Merge branch 'master' into rpz-triggers

This commit is contained in:
W.C.A. Wijngaards 2021-08-18 09:53:35 +02:00
commit a9de6879b8
54 changed files with 6544 additions and 4876 deletions

.gitignore vendored

@ -37,6 +37,7 @@
/perf
/petal
/pktview
/readzone
/streamtcp
/unbound-dnstap-socket
/testbound


@ -85,6 +85,8 @@ LINTFLAGS+=@NETBSD_LINTFLAGS@
LINTFLAGS+="-Dsigset_t=long"
# FreeBSD
LINTFLAGS+="-D__uint16_t=uint16_t" "-DEVP_PKEY_ASN1_METHOD=int" "-D_RuneLocale=int" "-D__va_list=va_list" "-D__uint32_t=uint32_t" "-D_Alignof(x)=x" "-D__aligned(x)=" "-D__requires_exclusive(x)=" "-D__requires_unlocked(x)=" "-D__locks_exclusive(x)=" "-D__trylocks_exclusive(x)=" "-D__unlocks(x)=" "-D__locks_shared(x)=" "-D__trylocks_shared(x)="
# GCC Docker
LINTFLAGS+=@GCC_DOCKER_LINTFLAGS@
INSTALL=$(SHELL) $(srcdir)/install-sh
@ -476,7 +478,7 @@ libunbound/python/libunbound_wrap.c: $(srcdir)/libunbound/python/libunbound.i un
# Pyunbound python unbound wrapper
_unbound.la: libunbound_wrap.lo libunbound.la
$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -avoid-version -no-undefined -shared -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) libunbound.la $(LIBS)
$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -avoid-version -no-undefined -shared -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) -L. -L.libs libunbound.la $(LIBS)
util/config_file.c: util/configparser.h
util/configlexer.c: $(srcdir)/util/configlexer.lex util/configparser.h


@ -2,7 +2,10 @@
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
# Version 41
# Version 43
# 2021-08-17 fix sed script in ssldir split handling.
# 2021-08-17 fix for openssl to detect split version, with ssldir_include
# and ssldir_lib output directories.
# 2021-07-30 fix for openssl use of lib64 directory.
# 2021-06-14 fix nonblocking test to use host instead of target for mingw test.
# 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for
@ -647,6 +650,30 @@ AC_DEFUN([ACX_SSL_CHECKS], [
withval=$1
if test x_$withval != x_no; then
AC_MSG_CHECKING(for SSL)
if test -n "$withval"; then
dnl look for openssl install with different version, eg.
dnl in /usr/include/openssl11/openssl/ssl.h
dnl and /usr/lib64/openssl11/libssl.so
dnl with the --with-ssl=/usr/include/openssl11
if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then
ssldir="$withval"
found_ssl="yes"
withval=""
ssldir_include="$ssldir"
dnl find the libdir
ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'`
if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
: # found here
else
ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'`
if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
: # found here
else
AC_MSG_ERROR([Could not find openssl lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or "/usr/include/openssl11"])
fi
fi
fi
fi
if test x_$withval = x_ -o x_$withval = x_yes; then
withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr"
fi
@ -654,12 +681,12 @@ AC_DEFUN([ACX_SSL_CHECKS], [
ssldir="$dir"
if test -f "$dir/include/openssl/ssl.h"; then
found_ssl="yes"
AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.])
dnl assume /usr/include is already in the include-path.
if test "$ssldir" != "/usr"; then
CPPFLAGS="$CPPFLAGS -I$ssldir/include"
LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include"
fi
ssldir_include="$ssldir/include"
if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
ssldir_lib="$ssldir/lib64"
else
ssldir_lib="$ssldir/lib"
fi
break;
fi
done
@ -667,19 +694,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [
AC_MSG_ERROR(Cannot find the SSL libraries in $withval)
else
AC_MSG_RESULT(found in $ssldir)
AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.])
HAVE_SSL=yes
dnl assume /usr is already in the lib and dynlib paths.
if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
LDFLAGS="$LDFLAGS -L$ssldir/lib64"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib64"
ACX_RUNTIME_PATH_ADD([$ssldir/lib64])
else
LDFLAGS="$LDFLAGS -L$ssldir/lib"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
ACX_RUNTIME_PATH_ADD([$ssldir/lib])
fi
fi
dnl assume /usr is already in the include, lib and dynlib paths.
if test "$ssldir" != "/usr"; then
CPPFLAGS="$CPPFLAGS -I$ssldir_include"
LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir_include"
LDFLAGS="$LDFLAGS -L$ssldir_lib"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib"
ACX_RUNTIME_PATH_ADD([$ssldir_lib])
fi
AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])
LIBS="$LIBS -lcrypto"
@ -758,7 +782,7 @@ dnl
AC_DEFUN([ACX_WITH_SSL],
[
AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl
/usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
/usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[
],[
withval="yes"
])
@ -776,7 +800,7 @@ dnl
AC_DEFUN([ACX_WITH_SSL_OPTIONAL],
[
AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl
/usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
/usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)]),[
],[
withval="yes"
])
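Review bot: In the `@ -647,6 +650,30` hunk the inner brackets of `AC_MSG_ERROR([Could not find openssl lib file, $ssldir_lib/libssl.[so,a], ...])` are consumed by m4 quoting, so the regenerated configure in this same commit prints `libssl.so,a`; writing `$ssldir_lib/libssl.so or libssl.a` (or the `@<:@so,a@:>@` quadrigraphs) gives the user the intended filenames. In the same hunk the `sed -e 's/include/lib/'` substitution (and the `lib64` variant below it) rewrites the first `include` anywhere in the path rather than the directory component, and `$ssldir` is passed to echo unquoted; anchoring on the separator, `sed -e 's|/include|/lib|'`, and quoting `"$ssldir"` narrows what can be mangled. Only `libssl.a` and `libssl.so` are probed before the error is raised, so a layout that ships only a `.dylib` would hit the error path; whether that matters for the `--with-ssl=.../openssl11` form is presumably platform-specific and worth a line in the help text if it is intentional.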

configure vendored

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.13.2.
# Generated by GNU Autoconf 2.69 for unbound 1.13.3.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
#
@ -591,8 +591,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.13.2'
PACKAGE_STRING='unbound 1.13.2'
PACKAGE_VERSION='1.13.3'
PACKAGE_STRING='unbound 1.13.3'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
PACKAGE_URL=''
@ -682,6 +682,7 @@ SSLLIB
HAVE_SSL
PC_CRYPTO_DEPENDENCY
CONFIG_DATE
GCC_DOCKER_LINTFLAGS
NETBSD_LINTFLAGS
PYUNBOUND_UNINSTALL
PYUNBOUND_INSTALL
@ -1464,7 +1465,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.13.2 to adapt to many kinds of systems.
\`configure' configures unbound 1.13.3 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1529,7 +1530,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.13.2:";;
short | recursive ) echo "Configuration of unbound 1.13.3:";;
esac
cat <<\_ACEOF
@ -1649,7 +1650,7 @@ Optional Packages:
--with-nettle=path use libnettle as crypto library, installed at path.
--with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl
/usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
/usr)
/usr or specify like /usr/include/openssl11)
--with-libbsd Use portable libbsd functions
--with-deprecate-rsa-1024
Deprecate RSA 1024 bit length, makes that an
@ -1771,7 +1772,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.13.2
unbound configure 1.13.3
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2480,7 +2481,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by unbound $as_me 1.13.2, which was
It was created by unbound $as_me 1.13.3, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2832,11 +2833,11 @@ UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=13
UNBOUND_VERSION_MICRO=2
UNBOUND_VERSION_MICRO=3
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=13
LIBUNBOUND_REVISION=14
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -2917,6 +2918,7 @@ LIBUNBOUND_AGE=1
# 1.13.0 had 9:11:1
# 1.13.1 had 9:12:1
# 1.13.2 had 9:13:1
# 1.13.3 had 9:14:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -17886,6 +17888,12 @@ fi
if test "`uname`" = "NetBSD"; then
NETBSD_LINTFLAGS='"-D__RENAME(x)=" -D_NETINET_IN_H_'
fi
if test "`uname -o`" = "GNU/Linux"; then
# splint cannot parse modern c99 header files
GCC_DOCKER_LINTFLAGS='-syntax'
fi
CONFIG_DATE=`date +%Y%m%d`
@ -17993,6 +18001,25 @@ fi
if test x_$withval != x_no; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL" >&5
$as_echo_n "checking for SSL... " >&6; }
if test -n "$withval"; then
if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then
ssldir="$withval"
found_ssl="yes"
withval=""
ssldir_include="$ssldir"
ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'`
if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
: # found here
else
ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'`
if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then
: # found here
else
as_fn_error $? "Could not find openssl lib file, $ssldir_lib/libssl.so,a, pass like \"/usr/local\" or \"/usr/include/openssl11\"" "$LINENO" 5
fi
fi
fi
fi
if test x_$withval = x_ -o x_$withval = x_yes; then
withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr"
fi
@ -18000,15 +18027,12 @@ $as_echo_n "checking for SSL... " >&6; }
ssldir="$dir"
if test -f "$dir/include/openssl/ssl.h"; then
found_ssl="yes"
cat >>confdefs.h <<_ACEOF
#define HAVE_SSL /**/
_ACEOF
if test "$ssldir" != "/usr"; then
CPPFLAGS="$CPPFLAGS -I$ssldir/include"
LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include"
fi
ssldir_include="$ssldir/include"
if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
ssldir_lib="$ssldir/lib64"
else
ssldir_lib="$ssldir/lib"
fi
break;
fi
done
@ -18017,30 +18041,25 @@ _ACEOF
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $ssldir" >&5
$as_echo "found in $ssldir" >&6; }
cat >>confdefs.h <<_ACEOF
#define HAVE_SSL /**/
_ACEOF
HAVE_SSL=yes
if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
LDFLAGS="$LDFLAGS -L$ssldir/lib64"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib64"
if test "$ssldir" != "/usr"; then
CPPFLAGS="$CPPFLAGS -I$ssldir_include"
LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir_include"
LDFLAGS="$LDFLAGS -L$ssldir_lib"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib"
if test "x$enable_rpath" = xyes; then
if echo "$ssldir/lib64" | grep "^/" >/dev/null; then
RUNTIME_PATH="$RUNTIME_PATH -R$ssldir/lib64"
if echo "$ssldir_lib" | grep "^/" >/dev/null; then
RUNTIME_PATH="$RUNTIME_PATH -R$ssldir_lib"
fi
fi
else
LDFLAGS="$LDFLAGS -L$ssldir/lib"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
if test "x$enable_rpath" = xyes; then
if echo "$ssldir/lib" | grep "^/" >/dev/null; then
RUNTIME_PATH="$RUNTIME_PATH -R$ssldir/lib"
fi
fi
fi
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_sha256 in -lcrypto" >&5
$as_echo_n "checking for EVP_sha256 in -lcrypto... " >&6; }
@ -18369,7 +18388,7 @@ rm -f core conftest.err conftest.$ac_objext \
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5
$as_echo_n "checking for LibreSSL... " >&6; }
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
if grep VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
@ -18791,7 +18810,7 @@ $as_echo_n "checking if GOST works... " >&6; }
if test c${cross_compiling} = cno; then
BAKCFLAGS="$CFLAGS"
if test -n "$ssldir"; then
CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib"
CFLAGS="$CFLAGS -Wl,-rpath,$ssldir_lib"
fi
if test "$cross_compiling" = yes; then :
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
@ -18974,8 +18993,8 @@ fi
# see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if openssl supports SHA2 and ECDSA with EVP" >&5
$as_echo_n "checking if openssl supports SHA2 and ECDSA with EVP... " >&6; }
if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then
if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
if grep OPENSSL_VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then
if grep OPENSSL_VERSION_NUMBER $ssldir_include/openssl/opensslv.h | grep 0x0 >/dev/null; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
@ -21816,7 +21835,7 @@ _ACEOF
version=1.13.2
version=1.13.3
date=`date +'%b %e, %Y'`
@ -22335,7 +22354,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.13.2, which was
This file was extended by unbound $as_me 1.13.3, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -22401,7 +22420,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.13.2
unbound config.status 1.13.3
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"


@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[13])
m4_define([VERSION_MICRO],[2])
m4_define([VERSION_MICRO],[3])
AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=13
LIBUNBOUND_REVISION=14
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -99,6 +99,7 @@ LIBUNBOUND_AGE=1
# 1.13.0 had 9:11:1
# 1.13.1 had 9:12:1
# 1.13.2 had 9:13:1
# 1.13.3 had 9:14:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -776,6 +777,12 @@ if test "`uname`" = "NetBSD"; then
NETBSD_LINTFLAGS='"-D__RENAME(x)=" -D_NETINET_IN_H_'
AC_SUBST(NETBSD_LINTFLAGS)
fi
if test "`uname -o`" = "GNU/Linux"; then
# splint cannot parse modern c99 header files
GCC_DOCKER_LINTFLAGS='-syntax'
AC_SUBST(GCC_DOCKER_LINTFLAGS)
fi
CONFIG_DATE=`date +%Y%m%d`
AC_SUBST(CONFIG_DATE)
@ -850,7 +857,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
])
AC_MSG_CHECKING([for LibreSSL])
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
if grep VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
AC_MSG_RESULT([yes])
AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL])
# libressl provides these compat functions, but they may also be
@ -980,7 +987,7 @@ AC_MSG_CHECKING([if GOST works])
if test c${cross_compiling} = cno; then
BAKCFLAGS="$CFLAGS"
if test -n "$ssldir"; then
CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib"
CFLAGS="$CFLAGS -Wl,-rpath,$ssldir_lib"
fi
AC_RUN_IFELSE([AC_LANG_SOURCE([[
#include <string.h>
@ -1103,8 +1110,8 @@ case "$enable_ecdsa" in
])
# see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP])
if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then
if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
if grep OPENSSL_VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then
if grep OPENSSL_VERSION_NUMBER $ssldir_include/openssl/opensslv.h | grep 0x0 >/dev/null; then
AC_MSG_RESULT([no])
AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl])
else
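Review bot: `uname -o` in the new GNU/Linux probe (`@ -776,6 +777,12` hunk) is a GNU extension; on a system whose uname lacks `-o` (macOS, for instance) configure prints a usage error to the terminal and then compares an empty string, which is harmless but noisy. Appending `2>/dev/null` to the `uname -o` command substitution keeps the probe quiet everywhere; the regenerated configure in this commit carries the same line and would pick the change up on regeneration. The name `GCC_DOCKER_LINTFLAGS` suggests a Docker-specific setting, but the condition is simply "running on GNU/Linux", so a comment such as `# splint on GNU/Linux (as in the gcc Docker test image) cannot parse modern c99 headers` would make the scope clearer.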

contrib/Dockerfile.tests Normal file

@ -0,0 +1,11 @@
FROM gcc:latest
WORKDIR /usr/src/unbound
RUN apt-get update
# install semantic parser & lexical analyzer
RUN apt-get install -y bison flex
# install packages used in tests
RUN apt-get install -y ldnsutils dnsutils xxd splint doxygen netcat
# accept short rsa keys, which are used in tests
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf
CMD ["/bin/bash"]
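Review bot: The `RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf` step succeeds silently when the pattern is absent, and with `FROM gcc:latest` unpinned the base image's openssl.cnf can change underneath it, leaving SECLEVEL untouched and the short-RSA-key tests failing for a non-obvious reason. Making the edit fail loudly, `RUN grep -q 'SECLEVEL=2' /usr/lib/ssl/openssl.cnf && sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf`, or pinning the base tag, turns that into a build error at image creation. Since the lowered security level applies to the whole image, the existing `# accept short rsa keys, which are used in tests` comment is worth extending with `; this image is for running the test suite only`. Keeping `apt-get update` in a separate layer from the two `apt-get install -y` lines also lets a cached update layer pair with a fresh install, so one `RUN apt-get update && apt-get install -y ...` is the more predictable form.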


@ -1988,8 +1988,8 @@ worker_delete(struct worker* worker)
struct outbound_entry*
worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec,
int want_dnssec, int nocaps, struct sockaddr_storage* addr,
socklen_t addrlen, uint8_t* zone, size_t zonelen, int ssl_upstream,
char* tls_auth_name, struct module_qstate* q)
socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream,
int ssl_upstream, char* tls_auth_name, struct module_qstate* q)
{
struct worker* worker = q->env->worker;
struct outbound_entry* e = (struct outbound_entry*)regional_alloc(
@ -1998,7 +1998,7 @@ worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec,
return NULL;
e->qstate = q;
e->qsent = outnet_serviced_query(worker->back, qinfo, flags, dnssec,
want_dnssec, nocaps, q->env->cfg->tcp_upstream,
want_dnssec, nocaps, tcp_upstream,
ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, q,
worker_handle_service_reply, e, worker->back->udp_buff, q->env);
if(!e->qsent) {
@ -2045,7 +2045,7 @@ struct outbound_entry* libworker_send_query(
uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec),
int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps),
struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen),
uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen),
uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
struct module_qstate* ATTR_UNUSED(q))
{
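Review bot: `worker_send_query` now takes the effective TCP choice from its new `tcp_upstream` parameter instead of reading `q->env->cfg->tcp_upstream`, so the global `tcp-upstream: yes` setting is honored only if every caller folds it in; iterator.c does so with `(iq->dp->tcp_upstream || qstate->env->cfg->tcp_upstream)`, but any other user of `env->send_query` that passes 0 would now use UDP where the old code used TCP. A defensive fold at the call site keeps the old guarantee at no cost: `want_dnssec, nocaps, (tcp_upstream || q->env->cfg->tcp_upstream),`. The same shift is in `libworker_send_query` in libunbound/libworker.c, and the signature change is mirrored in libunbound/worker.h and util/module.h; the body of `worker_send_query` continues past this hunk.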


@ -1415,8 +1415,9 @@ struct outbound_entry* worker_send_query(
int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream),
char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q))
size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
struct module_qstate* ATTR_UNUSED(q))
{
log_assert(0);
return 0;
@ -1447,8 +1448,9 @@ struct outbound_entry* libworker_send_query(
int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream),
char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q))
size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
struct module_qstate* ATTR_UNUSED(q))
{
log_assert(0);
return 0;


@ -1,5 +1,47 @@
17 August 2021: Wouter
- Fix that --with-ssl can use "/usr/include/openssl11" to pass the
location of a different openssl version.
- Fix #527: not sending quad9 cert to syslog (and may be more).
- Fix sed script in ssldir split handling.
16 August 2021: George
- Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf()
static.
16 August 2021: Wouter
- Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
13 August 2021: Wouter
- Support using system-wide crypto policies.
- Fix for #431: Squelch permission denied errors for udp connect,
and udp send, they are visible at higher verbosity settings.
- Fix zonemd verification of key that is not in DNS but in the zone
and needs a chain of trust.
- zonemd, fix order of bogus printout string manipulation.
12 August 2021: George
- Merge PR #514, from ziollek: Docker environment for run tests.
- For #514: generate configure.
12 August 2021: Wouter
- And 1.13.2rc1 became the 1.13.2 with the fix for the python module
build. The current code repository continues with version 1.13.3.
- Add test tool readzone to .gitignore.
- Merge #521: Update mini_event.c.
- Merge #523: fix: free() call more than once with the same pointer.
- Merge #519: Support for selective enabling tcp-upstream for
stub/forward zones.
- For #519: note stub-tcp-upstream and forward-tcp-upstream in
the example configuration file.
- For #519: yacc and lex. And fix python bindings, and test program
unbound-dnstap-socket.
- For #519: fix comments for doxygen.
- Fix to print error from unbound-anchor for writing to the key
file, also when not verbose.
5 August 2021: Wouter
- Tag for 1.13.2rc1 release.
- Fix #520: Unbound 1.13.2rc1 fails to build python module.
4 August 2021: George
- Merge PR #415 from sibeream: Use


@ -15,6 +15,14 @@ You need to have the following programs installed and in your PATH.
* xxd and nc (optional) - for (malformed) packet transmission.
The optional programs are detected and can be omitted.
You can also use prepared Dockerfile to run tests inside docker based on latest gcc image:
* build container: docker build -t unbound-tester -f contrib/Dockerfile.tests .
* run container: docker run -it --mount type=bind,source="$(pwd)",target=/usr/src/unbound --rm unbound-tester
* configure environment: ./configure
* run test: make test
* run long tests: make longtest
It is worth to mention that you need to enable [ipv6 in your docker daemon configuration](https://docs.docker.com/config/daemon/ipv6/) because some tests need ipv6 network stack.
testdata/ contains the data for tests.
testcode/ contains scripts and c code for the tests.


@ -987,6 +987,7 @@ remote-control:
# stub-addr: 192.0.2.68
# stub-prime: no
# stub-first: no
# stub-tcp-upstream: no
# stub-tls-upstream: no
# stub-no-cache: no
# stub-zone:
@ -1004,6 +1005,7 @@ remote-control:
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no
# forward-tcp-upstream: no
# forward-tls-upstream: no
# forward-no-cache: no
# forward-zone:


@ -485,7 +485,9 @@ advertised timeout.
.TP
.B tcp\-upstream: \fI<yes or no>
Enable or disable whether the upstream queries use TCP only for transport.
Default is no. Useful in tunneling scenarios.
Default is no. Useful in tunneling scenarios. If set to no you can specify
TCP transport only for selected forward or stub zones using forward-tcp-upstream
or stub-tcp-upstream respectively.
.TP
.B udp\-upstream\-without\-downstream: \fI<yes or no>
Enable udp upstream even if do-udp is no. Default is no, and this does not
@ -1853,6 +1855,10 @@ Default is no.
.B stub\-ssl\-upstream: \fI<yes or no>
Alternate syntax for \fBstub\-tls\-upstream\fR.
.TP
.B stub\-tcp\-upstream: \fI<yes or no>
If it is set to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
Default is no.
.TP
.B stub\-no\-cache: \fI<yes or no>
Default is no. If enabled, data inside the stub is not cached. This is
useful when you want immediate changes to be visible.
@ -1905,6 +1911,10 @@ load CA certs, otherwise the connections cannot be authenticated.
.B forward\-ssl\-upstream: \fI<yes or no>
Alternate syntax for \fBforward\-tls\-upstream\fR.
.TP
.B forward\-tcp\-upstream: \fI<yes or no>
If it is set to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
Default is no.
.TP
.B forward\-no\-cache: \fI<yes or no>
Default is no. If enabled, data inside the forward is not cached. This is
useful when you want immediate changes to be visible.


@ -73,6 +73,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
copy->bogus = dp->bogus;
copy->has_parent_side_NS = dp->has_parent_side_NS;
copy->ssl_upstream = dp->ssl_upstream;
copy->tcp_upstream = dp->tcp_upstream;
for(ns = dp->nslist; ns; ns = ns->next) {
if(!delegpt_add_ns(copy, region, ns->name, ns->lame))
return NULL;


@ -83,6 +83,8 @@ struct delegpt {
uint8_t dp_type_mlc;
/** use SSL for upstream query */
uint8_t ssl_upstream;
/** use TCP for upstream query */
uint8_t tcp_upstream;
/** delegpt from authoritative zone that is locally hosted */
uint8_t auth_dp;
/*** no cache */


@ -276,6 +276,8 @@ read_forwards(struct iter_forwards* fwd, struct config_file* cfg)
dp->no_cache = s->no_cache;
/* use SSL for queries to this forwarder */
dp->ssl_upstream = (uint8_t)s->ssl_upstream;
/* use TCP for queries to this forwarder */
dp->tcp_upstream = (uint8_t)s->tcp_upstream;
verbose(VERB_QUERY, "Forward zone server list:");
delegpt_log(VERB_QUERY, dp);
if(!forwards_insert(fwd, LDNS_RR_CLASS_IN, dp))


@ -287,6 +287,8 @@ read_stubs(struct iter_hints* hints, struct config_file* cfg)
dp->no_cache = s->no_cache;
/* ssl_upstream */
dp->ssl_upstream = (uint8_t)s->ssl_upstream;
/* tcp_upstream */
dp->tcp_upstream = (uint8_t)s->tcp_upstream;
delegpt_log(VERB_QUERY, dp);
if(!hints_insert(hints, LDNS_RR_CLASS_IN, dp, !s->isprime))
return 0;


@ -2683,6 +2683,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
ie, iq), &target->addr, target->addrlen,
iq->dp->name, iq->dp->namelen,
(iq->dp->tcp_upstream || qstate->env->cfg->tcp_upstream),
(iq->dp->ssl_upstream || qstate->env->cfg->ssl_upstream),
target->tls_auth_name, qstate);
if(!outq) {


@ -881,7 +881,7 @@ void libworker_alloc_cleanup(void* arg)
struct outbound_entry* libworker_send_query(struct query_info* qinfo,
uint16_t flags, int dnssec, int want_dnssec, int nocaps,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
size_t zonelen, int ssl_upstream, char* tls_auth_name,
size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
struct module_qstate* q)
{
struct libworker* w = (struct libworker*)q->env->worker;
@ -891,7 +891,7 @@ struct outbound_entry* libworker_send_query(struct query_info* qinfo,
return NULL;
e->qstate = q;
e->qsent = outnet_serviced_query(w->back, qinfo, flags, dnssec,
want_dnssec, nocaps, q->env->cfg->tcp_upstream, ssl_upstream,
want_dnssec, nocaps, tcp_upstream, ssl_upstream,
tls_auth_name, addr, addrlen, zone, zonelen, q,
libworker_handle_service_reply, e, w->back->udp_buff, q->env);
if(!e->qsent) {
@ -975,7 +975,7 @@ struct outbound_entry* worker_send_query(struct query_info* ATTR_UNUSED(qinfo),
uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec),
int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps),
struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen),
uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen),
uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
struct module_qstate* ATTR_UNUSED(q))
{


@ -62,6 +62,7 @@ struct query_info;
* @param addrlen: length of addr.
* @param zone: delegation point name.
* @param zonelen: length of zone name wireformat dname.
* @param tcp_upstream: use TCP for upstream queries.
* @param ssl_upstream: use SSL for upstream queries.
* @param tls_auth_name: if ssl_upstream, use this name with TLS
* authentication.
@ -72,7 +73,7 @@ struct query_info;
struct outbound_entry* libworker_send_query(struct query_info* qinfo,
uint16_t flags, int dnssec, int want_dnssec, int nocaps,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
size_t zonelen, int ssl_upstream, char* tls_auth_name,
size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
struct module_qstate* q);
/** process incoming serviced query replies from the network */
@ -113,6 +114,7 @@ void worker_sighandler(int sig, void* arg);
* @param addrlen: length of addr.
* @param zone: wireformat dname of the zone.
* @param zonelen: length of zone name.
* @param tcp_upstream: use TCP for upstream queries.
* @param ssl_upstream: use SSL for upstream queries.
* @param tls_auth_name: if ssl_upstream, use this name with TLS
* authentication.
@ -123,7 +125,7 @@ void worker_sighandler(int sig, void* arg);
struct outbound_entry* worker_send_query(struct query_info* qinfo,
uint16_t flags, int dnssec, int want_dnssec, int nocaps,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
size_t zonelen, int ssl_upstream, char* tls_auth_name,
size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
struct module_qstate* q);
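Review bot: The new `@param tcp_upstream: use TCP for upstream queries.` line on both prototypes does not say how the flag relates to the global `tcp-upstream` option now that the implementations no longer consult `cfg->tcp_upstream` themselves; since the iterator passes the OR of the per-delegation-point flag and the global one, the contract should be stated: `@param tcp_upstream: use TCP only for this upstream query; the caller combines the per-zone (stub/forward) flag with cfg->tcp_upstream.` The same wording fits the `send_query` callback in util/module.h, whose descriptive comment lies outside that hunk.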
/**


@ -710,8 +710,8 @@ struct module_env {
struct outbound_entry* (*send_query)(struct query_info* qinfo,
uint16_t flags, int dnssec, int want_dnssec, int nocaps,
struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* zone, size_t zonelen, int ssl_upstream, char* tls_auth_name,
struct module_qstate* q);
uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream,
char* tls_auth_name, struct module_qstate* q);
void (*detach_subs)(struct module_qstate* qstate);
int (*attach_sub)(struct module_qstate* qstate,
struct query_info* qinfo, uint16_t qflags, int prime,


@ -7694,7 +7694,7 @@ static void auth_zone_log(uint8_t* name, enum verbosity_value level,
static int zonemd_dnssec_verify_rrset(struct auth_zone* z,
struct module_env* env, struct module_stack* mods,
struct ub_packed_rrset_key* dnskey, struct auth_data* node,
struct auth_rrset* rrset, char** why_bogus)
struct auth_rrset* rrset, char** why_bogus, uint8_t* sigalg)
{
struct ub_packed_rrset_key pk;
enum sec_status sec;
@ -7722,7 +7722,7 @@ static int zonemd_dnssec_verify_rrset(struct auth_zone* z,
auth_zone_log(z->name, VERB_ALGO,
"zonemd: verify %s RRset with DNSKEY", typestr);
}
sec = dnskeyset_verify_rrset(env, ve, &pk, dnskey, NULL, why_bogus,
sec = dnskeyset_verify_rrset(env, ve, &pk, dnskey, sigalg, why_bogus,
LDNS_SECTION_ANSWER, NULL);
if(sec == sec_status_secure) {
return 1;
@ -7766,7 +7766,7 @@ static int nsec3_of_param_has_type(struct auth_rrset* nsec3, int algo,
static int zonemd_check_dnssec_absence(struct auth_zone* z,
struct module_env* env, struct module_stack* mods,
struct ub_packed_rrset_key* dnskey, struct auth_data* apex,
char** reason, char** why_bogus)
char** reason, char** why_bogus, uint8_t* sigalg)
{
struct auth_rrset* nsec = NULL;
if(!apex) {
@ -7778,7 +7778,7 @@ static int zonemd_check_dnssec_absence(struct auth_zone* z,
struct ub_packed_rrset_key pk;
/* dnssec verify the NSEC */
if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex,
nsec, why_bogus)) {
nsec, why_bogus, sigalg)) {
*reason = "DNSSEC verify failed for NSEC RRset";
return 0;
}
@ -7821,7 +7821,7 @@ static int zonemd_check_dnssec_absence(struct auth_zone* z,
}
/* dnssec verify the NSEC3 */
if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, match,
nsec3, why_bogus)) {
nsec3, why_bogus, sigalg)) {
*reason = "DNSSEC verify failed for NSEC3 RRset";
return 0;
}
@ -7842,7 +7842,8 @@ static int zonemd_check_dnssec_absence(struct auth_zone* z,
static int zonemd_check_dnssec_soazonemd(struct auth_zone* z,
struct module_env* env, struct module_stack* mods,
struct ub_packed_rrset_key* dnskey, struct auth_data* apex,
struct auth_rrset* zonemd_rrset, char** reason, char** why_bogus)
struct auth_rrset* zonemd_rrset, char** reason, char** why_bogus,
uint8_t* sigalg)
{
struct auth_rrset* soa;
if(!apex) {
@ -7855,12 +7856,12 @@ static int zonemd_check_dnssec_soazonemd(struct auth_zone* z,
return 0;
}
if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex, soa,
why_bogus)) {
why_bogus, sigalg)) {
*reason = "DNSSEC verify failed for SOA RRset";
return 0;
}
if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex,
zonemd_rrset, why_bogus)) {
zonemd_rrset, why_bogus, sigalg)) {
*reason = "DNSSEC verify failed for ZONEMD RRset";
return 0;
}
@ -7919,12 +7920,14 @@ static void auth_zone_zonemd_fail(struct auth_zone* z, struct module_env* env,
* @param is_insecure: if true, the dnskey is not used, the zone is insecure.
* And dnssec is not used. It is DNSSEC secure insecure or not under
* a trust anchor.
* @param sigalg: if nonNULL provide algorithm downgrade protection.
* Otherwise one algorithm is enough. Must have space of ALGO_NEEDS_MAX+1.
* @param result: if not NULL result reason copied here.
*/
static void
auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
struct module_stack* mods, struct ub_packed_rrset_key* dnskey,
int is_insecure, char** result)
int is_insecure, char** result, uint8_t* sigalg)
{
char* reason = NULL, *why_bogus = NULL;
struct auth_data* apex = NULL;
@ -7954,7 +7957,7 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
} else if(!zonemd_rrset && dnskey && !is_insecure) {
/* fetch, DNSSEC verify, and check NSEC/NSEC3 */
if(!zonemd_check_dnssec_absence(z, env, mods, dnskey, apex,
&reason, &why_bogus)) {
&reason, &why_bogus, sigalg)) {
auth_zone_zonemd_fail(z, env, reason, why_bogus, result);
return;
}
@ -7962,7 +7965,7 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
} else if(zonemd_rrset && dnskey && !is_insecure) {
/* check DNSSEC verify of SOA and ZONEMD */
if(!zonemd_check_dnssec_soazonemd(z, env, mods, dnskey, apex,
zonemd_rrset, &reason, &why_bogus)) {
zonemd_rrset, &reason, &why_bogus, sigalg)) {
auth_zone_zonemd_fail(z, env, reason, why_bogus, result);
return;
}
@ -8076,15 +8079,78 @@ zonemd_get_dnskey_from_anchor(struct auth_zone* z, struct module_env* env,
return NULL;
}
/** verify the DNSKEY from the zone with looked up DS record */
static struct ub_packed_rrset_key*
auth_zone_verify_zonemd_key_with_ds(struct auth_zone* z,
struct module_env* env, struct module_stack* mods,
struct ub_packed_rrset_key* ds, int* is_insecure, char** why_bogus,
struct ub_packed_rrset_key* keystorage, uint8_t* sigalg)
{
struct auth_data* apex;
struct auth_rrset* dnskey_rrset;
enum sec_status sec;
struct val_env* ve;
int m;
/* fetch DNSKEY from zone data */
apex = az_find_name(z, z->name, z->namelen);
if(!apex) {
*why_bogus = "in verifywithDS, zone has no apex";
return NULL;
}
dnskey_rrset = az_domain_rrset(apex, LDNS_RR_TYPE_DNSKEY);
if(!dnskey_rrset || dnskey_rrset->data->count==0) {
*why_bogus = "in verifywithDS, zone has no DNSKEY";
return NULL;
}
m = modstack_find(mods, "validator");
if(m == -1) {
*why_bogus = "in verifywithDS, have no validator module";
return NULL;
}
ve = (struct val_env*)env->modinfo[m];
memset(keystorage, 0, sizeof(*keystorage));
keystorage->entry.key = keystorage;
keystorage->entry.data = dnskey_rrset->data;
keystorage->rk.dname = apex->name;
keystorage->rk.dname_len = apex->namelen;
keystorage->rk.type = htons(LDNS_RR_TYPE_DNSKEY);
keystorage->rk.rrset_class = htons(z->dclass);
auth_zone_log(z->name, VERB_QUERY, "zonemd: verify zone DNSKEY with DS");
sec = val_verify_DNSKEY_with_DS(env, ve, keystorage, ds, sigalg,
why_bogus, NULL);
regional_free_all(env->scratch);
if(sec == sec_status_secure) {
/* success */
return keystorage;
} else if(sec == sec_status_insecure) {
/* insecure */
*is_insecure = 1;
} else {
/* bogus */
*is_insecure = 0;
if(*why_bogus == NULL)
*why_bogus = "verify failed";
auth_zone_log(z->name, VERB_ALGO,
"zonemd: verify DNSKEY RRset with DS failed: %s",
*why_bogus);
}
return NULL;
}
/** callback for ZONEMD lookup of DNSKEY */
void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
enum sec_status sec, char* why_bogus, int ATTR_UNUSED(was_ratelimited))
{
struct auth_zone* z = (struct auth_zone*)arg;
struct module_env* env;
char* reason = NULL;
struct ub_packed_rrset_key* dnskey = NULL;
int is_insecure = 0;
char* reason = NULL, *ds_bogus = NULL, *typestr="DNSKEY";
struct ub_packed_rrset_key* dnskey = NULL, *ds = NULL;
int is_insecure = 0, downprot;
struct ub_packed_rrset_key keystorage;
uint8_t sigalg[ALGO_NEEDS_MAX+1];
lock_rw_wrlock(&z->lock);
env = z->zonemd_callback_env;
@ -8095,16 +8161,22 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
lock_rw_unlock(&z->lock);
return; /* stop on quit */
}
if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DS)
typestr = "DS";
downprot = env->cfg->harden_algo_downgrade;
/* process result */
if(sec == sec_status_bogus) {
reason = why_bogus;
if(!reason)
reason = "lookup of DNSKEY was bogus";
if(!reason) {
if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
reason = "lookup of DNSKEY was bogus";
else reason = "lookup of DS was bogus";
}
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY was bogus: %s", reason);
"zonemd lookup of %s was bogus: %s", typestr, reason);
} else if(rcode == LDNS_RCODE_NOERROR) {
uint16_t wanted_qtype = LDNS_RR_TYPE_DNSKEY;
uint16_t wanted_qtype = z->zonemd_callback_qtype;
struct regional* temp = env->scratch;
struct query_info rq;
struct reply_info* rep;
@ -8117,25 +8189,29 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
struct ub_packed_rrset_key* answer =
reply_find_answer_rrset(&rq, rep);
if(answer && sec == sec_status_secure) {
dnskey = answer;
if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
dnskey = answer;
else ds = answer;
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY was secure");
"zonemd lookup of %s was secure", typestr);
} else if(sec == sec_status_secure && !answer) {
is_insecure = 1;
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY has no content, but is secure, treat as insecure");
"zonemd lookup of %s has no content, but is secure, treat as insecure", typestr);
} else if(sec == sec_status_insecure) {
is_insecure = 1;
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY was insecure");
"zonemd lookup of %s was insecure", typestr);
} else if(sec == sec_status_indeterminate) {
is_insecure = 1;
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY was indeterminate, treat as insecure");
"zonemd lookup of %s was indeterminate, treat as insecure", typestr);
} else {
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY has nodata");
reason = "lookup of DNSKEY has nodata";
"zonemd lookup of %s has nodata", typestr);
if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
reason = "lookup of DNSKEY has nodata";
else reason = "lookup of DS has nodata";
}
} else if(rep && rq.qtype == wanted_qtype &&
query_dname_compare(z->name, rq.qname) == 0 &&
@ -8148,40 +8224,52 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
* trust, as insecure. */
is_insecure = 1;
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY was secure NXDOMAIN, treat as insecure");
"zonemd lookup of %s was secure NXDOMAIN, treat as insecure", typestr);
} else if(rep && rq.qtype == wanted_qtype &&
query_dname_compare(z->name, rq.qname) == 0 &&
FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
sec == sec_status_insecure) {
is_insecure = 1;
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY was insecure NXDOMAIN, treat as insecure");
"zonemd lookup of %s was insecure NXDOMAIN, treat as insecure", typestr);
} else if(rep && rq.qtype == wanted_qtype &&
query_dname_compare(z->name, rq.qname) == 0 &&
FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
sec == sec_status_indeterminate) {
is_insecure = 1;
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY was indeterminate NXDOMAIN, treat as insecure");
"zonemd lookup of %s was indeterminate NXDOMAIN, treat as insecure", typestr);
} else {
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY has no answer");
reason = "lookup of DNSKEY has no answer";
"zonemd lookup of %s has no answer", typestr);
if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
reason = "lookup of DNSKEY has no answer";
else reason = "lookup of DS has no answer";
}
} else {
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY failed");
reason = "lookup of DNSKEY failed";
"zonemd lookup of %s failed", typestr);
if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
reason = "lookup of DNSKEY failed";
else reason = "lookup of DS failed";
}
if(!reason && !is_insecure && !dnskey && ds) {
dnskey = auth_zone_verify_zonemd_key_with_ds(z, env,
&env->mesh->mods, ds, &is_insecure, &ds_bogus,
&keystorage, downprot?sigalg:NULL);
if(!dnskey && !is_insecure && !reason)
reason = "DNSKEY verify with DS failed";
}
if(reason) {
auth_zone_zonemd_fail(z, env, reason, NULL, NULL);
auth_zone_zonemd_fail(z, env, reason, ds_bogus, NULL);
lock_rw_unlock(&z->lock);
return;
}
auth_zone_verify_zonemd_with_key(z, env, &env->mesh->mods, dnskey,
is_insecure, NULL);
is_insecure, NULL, downprot?sigalg:NULL);
regional_free_all(env->scratch);
lock_rw_unlock(&z->lock);
}
@ -8194,14 +8282,21 @@ zonemd_lookup_dnskey(struct auth_zone* z, struct module_env* env)
uint16_t qflags = BIT_RD;
struct edns_data edns;
sldns_buffer* buf = env->scratch_buffer;
int fetch_ds = 0;
if(!z->fallback_enabled) {
/* we cannot actually get the DNSKEY, because it is in the
* zone we have ourselves, and it is not served yet
* (possibly), so fetch type DS */
fetch_ds = 1;
}
if(z->zonemd_callback_env) {
/* another worker is already working on the callback
* for the DNSKEY lookup for ZONEMD verification.
* We do not also have to do ZONEMD verification, let that
* worker do it */
auth_zone_log(z->name, VERB_ALGO,
"zonemd needs lookup of DNSKEY and that already worked on by another worker");
"zonemd needs lookup of %s and that already is worked on by another worker", (fetch_ds?"DS":"DNSKEY"));
return 1;
}
@ -8210,14 +8305,17 @@ zonemd_lookup_dnskey(struct auth_zone* z, struct module_env* env)
qinfo.qname_len = z->namelen;
qinfo.qname = z->name;
qinfo.qclass = z->dclass;
qinfo.qtype = LDNS_RR_TYPE_DNSKEY;
if(fetch_ds)
qinfo.qtype = LDNS_RR_TYPE_DS;
else qinfo.qtype = LDNS_RR_TYPE_DNSKEY;
qinfo.local_alias = NULL;
if(verbosity >= VERB_ALGO) {
char buf1[512];
char buf2[LDNS_MAX_DOMAINLEN+1];
dname_str(z->name, buf2);
snprintf(buf1, sizeof(buf1), "auth zone %s: lookup DNSKEY "
"for zonemd verification", buf2);
snprintf(buf1, sizeof(buf1), "auth zone %s: lookup %s "
"for zonemd verification", buf2,
(fetch_ds?"DS":"DNSKEY"));
log_query_info(VERB_ALGO, buf1, &qinfo);
}
edns.edns_present = 1;
@ -8232,12 +8330,14 @@ zonemd_lookup_dnskey(struct auth_zone* z, struct module_env* env)
/* store the worker-specific module env for the callback.
* We can then reference this when the callback executes */
z->zonemd_callback_env = env;
z->zonemd_callback_qtype = qinfo.qtype;
/* the callback can be called straight away */
lock_rw_unlock(&z->lock);
if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0,
&auth_zonemd_dnskey_lookup_callback, z)) {
lock_rw_wrlock(&z->lock);
log_err("out of memory lookup up dnskey for zonemd");
log_err("out of memory lookup of %s for zonemd",
(fetch_ds?"DS":"DNSKEY"));
return 0;
}
lock_rw_wrlock(&z->lock);
@ -8256,6 +8356,8 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
* If not present check if absence is allowed by DNSSEC */
if(!z->zonemd_check)
return;
if(z->data.count == 0)
return; /* no data */
/* if zone is under a trustanchor */
/* is it equal to trustanchor - get dnskey's verified */
@ -8309,7 +8411,7 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
}
auth_zone_verify_zonemd_with_key(z, env, mods, dnskey, is_insecure,
result);
result, NULL);
regional_free_all(env->scratch);
}


@ -143,6 +143,8 @@ struct auth_zone {
* worker has already picked up the zonemd verification task and
* this worker does not have to do it as well. */
struct module_env* zonemd_callback_env;
/** for the zonemd callback, the type of data looked up */
uint16_t zonemd_callback_qtype;
/** zone has been deleted */
int zone_deleted;
/** deletelist pointer, unused normally except during delete */
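Review bot: The new `zonemd_callback_qtype` field is only meaningful while `zonemd_callback_env` is non-NULL (the authzone.c change sets the two together under the zone lock and the lookup callback reads the type back), but the comment does not state that coupling, and as far as this page shows the value is never cleared, so a stale type can linger after the callback has run. I would extend the comment to `/** for the zonemd callback, the type of data looked up (DS or DNSKEY); only valid while zonemd_callback_env is set */` so a later reader does not treat it as independently meaningful. The enclosing struct definition starts and ends outside the hunk.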


@ -1962,6 +1962,7 @@ static int udp_connect_needs_log(int err)
case ENETDOWN:
# endif
case EPERM:
case EACCES:
if(verbosity >= VERB_ALGO)
return 1;
return 0;
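Review bot: `case EACCES:` joins the errors that are reported only at VERB_ALGO, but nothing in the hunk says why this one is considered routine, while the neighbouring entries at least carry their `# endif` guards as a hint. EACCES from connect() on a UDP socket is typically what a local firewall or socket policy rule returns, so after this change an upstream that is administratively blocked fails silently at default verbosity, which is the kind of misconfiguration an operator usually wants to see. I would mark the intent inline, `case EACCES: /* local policy (e.g. firewall rule) blocked the destination; frequent, so only at VERB_ALGO */`. The body of udp_connect_needs_log starts outside the hunk.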


@ -1565,7 +1565,7 @@ sldns_str2wire_svcparam_value(const char *key, size_t key_len,
return LDNS_WIREPARSE_ERR_GENERAL;
}
int sldns_str2wire_svcparam_buf(const char* str, uint8_t* rd, size_t* rd_len)
static int sldns_str2wire_svcparam_buf(const char* str, uint8_t* rd, size_t* rd_len)
{
const char* eq_pos;
char unescaped_val[LDNS_MAX_RDFLEN];
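Review bot: Making `sldns_str2wire_svcparam_buf` `static` on the changed line removes an external symbol; if the prototype is still present in the matching header, any other translation unit or out-of-tree user of the sldns API now gets an undefined reference, and the hunk does not show the header being updated. Worth confirming that the declaration was dropped from the header in the same change, and if the function was ever exported by the installed library, recording the removal in the changelog. The function body continues outside the hunk.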


@ -2044,13 +2044,13 @@ write_builtin_anchor(const char* file)
const char* builtin_root_anchor = get_builtin_ds();
FILE* out = fopen(file, "w");
if(!out) {
if(verb) printf("%s: %s\n", file, strerror(errno));
if(verb) printf(" could not write builtin anchor\n");
printf("could not write builtin anchor, to file %s: %s\n",
file, strerror(errno));
return;
}
if(!fwrite(builtin_root_anchor, strlen(builtin_root_anchor), 1, out)) {
if(verb) printf("%s: %s\n", file, strerror(errno));
if(verb) printf(" could not complete write builtin anchor\n");
printf("could not complete write builtin anchor, to file %s: %s\n",
file, strerror(errno));
}
fclose(out);
}
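Review bot: `fclose(out)` on the last line is still unchecked, and since `out` is a write stream a failed flush at close (ENOSPC, EIO) silently leaves a truncated builtin root anchor on disk, which for a trust anchor is worse than no file; the new messages cover `fopen` and `fwrite` failures but not this one. I would write `if(fclose(out) != 0) printf("could not complete write builtin anchor, to file %s: %s\n", file, strerror(errno));` and, because the function is void and cannot signal failure, consider removing the partial file after a failed `fwrite` or `fclose` so a later run does not pick up a half-written anchor. The `fwrite` error path also falls through to the same `fclose`, so today a short write leaves the partial file in place.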


@ -99,7 +99,7 @@ struct outbound_entry* worker_send_query(
int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream),
size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream),
char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q))
{
log_assert(0);
@ -131,7 +131,7 @@ struct outbound_entry* libworker_send_query(
int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream),
size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream),
char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q))
{
log_assert(0);


@ -220,8 +220,11 @@ read_http_headers(SSL* ssl, char* file, size_t flen, char* host, size_t hlen,
host[0] = 0;
while(read_ssl_line(ssl, buf, sizeof(buf))) {
if(verb>=2) printf("read: %s\n", buf);
if(buf[0] == 0)
if(buf[0] == 0) {
int e = ERR_peek_error();
printf("error string: %s\n", ERR_reason_error_string(e));
return 1;
}
if(!process_one_header(buf, file, flen, host, hlen, vs))
return 0;
}
@ -241,8 +244,11 @@ setup_ctx(char* key, char* cert)
#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
SSL_CTX_set_security_level(ctx, 0); /* for keys in tests */
#endif
if(!SSL_CTX_use_certificate_chain_file(ctx, cert))
if(!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
int e = ERR_peek_error();
printf("error string: %s\n", ERR_reason_error_string(e));
print_exit("cannot read cert");
}
if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM))
print_exit("cannot read key");
if(!SSL_CTX_check_private_key(ctx))
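Review bot: `int e = ERR_peek_error();` in the new block of read_http_headers truncates OpenSSL's packed `unsigned long` error code, and `ERR_reason_error_string(e)` returns NULL when the error queue is empty (`e == 0`), which makes the following `printf("%s", ...)` undefined behaviour; in read_http_headers the empty line that triggers the print appears to be the normal end of the header block (the function returns 1 there), so the queue will usually be empty and the "error string" is misleading at best. I would write `unsigned long e = ERR_peek_error();` followed by `if(e) printf("error string: %s\n", ERR_reason_error_string(e));`, or drop the print from the end-of-headers path altogether. The same two-line pattern appears in the setup_ctx hunk below and should get the same treatment. Both enclosing functions start outside their hunks.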


@ -0,0 +1,315 @@
; config options
server:
target-fetch-policy: "0 0 0 0 0"
trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c"
trust-anchor-signaling: no
val-override-date: 20201020135527
auth-zone:
name: "example.com."
## zonefile (or none).
## zonefile: "example.com.zone"
## master by IP address or hostname
## can list multiple masters, each on one line.
## master:
master: 1.2.3.44
## url for http fetch
## url:
## queries from downstream clients get authoritative answers.
## for-downstream: yes
## The for-downstream and fallback are disabled, the key cannot be
## retrieved by DNS lookup, it is in the xfr itself.
## only after the zone is loaded can it be looked up.
for-downstream: no
## queries are used to fetch authoritative answers from this zone,
## instead of unbound itself sending queries there.
## for-upstream: yes
for-upstream: yes
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:
TEMPFILE_NAME example.com
## this is the inline file /tmp/xxx.example.com
## the tempfiles are deleted when the testrun is over.
TEMPFILE_CONTENTS example.com
TEMPFILE_END
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
SCENARIO_BEGIN Test authority zone with AXFR with ZONEMD with key in xfr
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END
; a.gtld-servers.net.
RANGE_BEGIN 0 100
ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN DS
SECTION ANSWER
example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.44
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
com. IN DNSKEY
SECTION ANSWER
com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
SECTION ADDITIONAL
ENTRY_END
RANGE_END
; ns.example.net.
RANGE_BEGIN 0 100
ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.44
SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
www.example.net. IN A 1.2.3.44
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.net.
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN SOA
SECTION ANSWER
; serial, refresh, retry, expire, minimum
example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN AXFR
SECTION ANSWER
example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
example.com. 3600 IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
bar.example.com. 3600 IN A 1.2.3.4
bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
ding.example.com. 3600 IN A 1.2.3.4
ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
foo.example.com. 3600 IN A 1.2.3.4
foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
ns.example.com. 3600 IN A 127.0.0.1
ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
www.example.com. 3600 IN A 127.0.0.1
www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
ENTRY_END
RANGE_END
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; recursion happens here.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
STEP 30 TIME_PASSES ELAPSE 10
STEP 40 TRAFFIC
STEP 50 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; recursion happens here.
STEP 60 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 127.0.0.1
ENTRY_END
; the zonefile was updated with new contents
STEP 70 CHECK_TEMPFILE example.com
FILE_BEGIN
example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
example.com. 3600 IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY ZONEMD
example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566}
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
example.com. 3600 IN ZONEMD 200154054 1 2 58F7620F93204BBB31B44F795B3409CC4ABD9EF5601DECC15675BD7751213152984EDDCE0626E6062E744B03B3E47711202FBB79E4A2EB8BC5CF46741B5CAE6F
example.com. 3600 IN RRSIG ZONEMD 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
bar.example.com. 3600 IN A 1.2.3.4
bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
ding.example.com. 3600 IN A 1.2.3.4
ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
foo.example.com. 3600 IN A 1.2.3.4
foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
ns.example.com. 3600 IN A 127.0.0.1
ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
www.example.com. 3600 IN A 127.0.0.1
www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
FILE_END
SCENARIO_END


@ -0,0 +1,20 @@
server:
verbosity: 5
# num-threads: 1
interface: 127.0.0.1
port: @PORT@
use-syslog: no
directory: ""
pidfile: "unbound.pid"
chroot: ""
username: ""
do-not-query-localhost: no
forward-zone:
name: "tcp.example.com"
forward-addr: "127.0.0.1@@TOPORT@"
forward-tcp-upstream: "yes"
forward-zone:
name: "udp.example.com"
forward-addr: "127.0.0.1@@TOPORT@"
forward-tcp-upstream: "no"


@ -0,0 +1,16 @@
BaseName: fwd_udp_with_tcp_upstream
Version: 1.0
Description: Forward an UDP packet to upstream via TCP and return reply.
CreationDate: Thu Aug 5 07:44:41 CEST 2021
Maintainer: ziollek
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: fwd_udp_with_tcp_upstream.pre
Post: fwd_udp_with_tcp_upstream.post
Test: fwd_udp_with_tcp_upstream.test
AuxFiles:
Passed:
Failure:


@ -0,0 +1,10 @@
# #-- fwd_udp_with_tcp_upstream.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
. ../common.sh
kill_pid $FWD_PID
kill_pid $UNBOUND_PID


@ -0,0 +1,31 @@
# #-- fwd_udp_with_tcp_upstream.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
get_random_port 2
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
$LDNS_TESTNS -p $FWD_PORT fwd_udp_with_tcp_upstream.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_udp_with_tcp_upstream.conf > ub.conf
# start unbound in the background
PRE="../.."
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
cat .tpkg.var.test
wait_ldns_testns_up fwd.log
wait_unbound_up unbound.log


@ -0,0 +1,35 @@
# #-- fwd_udp_with_tcp_upstream.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
PRE="../.."
# do the test
echo "> dig tcp.example.com."
dig @localhost -p $UNBOUND_PORT tcp.example.com. | tee outfile
echo "> cat logfiles"
cat fwd.log
cat unbound.log
echo "> check answer"
if grep "10.20.30.40" outfile; then
echo "OK"
else
echo "Not OK"
exit 1
fi
echo "> dig udp.example.com."
dig @localhost -p $UNBOUND_PORT udp.example.com. | tee outfile
echo "> cat logfiles"
cat fwd.log
cat unbound.log
echo "> check answer"
if grep "10.20.30.80" outfile; then
echo "OK"
else
echo "Not OK"
exit 1
fi
exit 0
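Review bot: The two `dig @localhost -p $UNBOUND_PORT ...` lines may resolve localhost to ::1 before 127.0.0.1 on dual-stack hosts, while the generated ub.conf only binds `interface: 127.0.0.1`, so the query can fail for a reason unrelated to the TCP-upstream behaviour under test. The sibling stub_udp_with_tcp_upstream.test in this commit already uses `dig @127.0.0.1 -p $UNBOUND_PORT tcp.example.com. | tee outfile`; the two dig lines here should match it. The grep on the answer address is a sufficient check of the transport, since the testns entries only match on `MATCH TCP` / `MATCH UDP` respectively, so no further assertion is needed there.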


@ -0,0 +1,25 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
ENTRY_BEGIN
MATCH opcode qtype qname
MATCH TCP
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
tcp IN A
SECTION ANSWER
tcp IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
MATCH UDP
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
udp IN A
SECTION ANSWER
udp IN A 10.20.30.80
ENTRY_END


@ -7,7 +7,7 @@
PRE="../.."
OPT="-i"
if nc -h 2>&1 | grep -- "-w secs" >/dev/null; then
if nc -h 2>&1 | grep -E -- "-w (timeout|secs)" >/dev/null; then
OPT="-w"
fi


@ -0,0 +1,19 @@
server:
verbosity: 2
# num-threads: 1
interface: 127.0.0.1
port: @PORT@
use-syslog: no
directory: ""
pidfile: "unbound.pid"
chroot: ""
username: ""
do-not-query-localhost: no
stub-zone:
name: "tcp.example.com"
stub-addr: "127.0.0.1@@TOPORT@"
stub-tcp-upstream: "yes"
stub-zone:
name: "udp.example.com"
stub-addr: "127.0.0.1@@TOPORT@"
stub-tcp-upstream: "no"


@ -0,0 +1,16 @@
BaseName: stub_udp_with_tcp_upstream
Version: 1.0
Description: Stub server contacted via UDP with tcp upstream.
CreationDate: Thu Aug 5 07:44:41 CEST 2021
Maintainer: ziollek
Category:
Component:
CmdDepends:
Depends:
Help:
Pre: stub_udp_with_tcp_upstream.pre
Post: stub_udp_with_tcp_upstream.post
Test: stub_udp_with_tcp_upstream.test
AuxFiles:
Passed:
Failure:


@ -0,0 +1,10 @@
# #-- stub_udp_with_tcp_upstream.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
[ -f .tpkg.var.test ] && source .tpkg.var.test
#
# do your teardown here
. ../common.sh
kill_pid $FWD_PID
kill_pid $UNBOUND_PID


@ -0,0 +1,35 @@
# #-- stub_udp_with_tcp_upstream.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
get_random_port 2
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
$LDNS_TESTNS -p $FWD_PORT stub_udp_with_tcp_upstream.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < stub_udp_with_tcp_upstream.conf > ub.conf
# start unbound in the background
PRE="../.."
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
cat .tpkg.var.test
# wait for forwarder to come up
wait_ldns_testns_up fwd.log
# wait for unbound to come up
wait_unbound_up unbound.log


@ -0,0 +1,37 @@
# #-- stub_udp_with_tcp_upstream.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
PRE="../.."
# do the test
echo "> dig tcp.example.com."
dig @127.0.0.1 -p $UNBOUND_PORT tcp.example.com. | tee outfile
echo "> cat logfiles"
cat fwd.log
cat unbound.log
echo "> check answer"
if grep "10.20.30.40" outfile; then
echo "OK"
else
echo "Not OK"
exit 1
fi
# check if second stub is requested via udp
echo "> dig udp.example.com."
dig @127.0.0.1 -p $UNBOUND_PORT udp.example.com. | tee outfile
echo "> cat logfiles"
cat fwd.log
cat unbound.log
echo "> check answer"
if grep "10.20.30.80" outfile; then
echo "OK"
else
echo "Not OK"
exit 1
fi
exit 0


@ -0,0 +1,48 @@
; nameserver test file
$ORIGIN example.com.
$TTL 3600
ENTRY_BEGIN
MATCH opcode qtype qname
MATCH TCP
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
tcp IN A
SECTION ANSWER
tcp IN A 10.20.30.40
SECTION AUTHORITY
@ IN NS ns.example.com.
SECTION ADDITIONAL
ns IN A 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
MATCH UDP
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
udp IN A
SECTION ANSWER
udp IN A 10.20.30.80
SECTION AUTHORITY
@ IN NS ns.example.com.
SECTION ADDITIONAL
ns IN A 127.0.0.1
ENTRY_END
; root prime
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS root.server.
SECTION AUTHORITY
SECTION ADDITIONAL
root.server. IN A 127.0.0.1
ENTRY_END


@ -697,6 +697,8 @@ struct config_stub {
int isprime;
/** if forward-first is set (failover to without if fails) */
int isfirst;
/** use tcp for queries to this stub */
int tcp_upstream;
/** use SSL for queries to this stub */
int ssl_upstream;
/*** no cache */
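Review bot: The comment on the new `tcp_upstream` field does not say how it combines with `ssl_upstream` two lines below; since TLS upstream presumably already runs over TCP, the header should state which flag wins when both are set, e.g. `/** use tcp for queries to this stub; ssl_upstream presumably implies tcp regardless of this flag */`. The `isfirst` comment in the same hunk refers to forward-first, so struct config_stub appears to back forward zones as well, and the comment could say that this field serves both the stub-tcp-upstream and forward-tcp-upstream options. Stating the operational intent (forcing upstream queries onto TCP instead of UDP) would also help operators reading the header. The struct definition continues outside the hunk.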



@ -331,6 +331,7 @@ stub-first{COLON} { YDVAR(1, VAR_STUB_FIRST) }
stub-no-cache{COLON} { YDVAR(1, VAR_STUB_NO_CACHE) }
stub-ssl-upstream{COLON} { YDVAR(1, VAR_STUB_SSL_UPSTREAM) }
stub-tls-upstream{COLON} { YDVAR(1, VAR_STUB_SSL_UPSTREAM) }
stub-tcp-upstream{COLON} { YDVAR(1, VAR_STUB_TCP_UPSTREAM) }
forward-zone{COLON} { YDVAR(0, VAR_FORWARD_ZONE) }
forward-addr{COLON} { YDVAR(1, VAR_FORWARD_ADDR) }
forward-host{COLON} { YDVAR(1, VAR_FORWARD_HOST) }
@ -338,6 +339,7 @@ forward-first{COLON} { YDVAR(1, VAR_FORWARD_FIRST) }
forward-no-cache{COLON} { YDVAR(1, VAR_FORWARD_NO_CACHE) }
forward-ssl-upstream{COLON} { YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) }
forward-tls-upstream{COLON} { YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) }
forward-tcp-upstream{COLON} { YDVAR(1, VAR_FORWARD_TCP_UPSTREAM) }
auth-zone{COLON} { YDVAR(0, VAR_AUTH_ZONE) }
rpz{COLON} { YDVAR(0, VAR_RPZ) }
tags{COLON} { YDVAR(1, VAR_TAGS) }



@ -1,4 +1,4 @@
/* A Bison parser, made by GNU Bison 3.7.4. */
/* A Bison parser, made by GNU Bison 3.6.4. */
/* Bison interface for Yacc-like parsers in C
@ -197,183 +197,184 @@ extern int yydebug;
VAR_STUB_SSL_UPSTREAM = 398, /* VAR_STUB_SSL_UPSTREAM */
VAR_FORWARD_SSL_UPSTREAM = 399, /* VAR_FORWARD_SSL_UPSTREAM */
VAR_TLS_CERT_BUNDLE = 400, /* VAR_TLS_CERT_BUNDLE */
VAR_HTTPS_PORT = 401, /* VAR_HTTPS_PORT */
VAR_HTTP_ENDPOINT = 402, /* VAR_HTTP_ENDPOINT */
VAR_HTTP_MAX_STREAMS = 403, /* VAR_HTTP_MAX_STREAMS */
VAR_HTTP_QUERY_BUFFER_SIZE = 404, /* VAR_HTTP_QUERY_BUFFER_SIZE */
VAR_HTTP_RESPONSE_BUFFER_SIZE = 405, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */
VAR_HTTP_NODELAY = 406, /* VAR_HTTP_NODELAY */
VAR_HTTP_NOTLS_DOWNSTREAM = 407, /* VAR_HTTP_NOTLS_DOWNSTREAM */
VAR_STUB_FIRST = 408, /* VAR_STUB_FIRST */
VAR_MINIMAL_RESPONSES = 409, /* VAR_MINIMAL_RESPONSES */
VAR_RRSET_ROUNDROBIN = 410, /* VAR_RRSET_ROUNDROBIN */
VAR_MAX_UDP_SIZE = 411, /* VAR_MAX_UDP_SIZE */
VAR_DELAY_CLOSE = 412, /* VAR_DELAY_CLOSE */
VAR_UDP_CONNECT = 413, /* VAR_UDP_CONNECT */
VAR_UNBLOCK_LAN_ZONES = 414, /* VAR_UNBLOCK_LAN_ZONES */
VAR_INSECURE_LAN_ZONES = 415, /* VAR_INSECURE_LAN_ZONES */
VAR_INFRA_CACHE_MIN_RTT = 416, /* VAR_INFRA_CACHE_MIN_RTT */
VAR_INFRA_KEEP_PROBING = 417, /* VAR_INFRA_KEEP_PROBING */
VAR_DNS64_PREFIX = 418, /* VAR_DNS64_PREFIX */
VAR_DNS64_SYNTHALL = 419, /* VAR_DNS64_SYNTHALL */
VAR_DNS64_IGNORE_AAAA = 420, /* VAR_DNS64_IGNORE_AAAA */
VAR_DNSTAP = 421, /* VAR_DNSTAP */
VAR_DNSTAP_ENABLE = 422, /* VAR_DNSTAP_ENABLE */
VAR_DNSTAP_SOCKET_PATH = 423, /* VAR_DNSTAP_SOCKET_PATH */
VAR_DNSTAP_IP = 424, /* VAR_DNSTAP_IP */
VAR_DNSTAP_TLS = 425, /* VAR_DNSTAP_TLS */
VAR_DNSTAP_TLS_SERVER_NAME = 426, /* VAR_DNSTAP_TLS_SERVER_NAME */
VAR_DNSTAP_TLS_CERT_BUNDLE = 427, /* VAR_DNSTAP_TLS_CERT_BUNDLE */
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 428, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 429, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */
VAR_DNSTAP_SEND_IDENTITY = 430, /* VAR_DNSTAP_SEND_IDENTITY */
VAR_DNSTAP_SEND_VERSION = 431, /* VAR_DNSTAP_SEND_VERSION */
VAR_DNSTAP_BIDIRECTIONAL = 432, /* VAR_DNSTAP_BIDIRECTIONAL */
VAR_DNSTAP_IDENTITY = 433, /* VAR_DNSTAP_IDENTITY */
VAR_DNSTAP_VERSION = 434, /* VAR_DNSTAP_VERSION */
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 435, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 436, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 437, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 438, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 439, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 440, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */
VAR_RESPONSE_IP_TAG = 441, /* VAR_RESPONSE_IP_TAG */
VAR_RESPONSE_IP = 442, /* VAR_RESPONSE_IP */
VAR_RESPONSE_IP_DATA = 443, /* VAR_RESPONSE_IP_DATA */
VAR_HARDEN_ALGO_DOWNGRADE = 444, /* VAR_HARDEN_ALGO_DOWNGRADE */
VAR_IP_TRANSPARENT = 445, /* VAR_IP_TRANSPARENT */
VAR_IP_DSCP = 446, /* VAR_IP_DSCP */
VAR_DISABLE_DNSSEC_LAME_CHECK = 447, /* VAR_DISABLE_DNSSEC_LAME_CHECK */
VAR_IP_RATELIMIT = 448, /* VAR_IP_RATELIMIT */
VAR_IP_RATELIMIT_SLABS = 449, /* VAR_IP_RATELIMIT_SLABS */
VAR_IP_RATELIMIT_SIZE = 450, /* VAR_IP_RATELIMIT_SIZE */
VAR_RATELIMIT = 451, /* VAR_RATELIMIT */
VAR_RATELIMIT_SLABS = 452, /* VAR_RATELIMIT_SLABS */
VAR_RATELIMIT_SIZE = 453, /* VAR_RATELIMIT_SIZE */
VAR_RATELIMIT_FOR_DOMAIN = 454, /* VAR_RATELIMIT_FOR_DOMAIN */
VAR_RATELIMIT_BELOW_DOMAIN = 455, /* VAR_RATELIMIT_BELOW_DOMAIN */
VAR_IP_RATELIMIT_FACTOR = 456, /* VAR_IP_RATELIMIT_FACTOR */
VAR_RATELIMIT_FACTOR = 457, /* VAR_RATELIMIT_FACTOR */
VAR_SEND_CLIENT_SUBNET = 458, /* VAR_SEND_CLIENT_SUBNET */
VAR_CLIENT_SUBNET_ZONE = 459, /* VAR_CLIENT_SUBNET_ZONE */
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 460, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */
VAR_CLIENT_SUBNET_OPCODE = 461, /* VAR_CLIENT_SUBNET_OPCODE */
VAR_MAX_CLIENT_SUBNET_IPV4 = 462, /* VAR_MAX_CLIENT_SUBNET_IPV4 */
VAR_MAX_CLIENT_SUBNET_IPV6 = 463, /* VAR_MAX_CLIENT_SUBNET_IPV6 */
VAR_MIN_CLIENT_SUBNET_IPV4 = 464, /* VAR_MIN_CLIENT_SUBNET_IPV4 */
VAR_MIN_CLIENT_SUBNET_IPV6 = 465, /* VAR_MIN_CLIENT_SUBNET_IPV6 */
VAR_MAX_ECS_TREE_SIZE_IPV4 = 466, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */
VAR_MAX_ECS_TREE_SIZE_IPV6 = 467, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */
VAR_CAPS_WHITELIST = 468, /* VAR_CAPS_WHITELIST */
VAR_CACHE_MAX_NEGATIVE_TTL = 469, /* VAR_CACHE_MAX_NEGATIVE_TTL */
VAR_PERMIT_SMALL_HOLDDOWN = 470, /* VAR_PERMIT_SMALL_HOLDDOWN */
VAR_QNAME_MINIMISATION = 471, /* VAR_QNAME_MINIMISATION */
VAR_QNAME_MINIMISATION_STRICT = 472, /* VAR_QNAME_MINIMISATION_STRICT */
VAR_IP_FREEBIND = 473, /* VAR_IP_FREEBIND */
VAR_DEFINE_TAG = 474, /* VAR_DEFINE_TAG */
VAR_LOCAL_ZONE_TAG = 475, /* VAR_LOCAL_ZONE_TAG */
VAR_ACCESS_CONTROL_TAG = 476, /* VAR_ACCESS_CONTROL_TAG */
VAR_LOCAL_ZONE_OVERRIDE = 477, /* VAR_LOCAL_ZONE_OVERRIDE */
VAR_ACCESS_CONTROL_TAG_ACTION = 478, /* VAR_ACCESS_CONTROL_TAG_ACTION */
VAR_ACCESS_CONTROL_TAG_DATA = 479, /* VAR_ACCESS_CONTROL_TAG_DATA */
VAR_VIEW = 480, /* VAR_VIEW */
VAR_ACCESS_CONTROL_VIEW = 481, /* VAR_ACCESS_CONTROL_VIEW */
VAR_VIEW_FIRST = 482, /* VAR_VIEW_FIRST */
VAR_SERVE_EXPIRED = 483, /* VAR_SERVE_EXPIRED */
VAR_SERVE_EXPIRED_TTL = 484, /* VAR_SERVE_EXPIRED_TTL */
VAR_SERVE_EXPIRED_TTL_RESET = 485, /* VAR_SERVE_EXPIRED_TTL_RESET */
VAR_SERVE_EXPIRED_REPLY_TTL = 486, /* VAR_SERVE_EXPIRED_REPLY_TTL */
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 487, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */
VAR_SERVE_ORIGINAL_TTL = 488, /* VAR_SERVE_ORIGINAL_TTL */
VAR_FAKE_DSA = 489, /* VAR_FAKE_DSA */
VAR_FAKE_SHA1 = 490, /* VAR_FAKE_SHA1 */
VAR_LOG_IDENTITY = 491, /* VAR_LOG_IDENTITY */
VAR_HIDE_TRUSTANCHOR = 492, /* VAR_HIDE_TRUSTANCHOR */
VAR_HIDE_HTTP_USER_AGENT = 493, /* VAR_HIDE_HTTP_USER_AGENT */
VAR_HTTP_USER_AGENT = 494, /* VAR_HTTP_USER_AGENT */
VAR_TRUST_ANCHOR_SIGNALING = 495, /* VAR_TRUST_ANCHOR_SIGNALING */
VAR_AGGRESSIVE_NSEC = 496, /* VAR_AGGRESSIVE_NSEC */
VAR_USE_SYSTEMD = 497, /* VAR_USE_SYSTEMD */
VAR_SHM_ENABLE = 498, /* VAR_SHM_ENABLE */
VAR_SHM_KEY = 499, /* VAR_SHM_KEY */
VAR_ROOT_KEY_SENTINEL = 500, /* VAR_ROOT_KEY_SENTINEL */
VAR_DNSCRYPT = 501, /* VAR_DNSCRYPT */
VAR_DNSCRYPT_ENABLE = 502, /* VAR_DNSCRYPT_ENABLE */
VAR_DNSCRYPT_PORT = 503, /* VAR_DNSCRYPT_PORT */
VAR_DNSCRYPT_PROVIDER = 504, /* VAR_DNSCRYPT_PROVIDER */
VAR_DNSCRYPT_SECRET_KEY = 505, /* VAR_DNSCRYPT_SECRET_KEY */
VAR_DNSCRYPT_PROVIDER_CERT = 506, /* VAR_DNSCRYPT_PROVIDER_CERT */
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 507, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 508, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 509, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 510, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 511, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */
VAR_PAD_RESPONSES = 512, /* VAR_PAD_RESPONSES */
VAR_PAD_RESPONSES_BLOCK_SIZE = 513, /* VAR_PAD_RESPONSES_BLOCK_SIZE */
VAR_PAD_QUERIES = 514, /* VAR_PAD_QUERIES */
VAR_PAD_QUERIES_BLOCK_SIZE = 515, /* VAR_PAD_QUERIES_BLOCK_SIZE */
VAR_IPSECMOD_ENABLED = 516, /* VAR_IPSECMOD_ENABLED */
VAR_IPSECMOD_HOOK = 517, /* VAR_IPSECMOD_HOOK */
VAR_IPSECMOD_IGNORE_BOGUS = 518, /* VAR_IPSECMOD_IGNORE_BOGUS */
VAR_IPSECMOD_MAX_TTL = 519, /* VAR_IPSECMOD_MAX_TTL */
VAR_IPSECMOD_WHITELIST = 520, /* VAR_IPSECMOD_WHITELIST */
VAR_IPSECMOD_STRICT = 521, /* VAR_IPSECMOD_STRICT */
VAR_CACHEDB = 522, /* VAR_CACHEDB */
VAR_CACHEDB_BACKEND = 523, /* VAR_CACHEDB_BACKEND */
VAR_CACHEDB_SECRETSEED = 524, /* VAR_CACHEDB_SECRETSEED */
VAR_CACHEDB_REDISHOST = 525, /* VAR_CACHEDB_REDISHOST */
VAR_CACHEDB_REDISPORT = 526, /* VAR_CACHEDB_REDISPORT */
VAR_CACHEDB_REDISTIMEOUT = 527, /* VAR_CACHEDB_REDISTIMEOUT */
VAR_CACHEDB_REDISEXPIRERECORDS = 528, /* VAR_CACHEDB_REDISEXPIRERECORDS */
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 529, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */
VAR_FOR_UPSTREAM = 530, /* VAR_FOR_UPSTREAM */
VAR_AUTH_ZONE = 531, /* VAR_AUTH_ZONE */
VAR_ZONEFILE = 532, /* VAR_ZONEFILE */
VAR_MASTER = 533, /* VAR_MASTER */
VAR_URL = 534, /* VAR_URL */
VAR_FOR_DOWNSTREAM = 535, /* VAR_FOR_DOWNSTREAM */
VAR_FALLBACK_ENABLED = 536, /* VAR_FALLBACK_ENABLED */
VAR_TLS_ADDITIONAL_PORT = 537, /* VAR_TLS_ADDITIONAL_PORT */
VAR_LOW_RTT = 538, /* VAR_LOW_RTT */
VAR_LOW_RTT_PERMIL = 539, /* VAR_LOW_RTT_PERMIL */
VAR_FAST_SERVER_PERMIL = 540, /* VAR_FAST_SERVER_PERMIL */
VAR_FAST_SERVER_NUM = 541, /* VAR_FAST_SERVER_NUM */
VAR_ALLOW_NOTIFY = 542, /* VAR_ALLOW_NOTIFY */
VAR_TLS_WIN_CERT = 543, /* VAR_TLS_WIN_CERT */
VAR_TCP_CONNECTION_LIMIT = 544, /* VAR_TCP_CONNECTION_LIMIT */
VAR_FORWARD_NO_CACHE = 545, /* VAR_FORWARD_NO_CACHE */
VAR_STUB_NO_CACHE = 546, /* VAR_STUB_NO_CACHE */
VAR_LOG_SERVFAIL = 547, /* VAR_LOG_SERVFAIL */
VAR_DENY_ANY = 548, /* VAR_DENY_ANY */
VAR_UNKNOWN_SERVER_TIME_LIMIT = 549, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */
VAR_LOG_TAG_QUERYREPLY = 550, /* VAR_LOG_TAG_QUERYREPLY */
VAR_STREAM_WAIT_SIZE = 551, /* VAR_STREAM_WAIT_SIZE */
VAR_TLS_CIPHERS = 552, /* VAR_TLS_CIPHERS */
VAR_TLS_CIPHERSUITES = 553, /* VAR_TLS_CIPHERSUITES */
VAR_TLS_USE_SNI = 554, /* VAR_TLS_USE_SNI */
VAR_IPSET = 555, /* VAR_IPSET */
VAR_IPSET_NAME_V4 = 556, /* VAR_IPSET_NAME_V4 */
VAR_IPSET_NAME_V6 = 557, /* VAR_IPSET_NAME_V6 */
VAR_TLS_SESSION_TICKET_KEYS = 558, /* VAR_TLS_SESSION_TICKET_KEYS */
VAR_RPZ = 559, /* VAR_RPZ */
VAR_TAGS = 560, /* VAR_TAGS */
VAR_RPZ_ACTION_OVERRIDE = 561, /* VAR_RPZ_ACTION_OVERRIDE */
VAR_RPZ_CNAME_OVERRIDE = 562, /* VAR_RPZ_CNAME_OVERRIDE */
VAR_RPZ_LOG = 563, /* VAR_RPZ_LOG */
VAR_RPZ_LOG_NAME = 564, /* VAR_RPZ_LOG_NAME */
VAR_DYNLIB = 565, /* VAR_DYNLIB */
VAR_DYNLIB_FILE = 566, /* VAR_DYNLIB_FILE */
VAR_EDNS_CLIENT_STRING = 567, /* VAR_EDNS_CLIENT_STRING */
VAR_EDNS_CLIENT_STRING_OPCODE = 568, /* VAR_EDNS_CLIENT_STRING_OPCODE */
VAR_NSID = 569, /* VAR_NSID */
VAR_ZONEMD_PERMISSIVE_MODE = 570, /* VAR_ZONEMD_PERMISSIVE_MODE */
VAR_ZONEMD_CHECK = 571, /* VAR_ZONEMD_CHECK */
VAR_ZONEMD_REJECT_ABSENCE = 572 /* VAR_ZONEMD_REJECT_ABSENCE */
VAR_STUB_TCP_UPSTREAM = 401, /* VAR_STUB_TCP_UPSTREAM */
VAR_FORWARD_TCP_UPSTREAM = 402, /* VAR_FORWARD_TCP_UPSTREAM */
VAR_HTTPS_PORT = 403, /* VAR_HTTPS_PORT */
VAR_HTTP_ENDPOINT = 404, /* VAR_HTTP_ENDPOINT */
VAR_HTTP_MAX_STREAMS = 405, /* VAR_HTTP_MAX_STREAMS */
VAR_HTTP_QUERY_BUFFER_SIZE = 406, /* VAR_HTTP_QUERY_BUFFER_SIZE */
VAR_HTTP_RESPONSE_BUFFER_SIZE = 407, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */
VAR_HTTP_NODELAY = 408, /* VAR_HTTP_NODELAY */
VAR_HTTP_NOTLS_DOWNSTREAM = 409, /* VAR_HTTP_NOTLS_DOWNSTREAM */
VAR_STUB_FIRST = 410, /* VAR_STUB_FIRST */
VAR_MINIMAL_RESPONSES = 411, /* VAR_MINIMAL_RESPONSES */
VAR_RRSET_ROUNDROBIN = 412, /* VAR_RRSET_ROUNDROBIN */
VAR_MAX_UDP_SIZE = 413, /* VAR_MAX_UDP_SIZE */
VAR_DELAY_CLOSE = 414, /* VAR_DELAY_CLOSE */
VAR_UDP_CONNECT = 415, /* VAR_UDP_CONNECT */
VAR_UNBLOCK_LAN_ZONES = 416, /* VAR_UNBLOCK_LAN_ZONES */
VAR_INSECURE_LAN_ZONES = 417, /* VAR_INSECURE_LAN_ZONES */
VAR_INFRA_CACHE_MIN_RTT = 418, /* VAR_INFRA_CACHE_MIN_RTT */
VAR_INFRA_KEEP_PROBING = 419, /* VAR_INFRA_KEEP_PROBING */
VAR_DNS64_PREFIX = 420, /* VAR_DNS64_PREFIX */
VAR_DNS64_SYNTHALL = 421, /* VAR_DNS64_SYNTHALL */
VAR_DNS64_IGNORE_AAAA = 422, /* VAR_DNS64_IGNORE_AAAA */
VAR_DNSTAP = 423, /* VAR_DNSTAP */
VAR_DNSTAP_ENABLE = 424, /* VAR_DNSTAP_ENABLE */
VAR_DNSTAP_SOCKET_PATH = 425, /* VAR_DNSTAP_SOCKET_PATH */
VAR_DNSTAP_IP = 426, /* VAR_DNSTAP_IP */
VAR_DNSTAP_TLS = 427, /* VAR_DNSTAP_TLS */
VAR_DNSTAP_TLS_SERVER_NAME = 428, /* VAR_DNSTAP_TLS_SERVER_NAME */
VAR_DNSTAP_TLS_CERT_BUNDLE = 429, /* VAR_DNSTAP_TLS_CERT_BUNDLE */
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 430, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 431, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */
VAR_DNSTAP_SEND_IDENTITY = 432, /* VAR_DNSTAP_SEND_IDENTITY */
VAR_DNSTAP_SEND_VERSION = 433, /* VAR_DNSTAP_SEND_VERSION */
VAR_DNSTAP_BIDIRECTIONAL = 434, /* VAR_DNSTAP_BIDIRECTIONAL */
VAR_DNSTAP_IDENTITY = 435, /* VAR_DNSTAP_IDENTITY */
VAR_DNSTAP_VERSION = 436, /* VAR_DNSTAP_VERSION */
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 437, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 438, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 439, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 440, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 441, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 442, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */
VAR_RESPONSE_IP_TAG = 443, /* VAR_RESPONSE_IP_TAG */
VAR_RESPONSE_IP = 444, /* VAR_RESPONSE_IP */
VAR_RESPONSE_IP_DATA = 445, /* VAR_RESPONSE_IP_DATA */
VAR_HARDEN_ALGO_DOWNGRADE = 446, /* VAR_HARDEN_ALGO_DOWNGRADE */
VAR_IP_TRANSPARENT = 447, /* VAR_IP_TRANSPARENT */
VAR_IP_DSCP = 448, /* VAR_IP_DSCP */
VAR_DISABLE_DNSSEC_LAME_CHECK = 449, /* VAR_DISABLE_DNSSEC_LAME_CHECK */
VAR_IP_RATELIMIT = 450, /* VAR_IP_RATELIMIT */
VAR_IP_RATELIMIT_SLABS = 451, /* VAR_IP_RATELIMIT_SLABS */
VAR_IP_RATELIMIT_SIZE = 452, /* VAR_IP_RATELIMIT_SIZE */
VAR_RATELIMIT = 453, /* VAR_RATELIMIT */
VAR_RATELIMIT_SLABS = 454, /* VAR_RATELIMIT_SLABS */
VAR_RATELIMIT_SIZE = 455, /* VAR_RATELIMIT_SIZE */
VAR_RATELIMIT_FOR_DOMAIN = 456, /* VAR_RATELIMIT_FOR_DOMAIN */
VAR_RATELIMIT_BELOW_DOMAIN = 457, /* VAR_RATELIMIT_BELOW_DOMAIN */
VAR_IP_RATELIMIT_FACTOR = 458, /* VAR_IP_RATELIMIT_FACTOR */
VAR_RATELIMIT_FACTOR = 459, /* VAR_RATELIMIT_FACTOR */
VAR_SEND_CLIENT_SUBNET = 460, /* VAR_SEND_CLIENT_SUBNET */
VAR_CLIENT_SUBNET_ZONE = 461, /* VAR_CLIENT_SUBNET_ZONE */
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 462, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */
VAR_CLIENT_SUBNET_OPCODE = 463, /* VAR_CLIENT_SUBNET_OPCODE */
VAR_MAX_CLIENT_SUBNET_IPV4 = 464, /* VAR_MAX_CLIENT_SUBNET_IPV4 */
VAR_MAX_CLIENT_SUBNET_IPV6 = 465, /* VAR_MAX_CLIENT_SUBNET_IPV6 */
VAR_MIN_CLIENT_SUBNET_IPV4 = 466, /* VAR_MIN_CLIENT_SUBNET_IPV4 */
VAR_MIN_CLIENT_SUBNET_IPV6 = 467, /* VAR_MIN_CLIENT_SUBNET_IPV6 */
VAR_MAX_ECS_TREE_SIZE_IPV4 = 468, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */
VAR_MAX_ECS_TREE_SIZE_IPV6 = 469, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */
VAR_CAPS_WHITELIST = 470, /* VAR_CAPS_WHITELIST */
VAR_CACHE_MAX_NEGATIVE_TTL = 471, /* VAR_CACHE_MAX_NEGATIVE_TTL */
VAR_PERMIT_SMALL_HOLDDOWN = 472, /* VAR_PERMIT_SMALL_HOLDDOWN */
VAR_QNAME_MINIMISATION = 473, /* VAR_QNAME_MINIMISATION */
VAR_QNAME_MINIMISATION_STRICT = 474, /* VAR_QNAME_MINIMISATION_STRICT */
VAR_IP_FREEBIND = 475, /* VAR_IP_FREEBIND */
VAR_DEFINE_TAG = 476, /* VAR_DEFINE_TAG */
VAR_LOCAL_ZONE_TAG = 477, /* VAR_LOCAL_ZONE_TAG */
VAR_ACCESS_CONTROL_TAG = 478, /* VAR_ACCESS_CONTROL_TAG */
VAR_LOCAL_ZONE_OVERRIDE = 479, /* VAR_LOCAL_ZONE_OVERRIDE */
VAR_ACCESS_CONTROL_TAG_ACTION = 480, /* VAR_ACCESS_CONTROL_TAG_ACTION */
VAR_ACCESS_CONTROL_TAG_DATA = 481, /* VAR_ACCESS_CONTROL_TAG_DATA */
VAR_VIEW = 482, /* VAR_VIEW */
VAR_ACCESS_CONTROL_VIEW = 483, /* VAR_ACCESS_CONTROL_VIEW */
VAR_VIEW_FIRST = 484, /* VAR_VIEW_FIRST */
VAR_SERVE_EXPIRED = 485, /* VAR_SERVE_EXPIRED */
VAR_SERVE_EXPIRED_TTL = 486, /* VAR_SERVE_EXPIRED_TTL */
VAR_SERVE_EXPIRED_TTL_RESET = 487, /* VAR_SERVE_EXPIRED_TTL_RESET */
VAR_SERVE_EXPIRED_REPLY_TTL = 488, /* VAR_SERVE_EXPIRED_REPLY_TTL */
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 489, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */
VAR_SERVE_ORIGINAL_TTL = 490, /* VAR_SERVE_ORIGINAL_TTL */
VAR_FAKE_DSA = 491, /* VAR_FAKE_DSA */
VAR_FAKE_SHA1 = 492, /* VAR_FAKE_SHA1 */
VAR_LOG_IDENTITY = 493, /* VAR_LOG_IDENTITY */
VAR_HIDE_TRUSTANCHOR = 494, /* VAR_HIDE_TRUSTANCHOR */
VAR_HIDE_HTTP_USER_AGENT = 495, /* VAR_HIDE_HTTP_USER_AGENT */
VAR_HTTP_USER_AGENT = 496, /* VAR_HTTP_USER_AGENT */
VAR_TRUST_ANCHOR_SIGNALING = 497, /* VAR_TRUST_ANCHOR_SIGNALING */
VAR_AGGRESSIVE_NSEC = 498, /* VAR_AGGRESSIVE_NSEC */
VAR_USE_SYSTEMD = 499, /* VAR_USE_SYSTEMD */
VAR_SHM_ENABLE = 500, /* VAR_SHM_ENABLE */
VAR_SHM_KEY = 501, /* VAR_SHM_KEY */
VAR_ROOT_KEY_SENTINEL = 502, /* VAR_ROOT_KEY_SENTINEL */
VAR_DNSCRYPT = 503, /* VAR_DNSCRYPT */
VAR_DNSCRYPT_ENABLE = 504, /* VAR_DNSCRYPT_ENABLE */
VAR_DNSCRYPT_PORT = 505, /* VAR_DNSCRYPT_PORT */
VAR_DNSCRYPT_PROVIDER = 506, /* VAR_DNSCRYPT_PROVIDER */
VAR_DNSCRYPT_SECRET_KEY = 507, /* VAR_DNSCRYPT_SECRET_KEY */
VAR_DNSCRYPT_PROVIDER_CERT = 508, /* VAR_DNSCRYPT_PROVIDER_CERT */
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 509, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 510, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 511, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 512, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 513, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */
VAR_PAD_RESPONSES = 514, /* VAR_PAD_RESPONSES */
VAR_PAD_RESPONSES_BLOCK_SIZE = 515, /* VAR_PAD_RESPONSES_BLOCK_SIZE */
VAR_PAD_QUERIES = 516, /* VAR_PAD_QUERIES */
VAR_PAD_QUERIES_BLOCK_SIZE = 517, /* VAR_PAD_QUERIES_BLOCK_SIZE */
VAR_IPSECMOD_ENABLED = 518, /* VAR_IPSECMOD_ENABLED */
VAR_IPSECMOD_HOOK = 519, /* VAR_IPSECMOD_HOOK */
VAR_IPSECMOD_IGNORE_BOGUS = 520, /* VAR_IPSECMOD_IGNORE_BOGUS */
VAR_IPSECMOD_MAX_TTL = 521, /* VAR_IPSECMOD_MAX_TTL */
VAR_IPSECMOD_WHITELIST = 522, /* VAR_IPSECMOD_WHITELIST */
VAR_IPSECMOD_STRICT = 523, /* VAR_IPSECMOD_STRICT */
VAR_CACHEDB = 524, /* VAR_CACHEDB */
VAR_CACHEDB_BACKEND = 525, /* VAR_CACHEDB_BACKEND */
VAR_CACHEDB_SECRETSEED = 526, /* VAR_CACHEDB_SECRETSEED */
VAR_CACHEDB_REDISHOST = 527, /* VAR_CACHEDB_REDISHOST */
VAR_CACHEDB_REDISPORT = 528, /* VAR_CACHEDB_REDISPORT */
VAR_CACHEDB_REDISTIMEOUT = 529, /* VAR_CACHEDB_REDISTIMEOUT */
VAR_CACHEDB_REDISEXPIRERECORDS = 530, /* VAR_CACHEDB_REDISEXPIRERECORDS */
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 531, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */
VAR_FOR_UPSTREAM = 532, /* VAR_FOR_UPSTREAM */
VAR_AUTH_ZONE = 533, /* VAR_AUTH_ZONE */
VAR_ZONEFILE = 534, /* VAR_ZONEFILE */
VAR_MASTER = 535, /* VAR_MASTER */
VAR_URL = 536, /* VAR_URL */
VAR_FOR_DOWNSTREAM = 537, /* VAR_FOR_DOWNSTREAM */
VAR_FALLBACK_ENABLED = 538, /* VAR_FALLBACK_ENABLED */
VAR_TLS_ADDITIONAL_PORT = 539, /* VAR_TLS_ADDITIONAL_PORT */
VAR_LOW_RTT = 540, /* VAR_LOW_RTT */
VAR_LOW_RTT_PERMIL = 541, /* VAR_LOW_RTT_PERMIL */
VAR_FAST_SERVER_PERMIL = 542, /* VAR_FAST_SERVER_PERMIL */
VAR_FAST_SERVER_NUM = 543, /* VAR_FAST_SERVER_NUM */
VAR_ALLOW_NOTIFY = 544, /* VAR_ALLOW_NOTIFY */
VAR_TLS_WIN_CERT = 545, /* VAR_TLS_WIN_CERT */
VAR_TCP_CONNECTION_LIMIT = 546, /* VAR_TCP_CONNECTION_LIMIT */
VAR_FORWARD_NO_CACHE = 547, /* VAR_FORWARD_NO_CACHE */
VAR_STUB_NO_CACHE = 548, /* VAR_STUB_NO_CACHE */
VAR_LOG_SERVFAIL = 549, /* VAR_LOG_SERVFAIL */
VAR_DENY_ANY = 550, /* VAR_DENY_ANY */
VAR_UNKNOWN_SERVER_TIME_LIMIT = 551, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */
VAR_LOG_TAG_QUERYREPLY = 552, /* VAR_LOG_TAG_QUERYREPLY */
VAR_STREAM_WAIT_SIZE = 553, /* VAR_STREAM_WAIT_SIZE */
VAR_TLS_CIPHERS = 554, /* VAR_TLS_CIPHERS */
VAR_TLS_CIPHERSUITES = 555, /* VAR_TLS_CIPHERSUITES */
VAR_TLS_USE_SNI = 556, /* VAR_TLS_USE_SNI */
VAR_IPSET = 557, /* VAR_IPSET */
VAR_IPSET_NAME_V4 = 558, /* VAR_IPSET_NAME_V4 */
VAR_IPSET_NAME_V6 = 559, /* VAR_IPSET_NAME_V6 */
VAR_TLS_SESSION_TICKET_KEYS = 560, /* VAR_TLS_SESSION_TICKET_KEYS */
VAR_RPZ = 561, /* VAR_RPZ */
VAR_TAGS = 562, /* VAR_TAGS */
VAR_RPZ_ACTION_OVERRIDE = 563, /* VAR_RPZ_ACTION_OVERRIDE */
VAR_RPZ_CNAME_OVERRIDE = 564, /* VAR_RPZ_CNAME_OVERRIDE */
VAR_RPZ_LOG = 565, /* VAR_RPZ_LOG */
VAR_RPZ_LOG_NAME = 566, /* VAR_RPZ_LOG_NAME */
VAR_DYNLIB = 567, /* VAR_DYNLIB */
VAR_DYNLIB_FILE = 568, /* VAR_DYNLIB_FILE */
VAR_EDNS_CLIENT_STRING = 569, /* VAR_EDNS_CLIENT_STRING */
VAR_EDNS_CLIENT_STRING_OPCODE = 570, /* VAR_EDNS_CLIENT_STRING_OPCODE */
VAR_NSID = 571, /* VAR_NSID */
VAR_ZONEMD_PERMISSIVE_MODE = 572, /* VAR_ZONEMD_PERMISSIVE_MODE */
VAR_ZONEMD_CHECK = 573, /* VAR_ZONEMD_CHECK */
VAR_ZONEMD_REJECT_ABSENCE = 574 /* VAR_ZONEMD_REJECT_ABSENCE */
};
typedef enum yytokentype yytoken_kind_t;
#endif
/* Token kinds. */
#define YYEMPTY -2
#define YYEOF 0
#define YYerror 256
#define YYUNDEF 257
@ -520,178 +521,180 @@ extern int yydebug;
#define VAR_STUB_SSL_UPSTREAM 398
#define VAR_FORWARD_SSL_UPSTREAM 399
#define VAR_TLS_CERT_BUNDLE 400
#define VAR_HTTPS_PORT 401
#define VAR_HTTP_ENDPOINT 402
#define VAR_HTTP_MAX_STREAMS 403
#define VAR_HTTP_QUERY_BUFFER_SIZE 404
#define VAR_HTTP_RESPONSE_BUFFER_SIZE 405
#define VAR_HTTP_NODELAY 406
#define VAR_HTTP_NOTLS_DOWNSTREAM 407
#define VAR_STUB_FIRST 408
#define VAR_MINIMAL_RESPONSES 409
#define VAR_RRSET_ROUNDROBIN 410
#define VAR_MAX_UDP_SIZE 411
#define VAR_DELAY_CLOSE 412
#define VAR_UDP_CONNECT 413
#define VAR_UNBLOCK_LAN_ZONES 414
#define VAR_INSECURE_LAN_ZONES 415
#define VAR_INFRA_CACHE_MIN_RTT 416
#define VAR_INFRA_KEEP_PROBING 417
#define VAR_DNS64_PREFIX 418
#define VAR_DNS64_SYNTHALL 419
#define VAR_DNS64_IGNORE_AAAA 420
#define VAR_DNSTAP 421
#define VAR_DNSTAP_ENABLE 422
#define VAR_DNSTAP_SOCKET_PATH 423
#define VAR_DNSTAP_IP 424
#define VAR_DNSTAP_TLS 425
#define VAR_DNSTAP_TLS_SERVER_NAME 426
#define VAR_DNSTAP_TLS_CERT_BUNDLE 427
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 428
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 429
#define VAR_DNSTAP_SEND_IDENTITY 430
#define VAR_DNSTAP_SEND_VERSION 431
#define VAR_DNSTAP_BIDIRECTIONAL 432
#define VAR_DNSTAP_IDENTITY 433
#define VAR_DNSTAP_VERSION 434
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 435
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 436
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 437
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 438
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 439
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 440
#define VAR_RESPONSE_IP_TAG 441
#define VAR_RESPONSE_IP 442
#define VAR_RESPONSE_IP_DATA 443
#define VAR_HARDEN_ALGO_DOWNGRADE 444
#define VAR_IP_TRANSPARENT 445
#define VAR_IP_DSCP 446
#define VAR_DISABLE_DNSSEC_LAME_CHECK 447
#define VAR_IP_RATELIMIT 448
#define VAR_IP_RATELIMIT_SLABS 449
#define VAR_IP_RATELIMIT_SIZE 450
#define VAR_RATELIMIT 451
#define VAR_RATELIMIT_SLABS 452
#define VAR_RATELIMIT_SIZE 453
#define VAR_RATELIMIT_FOR_DOMAIN 454
#define VAR_RATELIMIT_BELOW_DOMAIN 455
#define VAR_IP_RATELIMIT_FACTOR 456
#define VAR_RATELIMIT_FACTOR 457
#define VAR_SEND_CLIENT_SUBNET 458
#define VAR_CLIENT_SUBNET_ZONE 459
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 460
#define VAR_CLIENT_SUBNET_OPCODE 461
#define VAR_MAX_CLIENT_SUBNET_IPV4 462
#define VAR_MAX_CLIENT_SUBNET_IPV6 463
#define VAR_MIN_CLIENT_SUBNET_IPV4 464
#define VAR_MIN_CLIENT_SUBNET_IPV6 465
#define VAR_MAX_ECS_TREE_SIZE_IPV4 466
#define VAR_MAX_ECS_TREE_SIZE_IPV6 467
#define VAR_CAPS_WHITELIST 468
#define VAR_CACHE_MAX_NEGATIVE_TTL 469
#define VAR_PERMIT_SMALL_HOLDDOWN 470
#define VAR_QNAME_MINIMISATION 471
#define VAR_QNAME_MINIMISATION_STRICT 472
#define VAR_IP_FREEBIND 473
#define VAR_DEFINE_TAG 474
#define VAR_LOCAL_ZONE_TAG 475
#define VAR_ACCESS_CONTROL_TAG 476
#define VAR_LOCAL_ZONE_OVERRIDE 477
#define VAR_ACCESS_CONTROL_TAG_ACTION 478
#define VAR_ACCESS_CONTROL_TAG_DATA 479
#define VAR_VIEW 480
#define VAR_ACCESS_CONTROL_VIEW 481
#define VAR_VIEW_FIRST 482
#define VAR_SERVE_EXPIRED 483
#define VAR_SERVE_EXPIRED_TTL 484
#define VAR_SERVE_EXPIRED_TTL_RESET 485
#define VAR_SERVE_EXPIRED_REPLY_TTL 486
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 487
#define VAR_SERVE_ORIGINAL_TTL 488
#define VAR_FAKE_DSA 489
#define VAR_FAKE_SHA1 490
#define VAR_LOG_IDENTITY 491
#define VAR_HIDE_TRUSTANCHOR 492
#define VAR_HIDE_HTTP_USER_AGENT 493
#define VAR_HTTP_USER_AGENT 494
#define VAR_TRUST_ANCHOR_SIGNALING 495
#define VAR_AGGRESSIVE_NSEC 496
#define VAR_USE_SYSTEMD 497
#define VAR_SHM_ENABLE 498
#define VAR_SHM_KEY 499
#define VAR_ROOT_KEY_SENTINEL 500
#define VAR_DNSCRYPT 501
#define VAR_DNSCRYPT_ENABLE 502
#define VAR_DNSCRYPT_PORT 503
#define VAR_DNSCRYPT_PROVIDER 504
#define VAR_DNSCRYPT_SECRET_KEY 505
#define VAR_DNSCRYPT_PROVIDER_CERT 506
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 507
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 508
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 509
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 510
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 511
#define VAR_PAD_RESPONSES 512
#define VAR_PAD_RESPONSES_BLOCK_SIZE 513
#define VAR_PAD_QUERIES 514
#define VAR_PAD_QUERIES_BLOCK_SIZE 515
#define VAR_IPSECMOD_ENABLED 516
#define VAR_IPSECMOD_HOOK 517
#define VAR_IPSECMOD_IGNORE_BOGUS 518
#define VAR_IPSECMOD_MAX_TTL 519
#define VAR_IPSECMOD_WHITELIST 520
#define VAR_IPSECMOD_STRICT 521
#define VAR_CACHEDB 522
#define VAR_CACHEDB_BACKEND 523
#define VAR_CACHEDB_SECRETSEED 524
#define VAR_CACHEDB_REDISHOST 525
#define VAR_CACHEDB_REDISPORT 526
#define VAR_CACHEDB_REDISTIMEOUT 527
#define VAR_CACHEDB_REDISEXPIRERECORDS 528
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 529
#define VAR_FOR_UPSTREAM 530
#define VAR_AUTH_ZONE 531
#define VAR_ZONEFILE 532
#define VAR_MASTER 533
#define VAR_URL 534
#define VAR_FOR_DOWNSTREAM 535
#define VAR_FALLBACK_ENABLED 536
#define VAR_TLS_ADDITIONAL_PORT 537
#define VAR_LOW_RTT 538
#define VAR_LOW_RTT_PERMIL 539
#define VAR_FAST_SERVER_PERMIL 540
#define VAR_FAST_SERVER_NUM 541
#define VAR_ALLOW_NOTIFY 542
#define VAR_TLS_WIN_CERT 543
#define VAR_TCP_CONNECTION_LIMIT 544
#define VAR_FORWARD_NO_CACHE 545
#define VAR_STUB_NO_CACHE 546
#define VAR_LOG_SERVFAIL 547
#define VAR_DENY_ANY 548
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 549
#define VAR_LOG_TAG_QUERYREPLY 550
#define VAR_STREAM_WAIT_SIZE 551
#define VAR_TLS_CIPHERS 552
#define VAR_TLS_CIPHERSUITES 553
#define VAR_TLS_USE_SNI 554
#define VAR_IPSET 555
#define VAR_IPSET_NAME_V4 556
#define VAR_IPSET_NAME_V6 557
#define VAR_TLS_SESSION_TICKET_KEYS 558
#define VAR_RPZ 559
#define VAR_TAGS 560
#define VAR_RPZ_ACTION_OVERRIDE 561
#define VAR_RPZ_CNAME_OVERRIDE 562
#define VAR_RPZ_LOG 563
#define VAR_RPZ_LOG_NAME 564
#define VAR_DYNLIB 565
#define VAR_DYNLIB_FILE 566
#define VAR_EDNS_CLIENT_STRING 567
#define VAR_EDNS_CLIENT_STRING_OPCODE 568
#define VAR_NSID 569
#define VAR_ZONEMD_PERMISSIVE_MODE 570
#define VAR_ZONEMD_CHECK 571
#define VAR_ZONEMD_REJECT_ABSENCE 572
#define VAR_STUB_TCP_UPSTREAM 401
#define VAR_FORWARD_TCP_UPSTREAM 402
#define VAR_HTTPS_PORT 403
#define VAR_HTTP_ENDPOINT 404
#define VAR_HTTP_MAX_STREAMS 405
#define VAR_HTTP_QUERY_BUFFER_SIZE 406
#define VAR_HTTP_RESPONSE_BUFFER_SIZE 407
#define VAR_HTTP_NODELAY 408
#define VAR_HTTP_NOTLS_DOWNSTREAM 409
#define VAR_STUB_FIRST 410
#define VAR_MINIMAL_RESPONSES 411
#define VAR_RRSET_ROUNDROBIN 412
#define VAR_MAX_UDP_SIZE 413
#define VAR_DELAY_CLOSE 414
#define VAR_UDP_CONNECT 415
#define VAR_UNBLOCK_LAN_ZONES 416
#define VAR_INSECURE_LAN_ZONES 417
#define VAR_INFRA_CACHE_MIN_RTT 418
#define VAR_INFRA_KEEP_PROBING 419
#define VAR_DNS64_PREFIX 420
#define VAR_DNS64_SYNTHALL 421
#define VAR_DNS64_IGNORE_AAAA 422
#define VAR_DNSTAP 423
#define VAR_DNSTAP_ENABLE 424
#define VAR_DNSTAP_SOCKET_PATH 425
#define VAR_DNSTAP_IP 426
#define VAR_DNSTAP_TLS 427
#define VAR_DNSTAP_TLS_SERVER_NAME 428
#define VAR_DNSTAP_TLS_CERT_BUNDLE 429
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 430
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 431
#define VAR_DNSTAP_SEND_IDENTITY 432
#define VAR_DNSTAP_SEND_VERSION 433
#define VAR_DNSTAP_BIDIRECTIONAL 434
#define VAR_DNSTAP_IDENTITY 435
#define VAR_DNSTAP_VERSION 436
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 437
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 438
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 439
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 440
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 441
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 442
#define VAR_RESPONSE_IP_TAG 443
#define VAR_RESPONSE_IP 444
#define VAR_RESPONSE_IP_DATA 445
#define VAR_HARDEN_ALGO_DOWNGRADE 446
#define VAR_IP_TRANSPARENT 447
#define VAR_IP_DSCP 448
#define VAR_DISABLE_DNSSEC_LAME_CHECK 449
#define VAR_IP_RATELIMIT 450
#define VAR_IP_RATELIMIT_SLABS 451
#define VAR_IP_RATELIMIT_SIZE 452
#define VAR_RATELIMIT 453
#define VAR_RATELIMIT_SLABS 454
#define VAR_RATELIMIT_SIZE 455
#define VAR_RATELIMIT_FOR_DOMAIN 456
#define VAR_RATELIMIT_BELOW_DOMAIN 457
#define VAR_IP_RATELIMIT_FACTOR 458
#define VAR_RATELIMIT_FACTOR 459
#define VAR_SEND_CLIENT_SUBNET 460
#define VAR_CLIENT_SUBNET_ZONE 461
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 462
#define VAR_CLIENT_SUBNET_OPCODE 463
#define VAR_MAX_CLIENT_SUBNET_IPV4 464
#define VAR_MAX_CLIENT_SUBNET_IPV6 465
#define VAR_MIN_CLIENT_SUBNET_IPV4 466
#define VAR_MIN_CLIENT_SUBNET_IPV6 467
#define VAR_MAX_ECS_TREE_SIZE_IPV4 468
#define VAR_MAX_ECS_TREE_SIZE_IPV6 469
#define VAR_CAPS_WHITELIST 470
#define VAR_CACHE_MAX_NEGATIVE_TTL 471
#define VAR_PERMIT_SMALL_HOLDDOWN 472
#define VAR_QNAME_MINIMISATION 473
#define VAR_QNAME_MINIMISATION_STRICT 474
#define VAR_IP_FREEBIND 475
#define VAR_DEFINE_TAG 476
#define VAR_LOCAL_ZONE_TAG 477
#define VAR_ACCESS_CONTROL_TAG 478
#define VAR_LOCAL_ZONE_OVERRIDE 479
#define VAR_ACCESS_CONTROL_TAG_ACTION 480
#define VAR_ACCESS_CONTROL_TAG_DATA 481
#define VAR_VIEW 482
#define VAR_ACCESS_CONTROL_VIEW 483
#define VAR_VIEW_FIRST 484
#define VAR_SERVE_EXPIRED 485
#define VAR_SERVE_EXPIRED_TTL 486
#define VAR_SERVE_EXPIRED_TTL_RESET 487
#define VAR_SERVE_EXPIRED_REPLY_TTL 488
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 489
#define VAR_SERVE_ORIGINAL_TTL 490
#define VAR_FAKE_DSA 491
#define VAR_FAKE_SHA1 492
#define VAR_LOG_IDENTITY 493
#define VAR_HIDE_TRUSTANCHOR 494
#define VAR_HIDE_HTTP_USER_AGENT 495
#define VAR_HTTP_USER_AGENT 496
#define VAR_TRUST_ANCHOR_SIGNALING 497
#define VAR_AGGRESSIVE_NSEC 498
#define VAR_USE_SYSTEMD 499
#define VAR_SHM_ENABLE 500
#define VAR_SHM_KEY 501
#define VAR_ROOT_KEY_SENTINEL 502
#define VAR_DNSCRYPT 503
#define VAR_DNSCRYPT_ENABLE 504
#define VAR_DNSCRYPT_PORT 505
#define VAR_DNSCRYPT_PROVIDER 506
#define VAR_DNSCRYPT_SECRET_KEY 507
#define VAR_DNSCRYPT_PROVIDER_CERT 508
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 509
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 510
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 511
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 512
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 513
#define VAR_PAD_RESPONSES 514
#define VAR_PAD_RESPONSES_BLOCK_SIZE 515
#define VAR_PAD_QUERIES 516
#define VAR_PAD_QUERIES_BLOCK_SIZE 517
#define VAR_IPSECMOD_ENABLED 518
#define VAR_IPSECMOD_HOOK 519
#define VAR_IPSECMOD_IGNORE_BOGUS 520
#define VAR_IPSECMOD_MAX_TTL 521
#define VAR_IPSECMOD_WHITELIST 522
#define VAR_IPSECMOD_STRICT 523
#define VAR_CACHEDB 524
#define VAR_CACHEDB_BACKEND 525
#define VAR_CACHEDB_SECRETSEED 526
#define VAR_CACHEDB_REDISHOST 527
#define VAR_CACHEDB_REDISPORT 528
#define VAR_CACHEDB_REDISTIMEOUT 529
#define VAR_CACHEDB_REDISEXPIRERECORDS 530
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 531
#define VAR_FOR_UPSTREAM 532
#define VAR_AUTH_ZONE 533
#define VAR_ZONEFILE 534
#define VAR_MASTER 535
#define VAR_URL 536
#define VAR_FOR_DOWNSTREAM 537
#define VAR_FALLBACK_ENABLED 538
#define VAR_TLS_ADDITIONAL_PORT 539
#define VAR_LOW_RTT 540
#define VAR_LOW_RTT_PERMIL 541
#define VAR_FAST_SERVER_PERMIL 542
#define VAR_FAST_SERVER_NUM 543
#define VAR_ALLOW_NOTIFY 544
#define VAR_TLS_WIN_CERT 545
#define VAR_TCP_CONNECTION_LIMIT 546
#define VAR_FORWARD_NO_CACHE 547
#define VAR_STUB_NO_CACHE 548
#define VAR_LOG_SERVFAIL 549
#define VAR_DENY_ANY 550
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 551
#define VAR_LOG_TAG_QUERYREPLY 552
#define VAR_STREAM_WAIT_SIZE 553
#define VAR_TLS_CIPHERS 554
#define VAR_TLS_CIPHERSUITES 555
#define VAR_TLS_USE_SNI 556
#define VAR_IPSET 557
#define VAR_IPSET_NAME_V4 558
#define VAR_IPSET_NAME_V6 559
#define VAR_TLS_SESSION_TICKET_KEYS 560
#define VAR_RPZ 561
#define VAR_TAGS 562
#define VAR_RPZ_ACTION_OVERRIDE 563
#define VAR_RPZ_CNAME_OVERRIDE 564
#define VAR_RPZ_LOG 565
#define VAR_RPZ_LOG_NAME 566
#define VAR_DYNLIB 567
#define VAR_DYNLIB_FILE 568
#define VAR_EDNS_CLIENT_STRING 569
#define VAR_EDNS_CLIENT_STRING_OPCODE 570
#define VAR_NSID 571
#define VAR_ZONEMD_PERMISSIVE_MODE 572
#define VAR_ZONEMD_CHECK 573
#define VAR_ZONEMD_REJECT_ABSENCE 574
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -701,7 +704,7 @@ union YYSTYPE
char* str;
#line 705 "util/configparser.h"
#line 708 "util/configparser.h"
};
typedef union YYSTYPE YYSTYPE;


@ -113,6 +113,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_SSL_UPSTREAM VAR_TCP_AUTH_QUERY_TIMEOUT VAR_SSL_SERVICE_KEY
%token VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
%token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
%token VAR_STUB_TCP_UPSTREAM VAR_FORWARD_TCP_UPSTREAM
%token VAR_HTTPS_PORT VAR_HTTP_ENDPOINT VAR_HTTP_MAX_STREAMS
%token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE
%token VAR_HTTP_NODELAY VAR_HTTP_NOTLS_DOWNSTREAM
@ -324,7 +325,7 @@ stubstart: VAR_STUB_ZONE
contents_stub: contents_stub content_stub
| ;
content_stub: stub_name | stub_host | stub_addr | stub_prime | stub_first |
stub_no_cache | stub_ssl_upstream
stub_no_cache | stub_ssl_upstream | stub_tcp_upstream
;
forwardstart: VAR_FORWARD_ZONE
{
@ -341,7 +342,7 @@ forwardstart: VAR_FORWARD_ZONE
contents_forward: contents_forward content_forward
| ;
content_forward: forward_name | forward_host | forward_addr | forward_first |
forward_no_cache | forward_ssl_upstream
forward_no_cache | forward_ssl_upstream | forward_tcp_upstream
;
viewstart: VAR_VIEW
{
@ -2721,6 +2722,16 @@ stub_ssl_upstream: VAR_STUB_SSL_UPSTREAM STRING_ARG
free($2);
}
;
stub_tcp_upstream: VAR_STUB_TCP_UPSTREAM STRING_ARG
{
OUTYY(("P(stub-tcp-upstream:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->stubs->tcp_upstream =
(strcmp($2, "yes")==0);
free($2);
}
;
stub_prime: VAR_STUB_PRIME STRING_ARG
{
OUTYY(("P(stub-prime:%s)\n", $2));
@ -2783,6 +2794,16 @@ forward_ssl_upstream: VAR_FORWARD_SSL_UPSTREAM STRING_ARG
free($2);
}
;
forward_tcp_upstream: VAR_FORWARD_TCP_UPSTREAM STRING_ARG
{
OUTYY(("P(forward-tcp-upstream:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->forwards->tcp_upstream =
(strcmp($2, "yes")==0);
free($2);
}
;
auth_name: VAR_NAME STRING_ARG
{
OUTYY(("P(name:%s)\n", $2));


@ -521,7 +521,6 @@ int reply_info_parse(sldns_buffer* pkt, struct alloc_cache* alloc,
/* this also performs dname decompression */
if(!parse_create_msg(pkt, msg, alloc, qinf, rep, NULL)) {
query_info_clear(qinf);
reply_info_parsedelete(*rep, alloc);
*rep = NULL;
return LDNS_RCODE_SERVFAIL;
}


@ -335,7 +335,7 @@ int
fptr_whitelist_modenv_send_query(struct outbound_entry* (*fptr)(
struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec,
int nocaps, struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* zone, size_t zonelen, int ssl_upstream, char* tls_auth_name,
uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
struct module_qstate* q))
{
if(fptr == &worker_send_query) return 1;
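Review bot: The rewritten prototype line `uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,` runs well past the column width the rest of this parameter list keeps, and the same overlong line is repeated in the fptr_whitelist_modenv_send_query declaration hunk in the header below. Wrap it the way the module.h hunk does: `uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream,` followed by `char* tls_auth_name, struct module_qstate* q))`. The parameter order (tcp_upstream before ssl_upstream) agrees with the send_query member in module.h, which is the signature this whitelist must stay in sync with. The function body continues outside the hunk.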


@ -212,7 +212,7 @@ int fptr_whitelist_hash_markdelfunc(lruhash_markdelfunc_type fptr);
int fptr_whitelist_modenv_send_query(struct outbound_entry* (*fptr)(
struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec,
int nocaps, struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* zone, size_t zonelen, int ssl_upstream, char* tls_auth_name,
uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
struct module_qstate* q));
/**


@ -337,6 +337,15 @@ int event_del(struct event* ev)
FD_CLR(FD_SET_T ev->ev_fd, &ev->ev_base->writes);
FD_CLR(FD_SET_T ev->ev_fd, &ev->ev_base->ready);
FD_CLR(FD_SET_T ev->ev_fd, &ev->ev_base->content);
if(ev->ev_fd == ev->ev_base->maxfd) {
int i = ev->ev_base->maxfd - 1;
for (; i > 3; i--) {
if (NULL != ev->ev_base->fds[i]) {
break;
}
}
ev->ev_base->maxfd = i;
}
}
ev->added = 0;
return 0;
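Review bot: The lower bound in `for (; i > 3; i--)` is a magic number: the loop never inspects fds[3] and leaves maxfd at 3 when nothing higher is registered, which is presumably a harmless over-estimate for the select() set but is not stated anywhere. Add a comment such as `/* descriptors 0-3 are never tracked here, so 3 is a safe floor for maxfd */` — TODO confirm against how maxfd is initialised, which is outside this hunk. As a point of style, `for (; ...` and `if (NULL != ...)` do not match the `if(` / `for(` form the surrounding lines of event_del use; keep the file's form. event_del's opening lines lie outside the hunk.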


@ -354,6 +354,7 @@ struct module_env {
* @param addrlen: length of addr.
* @param zone: delegation point name.
* @param zonelen: length of zone name.
* @param tcp_upstream: use TCP for upstream queries.
* @param ssl_upstream: use SSL for upstream queries.
* @param tls_auth_name: if ssl_upstream, use this name with TLS
* authentication.
@ -366,7 +367,7 @@ struct module_env {
struct outbound_entry* (*send_query)(struct query_info* qinfo,
uint16_t flags, int dnssec, int want_dnssec, int nocaps,
struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* zone, size_t zonelen, int ssl_upstream,
uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream,
char* tls_auth_name, struct module_qstate* q);
/**
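Review bot: The new line `@param tcp_upstream: use TCP for upstream queries.` does not say how tcp_upstream combines with ssl_upstream when both are set, so a caller of send_query cannot tell from the contract whether TLS already implies TCP or whether tcp_upstream alone forces plain TCP. Once the precedence is confirmed from the send path (outside this hunk), expand it along the lines of `@param tcp_upstream: use plain TCP for upstream queries; see ssl_upstream for TLS, which [PLACEHOLDER: state which flag wins when both are set].` The same ambiguity applies to the new stub-tcp-upstream and forward-tcp-upstream parser rules, which accept both flags without cross-checking them.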


@ -881,6 +881,12 @@ log_cert(unsigned level, const char* str, void* cert)
BIO_write(bio, &nul, (int)sizeof(nul));
len = BIO_get_mem_data(bio, &pp);
if(len != 0 && pp) {
/* reduce size of cert printout */
char* s;
while((s=strstr(pp, " "))!=NULL)
memmove(s, s+1, strlen(s+1)+1);
while((s=strstr(pp, "\t\t"))!=NULL)
memmove(s, s+1, strlen(s+1)+1);
verbose(level, "%s: \n%s", str, pp);
}
BIO_free(bio);
@ -945,9 +951,12 @@ listen_sslctx_setup(void* ctxt)
}
#endif
#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
/* if we detect system-wide crypto policies, use those */
if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) {
/* if we have sha256, set the cipher list to have no known vulns */
if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
}
#endif
if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
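Review bot: When `/etc/crypto-policies/config` exists the built-in cipher list is silently skipped, so the ciphers actually offered now depend on a file outside Unbound's own configuration and nothing in the log records which branch ran; add `else verbose(VERB_ALGO, "system crypto-policies found, cipher list left to OpenSSL defaults");` after the block. Because `access()` also fails for reasons other than absence, and this path is the crypto-policies layout used by Fedora/RHEL, the comment should say that on other systems or inside a chroot the built-in list is always used — worth confirming whether listen_sslctx_setup runs before or after Unbound drops into its chroot. In the log_cert hunk above, each `strstr` restarts from `pp`, which is quadratic in the printout length; resuming from `s` is enough, since removing one character can only leave a new match at the same offset. listen_sslctx_setup continues outside the hunk.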


@ -300,6 +300,7 @@ udp_send_errno_needs_log(struct sockaddr* addr, socklen_t addrlen)
case ENETDOWN:
# endif
case EPERM:
case EACCES:
if(verbosity < VERB_ALGO)
return 0;
default:
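Review bot: The added `case EACCES:` joins EPERM in being suppressed below VERB_ALGO without a comment saying why; on a resolver, a UDP send refused with EACCES typically points at a local firewall or policy blocking egress, which an operator at normal verbosity would want to learn about at least once. Add `/* EACCES: local firewall or policy refused the send, treat like EPERM; only log at VERB_ALGO to avoid flooding the log */` above the case, and consider whether a one-time or rate-limited notice at lower verbosity is warranted. The switch continues past the end of the hunk.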