- Fix #4190: Please create a "ANY" deny option, adds the option

deny-any: yes in unbound.conf.  This responds with an empty message
  to queries of type ANY.


git-svn-id: file:///svn/unbound/trunk@4949 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2018-10-25 08:07:37 +00:00
parent 0f83653e76
commit 23505d30a5
11 changed files with 3193 additions and 3124 deletions


@ -1,5 +1,8 @@
25 October 2018: Wouter 25 October 2018: Wouter
- Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query. - Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
- Fix #4190: Please create a "ANY" deny option, adds the option
deny-any: yes in unbound.conf. This responds with an empty message
to queries of type ANY.
24 October 2018: Ralph 24 October 2018: Ralph
- Add markdel function to ECS slabhash. - Add markdel function to ECS slabhash.


@ -449,6 +449,9 @@ server:
# if yes, perform key lookups adjacent to normal lookups. # if yes, perform key lookups adjacent to normal lookups.
# prefetch-key: no # prefetch-key: no
# deny queries of type ANY with an empty response.
# deny-any: no
# if yes, Unbound rotates RRSet order in response. # if yes, Unbound rotates RRSet order in response.
# rrset-roundrobin: no # rrset-roundrobin: no


@ -848,12 +848,18 @@ keep the cache up to date. Default is no. Turning it on gives about
10 percent more traffic and load on the machine, but popular items do 10 percent more traffic and load on the machine, but popular items do
not expire from the cache. not expire from the cache.
.TP .TP
.B prefetch-key: \fI<yes or no> .B prefetch\-key: \fI<yes or no>
If yes, fetch the DNSKEYs earlier in the validation process, when a DS If yes, fetch the DNSKEYs earlier in the validation process, when a DS
record is encountered. This lowers the latency of requests. It does use record is encountered. This lowers the latency of requests. It does use
a little more CPU. Also if the cache is set to 0, it is no use. Default is no. a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
.TP .TP
.B rrset-roundrobin: \fI<yes or no> .B deny\-any: \fI<yes or no>
If yes, deny queries of type ANY with an empty response. Default is no.
If disabled, unbound responds with a short list of resource records if some
can be found in the cache and makes the upstream type ANY query if there
are none.
.TP
.B rrset\-roundrobin: \fI<yes or no>
If yes, Unbound rotates RRSet order in response (the random number is taken If yes, Unbound rotates RRSet order in response (the random number is taken
from the query ID, for speed and thread safety). Default is no. from the query ID, for speed and thread safety). Default is no.
.TP .TP

services/cache/dns.c vendored

@ -721,6 +721,17 @@ fill_any(struct module_env* env,
int i, num=6; /* number of RR types to look up */ int i, num=6; /* number of RR types to look up */
log_assert(lookup[num] == 0); log_assert(lookup[num] == 0);
if(env->cfg->deny_any) {
/* return empty message */
msg = dns_msg_create(qname, qnamelen, qtype, qclass,
region, 0);
if(!msg) {
return NULL;
}
msg->rep->security = sec_status_indeterminate;
return msg;
}
for(i=0; i<num; i++) { for(i=0; i<num; i++) {
/* look up this RR for inclusion in type ANY response */ /* look up this RR for inclusion in type ANY response */
struct ub_packed_rrset_key* rrset = rrset_cache_lookup( struct ub_packed_rrset_key* rrset = rrset_cache_lookup(
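Review bot: The new `deny_any` branch carries only `/* return empty message */`, which says what it does but not why it sits before the lookup loop; the reason matters for future maintainers because the whole point is that a type ANY query must not pull a large, cache-dependent answer out of the resolver. I would replace that comment with `/* deny-any: answer type ANY with an empty message and skip the cache lookups below, so ANY cannot be used to obtain a large (amplified) response or to probe cache contents */`. The branch also sets `msg->rep->security = sec_status_indeterminate`, so the denied answer is presumably not DNSSEC-validated (no AD bit); the man page entry for deny-any does not mention this, and a one-line note there ("the empty answer is not validated") would avoid surprising validating clients. fill_any itself starts and ends outside this hunk, so I cannot see whether any caller inspects the returned message for an empty answer section.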


@ -152,6 +152,7 @@ config_create(void)
cfg->max_negative_ttl = 3600; cfg->max_negative_ttl = 3600;
cfg->prefetch = 0; cfg->prefetch = 0;
cfg->prefetch_key = 0; cfg->prefetch_key = 0;
cfg->deny_any = 0;
cfg->infra_cache_slabs = 4; cfg->infra_cache_slabs = 4;
cfg->infra_cache_numhosts = 10000; cfg->infra_cache_numhosts = 10000;
cfg->infra_cache_min_rtt = 50; cfg->infra_cache_min_rtt = 50;
@ -500,6 +501,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_POW2("rrset-cache-slabs:", rrset_cache_slabs) else S_POW2("rrset-cache-slabs:", rrset_cache_slabs)
else S_YNO("prefetch:", prefetch) else S_YNO("prefetch:", prefetch)
else S_YNO("prefetch-key:", prefetch_key) else S_YNO("prefetch-key:", prefetch_key)
else S_YNO("deny-any:", deny_any)
else if(strcmp(opt, "cache-max-ttl:") == 0) else if(strcmp(opt, "cache-max-ttl:") == 0)
{ IS_NUMBER_OR_ZERO; cfg->max_ttl = atoi(val); MAX_TTL=(time_t)cfg->max_ttl;} { IS_NUMBER_OR_ZERO; cfg->max_ttl = atoi(val); MAX_TTL=(time_t)cfg->max_ttl;}
else if(strcmp(opt, "cache-max-negative-ttl:") == 0) else if(strcmp(opt, "cache-max-negative-ttl:") == 0)
@ -882,6 +884,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_DEC(opt, "rrset-cache-slabs", rrset_cache_slabs) else O_DEC(opt, "rrset-cache-slabs", rrset_cache_slabs)
else O_YNO(opt, "prefetch-key", prefetch_key) else O_YNO(opt, "prefetch-key", prefetch_key)
else O_YNO(opt, "prefetch", prefetch) else O_YNO(opt, "prefetch", prefetch)
else O_YNO(opt, "deny-any", deny_any)
else O_DEC(opt, "cache-max-ttl", max_ttl) else O_DEC(opt, "cache-max-ttl", max_ttl)
else O_DEC(opt, "cache-max-negative-ttl", max_negative_ttl) else O_DEC(opt, "cache-max-negative-ttl", max_negative_ttl)
else O_DEC(opt, "cache-min-ttl", min_ttl) else O_DEC(opt, "cache-min-ttl", min_ttl)


@ -261,6 +261,8 @@ struct config_file {
int prefetch; int prefetch;
/** if prefetching of DNSKEYs should be performed. */ /** if prefetching of DNSKEYs should be performed. */
int prefetch_key; int prefetch_key;
/** deny queries of type ANY with an empty answer */
int deny_any;
/** chrootdir, if not "" or chroot will be done */ /** chrootdir, if not "" or chroot will be done */
char* chrootdir; char* chrootdir;



@ -296,6 +296,7 @@ private-address{COLON} { YDVAR(1, VAR_PRIVATE_ADDRESS) }
private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) } private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) }
prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) } prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) }
prefetch{COLON} { YDVAR(1, VAR_PREFETCH) } prefetch{COLON} { YDVAR(1, VAR_PREFETCH) }
deny-any{COLON} { YDVAR(1, VAR_DENY_ANY) }
stub-zone{COLON} { YDVAR(0, VAR_STUB_ZONE) } stub-zone{COLON} { YDVAR(0, VAR_STUB_ZONE) }
name{COLON} { YDVAR(1, VAR_NAME) } name{COLON} { YDVAR(1, VAR_NAME) }
stub-addr{COLON} { YDVAR(1, VAR_STUB_ADDR) } stub-addr{COLON} { YDVAR(1, VAR_STUB_ADDR) }



@ -299,7 +299,8 @@ extern int yydebug;
VAR_TCP_CONNECTION_LIMIT = 509, VAR_TCP_CONNECTION_LIMIT = 509,
VAR_FORWARD_NO_CACHE = 510, VAR_FORWARD_NO_CACHE = 510,
VAR_STUB_NO_CACHE = 511, VAR_STUB_NO_CACHE = 511,
VAR_LOG_SERVFAIL = 512 VAR_LOG_SERVFAIL = 512,
VAR_DENY_ANY = 513
}; };
#endif #endif
/* Tokens. */ /* Tokens. */
@ -558,6 +559,7 @@ extern int yydebug;
#define VAR_FORWARD_NO_CACHE 510 #define VAR_FORWARD_NO_CACHE 510
#define VAR_STUB_NO_CACHE 511 #define VAR_STUB_NO_CACHE 511
#define VAR_LOG_SERVFAIL 512 #define VAR_LOG_SERVFAIL 512
#define VAR_DENY_ANY 513
/* Value type. */ /* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -568,7 +570,7 @@ union YYSTYPE
char* str; char* str;
#line 572 "util/configparser.h" /* yacc.c:1909 */ #line 574 "util/configparser.h" /* yacc.c:1909 */
}; };
typedef union YYSTYPE YYSTYPE; typedef union YYSTYPE YYSTYPE;


@ -162,7 +162,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL %token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL
%token VAR_FAST_SERVER_PERMIL VAR_FAST_SERVER_NUM %token VAR_FAST_SERVER_PERMIL VAR_FAST_SERVER_NUM
%token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT VAR_TCP_CONNECTION_LIMIT %token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT VAR_TCP_CONNECTION_LIMIT
%token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL %token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL VAR_DENY_ANY
%% %%
toplevelvars: /* empty */ | toplevelvars toplevelvar ; toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -259,7 +259,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_udp_upstream_without_downstream | server_aggressive_nsec | server_udp_upstream_without_downstream | server_aggressive_nsec |
server_tls_cert_bundle | server_tls_additional_port | server_low_rtt | server_tls_cert_bundle | server_tls_additional_port | server_low_rtt |
server_fast_server_permil | server_fast_server_num | server_tls_win_cert | server_fast_server_permil | server_fast_server_num | server_tls_win_cert |
server_tcp_connection_limit | server_log_servfail server_tcp_connection_limit | server_log_servfail | server_deny_any
; ;
stubstart: VAR_STUB_ZONE stubstart: VAR_STUB_ZONE
{ {
@ -1375,6 +1375,15 @@ server_prefetch_key: VAR_PREFETCH_KEY STRING_ARG
free($2); free($2);
} }
; ;
server_deny_any: VAR_DENY_ANY STRING_ARG
{
OUTYY(("P(server_deny_any:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->deny_any = (strcmp($2, "yes")==0);
free($2);
}
;
server_unwanted_reply_threshold: VAR_UNWANTED_REPLY_THRESHOLD STRING_ARG server_unwanted_reply_threshold: VAR_UNWANTED_REPLY_THRESHOLD STRING_ARG
{ {
OUTYY(("P(server_unwanted_reply_threshold:%s)\n", $2)); OUTYY(("P(server_unwanted_reply_threshold:%s)\n", $2));