_arr, strerror(errno));
}
diff --git a/testcode/unitmain.c b/testcode/unitmain.c
index fecde80..96a6654 100644
--- a/testcode/unitmain.c
+++ b/testcode/unitmain.c
@@ -537,10 +537,8 @@ rnd_test(void)
struct ub_randstate* r;
int num = 1000, i;
long int a[1000];
- unsigned int seed = (unsigned)time(NULL);
unit_show_feature("ub_random");
- printf("ub_random seed is %u\n", seed);
- unit_assert( (r = ub_initstate(seed, NULL)) );
+ unit_assert( (r = ub_initstate(NULL)) );
for(i=0; i<num; i++) {
a[i] = ub_random(r);
unit_assert(a[i] >= 0);
diff --git a/util/data/dname.c b/util/data/dname.c
index b744f06..923be02 100644
--- a/util/data/dname.c
+++ b/util/data/dname.c
@@ -75,6 +75,8 @@ dname_valid(uint8_t* dname, size_t maxlen)
{
size_t len = 0;
size_t labellen;
+ if(maxlen == 0)
+ return 0; /* too short, shortest is '0' root label */
labellen = *dname++;
while(labellen) {
if(labellen&0xc0)
@@ -345,11 +347,17 @@ dname_pkt_hash(sldns_buffer* pkt, uint8_t* dname, hashvalue_type h)
void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
{
/* copy over the dname and decompress it at the same time */
+ size_t comprcount = 0;
size_t len = 0;
uint8_t lablen;
lablen = *dname++;
while(lablen) {
if(LABEL_IS_PTR(lablen)) {
+ if(comprcount++ > MAX_COMPRESS_PTRS) {
+ /* too many compression pointers */
+ *to = 0; /* end the result prematurely */
+ return;
+ }
/* follow pointer */
if((size_t)PTR_OFFSET(lablen, *dname)
>= sldns_buffer_limit(pkt))
@@ -358,6 +366,10 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
lablen = *dname++;
continue;
}
+ if(lablen > LDNS_MAX_LABELLEN) {
+ *to = 0; /* end the result prematurely */
+ return;
+ }
log_assert(lablen <= LDNS_MAX_LABELLEN);
len += (size_t)lablen+1;
if(len >= LDNS_MAX_DOMAINLEN) {
diff --git a/util/data/msgreply.c b/util/data/msgreply.c
index df2131c..dbae34d 100644
--- a/util/data/msgreply.c
+++ b/util/data/msgreply.c
@@ -238,10 +238,10 @@ rdata_copy(sldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to,
break;
}
if(len) {
+ log_assert(len <= pkt_len);
memmove(to, sldns_buffer_current(pkt), len);
to += len;
sldns_buffer_skip(pkt, (ssize_t)len);
- log_assert(len <= pkt_len);
pkt_len -= len;
}
rdf++;
diff --git a/util/random.c b/util/random.c
index 8332960..9380502 100644
--- a/util/random.c
+++ b/util/random.c
@@ -86,8 +86,7 @@ ub_systemseed(unsigned int ATTR_UNUSED(seed))
}
struct ub_randstate*
-ub_initstate(unsigned int ATTR_UNUSED(seed),
- struct ub_randstate* ATTR_UNUSED(from))
+ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
{
struct ub_randstate* s = (struct ub_randstate*)malloc(1);
if(!s) {
@@ -123,8 +122,8 @@ void ub_systemseed(unsigned int ATTR_UNUSED(seed))
{
}
-struct ub_randstate* ub_initstate(unsigned int ATTR_UNUSED(seed),
- struct ub_randstate* ATTR_UNUSED(from))
+struct ub_randstate*
+ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
{
struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
if(!s) {
@@ -140,7 +139,9 @@ long int ub_random(struct ub_randstate* ATTR_UNUSED(state))
/* random 31 bit value. */
SECStatus s = PK11_GenerateRandom((unsigned char*)&x, (int)sizeof(x));
if(s != SECSuccess) {
- log_err("PK11_GenerateRandom error: %s",
+ /* unbound needs secure randomness for randomized
+ * ID bits and port numbers in packets to upstream servers */
+ fatal_exit("PK11_GenerateRandom error: %s",
PORT_ErrorToString(PORT_GetError()));
}
return x & MAX_VALUE;
@@ -166,8 +167,7 @@ void ub_systemseed(unsigned int ATTR_UNUSED(seed))
log_err("Re-seeding not supported, generator untouched");
}
-struct ub_randstate* ub_initstate(unsigned int seed,
- struct ub_randstate* ATTR_UNUSED(from))
+struct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
{
struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
uint8_t buf[YARROW256_SEED_FILE_SIZE];
@@ -183,15 +183,10 @@ struct ub_randstate* ub_initstate(unsigned int seed,
yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
s->seeded = yarrow256_is_seeded(&s->ctx);
} else {
- /* Stretch the uint32 input seed and feed it to Yarrow */
- uint32_t v = seed;
- size_t i;
- for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) {
- memmove(buf+i*sizeof(seed), &v, sizeof(seed));
- v = v*seed + (uint32_t)i;
- }
- yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
- s->seeded = yarrow256_is_seeded(&s->ctx);
+ log_err("nettle random(yarrow) cannot initialize, "
+ "getentropy failed: %s", strerror(errno));
+ free(s);
+ return NULL;
}
return s;
diff --git a/util/random.h b/util/random.h
index a05a994..e75157d 100644
--- a/util/random.h
+++ b/util/random.h
@@ -57,15 +57,12 @@ void ub_systemseed(unsigned int seed);
/**
* Initialize a random generator state for use
- * @param seed: seed value to create state contents.
- * (ignored for arc4random).
* @param from: if not NULL, the seed is taken from this random structure.
* can be used to seed random states via a parent-random-state that
* is itself seeded with entropy.
* @return new state or NULL alloc failure.
*/
-struct ub_randstate* ub_initstate(unsigned int seed,
- struct ub_randstate* from);
+struct ub_randstate* ub_initstate(struct ub_randstate* from);
/**
* Generate next random number from the state passed along.
diff --git a/util/regional.c b/util/regional.c
index 899a54e..5be09eb 100644
--- a/util/regional.c
+++ b/util/regional.c
@@ -120,8 +120,18 @@ regional_destroy(struct regional *r)
void *
regional_alloc(struct regional *r, size_t size)
{
- size_t a = ALIGN_UP(size, ALIGNMENT);
+ size_t a;
void *s;
+ if(
+#if SIZEOF_SIZE_T == 8
+ (unsigned long long)size >= 0xffffffffffffff00ULL
+#else
+ (unsigned)size >= (unsigned)0xffffff00UL
+#endif
+ )
+ return NULL; /* protect against integer overflow in
+ malloc and ALIGN_UP */
+ a = ALIGN_UP(size, ALIGNMENT);
/* large objects */
if(a > REGIONAL_LARGE_OBJECT_SIZE) {
s = malloc(ALIGNMENT + size);
diff --git a/util/shm_side/shm_main.c b/util/shm_side/shm_main.c
index a783c09..69bee4d 100644
--- a/util/shm_side/shm_main.c
+++ b/util/shm_side/shm_main.c
@@ -121,7 +121,7 @@ int shm_main_init(struct daemon* daemon)
shmctl(daemon->shm_info->id_arr, IPC_RMID, NULL);
/* SHM: Create the segment */
- daemon->shm_info->id_ctl = shmget(daemon->shm_info->key, sizeof(struct ub_shm_stat_info), IPC_CREAT | 0666);
+ daemon->shm_info->id_ctl = shmget(daemon->shm_info->key, sizeof(struct ub_shm_stat_info), IPC_CREAT | 0644);
if (daemon->shm_info->id_ctl < 0)
{
@@ -134,7 +134,7 @@ int shm_main_init(struct daemon* daemon)
return 0;
}
- daemon->shm_info->id_arr = shmget(daemon->shm_info->key + 1, shm_size, IPC_CREAT | 0666);
+ daemon->shm_info->id_arr = shmget(daemon->shm_info->key + 1, shm_size, IPC_CREAT | 0644);
if (daemon->shm_info->id_arr < 0)
{
diff --git a/validator/autotrust.c b/validator/autotrust.c
index 7bc5577..e19bd7b 100644
--- a/validator/autotrust.c
+++ b/validator/autotrust.c
@@ -370,10 +370,10 @@ autr_tp_create(struct val_anchors* anchors, uint8_t* own, size_t own_len,
free(tp);
return NULL;
}
- lock_basic_unlock(&anchors->lock);
lock_basic_init(&tp->lock);
lock_protect(&tp->lock, tp, sizeof(*tp));
lock_protect(&tp->lock, tp->autr, sizeof(*tp->autr));
+ lock_basic_unlock(&anchors->lock);
return tp;
}

43
unbound-1.7.3-symlink-traversal.patch Normal file
View File

@ -0,0 +1,43 @@
diff --git a/unbound-1.7.3/daemon/unbound.c b/unbound-1.7.3/daemon/unbound.c
index 1383110..66ed61d 100644
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@@ -327,18 +327,32 @@ readpid (const char* file)
static void
writepid (const char* pidfile, pid_t pid)
{
- FILE* f;
+ int fd;
+ char pidbuf[32];
+ size_t count = 0;
+ snprintf(pidbuf, sizeof(pidbuf), "%lu\n", (unsigned long)pid);
- if ((f = fopen(pidfile, "w")) == NULL ) {
+ if((fd = open(pidfile, O_WRONLY | O_CREAT | O_TRUNC
+#ifdef O_NOFOLLOW
+ | O_NOFOLLOW
+#endif
+ , 0644)) == -1) {
log_err("cannot open pidfile %s: %s",
pidfile, strerror(errno));
return;
}
- if(fprintf(f, "%lu\n", (unsigned long)pid) < 0) {
- log_err("cannot write to pidfile %s: %s",
- pidfile, strerror(errno));
+ while(count < strlen(pidbuf)) {
+ ssize_t r = write(fd, pidbuf+count, strlen(pidbuf)-count);
+ if(r == -1) {
+ if(errno == EAGAIN || errno == EINTR)
+ continue;
+ log_err("cannot write to pidfile %s: %s",
+ pidfile, strerror(errno));
+ break;
+ }
+ count += r;
}
- fclose(f);
+ close(fd);
}
/**

109
unbound-1.7.3-use-basic-lock.patch Normal file
View File

@ -0,0 +1,109 @@
diff --git a/util/log.c b/util/log.c
index 75a58f9..43dd572 100644
--- a/util/log.c
+++ b/util/log.c
@@ -70,7 +70,7 @@ static int key_created = 0;
static ub_thread_key_type logkey;
#ifndef THREADS_DISABLED
/** pthread mutex to protect FILE* */
-static lock_quick_type log_lock;
+static lock_basic_type log_lock;
#endif
/** the identity of this executable/process */
static const char* ident="unbound";
@@ -90,18 +90,18 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
if(!key_created) {
key_created = 1;
ub_thread_key_create(&logkey, NULL);
- lock_quick_init(&log_lock);
+ lock_basic_init(&log_lock);
}
- lock_quick_lock(&log_lock);
+ lock_basic_lock(&log_lock);
if(logfile
#if defined(HAVE_SYSLOG_H) || defined(UB_ON_WINDOWS)
|| logging_to_syslog
#endif
) {
- lock_quick_unlock(&log_lock); /* verbose() needs the lock */
+ lock_basic_unlock(&log_lock); /* verbose() needs the lock */
verbose(VERB_QUERY, "switching log to %s",
use_syslog?"syslog":(filename&&filename[0]?filename:"stderr"));
- lock_quick_lock(&log_lock);
+ lock_basic_lock(&log_lock);
}
if(logfile && logfile != stderr) {
FILE* cl = logfile;
@@ -119,7 +119,7 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
* chroot and no longer be able to access dev/log and so on */
openlog(ident, LOG_NDELAY, LOG_DAEMON);
logging_to_syslog = 1;
- lock_quick_unlock(&log_lock);
+ lock_basic_unlock(&log_lock);
return;
}
#elif defined(UB_ON_WINDOWS)
@@ -128,13 +128,13 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
}
if(use_syslog) {
logging_to_syslog = 1;
- lock_quick_unlock(&log_lock);
+ lock_basic_unlock(&log_lock);
return;
}
#endif /* HAVE_SYSLOG_H */
if(!filename || !filename[0]) {
logfile = stderr;
- lock_quick_unlock(&log_lock);
+ lock_basic_unlock(&log_lock);
return;
}
/* open the file for logging */
@@ -143,7 +143,7 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
filename += strlen(chrootdir);
f = fopen(filename, "a");
if(!f) {
- lock_quick_unlock(&log_lock);
+ lock_basic_unlock(&log_lock);
log_err("Could not open logfile %s: %s", filename,
strerror(errno));
return;
@@ -153,14 +153,14 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
setvbuf(f, NULL, (int)_IOLBF, 0);
#endif
logfile = f;
- lock_quick_unlock(&log_lock);
+ lock_basic_unlock(&log_lock);
}
void log_file(FILE *f)
{
- lock_quick_lock(&log_lock);
+ lock_basic_lock(&log_lock);
logfile = f;
- lock_quick_unlock(&log_lock);
+ lock_basic_unlock(&log_lock);
}
void log_thread_set(int* num)
@@ -250,9 +250,9 @@ log_vmsg(int pri, const char* type,
return;
}
#endif /* HAVE_SYSLOG_H */
- lock_quick_lock(&log_lock);
+ lock_basic_lock(&log_lock);
if(!logfile) {
- lock_quick_unlock(&log_lock);
+ lock_basic_unlock(&log_lock);
return;
}
if(log_now)
@@ -279,7 +279,7 @@ log_vmsg(int pri, const char* type,
/* line buffering does not work on windows */
fflush(logfile);
#endif
- lock_quick_unlock(&log_lock);
+ lock_basic_unlock(&log_lock);
}
/**

9
unbound-anchor.service Normal file
View File

@ -0,0 +1,9 @@
[Unit]
Description=update of the root trust anchor for DNSSEC validation in unbound
Documentation=man:unbound-anchor(8)
[Service]
Type=oneshot
User=unbound
ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
SuccessExitStatus=1

14
unbound-anchor.timer Normal file
View File

@ -0,0 +1,14 @@
[Unit]
Description=daily update of the root trust anchor for DNSSEC
Documentation=man:unbound-anchor(8)
[Timer]
# Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days.
# It means that unboud-anchor should be run at least once a day.
OnCalendar=daily
Persistent=true
AccuracySec=24h
[Install]
WantedBy=timers.target

15
unbound-keygen.service Normal file
View File

@ -0,0 +1,15 @@
[Unit]
Description=Unbound Control Key And Certificate Generator
After=syslog.target
Before=unbound.service
ConditionPathExists=!/etc/unbound/unbound_control.key
[Service]
Type=oneshot
Group=unbound
ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/
ExecStart=/sbin/restorecon /etc/unbound/*
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

5
unbound-munin.README Normal file
View File

@ -0,0 +1,5 @@
To activate the munin plugins, run (as root):
cd /etc/munin/plugins
for i in /usr/share/munin/plugins/unbound_*; do ln -s $i; done

957
unbound.conf Normal file
View File

@ -0,0 +1,957 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page
#
# this is a comment.
#Use this to include other text into the file.
#include: "otherfile.conf"
# The server clause sets the main parameters.
server:
# whitespace is not necessary, but looks cleaner.
# verbosity number, 0 is least verbose. 1 is default.
verbosity: 1
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
# Needs to be disabled for munin plugin
statistics-interval: 0
# enable shm for stats, default no. if you enable also enable
# statistics-interval, every time it also writes stats to the
# shared memory segment keyed with shm-key.
# shm-enable: no
# shm for stats uses this key, and key+1 for the shared mem segment.
# shm-key: 11777
# enable cumulative statistics, without clearing them after printing.
# Needs to be disabled for munin plugin
statistics-cumulative: no
# enable extended statistics (query types, answer codes, status)
# printed from unbound-control. default off, because of speed.
# Needs to be enabled for munin plugin
extended-statistics: yes
# number of threads to create. 1 disables threading.
num-threads: 4
# specify the interfaces to answer queries from by ip-address.
# The default is to listen to localhost (127.0.0.1 and ::1).
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
# interface: 0.0.0.0
# interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 192.0.2.154@5003
# interface: 2001:DB8::5
#
# for dns over tls and raw dns over port 80
# interface: 0.0.0.0@443
# interface: ::0@443
# interface: 0.0.0.0@80
# interface: ::0@80
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
# interface-automatic: yes
#
# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
# NOTE: Disabled per Fedora policy not to listen to * on default install
# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
interface-automatic: no
# port to answer queries from
# port: 53
# specify the interfaces to send outgoing queries to authoritative
# server from by ip-address. If none, the default (all) interface
# is used. Specify every interface on a 'outgoing-interface:' line.
# outgoing-interface: 192.0.2.153
# outgoing-interface: 2001:DB8::5
# outgoing-interface: 2001:DB8::6
# Specify a netblock to use remainder 64 bits as random bits for
# upstream queries. Uses freebind option (Linux).
# outgoing-interface: 2001:DB8::/64
# Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
# And: ip -6 route add local 2001:db8::/64 dev lo
# And set prefer-ip6: yes to use the ip6 randomness from a netblock.
# Set this to yes to prefer ipv6 upstream servers over ipv4.
# prefer-ip6: no
# number of ports to allocate per thread, determines the size of the
# port range that can be open simultaneously. About double the
# num-queries-per-thread, or, use as many as the OS will allow you.
# outgoing-range: 4096
# permit unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
# Only ephemeral ports are allowed by SElinux
outgoing-port-permit: 32768-60999
# deny unbound the use this of port number or port range for
# making outgoing queries, using an outgoing interface.
# Use this to make sure unbound does not grab a UDP port that some
# other server on this computer needs. The default is to avoid
# IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options
# are present, they are processed in order.
# Our SElinux policy does not allow non-ephemeral ports to be used
outgoing-port-avoid: 0-32767
# number of outgoing simultaneous tcp buffers to hold per thread.
# outgoing-num-tcp: 10
# number of incoming simultaneous tcp buffers to hold per thread.
# incoming-num-tcp: 10
# buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
# 0 is system default. Use 4m to catch query spikes for busy servers.
# so-rcvbuf: 0
# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
# 0 is system default. Use 4m to handle spikes on very busy servers.
# so-sndbuf: 0
# use SO_REUSEPORT to distribute queries over threads.
so-reuseport: yes
# use IP_TRANSPARENT so the interface: addresses can be non-local
# and you can config non-existing IPs that are going to work later on
# (uses IP_BINDANY on FreeBSD).
ip-transparent: yes
# use IP_FREEBIND so the interface: addresses can be non-local
# and you can bind to nonexisting IPs and interfaces that are down.
# Linux only. On Linux you also have ip-transparent that is similar.
# ip-freebind: no
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts).
# edns-buffer-size: 4096
# Maximum UDP response size (not applied to TCP response).
# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
# 3072 causes +dnssec any isc.org queries to need TC=1.
# Helps mitigating DDOS
max-udp-size: 3072
# buffer size for handling DNS data. No messages larger than this
# size can be sent or received, by UDP or TCP. In bytes.
# msg-buffer-size: 65552
# the amount of memory to use for the message cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# msg-cache-size: 4m
# the number of slabs to use for the message cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# msg-cache-slabs: 4
# the number of queries that a thread gets to service.
# num-queries-per-thread: 1024
# if very busy, 50% queries run to completion, 50% get timeout in msec
# jostle-timeout: 200
# msec to wait before close of port on timeout UDP. 0 disables.
# delay-close: 0
# the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m
# the number of slabs to use for the RRset cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# rrset-cache-slabs: 4
# the time to live (TTL) value lower bound, in seconds. Default 0.
# If more than an hour could easily give trouble due to stale data.
# cache-min-ttl: 0
# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
# cache-max-ttl: 86400
# the time to live (TTL) value cap for negative responses in the cache
# cache-max-negative-ttl: 3600
# the time to live (TTL) value for cached roundtrip times, lameness and
# EDNS version information for hosts. In seconds.
# infra-host-ttl: 900
# minimum wait time for responses, increase if uplink is long. In msec.
# infra-cache-min-rtt: 50
# the number of slabs to use for the Infrastructure cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# infra-cache-slabs: 4
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000
# define a number of tags here, use with local-zone, access-control.
# repeat the define-tag statement to add additional tags.
# define-tag: "tag1 tag2 tag3"
# Enable IPv4, "yes" or "no".
# do-ip4: yes
# Enable IPv6, "yes" or "no".
# do-ip6: yes
# Enable UDP, "yes" or "no".
# NOTE: if setting up an unbound on tls443 for public use, you might want to
# disable UDP to avoid being used in DNS amplification attacks.
# do-udp: yes
# Enable TCP, "yes" or "no".
# do-tcp: yes
# upstream connections use TCP only (and no UDP), "yes" or "no"
# useful for tunneling scenarios, default no.
# tcp-upstream: no
# upstream connections also use UDP (even if do-udp is no).
# useful if if you want UDP upstream, but don't provide UDP downstream.
# udp-upstream-without-downstream: no
# Maximum segment size (MSS) of TCP socket on which the server
# responds to queries. Default is 0, system default MSS.
# tcp-mss: 0
# Maximum segment size (MSS) of TCP socket for outgoing queries.
# Default is 0, system default MSS.
# outgoing-tcp-mss: 0
# Fedora note: do not activate this - can cause a crash
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no
# Detach from the terminal, run in background, "yes" or "no".
# Set the value to "no" when unbound runs as systemd service.
# do-daemonize: yes
# control which clients are allowed to make (recursive) queries
# to this server. Specify classless netblocks with /size and action.
# By default everything is refused, except for localhost.
# Choose deny (drop message), refuse (polite error reply),
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
# allow_snoop (recursive and nonrecursive ok)
# deny_non_local (drop queries unless can be answered from local-data)
# refuse_non_local (like deny_non_local but polite error reply).
# access-control: 0.0.0.0/0 refuse
# access-control: 127.0.0.0/8 allow
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
# tag access-control with list of tags (in "" with spaces between)
# Clients using this access control element use localzones that
# are tagged with one of these tags.
# access-control-tag: 192.0.2.0/24 "tag2 tag3"
# set action for particular tag for given access control element
# if you have multiple tag values, the tag used to lookup the action
# is the first tag match between access-control-tag and local-zone-tag
# where "first" comes from the order of the define-tag values.
# access-control-tag-action: 192.0.2.0/24 tag3 refuse
# set redirect data for particular tag for access control element
# access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
# Set view for access control element
# access-control-view: 192.0.2.0/24 viewname
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory.
#
# If chroot is enabled, you should pass the configfile (from the
# commandline) as a full path from the original root. After the
# chroot has been performed the now defunct portion of the config
# file path is removed to be able to reread the config after a reload.
#
# All other file paths (working dir, logfile, roothints, and
# key files) can be specified in several ways:
# o as an absolute path relative to the new root.
# o as a relative path to the working directory.
# o as an absolute path relative to the original root.
# In the last case the path is adjusted to remove the unused portion.
#
# The pid file can be absolute and outside of the chroot, it is
# written just prior to performing the chroot and dropping permissions.
#
# Additionally, unbound may need to access /dev/random (for entropy).
# How to do this is specific to your OS.
#
# If you give "" no chroot is performed. The path must not end in a /.
# chroot: "/var/lib/unbound"
chroot: ""
# if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is user "unbound".
# If you give "" no privileges are dropped.
username: "unbound"
# the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
# is not changed.
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
directory: "/etc/unbound"
# the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
# logfile: ""
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
# log to. If yes, it overrides the logfile.
# use-syslog: yes
# Log identity to report. if empty, defaults to the name of argv[0]
# (usually "unbound").
# log-identity: ""
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
log-time-ascii: yes
# print one line with time, IP, name, type, class for every query.
# log-queries: no
# print one line per reply, with time, IP, name, type, class, rcode,
# timetoresolve, fromcache and responsesize.
# log-replies: no
# the pid file. Can be an absolute path outside of chroot/work dir.
pidfile: "/run/unbound/unbound.pid"
# file to read root hints from.
# get one from https://www.internic.net/domain/named.cache
# root-hints: ""
# enable to not answer id.server and hostname.bind queries.
# hide-identity: no
# enable to not answer version.server and version.bind queries.
# hide-version: no
# enable to not answer trustanchor.unbound queries.
# hide-trustanchor: no
# the identity to report. Leave "" or default to return hostname.
# identity: ""
# the version to report. Leave "" or default to return package version.
# version: ""
# the target fetch policy.
# series of integers describing the policy per dependency depth.
# The number of values in the list determines the maximum dependency
# depth the recursor will pursue before giving up. Each integer means:
# -1 : fetch all targets opportunistically,
# 0: fetch on demand,
# positive value: fetch that many targets opportunistically.
# Enclose the list of numbers between quotes ("").
# target-fetch-policy: "3 2 1 0 0"
# Harden against very small EDNS buffer sizes.
# harden-short-bufsize: no
# Harden against unseemly large queries.
# harden-large-queries: no
# Harden against out of zone rrsets, to avoid spoofing attempts.
harden-glue: yes
# Harden against receiving dnssec-stripped data. If you turn it
# off, failing to validate dnskey data for a trustanchor will
# trigger insecure mode for that zone (like without a trustanchor).
# Default on, which insists on dnssec data for trust-anchored zones.
harden-dnssec-stripped: yes
# Harden against queries that fall under dnssec-signed nxdomain names.
harden-below-nxdomain: yes
# Harden the referral path by performing additional queries for
# infrastructure data. Validates the replies (if possible).
# Default off, because the lookups burden the server. Experimental
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
harden-referral-path: yes
# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record. If no, allows the weakest algorithm
# to validate the zone.
# harden-algo-downgrade: no
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
# to NS when possible.
qname-minimisation: yes
# QNAME minimisation in strict mode. Do not fall-back to sending full
# QNAME to potentially broken nameservers. A lot of domains will not be
# resolvable when this option in enabled.
# This option only has effect when qname-minimisation is enabled.
# qname-minimisation-strict: no
# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
# and other denials, using information from previous NXDOMAINs answers.
aggressive-nsec: yes
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
# use-caps-for-id: no
# Domains (and domains in them) without support for dns-0x20 and
# the fallback fails because they keep sending different answers.
# caps-whitelist: "licdn.com"
# caps-whitelist: "senderbase.org"
# Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus.
# Protects against 'DNS Rebinding' (uses browser as network proxy).
# Only 'private-domain' and 'local-data' names are allowed to have
# these private addresses. No default.
# private-address: 10.0.0.0/8
# private-address: 172.16.0.0/12
# private-address: 192.168.0.0/16
# private-address: 169.254.0.0/16
# private-address: fd00::/8
# private-address: fe80::/10
# private-address: ::ffff:0:0/96
# Allow the domain (and its subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too.
# private-domain: "example.com"
# If nonzero, unwanted replies are not only reported in statistics,
# but also a running total is kept per thread. If it reaches the
# threshold, a warning is printed and a defensive action is taken,
# the cache is cleared to flush potential poison out of it.
# A suggested value is 10000000, the default is 0 (turned off).
unwanted-reply-threshold: 10000000
# Do not query the following addresses. No DNS queries are sent there.
# List one address per entry. List classless netblocks with /size,
# do-not-query-address: 127.0.0.1/8
# do-not-query-address: ::1
# if yes, the above default do-not-query-address entries are present.
# if no, localhost can be queried (for testing and debugging).
# do-not-query-localhost: yes
# if yes, perform prefetching of almost expired message cache entries.
prefetch: yes
# if yes, perform key lookups adjacent to normal lookups.
prefetch-key: yes
# if yes, Unbound rotates RRSet order in response.
rrset-roundrobin: yes
# if yes, Unbound doesn't insert authority/additional sections
# into response messages when those sections are not required.
minimal-responses: yes
# true to disable DNSSEC lameness check in iterator.
# disable-dnssec-lame-check: no
# module configuration of the server. A string with identifiers
# separated by spaces. Syntax: "[dns64] [validator] iterator"
module-config: "ipsecmod validator iterator"
# File with trusted keys, kept uptodate using RFC5011 probes,
# initial file like trust-anchor-file, then it stores metadata.
# Use several entries, one per domain name, to track multiple zones.
#
# If you want to perform DNSSEC validation, run unbound-anchor before
# you start unbound (i.e. in the system boot scripts). And enable:
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
# auto-trust-anchor-file: "/var/lib/unbound/root.key"
# trust anchor signaling sends a RFC8145 key tag query after priming.
trust-anchor-signaling: yes
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
root-key-sentinel: yes
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
# DLV is going to be decommissioned. Please do not use it any more.
# dlv-anchor-file: "dlv.isc.org.key"
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries.
# Note this gets out of date, use auto-trust-anchor-file please.
# trust-anchor-file: ""
# Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default.
# Note this gets out of date, use auto-trust-anchor-file please.
# (These examples are from August 2007 and may not be valid anymore).
# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry. Like trust-anchor-file
# but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# you need external update procedures to track changes in keys.
# trusted-keys-file: ""
#
trusted-keys-file: /etc/unbound/keys.d/*.key
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Ignore chain of trust. Domain is treated as insecure.
# domain-insecure: "example.com"
# Override the date for validation with a specific fixed date.
# Do not set this unless you are debugging signature inception
# and expiration. "" or "0" turns the feature off. -1 ignores date.
# val-override-date: ""
# The time to live for bogus data, rrsets and messages. This avoids
# some of the revalidation, until the time interval expires. in secs.
# val-bogus-ttl: 60
# The signature inception and expiration dates are allowed to be off
# by 10% of the signature lifetime (expir-incep) from our local clock.
# This leeway is capped with a minimum and a maximum. In seconds.
# val-sig-skew-min: 3600
# val-sig-skew-max: 86400
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
# in the additional section is removed from secure messages.
val-clean-additional: yes
# Turn permissive mode on to permit bogus messages. Thus, messages
# for which security checks failed will be returned to clients,
# instead of SERVFAIL. It still performs the security checks, which
# result in interesting log files and possibly the AD bit in
# replies if the message is found secure. The default is off.
# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
val-permissive-mode: no
# Ignore the CD flag in incoming queries and refuse them bogus data.
# Enable it if the only clients of unbound are legacy servers (w2008)
# that set CD but cannot validate themselves.
# ignore-cd-flag: no
# Serve expired responses from cache, with TTL 0 in the response,
# and then attempt to fetch the data afresh.
serve-expired: yes
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
val-log-level: 1
# It is possible to configure NSEC3 maximum iteration counts per
# keysize. Keep this table very short, as linear search is done.
# A message with an NSEC3 with larger count is marked insecure.
# List in ascending order the keysize and count values.
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
# instruct the auto-trust-anchor-file probing to add anchors after ttl.
# add-holddown: 2592000 # 30 days
# instruct the auto-trust-anchor-file probing to del anchors after ttl.
# del-holddown: 2592000 # 30 days
# auto-trust-anchor-file probing removes missing anchors after ttl.
# If the value 0 is given, missing anchors are not removed.
# keep-missing: 31622400 # 366 days
# debug option that allows very small holddown times for key rollover,
# otherwise the RFC mandates probe intervals must be at least 1 hour.
# permit-small-holddown: no
# the amount of memory to use for the key cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# key-cache-size: 4m
# the number of slabs to use for the key cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# key-cache-slabs: 4
# the amount of memory to use for the negative cache (used for DLV).
# plain value in bytes or you can append k, m or G. default is "1Mb".
# neg-cache-size: 1m
# By default, for a number of zones a small default 'nothing here'
# reply is built-in. Query traffic is thus blocked. If you
# wish to serve such zone you can unblock them by uncommenting one
# of the nodefault statements below.
# You may also have to use domain-insecure: zone to make DNSSEC work,
# unless you have your own trust anchors for this zone.
# local-zone: "localhost." nodefault
# local-zone: "127.in-addr.arpa." nodefault
# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
# local-zone: "onion." nodefault
# local-zone: "test." nodefault
# local-zone: "invalid." nodefault
# local-zone: "10.in-addr.arpa." nodefault
# local-zone: "16.172.in-addr.arpa." nodefault
# local-zone: "17.172.in-addr.arpa." nodefault
# local-zone: "18.172.in-addr.arpa." nodefault
# local-zone: "19.172.in-addr.arpa." nodefault
# local-zone: "20.172.in-addr.arpa." nodefault
# local-zone: "21.172.in-addr.arpa." nodefault
# local-zone: "22.172.in-addr.arpa." nodefault
# local-zone: "23.172.in-addr.arpa." nodefault
# local-zone: "24.172.in-addr.arpa." nodefault
# local-zone: "25.172.in-addr.arpa." nodefault
# local-zone: "26.172.in-addr.arpa." nodefault
# local-zone: "27.172.in-addr.arpa." nodefault
# local-zone: "28.172.in-addr.arpa." nodefault
# local-zone: "29.172.in-addr.arpa." nodefault
# local-zone: "30.172.in-addr.arpa." nodefault
# local-zone: "31.172.in-addr.arpa." nodefault
# local-zone: "168.192.in-addr.arpa." nodefault
# local-zone: "0.in-addr.arpa." nodefault
# local-zone: "254.169.in-addr.arpa." nodefault
# local-zone: "2.0.192.in-addr.arpa." nodefault
# local-zone: "100.51.198.in-addr.arpa." nodefault
# local-zone: "113.0.203.in-addr.arpa." nodefault
# local-zone: "255.255.255.255.in-addr.arpa." nodefault
# local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
# local-zone: "d.f.ip6.arpa." nodefault
# local-zone: "8.e.f.ip6.arpa." nodefault
# local-zone: "9.e.f.ip6.arpa." nodefault
# local-zone: "a.e.f.ip6.arpa." nodefault
# local-zone: "b.e.f.ip6.arpa." nodefault
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
# If unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server
# for a network of computers, disabled is better and stops information
# leakage of local lan information.
# unblock-lan-zones: no
# The insecure-lan-zones option disables validation for
# these zones, as if they were all listed as domain-insecure.
# insecure-lan-zones: no
# a number of locally served zones can be configured.
# local-zone: <zone> <type>
# local-data: "<resource record string>"
# o deny serves local data (if any), else, drops queries.
# o refuse serves local data (if any), else, replies with error.
# o static serves local data, else, nxdomain or nodata answer.
# o transparent gives local data, but resolves normally for other names
# o redirect serves the zone data for any subdomain in the zone.
# o nodefault can be used to normally resolve AS112 zones.
# o typetransparent resolves normally for other types and other names
# o inform acts like transparent, but logs client IP address
# o inform_deny drops queries and logs client IP address
# o always_transparent, always_refuse, always_nxdomain, resolve in
# that way but ignore local data for that name
# o noview breaks out of that view towards global local-zones.
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
# the default content is omitted, or you can omit it with 'nodefault'.
#
# If you configure local-data without specifying local-zone, by
# default a transparent local-zone is created for the data.
#
# You can add locally served data with
# local-zone: "local." static
# local-data: "mycomputer.local. IN A 192.0.2.51"
# local-data: 'mytext.local TXT "content of text record"'
#
# You can override certain queries with
# local-data: "adserver.example.com A 127.0.0.1"
#
# You can redirect a domain to a fixed address with
# (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
# local-zone: "example.com" redirect
# local-data: "example.com A 192.0.2.3"
#
# Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
# You can also add PTR records using local-data directly, but then
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
include: /etc/unbound/local.d/*.conf
# tag a localzone with a list of tag names (in "" with spaces between)
# local-zone-tag: "example.com" "tag2 tag3"
# add a netblock specific override to a localzone, with zone type
# local-zone-override: "example.com" 192.0.2.0/24 refuse
# service clients over SSL (on the TCP sockets), with plain DNS inside
# the SSL stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
# tls-service-key: "/etc/unbound/unbound_server.key"
# tls-service-pem: "/etc/unbound/unbound_server.pem"
# tls-port: 853
#
# request upstream over SSL (with plain DNS inside the SSL stream).
# Default is no. Can be turned on and off with unbound-control.
# tls-upstream: no
# Certificates used to authenticate connections made upstream.
# tls-cert-bundle: ""
# Add system certs to the cert bundle, from the Windows Cert Store
# tls-win-cert: no
# Also serve tls on these port numbers (eg. 443, ...), by listing
# tls-additional-ports: portno for each of the port numbers.
# DNS64 prefix. Must be specified when DNS64 is use.
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
# dns64-prefix: 64:ff9b::0/96
# ratelimit for uncached, new queries, this limits recursion effort.
# ratelimiting is experimental, and may help against randomqueryflood.
# if 0(default) it is disabled, otherwise state qps allowed per zone.
# ratelimit: 0
# ratelimits are tracked in a cache, size in bytes of cache (or k,m).
# ratelimit-size: 4m
# ratelimit cache slabs, reduces lock contention if equal to cpucount.
# ratelimit-slabs: 4
# 0 blocks when ratelimited, otherwise let 1/xth traffic through
# ratelimit-factor: 10
# what is considered a low rtt (ping time for upstream server), in msec
# low-rtt: 45
# select low rtt this many times out of 1000. 0 means the fast server
# select is disabled. prefetches are not sped up.
# low-rtt-permil: 0
# override the ratelimit for a specific domain name.
# give this setting multiple times to have multiple overrides.
# ratelimit-for-domain: example.com 1000
# override the ratelimits for all domains below a domain name
# can give this multiple times, the name closest to the zone is used.
# ratelimit-below-domain: com 1000
# global query ratelimit for all ip addresses.
# feature is experimental.
# if 0(default) it is disabled, otherwise states qps allowed per ip address
# ip-ratelimit: 0
# ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
# ip-ratelimit-size: 4m
# ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
# ip-ratelimit-slabs: 4
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10
# Specific options for ipsecmod. unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
#
# Enable or disable ipsecmod (it still needs to be defined in
# module-config above). Can be used when ipsecmod needs to be
# enabled/disabled via remote-control(below).
# Fedora: module will be enabled on-demand by libreswan
ipsecmod-enabled: no
# Path to executable external hook. It must be defined when ipsecmod is
# listed in module-config (above).
# ipsecmod-hook: "./my_executable"
ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
# When enabled unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0.
# ipsecmod-strict: no
#
# Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY.
# ipsecmod-max-ttl: 3600
#
# Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for
# testing.
# ipsecmod-ignore-bogus: no
#
# Domains for which ipsecmod will be triggered. If not defined (default)
# all domains are treated as being whitelisted.
# ipsecmod-whitelist: "libreswan.org"
# ipsecmod-whitelist: "nlnetlabs.nl"
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
# o list python in the module-config string (above) to enable.
# o and give a python-script to run.
python:
# Script file to load
# python-script: "/etc/unbound/ubmodule-tst.py"
# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
# Note: required for unbound-munin package
control-enable: yes
# Set to no and use an absolute path as control-interface to use
# a unix local named pipe for unbound-control.
# control-use-cert: yes
# what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces.
# control-interface: 127.0.0.1
# control-interface: ::1
# port number for remote control operations.
# control-port: 8953
# unbound server key file.
server-key-file: "/etc/unbound/unbound_server.key"
# unbound server certificate file.
server-cert-file: "/etc/unbound/unbound_server.pem"
# unbound-control key file.
control-key-file: "/etc/unbound/unbound_control.key"
# unbound-control certificate file.
control-cert-file: "/etc/unbound/unbound_control.pem"
# Stub and Forward zones
include: /etc/unbound/conf.d/*.conf
# Stub zones.
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of nameservers. list zero or more
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
# the list is treated as priming hints (default is no).
# With stub-first yes, it attempts without the stub if it fails.
# Consider adding domain-insecure: name and local-zone: name nodefault
# to the server: section if the stub is a locally served zone.
# stub-zone:
# name: "example.com"
# stub-addr: 192.0.2.68
# stub-prime: no
# stub-first: no
# stub-tls-upstream: no
# stub-zone:
# name: "example.org"
# stub-host: ns.example.com.
# You can now also dynamically create and delete stub-zone's using
# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
# Forward zones
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle
# recursion to other nameservers. List zero or more nameservers by hostname
# or by ipaddress. Use an entry with name "." to forward all queries.
# If you enable forward-first, it attempts without the forward if it fails.
# forward-zone:
# name: "example.com"
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no
# forward-tls-upstream: no
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
#
# You can now also dynamically create and delete forward-zone's using
# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
# Authority zones
# The data for these zones is kept locally, from a file or downloaded.
# The data can be served to downstream clients, or used instead of the
# upstream (which saves a lookup to the upstream). The first example
# has a copy of the root for local usage. The second serves example.org
# authoritatively. zonefile: reads from file (and writes to it if you also
# download it), master: fetches with AXFR and IXFR, or url to zonefile.
auth-zone:
name: "."
for-downstream: no
for-upstream: yes
fallback-enabled: yes
master: b.root-servers.net
master: c.root-servers.net
master: e.root-servers.net
master: f.root-servers.net
master: g.root-servers.net
master: k.root-servers.net
# auth-zone:
# name: "example.org"
# for-downstream: yes
# for-upstream: yes
# zonefile: "example.org.zone"
# Views
# Create named views. Name must be unique. Map views to requests using
# the access-control-view option. Views can contain zero or more local-zone
# and local-data options. Options from matching views will override global
# options. Global options will be used if no matching view is found.
# With view-first yes, it will try to answer using the global local-zone and
# local-data elements if there is no view specific match.
# view:
# name: "viewname"
# local-zone: "example.com" redirect
# local-data: "example.com A 192.0.2.3"
# local-data-ptr: "192.0.2.3 www.example.com"
# view-first: no
# view:
# name: "anotherview"
# local-zone: "example.com" refuse
# Fedora: DNSCrypt support not enabled since it requires linking to
# another crypto library
#
# DNSCrypt
# Caveats:
# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
# listen on `dnscrypt-port` with the follo0wing snippet:
# server:
# interface: 0.0.0.0@443
# interface: ::0@443
#
# Finally, `dnscrypt` config has its own section.
# dnscrypt:
# dnscrypt-enable: yes
# dnscrypt-port: 443
# dnscrypt-provider: 2.dnscrypt-cert.example.com.
# dnscrypt-secret-key: /path/unbound-conf/keys1/1.key
# dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
# dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
# CacheDB
# Enable external backend DB as auxiliary cache. Specify the backend name
# (default is "testframe", which has no use other than for debugging and
# testing) and backend-specific options. The 'cachedb' module must be
# included in module-config.
# cachedb:
# backend: "testframe"
# # secret seed string to calculate hashed keys
# secret-seed: "default"
# # For "redis" backend:
# # redis server's IP address or host name
# redis-server-host: 127.0.0.1
# # redis server's TCP port
# redis-server-port: 6379
# # timeout (in ms) for communication with the redis server
# redis-timeout: 100

11
unbound.munin Normal file
View File

@ -0,0 +1,11 @@
#
# For this plugin to work, unbound.conf needs to have:
# remote-control: control-enable: yes
#
[unbound*]
user root
env.statefile /var/lib/munin/plugin-state/unbound-state
env.unbound_conf /etc/unbound/unbound.conf
env.unbound_control /usr/sbin/unbound-control
env.spoof_warn 1000
env.spoof_crit 100000

19
unbound.service Normal file
View File

@ -0,0 +1,19 @@
[Unit]
Description=Unbound recursive Domain Name Server
After=network.target
After=unbound-keygen.service
Wants=unbound-keygen.service
Wants=unbound-anchor.timer
Before=nss-lookup.target
Wants=nss-lookup.target
[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/unbound
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
ExecReload=/usr/sbin/unbound-control reload
[Install]
WantedBy=multi-user.target

1192
unbound.spec Normal file
View File

File diff suppressed because it is too large Load Diff

3
unbound.sysconfig Normal file
View File

@ -0,0 +1,3 @@
# for extra debug, add "-v -v" or change verbosity: in unbound.conf
UNBOUND_OPTIONS=""

553
unbound_munin_ Normal file
View File

@ -0,0 +1,553 @@
#!/bin/sh
#
# plugin for munin to monitor usage of unbound servers.
#
# (C) 2008 W.C.A. Wijngaards. BSD Licensed.
#
# To install; enable statistics and unbound-control in unbound.conf
# server: extended-statistics: yes
# statistics-cumulative: no
# statistics-interval: 0
# remote-control: control-enable: yes
# Run the command unbound-control-setup to generate the key files.
#
# Environment variables for this script
# statefile - where to put temporary statefile.
# unbound_conf - where the unbound.conf file is located.
# unbound_control - where to find unbound-control executable.
# spoof_warn - what level to warn about spoofing
# spoof_crit - what level to crit about spoofing
#
# You can set them in your munin/plugin-conf.d/plugins.conf file
# with:
# [unbound*]
# user root
# env.statefile /usr/local/var/munin/plugin-state/unbound-state
# env.unbound_conf /usr/local/etc/unbound/unbound.conf
# env.unbound_control /usr/local/sbin/unbound-control
# env.spoof_warn 1000
# env.spoof_crit 100000
#
# This plugin can create different graphs depending on what name
# you link it as (with ln -s) into the plugins directory
# You can link it multiple times.
# If you are only a casual user, the _hits and _by_type are most interesting,
# possibly followed by _by_rcode.
#
# unbound_munin_hits - base volume, cache hits, unwanted traffic
# unbound_munin_queue - to monitor the internal requestlist
# unbound_munin_memory - memory usage
# unbound_munin_by_type - incoming queries by type
# unbound_munin_by_class - incoming queries by class
# unbound_munin_by_opcode - incoming queries by opcode
# unbound_munin_by_rcode - answers by rcode, validation status
# unbound_munin_by_flags - incoming queries by flags
# unbound_munin_histogram - histogram of query resolving times
#
# Magic markers - optional - used by installation scripts and
# munin-config:
#
#%# family=contrib
#%# capabilities=autoconf suggest
# POD documentation
: <<=cut
=head1 NAME
unbound_munin_ - Munin plugin to monitor the Unbound DNS resolver.
=head1 APPLICABLE SYSTEMS
System with unbound daemon.
=head1 CONFIGURATION
[unbound*]
user root
env.statefile /var/lib/munin/plugin-state/unbound-state
env.unbound_conf /etc/unbound/unbound.conf
env.unbound_control /usr/sbin/unbound-control
env.spoof_warn 1000
env.spoof_crit 100000
Use the .env settings to override the defaults.
=head1 USAGE
Can be used to present different graphs. Use ln -s for that name in
the plugins directory to enable the graph.
unbound_munin_hits - base volume, cache hits, unwanted traffic
unbound_munin_queue - to monitor the internal requestlist
unbound_munin_memory - memory usage
unbound_munin_by_type - incoming queries by type
unbound_munin_by_class - incoming queries by class
unbound_munin_by_opcode - incoming queries by opcode
unbound_munin_by_rcode - answers by rcode, validation status
unbound_munin_by_flags - incoming queries by flags
unbound_munin_histogram - histogram of query resolving times
=head1 AUTHOR
Copyright 2008 W.C.A. Wijngaards
=head1 LICENSE
BSD
=cut
state=${statefile:-/var/lib/munin/plugin-state/unbound-state}
conf=${unbound_conf:-/etc/unbound/unbound.conf}
ctrl=${unbound_control:-/usr/sbin/unbound-control}
warn=${spoof_warn:-1000}
crit=${spoof_crit:-100000}
lock=$state.lock
# number of seconds between polling attempts.
# makes the statefile hang around for at least this many seconds,
# so that multiple links of this script can share the results.
lee=55
# to keep things within 19 characters
ABBREV="-e s/total/t/ -e s/thread/t/ -e s/num/n/ -e s/query/q/ -e s/answer/a/ -e s/unwanted/u/ -e s/requestlist/ql/ -e s/type/t/ -e s/class/c/ -e s/opcode/o/ -e s/rcode/r/ -e s/edns/e/ -e s/mem/m/ -e s/cache/c/ -e s/mod/m/"
# get value from $1 into return variable $value
get_value ( ) {
value="`grep '^'$1'=' $state | sed -e 's/^.*=//'`"
if test "$value"x = ""x; then
value="0"
fi
}
# download the state from the unbound server.
get_state ( ) {
# obtain lock for fetching the state
# because there is a race condition in fetching and writing to file
# see if the lock is stale, if so, take it
if test -f $lock ; then
pid="`cat $lock 2>&1`"
kill -0 "$pid" >/dev/null 2>&1
if test $? -ne 0 -a "$pid" != $$ ; then
echo $$ >$lock
fi
fi
i=0
while test ! -f $lock || test "`cat $lock 2>&1`" != $$; do
while test -f $lock; do
# wait
i=`expr $i + 1`
if test $i -gt 1000; then
sleep 1;
fi
if test $i -gt 1500; then
echo "error locking $lock" "=" `cat $lock`
rm -f $lock
exit 1
fi
done
# try to get it
echo $$ >$lock
done
# do not refetch if the file exists and only LEE seconds old
if test -f $state; then
now=`date +%s`
get_value "time.now"
value="`echo $value | sed -e 's/\..*$//'`"
if test $now -lt `expr $value + $lee`; then
rm -f $lock
return
fi
fi
$ctrl -c $conf stats > $state
if test $? -ne 0; then
echo "error retrieving data from unbound server"
rm -f $lock
exit 1
fi
rm -f $lock
}
if test "$1" = "autoconf" ; then
if test ! -f $conf; then
echo no "($conf does not exist)"
exit 1
fi
if test ! -d `dirname $state`; then
echo no "($state directory does not exist)"
exit 1
fi
echo yes
exit 0
fi
if test "$1" = "suggest" ; then
echo "hits"
echo "queue"
echo "memory"
echo "by_type"
echo "by_class"
echo "by_opcode"
echo "by_rcode"
echo "by_flags"
echo "histogram"
exit 0
fi
# determine my type, by name
id=`echo $0 | sed -e 's/^.*unbound_munin_//'`
if test "$id"x = ""x; then
# some default to keep people sane.
id="hits"
fi
# if $1 exists in statefile, config is echoed with label $2
exist_config ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
if grep '^'$1'=' $state >/dev/null 2>&1; then
echo "$mn.label $2"
echo "$mn.min 0"
fi
}
# print label and min 0 for a name $1 in unbound format
p_config ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
echo $mn.label "$2"
echo $mn.min 0
}
if test "$1" = "config" ; then
if test ! -f $state; then
get_state
fi
case $id in
hits)
echo "graph_title Unbound DNS traffic and cache hits"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / second"
echo "graph_category DNS"
for x in thread0.num.queries thread1.num.queries \
thread2.num.queries thread3.num.queries thread4.num.queries \
thread5.num.queries thread6.num.queries thread7.num.queries; do
exist_config $x "queries handled by `basename $x .num.queries`"
done
p_config "total.num.queries" "total queries from clients"
p_config "total.num.cachehits" "cache hits"
p_config "total.num.prefetch" "cache prefetch"
p_config "num.query.tcp" "TCP queries"
p_config "num.query.ipv6" "IPv6 queries"
p_config "unwanted.queries" "queries that failed acl"
p_config "unwanted.replies" "unwanted or unsolicited replies"
echo "u_replies.warning $warn"
echo "u_replies.critical $crit"
echo "graph_info DNS queries to the recursive resolver. The unwanted replies could be innocent duplicate packets, late replies, or spoof threats."
;;
queue)
echo "graph_title Unbound requestlist size"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel number of queries"
echo "graph_category DNS"
p_config "total.requestlist.avg" "Average size of queue on insert"
p_config "total.requestlist.max" "Max size of queue (in 5 min)"
p_config "total.requestlist.overwritten" "Number of queries replaced by new ones"
p_config "total.requestlist.exceeded" "Number of queries dropped due to lack of space"
echo "graph_info The queries that did not hit the cache and need recursion service take up space in the requestlist. If there are too many queries, first queries get overwritten, and at last resort dropped."
;;
memory)
echo "graph_title Unbound memory usage"
echo "graph_args --base 1024 -l 0"
echo "graph_vlabel memory used in bytes"
echo "graph_category DNS"
p_config "mem.total.sbrk" "Total memory"
p_config "mem.cache.rrset" "RRset cache memory"
p_config "mem.cache.message" "Message cache memory"
p_config "mem.mod.iterator" "Iterator module memory"
p_config "mem.mod.validator" "Validator module and key cache memory"
echo "graph_info The memory used by unbound."
;;
by_type)
echo "graph_title Unbound DNS queries by type"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / second"
echo "graph_category DNS"
for x in `grep "^num.query.type" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
tp=`echo $nm | sed -e s/num.query.type.//`
p_config "$nm" "$tp"
done
echo "graph_info queries by DNS RR type queried for"
;;
by_class)
echo "graph_title Unbound DNS queries by class"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / second"
echo "graph_category DNS"
for x in `grep "^num.query.class" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
tp=`echo $nm | sed -e s/num.query.class.//`
p_config "$nm" "$tp"
done
echo "graph_info queries by DNS RR class queried for."
;;
by_opcode)
echo "graph_title Unbound DNS queries by opcode"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / second"
echo "graph_category DNS"
for x in `grep "^num.query.opcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
tp=`echo $nm | sed -e s/num.query.opcode.//`
p_config "$nm" "$tp"
done
echo "graph_info queries by opcode in the query packet."
;;
by_rcode)
echo "graph_title Unbound DNS answers by return code"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel answer packets / second"
echo "graph_category DNS"
for x in `grep "^num.answer.rcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
tp=`echo $nm | sed -e s/num.answer.rcode.//`
p_config "$nm" "$tp"
done
p_config "num.answer.secure" "answer secure"
p_config "num.answer.bogus" "answer bogus"
p_config "num.rrset.bogus" "num rrsets marked bogus"
echo "graph_info answers sorted by return value. rrsets bogus is the number of rrsets marked bogus per second by the validator"
;;
by_flags)
echo "graph_title Unbound DNS incoming queries by flags"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / second"
echo "graph_category DNS"
p_config "num.query.flags.QR" "QR (query reply) flag"
p_config "num.query.flags.AA" "AA (auth answer) flag"
p_config "num.query.flags.TC" "TC (truncated) flag"
p_config "num.query.flags.RD" "RD (recursion desired) flag"
p_config "num.query.flags.RA" "RA (rec avail) flag"
p_config "num.query.flags.Z" "Z (zero) flag"
p_config "num.query.flags.AD" "AD (auth data) flag"
p_config "num.query.flags.CD" "CD (check disabled) flag"
p_config "num.query.edns.present" "EDNS OPT present"
p_config "num.query.edns.DO" "DO (DNSSEC OK) flag"
echo "graph_info This graphs plots the flags inside incoming queries. For example, if QR, AA, TC, RA, Z flags are set, the query can be rejected. RD, AD, CD and DO are legitimately set by some software."
;;
histogram)
echo "graph_title Unbound DNS histogram of reply time"
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / second"
echo "graph_category DNS"
echo hcache.label "cache hits"
echo hcache.min 0
echo hcache.draw AREA
echo hcache.colour 999999
echo h64ms.label "0 msec - 66 msec"
echo h64ms.min 0
echo h64ms.draw STACK
echo h64ms.colour 0000FF
echo h128ms.label "66 msec - 131 msec"
echo h128ms.min 0
echo h128ms.colour 1F00DF
echo h128ms.draw STACK
echo h256ms.label "131 msec - 262 msec"
echo h256ms.min 0
echo h256ms.draw STACK
echo h256ms.colour 3F00BF
echo h512ms.label "262 msec - 524 msec"
echo h512ms.min 0
echo h512ms.draw STACK
echo h512ms.colour 5F009F
echo h1s.label "524 msec - 1 sec"
echo h1s.min 0
echo h1s.draw STACK
echo h1s.colour 7F007F
echo h2s.label "1 sec - 2 sec"
echo h2s.min 0
echo h2s.draw STACK
echo h2s.colour 9F005F
echo h4s.label "2 sec - 4 sec"
echo h4s.min 0
echo h4s.draw STACK
echo h4s.colour BF003F
echo h8s.label "4 sec - 8 sec"
echo h8s.min 0
echo h8s.draw STACK
echo h8s.colour DF001F
echo h16s.label "8 sec - ..."
echo h16s.min 0
echo h16s.draw STACK
echo h16s.colour FF0000
echo "graph_info Histogram of the reply times for queries."
;;
esac
exit 0
fi
# do the stats itself
get_state
# get the time elapsed
get_value "time.elapsed"
if test $value = 0 || test $value = "0.000000"; then
echo "error: time elapsed 0 or could not retrieve data"
exit 1
fi
elapsed="$value"
# print value for $1 / elapsed
print_qps ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
get_value $1
echo "$mn.value" `echo scale=6';' $value / $elapsed | bc `
}
# print qps if line already found in $2
print_qps_line ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
value="`echo $2 | sed -e 's/^.*=//'`"
echo "$mn.value" `echo scale=6';' $value / $elapsed | bc `
}
# print value for $1
print_value ( ) {
mn=`echo $1 | sed $ABBREV | tr . _`
get_value $1
echo "$mn.value" $value
}
case $id in
hits)
for x in thread0.num.queries thread1.num.queries thread2.num.queries \
thread3.num.queries thread4.num.queries thread5.num.queries \
thread6.num.queries thread7.num.queries total.num.queries \
total.num.cachehits total.num.prefetch num.query.tcp \
num.query.ipv6 unwanted.queries unwanted.replies; do
if grep "^"$x"=" $state >/dev/null 2>&1; then
print_qps $x
fi
done
;;
queue)
for x in total.requestlist.avg total.requestlist.max \
total.requestlist.overwritten total.requestlist.exceeded; do
print_value $x
done
;;
memory)
mn=`echo mem.total.sbrk | sed $ABBREV | tr . _`
get_value 'mem.total.sbrk'
if test $value -eq 0; then
chk=`echo $ctrl | sed -e 's/-control$/-checkconf/'`
pidf=`$chk -o pidfile $conf 2>&1`
pid=`cat $pidf 2>&1`
value=`ps -p "$pid" -o rss= 2>&1`
if test "`expr $value + 1 - 1 2>&1`" -eq "$value" 2>&1; then
value=`expr $value \* 1024`
else
value=0
fi
fi
echo "$mn.value" $value
for x in mem.cache.rrset mem.cache.message \
mem.mod.iterator mem.mod.validator; do
print_value $x
done
;;
by_type)
for x in `grep "^num.query.type" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_qps_line $nm $x
done
;;
by_class)
for x in `grep "^num.query.class" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_qps_line $nm $x
done
;;
by_opcode)
for x in `grep "^num.query.opcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_qps_line $nm $x
done
;;
by_rcode)
for x in `grep "^num.answer.rcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_qps_line $nm $x
done
print_qps "num.answer.secure"
print_qps "num.answer.bogus"
print_qps "num.rrset.bogus"
;;
by_flags)
for x in num.query.flags.QR num.query.flags.AA num.query.flags.TC num.query.flags.RD num.query.flags.RA num.query.flags.Z num.query.flags.AD num.query.flags.CD num.query.edns.present num.query.edns.DO; do
print_qps $x
done
;;
histogram)
get_value total.num.cachehits
echo hcache.value `echo scale=6';' $value / $elapsed | bc `
r=0
for x in histogram.000000.000000.to.000000.000001 \
histogram.000000.000001.to.000000.000002 \
histogram.000000.000002.to.000000.000004 \
histogram.000000.000004.to.000000.000008 \
histogram.000000.000008.to.000000.000016 \
histogram.000000.000016.to.000000.000032 \
histogram.000000.000032.to.000000.000064 \
histogram.000000.000064.to.000000.000128 \
histogram.000000.000128.to.000000.000256 \
histogram.000000.000256.to.000000.000512 \
histogram.000000.000512.to.000000.001024 \
histogram.000000.001024.to.000000.002048 \
histogram.000000.002048.to.000000.004096 \
histogram.000000.004096.to.000000.008192 \
histogram.000000.008192.to.000000.016384 \
histogram.000000.016384.to.000000.032768 \
histogram.000000.032768.to.000000.065536; do
get_value $x
r=`expr $r + $value`
done
echo h64ms.value `echo scale=6';' $r / $elapsed | bc `
get_value histogram.000000.065536.to.000000.131072
echo h128ms.value `echo scale=6';' $value / $elapsed | bc `
get_value histogram.000000.131072.to.000000.262144
echo h256ms.value `echo scale=6';' $value / $elapsed | bc `
get_value histogram.000000.262144.to.000000.524288
echo h512ms.value `echo scale=6';' $value / $elapsed | bc `
get_value histogram.000000.524288.to.000001.000000
echo h1s.value `echo scale=6';' $value / $elapsed | bc `
get_value histogram.000001.000000.to.000002.000000
echo h2s.value `echo scale=6';' $value / $elapsed | bc `
get_value histogram.000002.000000.to.000004.000000
echo h4s.value `echo scale=6';' $value / $elapsed | bc `
get_value histogram.000004.000000.to.000008.000000
echo h8s.value `echo scale=6';' $value / $elapsed | bc `
r=0
for x in histogram.000008.000000.to.000016.000000 \
histogram.000016.000000.to.000032.000000 \
histogram.000032.000000.to.000064.000000 \
histogram.000064.000000.to.000128.000000 \
histogram.000128.000000.to.000256.000000 \
histogram.000256.000000.to.000512.000000 \
histogram.000512.000000.to.001024.000000 \
histogram.001024.000000.to.002048.000000 \
histogram.002048.000000.to.004096.000000 \
histogram.004096.000000.to.008192.000000 \
histogram.008192.000000.to.016384.000000 \
histogram.016384.000000.to.032768.000000 \
histogram.032768.000000.to.065536.000000 \
histogram.065536.000000.to.131072.000000 \
histogram.131072.000000.to.262144.000000 \
histogram.262144.000000.to.524288.000000; do
get_value $x
r=`expr $r + $value`
done
echo h16s.value `echo scale=6';' $r / $elapsed | bc `
;;
esac