Merge branch 'master' into framestreams
This commit is contained in:
commit
b4f055effc
6 changed files with 93 additions and 16 deletions
|
|
@ -51,3 +51,5 @@ distribution but may be helpful.
|
|||
compile. From Saksham Manchanda (Secure64). Please note that we think
|
||||
this will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
|
||||
lookups for downstream clients.
|
||||
* drop2rpz: perl script that converts the Spamhaus DROP-List in RPZ-Format,
|
||||
contributed by Andreas Schulze.
|
||||
|
|
|
|||
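--- /dev/null
+++ b/contrib/drop2rpz
@@ -0,0 +1,39 @@
+#!/usr/bin/perl
+
+# usage: curl --silent https://www.spamhaus.org/drop/drop.txt | $0 > /path/to/spamhaus-drop.rpz.local
+#
+# unbound.conf:
+# rpz:
+# name: "spamhaus-drop.rpz.local."
+# zonefile: "/path/tp/spamhaus-drop.rpz.local"
+# rpz-log: yes
+# rpz-log-name: "spamhaus-drop"
+#
+
+use strict;
+use vars qw{$o1 $o2 $o3 $o4 $m};
+
+# trailing dots required
+my $origin = 'drop.spamhaus.org.rpz.local.';
+my $mname = 'localhost.';
+my $rname = 'root.localhost.';
+my $ns = $mname;
+
+my $rpz_action = '.'; # return NXDOMAIN
+#my $rpz_action = '*.'; # return NODATA
+#my $rpz_action = 'rpz-drop.'; # drop the query
+
+print "$origin SOA $mname $rname 1 43200 7200 2419200 3600\n";
+print "$origin NS $ns\n";
+while(<>) {
+if(($o1, $o2, $o3, $o4, $m) = m{(\d+)\.(\d+)\.(\d+)\.(\d+)/(\d+)}) {
+print "$m.$o4.$o3.$o2.$o1.rpz-ip.$origin CNAME $rpz_action\n";
+} else {
+print "$_";
+}
+}
+
+# add a testpoint: ask for "dns.google"
+# print "32.8.8.8.8.rpz-ip.$origin CNAME $rpz_action\n";
+
+exit;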
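Review bot: The `else` branch (`print "$_"`) copies every input line that fails the CIDR match verbatim into the zonefile, and the match itself accepts any digit run for octets and prefix length, so a changed or malformed feed line goes straight into the zone unbound loads as policy; pass through only `;` comment and blank lines, warn on anything else, and anchor and range-check the prefix as below. The script's `$origin` is `drop.spamhaus.org.rpz.local.` while the usage header tells the operator to configure `name: "spamhaus-drop.rpz.local."`, so the documented config presumably does not load the generated zone — the two should agree, and `/path/tp/` in the same header is a typo. The SOA serial is hard-coded to `1`, which is fine for a file unbound reads locally but would need to change if the zone were ever transferred. Proposed loop:
```perl
# … unchanged: header comment, $origin/$rpz_action setup, SOA and NS lines …
while(<>) {
	if(($o1, $o2, $o3, $o4, $m) = m{^\s*(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})(?:\s|;|$)}) {
		if($m > 32 || grep { $_ > 255 } ($o1, $o2, $o3, $o4)) {
			warn "drop2rpz: line $. is not a valid IPv4 prefix, skipped: $_";
			next;
		}
		print "$m.$o4.$o3.$o2.$o1.rpz-ip.$origin CNAME $rpz_action\n";
	} elsif(/^\s*(?:;|$)/) {
		print "$_";	# comment or blank line; safe to copy into the zonefile
	} else {
		warn "drop2rpz: unrecognised line $. skipped: $_";
	}
}
# … unchanged: testpoint comment, exit …
```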
|
|
@ -1,3 +1,24 @@
|
|||
17 February 2020: Wouter
|
||||
- changelog point where the tag for 1.10.0rc2 release is.
|
||||
|
||||
17 February 2020: Ralph
|
||||
- Add respip to supported module-config options in unbound-checkconf.
|
||||
|
||||
17 February 2020: George
|
||||
- Remove unused variable.
|
||||
|
||||
17 February 2020: Wouter
|
||||
- contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
|
||||
in RPZ-Format, contributed by Andreas Schulze.
|
||||
|
||||
14 February 2020: Wouter
|
||||
- Fix spelling in unbound.conf.5.in.
|
||||
- Stop unbound-checkconf from insisting that auth-zone and rpz
|
||||
zonefiles have to exist. They can not exist, and download later.
|
||||
|
||||
13 February 2020: Wouter
|
||||
- tag for 1.10.0rc1 release.
|
||||
|
||||
12 February 2020: Wouter
|
||||
- Fix with libnettle make test with dsa disabled.
|
||||
- Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
|
||||
|
|
|
|||
|
|
@ -65,7 +65,7 @@ server:
|
|||
.SH "FILE FORMAT"
|
||||
There must be whitespace between keywords. Attribute keywords end with a
|
||||
colon ':'. An attribute is followed by a value, or its containing attributes
|
||||
in which case it is refered to as a clause. Clauses can be repeated throughout
|
||||
in which case it is referred to as a clause. Clauses can be repeated throughout
|
||||
the file (or included files) to group attributes under the same clause.
|
||||
.P
|
||||
Files can be included using the
|
||||
|
|
@ -2246,7 +2246,7 @@ Specify a string to be part of the log line, for easy referencing.
|
|||
.TP
|
||||
.B tags: \fI<list of tags>
|
||||
Limit the policies from this RPZ clause to clients with a matching tag. Tags
|
||||
need to be defined in \fBdefine\-tag\fR and can be assiged to client addresses
|
||||
need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
|
||||
using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put
|
||||
spaces between tags. If no tags are specified the policies from this clause will
|
||||
be applied for all clients.
|
||||
|
|
|
|||
|
|
@ -1944,7 +1944,6 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
|
|||
|
||||
sq->pending = NULL; /* removed after callback */
|
||||
if(error == NETEVENT_TIMEOUT) {
|
||||
int rto = 0;
|
||||
if(sq->status == serviced_query_UDP_EDNS && sq->last_rtt < 5000) {
|
||||
/* fallback to 1480/1280 */
|
||||
sq->status = serviced_query_UDP_EDNS_FRAG;
|
||||
|
|
@ -1960,9 +1959,9 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
|
|||
sq->status = serviced_query_UDP_EDNS;
|
||||
}
|
||||
sq->retry++;
|
||||
if(!(rto=infra_rtt_update(outnet->infra, &sq->addr, sq->addrlen,
|
||||
if(!infra_rtt_update(outnet->infra, &sq->addr, sq->addrlen,
|
||||
sq->zone, sq->zonelen, sq->qtype, -1, sq->last_rtt,
|
||||
(time_t)now.tv_sec)))
|
||||
(time_t)now.tv_sec))
|
||||
log_err("out of memory in UDP exponential backoff");
|
||||
if(sq->retry < OUTBOUND_UDP_RETRY) {
|
||||
log_name_addr(VERB_ALGO, "retry query", sq->qbuf+10,
|
||||
|
|
|
|||
|
|
@ -469,7 +469,6 @@ check_modules_exist(const char* module_conf)
|
|||
static void
|
||||
morechecks(struct config_file* cfg)
|
||||
{
|
||||
struct config_auth* auth;
|
||||
warn_hosts("stub-host", cfg->stubs);
|
||||
warn_hosts("forward-host", cfg->forwards);
|
||||
interfacechecks(cfg);
|
||||
|
|
@ -535,12 +534,6 @@ morechecks(struct config_file* cfg)
|
|||
cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
|
||||
check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
|
||||
cfg->chrootdir, cfg);
|
||||
for(auth = cfg->auths; auth; auth = auth->next) {
|
||||
char* az = (auth->isrpz) ? "rpz zonefile" :
|
||||
"auth-zone zonefile";
|
||||
check_chroot_string(az, &auth->zonefile,
|
||||
cfg->chrootdir, cfg);
|
||||
}
|
||||
#ifdef USE_IPSECMOD
|
||||
if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) {
|
||||
/* only check hook if enabled */
|
||||
|
|
@ -555,10 +548,7 @@ morechecks(struct config_file* cfg)
|
|||
/* check that the modules listed in module_conf exist */
|
||||
check_modules_exist(cfg->module_conf);
|
||||
|
||||
/* There should be no reason for 'respip' module not to work with
|
||||
* dns64, but it's not explicitly confirmed, so the combination is
|
||||
* excluded below. It's simply unknown yet for the combination of
|
||||
* respip and other modules. */
|
||||
/* Respip is known to *not* work with dns64. */
|
||||
if(strcmp(cfg->module_conf, "iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 validator iterator") != 0
|
||||
|
|
@ -567,7 +557,9 @@ morechecks(struct config_file* cfg)
|
|||
&& strcmp(cfg->module_conf, "respip validator iterator") != 0
|
||||
#ifdef WITH_PYTHONMODULE
|
||||
&& strcmp(cfg->module_conf, "python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python respip iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python respip validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "validator python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 python validator iterator") != 0
|
||||
|
|
@ -577,7 +569,9 @@ morechecks(struct config_file* cfg)
|
|||
#endif
|
||||
#ifdef USE_CACHEDB
|
||||
&& strcmp(cfg->module_conf, "validator cachedb iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "respip validator cachedb iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "cachedb iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "respip cachedb iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 validator cachedb iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 cachedb iterator") != 0
|
||||
#endif
|
||||
|
|
@ -587,39 +581,61 @@ morechecks(struct config_file* cfg)
|
|||
&& strcmp(cfg->module_conf, "dns64 python cachedb iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 python validator cachedb iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python cachedb iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python respip cachedb iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python validator cachedb iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python respip validator cachedb iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "cachedb python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "respip cachedb python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "validator cachedb python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "respip validator cachedb python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "validator python cachedb iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "respip validator python cachedb iterator") != 0
|
||||
#endif
|
||||
#ifdef CLIENT_SUBNET
|
||||
&& strcmp(cfg->module_conf, "subnetcache iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "respip subnetcache iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "respip subnetcache validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 subnetcache iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "dns64 subnetcache validator iterator") != 0
|
||||
#endif
|
||||
#if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET)
|
||||
&& strcmp(cfg->module_conf, "python subnetcache iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python respip subnetcache iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "subnetcache python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "respip subnetcache python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python respip subnetcache validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "respip subnetcache python validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "respip subnetcache validator python iterator") != 0
|
||||
#endif
|
||||
#ifdef USE_IPSECMOD
|
||||
&& strcmp(cfg->module_conf, "ipsecmod iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod respip iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod respip validator iterator") != 0
|
||||
#endif
|
||||
#if defined(WITH_PYTHONMODULE) && defined(USE_IPSECMOD)
|
||||
&& strcmp(cfg->module_conf, "python ipsecmod iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python ipsecmod respip iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod python respip iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod respip validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python ipsecmod validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "python ipsecmod respip validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod python validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod python respip validator iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod validator python iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipsecmod respip validator python iterator") != 0
|
||||
#endif
|
||||
#ifdef USE_IPSET
|
||||
&& strcmp(cfg->module_conf, "validator ipset iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "validator ipset respip iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipset iterator") != 0
|
||||
&& strcmp(cfg->module_conf, "ipset respip iterator") != 0
|
||||
#endif
|
||||
) {
|
||||
fatal_exit("module conf '%s' is not known to work",
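Review bot: Dropping the whole `for(auth = cfg->auths; auth; auth = auth->next)` loop removes not only the file-existence test the Changelog entry describes but also the `check_chroot_string` pass over `auth->zonefile`, which, judging by its use on the neighbouring anchor-file options, is what verifies a configured path lies inside `chrootdir`; if that is its role, an rpz or auth-zone zonefile outside the chroot now passes unbound-checkconf and only fails at runtime, so the loop should presumably be kept with just the existence test relaxed (the helper's body is outside this hunk, so confirm). Separately, in the last hunk the `#if defined(WITH_PYTHONMODULE) && defined(USE_IPSECMOD)` block lists `"ipsecmod validator iterator"` and the newly added `"ipsecmod respip validator iterator"` a second time, both already present under `#ifdef USE_IPSECMOD`; the duplicates are harmless but should be removed. Because every accepted module-config is an exact `strcmp`, a value with doubled or trailing spaces is rejected as 'not known to work' even when the module order is valid, which the fatal message could say. `morechecks` continues past the end of the hunk.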
|
||||
|
|
|
|||