Merge branch 'master' into edns-string

This commit is contained in:
Ralph Dolmans 2020-11-11 11:37:32 +01:00
commit 946ed23f73
50 changed files with 5553 additions and 4558 deletions

configure vendored

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.11.1.
# Generated by GNU Autoconf 2.69 for unbound 1.12.1.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
#
@ -591,8 +591,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.11.1'
PACKAGE_STRING='unbound 1.11.1'
PACKAGE_VERSION='1.12.1'
PACKAGE_STRING='unbound 1.12.1'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
PACKAGE_URL=''
@ -808,7 +808,6 @@ infodir
docdir
oldincludedir
includedir
runstatedir
localstatedir
sharedstatedir
sysconfdir
@ -958,7 +957,6 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@ -1211,15 +1209,6 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@ -1357,7 +1346,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir runstatedir
libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
@ -1470,7 +1459,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.11.1 to adapt to many kinds of systems.
\`configure' configures unbound 1.12.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1510,7 +1499,6 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
@ -1536,7 +1524,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.11.1:";;
short | recursive ) echo "Configuration of unbound 1.12.1:";;
esac
cat <<\_ACEOF
@ -1764,7 +1752,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.11.1
unbound configure 1.12.1
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2473,7 +2461,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by unbound $as_me 1.11.1, which was
It was created by unbound $as_me 1.12.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2823,13 +2811,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=11
UNBOUND_VERSION_MINOR=12
UNBOUND_VERSION_MICRO=1
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=10
LIBUNBOUND_REVISION=11
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -2906,7 +2894,8 @@ LIBUNBOUND_AGE=1
# 1.10.0 had 9:7:1
# 1.10.1 had 9:8:1
# 1.11.0 had 9:9:1
# 1.11.1 had 9:10:1
# 1.12.0 had 9:10:1
# 1.12.1 had 9:11:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -14756,7 +14745,7 @@ $as_echo "no" >&6; }
fi
# Checks for header files.
for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h net/if.h
for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
@ -14770,6 +14759,34 @@ fi
done
# net/if.h portability for Darwin see:
# https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html
for ac_header in net/if.h
do :
ac_fn_c_check_header_compile "$LINENO" "net/if.h" "ac_cv_header_net_if_h" "
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
# include <stddef.h>
#else
# ifdef HAVE_STDLIB_H
# include <stdlib.h>
# endif
#endif
#ifdef HAVE_SYS_SOCKET_H
# include <sys/socket.h>
#endif
"
if test "x$ac_cv_header_net_if_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_NET_IF_H 1
_ACEOF
fi
done
# Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
for ac_header in TargetConditionals.h
@ -15705,7 +15722,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -15751,7 +15768,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -15775,7 +15792,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -15820,7 +15837,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -15844,7 +15861,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -21714,7 +21731,7 @@ _ACEOF
version=1.11.1
version=1.12.1
date=`date +'%b %e, %Y'`
@ -22233,7 +22250,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.11.1, which was
This file was extended by unbound $as_me 1.12.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -22299,7 +22316,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.11.1
unbound config.status 1.12.1
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"


@ -10,7 +10,7 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[11])
m4_define([VERSION_MINOR],[12])
m4_define([VERSION_MICRO],[1])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
@ -18,7 +18,7 @@ AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=10
LIBUNBOUND_REVISION=11
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -95,7 +95,8 @@ LIBUNBOUND_AGE=1
# 1.10.0 had 9:7:1
# 1.10.1 had 9:8:1
# 1.11.0 had 9:9:1
# 1.11.1 had 9:10:1
# 1.12.0 had 9:10:1
# 1.12.1 had 9:11:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -399,7 +400,23 @@ ACX_LIBTOOL_C_ONLY
PKG_PROG_PKG_CONFIG
# Checks for header files.
AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h net/if.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h],,, [AC_INCLUDES_DEFAULT])
# net/if.h portability for Darwin see:
# https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html
AC_CHECK_HEADERS([net/if.h],,, [
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
# include <stddef.h>
#else
# ifdef HAVE_STDLIB_H
# include <stdlib.h>
# endif
#endif
#ifdef HAVE_SYS_SOCKET_H
# include <sys/socket.h>
#endif
])
# Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
AC_CHECK_HEADERS([TargetConditionals.h])


@ -1789,8 +1789,8 @@ worker_init(struct worker* worker, struct config_file *cfg,
? cfg->tcp_keepalive_timeout
: cfg->tcp_idle_timeout,
cfg->harden_large_queries, cfg->http_max_streams,
cfg->http_endpoint, worker->daemon->tcl,
worker->daemon->listen_sslctx,
cfg->http_endpoint, cfg->http_notls_downstream,
worker->daemon->tcl, worker->daemon->listen_sslctx,
dtenv, worker_handle_request, worker);
if(!worker->front) {
log_err("could not create listening sockets");


@ -134,15 +134,13 @@ dt_create(struct config_file* cfg)
if(cfg->dnstap && cfg->dnstap_socket_path && cfg->dnstap_socket_path[0] &&
(cfg->dnstap_ip==NULL || cfg->dnstap_ip[0]==0)) {
char* p = fname_after_chroot(cfg->dnstap_socket_path, cfg, 1);
if(!p) {
log_err("malloc failure");
return NULL;
}
char* p = cfg->dnstap_socket_path;
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(p,
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
p += strlen(cfg->chrootdir);
verbose(VERB_OPS, "attempting to connect to dnstap socket %s",
p);
check_socket_file(p);
free(p);
}
env = (struct dt_env *) calloc(1, sizeof(struct dt_env));
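Review bot: The chroot prefix strip at L304-L306 is a bare strncmp with no path-component boundary, so with `chrootdir: "/var/unbound"` a socket path `/var/unbound2/dt.sock` is cut to `2/dt.sock` and check_socket_file() is handed a relative path. Since the fname_after_chroot() call is removed, this is now the only mapping applied to dnstap-socket-path, so it should require the next character to be a separator or end of string (or the chrootdir to already end in `/`), and the repeated strlen can be computed once. The strip only makes sense if check_socket_file() runs after chroot() has been entered; the caller that decides that is outside this hunk and worth confirming. dt_create's body continues outside the hunk.
```c
		char* p = cfg->dnstap_socket_path;
		if(cfg->chrootdir && cfg->chrootdir[0]) {
			size_t cl = strlen(cfg->chrootdir);
			/* only strip a whole path component, not a prefix of a name */
			if(strncmp(p, cfg->chrootdir, cl) == 0 &&
			   (p[cl] == '/' || p[cl] == 0 || cfg->chrootdir[cl-1] == '/'))
				p += cl;
		}
		/* … unchanged: verbose() and check_socket_file(p) … */
```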


@ -341,15 +341,19 @@ int dt_io_thread_apply_cfg(struct dt_io_thread* dtio, struct config_file *cfg)
dtio->is_bidirectional = cfg->dnstap_bidirectional;
if(dtio->upstream_is_unix) {
char* nm;
if(!cfg->dnstap_socket_path ||
cfg->dnstap_socket_path[0]==0) {
log_err("dnstap setup: no dnstap-socket-path for "
"socket connect");
return 0;
}
nm = cfg->dnstap_socket_path;
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
nm += strlen(cfg->chrootdir);
free(dtio->socket_path);
dtio->socket_path = fname_after_chroot(cfg->dnstap_socket_path,
cfg, 1);
dtio->socket_path = strdup(nm);
if(!dtio->socket_path) {
log_err("dnstap setup: malloc failure");
return 0;


@ -1167,8 +1167,10 @@ int sig_quit = 0;
static RETSIGTYPE main_sigh(int sig)
{
verbose(VERB_ALGO, "exit on signal %d\n", sig);
if(sig_base)
if(sig_base) {
ub_event_base_loopexit(sig_base);
sig_base = NULL;
}
sig_quit = 1;
}
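Review bot: The new test-then-clear of `sig_base` at L345-L347 and the `sig_quit = 1` store at L349 are done on plain globals — L340 shows `int sig_quit = 0;` — from a signal handler, but the main loop reads them on the other side; they should be declared `volatile sig_atomic_t` so the compiler cannot cache them and the store is guaranteed atomic. The guard only stops a second call of ub_event_base_loopexit if the second signal is delivered after the `sig_base = NULL` store completes; a different signal (SIGINT after SIGTERM) is presumably not masked during the handler, so the window is small but real. Whether ub_event_base_loopexit() is itself safe to call from a handler depends on the event backend, which is outside this hunk; if it is not, the safer shape is to only set the flag here and call loopexit from the loop.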


@ -1,3 +1,96 @@
27 October 2020: Wouter
- In man page note that tls-cert-bundle is read before permission
drop and chroot.
22 October 2020: Wouter
- Fix #333: Unbound Segmentation Fault w/ log_info Functions From
Python Mod.
- Fix that minimal-responses does not remove addresses from a priming
query response.
21 October 2020: George
- Fix #327: net/if.h check fails on some darwin versions; contribution by
Joshua Root.
- Fix #320: potential memory corruption due to size miscomputation upton
custom region alloc init.
21 October 2020: Wouter
- Merge PR #228 : infra-keep-probing option to probe hosts that are
down. Add infra-keep-probing: yes option. Hosts that are down are
probed more frequently.
With the option turned on, it probes about every 120 seconds,
eventually after exponential backoff, and that keeps that way. If
traffic keeps up for the domain. It probes with one at a time, eg.
one query is allowed to probe, other queries within that 120 second
interval are turned away.
19 October 2020: George
- Merge PR #324 from James Renken: Add modern X.509v3 extensions to
unbound-control TLS certificates.
- Fix for PR #324 to attach the x509v3 extensions to the client
certificate.
19 October 2020: Ralph
- local-zone regional allocations outside of chunk
19 October 2020: Wouter
- Fix that http settings have colon in set_option, for
http-endpoint, http-max-streams, http-query-buffer-size,
http-response-buffer-size, and http-nodelay.
- Fix memory leak of https port string when reading config.
- Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
This adds the option http-notls-downstream: yesno to change that,
and the dohclient test code has the -n option.
- Fix python documentation warning on functions.rst inplace_cb_reply.
- Fix dnstap test to wait for log timer to see if queries are logged.
- Log ip address when http session recv fails, eg. due to tls fail.
- Fix to set the tcp handler event toggle flag back to default when
the handler structure is reused.
- Clean the fix for out of order TCP processing limits on number
of queries. It was tested to work.
16 October 2020: Wouter
- Fix that the out of order TCP processing does not limit the
number of outstanding queries over a connection.
15 October 2020: George
- Fix that if there are reply callbacks for the given rcode, those
are called per reply and a new message created if that was modified
by the call.
- Pass the comm_reply information to the inplace_cb_reply* functions
during the mesh state and update the documentation on that.
15 October 2020: Wouter
- Merge PR #326 from netblue30: DoH: implement content-length
header field
- DoH content length, simplify code, remove declaration after
statement and fix cast warning.
14 October 2020: Wouter
- Fix for python reply callback to see mesh state reply_list member,
it only removes it briefly for the commpoint call so that it does
not drop it and attempt to modify the reply list during reply.
- Fix that if there are on reply callbacks, those are called per
reply and a new message created if that was modified by the call.
- Free up auth zone parse region after use for lookup of host
13 October 2020: Wouter
- Fix #323: unbound testsuite fails on mock build in systemd-nspawn
if systemd support is build.
9 October 2020: Wouter
- Fix dnstap socket and the chroot not applied properly to the dnstap
socket path.
- Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
8 October 2020: Wouter
- Tag for 1.12.0 release.
- Current repo is version 1.12.1 in development.
- Fix #319: potential memory leak on config failure, in rpz config.
1 October 2020: Wouter
- Current repo is version 1.12.0 for release. Tag for 1.12.0rc1.
30 September 2020: Wouter
- Fix doh tests when not compiled in.
- Add dohclient test executable to gitignore.
@ -5,6 +98,7 @@
alloc check debug output.
- Easier kill of unbound-dnstap-socket tool in test.
- Fix memory leak of edns tags at libunbound context delete.
- Fix double loopexit for unbound-dnstap-socket after sigterm.
29 September 2020: Ralph
- DNS Flag Day 2020: change edns-buffer-size default to 1232.


@ -192,6 +192,9 @@ server:
# minimum wait time for responses, increase if uplink is long. In msec.
# infra-cache-min-rtt: 50
# enable to make server probe down hosts more frequently.
# infra-keep-probing: no
# the number of slabs to use for the Infrastructure cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
@ -788,6 +791,9 @@ server:
# service.
# http-nodelay: yes
# Disable TLS for DNS-over-HTTP downstream service.
# http-notls-downstream: no
# DNS64 prefix. Must be specified when DNS64 is use.
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
# dns64-prefix: 64:ff9b::0/96


@ -382,6 +382,12 @@ Lower limit for dynamic retransmit timeout calculation in infrastructure
cache. Default is 50 milliseconds. Increase this value if using forwarders
needing more time to do recursive name resolution.
.TP
.B infra\-keep\-probing: \fI<yes or no>
If enabled the server keeps probing hosts that are down, in the one probe
at a time regime. Default is no. Hosts that are down, eg. they did
not respond during the one probe at a time period, are marked as down and
it may take \fBinfra\-host\-ttl\fR time to get probed again.
.TP
.B define\-tag: \fI<"list of tags">
Define the tags that can be used with local\-zone and access\-control.
Enclose the list between quotes ("") and put spaces between tags.
@ -516,7 +522,8 @@ Alternate syntax for \fBtls\-port\fR.
If null or "", no file is used. Set it to the certificate bundle file,
for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used
for authenticating connections made to outside peers. For example auth\-zone
urls, and also DNS over TLS connections.
urls, and also DNS over TLS connections. It is read at start up before
permission drop and chroot.
.TP
.B ssl\-cert\-bundle: \fI<file>
Alternate syntax for \fBtls\-cert\-bundle\fR.
@ -587,6 +594,10 @@ megabytes or gigabytes (1024*1024 bytes in a megabyte).
Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
Ignored if the option is not available. Default is yes.
.TP
.B http\-notls\-downstream: \fI<yes or no>
Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for
local back end servers. Default is no.
.TP
.B use\-systemd: \fI<yes or no>
Enable or disable systemd socket activation.
Default is no.


@ -60,7 +60,6 @@ The callback function's prototype is the following:
:param **kwargs: Dictionary that may contain parameters added in a future
release. Current parameters:
``repinfo``: Reply information for a communication point (comm_reply).
It is None when the callback happens in the mesh states.
:return: True on success, False on failure.
@ -105,8 +104,6 @@ The callback function's prototype is the following:
:param **kwargs: Dictionary that may contain parameters added in a future
release. Current parameters:
``repinfo``: Reply information for a communication point (comm_reply).
It is None when the callback happens in the mesh
states(modules).
:return: True on success, False on failure.
@ -154,8 +151,6 @@ The callback function's prototype is the following:
:param **kwargs: Dictionary that may contain parameters added in a future
release. Current parameters:
``repinfo``: Reply information for a communication point (comm_reply).
It is None when the callback happens in the mesh
states(modules).
:return: True on success, False on failure.
@ -201,8 +196,6 @@ The callback function's prototype is the following:
:param **kwargs: Dictionary that may contain parameters added in a future
release. Current parameters:
``repinfo``: Reply information for a communication point (comm_reply).
It is None when the callback happens in the mesh
states(modules).
:return: True on success, False on failure.


@ -89,7 +89,7 @@ EDNS options
Inplace callbacks
-----------------
.. function:: inplace_cb_reply(qinfo, qstate, rep, rcode, edns, opt_list_out, region)
.. function:: inplace_cb_reply(qinfo, qstate, rep, rcode, edns, opt_list_out, region, \*\*kwargs)
Function prototype for callback functions used in
`register_inplace_cb_reply`_, `register_inplace_cb_reply_cache`_,
@ -102,6 +102,9 @@ Inplace callbacks
:param edns: :class:`edns_data`
:param opt_list_out: :class:`edns_option`. EDNS option list to append options to.
:param region: :class:`regional`
:param \*\*kwargs: Dictionary that may contain parameters added in a future
release. Current parameters:
``repinfo``: :class:`comm_reply`. Reply information for a communication point.
.. function:: inplace_cb_query(qinfo, flags, qstate, addr, zone, region)


@ -43,7 +43,7 @@
# This query returns SERVFAIL as the txt record of bogus.nlnetlabs.nl is
# intentionally bogus. The reply will contain an empty EDNS option
# with option code 65003.
# Unbound will also log the source address(es) of the client(s) that made
# Unbound will also log the source address of the client that made
# the request.
# (unbound needs to be validating for this example to work)
@ -91,8 +91,6 @@ def inplace_reply_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
:param **kwargs: Dictionary that may contain parameters added in a future
release. Current parameters:
``repinfo``: Reply information for a communication point (comm_reply).
It is None when the callback happens in the mesh
states(modules).
:return: True on success, False on failure.
@ -121,8 +119,6 @@ def inplace_cache_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
:param **kwargs: Dictionary that may contain parameters added in a future
release. Current parameters:
``repinfo``: Reply information for a communication point (comm_reply).
It is None when the callback happens in the mesh
states(modules).
:return: True on success, False on failure.
@ -173,8 +169,6 @@ def inplace_local_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
:param **kwargs: Dictionary that may contain parameters added in a future
release. Current parameters:
``repinfo``: Reply information for a communication point (comm_reply).
It is None when the callback happens in the mesh
states(modules).
:return: True on success, False on failure.
@ -205,13 +199,11 @@ def inplace_servfail_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
:param **kwargs: Dictionary that may contain parameters added in a future
release. Current parameters:
``repinfo``: Reply information for a communication point (comm_reply).
It is None when the callback happens in the mesh
states(modules).
:return: True on success, False on failure.
For demonstration purposes we want to reply with an empty EDNS code '65003'
and log the IP address(es) of the client(s).
and log the IP address of the client.
"""
log_info("python: called back while servfail.")
@ -219,30 +211,14 @@ def inplace_servfail_callback(qinfo, qstate, rep, rcode, edns, opt_list_out,
b = bytearray.fromhex("")
edns_opt_list_append(opt_list_out, 65003, b, region)
# Log the client(s) IP address(es)
# Log the client's IP address
comm_reply = kwargs['repinfo']
if comm_reply:
# If it is not None this callback was called before the query reached
# the mesh states(modules). There is only one client associated with
# this query.
addr = comm_reply.addr
port = comm_reply.port
addr_family = comm_reply.family
log_info("python: Client IP: {}({}), port: {}"
"".format(addr, addr_family, port))
else:
# If it is not None this callback was called while the query is in the
# mesh states(modules). In this case they may be multiple clients
# waiting for this query.
# The following code is the same as with the resip.py example.
rl = qstate.mesh_info.reply_list
while (rl):
if rl.query_reply:
q = rl.query_reply
log_info("python: Client IP: {}({}), port: {}"
"".format(q.addr, q.family, q.port))
rl = rl.next
return True
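Review bot: `comm_reply = kwargs['repinfo']` at L596 raises KeyError if the key is ever absent, yet the docstring just above (L580-L581) describes kwargs as a dictionary that "may contain" parameters, and the `if comm_reply:` guard at L597 is now only meaningful if the lookup itself cannot fail. Since this is the example modules are copied from, `comm_reply = kwargs.get('repinfo')` keeps the contract the docstring states and makes the None branch the only failure mode. It would also help to say in the comment at L595 what is logged when `repinfo` is None — presently nothing, silently. inplace_servfail_callback starts outside the hunk.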


@ -1413,6 +1413,19 @@ struct delegpt* find_delegation(struct module_qstate* qstate, char *nm, size_t n
/******************************
* Various debugging functions *
******************************/
/* rename the variadic functions because python does the formatting already*/
%rename (unbound_log_info) log_info;
%rename (unbound_log_err) log_err;
%rename (unbound_log_warn) log_warn;
%rename (unbound_verbose) verbose;
/* provide functions that take one string as argument, so python can cook
the string */
%rename (log_info) pymod_log_info;
%rename (log_warn) pymod_log_warn;
%rename (log_err) pymod_log_err;
%rename (verbose) pymod_verbose;
void verbose(enum verbosity_value level, const char* format, ...);
void log_info(const char* format, ...);
void log_err(const char* format, ...);
@ -1422,6 +1435,19 @@ void log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* r
void log_query_info(enum verbosity_value v, const char* str, struct query_info* qinf);
void regional_log_stats(struct regional *r);
/* the one argument string log functions */
void pymod_log_info(const char* str);
void pymod_log_err(const char* str);
void pymod_log_warn(const char* str);
void pymod_verbose(enum verbosity_value level, const char* str);
%{
void pymod_log_info(const char* str) { log_info("%s", str); }
void pymod_log_err(const char* str) { log_err("%s", str); }
void pymod_log_warn(const char* str) { log_warn("%s", str); }
void pymod_verbose(enum verbosity_value level, const char* str) {
verbose(level, "%s", str); }
%}
/***************************************************************************
* Free allocated memory from marked sources returning corresponding types *
***************************************************************************/
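Review bot: The `%rename` lines at L627-L630 keep the variadic log_info/log_err/log_warn/verbose exported to Python under `unbound_log_info` and friends, so the problem the `pymod_*` wrappers fix (a Python string arriving as the C format argument with no varargs behind it) is still reachable for any module that calls the old names with attacker-influenced text such as a query name. Unless the renamed symbols are needed for compatibility, `%ignore log_info; %ignore log_err; %ignore log_warn; %ignore verbose;` would remove them instead of renaming; failing that, the comment at L626 should say that `unbound_*` take a printf format and must never be given untrusted strings. The `pymod_*` bodies at L649-L653 are the right shape — fixed `"%s"` format, string as argument.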


@ -5387,6 +5387,7 @@ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has no answer", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A"));
}
}
regional_free_all(temp);
} else {
if(verbosity >= VERB_ALGO) {
char zname[255+1];
@ -6444,6 +6445,7 @@ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has no address", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A"));
}
}
regional_free_all(temp);
} else {
if(verbosity >= VERB_ALGO) {
char zname[255+1];
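Review bot: `regional_free_all(temp)` is added at L665 and L673 only at the end of the branch that parsed an answer, just before the `else` on L666/L674; the else branch and the earlier part of each callback are outside the hunk, so I cannot see whether `temp` is also used (or already freed) on that path. If the region is allocated for the whole callback, placing the single `regional_free_all(temp);` after the if/else, or on the function's common exit, would make the release independent of which branch ran. Both auth_xfer_transfer_lookup_callback and auth_xfer_probe_lookup_callback start and end outside the hunk.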


@ -244,6 +244,7 @@ infra_create(struct config_file* cfg)
return NULL;
}
infra->host_ttl = cfg->host_ttl;
infra->infra_keep_probing = cfg->infra_keep_probing;
infra_dp_ratelimit = cfg->ratelimit;
infra->domain_rates = slabhash_create(cfg->ratelimit_slabs,
INFRA_HOST_STARTSIZE, cfg->ratelimit_size,
@ -297,6 +298,7 @@ infra_adjust(struct infra_cache* infra, struct config_file* cfg)
if(!infra)
return infra_create(cfg);
infra->host_ttl = cfg->host_ttl;
infra->infra_keep_probing = cfg->infra_keep_probing;
infra_dp_ratelimit = cfg->ratelimit;
infra_ip_ratelimit = cfg->ip_ratelimit;
maxmem = cfg->infra_cache_numhosts * (sizeof(struct infra_key)+
@ -445,6 +447,7 @@ infra_host(struct infra_cache* infra, struct sockaddr_storage* addr,
if(e && ((struct infra_data*)e->data)->ttl < timenow) {
/* it expired, try to reuse existing entry */
int old = ((struct infra_data*)e->data)->rtt.rto;
time_t tprobe = ((struct infra_data*)e->data)->probedelay;
uint8_t tA = ((struct infra_data*)e->data)->timeout_A;
uint8_t tAAAA = ((struct infra_data*)e->data)->timeout_AAAA;
uint8_t tother = ((struct infra_data*)e->data)->timeout_other;
@ -460,6 +463,7 @@ infra_host(struct infra_cache* infra, struct sockaddr_storage* addr,
if(old >= USEFUL_SERVER_TOP_TIMEOUT) {
((struct infra_data*)e->data)->rtt.rto
= USEFUL_SERVER_TOP_TIMEOUT;
((struct infra_data*)e->data)->probedelay = tprobe;
((struct infra_data*)e->data)->timeout_A = tA;
((struct infra_data*)e->data)->timeout_AAAA = tAAAA;
((struct infra_data*)e->data)->timeout_other = tother;
@ -482,7 +486,8 @@ infra_host(struct infra_cache* infra, struct sockaddr_storage* addr,
*edns_vs = data->edns_version;
*edns_lame_known = data->edns_lame_known;
*to = rtt_timeout(&data->rtt);
if(*to >= PROBE_MAXRTO && rtt_notimeout(&data->rtt)*4 <= *to) {
if(*to >= PROBE_MAXRTO && (infra->infra_keep_probing ||
rtt_notimeout(&data->rtt)*4 <= *to)) {
/* delay other queries, this is the probe query */
if(!wr) {
lock_rw_unlock(&e->lock);
@ -566,18 +571,27 @@ infra_rtt_update(struct infra_cache* infra, struct sockaddr_storage* addr,
struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
nm, nmlen, 1);
struct infra_data* data;
int needtoinsert = 0;
int needtoinsert = 0, expired = 0;
int rto = 1;
time_t oldprobedelay = 0;
if(!e) {
if(!(e = new_entry(infra, addr, addrlen, nm, nmlen, timenow)))
return 0;
needtoinsert = 1;
} else if(((struct infra_data*)e->data)->ttl < timenow) {
oldprobedelay = ((struct infra_data*)e->data)->probedelay;
data_entry_init(infra, e, timenow);
expired = 1;
}
/* have an entry, update the rtt */
data = (struct infra_data*)e->data;
if(roundtrip == -1) {
if(needtoinsert || expired) {
/* timeout on entry that has expired before the timer
* keep old timeout from the function caller */
data->rtt.rto = orig_rtt;
data->probedelay = oldprobedelay;
}
rtt_lost(&data->rtt, orig_rtt);
if(qtype == LDNS_RR_TYPE_A) {
if(data->timeout_A < TIMEOUT_COUNT_MAX)
@ -681,7 +695,12 @@ infra_get_lame_rtt(struct infra_cache* infra,
return 0;
host = (struct infra_data*)e->data;
*rtt = rtt_unclamped(&host->rtt);
if(host->rtt.rto >= PROBE_MAXRTO && timenow < host->probedelay
if(host->rtt.rto >= PROBE_MAXRTO && timenow >= host->probedelay
&& infra->infra_keep_probing) {
/* single probe, keep probing */
if(*rtt >= USEFUL_SERVER_TOP_TIMEOUT)
*rtt = USEFUL_SERVER_TOP_TIMEOUT-1000;
} else if(host->rtt.rto >= PROBE_MAXRTO && timenow < host->probedelay
&& rtt_notimeout(&host->rtt)*4 <= host->rtt.rto) {
/* single probe for this domain, and we are not probing */
/* unless the query type allows a probe to happen */
@ -704,7 +723,8 @@ infra_get_lame_rtt(struct infra_cache* infra,
/* see if this can be a re-probe of an unresponsive server */
/* minus 1000 because that is outside of the RTTBAND, so
* blacklisted servers stay blacklisted if this is chosen */
if(host->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT) {
if(host->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT ||
infra->infra_keep_probing) {
lock_rw_unlock(&e->lock);
*rtt = USEFUL_SERVER_TOP_TIMEOUT-1000;
*lame = 0;
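Review bot: The `infra->infra_keep_probing` short-circuits at L717-L718, L755-L757 and L770-L771 each bypass the `rtt_notimeout(...)*4 <= rto` heuristic without a comment saying why, which makes three similar-looking conditions hard to keep consistent. A one-line note at the first site, `/* infra-keep-probing: allow a probe even if the rto has not reached 4x the last good rtt */`, and a matching `/* keep probing: re-probe regardless of rto size */` at L770 would do it. In infra_rtt_update the restore of `rto` and `probedelay` at L742-L747 deserves a comment that a late timeout on an expired entry must not reset the backoff, which is what the code does; where `probedelay` is advanced when the probe is issued is outside this hunk, so I have not checked that keep-probing cannot issue more than one probe per interval.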


@ -114,6 +114,8 @@ struct infra_cache {
struct slabhash* hosts;
/** TTL value for host information, in seconds */
int host_ttl;
/** the hosts that are down are kept probed for recovery */
int infra_keep_probing;
/** hash table with query rates per name: rate_key, rate_data */
struct slabhash* domain_rates;
/** ratelimit settings for domains, struct domain_limit_data */


@ -81,9 +81,6 @@
/** number of queued TCP connections for listen() */
#define TCP_BACKLOG 256
/** number of simultaneous requests a client can have */
#define TCP_MAX_REQ_SIMULTANEOUS 32
#ifndef THREADS_DISABLED
/** lock on the counter of stream buffer memory */
static lock_basic_type stream_wait_count_lock;
@ -1244,8 +1241,9 @@ struct listen_dnsport*
listen_create(struct comm_base* base, struct listen_port* ports,
size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
int harden_large_queries, uint32_t http_max_streams,
char* http_endpoint, struct tcl_list* tcp_conn_limit, void* sslctx,
struct dt_env* dtenv, comm_point_callback_type* cb, void *cb_arg)
char* http_endpoint, int http_notls, struct tcl_list* tcp_conn_limit,
void* sslctx, struct dt_env* dtenv, comm_point_callback_type* cb,
void *cb_arg)
{
struct listen_dnsport* front = (struct listen_dnsport*)
malloc(sizeof(struct listen_dnsport));
@ -1295,15 +1293,19 @@ listen_create(struct comm_base* base, struct listen_port* ports,
http_max_streams, http_endpoint,
tcp_conn_limit, bufsize, front->udp_buff,
ports->ftype, cb, cb_arg);
cp->ssl = sslctx;
if(http_notls && ports->ftype == listen_type_http)
cp->ssl = NULL;
else
cp->ssl = sslctx;
if(ports->ftype == listen_type_http) {
if(!sslctx) {
log_warn("HTTPS port configured, but no TLS "
if(!sslctx && !http_notls) {
log_warn("HTTPS port configured, but no TLS "
"tls-service-key or tls-service-pem "
"set");
}
#ifndef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
log_warn("Unbound is not compiled with an "
if(!http_notls)
log_warn("Unbound is not compiled with an "
"OpenSSL version supporting ALPN "
" (OpenSSL >= 1.0.2). This is required "
"to use DNS-over-HTTPS");
@ -1804,8 +1806,7 @@ tcp_req_info_setup_listen(struct tcp_req_info* req)
if(!req->cp->tcp_is_reading)
wr = 1;
if(req->num_open_req + req->num_done_req < TCP_MAX_REQ_SIMULTANEOUS &&
!req->read_is_closed)
if(!req->read_is_closed)
rd = 1;
if(wr) {
@ -2177,9 +2178,10 @@ int http2_submit_dns_response(struct http2_session* h2_session)
int ret;
nghttp2_data_provider data_prd;
char status[4];
nghttp2_nv headers[2];
nghttp2_nv headers[3];
struct http2_stream* h2_stream = h2_session->c->h2_stream;
size_t rlen;
char rlen_str[32];
if(h2_stream->rbuffer) {
log_err("http2 submit response error: rbuffer already "
@ -2198,6 +2200,8 @@ int http2_submit_dns_response(struct http2_session* h2_session)
}
rlen = sldns_buffer_remaining(h2_session->c->buffer);
snprintf(rlen_str, sizeof(rlen_str), "%u", rlen);
lock_basic_lock(&http2_response_buffer_count_lock);
if(http2_response_buffer_count + rlen > http2_response_buffer_max) {
lock_basic_unlock(&http2_response_buffer_count_lock);
@ -2228,13 +2232,11 @@ int http2_submit_dns_response(struct http2_session* h2_session)
headers[1].valuelen = 23;
headers[1].flags = NGHTTP2_NV_FLAG_NONE;
/*TODO be nice and add the content-length header
headers[2].name = (uint8_t*)"content-length";
headers[2].namelen = 14;
headers[2].value =
headers[2].valuelen =
headers[2].value = (uint8_t*)rlen_str;
headers[2].valuelen = strlen(rlen_str);
headers[2].flags = NGHTTP2_NV_FLAG_NONE;
*/
sldns_buffer_write(h2_stream->rbuffer,
sldns_buffer_current(h2_session->c->buffer),
@ -2244,7 +2246,7 @@ int http2_submit_dns_response(struct http2_session* h2_session)
data_prd.source.ptr = h2_session;
data_prd.read_callback = http2_submit_response_read_callback;
ret = nghttp2_submit_response(h2_session->session, h2_stream->stream_id,
headers, 2, &data_prd);
headers, 3, &data_prd);
if(ret) {
verbose(VERB_QUERY, "http2: set_stream_user_data failed, "
"error: %s", nghttp2_strerror(ret));
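Review bot: The format string in the new `snprintf(rlen_str, sizeof(rlen_str), "%u", rlen);` does not match its argument: `rlen` is a `size_t` (it is assigned from `sldns_buffer_remaining()` on the line above), and passing a `size_t` to `%u` is undefined behaviour that `-Wformat` flags; `snprintf(rlen_str, sizeof(rlen_str), "%u", (unsigned)rlen);` keeps the current format, or use `%zu` where the target printf supports it. A second point in this file: dropping `TCP_MAX_REQ_SIMULTANEOUS` from the condition in `tcp_req_info_setup_listen()` removes the per-connection cap on pipelined TCP requests, so the only bound visible in these hunks is the stream-buffer memory accounting guarded by `stream_wait_count_lock`; a short comment at the changed `if(!req->read_is_closed)` stating which limit now governs a client's outstanding requests would make that intent explicit for the next reader. http2_submit_dns_response and tcp_req_info_setup_listen both start and end outside their hunks.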


@ -159,6 +159,7 @@ int resolve_interface_names(struct config_file* cfg, char*** resif,
* @param harden_large_queries: whether query size should be limited.
* @param http_max_streams: maximum number of HTTP/2 streams per connection.
* @param http_endpoint: HTTP endpoint to service queries on
* @param http_notls: no TLS for http downstream
* @param tcp_conn_limit: TCP connection limit info.
* @param sslctx: nonNULL if ssl context.
* @param dtenv: nonNULL if dnstap enabled.
@ -171,8 +172,9 @@ struct listen_dnsport*
listen_create(struct comm_base* base, struct listen_port* ports,
size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
int harden_large_queries, uint32_t http_max_streams,
char* http_endpoint, struct tcl_list* tcp_conn_limit, void* sslctx,
struct dt_env* dtenv, comm_point_callback_type* cb, void *cb_arg);
char* http_endpoint, int http_notls, struct tcl_list* tcp_conn_limit,
void* sslctx, struct dt_env* dtenv, comm_point_callback_type* cb,
void *cb_arg);
/**
* delete the listening structure


@ -157,7 +157,7 @@ local_zone_create(uint8_t* nm, size_t len, int labs,
z->namelen = len;
z->namelabs = labs;
lock_rw_init(&z->lock);
z->region = regional_create_custom(sizeof(struct regional));
z->region = regional_create_nochunk(sizeof(struct regional));
if(!z->region) {
free(z);
return NULL;


@ -1196,6 +1196,12 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
/* Copy the client's EDNS for later restore, to make sure the edns
* compare is with the correct edns options. */
struct edns_data edns_bak = r->edns;
/* briefly set the replylist to null in case the
* meshsendreply calls tcpreqinfo sendreply that
* comm_point_drops because of size, and then the
* null stops the mesh state remove and thus
* reply_list modification and accounting */
struct mesh_reply* rlist = m->reply_list;
/* examine security status */
if(m->s.env->need_to_validate && (!(r->qflags&BIT_CD) ||
m->s.env->cfg->ignore_cd) && rep &&
@ -1218,15 +1224,21 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
r->h2_stream->mesh_state = NULL;
}
/* send the reply */
/* We don't reuse the encoded answer if either the previous or current
* response has a local alias. We could compare the alias records
* and still reuse the previous answer if they are the same, but that
* would be complicated and error prone for the relatively minor case.
* So we err on the side of safety. */
if(prev && prev_buffer && prev->qflags == r->qflags &&
/* We don't reuse the encoded answer if:
* - either the previous or current response has a local alias. We could
* compare the alias records and still reuse the previous answer if they
* are the same, but that would be complicated and error prone for the
* relatively minor case. So we err on the side of safety.
* - there are registered callback functions for the given rcode, as these
* need to be called for each reply. */
if(((rcode != LDNS_RCODE_SERVFAIL &&
!m->s.env->inplace_cb_lists[inplace_cb_reply]) ||
(rcode == LDNS_RCODE_SERVFAIL &&
!m->s.env->inplace_cb_lists[inplace_cb_reply_servfail])) &&
prev && prev_buffer && prev->qflags == r->qflags &&
!prev->local_alias && !r->local_alias &&
prev->edns.edns_present == r->edns.edns_present &&
prev->edns.bits == r->edns.bits &&
prev->edns.edns_present == r->edns.edns_present &&
prev->edns.bits == r->edns.bits &&
prev->edns.udp_size == r->edns.udp_size &&
edns_opt_list_compare(prev->edns.opt_list, r->edns.opt_list)
== 0) {
@ -1236,22 +1248,26 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
sldns_buffer_write_at(r_buffer, 0, &r->qid, sizeof(uint16_t));
sldns_buffer_write_at(r_buffer, 12, r->qname,
m->s.qinfo.qname_len);
m->reply_list = NULL;
comm_point_send_reply(&r->query_reply);
m->reply_list = rlist;
} else if(rcode) {
m->s.qinfo.qname = r->qname;
m->s.qinfo.local_alias = r->local_alias;
if(rcode == LDNS_RCODE_SERVFAIL) {
if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
rep, rcode, &r->edns, NULL, m->s.region))
rep, rcode, &r->edns, &r->query_reply, m->s.region))
r->edns.opt_list = NULL;
} else {
if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode,
&r->edns, NULL, m->s.region))
&r->edns, &r->query_reply, m->s.region))
r->edns.opt_list = NULL;
}
error_encode(r_buffer, rcode, &m->s.qinfo, r->qid,
r->qflags, &r->edns);
m->reply_list = NULL;
comm_point_send_reply(&r->query_reply);
m->reply_list = rlist;
} else {
size_t udp_size = r->edns.udp_size;
r->edns.edns_version = EDNS_ADVERTISED_VERSION;
@ -1261,7 +1277,7 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
m->s.qinfo.qname = r->qname;
m->s.qinfo.local_alias = r->local_alias;
if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep,
LDNS_RCODE_NOERROR, &r->edns, NULL, m->s.region) ||
LDNS_RCODE_NOERROR, &r->edns, &r->query_reply, m->s.region) ||
!apply_edns_options(&r->edns, &edns_bak,
m->s.env->cfg, r->query_reply.c,
m->s.region) ||
@ -1271,13 +1287,15 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
secure))
{
if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
rep, LDNS_RCODE_SERVFAIL, &r->edns, NULL, m->s.region))
rep, LDNS_RCODE_SERVFAIL, &r->edns, &r->query_reply, m->s.region))
r->edns.opt_list = NULL;
error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
&m->s.qinfo, r->qid, r->qflags, &r->edns);
}
r->edns = edns_bak;
m->reply_list = NULL;
comm_point_send_reply(&r->query_reply);
m->reply_list = rlist;
}
/* account */
log_assert(m->s.env->mesh->num_reply_addrs > 0);
@ -1365,20 +1383,12 @@ void mesh_query_done(struct mesh_state* mstate)
mstate->reply_list = reply_list;
} else {
struct sldns_buffer* r_buffer = r->query_reply.c->buffer;
struct mesh_reply* rlist = mstate->reply_list;
if(r->query_reply.c->tcp_req_info) {
r_buffer = r->query_reply.c->tcp_req_info->spool_buffer;
prev_buffer = NULL;
}
/* briefly set the replylist to null in case the
* meshsendreply calls tcpreqinfo sendreply that
* comm_point_drops because of size, and then the
* null stops the mesh state remove and thus
* reply_list modification and accounting */
mstate->reply_list = NULL;
mesh_send_reply(mstate, mstate->s.return_rcode, rep,
r, r_buffer, prev, prev_buffer);
mstate->reply_list = rlist;
if(r->query_reply.c->tcp_req_info) {
tcp_req_info_remove_mesh_state(r->query_reply.c->tcp_req_info, mstate);
r_buffer = NULL;
@ -1894,7 +1904,7 @@ mesh_serve_expired_callback(void* arg)
{
struct mesh_state* mstate = (struct mesh_state*) arg;
struct module_qstate* qstate = &mstate->s;
struct mesh_reply* r, *rlist;
struct mesh_reply* r;
struct mesh_area* mesh = qstate->env->mesh;
struct dns_msg* msg;
struct mesh_cb* c;
@ -1999,15 +2009,8 @@ mesh_serve_expired_callback(void* arg)
r_buffer = r->query_reply.c->buffer;
if(r->query_reply.c->tcp_req_info)
r_buffer = r->query_reply.c->tcp_req_info->spool_buffer;
/* briefly set the replylist to null in case the meshsendreply
* calls tcpreqinfo sendreply that comm_point_drops because
* of size, and then the null stops the mesh state remove and
* thus reply_list modification and accounting */
rlist = mstate->reply_list;
mstate->reply_list = NULL;
mesh_send_reply(mstate, LDNS_RCODE_NOERROR, msg->rep,
r, r_buffer, prev, prev_buffer);
mstate->reply_list = rlist;
if(r->query_reply.c->tcp_req_info)
tcp_req_info_remove_mesh_state(r->query_reply.c->tcp_req_info, mstate);
prev = r;
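Review bot: The save/clear/restore sequence around `comm_point_send_reply(&r->query_reply)` now appears three times in mesh_send_reply (after the cached-answer copy, after `error_encode` in the rcode branch, and at the end of the normal branch), each time as `m->reply_list = NULL; comm_point_send_reply(&r->query_reply); m->reply_list = rlist;`. A small static helper that owns the clear/restore would keep the three call sites from drifting apart and would carry the explanatory comment once, next to the code that needs it, instead of at the top of the function. The condition added at the head of the reuse test would also read more easily if the callback-list check were computed once into a local above the `if`, leaving the existing `prev && prev_buffer && ...` comparison as it was. mesh_send_reply starts outside the hunks.
```c
/** send a reply with m->reply_list temporarily cleared, so that a
 * comm_point_drop inside comm_point_send_reply does not remove the
 * mesh state and modify reply_list underneath the caller */
static void
mesh_send_reply_keep_list(struct mesh_state* m, struct mesh_reply* r)
{
	struct mesh_reply* rlist = m->reply_list;
	m->reply_list = NULL;
	comm_point_send_reply(&r->query_reply);
	m->reply_list = rlist;
}
/* … unchanged: mesh_send_reply, with each of the three
 * clear/send/restore sequences replaced by mesh_send_reply_keep_list(m, r); … */
```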


@ -440,6 +440,8 @@ err:
respip_set_delete(r->respip_set);
if(r->taglist)
free(r->taglist);
if(r->region)
regional_destroy(r->region);
free(r);
}
return NULL;


@ -120,12 +120,19 @@ if [ ! -f "$SVR_BASE.key" ]; then
fi
cat >server.cnf <<EOF
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name
x509_extensions=v3_ca
[req_distinguished_name]
commonName=$SERVERNAME
[v3_ca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=critical,CA:TRUE,pathlen:0
subjectAltName=DNS:$SERVERNAME
EOF
[ -f server.cnf ] || fatal "cannot create openssl configuration"
@ -156,8 +163,12 @@ default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name
req_extensions=v3_req
[req_distinguished_name]
commonName=$CLIENTNAME
[v3_req]
basicConstraints=critical,CA:FALSE
subjectAltName=DNS:$CLIENTNAME
EOF
[ -f client.cnf ] || fatal "cannot create openssl configuration"
@ -179,6 +190,8 @@ if [ ! -f "$CTL_BASE.pem" -o $RECREATE -eq 1 ]; then
-CAkey "$SVR_BASE.key" \
-CAcreateserial \
-$HASH \
-extfile client.cnf \
-extensions v3_req \
-out "$CTL_BASE.pem"
[ ! -f "CTL_BASE.pem" ] || fatal "cannot create signed client certificate"
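Review bot: The added `-extfile client.cnf -extensions v3_req` options give the client-certificate signing step a new way to fail (a missing or malformed `[v3_req]` section), but the check on the following line cannot catch it: `[ ! -f "CTL_BASE.pem" ]` tests the literal filename `CTL_BASE.pem` (no `$`) and its condition is inverted, so `fatal` never runs when the signed certificate is absent. It should read `[ -f "$CTL_BASE.pem" ] || fatal "cannot create signed client certificate"`, matching the `[ -f client.cnf ] || fatal ...` form used earlier in the hunk. That line is context rather than part of the change, so this is a nearby fix the commit leaves in place rather than a regression it introduces.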


@ -29,6 +29,9 @@ else
HAVE_MINGW=no
fi
# stop tests from notifying systemd, if that is compiled in.
export -n NOTIFY_SOCKET
cd testdata;
sh ../testcode/mini_tdir.sh clean
rm -f .perfstats.txt
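Review bot: `export -n NOTIFY_SOCKET` is a bash extension rather than POSIX `sh`; if this script is run by a plain `sh` (dash, BSD sh), the line is an error instead of a no-op, and the variable stays exported to the tests it is meant to shield. `unset NOTIFY_SOCKET` is portable and also stops child processes from seeing the socket, which is the goal the comment states. The same line is added to the second test-runner script further down (the hunk after `trap cleanup INT`), and the testbound change uses `unsetenv("NOTIFY_SOCKET")`, so `unset` would also keep the three consistent.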


@ -90,6 +90,7 @@ static void usage(char* argv[])
printf("-e HTTP endpoint, default: /dns-query\n");
printf("-c Content-type in request, default: "
"application/dns-message\n");
printf("-n no-tls, TLS is disabled\n");
printf("-h This help text\n");
exit(1);
}
@ -185,7 +186,10 @@ submit_query(struct http2_session* h2_session, struct sldns_buffer* buf)
headers[1].name = (uint8_t*)":path";
headers[1].value = (uint8_t*)h2_stream->path;
headers[2].name = (uint8_t*)":scheme";
headers[2].value = (uint8_t*)"https";
if(h2_session->ssl)
headers[2].value = (uint8_t*)"https";
else
headers[2].value = (uint8_t*)"http";
headers[3].name = (uint8_t*)":authority";
headers[3].value = (uint8_t*)h2_session->authority;
headers[4].name = (uint8_t*)"content-type";
@ -246,6 +250,7 @@ static ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session),
{
struct http2_session* h2_session = (struct http2_session*)cb_arg;
int r;
ssize_t ret;
struct timeval tv, *waittv;
fd_set rfd;
ERR_clear_error();
@ -267,35 +272,58 @@ static ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session),
return NGHTTP2_ERR_WOULDBLOCK;
}
r = SSL_read(h2_session->ssl, buf, len);
if(r <= 0) {
int want = SSL_get_error(h2_session->ssl, r);
if(want == SSL_ERROR_ZERO_RETURN) {
if(h2_session->ssl) {
r = SSL_read(h2_session->ssl, buf, len);
if(r <= 0) {
int want = SSL_get_error(h2_session->ssl, r);
if(want == SSL_ERROR_ZERO_RETURN) {
return NGHTTP2_ERR_EOF;
}
log_crypto_err("could not SSL_read");
return NGHTTP2_ERR_EOF;
}
log_crypto_err("could not SSL_read");
return r;
}
ret = read(h2_session->fd, buf, len);
if(ret == 0) {
return NGHTTP2_ERR_EOF;
} else if(ret < 0) {
log_err("could not http2 read: %s", strerror(errno));
return NGHTTP2_ERR_EOF;
}
return r;
return ret;
}
static ssize_t http2_send_cb(nghttp2_session* ATTR_UNUSED(session),
const uint8_t* buf, size_t len, int ATTR_UNUSED(flags), void* cb_arg)
{
struct http2_session* h2_session = (struct http2_session*)cb_arg;
ssize_t ret;
int r;
ERR_clear_error();
r = SSL_write(h2_session->ssl, buf, len);
if(r <= 0) {
int want = SSL_get_error(h2_session->ssl, r);
if(want == SSL_ERROR_ZERO_RETURN) {
if(h2_session->ssl) {
int r;
ERR_clear_error();
r = SSL_write(h2_session->ssl, buf, len);
if(r <= 0) {
int want = SSL_get_error(h2_session->ssl, r);
if(want == SSL_ERROR_ZERO_RETURN) {
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
log_crypto_err("could not SSL_write");
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
log_crypto_err("could not SSL_write");
return r;
}
ret = write(h2_session->fd, buf, len);
if(ret == 0) {
return NGHTTP2_ERR_CALLBACK_FAILURE;
} else if(ret < 0) {
log_err("could not http2 write: %s", strerror(errno));
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
return r;
return ret;
}
static int http2_stream_close_cb(nghttp2_session* ATTR_UNUSED(session),
@ -459,7 +487,7 @@ http2_read(struct http2_session* h2_session)
}
static void
run(struct http2_session* h2_session, int port, int count, char** q)
run(struct http2_session* h2_session, int port, int no_tls, int count, char** q)
{
int i;
SSL_CTX* ctx = NULL;
@ -470,26 +498,28 @@ run(struct http2_session* h2_session, int port, int count, char** q)
fd = open_svr(h2_session->authority, port);
h2_session->fd = fd;
ctx = connect_sslctx_create(NULL, NULL, NULL, 0);
if(!ctx) fatal_exit("cannot create ssl ctx");
SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)"\x02h2", 3);
ssl = outgoing_ssl_fd(ctx, fd);
if(!ssl) {
printf("cannot create ssl\n");
exit(1);
}
h2_session->ssl = ssl;
while(1) {
int r;
ERR_clear_error();
if( (r=SSL_do_handshake(ssl)) == 1)
break;
r = SSL_get_error(ssl, r);
if(r != SSL_ERROR_WANT_READ &&
r != SSL_ERROR_WANT_WRITE) {
log_crypto_err("could not ssl_handshake");
if(!no_tls) {
ctx = connect_sslctx_create(NULL, NULL, NULL, 0);
if(!ctx) fatal_exit("cannot create ssl ctx");
SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)"\x02h2", 3);
ssl = outgoing_ssl_fd(ctx, fd);
if(!ssl) {
printf("cannot create ssl\n");
exit(1);
}
h2_session->ssl = ssl;
while(1) {
int r;
ERR_clear_error();
if( (r=SSL_do_handshake(ssl)) == 1)
break;
r = SSL_get_error(ssl, r);
if(r != SSL_ERROR_WANT_READ &&
r != SSL_ERROR_WANT_WRITE) {
log_crypto_err("could not ssl_handshake");
exit(1);
}
}
}
http2_submit_setting(h2_session);
@ -511,9 +541,13 @@ run(struct http2_session* h2_session, int port, int count, char** q)
/* shutdown */
http2_session_delete(h2_session);
SSL_shutdown(ssl);
SSL_free(ssl);
SSL_CTX_free(ctx);
if(ssl) {
SSL_shutdown(ssl);
SSL_free(ssl);
}
if(ctx) {
SSL_CTX_free(ctx);
}
close(fd);
}
@ -524,10 +558,21 @@ extern char* optarg;
int main(int argc, char** argv)
{
int c;
int port = UNBOUND_DNS_OVER_HTTPS_PORT;
struct http2_session* h2_session = http2_session_create();
if(!h2_session) fatal_exit("out of memory");
int port = UNBOUND_DNS_OVER_HTTPS_PORT, no_tls = 0;
struct http2_session* h2_session;
#ifdef USE_WINSOCK
WSADATA wsa_data;
if(WSAStartup(MAKEWORD(2,2), &wsa_data) != 0) {
printf("WSAStartup failed\n");
return 1;
}
#endif
log_init(0, 0, 0);
checklock_start();
h2_session = http2_session_create();
if(!h2_session) fatal_exit("out of memory");
if(argc == 1) {
usage(argv);
}
@ -537,7 +582,7 @@ int main(int argc, char** argv)
h2_session->endpoint = "/dns-query";
h2_session->content_type = "application/dns-message";
while((c=getopt(argc, argv, "c:e:hs:p:P")) != -1) {
while((c=getopt(argc, argv, "c:e:hns:p:P")) != -1) {
switch(c) {
case 'c':
h2_session->content_type = optarg;
@ -545,6 +590,9 @@ int main(int argc, char** argv)
case 'e':
h2_session->endpoint = optarg;
break;
case 'n':
no_tls = 1;
break;
case 'p':
if(atoi(optarg)==0 && strcmp(optarg,"0")!=0) {
printf("error parsing port, "
@ -573,8 +621,12 @@ int main(int argc, char** argv)
}
run(h2_session, port, argc, argv);
run(h2_session, port, no_tls, argc, argv);
checklock_stop();
#ifdef USE_WINSOCK
WSACleanup();
#endif
return 0;
}
#else
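Review bot: The new plaintext branch in http2_recv_cb maps every negative `read()` result to `NGHTTP2_ERR_EOF`, so if `h2_session->fd` is non-blocking (the `select` setup with `fd_set rfd` just above suggests the descriptor is polled) an `EAGAIN`/`EWOULDBLOCK` or `EINTR` return tears down the session instead of retrying, whereas the path just above the read already returns `NGHTTP2_ERR_WOULDBLOCK` when no data is ready. A guard before the `log_err`, `} else if(ret < 0 && (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR)) { return NGHTTP2_ERR_WOULDBLOCK; }`, with the mirror in http2_send_cb's `write()` path, would keep the two transports behaving alike. Whether the fd is actually non-blocking is not visible in these hunks, so confirm against open_svr before changing it. http2_recv_cb and http2_send_cb both start before their hunks.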


@ -872,6 +872,7 @@ listen_create(struct comm_base* base, struct listen_port* ATTR_UNUSED(ports),
int ATTR_UNUSED(harden_large_queries),
uint32_t ATTR_UNUSED(http_max_streams),
char* ATTR_UNUSED(http_endpoint),
int ATTR_UNUSED(http_notls),
struct tcl_list* ATTR_UNUSED(tcp_conn_limit),
void* ATTR_UNUSED(sslctx), struct dt_env* ATTR_UNUSED(dtenv),
comm_point_callback_type* cb, void *cb_arg)


@ -40,6 +40,8 @@ cleanup() {
exit 0
}
trap cleanup INT
# stop tests from notifying systemd, if that is compiled in.
export -n NOTIFY_SOCKET
for t in $RUNLIST
do


@ -362,6 +362,10 @@ main(int argc, char* argv[])
/* we do not want the test to depend on the timezone */
(void)putenv("TZ=UTC");
memset(pass_argv, 0, sizeof(pass_argv));
#ifdef HAVE_SYSTEMD
/* we do not want the test to use systemd daemon startup notification*/
(void)unsetenv("NOTIFY_SOCKET");
#endif /* HAVE_SYSTEMD */
log_init(NULL, 0, NULL);
/* determine commandline options for the daemon */


@ -45,7 +45,7 @@ fi
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < dnstap.conf > ub.conf
# start unbound in the background
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
$PRE/unbound -d -c ub.conf -vvvv >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test


@ -59,6 +59,8 @@ dig @127.0.0.1 -p $UNBOUND_PORT q7.example.net.
dig @127.0.0.1 -p $UNBOUND_PORT q8.example.net.
dig @127.0.0.1 -p $UNBOUND_PORT q9.example.net.
dig @127.0.0.1 -p $UNBOUND_PORT q10.example.net.
echo "> wait for log to happen on timer"
sleep 3
for x in q1 q2 q3 q4 5 q6 q7 q8 q9 q10; do
if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi
if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi


@ -0,0 +1,28 @@
server:
verbosity: 2
# num-threads: 1
interface: 127.0.0.1@@PORT@
https-port: @PORT@
tls-service-key: "unbound_server.key"
tls-service-pem: "unbound_server.pem"
use-syslog: no
directory: .
pidfile: "unbound.pid"
chroot: ""
username: ""
do-not-query-localhost: no
http-query-buffer-size: 1G
http-response-buffer-size: 1G
http-max-streams: 200
http-notls-downstream: yes
local-zone: "example.net" static
local-data: "www1.example.net. IN A 1.2.3.1"
local-data: "www2.example.net. IN A 1.2.3.2"
local-data: "www3.example.net. IN A 1.2.3.3"
local-zone: "drop.net" deny
tcp-upstream: yes
forward-zone:
name: "."
forward-addr: "127.0.0.1@@TOPORT@"


@ -0,0 +1,16 @@
BaseName: doh_downstream_notls
Version: 1.0
Description: Test DNS-over-HTTP query processing with no-tls
CreationDate: Mon Jun 12 12:00:00 CET 2020
Maintainer:
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: doh_downstream_notls.pre
Post: doh_downstream_notls.post
Test: doh_downstream_notls.test
AuxFiles:
Passed:
Failure:


@ -0,0 +1,13 @@
# #-- doh_downstream_notls.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
PRE="../.."
if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
. ../common.sh
kill_pid $FWD_PID
kill_pid $UNBOUND_PID
cat unbound.log


@ -0,0 +1,33 @@
# #-- doh_downstream_notls.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
PRE="../.."
. ../common.sh
if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
get_random_port 2
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
$LDNS_TESTNS -p $FWD_PORT doh_downstream_notls.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < doh_downstream_notls.conf > ub.conf
# start unbound in the background
$PRE/unbound -vvvv -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
cat .tpkg.var.test
wait_ldns_testns_up fwd.log
wait_unbound_up unbound.log


@ -0,0 +1,339 @@
# #-- doh_downstream_notls.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
PRE="../.."
. ../common.sh
if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
get_make
(cd $PRE; $MAKE dohclient)
# this test query should just work (server is up)
echo "> query www1.example.net."
$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN >outfile 2>&1
cat outfile
if test "$?" -ne 0; then
echo "exit status not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
if grep "www1.example.net" outfile | grep "1.2.3.1"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
echo "OK"
# multiple requests (from localdata)
echo "> query www1.example.net. www2.example.net. www3.example.net."
$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN www2.example.net A IN www3.example.net A IN >outfile 2>&1
cat outfile
if test "$?" -ne 0; then
echo "exit status not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
if grep "www1.example.net" outfile | grep "1.2.3.1"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
if grep "www2.example.net" outfile | grep "1.2.3.2"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
if grep "www3.example.net" outfile | grep "1.2.3.3"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
# out of order requests, the example.com elements take 2 seconds to wait.
echo ""
echo "> query www1.example.net. www.example.com. www2.example.net. www2.example.com. www3.example.net."
$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN www.example.com. A IN www2.example.net A IN www2.example.com. A IN www3.example.net A IN >outfile 2>&1
cat outfile
if test "$?" -ne 0; then
echo "exit status not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
if grep "www1.example.net" outfile | grep "1.2.3.1"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
if grep "www2.example.net" outfile | grep "1.2.3.2"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
if grep "www3.example.net" outfile | grep "1.2.3.3"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
if grep "www.example.com" outfile | grep "10.20.30.40"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
if grep "www2.example.com" outfile | grep "10.20.30.42"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
# out of order requests, the example.com elements take 2 seconds to wait.
# www.example.com present twice, answered twice.
echo ""
echo "> query www1.example.net. www.example.com. www2.example.net. www.example.com. www3.example.net."
$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN www.example.com. A IN www2.example.net A IN www.example.com. A IN www3.example.net A IN >outfile 2>&1
cat outfile
if test "$?" -ne 0; then
echo "exit status not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
if grep "www1.example.net" outfile | grep "1.2.3.1"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
if grep "www2.example.net" outfile | grep "1.2.3.2"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
if grep "www3.example.net" outfile | grep "1.2.3.3"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
if grep "www.example.com" outfile | grep "10.20.30.40"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
# out of order requests, the example.com elements take 2 seconds to wait.
# www3.example.com present twice, answered twice.
echo ""
echo "> query www1.example.net. www3.example.com. www2.example.net. www3.example.com. www3.example.net."
$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN www3.example.com. A IN www2.example.net A IN www3.example.com. A IN www3.example.net A IN >outfile 2>&1
cat outfile
if test "$?" -ne 0; then
echo "exit status not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
if grep "www1.example.net" outfile | grep "1.2.3.1"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
if grep "www2.example.net" outfile | grep "1.2.3.2"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
if grep "www3.example.net" outfile | grep "1.2.3.3"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
if grep "www3.example.com" outfile | grep "10.20.30.43"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
echo ""
echo "> query www4.example.com. www3.example.net."
$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www4.example.com. A IN www3.example.net A IN >outfile 2>&1
cat outfile
if test "$?" -ne 0; then
echo "exit status not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
if grep "www3.example.net" outfile | grep "1.2.3.3"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
if grep "www4.example.com" outfile | grep "10.20.30.44"; then
echo "content OK"
else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "result contents not OK"
exit 1
fi
echo ""
echo "> query a1.example.com. - a90.example.com."
$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www6.example.com. A IN a1.a.example.com. A IN a2.a.example.com. A IN a3.a.example.com. A IN a4.a.example.com. A IN a5.a.example.com. A IN a6.a.example.com. A IN a7.a.example.com. A IN a8.a.example.com. A IN a9.a.example.com. A IN a10.a.example.com. A IN a11.a.example.com. A IN a12.a.example.com. A IN a13.a.example.com. A IN a14.a.example.com. A IN a15.a.example.com. A IN a16.a.example.com. A IN a17.a.example.com. A IN a18.a.example.com. A IN a19.a.example.com. A IN a20.a.example.com. A IN a21.a.example.com. A IN a22.a.example.com. A IN a23.a.example.com. A IN a24.a.example.com. A IN a25.a.example.com. A IN a26.a.example.com. A IN a27.a.example.com. A IN a28.a.example.com. A IN a29.a.example.com. A IN a30.a.example.com. A IN a31.a.example.com. A IN a32.a.example.com. A IN a33.a.example.com. A IN a34.a.example.com. A IN a35.a.example.com. A IN a36.a.example.com. A IN a37.a.example.com. A IN a38.a.example.com. A IN a39.a.example.com. A IN a40.a.example.com. A IN a41.a.example.com. A IN a42.a.example.com. A IN a43.a.example.com. A IN a44.a.example.com. A IN a45.a.example.com. A IN a46.a.example.com. A IN a47.a.example.com. A IN a48.a.example.com. A IN a49.a.example.com. A IN a50.a.example.com. A IN a51.a.example.com. A IN a52.a.example.com. A IN a53.a.example.com. A IN a54.a.example.com. A IN a55.a.example.com. A IN a56.a.example.com. A IN a57.a.example.com. A IN a58.a.example.com. A IN a59.a.example.com. A IN a60.a.example.com. A IN a61.a.example.com. A IN a62.a.example.com. A IN a63.a.example.com. A IN a64.a.example.com. A IN a65.a.example.com. A IN a66.a.example.com. A IN a67.a.example.com. A IN a68.a.example.com. A IN a69.a.example.com. A IN a70.a.example.com. A IN a71.a.example.com. A IN a72.a.example.com. A IN a73.a.example.com. A IN a74.a.example.com. A IN a75.a.example.com. A IN a76.a.example.com. A IN a77.a.example.com. A IN a78.a.example.com. A IN a79.a.example.com. A IN a80.a.example.com. 
A IN a81.a.example.com. A IN a82.a.example.com. A IN a83.a.example.com. A IN a84.a.example.com. A IN a85.a.example.com. A IN a86.a.example.com. A IN a87.a.example.com. A IN a88.a.example.com. A IN a89.a.example.com. A IN a90.a.example.com. A IN >outfile 2>&1
cat outfile
if test "$?" -ne 0; then
echo "exit status not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
num_ans=$(grep -B 3 "a.example.com. IN A" outfile | grep "rcode: NOERROR" | wc -l )
if test "$num_ans" -ne 90; then
echo "number of answers not OK"
echo "> cat logfiles"
cat outfile
cat fwd.log
cat unbound.log
echo "Not OK"
exit 1
fi
echo "OK"
exit 0
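Review bot: Each `if test "$?" -ne 0` in this script checks the exit status of the preceding `cat outfile`, not of `$PRE/dohclient`, so a failing client invocation is only caught if its output also fails the later `grep`; the first instance is right after `echo "> query www1.example.net."`. Capture the status before printing the output, e.g. `$PRE/dohclient ... >outfile 2>&1`, `rc=$?`, `cat outfile`, then `if test "$rc" -ne 0; then`. The failure-reporting block (`cat outfile`, `cat fwd.log`, `cat unbound.log`, `exit 1`) is repeated for every check and would be shorter and less error-prone as a shell function taking the message as its argument.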


@ -0,0 +1,74 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id sleep=2
SECTION QUESTION
www IN A
SECTION ANSWER
www IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www2 IN A
SECTION ANSWER
www2 IN A 10.20.30.42
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
www3 IN A
SECTION ANSWER
www3 IN A 10.20.30.43
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id sleep=2
SECTION QUESTION
www4 IN A
SECTION ANSWER
www4 IN A 10.20.30.44
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id sleep=2
SECTION QUESTION
www5 IN A
SECTION ANSWER
www5 IN A 10.20.30.45
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id sleep=2
SECTION QUESTION
www6 IN A
SECTION ANSWER
www6 IN A 10.20.30.46
ENTRY_END
; lots of noerror/nodata answers for other queries (a.. queries)
ENTRY_BEGIN
MATCH opcode qtype subdomain
REPLY QR AA NOERROR
ADJUST copy_id copy_query
SECTION QUESTION
a.example.com. IN A
SECTION AUTHORITY
example.com. IN SOA ns hostmaster 2019 28800 7200 604800 3600
ENTRY_END


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
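Review bot: A PEM-encoded RSA private key is committed here as a test fixture, and nothing in this section or the neighbouring certificate section marks it as throwaway material. Anything checked into the repository has to be treated as public, so this key must never be reused for a real deployment; the test's description file (presumably the one belonging to the DoH test script that precedes these fixtures, outside this section) should state that the key/certificate pair was generated for the test only and carries no trust. That way a later reader of the testdata directory does not mistake it for a reusable example configuration.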


@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -170,6 +170,7 @@ config_create(void)
cfg->infra_cache_slabs = 4;
cfg->infra_cache_numhosts = 10000;
cfg->infra_cache_min_rtt = 50;
cfg->infra_keep_probing = 0;
cfg->delay_close = 0;
if(!(cfg->outgoing_avail_ports = (int*)calloc(65536, sizeof(int))))
goto error_exit;
@ -522,11 +523,12 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_STR("tls-ciphersuites:", tls_ciphersuites)
else S_YNO("tls-use-sni:", tls_use_sni)
else S_NUMBER_NONZERO("https-port:", https_port)
else S_STR("http-endpoint", http_endpoint)
else S_NUMBER_NONZERO("http-max-streams", http_max_streams)
else S_MEMSIZE("http-query-buffer-size", http_query_buffer_size)
else S_MEMSIZE("http-response-buffer-size", http_response_buffer_size)
else S_YNO("http-nodelay", http_nodelay)
else S_STR("http-endpoint:", http_endpoint)
else S_NUMBER_NONZERO("http-max-streams:", http_max_streams)
else S_MEMSIZE("http-query-buffer-size:", http_query_buffer_size)
else S_MEMSIZE("http-response-buffer-size:", http_response_buffer_size)
else S_YNO("http-nodelay:", http_nodelay)
else S_YNO("http-notls-downstream:", http_notls_downstream)
else S_YNO("interface-automatic:", if_automatic)
else S_YNO("use-systemd:", use_systemd)
else S_YNO("do-daemonize:", do_daemonize)
@ -562,6 +564,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
IS_NUMBER_OR_ZERO; cfg->infra_cache_min_rtt = atoi(val);
RTT_MIN_TIMEOUT=cfg->infra_cache_min_rtt;
}
else S_YNO("infra-keep-probing:", infra_keep_probing)
else S_NUMBER_OR_ZERO("infra-host-ttl:", host_ttl)
else S_POW2("infra-cache-slabs:", infra_cache_slabs)
else S_SIZET_NONZERO("infra-cache-numhosts:", infra_cache_numhosts)
@ -958,6 +961,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_DEC(opt, "infra-host-ttl", host_ttl)
else O_DEC(opt, "infra-cache-slabs", infra_cache_slabs)
else O_DEC(opt, "infra-cache-min-rtt", infra_cache_min_rtt)
else O_YNO(opt, "infra-keep-probing", infra_keep_probing)
else O_MEM(opt, "infra-cache-numhosts", infra_cache_numhosts)
else O_UNS(opt, "delay-close", delay_close)
else O_YNO(opt, "do-ip4", do_ip4)
@ -990,6 +994,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_MEM(opt, "http-query-buffer-size", http_query_buffer_size)
else O_MEM(opt, "http-response-buffer-size", http_response_buffer_size)
else O_YNO(opt, "http-nodelay", http_nodelay)
else O_YNO(opt, "http-notls-downstream", http_notls_downstream)
else O_YNO(opt, "use-systemd", use_systemd)
else O_YNO(opt, "do-daemonize", do_daemonize)
else O_STR(opt, "chroot", chrootdir)
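Review bot: The config_create hunk gives infra_keep_probing an explicit default of 0 but shows no corresponding default for http_notls_downstream, even though the config_set_option and config_get_option hunks below add that option. If cfg is zero-filled on allocation this is harmless, but because the option switches TLS off for the https-port listener, an explicit `cfg->http_notls_downstream = 0;` next to the other http defaults (presumably set elsewhere in config_create, outside this hunk) makes it visible that TLS stays on unless a configuration disables it on purpose. The rest of config_create lies outside the hunk.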


@ -143,6 +143,8 @@ struct config_file {
size_t http_response_buffer_size;
/** set TCP_NODELAY option for http sockets */
int http_nodelay;
/** Disable TLS for http sockets downstream */
int http_notls_downstream;
/** outgoing port range number of ports (per thread) */
int outgoing_num_ports;
@ -179,6 +181,8 @@ struct config_file {
size_t infra_cache_numhosts;
/** min value for infra cache rtt */
int infra_cache_min_rtt;
/** keep probing hosts that are down */
int infra_keep_probing;
/** delay close of udp-timeouted ports, if 0 no delayclose. in msec */
int delay_close;
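Review bot: The comment on http_notls_downstream only says that TLS is disabled for downstream http sockets; since the effect is that the DoH listener accepts cleartext HTTP/2 (the netevent.c change in this commit sets use_h2 when the accepted comm point has no ssl), the field comment should say so and name the intended deployment, e.g. `/** Disable TLS for http sockets downstream; the https-port listener then speaks plain HTTP/2, intended only behind a TLS-terminating frontend */`. The "only behind a TLS-terminating frontend" part is my reading of the intent and should be checked against the accompanying option documentation, if any, which is not in this section.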



@ -262,6 +262,7 @@ http-max-streams{COLON} { YDVAR(1, VAR_HTTP_MAX_STREAMS) }
http-query-buffer-size{COLON} { YDVAR(1, VAR_HTTP_QUERY_BUFFER_SIZE) }
http-response-buffer-size{COLON} { YDVAR(1, VAR_HTTP_RESPONSE_BUFFER_SIZE) }
http-nodelay{COLON} { YDVAR(1, VAR_HTTP_NODELAY) }
http-notls-downstream{COLON} { YDVAR(1, VAR_HTTP_NOTLS_DOWNSTREAM) }
use-systemd{COLON} { YDVAR(1, VAR_USE_SYSTEMD) }
do-daemonize{COLON} { YDVAR(1, VAR_DO_DAEMONIZE) }
interface{COLON} { YDVAR(1, VAR_INTERFACE) }
@ -296,6 +297,7 @@ infra-cache-slabs{COLON} { YDVAR(1, VAR_INFRA_CACHE_SLABS) }
infra-cache-numhosts{COLON} { YDVAR(1, VAR_INFRA_CACHE_NUMHOSTS) }
infra-cache-lame-size{COLON} { YDVAR(1, VAR_INFRA_CACHE_LAME_SIZE) }
infra-cache-min-rtt{COLON} { YDVAR(1, VAR_INFRA_CACHE_MIN_RTT) }
infra-keep-probing{COLON} { YDVAR(1, VAR_INFRA_KEEP_PROBING) }
num-queries-per-thread{COLON} { YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) }
jostle-timeout{COLON} { YDVAR(1, VAR_JOSTLE_TIMEOUT) }
delay-close{COLON} { YDVAR(1, VAR_DELAY_CLOSE) }



@ -194,158 +194,160 @@ extern int yydebug;
VAR_HTTP_QUERY_BUFFER_SIZE = 400,
VAR_HTTP_RESPONSE_BUFFER_SIZE = 401,
VAR_HTTP_NODELAY = 402,
VAR_STUB_FIRST = 403,
VAR_MINIMAL_RESPONSES = 404,
VAR_RRSET_ROUNDROBIN = 405,
VAR_MAX_UDP_SIZE = 406,
VAR_DELAY_CLOSE = 407,
VAR_UNBLOCK_LAN_ZONES = 408,
VAR_INSECURE_LAN_ZONES = 409,
VAR_INFRA_CACHE_MIN_RTT = 410,
VAR_DNS64_PREFIX = 411,
VAR_DNS64_SYNTHALL = 412,
VAR_DNS64_IGNORE_AAAA = 413,
VAR_DNSTAP = 414,
VAR_DNSTAP_ENABLE = 415,
VAR_DNSTAP_SOCKET_PATH = 416,
VAR_DNSTAP_IP = 417,
VAR_DNSTAP_TLS = 418,
VAR_DNSTAP_TLS_SERVER_NAME = 419,
VAR_DNSTAP_TLS_CERT_BUNDLE = 420,
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 421,
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 422,
VAR_DNSTAP_SEND_IDENTITY = 423,
VAR_DNSTAP_SEND_VERSION = 424,
VAR_DNSTAP_BIDIRECTIONAL = 425,
VAR_DNSTAP_IDENTITY = 426,
VAR_DNSTAP_VERSION = 427,
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 428,
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 429,
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 430,
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 431,
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 432,
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 433,
VAR_RESPONSE_IP_TAG = 434,
VAR_RESPONSE_IP = 435,
VAR_RESPONSE_IP_DATA = 436,
VAR_HARDEN_ALGO_DOWNGRADE = 437,
VAR_IP_TRANSPARENT = 438,
VAR_IP_DSCP = 439,
VAR_DISABLE_DNSSEC_LAME_CHECK = 440,
VAR_IP_RATELIMIT = 441,
VAR_IP_RATELIMIT_SLABS = 442,
VAR_IP_RATELIMIT_SIZE = 443,
VAR_RATELIMIT = 444,
VAR_RATELIMIT_SLABS = 445,
VAR_RATELIMIT_SIZE = 446,
VAR_RATELIMIT_FOR_DOMAIN = 447,
VAR_RATELIMIT_BELOW_DOMAIN = 448,
VAR_IP_RATELIMIT_FACTOR = 449,
VAR_RATELIMIT_FACTOR = 450,
VAR_SEND_CLIENT_SUBNET = 451,
VAR_CLIENT_SUBNET_ZONE = 452,
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 453,
VAR_CLIENT_SUBNET_OPCODE = 454,
VAR_MAX_CLIENT_SUBNET_IPV4 = 455,
VAR_MAX_CLIENT_SUBNET_IPV6 = 456,
VAR_MIN_CLIENT_SUBNET_IPV4 = 457,
VAR_MIN_CLIENT_SUBNET_IPV6 = 458,
VAR_MAX_ECS_TREE_SIZE_IPV4 = 459,
VAR_MAX_ECS_TREE_SIZE_IPV6 = 460,
VAR_CAPS_WHITELIST = 461,
VAR_CACHE_MAX_NEGATIVE_TTL = 462,
VAR_PERMIT_SMALL_HOLDDOWN = 463,
VAR_QNAME_MINIMISATION = 464,
VAR_QNAME_MINIMISATION_STRICT = 465,
VAR_IP_FREEBIND = 466,
VAR_DEFINE_TAG = 467,
VAR_LOCAL_ZONE_TAG = 468,
VAR_ACCESS_CONTROL_TAG = 469,
VAR_LOCAL_ZONE_OVERRIDE = 470,
VAR_ACCESS_CONTROL_TAG_ACTION = 471,
VAR_ACCESS_CONTROL_TAG_DATA = 472,
VAR_VIEW = 473,
VAR_ACCESS_CONTROL_VIEW = 474,
VAR_VIEW_FIRST = 475,
VAR_SERVE_EXPIRED = 476,
VAR_SERVE_EXPIRED_TTL = 477,
VAR_SERVE_EXPIRED_TTL_RESET = 478,
VAR_SERVE_EXPIRED_REPLY_TTL = 479,
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 480,
VAR_FAKE_DSA = 481,
VAR_FAKE_SHA1 = 482,
VAR_LOG_IDENTITY = 483,
VAR_HIDE_TRUSTANCHOR = 484,
VAR_TRUST_ANCHOR_SIGNALING = 485,
VAR_AGGRESSIVE_NSEC = 486,
VAR_USE_SYSTEMD = 487,
VAR_SHM_ENABLE = 488,
VAR_SHM_KEY = 489,
VAR_ROOT_KEY_SENTINEL = 490,
VAR_DNSCRYPT = 491,
VAR_DNSCRYPT_ENABLE = 492,
VAR_DNSCRYPT_PORT = 493,
VAR_DNSCRYPT_PROVIDER = 494,
VAR_DNSCRYPT_SECRET_KEY = 495,
VAR_DNSCRYPT_PROVIDER_CERT = 496,
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 497,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 498,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 499,
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 500,
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 501,
VAR_IPSECMOD_ENABLED = 502,
VAR_IPSECMOD_HOOK = 503,
VAR_IPSECMOD_IGNORE_BOGUS = 504,
VAR_IPSECMOD_MAX_TTL = 505,
VAR_IPSECMOD_WHITELIST = 506,
VAR_IPSECMOD_STRICT = 507,
VAR_CACHEDB = 508,
VAR_CACHEDB_BACKEND = 509,
VAR_CACHEDB_SECRETSEED = 510,
VAR_CACHEDB_REDISHOST = 511,
VAR_CACHEDB_REDISPORT = 512,
VAR_CACHEDB_REDISTIMEOUT = 513,
VAR_CACHEDB_REDISEXPIRERECORDS = 514,
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 515,
VAR_FOR_UPSTREAM = 516,
VAR_AUTH_ZONE = 517,
VAR_ZONEFILE = 518,
VAR_MASTER = 519,
VAR_URL = 520,
VAR_FOR_DOWNSTREAM = 521,
VAR_FALLBACK_ENABLED = 522,
VAR_TLS_ADDITIONAL_PORT = 523,
VAR_LOW_RTT = 524,
VAR_LOW_RTT_PERMIL = 525,
VAR_FAST_SERVER_PERMIL = 526,
VAR_FAST_SERVER_NUM = 527,
VAR_ALLOW_NOTIFY = 528,
VAR_TLS_WIN_CERT = 529,
VAR_TCP_CONNECTION_LIMIT = 530,
VAR_FORWARD_NO_CACHE = 531,
VAR_STUB_NO_CACHE = 532,
VAR_LOG_SERVFAIL = 533,
VAR_DENY_ANY = 534,
VAR_UNKNOWN_SERVER_TIME_LIMIT = 535,
VAR_LOG_TAG_QUERYREPLY = 536,
VAR_STREAM_WAIT_SIZE = 537,
VAR_TLS_CIPHERS = 538,
VAR_TLS_CIPHERSUITES = 539,
VAR_TLS_USE_SNI = 540,
VAR_IPSET = 541,
VAR_IPSET_NAME_V4 = 542,
VAR_IPSET_NAME_V6 = 543,
VAR_TLS_SESSION_TICKET_KEYS = 544,
VAR_RPZ = 545,
VAR_TAGS = 546,
VAR_RPZ_ACTION_OVERRIDE = 547,
VAR_RPZ_CNAME_OVERRIDE = 548,
VAR_RPZ_LOG = 549,
VAR_RPZ_LOG_NAME = 550,
VAR_DYNLIB = 551,
VAR_DYNLIB_FILE = 552,
VAR_EDNS_CLIENT_STRING = 553,
VAR_EDNS_CLIENT_STRING_OPCODE = 554
VAR_HTTP_NOTLS_DOWNSTREAM = 403,
VAR_STUB_FIRST = 404,
VAR_MINIMAL_RESPONSES = 405,
VAR_RRSET_ROUNDROBIN = 406,
VAR_MAX_UDP_SIZE = 407,
VAR_DELAY_CLOSE = 408,
VAR_UNBLOCK_LAN_ZONES = 409,
VAR_INSECURE_LAN_ZONES = 410,
VAR_INFRA_CACHE_MIN_RTT = 411,
VAR_INFRA_KEEP_PROBING = 412,
VAR_DNS64_PREFIX = 413,
VAR_DNS64_SYNTHALL = 414,
VAR_DNS64_IGNORE_AAAA = 415,
VAR_DNSTAP = 416,
VAR_DNSTAP_ENABLE = 417,
VAR_DNSTAP_SOCKET_PATH = 418,
VAR_DNSTAP_IP = 419,
VAR_DNSTAP_TLS = 420,
VAR_DNSTAP_TLS_SERVER_NAME = 421,
VAR_DNSTAP_TLS_CERT_BUNDLE = 422,
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 423,
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 424,
VAR_DNSTAP_SEND_IDENTITY = 425,
VAR_DNSTAP_SEND_VERSION = 426,
VAR_DNSTAP_BIDIRECTIONAL = 427,
VAR_DNSTAP_IDENTITY = 428,
VAR_DNSTAP_VERSION = 429,
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 430,
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 431,
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 432,
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 433,
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 434,
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 435,
VAR_RESPONSE_IP_TAG = 436,
VAR_RESPONSE_IP = 437,
VAR_RESPONSE_IP_DATA = 438,
VAR_HARDEN_ALGO_DOWNGRADE = 439,
VAR_IP_TRANSPARENT = 440,
VAR_IP_DSCP = 441,
VAR_DISABLE_DNSSEC_LAME_CHECK = 442,
VAR_IP_RATELIMIT = 443,
VAR_IP_RATELIMIT_SLABS = 444,
VAR_IP_RATELIMIT_SIZE = 445,
VAR_RATELIMIT = 446,
VAR_RATELIMIT_SLABS = 447,
VAR_RATELIMIT_SIZE = 448,
VAR_RATELIMIT_FOR_DOMAIN = 449,
VAR_RATELIMIT_BELOW_DOMAIN = 450,
VAR_IP_RATELIMIT_FACTOR = 451,
VAR_RATELIMIT_FACTOR = 452,
VAR_SEND_CLIENT_SUBNET = 453,
VAR_CLIENT_SUBNET_ZONE = 454,
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 455,
VAR_CLIENT_SUBNET_OPCODE = 456,
VAR_MAX_CLIENT_SUBNET_IPV4 = 457,
VAR_MAX_CLIENT_SUBNET_IPV6 = 458,
VAR_MIN_CLIENT_SUBNET_IPV4 = 459,
VAR_MIN_CLIENT_SUBNET_IPV6 = 460,
VAR_MAX_ECS_TREE_SIZE_IPV4 = 461,
VAR_MAX_ECS_TREE_SIZE_IPV6 = 462,
VAR_CAPS_WHITELIST = 463,
VAR_CACHE_MAX_NEGATIVE_TTL = 464,
VAR_PERMIT_SMALL_HOLDDOWN = 465,
VAR_QNAME_MINIMISATION = 466,
VAR_QNAME_MINIMISATION_STRICT = 467,
VAR_IP_FREEBIND = 468,
VAR_DEFINE_TAG = 469,
VAR_LOCAL_ZONE_TAG = 470,
VAR_ACCESS_CONTROL_TAG = 471,
VAR_LOCAL_ZONE_OVERRIDE = 472,
VAR_ACCESS_CONTROL_TAG_ACTION = 473,
VAR_ACCESS_CONTROL_TAG_DATA = 474,
VAR_VIEW = 475,
VAR_ACCESS_CONTROL_VIEW = 476,
VAR_VIEW_FIRST = 477,
VAR_SERVE_EXPIRED = 478,
VAR_SERVE_EXPIRED_TTL = 479,
VAR_SERVE_EXPIRED_TTL_RESET = 480,
VAR_SERVE_EXPIRED_REPLY_TTL = 481,
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 482,
VAR_FAKE_DSA = 483,
VAR_FAKE_SHA1 = 484,
VAR_LOG_IDENTITY = 485,
VAR_HIDE_TRUSTANCHOR = 486,
VAR_TRUST_ANCHOR_SIGNALING = 487,
VAR_AGGRESSIVE_NSEC = 488,
VAR_USE_SYSTEMD = 489,
VAR_SHM_ENABLE = 490,
VAR_SHM_KEY = 491,
VAR_ROOT_KEY_SENTINEL = 492,
VAR_DNSCRYPT = 493,
VAR_DNSCRYPT_ENABLE = 494,
VAR_DNSCRYPT_PORT = 495,
VAR_DNSCRYPT_PROVIDER = 496,
VAR_DNSCRYPT_SECRET_KEY = 497,
VAR_DNSCRYPT_PROVIDER_CERT = 498,
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 499,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 500,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 501,
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 502,
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 503,
VAR_IPSECMOD_ENABLED = 504,
VAR_IPSECMOD_HOOK = 505,
VAR_IPSECMOD_IGNORE_BOGUS = 506,
VAR_IPSECMOD_MAX_TTL = 507,
VAR_IPSECMOD_WHITELIST = 508,
VAR_IPSECMOD_STRICT = 509,
VAR_CACHEDB = 510,
VAR_CACHEDB_BACKEND = 511,
VAR_CACHEDB_SECRETSEED = 512,
VAR_CACHEDB_REDISHOST = 513,
VAR_CACHEDB_REDISPORT = 514,
VAR_CACHEDB_REDISTIMEOUT = 515,
VAR_CACHEDB_REDISEXPIRERECORDS = 516,
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 517,
VAR_FOR_UPSTREAM = 518,
VAR_AUTH_ZONE = 519,
VAR_ZONEFILE = 520,
VAR_MASTER = 521,
VAR_URL = 522,
VAR_FOR_DOWNSTREAM = 523,
VAR_FALLBACK_ENABLED = 524,
VAR_TLS_ADDITIONAL_PORT = 525,
VAR_LOW_RTT = 526,
VAR_LOW_RTT_PERMIL = 527,
VAR_FAST_SERVER_PERMIL = 528,
VAR_FAST_SERVER_NUM = 529,
VAR_ALLOW_NOTIFY = 530,
VAR_TLS_WIN_CERT = 531,
VAR_TCP_CONNECTION_LIMIT = 532,
VAR_FORWARD_NO_CACHE = 533,
VAR_STUB_NO_CACHE = 534,
VAR_LOG_SERVFAIL = 535,
VAR_DENY_ANY = 536,
VAR_UNKNOWN_SERVER_TIME_LIMIT = 537,
VAR_LOG_TAG_QUERYREPLY = 538,
VAR_STREAM_WAIT_SIZE = 539,
VAR_TLS_CIPHERS = 540,
VAR_TLS_CIPHERSUITES = 541,
VAR_TLS_USE_SNI = 542,
VAR_IPSET = 543,
VAR_IPSET_NAME_V4 = 544,
VAR_IPSET_NAME_V6 = 545,
VAR_TLS_SESSION_TICKET_KEYS = 546,
VAR_RPZ = 547,
VAR_TAGS = 548,
VAR_RPZ_ACTION_OVERRIDE = 549,
VAR_RPZ_CNAME_OVERRIDE = 550,
VAR_RPZ_LOG = 551,
VAR_RPZ_LOG_NAME = 552,
VAR_DYNLIB = 553,
VAR_DYNLIB_FILE = 554,
VAR_EDNS_CLIENT_STRING = 555,
VAR_EDNS_CLIENT_STRING_OPCODE = 556
};
#endif
/* Tokens. */
@ -494,158 +496,160 @@ extern int yydebug;
#define VAR_HTTP_QUERY_BUFFER_SIZE 400
#define VAR_HTTP_RESPONSE_BUFFER_SIZE 401
#define VAR_HTTP_NODELAY 402
#define VAR_STUB_FIRST 403
#define VAR_MINIMAL_RESPONSES 404
#define VAR_RRSET_ROUNDROBIN 405
#define VAR_MAX_UDP_SIZE 406
#define VAR_DELAY_CLOSE 407
#define VAR_UNBLOCK_LAN_ZONES 408
#define VAR_INSECURE_LAN_ZONES 409
#define VAR_INFRA_CACHE_MIN_RTT 410
#define VAR_DNS64_PREFIX 411
#define VAR_DNS64_SYNTHALL 412
#define VAR_DNS64_IGNORE_AAAA 413
#define VAR_DNSTAP 414
#define VAR_DNSTAP_ENABLE 415
#define VAR_DNSTAP_SOCKET_PATH 416
#define VAR_DNSTAP_IP 417
#define VAR_DNSTAP_TLS 418
#define VAR_DNSTAP_TLS_SERVER_NAME 419
#define VAR_DNSTAP_TLS_CERT_BUNDLE 420
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 421
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 422
#define VAR_DNSTAP_SEND_IDENTITY 423
#define VAR_DNSTAP_SEND_VERSION 424
#define VAR_DNSTAP_BIDIRECTIONAL 425
#define VAR_DNSTAP_IDENTITY 426
#define VAR_DNSTAP_VERSION 427
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 428
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 429
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 430
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 431
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 432
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 433
#define VAR_RESPONSE_IP_TAG 434
#define VAR_RESPONSE_IP 435
#define VAR_RESPONSE_IP_DATA 436
#define VAR_HARDEN_ALGO_DOWNGRADE 437
#define VAR_IP_TRANSPARENT 438
#define VAR_IP_DSCP 439
#define VAR_DISABLE_DNSSEC_LAME_CHECK 440
#define VAR_IP_RATELIMIT 441
#define VAR_IP_RATELIMIT_SLABS 442
#define VAR_IP_RATELIMIT_SIZE 443
#define VAR_RATELIMIT 444
#define VAR_RATELIMIT_SLABS 445
#define VAR_RATELIMIT_SIZE 446
#define VAR_RATELIMIT_FOR_DOMAIN 447
#define VAR_RATELIMIT_BELOW_DOMAIN 448
#define VAR_IP_RATELIMIT_FACTOR 449
#define VAR_RATELIMIT_FACTOR 450
#define VAR_SEND_CLIENT_SUBNET 451
#define VAR_CLIENT_SUBNET_ZONE 452
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 453
#define VAR_CLIENT_SUBNET_OPCODE 454
#define VAR_MAX_CLIENT_SUBNET_IPV4 455
#define VAR_MAX_CLIENT_SUBNET_IPV6 456
#define VAR_MIN_CLIENT_SUBNET_IPV4 457
#define VAR_MIN_CLIENT_SUBNET_IPV6 458
#define VAR_MAX_ECS_TREE_SIZE_IPV4 459
#define VAR_MAX_ECS_TREE_SIZE_IPV6 460
#define VAR_CAPS_WHITELIST 461
#define VAR_CACHE_MAX_NEGATIVE_TTL 462
#define VAR_PERMIT_SMALL_HOLDDOWN 463
#define VAR_QNAME_MINIMISATION 464
#define VAR_QNAME_MINIMISATION_STRICT 465
#define VAR_IP_FREEBIND 466
#define VAR_DEFINE_TAG 467
#define VAR_LOCAL_ZONE_TAG 468
#define VAR_ACCESS_CONTROL_TAG 469
#define VAR_LOCAL_ZONE_OVERRIDE 470
#define VAR_ACCESS_CONTROL_TAG_ACTION 471
#define VAR_ACCESS_CONTROL_TAG_DATA 472
#define VAR_VIEW 473
#define VAR_ACCESS_CONTROL_VIEW 474
#define VAR_VIEW_FIRST 475
#define VAR_SERVE_EXPIRED 476
#define VAR_SERVE_EXPIRED_TTL 477
#define VAR_SERVE_EXPIRED_TTL_RESET 478
#define VAR_SERVE_EXPIRED_REPLY_TTL 479
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 480
#define VAR_FAKE_DSA 481
#define VAR_FAKE_SHA1 482
#define VAR_LOG_IDENTITY 483
#define VAR_HIDE_TRUSTANCHOR 484
#define VAR_TRUST_ANCHOR_SIGNALING 485
#define VAR_AGGRESSIVE_NSEC 486
#define VAR_USE_SYSTEMD 487
#define VAR_SHM_ENABLE 488
#define VAR_SHM_KEY 489
#define VAR_ROOT_KEY_SENTINEL 490
#define VAR_DNSCRYPT 491
#define VAR_DNSCRYPT_ENABLE 492
#define VAR_DNSCRYPT_PORT 493
#define VAR_DNSCRYPT_PROVIDER 494
#define VAR_DNSCRYPT_SECRET_KEY 495
#define VAR_DNSCRYPT_PROVIDER_CERT 496
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 497
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 498
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 499
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 500
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 501
#define VAR_IPSECMOD_ENABLED 502
#define VAR_IPSECMOD_HOOK 503
#define VAR_IPSECMOD_IGNORE_BOGUS 504
#define VAR_IPSECMOD_MAX_TTL 505
#define VAR_IPSECMOD_WHITELIST 506
#define VAR_IPSECMOD_STRICT 507
#define VAR_CACHEDB 508
#define VAR_CACHEDB_BACKEND 509
#define VAR_CACHEDB_SECRETSEED 510
#define VAR_CACHEDB_REDISHOST 511
#define VAR_CACHEDB_REDISPORT 512
#define VAR_CACHEDB_REDISTIMEOUT 513
#define VAR_CACHEDB_REDISEXPIRERECORDS 514
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 515
#define VAR_FOR_UPSTREAM 516
#define VAR_AUTH_ZONE 517
#define VAR_ZONEFILE 518
#define VAR_MASTER 519
#define VAR_URL 520
#define VAR_FOR_DOWNSTREAM 521
#define VAR_FALLBACK_ENABLED 522
#define VAR_TLS_ADDITIONAL_PORT 523
#define VAR_LOW_RTT 524
#define VAR_LOW_RTT_PERMIL 525
#define VAR_FAST_SERVER_PERMIL 526
#define VAR_FAST_SERVER_NUM 527
#define VAR_ALLOW_NOTIFY 528
#define VAR_TLS_WIN_CERT 529
#define VAR_TCP_CONNECTION_LIMIT 530
#define VAR_FORWARD_NO_CACHE 531
#define VAR_STUB_NO_CACHE 532
#define VAR_LOG_SERVFAIL 533
#define VAR_DENY_ANY 534
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 535
#define VAR_LOG_TAG_QUERYREPLY 536
#define VAR_STREAM_WAIT_SIZE 537
#define VAR_TLS_CIPHERS 538
#define VAR_TLS_CIPHERSUITES 539
#define VAR_TLS_USE_SNI 540
#define VAR_IPSET 541
#define VAR_IPSET_NAME_V4 542
#define VAR_IPSET_NAME_V6 543
#define VAR_TLS_SESSION_TICKET_KEYS 544
#define VAR_RPZ 545
#define VAR_TAGS 546
#define VAR_RPZ_ACTION_OVERRIDE 547
#define VAR_RPZ_CNAME_OVERRIDE 548
#define VAR_RPZ_LOG 549
#define VAR_RPZ_LOG_NAME 550
#define VAR_DYNLIB 551
#define VAR_DYNLIB_FILE 552
#define VAR_EDNS_CLIENT_STRING 553
#define VAR_EDNS_CLIENT_STRING_OPCODE 554
#define VAR_HTTP_NOTLS_DOWNSTREAM 403
#define VAR_STUB_FIRST 404
#define VAR_MINIMAL_RESPONSES 405
#define VAR_RRSET_ROUNDROBIN 406
#define VAR_MAX_UDP_SIZE 407
#define VAR_DELAY_CLOSE 408
#define VAR_UNBLOCK_LAN_ZONES 409
#define VAR_INSECURE_LAN_ZONES 410
#define VAR_INFRA_CACHE_MIN_RTT 411
#define VAR_INFRA_KEEP_PROBING 412
#define VAR_DNS64_PREFIX 413
#define VAR_DNS64_SYNTHALL 414
#define VAR_DNS64_IGNORE_AAAA 415
#define VAR_DNSTAP 416
#define VAR_DNSTAP_ENABLE 417
#define VAR_DNSTAP_SOCKET_PATH 418
#define VAR_DNSTAP_IP 419
#define VAR_DNSTAP_TLS 420
#define VAR_DNSTAP_TLS_SERVER_NAME 421
#define VAR_DNSTAP_TLS_CERT_BUNDLE 422
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 423
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 424
#define VAR_DNSTAP_SEND_IDENTITY 425
#define VAR_DNSTAP_SEND_VERSION 426
#define VAR_DNSTAP_BIDIRECTIONAL 427
#define VAR_DNSTAP_IDENTITY 428
#define VAR_DNSTAP_VERSION 429
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 430
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 431
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 432
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 433
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 434
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 435
#define VAR_RESPONSE_IP_TAG 436
#define VAR_RESPONSE_IP 437
#define VAR_RESPONSE_IP_DATA 438
#define VAR_HARDEN_ALGO_DOWNGRADE 439
#define VAR_IP_TRANSPARENT 440
#define VAR_IP_DSCP 441
#define VAR_DISABLE_DNSSEC_LAME_CHECK 442
#define VAR_IP_RATELIMIT 443
#define VAR_IP_RATELIMIT_SLABS 444
#define VAR_IP_RATELIMIT_SIZE 445
#define VAR_RATELIMIT 446
#define VAR_RATELIMIT_SLABS 447
#define VAR_RATELIMIT_SIZE 448
#define VAR_RATELIMIT_FOR_DOMAIN 449
#define VAR_RATELIMIT_BELOW_DOMAIN 450
#define VAR_IP_RATELIMIT_FACTOR 451
#define VAR_RATELIMIT_FACTOR 452
#define VAR_SEND_CLIENT_SUBNET 453
#define VAR_CLIENT_SUBNET_ZONE 454
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 455
#define VAR_CLIENT_SUBNET_OPCODE 456
#define VAR_MAX_CLIENT_SUBNET_IPV4 457
#define VAR_MAX_CLIENT_SUBNET_IPV6 458
#define VAR_MIN_CLIENT_SUBNET_IPV4 459
#define VAR_MIN_CLIENT_SUBNET_IPV6 460
#define VAR_MAX_ECS_TREE_SIZE_IPV4 461
#define VAR_MAX_ECS_TREE_SIZE_IPV6 462
#define VAR_CAPS_WHITELIST 463
#define VAR_CACHE_MAX_NEGATIVE_TTL 464
#define VAR_PERMIT_SMALL_HOLDDOWN 465
#define VAR_QNAME_MINIMISATION 466
#define VAR_QNAME_MINIMISATION_STRICT 467
#define VAR_IP_FREEBIND 468
#define VAR_DEFINE_TAG 469
#define VAR_LOCAL_ZONE_TAG 470
#define VAR_ACCESS_CONTROL_TAG 471
#define VAR_LOCAL_ZONE_OVERRIDE 472
#define VAR_ACCESS_CONTROL_TAG_ACTION 473
#define VAR_ACCESS_CONTROL_TAG_DATA 474
#define VAR_VIEW 475
#define VAR_ACCESS_CONTROL_VIEW 476
#define VAR_VIEW_FIRST 477
#define VAR_SERVE_EXPIRED 478
#define VAR_SERVE_EXPIRED_TTL 479
#define VAR_SERVE_EXPIRED_TTL_RESET 480
#define VAR_SERVE_EXPIRED_REPLY_TTL 481
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 482
#define VAR_FAKE_DSA 483
#define VAR_FAKE_SHA1 484
#define VAR_LOG_IDENTITY 485
#define VAR_HIDE_TRUSTANCHOR 486
#define VAR_TRUST_ANCHOR_SIGNALING 487
#define VAR_AGGRESSIVE_NSEC 488
#define VAR_USE_SYSTEMD 489
#define VAR_SHM_ENABLE 490
#define VAR_SHM_KEY 491
#define VAR_ROOT_KEY_SENTINEL 492
#define VAR_DNSCRYPT 493
#define VAR_DNSCRYPT_ENABLE 494
#define VAR_DNSCRYPT_PORT 495
#define VAR_DNSCRYPT_PROVIDER 496
#define VAR_DNSCRYPT_SECRET_KEY 497
#define VAR_DNSCRYPT_PROVIDER_CERT 498
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 499
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 500
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 501
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 502
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 503
#define VAR_IPSECMOD_ENABLED 504
#define VAR_IPSECMOD_HOOK 505
#define VAR_IPSECMOD_IGNORE_BOGUS 506
#define VAR_IPSECMOD_MAX_TTL 507
#define VAR_IPSECMOD_WHITELIST 508
#define VAR_IPSECMOD_STRICT 509
#define VAR_CACHEDB 510
#define VAR_CACHEDB_BACKEND 511
#define VAR_CACHEDB_SECRETSEED 512
#define VAR_CACHEDB_REDISHOST 513
#define VAR_CACHEDB_REDISPORT 514
#define VAR_CACHEDB_REDISTIMEOUT 515
#define VAR_CACHEDB_REDISEXPIRERECORDS 516
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 517
#define VAR_FOR_UPSTREAM 518
#define VAR_AUTH_ZONE 519
#define VAR_ZONEFILE 520
#define VAR_MASTER 521
#define VAR_URL 522
#define VAR_FOR_DOWNSTREAM 523
#define VAR_FALLBACK_ENABLED 524
#define VAR_TLS_ADDITIONAL_PORT 525
#define VAR_LOW_RTT 526
#define VAR_LOW_RTT_PERMIL 527
#define VAR_FAST_SERVER_PERMIL 528
#define VAR_FAST_SERVER_NUM 529
#define VAR_ALLOW_NOTIFY 530
#define VAR_TLS_WIN_CERT 531
#define VAR_TCP_CONNECTION_LIMIT 532
#define VAR_FORWARD_NO_CACHE 533
#define VAR_STUB_NO_CACHE 534
#define VAR_LOG_SERVFAIL 535
#define VAR_DENY_ANY 536
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 537
#define VAR_LOG_TAG_QUERYREPLY 538
#define VAR_STREAM_WAIT_SIZE 539
#define VAR_TLS_CIPHERS 540
#define VAR_TLS_CIPHERSUITES 541
#define VAR_TLS_USE_SNI 542
#define VAR_IPSET 543
#define VAR_IPSET_NAME_V4 544
#define VAR_IPSET_NAME_V6 545
#define VAR_TLS_SESSION_TICKET_KEYS 546
#define VAR_RPZ 547
#define VAR_TAGS 548
#define VAR_RPZ_ACTION_OVERRIDE 549
#define VAR_RPZ_CNAME_OVERRIDE 550
#define VAR_RPZ_LOG 551
#define VAR_RPZ_LOG_NAME 552
#define VAR_DYNLIB 553
#define VAR_DYNLIB_FILE 554
#define VAR_EDNS_CLIENT_STRING 555
#define VAR_EDNS_CLIENT_STRING_OPCODE 556
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -655,7 +659,7 @@ union YYSTYPE
char* str;
#line 659 "util/configparser.h"
#line 663 "util/configparser.h"
};
typedef union YYSTYPE YYSTYPE;


@ -114,11 +114,11 @@ extern struct config_parser_state* cfg_parser;
%token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
%token VAR_HTTPS_PORT VAR_HTTP_ENDPOINT VAR_HTTP_MAX_STREAMS
%token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE
%token VAR_HTTP_NODELAY
%token VAR_HTTP_NODELAY VAR_HTTP_NOTLS_DOWNSTREAM
%token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
%token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
%token VAR_INFRA_CACHE_MIN_RTT
%token VAR_INFRA_CACHE_MIN_RTT VAR_INFRA_KEEP_PROBING
%token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL VAR_DNS64_IGNORE_AAAA
%token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH VAR_DNSTAP_IP
%token VAR_DNSTAP_TLS VAR_DNSTAP_TLS_SERVER_NAME VAR_DNSTAP_TLS_CERT_BUNDLE
@ -250,14 +250,14 @@ content_server: server_num_threads | server_verbosity | server_port |
server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
server_https_port | server_http_endpoint | server_http_max_streams |
server_http_query_buffer_size | server_http_response_buffer_size |
server_http_nodelay |
server_http_nodelay | server_http_notls_downstream |
server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
server_so_reuseport | server_delay_close |
server_unblock_lan_zones | server_insecure_lan_zones |
server_dns64_prefix | server_dns64_synthall | server_dns64_ignore_aaaa |
server_infra_cache_min_rtt | server_harden_algo_downgrade |
server_ip_transparent | server_ip_ratelimit | server_ratelimit |
server_ip_dscp |
server_ip_dscp | server_infra_keep_probing |
server_ip_ratelimit_slabs | server_ratelimit_slabs |
server_ip_ratelimit_size | server_ratelimit_size |
server_ratelimit_for_domain |
@ -983,6 +983,7 @@ server_https_port: VAR_HTTPS_PORT STRING_ARG
if(atoi($2) == 0)
yyerror("port number expected");
else cfg_parser->cfg->https_port = atoi($2);
free($2);
};
server_http_endpoint: VAR_HTTP_ENDPOINT STRING_ARG
{
@ -1031,6 +1032,14 @@ server_http_nodelay: VAR_HTTP_NODELAY STRING_ARG
yyerror("expected yes or no.");
else cfg_parser->cfg->http_nodelay = (strcmp($2, "yes")==0);
free($2);
}
server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
{
OUTYY(("P(server_http_notls_downstream:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->http_notls_downstream = (strcmp($2, "yes")==0);
free($2);
};
server_use_systemd: VAR_USE_SYSTEMD STRING_ARG
{
@ -1532,6 +1541,16 @@ server_infra_cache_min_rtt: VAR_INFRA_CACHE_MIN_RTT STRING_ARG
free($2);
}
;
server_infra_keep_probing: VAR_INFRA_KEEP_PROBING STRING_ARG
{
OUTYY(("P(server_infra_keep_probing:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->infra_keep_probing =
(strcmp($2, "yes")==0);
free($2);
}
;
server_target_fetch_policy: VAR_TARGET_FETCH_POLICY STRING_ARG
{
OUTYY(("P(server_target_fetch_policy:%s)\n", $2));


@ -624,6 +624,9 @@ positive_answer(struct reply_info* rep, uint16_t qtype) {
for(i=0;i<rep->an_numrrsets; i++) {
if(ntohs(rep->rrsets[i]->rk.type) == qtype) {
/* for priming queries, type NS, include addresses */
if(qtype == LDNS_RR_TYPE_NS)
return 0;
/* in case it is a wildcard with DNSSEC, there will
* be NSEC/NSEC3 records in the authority section
* that we cannot remove */


@ -552,7 +552,7 @@ struct edns_option* edns_opt_list_find(struct edns_option* list, uint16_t code);
* @param rep: Reply info. Could be NULL.
* @param rcode: return code.
* @param edns: edns data of the reply.
* @param repinfo: comm_reply. NULL.
* @param repinfo: comm_reply. Reply information for a communication point.
* @param region: region to store data.
* @return false on failure (a callback function returned an error).
*/


@ -965,6 +965,10 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg)
/* clear leftover flags from previous use, and then set the
* correct event base for the event structure for libevent */
ub_event_free(c_hdl->ev->ev);
if((c_hdl->type == comm_tcp && c_hdl->tcp_req_info) ||
c_hdl->type == comm_local || c_hdl->type == comm_raw)
c_hdl->tcp_do_toggle_rw = 0;
else c_hdl->tcp_do_toggle_rw = 1;
if(c_hdl->type == comm_http) {
#ifdef HAVE_NGHTTP2
@ -978,6 +982,10 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg)
log_warn("failed to submit http2 settings");
return;
}
if(!c->ssl) {
c_hdl->tcp_do_toggle_rw = 0;
c_hdl->use_h2 = 1;
}
#endif
c_hdl->ev->ev = ub_event_new(c_hdl->ev->base->eb->base, -1,
UB_EV_PERSIST | UB_EV_READ | UB_EV_TIMEOUT,
@ -2359,48 +2367,76 @@ int http2_stream_close_cb(nghttp2_session* ATTR_UNUSED(session),
ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session), uint8_t* buf,
size_t len, int ATTR_UNUSED(flags), void* cb_arg)
{
#ifdef HAVE_SSL
struct http2_session* h2_session = (struct http2_session*)cb_arg;
int r;
ssize_t ret;
log_assert(h2_session->c->type == comm_http);
log_assert(h2_session->c->h2_session);
if(!h2_session->c->ssl)
return 0;
ERR_clear_error();
r = SSL_read(h2_session->c->ssl, buf, len);
if(r <= 0) {
int want = SSL_get_error(h2_session->c->ssl, r);
if(want == SSL_ERROR_ZERO_RETURN) {
return NGHTTP2_ERR_EOF;
} else if(want == SSL_ERROR_WANT_READ) {
return NGHTTP2_ERR_WOULDBLOCK;
} else if(want == SSL_ERROR_WANT_WRITE) {
h2_session->c->ssl_shake_state = comm_ssl_shake_hs_write;
comm_point_listen_for_rw(h2_session->c, 0, 1);
return NGHTTP2_ERR_WOULDBLOCK;
} else if(want == SSL_ERROR_SYSCALL) {
#ifdef HAVE_SSL
if(h2_session->c->ssl) {
int r;
ERR_clear_error();
r = SSL_read(h2_session->c->ssl, buf, len);
if(r <= 0) {
int want = SSL_get_error(h2_session->c->ssl, r);
if(want == SSL_ERROR_ZERO_RETURN) {
return NGHTTP2_ERR_EOF;
} else if(want == SSL_ERROR_WANT_READ) {
return NGHTTP2_ERR_WOULDBLOCK;
} else if(want == SSL_ERROR_WANT_WRITE) {
h2_session->c->ssl_shake_state = comm_ssl_shake_hs_write;
comm_point_listen_for_rw(h2_session->c, 0, 1);
return NGHTTP2_ERR_WOULDBLOCK;
} else if(want == SSL_ERROR_SYSCALL) {
#ifdef ECONNRESET
if(errno == ECONNRESET && verbosity < 2)
return NGHTTP2_ERR_CALLBACK_FAILURE;
if(errno == ECONNRESET && verbosity < 2)
return NGHTTP2_ERR_CALLBACK_FAILURE;
#endif
if(errno != 0)
log_err("SSL_read syscall: %s",
strerror(errno));
if(errno != 0)
log_err("SSL_read syscall: %s",
strerror(errno));
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
log_crypto_err("could not SSL_read");
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
log_crypto_err("could not SSL_read");
return r;
}
#endif /* HAVE_SSL */
ret = recv(h2_session->c->fd, buf, len, 0);
if(ret == 0) {
return NGHTTP2_ERR_EOF;
} else if(ret < 0) {
#ifndef USE_WINSOCK
if(errno == EINTR || errno == EAGAIN)
return NGHTTP2_ERR_WOULDBLOCK;
#ifdef ECONNRESET
if(errno == ECONNRESET && verbosity < 2)
return NGHTTP2_ERR_CALLBACK_FAILURE;
#endif
log_err_addr("could not http2 recv: %s", strerror(errno),
&h2_session->c->repinfo.addr,
h2_session->c->repinfo.addrlen);
#else /* USE_WINSOCK */
if(WSAGetLastError() == WSAECONNRESET)
return NGHTTP2_ERR_CALLBACK_FAILURE;
if(WSAGetLastError() == WSAEINPROGRESS)
return NGHTTP2_ERR_WOULDBLOCK;
if(WSAGetLastError() == WSAEWOULDBLOCK) {
ub_winsock_tcp_wouldblock(h2_session->c->ev->ev,
UB_EV_READ);
return NGHTTP2_ERR_WOULDBLOCK;
}
log_err_addr("could not http2 recv: %s",
wsa_strerror(WSAGetLastError()),
&h2_session->c->repinfo.addr,
h2_session->c->repinfo.addrlen);
#endif
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
return r;
#else
(void)buf;
(void)len;
(void)cb_arg;
return -1;
#endif
return ret;
}
#endif /* HAVE_NGHTTP2 */
@ -2411,15 +2447,17 @@ comm_point_http2_handle_read(int ATTR_UNUSED(fd), struct comm_point* c)
#ifdef HAVE_NGHTTP2
int ret;
log_assert(c->h2_session);
log_assert(c->ssl);
/* reading until recv cb returns NGHTTP2_ERR_WOULDBLOCK */
ret = nghttp2_session_recv(c->h2_session->session);
if(ret) {
if(ret != NGHTTP2_ERR_EOF &&
ret != NGHTTP2_ERR_CALLBACK_FAILURE) {
verbose(VERB_QUERY, "http2: session_recv failed, "
"error: %s", nghttp2_strerror(ret));
char a[256];
addr_to_str(&c->repinfo.addr, c->repinfo.addrlen,
a, sizeof(a));
verbose(VERB_QUERY, "http2: session_recv from %s failed, "
"error: %s", a, nghttp2_strerror(ret));
}
return 0;
}
@ -2648,47 +2686,81 @@ http_write_more(int fd, struct comm_point* c)
ssize_t http2_send_cb(nghttp2_session* ATTR_UNUSED(session), const uint8_t* buf,
size_t len, int ATTR_UNUSED(flags), void* cb_arg)
{
#ifdef HAVE_SSL
int r;
ssize_t ret;
struct http2_session* h2_session = (struct http2_session*)cb_arg;
log_assert(h2_session->c->type == comm_http);
log_assert(h2_session->c->h2_session);
if(!h2_session->c->ssl)
return 0;
ERR_clear_error();
r = SSL_write(h2_session->c->ssl, buf, len);
if(r <= 0) {
int want = SSL_get_error(h2_session->c->ssl, r);
if(want == SSL_ERROR_ZERO_RETURN) {
return NGHTTP2_ERR_CALLBACK_FAILURE;
} else if(want == SSL_ERROR_WANT_READ) {
h2_session->c->ssl_shake_state = comm_ssl_shake_hs_read;
comm_point_listen_for_rw(h2_session->c, 1, 0);
return NGHTTP2_ERR_WOULDBLOCK;
} else if(want == SSL_ERROR_WANT_WRITE) {
return NGHTTP2_ERR_WOULDBLOCK;
} else if(want == SSL_ERROR_SYSCALL) {
#ifdef EPIPE
if(errno == EPIPE && verbosity < 2)
#ifdef HAVE_SSL
if(h2_session->c->ssl) {
int r;
ERR_clear_error();
r = SSL_write(h2_session->c->ssl, buf, len);
if(r <= 0) {
int want = SSL_get_error(h2_session->c->ssl, r);
if(want == SSL_ERROR_ZERO_RETURN) {
return NGHTTP2_ERR_CALLBACK_FAILURE;
} else if(want == SSL_ERROR_WANT_READ) {
h2_session->c->ssl_shake_state = comm_ssl_shake_hs_read;
comm_point_listen_for_rw(h2_session->c, 1, 0);
return NGHTTP2_ERR_WOULDBLOCK;
} else if(want == SSL_ERROR_WANT_WRITE) {
return NGHTTP2_ERR_WOULDBLOCK;
} else if(want == SSL_ERROR_SYSCALL) {
#ifdef EPIPE
if(errno == EPIPE && verbosity < 2)
return NGHTTP2_ERR_CALLBACK_FAILURE;
#endif
if(errno != 0)
log_err("SSL_write syscall: %s",
strerror(errno));
if(errno != 0)
log_err("SSL_write syscall: %s",
strerror(errno));
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
log_crypto_err("could not SSL_write");
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
log_crypto_err("could not SSL_write");
return r;
}
#endif /* HAVE_SSL */
ret = send(h2_session->c->fd, buf, len, 0);
if(ret == 0) {
return NGHTTP2_ERR_CALLBACK_FAILURE;
} else if(ret < 0) {
#ifndef USE_WINSOCK
if(errno == EINTR || errno == EAGAIN)
return NGHTTP2_ERR_WOULDBLOCK;
#ifdef EPIPE
if(errno == EPIPE && verbosity < 2)
return NGHTTP2_ERR_CALLBACK_FAILURE;
#endif
#ifdef ECONNRESET
if(errno == ECONNRESET && verbosity < 2)
return NGHTTP2_ERR_CALLBACK_FAILURE;
#endif
log_err_addr("could not http2 write: %s", strerror(errno),
&h2_session->c->repinfo.addr,
h2_session->c->repinfo.addrlen);
#else /* USE_WINSOCK */
if(WSAGetLastError() == WSAENOTCONN)
return NGHTTP2_ERR_WOULDBLOCK;
if(WSAGetLastError() == WSAEINPROGRESS)
return NGHTTP2_ERR_WOULDBLOCK;
if(WSAGetLastError() == WSAEWOULDBLOCK) {
ub_winsock_tcp_wouldblock(h2_session->c->ev->ev,
UB_EV_WRITE);
return NGHTTP2_ERR_WOULDBLOCK;
}
if(WSAGetLastError() == WSAECONNRESET && verbosity < 2)
return NGHTTP2_ERR_CALLBACK_FAILURE;
log_err_addr("could not http2 write: %s",
wsa_strerror(WSAGetLastError()),
&h2_session->c->repinfo.addr,
h2_session->c->repinfo.addrlen);
#endif
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
return r;
#else
(void)buf;
(void)len;
(void)cb_arg;
return -1;
#endif
return ret;
}
#endif /* HAVE_NGHTTP2 */
@ -2699,7 +2771,6 @@ comm_point_http2_handle_write(int ATTR_UNUSED(fd), struct comm_point* c)
#ifdef HAVE_NGHTTP2
int ret;
log_assert(c->h2_session);
log_assert(c->ssl);
ret = nghttp2_session_send(c->h2_session->session);
if(ret) {


@ -80,18 +80,39 @@ regional_init(struct regional* r)
r->total_large = 0;
}
struct regional*
regional_create_custom(size_t size)
/**
* Create a new region, with custom first block and large-object sizes.
* @param size: length of first block.
* @param large_object_size: outside of chunk allocation threshold.
* @return: newly allocated regional.
*/
static struct regional*
regional_create_custom_large_object(size_t size, size_t large_object_size)
{
struct regional* r = (struct regional*)malloc(size);
struct regional* r;
size = ALIGN_UP(size, ALIGNMENT);
r = (struct regional*)malloc(size);
log_assert(sizeof(struct regional) <= size);
if(!r) return NULL;
r->first_size = size;
r->large_object_size = large_object_size;
regional_init(r);
return r;
}
struct regional*
regional_create_custom(size_t size)
{
return regional_create_custom_large_object(size,
REGIONAL_LARGE_OBJECT_SIZE);
}
struct regional*
regional_create_nochunk(size_t size)
{
return regional_create_custom_large_object(size, 0);
}
void
regional_free_all(struct regional *r)
{
@ -134,7 +155,7 @@ regional_alloc(struct regional *r, size_t size)
malloc and ALIGN_UP */
a = ALIGN_UP(size, ALIGNMENT);
/* large objects */
if(a > REGIONAL_LARGE_OBJECT_SIZE) {
if(a > r->large_object_size) {
s = malloc(ALIGNMENT + size);
if(!s) return NULL;
r->total_large += ALIGNMENT+size;
@ -219,7 +240,7 @@ regional_log_stats(struct regional *r)
/* some basic assertions put here (non time critical code) */
log_assert(ALIGNMENT >= sizeof(char*));
log_assert(REGIONAL_CHUNK_SIZE > ALIGNMENT);
log_assert(REGIONAL_CHUNK_SIZE-ALIGNMENT > REGIONAL_LARGE_OBJECT_SIZE);
log_assert(REGIONAL_CHUNK_SIZE-ALIGNMENT > r->large_object_size);
log_assert(REGIONAL_CHUNK_SIZE >= sizeof(struct regional));
/* debug print */
log_info("regional %u chunks, %u large",
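Review bot: `regional_create_custom_large_object` only guards the header size with `log_assert(sizeof(struct regional) <= size)`, and if log_assert is compiled out in non-debug builds (as is usual for debug assertions) a `size` smaller than the struct makes `regional_init(r)` write past the malloc'd block, a path now reachable from both `regional_create_custom` and the new `regional_create_nochunk`. Since the function already rewrites `size` with `ALIGN_UP` before the malloc, add a real check next to it: `if(size < sizeof(struct regional)) return NULL;`. That check would also catch the case where `ALIGN_UP` wraps to a small value for a `size` close to SIZE_MAX, assuming the macro is the usual add-and-mask form (its definition is not in this diff).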


@ -74,6 +74,8 @@ struct regional
size_t available;
/** current chunk data position. */
char* data;
/** threshold for outside of chunk allocations */
size_t large_object_size;
};
/**
@ -88,6 +90,14 @@ struct regional* regional_create(void);
* @return: newly allocated regional.
*/
struct regional* regional_create_custom(size_t size);
/**
* Create a new region, with custom settings, that will allocate everything
* outside the region chunk.
* @param size: length of first block.
* @return: newly allocated regional.
*/
struct regional* regional_create_nochunk(size_t size);
/**
* Free all memory associated with regional. Only keeps the first block with
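Review bot: The comment on the new `large_object_size` field, `/** threshold for outside of chunk allocations */`, does not say how the threshold is applied, and the `regional_create_nochunk` docstring does not connect "allocate everything outside the region chunk" to that field. In regional.c the test is `if(a > r->large_object_size)` on the aligned size, so objects strictly larger than the threshold are malloc'ed and the 0 set by `regional_create_nochunk` sends every non-empty allocation outside the chunk. Suggest `/** aligned allocations strictly larger than this are malloc'ed outside the chunk; 0 means every non-empty allocation (see regional_create_nochunk) */` for the field, and a sentence in the `regional_create_nochunk` docstring stating that it is `regional_create_custom` with this threshold set to 0.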


@ -990,6 +990,7 @@ static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
return pk;
}
#if defined(USE_DSA) && defined(USE_SHA1)
static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
{
SECKEYPublicKey* pk;
@ -1050,6 +1051,7 @@ static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
}
return pk;
}
#endif /* USE_DSA && USE_SHA1 */
static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
{