import unbound 1.25.1

This commit is contained in:
Dag-Erling Smørgrav
2026-05-22 16:09:04 +02:00
parent 4dd0a17edc
commit 22e58f330a
35 changed files with 3420 additions and 1953 deletions
Vendored
+453 -292
View File
File diff suppressed because it is too large Load Diff
Vendored
+1056 -293
View File
File diff suppressed because it is too large Load Diff
+3 -2
View File
@@ -12,14 +12,14 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing # must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1]) m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[25]) m4_define([VERSION_MINOR],[25])
m4_define([VERSION_MICRO],[0]) m4_define([VERSION_MICRO],[1])
AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound]) AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=9 LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=36 LIBUNBOUND_REVISION=37
LIBUNBOUND_AGE=1 LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0 # 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0 # 1.0.1 had 0:13:0
@@ -123,6 +123,7 @@ LIBUNBOUND_AGE=1
# 1.24.1 had 9:34:1 # 1.24.1 had 9:34:1
# 1.24.2 had 9:35:1 # 1.24.2 had 9:35:1
# 1.25.0 had 9:36:1 # 1.25.0 had 9:36:1
# 1.25.1 had 9:37:1
# Current -- the number of the binary API that we're implementing # Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary # Revision -- which iteration of the implementation of the binary
+1 -1
View File
@@ -361,7 +361,7 @@ dnscrypt_server_uncurve(struct dnsc_env* env,
len -= DNSCRYPT_QUERY_HEADER_SIZE; len -= DNSCRYPT_QUERY_HEADER_SIZE;
while (*sldns_buffer_at(buffer, --len) == 0) while (len>0 && *sldns_buffer_at(buffer, --len) == 0)
; ;
if (*sldns_buffer_at(buffer, len) != 0x80) { if (*sldns_buffer_at(buffer, len) != 0x80) {
+30
View File
@@ -1,3 +1,33 @@
20 May 2026: Wouter
- Fix CVE-2026-33278, Possible remote code execution during DNSSEC
validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-42944, Heap overflow and crash with multiple nsid,
cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto
Networks, for the report.
- Fix CVE-2026-42959, Crash during DNSSEC validation of malicious
content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew
Griffiths from 'calif.io' for the report.
- Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan
Zhang, Palo Alto Networks, for the report.
- Fix CVE-2026-41292, Parsing a long list of incoming EDNS options
degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan
Zhang from Palo Alto Networks, for the report.
- Fix CVE-2026-42534, Jostle logic bypass degrades resolution
performance. Thanks to Qifan Zhang, Palo Alto Networks, for the
report.
- Fix CVE-2026-42923, Degradation of service with unbounded NSEC3
hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for
the report.
- Fix CVE-2026-42960, Possible cache poisoning attack while following
delegation. Thanks to TaoFei Guo from Peking University, Yang Luo
and JianJun Chen, Tsinghua University, for the report.
- Fix CVE-2026-44390, Unbounded name compression in certain cases
causes degradation of service. Thanks to Qifan Zhang, Palo Alto
Networks, for the report.
- Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks
to Qifan Zhang, Palo Alto Networks, for the report.
23 April 2026: Wouter 23 April 2026: Wouter
- Merge #1441: Fix buffer overrun in - Merge #1441: Fix buffer overrun in
doq_repinfo_retrieve_localaddr(). doq_repinfo_retrieve_localaddr().
+1 -1
View File
@@ -1,4 +1,4 @@
README for Unbound 1.25.0 README for Unbound 1.25.1
Copyright 2007 NLnet Labs Copyright 2007 NLnet Labs
http://unbound.net http://unbound.net
+1 -1
View File
@@ -1,7 +1,7 @@
# #
# Example configuration file. # Example configuration file.
# #
# See unbound.conf(5) man page, version 1.25.0. # See unbound.conf(5) man page, version 1.25.1.
# #
# this is a comment. # this is a comment.
+2 -2
View File
@@ -27,9 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
.. ..
.TH "LIBUNBOUND" "3" "Apr 29, 2026" "1.25.0" "Unbound" .TH "LIBUNBOUND" "3" "May 20, 2026" "1.25.1" "Unbound"
.SH NAME .SH NAME
libunbound \- Unbound DNS validating resolver 1.25.0 functions. libunbound \- Unbound DNS validating resolver 1.25.1 functions.
.SH SYNOPSIS .SH SYNOPSIS
.sp .sp
\fB#include <unbound.h>\fP \fB#include <unbound.h>\fP
+2 -2
View File
@@ -27,9 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
.. ..
.TH "UNBOUND-ANCHOR" "8" "Apr 29, 2026" "1.25.0" "Unbound" .TH "UNBOUND-ANCHOR" "8" "May 20, 2026" "1.25.1" "Unbound"
.SH NAME .SH NAME
unbound-anchor \- Unbound 1.25.0 anchor utility. unbound-anchor \- Unbound 1.25.1 anchor utility.
.SH SYNOPSIS .SH SYNOPSIS
.sp .sp
\fBunbound\-anchor\fP [\fBopts\fP] \fBunbound\-anchor\fP [\fBopts\fP]
+2 -2
View File
@@ -27,9 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
.. ..
.TH "UNBOUND-CHECKCONF" "8" "Apr 29, 2026" "1.25.0" "Unbound" .TH "UNBOUND-CHECKCONF" "8" "May 20, 2026" "1.25.1" "Unbound"
.SH NAME .SH NAME
unbound-checkconf \- Check Unbound 1.25.0 configuration file for errors. unbound-checkconf \- Check Unbound 1.25.1 configuration file for errors.
.SH SYNOPSIS .SH SYNOPSIS
.sp .sp
\fBunbound\-checkconf\fP [\fB\-hf\fP] [\fB\-o option\fP] [cfgfile] \fBunbound\-checkconf\fP [\fB\-hf\fP] [\fB\-o option\fP] [cfgfile]
+2 -2
View File
@@ -27,9 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
.. ..
.TH "UNBOUND-CONTROL" "8" "Apr 29, 2026" "1.25.0" "Unbound" .TH "UNBOUND-CONTROL" "8" "May 20, 2026" "1.25.1" "Unbound"
.SH NAME .SH NAME
unbound-control \- Unbound 1.25.0 remote server control utility. unbound-control \- Unbound 1.25.1 remote server control utility.
.SH SYNOPSIS .SH SYNOPSIS
.sp .sp
\fBunbound\-control\fP [\fB\-hq\fP] [\fB\-c cfgfile\fP] [\fB\-s server\fP] command \fBunbound\-control\fP [\fB\-hq\fP] [\fB\-c cfgfile\fP] [\fB\-s server\fP] command
+2 -2
View File
@@ -27,9 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
.. ..
.TH "UNBOUND-HOST" "1" "Apr 29, 2026" "1.25.0" "Unbound" .TH "UNBOUND-HOST" "1" "May 20, 2026" "1.25.1" "Unbound"
.SH NAME .SH NAME
unbound-host \- Unbound 1.25.0 DNS lookup utility. unbound-host \- Unbound 1.25.1 DNS lookup utility.
.SH SYNOPSIS .SH SYNOPSIS
.sp .sp
\fBunbound\-host\fP [\fB\-C configfile\fP] [\fB\-vdhr46D\fP] [\fB\-c class\fP] \fBunbound\-host\fP [\fB\-C configfile\fP] [\fB\-vdhr46D\fP] [\fB\-c class\fP]
+2 -2
View File
@@ -27,9 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
.. ..
.TH "UNBOUND" "8" "Apr 29, 2026" "1.25.0" "Unbound" .TH "UNBOUND" "8" "May 20, 2026" "1.25.1" "Unbound"
.SH NAME .SH NAME
unbound \- Unbound DNS validating resolver 1.25.0. unbound \- Unbound DNS validating resolver 1.25.1.
.SH SYNOPSIS .SH SYNOPSIS
.sp .sp
\fBunbound\fP [\fB\-hdpVv\fP] [\fB\-c <cfgfile>\fP] \fBunbound\fP [\fB\-hdpVv\fP] [\fB\-c <cfgfile>\fP]
+2 -2
View File
@@ -27,9 +27,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
.. ..
.TH "UNBOUND.CONF" "5" "Apr 29, 2026" "1.25.0" "Unbound" .TH "UNBOUND.CONF" "5" "May 20, 2026" "1.25.1" "Unbound"
.SH NAME .SH NAME
unbound.conf \- Unbound 1.25.0 configuration file. unbound.conf \- Unbound 1.25.1 configuration file.
.SH SYNOPSIS .SH SYNOPSIS
.sp .sp
\fBunbound.conf\fP \fBunbound.conf\fP
+87 -47
View File
@@ -1,7 +1,7 @@
#!/usr/bin/sh #!/usr/bin/sh
# install - install a program, script, or datafile # install - install a program, script, or datafile
scriptversion=2013-12-25.23; # UTC scriptversion=2024-06-19.01; # UTC
# This originates from X11R5 (mit/util/scripts/install.sh), which was # This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the # later released in X11R6 (xc/config/util/install.sh) with the
@@ -69,6 +69,11 @@ posix_mkdir=
# Desired mode of installed file. # Desired mode of installed file.
mode=0755 mode=0755
# Create dirs (including intermediate dirs) using mode 755.
# This is like GNU 'install' as of coreutils 8.32 (2020).
mkdir_umask=22
backupsuffix=
chgrpcmd= chgrpcmd=
chmodcmd=$chmodprog chmodcmd=$chmodprog
chowncmd= chowncmd=
@@ -99,19 +104,29 @@ Options:
--version display version info and exit. --version display version info and exit.
-c (ignored) -c (ignored)
-C install only if different (preserve the last data modification time) -C install only if different (preserve data modification time)
-d create directories instead of installing files. -d create directories instead of installing files.
-g GROUP $chgrpprog installed files to GROUP. -g GROUP $chgrpprog installed files to GROUP.
-m MODE $chmodprog installed files to MODE. -m MODE $chmodprog installed files to MODE.
-o USER $chownprog installed files to USER. -o USER $chownprog installed files to USER.
-p pass -p to $cpprog.
-s $stripprog installed files. -s $stripprog installed files.
-S SUFFIX attempt to back up existing files, with suffix SUFFIX.
-t DIRECTORY install into DIRECTORY. -t DIRECTORY install into DIRECTORY.
-T report an error if DSTFILE is a directory. -T report an error if DSTFILE is a directory.
Environment variables override the default commands: Environment variables override the default commands:
CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
RMPROG STRIPPROG RMPROG STRIPPROG
"
By default, rm is invoked with -f; when overridden with RMPROG,
it's up to you to specify -f if you want it.
If -S is not specified, no backups are attempted.
Report bugs to <bug-automake@gnu.org>.
GNU Automake home page: <https://www.gnu.org/software/automake/>.
General help using GNU software: <https://www.gnu.org/gethelp/>."
while test $# -ne 0; do while test $# -ne 0; do
case $1 in case $1 in
@@ -137,8 +152,13 @@ while test $# -ne 0; do
-o) chowncmd="$chownprog $2" -o) chowncmd="$chownprog $2"
shift;; shift;;
-p) cpprog="$cpprog -p";;
-s) stripcmd=$stripprog;; -s) stripcmd=$stripprog;;
-S) backupsuffix="$2"
shift;;
-t) -t)
is_target_a_directory=always is_target_a_directory=always
dst_arg=$2 dst_arg=$2
@@ -150,7 +170,7 @@ while test $# -ne 0; do
-T) is_target_a_directory=never;; -T) is_target_a_directory=never;;
--version) echo "$0 $scriptversion"; exit $?;; --version) echo "$0 (GNU Automake) $scriptversion"; exit $?;;
--) shift --) shift
break;; break;;
@@ -255,6 +275,10 @@ do
dstdir=$dst dstdir=$dst
test -d "$dstdir" test -d "$dstdir"
dstdir_status=$? dstdir_status=$?
# Don't chown directories that already exist.
if test $dstdir_status = 0; then
chowncmd=""
fi
else else
# Waiting for this to be detected by the "$cpprog $src $dsttmp" command # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
@@ -271,15 +295,18 @@ do
fi fi
dst=$dst_arg dst=$dst_arg
# If destination is a directory, append the input filename; won't work # If destination is a directory, append the input filename.
# if double slashes aren't ignored.
if test -d "$dst"; then if test -d "$dst"; then
if test "$is_target_a_directory" = never; then if test "$is_target_a_directory" = never; then
echo "$0: $dst_arg: Is a directory" >&2 echo "$0: $dst_arg: Is a directory" >&2
exit 1 exit 1
fi fi
dstdir=$dst dstdir=$dst
dst=$dstdir/`basename "$src"` dstbase=`basename "$src"`
case $dst in
*/) dst=$dst$dstbase;;
*) dst=$dst/$dstbase;;
esac
dstdir_status=0 dstdir_status=0
else else
dstdir=`dirname "$dst"` dstdir=`dirname "$dst"`
@@ -288,27 +315,16 @@ do
fi fi
fi fi
case $dstdir in
*/) dstdirslash=$dstdir;;
*) dstdirslash=$dstdir/;;
esac
obsolete_mkdir_used=false obsolete_mkdir_used=false
if test $dstdir_status != 0; then if test $dstdir_status != 0; then
case $posix_mkdir in case $posix_mkdir in
'') '')
# Create intermediate dirs using mode 755 as modified by the umask.
# This is like FreeBSD 'install' as of 1997-10-28.
umask=`umask`
case $stripcmd.$umask in
# Optimize common cases.
*[2367][2367]) mkdir_umask=$umask;;
.*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
*[0-7])
mkdir_umask=`expr $umask + 22 \
- $umask % 100 % 40 + $umask % 20 \
- $umask % 10 % 4 + $umask % 2
`;;
*) mkdir_umask=$umask,go-w;;
esac
# With -d, create the new directory with the user-specified mode. # With -d, create the new directory with the user-specified mode.
# Otherwise, rely on $mkdir_umask. # Otherwise, rely on $mkdir_umask.
if test -n "$dir_arg"; then if test -n "$dir_arg"; then
@@ -318,43 +334,49 @@ do
fi fi
posix_mkdir=false posix_mkdir=false
case $umask in # The $RANDOM variable is not portable (e.g., dash). Use it
*[123567][0-7][0-7]) # here however when possible just to lower collision chance.
# POSIX mkdir -p sets u+wx bits regardless of umask, which
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
trap '
ret=$?
rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null
exit $ret
' 0
# Because "mkdir -p" follows existing symlinks and we likely work
# directly in world-writable /tmp, make sure that the '$tmpdir'
# directory is successfully created first before we actually test
# 'mkdir -p'.
if (umask $mkdir_umask && if (umask $mkdir_umask &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1 $mkdirprog $mkdir_mode "$tmpdir" &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
then then
if test -z "$dir_arg" || { if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m. # Check for POSIX incompatibility with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writable bit of parent directory when it shouldn't. # other-writable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory. # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
ls_ld_tmpdir=`ls -ld "$tmpdir"` test_tmpdir="$tmpdir/a"
ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
case $ls_ld_tmpdir in case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;; d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;; d????-?--*) different_mode=755;;
*) false;; *) false;;
esac && esac &&
$mkdirprog -m$different_mode -p -- "$tmpdir" && { $mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$tmpdir"` ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
} }
} }
then posix_mkdir=: then posix_mkdir=:
fi fi
rmdir "$tmpdir/d" "$tmpdir" rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
else else
# Remove any dirs left behind by ancient mkdir implementations. # Remove any dirs left behind by ancient mkdir implementations.
rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
fi fi
trap '' 0;; trap '' 0;;
esac;;
esac esac
if if
@@ -365,7 +387,7 @@ do
then : then :
else else
# The umask is ridiculous, or mkdir does not conform to POSIX, # mkdir does not conform to POSIX,
# or it failed possibly due to a race condition. Create the # or it failed possibly due to a race condition. Create the
# directory the slow way, step by step, checking for races as we go. # directory the slow way, step by step, checking for races as we go.
@@ -394,7 +416,7 @@ do
prefixes= prefixes=
else else
if $posix_mkdir; then if $posix_mkdir; then
(umask=$mkdir_umask && (umask $mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
# Don't fail if two instances are running concurrently. # Don't fail if two instances are running concurrently.
test -d "$prefix" || exit 1 test -d "$prefix" || exit 1
@@ -427,14 +449,25 @@ do
else else
# Make a couple of temp file names in the proper directory. # Make a couple of temp file names in the proper directory.
dsttmp=$dstdir/_inst.$$_ dsttmp=${dstdirslash}_inst.$$_
rmtmp=$dstdir/_rm.$$_ rmtmp=${dstdirslash}_rm.$$_
# Trap to clean up those temp files at exit. # Trap to clean up those temp files at exit.
trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
# Copy the file name to the temp name. # Copy the file name to the temp name.
(umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && (umask $cp_umask &&
{ test -z "$stripcmd" || {
# Create $dsttmp read-write so that cp doesn't create it read-only,
# which would cause strip to fail.
if test -z "$doit"; then
: >"$dsttmp" # No need to fork-exec 'touch'.
else
$doit touch "$dsttmp"
fi
}
} &&
$doit_exec $cpprog "$src" "$dsttmp") &&
# and set any options; do chmod last to preserve setuid bits. # and set any options; do chmod last to preserve setuid bits.
# #
@@ -460,6 +493,13 @@ do
then then
rm -f "$dsttmp" rm -f "$dsttmp"
else else
# If $backupsuffix is set, and the file being installed
# already exists, attempt a backup. Don't worry if it fails,
# e.g., if mv doesn't support -f.
if test -n "$backupsuffix" && test -f "$dst"; then
$doit $mvcmd -f "$dst" "$dst$backupsuffix" 2>/dev/null
fi
# Rename the file to the real destination. # Rename the file to the real destination.
$doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
@@ -474,9 +514,9 @@ do
# file should still install successfully. # file should still install successfully.
{ {
test ! -f "$dst" || test ! -f "$dst" ||
$doit $rmcmd -f "$dst" 2>/dev/null || $doit $rmcmd "$dst" 2>/dev/null ||
{ $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
{ $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } { $doit $rmcmd "$rmtmp" 2>/dev/null; :; }
} || } ||
{ echo "$0: cannot unlink or rename $dst" >&2 { echo "$0: cannot unlink or rename $dst" >&2
(exit 1); exit 1 (exit 1); exit 1
@@ -493,9 +533,9 @@ do
done done
# Local variables: # Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp) # eval: (add-hook 'before-save-hook 'time-stamp)
# time-stamp-start: "scriptversion=" # time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC" # time-stamp-time-zone: "UTC0"
# time-stamp-end: "; # UTC" # time-stamp-end: "; # UTC"
# End: # End:
+6
View File
@@ -777,6 +777,12 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
rrset->rrset_all_next = NULL; rrset->rrset_all_next = NULL;
return 1; return 1;
} }
/* Only mark glue as allowed for type NS in the authority
* section. Other RR types do not get glue for them, it
* is allowed from the answer section, but not authority
* so that a message can not have address records cached
* as a side effect to the query. */
if(rrset->type==LDNS_RR_TYPE_NS)
mark_additional_rrset(pkt, msg, rrset); mark_additional_rrset(pkt, msg, rrset);
prev = rrset; prev = rrset;
rrset = rrset->rrset_all_next; rrset = rrset->rrset_all_next;
+911 -543
View File
File diff suppressed because it is too large Load Diff
+7 -1
View File
@@ -712,10 +712,16 @@ struct dns_msg*
dns_msg_deepcopy_region(struct dns_msg* origin, struct regional* region) dns_msg_deepcopy_region(struct dns_msg* origin, struct regional* region)
{ {
size_t i; size_t i;
struct ub_packed_rrset_key** saved_rrsets;
struct dns_msg* res = NULL; struct dns_msg* res = NULL;
size_t rep_alloc_size = sizeof(struct reply_info)
- sizeof(struct rrset_ref); /* this is the size of res->rep
allocated in gen_dns_msg() */
res = gen_dns_msg(region, &origin->qinfo, origin->rep->rrset_count); res = gen_dns_msg(region, &origin->qinfo, origin->rep->rrset_count);
if(!res) return NULL; if(!res) return NULL;
*res->rep = *origin->rep; saved_rrsets = res->rep->rrsets; /* save rrsets alloc by gen_dns_msg */
memcpy(res->rep, origin->rep, rep_alloc_size);
res->rep->rrsets = saved_rrsets;
if(origin->rep->reason_bogus_str) { if(origin->rep->reason_bogus_str) {
res->rep->reason_bogus_str = regional_strdup(region, res->rep->reason_bogus_str = regional_strdup(region,
origin->rep->reason_bogus_str); origin->rep->reason_bogus_str);
+10
View File
@@ -149,6 +149,16 @@ need_to_update_rrset(void* nd, void* cd, time_t timenow, int equal, int ns)
if(equal && !TTL_IS_EXPIRED(cached->ttl, timenow) && if(equal && !TTL_IS_EXPIRED(cached->ttl, timenow) &&
cached->security == sec_status_bogus) cached->security == sec_status_bogus)
return 0; return 0;
/* ghost-domain: never let an NS overwrite extend lifetime
* past the entry it replaces, regardless of trust. */
if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) &&
newd->ttl > cached->ttl) {
size_t i;
newd->ttl = cached->ttl;
for(i=0; i<(newd->count+newd->rrsig_count); i++)
if(newd->rr_ttl[i] > newd->ttl)
newd->rr_ttl[i] = newd->ttl;
}
return 1; return 1;
} }
/* o item in cache has expired */ /* o item in cache has expired */
+9 -3
View File
@@ -297,12 +297,14 @@ int mesh_make_new_space(struct mesh_area* mesh, sldns_buffer* qbuf)
if(mesh->num_reply_states < mesh->max_reply_states) if(mesh->num_reply_states < mesh->max_reply_states)
return 1; return 1;
/* try to kick out a jostle-list item */ /* try to kick out a jostle-list item */
if(m && m->reply_list && m->list_select == mesh_jostle_list) { if(m && m->list_select == mesh_jostle_list) {
/* how old is it? */ /* how old is it? */
struct timeval age; struct timeval age;
if(m->has_first_reply_time)
timeval_subtract(&age, mesh->env->now_tv, timeval_subtract(&age, mesh->env->now_tv,
&m->reply_list->start_time); &m->first_reply_time);
if(timeval_smaller(&mesh->jostle_max, &age)) { if(!m->has_first_reply_time ||
timeval_smaller(&mesh->jostle_max, &age)) {
/* its a goner */ /* its a goner */
log_nametypeclass(VERB_ALGO, "query jostled out to " log_nametypeclass(VERB_ALGO, "query jostled out to "
"make space for a new one", "make space for a new one",
@@ -1995,6 +1997,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
r->qid = qid; r->qid = qid;
r->qflags = qflags; r->qflags = qflags;
r->start_time = *s->s.env->now_tv; r->start_time = *s->s.env->now_tv;
if(s->reply_list == NULL && !s->has_first_reply_time) {
s->first_reply_time = r->start_time;
s->has_first_reply_time = 1;
}
r->next = s->reply_list; r->next = s->reply_list;
r->qname = regional_alloc_init(s->s.region, qinfo->qname, r->qname = regional_alloc_init(s->s.region, qinfo->qname,
s->s.qinfo.qname_len); s->s.qinfo.qname_len);
+6
View File
@@ -191,6 +191,12 @@ struct mesh_state {
struct module_qstate s; struct module_qstate s;
/** the list of replies to clients for the results */ /** the list of replies to clients for the results */
struct mesh_reply* reply_list; struct mesh_reply* reply_list;
/** if it has a first reply time */
int has_first_reply_time;
/** wall-clock time the first client reply was attached;
* used by mesh_make_new_space() so duplicate retransmits
* cannot reset jostle aging. */
struct timeval first_reply_time;
/** the list of callbacks for the results */ /** the list of callbacks for the results */
struct mesh_cb* cb_list; struct mesh_cb* cb_list;
/** set of superstates (that want this state's result) /** set of superstates (that want this state's result)
+6 -4
View File
@@ -2469,6 +2469,7 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
{ {
struct auth_zones* az; struct auth_zones* az;
struct auth_zone* a; struct auth_zone* a;
struct dns_msg* ret = NULL;
struct clientip_synthesized_rr* raddr = NULL; struct clientip_synthesized_rr* raddr = NULL;
struct rpz* r = NULL; struct rpz* r = NULL;
struct local_zone* z = NULL; struct local_zone* z = NULL;
@@ -2512,13 +2513,11 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones, z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones,
is->qchase.qclass, &match); is->qchase.qclass, &match);
if(z != NULL) { if(z != NULL) {
lock_rw_unlock(&a->lock);
break; break;
} }
raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is); raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is);
if(raddr != NULL) { if(raddr != NULL) {
lock_rw_unlock(&a->lock);
break; break;
} }
lock_rw_unlock(&a->lock); lock_rw_unlock(&a->lock);
@@ -2533,9 +2532,12 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
if(z) { if(z) {
lock_rw_unlock(&z->lock); lock_rw_unlock(&z->lock);
} }
return rpz_apply_nsip_trigger(ms, &is->qchase, r, raddr, a); ret = rpz_apply_nsip_trigger(ms, &is->qchase, r, raddr, a);
} else {
ret = rpz_apply_nsdname_trigger(ms, &is->qchase, r, z, &match, a);
} }
return rpz_apply_nsdname_trigger(ms, &is->qchase, r, z, &match, a); lock_rw_unlock(&a->lock);
return ret;
} }
struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms, struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
+2 -2
View File
@@ -1092,7 +1092,7 @@ static void edns_ede_encode_notxt_fit_test( struct query_info* qinfo,
{ {
struct edns_data edns; struct edns_data edns;
sldns_buffer* pkt; sldns_buffer* pkt;
uint16_t edns_field_size, ede_txt_size; size_t edns_field_size, ede_txt_size;
int found_ede = 0, found_ede_other = 0, found_ede_txt = 0; int found_ede = 0, found_ede_other = 0, found_ede_txt = 0;
int found_other_edns = 0; int found_other_edns = 0;
edns_ede_encode_setup(&edns, region); edns_ede_encode_setup(&edns, region);
@@ -1123,7 +1123,7 @@ static void edns_ede_encode_no_fit_test( struct query_info* qinfo,
{ {
struct edns_data edns; struct edns_data edns;
sldns_buffer* pkt; sldns_buffer* pkt;
uint16_t edns_field_size, ede_size, ede_txt_size; size_t edns_field_size, ede_size, ede_txt_size;
int found_ede = 0, found_ede_other = 0, found_ede_txt = 0; int found_ede = 0, found_ede_other = 0, found_ede_txt = 0;
int found_other_edns = 0; int found_other_edns = 0;
edns_ede_encode_setup(&edns, region); edns_ede_encode_setup(&edns, region);
+9 -9
View File
@@ -120,12 +120,12 @@ example.com. IN SOA ns.example.com. hostmaster.example.com. 2007090400 28800 720
example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFCNGZ+/OfElYQMCZ77O9Lw9rhk7PAhUAmDcvTAst6Bq83qPq3r6c/Dm1nFc= ;{id = 2854} example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFCNGZ+/OfElYQMCZ77O9Lw9rhk7PAhUAmDcvTAst6Bq83qPq3r6c/Dm1nFc= ;{id = 2854}
; closest encloser, H(example.com). ; closest encloser, H(example.com).
6md8numosa4q9ugkffdo1bmm82t5j39s.example.com. NSEC3 1 1 8 - 6md8numosa4q9ugkffdo1bmm82t5j49s SOA NS MX DNSKEY RRSIG b6fuorg741ufili49mg9j4328ig53sqg.example.com. NSEC3 1 1 123 aabb00123456bbccdd b6fuorg741ufili49mg9j4328ig53sqh SOA NS MX DNSKEY RRSIG
6md8numosa4q9ugkffdo1bmm82t5j39s.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCz/LkFOFcaQzVnyySW9ZoVUnxh7gIUdxyS9vqVDzo8pGhFU+3YogN2ZRk= ;{id = 2854} b6fuorg741ufili49mg9j4328ig53sqg.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AJlV5car66lq5f0ASx7W47A/OADkARAXzKt9ZLojXze+FWK9JjAX+eA=
; wildcard denial, H(*.example.com.) = 4f3cnt8cu22tngec382jj4gde4rb47ub ; wildcard denial, H(*.example.com.) = k1a2vr9c269jummpru5d68qllbfmtdcb.
4f3cnt8cu22tngec382jj4gde4rb46ub.example.com. NSEC3 1 1 0 - 4f3cnt8cu22tngec382jj4gde4rb48ub A MX RRSIG k1a2vr9c269jummpru5d68qllbfmtacb.example.com. NSEC3 1 1 123 aabb00123456bbccdd k1a2vr9c269jummpru5d68qllbfmtgcb A MX RRSIG
4f3cnt8cu22tngec382jj4gde4rb46ub.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MCwCFHS+i/OB/V/gYmS1eQTXieXIXGjsAhQQ0Ql7TW/hsUklrb0DfoyhVPG95Q== ;{id = 2854} k1a2vr9c269jummpru5d68qllbfmtacb.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AARB9z4C1WZUI3WP3QAR7RJXFnN0qEBkEt8ocudxXzms4/7/2l6NNWc=
; next closer name, H(www.example.com.) = s1unhcti19bkdr98fegs0v46mbu3t4m3. ; next closer name, H(www.example.com.) = s1unhcti19bkdr98fegs0v46mbu3t4m3.
s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 A MX RRSIG s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 A MX RRSIG
@@ -152,10 +152,10 @@ SECTION ANSWER
SECTION AUTHORITY SECTION AUTHORITY
example.com. IN SOA ns.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000 example.com. IN SOA ns.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFCNGZ+/OfElYQMCZ77O9Lw9rhk7PAhUAmDcvTAst6Bq83qPq3r6c/Dm1nFc= ;{id = 2854} example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFCNGZ+/OfElYQMCZ77O9Lw9rhk7PAhUAmDcvTAst6Bq83qPq3r6c/Dm1nFc= ;{id = 2854}
6md8numosa4q9ugkffdo1bmm82t5j39s.example.com. NSEC3 1 1 8 - 6md8numosa4q9ugkffdo1bmm82t5j49s SOA NS MX DNSKEY RRSIG b6fuorg741ufili49mg9j4328ig53sqg.example.com. NSEC3 1 1 123 aabb00123456bbccdd b6fuorg741ufili49mg9j4328ig53sqh SOA NS MX DNSKEY RRSIG
6md8numosa4q9ugkffdo1bmm82t5j39s.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCz/LkFOFcaQzVnyySW9ZoVUnxh7gIUdxyS9vqVDzo8pGhFU+3YogN2ZRk= ;{id = 2854} b6fuorg741ufili49mg9j4328ig53sqg.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AJlV5car66lq5f0ASx7W47A/OADkARAXzKt9ZLojXze+FWK9JjAX+eA=
4f3cnt8cu22tngec382jj4gde4rb46ub.example.com. NSEC3 1 1 0 - 4f3cnt8cu22tngec382jj4gde4rb48ub A MX RRSIG k1a2vr9c269jummpru5d68qllbfmtacb.example.com. NSEC3 1 1 123 aabb00123456bbccdd k1a2vr9c269jummpru5d68qllbfmtgcb A MX RRSIG
4f3cnt8cu22tngec382jj4gde4rb46ub.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MCwCFHS+i/OB/V/gYmS1eQTXieXIXGjsAhQQ0Ql7TW/hsUklrb0DfoyhVPG95Q== ;{id = 2854} k1a2vr9c269jummpru5d68qllbfmtacb.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AARB9z4C1WZUI3WP3QAR7RJXFnN0qEBkEt8ocudxXzms4/7/2l6NNWc=
s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 A MX RRSIG s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 A MX RRSIG
s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFFSH4klZKke48dYyddYDj17gjTS0AhUAltWicpFLWqW98/Af9Qlx70MH8o4= ;{id = 2854} s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFFSH4klZKke48dYyddYDj17gjTS0AhUAltWicpFLWqW98/Af9Qlx70MH8o4= ;{id = 2854}
+12 -19
View File
@@ -89,6 +89,17 @@ ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION AUTHORITY
example.com. IN SOA ns.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFCNGZ+/OfElYQMCZ77O9Lw9rhk7PAhUAmDcvTAst6Bq83qPq3r6c/Dm1nFc= ;{id = 2854}
ENTRY_END
; response to DNSKEY priming query ; response to DNSKEY priming query
ENTRY_BEGIN ENTRY_BEGIN
MATCH opcode qtype qname MATCH opcode qtype qname
@@ -163,29 +174,11 @@ STEP 2 TIME_PASSES ELAPSE 0.05
STEP 10 CHECK_ANSWER STEP 10 CHECK_ANSWER
ENTRY_BEGIN ENTRY_BEGIN
MATCH all MATCH all
REPLY QR RD RA DO NXDOMAIN REPLY QR RD RA DO SERVFAIL
SECTION QUESTION SECTION QUESTION
www.example.com. IN A www.example.com. IN A
SECTION ANSWER SECTION ANSWER
SECTION AUTHORITY SECTION AUTHORITY
example.com. IN SOA ns.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFCNGZ+/OfElYQMCZ77O9Lw9rhk7PAhUAmDcvTAst6Bq83qPq3r6c/Dm1nFc= ;{id = 2854}
6md8numosa4q9ugkffdo1bmm82t5j39s.example.com. NSEC3 1 1 123 aabb00123456bbccdd 6md8numosa4q9ugkffdo1bmm82t5j49s A RRSIG
6md8numosa4q9ugkffdo1bmm82t5j39s.example.com. NSEC3 1 1 8 - 6md8numosa4q9ugkffdo1bmm82t5j49s SOA NS MX DNSKEY RRSIG
6md8numosa4q9ugkffdo1bmm82t5j39s.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MCwCFHndWrEEbuzezs/4lxeiMgEuUsUbAhR72gJgd/Zmhf80yoxCauw9k5OkCw== ;{id = 2854}
4f3cnt8cu22tngec382jj4gde4rb46ub.example.com. NSEC3 1 1 18 - 4f3cnt8cu22tngec382jj4gde4rb87ub A RRSIG
4f3cnt8cu22tngec382jj4gde4rb46ub.example.com. NSEC3 1 1 0 - 4f3cnt8cu22tngec382jj4gde4rb48ub A MX RRSIG
4f3cnt8cu22tngec382jj4gde4rb46ub.example.com. NSEC3 1 1 19 - 4f3cnt8cu22tngec382jj4gde4rb87ub A RRSIG
4f3cnt8cu22tngec382jj4gde4rb46ub.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MCwCFDRwji51WCXJg7W/3+Jx586af5qgAhQPxHegtzu1I/QbvCNrOOON05N1rw== ;{id = 2854}
s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 18 - s1unhcti19bkdr98fegs0v46mbu3t4m4 A RRSIG
s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 19 - s1unhcti19bkdr98fegs0v46mbu3t4m4 A RRSIG
s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 20 00 s1unhcti19bkdr98fegs0v46mbu3t4m4 A RRSIG
s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 A MX RRSIG
s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 20 01 s1unhcti19bkdr98fegs0v46mbu3t4m4 A RRSIG
s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 20 02 s1unhcti19bkdr98fegs0v46mbu3t4m4 A RRSIG
s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 20 03 s1unhcti19bkdr98fegs0v46mbu3t4m4 A RRSIG
s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MCwCFDLy4GbR8ZaKHATVJGnGxzpsuq60AhQ1/pRbXi1ZbcYohzHgWzNC50fC5A== ;{id = 2854}
SECTION ADDITIONAL SECTION ADDITIONAL
ENTRY_END ENTRY_END
+12 -10
View File
@@ -88,6 +88,17 @@ ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION AUTHORITY
example.com. IN SOA ns.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFCNGZ+/OfElYQMCZ77O9Lw9rhk7PAhUAmDcvTAst6Bq83qPq3r6c/Dm1nFc= ;{id = 2854}
ENTRY_END
; response to DNSKEY priming query ; response to DNSKEY priming query
ENTRY_BEGIN ENTRY_BEGIN
MATCH opcode qtype qname MATCH opcode qtype qname
@@ -144,20 +155,11 @@ ENTRY_END
STEP 10 CHECK_ANSWER STEP 10 CHECK_ANSWER
ENTRY_BEGIN ENTRY_BEGIN
MATCH all MATCH all
REPLY QR RD RA DO NXDOMAIN REPLY QR RD RA DO SERVFAIL
SECTION QUESTION SECTION QUESTION
www.example.com. IN A www.example.com. IN A
SECTION ANSWER SECTION ANSWER
SECTION AUTHORITY SECTION AUTHORITY
example.com. IN SOA ns.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFCNGZ+/OfElYQMCZ77O9Lw9rhk7PAhUAmDcvTAst6Bq83qPq3r6c/Dm1nFc= ;{id = 2854}
6md8numosa4q9ugkffdo1bmm82t5j39s.example.com. NSEC3 1 1 8 - 6md8numosa4q9ugkffdo1bmm82t5j49s SOA NS MX DNSKEY RRSIG
6md8numosa4q9ugkffdo1bmm82t5j39s.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCz/LkFOFcaQzVnyySW9ZoVUnxh7gIUdxyS9vqVDzo8pGhFU+3YogN2ZRk= ;{id = 2854}
4f3cnt8cu22tngec382jj4gde4rb46ub.example.com. NSEC3 1 1 0 - 4f3cnt8cu22tngec382jj4gde4rb48ub A MX RRSIG
4f3cnt8cu22tngec382jj4gde4rb46ub.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MCwCFHS+i/OB/V/gYmS1eQTXieXIXGjsAhQQ0Ql7TW/hsUklrb0DfoyhVPG95Q== ;{id = 2854}
s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 A MX RRSIG
s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFFSH4klZKke48dYyddYDj17gjTS0AhUAltWicpFLWqW98/Af9Qlx70MH8o4= ;{id = 2854}
SECTION ADDITIONAL SECTION ADDITIONAL
ENTRY_END ENTRY_END
+419 -465
View File
File diff suppressed because it is too large Load Diff
+3 -1
View File
@@ -1,4 +1,4 @@
/* A Bison parser, made by GNU Bison 3.7.6. */ /* A Bison parser, made by GNU Bison 3.8.2. */
/* Bison interface for Yacc-like parsers in C /* Bison interface for Yacc-like parsers in C
@@ -838,6 +838,8 @@ typedef union YYSTYPE YYSTYPE;
extern YYSTYPE yylval; extern YYSTYPE yylval;
int yyparse (void); int yyparse (void);
#endif /* !YY_YY_UTIL_CONFIGPARSER_H_INCLUDED */ #endif /* !YY_YY_UTIL_CONFIGPARSER_H_INCLUDED */
+24 -14
View File
@@ -352,7 +352,6 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
(p = compress_tree_lookup(tree, dname, labs, &insertpt))) { (p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
if(!write_compressed_dname(pkt, dname, labs, p)) if(!write_compressed_dname(pkt, dname, labs, p))
return RETVAL_TRUNC; return RETVAL_TRUNC;
(*compress_count)++;
} else { } else {
if(!dname_buffer_write(pkt, dname)) if(!dname_buffer_write(pkt, dname))
return RETVAL_TRUNC; return RETVAL_TRUNC;
@@ -360,6 +359,7 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
if(*compress_count < MAX_COMPRESSION_PER_MESSAGE && if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
!compress_tree_store(dname, labs, pos, region, p, insertpt)) !compress_tree_store(dname, labs, pos, region, p, insertpt))
return RETVAL_OUTMEM; return RETVAL_OUTMEM;
(*compress_count)++;
return RETVAL_OK; return RETVAL_OK;
} }
@@ -820,7 +820,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
return 1; return 1;
} }
uint16_t size_t
calc_edns_field_size(struct edns_data* edns) calc_edns_field_size(struct edns_data* edns)
{ {
size_t rdatalen = 0; size_t rdatalen = 0;
@@ -856,7 +856,7 @@ calc_edns_option_size(struct edns_data* edns, uint16_t code)
} }
uint16_t uint16_t
calc_ede_option_size(struct edns_data* edns, uint16_t* txt_size) calc_ede_option_size(struct edns_data* edns, size_t* txt_size)
{ {
size_t rdatalen = 0; size_t rdatalen = 0;
struct edns_option* opt; struct edns_option* opt;
@@ -958,6 +958,10 @@ attach_edns_record_max_msg_sz(sldns_buffer* pkt, struct edns_data* edns,
padding_option = opt; padding_option = opt;
continue; continue;
} }
if(sldns_buffer_position(pkt) + opt->opt_len + 4 > max_msg_sz)
break; /* no space for it */
if(!sldns_buffer_available(pkt, 4 + opt->opt_len))
break;
sldns_buffer_write_u16(pkt, opt->opt_code); sldns_buffer_write_u16(pkt, opt->opt_code);
sldns_buffer_write_u16(pkt, opt->opt_len); sldns_buffer_write_u16(pkt, opt->opt_len);
if(opt->opt_len != 0) if(opt->opt_len != 0)
@@ -968,12 +972,18 @@ attach_edns_record_max_msg_sz(sldns_buffer* pkt, struct edns_data* edns,
padding_option = opt; padding_option = opt;
continue; continue;
} }
if(sldns_buffer_position(pkt) + opt->opt_len + 4 > max_msg_sz)
break; /* no space for it */
if(!sldns_buffer_available(pkt, 4 + opt->opt_len))
break;
sldns_buffer_write_u16(pkt, opt->opt_code); sldns_buffer_write_u16(pkt, opt->opt_code);
sldns_buffer_write_u16(pkt, opt->opt_len); sldns_buffer_write_u16(pkt, opt->opt_len);
if(opt->opt_len != 0) if(opt->opt_len != 0)
sldns_buffer_write(pkt, opt->opt_data, opt->opt_len); sldns_buffer_write(pkt, opt->opt_data, opt->opt_len);
} }
if (padding_option && edns->padding_block_size ) { if (padding_option && edns->padding_block_size &&
sldns_buffer_position(pkt)+4 <= max_msg_sz &&
sldns_buffer_available(pkt, 4) /* if there is space for it */) {
size_t pad_pos = sldns_buffer_position(pkt); size_t pad_pos = sldns_buffer_position(pkt);
size_t msg_sz = ((pad_pos + 3) / edns->padding_block_size + 1) size_t msg_sz = ((pad_pos + 3) / edns->padding_block_size + 1)
* edns->padding_block_size; * edns->padding_block_size;
@@ -1017,7 +1027,7 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
{ {
uint16_t flags; uint16_t flags;
unsigned int attach_edns = 0; unsigned int attach_edns = 0;
uint16_t edns_field_size, ede_size, ede_txt_size; size_t edns_field_size, ede_size, ede_txt_size;
if(!cached || rep->authoritative) { if(!cached || rep->authoritative) {
/* original flags, copy RD and CD bits from query. */ /* original flags, copy RD and CD bits from query. */
@@ -1044,12 +1054,12 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
* calculate sizes once here */ * calculate sizes once here */
edns_field_size = calc_edns_field_size(edns); edns_field_size = calc_edns_field_size(edns);
ede_size = calc_ede_option_size(edns, &ede_txt_size); ede_size = calc_ede_option_size(edns, &ede_txt_size);
if(sldns_buffer_capacity(pkt) < udpsize) if(sldns_buffer_capacity(pkt) < (size_t)udpsize)
udpsize = sldns_buffer_capacity(pkt); udpsize = sldns_buffer_capacity(pkt);
if(!edns || !edns->edns_present) { if(!edns || !edns->edns_present) {
attach_edns = 0; attach_edns = 0;
/* EDEs are optional, try to fit anything else before them */ /* EDEs are optional, try to fit anything else before them */
} else if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) { } else if((size_t)udpsize < (size_t)LDNS_HEADER_SIZE + edns_field_size - ede_size) {
/* packet too small to contain edns, omit it. */ /* packet too small to contain edns, omit it. */
attach_edns = 0; attach_edns = 0;
} else { } else {
@@ -1063,13 +1073,13 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
return 0; return 0;
} }
if(attach_edns) { if(attach_edns) {
if(udpsize >= sldns_buffer_limit(pkt) + edns_field_size) if((size_t)udpsize >= sldns_buffer_limit(pkt) + edns_field_size)
attach_edns_record_max_msg_sz(pkt, edns, udpsize); attach_edns_record_max_msg_sz(pkt, edns, udpsize);
else if(udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_txt_size) { else if((size_t)udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_txt_size) {
ede_trim_text(&edns->opt_list_inplace_cb_out); ede_trim_text(&edns->opt_list_inplace_cb_out);
ede_trim_text(&edns->opt_list_out); ede_trim_text(&edns->opt_list_out);
attach_edns_record_max_msg_sz(pkt, edns, udpsize); attach_edns_record_max_msg_sz(pkt, edns, udpsize);
} else if(udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_size) { } else if((size_t)udpsize >= sldns_buffer_limit(pkt) + edns_field_size - ede_size) {
edns_opt_list_remove(&edns->opt_list_inplace_cb_out, LDNS_EDNS_EDE); edns_opt_list_remove(&edns->opt_list_inplace_cb_out, LDNS_EDNS_EDE);
edns_opt_list_remove(&edns->opt_list_out, LDNS_EDNS_EDE); edns_opt_list_remove(&edns->opt_list_out, LDNS_EDNS_EDE);
attach_edns_record_max_msg_sz(pkt, edns, udpsize); attach_edns_record_max_msg_sz(pkt, edns, udpsize);
@@ -1132,7 +1142,7 @@ extended_error_encode(sldns_buffer* buf, uint16_t rcode,
} }
sldns_buffer_flip(buf); sldns_buffer_flip(buf);
if(edns && edns->edns_present) { if(edns && edns->edns_present) {
uint16_t edns_field_size, ede_size, ede_txt_size; size_t edns_field_size, ede_size, ede_txt_size;
struct edns_data es = *edns; struct edns_data es = *edns;
es.edns_version = EDNS_ADVERTISED_VERSION; es.edns_version = EDNS_ADVERTISED_VERSION;
es.udp_size = EDNS_ADVERTISED_SIZE; es.udp_size = EDNS_ADVERTISED_SIZE;
@@ -1144,13 +1154,13 @@ extended_error_encode(sldns_buffer* buf, uint16_t rcode,
* to see if EDNS can fit. */ * to see if EDNS can fit. */
edns_field_size = calc_edns_field_size(&es); edns_field_size = calc_edns_field_size(&es);
ede_size = calc_ede_option_size(&es, &ede_txt_size); ede_size = calc_ede_option_size(&es, &ede_txt_size);
if(edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size) if((size_t)edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size)
attach_edns_record_max_msg_sz(buf, &es, edns->udp_size); attach_edns_record_max_msg_sz(buf, &es, edns->udp_size);
else if(edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size - ede_txt_size) { else if((size_t)edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size - ede_txt_size) {
ede_trim_text(&es.opt_list_inplace_cb_out); ede_trim_text(&es.opt_list_inplace_cb_out);
ede_trim_text(&es.opt_list_out); ede_trim_text(&es.opt_list_out);
attach_edns_record_max_msg_sz(buf, &es, edns->udp_size); attach_edns_record_max_msg_sz(buf, &es, edns->udp_size);
} else if(edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size - ede_size) { } else if((size_t)edns->udp_size >= sldns_buffer_limit(buf) + edns_field_size - ede_size) {
edns_opt_list_remove(&es.opt_list_inplace_cb_out, LDNS_EDNS_EDE); edns_opt_list_remove(&es.opt_list_inplace_cb_out, LDNS_EDNS_EDE);
edns_opt_list_remove(&es.opt_list_out, LDNS_EDNS_EDE); edns_opt_list_remove(&es.opt_list_out, LDNS_EDNS_EDE);
attach_edns_record_max_msg_sz(buf, &es, edns->udp_size); attach_edns_record_max_msg_sz(buf, &es, edns->udp_size);
+2 -2
View File
@@ -106,7 +106,7 @@ void qinfo_query_encode(struct sldns_buffer* pkt, struct query_info* qinfo);
* @param edns: edns data or NULL. * @param edns: edns data or NULL.
* @return octets to reserve for EDNS. * @return octets to reserve for EDNS.
*/ */
uint16_t calc_edns_field_size(struct edns_data* edns); size_t calc_edns_field_size(struct edns_data* edns);
/** /**
* Calculate the size of a specific EDNS option in packet. * Calculate the size of a specific EDNS option in packet.
@@ -127,7 +127,7 @@ uint16_t calc_edns_option_size(struct edns_data* edns, uint16_t code);
* extra text. * extra text.
* @return octets the option will take up. * @return octets the option will take up.
*/ */
uint16_t calc_ede_option_size(struct edns_data* edns, uint16_t* txt_size); uint16_t calc_ede_option_size(struct edns_data* edns, size_t* txt_size);
/** /**
* Attach EDNS record to buffer. Buffer has complete packet. There must * Attach EDNS record to buffer. Buffer has complete packet. There must
+14 -5
View File
@@ -53,6 +53,8 @@
#include "sldns/parseutil.h" #include "sldns/parseutil.h"
#include "sldns/wire2str.h" #include "sldns/wire2str.h"
#define MAX_PARSED_EDNS_OPTIONS 100
/** smart comparison of (compressed, valid) dnames from packet */ /** smart comparison of (compressed, valid) dnames from packet */
static int static int
smart_compare(sldns_buffer* pkt, uint8_t* dnow, smart_compare(sldns_buffer* pkt, uint8_t* dnow,
@@ -950,6 +952,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
struct comm_reply* repinfo, uint32_t now, struct regional* region, struct comm_reply* repinfo, uint32_t now, struct regional* region,
struct cookie_secrets* cookie_secrets) struct cookie_secrets* cookie_secrets)
{ {
int i = 0, nsid_seen = 0, cookie_seen = 0, padding_seen = 0;
/* To respond with a Keepalive option, the client connection must have /* To respond with a Keepalive option, the client connection must have
* received one message with a TCP Keepalive EDNS option, and that * received one message with a TCP Keepalive EDNS option, and that
* option must have 0 length data. Subsequent messages sent on that * option must have 0 length data. Subsequent messages sent on that
@@ -969,7 +972,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
/* while still more options, and have code+len to read */ /* while still more options, and have code+len to read */
/* ignores partial content (i.e. rdata len 3) */ /* ignores partial content (i.e. rdata len 3) */
while(rdata_len >= 4) { while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) {
uint16_t opt_code = sldns_read_uint16(rdata_ptr); uint16_t opt_code = sldns_read_uint16(rdata_ptr);
uint16_t opt_len = sldns_read_uint16(rdata_ptr+2); uint16_t opt_len = sldns_read_uint16(rdata_ptr+2);
uint8_t server_cookie[40]; uint8_t server_cookie[40];
@@ -984,8 +987,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
/* handle parse time edns options here */ /* handle parse time edns options here */
switch(opt_code) { switch(opt_code) {
case LDNS_EDNS_NSID: case LDNS_EDNS_NSID:
if (!cfg || !cfg->nsid) if (!cfg || !cfg->nsid || nsid_seen)
break; break;
nsid_seen = 1;
if(!edns_opt_list_append(&edns->opt_list_out, if(!edns_opt_list_append(&edns->opt_list_out,
LDNS_EDNS_NSID, cfg->nsid_len, LDNS_EDNS_NSID, cfg->nsid_len,
cfg->nsid, region)) { cfg->nsid, region)) {
@@ -1027,8 +1031,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
case LDNS_EDNS_PADDING: case LDNS_EDNS_PADDING:
if(!cfg || !cfg->pad_responses || if(!cfg || !cfg->pad_responses ||
!c || c->type != comm_tcp ||!c->ssl) !c || c->type != comm_tcp ||!c->ssl || padding_seen)
break; break;
padding_seen = 1;
if(!edns_opt_list_append(&edns->opt_list_out, if(!edns_opt_list_append(&edns->opt_list_out,
LDNS_EDNS_PADDING, LDNS_EDNS_PADDING,
0, NULL, region)) { 0, NULL, region)) {
@@ -1039,8 +1044,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
break; break;
case LDNS_EDNS_COOKIE: case LDNS_EDNS_COOKIE:
if(!cfg || !cfg->do_answer_cookie || !repinfo) if(!cfg || !cfg->do_answer_cookie || !repinfo || cookie_seen)
break; break;
cookie_seen = 1;
if(opt_len != 8 && (opt_len < 16 || opt_len > 40)) { if(opt_len != 8 && (opt_len < 16 || opt_len > 40)) {
verbose(VERB_ALGO, "worker request: " verbose(VERB_ALGO, "worker request: "
"badly formatted cookie"); "badly formatted cookie");
@@ -1146,6 +1152,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
} }
rdata_ptr += opt_len; rdata_ptr += opt_len;
rdata_len -= opt_len; rdata_len -= opt_len;
i++;
} }
return LDNS_RCODE_NOERROR; return LDNS_RCODE_NOERROR;
} }
@@ -1160,6 +1167,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
struct rrset_parse* found_prev = 0; struct rrset_parse* found_prev = 0;
size_t rdata_len; size_t rdata_len;
uint8_t* rdata_ptr; uint8_t* rdata_ptr;
int i = 0;
/* since the class encodes the UDP size, we cannot use hash table to /* since the class encodes the UDP size, we cannot use hash table to
* find the EDNS OPT record. Scan the packet. */ * find the EDNS OPT record. Scan the packet. */
while(rrset) { while(rrset) {
@@ -1219,7 +1227,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
/* while still more options, and have code+len to read */ /* while still more options, and have code+len to read */
/* ignores partial content (i.e. rdata len 3) */ /* ignores partial content (i.e. rdata len 3) */
while(rdata_len >= 4) { while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) {
uint16_t opt_code = sldns_read_uint16(rdata_ptr); uint16_t opt_code = sldns_read_uint16(rdata_ptr);
uint16_t opt_len = sldns_read_uint16(rdata_ptr+2); uint16_t opt_len = sldns_read_uint16(rdata_ptr+2);
rdata_ptr += 4; rdata_ptr += 4;
@@ -1234,6 +1242,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
} }
rdata_ptr += opt_len; rdata_ptr += opt_len;
rdata_len -= opt_len; rdata_len -= opt_len;
i++;
} }
/* ignore rrsigs */ /* ignore rrsigs */
return LDNS_RCODE_NOERROR; return LDNS_RCODE_NOERROR;
+27 -1
View File
@@ -62,6 +62,13 @@
#include "sldns/rrdef.h" #include "sldns/rrdef.h"
#include "sldns/sbuffer.h" #include "sldns/sbuffer.h"
/**
* The maximum salt length that the negative cache is willing to use.
* Larger salt increases the computation time, while recommendations are
* for zero salt length for zones.
*/
#define MAX_SALT_LENGTH 64
int val_neg_data_compare(const void* a, const void* b) int val_neg_data_compare(const void* a, const void* b)
{ {
struct val_neg_data* x = (struct val_neg_data*)a; struct val_neg_data* x = (struct val_neg_data*)a;
@@ -826,7 +833,11 @@ void neg_insert_data(struct val_neg_cache* neg,
(slen != 0 && zone->nsec3_salt && s (slen != 0 && zone->nsec3_salt && s
&& memcmp(zone->nsec3_salt, s, slen) != 0))) { && memcmp(zone->nsec3_salt, s, slen) != 0))) {
if(slen > 0) { if(slen > MAX_SALT_LENGTH) {
/* RFC 9276 s3.1: operators SHOULD NOT use a salt; large
* salts inflate per-hash block count. Decline to cache. */
return;
} else if(slen > 0) {
uint8_t* sa = memdup(s, slen); uint8_t* sa = memdup(s, slen);
if(sa) { if(sa) {
free(zone->nsec3_salt); free(zone->nsec3_salt);
@@ -1165,6 +1176,15 @@ neg_find_nsec3_ce(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len,
uint8_t hashce[NSEC3_SHA_LEN]; uint8_t hashce[NSEC3_SHA_LEN];
uint8_t b32[257]; uint8_t b32[257];
size_t celen, b32len; size_t celen, b32len;
int hashmax = MAX_NSEC3_CALCULATIONS;
if(qlabs > hashmax) {
/* strip leading labels so the walk costs at most
* MAX_NSEC3_CALCULATIONS hashes, mirroring val_nsec3.c */
while(qlabs > hashmax) {
dname_remove_label(&qname, &qname_len);
qlabs--;
}
}
*nclen = 0; *nclen = 0;
while(qlabs > 0) { while(qlabs > 0) {
@@ -1265,6 +1285,12 @@ neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len,
if(!zone->nsec3_hash) if(!zone->nsec3_hash)
return NULL; /* not nsec3 zone */ return NULL; /* not nsec3 zone */
if(!topname && qlabs > zone->labs + 1)
return NULL; /* iterator caller; opt-out proof would be discarded
* at the !topname check below anyway.
* The qlabs check allows the exact-match for
* the one-label-below-zone case. */
if(!(data=neg_find_nsec3_ce(zone, qname, qname_len, qlabs, buf, if(!(data=neg_find_nsec3_ce(zone, qname, qname_len, qlabs, buf,
hashnc, &nclen))) { hashnc, &nclen))) {
return NULL; return NULL;
+71 -5
View File
@@ -59,11 +59,6 @@
#include "sldns/sbuffer.h" #include "sldns/sbuffer.h"
#include "util/config_file.h" #include "util/config_file.h"
/**
* Max number of NSEC3 calculations at once, suspend query for later.
* 8 is low enough and allows for cases where multiple proofs are needed.
*/
#define MAX_NSEC3_CALCULATIONS 8
/** /**
* When all allowed NSEC3 calculations at once resulted in error treat as * When all allowed NSEC3 calculations at once resulted in error treat as
* bogus. NSEC3 hash errors are not cached and this helps breaks loops with * bogus. NSEC3 hash errors are not cached and this helps breaks loops with
@@ -456,6 +451,67 @@ filter_init(struct nsec3_filter* filter, struct ub_packed_rrset_key** list,
} }
} }
/** Check if the NSEC3s have the same parameter set. */
static int
param_set_same(struct nsec3_filter* flt, char** reason)
{
size_t rrsetnum;
int rrnum;
struct ub_packed_rrset_key* rrset;
int have_params = 0;
int first_algo = 0;
size_t first_iter = 0;
uint8_t* first_salt = NULL;
size_t first_saltlen = 0;
/* If the NSEC3 parameter sets have distinct values, then they are
* from different NSEC3 chains, and we do not want that. */
for(rrset=filter_first(flt, &rrsetnum, &rrnum); rrset;
rrset=filter_next(flt, &rrsetnum, &rrnum)) {
if(!have_params) {
first_algo = nsec3_get_algo(rrset, rrnum);
first_iter = nsec3_get_iter(rrset, rrnum);
if(!nsec3_get_salt(rrset, rrnum, &first_salt,
&first_saltlen)) {
verbose(VERB_ALGO, "NSEC3 salt malformed");
if(reason)
*reason = "NSEC3 salt malformed";
return 0;
}
have_params = 1;
} else {
uint8_t* salt = NULL;
size_t saltlen = 0;
if(nsec3_get_algo(rrset, rrnum) != first_algo) {
verbose(VERB_ALGO, "NSEC3 algorithm mismatch");
if(reason)
*reason = "NSEC3 algorithm mismatch";
return 0;
}
if(nsec3_get_iter(rrset, rrnum) != first_iter) {
verbose(VERB_ALGO, "NSEC3 iterations mismatch");
if(reason)
*reason = "NSEC3 iterations mismatch";
return 0;
}
if(!nsec3_get_salt(rrset, rrnum, &salt, &saltlen)) {
verbose(VERB_ALGO, "NSEC3 salt malformed");
if(reason)
*reason = "NSEC3 salt malformed";
return 0;
}
if(saltlen != first_saltlen ||
memcmp(salt, first_salt, saltlen) != 0) {
verbose(VERB_ALGO, "NSEC3 salt mismatch");
if(reason)
*reason = "NSEC3 salt mismatch";
return 0;
}
}
}
return 1;
}
/** /**
* Find max iteration count using config settings and key size * Find max iteration count using config settings and key size
* @param ve: validator environment with iteration count config settings. * @param ve: validator environment with iteration count config settings.
@@ -1192,6 +1248,8 @@ nsec3_prove_nameerror(struct module_env* env, struct val_env* ve,
filter_init(&flt, list, num, qinfo); /* init RR iterator */ filter_init(&flt, list, num, qinfo); /* init RR iterator */
if(!flt.zone) if(!flt.zone)
return sec_status_bogus; /* no RRs */ return sec_status_bogus; /* no RRs */
if(!param_set_same(&flt, NULL))
return sec_status_bogus; /* nsec3 params from distinct chains*/
if(nsec3_iteration_count_high(ve, &flt, kkey)) if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure; /* iteration count too high */ return sec_status_insecure; /* iteration count too high */
log_nametypeclass(VERB_ALGO, "start nsec3 nameerror proof, zone", log_nametypeclass(VERB_ALGO, "start nsec3 nameerror proof, zone",
@@ -1378,6 +1436,8 @@ nsec3_prove_nodata(struct module_env* env, struct val_env* ve,
filter_init(&flt, list, num, qinfo); /* init RR iterator */ filter_init(&flt, list, num, qinfo); /* init RR iterator */
if(!flt.zone) if(!flt.zone)
return sec_status_bogus; /* no RRs */ return sec_status_bogus; /* no RRs */
if(!param_set_same(&flt, NULL))
return sec_status_bogus; /* nsec3 params from distinct chains*/
if(nsec3_iteration_count_high(ve, &flt, kkey)) if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure; /* iteration count too high */ return sec_status_insecure; /* iteration count too high */
return nsec3_do_prove_nodata(env, &flt, ct, qinfo, calc); return nsec3_do_prove_nodata(env, &flt, ct, qinfo, calc);
@@ -1401,6 +1461,8 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
filter_init(&flt, list, num, qinfo); /* init RR iterator */ filter_init(&flt, list, num, qinfo); /* init RR iterator */
if(!flt.zone) if(!flt.zone)
return sec_status_bogus; /* no RRs */ return sec_status_bogus; /* no RRs */
if(!param_set_same(&flt, NULL))
return sec_status_bogus; /* nsec3 params from distinct chains*/
if(nsec3_iteration_count_high(ve, &flt, kkey)) if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure; /* iteration count too high */ return sec_status_insecure; /* iteration count too high */
@@ -1503,6 +1565,8 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve,
*reason = "no NSEC3 records"; *reason = "no NSEC3 records";
return sec_status_bogus; /* no RRs */ return sec_status_bogus; /* no RRs */
} }
if(!param_set_same(&flt, reason))
return sec_status_bogus; /* nsec3 params from distinct chains*/
if(nsec3_iteration_count_high(ve, &flt, kkey)) if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure; /* iteration count too high */ return sec_status_insecure; /* iteration count too high */
@@ -1596,6 +1660,8 @@ nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve,
filter_init(&flt, list, num, qinfo); /* init RR iterator */ filter_init(&flt, list, num, qinfo); /* init RR iterator */
if(!flt.zone) if(!flt.zone)
return sec_status_bogus; /* no RRs */ return sec_status_bogus; /* no RRs */
if(!param_set_same(&flt, NULL))
return sec_status_bogus; /* nsec3 params from distinct chains*/
if(nsec3_iteration_count_high(ve, &flt, kkey)) if(nsec3_iteration_count_high(ve, &flt, kkey))
return sec_status_insecure; /* iteration count too high */ return sec_status_insecure; /* iteration count too high */
+6
View File
@@ -98,6 +98,12 @@ struct sldns_buffer;
/** The SHA1 hash algorithm for NSEC3 */ /** The SHA1 hash algorithm for NSEC3 */
#define NSEC3_HASH_SHA1 0x01 #define NSEC3_HASH_SHA1 0x01
/**
* Max number of NSEC3 calculations at once, suspend query for later.
* 8 is low enough and allows for cases where multiple proofs are needed.
*/
#define MAX_NSEC3_CALCULATIONS 8
/** /**
* Cache table for NSEC3 hashes. * Cache table for NSEC3 hashes.
* It keeps a *pointer* to the region its items are allocated. * It keeps a *pointer* to the region its items are allocated.
+2 -2
View File
@@ -1066,10 +1066,10 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
if(query_dname_compare(name, if(query_dname_compare(name,
orig->rrsets[i]->rk.dname) == 0) orig->rrsets[i]->rk.dname) == 0)
chase->rrsets[chase->an_numrrsets chase->rrsets[chase->an_numrrsets
+orig->ns_numrrsets+chase->ar_numrrsets++] +chase->ns_numrrsets+chase->ar_numrrsets++]
= orig->rrsets[i]; = orig->rrsets[i];
} else if(rrset_has_signer(orig->rrsets[i], name, len)) { } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+ chase->rrsets[chase->an_numrrsets+chase->ns_numrrsets+
chase->ar_numrrsets++] = orig->rrsets[i]; chase->ar_numrrsets++] = orig->rrsets[i];
} }
} }