unbound: Vendor import 1.24.0
Release notes at https://nlnetlabs.nl/news/2025/Sep/18/unbound-1.24.0-released/
+816
-564
+130
-14
@@ -46,6 +46,8 @@
|
||||
#include "cachedb/cachedb.h"
|
||||
#include "util/alloc.h"
|
||||
#include "util/config_file.h"
|
||||
#include "util/locks.h"
|
||||
#include "util/timeval_func.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
|
||||
#ifdef USE_REDIS
|
||||
@@ -75,6 +77,18 @@ struct redis_moddata {
|
||||
/* timeout for connection setup */
|
||||
struct timeval connect_timeout;
|
||||
struct timeval replica_connect_timeout;
|
||||
/* the reconnect interval time. */
|
||||
struct timeval reconnect_interval;
|
||||
struct timeval replica_reconnect_interval;
|
||||
/* reconnect attempts, 0 if connected, counts up failed reconnects. */
|
||||
int reconnect_attempts;
|
||||
int replica_reconnect_attempts;
|
||||
/* Lock on reconnect_wait time. */
|
||||
lock_basic_type wait_lock;
|
||||
lock_basic_type replica_wait_lock;
|
||||
/* reconnect wait time, wait until it has passed before reconnect. */
|
||||
struct timeval reconnect_wait;
|
||||
struct timeval replica_reconnect_wait;
|
||||
/* the redis logical database to use */
|
||||
int logical_db;
|
||||
int replica_logical_db;
|
||||
@@ -82,6 +96,10 @@ struct redis_moddata {
|
||||
int set_with_ex_available;
|
||||
};
|
||||
|
||||
/** The limit on the number of redis connect attempts. After failure if
|
||||
* the number is exceeded, the reconnects are throttled by the wait time. */
|
||||
#define REDIS_RECONNECT_ATTEMPT_LIMIT 3
|
||||
|
||||
static redisReply* redis_command(struct module_env*, struct cachedb_env*,
|
||||
const char*, const uint8_t*, size_t, int);
|
||||
|
||||
@@ -105,6 +123,8 @@ moddata_clean(struct redis_moddata** moddata) {
|
||||
}
|
||||
free((*moddata)->replica_ctxs);
|
||||
}
|
||||
lock_basic_destroy(&(*moddata)->wait_lock);
|
||||
lock_basic_destroy(&(*moddata)->replica_wait_lock);
|
||||
free(*moddata);
|
||||
*moddata = NULL;
|
||||
}
|
||||
@@ -113,10 +133,39 @@ static redisContext*
|
||||
redis_connect(const char* host, int port, const char* path,
|
||||
const char* password, int logical_db,
|
||||
const struct timeval connect_timeout,
|
||||
const struct timeval command_timeout)
|
||||
const struct timeval command_timeout,
|
||||
const struct timeval* reconnect_interval,
|
||||
int* reconnect_attempts,
|
||||
struct timeval* reconnect_wait,
|
||||
lock_basic_type* wait_lock,
|
||||
struct timeval* now_tv,
|
||||
const char* infostr)
|
||||
{
|
||||
struct timeval now_val;
|
||||
redisContext* ctx;
|
||||
|
||||
/* See if the redis server is down, and reconnect has to wait. */
|
||||
if(*reconnect_attempts > REDIS_RECONNECT_ATTEMPT_LIMIT) {
|
||||
/* Acquire lock to look at timeval, the integer has atomic
|
||||
* integrity. */
|
||||
struct timeval wait_tv;
|
||||
if(now_tv) {
|
||||
now_val = *now_tv;
|
||||
} else {
|
||||
if(gettimeofday(&now_val, NULL) < 0)
|
||||
log_err("redis: gettimeofday: %s",
|
||||
strerror(errno));
|
||||
}
|
||||
lock_basic_lock(wait_lock);
|
||||
wait_tv = *reconnect_wait;
|
||||
lock_basic_unlock(wait_lock);
|
||||
if(timeval_smaller(&now_val, &wait_tv)) {
|
||||
verbose(VERB_ALGO, "redis %sdown, reconnect wait",
|
||||
infostr);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
if(path && path[0]!=0) {
|
||||
ctx = redisConnectUnixWithTimeout(path, connect_timeout);
|
||||
} else {
|
||||
@@ -126,18 +175,18 @@ redis_connect(const char* host, int port, const char* path,
|
||||
const char *errstr = "out of memory";
|
||||
if(ctx)
|
||||
errstr = ctx->errstr;
|
||||
log_err("failed to connect to redis server: %s", errstr);
|
||||
log_err("failed to connect to redis %sserver: %s", infostr, errstr);
|
||||
goto fail;
|
||||
}
|
||||
if(redisSetTimeout(ctx, command_timeout) != REDIS_OK) {
|
||||
log_err("failed to set redis timeout, %s", ctx->errstr);
|
||||
log_err("failed to set redis %stimeout, %s", infostr, ctx->errstr);
|
||||
goto fail;
|
||||
}
|
||||
if(password && password[0]!=0) {
|
||||
redisReply* rep;
|
||||
rep = redisCommand(ctx, "AUTH %s", password);
|
||||
if(!rep || rep->type == REDIS_REPLY_ERROR) {
|
||||
log_err("failed to authenticate with password");
|
||||
log_err("failed to authenticate %swith password", infostr);
|
||||
freeReplyObject(rep);
|
||||
goto fail;
|
||||
}
|
||||
@@ -147,18 +196,20 @@ redis_connect(const char* host, int port, const char* path,
|
||||
redisReply* rep;
|
||||
rep = redisCommand(ctx, "SELECT %d", logical_db);
|
||||
if(!rep || rep->type == REDIS_REPLY_ERROR) {
|
||||
log_err("failed to set logical database (%d)",
|
||||
logical_db);
|
||||
log_err("failed %sto set logical database (%d)",
|
||||
infostr, logical_db);
|
||||
freeReplyObject(rep);
|
||||
goto fail;
|
||||
}
|
||||
freeReplyObject(rep);
|
||||
}
|
||||
*reconnect_attempts = 0;
|
||||
if(verbosity >= VERB_OPS) {
|
||||
char port_str[6+1];
|
||||
port_str[0] = ' ';
|
||||
(void)snprintf(port_str+1, sizeof(port_str)-1, "%d", port);
|
||||
verbose(VERB_OPS, "Connection to Redis established (%s%s)",
|
||||
verbose(VERB_OPS, "Connection to Redis %sestablished (%s%s)",
|
||||
infostr,
|
||||
path&&path[0]!=0?path:host,
|
||||
path&&path[0]!=0?"":port_str);
|
||||
}
|
||||
@@ -167,6 +218,25 @@ redis_connect(const char* host, int port, const char* path,
|
||||
fail:
|
||||
if(ctx)
|
||||
redisFree(ctx);
|
||||
(*reconnect_attempts)++;
|
||||
if(*reconnect_attempts > REDIS_RECONNECT_ATTEMPT_LIMIT) {
|
||||
/* Wait for the reconnect interval before trying again. */
|
||||
struct timeval tv;
|
||||
if(now_tv) {
|
||||
now_val = *now_tv;
|
||||
} else {
|
||||
if(gettimeofday(&now_val, NULL) < 0)
|
||||
log_err("redis: gettimeofday: %s",
|
||||
strerror(errno));
|
||||
}
|
||||
tv = now_val;
|
||||
timeval_add(&tv, reconnect_interval);
|
||||
lock_basic_lock(wait_lock);
|
||||
*reconnect_wait = tv;
|
||||
lock_basic_unlock(wait_lock);
|
||||
verbose(VERB_ALGO, "redis %sreconnect wait until %d.%6.6d",
|
||||
infostr, (int)tv.tv_sec, (int)tv.tv_usec);
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -191,6 +261,13 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
|
||||
log_err("out of memory");
|
||||
goto fail;
|
||||
}
|
||||
lock_basic_init(&moddata->wait_lock);
|
||||
lock_protect(&moddata->wait_lock, &moddata->reconnect_wait,
|
||||
sizeof(moddata->reconnect_wait));
|
||||
lock_basic_init(&moddata->replica_wait_lock);
|
||||
lock_protect(&moddata->replica_wait_lock,
|
||||
&moddata->replica_reconnect_wait,
|
||||
sizeof(moddata->replica_reconnect_wait));
|
||||
moddata->numctxs = env->cfg->num_threads;
|
||||
/* note: server_host and similar string configuration options are
|
||||
* shallow references to configured strings; we don't have to free them
|
||||
@@ -219,6 +296,8 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
|
||||
set_timeout(&moddata->replica_connect_timeout,
|
||||
env->cfg->redis_replica_timeout,
|
||||
env->cfg->redis_replica_connect_timeout);
|
||||
set_timeout(&moddata->reconnect_interval, 1000, 0);
|
||||
set_timeout(&moddata->replica_reconnect_interval, 1000, 0);
|
||||
|
||||
moddata->logical_db = env->cfg->redis_logical_db;
|
||||
moddata->replica_logical_db = env->cfg->redis_replica_logical_db;
|
||||
@@ -245,7 +324,13 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
|
||||
moddata->server_password,
|
||||
moddata->logical_db,
|
||||
moddata->connect_timeout,
|
||||
moddata->command_timeout);
|
||||
moddata->command_timeout,
|
||||
&moddata->reconnect_interval,
|
||||
&moddata->reconnect_attempts,
|
||||
&moddata->reconnect_wait,
|
||||
&moddata->wait_lock,
|
||||
env->now_tv,
|
||||
"");
|
||||
if(!ctx) {
|
||||
log_err("redis_init: failed to init redis "
|
||||
"(for thread %d)", i);
|
||||
@@ -263,7 +348,13 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
|
||||
moddata->replica_server_password,
|
||||
moddata->replica_logical_db,
|
||||
moddata->replica_connect_timeout,
|
||||
moddata->replica_command_timeout);
|
||||
moddata->replica_command_timeout,
|
||||
&moddata->replica_reconnect_interval,
|
||||
&moddata->replica_reconnect_attempts,
|
||||
&moddata->replica_reconnect_wait,
|
||||
&moddata->replica_wait_lock,
|
||||
env->now_tv,
|
||||
"replica ");
|
||||
if(!ctx) {
|
||||
log_err("redis_init: failed to init redis "
|
||||
"replica (for thread %d)", i);
|
||||
@@ -301,7 +392,7 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
|
||||
set_with_ex_fail:
|
||||
log_err("redis_init: failure during redis_init, the "
|
||||
"redis-expire-records option requires the SET with EX command "
|
||||
"(redis >= 2.6.2)");
|
||||
"(redis >= 2.6.12)");
|
||||
return 1;
|
||||
fail:
|
||||
moddata_clean(&moddata);
|
||||
@@ -364,7 +455,13 @@ redis_command(struct module_env* env, struct cachedb_env* cachedb_env,
|
||||
d->replica_server_password,
|
||||
d->replica_logical_db,
|
||||
d->replica_connect_timeout,
|
||||
d->replica_command_timeout);
|
||||
d->replica_command_timeout,
|
||||
&d->replica_reconnect_interval,
|
||||
&d->replica_reconnect_attempts,
|
||||
&d->replica_reconnect_wait,
|
||||
&d->replica_wait_lock,
|
||||
env->now_tv,
|
||||
"replica ");
|
||||
} else {
|
||||
ctx = redis_connect(
|
||||
d->server_host,
|
||||
@@ -373,7 +470,13 @@ redis_command(struct module_env* env, struct cachedb_env* cachedb_env,
|
||||
d->server_password,
|
||||
d->logical_db,
|
||||
d->connect_timeout,
|
||||
d->command_timeout);
|
||||
d->command_timeout,
|
||||
&d->reconnect_interval,
|
||||
&d->reconnect_attempts,
|
||||
&d->reconnect_wait,
|
||||
&d->wait_lock,
|
||||
env->now_tv,
|
||||
"");
|
||||
}
|
||||
ctx_selector[env->alloc->thread_num] = ctx;
|
||||
}
|
||||
@@ -405,7 +508,14 @@ redis_lookup(struct module_env* env, struct cachedb_env* cachedb_env,
|
||||
char* key, struct sldns_buffer* result_buffer)
|
||||
{
|
||||
redisReply* rep;
|
||||
char cmdbuf[4+(CACHEDB_HASHSIZE/8)*2+1]; /* "GET " + key */
|
||||
/* Supported commands:
|
||||
* - "GET " + key
|
||||
*/
|
||||
#define REDIS_LOOKUP_MAX_BUF_LEN \
|
||||
4 /* "GET " */ \
|
||||
+(CACHEDB_HASHSIZE/8)*2 /* key hash */ \
|
||||
+ 1 /* \0 */
|
||||
char cmdbuf[REDIS_LOOKUP_MAX_BUF_LEN];
|
||||
int n;
|
||||
int ret = 0;
|
||||
|
||||
@@ -465,7 +575,13 @@ redis_store(struct module_env* env, struct cachedb_env* cachedb_env,
|
||||
* older redis 2.0.0 was "SETEX " + key + " " + ttl + " %b"
|
||||
* - "EXPIRE " + key + " 0"
|
||||
*/
|
||||
char cmdbuf[6+(CACHEDB_HASHSIZE/8)*2+11+3+1];
|
||||
#define REDIS_STORE_MAX_BUF_LEN \
|
||||
7 /* "EXPIRE " */ \
|
||||
+(CACHEDB_HASHSIZE/8)*2 /* key hash */ \
|
||||
+ 7 /* " %b EX " */ \
|
||||
+ 20 /* ttl (uint64_t) */ \
|
||||
+ 1 /* \0 */
|
||||
char cmdbuf[REDIS_STORE_MAX_BUF_LEN];
|
||||
|
||||
if (!set_ttl) {
|
||||
verbose(VERB_ALGO, "redis_store %s (%d bytes)", key, (int)data_len);
|
||||
|
||||
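Review bot: `*reconnect_attempts` is read at the top of redis_connect (`if(*reconnect_attempts > REDIS_RECONNECT_ATTEMPT_LIMIT)`), reset with `*reconnect_attempts = 0;` on success and bumped with `(*reconnect_attempts)++;` at `fail:` without holding wait_lock, while the new comment states the integer "has atomic integrity"; the field lives once in the shared moddata (the contexts are per thread, `ctx_selector[env->alloc->thread_num] = ctx`), so this appears to be concurrent unsynchronised access to a plain `int`, which C11 does not make atomic. The effect looks benign (a lost increment only delays throttling), so either say that instead of claiming atomicity, e.g. `/* reconnect_attempts is touched outside wait_lock; a lost increment merely delays throttling. */`, or take wait_lock around the compare and the increment. Separately, `struct timeval now_val;` is left uninitialised when gettimeofday() fails and is then read by timeval_smaller() in the wait check and by `tv = now_val;` in the `@@ -167,6 +218,25 @@` hunk; declaring it as `struct timeval now_val = {0, 0};` keeps those reads defined, and a zero time makes the wait check return NULL, which seems the conservative outcome. The body of redis_connect spans several hunks here; the lines between them are outside the view.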
@@ -57,7 +57,7 @@ int getnameinfo(const struct sockaddr *sa, size_t ATTR_UNUSED(salen), char *host
|
||||
}
|
||||
|
||||
if (host != NULL) {
|
||||
if (flags & NI_NUMERICHOST) {
|
||||
if ((flags & NI_NUMERICHOST)) {
|
||||
if (strlcpy(host, inet_ntoa(sin->sin_addr),
|
||||
hostlen) >= hostlen)
|
||||
return (EAI_MEMORY);
|
||||
@@ -168,7 +168,7 @@ getaddrinfo(const char *hostname, const char *servname,
|
||||
port = 0;
|
||||
}
|
||||
|
||||
if (hints && hints->ai_flags & AI_PASSIVE) {
|
||||
if (hints && (hints->ai_flags & AI_PASSIVE)) {
|
||||
addr = htonl(0x00000000);
|
||||
if (hostname && inet_aton(hostname, &in) != 0)
|
||||
addr = in.s_addr;
|
||||
@@ -193,7 +193,7 @@ getaddrinfo(const char *hostname, const char *servname,
|
||||
}
|
||||
|
||||
/* Don't try DNS if AI_NUMERICHOST is set */
|
||||
if (hints && hints->ai_flags & AI_NUMERICHOST)
|
||||
if (hints && (hints->ai_flags & AI_NUMERICHOST))
|
||||
return (EAI_NONAME);
|
||||
|
||||
hp = gethostbyname(hostname);
|
||||
|
||||
+13
-3
@@ -173,6 +173,10 @@
|
||||
0 if you don't. */
|
||||
#undef HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||
|
||||
/* Define to 1 if you have the declaration of `SSL_CTX_set_tmp_ecdh', and to 0
|
||||
if you don't. */
|
||||
#undef HAVE_DECL_SSL_CTX_SET_TMP_ECDH
|
||||
|
||||
/* Define to 1 if you have the declaration of `strlcat', and to 0 if you
|
||||
don't. */
|
||||
#undef HAVE_DECL_STRLCAT
|
||||
@@ -477,6 +481,9 @@
|
||||
`ngtcp2_crypto_quictls_from_ossl_encryption_level' function. */
|
||||
#undef HAVE_NGTCP2_CRYPTO_QUICTLS_FROM_OSSL_ENCRYPTION_LEVEL
|
||||
|
||||
/* Define to 1 if you have the `ngtcp2_crypto_quictls_init' function. */
|
||||
#undef HAVE_NGTCP2_CRYPTO_QUICTLS_INIT
|
||||
|
||||
/* Define to 1 if the system has the type `ngtcp2_encryption_level'. */
|
||||
#undef HAVE_NGTCP2_ENCRYPTION_LEVEL
|
||||
|
||||
@@ -484,6 +491,9 @@
|
||||
*/
|
||||
#undef HAVE_NGTCP2_NGTCP2_CRYPTO_OPENSSL_H
|
||||
|
||||
/* Define to 1 if you have the <ngtcp2/ngtcp2_crypto_ossl.h> header file. */
|
||||
#undef HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H
|
||||
|
||||
/* Define to 1 if you have the <ngtcp2/ngtcp2_crypto_quictls.h> header file.
|
||||
*/
|
||||
#undef HAVE_NGTCP2_NGTCP2_CRYPTO_QUICTLS_H
|
||||
@@ -645,9 +655,6 @@
|
||||
function. */
|
||||
#undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
|
||||
|
||||
/* Define to 1 if you have the `SSL_CTX_set_tmp_ecdh' function. */
|
||||
#undef HAVE_SSL_CTX_SET_TMP_ECDH
|
||||
|
||||
/* Define to 1 if you have the `SSL_get0_alpn_selected' function. */
|
||||
#undef HAVE_SSL_GET0_ALPN_SELECTED
|
||||
|
||||
@@ -1023,6 +1030,9 @@
|
||||
/* Define this to enable client TCP Fast Open. */
|
||||
#undef USE_MSG_FASTOPEN
|
||||
|
||||
/* Define this to use ngtcp2_crypto_ossl. */
|
||||
#undef USE_NGTCP2_CRYPTO_OSSL
|
||||
|
||||
/* Define this to enable client TCP Fast Open. */
|
||||
#undef USE_OSX_MSG_FASTOPEN
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.71 for unbound 1.23.1.
|
||||
# Generated by GNU Autoconf 2.71 for unbound 1.24.0.
|
||||
#
|
||||
# Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
|
||||
#
|
||||
@@ -622,8 +622,8 @@ MAKEFLAGS=
|
||||
# Identity of this package.
|
||||
PACKAGE_NAME='unbound'
|
||||
PACKAGE_TARNAME='unbound'
|
||||
PACKAGE_VERSION='1.23.1'
|
||||
PACKAGE_STRING='unbound 1.23.1'
|
||||
PACKAGE_VERSION='1.24.0'
|
||||
PACKAGE_STRING='unbound 1.24.0'
|
||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
|
||||
PACKAGE_URL=''
|
||||
|
||||
@@ -685,7 +685,9 @@ opt_dnstap_socket_path
|
||||
ENABLE_DNSTAP
|
||||
PROTOBUFC_LIBS
|
||||
PROTOBUFC_CFLAGS
|
||||
PROTOC_GEN_C
|
||||
PROTOC_C
|
||||
PROTOC
|
||||
UBSYMS
|
||||
EXTRALINK
|
||||
COMMON_OBJ_ALL_SYMBOLS
|
||||
@@ -1511,7 +1513,7 @@ if test "$ac_init_help" = "long"; then
|
||||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures unbound 1.23.1 to adapt to many kinds of systems.
|
||||
\`configure' configures unbound 1.24.0 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
@@ -1577,7 +1579,7 @@ fi
|
||||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of unbound 1.23.1:";;
|
||||
short | recursive ) echo "Configuration of unbound 1.24.0:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
@@ -1830,7 +1832,7 @@ fi
|
||||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
unbound configure 1.23.1
|
||||
unbound configure 1.24.0
|
||||
generated by GNU Autoconf 2.71
|
||||
|
||||
Copyright (C) 2021 Free Software Foundation, Inc.
|
||||
@@ -2487,7 +2489,7 @@ cat >config.log <<_ACEOF
|
||||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by unbound $as_me 1.23.1, which was
|
||||
It was created by unbound $as_me 1.24.0, which was
|
||||
generated by GNU Autoconf 2.71. Invocation command line was
|
||||
|
||||
$ $0$ac_configure_args_raw
|
||||
@@ -3249,13 +3251,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
|
||||
|
||||
UNBOUND_VERSION_MAJOR=1
|
||||
|
||||
UNBOUND_VERSION_MINOR=23
|
||||
UNBOUND_VERSION_MINOR=24
|
||||
|
||||
UNBOUND_VERSION_MICRO=1
|
||||
UNBOUND_VERSION_MICRO=0
|
||||
|
||||
|
||||
LIBUNBOUND_CURRENT=9
|
||||
LIBUNBOUND_REVISION=32
|
||||
LIBUNBOUND_REVISION=33
|
||||
LIBUNBOUND_AGE=1
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@@ -3355,6 +3357,7 @@ LIBUNBOUND_AGE=1
|
||||
# 1.22.0 had 9:30:1
|
||||
# 1.23.0 had 9:31:1
|
||||
# 1.23.1 had 9:32:1
|
||||
# 1.24.0 had 9:33:1
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@@ -20817,12 +20820,6 @@ then :
|
||||
printf "%s\n" "#define HAVE_BIO_SET_CALLBACK_EX 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
ac_fn_c_check_func "$LINENO" "SSL_CTX_set_tmp_ecdh" "ac_cv_func_SSL_CTX_set_tmp_ecdh"
|
||||
if test "x$ac_cv_func_SSL_CTX_set_tmp_ecdh" = xyes
|
||||
then :
|
||||
printf "%s\n" "#define HAVE_SSL_CTX_SET_TMP_ECDH 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
|
||||
|
||||
# these check_funcs need -lssl
|
||||
@@ -20981,6 +20978,34 @@ else $as_nop
|
||||
ac_have_decl=0
|
||||
fi
|
||||
printf "%s\n" "#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO $ac_have_decl" >>confdefs.h
|
||||
ac_fn_check_decl "$LINENO" "SSL_CTX_set_tmp_ecdh" "ac_cv_have_decl_SSL_CTX_set_tmp_ecdh" "
|
||||
$ac_includes_default
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OPENSSL_RAND_H
|
||||
#include <openssl/rand.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OPENSSL_CONF_H
|
||||
#include <openssl/conf.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OPENSSL_ENGINE_H
|
||||
#include <openssl/engine.h>
|
||||
#endif
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
" "$ac_c_undeclared_builtin_options" "CFLAGS"
|
||||
if test "x$ac_cv_have_decl_SSL_CTX_set_tmp_ecdh" = xyes
|
||||
then :
|
||||
ac_have_decl=1
|
||||
else $as_nop
|
||||
ac_have_decl=0
|
||||
fi
|
||||
printf "%s\n" "#define HAVE_DECL_SSL_CTX_SET_TMP_ECDH $ac_have_decl" >>confdefs.h
|
||||
|
||||
|
||||
if test "$ac_cv_func_HMAC_Init_ex" = "yes"; then
|
||||
@@ -22284,6 +22309,13 @@ if test "x$ac_cv_header_ngtcp2_ngtcp2_h" = xyes
|
||||
then :
|
||||
printf "%s\n" "#define HAVE_NGTCP2_NGTCP2_H 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
ac_fn_c_check_header_compile "$LINENO" "ngtcp2/ngtcp2_crypto_ossl.h" "ac_cv_header_ngtcp2_ngtcp2_crypto_ossl_h" "$ac_includes_default
|
||||
"
|
||||
if test "x$ac_cv_header_ngtcp2_ngtcp2_crypto_ossl_h" = xyes
|
||||
then :
|
||||
printf "%s\n" "#define HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
ac_fn_c_check_header_compile "$LINENO" "ngtcp2/ngtcp2_crypto_openssl.h" "ac_cv_header_ngtcp2_ngtcp2_crypto_openssl_h" "$ac_includes_default
|
||||
"
|
||||
@@ -22324,7 +22356,52 @@ else $as_nop
|
||||
fi
|
||||
printf "%s\n" "#define HAVE_DECL_NGTCP2_CRYPTO_ENCRYPT_CB $ac_have_decl" >>confdefs.h
|
||||
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl" >&5
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_ossl" >&5
|
||||
printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_ossl... " >&6; }
|
||||
if test ${ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb+y}
|
||||
then :
|
||||
printf %s "(cached) " >&6
|
||||
else $as_nop
|
||||
ac_check_lib_save_LIBS=$LIBS
|
||||
LIBS="-lngtcp2_crypto_ossl $LIBS"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
/* Override any GCC internal prototype to avoid an error.
|
||||
Use char because int might match the return type of a GCC
|
||||
builtin and then its argument prototype would still apply. */
|
||||
char ngtcp2_crypto_encrypt_cb ();
|
||||
int
|
||||
main (void)
|
||||
{
|
||||
return ngtcp2_crypto_encrypt_cb ();
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"
|
||||
then :
|
||||
ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb=yes
|
||||
else $as_nop
|
||||
ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb=no
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext conftest.beam \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
LIBS=$ac_check_lib_save_LIBS
|
||||
fi
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" >&5
|
||||
printf "%s\n" "$ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" >&6; }
|
||||
if test "x$ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" = xyes
|
||||
then :
|
||||
|
||||
LIBS="$LIBS -lngtcp2_crypto_ossl"
|
||||
|
||||
printf "%s\n" "#define USE_NGTCP2_CRYPTO_OSSL 1" >>confdefs.h
|
||||
|
||||
|
||||
else $as_nop
|
||||
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl" >&5
|
||||
printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl... " >&6; }
|
||||
if test ${ac_cv_lib_ngtcp2_crypto_openssl_ngtcp2_crypto_encrypt_cb+y}
|
||||
then :
|
||||
@@ -22362,9 +22439,9 @@ printf "%s\n" "$ac_cv_lib_ngtcp2_crypto_openssl_ngtcp2_crypto_encrypt_cb" >&6; }
|
||||
if test "x$ac_cv_lib_ngtcp2_crypto_openssl_ngtcp2_crypto_encrypt_cb" = xyes
|
||||
then :
|
||||
LIBS="$LIBS -lngtcp2_crypto_openssl"
|
||||
fi
|
||||
else $as_nop
|
||||
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls" >&5
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls" >&5
|
||||
printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls... " >&6; }
|
||||
if test ${ac_cv_lib_ngtcp2_crypto_quictls_ngtcp2_crypto_encrypt_cb+y}
|
||||
then :
|
||||
@@ -22402,6 +22479,12 @@ printf "%s\n" "$ac_cv_lib_ngtcp2_crypto_quictls_ngtcp2_crypto_encrypt_cb" >&6; }
|
||||
if test "x$ac_cv_lib_ngtcp2_crypto_quictls_ngtcp2_crypto_encrypt_cb" = xyes
|
||||
then :
|
||||
LIBS="$LIBS -lngtcp2_crypto_quictls"
|
||||
fi
|
||||
|
||||
|
||||
fi
|
||||
|
||||
|
||||
fi
|
||||
|
||||
ac_fn_c_check_func "$LINENO" "ngtcp2_crypto_encrypt_cb" "ac_cv_func_ngtcp2_crypto_encrypt_cb"
|
||||
@@ -22451,6 +22534,12 @@ if test "x$ac_cv_func_ngtcp2_crypto_quictls_configure_client_context" = xyes
|
||||
then :
|
||||
printf "%s\n" "#define HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
ac_fn_c_check_func "$LINENO" "ngtcp2_crypto_quictls_init" "ac_cv_func_ngtcp2_crypto_quictls_init"
|
||||
if test "x$ac_cv_func_ngtcp2_crypto_quictls_init" = xyes
|
||||
then :
|
||||
printf "%s\n" "#define HAVE_NGTCP2_CRYPTO_QUICTLS_INIT 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
ac_fn_c_check_func "$LINENO" "ngtcp2_conn_get_num_scid" "ac_cv_func_ngtcp2_conn_get_num_scid"
|
||||
if test "x$ac_cv_func_ngtcp2_conn_get_num_scid" = xyes
|
||||
@@ -22472,6 +22561,10 @@ then :
|
||||
fi
|
||||
|
||||
|
||||
# these check_funcs need -lssl
|
||||
BAKLIBS="$LIBS"
|
||||
LIBS="-lssl $LIBS"
|
||||
|
||||
for ac_func in SSL_is_quic
|
||||
do :
|
||||
ac_fn_c_check_func "$LINENO" "SSL_is_quic" "ac_cv_func_SSL_is_quic"
|
||||
@@ -22484,6 +22577,8 @@ else $as_nop
|
||||
fi
|
||||
|
||||
done
|
||||
LIBS="$BAKLIBS"
|
||||
|
||||
ac_fn_c_check_type "$LINENO" "struct ngtcp2_version_cid" "ac_cv_type_struct_ngtcp2_version_cid" "$ac_includes_default
|
||||
#include <ngtcp2/ngtcp2.h>
|
||||
|
||||
@@ -24249,7 +24344,55 @@ fi
|
||||
|
||||
|
||||
if test "x$opt_dnstap" != "xno"; then
|
||||
# Extract the first word of "protoc-c", so it can be a program name with args.
|
||||
# Extract the first word of "protoc", so it can be a program name with args.
|
||||
set dummy protoc; ac_word=$2
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
printf %s "checking for $ac_word... " >&6; }
|
||||
if test ${ac_cv_path_PROTOC+y}
|
||||
then :
|
||||
printf %s "(cached) " >&6
|
||||
else $as_nop
|
||||
case $PROTOC in
|
||||
[\\/]* | ?:[\\/]*)
|
||||
ac_cv_path_PROTOC="$PROTOC" # Let the user override the test with a path.
|
||||
;;
|
||||
*)
|
||||
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
|
||||
for as_dir in $PATH
|
||||
do
|
||||
IFS=$as_save_IFS
|
||||
case $as_dir in #(((
|
||||
'') as_dir=./ ;;
|
||||
*/) ;;
|
||||
*) as_dir=$as_dir/ ;;
|
||||
esac
|
||||
for ac_exec_ext in '' $ac_executable_extensions; do
|
||||
if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
|
||||
ac_cv_path_PROTOC="$as_dir$ac_word$ac_exec_ext"
|
||||
printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
|
||||
break 2
|
||||
fi
|
||||
done
|
||||
done
|
||||
IFS=$as_save_IFS
|
||||
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
PROTOC=$ac_cv_path_PROTOC
|
||||
if test -n "$PROTOC"; then
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PROTOC" >&5
|
||||
printf "%s\n" "$PROTOC" >&6; }
|
||||
else
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
printf "%s\n" "no" >&6; }
|
||||
fi
|
||||
|
||||
|
||||
# 'protoc-c' is deprecated. We use 'protoc' instead. If it can not be
|
||||
# found, try 'protoc-c'.
|
||||
if test -z "$PROTOC"; then
|
||||
# Extract the first word of "protoc-c", so it can be a program name with args.
|
||||
set dummy protoc-c; ac_word=$2
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
printf %s "checking for $ac_word... " >&6; }
|
||||
@@ -24294,9 +24437,83 @@ printf "%s\n" "no" >&6; }
|
||||
fi
|
||||
|
||||
|
||||
if test -z "$PROTOC_C"; then
|
||||
as_fn_error $? "The protoc-c program was not found. Please install protobuf-c!" "$LINENO" 5
|
||||
fi
|
||||
else
|
||||
PROTOC_C="$PROTOC"
|
||||
fi
|
||||
if test -z "$PROTOC_C"; then
|
||||
as_fn_error $? "The protoc or protoc-c program was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c to provide protoc or protoc-c" "$LINENO" 5
|
||||
fi
|
||||
|
||||
# Check for protoc-gen-c plugin
|
||||
# Extract the first word of "protoc-gen-c", so it can be a program name with args.
|
||||
set dummy protoc-gen-c; ac_word=$2
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
printf %s "checking for $ac_word... " >&6; }
|
||||
if test ${ac_cv_path_PROTOC_GEN_C+y}
|
||||
then :
|
||||
printf %s "(cached) " >&6
|
||||
else $as_nop
|
||||
case $PROTOC_GEN_C in
|
||||
[\\/]* | ?:[\\/]*)
|
||||
ac_cv_path_PROTOC_GEN_C="$PROTOC_GEN_C" # Let the user override the test with a path.
|
||||
;;
|
||||
*)
|
||||
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
|
||||
for as_dir in $PATH
|
||||
do
|
||||
IFS=$as_save_IFS
|
||||
case $as_dir in #(((
|
||||
'') as_dir=./ ;;
|
||||
*/) ;;
|
||||
*) as_dir=$as_dir/ ;;
|
||||
esac
|
||||
for ac_exec_ext in '' $ac_executable_extensions; do
|
||||
if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
|
||||
ac_cv_path_PROTOC_GEN_C="$as_dir$ac_word$ac_exec_ext"
|
||||
printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
|
||||
break 2
|
||||
fi
|
||||
done
|
||||
done
|
||||
IFS=$as_save_IFS
|
||||
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
PROTOC_GEN_C=$ac_cv_path_PROTOC_GEN_C
|
||||
if test -n "$PROTOC_GEN_C"; then
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PROTOC_GEN_C" >&5
|
||||
printf "%s\n" "$PROTOC_GEN_C" >&6; }
|
||||
else
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
printf "%s\n" "no" >&6; }
|
||||
fi
|
||||
|
||||
|
||||
if test -z "$PROTOC_GEN_C"; then
|
||||
as_fn_error $? "The protoc-gen-c plugin was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c-compiler to provide protoc-gen-c" "$LINENO" 5
|
||||
fi
|
||||
|
||||
# Test that protoc-gen-c actually works
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if protoc-gen-c plugin works" >&5
|
||||
printf %s "checking if protoc-gen-c plugin works... " >&6; }
|
||||
cat > conftest.proto << EOF
|
||||
syntax = "proto2";
|
||||
message TestMessage {
|
||||
optional string test_field = 1;
|
||||
}
|
||||
EOF
|
||||
if $PROTOC_C --c_out=. conftest.proto >/dev/null 2>&1; then
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
printf "%s\n" "yes" >&6; }
|
||||
rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h
|
||||
else
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
printf "%s\n" "no" >&6; }
|
||||
rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h
|
||||
as_fn_error $? "The protoc-gen-c plugin is not working properly. Please ensure protobuf-c-compiler is properly installed" "$LINENO" 5
|
||||
fi
|
||||
|
||||
|
||||
# Check whether --with-protobuf-c was given.
|
||||
if test ${with_protobuf_c+y}
|
||||
@@ -25074,7 +25291,7 @@ printf "%s\n" "#define MAXSYSLOGMSGLEN 10240" >>confdefs.h
|
||||
|
||||
|
||||
|
||||
version=1.23.1
|
||||
version=1.24.0
|
||||
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for build time" >&5
|
||||
printf %s "checking for build time... " >&6; }
|
||||
@@ -25604,7 +25821,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
||||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by unbound $as_me 1.23.1, which was
|
||||
This file was extended by unbound $as_me 1.24.0, which was
|
||||
generated by GNU Autoconf 2.71. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
@@ -25672,7 +25889,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
|
||||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config='$ac_cs_config_escaped'
|
||||
ac_cs_version="\\
|
||||
unbound config.status 1.23.1
|
||||
unbound config.status 1.24.0
|
||||
configured by $0, generated by GNU Autoconf 2.71,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
||||
+22
-9
@@ -11,15 +11,15 @@ sinclude(dnscrypt/dnscrypt.m4)
|
||||
|
||||
# must be numbers. ac_defun because of later processing
|
||||
m4_define([VERSION_MAJOR],[1])
|
||||
m4_define([VERSION_MINOR],[23])
|
||||
m4_define([VERSION_MICRO],[1])
|
||||
m4_define([VERSION_MINOR],[24])
|
||||
m4_define([VERSION_MICRO],[0])
|
||||
AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
|
||||
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
|
||||
|
||||
LIBUNBOUND_CURRENT=9
|
||||
LIBUNBOUND_REVISION=32
|
||||
LIBUNBOUND_REVISION=33
|
||||
LIBUNBOUND_AGE=1
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@@ -119,6 +119,7 @@ LIBUNBOUND_AGE=1
|
||||
# 1.22.0 had 9:30:1
|
||||
# 1.23.0 had 9:31:1
|
||||
# 1.23.1 had 9:32:1
|
||||
# 1.24.0 had 9:33:1
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@@ -996,7 +997,7 @@ else
|
||||
AC_MSG_RESULT([no])
|
||||
fi
|
||||
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex SSL_CTX_set_tmp_ecdh])
|
||||
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
|
||||
|
||||
# these check_funcs need -lssl
|
||||
BAKLIBS="$LIBS"
|
||||
@@ -1004,7 +1005,7 @@ LIBS="-lssl $LIBS"
|
||||
AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate])
|
||||
LIBS="$BAKLIBS"
|
||||
|
||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
|
||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set_tmp_ecdh], [], [], [
|
||||
AC_INCLUDES_DEFAULT
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
#include <openssl/err.h>
|
||||
@@ -1610,17 +1611,29 @@ if test x_$withval = x_yes -o x_$withval != x_no; then
|
||||
if test x_$found_libngtcp2 != x_yes; then
|
||||
AC_MSG_ERROR([Could not find libngtcp2, ngtcp2.h])
|
||||
fi
|
||||
AC_CHECK_HEADERS([ngtcp2/ngtcp2.h ngtcp2/ngtcp2_crypto_openssl.h ngtcp2/ngtcp2_crypto_quictls.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_HEADERS([ngtcp2/ngtcp2.h ngtcp2/ngtcp2_crypto_ossl.h ngtcp2/ngtcp2_crypto_openssl.h ngtcp2/ngtcp2_crypto_quictls.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_DECLS([ngtcp2_conn_server_new], [], [], [AC_INCLUDES_DEFAULT
|
||||
#include <ngtcp2/ngtcp2.h>
|
||||
])
|
||||
AC_CHECK_DECLS([ngtcp2_crypto_encrypt_cb], [], [], [AC_INCLUDES_DEFAULT
|
||||
#include <ngtcp2/ngtcp2_crypto.h>
|
||||
])
|
||||
AC_CHECK_LIB([ngtcp2_crypto_openssl], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_openssl" ])
|
||||
AC_CHECK_LIB([ngtcp2_crypto_quictls], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_quictls" ])
|
||||
AC_CHECK_FUNCS([ngtcp2_crypto_encrypt_cb ngtcp2_ccerr_default ngtcp2_conn_in_closing_period ngtcp2_conn_in_draining_period ngtcp2_conn_get_max_local_streams_uni ngtcp2_crypto_quictls_from_ossl_encryption_level ngtcp2_crypto_quictls_configure_server_context ngtcp2_crypto_quictls_configure_client_context ngtcp2_conn_get_num_scid ngtcp2_conn_tls_early_data_rejected ngtcp2_conn_encode_0rtt_transport_params])
|
||||
AC_CHECK_LIB([ngtcp2_crypto_ossl], [ngtcp2_crypto_encrypt_cb], [
|
||||
LIBS="$LIBS -lngtcp2_crypto_ossl"
|
||||
AC_DEFINE(USE_NGTCP2_CRYPTO_OSSL, 1, [Define this to use ngtcp2_crypto_ossl.])
|
||||
], [
|
||||
AC_CHECK_LIB([ngtcp2_crypto_openssl], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_openssl" ], [
|
||||
AC_CHECK_LIB([ngtcp2_crypto_quictls], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_quictls" ])
|
||||
])
|
||||
])
|
||||
AC_CHECK_FUNCS([ngtcp2_crypto_encrypt_cb ngtcp2_ccerr_default ngtcp2_conn_in_closing_period ngtcp2_conn_in_draining_period ngtcp2_conn_get_max_local_streams_uni ngtcp2_crypto_quictls_from_ossl_encryption_level ngtcp2_crypto_quictls_configure_server_context ngtcp2_crypto_quictls_configure_client_context ngtcp2_crypto_quictls_init ngtcp2_conn_get_num_scid ngtcp2_conn_tls_early_data_rejected ngtcp2_conn_encode_0rtt_transport_params])
|
||||
|
||||
# these check_funcs need -lssl
|
||||
BAKLIBS="$LIBS"
|
||||
LIBS="-lssl $LIBS"
|
||||
AC_CHECK_FUNCS([SSL_is_quic], [], [AC_MSG_ERROR([No QUIC support detected in OpenSSL. Need OpenSSL version with QUIC support to enable DNS over QUIC with libngtcp2.])])
|
||||
LIBS="$BAKLIBS"
|
||||
|
||||
AC_CHECK_TYPES([struct ngtcp2_version_cid, ngtcp2_encryption_level],,,[AC_INCLUDES_DEFAULT
|
||||
#include <ngtcp2/ngtcp2.h>
|
||||
])
|
||||
|
||||
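Review bot: The new libngtcp2_crypto_ossl probe defines `USE_NGTCP2_CRYPTO_OSSL` on link success alone, and the symbol it links, `ngtcp2_crypto_encrypt_cb`, is the same one the openssl and quictls probes below it use, so it only proves that some ngtcp2 crypto library links, not that the ossl backend is usable; the `ngtcp2/ngtcp2_crypto_ossl.h` header check added a few lines earlier is never consulted. On a host with the library but without that header, or with a mismatched ngtcp2 development package, configure succeeds and the build fails later in the DoQ sources instead of falling back to the other backends. I would gate the ossl probe on the header result and let the existing openssl/quictls probes run otherwise; the later `SSL_is_quic` check still catches an OpenSSL without QUIC. The enclosing `if test x_$withval ...` block starts before this hunk.
```m4
if test "x$ac_cv_header_ngtcp2_ngtcp2_crypto_ossl_h" = xyes; then
	AC_CHECK_LIB([ngtcp2_crypto_ossl], [ngtcp2_crypto_encrypt_cb], [
		LIBS="$LIBS -lngtcp2_crypto_ossl"
		AC_DEFINE(USE_NGTCP2_CRYPTO_OSSL, 1, [Define this to use ngtcp2_crypto_ossl.])
	])
fi
if test "x$ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" != xyes; then
	# … unchanged: ngtcp2_crypto_openssl / ngtcp2_crypto_quictls probes …
fi
```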
+243
-26
@@ -1,6 +1,6 @@
|
||||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.71 for unbound 1.23.1.
|
||||
# Generated by GNU Autoconf 2.71 for unbound 1.24.0.
|
||||
#
|
||||
# Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
|
||||
#
|
||||
@@ -622,8 +622,8 @@ MAKEFLAGS=
|
||||
# Identity of this package.
|
||||
PACKAGE_NAME='unbound'
|
||||
PACKAGE_TARNAME='unbound'
|
||||
PACKAGE_VERSION='1.23.1'
|
||||
PACKAGE_STRING='unbound 1.23.1'
|
||||
PACKAGE_VERSION='1.24.0'
|
||||
PACKAGE_STRING='unbound 1.24.0'
|
||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
|
||||
PACKAGE_URL=''
|
||||
|
||||
@@ -685,7 +685,9 @@ opt_dnstap_socket_path
|
||||
ENABLE_DNSTAP
|
||||
PROTOBUFC_LIBS
|
||||
PROTOBUFC_CFLAGS
|
||||
PROTOC_GEN_C
|
||||
PROTOC_C
|
||||
PROTOC
|
||||
UBSYMS
|
||||
EXTRALINK
|
||||
COMMON_OBJ_ALL_SYMBOLS
|
||||
@@ -1511,7 +1513,7 @@ if test "$ac_init_help" = "long"; then
|
||||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures unbound 1.23.1 to adapt to many kinds of systems.
|
||||
\`configure' configures unbound 1.24.0 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
@@ -1577,7 +1579,7 @@ fi
|
||||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of unbound 1.23.1:";;
|
||||
short | recursive ) echo "Configuration of unbound 1.24.0:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
@@ -1830,7 +1832,7 @@ fi
|
||||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
unbound configure 1.23.1
|
||||
unbound configure 1.24.0
|
||||
generated by GNU Autoconf 2.71
|
||||
|
||||
Copyright (C) 2021 Free Software Foundation, Inc.
|
||||
@@ -2487,7 +2489,7 @@ cat >config.log <<_ACEOF
|
||||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by unbound $as_me 1.23.1, which was
|
||||
It was created by unbound $as_me 1.24.0, which was
|
||||
generated by GNU Autoconf 2.71. Invocation command line was
|
||||
|
||||
$ $0$ac_configure_args_raw
|
||||
@@ -3249,13 +3251,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
|
||||
|
||||
UNBOUND_VERSION_MAJOR=1
|
||||
|
||||
UNBOUND_VERSION_MINOR=23
|
||||
UNBOUND_VERSION_MINOR=24
|
||||
|
||||
UNBOUND_VERSION_MICRO=1
|
||||
UNBOUND_VERSION_MICRO=0
|
||||
|
||||
|
||||
LIBUNBOUND_CURRENT=9
|
||||
LIBUNBOUND_REVISION=32
|
||||
LIBUNBOUND_REVISION=33
|
||||
LIBUNBOUND_AGE=1
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@@ -3355,6 +3357,7 @@ LIBUNBOUND_AGE=1
|
||||
# 1.22.0 had 9:30:1
|
||||
# 1.23.0 had 9:31:1
|
||||
# 1.23.1 had 9:32:1
|
||||
# 1.24.0 had 9:33:1
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@@ -20817,12 +20820,6 @@ then :
|
||||
printf "%s\n" "#define HAVE_BIO_SET_CALLBACK_EX 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
ac_fn_c_check_func "$LINENO" "SSL_CTX_set_tmp_ecdh" "ac_cv_func_SSL_CTX_set_tmp_ecdh"
|
||||
if test "x$ac_cv_func_SSL_CTX_set_tmp_ecdh" = xyes
|
||||
then :
|
||||
printf "%s\n" "#define HAVE_SSL_CTX_SET_TMP_ECDH 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
|
||||
|
||||
# these check_funcs need -lssl
|
||||
@@ -20981,6 +20978,34 @@ else $as_nop
|
||||
ac_have_decl=0
|
||||
fi
|
||||
printf "%s\n" "#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO $ac_have_decl" >>confdefs.h
|
||||
ac_fn_check_decl "$LINENO" "SSL_CTX_set_tmp_ecdh" "ac_cv_have_decl_SSL_CTX_set_tmp_ecdh" "
|
||||
$ac_includes_default
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OPENSSL_RAND_H
|
||||
#include <openssl/rand.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OPENSSL_CONF_H
|
||||
#include <openssl/conf.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OPENSSL_ENGINE_H
|
||||
#include <openssl/engine.h>
|
||||
#endif
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
" "$ac_c_undeclared_builtin_options" "CFLAGS"
|
||||
if test "x$ac_cv_have_decl_SSL_CTX_set_tmp_ecdh" = xyes
|
||||
then :
|
||||
ac_have_decl=1
|
||||
else $as_nop
|
||||
ac_have_decl=0
|
||||
fi
|
||||
printf "%s\n" "#define HAVE_DECL_SSL_CTX_SET_TMP_ECDH $ac_have_decl" >>confdefs.h
|
||||
|
||||
|
||||
if test "$ac_cv_func_HMAC_Init_ex" = "yes"; then
|
||||
@@ -22284,6 +22309,13 @@ if test "x$ac_cv_header_ngtcp2_ngtcp2_h" = xyes
|
||||
then :
|
||||
printf "%s\n" "#define HAVE_NGTCP2_NGTCP2_H 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
ac_fn_c_check_header_compile "$LINENO" "ngtcp2/ngtcp2_crypto_ossl.h" "ac_cv_header_ngtcp2_ngtcp2_crypto_ossl_h" "$ac_includes_default
|
||||
"
|
||||
if test "x$ac_cv_header_ngtcp2_ngtcp2_crypto_ossl_h" = xyes
|
||||
then :
|
||||
printf "%s\n" "#define HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
ac_fn_c_check_header_compile "$LINENO" "ngtcp2/ngtcp2_crypto_openssl.h" "ac_cv_header_ngtcp2_ngtcp2_crypto_openssl_h" "$ac_includes_default
|
||||
"
|
||||
@@ -22324,7 +22356,52 @@ else $as_nop
|
||||
fi
|
||||
printf "%s\n" "#define HAVE_DECL_NGTCP2_CRYPTO_ENCRYPT_CB $ac_have_decl" >>confdefs.h
|
||||
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl" >&5
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_ossl" >&5
|
||||
printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_ossl... " >&6; }
|
||||
if test ${ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb+y}
|
||||
then :
|
||||
printf %s "(cached) " >&6
|
||||
else $as_nop
|
||||
ac_check_lib_save_LIBS=$LIBS
|
||||
LIBS="-lngtcp2_crypto_ossl $LIBS"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
/* Override any GCC internal prototype to avoid an error.
|
||||
Use char because int might match the return type of a GCC
|
||||
builtin and then its argument prototype would still apply. */
|
||||
char ngtcp2_crypto_encrypt_cb ();
|
||||
int
|
||||
main (void)
|
||||
{
|
||||
return ngtcp2_crypto_encrypt_cb ();
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"
|
||||
then :
|
||||
ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb=yes
|
||||
else $as_nop
|
||||
ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb=no
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext conftest.beam \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
LIBS=$ac_check_lib_save_LIBS
|
||||
fi
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" >&5
|
||||
printf "%s\n" "$ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" >&6; }
|
||||
if test "x$ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" = xyes
|
||||
then :
|
||||
|
||||
LIBS="$LIBS -lngtcp2_crypto_ossl"
|
||||
|
||||
printf "%s\n" "#define USE_NGTCP2_CRYPTO_OSSL 1" >>confdefs.h
|
||||
|
||||
|
||||
else $as_nop
|
||||
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl" >&5
|
||||
printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl... " >&6; }
|
||||
if test ${ac_cv_lib_ngtcp2_crypto_openssl_ngtcp2_crypto_encrypt_cb+y}
|
||||
then :
|
||||
@@ -22362,9 +22439,9 @@ printf "%s\n" "$ac_cv_lib_ngtcp2_crypto_openssl_ngtcp2_crypto_encrypt_cb" >&6; }
|
||||
if test "x$ac_cv_lib_ngtcp2_crypto_openssl_ngtcp2_crypto_encrypt_cb" = xyes
|
||||
then :
|
||||
LIBS="$LIBS -lngtcp2_crypto_openssl"
|
||||
fi
|
||||
else $as_nop
|
||||
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls" >&5
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls" >&5
|
||||
printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls... " >&6; }
|
||||
if test ${ac_cv_lib_ngtcp2_crypto_quictls_ngtcp2_crypto_encrypt_cb+y}
|
||||
then :
|
||||
@@ -22402,6 +22479,12 @@ printf "%s\n" "$ac_cv_lib_ngtcp2_crypto_quictls_ngtcp2_crypto_encrypt_cb" >&6; }
|
||||
if test "x$ac_cv_lib_ngtcp2_crypto_quictls_ngtcp2_crypto_encrypt_cb" = xyes
|
||||
then :
|
||||
LIBS="$LIBS -lngtcp2_crypto_quictls"
|
||||
fi
|
||||
|
||||
|
||||
fi
|
||||
|
||||
|
||||
fi
|
||||
|
||||
ac_fn_c_check_func "$LINENO" "ngtcp2_crypto_encrypt_cb" "ac_cv_func_ngtcp2_crypto_encrypt_cb"
|
||||
@@ -22451,6 +22534,12 @@ if test "x$ac_cv_func_ngtcp2_crypto_quictls_configure_client_context" = xyes
|
||||
then :
|
||||
printf "%s\n" "#define HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
ac_fn_c_check_func "$LINENO" "ngtcp2_crypto_quictls_init" "ac_cv_func_ngtcp2_crypto_quictls_init"
|
||||
if test "x$ac_cv_func_ngtcp2_crypto_quictls_init" = xyes
|
||||
then :
|
||||
printf "%s\n" "#define HAVE_NGTCP2_CRYPTO_QUICTLS_INIT 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
ac_fn_c_check_func "$LINENO" "ngtcp2_conn_get_num_scid" "ac_cv_func_ngtcp2_conn_get_num_scid"
|
||||
if test "x$ac_cv_func_ngtcp2_conn_get_num_scid" = xyes
|
||||
@@ -22472,6 +22561,10 @@ then :
|
||||
fi
|
||||
|
||||
|
||||
# these check_funcs need -lssl
|
||||
BAKLIBS="$LIBS"
|
||||
LIBS="-lssl $LIBS"
|
||||
|
||||
for ac_func in SSL_is_quic
|
||||
do :
|
||||
ac_fn_c_check_func "$LINENO" "SSL_is_quic" "ac_cv_func_SSL_is_quic"
|
||||
@@ -22484,6 +22577,8 @@ else $as_nop
|
||||
fi
|
||||
|
||||
done
|
||||
LIBS="$BAKLIBS"
|
||||
|
||||
ac_fn_c_check_type "$LINENO" "struct ngtcp2_version_cid" "ac_cv_type_struct_ngtcp2_version_cid" "$ac_includes_default
|
||||
#include <ngtcp2/ngtcp2.h>
|
||||
|
||||
@@ -24249,7 +24344,55 @@ fi
|
||||
|
||||
|
||||
if test "x$opt_dnstap" != "xno"; then
|
||||
# Extract the first word of "protoc-c", so it can be a program name with args.
|
||||
# Extract the first word of "protoc", so it can be a program name with args.
|
||||
set dummy protoc; ac_word=$2
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
printf %s "checking for $ac_word... " >&6; }
|
||||
if test ${ac_cv_path_PROTOC+y}
|
||||
then :
|
||||
printf %s "(cached) " >&6
|
||||
else $as_nop
|
||||
case $PROTOC in
|
||||
[\\/]* | ?:[\\/]*)
|
||||
ac_cv_path_PROTOC="$PROTOC" # Let the user override the test with a path.
|
||||
;;
|
||||
*)
|
||||
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
|
||||
for as_dir in $PATH
|
||||
do
|
||||
IFS=$as_save_IFS
|
||||
case $as_dir in #(((
|
||||
'') as_dir=./ ;;
|
||||
*/) ;;
|
||||
*) as_dir=$as_dir/ ;;
|
||||
esac
|
||||
for ac_exec_ext in '' $ac_executable_extensions; do
|
||||
if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
|
||||
ac_cv_path_PROTOC="$as_dir$ac_word$ac_exec_ext"
|
||||
printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
|
||||
break 2
|
||||
fi
|
||||
done
|
||||
done
|
||||
IFS=$as_save_IFS
|
||||
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
PROTOC=$ac_cv_path_PROTOC
|
||||
if test -n "$PROTOC"; then
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PROTOC" >&5
|
||||
printf "%s\n" "$PROTOC" >&6; }
|
||||
else
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
printf "%s\n" "no" >&6; }
|
||||
fi
|
||||
|
||||
|
||||
# 'protoc-c' is deprecated. We use 'protoc' instead. If it can not be
|
||||
# found, try 'protoc-c'.
|
||||
if test -z "$PROTOC"; then
|
||||
# Extract the first word of "protoc-c", so it can be a program name with args.
|
||||
set dummy protoc-c; ac_word=$2
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
printf %s "checking for $ac_word... " >&6; }
|
||||
@@ -24294,9 +24437,83 @@ printf "%s\n" "no" >&6; }
|
||||
fi
|
||||
|
||||
|
||||
if test -z "$PROTOC_C"; then
|
||||
as_fn_error $? "The protoc-c program was not found. Please install protobuf-c!" "$LINENO" 5
|
||||
fi
|
||||
else
|
||||
PROTOC_C="$PROTOC"
|
||||
fi
|
||||
if test -z "$PROTOC_C"; then
|
||||
as_fn_error $? "The protoc or protoc-c program was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c to provide protoc or protoc-c" "$LINENO" 5
|
||||
fi
|
||||
|
||||
# Check for protoc-gen-c plugin
|
||||
# Extract the first word of "protoc-gen-c", so it can be a program name with args.
|
||||
set dummy protoc-gen-c; ac_word=$2
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
printf %s "checking for $ac_word... " >&6; }
|
||||
if test ${ac_cv_path_PROTOC_GEN_C+y}
|
||||
then :
|
||||
printf %s "(cached) " >&6
|
||||
else $as_nop
|
||||
case $PROTOC_GEN_C in
|
||||
[\\/]* | ?:[\\/]*)
|
||||
ac_cv_path_PROTOC_GEN_C="$PROTOC_GEN_C" # Let the user override the test with a path.
|
||||
;;
|
||||
*)
|
||||
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
|
||||
for as_dir in $PATH
|
||||
do
|
||||
IFS=$as_save_IFS
|
||||
case $as_dir in #(((
|
||||
'') as_dir=./ ;;
|
||||
*/) ;;
|
||||
*) as_dir=$as_dir/ ;;
|
||||
esac
|
||||
for ac_exec_ext in '' $ac_executable_extensions; do
|
||||
if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
|
||||
ac_cv_path_PROTOC_GEN_C="$as_dir$ac_word$ac_exec_ext"
|
||||
printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
|
||||
break 2
|
||||
fi
|
||||
done
|
||||
done
|
||||
IFS=$as_save_IFS
|
||||
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
PROTOC_GEN_C=$ac_cv_path_PROTOC_GEN_C
|
||||
if test -n "$PROTOC_GEN_C"; then
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PROTOC_GEN_C" >&5
|
||||
printf "%s\n" "$PROTOC_GEN_C" >&6; }
|
||||
else
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
printf "%s\n" "no" >&6; }
|
||||
fi
|
||||
|
||||
|
||||
if test -z "$PROTOC_GEN_C"; then
|
||||
as_fn_error $? "The protoc-gen-c plugin was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c-compiler to provide protoc-gen-c" "$LINENO" 5
|
||||
fi
|
||||
|
||||
# Test that protoc-gen-c actually works
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if protoc-gen-c plugin works" >&5
|
||||
printf %s "checking if protoc-gen-c plugin works... " >&6; }
|
||||
cat > conftest.proto << EOF
|
||||
syntax = "proto2";
|
||||
message TestMessage {
|
||||
optional string test_field = 1;
|
||||
}
|
||||
EOF
|
||||
if $PROTOC_C --c_out=. conftest.proto >/dev/null 2>&1; then
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
printf "%s\n" "yes" >&6; }
|
||||
rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h
|
||||
else
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
printf "%s\n" "no" >&6; }
|
||||
rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h
|
||||
as_fn_error $? "The protoc-gen-c plugin is not working properly. Please ensure protobuf-c-compiler is properly installed" "$LINENO" 5
|
||||
fi
|
||||
|
||||
|
||||
# Check whether --with-protobuf-c was given.
|
||||
if test ${with_protobuf_c+y}
|
||||
@@ -25074,7 +25291,7 @@ printf "%s\n" "#define MAXSYSLOGMSGLEN 10240" >>confdefs.h
|
||||
|
||||
|
||||
|
||||
version=1.23.1
|
||||
version=1.24.0
|
||||
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for build time" >&5
|
||||
printf %s "checking for build time... " >&6; }
|
||||
@@ -25604,7 +25821,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
||||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by unbound $as_me 1.23.1, which was
|
||||
This file was extended by unbound $as_me 1.24.0, which was
|
||||
generated by GNU Autoconf 2.71. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
@@ -25672,7 +25889,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
|
||||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config='$ac_cs_config_escaped'
|
||||
ac_cs_version="\\
|
||||
unbound config.status 1.23.1
|
||||
unbound config.status 1.24.0
|
||||
configured by $0, generated by GNU Autoconf 2.71,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
|
||||
index 5a75e319..c6c6dbe2 100644
|
||||
index 172eb26c..2921c87f 100644
|
||||
--- a/doc/unbound.conf.5.in
|
||||
+++ b/doc/unbound.conf.5.in
|
||||
@@ -970,6 +970,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when
|
||||
this option in enabled. Only use if you know what you are doing.
|
||||
This option only has effect when qname-minimisation is enabled. Default is no.
|
||||
@@ -2146,6 +2146,13 @@ Default: no
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
+.B aaaa\-filter: \fI<yes or no>
|
||||
+Activate behavior similar to BIND's AAAA-filter.
|
||||
@@ -13,14 +13,14 @@ index 5a75e319..c6c6dbe2 100644
|
||||
+This also causes an additional A query to be sent for each AAAA query.
|
||||
+This breaks DNSSEC!
|
||||
+.TP
|
||||
.B aggressive\-nsec: \fI<yes or no>
|
||||
Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
|
||||
and other denials, using information from previous NXDOMAINs answers.
|
||||
.B aggressive\-nsec: \fI<yes or no>\fP
|
||||
Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other
|
||||
denials, using information from previous NXDOMAINs answers.
|
||||
diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
|
||||
index f093c1bf..e55a2246 100644
|
||||
index 49a5f5da..fbe434fa 100644
|
||||
--- a/iterator/iter_scrub.c
|
||||
+++ b/iterator/iter_scrub.c
|
||||
@@ -679,6 +679,32 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
|
||||
@@ -849,6 +849,32 @@ scrub_sanitize_rr_length(sldns_buffer* pkt, struct msg_parse* msg,
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -53,15 +53,15 @@ index f093c1bf..e55a2246 100644
|
||||
/**
|
||||
* Given a response event, remove suspect RRsets from the response.
|
||||
* "Suspect" rrsets are potentially poison. Note that this routine expects
|
||||
@@ -698,6 +724,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
|
||||
@@ -869,6 +895,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
|
||||
struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
|
||||
struct iter_env* ie)
|
||||
struct iter_env* ie, struct module_qstate* qstate)
|
||||
{
|
||||
+ int found_a_record = 0; /* ASN: do we have a A record? */
|
||||
int del_addi = 0; /* if additional-holding rrsets are deleted, we
|
||||
do not trust the normalized additional-A-AAAA any more */
|
||||
struct rrset_parse* rrset, *prev;
|
||||
@@ -733,6 +760,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
|
||||
uint8_t* ns_rrset_dname = NULL;
|
||||
@@ -906,6 +933,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
|
||||
rrset = rrset->rrset_all_next;
|
||||
}
|
||||
|
||||
@@ -75,9 +75,9 @@ index f093c1bf..e55a2246 100644
|
||||
/* At this point, we brutally remove ALL rrsets that aren't
|
||||
* children of the originating zone. The idea here is that,
|
||||
* as far as we know, the server that we contacted is ONLY
|
||||
@@ -744,6 +778,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
|
||||
rrset = msg->rrset_first;
|
||||
while(rrset) {
|
||||
@@ -925,6 +959,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
|
||||
continue;
|
||||
}
|
||||
|
||||
+ /* ASN: For AAAA records only... */
|
||||
+ if((ie->aaaa_filter) && (rrset->type == LDNS_RR_TYPE_AAAA)) {
|
||||
@@ -101,10 +101,10 @@ index f093c1bf..e55a2246 100644
|
||||
if( (rrset->type == LDNS_RR_TYPE_A ||
|
||||
rrset->type == LDNS_RR_TYPE_AAAA)) {
|
||||
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
|
||||
index 2482a1f4..bd5ba243 100644
|
||||
index 1da21896..6583dd0e 100644
|
||||
--- a/iterator/iter_utils.c
|
||||
+++ b/iterator/iter_utils.c
|
||||
@@ -177,6 +177,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
|
||||
@@ -250,6 +250,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
|
||||
iter_env->outbound_msg_retry = cfg->outbound_msg_retry;
|
||||
iter_env->max_sent_count = cfg->max_sent_count;
|
||||
iter_env->max_query_restarts = cfg->max_query_restarts;
|
||||
@@ -113,12 +113,12 @@ index 2482a1f4..bd5ba243 100644
|
||||
}
|
||||
|
||||
diff --git a/iterator/iterator.c b/iterator/iterator.c
|
||||
index 54006940..768fe202 100644
|
||||
index 71e64655..735f4ca0 100644
|
||||
--- a/iterator/iterator.c
|
||||
+++ b/iterator/iterator.c
|
||||
@@ -2155,6 +2155,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
|
||||
|
||||
return 0;
|
||||
@@ -2412,6 +2412,53 @@ check_waiting_queries(struct iter_qstate* iq, struct module_qstate* qstate,
|
||||
qstate->ext_state[id] = module_wait_reply;
|
||||
}
|
||||
}
|
||||
+
|
||||
+/**
|
||||
@@ -170,8 +170,8 @@ index 54006940..768fe202 100644
|
||||
|
||||
/**
|
||||
* This is the request event state where the request will be sent to one of
|
||||
@@ -2216,6 +2263,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
||||
@@ -2554,6 +2601,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
}
|
||||
}
|
||||
|
||||
+ /* ASN: If we have a AAAA query, then also query for A records */
|
||||
@@ -184,7 +184,7 @@ index 54006940..768fe202 100644
|
||||
/* Make sure we have a delegation point, otherwise priming failed
|
||||
* or another failure occurred */
|
||||
if(!iq->dp) {
|
||||
@@ -3648,6 +3702,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
@@ -4178,6 +4232,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -246,7 +246,7 @@ index 54006940..768fe202 100644
|
||||
/*
|
||||
* Return priming query results to interested super querystates.
|
||||
*
|
||||
@@ -3667,6 +3776,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
|
||||
@@ -4197,6 +4306,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
|
||||
else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
|
||||
super->minfo[id])->state == DSNS_FIND_STATE)
|
||||
processDSNSResponse(qstate, id, super);
|
||||
@@ -256,7 +256,7 @@ index 54006940..768fe202 100644
|
||||
else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
|
||||
error_supers(qstate, id, super);
|
||||
else if(qstate->is_priming)
|
||||
@@ -3704,6 +3816,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
@@ -4234,6 +4346,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
case INIT_REQUEST_3_STATE:
|
||||
cont = processInitRequest3(qstate, iq, id);
|
||||
break;
|
||||
@@ -266,7 +266,7 @@ index 54006940..768fe202 100644
|
||||
case QUERYTARGETS_STATE:
|
||||
cont = processQueryTargets(qstate, iq, ie, id);
|
||||
break;
|
||||
@@ -4040,6 +4155,8 @@ iter_state_to_string(enum iter_state state)
|
||||
@@ -4578,6 +4693,8 @@ iter_state_to_string(enum iter_state state)
|
||||
return "INIT REQUEST STATE (stage 2)";
|
||||
case INIT_REQUEST_3_STATE:
|
||||
return "INIT REQUEST STATE (stage 3)";
|
||||
@@ -275,7 +275,7 @@ index 54006940..768fe202 100644
|
||||
case QUERYTARGETS_STATE :
|
||||
return "QUERY TARGETS STATE";
|
||||
case PRIME_RESP_STATE :
|
||||
@@ -4064,6 +4181,7 @@ iter_state_is_responsestate(enum iter_state s)
|
||||
@@ -4602,6 +4719,7 @@ iter_state_is_responsestate(enum iter_state s)
|
||||
case INIT_REQUEST_STATE :
|
||||
case INIT_REQUEST_2_STATE :
|
||||
case INIT_REQUEST_3_STATE :
|
||||
@@ -284,10 +284,10 @@ index 54006940..768fe202 100644
|
||||
case COLLECT_CLASS_STATE :
|
||||
return 0;
|
||||
diff --git a/iterator/iterator.h b/iterator/iterator.h
|
||||
index 8b840528..a61c4195 100644
|
||||
index ae4b4e45..a44f9d27 100644
|
||||
--- a/iterator/iterator.h
|
||||
+++ b/iterator/iterator.h
|
||||
@@ -133,6 +133,9 @@ struct iter_env {
|
||||
@@ -157,6 +157,9 @@ struct iter_env {
|
||||
*/
|
||||
int* target_fetch_policy;
|
||||
|
||||
@@ -297,7 +297,7 @@ index 8b840528..a61c4195 100644
|
||||
/** lock on ratelimit counter */
|
||||
lock_basic_type queries_ratelimit_lock;
|
||||
/** number of queries that have been ratelimited */
|
||||
@@ -187,6 +190,14 @@ enum iter_state {
|
||||
@@ -217,6 +220,14 @@ enum iter_state {
|
||||
*/
|
||||
INIT_REQUEST_3_STATE,
|
||||
|
||||
@@ -312,9 +312,9 @@ index 8b840528..a61c4195 100644
|
||||
/**
|
||||
* Each time a delegation point changes for a given query or a
|
||||
* query times out and/or wakes up, this state is (re)visited.
|
||||
@@ -376,6 +387,13 @@ struct iter_qstate {
|
||||
*/
|
||||
int refetch_glue;
|
||||
@@ -434,6 +445,13 @@ struct iter_qstate {
|
||||
* already so that it is accepted later. */
|
||||
int empty_nodata_found;
|
||||
|
||||
+ /**
|
||||
+ * ASN: This is a flag that, if true, means that this query is
|
||||
@@ -327,10 +327,10 @@ index 8b840528..a61c4195 100644
|
||||
struct outbound_list outlist;
|
||||
|
||||
diff --git a/pythonmod/interface.i b/pythonmod/interface.i
|
||||
index 1ca8686a..d91b19ec 100644
|
||||
index 2040fb9e..f073c3dc 100644
|
||||
--- a/pythonmod/interface.i
|
||||
+++ b/pythonmod/interface.i
|
||||
@@ -995,6 +995,7 @@ struct config_file {
|
||||
@@ -1013,6 +1013,7 @@ struct config_file {
|
||||
int harden_dnssec_stripped;
|
||||
int harden_referral_path;
|
||||
int use_caps_bits_for_id;
|
||||
@@ -339,23 +339,23 @@ index 1ca8686a..d91b19ec 100644
|
||||
struct config_strlist* private_domain;
|
||||
size_t unwanted_threshold;
|
||||
diff --git a/util/config_file.c b/util/config_file.c
|
||||
index 969d664b..8d94b008 100644
|
||||
index b1e767b3..5eb3c099 100644
|
||||
--- a/util/config_file.c
|
||||
+++ b/util/config_file.c
|
||||
@@ -231,6 +231,7 @@ config_create(void)
|
||||
cfg->harden_referral_path = 0;
|
||||
@@ -247,6 +247,7 @@ config_create(void)
|
||||
cfg->harden_algo_downgrade = 0;
|
||||
cfg->harden_unknown_additional = 0;
|
||||
cfg->use_caps_bits_for_id = 0;
|
||||
+ cfg->aaaa_filter = 0; /* ASN: default is disabled */
|
||||
cfg->caps_whitelist = NULL;
|
||||
cfg->private_address = NULL;
|
||||
cfg->private_domain = NULL;
|
||||
diff --git a/util/config_file.h b/util/config_file.h
|
||||
index c7c9a0a4..e3aa15b0 100644
|
||||
index 44ac036b..1e59ab07 100644
|
||||
--- a/util/config_file.h
|
||||
+++ b/util/config_file.h
|
||||
@@ -285,6 +285,8 @@ struct config_file {
|
||||
int harden_algo_downgrade;
|
||||
@@ -311,6 +311,8 @@ struct config_file {
|
||||
int harden_unknown_additional;
|
||||
/** use 0x20 bits in query as random ID bits */
|
||||
int use_caps_bits_for_id;
|
||||
+ /** ASN: enable AAAA filter? */
|
||||
@@ -364,10 +364,10 @@ index c7c9a0a4..e3aa15b0 100644
|
||||
struct config_strlist* caps_whitelist;
|
||||
/** strip away these private addrs from answers, no DNS Rebinding */
|
||||
diff --git a/util/configlexer.lex b/util/configlexer.lex
|
||||
index 34a0e5dd..c890be2a 100644
|
||||
index bc258673..76aab170 100644
|
||||
--- a/util/configlexer.lex
|
||||
+++ b/util/configlexer.lex
|
||||
@@ -317,6 +317,7 @@ use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) }
|
||||
@@ -327,6 +327,7 @@ use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) }
|
||||
caps-whitelist{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) }
|
||||
caps-exempt{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) }
|
||||
unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
|
||||
@@ -376,10 +376,10 @@ index 34a0e5dd..c890be2a 100644
|
||||
private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) }
|
||||
prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) }
|
||||
diff --git a/util/configparser.y b/util/configparser.y
|
||||
index d4f965f9..8cc237c6 100644
|
||||
index 82e1d878..dc19bed5 100644
|
||||
--- a/util/configparser.y
|
||||
+++ b/util/configparser.y
|
||||
@@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser;
|
||||
@@ -100,6 +100,7 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT
|
||||
%token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
|
||||
%token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
|
||||
@@ -387,7 +387,7 @@ index d4f965f9..8cc237c6 100644
|
||||
%token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
|
||||
%token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
|
||||
%token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
|
||||
@@ -247,6 +248,7 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
@@ -276,6 +277,7 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
|
||||
server_harden_referral_path | server_private_address |
|
||||
server_private_domain | server_extended_statistics |
|
||||
@@ -395,7 +395,7 @@ index d4f965f9..8cc237c6 100644
|
||||
server_local_data_ptr | server_jostle_timeout |
|
||||
server_unwanted_reply_threshold | server_log_time_ascii |
|
||||
server_domain_insecure | server_val_sig_skew_min |
|
||||
@@ -1754,6 +1756,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
|
||||
@@ -1932,6 +1934,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
|
||||
yyerror("out of memory");
|
||||
}
|
||||
;
|
||||
|
||||
@@ -38,11 +38,17 @@
|
||||
; - `LockPersonality=yes` locks down the personality system call so that the
|
||||
; kernel execution domain may not be changed from the default.
|
||||
;
|
||||
; - With /etc/systemd/network/*.network a setting to make sure the network
|
||||
; is not considered online too early, can reduce network unreachable
|
||||
; errors on server start:
|
||||
; [Link]
|
||||
; RequiredForOnline=routable
|
||||
;
|
||||
[Unit]
|
||||
Description=Validating, recursive, and caching DNS resolver
|
||||
Documentation=man:unbound(8)
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
Before=nss-lookup.target
|
||||
|
||||
[Install]
|
||||
|
||||
+234
-105
@@ -62,84 +62,231 @@
|
||||
#include "sldns/wire2str.h"
|
||||
#include "sldns/str2wire.h"
|
||||
|
||||
static void spool_txt_printf(struct config_strlist_head* txt,
|
||||
const char* format, ...) ATTR_FORMAT(printf, 2, 3);
|
||||
|
||||
/** Append to strlist at end, and log error if out of memory. */
|
||||
static void
|
||||
spool_txt_string(struct config_strlist_head* txt, char* str)
|
||||
{
|
||||
if(!cfg_strlist_append(txt, strdup(str))) {
|
||||
log_err("out of memory in spool text");
|
||||
}
|
||||
}
|
||||
|
||||
/** Spool txt to spool list. */
|
||||
static void
|
||||
spool_txt_vmsg(struct config_strlist_head* txt, const char* format,
|
||||
va_list args)
|
||||
{
|
||||
char msg[65535];
|
||||
vsnprintf(msg, sizeof(msg), format, args);
|
||||
spool_txt_string(txt, msg);
|
||||
}
|
||||
|
||||
/** Print item to spool list. On alloc failure the list is as before. */
|
||||
static void
|
||||
spool_txt_printf(struct config_strlist_head* txt, const char* format, ...)
|
||||
{
|
||||
va_list args;
|
||||
va_start(args, format);
|
||||
spool_txt_vmsg(txt, format, args);
|
||||
va_end(args);
|
||||
}
|
||||
|
||||
/** dump one rrset zonefile line */
|
||||
static int
|
||||
dump_rrset_line(RES* ssl, struct ub_packed_rrset_key* k, time_t now, size_t i)
|
||||
static void
|
||||
dump_rrset_line(struct config_strlist_head* txt, struct ub_packed_rrset_key* k,
|
||||
time_t now, size_t i)
|
||||
{
|
||||
char s[65535];
|
||||
if(!packed_rr_to_string(k, i, now, s, sizeof(s))) {
|
||||
return ssl_printf(ssl, "BADRR\n");
|
||||
spool_txt_string(txt, "BADRR\n");
|
||||
return;
|
||||
}
|
||||
return ssl_printf(ssl, "%s", s);
|
||||
spool_txt_string(txt, s);
|
||||
}
|
||||
|
||||
/** dump rrset key and data info */
|
||||
static int
|
||||
dump_rrset(RES* ssl, struct ub_packed_rrset_key* k,
|
||||
static void
|
||||
dump_rrset(struct config_strlist_head* txt, struct ub_packed_rrset_key* k,
|
||||
struct packed_rrset_data* d, time_t now)
|
||||
{
|
||||
size_t i;
|
||||
/* rd lock held by caller */
|
||||
if(!k || !d) return 1;
|
||||
if(k->id == 0) return 1; /* deleted */
|
||||
if(d->ttl < now) return 1; /* expired */
|
||||
if(!k || !d) return;
|
||||
if(k->id == 0) return; /* deleted */
|
||||
if(d->ttl < now) return; /* expired */
|
||||
|
||||
/* meta line */
|
||||
if(!ssl_printf(ssl, ";rrset%s " ARG_LL "d %u %u %d %d\n",
|
||||
spool_txt_printf(txt, ";rrset%s " ARG_LL "d %u %u %d %d\n",
|
||||
(k->rk.flags & PACKED_RRSET_NSEC_AT_APEX)?" nsec_apex":"",
|
||||
(long long)(d->ttl - now),
|
||||
(unsigned)d->count, (unsigned)d->rrsig_count,
|
||||
(int)d->trust, (int)d->security
|
||||
))
|
||||
return 0;
|
||||
);
|
||||
for(i=0; i<d->count + d->rrsig_count; i++) {
|
||||
if(!dump_rrset_line(ssl, k, now, i))
|
||||
dump_rrset_line(txt, k, now, i);
|
||||
}
|
||||
}
|
||||
|
||||
/** Spool strlist to the output. */
|
||||
static int
|
||||
spool_strlist(RES* ssl, struct config_strlist* list)
|
||||
{
|
||||
struct config_strlist* s;
|
||||
for(s=list; s; s=s->next) {
|
||||
if(!ssl_printf(ssl, "%s", s->str))
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** dump lruhash rrset cache */
|
||||
/** dump lruhash cache and call callback for every item. */
|
||||
static int
|
||||
dump_rrset_lruhash(RES* ssl, struct lruhash* h, time_t now)
|
||||
dump_lruhash(struct lruhash* table,
|
||||
void (*func)(struct lruhash_entry*, struct config_strlist_head*, void*),
|
||||
RES* ssl, void* arg)
|
||||
{
|
||||
struct lruhash_entry* e;
|
||||
/* lruhash already locked by caller */
|
||||
/* walk in order of lru; best first */
|
||||
for(e=h->lru_start; e; e = e->lru_next) {
|
||||
lock_rw_rdlock(&e->lock);
|
||||
if(!dump_rrset(ssl, (struct ub_packed_rrset_key*)e->key,
|
||||
(struct packed_rrset_data*)e->data, now)) {
|
||||
lock_rw_unlock(&e->lock);
|
||||
int just_started = 1;
|
||||
int not_done = 1;
|
||||
hashvalue_type hash;
|
||||
size_t num = 0; /* number of entries processed. */
|
||||
size_t max = 2; /* number of entries after which it unlocks. */
|
||||
struct config_strlist_head txt; /* Text strings spooled. */
|
||||
memset(&txt, 0, sizeof(txt));
|
||||
|
||||
while(not_done) {
|
||||
size_t i; /* hash bin. */
|
||||
/* Process a number of items. */
|
||||
num = 0;
|
||||
lock_quick_lock(&table->lock);
|
||||
if(just_started) {
|
||||
i = 0;
|
||||
} else {
|
||||
i = hash&table->size_mask;
|
||||
}
|
||||
while(num < max) {
|
||||
/* Process bin. */
|
||||
int found = 0;
|
||||
size_t num_bin = 0;
|
||||
struct lruhash_bin* bin = &table->array[i];
|
||||
struct lruhash_entry* e;
|
||||
lock_quick_lock(&bin->lock);
|
||||
for(e = bin->overflow_list; e; e = e->overflow_next) {
|
||||
/* Entry e is locked by the func. */
|
||||
func(e, &txt, arg);
|
||||
num_bin++;
|
||||
}
|
||||
lock_quick_unlock(&bin->lock);
|
||||
/* This addition of bin number of entries may take
|
||||
* it over the max. */
|
||||
num += num_bin;
|
||||
|
||||
/* Move to next bin. */
|
||||
/* Find one with an entry, with a hash value, so we
|
||||
* can continue from the hash value. The hash value
|
||||
* can be indexed also if the array changes size. */
|
||||
i++;
|
||||
while(i < table->size) {
|
||||
bin = &table->array[i];
|
||||
lock_quick_lock(&bin->lock);
|
||||
if(bin->overflow_list) {
|
||||
hash = bin->overflow_list->hash;
|
||||
lock_quick_unlock(&bin->lock);
|
||||
found = 1;
|
||||
just_started = 0;
|
||||
break;
|
||||
}
|
||||
lock_quick_unlock(&bin->lock);
|
||||
i++;
|
||||
}
|
||||
if(!found) {
|
||||
not_done = 0;
|
||||
break;
|
||||
}
|
||||
}
|
||||
lock_quick_unlock(&table->lock);
|
||||
/* Print the spooled items, that are collected while the
|
||||
* locks are locked. The print happens while they are not
|
||||
* locked. */
|
||||
if(txt.first) {
|
||||
if(!spool_strlist(ssl, txt.first)) {
|
||||
config_delstrlist(txt.first);
|
||||
return 0;
|
||||
}
|
||||
config_delstrlist(txt.first);
|
||||
memset(&txt, 0, sizeof(txt));
|
||||
}
|
||||
}
|
||||
/* Print the final spooled items. */
|
||||
if(txt.first) {
|
||||
if(!spool_strlist(ssl, txt.first)) {
|
||||
config_delstrlist(txt.first);
|
||||
return 0;
|
||||
}
|
||||
lock_rw_unlock(&e->lock);
|
||||
config_delstrlist(txt.first);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** dump slabhash cache and call callback for every item. */
|
||||
static int
|
||||
dump_slabhash(struct slabhash* sh,
|
||||
void (*func)(struct lruhash_entry*, struct config_strlist_head*, void*),
|
||||
RES* ssl, void* arg)
|
||||
{
|
||||
/* Process a number of items at a time, then unlock the cache,
|
||||
* so that ordinary processing can continue. Keep an iteration marker
|
||||
* to continue the loop. That means the cache can change, items
|
||||
* could be inserted and deleted. And, for example, the hash table
|
||||
* can grow. */
|
||||
size_t slab;
|
||||
for(slab=0; slab<sh->size; slab++) {
|
||||
if(!dump_lruhash(sh->array[slab], func, ssl, arg))
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** Struct for dump information. */
|
||||
struct dump_info {
|
||||
/** The worker. */
|
||||
struct worker* worker;
|
||||
/** The printout connection. */
|
||||
RES* ssl;
|
||||
};
|
||||
|
||||
/** Dump the rrset cache entry */
|
||||
static void
|
||||
dump_rrset_entry(struct lruhash_entry* e, struct config_strlist_head* txt,
|
||||
void* arg)
|
||||
{
|
||||
struct dump_info* dump_info = (struct dump_info*)arg;
|
||||
lock_rw_rdlock(&e->lock);
|
||||
dump_rrset(txt, (struct ub_packed_rrset_key*)e->key,
|
||||
(struct packed_rrset_data*)e->data,
|
||||
*dump_info->worker->env.now);
|
||||
lock_rw_unlock(&e->lock);
|
||||
}
|
||||
|
||||
/** dump rrset cache */
|
||||
static int
|
||||
dump_rrset_cache(RES* ssl, struct worker* worker)
|
||||
{
|
||||
struct rrset_cache* r = worker->env.rrset_cache;
|
||||
size_t slab;
|
||||
struct dump_info dump_info;
|
||||
dump_info.worker = worker;
|
||||
dump_info.ssl = ssl;
|
||||
if(!ssl_printf(ssl, "START_RRSET_CACHE\n")) return 0;
|
||||
for(slab=0; slab<r->table.size; slab++) {
|
||||
lock_quick_lock(&r->table.array[slab]->lock);
|
||||
if(!dump_rrset_lruhash(ssl, r->table.array[slab],
|
||||
*worker->env.now)) {
|
||||
lock_quick_unlock(&r->table.array[slab]->lock);
|
||||
return 0;
|
||||
}
|
||||
lock_quick_unlock(&r->table.array[slab]->lock);
|
||||
}
|
||||
if(!dump_slabhash(&r->table, &dump_rrset_entry, ssl, &dump_info))
|
||||
return 0;
|
||||
return ssl_printf(ssl, "END_RRSET_CACHE\n");
|
||||
}
|
||||
|
||||
/** dump message to rrset reference */
|
||||
static int
|
||||
dump_msg_ref(RES* ssl, struct ub_packed_rrset_key* k)
|
||||
static void
|
||||
dump_msg_ref(struct config_strlist_head* txt, struct ub_packed_rrset_key* k)
|
||||
{
|
||||
char* nm, *tp, *cl;
|
||||
nm = sldns_wire2str_dname(k->rk.dname, k->rk.dname_len);
|
||||
@@ -149,30 +296,25 @@ dump_msg_ref(RES* ssl, struct ub_packed_rrset_key* k)
|
||||
free(nm);
|
||||
free(tp);
|
||||
free(cl);
|
||||
return ssl_printf(ssl, "BADREF\n");
|
||||
}
|
||||
if(!ssl_printf(ssl, "%s %s %s %d\n", nm, cl, tp, (int)k->rk.flags)) {
|
||||
free(nm);
|
||||
free(tp);
|
||||
free(cl);
|
||||
return 0;
|
||||
spool_txt_string(txt, "BADREF\n");
|
||||
return;
|
||||
}
|
||||
spool_txt_printf(txt, "%s %s %s %d\n", nm, cl, tp, (int)k->rk.flags);
|
||||
free(nm);
|
||||
free(tp);
|
||||
free(cl);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** dump message entry */
|
||||
static int
|
||||
dump_msg(RES* ssl, struct query_info* k, struct reply_info* d, time_t now)
|
||||
static void
|
||||
dump_msg(struct config_strlist_head* txt, struct query_info* k,
|
||||
struct reply_info* d, time_t now)
|
||||
{
|
||||
size_t i;
|
||||
char* nm, *tp, *cl;
|
||||
if(!k || !d) return 1;
|
||||
if(d->ttl < now) return 1; /* expired */
|
||||
|
||||
if(!k || !d) return;
|
||||
if(d->ttl < now) return; /* expired */
|
||||
|
||||
nm = sldns_wire2str_dname(k->qname, k->qname_len);
|
||||
tp = sldns_wire2str_type(k->qtype);
|
||||
cl = sldns_wire2str_class(k->qclass);
|
||||
@@ -180,45 +322,35 @@ dump_msg(RES* ssl, struct query_info* k, struct reply_info* d, time_t now)
|
||||
free(nm);
|
||||
free(tp);
|
||||
free(cl);
|
||||
return 1; /* skip this entry */
|
||||
return; /* skip this entry */
|
||||
}
|
||||
if(!rrset_array_lock(d->ref, d->rrset_count, now)) {
|
||||
/* rrsets have timed out or do not exist */
|
||||
free(nm);
|
||||
free(tp);
|
||||
free(cl);
|
||||
return 1; /* skip this entry */
|
||||
return; /* skip this entry */
|
||||
}
|
||||
|
||||
|
||||
/* meta line */
|
||||
if(!ssl_printf(ssl, "msg %s %s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n",
|
||||
nm, cl, tp,
|
||||
(int)d->flags, (int)d->qdcount,
|
||||
(long long)(d->ttl-now), (int)d->security,
|
||||
(unsigned)d->an_numrrsets,
|
||||
(unsigned)d->ns_numrrsets,
|
||||
(unsigned)d->ar_numrrsets,
|
||||
(int)d->reason_bogus,
|
||||
d->reason_bogus_str?d->reason_bogus_str:"")) {
|
||||
free(nm);
|
||||
free(tp);
|
||||
free(cl);
|
||||
rrset_array_unlock(d->ref, d->rrset_count);
|
||||
return 0;
|
||||
}
|
||||
spool_txt_printf(txt,
|
||||
"msg %s %s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n",
|
||||
nm, cl, tp,
|
||||
(int)d->flags, (int)d->qdcount,
|
||||
(long long)(d->ttl-now), (int)d->security,
|
||||
(unsigned)d->an_numrrsets,
|
||||
(unsigned)d->ns_numrrsets,
|
||||
(unsigned)d->ar_numrrsets,
|
||||
(int)d->reason_bogus,
|
||||
d->reason_bogus_str?d->reason_bogus_str:"");
|
||||
free(nm);
|
||||
free(tp);
|
||||
free(cl);
|
||||
|
||||
for(i=0; i<d->rrset_count; i++) {
|
||||
if(!dump_msg_ref(ssl, d->rrsets[i])) {
|
||||
rrset_array_unlock(d->ref, d->rrset_count);
|
||||
return 0;
|
||||
}
|
||||
dump_msg_ref(txt, d->rrsets[i]);
|
||||
}
|
||||
rrset_array_unlock(d->ref, d->rrset_count);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** copy msg to worker pad */
|
||||
@@ -247,49 +379,40 @@ copy_msg(struct regional* region, struct lruhash_entry* e,
|
||||
return (*k)->qname != NULL;
|
||||
}
|
||||
|
||||
/** dump lruhash msg cache */
|
||||
static int
|
||||
dump_msg_lruhash(RES* ssl, struct worker* worker, struct lruhash* h)
|
||||
/** Dump the msg entry. */
|
||||
static void
|
||||
dump_msg_entry(struct lruhash_entry* e, struct config_strlist_head* txt,
|
||||
void* arg)
|
||||
{
|
||||
struct lruhash_entry* e;
|
||||
struct dump_info* dump_info = (struct dump_info*)arg;
|
||||
struct query_info* k;
|
||||
struct reply_info* d;
|
||||
|
||||
/* lruhash already locked by caller */
|
||||
/* walk in order of lru; best first */
|
||||
for(e=h->lru_start; e; e = e->lru_next) {
|
||||
regional_free_all(worker->scratchpad);
|
||||
lock_rw_rdlock(&e->lock);
|
||||
/* make copy of rrset in worker buffer */
|
||||
if(!copy_msg(worker->scratchpad, e, &k, &d)) {
|
||||
lock_rw_unlock(&e->lock);
|
||||
return 0;
|
||||
}
|
||||
regional_free_all(dump_info->worker->scratchpad);
|
||||
/* Make copy of rrset in worker buffer. */
|
||||
lock_rw_rdlock(&e->lock);
|
||||
if(!copy_msg(dump_info->worker->scratchpad, e, &k, &d)) {
|
||||
lock_rw_unlock(&e->lock);
|
||||
/* release lock so we can lookup the rrset references
|
||||
* in the rrset cache */
|
||||
if(!dump_msg(ssl, k, d, *worker->env.now)) {
|
||||
return 0;
|
||||
}
|
||||
log_err("out of memory in dump_msg_entry");
|
||||
return;
|
||||
}
|
||||
return 1;
|
||||
lock_rw_unlock(&e->lock);
|
||||
/* Release lock so we can lookup the rrset references
|
||||
* in the rrset cache. */
|
||||
dump_msg(txt, k, d, *dump_info->worker->env.now);
|
||||
}
|
||||
|
||||
/** dump msg cache */
|
||||
static int
|
||||
dump_msg_cache(RES* ssl, struct worker* worker)
|
||||
{
|
||||
struct slabhash* sh = worker->env.msg_cache;
|
||||
size_t slab;
|
||||
struct dump_info dump_info;
|
||||
dump_info.worker = worker;
|
||||
dump_info.ssl = ssl;
|
||||
if(!ssl_printf(ssl, "START_MSG_CACHE\n")) return 0;
|
||||
for(slab=0; slab<sh->size; slab++) {
|
||||
lock_quick_lock(&sh->array[slab]->lock);
|
||||
if(!dump_msg_lruhash(ssl, worker, sh->array[slab])) {
|
||||
lock_quick_unlock(&sh->array[slab]->lock);
|
||||
return 0;
|
||||
}
|
||||
lock_quick_unlock(&sh->array[slab]->lock);
|
||||
}
|
||||
if(!dump_slabhash(worker->env.msg_cache, &dump_msg_entry, ssl,
|
||||
&dump_info))
|
||||
return 0;
|
||||
return ssl_printf(ssl, "END_MSG_CACHE\n");
|
||||
}
|
||||
|
||||
@@ -811,12 +934,18 @@ print_dp_main(RES* ssl, struct delegpt* dp, struct dns_msg* msg)
|
||||
struct ub_packed_rrset_key* k = msg->rep->rrsets[i];
|
||||
struct packed_rrset_data* d =
|
||||
(struct packed_rrset_data*)k->entry.data;
|
||||
struct config_strlist_head txt;
|
||||
memset(&txt, 0, sizeof(txt));
|
||||
if(d->security == sec_status_bogus) {
|
||||
if(!ssl_printf(ssl, "Address is BOGUS:\n"))
|
||||
return;
|
||||
}
|
||||
if(!dump_rrset(ssl, k, d, 0))
|
||||
dump_rrset(&txt, k, d, 0);
|
||||
if(!spool_strlist(ssl, txt.first)) {
|
||||
config_delstrlist(txt.first);
|
||||
return;
|
||||
}
|
||||
config_delstrlist(txt.first);
|
||||
}
|
||||
delegpt_count_ns(dp, &n_ns, &n_miss);
|
||||
delegpt_count_addr(dp, &n_addr, &n_res, &n_avail);
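Review bot: An allocation failure while spooling is never reported to the caller: spool_txt_string only logs and continues, so a `;rrset` or `msg` meta line can be emitted whose following RR or reference lines are missing, and dump_lruhash still returns 1 at its end, whereas a failed ssl_printf in the removed code aborted the dump with 0. Consider having spool_txt_string return the cfg_strlist_append result and carrying a failure indication from the callback back to dump_lruhash (a flag in struct dump_info, which the callbacks already receive as arg, would do), so the dump stops with `return 0` instead of emitting a record that no longer matches its meta line. The copy_msg failure path in dump_msg_entry has the same shape: it logs and skips the entry while the caller keeps reporting success. Separately, dump_info.ssl is assigned in dump_rrset_cache and dump_msg_cache but neither dump_rrset_entry nor dump_msg_entry reads it; either drop the field or add a comment saying what it is kept for.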
|
||||
|
||||
+562
-205
@@ -273,6 +273,7 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
|
||||
/* add in the values from the mesh */
|
||||
s->svr.ans_secure += (long long)worker->env.mesh->ans_secure;
|
||||
s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus;
|
||||
s->svr.val_ops += (long long)worker->env.mesh->val_ops;
|
||||
s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata;
|
||||
s->svr.ans_expired += (long long)worker->env.mesh->ans_expired;
|
||||
for(i=0; i<UB_STATS_RCODE_NUM; i++)
|
||||
@@ -495,6 +496,7 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
|
||||
total->svr.ans_rcode_nodata += a->svr.ans_rcode_nodata;
|
||||
total->svr.ans_secure += a->svr.ans_secure;
|
||||
total->svr.ans_bogus += a->svr.ans_bogus;
|
||||
total->svr.val_ops += a->svr.val_ops;
|
||||
total->svr.unwanted_replies += a->svr.unwanted_replies;
|
||||
total->svr.unwanted_queries += a->svr.unwanted_queries;
|
||||
total->svr.tcp_accept_usage += a->svr.tcp_accept_usage;
|
||||
|
||||
+4
-5
@@ -174,7 +174,7 @@ static void
|
||||
checkrlimits(struct config_file* cfg)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
#ifdef HAVE_GETRLIMIT
|
||||
#if defined(HAVE_GETRLIMIT) && !defined(unbound_testbound)
|
||||
/* list has number of ports to listen to, ifs number addresses */
|
||||
int list = ((cfg->do_udp?1:0) + (cfg->do_tcp?1 +
|
||||
(int)cfg->incoming_num_tcp:0));
|
||||
@@ -463,11 +463,11 @@ detach(void)
|
||||
#endif /* HAVE_DAEMON */
|
||||
}
|
||||
|
||||
#ifdef HAVE_SSL
|
||||
/* setup a listening ssl context, fatal_exit() on any failure */
|
||||
static void
|
||||
setup_listen_sslctx(void** ctx, int is_dot, int is_doh, struct config_file* cfg)
|
||||
{
|
||||
#ifdef HAVE_SSL
|
||||
if(!(*ctx = listen_sslctx_create(
|
||||
cfg->ssl_service_key, cfg->ssl_service_pem, NULL,
|
||||
cfg->tls_ciphers, cfg->tls_ciphersuites,
|
||||
@@ -476,10 +476,8 @@ setup_listen_sslctx(void** ctx, int is_dot, int is_doh, struct config_file* cfg)
|
||||
is_dot, is_doh))) {
|
||||
fatal_exit("could not set up listen SSL_CTX");
|
||||
}
|
||||
#else /* HAVE_SSL */
|
||||
(void)ctx;(void)is_dot;(void)is_doh;(void)cfg;
|
||||
#endif /* HAVE_SSL */
|
||||
}
|
||||
#endif /* HAVE_SSL */
|
||||
|
||||
/* setups the needed ssl contexts, fatal_exit() on any failure */
|
||||
static void
|
||||
@@ -747,6 +745,7 @@ run_daemon(const char* cfgfile, int cmdline_verbose, int debug_mode, int need_pi
|
||||
"the commandline to see more errors, "
|
||||
"or unbound-checkconf", cfgfile);
|
||||
log_warn("Continuing with default config settings");
|
||||
config_auto_slab_values(cfg);
|
||||
}
|
||||
apply_settings(daemon, cfg, cmdline_verbose, debug_mode);
|
||||
if(!done_setup)
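Review bot: setup_listen_sslctx is now defined only under `#ifdef HAVE_SSL` and its non-SSL stub (the `(void)ctx;(void)is_dot;(void)is_doh;(void)cfg;` line) is gone, so every call site must sit under the same guard or a build without SSL fails to link; the caller in the "setups the needed ssl contexts" function starts after this hunk, so that cannot be confirmed here. A one-line comment on the new guard, `/* only built with SSL; callers are guarded the same way */`, would make the coupling visible to the next editor. The checkrlimits hunk's `!defined(unbound_testbound)` exclusion would likewise benefit from a why-comment, e.g. `/* the unit tests must not change rlimits */`, matching the "Fix to not set rlimits in the unit tests" changelog entry.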
|
||||
|
||||
+6
-13
@@ -1707,6 +1707,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
repinfo->client_addrlen, edns.cookie_valid,
|
||||
c->buffer)) {
|
||||
worker->stats.num_queries_ip_ratelimited++;
|
||||
regional_free_all(worker->scratchpad);
|
||||
comm_point_drop_reply(repinfo);
|
||||
return 0;
|
||||
}
|
||||
@@ -1818,8 +1819,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
goto send_reply;
|
||||
}
|
||||
if(worker->env.auth_zones &&
|
||||
auth_zones_answer(worker->env.auth_zones, &worker->env,
|
||||
&qinfo, &edns, repinfo, c->buffer, worker->scratchpad)) {
|
||||
auth_zones_downstream_answer(worker->env.auth_zones,
|
||||
&worker->env, &qinfo, &edns, repinfo, c->buffer,
|
||||
worker->scratchpad)) {
|
||||
regional_free_all(worker->scratchpad);
|
||||
if(sldns_buffer_limit(c->buffer) == 0) {
|
||||
comm_point_drop_reply(repinfo);
|
||||
@@ -1872,20 +1874,11 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
/* If we've found a local alias, replace the qname with the alias
|
||||
* target before resolving it. */
|
||||
if(qinfo.local_alias) {
|
||||
struct ub_packed_rrset_key* rrset = qinfo.local_alias->rrset;
|
||||
struct packed_rrset_data* d = rrset->entry.data;
|
||||
|
||||
/* Sanity check: our current implementation only supports
|
||||
* a single CNAME RRset as a local alias. */
|
||||
if(qinfo.local_alias->next ||
|
||||
rrset->rk.type != htons(LDNS_RR_TYPE_CNAME) ||
|
||||
d->count != 1) {
|
||||
log_err("assumption failure: unexpected local alias");
|
||||
if(!local_alias_shallow_copy_qname(qinfo.local_alias, &qinfo.qname,
|
||||
&qinfo.qname_len)) {
|
||||
regional_free_all(worker->scratchpad);
|
||||
return 0; /* drop it */
|
||||
}
|
||||
qinfo.qname = d->rr_data[0] + 2;
|
||||
qinfo.qname_len = d->rr_len[0] - 2;
|
||||
}
|
||||
|
||||
/* If we may apply IP-based actions to the answer, build the client
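Review bot: In the local-alias hunk a local_alias_shallow_copy_qname failure drops the query with no log line, where the replaced code emitted `log_err("assumption failure: unexpected local alias")`; if the helper can only fail on allocation this matches the other scratchpad drop paths in this function, but the bare `return 0; /* drop it */` should say so, e.g. `/* out of memory copying the alias target; drop like other scratchpad failures */`. If the helper can also fail on an unexpected alias shape (it replaces the single-CNAME sanity check that was here), that case should keep a log_err so a misconfiguration stays visible in the logs rather than surfacing only as dropped queries. worker_handle_request's body continues outside the hunk.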
|
||||
|
||||
+1
-1
@@ -631,7 +631,7 @@ handle_event_moddone(struct module_qstate* qstate, int id)
|
||||
|
||||
/* When an AAAA query completes check if we want to perform DNS64
|
||||
* synthesis. We skip queries with DNSSEC enabled (!CD) and
|
||||
* ones generated by us to retrive the A/PTR record to use for
|
||||
* ones generated by us to retrieve the A/PTR record to use for
|
||||
* synth. */
|
||||
int could_synth =
|
||||
qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA &&
|
||||
|
||||
+2
-2
@@ -542,7 +542,7 @@ dt_msg_send_outside_query(struct dt_env *env,
|
||||
qflags = sldns_buffer_read_u16_at(qmsg, 2);
|
||||
|
||||
/* type */
|
||||
if (qflags & BIT_RD) {
|
||||
if ((qflags & BIT_RD)) {
|
||||
if (!env->log_forwarder_query_messages)
|
||||
return;
|
||||
dt_msg_init(env, &dm, DNSTAP__MESSAGE__TYPE__FORWARDER_QUERY);
|
||||
@@ -599,7 +599,7 @@ dt_msg_send_outside_response(struct dt_env *env,
|
||||
qflags = ntohs(qflags);
|
||||
|
||||
/* type */
|
||||
if (qflags & BIT_RD) {
|
||||
if ((qflags & BIT_RD)) {
|
||||
if (!env->log_forwarder_response_messages)
|
||||
return;
|
||||
dt_msg_init(env, &dm, DNSTAP__MESSAGE__TYPE__FORWARDER_RESPONSE);
|
||||
|
||||
+35
-4
@@ -18,10 +18,41 @@ AC_DEFUN([dt_DNSTAP],
|
||||
[opt_dnstap_socket_path="$1"])
|
||||
|
||||
if test "x$opt_dnstap" != "xno"; then
|
||||
AC_PATH_PROG([PROTOC_C], [protoc-c])
|
||||
if test -z "$PROTOC_C"; then
|
||||
AC_MSG_ERROR([The protoc-c program was not found. Please install protobuf-c!])
|
||||
fi
|
||||
AC_PATH_PROG([PROTOC], [protoc])
|
||||
# 'protoc-c' is deprecated. We use 'protoc' instead. If it can not be
|
||||
# found, try 'protoc-c'.
|
||||
if test -z "$PROTOC"; then
|
||||
AC_PATH_PROG([PROTOC_C], [protoc-c])
|
||||
else
|
||||
PROTOC_C="$PROTOC"
|
||||
fi
|
||||
if test -z "$PROTOC_C"; then
|
||||
AC_MSG_ERROR([[The protoc or protoc-c program was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c to provide protoc or protoc-c]])
|
||||
fi
|
||||
|
||||
# Check for protoc-gen-c plugin
|
||||
AC_PATH_PROG([PROTOC_GEN_C], [protoc-gen-c])
|
||||
if test -z "$PROTOC_GEN_C"; then
|
||||
AC_MSG_ERROR([[The protoc-gen-c plugin was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c-compiler to provide protoc-gen-c]])
|
||||
fi
|
||||
|
||||
# Test that protoc-gen-c actually works
|
||||
AC_MSG_CHECKING([if protoc-gen-c plugin works])
|
||||
cat > conftest.proto << EOF
|
||||
syntax = "proto2";
|
||||
message TestMessage {
|
||||
optional string test_field = 1;
|
||||
}
|
||||
EOF
|
||||
if $PROTOC_C --c_out=. conftest.proto >/dev/null 2>&1; then
|
||||
AC_MSG_RESULT([yes])
|
||||
rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h
|
||||
else
|
||||
AC_MSG_RESULT([no])
|
||||
rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h
|
||||
AC_MSG_ERROR([[The protoc-gen-c plugin is not working properly. Please ensure protobuf-c-compiler is properly installed]])
|
||||
fi
|
||||
|
||||
AC_ARG_WITH([protobuf-c],
|
||||
AS_HELP_STRING([--with-protobuf-c=path], [Path where protobuf-c is installed, for dnstap]),
|
||||
[
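Review bot: The protoc-gen-c probe discards the compiler's diagnostics with `>/dev/null 2>&1`, so when it fails the only trace left in config.log is the final AC_MSG_ERROR text; redirecting to the configure log instead, `if $PROTOC_C --c_out=. conftest.proto >&AS_MESSAGE_LOG_FD 2>&1; then`, preserves the failure reason without changing what the user sees. A short comment above the probe, `# Compile a minimal .proto to verify protoc can load the protoc-gen-c plugin`, would also help, since the earlier AC_PATH_PROG check only proves the plugin exists on PATH, not that the chosen protoc can use it.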
|
||||
|
||||
+1
-1
@@ -98,7 +98,7 @@ message Policy {
|
||||
// rule: the rule matched by the message.
|
||||
//
|
||||
// In a RPZ context, this is the owner name of the rule in
|
||||
// the Reponse Policy Zone in wire format.
|
||||
// the Response Policy Zone in wire format.
|
||||
optional bytes rule = 2;
|
||||
|
||||
// action: the policy action taken in response to the
|
||||
|
||||
+1
-1
@@ -1509,7 +1509,7 @@ void dtio_output_cb(int ATTR_UNUSED(fd), short bits, void* arg)
|
||||
}
|
||||
#endif
|
||||
|
||||
if((bits&UB_EV_READ || dtio->ssl_brief_write)) {
|
||||
if((bits&UB_EV_READ) || dtio->ssl_brief_write) {
|
||||
#ifdef HAVE_SSL
|
||||
if(dtio->ssl_brief_write)
|
||||
(void)dtio_disable_brief_write(dtio);
|
||||
|
||||
+289
-22
@@ -1,3 +1,270 @@
|
||||
17 September 2025: Yorgos
|
||||
- Too many quotes for the EDE message debug printout.
|
||||
|
||||
15 September 2025: Yorgos
|
||||
- Small debug output improvement when attaching an EDE.
|
||||
|
||||
15 September 2025: Wouter
|
||||
- Fix to print warning for when so-sndbuf setsockopt is not granted.
|
||||
|
||||
11 September 2025: Wouter
|
||||
- version set to 1.24.0 for release.
|
||||
- tag for 1.24.0rc1.
|
||||
- Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0.
|
||||
|
||||
9 September 2025: Wouter
|
||||
- Fix #1332: CNAME chains are sometimes not followed when RPZs add a
|
||||
local CNAME rewrite.
|
||||
|
||||
8 September 2025: Yorgos
|
||||
- Update documentation for using "SET ... EX" in Redis.
|
||||
- Document max buffer sizes for Redis commands.
|
||||
- Update man pages.
|
||||
|
||||
3 September 2025: Wouter
|
||||
- For #1328: make depend.
|
||||
|
||||
2 September 2025: Wouter
|
||||
- Fix #1235: Outdated Python2 code in
|
||||
unbound/pythonmod/examples/log.py.
|
||||
- Fix #1324: Memory leak in 'msgparse.c' in
|
||||
'parse_edns_options_from_query(...)'.
|
||||
- Fix indentation in tcp-mss option parsing.
|
||||
|
||||
1 September 2025: Wouter
|
||||
- Fix for #1324: Fix to free edns options scratch in ratelimit case.
|
||||
|
||||
29 August 2025: Yorgos
|
||||
- Limit the number of consecutive reads on an HTTP/2 session.
|
||||
Thanks to Gal Bar Nahum for exposing the possibility of infinite
|
||||
reads on the session.
|
||||
|
||||
28 August 2025: Wouter
|
||||
- Fix setup_listen_sslctx warning for nettle compile.
|
||||
|
||||
27 August 2025: Wouter
|
||||
- Fix unbound-control dump_cache for double unlock of lruhash table.
|
||||
|
||||
26 August 2025: Wouter
|
||||
- Fix ports workflow to install expat for macos.
|
||||
|
||||
22 August 2025: Wouter
|
||||
- For #1318: Fix compile warnings for DoH compile on windows.
|
||||
- Fix sha1 enable environment variable in test code on windows.
|
||||
- Fix #1319: [FR] zone status for Unbound auth-zones.
|
||||
- Fix that the zone acquired timestamp is set after the
|
||||
zonefile is read.
|
||||
|
||||
21 August 2025: Wouter
|
||||
- Fix to check for extraneous command arguments for unbound-control,
|
||||
when the command takes no arguments but there are arguments present.
|
||||
- Fix #1317: Unbound starts too early. Add
|
||||
Wants=network-online.target under [Unit] in unbound.service.
|
||||
- Fix for #1317: Fix contrib/unbound.service comment path for
|
||||
systemd network configuration.
|
||||
|
||||
15 August 2025: Wouter
|
||||
- unbound-control cache_lookup +t allows tld and root names. And
|
||||
subnet cache contents are printed.
|
||||
- Fix cache_lookup subnet printout to wipe zero part of the prefix.
|
||||
- Fix cache_lookup subnet print to not print messages without rrsets
|
||||
and perform in-depth check on node in the addrtree.
|
||||
|
||||
14 August 2025: Wouter
|
||||
- Fix to increase responsiveness of dump_cache.
|
||||
- Fix to decouple file descriptor activity and cache lookups in
|
||||
dump_cache.
|
||||
|
||||
13 August 2025: Wouter
|
||||
- unbound-control cache_lookup <domains> prints the cached rrsets
|
||||
and messages for those.
|
||||
- Fix to remove debug from cache_lookup.
|
||||
- Fix to unlock cache_lookup message for malformed records.
|
||||
|
||||
12 August 2025: Wouter
|
||||
- Fix that unbound-control dump_cache releases the cache locks
|
||||
every so often, so that the server stays responsive.
|
||||
|
||||
7 August 2025: Wouter
|
||||
- Fix dname_str for printout of long names. Thanks to Jan Komissar
|
||||
for the fix.
|
||||
- Fix that edns-subnet failure to create a subquery errors as
|
||||
servfail, and not formerror.
|
||||
- Fix to whitespace in dname_str.
|
||||
|
||||
6 August 2025: Wouter
|
||||
- Fix edns subnet, so that the subquery without subnet is stored in
|
||||
global cache if the querier used 0.0.0.0/0 and the name and address
|
||||
do not receive subnet treatment. If the name and address are
|
||||
configured for subnet, it is stored in the subnet cache.
|
||||
|
||||
5 August 2025: Wouter
|
||||
- Fix #1309: incorrectly reclaimed tcp handler can cause data
|
||||
corruption and segfault.
|
||||
- Fix to use assertions for consistency checks in #1309 reclaimed
|
||||
tcp handlers.
|
||||
|
||||
1 August 2025: Wouter
|
||||
- Fix testbound test program to accurately output packets from hex.
|
||||
|
||||
28 July 2025: Wouter
|
||||
- Fix redis cachedb module gettimeofday init failure.
|
||||
|
||||
24 July 2025: Wouter
|
||||
- Redis checks for server down and throttles reconnects.
|
||||
|
||||
17 July 2025: Wouter
|
||||
- Fix to not set rlimits in the unit tests.
|
||||
- Fix #1303: [FR] Disable TLSv1.2.
|
||||
- iana portlist updated.
|
||||
|
||||
16 July 2025: Wouter
|
||||
- Fix for RebirthDay Attack CVE-2025-5994, reported by Xiang Li
|
||||
from AOSP Lab Nankai University.
|
||||
- Tag for 1.23.1 with the release of 1.23.0 and the CVE fix, the
|
||||
repository continues with the previous fixes, with 1.23.2.
|
||||
- Add unit tests for non-ecs aggregation.
|
||||
|
||||
12 July 2025: Yorgos
|
||||
- Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to
|
||||
track the number of signature validation operations.
|
||||
Adds 'num.valops' to extended statistics.
|
||||
- For #1289: test num.valops in existing stat_values.tdir.
|
||||
- For #1289: add num.valops in the unbound-control man page.
|
||||
|
||||
11 July 2025: Wouter
|
||||
- Fix detection of SSL_CTX_set_tmp_ecdh function.
|
||||
- For #1301: configure cant find SSL_is_quic in OpenSSL 3.5.1.
|
||||
|
||||
8 July 2025: Wouter
|
||||
- Fix to improve dnstap discovery on Fedora.
|
||||
|
||||
3 July 2025: Wouter
|
||||
- Fix #1300: Is 'sock-queue-timeout' a linux only feature.
|
||||
- For #1300: implement sock-queue-timeout for FreeBSD as well.
|
||||
- Fix layout of comm_point_udp_ancil_callback.
|
||||
|
||||
2 July 2025: Wouter
|
||||
- Merge #1299: Fix typos.
|
||||
- Generate ltmain.sh and configure again.
|
||||
|
||||
25 June 2025: Yorgos
|
||||
- Fix #1247: forward-first: ssl handshake failed on root nameservers.
|
||||
- For #1247, turn off fetch-policy for delegation when looking into
|
||||
parent side name servers that may not update the addresses and hit
|
||||
NXNS limits.
|
||||
- For #1247, replay test (added tcp_transport to
|
||||
outnet_serviced_query).
|
||||
|
||||
20 June 2025: Yorgos
|
||||
- Fix #1293: EDE 6 is attached to insecure cached answers when client
|
||||
sends the CD bit.
|
||||
|
||||
19 June 2025: Wouter
|
||||
- Fix #1296: DNS over QUIC depends on a very outdated version of
|
||||
ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
|
||||
- Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
|
||||
- Fix rrset cache create allocation failure case.
|
||||
|
||||
17 June 2025: Yorgos
|
||||
- Fix for consistent use of local zone CNAME alias for configured auth
|
||||
zones. Now it also applies to downstream configured auth zones.
|
||||
|
||||
16 June 2025: Wouter
|
||||
- Fix to check control-interface addresses in unbound-checkconf.
|
||||
- Fix #1295: Windows 32-bit binaries download seems to be missing dll
|
||||
dependency.
|
||||
|
||||
12 June 2025: Wouter
|
||||
- Fix header return value description for skip_pkt_rrs and
|
||||
parse_edns_from_query_pkt.
|
||||
|
||||
11 June 2025: Wouter
|
||||
- Fix bitwise operators in conditional expressions with parentheses.
|
||||
- Fix conditional expressions with parentheses for bitwise and.
|
||||
|
||||
5 June 2025: Wouter
|
||||
- Fix unbound-anchor certificate file read for line ends and end of
|
||||
file.
|
||||
- Fix comment for the dname_remove_label_limit_len function.
|
||||
- iana portlist updated.
|
||||
|
||||
3 June 2025: Yorgos
|
||||
- Small manpage corrections for the 'disable-dnssec-lame-check' option.
|
||||
|
||||
21 May 2025: Wouter
|
||||
- Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound
|
||||
program.
|
||||
|
||||
20 May 2025: Yorgos
|
||||
- Merge #1285: RST man pages. It introduces restructuredText man pages
|
||||
to sync the online and source code man page documentation.
|
||||
The templated man pages (*.in) are still part of the repo but
|
||||
generated with docutils from their .rst counterpart.
|
||||
Documentation on how to generate those (mainly for core developers)
|
||||
is in README.man.
|
||||
- Add more checks about respip in unbound-checkconf.
|
||||
Also fixes #310: unbound-checkconf not reporting RPZ configuration
|
||||
error.
|
||||
|
||||
19 May 2025: Wouter
|
||||
- Fix for cname chain length with qtype ANY and qname minimisation.
|
||||
Thanks to Jim Greenwood from Nominet for the report.
|
||||
|
||||
15 May 2025: Wouter
|
||||
- Fix config of slab values when there is no config file.
|
||||
|
||||
13 May 2025: Yorgos
|
||||
- Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug)
|
||||
by adding a log_assert() to safeguard future development.
|
||||
- Fix #1282: log-destaddr fail on long ipv6 addresses.
|
||||
|
||||
13 May 2025: Wouter
|
||||
- Change default for so-sndbuf to 1m, to mitigate a cross-layer
|
||||
issue where the UDP socket send buffers are exhausted waiting
|
||||
for ARP/NDP resolution. Thanks to Reflyable for the report.
|
||||
- Adjusted so-sndbuf default to 4m.
|
||||
|
||||
12 May 2025: Yorgos
|
||||
- Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on
|
||||
broken auth zones that include unsigned out of zone (above apex)
|
||||
data. Could lead to hang while trying to prove a wildcard answer.
|
||||
|
||||
12 May 2025: Wouter
|
||||
- Fix #1283: Unsafe usage of atoi() while parsing the configuration
|
||||
file.
|
||||
|
||||
9 May 2025: Wouter
|
||||
- Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ."
|
||||
in 1.23.0, but worked in 1.22.0.
|
||||
|
||||
5 May 2025: Yorgos
|
||||
- Sync unbound and unbound-checkconf log output for unknown modules.
|
||||
|
||||
29 April 2025: Wouter
|
||||
- Fix for parallel build of dnstap protoc-c output.
|
||||
- Fix dnstap to use protoc.
|
||||
|
||||
29 April 2025: Yorgos
|
||||
- Merge #1276: Auto-configure '-slabs' values.
|
||||
|
||||
28 April 2025: Yorgos
|
||||
- Merge #1275: Use macros for the fr_check_changed* functions.
|
||||
|
||||
25 April 2025: Wouter
|
||||
- Fix #1272: assertion failure testcode/unitverify.c:202.
|
||||
|
||||
16 April 2025: Wouter
|
||||
- Increase default to `num-queries-per-thread: 2048`, when unbound is
|
||||
compiled with libevent. It makes saturation of the task queue more
|
||||
resource intensive and less practical. Thanks to Shiming Liu,
|
||||
Network and Information Security Lab, Tsinghua University for the
|
||||
report.
|
||||
|
||||
11 April 2025: Wouter
|
||||
- Tag for 1.23.0rc2. This became the release of 1.23.0 on 24 April
|
||||
2025. The code repository continues with 1.23.1 in development.
|
||||
|
||||
11 April 2025: Yorgos
|
||||
- Merge #1265: Fix WSAPoll.
|
||||
|
||||
@@ -651,7 +918,7 @@
|
||||
now checks both single and multi process/thread operation.
|
||||
|
||||
16 May 2024: Yorgos
|
||||
- Merge #1070: Fix rtt assignement for low values of
|
||||
- Merge #1070: Fix rtt assignment for low values of
|
||||
infra-cache-max-rtt.
|
||||
|
||||
16 May 2024: Wouter
|
||||
@@ -1059,7 +1326,7 @@
|
||||
13 October 2023: George
|
||||
- Better fix for infinite loop when reading multiple lines of input on
|
||||
a broken remote control socket, by treating a zero byte line the
|
||||
same as transmission end. Addesses #947 and #948.
|
||||
same as transmission end. Addresses #947 and #948.
|
||||
|
||||
12 October 2023: Wouter
|
||||
- Merge #944: Disable EDNS DO.
|
||||
@@ -1082,7 +1349,7 @@
|
||||
|
||||
10 October 2023: George
|
||||
- Fix infinite loop when reading multiple lines of input on a broken
|
||||
remote control socket. Addesses #947 and #948.
|
||||
remote control socket. Addresses #947 and #948.
|
||||
|
||||
9 October 2023: Wouter
|
||||
- Fix edns subnet so that queries with a source prefix of zero cause
|
||||
@@ -1515,7 +1782,7 @@
|
||||
- Ignore expired error responses.
|
||||
|
||||
11 November 2022: Wouter
|
||||
- Fix #779: [doc] Missing documention in ub_resolve_event() for
|
||||
- Fix #779: [doc] Missing documentation in ub_resolve_event() for
|
||||
callback parameter was_ratelimited.
|
||||
|
||||
9 November 2022: George
|
||||
@@ -2479,7 +2746,7 @@
|
||||
not hang. removed trailing slashes from configure paths. Moved iOS
|
||||
tests to allow-failure.
|
||||
- travis, analyzer disabled on test without debug, that does not
|
||||
run anway. Turn off failing tests except one. Update iOS test
|
||||
run anyway. Turn off failing tests except one. Update iOS test
|
||||
to xcode image 12.2.
|
||||
|
||||
22 March 2021: George
|
||||
@@ -2568,7 +2835,7 @@
|
||||
- Fix build on Python 3.10.
|
||||
|
||||
10 February 2021: Wouter
|
||||
- Merge PR #420 from dyunwei: DOH not responsing with
|
||||
- Merge PR #420 from dyunwei: DOH not responding with
|
||||
"http2_query_read_done failure" logged.
|
||||
|
||||
9 February 2021: Wouter
|
||||
@@ -2968,7 +3235,7 @@
|
||||
|
||||
6 August 2020: Wouter
|
||||
- Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
|
||||
The DLV has been decommisioned and in unbound 1.5.4, in 2015, there
|
||||
The DLV has been decommissioned and in unbound 1.5.4, in 2015, there
|
||||
was advise to stop using it. The current code base does not contain
|
||||
DLV code any more. The use of dlv options displays a warning.
|
||||
|
||||
@@ -3517,7 +3784,7 @@
|
||||
3 December 2019: Wouter
|
||||
- Merge pull request #124 from rmetrich: Changed log lock
|
||||
from 'quick' to 'basic' because this is an I/O lock.
|
||||
- Fix text around serial arithmatic used for RRSIG times to refer
|
||||
- Fix text around serial arithmetic used for RRSIG times to refer
|
||||
to correct RFC number.
|
||||
- Fix Assert Causing DoS in synth_cname(),
|
||||
reported by X41 D-Sec.
|
||||
@@ -3780,7 +4047,7 @@
|
||||
- For #52 #53, second context does not close logfile override.
|
||||
- Fix #52 #53, fix for example fail program.
|
||||
- Fix to return after failed auth zone http chunk write.
|
||||
- Fix to remove unused test for task_probe existance.
|
||||
- Fix to remove unused test for task_probe existence.
|
||||
- Fix to timeval_add for remaining second in microseconds.
|
||||
- Check repinfo in worker_handle_request, if null, drop it.
|
||||
|
||||
@@ -5037,7 +5304,7 @@
|
||||
|
||||
1 February 2018: Wouter
|
||||
- fix unaligned structure making a false positive in checklock
|
||||
unitialised memory.
|
||||
uninitialised memory.
|
||||
|
||||
29 January 2018: Ralph
|
||||
- Use NSEC with longest ce to prove wildcard absence.
|
||||
@@ -5640,8 +5907,8 @@
|
||||
- Remove (now unused) event2 include from dnscrypt code.
|
||||
|
||||
24 March 2017: George
|
||||
- Fix to prevent non-referal query from being cached as referal when the
|
||||
no_cache_store flag was set.
|
||||
- Fix to prevent non-referral query from being cached as referral when
|
||||
the no_cache_store flag was set.
|
||||
|
||||
23 March 2017: Wouter
|
||||
- Fix #1239: configure fails to find python distutils if python
|
||||
@@ -5704,7 +5971,7 @@
|
||||
|
||||
7 March 2017: Wouter
|
||||
- Fix #1230: swig version 2.0.0 is required for pythonmod, with
|
||||
1.3.40 it crashes when running repeatly unbound-control reload.
|
||||
1.3.40 it crashes when running repeatedly unbound-control reload.
|
||||
- Response actions based on IP address from Jinmei Tatuya (Infoblox).
|
||||
|
||||
6 March 2017: Wouter
|
||||
@@ -5720,7 +5987,7 @@
|
||||
known vulns.
|
||||
|
||||
27 February 2017: Wouter
|
||||
- Fix #1227: Fix that Unbound control allows weak ciphersuits.
|
||||
- Fix #1227: Fix that Unbound control allows weak ciphersuites.
|
||||
- Fix #1226: provide official 32bit binary for windows.
|
||||
|
||||
24 February 2017: Wouter
|
||||
@@ -6709,7 +6976,7 @@
|
||||
- Fix #674: Do not free pointers given by getenv.
|
||||
|
||||
29 May 2015: Wouter
|
||||
- Fix that unparseable error responses are ratelimited.
|
||||
- Fix that unparsable error responses are ratelimited.
|
||||
- SOA negative TTL is capped at minimumttl in its rdata section.
|
||||
- cache-max-negative-ttl config option, default 3600.
|
||||
|
||||
@@ -6727,7 +6994,7 @@
|
||||
|
||||
10 May 2015: Wouter
|
||||
- Change syntax of particular validator error to be easier for
|
||||
machine parse, swap rrset and ip adres info so it looks like:
|
||||
machine parse, swap rrset and ip address info so it looks like:
|
||||
validation failure <www.example.nl. TXT IN>: signature crypto
|
||||
failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
|
||||
|
||||
@@ -8307,7 +8574,7 @@
|
||||
- fix that --enable-static-exe does not complain about it unknown.
|
||||
|
||||
30 June 2011: Wouter
|
||||
- tag relase 1.4.11, trunk is 1.4.12 development.
|
||||
- tag release 1.4.11, trunk is 1.4.12 development.
|
||||
- iana portlist updated.
|
||||
- fix bug#395: id bits of other query may leak out under conditions
|
||||
- fix replyaddr count wrong after jostled queries, which leads to
|
||||
@@ -9637,7 +9904,7 @@
|
||||
|
||||
8 June 2009: Wouter
|
||||
- Removed RFC5011 REVOKE flag support. Partial 5011 support may cause
|
||||
inadvertant behaviour.
|
||||
inadvertent behaviour.
|
||||
- 1.3.0 tarball for release created.
|
||||
- 1.3.1 development in svn trunk.
|
||||
- iana portlist updated.
|
||||
@@ -9986,7 +10253,7 @@
|
||||
- initgroups(3) is called to drop secondary group permissions, if
|
||||
applicable.
|
||||
- configure option --with-ldns-builtin forces the use of the
|
||||
inluded ldns package with the unbound source. The -I include
|
||||
included ldns package with the unbound source. The -I include
|
||||
is put before the others, so it avoids bad include files from
|
||||
an older ldns install.
|
||||
- daemon(3) posix call is used when available.
|
||||
@@ -10291,7 +10558,7 @@
|
||||
please ranlib, stop file without symbols warning.
|
||||
- harden referral path now also validates the root after priming.
|
||||
It looks up the root NS authoritatively as well as the root servers
|
||||
and attemps to validate the entries.
|
||||
and attempts to validate the entries.
|
||||
|
||||
16 October 2008: Wouter
|
||||
- Fixup negative TTL values appearing (reported by Attila Nagy).
|
||||
@@ -11070,7 +11337,7 @@
|
||||
- please doxygen, put doxygen comment in one place.
|
||||
- asynclook -b blocking mode and test.
|
||||
- refactor asynclook, nicer code.
|
||||
- fixup race problems from opensll in rand init from library, with
|
||||
- fixup race problems from openssl in rand init from library, with
|
||||
a mutex around the rand init.
|
||||
- fix pass async_id=NULL to _async resolve().
|
||||
- rewrote _wait() routine, so that it is threadsafe.
|
||||
@@ -12043,7 +12310,7 @@
|
||||
11 June 2007: Wouter
|
||||
- replies on TCP queries have the address field set in replyinfo,
|
||||
for serviced queries, because the initiator does not know that
|
||||
a TCP fallback has occured.
|
||||
a TCP fallback has occurred.
|
||||
- omit DNSSEC types from nonDO replies, except if qtype is ANY or
|
||||
if qtype directly queries for the type (and then only show that
|
||||
'unknown type' in the answer section).
|
||||
|
||||
+1
-1
@@ -1,4 +1,4 @@
|
||||
README for Unbound 1.23.1
|
||||
README for Unbound 1.24.0
|
||||
Copyright 2007 NLnet Labs
|
||||
http://unbound.net
|
||||
|
||||
|
||||
@@ -0,0 +1,16 @@
|
||||
After Unbound 1.23.0, the source of the man pages is in reStructuredText format.
|
||||
|
||||
This helps with the online documentation at https://unbound.docs.nlnetlabs.nl
|
||||
and makes it easier to maintain and contribute to the documentation.
|
||||
|
||||
The templated man pages (*.in) are still part of the code repository as to not
|
||||
alter current procedures that could be in place by users/packagers.
|
||||
|
||||
The templated man pages (*.in) are generated by Sphinx (used for the online
|
||||
documentation).
|
||||
The online documentation has its own repository at
|
||||
https://github.com/NLnetLabs/unbound-manual.
|
||||
|
||||
In the README.md there (branch test-auto for now), there are further simple
|
||||
instructions on how to generate the templated man pages there and update them
|
||||
in this repository.
|
||||
+5
-5
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.23.1.
|
||||
# See unbound.conf(5) man page, version 1.24.0.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
@@ -116,8 +116,8 @@ server:
|
||||
# so-rcvbuf: 0
|
||||
|
||||
# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
|
||||
# 0 is system default. Use 4m to handle spikes on very busy servers.
|
||||
# so-sndbuf: 0
|
||||
# 0 is system default. Set larger to handle spikes on very busy servers.
|
||||
# so-sndbuf: 4m
|
||||
|
||||
# use SO_REUSEPORT to distribute queries over threads.
|
||||
# at extreme load it could be better to turn it off to distribute even.
|
||||
@@ -163,7 +163,7 @@ server:
|
||||
# msg-cache-slabs: 4
|
||||
|
||||
# the number of queries that a thread gets to service.
|
||||
# num-queries-per-thread: 1024
|
||||
# num-queries-per-thread: 2048
|
||||
|
||||
# if very busy, 50% queries run to completion, 50% get timeout in msec
|
||||
# jostle-timeout: 200
|
||||
@@ -279,7 +279,7 @@ server:
|
||||
# do-ip6: yes
|
||||
|
||||
# If running unbound on an IPv6-only host, domains that only have
|
||||
# IPv4 servers would become unresolveable. If NAT64 is available in
|
||||
# IPv4 servers would become unresolvable. If NAT64 is available in
|
||||
# the network, unbound can use NAT64 to reach these servers with
|
||||
# the following option. This is NOT needed for enabling DNS64 on a
|
||||
# system that has IPv4 connectivity.
|
||||
|
||||
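Review bot: The new `# num-queries-per-thread: 2048` line in the `@@ -163,7 +163,7 @@ server:` hunk presents 2048 as the unconditional default, while the Changelog entry in this same commit (16 April 2025) says the increase to 2048 applies when unbound is compiled with libevent; the removed line shows 1024 was the previous value, and presumably stays the default without libevent, which is worth confirming. Since commented-out values in this file are read by operators as the shipped defaults, the comment above it should say which build gets which value, e.g. `# the number of queries that a thread gets to service (2048 with libevent, 1024 without).` Similarly, in the `@@ -116,8 +116,8 @@ server:` hunk the line `# 0 is system default. Set larger to handle spikes on very busy servers.` sits directly above `# so-sndbuf: 4m` and can be read as stating that the default is 0; `# 0 uses the system default; the default of 4m handles spikes on very busy servers.` would remove the ambiguity.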
+330
-343
@@ -1,335 +1,306 @@
|
||||
.TH "libunbound" "3" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
.\"
|
||||
.\" See LICENSE for the license.
|
||||
.\"
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B libunbound,
|
||||
.B unbound.h,
|
||||
.B ub_ctx,
|
||||
.B ub_result,
|
||||
.B ub_callback_type,
|
||||
.B ub_ctx_create,
|
||||
.B ub_ctx_delete,
|
||||
.B ub_ctx_set_option,
|
||||
.B ub_ctx_get_option,
|
||||
.B ub_ctx_config,
|
||||
.B ub_ctx_set_fwd,
|
||||
.B ub_ctx_set_stub,
|
||||
.B ub_ctx_set_tls,
|
||||
.B ub_ctx_resolvconf,
|
||||
.B ub_ctx_hosts,
|
||||
.B ub_ctx_add_ta,
|
||||
.B ub_ctx_add_ta_autr,
|
||||
.B ub_ctx_add_ta_file,
|
||||
.B ub_ctx_trustedkeys,
|
||||
.B ub_ctx_debugout,
|
||||
.B ub_ctx_debuglevel,
|
||||
.B ub_ctx_async,
|
||||
.B ub_poll,
|
||||
.B ub_wait,
|
||||
.B ub_fd,
|
||||
.B ub_process,
|
||||
.B ub_resolve,
|
||||
.B ub_resolve_async,
|
||||
.B ub_cancel,
|
||||
.B ub_resolve_free,
|
||||
.B ub_strerror,
|
||||
.B ub_ctx_print_local_zones,
|
||||
.B ub_ctx_zone_add,
|
||||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.23.1 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
\fIstruct ub_ctx *\fR
|
||||
\fBub_ctx_create\fR(\fIvoid\fR);
|
||||
.LP
|
||||
\fIvoid\fR
|
||||
\fBub_ctx_delete\fR(\fIstruct ub_ctx*\fR ctx);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_set_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar*\fR val);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_get_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar**\fR val);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_config\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_set_fwd\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR addr);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_set_stub\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone,
|
||||
\fIchar*\fR addr,
|
||||
.br
|
||||
\fIint\fR isprime);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_set_tls\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR tls);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_hosts\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_add_ta\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR ta);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_add_ta_autr\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_add_ta_file\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_trustedkeys\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_debugout\fR(\fIstruct ub_ctx*\fR ctx, \fIFILE*\fR out);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_debuglevel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR d);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_async\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR dothread);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_poll\fR(\fIstruct ub_ctx*\fR ctx);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_wait\fR(\fIstruct ub_ctx*\fR ctx);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_fd\fR(\fIstruct ub_ctx*\fR ctx);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_process\fR(\fIstruct ub_ctx*\fR ctx);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_resolve\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name,
|
||||
.br
|
||||
\fIint\fR rrtype, \fIint\fR rrclass, \fIstruct ub_result**\fR result);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_resolve_async\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name,
|
||||
.br
|
||||
\fIint\fR rrtype, \fIint\fR rrclass, \fIvoid*\fR mydata,
|
||||
.br
|
||||
\fIub_callback_type\fR callback, \fIint*\fR async_id);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_cancel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR async_id);
|
||||
.LP
|
||||
\fIvoid\fR
|
||||
\fBub_resolve_free\fR(\fIstruct ub_result*\fR result);
|
||||
.LP
|
||||
\fIconst char *\fR
|
||||
\fBub_strerror\fR(\fIint\fR err);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_print_local_zones\fR(\fIstruct ub_ctx*\fR ctx);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_zone_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name, \fIchar*\fR zone_type);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_zone_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_data_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data);
|
||||
.LP
|
||||
\fIint\fR
|
||||
\fBub_ctx_data_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data);
|
||||
.SH "DESCRIPTION"
|
||||
.B Unbound
|
||||
is an implementation of a DNS resolver, that does caching and
|
||||
DNSSEC validation. This is the library API, for using the \-lunbound library.
|
||||
The server daemon is described in \fIunbound\fR(8).
|
||||
The library works independent from a running unbound server, and
|
||||
can be used to convert hostnames to ip addresses, and back,
|
||||
and obtain other information from the DNS. The library performs public\-key
|
||||
validation of results with DNSSEC.
|
||||
.P
|
||||
The library uses a variable of type \fIstruct ub_ctx\fR to keep context
|
||||
between calls. The user must maintain it, creating it with
|
||||
.B ub_ctx_create
|
||||
and deleting it with
|
||||
.B ub_ctx_delete\fR.
|
||||
It can be created and deleted at any time. Creating it anew removes any
|
||||
previous configuration (such as trusted keys) and clears any cached results.
|
||||
.P
|
||||
The functions are thread\-safe, and a context can be used in a threaded (as
|
||||
well as in a non\-threaded) environment. Also resolution (and validation)
|
||||
can be performed blocking and non\-blocking (also called asynchronous).
|
||||
The async method returns from the call immediately, so that processing
|
||||
can go on, while the results become available later.
|
||||
.P
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
.
|
||||
.nr rst2man-indent-level 0
|
||||
.
|
||||
.de1 rstReportMargin
|
||||
\\$1 \\n[an-margin]
|
||||
level \\n[rst2man-indent-level]
|
||||
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
-
|
||||
\\n[rst2man-indent0]
|
||||
\\n[rst2man-indent1]
|
||||
\\n[rst2man-indent2]
|
||||
..
|
||||
.de1 INDENT
|
||||
.\" .rstReportMargin pre:
|
||||
. RS \\$1
|
||||
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
||||
. nr rst2man-indent-level +1
|
||||
.\" .rstReportMargin post:
|
||||
..
|
||||
.de UNINDENT
|
||||
. RE
|
||||
.\" indent \\n[an-margin]
|
||||
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
.nr rst2man-indent-level -1
|
||||
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
||||
..
|
||||
.TH "LIBUNBOUND" "3" "Sep 18, 2025" "1.24.0" "Unbound"
|
||||
.SH NAME
|
||||
libunbound \- Unbound DNS validating resolver 1.24.0 functions.
|
||||
.SH SYNOPSIS
|
||||
.sp
|
||||
\fB#include <unbound.h>\fP
|
||||
.sp
|
||||
struct ub_ctx * \fBub_ctx_create\fP(void);
|
||||
.sp
|
||||
void \fBub_ctx_delete\fP(struct ub_ctx* ctx);
|
||||
.sp
|
||||
int \fBub_ctx_set_option\fP(struct ub_ctx* ctx, char* opt, char* val);
|
||||
.sp
|
||||
int \fBub_ctx_get_option\fP(struct ub_ctx* ctx, char* opt, char** val);
|
||||
.sp
|
||||
int \fBub_ctx_config\fP(struct ub_ctx* ctx, char* fname);
|
||||
.sp
|
||||
int \fBub_ctx_set_fwd\fP(struct ub_ctx* ctx, char* addr);
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
int \fBub_ctx_set_stub\fP(struct ub_ctx* ctx, char* zone, char* addr,
|
||||
int isprime);
|
||||
.UNINDENT
|
||||
.sp
|
||||
int \fBub_ctx_set_tls\fP(struct ub_ctx* ctx, int tls);
|
||||
.sp
|
||||
int \fBub_ctx_resolvconf\fP(struct ub_ctx* ctx, char* fname);
|
||||
.sp
|
||||
int \fBub_ctx_hosts\fP(struct ub_ctx* ctx, char* fname);
|
||||
.sp
|
||||
int \fBub_ctx_add_ta\fP(struct ub_ctx* ctx, char* ta);
|
||||
.sp
|
||||
int \fBub_ctx_add_ta_autr\fP(struct ub_ctx* ctx, char* fname);
|
||||
.sp
|
||||
int \fBub_ctx_add_ta_file\fP(struct ub_ctx* ctx, char* fname);
|
||||
.sp
|
||||
int \fBub_ctx_trustedkeys\fP(struct ub_ctx* ctx, char* fname);
|
||||
.sp
|
||||
int \fBub_ctx_debugout\fP(struct ub_ctx* ctx, FILE* out);
|
||||
.sp
|
||||
int \fBub_ctx_debuglevel\fP(struct ub_ctx* ctx, int d);
|
||||
.sp
|
||||
int \fBub_ctx_async\fP(struct ub_ctx* ctx, int dothread);
|
||||
.sp
|
||||
int \fBub_poll\fP(struct ub_ctx* ctx);
|
||||
.sp
|
||||
int \fBub_wait\fP(struct ub_ctx* ctx);
|
||||
.sp
|
||||
int \fBub_fd\fP(struct ub_ctx* ctx);
|
||||
.sp
|
||||
int \fBub_process\fP(struct ub_ctx* ctx);
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
int \fBub_resolve\fP(struct ub_ctx* ctx, char* name,
|
||||
int rrtype, int rrclass, struct ub_result** result);
|
||||
.TP
|
||||
int \fBub_resolve_async\fP(struct ub_ctx* ctx, char* name,
|
||||
int rrtype, int rrclass, void* mydata,
|
||||
ub_callback_type* callback, int* async_id);
|
||||
.UNINDENT
|
||||
.sp
|
||||
int \fBub_cancel\fP(struct ub_ctx* ctx, int async_id);
|
||||
.sp
|
||||
void \fBub_resolve_free\fP(struct ub_result* result);
|
||||
.sp
|
||||
const char * \fBub_strerror\fP(int err);
|
||||
.sp
|
||||
int \fBub_ctx_print_local_zones\fP(struct ub_ctx* ctx);
|
||||
.sp
|
||||
int \fBub_ctx_zone_add\fP(struct ub_ctx* ctx, char* zone_name, char* zone_type);
|
||||
.sp
|
||||
int \fBub_ctx_zone_remove\fP(struct ub_ctx* ctx, char* zone_name);
|
||||
.sp
|
||||
int \fBub_ctx_data_add\fP(struct ub_ctx* ctx, char* data);
|
||||
.sp
|
||||
int \fBub_ctx_data_remove\fP(struct ub_ctx* ctx, char* data);
|
||||
.SH DESCRIPTION
|
||||
.sp
|
||||
Unbound is an implementation of a DNS resolver, that does caching and DNSSEC
|
||||
validation.
|
||||
This is the library API, for using the \fB\-lunbound\fP library.
|
||||
The server daemon is described in \fI\%unbound(8)\fP\&.
|
||||
The library works independent from a running unbound server, and can be used to
|
||||
convert hostnames to ip addresses, and back, and obtain other information from
|
||||
the DNS.
|
||||
The library performs public\-key validation of results with DNSSEC.
|
||||
.sp
|
||||
The library uses a variable of type \fIstruct ub_ctx\fP to keep context between
|
||||
calls.
|
||||
The user must maintain it, creating it with \fBub_ctx_create\fP and deleting it
|
||||
with \fBub_ctx_delete\fP\&.
|
||||
It can be created and deleted at any time.
|
||||
Creating it anew removes any previous configuration (such as trusted keys) and
|
||||
clears any cached results.
|
||||
.sp
|
||||
The functions are thread\-safe, and a context can be used in a threaded (as well
|
||||
as in a non\-threaded) environment.
|
||||
Also resolution (and validation) can be performed blocking and non\-blocking
|
||||
(also called asynchronous).
|
||||
The async method returns from the call immediately, so that processing can go
|
||||
on, while the results become available later.
|
||||
.sp
|
||||
The functions are discussed in turn below.
|
||||
.SH "FUNCTIONS"
|
||||
.TP
|
||||
.SH FUNCTIONS
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B ub_ctx_create
|
||||
Create a new context, initialised with defaults.
|
||||
The information from /etc/resolv.conf and /etc/hosts is not utilised
|
||||
by default. Use
|
||||
.B ub_ctx_resolvconf
|
||||
and
|
||||
.B ub_ctx_hosts
|
||||
to read them.
|
||||
Before you call this, use the openssl functions CRYPTO_set_id_callback and
|
||||
CRYPTO_set_locking_callback to set up asynchronous operation if you use
|
||||
lib openssl (the application calls these functions once for initialisation).
|
||||
Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function.
|
||||
The information from \fB/etc/resolv.conf\fP and \fB/etc/hosts\fP is
|
||||
not utilised by default.
|
||||
Use \fBub_ctx_resolvconf\fP and \fBub_ctx_hosts\fP to read them.
|
||||
Before you call this, use the openssl functions
|
||||
\fBCRYPTO_set_id_callback\fP and \fBCRYPTO_set_locking_callback\fP to set
|
||||
up asynchronous operation if you use lib openssl (the application calls
|
||||
these functions once for initialisation).
|
||||
Openssl 1.0.0 or later uses the \fBCRYPTO_THREADID_set_callback\fP
|
||||
function.
|
||||
.TP
|
||||
.B ub_ctx_delete
|
||||
Delete validation context and free associated resources.
|
||||
Outstanding async queries are killed and callbacks are not called for them.
|
||||
Outstanding async queries are killed and callbacks are not called for
|
||||
them.
|
||||
.TP
|
||||
.B ub_ctx_set_option
|
||||
A power\-user interface that lets you specify one of the options from the
|
||||
config file format, see \fIunbound.conf\fR(5). Not all options are
|
||||
relevant. For some specific options, such as adding trust anchors, special
|
||||
routines exist. Pass the option name with the trailing ':'.
|
||||
A power\-user interface that lets you specify one of the options from
|
||||
the config file format, see \fI\%unbound.conf(5)\fP\&.
|
||||
Not all options are relevant.
|
||||
For some specific options, such as adding trust anchors, special
|
||||
routines exist.
|
||||
Pass the option name with the trailing \fB\(aq:\(aq\fP\&.
|
||||
.TP
|
||||
.B ub_ctx_get_option
|
||||
A power\-user interface that gets an option value. Some options cannot be
|
||||
gotten, and others return a newline separated list. Pass the option name
|
||||
without trailing ':'. The returned value must be free(2)d by the caller.
|
||||
A power\-user interface that gets an option value.
|
||||
Some options cannot be gotten, and others return a newline separated
|
||||
list.
|
||||
Pass the option name without trailing \fB\(aq:\(aq\fP\&.
|
||||
The returned value must be free(2)d by the caller.
|
||||
.TP
|
||||
.B ub_ctx_config
|
||||
A power\-user interface that lets you specify an unbound config file, see
|
||||
\fIunbound.conf\fR(5), which is read for configuration. Not all options are
|
||||
relevant. For some specific options, such as adding trust anchors, special
|
||||
routines exist. This function is thread\-safe only if a single instance of
|
||||
ub_ctx* exists in the application. If several instances exist the
|
||||
application has to ensure that ub_ctx_config is not called in parallel by
|
||||
the different instances.
|
||||
A power\-user interface that lets you specify an unbound config file,
|
||||
see \fI\%unbound.conf(5)\fP, which is read for
|
||||
configuration.
|
||||
Not all options are relevant.
|
||||
For some specific options, such as adding trust anchors, special
|
||||
routines exist.
|
||||
This function is thread\-safe only if a single instance of \fBub_ctx\fP*
|
||||
exists in the application.
|
||||
If several instances exist the application has to ensure that
|
||||
\fBub_ctx_config\fP is not called in parallel by the different instances.
|
||||
.TP
|
||||
.B ub_ctx_set_fwd
|
||||
Set machine to forward DNS queries to, the caching resolver to use.
|
||||
IP4 or IP6 address. Forwards all DNS requests to that machine, which
|
||||
is expected to run a recursive resolver. If the proxy is not
|
||||
DNSSEC capable, validation may fail. Can be called several times, in
|
||||
that case the addresses are used as backup servers.
|
||||
At this time it is only possible to set configuration before the
|
||||
first resolve is done.
|
||||
Set machine to forward DNS queries to, the caching resolver to use.
|
||||
IP4 or IP6 address.
|
||||
Forwards all DNS requests to that machine, which is expected to run a
|
||||
recursive resolver.
|
||||
If the proxy is not DNSSEC capable, validation may fail.
|
||||
Can be called several times, in that case the addresses are used as
|
||||
backup servers.
|
||||
At this time it is only possible to set configuration before the first
|
||||
resolve is done.
|
||||
.TP
|
||||
.B ub_ctx_set_stub
|
||||
Set a stub zone, authoritative dns servers to use for a particular zone.
|
||||
IP4 or IP6 address. If the address is NULL the stub entry is removed.
|
||||
Set isprime true if you configure root hints with it. Otherwise similar to
|
||||
the stub zone item from unbound's config file. Can be called several times,
|
||||
for different zones, or to add multiple addresses for a particular zone.
|
||||
At this time it is only possible to set configuration before the
|
||||
first resolve is done.
|
||||
Set a stub zone, authoritative dns servers to use for a particular
|
||||
zone.
|
||||
IP4 or IP6 address.
|
||||
If the address is NULL the stub entry is removed.
|
||||
Set isprime true if you configure root hints with it.
|
||||
Otherwise similar to the stub zone item from unbound\(aqs config file.
|
||||
Can be called several times, for different zones, or to add multiple
|
||||
addresses for a particular zone.
|
||||
At this time it is only possible to set configuration before the first
|
||||
resolve is done.
|
||||
.TP
|
||||
.B ub_ctx_set_tls
|
||||
Enable DNS over TLS (DoT) for machines set with
|
||||
.B ub_ctx_set_fwd.
|
||||
At this time it is only possible to set configuration before the
|
||||
first resolve is done.
|
||||
Enable DNS over TLS (DoT) for machines set with \fBub_ctx_set_fwd\fP\&.
|
||||
At this time it is only possible to set configuration before the first
|
||||
resolve is done.
|
||||
.TP
|
||||
.B ub_ctx_resolvconf
|
||||
By default the root servers are queried and full resolver mode is used, but
|
||||
you can use this call to read the list of nameservers to use from the
|
||||
filename given.
|
||||
Usually "/etc/resolv.conf". Uses those nameservers as caching proxies.
|
||||
By default the root servers are queried and full resolver mode is used,
|
||||
but you can use this call to read the list of nameservers to use from
|
||||
the filename given.
|
||||
Usually \fB\(dq/etc/resolv.conf\(dq\fP\&.
|
||||
Uses those nameservers as caching proxies.
|
||||
If they do not support DNSSEC, validation may fail.
|
||||
Only nameservers are picked up, the searchdomain, ndots and other
|
||||
settings from \fIresolv.conf\fR(5) are ignored.
|
||||
If fname NULL is passed, "/etc/resolv.conf" is used (if on Windows,
|
||||
the system\-wide configured nameserver is picked instead).
|
||||
At this time it is only possible to set configuration before the
|
||||
first resolve is done.
|
||||
settings from \fIresolv.conf(5)\fP are ignored.
|
||||
If fname NULL is passed, \fB\(dq/etc/resolv.conf\(dq\fP is used (if on
|
||||
Windows, the system\-wide configured nameserver is picked instead).
|
||||
At this time it is only possible to set configuration before the first
|
||||
resolve is done.
|
||||
.TP
|
||||
.B ub_ctx_hosts
|
||||
Read list of hosts from the filename given.
|
||||
Usually "/etc/hosts". When queried for, these addresses are not marked
|
||||
DNSSEC secure. If fname NULL is passed, "/etc/hosts" is used
|
||||
(if on Windows, etc/hosts from WINDIR is picked instead).
|
||||
At this time it is only possible to set configuration before the
|
||||
first resolve is done.
|
||||
Usually \fB\(dq/etc/hosts\(dq\fP\&.
|
||||
When queried for, these addresses are not marked DNSSEC secure.
|
||||
If fname NULL is passed, \fB\(dq/etc/hosts\(dq\fP is used (if on Windows,
|
||||
\fBetc/hosts\fP from WINDIR is picked instead).
|
||||
At this time it is only possible to set configuration before the first
|
||||
resolve is done.
|
||||
.TP
|
||||
.B
|
||||
ub_ctx_add_ta
|
||||
.B ub_ctx_add_ta
|
||||
Add a trust anchor to the given context.
|
||||
At this time it is only possible to add trusted keys before the
|
||||
first resolve is done.
|
||||
At this time it is only possible to add trusted keys before the first
|
||||
resolve is done.
|
||||
The format is a string, similar to the zone\-file format,
|
||||
[domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted.
|
||||
\fB[domainname]\fP \fB[type]\fP \fB[rdata contents]\fP\&.
|
||||
Both DS and DNSKEY records are accepted.
|
||||
.TP
|
||||
.B ub_ctx_add_ta_autr
|
||||
Add filename with automatically tracked trust anchor to the given context.
|
||||
Pass name of a file with the managed trust anchor. You can create this
|
||||
file with \fIunbound\-anchor\fR(8) for the root anchor. You can also
|
||||
create it with an initial file with one line with a DNSKEY or DS record.
|
||||
Add filename with automatically tracked trust anchor to the given
|
||||
context.
|
||||
Pass name of a file with the managed trust anchor.
|
||||
You can create this file with
|
||||
\fI\%unbound\-anchor(8)\fP for the root anchor.
|
||||
You can also create it with an initial file with one line with a DNSKEY
|
||||
or DS record.
|
||||
If the file is writable, it is updated when the trust anchor changes.
|
||||
At this time it is only possible to add trusted keys before the
|
||||
first resolve is done.
|
||||
At this time it is only possible to add trusted keys before the first
|
||||
resolve is done.
|
||||
.TP
|
||||
.B ub_ctx_add_ta_file
|
||||
Add trust anchors to the given context.
|
||||
Pass name of a file with DS and DNSKEY records in zone file format.
|
||||
At this time it is only possible to add trusted keys before the
|
||||
first resolve is done.
|
||||
At this time it is only possible to add trusted keys before the first
|
||||
resolve is done.
|
||||
.TP
|
||||
.B ub_ctx_trustedkeys
|
||||
Add trust anchors to the given context.
|
||||
Pass the name of a bind\-style config file with trusted\-keys{}.
|
||||
At this time it is only possible to add trusted keys before the
|
||||
first resolve is done.
|
||||
Pass the name of a bind\-style config file with \fBtrusted\-keys{}\fP\&.
|
||||
At this time it is only possible to add trusted keys before the first
|
||||
resolve is done.
|
||||
.TP
|
||||
.B ub_ctx_debugout
|
||||
Set debug and error log output to the given stream. Pass NULL to disable
|
||||
output. Default is stderr. File\-names or using syslog can be enabled
|
||||
using config options, this routine is for using your own stream.
|
||||
Set debug and error log output to the given stream.
|
||||
Pass NULL to disable output.
|
||||
Default is stderr.
|
||||
File\-names or using syslog can be enabled using config options, this
|
||||
routine is for using your own stream.
|
||||
.TP
|
||||
.B ub_ctx_debuglevel
|
||||
Set debug verbosity for the context. Output is directed to stderr.
|
||||
Set debug verbosity for the context.
|
||||
Output is directed to stderr.
|
||||
Higher debug level gives more output.
|
||||
.TP
|
||||
.B ub_ctx_async
|
||||
Set a context behaviour for asynchronous action.
|
||||
if set to true, enables threading and a call to
|
||||
.B ub_resolve_async
|
||||
if set to true, enables threading and a call to \fBub_resolve_async\fP
|
||||
creates a thread to handle work in the background.
|
||||
If false, a process is forked to handle work in the background.
|
||||
Changes to this setting after
|
||||
.B ub_resolve_async
|
||||
calls have been made have no effect (delete and re\-create the context
|
||||
to change).
|
||||
Changes to this setting after \fBub_resolve_async\fP calls have been made
|
||||
have no effect (delete and re\-create the context to change).
|
||||
.TP
|
||||
.B ub_poll
|
||||
Poll a context to see if it has any new results.
|
||||
Do not poll in a loop, instead extract the fd below to poll for readiness,
|
||||
and then check, or wait using the wait routine.
|
||||
Do not poll in a loop, instead extract the \fBfd\fP below to poll for
|
||||
readiness, and then check, or wait using the wait routine.
|
||||
Returns 0 if nothing to read, or nonzero if a result is available.
|
||||
If nonzero, call
|
||||
.B ub_process
|
||||
to do callbacks.
|
||||
If nonzero, call \fBub_process\fP to do callbacks.
|
||||
.TP
|
||||
.B ub_wait
|
||||
Wait for a context to finish with results. Calls
|
||||
.B ub_process
|
||||
after the wait for you. After the wait, there are no more outstanding
|
||||
asynchronous queries.
|
||||
Wait for a context to finish with results.
|
||||
Calls \fBub_process\fP after the wait for you.
|
||||
After the wait, there are no more outstanding asynchronous queries.
|
||||
.TP
|
||||
.B ub_fd
|
||||
Get file descriptor. Wait for it to become readable, at this point
|
||||
answers are returned from the asynchronous validating resolver.
|
||||
Then call the \fBub_process\fR to continue processing.
|
||||
Get file descriptor.
|
||||
Wait for it to become readable, at this point answers are returned from
|
||||
the asynchronous validating resolver.
|
||||
Then call the \fBub_process\fP to continue processing.
|
||||
.TP
|
||||
.B ub_process
|
||||
Call this routine to continue processing results from the validating
|
||||
resolver (when the fd becomes readable).
|
||||
resolver (when the \fBfd\fP becomes readable).
|
||||
Will perform necessary callbacks.
|
||||
.TP
|
||||
.B ub_resolve
|
||||
@@ -340,95 +311,111 @@ The result structure is newly allocated with the resulting data.
|
||||
.TP
|
||||
.B ub_resolve_async
|
||||
Perform asynchronous resolution and validation of the target name.
|
||||
Arguments mean the same as for \fBub_resolve\fR except no
|
||||
data is returned immediately, instead a callback is called later.
|
||||
The callback receives a copy of the mydata pointer, that you can use to pass
|
||||
information to the callback. The callback type is a function pointer to
|
||||
a function declared as
|
||||
.IP
|
||||
void my_callback_function(void* my_arg, int err,
|
||||
.br
|
||||
struct ub_result* result);
|
||||
.IP
|
||||
The async_id is returned so you can (at your option) decide to track it
|
||||
and cancel the request if needed. If you pass a NULL pointer the async_id
|
||||
is not returned.
|
||||
Arguments mean the same as for \fBub_resolve\fP except no data is
|
||||
returned immediately, instead a callback is called later.
|
||||
The callback receives a copy of the mydata pointer, that you can use to
|
||||
pass information to the callback.
|
||||
The callback type is a function pointer to a function declared as:
|
||||
.INDENT 7.0
|
||||
.INDENT 3.5
|
||||
.sp
|
||||
.nf
|
||||
.ft C
|
||||
void my_callback_function(void* my_arg, int err,
|
||||
struct ub_result* result);
|
||||
.ft P
|
||||
.fi
|
||||
.UNINDENT
|
||||
.UNINDENT
|
||||
.sp
|
||||
The \fBasync_id\fP is returned so you can (at your option) decide to
|
||||
track it and cancel the request if needed.
|
||||
If you pass a NULL pointer the \fBasync_id\fP is not returned.
|
||||
.TP
|
||||
.B ub_cancel
|
||||
Cancel an async query in progress. This may return an error if the query
|
||||
does not exist, or the query is already being delivered, in that case you
|
||||
may still get a callback for the query.
|
||||
Cancel an async query in progress.
|
||||
This may return an error if the query does not exist, or the query is
|
||||
already being delivered, in that case you may still get a callback for
|
||||
the query.
|
||||
.TP
|
||||
.B ub_resolve_free
|
||||
Free struct ub_result contents after use.
|
||||
Free struct \fBub_result\fP contents after use.
|
||||
.TP
|
||||
.B ub_strerror
|
||||
Convert error value from one of the unbound library functions
|
||||
to a human readable string.
|
||||
Convert error value from one of the unbound library functions to a
|
||||
human readable string.
|
||||
.TP
|
||||
.B ub_ctx_print_local_zones
|
||||
Debug printout the local authority information to debug output.
|
||||
.TP
|
||||
.B ub_ctx_zone_add
|
||||
Add new zone to local authority info, like local\-zone \fIunbound.conf\fR(5)
|
||||
statement.
|
||||
Add new zone to local authority info, like local\-zone
|
||||
\fI\%unbound.conf(5)\fP statement.
|
||||
.TP
|
||||
.B ub_ctx_zone_remove
|
||||
Delete zone from local authority info.
|
||||
.TP
|
||||
.B ub_ctx_data_add
|
||||
Add resource record data to local authority info, like local\-data
|
||||
\fIunbound.conf\fR(5) statement.
|
||||
\fI\%unbound.conf(5)\fP statement.
|
||||
.TP
|
||||
.B ub_ctx_data_remove
|
||||
Delete local authority data from the name given.
|
||||
.SH "RESULT DATA STRUCTURE"
|
||||
The result of the DNS resolution and validation is returned as
|
||||
\fIstruct ub_result\fR. The result structure contains the following entries.
|
||||
.P
|
||||
.UNINDENT
|
||||
.SH RESULT DATA STRUCTURE
|
||||
.sp
|
||||
The result of the DNS resolution and validation is returned as \fIstruct
|
||||
ub_result\fP\&.
|
||||
The result structure contains the following entries:
|
||||
.INDENT 0.0
|
||||
.INDENT 3.5
|
||||
.sp
|
||||
.nf
|
||||
struct ub_result {
|
||||
char* qname; /* text string, original question */
|
||||
int qtype; /* type code asked for */
|
||||
int qclass; /* class code asked for */
|
||||
char** data; /* array of rdata items, NULL terminated*/
|
||||
int* len; /* array with lengths of rdata items */
|
||||
char* canonname; /* canonical name of result */
|
||||
int rcode; /* additional error code in case of no data */
|
||||
void* answer_packet; /* full network format answer packet */
|
||||
int answer_len; /* length of packet in octets */
|
||||
int havedata; /* true if there is data */
|
||||
int nxdomain; /* true if nodata because name does not exist */
|
||||
int secure; /* true if result is secure */
|
||||
int bogus; /* true if a security failure happened */
|
||||
char* why_bogus; /* string with error if bogus */
|
||||
int was_ratelimited; /* true if the query was ratelimited (SERVFAIL) by unbound */
|
||||
int ttl; /* number of seconds the result is valid */
|
||||
};
|
||||
.ft C
|
||||
struct ub_result {
|
||||
char* qname; /* text string, original question */
|
||||
int qtype; /* type code asked for */
|
||||
int qclass; /* class code asked for */
|
||||
char** data; /* array of rdata items, NULL terminated*/
|
||||
int* len; /* array with lengths of rdata items */
|
||||
char* canonname; /* canonical name of result */
|
||||
int rcode; /* additional error code in case of no data */
|
||||
void* answer_packet; /* full network format answer packet */
|
||||
int answer_len; /* length of packet in octets */
|
||||
int havedata; /* true if there is data */
|
||||
int nxdomain; /* true if nodata because name does not exist */
|
||||
int secure; /* true if result is secure */
|
||||
int bogus; /* true if a security failure happened */
|
||||
char* why_bogus; /* string with error if bogus */
|
||||
int was_ratelimited; /* true if the query was ratelimited (SERVFAIL) by unbound */
|
||||
int ttl; /* number of seconds the result is valid */
|
||||
};
|
||||
.ft P
|
||||
.fi
|
||||
.P
|
||||
If both secure and bogus are false, security was not enabled for the
|
||||
domain of the query. Else, they are not both true, one of them is true.
|
||||
.SH "RETURN VALUES"
|
||||
Many routines return an error code. The value 0 (zero) denotes no error
|
||||
happened. Other values can be passed to
|
||||
.B ub_strerror
|
||||
to obtain a readable error string.
|
||||
.B ub_strerror
|
||||
returns a zero terminated string.
|
||||
.B ub_ctx_create
|
||||
returns NULL on an error (a malloc failure).
|
||||
.B ub_poll
|
||||
returns true if some information may be available, false otherwise.
|
||||
.B ub_fd
|
||||
returns a file descriptor or \-1 on error.
|
||||
.B ub_ctx_config
|
||||
and
|
||||
.B ub_ctx_resolvconf
|
||||
attempt to leave errno informative on a function return with file read failure.
|
||||
.SH "SEE ALSO"
|
||||
\fIunbound.conf\fR(5),
|
||||
\fIunbound\fR(8).
|
||||
.SH "AUTHORS"
|
||||
.B Unbound
|
||||
developers are mentioned in the CREDITS file in the distribution.
|
||||
.UNINDENT
|
||||
.UNINDENT
|
||||
.sp
|
||||
If both secure and bogus are false, security was not enabled for the domain of
|
||||
the query.
|
||||
Else, they are not both true, one of them is true.
|
||||
.SH RETURN VALUES
|
||||
.sp
|
||||
Many routines return an error code.
|
||||
The value 0 (zero) denotes no error happened.
|
||||
Other values can be passed to \fBub_strerror\fP to obtain a readable error
|
||||
string.
|
||||
\fBub_strerror\fP returns a zero terminated string.
|
||||
\fBub_ctx_create\fP returns NULL on an error (a malloc failure).
|
||||
\fBub_poll\fP returns true if some information may be available, false otherwise.
|
||||
\fBub_fd\fP returns a file descriptor or \-1 on error.
|
||||
\fBub_ctx_config\fP and \fBub_ctx_resolvconf\fP attempt to leave errno informative
|
||||
on a function return with file read failure.
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fI\%unbound.conf(5)\fP, \fI\%unbound(8)\fP\&.
|
||||
.SH AUTHOR
|
||||
Unbound developers are mentioned in the CREDITS file in the distribution.
|
||||
.SH COPYRIGHT
|
||||
1999-2025, NLnet Labs
|
||||
.\" Generated by docutils manpage writer.
|
||||
.
|
||||
|
||||
@@ -0,0 +1,491 @@
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
libunbound(3)
|
||||
=============
|
||||
|
||||
Synopsis
|
||||
--------
|
||||
|
||||
.. only:: html
|
||||
|
||||
.. code-block:: c
|
||||
|
||||
#include <unbound.h>
|
||||
|
||||
struct ub_ctx * ub_ctx_create(void);
|
||||
|
||||
void ub_ctx_delete(struct ub_ctx* ctx);
|
||||
|
||||
int ub_ctx_set_option(struct ub_ctx* ctx, char* opt, char* val);
|
||||
|
||||
int ub_ctx_get_option(struct ub_ctx* ctx, char* opt, char** val);
|
||||
|
||||
int ub_ctx_config(struct ub_ctx* ctx, char* fname);
|
||||
|
||||
int ub_ctx_set_fwd(struct ub_ctx* ctx, char* addr);
|
||||
|
||||
int ub_ctx_set_stub(struct ub_ctx* ctx, char* zone, char* addr,
|
||||
int isprime);
|
||||
|
||||
int ub_ctx_set_tls(struct ub_ctx* ctx, int tls);
|
||||
|
||||
int ub_ctx_resolvconf(struct ub_ctx* ctx, char* fname);
|
||||
|
||||
int ub_ctx_hosts(struct ub_ctx* ctx, char* fname);
|
||||
|
||||
int ub_ctx_add_ta(struct ub_ctx* ctx, char* ta);
|
||||
|
||||
int ub_ctx_add_ta_autr(struct ub_ctx* ctx, char* fname);
|
||||
|
||||
int ub_ctx_add_ta_file(struct ub_ctx* ctx, char* fname);
|
||||
|
||||
int ub_ctx_trustedkeys(struct ub_ctx* ctx, char* fname);
|
||||
|
||||
int ub_ctx_debugout(struct ub_ctx* ctx, FILE* out);
|
||||
|
||||
int ub_ctx_debuglevel(struct ub_ctx* ctx, int d);
|
||||
|
||||
int ub_ctx_async(struct ub_ctx* ctx, int dothread);
|
||||
|
||||
int ub_poll(struct ub_ctx* ctx);
|
||||
|
||||
int ub_wait(struct ub_ctx* ctx);
|
||||
|
||||
int ub_fd(struct ub_ctx* ctx);
|
||||
|
||||
int ub_process(struct ub_ctx* ctx);
|
||||
|
||||
int ub_resolve(struct ub_ctx* ctx, char* name, int rrtype,
|
||||
int rrclass, struct ub_result** result);
|
||||
|
||||
int ub_resolve_async(struct ub_ctx* ctx, char* name, int rrtype,
|
||||
int rrclass, void* mydata, ub_callback_type callback,
|
||||
int* async_id);
|
||||
|
||||
int ub_cancel(struct ub_ctx* ctx, int async_id);
|
||||
|
||||
void ub_resolve_free(struct ub_result* result);
|
||||
|
||||
const char * ub_strerror(int err);
|
||||
|
||||
int ub_ctx_print_local_zones(struct ub_ctx* ctx);
|
||||
|
||||
int ub_ctx_zone_add(struct ub_ctx* ctx, char* zone_name, char* zone_type);
|
||||
|
||||
int ub_ctx_zone_remove(struct ub_ctx* ctx, char* zone_name);
|
||||
|
||||
int ub_ctx_data_add(struct ub_ctx* ctx, char* data);
|
||||
|
||||
int ub_ctx_data_remove(struct ub_ctx* ctx, char* data);
|
||||
|
||||
.. only:: man
|
||||
|
||||
**#include <unbound.h>**
|
||||
|
||||
struct ub_ctx \* **ub_ctx_create**\ (void);
|
||||
|
||||
void **ub_ctx_delete**\ (struct ub_ctx\* ctx);
|
||||
|
||||
int **ub_ctx_set_option**\ (struct ub_ctx\* ctx, char\* opt, char\* val);
|
||||
|
||||
int **ub_ctx_get_option**\ (struct ub_ctx\* ctx, char\* opt, char\*\* val);
|
||||
|
||||
int **ub_ctx_config**\ (struct ub_ctx\* ctx, char* fname);
|
||||
|
||||
int **ub_ctx_set_fwd**\ (struct ub_ctx\* ctx, char\* addr);
|
||||
|
||||
int **ub_ctx_set_stub**\ (struct ub_ctx\* ctx, char\* zone, char\* addr,
|
||||
int isprime);
|
||||
|
||||
int **ub_ctx_set_tls**\ (struct ub_ctx\* ctx, int tls);
|
||||
|
||||
int **ub_ctx_resolvconf**\ (struct ub_ctx\* ctx, char\* fname);
|
||||
|
||||
int **ub_ctx_hosts**\ (struct ub_ctx\* ctx, char\* fname);
|
||||
|
||||
int **ub_ctx_add_ta**\ (struct ub_ctx\* ctx, char\* ta);
|
||||
|
||||
int **ub_ctx_add_ta_autr**\ (struct ub_ctx\* ctx, char\* fname);
|
||||
|
||||
int **ub_ctx_add_ta_file**\ (struct ub_ctx\* ctx, char\* fname);
|
||||
|
||||
int **ub_ctx_trustedkeys**\ (struct ub_ctx\* ctx, char\* fname);
|
||||
|
||||
int **ub_ctx_debugout**\ (struct ub_ctx\* ctx, FILE\* out);
|
||||
|
||||
int **ub_ctx_debuglevel**\ (struct ub_ctx\* ctx, int d);
|
||||
|
||||
int **ub_ctx_async**\ (struct ub_ctx\* ctx, int dothread);
|
||||
|
||||
int **ub_poll**\ (struct ub_ctx\* ctx);
|
||||
|
||||
int **ub_wait**\ (struct ub_ctx\* ctx);
|
||||
|
||||
int **ub_fd**\ (struct ub_ctx\* ctx);
|
||||
|
||||
int **ub_process**\ (struct ub_ctx\* ctx);
|
||||
|
||||
int **ub_resolve**\ (struct ub_ctx\* ctx, char\* name,
|
||||
int rrtype, int rrclass, struct ub_result\*\* result);
|
||||
|
||||
int **ub_resolve_async**\ (struct ub_ctx\* ctx, char\* name,
|
||||
int rrtype, int rrclass, void\* mydata,
|
||||
ub_callback_type\* callback, int\* async_id);
|
||||
|
||||
int **ub_cancel**\ (struct ub_ctx\* ctx, int async_id);
|
||||
|
||||
void **ub_resolve_free**\ (struct ub_result\* result);
|
||||
|
||||
const char \* **ub_strerror**\ (int err);
|
||||
|
||||
int **ub_ctx_print_local_zones**\ (struct ub_ctx\* ctx);
|
||||
|
||||
int **ub_ctx_zone_add**\ (struct ub_ctx\* ctx, char\* zone_name, char\* zone_type);
|
||||
|
||||
int **ub_ctx_zone_remove**\ (struct ub_ctx\* ctx, char\* zone_name);
|
||||
|
||||
int **ub_ctx_data_add**\ (struct ub_ctx\* ctx, char\* data);
|
||||
|
||||
int **ub_ctx_data_remove**\ (struct ub_ctx\* ctx, char\* data);
|
||||
|
||||
Description
|
||||
-----------
|
||||
|
||||
Unbound is an implementation of a DNS resolver, that does caching and DNSSEC
|
||||
validation.
|
||||
This is the library API, for using the ``-lunbound`` library.
|
||||
The server daemon is described in :doc:`unbound(8)</manpages/unbound>`.
|
||||
The library works independent from a running unbound server, and can be used to
|
||||
convert hostnames to ip addresses, and back, and obtain other information from
|
||||
the DNS.
|
||||
The library performs public-key validation of results with DNSSEC.
|
||||
|
||||
The library uses a variable of type *struct ub_ctx* to keep context between
|
||||
calls.
|
||||
The user must maintain it, creating it with **ub_ctx_create** and deleting it
|
||||
with **ub_ctx_delete**.
|
||||
It can be created and deleted at any time.
|
||||
Creating it anew removes any previous configuration (such as trusted keys) and
|
||||
clears any cached results.
|
||||
|
||||
The functions are thread-safe, and a context can be used in a threaded (as well
|
||||
as in a non-threaded) environment.
|
||||
Also resolution (and validation) can be performed blocking and non-blocking
|
||||
(also called asynchronous).
|
||||
The async method returns from the call immediately, so that processing can go
|
||||
on, while the results become available later.
|
||||
|
||||
The functions are discussed in turn below.
|
||||
|
||||
Functions
|
||||
---------
|
||||
|
||||
.. glossary::
|
||||
|
||||
ub_ctx_create
|
||||
Create a new context, initialised with defaults.
|
||||
The information from :file:`/etc/resolv.conf` and :file:`/etc/hosts` is
|
||||
not utilised by default.
|
||||
Use **ub_ctx_resolvconf** and **ub_ctx_hosts** to read them.
|
||||
Before you call this, use the openssl functions
|
||||
**CRYPTO_set_id_callback** and **CRYPTO_set_locking_callback** to set
|
||||
up asynchronous operation if you use lib openssl (the application calls
|
||||
these functions once for initialisation).
|
||||
Openssl 1.0.0 or later uses the **CRYPTO_THREADID_set_callback**
|
||||
function.
|
||||
|
||||
ub_ctx_delete
|
||||
Delete validation context and free associated resources.
|
||||
Outstanding async queries are killed and callbacks are not called for
|
||||
them.
|
||||
|
||||
ub_ctx_set_option
|
||||
A power-user interface that lets you specify one of the options from
|
||||
the config file format, see :doc:`unbound.conf(5)</manpages/unbound.conf>`.
|
||||
Not all options are relevant.
|
||||
For some specific options, such as adding trust anchors, special
|
||||
routines exist.
|
||||
Pass the option name with the trailing ``':'``.
|
||||
|
||||
ub_ctx_get_option
|
||||
A power-user interface that gets an option value.
|
||||
Some options cannot be gotten, and others return a newline separated
|
||||
list.
|
||||
Pass the option name without trailing ``':'``.
|
||||
The returned value must be free(2)d by the caller.
|
||||
|
||||
ub_ctx_config
|
||||
A power-user interface that lets you specify an unbound config file,
|
||||
see :doc:`unbound.conf(5)</manpages/unbound.conf>`, which is read for
|
||||
configuration.
|
||||
Not all options are relevant.
|
||||
For some specific options, such as adding trust anchors, special
|
||||
routines exist.
|
||||
This function is thread-safe only if a single instance of **ub_ctx**\*
|
||||
exists in the application.
|
||||
If several instances exist the application has to ensure that
|
||||
**ub_ctx_config** is not called in parallel by the different instances.
|
||||
|
||||
ub_ctx_set_fwd
|
||||
Set machine to forward DNS queries to, the caching resolver to use.
|
||||
IP4 or IP6 address.
|
||||
Forwards all DNS requests to that machine, which is expected to run a
|
||||
recursive resolver.
|
||||
If the proxy is not DNSSEC capable, validation may fail.
|
||||
Can be called several times, in that case the addresses are used as
|
||||
backup servers.
|
||||
At this time it is only possible to set configuration before the first
|
||||
resolve is done.
|
||||
|
||||
ub_ctx_set_stub
|
||||
Set a stub zone, authoritative dns servers to use for a particular
|
||||
zone.
|
||||
IP4 or IP6 address.
|
||||
If the address is NULL the stub entry is removed.
|
||||
Set isprime true if you configure root hints with it.
|
||||
Otherwise similar to the stub zone item from unbound's config file.
|
||||
Can be called several times, for different zones, or to add multiple
|
||||
addresses for a particular zone.
|
||||
At this time it is only possible to set configuration before the first
|
||||
resolve is done.
|
||||
|
||||
ub_ctx_set_tls
|
||||
Enable DNS over TLS (DoT) for machines set with **ub_ctx_set_fwd**.
|
||||
At this time it is only possible to set configuration before the first
|
||||
resolve is done.
|
||||
|
||||
ub_ctx_resolvconf
|
||||
By default the root servers are queried and full resolver mode is used,
|
||||
but you can use this call to read the list of nameservers to use from
|
||||
the filename given.
|
||||
Usually :file:`"/etc/resolv.conf"`.
|
||||
Uses those nameservers as caching proxies.
|
||||
If they do not support DNSSEC, validation may fail.
|
||||
Only nameservers are picked up, the searchdomain, ndots and other
|
||||
settings from *resolv.conf(5)* are ignored.
|
||||
If fname NULL is passed, :file:`"/etc/resolv.conf"` is used (if on
|
||||
Windows, the system-wide configured nameserver is picked instead).
|
||||
At this time it is only possible to set configuration before the first
|
||||
resolve is done.
|
||||
|
||||
ub_ctx_hosts
|
||||
Read list of hosts from the filename given.
|
||||
Usually :file:`"/etc/hosts"`.
|
||||
When queried for, these addresses are not marked DNSSEC secure.
|
||||
If fname NULL is passed, :file:`"/etc/hosts"` is used (if on Windows,
|
||||
:file:`etc/hosts` from WINDIR is picked instead).
|
||||
At this time it is only possible to set configuration before the first
|
||||
resolve is done.
|
||||
|
||||
ub_ctx_add_ta
|
||||
Add a trust anchor to the given context.
|
||||
At this time it is only possible to add trusted keys before the first
|
||||
resolve is done.
|
||||
The format is a string, similar to the zone-file format,
|
||||
**[domainname]** **[type]** **[rdata contents]**.
|
||||
Both DS and DNSKEY records are accepted.
|
||||
|
||||
ub_ctx_add_ta_autr
|
||||
Add filename with automatically tracked trust anchor to the given
|
||||
context.
|
||||
Pass name of a file with the managed trust anchor.
|
||||
You can create this file with
|
||||
:doc:`unbound-anchor(8)</manpages/unbound-anchor>` for the root anchor.
|
||||
You can also create it with an initial file with one line with a DNSKEY
|
||||
or DS record.
|
||||
If the file is writable, it is updated when the trust anchor changes.
|
||||
At this time it is only possible to add trusted keys before the first
|
||||
resolve is done.
|
||||
|
||||
ub_ctx_add_ta_file
|
||||
Add trust anchors to the given context.
|
||||
Pass name of a file with DS and DNSKEY records in zone file format.
|
||||
At this time it is only possible to add trusted keys before the first
|
||||
resolve is done.
|
||||
|
||||
ub_ctx_trustedkeys
|
||||
Add trust anchors to the given context.
|
||||
Pass the name of a bind-style config file with ``trusted-keys{}``.
|
||||
At this time it is only possible to add trusted keys before the first
|
||||
resolve is done.
|
||||
|
||||
ub_ctx_debugout
|
||||
Set debug and error log output to the given stream.
|
||||
Pass NULL to disable output.
|
||||
Default is stderr.
|
||||
File-names or using syslog can be enabled using config options, this
|
||||
routine is for using your own stream.
|
||||
|
||||
ub_ctx_debuglevel
|
||||
Set debug verbosity for the context.
|
||||
Output is directed to stderr.
|
||||
Higher debug level gives more output.
|
||||
|
||||
ub_ctx_async
|
||||
Set a context behaviour for asynchronous action.
|
||||
if set to true, enables threading and a call to **ub_resolve_async**
|
||||
creates a thread to handle work in the background.
|
||||
If false, a process is forked to handle work in the background.
|
||||
Changes to this setting after **ub_resolve_async** calls have been made
|
||||
have no effect (delete and re-create the context to change).
|
||||
|
||||
ub_poll
|
||||
Poll a context to see if it has any new results.
|
||||
Do not poll in a loop, instead extract the **fd** below to poll for
|
||||
readiness, and then check, or wait using the wait routine.
|
||||
Returns 0 if nothing to read, or nonzero if a result is available.
|
||||
If nonzero, call **ub_process** to do callbacks.
|
||||
|
||||
ub_wait
|
||||
Wait for a context to finish with results.
|
||||
Calls **ub_process** after the wait for you.
|
||||
After the wait, there are no more outstanding asynchronous queries.
|
||||
|
||||
ub_fd
|
||||
Get file descriptor.
|
||||
Wait for it to become readable, at this point answers are returned from
|
||||
the asynchronous validating resolver.
|
||||
Then call the **ub_process** to continue processing.
|
||||
|
||||
ub_process
|
||||
Call this routine to continue processing results from the validating
|
||||
resolver (when the **fd** becomes readable).
|
||||
Will perform necessary callbacks.
|
||||
|
||||
ub_resolve
|
||||
Perform resolution and validation of the target name.
|
||||
The name is a domain name in a zero terminated text string.
|
||||
The rrtype and rrclass are DNS type and class codes.
|
||||
The result structure is newly allocated with the resulting data.
|
||||
|
||||
ub_resolve_async
|
||||
Perform asynchronous resolution and validation of the target name.
|
||||
Arguments mean the same as for **ub_resolve** except no data is
|
||||
returned immediately, instead a callback is called later.
|
||||
The callback receives a copy of the mydata pointer, that you can use to
|
||||
pass information to the callback.
|
||||
The callback type is a function pointer to a function declared as:
|
||||
|
||||
.. code-block:: c
|
||||
|
||||
void my_callback_function(void* my_arg, int err,
|
||||
struct ub_result* result);
|
||||
|
||||
The **async_id** is returned so you can (at your option) decide to
|
||||
track it and cancel the request if needed.
|
||||
If you pass a NULL pointer the **async_id** is not returned.
|
||||
|
||||
ub_cancel
|
||||
Cancel an async query in progress.
|
||||
This may return an error if the query does not exist, or the query is
|
||||
already being delivered, in that case you may still get a callback for
|
||||
the query.
|
||||
|
||||
ub_resolve_free
|
||||
Free struct **ub_result** contents after use.
|
||||
|
||||
ub_strerror
|
||||
Convert error value from one of the unbound library functions to a
|
||||
human readable string.
|
||||
|
||||
ub_ctx_print_local_zones
|
||||
Debug printout the local authority information to debug output.
|
||||
|
||||
ub_ctx_zone_add
|
||||
Add new zone to local authority info, like local-zone
|
||||
:doc:`unbound.conf(5)</manpages/unbound.conf>` statement.
|
||||
|
||||
ub_ctx_zone_remove
|
||||
Delete zone from local authority info.
|
||||
|
||||
ub_ctx_data_add
|
||||
Add resource record data to local authority info, like local-data
|
||||
:doc:`unbound.conf(5)</manpages/unbound.conf>` statement.
|
||||
|
||||
ub_ctx_data_remove
|
||||
Delete local authority data from the name given.
|
||||
|
||||
Result Data structure
|
||||
---------------------
|
||||
|
||||
The result of the DNS resolution and validation is returned as *struct
|
||||
ub_result*.
|
||||
The result structure contains the following entries:
|
||||
|
||||
.. code-block:: c
|
||||
|
||||
struct ub_result {
|
||||
char* qname; /* text string, original question */
|
||||
int qtype; /* type code asked for */
|
||||
int qclass; /* class code asked for */
|
||||
char** data; /* array of rdata items, NULL terminated*/
|
||||
int* len; /* array with lengths of rdata items */
|
||||
char* canonname; /* canonical name of result */
|
||||
int rcode; /* additional error code in case of no data */
|
||||
void* answer_packet; /* full network format answer packet */
|
||||
int answer_len; /* length of packet in octets */
|
||||
int havedata; /* true if there is data */
|
||||
int nxdomain; /* true if nodata because name does not exist */
|
||||
int secure; /* true if result is secure */
|
||||
int bogus; /* true if a security failure happened */
|
||||
char* why_bogus; /* string with error if bogus */
|
||||
int was_ratelimited; /* true if the query was ratelimited (SERVFAIL) by unbound */
|
||||
int ttl; /* number of seconds the result is valid */
|
||||
};
|
||||
|
||||
If both secure and bogus are false, security was not enabled for the domain of
|
||||
the query.
|
||||
Else, they are not both true, one of them is true.
|
||||
|
||||
Return Values
|
||||
-------------
|
||||
|
||||
Many routines return an error code.
|
||||
The value 0 (zero) denotes no error happened.
|
||||
Other values can be passed to **ub_strerror** to obtain a readable error
|
||||
string.
|
||||
**ub_strerror** returns a zero terminated string.
|
||||
**ub_ctx_create** returns NULL on an error (a malloc failure).
|
||||
**ub_poll** returns true if some information may be available, false otherwise.
|
||||
**ub_fd** returns a file descriptor or -1 on error.
|
||||
**ub_ctx_config** and **ub_ctx_resolvconf** attempt to leave errno informative
|
||||
on a function return with file read failure.
|
||||
|
||||
See Also
|
||||
--------
|
||||
|
||||
:doc:`unbound.conf(5)</manpages/unbound.conf>`, :doc:`unbound(8)</manpages/unbound>`.
|
||||
+245
-134
@@ -1,189 +1,300 @@
|
||||
.TH "unbound-anchor" "8" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
.\" Copyright (c) 2008, NLnet Labs. All rights reserved.
|
||||
.\"
|
||||
.\" See LICENSE for the license.
|
||||
.\"
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound\-anchor
|
||||
\- Unbound anchor utility.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound\-anchor
|
||||
.RB [ opts ]
|
||||
.SH "DESCRIPTION"
|
||||
.B Unbound\-anchor
|
||||
performs setup or update of the root trust anchor for DNSSEC validation.
|
||||
The program fetches the trust anchor with the method from RFC7958 when
|
||||
regular RFC5011 update fails to bring it up to date.
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
.
|
||||
.nr rst2man-indent-level 0
|
||||
.
|
||||
.de1 rstReportMargin
|
||||
\\$1 \\n[an-margin]
|
||||
level \\n[rst2man-indent-level]
|
||||
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
-
|
||||
\\n[rst2man-indent0]
|
||||
\\n[rst2man-indent1]
|
||||
\\n[rst2man-indent2]
|
||||
..
|
||||
.de1 INDENT
|
||||
.\" .rstReportMargin pre:
|
||||
. RS \\$1
|
||||
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
||||
. nr rst2man-indent-level +1
|
||||
.\" .rstReportMargin post:
|
||||
..
|
||||
.de UNINDENT
|
||||
. RE
|
||||
.\" indent \\n[an-margin]
|
||||
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
.nr rst2man-indent-level -1
|
||||
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
||||
..
|
||||
.TH "UNBOUND-ANCHOR" "8" "Sep 18, 2025" "1.24.0" "Unbound"
|
||||
.SH NAME
|
||||
unbound-anchor \- Unbound 1.24.0 anchor utility.
|
||||
.SH SYNOPSIS
|
||||
.sp
|
||||
\fBunbound\-anchor\fP [\fBopts\fP]
|
||||
.SH DESCRIPTION
|
||||
.sp
|
||||
\fBunbound\-anchor\fP performs setup or update of the root trust anchor for DNSSEC
|
||||
validation.
|
||||
The program fetches the trust anchor with the method from \fI\%RFC 7958\fP when
|
||||
regular \fI\%RFC 5011\fP update fails to bring it up to date.
|
||||
It can be run (as root) from the commandline, or run as part of startup
|
||||
scripts. Before you start the \fIunbound\fR(8) DNS server.
|
||||
.P
|
||||
scripts.
|
||||
Before you start the \fI\%unbound(8)\fP DNS server.
|
||||
.sp
|
||||
Suggested usage:
|
||||
.P
|
||||
.INDENT 0.0
|
||||
.INDENT 3.5
|
||||
.sp
|
||||
.nf
|
||||
# in the init scripts.
|
||||
# provide or update the root anchor (if necessary)
|
||||
unbound-anchor \-a "@UNBOUND_ROOTKEY_FILE@"
|
||||
# Please note usage of this root anchor is at your own risk
|
||||
# and under the terms of our LICENSE (see source).
|
||||
#
|
||||
# start validating resolver
|
||||
# the unbound.conf contains:
|
||||
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
|
||||
unbound \-c unbound.conf
|
||||
.ft C
|
||||
# in the init scripts.
|
||||
# provide or update the root anchor (if necessary)
|
||||
unbound\-anchor \-a \(dq@UNBOUND_ROOTKEY_FILE@\(dq
|
||||
# Please note usage of this root anchor is at your own risk
|
||||
# and under the terms of our LICENSE (see source).
|
||||
#
|
||||
# start validating resolver
|
||||
# the unbound.conf contains:
|
||||
# auto\-trust\-anchor\-file: \(dq@UNBOUND_ROOTKEY_FILE@\(dq
|
||||
unbound \-c unbound.conf
|
||||
.ft P
|
||||
.fi
|
||||
.P
|
||||
This tool provides builtin default contents for the root anchor and root
|
||||
update certificate files.
|
||||
.P
|
||||
.UNINDENT
|
||||
.UNINDENT
|
||||
.sp
|
||||
This tool provides builtin default contents for the root anchor and root update
|
||||
certificate files.
|
||||
.sp
|
||||
It tests if the root anchor file works, and if not, and an update is possible,
|
||||
attempts to update the root anchor using the root update certificate.
|
||||
It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
|
||||
if all checks are successful, it updates the root anchor file. Otherwise
|
||||
the root anchor file is unchanged. It performs RFC5011 tracking if the
|
||||
DNSSEC information available via the DNS makes that possible.
|
||||
.P
|
||||
It does not perform an update if the certificate is expired, if the network
|
||||
is down or other errors occur.
|
||||
.P
|
||||
It performs a https fetch of
|
||||
\fI\%root\-anchors.xml\fP
|
||||
and checks the results (\fI\%RFC 7958\fP); if all checks are successful, it updates
|
||||
the root anchor file.
|
||||
Otherwise the root anchor file is unchanged.
|
||||
It performs \fI\%RFC 5011\fP tracking if the DNSSEC information available via the
|
||||
DNS makes that possible.
|
||||
.sp
|
||||
It does not perform an update if the certificate is expired, if the network is
|
||||
down or other errors occur.
|
||||
.sp
|
||||
The available options are:
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-a \fIfile
|
||||
.B \-a <file>
|
||||
The root anchor key file, that is read in and written out.
|
||||
Default is @UNBOUND_ROOTKEY_FILE@.
|
||||
If the file does not exist, or is empty, a builtin root key is written to it.
|
||||
Default is \fB@UNBOUND_ROOTKEY_FILE@\fP\&.
|
||||
If the file does not exist, or is empty, a builtin root key is written
|
||||
to it.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-c \fIfile
|
||||
.B \-c <file>
|
||||
The root update certificate file, that is read in.
|
||||
Default is @UNBOUND_ROOTCERT_FILE@.
|
||||
Default is \fB@UNBOUND_ROOTCERT_FILE@\fP\&.
|
||||
If the file does not exist, or is empty, a builtin certificate is used.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-l
|
||||
List the builtin root key and builtin root update certificate on stdout.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-u \fIname
|
||||
The server name, it connects to https://name. Specify without https:// prefix.
|
||||
The default is "data.iana.org". It connects to the port specified with \-P.
|
||||
.B \-u <name>
|
||||
The server name, it connects to \fBhttps://name\fP\&.
|
||||
Specify without \fBhttps://\fP prefix.
|
||||
The default is \fB\(dqdata.iana.org\(dq\fP\&.
|
||||
It connects to the port specified with \fI\%\-P\fP\&.
|
||||
You can pass an IPv4 address or IPv6 address (no brackets) if you want.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-S
|
||||
Do not use SNI for the HTTPS connection. Default is to use SNI.
|
||||
Do not use SNI for the HTTPS connection.
|
||||
Default is to use SNI.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-b \fIaddress
|
||||
The source address to bind to for domain resolution and contacting the server
|
||||
on https. May be either an IPv4 address or IPv6 address (no brackets).
|
||||
.B \-b <address>
|
||||
The source address to bind to for domain resolution and contacting the
|
||||
server on https.
|
||||
May be either an IPv4 address or IPv6 address (no brackets).
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-x \fIpath
|
||||
The pathname to the root\-anchors.xml file on the server. (forms URL with \-u).
|
||||
The default is /root\-anchors/root\-anchors.xml.
|
||||
.B \-x <path>
|
||||
The pathname to the root\-anchors.xml file on the server.
|
||||
(forms URL with \fI\%\-u\fP).
|
||||
The default is \fB/root\-anchors/root\-anchors.xml\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-s \fIpath
|
||||
The pathname to the root\-anchors.p7s file on the server. (forms URL with \-u).
|
||||
The default is /root\-anchors/root\-anchors.p7s. This file has to be a PKCS7
|
||||
signature over the xml file, using the pem file (\-c) as trust anchor.
|
||||
.B \-s <path>
|
||||
The pathname to the root\-anchors.p7s file on the server.
|
||||
(forms URL with \fI\%\-u\fP).
|
||||
The default is \fB/root\-anchors/root\-anchors.p7s\fP\&.
|
||||
This file has to be a PKCS7 signature over the xml file, using the pem
|
||||
file (\fI\%\-c\fP) as trust anchor.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-n \fIname
|
||||
The emailAddress for the Subject of the signer's certificate from the p7s
|
||||
signature file. Only signatures from this name are allowed. default is
|
||||
dnssec@iana.org. If you pass "" then the emailAddress is not checked.
|
||||
.B \-n <name>
|
||||
The emailAddress for the Subject of the signer\(aqs certificate from the
|
||||
p7s signature file.
|
||||
Only signatures from this name are allowed.
|
||||
The default is \fBdnssec@iana.org\fP\&.
|
||||
If you pass \fB\(dq\(dq\fP then the emailAddress is not checked.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-4
|
||||
Use IPv4 for domain resolution and contacting the server on https. Default is
|
||||
to use IPv4 and IPv6 where appropriate.
|
||||
Use IPv4 for domain resolution and contacting the server on
|
||||
https.
|
||||
Default is to use IPv4 and IPv6 where appropriate.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-6
|
||||
Use IPv6 for domain resolution and contacting the server on https. Default is
|
||||
to use IPv4 and IPv6 where appropriate.
|
||||
Use IPv6 for domain resolution and contacting the server on https.
|
||||
Default is to use IPv4 and IPv6 where appropriate.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-f \fIresolv.conf
|
||||
Use the given resolv.conf file. Not enabled by default, but you could try to
|
||||
pass /etc/resolv.conf on some systems. It contains the IP addresses of the
|
||||
recursive nameservers to use. However, since this tool could be used to
|
||||
bootstrap that very recursive nameserver, it would not be useful (since
|
||||
that server is not up yet, since we are bootstrapping it). It could be
|
||||
useful in a situation where you know an upstream cache is deployed (and
|
||||
running) and in captive portal situations.
|
||||
.B \-f <resolv.conf>
|
||||
Use the given resolv.conf file.
|
||||
Not enabled by default, but you could try to pass
|
||||
\fB/etc/resolv.conf\fP on some systems.
|
||||
It contains the IP addresses of the recursive nameservers to use.
|
||||
However, since this tool could be used to bootstrap that very recursive
|
||||
nameserver, it would not be useful (since that server is not up yet,
|
||||
since we are bootstrapping it).
|
||||
It could be useful in a situation where you know an upstream cache is
|
||||
deployed (and running) and in captive portal situations.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-r \fIroot.hints
|
||||
Use the given root.hints file (same syntax as the BIND and Unbound root hints
|
||||
file) to bootstrap domain resolution. By default a list of builtin root
|
||||
hints is used. Unbound\-anchor goes to the network itself for these roots,
|
||||
to resolve the server (\-u option) and to check the root DNSKEY records.
|
||||
.B \-r <root.hints>
|
||||
Use the given root.hints file (same syntax as the BIND and Unbound root
|
||||
hints file) to bootstrap domain resolution.
|
||||
By default a list of builtin root hints is used.
|
||||
unbound\-anchor goes to the network itself for these roots, to resolve
|
||||
the server (\fI\%\-u\fP option) and to check the root DNSKEY records.
|
||||
It does so, because the tool when used for bootstrapping the recursive
|
||||
resolver, cannot use that recursive resolver itself because it is bootstrapping
|
||||
that server.
|
||||
resolver, cannot use that recursive resolver itself because it is
|
||||
bootstrapping that server.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-R
|
||||
Allow fallback from \-f resolv.conf file to direct root servers query.
|
||||
It allows you to prefer local resolvers, but fallback automatically
|
||||
to direct root query if they do not respond or do not support DNSSEC.
|
||||
Allow fallback from \fI\%\-f\fP \fB<resolv.conf>\fP file to direct root
|
||||
servers query.
|
||||
It allows you to prefer local resolvers, but fallback automatically to
|
||||
direct root query if they do not respond or do not support DNSSEC.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-v
|
||||
More verbose. Once prints informational messages, multiple times may enable
|
||||
large debug amounts (such as full certificates or byte\-dumps of downloaded
|
||||
files). By default it prints almost nothing. It also prints nothing on
|
||||
errors by default; in that case the original root anchor file is simply
|
||||
left undisturbed, so that a recursive server can start right after it.
|
||||
More verbose.
|
||||
Once prints informational messages, multiple times may enable large
|
||||
debug amounts (such as full certificates or byte\-dumps of downloaded
|
||||
files).
|
||||
By default it prints almost nothing.
|
||||
It also prints nothing on errors by default; in that case the original
|
||||
root anchor file is simply left undisturbed, so that a recursive server
|
||||
can start right after it.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-C \fIunbound.conf
|
||||
Debug option to read unbound.conf into the resolver process used.
|
||||
.B \-C <unbound.conf>
|
||||
Debug option to read \fB<unbound.conf>\fP into the resolver process
|
||||
used.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-P \fIport
|
||||
Set the port number to use for the https connection. The default is 443.
|
||||
.B \-P <port>
|
||||
Set the port number to use for the https connection.
|
||||
The default is 443.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-F
|
||||
Debug option to force update of the root anchor through downloading the xml
|
||||
file and verifying it with the certificate. By default it first tries to
|
||||
update by contacting the DNS, which uses much less bandwidth, is much
|
||||
faster (200 msec not 2 sec), and is nicer to the deployed infrastructure.
|
||||
With this option, it still attempts to do so (and may verbosely tell you),
|
||||
but then ignores the result and goes on to use the xml fallback method.
|
||||
Debug option to force update of the root anchor through downloading the
|
||||
xml file and verifying it with the certificate.
|
||||
By default it first tries to update by contacting the DNS, which uses
|
||||
much less bandwidth, is much faster (200 msec not 2 sec), and is nicer
|
||||
to the deployed infrastructure.
|
||||
With this option, it still attempts to do so (and may verbosely tell
|
||||
you), but then ignores the result and goes on to use the xml fallback
|
||||
method.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-h
|
||||
Show the version and commandline option help.
|
||||
.SH "EXIT CODE"
|
||||
.UNINDENT
|
||||
.SH EXIT CODE
|
||||
.sp
|
||||
This tool exits with value 1 if the root anchor was updated using the
|
||||
certificate or if the builtin root-anchor was used. It exits with code
|
||||
0 if no update was necessary, if the update was possible with RFC5011
|
||||
tracking, or if an error occurred.
|
||||
.P
|
||||
certificate or if the builtin root\-anchor was used.
|
||||
It exits with code 0 if no update was necessary, if the update was possible
|
||||
with \fI\%RFC 5011\fP tracking, or if an error occurred.
|
||||
.sp
|
||||
You can check the exit value in this manner:
|
||||
.INDENT 0.0
|
||||
.INDENT 3.5
|
||||
.sp
|
||||
.nf
|
||||
unbound-anchor \-a "root.key" || logger "Please check root.key"
|
||||
.ft C
|
||||
unbound\-anchor \-a \(dqroot.key\(dq || logger \(dqPlease check root.key\(dq
|
||||
.ft P
|
||||
.fi
|
||||
.UNINDENT
|
||||
.UNINDENT
|
||||
.sp
|
||||
Or something more suitable for your operational environment.
|
||||
.SH "TRUST"
|
||||
The root keys and update certificate included in this tool
|
||||
are provided for convenience and under the terms of our
|
||||
license (see the LICENSE file in the source distribution or
|
||||
https://github.com/NLnetLabs/unbound/blob/master/LICENSE) and might be stale or
|
||||
not suitable to your purpose.
|
||||
.P
|
||||
By running "unbound\-anchor \-l" the keys and certificate that are
|
||||
.SH TRUST
|
||||
.sp
|
||||
The root keys and update certificate included in this tool are provided for
|
||||
convenience and under the terms of our license (see the LICENSE file in the
|
||||
source distribution or \fI\%https://github.com/NLnetLabs/unbound/blob/master/LICENSE\fP
|
||||
and might be stale or not suitable to your purpose.
|
||||
.sp
|
||||
By running \fI\%unbound\-anchor \-l\fP the keys and certificate that are
|
||||
configured in the code are printed for your convenience.
|
||||
.P
|
||||
The build\-in configuration can be overridden by providing a root\-cert
|
||||
file and a rootkey file.
|
||||
.SH "FILES"
|
||||
.sp
|
||||
The built\-in configuration can be overridden by providing a root\-cert file and
|
||||
a rootkey file.
|
||||
.SH FILES
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.I @UNBOUND_ROOTKEY_FILE@
|
||||
The root anchor file, updated with 5011 tracking, and read and written to.
|
||||
.B @UNBOUND_ROOTKEY_FILE@
|
||||
The root anchor file, updated with 5011 tracking, and read and written
|
||||
to.
|
||||
The file is created if it does not exist.
|
||||
.TP
|
||||
.I @UNBOUND_ROOTCERT_FILE@
|
||||
The trusted self\-signed certificate that is used to verify the downloaded
|
||||
DNSSEC root trust anchor. You can update it by fetching it from
|
||||
https://data.iana.org/root\-anchors/icannbundle.pem (and validate it).
|
||||
.B @UNBOUND_ROOTCERT_FILE@
|
||||
The trusted self\-signed certificate that is used to verify the
|
||||
downloaded DNSSEC root trust anchor.
|
||||
You can update it by fetching it from
|
||||
\fI\%https://data.iana.org/root\-anchors/icannbundle.pem\fP (and validate it).
|
||||
If the file does not exist or is empty, a builtin version is used.
|
||||
.TP
|
||||
.I https://data.iana.org/root\-anchors/root\-anchors.xml
|
||||
.B \fI\%https://data.iana.org/root\-anchors/root\-anchors.xml\fP
|
||||
Source for the root key information.
|
||||
.TP
|
||||
.I https://data.iana.org/root\-anchors/root\-anchors.p7s
|
||||
.B \fI\%https://data.iana.org/root\-anchors/root\-anchors.p7s\fP
|
||||
Signature on the root key information.
|
||||
.SH "SEE ALSO"
|
||||
\fIunbound.conf\fR(5),
|
||||
\fIunbound\fR(8).
|
||||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fI\%unbound.conf(5)\fP,
|
||||
\fI\%unbound(8)\fP\&.
|
||||
.SH AUTHOR
|
||||
Unbound developers are mentioned in the CREDITS file in the distribution.
|
||||
.SH COPYRIGHT
|
||||
1999-2025, NLnet Labs
|
||||
.\" Generated by docutils manpage writer.
|
||||
.
|
||||
|
||||
@@ -0,0 +1,281 @@
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
.. program:: unbound-anchor
|
||||
|
||||
unbound-anchor(8)
|
||||
=================
|
||||
|
||||
Synopsis
|
||||
--------
|
||||
|
||||
**unbound-anchor** [``opts``]
|
||||
|
||||
Description
|
||||
-----------
|
||||
|
||||
``unbound-anchor`` performs setup or update of the root trust anchor for DNSSEC
|
||||
validation.
|
||||
The program fetches the trust anchor with the method from :rfc:`7958` when
|
||||
regular :rfc:`5011` update fails to bring it up to date.
|
||||
It can be run (as root) from the commandline, or run as part of startup
|
||||
scripts.
|
||||
Before you start the :doc:`unbound(8)</manpages/unbound>` DNS server.
|
||||
|
||||
Suggested usage:
|
||||
|
||||
.. code-block:: text
|
||||
|
||||
# in the init scripts.
|
||||
# provide or update the root anchor (if necessary)
|
||||
unbound-anchor -a "@UNBOUND_ROOTKEY_FILE@"
|
||||
# Please note usage of this root anchor is at your own risk
|
||||
# and under the terms of our LICENSE (see source).
|
||||
#
|
||||
# start validating resolver
|
||||
# the unbound.conf contains:
|
||||
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
|
||||
unbound -c unbound.conf
|
||||
|
||||
This tool provides builtin default contents for the root anchor and root update
|
||||
certificate files.
|
||||
|
||||
It tests if the root anchor file works, and if not, and an update is possible,
|
||||
attempts to update the root anchor using the root update certificate.
|
||||
It performs a https fetch of
|
||||
`root-anchors.xml <http://data.iana.org/root-anchors/root-anchors.xml>`__
|
||||
and checks the results (:rfc:`7958`); if all checks are successful, it updates
|
||||
the root anchor file.
|
||||
Otherwise the root anchor file is unchanged.
|
||||
It performs :rfc:`5011` tracking if the DNSSEC information available via the
|
||||
DNS makes that possible.
|
||||
|
||||
It does not perform an update if the certificate is expired, if the network is
|
||||
down or other errors occur.
|
||||
|
||||
The available options are:
|
||||
|
||||
.. option:: -a <file>
|
||||
|
||||
The root anchor key file, that is read in and written out.
|
||||
Default is :file:`@UNBOUND_ROOTKEY_FILE@`.
|
||||
If the file does not exist, or is empty, a builtin root key is written
|
||||
to it.
|
||||
|
||||
.. option:: -c <file>
|
||||
|
||||
The root update certificate file, that is read in.
|
||||
Default is :file:`@UNBOUND_ROOTCERT_FILE@`.
|
||||
If the file does not exist, or is empty, a builtin certificate is used.
|
||||
|
||||
.. option:: -l
|
||||
|
||||
List the builtin root key and builtin root update certificate on stdout.
|
||||
|
||||
.. option:: -u <name>
|
||||
|
||||
The server name, it connects to ``https://name``.
|
||||
Specify without ``https://`` prefix.
|
||||
The default is ``"data.iana.org"``.
|
||||
It connects to the port specified with :option:`-P`.
|
||||
You can pass an IPv4 address or IPv6 address (no brackets) if you want.
|
||||
|
||||
.. option:: -S
|
||||
|
||||
Do not use SNI for the HTTPS connection.
|
||||
Default is to use SNI.
|
||||
|
||||
.. option:: -b <address>
|
||||
|
||||
The source address to bind to for domain resolution and contacting the
|
||||
server on https.
|
||||
May be either an IPv4 address or IPv6 address (no brackets).
|
||||
|
||||
.. option:: -x <path>
|
||||
|
||||
The pathname to the root-anchors.xml file on the server.
|
||||
(forms URL with :option:`-u`).
|
||||
The default is :file:`/root-anchors/root-anchors.xml`.
|
||||
|
||||
.. option:: -s <path>
|
||||
|
||||
The pathname to the root-anchors.p7s file on the server.
|
||||
(forms URL with :option:`-u`).
|
||||
The default is :file:`/root-anchors/root-anchors.p7s`.
|
||||
This file has to be a PKCS7 signature over the xml file, using the pem
|
||||
file (:option:`-c`) as trust anchor.
|
||||
|
||||
.. option:: -n <name>
|
||||
|
||||
The emailAddress for the Subject of the signer's certificate from the
|
||||
p7s signature file.
|
||||
Only signatures from this name are allowed.
|
||||
The default is ``dnssec@iana.org``.
|
||||
If you pass ``""`` then the emailAddress is not checked.
|
||||
|
||||
.. option:: -4
|
||||
|
||||
Use IPv4 for domain resolution and contacting the server on
|
||||
https.
|
||||
Default is to use IPv4 and IPv6 where appropriate.
|
||||
|
||||
.. option:: -6
|
||||
|
||||
Use IPv6 for domain resolution and contacting the server on https.
|
||||
Default is to use IPv4 and IPv6 where appropriate.
|
||||
|
||||
.. option:: -f <resolv.conf>
|
||||
|
||||
Use the given resolv.conf file.
|
||||
Not enabled by default, but you could try to pass
|
||||
:file:`/etc/resolv.conf` on some systems.
|
||||
It contains the IP addresses of the recursive nameservers to use.
|
||||
However, since this tool could be used to bootstrap that very recursive
|
||||
nameserver, it would not be useful (since that server is not up yet,
|
||||
since we are bootstrapping it).
|
||||
It could be useful in a situation where you know an upstream cache is
|
||||
deployed (and running) and in captive portal situations.
|
||||
|
||||
.. option:: -r <root.hints>
|
||||
|
||||
Use the given root.hints file (same syntax as the BIND and Unbound root
|
||||
hints file) to bootstrap domain resolution.
|
||||
By default a list of builtin root hints is used.
|
||||
unbound-anchor goes to the network itself for these roots, to resolve
|
||||
the server (:option:`-u` option) and to check the root DNSKEY records.
|
||||
It does so, because the tool when used for bootstrapping the recursive
|
||||
resolver, cannot use that recursive resolver itself because it is
|
||||
bootstrapping that server.
|
||||
|
||||
.. option:: -R
|
||||
|
||||
Allow fallback from :option:`-f` ``<resolv.conf>`` file to direct root
|
||||
servers query.
|
||||
It allows you to prefer local resolvers, but fallback automatically to
|
||||
direct root query if they do not respond or do not support DNSSEC.
|
||||
|
||||
.. option:: -v
|
||||
|
||||
More verbose.
|
||||
Once prints informational messages, multiple times may enable large
|
||||
debug amounts (such as full certificates or byte-dumps of downloaded
|
||||
files).
|
||||
By default it prints almost nothing.
|
||||
It also prints nothing on errors by default; in that case the original
|
||||
root anchor file is simply left undisturbed, so that a recursive server
|
||||
can start right after it.
|
||||
|
||||
.. option:: -C <unbound.conf>
|
||||
|
||||
Debug option to read :file:`<unbound.conf>` into the resolver process
|
||||
used.
|
||||
|
||||
.. option:: -P <port>
|
||||
|
||||
Set the port number to use for the https connection.
|
||||
The default is 443.
|
||||
|
||||
.. option:: -F
|
||||
|
||||
Debug option to force update of the root anchor through downloading the
|
||||
xml file and verifying it with the certificate.
|
||||
By default it first tries to update by contacting the DNS, which uses
|
||||
much less bandwidth, is much faster (200 msec not 2 sec), and is nicer
|
||||
to the deployed infrastructure.
|
||||
With this option, it still attempts to do so (and may verbosely tell
|
||||
you), but then ignores the result and goes on to use the xml fallback
|
||||
method.
|
||||
|
||||
.. option:: -h
|
||||
|
||||
Show the version and commandline option help.
|
||||
|
||||
Exit Code
|
||||
---------
|
||||
|
||||
This tool exits with value 1 if the root anchor was updated using the
|
||||
certificate or if the builtin root-anchor was used.
|
||||
It exits with code 0 if no update was necessary, if the update was possible
|
||||
with :rfc:`5011` tracking, or if an error occurred.
|
||||
|
||||
You can check the exit value in this manner:
|
||||
|
||||
.. code-block:: text
|
||||
|
||||
unbound-anchor -a "root.key" || logger "Please check root.key"
|
||||
|
||||
Or something more suitable for your operational environment.
|
||||
|
||||
Trust
|
||||
-----
|
||||
|
||||
The root keys and update certificate included in this tool are provided for
|
||||
convenience and under the terms of our license (see the LICENSE file in the
|
||||
source distribution or https://github.com/NLnetLabs/unbound/blob/master/LICENSE
|
||||
and might be stale or not suitable to your purpose.
|
||||
|
||||
By running :option:`unbound-anchor -l` the keys and certificate that are
|
||||
configured in the code are printed for your convenience.
|
||||
|
||||
The built-in configuration can be overridden by providing a root-cert file and
|
||||
a rootkey file.
|
||||
|
||||
Files
|
||||
-----
|
||||
|
||||
@UNBOUND_ROOTKEY_FILE@
|
||||
The root anchor file, updated with 5011 tracking, and read and written
|
||||
to.
|
||||
The file is created if it does not exist.
|
||||
|
||||
@UNBOUND_ROOTCERT_FILE@
|
||||
The trusted self-signed certificate that is used to verify the
|
||||
downloaded DNSSEC root trust anchor.
|
||||
You can update it by fetching it from
|
||||
https://data.iana.org/root-anchors/icannbundle.pem (and validate it).
|
||||
If the file does not exist or is empty, a builtin version is used.
|
||||
|
||||
https://data.iana.org/root-anchors/root-anchors.xml
|
||||
Source for the root key information.
|
||||
|
||||
https://data.iana.org/root-anchors/root-anchors.p7s
|
||||
Signature on the root key information.
|
||||
|
||||
See Also
|
||||
--------
|
||||
|
||||
:doc:`unbound.conf(5)</manpages/unbound.conf>`,
|
||||
:doc:`unbound(8)</manpages/unbound>`.
|
||||
+79
-42
@@ -1,56 +1,93 @@
|
||||
.TH "unbound-checkconf" "8" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
.\"
|
||||
.\" See LICENSE for the license.
|
||||
.\"
|
||||
.\"
|
||||
.SH "NAME"
|
||||
unbound\-checkconf
|
||||
\- Check Unbound configuration file for errors.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound\-checkconf
|
||||
.RB [ \-h ]
|
||||
.RB [ \-f ]
|
||||
.RB [ \-q ]
|
||||
.RB [ \-o
|
||||
.IR option ]
|
||||
.RI [ cfgfile ]
|
||||
.SH "DESCRIPTION"
|
||||
.B Unbound\-checkconf
|
||||
checks the configuration file for the
|
||||
\fIunbound\fR(8)
|
||||
DNS resolver for syntax and other errors.
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
.
|
||||
.nr rst2man-indent-level 0
|
||||
.
|
||||
.de1 rstReportMargin
|
||||
\\$1 \\n[an-margin]
|
||||
level \\n[rst2man-indent-level]
|
||||
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
-
|
||||
\\n[rst2man-indent0]
|
||||
\\n[rst2man-indent1]
|
||||
\\n[rst2man-indent2]
|
||||
..
|
||||
.de1 INDENT
|
||||
.\" .rstReportMargin pre:
|
||||
. RS \\$1
|
||||
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
||||
. nr rst2man-indent-level +1
|
||||
.\" .rstReportMargin post:
|
||||
..
|
||||
.de UNINDENT
|
||||
. RE
|
||||
.\" indent \\n[an-margin]
|
||||
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
.nr rst2man-indent-level -1
|
||||
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
||||
..
|
||||
.TH "UNBOUND-CHECKCONF" "8" "Sep 18, 2025" "1.24.0" "Unbound"
|
||||
.SH NAME
|
||||
unbound-checkconf \- Check Unbound 1.24.0 configuration file for errors.
|
||||
.SH SYNOPSIS
|
||||
.sp
|
||||
\fBunbound\-checkconf\fP [\fB\-hf\fP] [\fB\-o option\fP] [cfgfile]
|
||||
.SH DESCRIPTION
|
||||
.sp
|
||||
\fBunbound\-checkconf\fP checks the configuration file for the
|
||||
\fI\%unbound(8)\fP DNS resolver for syntax and other errors.
|
||||
The config file syntax is described in
|
||||
\fIunbound.conf\fR(5).
|
||||
.P
|
||||
\fI\%unbound.conf(5)\fP\&.
|
||||
.sp
|
||||
The available options are:
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-h
|
||||
Show the version and commandline option help.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-f
|
||||
Print full pathname, with chroot applied to it. Use with the \-o option.
|
||||
.TP
|
||||
.B \-o\fI option
|
||||
If given, after checking the config file the value of this option is
|
||||
printed to stdout. For "" (disabled) options an empty line is printed.
|
||||
Print full pathname, with chroot applied to it.
|
||||
Use with the \fI\%\-o\fP option.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-q
|
||||
Make the operation quiet, suppress output on success.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.I cfgfile
|
||||
The config file to read with settings for Unbound. It is checked.
|
||||
.B \-o <option>
|
||||
If given, after checking the config file the value of this option is
|
||||
printed to stdout.
|
||||
For \fB\(dq\(dq\fP (disabled) options an empty line is printed.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B cfgfile
|
||||
The config file to read with settings for Unbound.
|
||||
It is checked.
|
||||
If omitted, the config file at the default location is checked.
|
||||
.SH "EXIT CODE"
|
||||
The unbound\-checkconf program exits with status code 1 on error,
|
||||
0 for a correct config file.
|
||||
.SH "FILES"
|
||||
.UNINDENT
|
||||
.SH EXIT CODE
|
||||
.sp
|
||||
The \fBunbound\-checkconf\fP program exits with status code 1 on error, 0 for a
|
||||
correct config file.
|
||||
.SH FILES
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.I @ub_conf_file@
|
||||
.B @ub_conf_file@
|
||||
Unbound configuration file.
|
||||
.SH "SEE ALSO"
|
||||
\fIunbound.conf\fR(5),
|
||||
\fIunbound\fR(8).
|
||||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fI\%unbound.conf(5)\fP,
|
||||
\fI\%unbound(8)\fP\&.
|
||||
.SH AUTHOR
|
||||
Unbound developers are mentioned in the CREDITS file in the distribution.
|
||||
.SH COPYRIGHT
|
||||
1999-2025, NLnet Labs
|
||||
.\" Generated by docutils manpage writer.
|
||||
.
|
||||
|
||||
@@ -0,0 +1,98 @@
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
.. program:: unbound-checkconf
|
||||
|
||||
unbound-checkconf(8)
|
||||
====================
|
||||
|
||||
Synopsis
|
||||
--------
|
||||
|
||||
**unbound-checkconf** [``-hf``] [``-o option``] [cfgfile]
|
||||
|
||||
Description
|
||||
-----------
|
||||
|
||||
``unbound-checkconf`` checks the configuration file for the
|
||||
:doc:`unbound(8)</manpages/unbound>` DNS resolver for syntax and other errors.
|
||||
The config file syntax is described in
|
||||
:doc:`unbound.conf(5)</manpages/unbound.conf>`.
|
||||
|
||||
The available options are:
|
||||
|
||||
.. option:: -h
|
||||
|
||||
Show the version and commandline option help.
|
||||
|
||||
.. option:: -f
|
||||
|
||||
Print full pathname, with chroot applied to it.
|
||||
Use with the :option:`-o` option.
|
||||
|
||||
.. option:: -q
|
||||
|
||||
Make the operation quiet, suppress output on success.
|
||||
|
||||
.. option:: -o <option>
|
||||
|
||||
If given, after checking the config file the value of this option is
|
||||
printed to stdout.
|
||||
For ``""`` (disabled) options an empty line is printed.
|
||||
|
||||
.. option:: cfgfile
|
||||
|
||||
The config file to read with settings for Unbound.
|
||||
It is checked.
|
||||
If omitted, the config file at the default location is checked.
|
||||
|
||||
Exit Code
|
||||
---------
|
||||
|
||||
The ``unbound-checkconf`` program exits with status code 1 on error, 0 for a
|
||||
correct config file.
|
||||
|
||||
Files
|
||||
-----
|
||||
|
||||
@ub_conf_file@
|
||||
Unbound configuration file.
|
||||
|
||||
See Also
|
||||
--------
|
||||
|
||||
:doc:`unbound.conf(5)</manpages/unbound.conf>`,
|
||||
:doc:`unbound(8)</manpages/unbound>`.
|
||||
+1202
-637
+157
-85
@@ -1,118 +1,190 @@
|
||||
.TH "unbound\-host" "1" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
.\"
|
||||
.\" See LICENSE for the license.
|
||||
.\"
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound\-host
|
||||
\- unbound DNS lookup utility
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound\-host
|
||||
.RB [ \-C
|
||||
.IR configfile ]
|
||||
.RB [ \-vdhr46D ]
|
||||
.RB [ \-c
|
||||
.IR class ]
|
||||
.RB [ \-t
|
||||
.IR type ]
|
||||
.RB [ \-y
|
||||
.IR key ]
|
||||
.RB [ \-f
|
||||
.IR keyfile ]
|
||||
.RB [ \-F
|
||||
.IR namedkeyfile ]
|
||||
.I hostname
|
||||
.SH "DESCRIPTION"
|
||||
.B Unbound\-host
|
||||
uses the Unbound validating resolver to query for the hostname and display
|
||||
results. With the \fB\-v\fR option it displays validation
|
||||
status: secure, insecure, bogus (security failure).
|
||||
.P
|
||||
By default it reads no configuration file whatsoever. It attempts to reach
|
||||
the internet root servers. With \fB\-C\fR an Unbound config file and with
|
||||
\fB\-r\fR resolv.conf can be read.
|
||||
.P
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
.
|
||||
.nr rst2man-indent-level 0
|
||||
.
|
||||
.de1 rstReportMargin
|
||||
\\$1 \\n[an-margin]
|
||||
level \\n[rst2man-indent-level]
|
||||
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
-
|
||||
\\n[rst2man-indent0]
|
||||
\\n[rst2man-indent1]
|
||||
\\n[rst2man-indent2]
|
||||
..
|
||||
.de1 INDENT
|
||||
.\" .rstReportMargin pre:
|
||||
. RS \\$1
|
||||
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
||||
. nr rst2man-indent-level +1
|
||||
.\" .rstReportMargin post:
|
||||
..
|
||||
.de UNINDENT
|
||||
. RE
|
||||
.\" indent \\n[an-margin]
|
||||
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
.nr rst2man-indent-level -1
|
||||
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
||||
..
|
||||
.TH "UNBOUND-HOST" "1" "Sep 18, 2025" "1.24.0" "Unbound"
|
||||
.SH NAME
|
||||
unbound-host \- Unbound 1.24.0 DNS lookup utility.
|
||||
.SH SYNOPSIS
|
||||
.sp
|
||||
\fBunbound\-host\fP [\fB\-C configfile\fP] [\fB\-vdhr46D\fP] [\fB\-c class\fP]
|
||||
[\fB\-t type\fP] [\fB\-y key\fP] [\fB\-f keyfile\fP] [\fB\-F namedkeyfile\fP] hostname
|
||||
.SH DESCRIPTION
|
||||
.sp
|
||||
\fBunbound\-host\fP uses the Unbound validating resolver to query for the hostname
|
||||
and display results.
|
||||
With the \fI\%\-v\fP option it displays validation status: secure, insecure,
|
||||
bogus (security failure).
|
||||
.sp
|
||||
By default it reads no configuration file whatsoever.
|
||||
It attempts to reach the internet root servers.
|
||||
With \fI\%\-C\fP an unbound config file and with \fI\%\-r\fP \fBresolv.conf\fP
|
||||
can be read.
|
||||
.sp
|
||||
The available options are:
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.I hostname
|
||||
.B hostname
|
||||
This name is resolved (looked up in the DNS).
|
||||
If a IPv4 or IPv6 address is given, a reverse lookup is performed.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-h
|
||||
Show the version and commandline option help.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-v
|
||||
Enable verbose output and it shows validation results, on every line.
|
||||
Secure means that the NXDOMAIN (no such domain name), nodata (no such data)
|
||||
or positive data response validated correctly with one of the keys.
|
||||
Secure means that the NXDOMAIN (no such domain name), nodata (no such
|
||||
data) or positive data response validated correctly with one of the
|
||||
keys.
|
||||
Insecure means that that domain name has no security set up for it.
|
||||
Bogus (security failure) means that the response failed one or more checks,
|
||||
it is likely wrong, outdated, tampered with, or broken.
|
||||
Bogus (security failure) means that the response failed one or more
|
||||
checks, it is likely wrong, outdated, tampered with, or broken.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-d
|
||||
Enable debug output to stderr. One \-d shows what the resolver and validator
|
||||
are doing and may tell you what is going on. More times, \-d \-d, gives a
|
||||
lot of output, with every packet sent and received.
|
||||
Enable debug output to stderr.
|
||||
One \fI\%\-d\fP shows what the resolver and validator are doing and may
|
||||
tell you what is going on.
|
||||
More times, \fI\%\-d\fP \fI\%\-d\fP, gives a lot of output, with every
|
||||
packet sent and received.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-c \fIclass
|
||||
Specify the class to lookup for, the default is IN the internet class.
|
||||
.B \-c <class>
|
||||
Specify the class to lookup for, the default is IN the internet
|
||||
class.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-t \fItype
|
||||
Specify the type of data to lookup. The default looks for IPv4, IPv6 and
|
||||
mail handler data, or domain name pointers for reverse queries.
|
||||
.B \-t <type>
|
||||
Specify the type of data to lookup.
|
||||
The default looks for IPv4, IPv6 and mail handler data, or domain name
|
||||
pointers for reverse queries.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-y \fIkey
|
||||
Specify a public key to use as trust anchor. This is the base for a chain
|
||||
of trust that is built up from the trust anchor to the response, in order
|
||||
to validate the response message. Can be given as a DS or DNSKEY record.
|
||||
For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD".
|
||||
.B \-y <key>
|
||||
Specify a public key to use as trust anchor.
|
||||
This is the base for a chain of trust that is built up from the trust
|
||||
anchor to the response, in order to validate the response message.
|
||||
Can be given as a DS or DNSKEY record.
|
||||
For example:
|
||||
.INDENT 7.0
|
||||
.INDENT 3.5
|
||||
.sp
|
||||
.nf
|
||||
.ft C
|
||||
\-y \(dqexample.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD\(dq
|
||||
.ft P
|
||||
.fi
|
||||
.UNINDENT
|
||||
.UNINDENT
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-D
|
||||
Enables DNSSEC validation. Reads the root anchor from the default configured
|
||||
root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR.
|
||||
Enables DNSSEC validation.
|
||||
Reads the root anchor from the default configured root anchor at the
|
||||
default location, \fB@UNBOUND_ROOTKEY_FILE@\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-f \fIkeyfile
|
||||
Reads keys from a file. Every line has a DS or DNSKEY record, in the format
|
||||
as for \-y. The zone file format, the same as dig and drill produce.
|
||||
.B \-f <keyfile>
|
||||
Reads keys from a file.
|
||||
Every line has a DS or DNSKEY record, in the format as for \fI\%\-y\fP\&.
|
||||
The zone file format, the same as \fBdig\fP and \fBdrill\fP produce.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-F \fInamedkeyfile
|
||||
Reads keys from a BIND\-style named.conf file. Only the trusted\-key {}; entries
|
||||
are read.
|
||||
.B \-F <namedkeyfile>
|
||||
Reads keys from a BIND\-style \fBnamed.conf\fP file.
|
||||
Only the \fBtrusted\-key {};\fP entries are read.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-C \fIconfigfile
|
||||
Uses the specified unbound.conf to prime
|
||||
.IR libunbound (3).
|
||||
.B \-C <configfile>
|
||||
Uses the specified unbound.conf to prime \fI\%libunbound(3)\fP\&.
|
||||
Pass it as first argument if you want to override some options from the
|
||||
config file with further arguments on the commandline.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-r
|
||||
Read /etc/resolv.conf, and use the forward DNS servers from there (those could
|
||||
have been set by DHCP). More info in
|
||||
.IR resolv.conf (5).
|
||||
Read \fB/etc/resolv.conf\fP, and use the forward DNS servers from
|
||||
there (those could have been set by DHCP).
|
||||
More info in \fIresolv.conf(5)\fP\&.
|
||||
Breaks validation if those servers do not support DNSSEC.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-4
|
||||
Use solely the IPv4 network for sending packets.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-6
|
||||
Use solely the IPv6 network for sending packets.
|
||||
.SH "EXAMPLES"
|
||||
Some examples of use. The keys shown below are fakes, thus a security failure
|
||||
is encountered.
|
||||
.P
|
||||
.UNINDENT
|
||||
.SH EXAMPLES
|
||||
.sp
|
||||
Some examples of use.
|
||||
The keys shown below are fakes, thus a security failure is encountered.
|
||||
.INDENT 0.0
|
||||
.INDENT 3.5
|
||||
.sp
|
||||
.nf
|
||||
.ft C
|
||||
$ unbound\-host www.example.com
|
||||
.P
|
||||
$ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" www.example.com
|
||||
.P
|
||||
$ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153
|
||||
.SH "EXIT CODE"
|
||||
The unbound\-host program exits with status code 1 on error,
|
||||
0 on no error. The data may not be available on exit code 0, exit code 1
|
||||
means the lookup encountered a fatal error.
|
||||
.SH "SEE ALSO"
|
||||
\fIunbound.conf\fR(5),
|
||||
\fIunbound\fR(8).
|
||||
|
||||
$ unbound\-host \-v \-y \(dqexample.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD\(dq www.example.com
|
||||
|
||||
$ unbound\-host \-v \-y \(dqexample.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD\(dq 192.0.2.153
|
||||
.ft P
|
||||
.fi
|
||||
.UNINDENT
|
||||
.UNINDENT
|
||||
.SH EXIT CODE
|
||||
.sp
|
||||
The \fBunbound\-host\fP program exits with status code 1 on error, 0 on no error.
|
||||
The data may not be available on exit code 0, exit code 1 means the lookup
|
||||
encountered a fatal error.
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fI\%unbound.conf(5)\fP,
|
||||
\fI\%unbound(8)\fP\&.
|
||||
.SH AUTHOR
|
||||
Unbound developers are mentioned in the CREDITS file in the distribution.
|
||||
.SH COPYRIGHT
|
||||
1999-2025, NLnet Labs
|
||||
.\" Generated by docutils manpage writer.
|
||||
.
|
||||
|
||||
@@ -0,0 +1,176 @@
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
.. program:: unbound-host
|
||||
|
||||
unbound-host(1)
|
||||
===============
|
||||
|
||||
Synopsis
|
||||
--------
|
||||
|
||||
**unbound-host** [``-C configfile``] [``-vdhr46D``] [``-c class``]
|
||||
[``-t type``] [``-y key``] [``-f keyfile``] [``-F namedkeyfile``] hostname
|
||||
|
||||
Description
|
||||
-----------
|
||||
|
||||
``unbound-host`` uses the Unbound validating resolver to query for the hostname
|
||||
and display results.
|
||||
With the :option:`-v` option it displays validation status: secure, insecure,
|
||||
bogus (security failure).
|
||||
|
||||
By default it reads no configuration file whatsoever.
|
||||
It attempts to reach the internet root servers.
|
||||
With :option:`-C` an unbound config file and with :option:`-r` ``resolv.conf``
|
||||
can be read.
|
||||
|
||||
The available options are:
|
||||
|
||||
.. option:: hostname
|
||||
|
||||
This name is resolved (looked up in the DNS).
|
||||
If a IPv4 or IPv6 address is given, a reverse lookup is performed.
|
||||
|
||||
.. option:: -h
|
||||
|
||||
Show the version and commandline option help.
|
||||
|
||||
.. option:: -v
|
||||
|
||||
Enable verbose output and it shows validation results, on every line.
|
||||
Secure means that the NXDOMAIN (no such domain name), nodata (no such
|
||||
data) or positive data response validated correctly with one of the
|
||||
keys.
|
||||
Insecure means that that domain name has no security set up for it.
|
||||
Bogus (security failure) means that the response failed one or more
|
||||
checks, it is likely wrong, outdated, tampered with, or broken.
|
||||
|
||||
.. option:: -d
|
||||
|
||||
Enable debug output to stderr.
|
||||
One :option:`-d` shows what the resolver and validator are doing and may
|
||||
tell you what is going on.
|
||||
More times, :option:`-d` :option:`-d`, gives a lot of output, with every
|
||||
packet sent and received.
|
||||
|
||||
.. option:: -c <class>
|
||||
|
||||
Specify the class to lookup for, the default is IN the internet
|
||||
class.
|
||||
|
||||
.. option:: -t <type>
|
||||
|
||||
Specify the type of data to lookup.
|
||||
The default looks for IPv4, IPv6 and mail handler data, or domain name
|
||||
pointers for reverse queries.
|
||||
|
||||
.. option:: -y <key>
|
||||
|
||||
Specify a public key to use as trust anchor.
|
||||
This is the base for a chain of trust that is built up from the trust
|
||||
anchor to the response, in order to validate the response message.
|
||||
Can be given as a DS or DNSKEY record.
|
||||
For example:
|
||||
|
||||
.. code-block:: text
|
||||
|
||||
-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD"
|
||||
|
||||
.. option:: -D
|
||||
|
||||
Enables DNSSEC validation.
|
||||
Reads the root anchor from the default configured root anchor at the
|
||||
default location, :file:`@UNBOUND_ROOTKEY_FILE@`.
|
||||
|
||||
.. option:: -f <keyfile>
|
||||
|
||||
Reads keys from a file.
|
||||
Every line has a DS or DNSKEY record, in the format as for :option:`-y`.
|
||||
The zone file format, the same as ``dig`` and ``drill`` produce.
|
||||
|
||||
.. option:: -F <namedkeyfile>
|
||||
|
||||
Reads keys from a BIND-style :file:`named.conf` file.
|
||||
Only the ``trusted-key {};`` entries are read.
|
||||
|
||||
.. option:: -C <configfile>
|
||||
|
||||
Uses the specified unbound.conf to prime :doc:`libunbound(3)</manpages/libunbound>`.
|
||||
Pass it as first argument if you want to override some options from the
|
||||
config file with further arguments on the commandline.
|
||||
|
||||
.. option:: -r
|
||||
|
||||
Read :file:`/etc/resolv.conf`, and use the forward DNS servers from
|
||||
there (those could have been set by DHCP).
|
||||
More info in *resolv.conf(5)*.
|
||||
Breaks validation if those servers do not support DNSSEC.
|
||||
|
||||
.. option:: -4
|
||||
|
||||
Use solely the IPv4 network for sending packets.
|
||||
|
||||
.. option:: -6
|
||||
|
||||
Use solely the IPv6 network for sending packets.
|
||||
|
||||
Examples
|
||||
--------
|
||||
|
||||
Some examples of use.
|
||||
The keys shown below are fakes, thus a security failure is encountered.
|
||||
|
||||
.. code-block:: text
|
||||
|
||||
$ unbound-host www.example.com
|
||||
|
||||
$ unbound-host -v -y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" www.example.com
|
||||
|
||||
$ unbound-host -v -y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153
|
||||
|
||||
Exit Code
|
||||
---------
|
||||
|
||||
The ``unbound-host`` program exits with status code 1 on error, 0 on no error.
|
||||
The data may not be available on exit code 0, exit code 1 means the lookup
|
||||
encountered a fatal error.
|
||||
|
||||
See Also
|
||||
--------
|
||||
|
||||
:doc:`unbound.conf(5)</manpages/unbound.conf>`,
|
||||
:doc:`unbound(8)</manpages/unbound>`.
|
||||
+102
-67
@@ -1,88 +1,123 @@
|
||||
.TH "unbound" "8" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
|
||||
.\"
|
||||
.\" See LICENSE for the license.
|
||||
.\"
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.23.1.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
.RB [ \-d ]
|
||||
.RB [ \-p ]
|
||||
.RB [ \-v ]
|
||||
.RB [ \-c
|
||||
.IR cfgfile ]
|
||||
.SH "DESCRIPTION"
|
||||
.B Unbound
|
||||
is a caching DNS resolver.
|
||||
.P
|
||||
It uses a built in list of authoritative nameservers for the root zone (.),
|
||||
.\" Man page generated from reStructuredText.
|
||||
.
|
||||
.
|
||||
.nr rst2man-indent-level 0
|
||||
.
|
||||
.de1 rstReportMargin
|
||||
\\$1 \\n[an-margin]
|
||||
level \\n[rst2man-indent-level]
|
||||
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
-
|
||||
\\n[rst2man-indent0]
|
||||
\\n[rst2man-indent1]
|
||||
\\n[rst2man-indent2]
|
||||
..
|
||||
.de1 INDENT
|
||||
.\" .rstReportMargin pre:
|
||||
. RS \\$1
|
||||
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
||||
. nr rst2man-indent-level +1
|
||||
.\" .rstReportMargin post:
|
||||
..
|
||||
.de UNINDENT
|
||||
. RE
|
||||
.\" indent \\n[an-margin]
|
||||
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
.nr rst2man-indent-level -1
|
||||
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
||||
..
|
||||
.TH "UNBOUND" "8" "Sep 18, 2025" "1.24.0" "Unbound"
|
||||
.SH NAME
|
||||
unbound \- Unbound DNS validating resolver 1.24.0.
|
||||
.SH SYNOPSIS
|
||||
.sp
|
||||
\fBunbound\fP [\fB\-hdpv\fP] [\fB\-c <cfgfile>\fP]
|
||||
.SH DESCRIPTION
|
||||
.sp
|
||||
\fBunbound\fP is a caching DNS resolver.
|
||||
.sp
|
||||
It uses a built in list of authoritative nameservers for the root zone (\fB\&.\fP),
|
||||
the so called root hints.
|
||||
On receiving a DNS query it will ask the root nameservers for
|
||||
an answer and will in almost all cases receive a delegation to a top level
|
||||
domain (TLD) authoritative nameserver.
|
||||
On receiving a DNS query it will ask the root nameservers for an answer and
|
||||
will in almost all cases receive a delegation to a top level domain (TLD)
|
||||
authoritative nameserver.
|
||||
It will then ask that nameserver for an answer.
|
||||
It will recursively continue until an answer is found or no answer is
|
||||
available (NXDOMAIN).
|
||||
For performance and efficiency reasons that answer is cached for a
|
||||
certain time (the answer's time\-to\-live or TTL).
|
||||
It will recursively continue until an answer is found or no answer is available
|
||||
(NXDOMAIN).
|
||||
For performance and efficiency reasons that answer is cached for a certain time
|
||||
(the answer\(aqs time\-to\-live or TTL).
|
||||
A second query for the same name will then be answered from the cache.
|
||||
Unbound can also do DNSSEC validation.
|
||||
.P
|
||||
To use a locally running
|
||||
.B Unbound
|
||||
for resolving put
|
||||
.sp
|
||||
.RS 6n
|
||||
To use a locally running Unbound for resolving put:
|
||||
.INDENT 0.0
|
||||
.INDENT 3.5
|
||||
.sp
|
||||
.nf
|
||||
.ft C
|
||||
nameserver 127.0.0.1
|
||||
.RE
|
||||
.ft P
|
||||
.fi
|
||||
.UNINDENT
|
||||
.UNINDENT
|
||||
.sp
|
||||
into \fIresolv.conf(5)\fP\&.
|
||||
.sp
|
||||
If authoritative DNS is needed as well using \fI\%nsd(8)\fP,
|
||||
careful setup is required because authoritative nameservers and resolvers are
|
||||
using the same port number (53).
|
||||
.sp
|
||||
into
|
||||
.IR resolv.conf (5).
|
||||
.P
|
||||
If authoritative DNS is needed as well using
|
||||
.IR nsd (8),
|
||||
careful setup is required because authoritative nameservers and
|
||||
resolvers are using the same port number (53).
|
||||
.P
|
||||
The available options are:
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-h
|
||||
Show the version number and commandline option help, and exit.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-c\fI cfgfile
|
||||
Set the config file with settings for Unbound to read instead of reading the
|
||||
file at the default location, @ub_conf_file@. The syntax is
|
||||
described in \fIunbound.conf\fR(5).
|
||||
.B \-c <cfgfile>
|
||||
Set the config file with settings for unbound to read instead of reading the
|
||||
file at the default location, \fB@ub_conf_file@\fP\&.
|
||||
The syntax is described in \fI\%unbound.conf(5)\fP\&.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-d
|
||||
Debug flag: do not fork into the background, but stay attached to
|
||||
the console. This flag will also delay writing to the log file until
|
||||
the thread\-spawn time, so that most config and setup errors appear on
|
||||
stderr. If given twice or more, logging does not switch to the log file
|
||||
or to syslog, but the log messages are printed to stderr all the time.
|
||||
Debug flag: do not fork into the background, but stay attached to the
|
||||
console.
|
||||
This flag will also delay writing to the log file until the thread\-spawn
|
||||
time, so that most config and setup errors appear on stderr.
|
||||
If given twice or more, logging does not switch to the log file or to
|
||||
syslog, but the log messages are printed to stderr all the time.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-p
|
||||
Don't use a pidfile. This argument should only be used by supervision
|
||||
systems which can ensure that only one instance of Unbound will run
|
||||
concurrently.
|
||||
Don\(aqt use a pidfile.
|
||||
This argument should only be used by supervision systems which can ensure
|
||||
that only one instance of Unbound will run concurrently.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-v
|
||||
Increase verbosity. If given multiple times, more information is logged.
|
||||
This is added to the verbosity (if any) from the config file.
|
||||
Increase verbosity.
|
||||
If given multiple times, more information is logged.
|
||||
This is in addition to the verbosity (if any) from the config file.
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
.B \-V
|
||||
Show the version number and build options, and exit.
|
||||
.SH "SEE ALSO"
|
||||
\fIunbound.conf\fR(5),
|
||||
\fIunbound\-checkconf\fR(8),
|
||||
\fInsd\fR(8).
|
||||
.SH "AUTHORS"
|
||||
.B Unbound
|
||||
developers are mentioned in the CREDITS file in the distribution.
|
||||
.UNINDENT
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fI\%unbound.conf(5)\fP,
|
||||
\fI\%unbound\-checkconf(8)\fP,
|
||||
\fI\%nsd(8)\fP\&.
|
||||
.SH AUTHOR
|
||||
Unbound developers are mentioned in the CREDITS file in the distribution.
|
||||
.SH COPYRIGHT
|
||||
1999-2025, NLnet Labs
|
||||
.\" Generated by docutils manpage writer.
|
||||
.
|
||||
|
||||
+5033
-2546
+119
@@ -0,0 +1,119 @@
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
..
|
||||
WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
|
||||
|
||||
..
|
||||
IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
|
||||
|
||||
..
|
||||
IT HELPS PEOPLE DIFFING THE CHANGES
|
||||
|
||||
.. program:: unbound
|
||||
|
||||
unbound(8)
|
||||
==========
|
||||
|
||||
Synopsis
|
||||
--------
|
||||
|
||||
**unbound** [``-hdpv``] [``-c <cfgfile>``]
|
||||
|
||||
Description
|
||||
-----------
|
||||
|
||||
``unbound`` is a caching DNS resolver.
|
||||
|
||||
It uses a built in list of authoritative nameservers for the root zone (``.``),
|
||||
the so called root hints.
|
||||
On receiving a DNS query it will ask the root nameservers for an answer and
|
||||
will in almost all cases receive a delegation to a top level domain (TLD)
|
||||
authoritative nameserver.
|
||||
It will then ask that nameserver for an answer.
|
||||
It will recursively continue until an answer is found or no answer is available
|
||||
(NXDOMAIN).
|
||||
For performance and efficiency reasons that answer is cached for a certain time
|
||||
(the answer's time-to-live or TTL).
|
||||
A second query for the same name will then be answered from the cache.
|
||||
Unbound can also do DNSSEC validation.
|
||||
|
||||
To use a locally running Unbound for resolving put:
|
||||
|
||||
.. code-block:: text
|
||||
|
||||
nameserver 127.0.0.1
|
||||
|
||||
into *resolv.conf(5)*.
|
||||
|
||||
If authoritative DNS is needed as well using :external+nsd:doc:`manpages/nsd`,
|
||||
careful setup is required because authoritative nameservers and resolvers are
|
||||
using the same port number (53).
|
||||
|
||||
The available options are:
|
||||
|
||||
.. option:: -h
|
||||
|
||||
Show the version number and commandline option help, and exit.
|
||||
|
||||
.. option:: -c <cfgfile>
|
||||
|
||||
Set the config file with settings for unbound to read instead of reading the
|
||||
file at the default location, :file:`@ub_conf_file@`.
|
||||
The syntax is described in :doc:`unbound.conf(5)</manpages/unbound.conf>`.
|
||||
|
||||
.. option:: -d
|
||||
|
||||
Debug flag: do not fork into the background, but stay attached to the
|
||||
console.
|
||||
This flag will also delay writing to the log file until the thread-spawn
|
||||
time, so that most config and setup errors appear on stderr.
|
||||
If given twice or more, logging does not switch to the log file or to
|
||||
syslog, but the log messages are printed to stderr all the time.
|
||||
|
||||
.. option:: -p
|
||||
|
||||
Don't use a pidfile.
|
||||
This argument should only be used by supervision systems which can ensure
|
||||
that only one instance of Unbound will run concurrently.
|
||||
|
||||
.. option:: -v
|
||||
|
||||
Increase verbosity.
|
||||
If given multiple times, more information is logged.
|
||||
This is in addition to the verbosity (if any) from the config file.
|
||||
|
||||
.. option:: -V
|
||||
|
||||
Show the version number and build options, and exit.
|
||||
|
||||
See Also
|
||||
--------
|
||||
|
||||
:doc:`unbound.conf(5)</manpages/unbound.conf>`,
|
||||
:doc:`unbound-checkconf(8)</manpages/unbound-checkconf>`,
|
||||
:external+nsd:doc:`manpages/nsd`.
|
||||
@@ -116,7 +116,7 @@ struct addredge {
|
||||
addrlen_t len;
|
||||
/** child node this edge is connected to */
|
||||
struct addrnode *node;
|
||||
/** Parent node this ege is connected to */
|
||||
/** Parent node this edge is connected to */
|
||||
struct addrnode *parent_node;
|
||||
/** Index of this edge in parent_node */
|
||||
int parent_index;
|
||||
|
||||
+38
-9
@@ -154,6 +154,21 @@ int ecs_whitelist_check(struct query_info* qinfo,
|
||||
return 1;
|
||||
sn_env = (struct subnet_env*)qstate->env->modinfo[id];
|
||||
|
||||
if(sq->is_subquery_nonsubnet) {
|
||||
if(sq->is_subquery_scopezero) {
|
||||
/* Check if the result can be stored in the global cache,
|
||||
* this is okay if the address and name are not configured
|
||||
* as subnet address and subnet zone. */
|
||||
if(!ecs_is_whitelisted(sn_env->whitelist,
|
||||
addr, addrlen, qinfo->qname, qinfo->qname_len,
|
||||
qinfo->qclass)) {
|
||||
verbose(VERB_ALGO, "subnet store subquery global, name and addr have no subnet treatment.");
|
||||
qstate->no_cache_store = 0;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Cache by default, might be disabled after parsing EDNS option
|
||||
* received from nameserver. */
|
||||
if(!iter_stub_fwd_no_cache(qstate, &qstate->qinfo, NULL, NULL, NULL, 0)
|
||||
@@ -234,13 +249,13 @@ subnetmod_init(struct module_env *env, int id)
|
||||
HASH_DEFAULT_STARTARRAY, env->cfg->msg_cache_size,
|
||||
msg_cache_sizefunc, query_info_compare, query_entry_delete,
|
||||
subnet_data_delete, NULL);
|
||||
slabhash_setmarkdel(sn_env->subnet_msg_cache, &subnet_markdel);
|
||||
if(!sn_env->subnet_msg_cache) {
|
||||
log_err("subnetcache: could not create cache");
|
||||
free(sn_env);
|
||||
env->modinfo[id] = NULL;
|
||||
return 0;
|
||||
}
|
||||
slabhash_setmarkdel(sn_env->subnet_msg_cache, &subnet_markdel);
|
||||
/* whitelist for edns subnet capable servers */
|
||||
sn_env->whitelist = ecs_whitelist_create();
|
||||
if(!sn_env->whitelist ||
|
||||
@@ -527,11 +542,12 @@ common_prefix(uint8_t *a, uint8_t *b, uint8_t net)
|
||||
/**
|
||||
* Create sub request that looks up the query.
|
||||
* @param qstate: query state
|
||||
* @param id: module id.
|
||||
* @param sq: subnet qstate
|
||||
* @return false on failure.
|
||||
*/
|
||||
static int
|
||||
generate_sub_request(struct module_qstate *qstate, struct subnet_qstate* sq)
|
||||
generate_sub_request(struct module_qstate *qstate, int id, struct subnet_qstate* sq)
|
||||
{
|
||||
struct module_qstate* subq = NULL;
|
||||
uint16_t qflags = 0; /* OPCODE QUERY, no flags */
|
||||
@@ -557,10 +573,22 @@ generate_sub_request(struct module_qstate *qstate, struct subnet_qstate* sq)
|
||||
}
|
||||
if(subq) {
|
||||
/* It is possible to access the subquery module state. */
|
||||
struct subnet_qstate* subsq;
|
||||
if(!subnet_new_qstate(subq, id)) {
|
||||
verbose(VERB_ALGO, "Could not allocate new subnet qstate");
|
||||
return 0;
|
||||
}
|
||||
subsq = (struct subnet_qstate*)subq->minfo[id];
|
||||
subsq->is_subquery_nonsubnet = 1;
|
||||
|
||||
/* When the client asks 0.0.0.0/0 and the name is not treated
|
||||
* as subnet, it is to be stored in the global cache.
|
||||
* Store that the client asked for that, if so. */
|
||||
if(sq->ecs_client_in.subnet_source_mask == 0 &&
|
||||
edns_opt_list_find(qstate->edns_opts_front_in,
|
||||
qstate->env->cfg->client_subnet_opcode)) {
|
||||
subq->no_cache_store = 1;
|
||||
subsq->is_subquery_scopezero = 1;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
@@ -569,17 +597,18 @@ generate_sub_request(struct module_qstate *qstate, struct subnet_qstate* sq)
|
||||
/**
|
||||
* Perform the query without subnet
|
||||
* @param qstate: query state
|
||||
* @param id: module id.
|
||||
* @param sq: subnet qstate
|
||||
* @return module state
|
||||
*/
|
||||
static enum module_ext_state
|
||||
generate_lookup_without_subnet(struct module_qstate *qstate,
|
||||
generate_lookup_without_subnet(struct module_qstate *qstate, int id,
|
||||
struct subnet_qstate* sq)
|
||||
{
|
||||
verbose(VERB_ALGO, "subnetcache: make subquery to look up without subnet");
|
||||
if(!generate_sub_request(qstate, sq)) {
|
||||
if(!generate_sub_request(qstate, id, sq)) {
|
||||
verbose(VERB_ALGO, "Could not generate sub query");
|
||||
qstate->return_rcode = LDNS_RCODE_FORMERR;
|
||||
qstate->return_rcode = LDNS_RCODE_SERVFAIL;
|
||||
qstate->return_msg = NULL;
|
||||
return module_finished;
|
||||
}
|
||||
@@ -622,7 +651,7 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
|
||||
* is still useful to put it in the edns subnet cache for
|
||||
* when a client explicitly asks for subnet specific answer. */
|
||||
verbose(VERB_QUERY, "subnetcache: Authority indicates no support");
|
||||
return generate_lookup_without_subnet(qstate, sq);
|
||||
return generate_lookup_without_subnet(qstate, id, sq);
|
||||
}
|
||||
|
||||
/* Purposefully there was no sent subnet, and there is consequently
|
||||
@@ -654,7 +683,7 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
|
||||
qstate->env->cfg->client_subnet_opcode);
|
||||
sq->subnet_sent = 0;
|
||||
sq->subnet_sent_no_subnet = 0;
|
||||
return generate_lookup_without_subnet(qstate, sq);
|
||||
return generate_lookup_without_subnet(qstate, id, sq);
|
||||
}
|
||||
|
||||
lock_rw_wrlock(&sne->biglock);
|
||||
@@ -945,7 +974,7 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
|
||||
/* aggregated this deaggregated state */
|
||||
qstate->ext_state[id] =
|
||||
generate_lookup_without_subnet(
|
||||
qstate, sq);
|
||||
qstate, id, sq);
|
||||
return;
|
||||
}
|
||||
verbose(VERB_ALGO, "subnetcache: pass to next module");
|
||||
@@ -993,7 +1022,7 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
|
||||
qstate->env->cfg->client_subnet_opcode)) {
|
||||
/* client asked for resolution without edns subnet */
|
||||
qstate->ext_state[id] = generate_lookup_without_subnet(
|
||||
qstate, sq);
|
||||
qstate, id, sq);
|
||||
return;
|
||||
}
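Review bot: In generate_sub_request the `subnet_new_qstate(subq, id)` failure branch returns 0 after the sub request has already been attached (the enclosing `if(subq)` shows it exists), and generate_lookup_without_subnet then finishes the parent with SERVFAIL; I cannot see from the hunk whether that attached subquery is detached on this path, so either confirm the mesh cleans it up when the parent finishes or detach it before the `return 0;`, e.g. `(*qstate->env->detach_subs)(qstate);`, if that is the right cleanup here. The reason for `subq->no_cache_store = 1;` is only discoverable from the ecs_whitelist_check hunk, where it is flipped back to 0 once the upstream address and name are known not to be subnet-treated; a comment such as `/* Kept out of the global cache until ecs_whitelist_check confirms the upstream and name have no subnet treatment. */` would make that visible where it is set. generate_sub_request's body starts outside the hunk.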
|
||||
|
||||
|
||||
@@ -106,6 +106,10 @@ struct subnet_qstate {
|
||||
int wait_subquery;
|
||||
/** The subquery waited for is done. */
|
||||
int wait_subquery_done;
|
||||
/** The subnet state is a subquery state for nonsubnet lookup. */
|
||||
int is_subquery_nonsubnet;
|
||||
/** This is a subquery, and it is made due to a scope zero request. */
|
||||
int is_subquery_scopezero;
|
||||
};
|
||||
|
||||
void subnet_data_delete(void* d, void* ATTR_UNUSED(arg));
|
||||
|
||||
@@ -79,6 +79,16 @@ struct delegpt {
|
||||
* Also true if the delegationpoint was created from a delegation
|
||||
* message and thus contains the parent-side-info already. */
|
||||
uint8_t has_parent_side_NS;
|
||||
/** if true, the delegation point has reached last resort processing
|
||||
* and the parent side information has been possibly added to the
|
||||
* delegation point.
|
||||
* For now this signals that further target lookups will ignore
|
||||
* the configured target-fetch-policy and only resolve on
|
||||
* demand to try and avoid triggering limits at this stage (.i.e, it
|
||||
* is very likely that the A/AAAA queries for the newly added name
|
||||
* servers will not yield new IP addresses and trigger NXNS
|
||||
* countermeasures. */
|
||||
uint8_t fallback_to_parent_side_NS;
|
||||
/** for assertions on type of delegpt */
|
||||
uint8_t dp_type_mlc;
|
||||
/** use SSL for upstream query */
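Review bot: The new comment on `fallback_to_parent_side_NS` has a stray period in `(.i.e, it is very likely`; `(i.e., it is very likely` reads correctly. It would also help readers to name where the flag is set and consumed, since the iterator hunks in this commit set it in processLastResort and test it in processQueryTargets to skip the target-fetch policy; a lead-in such as `Set by processLastResort; checked by processQueryTargets.` pins that down. The struct's definition starts and ends outside the hunk.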
|
||||
|
||||
+21
-11
@@ -139,6 +139,17 @@ forwards_insert_data(struct iter_forwards* fwd, uint16_t c, uint8_t* nm,
|
||||
return 1;
|
||||
}
|
||||
|
||||
static struct iter_forward_zone*
|
||||
fwd_zone_find(struct iter_forwards* fwd, uint16_t c, uint8_t* nm)
|
||||
{
|
||||
struct iter_forward_zone key;
|
||||
key.node.key = &key;
|
||||
key.dclass = c;
|
||||
key.name = nm;
|
||||
key.namelabs = dname_count_size_labels(nm, &key.namelen);
|
||||
return (struct iter_forward_zone*)rbtree_search(fwd->tree, &key);
|
||||
}
|
||||
|
||||
/** insert new info into forward structure given dp */
|
||||
static int
|
||||
forwards_insert(struct iter_forwards* fwd, uint16_t c, struct delegpt* dp)
|
||||
@@ -321,6 +332,11 @@ make_stub_holes(struct iter_forwards* fwd, struct config_file* cfg)
|
||||
log_err("cannot parse stub name '%s'", s->name);
|
||||
return 0;
|
||||
}
|
||||
if(fwd_zone_find(fwd, LDNS_RR_CLASS_IN, dname) != NULL) {
|
||||
/* Already a forward zone there. */
|
||||
free(dname);
|
||||
continue;
|
||||
}
|
||||
if(!fwd_add_stub_hole(fwd, LDNS_RR_CLASS_IN, dname)) {
|
||||
free(dname);
|
||||
log_err("out of memory");
|
||||
@@ -345,6 +361,11 @@ make_auth_holes(struct iter_forwards* fwd, struct config_file* cfg)
|
||||
log_err("cannot parse auth name '%s'", a->name);
|
||||
return 0;
|
||||
}
|
||||
if(fwd_zone_find(fwd, LDNS_RR_CLASS_IN, dname) != NULL) {
|
||||
/* Already a forward zone there. */
|
||||
free(dname);
|
||||
continue;
|
||||
}
|
||||
if(!fwd_add_stub_hole(fwd, LDNS_RR_CLASS_IN, dname)) {
|
||||
free(dname);
|
||||
log_err("out of memory");
|
||||
@@ -537,17 +558,6 @@ forwards_get_mem(struct iter_forwards* fwd)
|
||||
return s;
|
||||
}
|
||||
|
||||
static struct iter_forward_zone*
|
||||
fwd_zone_find(struct iter_forwards* fwd, uint16_t c, uint8_t* nm)
|
||||
{
|
||||
struct iter_forward_zone key;
|
||||
key.node.key = &key;
|
||||
key.dclass = c;
|
||||
key.name = nm;
|
||||
key.namelabs = dname_count_size_labels(nm, &key.namelen);
|
||||
return (struct iter_forward_zone*)rbtree_search(fwd->tree, &key);
|
||||
}
|
||||
|
||||
int
|
||||
forwards_add_zone(struct iter_forwards* fwd, uint16_t c, struct delegpt* dp,
|
||||
int nolock)
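Review bot: The relocated `fwd_zone_find` still carries no doc comment, while its neighbour `forwards_insert` does; a header such as `/** Find the forward zone for class c and exact name nm, NULL when absent. */` would match the file's style. The five-line skip block added to make_stub_holes and make_auth_holes is identical in both; if a third hole maker appears it is worth folding into a small static helper, but for two call sites the duplication is acceptable. I read the skip as correct on the assumption that a hole only exists to keep a stub or auth name from being forwarded, which an explicit forward zone at that exact name already decides; if that is not the intended precedence, the `continue` hides the conflict silently and a log line would be warranted.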
|
||||
|
||||
+25
-7
@@ -2152,6 +2152,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
|
||||
return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
|
||||
}
|
||||
iq->dp->fallback_to_parent_side_NS = 1;
|
||||
if(qstate->env->cfg->harden_unverified_glue) {
|
||||
if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
|
||||
qstate->region, iq->dp, PACKED_RRSET_UNVERIFIED_GLUE))
|
||||
@@ -2180,6 +2181,10 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
a->lame, a->tls_auth_name, -1, NULL);
|
||||
}
|
||||
lock_rw_unlock(&qstate->env->hints->lock);
|
||||
/* copy over some configuration since we update the
|
||||
* delegation point in place */
|
||||
iq->dp->tcp_upstream = dp->tcp_upstream;
|
||||
iq->dp->ssl_upstream = dp->ssl_upstream;
|
||||
}
|
||||
iq->dp->has_parent_side_NS = 1;
|
||||
} else if(!iq->dp->has_parent_side_NS) {
|
||||
@@ -2768,7 +2773,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
}
|
||||
/* if the mesh query list is full, then do not waste cpu and sockets to
|
||||
* fetch promiscuous targets. They can be looked up when needed. */
|
||||
if(can_do_promisc && !mesh_jostle_exceeded(qstate->env->mesh)) {
|
||||
if(!iq->dp->fallback_to_parent_side_NS && can_do_promisc
|
||||
&& !mesh_jostle_exceeded(qstate->env->mesh)) {
|
||||
tf_policy = ie->target_fetch_policy[iq->depth];
|
||||
}
|
||||
|
||||
@@ -3247,13 +3253,19 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
}
|
||||
}
|
||||
if(type == RESPONSE_TYPE_CNAME &&
|
||||
iq->qchase.qtype == LDNS_RR_TYPE_CNAME &&
|
||||
(iq->qchase.qtype == LDNS_RR_TYPE_CNAME ||
|
||||
iq->qchase.qtype == LDNS_RR_TYPE_ANY) &&
|
||||
iq->minimisation_state == MINIMISE_STATE &&
|
||||
query_dname_compare(iq->qchase.qname, iq->qinfo_out.qname) == 0) {
|
||||
/* The minimised query for full QTYPE and hidden QTYPE can be
|
||||
* classified as CNAME response type, even when the original
|
||||
* QTYPE=CNAME. This should be treated as answer response type.
|
||||
*/
|
||||
/* For QTYPE=ANY, it is also considered the response, that
|
||||
* is what the classifier would say, if it saw qtype ANY,
|
||||
* and this same response was returned for that. The response
|
||||
* can already be treated as such an answer, without having
|
||||
* to send another query with a new qtype. */
|
||||
type = RESPONSE_TYPE_ANSWER;
|
||||
}
|
||||
|
||||
@@ -3510,6 +3522,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
iq->num_target_queries = 0;
|
||||
return processDSNSFind(qstate, iq, id);
|
||||
}
|
||||
if(iq->minimisation_state == MINIMISE_STATE &&
|
||||
query_dname_compare(iq->qchase.qname,
|
||||
iq->qinfo_out.qname) != 0) {
|
||||
verbose(VERB_ALGO, "continue query minimisation, "
|
||||
"downwards, after CNAME response for "
|
||||
"intermediate label");
|
||||
/* continue query minimisation, downwards */
|
||||
return next_state(iq, QUERYTARGETS_STATE);
|
||||
}
|
||||
/* Process the CNAME response. */
|
||||
if(!handle_cname_response(qstate, iq, iq->response,
|
||||
&sname, &snamelen)) {
|
||||
@@ -3572,10 +3593,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
iq->auth_zone_response = 0;
|
||||
iq->sent_count = 0;
|
||||
iq->dp_target_count = 0;
|
||||
if(iq->minimisation_state != MINIMISE_STATE)
|
||||
/* Only count as query restart when it is not an extra
|
||||
* query as result of qname minimisation. */
|
||||
iq->query_restart_count++;
|
||||
iq->query_restart_count++;
|
||||
if(qstate->env->cfg->qname_minimisation)
|
||||
iq->minimisation_state = INIT_MINIMISE_STATE;
|
||||
|
||||
@@ -4147,7 +4165,7 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
/* store message with the finished prepended items,
|
||||
* but only if we did recursion. The nonrecursion referral
|
||||
* from cache does not need to be stored in the msg cache. */
|
||||
if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) {
|
||||
if(!qstate->no_cache_store && (qstate->query_flags&BIT_RD)) {
|
||||
iter_dns_store(qstate->env, &qstate->qinfo,
|
||||
iq->response->rep, 0, qstate->prefetch_leeway,
|
||||
iq->dp&&iq->dp->has_parent_side_NS,
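Review bot: In processQueryResponse the `iq->query_restart_count++;` is now unconditional but the comment explaining the previous exclusion was dropped without a replacement, so a reader cannot tell whether counting minimised CNAME follow-ups is intentional. It appears to be, since the earlier hunk in the same function now returns to QUERYTARGETS_STATE when a CNAME arrives for an intermediate minimised label, before this block is reached; a comment such as `/* Count every restart, including those following a minimised query. */` would record that. If a cap on `query_restart_count` is enforced elsewhere, that is the part worth spelling out, since the counter is what bounds how far a CNAME chain is followed. processQueryResponse's body starts and ends outside these hunks.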
|
||||
|
||||
@@ -630,8 +630,9 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
|
||||
free(qinfo.qname);
|
||||
return UB_NOERROR;
|
||||
}
|
||||
if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
|
||||
w->env, &qinfo, &edns, NULL, w->back->udp_buff, w->env->scratch)) {
|
||||
if(ctx->env->auth_zones && auth_zones_downstream_answer(
|
||||
ctx->env->auth_zones, w->env, &qinfo, &edns, NULL,
|
||||
w->back->udp_buff, w->env->scratch)) {
|
||||
regional_free_all(w->env->scratch);
|
||||
libworker_fillup_fg(q, LDNS_RCODE_NOERROR,
|
||||
w->back->udp_buff, sec_status_insecure, NULL, 0);
|
||||
@@ -709,8 +710,9 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
|
||||
w->back->udp_buff, sec_status_insecure, NULL, 0);
|
||||
return UB_NOERROR;
|
||||
}
|
||||
if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
|
||||
w->env, &qinfo, &edns, NULL, w->back->udp_buff, w->env->scratch)) {
|
||||
if(ctx->env->auth_zones && auth_zones_downstream_answer(
|
||||
ctx->env->auth_zones, w->env, &qinfo, &edns, NULL,
|
||||
w->back->udp_buff, w->env->scratch)) {
|
||||
regional_free_all(w->env->scratch);
|
||||
free(qinfo.qname);
|
||||
libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
|
||||
@@ -847,8 +849,9 @@ handle_newq(struct libworker* w, uint8_t* buf, uint32_t len)
|
||||
free(qinfo.qname);
|
||||
return;
|
||||
}
|
||||
if(w->ctx->env->auth_zones && auth_zones_answer(w->ctx->env->auth_zones,
|
||||
w->env, &qinfo, &edns, NULL, w->back->udp_buff, w->env->scratch)) {
|
||||
if(w->ctx->env->auth_zones && auth_zones_downstream_answer(
|
||||
w->ctx->env->auth_zones, w->env, &qinfo, &edns, NULL,
|
||||
w->back->udp_buff, w->env->scratch)) {
|
||||
regional_free_all(w->env->scratch);
|
||||
q->msg_security = sec_status_insecure;
|
||||
add_bg_result(w, q, w->back->udp_buff, UB_NOERROR, NULL, 0);
|
||||
|
||||
@@ -772,6 +772,8 @@ struct ub_server_stats {
|
||||
long long ans_bogus;
|
||||
/** rrsets marked bogus by validator */
|
||||
long long rrset_bogus;
|
||||
/** number of signature validation operations performed by validator */
|
||||
long long val_ops;
|
||||
/** number of queries that have been ratelimited by domain recursion. */
|
||||
long long queries_ratelimited;
|
||||
/** unwanted traffic received on server-facing ports */
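Review bot: `val_ops` is inserted in the middle of `struct ub_server_stats` rather than appended, which shifts the offset of every counter that follows it (`queries_ratelimited` onward). If this is the struct that is exposed through the shared-memory statistics (the `shm-enable` option), external readers built against the previous layout will misattribute counters until rebuilt; appending new counters at the end, or calling out the layout change in the release notes, avoids that. The struct's definition starts and ends outside the hunk.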
|
||||
|
||||
+17
-15
@@ -38,12 +38,14 @@
|
||||
def dataHex(data, prefix=""):
|
||||
"""Converts binary string data to display representation form"""
|
||||
res = ""
|
||||
for i in range(0, (len(data)+15)/16):
|
||||
for i in range(0, int((len(data)+15)/16)):
|
||||
res += "%s0x%02X | " % (prefix, i*16)
|
||||
d = map(lambda x:ord(x), data[i*16:i*16+17])
|
||||
d = map(lambda x:x, data[i*16:i*16+17])
|
||||
count=0
|
||||
for ch in d:
|
||||
res += "%02X " % ch
|
||||
for i in range(0,17-len(d)):
|
||||
count+=1
|
||||
for i in range(0,17-count):
|
||||
res += " "
|
||||
res += "| "
|
||||
for ch in d:
|
||||
@@ -60,31 +62,31 @@ def logDnsMsg(qstate):
|
||||
r = qstate.return_msg.rep
|
||||
q = qstate.return_msg.qinfo
|
||||
|
||||
print "-"*100
|
||||
print("-"*100)
|
||||
print("Query: %s, type: %s (%d), class: %s (%d) " % (
|
||||
qstate.qinfo.qname_str, qstate.qinfo.qtype_str, qstate.qinfo.qtype,
|
||||
qstate.qinfo.qclass_str, qstate.qinfo.qclass))
|
||||
print "-"*100
|
||||
print "Return reply :: flags: %04X, QDcount: %d, Security:%d, TTL=%d" % (r.flags, r.qdcount, r.security, r.ttl)
|
||||
print " qinfo :: qname: %s %s, qtype: %s, qclass: %s" % (str(q.qname_list), q.qname_str, q.qtype_str, q.qclass_str)
|
||||
print("-"*100)
|
||||
print("Return reply :: flags: %04X, QDcount: %d, Security:%d, TTL=%d" % (r.flags, r.qdcount, r.security, r.ttl))
|
||||
print(" qinfo :: qname: %s %s, qtype: %s, qclass: %s" % (str(q.qname_list), q.qname_str, q.qtype_str, q.qclass_str))
|
||||
|
||||
if (r):
|
||||
print "Reply:"
|
||||
print("Reply:")
|
||||
for i in range(0, r.rrset_count):
|
||||
rr = r.rrsets[i]
|
||||
|
||||
rk = rr.rk
|
||||
print i,":",rk.dname_list, rk.dname_str, "flags: %04X" % rk.flags,
|
||||
print "type:",rk.type_str,"(%d)" % ntohs(rk.type), "class:",rk.rrset_class_str,"(%d)" % ntohs(rk.rrset_class)
|
||||
print(i,":",rk.dname_list, rk.dname_str, "flags: %04X" % rk.flags,)
|
||||
print("type:",rk.type_str,"(%d)" % ntohs(rk.type), "class:",rk.rrset_class_str,"(%d)" % ntohs(rk.rrset_class))
|
||||
|
||||
d = rr.entry.data
|
||||
for j in range(0,d.count+d.rrsig_count):
|
||||
print " ",j,":","TTL=",d.rr_ttl[j],
|
||||
if (j >= d.count): print "rrsig",
|
||||
print
|
||||
print dataHex(d.rr_data[j]," ")
|
||||
print(" ",j,":","TTL=",d.rr_ttl[j],)
|
||||
if (j >= d.count): print("rrsig",)
|
||||
print()
|
||||
print(dataHex(d.rr_data[j]," "))
|
||||
|
||||
print "-"*100
|
||||
print("-"*100)
|
||||
|
||||
def init(id, cfg):
|
||||
log_info("pythonmod: init called, module id is %d port: %d script: %s" % (id, cfg.port, mod_env['script']))
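Review bot: In dataHex, `d = map(lambda x:x, data[i*16:i*16+17])` is a one-shot iterator under Python 3, and it is consumed by the first `for ch in d:` loop, so the second `for ch in d:` further down the hunk prints nothing. Since the lambda is the identity, `d = list(data[i*16:i*16+17])` keeps the commit's assumption that the slice already yields integers and is safe to iterate twice. In logDnsMsg the trailing commas inside `print(...,)` at the `flags: %04X`, `TTL=` and `"rrsig"` calls no longer suppress the newline the way the Python 2 statements did, so the second half of those lines now lands on its own line; `end=" "` restores the old layout, e.g. `print(i,":",rk.dname_list, rk.dname_str, "flags: %04X" % rk.flags, end=" ")`. The row count can also be written as `(len(data)+15)//16` instead of `int((len(data)+15)/16)`.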
|
||||
|
||||
+1
-1
@@ -276,7 +276,7 @@ void respip_inform_print(struct respip_action_info* respip_actinfo,
|
||||
* @param addrlen: length of addr.
|
||||
* @param net: netblock to lookup.
|
||||
* @param create: create node if it does not exist when 1.
|
||||
* @param ipstr: human redable ip string, for logging.
|
||||
* @param ipstr: human readable ip string, for logging.
|
||||
* @return newly created of found node, not holding lock.
|
||||
*/
|
||||
struct resp_addr*
|
||||
|
||||
+56
-34
@@ -2413,14 +2413,12 @@ az_find_wildcard(struct auth_zone* z, struct query_info* qinfo,
|
||||
if(!dname_subdomain_c(nm, z->name))
|
||||
return NULL; /* out of zone */
|
||||
while((node=az_find_wildcard_domain(z, nm, nmlen))==NULL) {
|
||||
/* see if we can go up to find the wildcard */
|
||||
if(nmlen == z->namelen)
|
||||
return NULL; /* top of zone reached */
|
||||
if(ce && nmlen == ce->namelen)
|
||||
return NULL; /* ce reached */
|
||||
if(dname_is_root(nm))
|
||||
return NULL; /* cannot go up */
|
||||
dname_remove_label(&nm, &nmlen);
|
||||
if(!dname_remove_label_limit_len(&nm, &nmlen, z->namelen))
|
||||
return NULL; /* can't go up */
|
||||
}
|
||||
return node;
|
||||
}
|
||||
@@ -2442,9 +2440,8 @@ az_find_candidate_ce(struct auth_zone* z, struct query_info* qinfo,
|
||||
n = az_find_name(z, nm, nmlen);
|
||||
/* delete labels and go up on name */
|
||||
while(!n) {
|
||||
if(dname_is_root(nm))
|
||||
return NULL; /* cannot go up */
|
||||
dname_remove_label(&nm, &nmlen);
|
||||
if(!dname_remove_label_limit_len(&nm, &nmlen, z->namelen))
|
||||
return NULL; /* can't go up */
|
||||
n = az_find_name(z, nm, nmlen);
|
||||
}
|
||||
return n;
|
||||
@@ -2456,8 +2453,7 @@ az_domain_go_up(struct auth_zone* z, struct auth_data* n)
|
||||
{
|
||||
uint8_t* nm = n->name;
|
||||
size_t nmlen = n->namelen;
|
||||
while(!dname_is_root(nm)) {
|
||||
dname_remove_label(&nm, &nmlen);
|
||||
while(dname_remove_label_limit_len(&nm, &nmlen, z->namelen)) {
|
||||
if((n=az_find_name(z, nm, nmlen)) != NULL)
|
||||
return n;
|
||||
}
|
||||
@@ -2771,26 +2767,23 @@ az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname,
|
||||
}
|
||||
}
|
||||
|
||||
/** find NSEC record covering the query */
|
||||
/** find NSEC record covering the query, with the given node in the zone */
|
||||
static struct auth_rrset*
|
||||
az_find_nsec_cover(struct auth_zone* z, struct auth_data** node)
|
||||
{
|
||||
uint8_t* nm = (*node)->name;
|
||||
size_t nmlen = (*node)->namelen;
|
||||
uint8_t* nm;
|
||||
size_t nmlen;
|
||||
struct auth_rrset* rrset;
|
||||
log_assert(*node); /* we already have a node when calling this */
|
||||
nm = (*node)->name;
|
||||
nmlen = (*node)->namelen;
|
||||
/* find the NSEC for the smallest-or-equal node */
|
||||
/* if node == NULL, we did not find a smaller name. But the zone
|
||||
* name is the smallest name and should have an NSEC. So there is
|
||||
* no NSEC to return (for a properly signed zone) */
|
||||
/* for empty nonterminals, the auth-data node should not exist,
|
||||
* and thus we don't need to go rbtree_previous here to find
|
||||
* a domain with an NSEC record */
|
||||
/* but there could be glue, and if this is node, then it has no NSEC.
|
||||
/* But there could be glue, and then it has no NSEC.
|
||||
* Go up to find nonglue (previous) NSEC-holding nodes */
|
||||
while((rrset=az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)) == NULL) {
|
||||
if(dname_is_root(nm)) return NULL;
|
||||
if(nmlen == z->namelen) return NULL;
|
||||
dname_remove_label(&nm, &nmlen);
|
||||
if(!dname_remove_label_limit_len(&nm, &nmlen, z->namelen))
|
||||
return NULL; /* can't go up */
|
||||
/* adjust *node for the nsec rrset to find in */
|
||||
*node = az_find_name(z, nm, nmlen);
|
||||
}
|
||||
@@ -3018,12 +3011,9 @@ az_nsec3_find_ce(struct auth_zone* z, uint8_t** cenm, size_t* cenmlen,
|
||||
struct auth_data* node;
|
||||
while((node = az_nsec3_find_exact(z, *cenm, *cenmlen,
|
||||
algo, iter, salt, saltlen)) == NULL) {
|
||||
if(*cenmlen == z->namelen) {
|
||||
/* next step up would take us out of the zone. fail */
|
||||
return NULL;
|
||||
}
|
||||
if(!dname_remove_label_limit_len(cenm, cenmlen, z->namelen))
|
||||
return NULL; /* can't go up */
|
||||
*no_exact_ce = 1;
|
||||
dname_remove_label(cenm, cenmlen);
|
||||
}
|
||||
return node;
|
||||
}
|
||||
@@ -3340,7 +3330,8 @@ az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo,
|
||||
} else if(ce) {
|
||||
uint8_t* wildup = wildcard->name;
|
||||
size_t wilduplen= wildcard->namelen;
|
||||
dname_remove_label(&wildup, &wilduplen);
|
||||
if(!dname_remove_label_limit_len(&wildup, &wilduplen, z->namelen))
|
||||
return 0; /* can't go up */
|
||||
if(!az_add_nsec3_proof(z, region, msg, wildup,
|
||||
wilduplen, msg->qinfo.qname,
|
||||
msg->qinfo.qname_len, 0, insert_ce, 1, 0))
|
||||
@@ -3399,7 +3390,7 @@ az_generate_answer_with_node(struct auth_zone* z, struct query_info* qinfo,
|
||||
}
|
||||
|
||||
/** Generate answer without an existing-node that we can use.
|
||||
* So it'll be a referral, DNAME or nxdomain */
|
||||
* So it'll be a referral, DNAME, notype, wildcard or nxdomain */
|
||||
static int
|
||||
az_generate_answer_nonexistnode(struct auth_zone* z, struct query_info* qinfo,
|
||||
struct regional* region, struct dns_msg* msg, struct auth_data* ce,
|
||||
@@ -3565,14 +3556,17 @@ auth_error_encode(struct query_info* qinfo, struct module_env* env,
|
||||
sldns_buffer_read_u16_at(buf, 2), edns);
|
||||
}
|
||||
|
||||
int auth_zones_answer(struct auth_zones* az, struct module_env* env,
|
||||
int auth_zones_downstream_answer(struct auth_zones* az, struct module_env* env,
|
||||
struct query_info* qinfo, struct edns_data* edns,
|
||||
struct comm_reply* repinfo, struct sldns_buffer* buf, struct regional* temp)
|
||||
struct comm_reply* repinfo, struct sldns_buffer* buf,
|
||||
struct regional* temp)
|
||||
{
|
||||
struct dns_msg* msg = NULL;
|
||||
struct auth_zone* z;
|
||||
int r;
|
||||
int fallback = 0;
|
||||
/* Copy the qinfo in case of cname aliasing from local-zone */
|
||||
struct query_info zqinfo = *qinfo;
|
||||
|
||||
lock_rw_rdlock(&az->lock);
|
||||
if(!az->have_downstream) {
|
||||
@@ -3580,6 +3574,7 @@ int auth_zones_answer(struct auth_zones* az, struct module_env* env,
|
||||
lock_rw_unlock(&az->lock);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if(qinfo->qtype == LDNS_RR_TYPE_DS) {
|
||||
uint8_t* delname = qinfo->qname;
|
||||
size_t delnamelen = qinfo->qname_len;
|
||||
@@ -3587,8 +3582,14 @@ int auth_zones_answer(struct auth_zones* az, struct module_env* env,
|
||||
z = auth_zones_find_zone(az, delname, delnamelen,
|
||||
qinfo->qclass);
|
||||
} else {
|
||||
z = auth_zones_find_zone(az, qinfo->qname, qinfo->qname_len,
|
||||
qinfo->qclass);
|
||||
if(zqinfo.local_alias && !local_alias_shallow_copy_qname(
|
||||
zqinfo.local_alias, &zqinfo.qname,
|
||||
&zqinfo.qname_len)) {
|
||||
lock_rw_unlock(&az->lock);
|
||||
return 0;
|
||||
}
|
||||
z = auth_zones_find_zone(az, zqinfo.qname, zqinfo.qname_len,
|
||||
zqinfo.qclass);
|
||||
}
|
||||
if(!z) {
|
||||
/* no zone above it */
|
||||
@@ -3614,7 +3615,7 @@ int auth_zones_answer(struct auth_zones* az, struct module_env* env,
|
||||
}
|
||||
|
||||
/* answer it from zone z */
|
||||
r = auth_zone_generate_answer(z, qinfo, temp, &msg, &fallback);
|
||||
r = auth_zone_generate_answer(z, &zqinfo, temp, &msg, &fallback);
|
||||
lock_rw_unlock(&z->lock);
|
||||
if(!r && fallback) {
|
||||
/* fallback to regular answering (recursive) */
|
||||
@@ -5023,6 +5024,7 @@ apply_axfr(struct auth_xfer* xfr, struct auth_zone* z,
|
||||
|
||||
xfr->have_zone = 0;
|
||||
xfr->serial = 0;
|
||||
xfr->soa_zone_acquired = 0;
|
||||
|
||||
/* insert all RRs in to the zone */
|
||||
/* insert the SOA only once, skip the last one */
|
||||
@@ -5124,6 +5126,7 @@ apply_http(struct auth_xfer* xfr, struct auth_zone* z,
|
||||
|
||||
xfr->have_zone = 0;
|
||||
xfr->serial = 0;
|
||||
xfr->soa_zone_acquired = 0;
|
||||
|
||||
chunk = xfr->task_transfer->chunks_first;
|
||||
chunk_pos = 0;
|
||||
@@ -5334,6 +5337,8 @@ xfr_process_chunk_list(struct auth_xfer* xfr, struct module_env* env,
|
||||
" (or malformed RR)", xfr->task_transfer->master->host);
|
||||
return 0;
|
||||
}
|
||||
z->soa_zone_acquired = *env->now;
|
||||
xfr->soa_zone_acquired = *env->now;
|
||||
|
||||
/* release xfr lock while verifying zonemd because it may have
|
||||
* to spawn lookups in the state machines */
|
||||
@@ -7003,13 +7008,23 @@ xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env,
|
||||
comm_timer_set(xfr->task_nextprobe->timer, &tv);
|
||||
}
|
||||
|
||||
void auth_zone_pickup_initial_zone(struct auth_zone* z, struct module_env* env)
|
||||
{
|
||||
/* Set the time, because we now have timestamp in env,
|
||||
* (not earlier during startup and apply_cfg), and this
|
||||
* notes the start time when the data was acquired. */
|
||||
z->soa_zone_acquired = *env->now;
|
||||
}
|
||||
|
||||
void auth_xfer_pickup_initial_zone(struct auth_xfer* x, struct module_env* env)
|
||||
{
|
||||
/* set lease_time, because we now have timestamp in env,
|
||||
* (not earlier during startup and apply_cfg), and this
|
||||
* notes the start time when the data was acquired */
|
||||
if(x->have_zone)
|
||||
if(x->have_zone) {
|
||||
x->lease_time = *env->now;
|
||||
x->soa_zone_acquired = *env->now;
|
||||
}
|
||||
if(x->task_nextprobe && x->task_nextprobe->worker == NULL) {
|
||||
xfr_set_timeout(x, env, 0, 1);
|
||||
}
|
||||
@@ -7020,7 +7035,13 @@ void
|
||||
auth_xfer_pickup_initial(struct auth_zones* az, struct module_env* env)
|
||||
{
|
||||
struct auth_xfer* x;
|
||||
struct auth_zone* z;
|
||||
lock_rw_wrlock(&az->lock);
|
||||
RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
|
||||
lock_rw_wrlock(&z->lock);
|
||||
auth_zone_pickup_initial_zone(z, env);
|
||||
lock_rw_unlock(&z->lock);
|
||||
}
|
||||
RBTREE_FOR(x, struct auth_xfer*, &az->xtree) {
|
||||
lock_basic_lock(&x->lock);
|
||||
auth_xfer_pickup_initial_zone(x, env);
|
||||
@@ -7105,6 +7126,7 @@ auth_xfer_new(struct auth_zone* z)
|
||||
lock_protect(&xfr->lock, &xfr->notify_serial, sizeof(xfr->notify_serial));
|
||||
lock_protect(&xfr->lock, &xfr->zone_expired, sizeof(xfr->zone_expired));
|
||||
lock_protect(&xfr->lock, &xfr->have_zone, sizeof(xfr->have_zone));
|
||||
lock_protect(&xfr->lock, &xfr->soa_zone_acquired, sizeof(xfr->soa_zone_acquired));
|
||||
lock_protect(&xfr->lock, &xfr->serial, sizeof(xfr->serial));
|
||||
lock_protect(&xfr->lock, &xfr->retry, sizeof(xfr->retry));
|
||||
lock_protect(&xfr->lock, &xfr->refresh, sizeof(xfr->refresh));
|
||||
|
||||
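Review bot: In the az_find_nsec_cover hunk the loop still assigns `*node = az_find_name(z, nm, nmlen);` without checking the result, and the next evaluation of `az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)` in the while condition dereferences it; the new `log_assert(*node)` only covers entry to the function. If the parent name can be an empty non-terminal with no auth_data node (the comment in this hunk says such nodes do not exist), a NULL return is reachable there, so I would add `if(!*node) return NULL;` directly after the assignment. The tail of az_find_nsec_cover is outside the hunk, so I cannot see whether a later check catches this.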
+15
-2
@@ -118,6 +118,8 @@ struct auth_zone {
|
||||
char* zonefile;
|
||||
/** fallback to the internet on failure or ttl-expiry of auth zone */
|
||||
int fallback_enabled;
|
||||
/** the time when zone was transferred from upstream */
|
||||
time_t soa_zone_acquired;
|
||||
/** the zone has expired (enabled by the xfer worker), fallback
|
||||
* happens if that option is enabled. */
|
||||
int zone_expired;
|
||||
@@ -261,6 +263,8 @@ struct auth_xfer {
|
||||
int zone_expired;
|
||||
/** do we have a zone (if 0, no zone data at all) */
|
||||
int have_zone;
|
||||
/** the time when zone was transferred from upstream */
|
||||
time_t soa_zone_acquired;
|
||||
|
||||
/** current serial (from SOA), if we have no zone, 0 */
|
||||
uint32_t serial;
|
||||
@@ -550,9 +554,10 @@ int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo,
|
||||
* @param temp: temporary storage region.
|
||||
* @return false if not answered
|
||||
*/
|
||||
int auth_zones_answer(struct auth_zones* az, struct module_env* env,
|
||||
int auth_zones_downstream_answer(struct auth_zones* az, struct module_env* env,
|
||||
struct query_info* qinfo, struct edns_data* edns,
|
||||
struct comm_reply* repinfo, struct sldns_buffer* buf, struct regional* temp);
|
||||
struct comm_reply* repinfo, struct sldns_buffer* buf,
|
||||
struct regional* temp);
|
||||
|
||||
/**
|
||||
* Find the auth zone that is above the given qname.
|
||||
@@ -799,6 +804,14 @@ size_t auth_zones_get_mem(struct auth_zones* zones);
|
||||
void auth_xfer_pickup_initial_zone(struct auth_xfer* x,
|
||||
struct module_env* env);
|
||||
|
||||
/**
|
||||
* Initial pick up of the auth zone, it sets the acquired time.
|
||||
* @param z: the zone, write locked by caller.
|
||||
* @param env: environment of the worker, with current time.
|
||||
*/
|
||||
void auth_zone_pickup_initial_zone(struct auth_zone* z,
|
||||
struct module_env* env);
|
||||
|
||||
/**
|
||||
* Delete auth xfer structure
|
||||
* @param xfr: delete this xfer and its tasks.
|
||||
|
||||
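Review bot: The doxygen comment on the new `soa_zone_acquired` field in struct auth_zone says "the time when zone was transferred from upstream", but auth_zone_pickup_initial_zone in the authzone.c hunks also sets it at startup for zones that were just loaded, so it is an acquisition timestamp rather than strictly a transfer time. I would write `/** the time when the zone data was acquired (initial load or transfer from upstream) */` for both the auth_zone and the auth_xfer copy. It would also help to state which lock covers each copy; auth_xfer_new adds lock_protect for the xfr copy, while the auth_zone copy appears to be written under the zone write lock, which is worth confirming and documenting.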
+2
@@ -68,6 +68,8 @@ struct rrset_cache* rrset_cache_create(struct config_file* cfg,
|
||||
struct rrset_cache *r = (struct rrset_cache*)slabhash_create(slabs,
|
||||
startarray, maxmem, ub_rrset_sizefunc, ub_rrset_compare,
|
||||
ub_rrset_key_delete, rrset_data_delete, alloc);
|
||||
if(!r)
|
||||
return NULL;
|
||||
slabhash_setmarkdel(&r->table, &rrset_markdel);
|
||||
return r;
|
||||
}
|
||||
|
||||
+94
-23
@@ -90,10 +90,13 @@
|
||||
#ifdef HAVE_NGTCP2
|
||||
#include <ngtcp2/ngtcp2.h>
|
||||
#include <ngtcp2/ngtcp2_crypto.h>
|
||||
#ifdef HAVE_NGTCP2_NGTCP2_CRYPTO_QUICTLS_H
|
||||
#ifdef HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H
|
||||
#include <ngtcp2/ngtcp2_crypto_ossl.h>
|
||||
#elif defined(HAVE_NGTCP2_NGTCP2_CRYPTO_QUICTLS_H)
|
||||
#include <ngtcp2/ngtcp2_crypto_quictls.h>
|
||||
#else
|
||||
#elif defined(HAVE_NGTCP2_NGTCP2_CRYPTO_OPENSSL_H)
|
||||
#include <ngtcp2/ngtcp2_crypto_openssl.h>
|
||||
#define MAKE_QUIC_METHOD 1
|
||||
#endif
|
||||
#endif
|
||||
|
||||
@@ -447,7 +450,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
||||
* /proc/sys/net/core/wmem_max or sysctl net.core.wmem_max */
|
||||
if(setsockopt(s, SOL_SOCKET, SO_SNDBUFFORCE, (void*)&snd,
|
||||
(socklen_t)sizeof(snd)) < 0) {
|
||||
if(errno != EPERM) {
|
||||
if(errno != EPERM && errno != ENOBUFS) {
|
||||
log_err("setsockopt(..., SO_SNDBUFFORCE, "
|
||||
"...) failed: %s", sock_strerror(errno));
|
||||
sock_close(s);
|
||||
@@ -455,15 +458,23 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
||||
*inuse = 0;
|
||||
return -1;
|
||||
}
|
||||
if(errno != EPERM) {
|
||||
verbose(VERB_ALGO, "setsockopt(..., SO_SNDBUFFORCE, "
|
||||
"...) was not granted: %s", sock_strerror(errno));
|
||||
}
|
||||
# endif /* SO_SNDBUFFORCE */
|
||||
if(setsockopt(s, SOL_SOCKET, SO_SNDBUF, (void*)&snd,
|
||||
(socklen_t)sizeof(snd)) < 0) {
|
||||
log_err("setsockopt(..., SO_SNDBUF, "
|
||||
"...) failed: %s", sock_strerror(errno));
|
||||
sock_close(s);
|
||||
*noproto = 0;
|
||||
*inuse = 0;
|
||||
return -1;
|
||||
if(errno != ENOSYS && errno != ENOBUFS) {
|
||||
log_err("setsockopt(..., SO_SNDBUF, "
|
||||
"...) failed: %s", sock_strerror(errno));
|
||||
sock_close(s);
|
||||
*noproto = 0;
|
||||
*inuse = 0;
|
||||
return -1;
|
||||
}
|
||||
log_warn("setsockopt(..., SO_SNDBUF, "
|
||||
"...) was not granted: %s", sock_strerror(errno));
|
||||
}
|
||||
/* check if we got the right thing or if system
|
||||
* reduced to some system max. Warn if so */
|
||||
@@ -473,7 +484,8 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
||||
"Got %u. To fix: start with "
|
||||
"root permissions(linux) or sysctl "
|
||||
"bigger net.core.wmem_max(linux) or "
|
||||
"kern.ipc.maxsockbuf(bsd) values.",
|
||||
"kern.ipc.maxsockbuf(bsd) values. or "
|
||||
"set so-sndbuf: 0 (use system value).",
|
||||
(unsigned)snd, (unsigned)got);
|
||||
}
|
||||
# ifdef SO_SNDBUFFORCE
|
||||
@@ -902,7 +914,7 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
|
||||
against IP spoofing attacks as suggested in RFC7413 */
|
||||
#ifdef __APPLE__
|
||||
/* OS X implementation only supports qlen of 1 via this call. Actual
|
||||
value is configured by the net.inet.tcp.fastopen_backlog kernel parm. */
|
||||
value is configured by the net.inet.tcp.fastopen_backlog kernel param. */
|
||||
qlen = 1;
|
||||
#else
|
||||
/* 5 is recommended on linux */
|
||||
@@ -1179,6 +1191,15 @@ set_recvtimestamp(int s)
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
#elif defined(SO_TIMESTAMP) && defined(SCM_TIMESTAMP)
|
||||
int on = 1;
|
||||
/* FreeBSD and also Linux. */
|
||||
if (setsockopt(s, SOL_SOCKET, SO_TIMESTAMP, (void*)&on, (socklen_t)sizeof(on)) < 0) {
|
||||
log_err("setsockopt(..., SO_TIMESTAMP, ...) failed: %s",
|
||||
strerror(errno));
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
#else
|
||||
log_err("packets timestamping is not supported on this platform");
|
||||
(void)s;
|
||||
@@ -1598,7 +1619,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
|
||||
front->udp_buff, ports->pp2_enabled, cb,
|
||||
cb_arg, ports->socket);
|
||||
#else
|
||||
log_warn("This system does not support UDP ancilliary data.");
|
||||
log_warn("This system does not support UDP ancillary data.");
|
||||
#endif
|
||||
}
|
||||
if(!cp) {
|
||||
@@ -3099,7 +3120,7 @@ static int http2_req_header_cb(nghttp2_session* session,
|
||||
return 0;
|
||||
}
|
||||
/* Content type is a SHOULD (rfc7231#section-3.1.1.5) when using POST,
|
||||
* and not needed when using GET. Don't enfore.
|
||||
* and not needed when using GET. Don't enforce.
|
||||
* If set only allow lowercase "application/dns-message".
|
||||
*
|
||||
* Clients SHOULD (rfc8484#section-4.1) set an accept header, but MUST
|
||||
@@ -3161,7 +3182,7 @@ static int http2_req_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session),
|
||||
qlen = h2_stream->content_length;
|
||||
} else if(len <= h2_session->c->http2_stream_max_qbuffer_size) {
|
||||
/* setting this to msg-buffer-size can result in a lot
|
||||
* of memory consuption. Most queries should fit in a
|
||||
* of memory consumption. Most queries should fit in a
|
||||
* single DATA frame, and most POST queries will
|
||||
* contain content-length which does not impose this
|
||||
* limit. */
|
||||
@@ -3187,7 +3208,7 @@ static int http2_req_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session),
|
||||
|
||||
if(!h2_stream->qbuffer ||
|
||||
sldns_buffer_remaining(h2_stream->qbuffer) < len) {
|
||||
verbose(VERB_ALGO, "http2 data_chunck_recv failed. Not enough "
|
||||
verbose(VERB_ALGO, "http2 data_chunk_recv failed. Not enough "
|
||||
"buffer space for POST query. Can happen on multi "
|
||||
"frame requests without content-length header");
|
||||
h2_stream->query_too_large = 1;
|
||||
@@ -3257,6 +3278,21 @@ doq_table_create(struct config_file* cfg, struct ub_randstate* rnd)
|
||||
struct doq_table* table = calloc(1, sizeof(*table));
|
||||
if(!table)
|
||||
return NULL;
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
/* Initialize the ossl crypto, it is harmless to call twice,
|
||||
* and this is before use of doq connections. */
|
||||
if(ngtcp2_crypto_ossl_init() != 0) {
|
||||
log_err("ngtcp2_crypto_oss_init failed");
|
||||
free(table);
|
||||
return NULL;
|
||||
}
|
||||
#elif defined(HAVE_NGTCP2_CRYPTO_QUICTLS_INIT)
|
||||
if(ngtcp2_crypto_quictls_init() != 0) {
|
||||
log_err("ngtcp2_crypto_quictls_init failed");
|
||||
free(table);
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
table->idle_timeout = ((uint64_t)cfg->tcp_idle_timeout)*
|
||||
NGTCP2_MILLISECONDS;
|
||||
table->sv_scidlen = 16;
|
||||
@@ -3596,12 +3632,18 @@ doq_conn_delete(struct doq_conn* conn, struct doq_table* table)
|
||||
lock_rw_wrlock(&conn->table->conid_lock);
|
||||
doq_conn_clear_conids(conn);
|
||||
lock_rw_unlock(&conn->table->conid_lock);
|
||||
ngtcp2_conn_del(conn->conn);
|
||||
/* Remove the app data from ngtcp2 before SSL_free of conn->ssl,
|
||||
* because the ngtcp2 conn is deleted. */
|
||||
SSL_set_app_data(conn->ssl, NULL);
|
||||
if(conn->stream_tree.count != 0) {
|
||||
traverse_postorder(&conn->stream_tree, stream_tree_del, table);
|
||||
}
|
||||
free(conn->key.dcid);
|
||||
SSL_free(conn->ssl);
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
ngtcp2_crypto_ossl_ctx_del(conn->ossl_ctx);
|
||||
#endif
|
||||
ngtcp2_conn_del(conn->conn);
|
||||
free(conn->close_pkt);
|
||||
free(conn);
|
||||
}
|
||||
@@ -4459,7 +4501,7 @@ doq_log_printf_cb(void* ATTR_UNUSED(user_data), const char* fmt, ...)
|
||||
va_end(ap);
|
||||
}
|
||||
|
||||
#ifndef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT
|
||||
#ifdef MAKE_QUIC_METHOD
|
||||
/** the doq application tx key callback, false on failure */
|
||||
static int
|
||||
doq_application_tx_key_cb(struct doq_conn* conn)
|
||||
@@ -4493,7 +4535,9 @@ doq_set_encryption_secrets(SSL *ssl, OSSL_ENCRYPTION_LEVEL ossl_level,
|
||||
ngtcp2_crypto_level
|
||||
#endif
|
||||
level =
|
||||
#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_FROM_OSSL_ENCRYPTION_LEVEL
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
ngtcp2_crypto_ossl_from_ossl_encryption_level(ossl_level);
|
||||
#elif defined(HAVE_NGTCP2_CRYPTO_QUICTLS_FROM_OSSL_ENCRYPTION_LEVEL)
|
||||
ngtcp2_crypto_quictls_from_ossl_encryption_level(ossl_level);
|
||||
#else
|
||||
ngtcp2_crypto_openssl_from_ossl_encryption_level(ossl_level);
|
||||
@@ -4539,7 +4583,9 @@ doq_add_handshake_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL ossl_level,
|
||||
ngtcp2_crypto_level
|
||||
#endif
|
||||
level =
|
||||
#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_FROM_OSSL_ENCRYPTION_LEVEL
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
ngtcp2_crypto_ossl_from_ossl_encryption_level(ossl_level);
|
||||
#elif defined(HAVE_NGTCP2_CRYPTO_QUICTLS_FROM_OSSL_ENCRYPTION_LEVEL)
|
||||
ngtcp2_crypto_quictls_from_ossl_encryption_level(ossl_level);
|
||||
#else
|
||||
ngtcp2_crypto_openssl_from_ossl_encryption_level(ossl_level);
|
||||
@@ -4574,7 +4620,7 @@ doq_send_alert(SSL *ssl, enum ssl_encryption_level_t ATTR_UNUSED(level),
|
||||
doq_conn->tls_alert = alert;
|
||||
return 1;
|
||||
}
|
||||
#endif /* HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT */
|
||||
#endif /* MAKE_QUIC_METHOD */
|
||||
|
||||
/** ALPN select callback for the doq SSL context */
|
||||
static int
|
||||
@@ -4596,7 +4642,7 @@ void* quic_sslctx_create(char* key, char* pem, char* verifypem)
|
||||
{
|
||||
#ifdef HAVE_NGTCP2
|
||||
char* sid_ctx = "unbound server";
|
||||
#ifndef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT
|
||||
#ifdef MAKE_QUIC_METHOD
|
||||
SSL_QUIC_METHOD* quic_method;
|
||||
#endif
|
||||
SSL_CTX* ctx = SSL_CTX_new(TLS_server_method());
|
||||
@@ -4669,7 +4715,7 @@ void* quic_sslctx_create(char* key, char* pem, char* verifypem)
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
#else /* HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT */
|
||||
#elif defined(MAKE_QUIC_METHOD)
|
||||
/* The quic_method needs to remain valid during the SSL_CTX
|
||||
* lifetime, so we allocate it. It is freed with the
|
||||
* doq_server_socket. */
|
||||
@@ -4704,12 +4750,29 @@ static ngtcp2_conn* doq_conn_ref_get_conn(ngtcp2_crypto_conn_ref* conn_ref)
|
||||
static SSL*
|
||||
doq_ssl_server_setup(SSL_CTX* ctx, struct doq_conn* conn)
|
||||
{
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
int ret;
|
||||
#endif
|
||||
SSL* ssl = SSL_new(ctx);
|
||||
if(!ssl) {
|
||||
log_crypto_err("doq: SSL_new failed");
|
||||
return NULL;
|
||||
}
|
||||
#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
if((ret=ngtcp2_crypto_ossl_ctx_new(&conn->ossl_ctx, NULL)) != 0) {
|
||||
log_err("doq: ngtcp2_crypto_ossl_ctx_new failed: %s",
|
||||
ngtcp2_strerror(ret));
|
||||
SSL_free(ssl);
|
||||
return NULL;
|
||||
}
|
||||
ngtcp2_crypto_ossl_ctx_set_ssl(conn->ossl_ctx, ssl);
|
||||
if(ngtcp2_crypto_ossl_configure_server_session(ssl) != 0) {
|
||||
log_err("doq: ngtcp2_crypto_ossl_configure_server_session failed");
|
||||
SSL_free(ssl);
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT)
|
||||
conn->conn_ref.get_conn = &doq_conn_ref_get_conn;
|
||||
conn->conn_ref.user_data = conn;
|
||||
SSL_set_app_data(ssl, &conn->conn_ref);
|
||||
@@ -4717,7 +4780,11 @@ doq_ssl_server_setup(SSL_CTX* ctx, struct doq_conn* conn)
|
||||
SSL_set_app_data(ssl, conn);
|
||||
#endif
|
||||
SSL_set_accept_state(ssl);
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
SSL_set_quic_tls_early_data_enabled(ssl, 1);
|
||||
#else
|
||||
SSL_set_quic_early_data_enabled(ssl, 1);
|
||||
#endif
|
||||
return ssl;
|
||||
}
|
||||
|
||||
@@ -4838,7 +4905,11 @@ doq_conn_setup(struct doq_conn* conn, uint8_t* scid, size_t scidlen,
|
||||
log_err("doq_ssl_server_setup failed");
|
||||
return 0;
|
||||
}
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
ngtcp2_conn_set_tls_native_handle(conn->conn, conn->ossl_ctx);
|
||||
#else
|
||||
ngtcp2_conn_set_tls_native_handle(conn->conn, conn->ssl);
|
||||
#endif
|
||||
doq_conn_write_enable(conn);
|
||||
return 1;
|
||||
}
|
||||
|
||||
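Review bot: In the doq_ssl_server_setup hunk, the USE_NGTCP2_CRYPTO_OSSL failure path after `ngtcp2_crypto_ossl_configure_server_session` frees `ssl` but leaves `conn->ossl_ctx`, which was created just above and bound to that ssl via ngtcp2_crypto_ossl_ctx_set_ssl; doq_conn_setup only logs and returns 0 on this failure, so unless the caller always runs doq_conn_delete on the failed conn the context leaks, and if it does, ctx_del later runs on a context that still points at a freed SSL, which would need checking against the ngtcp2 API contract. I would release it on that path, mirroring the order doq_conn_delete uses: `SSL_free(ssl); ngtcp2_crypto_ossl_ctx_del(conn->ossl_ctx); conn->ossl_ctx = NULL;`. Separately, the log text in doq_table_create reads `ngtcp2_crypto_oss_init failed` while the function called is ngtcp2_crypto_ossl_init, which will mislead anyone grepping logs.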
@@ -52,6 +52,9 @@
|
||||
#ifdef HAVE_NGTCP2
|
||||
#include <ngtcp2/ngtcp2.h>
|
||||
#include <ngtcp2/ngtcp2_crypto.h>
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
struct ngtcp2_crypto_ossl_ctx;
|
||||
#endif
|
||||
#endif
|
||||
struct listen_list;
|
||||
struct config_file;
|
||||
@@ -606,9 +609,13 @@ struct doq_conn {
|
||||
uint8_t tls_alert;
|
||||
/** the ssl context, SSL* */
|
||||
void* ssl;
|
||||
#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT
|
||||
#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT)
|
||||
/** the connection reference for ngtcp2_conn and userdata in ssl */
|
||||
struct ngtcp2_crypto_conn_ref conn_ref;
|
||||
#endif
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
/** the per-connection state for ngtcp2_crypto_ossl */
|
||||
struct ngtcp2_crypto_ossl_ctx* ossl_ctx;
|
||||
#endif
|
||||
/** closure packet, if any */
|
||||
uint8_t* close_pkt;
|
||||
|
||||
@@ -2265,6 +2265,7 @@ mesh_stats_clear(struct mesh_area* mesh)
|
||||
timehist_clear(mesh->histogram);
|
||||
mesh->ans_secure = 0;
|
||||
mesh->ans_bogus = 0;
|
||||
mesh->val_ops = 0;
|
||||
mesh->ans_expired = 0;
|
||||
mesh->ans_cachedb = 0;
|
||||
memset(&mesh->ans_rcode[0], 0, sizeof(size_t)*UB_STATS_RCODE_NUM);
|
||||
|
||||
@@ -131,6 +131,8 @@ struct mesh_area {
|
||||
size_t ans_secure;
|
||||
/** (extended stats) bogus replies */
|
||||
size_t ans_bogus;
|
||||
/** (extended stats) number of validation operations */
|
||||
size_t val_ops;
|
||||
/** (extended stats) rcodes in replies */
|
||||
size_t ans_rcode[UB_STATS_RCODE_NUM];
|
||||
/** (extended stats) rcode nodata in replies */
|
||||
|
||||
+2
-2
@@ -138,8 +138,8 @@ modstack_config(struct module_stack* stack, const char* module_conf)
|
||||
if(strchr(s, ' ')) *(strchr(s, ' ')) = 0;
|
||||
if(strchr(s, '\t')) *(strchr(s, '\t')) = 0;
|
||||
log_err("Unknown value in module-config, module: '%s'."
|
||||
" This module is not present (not compiled in),"
|
||||
" See the list of linked modules with unbound -V", s);
|
||||
" This module is not present (not compiled in);"
|
||||
" see the list of linked modules with unbound -V", s);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
+1
-1
@@ -67,7 +67,7 @@ void modstack_init(struct module_stack* stack);
|
||||
void modstack_free(struct module_stack* stack);
|
||||
|
||||
/**
|
||||
* Initialises modules and assignes ids. Calls module_startup().
|
||||
* Initialises modules and assigns ids. Calls module_startup().
|
||||
* @param stack: Expected empty, filled according to module_conf
|
||||
* @param module_conf: string what modules to initialize
|
||||
* @param env: module environment which is inited by the modules.
|
||||
|
||||
@@ -2827,7 +2827,7 @@ serviced_perturb_qname(struct ub_randstate* rnd, uint8_t* qbuf, size_t len)
|
||||
random = ub_random(rnd);
|
||||
bits = 30;
|
||||
}
|
||||
if(random & 0x1) {
|
||||
if((random & 0x1)) {
|
||||
*d = (uint8_t)toupper((unsigned char)*d);
|
||||
} else {
|
||||
*d = (uint8_t)tolower((unsigned char)*d);
|
||||
@@ -2890,9 +2890,9 @@ serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns)
|
||||
edns.opt_list_inplace_cb_out = NULL;
|
||||
edns.udp_size = serviced_query_udp_size(sq, sq->status);
|
||||
edns.bits = 0;
|
||||
if(sq->dnssec & EDNS_DO)
|
||||
if((sq->dnssec & EDNS_DO))
|
||||
edns.bits = EDNS_DO;
|
||||
if(sq->dnssec & BIT_CD)
|
||||
if((sq->dnssec & BIT_CD))
|
||||
LDNS_CD_SET(sldns_buffer_begin(buff));
|
||||
if (sq->ssl_upstream && sq->padding_block_size) {
|
||||
padding_option.opt_code = LDNS_EDNS_PADDING;
|
||||
|
||||
+19
-1
@@ -2121,8 +2121,17 @@ rpz_synthesize_nsdname_localdata(struct rpz* r, struct module_qstate* ms,
|
||||
rpz_log_dname("nsdname local data", key.name, key.namelen);
|
||||
|
||||
ld = (struct local_data*)rbtree_search(&z->data, &key.node);
|
||||
if(ld == NULL && dname_is_wild(z->name)) {
|
||||
key.name = z->name;
|
||||
key.namelen = z->namelen;
|
||||
key.namelabs = z->namelabs;
|
||||
ld = (struct local_data*)rbtree_search(&z->data, &key.node);
|
||||
/* rpz_synthesize_localdata_from_rrset is going to make
|
||||
* the rrset source name equal to the query name. So no need
|
||||
* to make the wildcard rrset here. */
|
||||
}
|
||||
if(ld == NULL) {
|
||||
verbose(VERB_ALGO, "rpz: nsdname: impossible: qname not found");
|
||||
verbose(VERB_ALGO, "rpz: nsdname: qname not found");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -2148,6 +2157,15 @@ rpz_synthesize_qname_localdata_msg(struct rpz* r, struct module_qstate* ms,
|
||||
key.namelen = qinfo->qname_len;
|
||||
key.namelabs = dname_count_labels(qinfo->qname);
|
||||
ld = (struct local_data*)rbtree_search(&z->data, &key.node);
|
||||
if(ld == NULL && dname_is_wild(z->name)) {
|
||||
key.name = z->name;
|
||||
key.namelen = z->namelen;
|
||||
key.namelabs = z->namelabs;
|
||||
ld = (struct local_data*)rbtree_search(&z->data, &key.node);
|
||||
/* rpz_synthesize_localdata_from_rrset is going to make
|
||||
* the rrset source name equal to the query name. So no need
|
||||
* to make the wildcard rrset here. */
|
||||
}
|
||||
if(ld == NULL) {
|
||||
verbose(VERB_ALGO, "rpz: qname: name not found");
|
||||
return NULL;
|
||||
|
||||
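Review bot: The wildcard fallback added to rpz_synthesize_nsdname_localdata is repeated verbatim in rpz_synthesize_qname_localdata_msg, including the three-line comment, so the two lookups are likely to drift apart on the next change; a small static helper would keep them in step. Both functions start and end outside their hunks. The sketch below uses the types as they appear in the hunk (a local_data key searched in z->data) and should be checked against the actual declarations.
```c
/** Look up local data for key; when the zone name itself is a wildcard and
 * nothing matched, retry with the zone name. key is updated in place. */
static struct local_data*
rpz_localdata_lookup_wild(struct local_zone* z, struct local_data* key)
{
	struct local_data* ld = (struct local_data*)rbtree_search(&z->data, &key->node);
	if(ld == NULL && dname_is_wild(z->name)) {
		key->name = z->name;
		key->namelen = z->namelen;
		key->namelabs = z->namelabs;
		/* rpz_synthesize_localdata_from_rrset is going to make
		 * the rrset source name equal to the query name. So no need
		 * to make the wildcard rrset here. */
		ld = (struct local_data*)rbtree_search(&z->data, &key->node);
	}
	return ld;
}
/* … in both callers, replacing the rbtree_search plus wildcard block … */
ld = rpz_localdata_lookup_wild(z, &key);
```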
+2
-2
@@ -124,7 +124,7 @@ uint16_t sldns_calc_keytag_raw(uint8_t* key, size_t keysize)
|
||||
size_t i;
|
||||
uint32_t ac32 = 0;
|
||||
for (i = 0; i < keysize; ++i) {
|
||||
ac32 += (i & 1) ? key[i] : key[i] << 8;
|
||||
ac32 += ((i & 1)) ? key[i] : key[i] << 8;
|
||||
}
|
||||
ac32 += (ac32 >> 16) & 0xFFFF;
|
||||
return (uint16_t) (ac32 & 0xFFFF);
|
||||
@@ -272,7 +272,7 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
|
||||
return NULL;
|
||||
}
|
||||
if (!DSA_set0_key(dsa, Y, NULL)) {
|
||||
/* QPG attached, cleaned up by DSA_fre() */
|
||||
/* QPG attached, cleaned up by DSA_free() */
|
||||
DSA_free(dsa);
|
||||
BN_free(Y);
|
||||
return NULL;
|
||||
|
||||
+1
-1
@@ -857,7 +857,7 @@ rrinternal_parse_rdata(sldns_buffer* strbuf, char* token, size_t token_len,
|
||||
while (rdata_len && *rdata != 0) {
|
||||
uint8_t label_len;
|
||||
|
||||
if (*rdata & 0xC0)
|
||||
if ((*rdata & 0xC0))
|
||||
return LDNS_WIREPARSE_ERR_OK;
|
||||
|
||||
label_len = *rdata + 1;
|
||||
|
||||
+1
-1
@@ -262,7 +262,7 @@ int sldns_wire2str_rdata_unknown_scan(uint8_t** data, size_t* data_len,
|
||||
* @param pkt: packet for decompression, if NULL no decompression.
|
||||
* @param pktlen: length of packet buffer.
|
||||
* @param comprloop: inout bool, that is set true if compression loop failure
|
||||
* happens. Pass in 0, if passsed in as true, a lower bound is set
|
||||
* happens. Pass in 0, if passed in as true, a lower bound is set
|
||||
* on compression loops to stop arbitrary long packet parse times.
|
||||
* This is meant so you can set it to 0 at the start of a list of dnames,
|
||||
* and then scan all of them in sequence, if a loop happens, it becomes
|
||||
|
||||
@@ -382,7 +382,7 @@ read_cert_file(const char* file)
|
||||
STACK_OF(X509)* sk;
|
||||
FILE* in;
|
||||
int content = 0;
|
||||
char buf[128];
|
||||
long flen;
|
||||
if(file == NULL || strcmp(file, "") == 0) {
|
||||
return NULL;
|
||||
}
|
||||
@@ -399,6 +399,11 @@ read_cert_file(const char* file)
|
||||
#endif
|
||||
return NULL;
|
||||
}
|
||||
if(fseek(in, 0, SEEK_END) < 0)
|
||||
printf("%s fseek: %s\n", file, strerror(errno));
|
||||
flen = ftell(in);
|
||||
if(fseek(in, 0, SEEK_SET) < 0)
|
||||
printf("%s fseek: %s\n", file, strerror(errno));
|
||||
while(!feof(in)) {
|
||||
X509* x = PEM_read_X509(in, NULL, NULL, NULL);
|
||||
if(x == NULL) {
|
||||
@@ -414,8 +419,9 @@ read_cert_file(const char* file)
|
||||
exit(0);
|
||||
}
|
||||
content = 1;
|
||||
/* read away newline after --END CERT-- */
|
||||
if(!fgets(buf, (int)sizeof(buf), in))
|
||||
/* feof may not be true yet, but if the position is
|
||||
* at end of file, stop reading more certificates. */
|
||||
if(ftell(in) == flen)
|
||||
break;
|
||||
}
|
||||
fclose(in);
|
||||
|
||||
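Review bot: The new end-of-file test in read_cert_file compares `ftell(in) == flen` without handling ftell failure: on a non-seekable stream (where the preceding fseek also fails and is only printed) both sides are -1 after the first certificate and the loop breaks, so a bundle is silently truncated to one certificate. I would only use the length when it is valid, `if(flen >= 0 && ftell(in) == flen) break;`, and keep the old fgets read-away (or a feof check) as the fallback when flen is -1. The fseek diagnostics also go to stdout via printf; stderr is the better channel for a tool whose stdout may be consumed by scripts. The end of read_cert_file is outside the hunk.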
@@ -294,7 +294,8 @@ view_and_respipchecks(struct config_file* cfg)
|
||||
{
|
||||
struct views* views = NULL;
|
||||
struct respip_set* respip = NULL;
|
||||
int ignored = 0;
|
||||
int have_view_respip_cfg = 0;
|
||||
int use_response_ip = 0;
|
||||
if(!(views = views_create()))
|
||||
fatal_exit("Could not create views: out of memory");
|
||||
if(!(respip = respip_set_create()))
|
||||
@@ -303,8 +304,11 @@ view_and_respipchecks(struct config_file* cfg)
|
||||
fatal_exit("Could not set up views");
|
||||
if(!respip_global_apply_cfg(respip, cfg))
|
||||
fatal_exit("Could not setup respip set");
|
||||
if(!respip_views_apply_cfg(views, cfg, &ignored))
|
||||
if(!respip_views_apply_cfg(views, cfg, &have_view_respip_cfg))
|
||||
fatal_exit("Could not setup per-view respip sets");
|
||||
use_response_ip = !respip_set_is_empty(respip) || have_view_respip_cfg;
|
||||
if(use_response_ip && !strstr(cfg->module_conf, "respip"))
|
||||
fatal_exit("response-ip options require respip module");
|
||||
acl_view_tag_checks(cfg, views);
|
||||
views_delete(views);
|
||||
respip_set_delete(respip);
|
||||
@@ -450,6 +454,39 @@ ifautomaticportschecks(char* ifautomaticports)
|
||||
}
|
||||
}
|
||||
|
||||
/** check control interface strings */
|
||||
static void
|
||||
controlinterfacechecks(struct config_file* cfg)
|
||||
{
|
||||
struct config_strlist* p;
|
||||
for(p = cfg->control_ifs.first; p; p = p->next) {
|
||||
struct sockaddr_storage a;
|
||||
socklen_t alen;
|
||||
char** rcif = NULL;
|
||||
int i, num_rcif = 0;
|
||||
/* See if it is a local socket, starts with a '/'. */
|
||||
if(p->str && p->str[0] == '/')
|
||||
continue;
|
||||
if(!resolve_interface_names(&p->str, 1, NULL, &rcif,
|
||||
&num_rcif)) {
|
||||
fatal_exit("could not resolve interface names, for control-interface: %s",
|
||||
p->str);
|
||||
}
|
||||
for(i=0; i<num_rcif; i++) {
|
||||
if(!extstrtoaddr(rcif[i], &a, &alen,
|
||||
cfg->control_port)) {
|
||||
if(strcmp(p->str, rcif[i])!=0)
|
||||
fatal_exit("cannot parse control-interface address '%s' from the control-interface specified as '%s'",
|
||||
rcif[i], p->str);
|
||||
else
|
||||
fatal_exit("cannot parse control-interface specified as '%s'",
|
||||
p->str);
|
||||
}
|
||||
}
|
||||
config_del_strarray(rcif, num_rcif);
|
||||
}
|
||||
}
|
||||
|
||||
/** check acl ips */
|
||||
static void
|
||||
aclchecks(struct config_file* cfg)
|
||||
@@ -636,8 +673,10 @@ check_modules_exist(const char* module_conf)
|
||||
}
|
||||
n[j] = s[j];
|
||||
}
|
||||
fatal_exit("module_conf lists module '%s' but that "
|
||||
"module is not available.", n);
|
||||
fatal_exit("Unknown value in module-config, module: "
|
||||
"'%s'. This module is not present (not "
|
||||
"compiled in); see the list of linked modules "
|
||||
"with unbound -V", n);
|
||||
}
|
||||
s += strlen(names[i]);
|
||||
}
|
||||
@@ -926,6 +965,8 @@ morechecks(struct config_file* cfg)
|
||||
fatal_exit("control-cert-file: \"%s\" does not exist",
|
||||
cfg->control_cert_file);
|
||||
}
|
||||
if(cfg->remote_control_enable)
|
||||
controlinterfacechecks(cfg);
|
||||
|
||||
donotquerylocalhostcheck(cfg);
|
||||
localzonechecks(cfg);
|
||||
@@ -966,6 +1007,8 @@ check_auth(struct config_file* cfg)
|
||||
if(!az || !auth_zones_apply_cfg(az, cfg, 0, &is_rpz, NULL, NULL)) {
|
||||
fatal_exit("Could not setup authority zones");
|
||||
}
|
||||
if(is_rpz && !strstr(cfg->module_conf, "respip"))
|
||||
fatal_exit("RPZ requires the respip module");
|
||||
auth_zones_delete(az);
|
||||
}
|
||||
|
||||
|
||||
@@ -143,6 +143,8 @@ usage(void)
|
||||
printf(" load_cache load cache from stdin\n");
|
||||
printf(" (not supported in remote unbounds in\n");
|
||||
printf(" multi-process operation)\n");
|
||||
printf(" cache_lookup [+t] <names> print rrsets and msgs at or under the names\n");
|
||||
printf(" +t allow tld and root names.\n");
|
||||
printf(" lookup <name> print nameservers for name\n");
|
||||
printf(" flush [+c] <name> flushes common types for name from cache\n");
|
||||
printf(" types: A, AAAA, MX, PTR, NS,\n");
|
||||
@@ -409,6 +411,7 @@ static void print_extended(struct ub_stats_info* s, int inhibit_zero)
|
||||
PR_UL("num.answer.secure", s->svr.ans_secure);
|
||||
PR_UL("num.answer.bogus", s->svr.ans_bogus);
|
||||
PR_UL("num.rrset.bogus", s->svr.rrset_bogus);
|
||||
PR_UL("num.valops", s->svr.val_ops);
|
||||
PR_UL("num.query.aggressive.NOERROR", s->svr.num_neg_cache_noerror);
|
||||
PR_UL("num.query.aggressive.NXDOMAIN", s->svr.num_neg_cache_nxdomain);
|
||||
/* threat detection */
|
||||
|
||||
@@ -388,7 +388,7 @@ static int http2_frame_recv_cb(nghttp2_session *session,
|
||||
}
|
||||
if(((frame->hd.type != NGHTTP2_DATA &&
|
||||
frame->hd.type != NGHTTP2_HEADERS) ||
|
||||
frame->hd.flags & NGHTTP2_FLAG_END_STREAM) &&
|
||||
(frame->hd.flags & NGHTTP2_FLAG_END_STREAM)) &&
|
||||
h2_stream->res_status == 200) {
|
||||
char* pktstr;
|
||||
sldns_buffer_flip(h2_stream->buf);
|
||||
|
||||
+60
-11
@@ -48,10 +48,13 @@
|
||||
#ifdef HAVE_NGTCP2
|
||||
#include <ngtcp2/ngtcp2.h>
|
||||
#include <ngtcp2/ngtcp2_crypto.h>
|
||||
#ifdef HAVE_NGTCP2_NGTCP2_CRYPTO_QUICTLS_H
|
||||
#ifdef HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H
|
||||
#include <ngtcp2/ngtcp2_crypto_ossl.h>
|
||||
#elif defined(HAVE_NGTCP2_NGTCP2_CRYPTO_QUICTLS_H)
|
||||
#include <ngtcp2/ngtcp2_crypto_quictls.h>
|
||||
#else
|
||||
#elif defined(HAVE_NGTCP2_NGTCP2_CRYPTO_OPENSSL_H)
|
||||
#include <ngtcp2/ngtcp2_crypto_openssl.h>
|
||||
#define MAKE_QUIC_METHOD 1
|
||||
#endif
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/rand.h>
|
||||
@@ -107,9 +110,13 @@ struct doq_client_data {
|
||||
SSL_CTX* ctx;
|
||||
/** SSL object */
|
||||
SSL* ssl;
|
||||
#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT
|
||||
#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT)
|
||||
/** the connection reference for ngtcp2_conn and userdata in ssl */
|
||||
struct ngtcp2_crypto_conn_ref conn_ref;
|
||||
#endif
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
/** the per-connection state for ngtcp2_crypto_ossl */
|
||||
struct ngtcp2_crypto_ossl_ctx* ossl_ctx;
|
||||
#endif
|
||||
/** the quic version to use */
|
||||
uint32_t quic_version;
|
||||
@@ -197,11 +204,12 @@ struct doq_client_stream {
|
||||
int query_is_done;
|
||||
};
|
||||
|
||||
#ifndef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT
|
||||
#ifdef MAKE_QUIC_METHOD
|
||||
/** the quic method struct, must remain valid during the QUIC connection. */
|
||||
static SSL_QUIC_METHOD quic_method;
|
||||
#endif
|
||||
|
||||
#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT)
|
||||
/** Get the connection ngtcp2_conn from the ssl app data
|
||||
* ngtcp2_crypto_conn_ref */
|
||||
static ngtcp2_conn* conn_ref_get_conn(ngtcp2_crypto_conn_ref* conn_ref)
|
||||
@@ -210,11 +218,12 @@ static ngtcp2_conn* conn_ref_get_conn(ngtcp2_crypto_conn_ref* conn_ref)
|
||||
conn_ref->user_data;
|
||||
return data->conn;
|
||||
}
|
||||
#endif
|
||||
|
||||
static void
|
||||
set_app_data(SSL* ssl, struct doq_client_data* data)
|
||||
{
|
||||
#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT
|
||||
#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT)
|
||||
data->conn_ref.get_conn = &conn_ref_get_conn;
|
||||
data->conn_ref.user_data = data;
|
||||
SSL_set_app_data(ssl, &data->conn_ref);
|
||||
@@ -227,7 +236,7 @@ static struct doq_client_data*
|
||||
get_app_data(SSL* ssl)
|
||||
{
|
||||
struct doq_client_data* data;
|
||||
#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT
|
||||
#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT)
|
||||
data = (struct doq_client_data*)((struct ngtcp2_crypto_conn_ref*)
|
||||
SSL_get_app_data(ssl))->user_data;
|
||||
#else
|
||||
@@ -893,7 +902,7 @@ handshake_completed(ngtcp2_conn* ATTR_UNUSED(conn), void* user_data)
|
||||
verbose(1, "early data was accepted by the server");
|
||||
}
|
||||
}
|
||||
#ifdef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT
|
||||
#if defined(USE_NGTCP2_CRYPTO_OSSL) || defined(HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT)
|
||||
if(data->transport_file) {
|
||||
early_data_write_transport(data);
|
||||
}
|
||||
@@ -1207,7 +1216,7 @@ early_data_write_transport(struct doq_client_data* data)
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifndef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT
|
||||
#ifdef MAKE_QUIC_METHOD
|
||||
/** applicatation rx key callback, this is where the rx key is set,
|
||||
* and streams can be opened, like http3 unidirectional streams, like
|
||||
* the http3 control and http3 qpack encode and decoder streams. */
|
||||
@@ -1317,7 +1326,7 @@ send_alert(SSL *ssl, enum ssl_encryption_level_t ATTR_UNUSED(level),
|
||||
data->tls_alert = alert;
|
||||
return 1;
|
||||
}
|
||||
#endif /* HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT */
|
||||
#endif /* MAKE_QUIC_METHOD */
|
||||
|
||||
/** new session callback. We can write it to file for resumption later. */
|
||||
static int
|
||||
@@ -1357,7 +1366,7 @@ ctx_client_setup(void)
|
||||
log_err("ngtcp2_crypto_quictls_configure_client_context failed");
|
||||
exit(1);
|
||||
}
|
||||
#else
|
||||
#elif defined(MAKE_QUIC_METHOD)
|
||||
memset(&quic_method, 0, sizeof(quic_method));
|
||||
quic_method.set_encryption_secrets = &set_encryption_secrets;
|
||||
quic_method.add_handshake_data = &add_handshake_data;
|
||||
@@ -1373,22 +1382,39 @@ ctx_client_setup(void)
|
||||
static SSL*
|
||||
ssl_client_setup(struct doq_client_data* data)
|
||||
{
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
int ret;
|
||||
#endif
|
||||
SSL* ssl = SSL_new(data->ctx);
|
||||
if(!ssl) {
|
||||
log_crypto_err("Could not SSL_new");
|
||||
exit(1);
|
||||
}
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
if((ret=ngtcp2_crypto_ossl_ctx_new(&data->ossl_ctx, NULL)) != 0) {
|
||||
log_err("ngtcp2_crypto_ossl_ctx_new failed: %s",
|
||||
ngtcp2_strerror(ret));
|
||||
exit(1);
|
||||
}
|
||||
ngtcp2_crypto_ossl_ctx_set_ssl(data->ossl_ctx, ssl);
|
||||
if(ngtcp2_crypto_ossl_configure_client_session(ssl) != 0) {
|
||||
log_err("ngtcp2_crypto_ossl_configure_client_session failed");
|
||||
exit(1);
|
||||
}
|
||||
#endif
|
||||
set_app_data(ssl, data);
|
||||
SSL_set_connect_state(ssl);
|
||||
if(!SSL_set_fd(ssl, data->fd)) {
|
||||
log_crypto_err("Could not SSL_set_fd");
|
||||
exit(1);
|
||||
}
|
||||
#ifndef USE_NGTCP2_CRYPTO_OSSL
|
||||
if((data->quic_version & 0xff000000) == 0xff000000) {
|
||||
SSL_set_quic_use_legacy_codepoint(ssl, 1);
|
||||
} else {
|
||||
SSL_set_quic_use_legacy_codepoint(ssl, 0);
|
||||
}
|
||||
#endif
|
||||
SSL_set_alpn_protos(ssl, (const unsigned char *)"\x03""doq", 4);
|
||||
/* send the SNI host name */
|
||||
SSL_set_tlsext_host_name(ssl, "localhost");
|
||||
@@ -2072,7 +2098,11 @@ early_data_setup_session(struct doq_client_data* data)
|
||||
SSL_SESSION_free(session);
|
||||
return 0;
|
||||
}
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
SSL_set_quic_tls_early_data_enabled(data->ssl, 1);
|
||||
#else
|
||||
SSL_set_quic_early_data_enabled(data->ssl, 1);
|
||||
#endif
|
||||
SSL_SESSION_free(session);
|
||||
return 1;
|
||||
}
|
||||
@@ -2221,6 +2251,15 @@ create_doq_client_data(const char* svr, int port, struct ub_event_base* base,
|
||||
data = calloc(1, sizeof(*data));
|
||||
if(!data) fatal_exit("calloc failed: out of memory");
|
||||
data->base = base;
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
/* Initialize the ossl crypto, it is harmless to call twice,
|
||||
* and this is before use of doq connections. */
|
||||
if(ngtcp2_crypto_ossl_init() != 0)
|
||||
fatal_exit("ngtcp2_crypto_oss_init failed");
|
||||
#elif defined(HAVE_NGTCP2_CRYPTO_QUICTLS_INIT)
|
||||
if(ngtcp2_crypto_quictls_init() != 0)
|
||||
fatal_exit("ngtcp2_crypto_quictls_init failed");
|
||||
#endif
|
||||
data->rnd = ub_initstate(NULL);
|
||||
if(!data->rnd) fatal_exit("ub_initstate failed: out of memory");
|
||||
data->svr = svr;
|
||||
@@ -2255,7 +2294,11 @@ create_doq_client_data(const char* svr, int port, struct ub_event_base* base,
|
||||
SSL_CTX_sess_set_new_cb(data->ctx, new_session_cb);
|
||||
}
|
||||
data->ssl = ssl_client_setup(data);
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
ngtcp2_conn_set_tls_native_handle(data->conn, data->ossl_ctx);
|
||||
#else
|
||||
ngtcp2_conn_set_tls_native_handle(data->conn, data->ssl);
|
||||
#endif
|
||||
if(data->early_data_enabled)
|
||||
early_data_setup(data);
|
||||
|
||||
@@ -2301,8 +2344,14 @@ delete_doq_client_data(struct doq_client_data* data)
|
||||
}
|
||||
}
|
||||
#endif
|
||||
ngtcp2_conn_del(data->conn);
|
||||
/* Remove the app data from ngtcp2 before SSL_free of conn->ssl,
|
||||
* because the ngtcp2 conn is deleted. */
|
||||
SSL_set_app_data(data->ssl, NULL);
|
||||
SSL_free(data->ssl);
|
||||
#ifdef USE_NGTCP2_CRYPTO_OSSL
|
||||
ngtcp2_crypto_ossl_ctx_del(data->ossl_ctx);
|
||||
#endif
|
||||
ngtcp2_conn_del(data->conn);
|
||||
sldns_buffer_free(data->pkt_buf);
|
||||
sldns_buffer_free(data->blocked_pkt);
|
||||
if(data->fd != -1)
|
||||
|
||||
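Review bot: The failure message added in create_doq_client_data names a function that does not exist: `fatal_exit("ngtcp2_crypto_oss_init failed");` should be `fatal_exit("ngtcp2_crypto_ossl_init failed");` so the log line matches the call directly above it. The comment added in delete_doq_client_data says the app data is cleared "because the ngtcp2 conn is deleted", but in the new order `ngtcp2_conn_del(data->conn)` runs after `SSL_free`, so the stated reason no longer holds; reword it to say what the early clear actually protects against, e.g. that TLS callbacks fired during SSL_free must not follow conn_ref into a connection that is being torn down (confirm that is the intent). In ssl_client_setup the new `ngtcp2_crypto_ossl_ctx_new` error path exits without releasing the freshly created `ssl`, which is harmless given the exit but differs from the surrounding error paths; `SSL_free(ssl)` before `exit(1)` would keep leak checkers quiet.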
+34
-12
@@ -188,6 +188,22 @@ delete_replay_answer(struct replay_answer* a)
|
||||
free(a);
|
||||
}
|
||||
|
||||
/** Log the packet for a reply_packet from testpkts. */
|
||||
static void
|
||||
log_testpkt_reply_pkt(const char* txt, struct reply_packet* reppkt)
|
||||
{
|
||||
if(!reppkt) {
|
||||
log_info("%s <null>", txt);
|
||||
return;
|
||||
}
|
||||
if(reppkt->reply_from_hex) {
|
||||
log_pkt(txt, sldns_buffer_begin(reppkt->reply_from_hex),
|
||||
sldns_buffer_limit(reppkt->reply_from_hex));
|
||||
return;
|
||||
}
|
||||
log_pkt(txt, reppkt->reply_pkt, reppkt->reply_len);
|
||||
}
|
||||
|
||||
/**
|
||||
* return: true if pending query matches the now event.
|
||||
*/
|
||||
@@ -240,9 +256,8 @@ pending_find_match(struct replay_runtime* runtime, struct entry** entry,
|
||||
p->start_step, p->end_step, (*entry)->lineno);
|
||||
if(p->addrlen != 0)
|
||||
log_addr(0, "matched ip", &p->addr, p->addrlen);
|
||||
log_pkt("matched pkt: ",
|
||||
(*entry)->reply_list->reply_pkt,
|
||||
(*entry)->reply_list->reply_len);
|
||||
log_testpkt_reply_pkt("matched pkt: ",
|
||||
(*entry)->reply_list);
|
||||
return 1;
|
||||
}
|
||||
p = p->next_range;
|
||||
@@ -330,7 +345,7 @@ fill_buffer_with_reply(sldns_buffer* buffer, struct entry* entry, uint8_t* q,
|
||||
while(reppkt && i--)
|
||||
reppkt = reppkt->next;
|
||||
if(!reppkt) fatal_exit("extra packet read from TCP stream but none is available");
|
||||
log_pkt("extra_packet ", reppkt->reply_pkt, reppkt->reply_len);
|
||||
log_testpkt_reply_pkt("extra packet ", reppkt);
|
||||
}
|
||||
if(reppkt->reply_from_hex) {
|
||||
c = sldns_buffer_begin(reppkt->reply_from_hex);
|
||||
@@ -462,8 +477,7 @@ fake_front_query(struct replay_runtime* runtime, struct replay_moment *todo)
|
||||
repinfo.c->type = comm_udp;
|
||||
fill_buffer_with_reply(repinfo.c->buffer, todo->match, NULL, 0, 0);
|
||||
log_info("testbound: incoming QUERY");
|
||||
log_pkt("query pkt", todo->match->reply_list->reply_pkt,
|
||||
todo->match->reply_list->reply_len);
|
||||
log_testpkt_reply_pkt("query pkt ", todo->match->reply_list);
|
||||
/* call the callback for incoming queries */
|
||||
if((*runtime->callback_query)(repinfo.c, runtime->cb_arg,
|
||||
NETEVENT_NOERROR, &repinfo)) {
|
||||
@@ -900,8 +914,10 @@ run_scenario(struct replay_runtime* runtime)
|
||||
runtime->now->evt_type == repevt_front_reply) {
|
||||
answer_check_it(runtime);
|
||||
advance_moment(runtime);
|
||||
} else if(pending_matches_range(runtime, &entry, &pending)) {
|
||||
answer_callback_from_entry(runtime, entry, pending);
|
||||
} else if(runtime->now && pending_matches_range(runtime,
|
||||
&entry, &pending)) {
|
||||
if(entry)
|
||||
answer_callback_from_entry(runtime, entry, pending);
|
||||
} else {
|
||||
do_moment_and_advance(runtime);
|
||||
}
|
||||
@@ -1254,7 +1270,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
|
||||
struct query_info* qinfo, uint16_t flags, int dnssec,
|
||||
int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps),
|
||||
int ATTR_UNUSED(check_ratelimit),
|
||||
int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream),
|
||||
int tcp_upstream, int ATTR_UNUSED(ssl_upstream),
|
||||
char* ATTR_UNUSED(tls_auth_name), struct sockaddr_storage* addr,
|
||||
socklen_t addrlen, uint8_t* zone, size_t zonelen,
|
||||
struct module_qstate* qstate, comm_point_callback_type* callback,
|
||||
@@ -1274,7 +1290,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
|
||||
(flags&~(BIT_RD|BIT_CD))?" MORE":"", (dnssec)?" DO":"");
|
||||
|
||||
/* create packet with EDNS */
|
||||
pend->buffer = sldns_buffer_new(512);
|
||||
pend->buffer = sldns_buffer_new(4096);
|
||||
log_assert(pend->buffer);
|
||||
sldns_buffer_write_u16(pend->buffer, 0); /* id */
|
||||
sldns_buffer_write_u16(pend->buffer, flags);
|
||||
@@ -1334,7 +1350,13 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
|
||||
edns.opt_list_in = NULL;
|
||||
edns.opt_list_out = per_upstream_opt_list;
|
||||
edns.opt_list_inplace_cb_out = NULL;
|
||||
attach_edns_record(pend->buffer, &edns);
|
||||
if(sldns_buffer_capacity(pend->buffer) >=
|
||||
sldns_buffer_limit(pend->buffer)
|
||||
+calc_edns_field_size(&edns)) {
|
||||
attach_edns_record(pend->buffer, &edns);
|
||||
} else {
|
||||
verbose(VERB_ALGO, "edns field too large to fit");
|
||||
}
|
||||
}
|
||||
memcpy(&pend->addr, addr, addrlen);
|
||||
pend->addrlen = addrlen;
|
||||
@@ -1345,7 +1367,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
|
||||
pend->callback = callback;
|
||||
pend->cb_arg = callback_arg;
|
||||
pend->timeout = UDP_AUTH_QUERY_TIMEOUT/1000;
|
||||
pend->transport = transport_udp; /* pretend UDP */
|
||||
pend->transport = tcp_upstream?transport_tcp:transport_udp;
|
||||
pend->pkt = NULL;
|
||||
pend->runtime = runtime;
|
||||
pend->serviced = 1;
|
||||
|
||||
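Review bot: In run_scenario the new `if(entry)` guard means an iteration where pending_matches_range() returned true but left entry NULL now runs neither answer_callback_from_entry nor do_moment_and_advance, and nothing in the hunk shows what moves the scenario forward in that case; the enclosing loop starts outside the hunk, so if pending_matches_range already consumes the pending query or advances the moment, a comment such as `/* matched range with no entry: pending_matches_range already handled it */` would make the empty branch intentional, and if it does not, the loop can spin. The capacity test added before attach_edns_record compares against sldns_buffer_limit, which only reflects the data length if the buffer was flipped earlier in outnet_serviced_query (above the hunk); worth confirming, since on an unflipped buffer limit equals capacity and the EDNS record would never be attached. Minor: the new log labels are inconsistent in trailing whitespace (`"query pkt "`, `"extra packet "`, `"matched pkt: "`).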
+1
-1
@@ -256,7 +256,7 @@ setup_ctx(char* key, char* cert)
|
||||
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
||||
if (!SSL_CTX_set_ecdh_auto(ctx,1))
|
||||
if(verb>=1) printf("failed to set_ecdh_auto, not enabling ECDHE\n");
|
||||
#elif defined(USE_ECDSA) && defined(HAVE_SSL_CTX_SET_TMP_ECDH)
|
||||
#elif defined(USE_ECDSA) && HAVE_DECL_SSL_CTX_SET_TMP_ECDH
|
||||
if(1) {
|
||||
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
|
||||
if (!ecdh) {
|
||||
|
||||
+3
-1
@@ -795,7 +795,7 @@ macro_expand(rbtree_type* store, struct replay_runtime* runtime, char** text)
|
||||
char buf[10240];
|
||||
char* at = *text;
|
||||
size_t len = macro_length(at);
|
||||
int dofunc = 0;
|
||||
int tries = 0, dofunc = 0;
|
||||
char* arithstart = NULL;
|
||||
if(len >= sizeof(buf))
|
||||
return NULL; /* too long */
|
||||
@@ -834,6 +834,8 @@ macro_expand(rbtree_type* store, struct replay_runtime* runtime, char** text)
|
||||
/* actual macro text expansion */
|
||||
while(*at) {
|
||||
size_t remain = sizeof(buf)-strlen(buf);
|
||||
if(tries++ > 10000)
|
||||
return NULL; /* looks like got into an infinite loop, bail out */
|
||||
if(strncmp(at, "${", 2) == 0) {
|
||||
at = do_macro_recursion(store, runtime, at, remain);
|
||||
} else if(*at == '$') {
|
||||
|
||||
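Review bot: The loop bound added to macro_expand is a bare magic number, `if(tries++ > 10000)`; give it a name such as `#define MACRO_EXPAND_MAX_TRIES 10000` next to the other constants and use it here, so the "infinite loop" comment refers to a documented limit. The `return NULL` on that line leaves the function the same way the existing "too long" check does, so no cleanup is skipped as far as the hunk shows; macro_expand's body continues outside the hunk, so confirm nothing allocated between the two returns needs freeing.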
+135
-15
@@ -293,6 +293,16 @@ setup_config(FILE* in, int* lineno, int* pass_argc, char* pass_argv[])
|
||||
fclose(cfg);
|
||||
return;
|
||||
}
|
||||
if(strncmp(parse, "fake-sha1: yes", 14) == 0) {
|
||||
/* Allow the use of SHA1 signatures for the test,
|
||||
* in case that OpenSSL disallows use of RSASHA1
|
||||
* with rh-allow-sha1-signatures disabled. */
|
||||
#ifndef UB_ON_WINDOWS
|
||||
setenv("OPENSSL_ENABLE_SHA1_SIGNATURES", "1", 0);
|
||||
#else
|
||||
_putenv("OPENSSL_ENABLE_SHA1_SIGNATURES=1");
|
||||
#endif
|
||||
}
|
||||
fputs(line, cfg);
|
||||
}
|
||||
fatal_exit("No CONFIG_END in input file");
|
||||
@@ -333,6 +343,35 @@ static void remove_configfile(void)
|
||||
cfgfiles = NULL;
|
||||
}
|
||||
|
||||
/** perform the playback on the playback_file with the args. */
|
||||
static int
|
||||
perform_playback(char* playback_file, int pass_argc, char** pass_argv)
|
||||
{
|
||||
struct replay_scenario* scen = NULL;
|
||||
int c, res;
|
||||
|
||||
/* setup test environment */
|
||||
scen = setup_playback(playback_file, &pass_argc, pass_argv);
|
||||
/* init fake event backend */
|
||||
fake_event_init(scen);
|
||||
|
||||
pass_argv[pass_argc] = NULL;
|
||||
echo_cmdline(pass_argc, pass_argv);
|
||||
|
||||
/* run the normal daemon */
|
||||
res = daemon_main(pass_argc, pass_argv);
|
||||
|
||||
fake_event_cleanup();
|
||||
for(c=1; c<pass_argc; c++)
|
||||
free(pass_argv[c]);
|
||||
return res;
|
||||
}
|
||||
|
||||
/* For fuzzing the main routine is replaced with
|
||||
* LLVMFuzzerTestOneInput. */
|
||||
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
|
||||
#define main dummy_main
|
||||
#endif
|
||||
/**
|
||||
* Main fake event test program. Setup, teardown and report errors.
|
||||
* @param argc: arg count.
|
||||
@@ -348,7 +387,6 @@ main(int argc, char* argv[])
|
||||
char* playback_file = NULL;
|
||||
int init_optind = optind;
|
||||
char* init_optarg = optarg;
|
||||
struct replay_scenario* scen = NULL;
|
||||
|
||||
/* we do not want the test to depend on the timezone */
|
||||
(void)putenv("TZ=UTC");
|
||||
@@ -456,24 +494,11 @@ main(int argc, char* argv[])
|
||||
if(atexit(&remove_configfile) != 0)
|
||||
fatal_exit("atexit() failed: %s", strerror(errno));
|
||||
|
||||
/* setup test environment */
|
||||
scen = setup_playback(playback_file, &pass_argc, pass_argv);
|
||||
/* init fake event backend */
|
||||
fake_event_init(scen);
|
||||
|
||||
pass_argv[pass_argc] = NULL;
|
||||
echo_cmdline(pass_argc, pass_argv);
|
||||
|
||||
/* reset getopt processing */
|
||||
optind = init_optind;
|
||||
optarg = init_optarg;
|
||||
|
||||
/* run the normal daemon */
|
||||
res = daemon_main(pass_argc, pass_argv);
|
||||
|
||||
fake_event_cleanup();
|
||||
for(c=1; c<pass_argc; c++)
|
||||
free(pass_argv[c]);
|
||||
res = perform_playback(playback_file, pass_argc, pass_argv);
|
||||
if(res == 0) {
|
||||
log_info("Testbound Exit Success\n");
|
||||
/* remove configfile from here, the atexit() is for when
|
||||
@@ -493,6 +518,101 @@ main(int argc, char* argv[])
|
||||
return res;
|
||||
}
|
||||
|
||||
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
|
||||
static int delete_file(const char *pathname) {
|
||||
int ret = unlink(pathname);
|
||||
free((void *)pathname);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static char *buf_to_file(const uint8_t *buf, size_t size) {
|
||||
int fd;
|
||||
size_t pos;
|
||||
char *pathname = strdup("/tmp/fuzz-XXXXXX");
|
||||
if (pathname == NULL)
|
||||
return NULL;
|
||||
|
||||
fd = mkstemp(pathname);
|
||||
if (fd == -1) {
|
||||
log_err("mkstemp of file %s failed: %s", pathname, strerror(errno));
|
||||
free(pathname);
|
||||
return NULL;
|
||||
}
|
||||
pos = 0;
|
||||
while (pos < size) {
|
||||
int nbytes = write(fd, &buf[pos], size - pos);
|
||||
if (nbytes <= 0) {
|
||||
if (nbytes == -1 && errno == EINTR)
|
||||
continue;
|
||||
log_err("write to file %s failed: %s", pathname, strerror(errno));
|
||||
goto err;
|
||||
}
|
||||
pos += nbytes;
|
||||
}
|
||||
|
||||
if (close(fd) == -1) {
|
||||
log_err("close of file %s failed: %s", pathname, strerror(errno));
|
||||
goto err;
|
||||
}
|
||||
|
||||
return pathname;
|
||||
err:
|
||||
delete_file(pathname);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* based on main() above, but with: hard-coded passed args, file created from fuzz input */
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
|
||||
{
|
||||
int c, res;
|
||||
int pass_argc = 0;
|
||||
char* pass_argv[MAXARG];
|
||||
char* playback_file = NULL;
|
||||
|
||||
/* we do not want the test to depend on the timezone */
|
||||
(void)putenv("TZ=UTC");
|
||||
memset(pass_argv, 0, sizeof(pass_argv));
|
||||
#ifdef HAVE_SYSTEMD
|
||||
/* we do not want the test to use systemd daemon startup notification*/
|
||||
(void)unsetenv("NOTIFY_SOCKET");
|
||||
#endif /* HAVE_SYSTEMD */
|
||||
|
||||
checklock_start();
|
||||
log_init(NULL, 0, NULL);
|
||||
/* determine commandline options for the daemon */
|
||||
pass_argc = 1;
|
||||
pass_argv[0] = "unbound";
|
||||
add_opts("-d", &pass_argc, pass_argv);
|
||||
|
||||
playback_file = buf_to_file(Data, Size);
|
||||
if (playback_file) {
|
||||
log_info("Start of %s testbound program.", PACKAGE_STRING);
|
||||
|
||||
res = perform_playback(playback_file, pass_argc, pass_argv);
|
||||
if(res == 0) {
|
||||
log_info("Testbound Exit Success\n");
|
||||
/* remove configfile from here, the atexit() is for when
|
||||
* there is a crash to remove the tmpdir file.
|
||||
* This one removes the file while alloc and log locks are
|
||||
* still valid, and can be logged (for memory calculation),
|
||||
* it leaves the ptr NULL so the atexit does nothing. */
|
||||
remove_configfile();
|
||||
#ifdef HAVE_PTHREAD
|
||||
/* dlopen frees its thread state (dlopen of gost engine) */
|
||||
pthread_exit(NULL);
|
||||
#endif
|
||||
}
|
||||
|
||||
delete_file(playback_file);
|
||||
}
|
||||
|
||||
if(log_get_lock()) {
|
||||
lock_basic_destroy((lock_basic_type*)log_get_lock());
|
||||
}
|
||||
return res;
|
||||
}
|
||||
#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
|
||||
|
||||
/* fake remote control */
|
||||
struct listen_port* daemon_remote_open_ports(struct config_file*
|
||||
ATTR_UNUSED(cfg))
|
||||
|
||||
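Review bot: `res` in LLVMFuzzerTestOneInput is only assigned inside `if (playback_file) { ... }`, so when buf_to_file() fails the function reaches `return res;` with an uninitialized value; initialize it, `int res = 0;`, which is also the return value a libFuzzer harness is expected to produce. The companion `c` in `int c, res;` is unused now that the argv-freeing loop lives in perform_playback, so the declaration can simply become `int res = 0;`. In buf_to_file, `int nbytes = write(fd, &buf[pos], size - pos);` narrows the ssize_t result; declare it `ssize_t nbytes`. The `pthread_exit(NULL)` carried over from main() will, if reached under the fuzzer, end the calling thread rather than return to the fuzzing loop and also bypasses the `delete_file(playback_file)` below it — presumably not intended for the harness, worth confirming.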
+19
-2
@@ -923,10 +923,14 @@ pkt_snip_edns_option(uint8_t* pkt, size_t len, sldns_edns_option code,
|
||||
if(!pkt_find_edns_opt(&opt_position, &remaining)) return 0;
|
||||
if(remaining < 8) return -1; /* malformed */
|
||||
rdlen = sldns_read_uint16(opt_position+6);
|
||||
if(remaining < ((size_t)rdlen)+8)
|
||||
return -1; /* malformed */
|
||||
rdata = opt_position + 8;
|
||||
while(rdlen > 0) {
|
||||
if(rdlen < 4) return -1; /* malformed */
|
||||
optlen = sldns_read_uint16(rdata+2);
|
||||
if((size_t)rdlen < 4+((size_t)optlen))
|
||||
return -1; /* malformed */
|
||||
if(sldns_read_uint16(rdata) == code) {
|
||||
/* save data to buf for caller inspection */
|
||||
memmove(buf, rdata+4, optlen);
|
||||
@@ -1134,8 +1138,9 @@ static void lowercase_dname(uint8_t** p, size_t* remain)
|
||||
while(**p != 0) {
|
||||
/* compressed? */
|
||||
if((**p & 0xc0) == 0xc0) {
|
||||
*p += 2;
|
||||
*remain -= 2;
|
||||
llen = *remain < 2 ? (unsigned int)*remain : 2;
|
||||
*p += llen;
|
||||
*remain -= llen;
|
||||
return;
|
||||
}
|
||||
llen = (unsigned int)**p;
|
||||
@@ -1178,6 +1183,12 @@ static void lowercase_rdata(uint8_t** p, size_t* remain,
|
||||
uint8_t len;
|
||||
if(rdataremain == 0) return;
|
||||
len = **p;
|
||||
if(rdataremain < ((size_t)len)+1) {
|
||||
/* malformed LDNS_RDF_TYPE_STR, skip remainder */
|
||||
*p += rdataremain;
|
||||
*remain -= rdatalen;
|
||||
return;
|
||||
}
|
||||
*p += len+1;
|
||||
rdataremain -= len+1;
|
||||
} else {
|
||||
@@ -1207,6 +1218,12 @@ static void lowercase_rdata(uint8_t** p, size_t* remain,
|
||||
break;
|
||||
default: error("bad rdf type in lowercase %d", (int)f);
|
||||
}
|
||||
if (rdataremain < (size_t)len) {
|
||||
/* malformed RDF, skip remainder */
|
||||
*p += rdataremain;
|
||||
*remain -= rdatalen;
|
||||
return;
|
||||
}
|
||||
*p += len;
|
||||
rdataremain -= len;
|
||||
}
|
||||
|
||||
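Review bot: The checks added to pkt_snip_edns_option validate rdlen and optlen against the packet, but the `memmove(buf, rdata+4, optlen);` that follows still copies optlen bytes into buf with no visible check against buf's capacity; the signature is cut off above the hunk, so if the function receives a buffer size, a comparison of optlen against it belongs immediately before the copy, and if it does not, one should be added before this code is trusted with arbitrary test packets. In lowercase_rdata both malformed branches advance `*p` by rdataremain but subtract the full rdatalen from `*remain`, which is consistent only if `*remain` has not already been reduced for the fields consumed earlier in the loop (including by lowercase_dname); the enclosing function starts outside the hunk, so a one-line comment stating the invariant between `*remain` and rdataremain would make that contract explicit.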
@@ -670,6 +670,7 @@ authtest_addzone(struct auth_zones* az, const char* name, char* fname)
|
||||
auth_zone_set_zonefile(z, fname);
|
||||
z->for_upstream = 1;
|
||||
cfg = config_create();
|
||||
config_auto_slab_values(cfg);
|
||||
free(cfg->chrootdir);
|
||||
cfg->chrootdir = NULL;
|
||||
|
||||
|
||||
@@ -45,6 +45,7 @@
|
||||
#include "util/data/dname.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
#include "sldns/str2wire.h"
|
||||
#include "sldns/wire2str.h"
|
||||
|
||||
/** put dname into buffer */
|
||||
static sldns_buffer*
|
||||
@@ -476,6 +477,23 @@ dname_test_removelabel(void)
|
||||
unit_assert( l == 1 );
|
||||
}
|
||||
|
||||
/** test dname_remove_label_limit_len */
|
||||
static void
|
||||
dname_test_removelabellimitlen(void)
|
||||
{
|
||||
uint8_t* orig = (uint8_t*)"\007example\003com\000";
|
||||
uint8_t* n = orig;
|
||||
size_t l = 13;
|
||||
size_t lenlimit = 5; /* com.*/
|
||||
unit_show_func("util/data/dname.c", "dname_remove_label_limit_len");
|
||||
unit_assert(dname_remove_label_limit_len(&n, &l, lenlimit) == 1);
|
||||
unit_assert( n == orig+8 );
|
||||
unit_assert( l == 5 );
|
||||
unit_assert(dname_remove_label_limit_len(&n, &l, lenlimit) == 0);
|
||||
unit_assert( n == orig+8 );
|
||||
unit_assert( l == 5 );
|
||||
}
|
||||
|
||||
/** test dname_signame_label_count */
|
||||
static void
|
||||
dname_test_sigcount(void)
|
||||
@@ -859,6 +877,262 @@ dname_setup_bufs(sldns_buffer* loopbuf, sldns_buffer* boundbuf)
|
||||
sldns_buffer_flip(boundbuf);
|
||||
}
|
||||
|
||||
/* Test strings for the test_long_names test. */
|
||||
/* Each label begins with the length of the label including the length octet. */
|
||||
|
||||
char desc_1[] = "Domain is 1 octet too long.";
|
||||
|
||||
uint8_t wire_dom_1[] = { /* Bad: Domain: (8x)0031abcdefghijklmnopqrstuvwxyz.0007ab. */
|
||||
0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
|
||||
0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
|
||||
0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
|
||||
0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
|
||||
0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
|
||||
0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
|
||||
0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
|
||||
0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
|
||||
0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
|
||||
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
|
||||
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
|
||||
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61,
|
||||
0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71,
|
||||
0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62,
|
||||
0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72,
|
||||
0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, /* Bad: */ 0x06, 0x30, 0x30, 0x30, 0x37, 0x61, 0x62, 0x00
|
||||
};
|
||||
|
||||
char desc_2[] = "Domain has the maximum allowed length (255).";
|
||||
|
||||
uint8_t wire_dom_2[] = { /* Good: Domain: (8x)0031abcdefghijklmnopqrstuvwxyz.00076a. */
|
||||
0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
|
||||
0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
|
||||
0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
|
||||
0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
|
||||
0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
|
||||
0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
|
||||
0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
|
||||
0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
|
||||
0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
|
||||
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
|
||||
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
|
||||
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61,
|
||||
0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71,
|
||||
0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62,
|
||||
0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72,
|
||||
0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, /* Good: */ 0x05, 0x30, 0x30, 0x30, 0x36, 0x61, 0x00
|
||||
};
|
||||
|
||||
char desc_3[] = "Domain has a length one label in the 255th position for a total of 257.";
|
||||
|
||||
uint8_t wire_dom_3[] = { /* Bad: Domain: (8x(0031abcdefghijklmnopqrstuvwxyz.0006ab.1. */
|
||||
0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
|
||||
0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
|
||||
0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
|
||||
0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
|
||||
0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
|
||||
0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
|
||||
0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
|
||||
0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
|
||||
0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
|
||||
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
|
||||
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
|
||||
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61,
|
||||
0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71,
|
||||
0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62,
|
||||
0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72,
|
||||
0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, /* Bad: */ 0x05, 0x30, 0x30, 0x30, 0x36, 0x61, 0x01, 0x32, 0x00
|
||||
};
|
||||
|
||||
char desc_4[] = "Domain has the maximum allowed length (255).";
|
||||
|
||||
uint8_t wire_dom_4[] = { /* Good: Domain: (8x)0031abcdefghijklmnopqrstuvwxyz.03.03. */
|
||||
0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
|
||||
0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
|
||||
0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
|
||||
0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
|
||||
0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
|
||||
0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
|
||||
0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
|
||||
0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
|
||||
0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
|
||||
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
|
||||
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
|
||||
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61,
|
||||
0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71,
|
||||
0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62,
|
||||
0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72,
|
||||
0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, /* Good: */ 0x02, 0x30, 0x33, 0x02, 0x30, 0x33, 0x00
|
||||
};
|
||||
|
||||
char desc_5[] = "Domain has a maximum length label (63) in the 255th position.";
|
||||
|
||||
uint8_t wire_dom_5[] = { /* Bad: Domain: (8x)0031abcdefghijklmnopqrstuvwxyz.03.03.65abc...zab...zab...ghi. */
|
||||
0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
|
||||
0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
|
||||
0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
|
||||
0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
|
||||
0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
|
||||
0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
|
||||
0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
|
||||
0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
|
||||
0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
|
||||
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
|
||||
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
|
||||
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61,
|
||||
0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71,
|
||||
0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62,
|
||||
0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72,
|
||||
0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, /* Bad: */ 0x02, 0x30, 0x33, 0x02, 0x30, 0x33, 0x3f, 0x36,
|
||||
0x33, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
|
||||
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65,
|
||||
0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75,
|
||||
0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x00
|
||||
};
|
||||
|
||||
char desc_6[] = "Domain has a too long label (65) in the 255th position.";
|
||||
|
||||
uint8_t wire_dom_6[] = { /* Bad: Domain: (8x)0031abcdefghijklmnopqrstuvwxyz.03.03.66abc...zab...zab...ijk. */
|
||||
0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
|
||||
0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
|
||||
0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
|
||||
0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
|
||||
0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
|
||||
0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
|
||||
0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
|
||||
0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
|
||||
0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
|
||||
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
|
||||
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
|
||||
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61,
|
||||
0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71,
|
||||
0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62,
|
||||
0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72,
|
||||
0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, /* Bad: */ 0x02, 0x30, 0x33, 0x02, 0x30, 0x33, 0x41, 0x36,
|
||||
0x36, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
|
||||
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65,
|
||||
0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75,
|
||||
0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
|
||||
0x00
|
||||
};
|
||||
|
||||
char desc_7[] = "Domain has a too long label (65) in the 187th position.";
|
||||
|
||||
uint8_t wire_dom_7[] = { /* Bad: Domain: (6x)0031abcdefghijklmnopqrstuvwxyz.65abc..zab...zab...ijk. */
|
||||
0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
|
||||
0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
|
||||
0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
|
||||
0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
|
||||
0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
|
||||
0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
|
||||
0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
|
||||
0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
|
||||
0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
|
||||
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
|
||||
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
|
||||
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a,
|
||||
/* Bad: */ 0x41, 0x36,
|
||||
0x36, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
|
||||
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65,
|
||||
0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75,
|
||||
0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
|
||||
0x00
|
||||
};
|
||||
|
||||
char desc_8[] = "Domains has the maximum allowed length and ends with a maximum length label.";
|
||||
|
||||
uint8_t wire_dom_8[] = { /* Good: Domain: (6x)0031abcdefghijklmnopqrstuvwxyz.0004.0064abc..zab...zabcdefg. */
|
||||
0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
|
||||
0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
|
||||
0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
|
||||
0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
|
||||
0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
|
||||
0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
|
||||
0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
|
||||
0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
|
||||
0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
|
||||
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
|
||||
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
|
||||
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x03, 0x30, 0x30, 0x34 ,/* Good: */ 0x3f, 0x30,
|
||||
0x30, 0x36, 0x34, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
|
||||
0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63,
|
||||
0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73,
|
||||
0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x00
|
||||
};
|
||||
|
||||
char desc_9[] = "Domains has 254 octets, one less than the maximum allowed length.";
|
||||
|
||||
uint8_t wire_dom_9[] = { /* Good: Domain: (6x)0031abcdefghijklmnopqrstuvwxyz.0004.0064abc..zab...zabcdef. */
|
||||
0x1e, 0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
|
||||
0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e,
|
||||
0x30, 0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
|
||||
0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30,
|
||||
0x30, 0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
|
||||
0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30,
|
||||
0x33, 0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
|
||||
0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33,
|
||||
0x31, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
|
||||
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x1e, 0x30, 0x30, 0x33, 0x31,
|
||||
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
|
||||
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x03, 0x30, 0x30, 0x34 ,/* Good: */ 0x3e, 0x30,
|
||||
0x30, 0x35, 0x34, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d,
|
||||
0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63,
|
||||
0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73,
|
||||
0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x00
|
||||
};
|
||||
|
||||
/** Test dname to string with long domain names. */
|
||||
static void
|
||||
test_long_names(void)
|
||||
{
|
||||
/* Set to 1 for verbose output, 0 turns it off. */
|
||||
int verbtest = 0;
|
||||
|
||||
uint8_t* wire_doms[] = {wire_dom_1, wire_dom_2, wire_dom_3,
|
||||
wire_dom_4, wire_dom_5, wire_dom_6, wire_dom_7, wire_dom_8,
|
||||
wire_dom_9, 0};
|
||||
char* descs[] = {desc_1, desc_2, desc_3, desc_4, desc_5, desc_6,
|
||||
desc_7, desc_8, desc_9, 0};
|
||||
|
||||
int n;
|
||||
char string_domain[260];
|
||||
uint8_t** wd = wire_doms;
|
||||
int di = 0;
|
||||
int skip = 5; /* 0..6 */
|
||||
|
||||
while (*wd) {
|
||||
|
||||
if(verbtest)
|
||||
printf("Test: %s\n", descs[di++]);
|
||||
|
||||
memset(string_domain, 0xff, sizeof(string_domain));
|
||||
dname_str(*wd, string_domain);
|
||||
for (n = 0 ; n < (int)sizeof(string_domain); ++n) {
|
||||
if ((uint8_t)string_domain[n] == 0xff)
|
||||
break;
|
||||
}
|
||||
if(verbtest)
|
||||
printf("dname_str: L=%d, S=Skipping %d labels...%s\n",
|
||||
n, skip, string_domain + skip*31);
|
||||
unit_assert(n <= 255);
|
||||
|
||||
memset(string_domain, 0xff, sizeof(string_domain));
|
||||
sldns_wire2str_dname_buf(*wd,
|
||||
strlen((char*)*wd)+1 /* strlen works with these test strings */,
|
||||
string_domain,
|
||||
255 /* for comparable result to dname_str */ );
|
||||
for (n = 0 ; n < (int)sizeof(string_domain); ++n) {
|
||||
if ((uint8_t)string_domain[n] == 0xff)
|
||||
break;
|
||||
}
|
||||
if(verbtest)
|
||||
printf("sldns_wire2str_dname_buf: L=%d, S=Skipping %d labels...%s\n",
|
||||
n, skip, string_domain + skip*31);
|
||||
unit_assert(n <= 255);
|
||||
|
||||
++wd;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
dname_test_str(sldns_buffer* buff)
|
||||
{
|
||||
@@ -1002,6 +1276,8 @@ dname_test_str(sldns_buffer* buff)
|
||||
unit_assert(0);
|
||||
}
|
||||
}
|
||||
|
||||
test_long_names();
|
||||
}
|
||||
|
||||
void dname_test(void)
|
||||
@@ -1024,6 +1300,7 @@ void dname_test(void)
|
||||
dname_test_subdomain();
|
||||
dname_test_isroot();
|
||||
dname_test_removelabel();
|
||||
dname_test_removelabellimitlen();
|
||||
dname_test_sigcount();
|
||||
dname_test_iswild();
|
||||
dname_test_canoncmp();
|
||||
|
||||
@@ -131,6 +131,7 @@ void infra_test(void)
|
||||
unit_show_feature("infra cache");
|
||||
unit_assert(ipstrtoaddr("127.0.0.1", 53, &one, &onelen));
|
||||
|
||||
config_auto_slab_values(cfg);
|
||||
slab = infra_create(cfg);
|
||||
/* insert new record */
|
||||
unit_assert( infra_host(slab, &one, onelen, zone, zonelen, now,
|
||||
|
||||
@@ -205,6 +205,8 @@ net_test(void)
|
||||
unit_assert(memcmp(&a6.sin6_addr, "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\000", 16) == 0);
|
||||
addr_mask((struct sockaddr_storage*)&a6, l6, 64);
|
||||
unit_assert(memcmp(&a6.sin6_addr, "\377\377\377\377\377\377\377\377\000\000\000\000\000\000\000\000", 16) == 0);
|
||||
/* Check that negative value in net is not problematic. */
|
||||
addr_mask((struct sockaddr_storage*)&a6, l6, -100);
|
||||
addr_mask((struct sockaddr_storage*)&a6, l6, 0);
|
||||
unit_assert(memcmp(&a6.sin6_addr, "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 16) == 0);
|
||||
}
|
||||
@@ -266,6 +268,28 @@ net_test(void)
|
||||
(struct sockaddr_storage*)&b6, i, l6) == i);
|
||||
}
|
||||
}
|
||||
/* test netblockstrtoaddr */
|
||||
unit_show_func("util/net_help.c", "netblockstrtoaddr");
|
||||
if(1) {
|
||||
struct sockaddr_storage a;
|
||||
socklen_t alen = 0;
|
||||
int net = 0, res;
|
||||
char astr[128];
|
||||
memset(&a, 0, sizeof(a));
|
||||
|
||||
res = netblockstrtoaddr("1.2.3.0/24", 53, &a, &alen, &net);
|
||||
unit_assert(res!=0 && net == 24);
|
||||
addr_to_str(&a, alen, astr, sizeof(astr));
|
||||
unit_assert(strcmp(astr, "1.2.3.0") == 0);
|
||||
unit_assert(ntohs(((struct sockaddr_in*)&a)->sin_port)==53);
|
||||
|
||||
res = netblockstrtoaddr("2001:DB8:33:44::/64", 53,
|
||||
&a, &alen, &net);
|
||||
unit_assert(res!=0 && net == 64);
|
||||
addr_to_str(&a, alen, astr, sizeof(astr));
|
||||
unit_assert(strcmp(astr, "2001:db8:33:44::") == 0);
|
||||
unit_assert(ntohs(((struct sockaddr_in6*)&a)->sin6_port)==53);
|
||||
}
|
||||
/* test sockaddr_cmp_addr */
|
||||
unit_show_func("util/net_help.c", "sockaddr_cmp_addr");
|
||||
if(1) {
|
||||
|
||||
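Review bot: The added `addr_mask((struct sockaddr_storage*)&a6, l6, -100);` in the @@ -205 hunk has no observable outcome, because the very next line applies mask 0 and the assertion after it checks an all-zero address, which holds whatever the negative call did; as written the case only proves the call does not crash. If a negative prefix length is meant to leave the address untouched (or be clamped), assert that directly after the call, e.g. `unit_assert(memcmp(&a6.sin6_addr, "\377\377\377\377\377\377\377\377\000\000\000\000\000\000\000\000", 16) == 0);` for the no-op case, so a regression in the negative-length handling fails the assertion instead of relying on a crash to surface it. The netblockstrtoaddr block in the @@ -266 hunk likewise covers only accepted inputs; one rejected input (malformed or out-of-range prefix, whichever the parser is defined to refuse) with `unit_assert(res == 0);` would pin the failure path as well.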
@@ -61,6 +61,12 @@
|
||||
#include "sldns/str2wire.h"
|
||||
#include "sldns/wire2str.h"
|
||||
|
||||
#ifdef HAVE_SSL
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/** verbose signature test */
|
||||
static int vsig = 0;
|
||||
|
||||
@@ -509,10 +515,137 @@ nsec3_hash_test(const char* fname)
|
||||
|
||||
#define SRCDIRSTR xstr(SRCDIR)
|
||||
|
||||
#if defined(HAVE_SSL) && defined(USE_SHA1)
|
||||
/* Detect if openssl is configured to disable RSASHA1 signatures,
|
||||
* with the rh-allow-sha1-signatures disabled. */
|
||||
static int
|
||||
rh_allow_sha1_signatures_disabled(void)
|
||||
{
|
||||
EVP_MD_CTX* ctx;
|
||||
EVP_PKEY* evp_key;
|
||||
/* This key is rdata from nlnetlabs.nl DNSKEY from 20250424005001,
|
||||
* with id=50602 (ksk), size=2048b.
|
||||
* A 2048 bit key is taken to avoid key too small errors. */
|
||||
unsigned char key[] = {
|
||||
0x03, 0x01, 0x00, 0x01, 0xBC, 0x0B, 0xE8, 0xBB,
|
||||
0x97, 0x4C, 0xB5, 0xED, 0x6F, 0x6D, 0xC2, 0xB1,
|
||||
0x78, 0x69, 0x93, 0x1C, 0x72, 0x19, 0xB1, 0x05,
|
||||
0x51, 0x13, 0xA1, 0xFC, 0xBF, 0x01, 0x58, 0x0D,
|
||||
0x44, 0x10, 0x5F, 0x0B, 0x75, 0x0E, 0x11, 0x9A,
|
||||
0xC8, 0xF8, 0x0F, 0x90, 0xFC, 0xB8, 0x09, 0xD1,
|
||||
0x14, 0x39, 0x0D, 0x84, 0xCE, 0x97, 0x88, 0x82,
|
||||
0x3D, 0xC5, 0xCB, 0x1A, 0xBF, 0x00, 0x46, 0x37,
|
||||
0x01, 0xF1, 0xCD, 0x46, 0xA2, 0x8F, 0x83, 0x19,
|
||||
0x42, 0xED, 0x6F, 0xAF, 0x37, 0x1F, 0x18, 0x82,
|
||||
0x4B, 0x70, 0x2D, 0x50, 0xA5, 0xA6, 0x66, 0x48,
|
||||
0x7F, 0x56, 0xA8, 0x86, 0x05, 0x41, 0xC8, 0xBE,
|
||||
0x4F, 0x8B, 0x38, 0x51, 0xF0, 0xEB, 0xAD, 0x2F,
|
||||
0x7A, 0xC0, 0xEF, 0xC7, 0xD2, 0x72, 0x6F, 0x16,
|
||||
0x66, 0xAF, 0x59, 0x55, 0xFF, 0xEE, 0x9D, 0x50,
|
||||
0xE9, 0xDB, 0xF4, 0x02, 0xBC, 0x33, 0x5C, 0xC5,
|
||||
0xDA, 0x1C, 0x6A, 0xD1, 0x55, 0xD1, 0x20, 0x2B,
|
||||
0x63, 0x03, 0x4B, 0x77, 0x45, 0x46, 0x78, 0x31,
|
||||
0xE4, 0x90, 0xB9, 0x7F, 0x00, 0xFB, 0x62, 0x7C,
|
||||
0x07, 0xD3, 0xC1, 0x00, 0xA0, 0x54, 0x63, 0x74,
|
||||
0x0A, 0x17, 0x7B, 0xE7, 0xAD, 0x38, 0x07, 0x86,
|
||||
0x68, 0xE4, 0xFD, 0x20, 0x68, 0xD5, 0x33, 0x92,
|
||||
0xCA, 0x90, 0xDD, 0xA4, 0xE9, 0xF2, 0x11, 0xBD,
|
||||
0x9D, 0xA5, 0xF5, 0xEB, 0xB9, 0xFE, 0x8F, 0xA1,
|
||||
0xE4, 0xBF, 0xA4, 0xA4, 0x34, 0x5C, 0x6A, 0x95,
|
||||
0xB6, 0x42, 0x22, 0xF6, 0xD6, 0x10, 0x9C, 0x9B,
|
||||
0x0A, 0x56, 0xE7, 0x42, 0xE5, 0x7F, 0x1F, 0x4E,
|
||||
0xBE, 0x4F, 0x8C, 0xED, 0x30, 0x63, 0xA7, 0x88,
|
||||
0x93, 0xED, 0x37, 0x3C, 0x80, 0xBC, 0xD1, 0x66,
|
||||
0xBD, 0xB8, 0x2E, 0x65, 0xC4, 0xC8, 0x00, 0x5B,
|
||||
0xE7, 0x85, 0x96, 0xDD, 0xAA, 0x05, 0xE6, 0x4F,
|
||||
0x03, 0x64, 0xFA, 0x2D, 0xF6, 0x88, 0x14, 0x8F,
|
||||
0x15, 0x4D, 0xFD, 0xD3
|
||||
};
|
||||
size_t keylen = 260;
|
||||
|
||||
#ifdef HAVE_EVP_MD_CTX_NEW
|
||||
ctx = EVP_MD_CTX_new();
|
||||
#else
|
||||
ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
|
||||
if(ctx) EVP_MD_CTX_init(ctx);
|
||||
#endif
|
||||
if(!ctx) return 0;
|
||||
|
||||
evp_key = sldns_key_rsa2pkey_raw(key, keylen);
|
||||
if(!evp_key) {
|
||||
#ifdef HAVE_EVP_MD_CTX_NEW
|
||||
EVP_MD_CTX_destroy(ctx);
|
||||
#else
|
||||
EVP_MD_CTX_cleanup(ctx);
|
||||
free(ctx);
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifndef HAVE_EVP_DIGESTVERIFY
|
||||
(void)evp_key; /* not used */
|
||||
if(EVP_DigestInit(ctx, EVP_sha1()) == 0)
|
||||
#else
|
||||
if(EVP_DigestVerifyInit(ctx, NULL, EVP_sha1(), NULL, evp_key) == 0)
|
||||
#endif
|
||||
{
|
||||
unsigned long e = ERR_get_error();
|
||||
#ifdef EVP_R_INVALID_DIGEST
|
||||
if (ERR_GET_LIB(e) == ERR_LIB_EVP &&
|
||||
ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) {
|
||||
/* rh-allow-sha1-signatures makes use of sha1 invalid. */
|
||||
if(vsig)
|
||||
printf("Detected that rh-allow-sha1-signatures is off, and disables SHA1 signatures\n");
|
||||
#ifdef HAVE_EVP_MD_CTX_NEW
|
||||
EVP_MD_CTX_destroy(ctx);
|
||||
#else
|
||||
EVP_MD_CTX_cleanup(ctx);
|
||||
free(ctx);
|
||||
#endif
|
||||
EVP_PKEY_free(evp_key);
|
||||
return 1;
|
||||
}
|
||||
#endif /* EVP_R_INVALID_DIGEST */
|
||||
/* The signature verify failed for another reason. */
|
||||
log_crypto_err_code("EVP_DigestVerifyInit", e);
|
||||
#ifdef HAVE_EVP_MD_CTX_NEW
|
||||
EVP_MD_CTX_destroy(ctx);
|
||||
#else
|
||||
EVP_MD_CTX_cleanup(ctx);
|
||||
free(ctx);
|
||||
#endif
|
||||
EVP_PKEY_free(evp_key);
|
||||
return 0;
|
||||
}
|
||||
#ifdef HAVE_EVP_MD_CTX_NEW
|
||||
EVP_MD_CTX_destroy(ctx);
|
||||
#else
|
||||
EVP_MD_CTX_cleanup(ctx);
|
||||
free(ctx);
|
||||
#endif
|
||||
EVP_PKEY_free(evp_key);
|
||||
return 0;
|
||||
}
|
||||
#endif /* HAVE_SSL && USE_SHA1 */
|
||||
|
||||
void
|
||||
verify_test(void)
|
||||
{
|
||||
unit_show_feature("signature verify");
|
||||
|
||||
#if defined(HAVE_SSL) && defined(USE_SHA1)
|
||||
if(rh_allow_sha1_signatures_disabled()) {
|
||||
/* Allow the use of SHA1 signatures for the test,
|
||||
* in case that OpenSSL disallows use of RSASHA1
|
||||
* with rh-allow-sha1-signatures disabled. */
|
||||
#ifndef UB_ON_WINDOWS
|
||||
setenv("OPENSSL_ENABLE_SHA1_SIGNATURES", "1", 0);
|
||||
#else
|
||||
_putenv("OPENSSL_ENABLE_SHA1_SIGNATURES=1");
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef USE_SHA1
|
||||
verifytest_file(SRCDIRSTR "/testdata/test_signatures.1", "20070818005004");
|
||||
#endif
|
||||
|
||||
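Review bot: `size_t keylen = 260;` in rh_allow_sha1_signatures_disabled duplicates the length of the `key[]` table by hand, so any later edit to the table silently desynchronises the two; `sldns_key_rsa2pkey_raw(key, sizeof(key))` keeps them tied. The same function repeats the EVP_MD_CTX destroy/cleanup plus EVP_PKEY_free sequence on four exit paths, which a single `out:` label collapses as sketched below (EVP_PKEY_free tolerates NULL, so only the `!ctx` early return stays before the label). On the `#ifndef HAVE_EVP_DIGESTVERIFY` path the failing call is EVP_DigestInit, yet the error is logged as `log_crypto_err_code("EVP_DigestVerifyInit", e)`, which will mislead whoever reads that log. In verify_test the `setenv("OPENSSL_ENABLE_SHA1_SIGNATURES", "1", 0)` runs after the probe has already driven EVP through a digest init; if the distribution patch consults the variable only at library or provider initialisation rather than per call, the override may arrive too late, which is worth confirming on a system with the policy active.
```c
static int
rh_allow_sha1_signatures_disabled(void)
{
	int ret = 0;
	/* … unchanged: ctx/evp_key declarations, key[] table, ctx creation and the !ctx early return … */
	evp_key = sldns_key_rsa2pkey_raw(key, sizeof(key));
	if(!evp_key) goto out;
	/* … unchanged: EVP_DigestVerifyInit / EVP_DigestInit call … */
	{
		unsigned long e = ERR_get_error();
#ifdef EVP_R_INVALID_DIGEST
		if (ERR_GET_LIB(e) == ERR_LIB_EVP &&
			ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) {
			/* rh-allow-sha1-signatures makes use of sha1 invalid. */
			if(vsig)
				printf("Detected that rh-allow-sha1-signatures is off, and disables SHA1 signatures\n");
			ret = 1;
			goto out;
		}
#endif /* EVP_R_INVALID_DIGEST */
		/* The digest init failed for another reason. */
		log_crypto_err_code("EVP_DigestVerifyInit", e);
	}
out:
	/* EVP_PKEY_free(NULL) is a no-op, so the !evp_key path shares this exit. */
	EVP_PKEY_free(evp_key);
#ifdef HAVE_EVP_MD_CTX_NEW
	EVP_MD_CTX_destroy(ctx);
#else
	EVP_MD_CTX_cleanup(ctx);
	free(ctx);
#endif
	return ret;
}
```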
@@ -267,6 +267,7 @@ static void zonemd_verify_test(char* zname, char* zfile, char* tastr,
|
||||
env.cfg = config_create();
|
||||
if(!env.cfg)
|
||||
fatal_exit("out of memory");
|
||||
config_auto_slab_values(env.cfg);
|
||||
env.now = &now;
|
||||
env.cfg->val_date_override = cfg_convert_timeval(date_override);
|
||||
if(!env.cfg->val_date_override)
|
||||
|
||||
+228
@@ -0,0 +1,228 @@
; config options
server:
target-fetch-policy: "0 0 0 0 0"
auth-zone:
name: "unbound-auth-test.nlnetlabs.nl."
## zonefile (or none).
## zonefile: "example.com.zone"
## master by IP address or hostname
## can list multiple masters, each on one line.
## master:
## url for http fetch
## url:
## queries from downstream clients get authoritative answers.
## for-downstream: yes
for-downstream: yes
## queries are used to fetch authoritative answers from this zone,
## instead of unbound itself sending queries there.
## for-upstream: yes
for-upstream: yes
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:
TEMPFILE_NAME unbound-auth-test.nlnetlabs.nl
## this is the inline file /tmp/xxx.unbound-auth-test.nlnetlabs.nl
## the tempfiles are deleted when the testrun is over.
TEMPFILE_CONTENTS unbound-auth-test.nlnetlabs.nl
;; Zone: unbound-auth-test.nlnetlabs.nl.
;
unbound-auth-test.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1554201247 14400 3600 604800 3600
unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG SOA 13 3 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. NLFcC2oet+HC+1dhT4D/2JJFIcMiRtTM81KwvT7u8ybF3iDE4bnyrILvQk8DsizpYKwk+D3J3tMC3TV5+//qFw==
;; Out of zone record that shouldn't break NSEC3 proofs.
;; There was a bug that would keep removing labels and use this out of zone
;; record.
nlnetlabs.nl. 3600 IN NS ns.nlnetlabs.nl.
;
unbound-auth-test.nlnetlabs.nl. 3600 IN NS ns.nlnetlabs.nl.
unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG NS 13 3 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. Gm0UF77ljiInG4/HZ6Tkzx7z9N45WwwmbBt9KxeN3z1BkdBLiy10Du71ZBFLP71b+USs1rv5SJQ0hteZFbl8sg==
unbound-auth-test.nlnetlabs.nl. 3600 IN DNSKEY 256 3 13 S3Da9HqpFj0pEbI8WXOdkvN3vgZ6qxNSz4XyKkmWWAG28kq5T+/lWp36DUDvnMI9wJNuixzUHtgZ6oZoAaVrPg== ;{id = 15486 (zsk), size = 256b}
unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG DNSKEY 13 3 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. 1cLFaDb6kP8KnRJujW1ieHUdS5Tgdv59TCZ+FloCRJMJBwQAow6UKAIY7HHlTb8IHTajyUrjlxX/dN8S/5VwuA==
unbound-auth-test.nlnetlabs.nl. 3600 IN NSEC3PARAM 1 0 1 -
unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG NSEC3PARAM 13 3 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. GWgtJArNpfJ4ifoinUBUVRTlkk0CMemdozhMKY13dk3EQMP0jb4g49PcTAgEP2dBUs9efttQVQQpmFPyTGfN1w==
tvdhfml24jp7cott1qijj9812qu9ibh3.unbound-auth-test.nlnetlabs.nl. 3600 IN NSEC3 1 0 1 - 41pcah2j3fr8k99gj5pveh4igrjfc871 NS SOA RRSIG DNSKEY NSEC3PARAM ;{ flags: -, from: unbound-auth-test.nlnetlabs.nl. to: b.b.unbound-auth-test.nlnetlabs.nl.}
tvdhfml24jp7cott1qijj9812qu9ibh3.unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG NSEC3 13 4 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. DzwQTaZj4j29eHXEKllIFcq4yNWA7VMqkh8+gCrBO+GEek9+hGxL6ANsU0Hv6glyBmPDeYUZcy4xy0EEj1R4hQ==
;
;; Empty nonterminal: b.unbound-auth-test.nlnetlabs.nl.
apejmh1fqds9gir0nnsf4d5gtno10tg1.unbound-auth-test.nlnetlabs.nl. 3600 IN NSEC3 1 0 1 - dbs0aj50410urbvt3ghfr644n7h06gs5 ;{ flags: -, from: b.unbound-auth-test.nlnetlabs.nl. to: c.b.unbound-auth-test.nlnetlabs.nl.}
apejmh1fqds9gir0nnsf4d5gtno10tg1.unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG NSEC3 13 4 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. m9B0W8xDZF6ml/m8OujrZZBiF1O0wAeKciK/5FMT/hCjHR0hMrbXBPg/ZntpVJD/Pko2HcBvWKu87U721yTHyQ==
;
;; Empty nonterminal: a.b.unbound-auth-test.nlnetlabs.nl.
toqivctpt4pdcp5g19neqt19fvtgbgeu.unbound-auth-test.nlnetlabs.nl. 3600 IN NSEC3 1 0 1 - tvdhfml24jp7cott1qijj9812qu9ibh3 ;{ flags: -, from: a.b.unbound-auth-test.nlnetlabs.nl. to: unbound-auth-test.nlnetlabs.nl.}
toqivctpt4pdcp5g19neqt19fvtgbgeu.unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG NSEC3 13 4 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. Jr1oPPs+DGBVV13n4gG4AGVFsleItluLbtCIyQDcYZEA+e5JMkrLzfW3rXqXaUSUauR4iEu5FmTfs4GTsumdUw==
;
*.a.b.unbound-auth-test.nlnetlabs.nl. 3600 IN TXT "*.a.b"
*.a.b.unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG TXT 13 5 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. NrMUaNzZp88lXit/HLL/iDBHspDSfoM//K+/0VwUYRZjmVJQQHCHtHBGgR4NgrLi3ffvCAWq2LNGxDm+YMSl3g==
jrtu61ssgd18lfjglqrbbs5b2vmbh6cl.unbound-auth-test.nlnetlabs.nl. 3600 IN NSEC3 1 0 1 - k8r2bchsbehs5dbu5d6ivjfnmjb3jc8s TXT RRSIG ;{ flags: -, from: *.a.b.unbound-auth-test.nlnetlabs.nl. to: *.c.b.unbound-auth-test.nlnetlabs.nl.}
jrtu61ssgd18lfjglqrbbs5b2vmbh6cl.unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG NSEC3 13 4 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. kLIhE9+iz1OybJwXbtRJZst+Mk5u4OAtpZGWSwJUfqD6dXAk+h6msKAR18jpPeL7cCjXjIAKIv3x4oYRkl+uKw==
;
;; Empty nonterminal: b.b.unbound-auth-test.nlnetlabs.nl.
41pcah2j3fr8k99gj5pveh4igrjfc871.unbound-auth-test.nlnetlabs.nl. 3600 IN NSEC3 1 0 1 - apejmh1fqds9gir0nnsf4d5gtno10tg1 ;{ flags: -, from: b.b.unbound-auth-test.nlnetlabs.nl. to: b.unbound-auth-test.nlnetlabs.nl.}
41pcah2j3fr8k99gj5pveh4igrjfc871.unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG NSEC3 13 4 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. XlIjnuF313w0GXn6vymrAcsyuxZSaN6IShFjxQ5T2HUFePHBNvtRkL+TtMQZNlR8nTR3+MWcON0cOZIGjVCCjg==
;
*.b.b.unbound-auth-test.nlnetlabs.nl. 3600 IN TXT "*.b.b"
*.b.b.unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG TXT 13 5 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. FkS3ceWpoHyOKaa8OtywIl148Bwo0vkzBd263vqYe0puhuRa6IvNEk5ERdwfWt9eNEq+6IlizPT/dYxA2fXYXA==
ft7dasbom0copm9e2ak9k151dj08kjfs.unbound-auth-test.nlnetlabs.nl. 3600 IN NSEC3 1 0 1 - jrtu61ssgd18lfjglqrbbs5b2vmbh6cl TXT RRSIG ;{ flags: -, from: *.b.b.unbound-auth-test.nlnetlabs.nl. to: *.a.b.unbound-auth-test.nlnetlabs.nl.}
ft7dasbom0copm9e2ak9k151dj08kjfs.unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG NSEC3 13 4 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. 5QhLGohTRLQSGC8vstzDjqcwfrbOnLUG2OelSjvsZFy1smsWUxJBCQXQdx1+JX7xamZHlZESQtS+cELuZUqpvA==
;
;; Empty nonterminal: c.b.unbound-auth-test.nlnetlabs.nl.
dbs0aj50410urbvt3ghfr644n7h06gs5.unbound-auth-test.nlnetlabs.nl. 3600 IN NSEC3 1 0 1 - ft7dasbom0copm9e2ak9k151dj08kjfs ;{ flags: -, from: c.b.unbound-auth-test.nlnetlabs.nl. to: *.b.b.unbound-auth-test.nlnetlabs.nl.}
dbs0aj50410urbvt3ghfr644n7h06gs5.unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG NSEC3 13 4 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. hjk1foJWW68JK3O1Ktf0ZogoXVrMDw3mHVBBYTrpaBKX1gWR5icmJiOCYZWYx3z88PUnGkfH+kx4oDUjioqN+Q==
;
*.c.b.unbound-auth-test.nlnetlabs.nl. 3600 IN TXT "*.c.b"
*.c.b.unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG TXT 13 5 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. b7rFR5tlx5Y5SQqNdYBtfD6DrkNx9h79GCmnZfWrUzRz+A256k2v08IPRJDK+WxEHuYHjfNnVWxjRr9M1OW2Iw==
k8r2bchsbehs5dbu5d6ivjfnmjb3jc8s.unbound-auth-test.nlnetlabs.nl. 3600 IN NSEC3 1 0 1 - toqivctpt4pdcp5g19neqt19fvtgbgeu TXT RRSIG ;{ flags: -, from: *.c.b.unbound-auth-test.nlnetlabs.nl. to: a.b.unbound-auth-test.nlnetlabs.nl.}
k8r2bchsbehs5dbu5d6ivjfnmjb3jc8s.unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG NSEC3 13 4 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. 34BS1ajedCNdfXgUfxTyiAK1ichfFLshhJ3TnfplrUps0UsZaQLEG+EIlP4wTBtro2c6V8YCSmOuxuce4gYoDw==
;
TEMPFILE_END
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
SCENARIO_BEGIN Test authority zone with NSEC3 empty nonterminal
; with exact match NSEC3 in existence (eg. not a CE-proof)
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END
; a.gtld-servers.net.
RANGE_BEGIN 0 100
ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.44
ENTRY_END
RANGE_END
; ns.example.net.
RANGE_BEGIN 0 100
ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.44
SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
www.example.net. IN A 1.2.3.44
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.net.
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END
RANGE_END
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
a.b.unbound-auth-test.nlnetlabs.nl. IN TXT
ENTRY_END
; recursion happens here.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR AA RD RA DO NOERROR
SECTION QUESTION
a.b.unbound-auth-test.nlnetlabs.nl. IN TXT
SECTION ANSWER
SECTION AUTHORITY
unbound-auth-test.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1554201247 14400 3600 604800 3600
unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG SOA 13 3 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. NLFcC2oet+HC+1dhT4D/2JJFIcMiRtTM81KwvT7u8ybF3iDE4bnyrILv Qk8DsizpYKwk+D3J3tMC3TV5+//qFw==
toqivctpt4pdcp5g19neqt19fvtgbgeu.unbound-auth-test.nlnetlabs.nl. 3600 IN NSEC3 1 0 1 - TVDHFML24JP7COTT1QIJJ9812QU9IBH3
toqivctpt4pdcp5g19neqt19fvtgbgeu.unbound-auth-test.nlnetlabs.nl. 3600 IN RRSIG NSEC3 13 4 3600 20190430103407 20190402103407 15486 unbound-auth-test.nlnetlabs.nl. Jr1oPPs+DGBVV13n4gG4AGVFsleItluLbtCIyQDcYZEA+e5JMkrLzfW3 rXqXaUSUauR4iEu5FmTfs4GTsumdUw==
ENTRY_END
SCENARIO_END
+234
@@ -0,0 +1,234 @@
; config options
server:
target-fetch-policy: "0 0 0 0 0"
auth-zone:
name: "test-ns-signed.dev.internet.nl."
## zonefile (or none).
## zonefile: "example.com.zone"
## master by IP address or hostname
## can list multiple masters, each on one line.
## master:
## url for http fetch
## url:
## queries from downstream clients get authoritative answers.
## for-downstream: yes
for-downstream: yes
## queries are used to fetch authoritative answers from this zone,
## instead of unbound itself sending queries there.
## for-upstream: yes
for-upstream: yes
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:
TEMPFILE_NAME test-ns-signed.dev.internet.nl
## this is the inline file /tmp/xxx.test-ns-signed.dev.internet.nl
## the tempfiles are deleted when the testrun is over.
TEMPFILE_CONTENTS test-ns-signed.dev.internet.nl
test-ns-signed.dev.internet.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 4 14400 3600 604800 3600
test-ns-signed.dev.internet.nl. 3600 IN RRSIG SOA 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. ybb0Hc7NC+QOFEEv4cX2+Umlk+miiOAHmeP2Uwvg6lqfxkk+3g7yWBEKMinXjLKz0odWZ6fki6M/3yBPQX8SV0OCRY5gYvAHAjbxAIHozIM+5iwOkRQhNF1DRgQ3BLjL93f6T5e5Z4y1812iOpu4GYswXW/UTOZACXz2UiaCPAg=
;; Out of zone record that shouldn't break NSEC3 proofs.
;; There was a bug that would keep removing labels and use this out of zone
;; record.
dev.internet.nl. 3600 IN NS ns.test-ns-signed.dev.internet.nl.
test-ns-signed.dev.internet.nl. 3600 IN NS ns.test-ns-signed.dev.internet.nl.
test-ns-signed.dev.internet.nl. 3600 IN RRSIG NS 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. KqiwTF3hKm1ZHGbgx6MVzZYHlS1p7+Xrikx4izMHFbWiD6ki6lrJBJsnH9j/hH1cwHxjXslOeJh0hdBdbn8la0meZPsebOyUbEjoLPzRLzKNLDBuA4BUJnRGQJy21CX7XooXAMAmR8YFipO8CojI9EogU2m2o9YkfbpacFWQoTk=
test-ns-signed.dev.internet.nl. 3600 IN DNSKEY 256 3 8 AwEAAc6c8tpMXBSOFLu/9n4aUUDK43wN4B7A2UDqZi0IOkyptxWCFghleyZeeN5uq6p9MoUt8lS73mFmIYC0ux5zBO3uVaJQ9u+00qRAEVg/RgBwa58y2f/zNtFV/f7mBSPcPTiEjUh0bwHSiTvUn/8JkrvjyAcbQMO0YOsRof5q6tzl ;{id = 32784 (zsk), size = 1024b}
test-ns-signed.dev.internet.nl. 3600 IN DNSKEY 257 3 8 AwEAAdC0hBJP1U8lbZ6JFXn0ouK6VipiraN7I8oog62SuEd/fqAupys7A/Ih6WK/UoJorjlnccEL8euNMaS4kNogvoBrFx8ciIWKcbot5mtwc4WDr3cnR+HIZNCUFVkIxsMqE7HCD0yn0zhkB60shED+ZHs8zpyU+cjnsOSizxOnIY+F ;{id = 54502 (ksk), size = 1024b}
test-ns-signed.dev.internet.nl. 3600 IN RRSIG DNSKEY 8 4 3600 20190205132351 20190108132351 54502 test-ns-signed.dev.internet.nl. X3qN+plfjf45FA4pr/tcUqUCR9ajDqwtNe4TS19WOJogVL/Gf/N5/ToOCrs3s+a7VrJl58WvSJquDM8xAS8f4oJggKgHFhopce8tMTGRxkRvJo4y+tt3vCveh/zjHLAnbOaBGA4CJ/IPhRqzHzcX/SjSv0EACWd6XpQIWogRv6c=
test-ns-signed.dev.internet.nl. 3600 IN NSEC3PARAM 1 0 1 -
test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3PARAM 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. A/1xUGO46uIz+9vjPGfWVD99akwU9bd/UlnVG9LPfoTzG7TMWSoZ4ksg8k8ub8K1TrkDmQokNHSW0Gt6qwoRh17c+p1h/SFlDVL83wgTc4NqG43OQjgGU9RV035XU+VESlO3lavifhlu8rHWBJTlhiXcMGq6H+zvoz4sx9p5GNM=
93stp7o7i5n9gb83uu7vv6h8qltk14ig.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - fee0c2kfhi6bnljce6vehaenqq3pbupu NS SOA RRSIG DNSKEY NSEC3PARAM
93stp7o7i5n9gb83uu7vv6h8qltk14ig.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. YoTRDQ7sSvERcY1WwAH4oRRR7DmaAwA8/H70jdMeSU4wsnM/VM03kDcc2sgq5edmHiZoTWnq7nEb/1Y7Ro0YrqTUQdYFZvXi6UjZQrKI9nqAGnhdXZWlZJHmYpn2+2Emd+bYHkwvKaPnfnnKjUoGVBH8Hly0HBYKPUF1/viquB0=
kl94uofq16t2vlq0bmampf6e4o9k5hbi.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - 7ag3p2pfrvq09dpn63cvga8ub1rnrrg1
kl94uofq16t2vlq0bmampf6e4o9k5hbi.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. NI5zJ/k1kPVZ1abms5OoME/wazb77Ltduyk6ZevAnt4tKydZYwSsjEd0Ixknw9xnakCABn5rAYEXctARN0KCwCkNHR7TYlTAJT14hlDYjbad2u2HT9L1kzAnfj3BeLZl/LRADeMbTtzrkTSF3Dnezurb94fMnUnKt2hPfQfj560=
fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv
fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. WIb3ISP1nlafbyWoWa4z7sG5IS+V86PyvEMHdD/64hgsFkrCu483XK7VNnBz28SL/631JXA1R19O+UxeWhTUyctp8QSt6cEZcMPY8b7yG97rNFNvhSw75rSXXt+JwgIYHPHQV5oqPtVmEpQM5SfJd+hs+Nn1bJcWB3UaESNNAMQ=
*.a.b.test-ns-signed.dev.internet.nl. 3600 IN TXT "a"
*.a.b.test-ns-signed.dev.internet.nl. 3600 IN RRSIG TXT 8 6 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. eNcJkQXdTO1z21od0sXbgqtABhhr/9tNC/Zx8zYbhXkfj7rufN71yk9xqgu6TG0MeJV26ISrqIGRVFJFmTRvO1LLxoKkEPhqe+08nqRztxXZajCV+dDeFoGIDcXJg6tAxB+MJznkKDtZPpIWvyt1WwdYfcMrGtE9AmR3K1/P/xE=
7ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - 93stp7o7i5n9gb83uu7vv6h8qltk14ig TXT RRSIG
7ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. gtxoiTa3FRUqoRLvkWSxmWQ+DfijVd26gpKH3+GmGIcNB/sr/Cf8kERRwVVHvgzYIcvdJcys5b2LUXnZJwcdAlx7efZPWgNZzWxJrw6ES25LCWJOrp31isWn9FlAZGIbnpyEXxD2apBSmtyPnKbTgU6lHHS9jrsYHu4G8Zouv3k=
ns.test-ns-signed.dev.internet.nl. 3600 IN A 185.49.141.11
ns.test-ns-signed.dev.internet.nl. 3600 IN RRSIG A 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. F9sXEVAmlRn+/84WbuvegiCwstNxMDMQLl0Obv2CTPpee4U6psbmXrlzczjjjkE6aLjsIHYdcXCzEWTrmukT+V9jzaGPRJvxNvC0ASWyzggAoh0Z++Hl4cVa9587o6I9ODayehFI9Pgdem+RVdb4zlWuzi9FmKXgeTlgWN54tPg=
ns.test-ns-signed.dev.internet.nl. 3600 IN AAAA 2a04:b900:0:100::11
ns.test-ns-signed.dev.internet.nl. 3600 IN RRSIG AAAA 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. F1XRrx/QgfzJ1RS7d0m23QoIPx1G8WL1SrlTOm7pk5vWTL07w7HEw2TETblkjnitJGKfN9ebsIum/cDPUZc3UqLkguP2UCWpePnlllTJuwmG0Z+wyINIR4xF4PQlqttvzThBkD2JKWb/o0W8dQyXTj+jJ1vCZ0NjjA2N4+iJIQE=
i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - kl94uofq16t2vlq0bmampf6e4o9k5hbi A AAAA RRSIG
i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU=
TEMPFILE_END
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
SCENARIO_BEGIN Test authority zone with NSEC3 wildcard
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END
; a.gtld-servers.net.
RANGE_BEGIN 0 100
ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.44
ENTRY_END
RANGE_END
; ns.example.net.
RANGE_BEGIN 0 100
ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.44
SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
www.example.net. IN A 1.2.3.44
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.net.
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END
RANGE_END
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
something.a.b.test-ns-signed.dev.internet.nl. IN TXT
ENTRY_END
; recursion happens here.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR AA RD RA DO NOERROR
SECTION QUESTION
something.a.b.test-ns-signed.dev.internet.nl. IN TXT
SECTION ANSWER
something.a.b.test-ns-signed.dev.internet.nl. IN TXT "a"
something.a.b.test-ns-signed.dev.internet.nl. 3600 IN RRSIG TXT 8 6 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. eNcJkQXdTO1z21od0sXbgqtABhhr/9tNC/Zx8zYbhXkfj7rufN71yk9xqgu6TG0MeJV26ISrqIGRVFJFmTRvO1LLxoKkEPhqe+08nqRztxXZajCV+dDeFoGIDcXJg6tAxB+MJznkKDtZPpIWvyt1WwdYfcMrGtE9AmR3K1/P/xE=
SECTION AUTHORITY
i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - KL94UOFQ16T2VLQ0BMAMPF6E4O9K5HBI A AAAA RRSIG
i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU=
ENTRY_END
; Check that the reply for a wildcard nodata answer contains the NSEC3s.
; qname denial NSEC3, closest encloser NSEC3, and type bitmap NSEC3.
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
something.a.b.test-ns-signed.dev.internet.nl. IN AAAA
ENTRY_END
STEP 40 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR AA RD RA DO NOERROR
SECTION QUESTION
something.a.b.test-ns-signed.dev.internet.nl. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
test-ns-signed.dev.internet.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 4 14400 3600 604800 3600
test-ns-signed.dev.internet.nl. 3600 IN RRSIG SOA 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. ybb0Hc7NC+QOFEEv4cX2+Umlk+miiOAHmeP2Uwvg6lqfxkk+3g7yWBEKMinXjLKz0odWZ6fki6M/3yBPQX8SV0OCRY5gYvAHAjbxAIHozIM+5iwOkRQhNF1DRgQ3BLjL93f6T5e5Z4y1812iOpu4GYswXW/UTOZACXz2UiaCPAg= ;{id = 32784}
7ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - 93stp7o7i5n9gb83uu7vv6h8qltk14ig TXT RRSIG
7ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. gtxoiTa3FRUqoRLvkWSxmWQ+DfijVd26gpKH3+GmGIcNB/sr/Cf8kERRwVVHvgzYIcvdJcys5b2LUXnZJwcdAlx7efZPWgNZzWxJrw6ES25LCWJOrp31isWn9FlAZGIbnpyEXxD2apBSmtyPnKbTgU6lHHS9jrsYHu4G8Zouv3k= ;{id = 32784}
fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv
fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. WIb3ISP1nlafbyWoWa4z7sG5IS+V86PyvEMHdD/64hgsFkrCu483XK7VNnBz28SL/631JXA1R19O+UxeWhTUyctp8QSt6cEZcMPY8b7yG97rNFNvhSw75rSXXt+JwgIYHPHQV5oqPtVmEpQM5SfJd+hs+Nn1bJcWB3UaESNNAMQ= ;{id = 32784}
i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - kl94uofq16t2vlq0bmampf6e4o9k5hbi A AAAA RRSIG
i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU= ;{id = 32784}
ENTRY_END
SCENARIO_END
+23
@@ -6,6 +6,7 @@ server:
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"
ede: yes
stub-zone:
name: "."
@@ -210,4 +211,26 @@ SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
; Check cached response with CD bit
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD CD DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
; a bug here would return EDE=6 (default from validator)
STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA CD DO NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. 3600 IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
+37
-13
@@ -1,15 +1,39 @@
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
-----END RSA PRIVATE KEY-----
+20
-9
@@ -1,11 +1,22 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
|
||||
bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
|
||||
AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
|
||||
y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
|
||||
/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
|
||||
g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
|
||||
9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
|
||||
l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
|
||||
Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
|
||||
MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
|
||||
EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
|
||||
WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
|
||||
igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
|
||||
a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
|
||||
4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
|
||||
aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
|
||||
TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
|
||||
uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
|
||||
+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
|
||||
XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
|
||||
dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
|
||||
84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
|
||||
JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
|
||||
fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
|
||||
XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
|
||||
qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
|
||||
sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
|
||||
yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
|
||||
CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
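--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -0,0 +1,163 @@
+; config options
+server:
+target-fetch-policy: "0 0 0 0 0"
+minimal-responses: no
+tcp-upstream: no
+#tls-upstream:no # same case but not testable in rpl.
+
+# Builtin hints work similar to this explicit '.' stub-zone.
+stub-zone:
+name: "."
+stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+
+forward-zone:
+name: "."
+forward-addr: 1.2.3.6 # failing resolver
+forward-first: yes
+forward-tcp-upstream: yes
+#forward-tls-upstream:yes # same case but not testable in rpl.
+
+CONFIG_END
+
+SCENARIO_BEGIN Test forward-first directive in forward zone configured with explicit tcp upstream next to an equal stub name.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH UDP opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH UDP opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH UDP opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH UDP opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH UDP opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH UDP opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; local resolver (that fails a lot)
+RANGE_BEGIN 0 100
+ADDRESS 1.2.3.6
+
+ENTRY_BEGIN
+MATCH TCP opcode qtype qname
+ADJUST copy_id
+REPLY QR RA SERVFAIL
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+;example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+;ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH TCP opcode qtype qname
+ADJUST copy_id
+REPLY QR RA SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+;www.example.com. IN A 10.20.30.50
+SECTION AUTHORITY
+;example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+;ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END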
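--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -0,0 +1,623 @@
+; config options
+server:
+target-fetch-policy: "0 0 0 0 0"
+qname-minimisation: yes
+max-query-restarts: 11
+max-global-quota: 120
+
+stub-zone:
+name: "."
+stub-addr: 193.0.14.129
+CONFIG_END
+
+SCENARIO_BEGIN Test qname minimisation and long cname chain.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 1000
+ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 1000
+ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 1000
+ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain1.example.com. IN CNAME
+SECTION ANSWER
+chain1.example.com. IN CNAME chain2.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain2.example.com. IN CNAME
+SECTION ANSWER
+chain2.example.com. IN CNAME chain3.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain3.example.com. IN CNAME
+SECTION ANSWER
+chain3.example.com. IN CNAME chain4.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain4.example.com. IN CNAME
+SECTION ANSWER
+chain4.example.com. IN CNAME chain5.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain5.example.com. IN CNAME
+SECTION ANSWER
+chain5.example.com. IN CNAME chain6.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain6.example.com. IN CNAME
+SECTION ANSWER
+chain6.example.com. IN CNAME chain7.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain7.example.com. IN CNAME
+SECTION ANSWER
+chain7.example.com. IN CNAME chain8.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain8.example.com. IN CNAME
+SECTION ANSWER
+chain8.example.com. IN CNAME chain9.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain9.example.com. IN CNAME
+SECTION ANSWER
+chain9.example.com. IN CNAME chain10.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain10.example.com. IN CNAME
+SECTION ANSWER
+chain10.example.com. IN CNAME chain11.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain11.example.com. IN CNAME
+SECTION ANSWER
+chain11.example.com. IN CNAME chain12.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain12.example.com. IN CNAME
+SECTION ANSWER
+chain12.example.com. IN CNAME chain13.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain13.example.com. IN CNAME
+SECTION ANSWER
+chain13.example.com. IN CNAME chain14.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain14.example.com. IN CNAME
+SECTION ANSWER
+chain14.example.com. IN CNAME chain15.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain15.example.com. IN CNAME
+SECTION ANSWER
+chain15.example.com. IN CNAME chain16.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain16.example.com. IN CNAME
+SECTION ANSWER
+chain16.example.com. IN CNAME chain17.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain17.example.com. IN CNAME
+SECTION ANSWER
+chain17.example.com. IN CNAME chain18.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain18.example.com. IN CNAME
+SECTION ANSWER
+chain18.example.com. IN CNAME chain19.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain19.example.com. IN CNAME
+SECTION ANSWER
+chain19.example.com. IN CNAME chain20.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain20.example.com. IN CNAME
+SECTION ANSWER
+chain20.example.com. IN CNAME chain21.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain21.example.com. IN CNAME
+SECTION ANSWER
+chain21.example.com. IN CNAME chain22.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain22.example.com. IN CNAME
+SECTION ANSWER
+chain22.example.com. IN CNAME chain23.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain23.example.com. IN CNAME
+SECTION ANSWER
+chain23.example.com. IN CNAME chain24.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain24.example.com. IN CNAME
+SECTION ANSWER
+chain24.example.com. IN CNAME chain25.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain25.example.com. IN CNAME
+SECTION ANSWER
+chain25.example.com. IN CNAME chain26.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain26.example.com. IN CNAME
+SECTION ANSWER
+chain26.example.com. IN CNAME chain27.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain27.example.com. IN CNAME
+SECTION ANSWER
+chain27.example.com. IN CNAME chain28.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain28.example.com. IN CNAME
+SECTION ANSWER
+chain28.example.com. IN CNAME chain29.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain29.example.com. IN CNAME
+SECTION ANSWER
+chain29.example.com. IN CNAME chain30.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain30.example.com. IN CNAME
+SECTION ANSWER
+chain30.example.com. IN CNAME chain31.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain31.example.com. IN CNAME
+SECTION ANSWER
+chain31.example.com. IN CNAME chain32.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain32.example.com. IN CNAME
+SECTION ANSWER
+chain32.example.com. IN CNAME chain33.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain33.example.com. IN CNAME
+SECTION ANSWER
+chain33.example.com. IN CNAME chain34.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain34.example.com. IN CNAME
+SECTION ANSWER
+chain34.example.com. IN CNAME chain35.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain35.example.com. IN CNAME
+SECTION ANSWER
+chain35.example.com. IN CNAME chain36.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain36.example.com. IN CNAME
+SECTION ANSWER
+chain36.example.com. IN CNAME chain37.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain37.example.com. IN CNAME
+SECTION ANSWER
+chain37.example.com. IN CNAME chain38.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain38.example.com. IN CNAME
+SECTION ANSWER
+chain38.example.com. IN CNAME chain39.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain39.example.com. IN CNAME
+SECTION ANSWER
+chain39.example.com. IN CNAME chain40.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+chain40.example.com. IN CNAME
+SECTION ANSWER
+chain40.example.com. IN CNAME chain41.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub1.chain1.example.com. IN A
+SECTION ANSWER
+sub1.chain1.example.com. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub1.chain1.example.com. IN ANY
+SECTION ANSWER
+sub1.chain1.example.com. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub2.chain2.example.com. IN A
+SECTION ANSWER
+sub2.chain2.example.com. IN CNAME sub2-2.chain2.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub2-2.chain2.example.com. IN A
+SECTION ANSWER
+sub2-2.chain2.example.com. IN CNAME sub2-3.chain2.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub2-3.chain1.example.com. IN ANY
+SECTION ANSWER
+sub2-3.chain1.example.com. IN A 1.2.3.6
+ENTRY_END
+RANGE_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+chain1.example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+chain1.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+chain13.example.com. IN ANY
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+chain13.example.com. IN ANY
+SECTION ANSWER
+chain13.example.com. IN CNAME chain14.example.com.
+ENTRY_END
+
+STEP 49 TIME_PASSES ELAPSE 7200 ; expire the previous records.
+STEP 50 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+chain1.example.com. IN ANY
+ENTRY_END
+
+STEP 60 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+chain1.example.com. IN ANY
+SECTION ANSWER
+chain1.example.com. IN CNAME chain2.example.com.
+ENTRY_END
+
+STEP 69 TIME_PASSES ELAPSE 7200 ; expire the previous records.
+STEP 70 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+sub1.chain1.example.com. IN ANY
+ENTRY_END
+
+STEP 80 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+sub1.chain1.example.com. IN ANY
+SECTION ANSWER
+sub1.chain1.example.com. IN A 1.2.3.5
+ENTRY_END
+
+STEP 90 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+sub2.chain2.example.com. IN ANY
+ENTRY_END
+
+STEP 100 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+sub2.chain2.example.com. IN ANY
+SECTION ANSWER
+sub2.chain2.example.com. IN CNAME sub2-2.chain2.example.com.
+ENTRY_END
+
+SCENARIO_END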
+112
-112
@@ -49,7 +49,7 @@ RANGE_BEGIN 0 100
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
nonexistant.com. IN A
|
||||
nonexistent.com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
@@ -89,9 +89,9 @@ RANGE_BEGIN 0 100
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
nonexistant.com. IN A
|
||||
nonexistent.com. IN A
|
||||
SECTION AUTHORITY
|
||||
nonexistant.com. IN NS ns.example.com.
|
||||
nonexistent.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 10 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
@@ -107,18 +107,18 @@ RANGE_BEGIN 0 100
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns1.nonexistant.com.
|
||||
example.com. IN NS ns2.nonexistant.com.
|
||||
example.com. IN NS ns3.nonexistant.com.
|
||||
example.com. IN NS ns4.nonexistant.com.
|
||||
example.com. IN NS ns5.nonexistant.com.
|
||||
example.com. IN NS ns6.nonexistant.com.
|
||||
example.com. IN NS ns7.nonexistant.com.
|
||||
example.com. IN NS ns8.nonexistant.com.
|
||||
example.com. IN NS ns9.nonexistant.com.
|
||||
example.com. IN NS ns10.nonexistant.com.
|
||||
example.com. IN NS ns11.nonexistant.com.
|
||||
example.com. IN NS ns12.nonexistant.com.
|
||||
example.com. IN NS ns1.nonexistent.com.
|
||||
example.com. IN NS ns2.nonexistent.com.
|
||||
example.com. IN NS ns3.nonexistent.com.
|
||||
example.com. IN NS ns4.nonexistent.com.
|
||||
example.com. IN NS ns5.nonexistent.com.
|
||||
example.com. IN NS ns6.nonexistent.com.
|
||||
example.com. IN NS ns7.nonexistent.com.
|
||||
example.com. IN NS ns8.nonexistent.com.
|
||||
example.com. IN NS ns9.nonexistent.com.
|
||||
example.com. IN NS ns10.nonexistent.com.
|
||||
example.com. IN NS ns11.nonexistent.com.
|
||||
example.com. IN NS ns12.nonexistent.com.
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
@@ -146,7 +146,7 @@ RANGE_BEGIN 0 100
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NXDOMAIN
|
||||
SECTION QUESTION
|
||||
nonexistant.com. IN A
|
||||
nonexistent.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
@@ -158,18 +158,18 @@ RANGE_BEGIN 0 100
|
||||
SECTION ANSWER
|
||||
a.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns1.nonexistant.com.
|
||||
example.com. IN NS ns2.nonexistant.com.
|
||||
example.com. IN NS ns3.nonexistant.com.
|
||||
example.com. IN NS ns4.nonexistant.com.
|
||||
example.com. IN NS ns5.nonexistant.com.
|
||||
example.com. IN NS ns6.nonexistant.com.
|
||||
example.com. IN NS ns7.nonexistant.com.
|
||||
example.com. IN NS ns8.nonexistant.com.
|
||||
example.com. IN NS ns9.nonexistant.com.
|
||||
example.com. IN NS ns10.nonexistant.com.
|
||||
example.com. IN NS ns11.nonexistant.com.
|
||||
example.com. IN NS ns12.nonexistant.com.
|
||||
example.com. IN NS ns1.nonexistent.com.
|
||||
example.com. IN NS ns2.nonexistent.com.
|
||||
example.com. IN NS ns3.nonexistent.com.
|
||||
example.com. IN NS ns4.nonexistent.com.
|
||||
example.com. IN NS ns5.nonexistent.com.
|
||||
example.com. IN NS ns6.nonexistent.com.
|
||||
example.com. IN NS ns7.nonexistent.com.
|
||||
example.com. IN NS ns8.nonexistent.com.
|
||||
example.com. IN NS ns9.nonexistent.com.
|
||||
example.com. IN NS ns10.nonexistent.com.
|
||||
example.com. IN NS ns11.nonexistent.com.
|
||||
example.com. IN NS ns12.nonexistent.com.
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
@@ -181,18 +181,18 @@ RANGE_BEGIN 0 100
|
||||
SECTION ANSWER
|
||||
b.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns1.nonexistant.com.
|
||||
example.com. IN NS ns2.nonexistant.com.
|
||||
example.com. IN NS ns3.nonexistant.com.
|
||||
example.com. IN NS ns4.nonexistant.com.
|
||||
example.com. IN NS ns5.nonexistant.com.
|
||||
example.com. IN NS ns6.nonexistant.com.
|
||||
example.com. IN NS ns7.nonexistant.com.
|
||||
example.com. IN NS ns8.nonexistant.com.
|
||||
example.com. IN NS ns9.nonexistant.com.
|
||||
example.com. IN NS ns10.nonexistant.com.
|
||||
example.com. IN NS ns11.nonexistant.com.
|
||||
example.com. IN NS ns12.nonexistant.com.
|
||||
example.com. IN NS ns1.nonexistent.com.
|
||||
example.com. IN NS ns2.nonexistent.com.
|
||||
example.com. IN NS ns3.nonexistent.com.
|
||||
example.com. IN NS ns4.nonexistent.com.
|
||||
example.com. IN NS ns5.nonexistent.com.
|
||||
example.com. IN NS ns6.nonexistent.com.
|
||||
example.com. IN NS ns7.nonexistent.com.
|
||||
example.com. IN NS ns8.nonexistent.com.
|
||||
example.com. IN NS ns9.nonexistent.com.
|
||||
example.com. IN NS ns10.nonexistent.com.
|
||||
example.com. IN NS ns11.nonexistent.com.
|
||||
example.com. IN NS ns12.nonexistent.com.
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
@@ -204,18 +204,18 @@ RANGE_BEGIN 0 100
|
||||
SECTION ANSWER
|
||||
c.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns1.nonexistant.com.
|
||||
example.com. IN NS ns2.nonexistant.com.
|
||||
example.com. IN NS ns3.nonexistant.com.
|
||||
example.com. IN NS ns4.nonexistant.com.
|
||||
example.com. IN NS ns5.nonexistant.com.
|
||||
example.com. IN NS ns6.nonexistant.com.
|
||||
example.com. IN NS ns7.nonexistant.com.
|
||||
example.com. IN NS ns8.nonexistant.com.
|
||||
example.com. IN NS ns9.nonexistant.com.
|
||||
example.com. IN NS ns10.nonexistant.com.
|
||||
example.com. IN NS ns11.nonexistant.com.
|
||||
example.com. IN NS ns12.nonexistant.com.
|
||||
example.com. IN NS ns1.nonexistent.com.
|
||||
example.com. IN NS ns2.nonexistent.com.
|
||||
example.com. IN NS ns3.nonexistent.com.
|
||||
example.com. IN NS ns4.nonexistent.com.
|
||||
example.com. IN NS ns5.nonexistent.com.
|
||||
example.com. IN NS ns6.nonexistent.com.
|
||||
example.com. IN NS ns7.nonexistent.com.
|
||||
example.com. IN NS ns8.nonexistent.com.
|
||||
example.com. IN NS ns9.nonexistent.com.
|
||||
example.com. IN NS ns10.nonexistent.com.
|
||||
example.com. IN NS ns11.nonexistent.com.
|
||||
example.com. IN NS ns12.nonexistent.com.
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
@@ -227,18 +227,18 @@ RANGE_BEGIN 0 100
|
||||
SECTION ANSWER
|
||||
d.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns1.nonexistant.com.
|
||||
example.com. IN NS ns2.nonexistant.com.
|
||||
example.com. IN NS ns3.nonexistant.com.
|
||||
example.com. IN NS ns4.nonexistant.com.
|
||||
example.com. IN NS ns5.nonexistant.com.
|
||||
example.com. IN NS ns6.nonexistant.com.
|
||||
example.com. IN NS ns7.nonexistant.com.
|
||||
example.com. IN NS ns8.nonexistant.com.
|
||||
example.com. IN NS ns9.nonexistant.com.
|
||||
example.com. IN NS ns10.nonexistant.com.
|
||||
example.com. IN NS ns11.nonexistant.com.
|
||||
example.com. IN NS ns12.nonexistant.com.
|
||||
example.com. IN NS ns1.nonexistent.com.
|
||||
example.com. IN NS ns2.nonexistent.com.
|
||||
example.com. IN NS ns3.nonexistent.com.
|
||||
example.com. IN NS ns4.nonexistent.com.
|
||||
example.com. IN NS ns5.nonexistent.com.
|
||||
example.com. IN NS ns6.nonexistent.com.
|
||||
example.com. IN NS ns7.nonexistent.com.
|
||||
example.com. IN NS ns8.nonexistent.com.
|
||||
example.com. IN NS ns9.nonexistent.com.
|
||||
example.com. IN NS ns10.nonexistent.com.
|
||||
example.com. IN NS ns11.nonexistent.com.
|
||||
example.com. IN NS ns12.nonexistent.com.
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
@@ -259,18 +259,18 @@ a.example.com. IN A
|
||||
SECTION ANSWER
|
||||
a.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns1.nonexistant.com.
|
||||
example.com. IN NS ns2.nonexistant.com.
|
||||
example.com. IN NS ns3.nonexistant.com.
|
||||
example.com. IN NS ns4.nonexistant.com.
|
||||
example.com. IN NS ns5.nonexistant.com.
|
||||
example.com. IN NS ns6.nonexistant.com.
|
||||
example.com. IN NS ns7.nonexistant.com.
|
||||
example.com. IN NS ns8.nonexistant.com.
|
||||
example.com. IN NS ns9.nonexistant.com.
|
||||
example.com. IN NS ns10.nonexistant.com.
|
||||
example.com. IN NS ns11.nonexistant.com.
|
||||
example.com. IN NS ns12.nonexistant.com.
|
||||
example.com. IN NS ns1.nonexistent.com.
|
||||
example.com. IN NS ns2.nonexistent.com.
|
||||
example.com. IN NS ns3.nonexistent.com.
|
||||
example.com. IN NS ns4.nonexistent.com.
|
||||
example.com. IN NS ns5.nonexistent.com.
|
||||
example.com. IN NS ns6.nonexistent.com.
|
||||
example.com. IN NS ns7.nonexistent.com.
|
||||
example.com. IN NS ns8.nonexistent.com.
|
||||
example.com. IN NS ns9.nonexistent.com.
|
||||
example.com. IN NS ns10.nonexistent.com.
|
||||
example.com. IN NS ns11.nonexistent.com.
|
||||
example.com. IN NS ns12.nonexistent.com.
|
||||
ENTRY_END
|
||||
|
||||
; The child side nameservers are now known to Unbound
|
||||
@@ -293,18 +293,18 @@ b.example.com. IN A
|
||||
SECTION ANSWER
|
||||
b.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns1.nonexistant.com.
|
||||
example.com. IN NS ns2.nonexistant.com.
|
||||
example.com. IN NS ns3.nonexistant.com.
|
||||
example.com. IN NS ns4.nonexistant.com.
|
||||
example.com. IN NS ns5.nonexistant.com.
|
||||
example.com. IN NS ns6.nonexistant.com.
|
||||
example.com. IN NS ns7.nonexistant.com.
|
||||
example.com. IN NS ns8.nonexistant.com.
|
||||
example.com. IN NS ns9.nonexistant.com.
|
||||
example.com. IN NS ns10.nonexistant.com.
|
||||
example.com. IN NS ns11.nonexistant.com.
|
||||
example.com. IN NS ns12.nonexistant.com.
|
||||
example.com. IN NS ns1.nonexistent.com.
|
||||
example.com. IN NS ns2.nonexistent.com.
|
||||
example.com. IN NS ns3.nonexistent.com.
|
||||
example.com. IN NS ns4.nonexistent.com.
|
||||
example.com. IN NS ns5.nonexistent.com.
|
||||
example.com. IN NS ns6.nonexistent.com.
|
||||
example.com. IN NS ns7.nonexistent.com.
|
||||
example.com. IN NS ns8.nonexistent.com.
|
||||
example.com. IN NS ns9.nonexistent.com.
|
||||
example.com. IN NS ns10.nonexistent.com.
|
||||
example.com. IN NS ns11.nonexistent.com.
|
||||
example.com. IN NS ns12.nonexistent.com.
|
||||
ENTRY_END
|
||||
|
||||
; Query a third time, this will get the cached NXDOMAINs (no NX counter for
|
||||
@@ -330,18 +330,18 @@ c.example.com. IN A
|
||||
SECTION ANSWER
|
||||
c.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns1.nonexistant.com.
|
||||
example.com. IN NS ns2.nonexistant.com.
|
||||
example.com. IN NS ns3.nonexistant.com.
|
||||
example.com. IN NS ns4.nonexistant.com.
|
||||
example.com. IN NS ns5.nonexistant.com.
|
||||
example.com. IN NS ns6.nonexistant.com.
|
||||
example.com. IN NS ns7.nonexistant.com.
|
||||
example.com. IN NS ns8.nonexistant.com.
|
||||
example.com. IN NS ns9.nonexistant.com.
|
||||
example.com. IN NS ns10.nonexistant.com.
|
||||
example.com. IN NS ns11.nonexistant.com.
|
||||
example.com. IN NS ns12.nonexistant.com.
|
||||
example.com. IN NS ns1.nonexistent.com.
|
||||
example.com. IN NS ns2.nonexistent.com.
|
||||
example.com. IN NS ns3.nonexistent.com.
|
||||
example.com. IN NS ns4.nonexistent.com.
|
||||
example.com. IN NS ns5.nonexistent.com.
|
||||
example.com. IN NS ns6.nonexistent.com.
|
||||
example.com. IN NS ns7.nonexistent.com.
|
||||
example.com. IN NS ns8.nonexistent.com.
|
||||
example.com. IN NS ns9.nonexistent.com.
|
||||
example.com. IN NS ns10.nonexistent.com.
|
||||
example.com. IN NS ns11.nonexistent.com.
|
||||
example.com. IN NS ns12.nonexistent.com.
|
||||
ENTRY_END
|
||||
|
||||
; Allow for the nameserver glue to expire
|
||||
@@ -365,18 +365,18 @@ d.example.com. IN A
|
||||
SECTION ANSWER
|
||||
d.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns1.nonexistant.com.
|
||||
example.com. IN NS ns2.nonexistant.com.
|
||||
example.com. IN NS ns3.nonexistant.com.
|
||||
example.com. IN NS ns4.nonexistant.com.
|
||||
example.com. IN NS ns5.nonexistant.com.
|
||||
example.com. IN NS ns6.nonexistant.com.
|
||||
example.com. IN NS ns7.nonexistant.com.
|
||||
example.com. IN NS ns8.nonexistant.com.
|
||||
example.com. IN NS ns9.nonexistant.com.
|
||||
example.com. IN NS ns10.nonexistant.com.
|
||||
example.com. IN NS ns11.nonexistant.com.
|
||||
example.com. IN NS ns12.nonexistant.com.
|
||||
example.com. IN NS ns1.nonexistent.com.
|
||||
example.com. IN NS ns2.nonexistent.com.
|
||||
example.com. IN NS ns3.nonexistent.com.
|
||||
example.com. IN NS ns4.nonexistent.com.
|
||||
example.com. IN NS ns5.nonexistent.com.
|
||||
example.com. IN NS ns6.nonexistent.com.
|
||||
example.com. IN NS ns7.nonexistent.com.
|
||||
example.com. IN NS ns8.nonexistent.com.
|
||||
example.com. IN NS ns9.nonexistent.com.
|
||||
example.com. IN NS ns10.nonexistent.com.
|
||||
example.com. IN NS ns11.nonexistent.com.
|
||||
example.com. IN NS ns12.nonexistent.com.
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
||||
|
||||
+10
-10
@@ -51,7 +51,7 @@ RANGE_BEGIN 0 100
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
nonexistant.com. IN A
|
||||
nonexistent.com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
@@ -81,14 +81,14 @@ RANGE_BEGIN 0 100
|
||||
SECTION QUESTION
|
||||
example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns1.nonexistant.com.
|
||||
example.com. IN NS ns2.nonexistant.com.
|
||||
example.com. IN NS ns3.nonexistant.com.
|
||||
example.com. IN NS ns4.nonexistant.com.
|
||||
example.com. IN NS ns5.nonexistant.com.
|
||||
example.com. IN NS ns6.nonexistant.com.
|
||||
example.com. IN NS ns7.nonexistant.com.
|
||||
example.com. IN NS ns8.nonexistant.com.
|
||||
example.com. IN NS ns1.nonexistent.com.
|
||||
example.com. IN NS ns2.nonexistent.com.
|
||||
example.com. IN NS ns3.nonexistent.com.
|
||||
example.com. IN NS ns4.nonexistent.com.
|
||||
example.com. IN NS ns5.nonexistent.com.
|
||||
example.com. IN NS ns6.nonexistent.com.
|
||||
example.com. IN NS ns7.nonexistent.com.
|
||||
example.com. IN NS ns8.nonexistent.com.
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
@@ -96,7 +96,7 @@ RANGE_BEGIN 0 100
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NXDOMAIN
|
||||
SECTION QUESTION
|
||||
nonexistant.com. IN A
|
||||
nonexistent.com. IN A
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
|
||||
+81
-2
@@ -11,6 +11,7 @@ server:
|
||||
# Use a fixed and faked date for DNSSEC validation to avoid run-time
|
||||
# re-signing test signatures.
|
||||
val-override-date: "20161001003725"
|
||||
fake-sha1: yes
|
||||
|
||||
define-tag: "cname cname2 nx servfail sec ambiguous"
|
||||
access-control-tag: 127.0.0.1/32 "cname cname2 nx servfail sec"
|
||||
@@ -56,6 +57,14 @@ server:
|
||||
local-zone: synth.cname redirect
|
||||
local-data: "synth.cname. IN CNAME *.from.resolution."
|
||||
|
||||
# CNAME is pointing to a downstream auth zone
|
||||
local-zone: authdown.example.net. redirect
|
||||
local-data: "authdown.example.net. IN CNAME downstream.zone."
|
||||
|
||||
# CNAME is pointing to an upstream auth zone
|
||||
local-zone: authup.example.net. redirect
|
||||
local-data: "authup.example.net. IN CNAME upstream.zone."
|
||||
|
||||
### template zone and tag intended to be used for tests with CNAME and
|
||||
### other data.
|
||||
##local-zone: ambiguous.example.com redirect
|
||||
@@ -66,14 +75,45 @@ server:
|
||||
##@TAGDATA1@
|
||||
##@TAGDATA2@
|
||||
|
||||
|
||||
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
|
||||
# send the queries to the test server (see the 10.0.10.3 entries below)
|
||||
forward-zone:
|
||||
name: "."
|
||||
forward-addr: 10.0.10.3
|
||||
|
||||
auth-zone:
|
||||
name: "downstream.zone."
|
||||
for-downstream: yes
|
||||
for-upstream: no
|
||||
fallback-enabled: no
|
||||
## this line generates zonefile: \n"/tmp/xxx.downstream.zone"\n
|
||||
zonefile:
|
||||
TEMPFILE_NAME downstream.zone
|
||||
## this is the inline file /tmp/xxx.downstream.zone
|
||||
## the tempfiles are deleted when the testrun is over.
|
||||
TEMPFILE_CONTENTS downstream.zone
|
||||
$ORIGIN downstream.zone.
|
||||
@ 3600 IN SOA a b 1 2 3 4 5
|
||||
@ IN TXT "hello from downstream auth zone"
|
||||
TEMPFILE_END
|
||||
|
||||
server: domain-insecure: upstream.zone.
|
||||
auth-zone:
|
||||
name: "upstream.zone."
|
||||
for-downstream: no
|
||||
for-upstream: yes
|
||||
fallback-enabled: no
|
||||
## this line generates zonefile: \n"/tmp/xxx.upstream.zone"\n
|
||||
zonefile:
|
||||
TEMPFILE_NAME upstream.zone
|
||||
## this is the inline file /tmp/xxx.upstream.zone
|
||||
## the tempfiles are deleted when the testrun is over.
|
||||
TEMPFILE_CONTENTS upstream.zone
|
||||
$ORIGIN upstream.zone.
|
||||
@ 3600 IN SOA a b 1 2 3 4 5
|
||||
@ IN TXT "hello from upstream auth zone"
|
||||
TEMPFILE_END
|
||||
CONFIG_END
|
||||
|
||||
; short one-line description of scenario:
|
||||
@@ -524,5 +564,44 @@ SECTION AUTHORITY
|
||||
SECTION ADDITIONAL
|
||||
ENTRY_END
|
||||
|
||||
STEP 290 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD DO
|
||||
SECTION QUESTION
|
||||
authdown.example.net. IN TXT
|
||||
ENTRY_END
|
||||
|
||||
STEP 300 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR AA RD RA DO NOERROR
|
||||
SECTION QUESTION
|
||||
authdown.example.net. IN TXT
|
||||
SECTION ANSWER
|
||||
authdown.example.net. IN CNAME downstream.zone.
|
||||
downstream.zone. IN TXT "hello from downstream auth zone"
|
||||
SECTION AUTHORITY
|
||||
SECTION ADDITIONAL
|
||||
ENTRY_END
|
||||
|
||||
STEP 310 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD DO
|
||||
SECTION QUESTION
|
||||
authup.example.net. IN TXT
|
||||
ENTRY_END
|
||||
|
||||
STEP 320 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR AA RD RA DO NOERROR
|
||||
SECTION QUESTION
|
||||
authup.example.net. IN TXT
|
||||
SECTION ANSWER
|
||||
authup.example.net. IN CNAME upstream.zone.
|
||||
upstream.zone. IN TXT "hello from upstream auth zone"
|
||||
SECTION AUTHORITY
|
||||
SECTION ADDITIONAL
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
||||
|
||||
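Review bot: The `fake-sha1: yes` line near the top of this section, which by the hunk header's +1 count appears to be the line added there, carries no comment explaining why this scenario needs it, even though the neighbouring `val-override-date` line does. As far as I can tell from its name, fake-sha1 is a debug option that short-circuits real SHA-1 signature verification, so a reader copying this config block as a template could silently weaken validation; please confirm the exact semantics against unbound.conf(5). I would add directly above it: `# Test-only: the scenario's signatures are SHA-1 based, and fake-sha1 lets them validate regardless of the crypto library's SHA-1 support. Never enable outside the test harness.` The `server: domain-insecure: upstream.zone.` one-liner further down would likewise benefit from a note that it exists because the unsigned upstream.zone auth zone would otherwise fail validation under the forced date.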
@@ -0,0 +1,2 @@
|
||||
redis.com. IN SOA server. ma.il 1 2 3 4 5
|
||||
redis.com. IN A 2.2.2.2
|
||||
@@ -0,0 +1,2 @@
|
||||
redis.com. IN SOA server. ma.il 1 2 3 4 5
|
||||
redis.com. IN A 1.1.1.1
|
||||
+583
@@ -0,0 +1,583 @@
|
||||
###
|
||||
### Settings for this test ###################################################
|
||||
###
|
||||
|
||||
# Accept connections on the specified port, default is 6379 (IANA #815344).
|
||||
# If port 0 is specified Redis will not listen on a TCP socket.
|
||||
port 0
|
||||
|
||||
# Unix socket.
|
||||
#
|
||||
# Specify the path for the Unix socket that will be used to listen for
|
||||
# incoming connections. There is no default, so Redis will not listen
|
||||
# on a unix socket when not specified.
|
||||
#
|
||||
unixsocket @SOCKET@
|
||||
# unixsocketperm 700
|
||||
|
||||
# By default Redis does not run as a daemon. Use 'yes' if you need it.
|
||||
# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
|
||||
# When Redis is supervised by upstart or systemd, this parameter has no impact.
|
||||
daemonize no
|
||||
|
||||
# Specify the server verbosity level.
|
||||
# This can be one of:
|
||||
# debug (a lot of information, useful for development/testing)
|
||||
# verbose (many rarely useful info, but not a mess like the debug level)
|
||||
# notice (moderately verbose, what you want in production probably)
|
||||
# warning (only very important / critical messages are logged)
|
||||
# nothing (nothing is logged)
|
||||
loglevel notice
|
||||
|
||||
# Specify the log file name. Also the empty string can be used to force
|
||||
# Redis to log on the standard output. Note that if you use standard
|
||||
# output for logging but daemonize, logs will be sent to /dev/null
|
||||
logfile @LOGFILE@
|
||||
|
||||
# To enable logging to the system logger, just set 'syslog-enabled' to yes,
|
||||
# and optionally update the other syslog parameters to suit your needs.
|
||||
syslog-enabled no
|
||||
|
||||
# Set the number of databases. The default database is DB 0, you can select
|
||||
# a different one on a per-connection basis using SELECT <dbid> where
|
||||
# dbid is a number between 0 and 'databases'-1
|
||||
databases 2
|
||||
|
||||
# Snapshotting can be completely disabled with a single empty string argument
|
||||
# as in following example:
|
||||
#
|
||||
save ""
|
||||
|
||||
# The working directory.
|
||||
#
|
||||
# The DB will be written inside this directory, with the filename specified
|
||||
# above using the 'dbfilename' configuration directive.
|
||||
#
|
||||
# The Append Only File will also be created inside this directory.
|
||||
#
|
||||
# Note that you must specify a directory here, not a file name.
|
||||
dir .
|
||||
|
||||
###
|
||||
### Rest of the default Redis settings #######################################
|
||||
###
|
||||
|
||||
bind 127.0.0.1 -::1
|
||||
|
||||
# When protected mode is on and the default user has no password, the server
|
||||
# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address
|
||||
# (::1) or Unix domain sockets.
|
||||
protected-mode yes
|
||||
|
||||
# TCP listen() backlog.
|
||||
#
|
||||
# In high requests-per-second environments you need a high backlog in order
|
||||
# to avoid slow clients connection issues. Note that the Linux kernel
|
||||
# will silently truncate it to the value of /proc/sys/net/core/somaxconn so
|
||||
# make sure to raise both the value of somaxconn and tcp_max_syn_backlog
|
||||
# in order to get the desired effect.
|
||||
tcp-backlog 511
|
||||
|
||||
# Close the connection after a client is idle for N seconds (0 to disable)
|
||||
timeout 0
|
||||
|
||||
# TCP keepalive.
|
||||
# A reasonable value for this option is 300 seconds, which is the new
|
||||
# Redis default starting with Redis 3.2.1.
|
||||
tcp-keepalive 300
|
||||
|
||||
# By default Redis shows an ASCII art logo only when started to log to the
|
||||
# standard output and if the standard output is a TTY and syslog logging is
|
||||
# disabled. Basically this means that normally a logo is displayed only in
|
||||
# interactive sessions.
|
||||
#
|
||||
# However it is possible to force the pre-4.0 behavior and always show a
|
||||
# ASCII art logo in startup logs by setting the following option to yes.
|
||||
always-show-logo no
|
||||
|
||||
# By default, Redis modifies the process title (as seen in 'top' and 'ps') to
|
||||
# provide some runtime information. It is possible to disable this and leave
|
||||
# the process name as executed by setting the following to no.
|
||||
set-proc-title yes
|
||||
|
||||
# When changing the process title, Redis uses the following template to construct
|
||||
# the modified title.
|
||||
#
|
||||
# Template variables are specified in curly brackets. The following variables are
|
||||
# supported:
|
||||
#
|
||||
# {title} Name of process as executed if parent, or type of child process.
|
||||
# {listen-addr} Bind address or '*' followed by TCP or TLS port listening on, or
|
||||
# Unix socket if only that's available.
|
||||
# {server-mode} Special mode, i.e. "[sentinel]" or "[cluster]".
|
||||
# {port} TCP port listening on, or 0.
|
||||
# {tls-port} TLS port listening on, or 0.
|
||||
# {unixsocket} Unix domain socket listening on, or "".
|
||||
# {config-file} Name of configuration file used.
|
||||
#
|
||||
proc-title-template "{title} {listen-addr} {server-mode}"
|
||||
|
||||
# Set the local environment which is used for string comparison operations, and
|
||||
# also affect the performance of Lua scripts. Empty String indicates the locale
|
||||
# is derived from the environment variables.
|
||||
#locale-collate ""
|
||||
|
||||
# By default Redis will stop accepting writes if RDB snapshots are enabled
|
||||
# (at least one save point) and the latest background save failed.
|
||||
# This will make the user aware (in a hard way) that data is not persisting
|
||||
# on disk properly, otherwise chances are that no one will notice and some
|
||||
# disaster will happen.
|
||||
#
|
||||
# If the background saving process will start working again Redis will
|
||||
# automatically allow writes again.
|
||||
#
|
||||
# However if you have setup your proper monitoring of the Redis server
|
||||
# and persistence, you may want to disable this feature so that Redis will
|
||||
# continue to work as usual even if there are problems with disk,
|
||||
# permissions, and so forth.
|
||||
stop-writes-on-bgsave-error yes
|
||||
|
||||
# Compress string objects using LZF when dump .rdb databases?
|
||||
# By default compression is enabled as it's almost always a win.
|
||||
# If you want to save some CPU in the saving child set it to 'no' but
|
||||
# the dataset will likely be bigger if you have compressible values or keys.
|
||||
rdbcompression yes
|
||||
|
||||
# Since version 5 of RDB a CRC64 checksum is placed at the end of the file.
|
||||
# This makes the format more resistant to corruption but there is a performance
|
||||
# hit to pay (around 10%) when saving and loading RDB files, so you can disable it
|
||||
# for maximum performances.
|
||||
#
|
||||
# RDB files created with checksum disabled have a checksum of zero that will
|
||||
# tell the loading code to skip the check.
|
||||
rdbchecksum yes
|
||||
|
||||
# The filename where to dump the DB
|
||||
dbfilename redis.rdb
|
||||
|
||||
# Remove RDB files used by replication in instances without persistence
|
||||
# enabled. By default this option is disabled, however there are environments
|
||||
# where for regulations or other security concerns, RDB files persisted on
|
||||
# disk by masters in order to feed replicas, or stored on disk by replicas
|
||||
# in order to load them for the initial synchronization, should be deleted
|
||||
# ASAP. Note that this option ONLY WORKS in instances that have both AOF
|
||||
# and RDB persistence disabled, otherwise is completely ignored.
|
||||
#
|
||||
# An alternative (and sometimes better) way to obtain the same effect is
|
||||
# to use diskless replication on both master and replicas instances. However
|
||||
# in the case of replicas, diskless is not always an option.
|
||||
rdb-del-sync-files no
|
||||
|
||||
# When a replica loses its connection with the master, or when the replication
|
||||
# is still in progress, the replica can act in two different ways:
|
||||
#
|
||||
# 1) if replica-serve-stale-data is set to 'yes' (the default) the replica will
|
||||
# still reply to client requests, possibly with out of date data, or the
|
||||
# data set may just be empty if this is the first synchronization.
|
||||
#
|
||||
# 2) If replica-serve-stale-data is set to 'no' the replica will reply with error
|
||||
# "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'"
|
||||
# to all data access commands, excluding commands such as:
|
||||
# INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
|
||||
# UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST,
|
||||
# HOST and LATENCY.
|
||||
#
|
||||
replica-serve-stale-data yes
|
||||
|
||||
# You can configure a replica instance to accept writes or not. Writing against
|
||||
# a replica instance may be useful to store some ephemeral data (because data
|
||||
# written on a replica will be easily deleted after resync with the master) but
|
||||
# may also cause problems if clients are writing to it because of a
|
||||
# misconfiguration.
|
||||
#
|
||||
# Since Redis 2.6 by default replicas are read-only.
|
||||
#
|
||||
# Note: read only replicas are not designed to be exposed to untrusted clients
|
||||
# on the internet. It's just a protection layer against misuse of the instance.
|
||||
# Still a read only replica exports by default all the administrative commands
|
||||
# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve
|
||||
# security of read only replicas using 'rename-command' to shadow all the
|
||||
# administrative / dangerous commands.
|
||||
replica-read-only yes
|
||||
|
||||
# Replication SYNC strategy: disk or socket.
|
||||
#
|
||||
# New replicas and reconnecting replicas that are not able to continue the
|
||||
# replication process just receiving differences, need to do what is called a
|
||||
# "full synchronization". An RDB file is transmitted from the master to the
|
||||
# replicas.
|
||||
#
|
||||
# The transmission can happen in two different ways:
|
||||
#
|
||||
# 1) Disk-backed: The Redis master creates a new process that writes the RDB
|
||||
# file on disk. Later the file is transferred by the parent
|
||||
# process to the replicas incrementally.
|
||||
# 2) Diskless: The Redis master creates a new process that directly writes the
|
||||
# RDB file to replica sockets, without touching the disk at all.
|
||||
#
|
||||
# With disk-backed replication, while the RDB file is generated, more replicas
|
||||
# can be queued and served with the RDB file as soon as the current child
|
||||
# producing the RDB file finishes its work. With diskless replication instead
|
||||
# once the transfer starts, new replicas arriving will be queued and a new
|
||||
# transfer will start when the current one terminates.
|
||||
#
|
||||
# When diskless replication is used, the master waits a configurable amount of
|
||||
# time (in seconds) before starting the transfer in the hope that multiple
|
||||
# replicas will arrive and the transfer can be parallelized.
|
||||
#
|
||||
# With slow disks and fast (large bandwidth) networks, diskless replication
|
||||
# works better.
|
||||
repl-diskless-sync yes
|
||||
|
||||
# When diskless replication is enabled, it is possible to configure the delay
|
||||
# the server waits in order to spawn the child that transfers the RDB via socket
|
||||
# to the replicas.
|
||||
#
|
||||
# This is important since once the transfer starts, it is not possible to serve
|
||||
# new replicas arriving, that will be queued for the next RDB transfer, so the
|
||||
# server waits a delay in order to let more replicas arrive.
|
||||
#
|
||||
# The delay is specified in seconds, and by default is 5 seconds. To disable
|
||||
# it entirely just set it to 0 seconds and the transfer will start ASAP.
|
||||
repl-diskless-sync-delay 5
|
||||
|
||||
# When diskless replication is enabled with a delay, it is possible to let
|
||||
# the replication start before the maximum delay is reached if the maximum
|
||||
# number of replicas expected have connected. Default of 0 means that the
|
||||
# maximum is not defined and Redis will wait the full delay.
|
||||
#repl-diskless-sync-max-replicas 0
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# WARNING: Since in this setup the replica does not immediately store an RDB on
|
||||
# disk, it may cause data loss during failovers. RDB diskless load + Redis
|
||||
# modules not handling I/O reads may cause Redis to abort in case of I/O errors
|
||||
# during the initial synchronization stage with the master.
|
||||
# -----------------------------------------------------------------------------
|
||||
#
|
||||
# Replica can load the RDB it reads from the replication link directly from the
|
||||
# socket, or store the RDB to a file and read that file after it was completely
|
||||
# received from the master.
|
||||
#
|
||||
# In many cases the disk is slower than the network, and storing and loading
|
||||
# the RDB file may increase replication time (and even increase the master's
|
||||
# Copy on Write memory and replica buffers).
|
||||
# However, when parsing the RDB file directly from the socket, in order to avoid
|
||||
# data loss it's only safe to flush the current dataset when the new dataset is
|
||||
# fully loaded in memory, resulting in higher memory usage.
|
||||
# For this reason we have the following options:
|
||||
#
|
||||
# "disabled" - Don't use diskless load (store the rdb file to the disk first)
|
||||
# "swapdb" - Keep current db contents in RAM while parsing the data directly
|
||||
# from the socket. Replicas in this mode can keep serving current
|
||||
# dataset while replication is in progress, except for cases where
|
||||
# they can't recognize master as having a data set from same
|
||||
# replication history.
|
||||
# Note that this requires sufficient memory, if you don't have it,
|
||||
# you risk an OOM kill.
|
||||
# "on-empty-db" - Use diskless load only when current dataset is empty. This is
|
||||
# safer and avoid having old and new dataset loaded side by side
|
||||
# during replication.
|
||||
repl-diskless-load disabled
|
||||
|
||||
# Master send PINGs to its replicas in a predefined interval. It's possible to
|
||||
# change this interval with the repl_ping_replica_period option. The default
|
||||
# value is 10 seconds.
|
||||
#
|
||||
# repl-ping-replica-period 10
|
||||
|
||||
# The following option sets the replication timeout for:
|
||||
#
|
||||
# 1) Bulk transfer I/O during SYNC, from the point of view of replica.
|
||||
# 2) Master timeout from the point of view of replicas (data, pings).
|
||||
# 3) Replica timeout from the point of view of masters (REPLCONF ACK pings).
|
||||
#
|
||||
# It is important to make sure that this value is greater than the value
|
||||
# specified for repl-ping-replica-period otherwise a timeout will be detected
|
||||
# every time there is low traffic between the master and the replica. The default
|
||||
# value is 60 seconds.
|
||||
#
|
||||
# repl-timeout 60
|
||||
|
||||
# Disable TCP_NODELAY on the replica socket after SYNC?
|
||||
#
|
||||
# If you select "yes" Redis will use a smaller number of TCP packets and
|
||||
# less bandwidth to send data to replicas. But this can add a delay for
|
||||
# the data to appear on the replica side, up to 40 milliseconds with
|
||||
# Linux kernels using a default configuration.
|
||||
#
|
||||
# If you select "no" the delay for data to appear on the replica side will
|
||||
# be reduced but more bandwidth will be used for replication.
|
||||
#
|
||||
# By default we optimize for low latency, but in very high traffic conditions
|
||||
# or when the master and replicas are many hops away, turning this to "yes" may
|
||||
# be a good idea.
|
||||
repl-disable-tcp-nodelay no
|
||||
|
||||
# The replica priority is an integer number published by Redis in the INFO
|
||||
# output. It is used by Redis Sentinel in order to select a replica to promote
|
||||
# into a master if the master is no longer working correctly.
|
||||
#
|
||||
# A replica with a low priority number is considered better for promotion, so
|
||||
# for instance if there are three replicas with priority 10, 100, 25 Sentinel
|
||||
# will pick the one with priority 10, that is the lowest.
|
||||
#
|
||||
# However a special priority of 0 marks the replica as not able to perform the
|
||||
# role of master, so a replica with priority of 0 will never be selected by
|
||||
# Redis Sentinel for promotion.
|
||||
#
|
||||
# By default the priority is 100.
|
||||
replica-priority 100
|
||||
|
||||
# ACL LOG
|
||||
#
|
||||
# The ACL Log tracks failed commands and authentication events associated
|
||||
# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked
|
||||
# by ACLs. The ACL Log is stored in memory. You can reclaim memory with
|
||||
# ACL LOG RESET. Define the maximum entry length of the ACL Log below.
|
||||
acllog-max-len 128
|
||||
|
||||
lazyfree-lazy-eviction no
|
||||
lazyfree-lazy-expire no
|
||||
lazyfree-lazy-server-del no
|
||||
replica-lazy-flush no
|
||||
|
||||
# It is also possible, for the case when to replace the user code DEL calls
|
||||
# with UNLINK calls is not easy, to modify the default behavior of the DEL
|
||||
# command to act exactly like UNLINK, using the following configuration
|
||||
# directive:
|
||||
lazyfree-lazy-user-del no
|
||||
|
||||
# FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous
|
||||
# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the
|
||||
# commands. When neither flag is passed, this directive will be used to determine
|
||||
# if the data should be deleted asynchronously.
|
||||
lazyfree-lazy-user-flush no
|
||||
|
||||
# On Linux, it is possible to hint the kernel OOM killer on what processes
|
||||
# should be killed first when out of memory.
|
||||
#
|
||||
# Enabling this feature makes Redis actively control the oom_score_adj value
|
||||
# for all its processes, depending on their role. The default scores will
|
||||
# attempt to have background child processes killed before all others, and
|
||||
# replicas killed before masters.
|
||||
#
|
||||
# Redis supports these options:
|
||||
#
|
||||
# no: Don't make changes to oom-score-adj (default).
|
||||
# yes: Alias to "relative" see below.
|
||||
# absolute: Values in oom-score-adj-values are written as is to the kernel.
|
||||
# relative: Values are used relative to the initial value of oom_score_adj when
|
||||
# the server starts and are then clamped to a range of -1000 to 1000.
|
||||
# Because typically the initial value is 0, they will often match the
|
||||
# absolute values.
|
||||
oom-score-adj no
|
||||
|
||||
# When oom-score-adj is used, this directive controls the specific values used
|
||||
# for master, replica and background child processes. Values range -2000 to
|
||||
# 2000 (higher means more likely to be killed).
|
||||
#
|
||||
# Unprivileged processes (not root, and without CAP_SYS_RESOURCE capabilities)
|
||||
# can freely increase their value, but not decrease it below its initial
|
||||
# settings. This means that setting oom-score-adj to "relative" and setting the
|
||||
# oom-score-adj-values to positive values will always succeed.
|
||||
oom-score-adj-values 0 200 800
|
||||
|
||||
# Usually the kernel Transparent Huge Pages control is set to "madvise" or
|
||||
# or "never" by default (/sys/kernel/mm/transparent_hugepage/enabled), in which
|
||||
# case this config has no effect. On systems in which it is set to "always",
|
||||
# redis will attempt to disable it specifically for the redis process in order
|
||||
# to avoid latency problems specifically with fork(2) and CoW.
|
||||
# If for some reason you prefer to keep it enabled, you can set this config to
|
||||
# "no" and the kernel global to "always".
|
||||
disable-thp yes
|
||||
|
||||
# By default Redis asynchronously dumps the dataset on disk. This mode is
|
||||
# good enough in many applications, but an issue with the Redis process or
|
||||
# a power outage may result into a few minutes of writes lost (depending on
|
||||
# the configured save points).
|
||||
#
|
||||
# The Append Only File is an alternative persistence mode that provides
|
||||
# much better durability. For instance using the default data fsync policy
|
||||
# (see later in the config file) Redis can lose just one second of writes in a
|
||||
# dramatic event like a server power outage, or a single write if something
|
||||
# wrong with the Redis process itself happens, but the operating system is
|
||||
# still running correctly.
|
||||
#
|
||||
# AOF and RDB persistence can be enabled at the same time without problems.
|
||||
# If the AOF is enabled on startup Redis will load the AOF, that is the file
|
||||
# with the better durability guarantees.
|
||||
#
|
||||
# Please check https://redis.io/topics/persistence for more information.
|
||||
appendonly no
|
||||
|
||||
# The following time is expressed in microseconds, so 1000000 is equivalent
|
||||
# to one second. Note that a negative number disables the slow log, while
|
||||
# a value of zero forces the logging of every command.
|
||||
slowlog-log-slower-than 10000
|
||||
|
||||
# There is no limit to this length. Just be aware that it will consume memory.
|
||||
# You can reclaim memory used by the slow log with SLOWLOG RESET.
|
||||
slowlog-max-len 128
|
||||
|
||||
# By default latency monitoring is disabled since it is mostly not needed
|
||||
# if you don't have latency issues, and collecting data has a performance
|
||||
# impact, that while very small, can be measured under big load. Latency
|
||||
# monitoring can easily be enabled at runtime using the command
|
||||
# "CONFIG SET latency-monitor-threshold <milliseconds>" if needed.
|
||||
latency-monitor-threshold 0
|
||||
|
||||
# By default all notifications are disabled because most users don't need
|
||||
# this feature and the feature has some overhead. Note that if you don't
|
||||
# specify at least one of K or E, no events will be delivered.
|
||||
notify-keyspace-events ""
|
||||
|
||||
# Hashes are encoded using a memory efficient data structure when they have a
|
||||
# small number of entries, and the biggest entry does not exceed a given
|
||||
# threshold. These thresholds can be configured using the following directives.
|
||||
#hash-max-listpack-entries 512
|
||||
#hash-max-listpack-value 64
|
||||
|
||||
# Lists are also encoded in a special way to save a lot of space.
|
||||
# The number of entries allowed per internal list node can be specified
|
||||
# as a fixed maximum size or a maximum number of elements.
|
||||
# For a fixed maximum size, use -5 through -1, meaning:
|
||||
# -5: max size: 64 Kb <-- not recommended for normal workloads
|
||||
# -4: max size: 32 Kb <-- not recommended
|
||||
# -3: max size: 16 Kb <-- probably not recommended
|
||||
# -2: max size: 8 Kb <-- good
|
||||
# -1: max size: 4 Kb <-- good
|
||||
# Positive numbers mean store up to _exactly_ that number of elements
|
||||
# per list node.
|
||||
# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
|
||||
# but if your use case is unique, adjust the settings as necessary.
|
||||
#list-max-listpack-size -2
|
||||
|
||||
# Lists may also be compressed.
|
||||
# Compress depth is the number of quicklist ziplist nodes from *each* side of
|
||||
# the list to *exclude* from compression. The head and tail of the list
|
||||
# are always uncompressed for fast push/pop operations. Settings are:
|
||||
# 0: disable all list compression
|
||||
# 1: depth 1 means "don't start compressing until after 1 node into the list,
|
||||
# going from either the head or tail"
|
||||
# So: [head]->node->node->...->node->[tail]
|
||||
# [head], [tail] will always be uncompressed; inner nodes will compress.
|
||||
# 2: [head]->[next]->node->node->...->node->[prev]->[tail]
|
||||
# 2 here means: don't compress head or head->next or tail->prev or tail,
|
||||
# but compress all nodes between them.
|
||||
# 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail]
|
||||
# etc.
|
||||
list-compress-depth 0
|
||||
|
||||
# Sets have a special encoding when a set is composed
|
||||
# of just strings that happen to be integers in radix 10 in the range
|
||||
# of 64 bit signed integers.
|
||||
# The following configuration setting sets the limit in the size of the
|
||||
# set in order to use this special memory saving encoding.
|
||||
set-max-intset-entries 512
|
||||
|
||||
# Sets containing non-integer values are also encoded using a memory efficient
|
||||
# data structure when they have a small number of entries, and the biggest entry
|
||||
# does not exceed a given threshold. These thresholds can be configured using
|
||||
# the following directives.
|
||||
#set-max-listpack-entries 128
|
||||
#set-max-listpack-value 64
|
||||
|
||||
# Similarly to hashes and lists, sorted sets are also specially encoded in
|
||||
# order to save a lot of space. This encoding is only used when the length and
|
||||
# elements of a sorted set are below the following limits:
|
||||
#zset-max-listpack-entries 128
|
||||
#zset-max-listpack-value 64
|
||||
|
||||
# HyperLogLog sparse representation bytes limit. The limit includes the
|
||||
# 16 bytes header. When a HyperLogLog using the sparse representation crosses
|
||||
# this limit, it is converted into the dense representation.
|
||||
#
|
||||
# A value greater than 16000 is totally useless, since at that point the
|
||||
# dense representation is more memory efficient.
|
||||
#
|
||||
# The suggested value is ~ 3000 in order to have the benefits of
|
||||
# the space efficient encoding without slowing down too much PFADD,
|
||||
# which is O(N) with the sparse encoding. The value can be raised to
|
||||
# ~ 10000 when CPU is not a concern, but space is, and the data set is
|
||||
# composed of many HyperLogLogs with cardinality in the 0 - 15000 range.
|
||||
hll-sparse-max-bytes 3000
|
||||
|
||||
# Streams macro node max size / items. The stream data structure is a radix
|
||||
# tree of big nodes that encode multiple items inside. Using this configuration
|
||||
# it is possible to configure how big a single node can be in bytes, and the
|
||||
# maximum number of items it may contain before switching to a new node when
|
||||
# appending new stream entries. If any of the following settings are set to
|
||||
# zero, the limit is ignored, so for instance it is possible to set just a
|
||||
# max entries limit by setting max-bytes to 0 and max-entries to the desired
|
||||
# value.
|
||||
stream-node-max-bytes 4096
|
||||
stream-node-max-entries 100
|
||||
|
||||
# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
|
||||
# order to help rehashing the main Redis hash table (the one mapping top-level
|
||||
# keys to values). The hash table implementation Redis uses (see dict.c)
|
||||
# performs a lazy rehashing: the more operation you run into a hash table
|
||||
# that is rehashing, the more rehashing "steps" are performed, so if the
|
||||
# server is idle the rehashing is never complete and some more memory is used
|
||||
# by the hash table.
|
||||
#
|
||||
# The default is to use this millisecond 10 times every second in order to
|
||||
# actively rehash the main dictionaries, freeing memory when possible.
|
||||
#
|
||||
# If unsure:
|
||||
# use "activerehashing no" if you have hard latency requirements and it is
|
||||
# not a good thing in your environment that Redis can reply from time to time
|
||||
# to queries with 2 milliseconds delay.
|
||||
#
|
||||
# use "activerehashing yes" if you don't have such hard requirements but
|
||||
# want to free memory asap when possible.
|
||||
activerehashing yes
|
||||
|
||||
# The client output buffer limits can be used to force disconnection of clients
|
||||
# that are not reading data from the server fast enough for some reason (a
|
||||
# common reason is that a Pub/Sub client can't consume messages as fast as the
|
||||
# publisher can produce them).
|
||||
#
|
||||
# Both the hard or the soft limit can be disabled by setting them to zero.
|
||||
client-output-buffer-limit normal 0 0 0
|
||||
client-output-buffer-limit replica 256mb 64mb 60
|
||||
client-output-buffer-limit pubsub 32mb 8mb 60
|
||||
|
||||
# Redis calls an internal function to perform many background tasks, like
|
||||
# closing connections of clients in timeout, purging expired keys that are
|
||||
# never requested, and so forth.
|
||||
#
|
||||
# Not all tasks are performed with the same frequency, but Redis checks for
|
||||
# tasks to perform according to the specified "hz" value.
|
||||
#
|
||||
# By default "hz" is set to 10. Raising the value will use more CPU when
|
||||
# Redis is idle, but at the same time will make Redis more responsive when
|
||||
# there are many keys expiring at the same time, and timeouts may be
|
||||
# handled with more precision.
|
||||
#
|
||||
# The range is between 1 and 500, however a value over 100 is usually not
|
||||
# a good idea. Most users should use the default of 10 and raise this up to
|
||||
# 100 only in environments where very low latency is required.
|
||||
hz 10
|
||||
|
||||
# When dynamic HZ is enabled, the actual configured HZ will be used
|
||||
# as a baseline, but multiples of the configured HZ value will be actually
|
||||
# used as needed once more clients are connected. In this way an idle
|
||||
# instance will use very little CPU time while a busy instance will be
|
||||
# more responsive.
|
||||
dynamic-hz yes
|
||||
|
||||
# When a child rewrites the AOF file, if the following option is enabled
|
||||
# the file will be fsync-ed every 4 MB of data generated. This is useful
|
||||
# in order to commit the file to the disk more incrementally and avoid
|
||||
# big latency spikes.
|
||||
aof-rewrite-incremental-fsync yes
|
||||
|
||||
# When redis saves RDB file, if the following option is enabled
|
||||
# the file will be fsync-ed every 4 MB of data generated. This is useful
|
||||
# in order to commit the file to the disk more incrementally and avoid
|
||||
# big latency spikes.
|
||||
rdb-save-incremental-fsync yes
|
||||
|
||||
# Jemalloc background thread for purging will be enabled by default
|
||||
jemalloc-bg-thread yes
|
||||
@@ -0,0 +1,33 @@
|
||||
server:
|
||||
verbosity: 7
|
||||
num-threads: 1
|
||||
interface: 127.0.0.1
|
||||
port: @PORT@
|
||||
use-syslog: no
|
||||
directory: ""
|
||||
pidfile: "unbound.pid"
|
||||
chroot: ""
|
||||
username: ""
|
||||
module-config: "cachedb iterator"
|
||||
root-key-sentinel: no
|
||||
trust-anchor-signaling: no
|
||||
log-time-ascii: yes
|
||||
log-time-iso: yes
|
||||
cachedb:
|
||||
backend: redis
|
||||
redis-server-path: @REDIS_SOCKET@
|
||||
redis-replica-server-path: @REDIS_REPLICA_SOCKET@
|
||||
auth-zone:
|
||||
name: "redis.com"
|
||||
for-upstream: yes
|
||||
for-downstream: no
|
||||
zonefile: "redis.zone"
|
||||
remote-control:
|
||||
control-enable: yes
|
||||
control-interface: 127.0.0.1
|
||||
# control-interface: ::1
|
||||
control-port: @CONTROL_PORT@
|
||||
server-key-file: "unbound_server.key"
|
||||
server-cert-file: "unbound_server.pem"
|
||||
control-key-file: "unbound_control.key"
|
||||
control-cert-file: "unbound_control.pem"
|
||||
@@ -0,0 +1,16 @@
|
||||
BaseName: redis_reconnect_interval
|
||||
Version: 1.0
|
||||
Description: Test redis reconnect interval
|
||||
CreationDate: Thu 24 July 09:29:09 CEST 2025
|
||||
Maintainer: Wouter Wijngaards
|
||||
Category:
|
||||
Component:
|
||||
CmdDepends:
|
||||
Depends:
|
||||
Help:
|
||||
Pre: redis_reconnect_interval.pre
|
||||
Post: redis_reconnect_interval.post
|
||||
Test: redis_reconnect_interval.test
|
||||
AuxFiles:
|
||||
Passed:
|
||||
Failure:
|
||||
@@ -0,0 +1,18 @@
|
||||
# #-- redis_reconnect_interval.post --#
|
||||
# source the master var file when it's there
|
||||
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
|
||||
# source the test var file when it's there
|
||||
[ -f .tpkg.var.test ] && source .tpkg.var.test
|
||||
#
|
||||
# do your teardown here
|
||||
. ../common.sh
|
||||
kill_pid $REDIS_PID
|
||||
kill_pid $REDIS_REPLICA_PID
|
||||
kill_pid $UNBOUND_PID
|
||||
echo "> cat logfiles"
|
||||
echo "redis server.log"
|
||||
cat server.log
|
||||
echo "redis replica.log"
|
||||
cat replica.log
|
||||
echo "unbound.log"
|
||||
cat unbound.log
|
||||
@@ -0,0 +1,46 @@
|
||||
# #-- redis_reconnect_interval.pre--#
|
||||
# source the master var file when it's there
|
||||
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
|
||||
# use .tpkg.var.test for in test variable passing
|
||||
[ -f .tpkg.var.test ] && source .tpkg.var.test
|
||||
|
||||
PRE="../.."
|
||||
. ../common.sh
|
||||
|
||||
if grep "define USE_REDIS 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi
|
||||
|
||||
get_random_port 2
|
||||
UNBOUND_PORT=$RND_PORT
|
||||
CONTROL_PORT=$(($RND_PORT + 1))
|
||||
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
|
||||
echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
|
||||
|
||||
REDIS_SOCKET=server.sock
|
||||
REDIS_REPLICA_SOCKET=replica.sock
|
||||
echo "REDIS_SOCKET=$REDIS_SOCKET" >> .tpkg.var.test
|
||||
echo "REDIS_REPLICA_SOCKET=$REDIS_REPLICA_SOCKET" >> .tpkg.var.test
|
||||
|
||||
# start redis
|
||||
sed -e 's/@SOCKET\@/'$REDIS_SOCKET'/' -e 's/@LOGFILE\@/server.log/' < redis.conf > server.conf
|
||||
redis-server server.conf &
|
||||
REDIS_PID=$!
|
||||
echo "REDIS_PID=$REDIS_PID" >> .tpkg.var.test
|
||||
|
||||
# start redis replica
|
||||
sed -e 's/@SOCKET\@/'$REDIS_REPLICA_SOCKET'/' -e 's/@LOGFILE\@/replica.log/' < redis.conf > replica.conf
|
||||
redis-server replica.conf &
|
||||
REDIS_REPLICA_PID=$!
|
||||
echo "REDIS_REPLICA_PID=$REDIS_REPLICA_PID" >> .tpkg.var.test
|
||||
|
||||
# Copy initial zonefile
|
||||
cp before.zone redis.zone
|
||||
|
||||
# make config file
|
||||
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@REDIS_SOCKET\@/'$REDIS_SOCKET'/' -e 's/@REDIS_REPLICA_SOCKET\@/'$REDIS_REPLICA_SOCKET'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < redis_reconnect_interval.conf > ub.conf
|
||||
# start unbound in the background
|
||||
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
|
||||
UNBOUND_PID=$!
|
||||
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
|
||||
|
||||
cat .tpkg.var.test
|
||||
wait_unbound_up unbound.log
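Review bot: Nothing here waits for the two redis servers to be listening before the .test runs, because `redis-server server.conf &` at L31320 and `redis-server replica.conf &` at L31337 return immediately and only unbound is waited for at L31379, so the first `redis-cli ... keys "*"` in the .test can hit a `server.sock` that does not exist yet. A bounded wait on the sockets after each start would remove the race, e.g. `for i in 1 2 3 4 5 6 7 8 9 10; do [ -S $REDIS_SOCKET ] && break; sleep 0.2; done` (and the same for `$REDIS_REPLICA_SOCKET`). The skip check at L31278 only tests that unbound was compiled with `USE_REDIS`, not that a redis-server binary is installed, so on a host without redis the test fails on the `redis-server` invocation rather than skipping; `command -v redis-server >/dev/null 2>&1 || skip_test "redis-server not installed"` before the start lines would make that explicit.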
|
||||
@@ -0,0 +1,121 @@
|
||||
# #-- redis_reconnect_interval.test --#
|
||||
# source the master var file when it's there
|
||||
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
|
||||
# use .tpkg.var.test for in test variable passing
|
||||
[ -f .tpkg.var.test ] && source .tpkg.var.test
|
||||
|
||||
PRE="../.."
|
||||
. ../common.sh
|
||||
# do the test
|
||||
|
||||
# Check number of keys in the db
|
||||
# $1: socket to connect to
|
||||
# $2: expected number of keys
|
||||
redis_cli_check_keys () {
|
||||
echo "> redis-cli connecting to $1 to check number of keys; expecting $2"
|
||||
keys=$(redis-cli --no-raw -s $1 keys "*" | grep -vF empty | wc -l)
|
||||
if test $keys -ne $2
|
||||
then
|
||||
echo "Expected $2 keys, got $keys"
|
||||
exit 1
|
||||
fi
|
||||
echo "OK"
|
||||
}
|
||||
|
||||
# Query and check the expected result
|
||||
# $1: query
|
||||
# $2: expected answer
|
||||
expect_answer () {
|
||||
echo "> dig @127.0.0.1 -p $UNBOUND_PORT $1"
|
||||
dig @127.0.0.1 -p $UNBOUND_PORT $1 > tmp.answer
|
||||
if ! grep -F $2 tmp.answer
|
||||
then
|
||||
echo "Expected $2 in the answer, got:"
|
||||
cat tmp.answer
|
||||
exit 1
|
||||
fi
|
||||
echo "OK"
|
||||
}
|
||||
|
||||
# Start test
|
||||
|
||||
# check Redis server has no keys
|
||||
redis_cli_check_keys $REDIS_SOCKET 0
|
||||
|
||||
# check Redis replica server has no keys
|
||||
redis_cli_check_keys $REDIS_REPLICA_SOCKET 0
|
||||
|
||||
# query and check answer
|
||||
expect_answer redis.com 1.1.1.1
|
||||
|
||||
# check Redis server has 1 key
|
||||
redis_cli_check_keys $REDIS_SOCKET 1
|
||||
|
||||
# check Redis replica server has no keys
|
||||
redis_cli_check_keys $REDIS_REPLICA_SOCKET 0
|
||||
|
||||
# change auth zone and reload
|
||||
cp after.zone redis.zone
|
||||
echo "$PRE/unbound-control -c ub.conf reload"
|
||||
$PRE/unbound-control -c ub.conf reload
|
||||
if test $? -ne 0; then
|
||||
echo "wrong exit value after success"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# query and check answer
|
||||
# we are writing to server but reading from replica; which is not actually
|
||||
# replicating so the new answer will come through while overwriting the record
|
||||
# in the server.
|
||||
expect_answer redis.com 2.2.2.2
|
||||
|
||||
# check Redis server has 1 key
|
||||
redis_cli_check_keys $REDIS_SOCKET 1
|
||||
|
||||
# check Redis replica server has no keys
|
||||
redis_cli_check_keys $REDIS_REPLICA_SOCKET 0
|
||||
|
||||
echo "> OK"
|
||||
|
||||
# take down the redis server and observe reconnect attempts.
|
||||
# first the replica that it tries to read from.
|
||||
kill_pid $REDIS_REPLICA_PID
|
||||
$PRE/unbound-control -c ub.conf reload
|
||||
expect_answer redis.com 2.2.2.2
|
||||
# some more queries to exceed the limit on reconnects.
|
||||
expect_answer d1.redis.com NXDOMAIN
|
||||
expect_answer d2.redis.com NXDOMAIN
|
||||
expect_answer d3.redis.com NXDOMAIN
|
||||
expect_answer d4.redis.com NXDOMAIN
|
||||
expect_answer d5.redis.com NXDOMAIN
|
||||
# it has entered the wait period
|
||||
sleep 2
|
||||
expect_answer d6.redis.com NXDOMAIN
|
||||
|
||||
kill_pid $REDIS_PID
|
||||
$PRE/unbound-control -c ub.conf reload
|
||||
expect_answer redis.com 2.2.2.2
|
||||
expect_answer d1.redis.com NXDOMAIN
|
||||
expect_answer d2.redis.com NXDOMAIN
|
||||
expect_answer d3.redis.com NXDOMAIN
|
||||
expect_answer d4.redis.com NXDOMAIN
|
||||
expect_answer d5.redis.com NXDOMAIN
|
||||
# it has entered the wait period
|
||||
sleep 2
|
||||
expect_answer d6.redis.com NXDOMAIN
|
||||
|
||||
# bring up the redis server again.
|
||||
redis-server server.conf &
|
||||
REDIS_PID=$!
|
||||
echo "REDIS_PID=$REDIS_PID" >> .tpkg.var.test
|
||||
redis-server replica.conf &
|
||||
REDIS_REPLICA_PID=$!
|
||||
echo "REDIS_REPLICA_PID=$REDIS_REPLICA_PID" >> .tpkg.var.test
|
||||
|
||||
expect_answer d7.redis.com NXDOMAIN
|
||||
expect_answer d8.redis.com NXDOMAIN
|
||||
sleep 2
|
||||
expect_answer d9.redis.com NXDOMAIN
|
||||
expect_answer d10.redis.com NXDOMAIN
|
||||
|
||||
exit 0
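Review bot: `redis_cli_check_keys` derives `keys` from the line count of redis-cli's stdout, so when redis-cli cannot connect (the error goes to stderr, stdout is empty) `keys` is 0 and the `expecting 0` checks at L31506 and L31514 pass with Redis unreachable; add a reachability check before the count, e.g. `redis-cli -s $1 ping | grep -q PONG || { echo "redis at $1 not reachable"; exit 1; }`. The reconnect phase from L31613 onwards only asserts answers (2.2.2.2, NXDOMAIN) that the redis.com auth-zone produces whether or not the cachedb backend is connected, so the test cannot fail if the new throttling never engages; with `verbosity: 7` in the config, grepping unbound.log after each `sleep 2` for the backend's reconnect-wait and successful-reconnect log lines (their exact text is in the cachedb/redis.c hunk, not visible here) and exiting 1 when absent would make the assertion real. After the servers are restarted at L31689 and L31698 nothing confirms that writes resumed; if the pattern at L31522-L31530 can be repeated for a name that is not yet in unbound's cache, a `redis_cli_check_keys $REDIS_SOCKET 1` on the restarted server would show it. The `sleep 2` at L31643 and L31678 presumably relies on the default reconnect interval being shorter than two seconds; setting the interval explicitly in the test .conf would make that dependency visible.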
|
||||
@@ -0,0 +1,39 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA
|
||||
1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ
|
||||
F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR
|
||||
ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm
|
||||
vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb
|
||||
IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL
|
||||
cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr
|
||||
lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov
|
||||
15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf
|
||||
LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+
|
||||
Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57
|
||||
YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9
|
||||
whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c
|
||||
lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax
|
||||
tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ
|
||||
U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9
|
||||
Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc
|
||||
Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3
|
||||
ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+
|
||||
1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN
|
||||
b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz
|
||||
ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C
|
||||
TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF
|
||||
tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y
|
||||
aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0
|
||||
A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU
|
||||
LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U
|
||||
R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy
|
||||
7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj
|
||||
7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw
|
||||
jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1
|
||||
BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar
|
||||
kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR
|
||||
qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3
|
||||
VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9
|
||||
MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa
|
||||
C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
@@ -0,0 +1,22 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx
|
||||
EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw
|
||||
WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA
|
||||
A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv
|
||||
OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj
|
||||
1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl
|
||||
NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht
|
||||
A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/
|
||||
Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB
|
||||
TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/
|
||||
nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My
|
||||
+i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj
|
||||
4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83
|
||||
hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU
|
||||
9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn
|
||||
ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ
|
||||
pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD
|
||||
72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ
|
||||
muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP
|
||||
uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte
|
||||
-----END CERTIFICATE-----
|
||||
@@ -0,0 +1,39 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
|
||||
0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
|
||||
GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
|
||||
uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
|
||||
WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
|
||||
FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
|
||||
q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
|
||||
A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
|
||||
7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
|
||||
XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
|
||||
iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
|
||||
2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
|
||||
MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
|
||||
WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
|
||||
O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
|
||||
IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
|
||||
qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
|
||||
dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
|
||||
bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
|
||||
YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
|
||||
7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
|
||||
gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
|
||||
5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
|
||||
ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
|
||||
oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
|
||||
s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
|
||||
zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
|
||||
ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
|
||||
oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
|
||||
BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
|
||||
mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
|
||||
kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
|
||||
7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
|
||||
RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
|
||||
jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
|
||||
O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
|
||||
MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
@@ -0,0 +1,22 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
|
||||
EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
|
||||
WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
|
||||
igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
|
||||
a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
|
||||
4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
|
||||
aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
|
||||
TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
|
||||
uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
|
||||
+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
|
||||
XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
|
||||
dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
|
||||
84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
|
||||
JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
|
||||
fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
|
||||
XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
|
||||
qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
|
||||
sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
|
||||
yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
|
||||
CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
|
||||
-----END CERTIFICATE-----
|
||||
Vendored
+190
@@ -0,0 +1,190 @@
|
||||
; config options
|
||||
server:
|
||||
module-config: "respip validator iterator"
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
qname-minimisation: no
|
||||
access-control: 192.0.0.0/8 allow
|
||||
|
||||
rpz:
|
||||
name: "rpz.example.com."
|
||||
rpz-log: yes
|
||||
rpz-log-name: "rpz.example.com"
|
||||
zonefile:
|
||||
TEMPFILE_NAME rpz.example.com
|
||||
TEMPFILE_CONTENTS rpz.example.com
|
||||
$ORIGIN example.com.
|
||||
rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
|
||||
1379078166 28800 7200 604800 7200 )
|
||||
3600 IN NS ns1.rpz.example.com.
|
||||
3600 IN NS ns2.rpz.example.com.
|
||||
$ORIGIN rpz.example.com.
|
||||
*.gotham5.a CNAME static.gotham6.a.
|
||||
*.gotham7.a.rpz-nsdname CNAME static.gotham8.a.
|
||||
TEMPFILE_END
|
||||
|
||||
stub-zone:
|
||||
name: "a."
|
||||
stub-addr: 10.20.30.40
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test RPZ with CNAME with a wildcarded qname trigger after it.
|
||||
|
||||
; a.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 10.20.30.40
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
gotham.a. IN NS
|
||||
SECTION AUTHORITY
|
||||
gotham.a. NS ns1.gotham.a.
|
||||
SECTION ADDITIONAL
|
||||
ns1.gotham.a. A 10.20.30.41
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
gotham2.a. IN NS
|
||||
SECTION AUTHORITY
|
||||
gotham2.a. NS ns1.gotham2.a.
|
||||
SECTION ADDITIONAL
|
||||
ns1.gotham2.a. A 10.20.30.42
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
gotham6.a. IN NS
|
||||
SECTION AUTHORITY
|
||||
gotham6.a. NS ns1.gotham6.a.
|
||||
SECTION ADDITIONAL
|
||||
ns1.gotham6.a. A 10.20.30.46
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
gotham7.a. IN NS
|
||||
SECTION AUTHORITY
|
||||
gotham7.a. NS ns1.gotham7.a.
|
||||
SECTION ADDITIONAL
|
||||
ns1.gotham7.a. A 10.20.30.47
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
gotham8.a. IN NS
|
||||
SECTION AUTHORITY
|
||||
gotham8.a. NS ns1.gotham8.a.
|
||||
SECTION ADDITIONAL
|
||||
ns1.gotham8.a. A 10.20.30.48
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; gotham.a.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 10.20.30.41
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
www.gotham.a. IN A
|
||||
SECTION ANSWER
|
||||
www.gotham.a. CNAME host.gotham5.a.
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; gotham2.a.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 10.20.30.42
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
www.gotham2.a. IN A
|
||||
SECTION ANSWER
|
||||
www.gotham2.a. CNAME host.gotham7.a.
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; gotham6.a.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 10.20.30.46
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
static.gotham6.a. IN A
|
||||
SECTION ANSWER
|
||||
static.gotham6.a. A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; gotham8.a.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 10.20.30.48
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
static.gotham8.a. IN A
|
||||
SECTION ANSWER
|
||||
static.gotham8.a. A 1.2.3.5
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
STEP 10 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.gotham.a. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 20 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.gotham.a. IN A
|
||||
SECTION ANSWER
|
||||
www.gotham.a. CNAME host.gotham5.a.
|
||||
host.gotham5.a CNAME static.gotham6.a.
|
||||
static.gotham6.a. A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
STEP 30 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.gotham2.a. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 40 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.gotham2.a. IN A
|
||||
SECTION ANSWER
|
||||
www.gotham2.a. CNAME host.gotham7.a.
|
||||
host.gotham7.a CNAME static.gotham8.a.
|
||||
static.gotham8.a. A 1.2.3.5
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
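Review bot: The scenario description at L32196 mentions only a "wildcarded qname trigger", but the second query (STEP 30/40) is rewritten through the wildcard nsdname trigger `*.gotham7.a.rpz-nsdname` from L32174, so the description undersells what the file covers; suggest `SCENARIO_BEGIN Test RPZ with CNAME followed by a wildcarded qname trigger and a wildcarded nsdname trigger.` The expected CNAME owners at L32596 and L32651 (`host.gotham5.a CNAME ...`, `host.gotham7.a CNAME ...`) lack the trailing dot while every other name in the scenario is written fully qualified; testbound presumably parses them as absolute anyway, but writing `host.gotham5.a.` and `host.gotham7.a.` keeps the file consistent and avoids a reader wondering whether a relative name was intended.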
|
||||