diff --git a/contrib/README b/contrib/README index d8afceabd..18c076fd8 100644 --- a/contrib/README +++ b/contrib/README @@ -51,3 +51,5 @@ distribution but may be helpful. compile. From Saksham Manchanda (Secure64). Please note that we think this will drop DNSKEY and DS lookups for tlds and hence break DNSSEC lookups for downstream clients. +* drop2rpz: perl script that converts the Spamhaus DROP-List in RPZ-Format, + contributed by Andreas Schulze. diff --git a/contrib/drop2rpz b/contrib/drop2rpz new file mode 100644 index 000000000..01602f651 --- /dev/null +++ b/contrib/drop2rpz @@ -0,0 +1,39 @@ +#!/usr/bin/perl + +# usage: curl --silent https://www.spamhaus.org/drop/drop.txt | $0 > /path/to/spamhaus-drop.rpz.local +# +# unbound.conf: +# rpz: +# name: "spamhaus-drop.rpz.local." +# zonefile: "/path/tp/spamhaus-drop.rpz.local" +# rpz-log: yes +# rpz-log-name: "spamhaus-drop" +# + +use strict; +use vars qw{$o1 $o2 $o3 $o4 $m}; + +# trailing dots required +my $origin = 'drop.spamhaus.org.rpz.local.'; +my $mname = 'localhost.'; +my $rname = 'root.localhost.'; +my $ns = $mname; + +my $rpz_action = '.'; # return NXDOMAIN +#my $rpz_action = '*.'; # return NODATA +#my $rpz_action = 'rpz-drop.'; # drop the query + +print "$origin SOA $mname $rname 1 43200 7200 2419200 3600\n"; +print "$origin NS $ns\n"; +while(<>) { + if(($o1, $o2, $o3, $o4, $m) = m{(\d+)\.(\d+)\.(\d+)\.(\d+)/(\d+)}) { + print "$m.$o4.$o3.$o2.$o1.rpz-ip.$origin CNAME $rpz_action\n"; + } else { + print "$_"; + } +} + +# add a testpoint: ask for "dns.google" +# print "32.8.8.8.8.rpz-ip.$origin CNAME $rpz_action\n"; + +exit; diff --git a/doc/Changelog b/doc/Changelog index 25ad03100..d9c72937a 100644 --- a/doc/Changelog +++ b/doc/Changelog 
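Review bot: The match in the `while(<>)` loop accepts `\d+.\d+.\d+.\d+/\d+` anywhere on a line without checking that the octets are at most 255 or the prefix at most 32, and every non-matching line is copied verbatim into the zone file, so an HTML error body (the usage line runs curl with `--silent` but not `--fail`) or a changed list format ends up in the RPZ zone that unbound then refuses to load, and because the shell redirect truncates the target before the script runs, a failed fetch silently replaces a good zone with an empty one. Anchor the match, range-check the fields, pass through only comment and blank lines and fail loudly on anything else, and change the usage comment to `curl --silent --fail` with output written to a temporary file that is renamed into place only on success. The SOA serial is the constant `1`, which is fine for a locally loaded zonefile but will break any secondary that ever transfers this zone; deriving it from `time()` costs one line. The unbound.conf example also has a typo, `/path/tp/`.
```perl
# … unchanged: SOA and NS records …
while(<>) {
    if(($o1, $o2, $o3, $o4, $m) = m{^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)/(\d+)\s*(?:;.*)?$}) {
        die "$0: invalid network on input line $.: $_"
            if $m > 32 || grep { $_ > 255 } ($o1, $o2, $o3, $o4);
        print "$m.$o4.$o3.$o2.$o1.rpz-ip.$origin CNAME $rpz_action\n";
    } elsif(m{^\s*(?:;.*)?$}) {
        print;    # comments and blank lines are legal in a zonefile
    } else {
        die "$0: unexpected input on line $.: $_";
    }
}
```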
@@ -1,3 +1,24 @@ +17 February 2020: Wouter + - changelog point where the tag for 1.10.0rc2 release is. + +17 February 2020: Ralph + - Add respip to supported module-config options in unbound-checkconf. + +17 February 2020: George + - Remove unused variable. + +17 February 2020: Wouter + - contrib/drop2rpz: perl script that converts the Spamhaus DROP-List + in RPZ-Format, contributed by Andreas Schulze. + +14 February 2020: Wouter + - Fix spelling in unbound.conf.5.in. + - Stop unbound-checkconf from insisting that auth-zone and rpz + zonefiles have to exist. They can not exist, and download later. + +13 February 2020: Wouter + - tag for 1.10.0rc1 release. + 12 February 2020: Wouter - Fix with libnettle make test with dsa disabled. - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 86a962430..7b48e2eaf 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -65,7 +65,7 @@ server: .SH "FILE FORMAT" There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute is followed by a value, or its containing attributes -in which case it is refered to as a clause. Clauses can be repeated throughout +in which case it is referred to as a clause. Clauses can be repeated throughout the file (or included files) to group attributes under the same clause. .P Files can be included using the @@ -2246,7 +2246,7 @@ Specify a string to be part of the log line, for easy referencing. .TP .B tags: \fI Limit the policies from this RPZ clause to clients with a matching tag. Tags -need to be defined in \fBdefine\-tag\fR and can be assiged to client addresses +need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put spaces between tags. If no tags are specified the policies from this clause will be applied for all clients. 
diff --git a/services/outside_network.c b/services/outside_network.c index 721dd335a..1b9261e70 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -1944,7 +1944,6 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error, sq->pending = NULL; /* removed after callback */ if(error == NETEVENT_TIMEOUT) { - int rto = 0; if(sq->status == serviced_query_UDP_EDNS && sq->last_rtt < 5000) { /* fallback to 1480/1280 */ sq->status = serviced_query_UDP_EDNS_FRAG; @@ -1960,9 +1959,9 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error, sq->status = serviced_query_UDP_EDNS; } sq->retry++; - if(!(rto=infra_rtt_update(outnet->infra, &sq->addr, sq->addrlen, + if(!infra_rtt_update(outnet->infra, &sq->addr, sq->addrlen, sq->zone, sq->zonelen, sq->qtype, -1, sq->last_rtt, - (time_t)now.tv_sec))) + (time_t)now.tv_sec)) log_err("out of memory in UDP exponential backoff"); if(sq->retry < OUTBOUND_UDP_RETRY) { log_name_addr(VERB_ALGO, "retry query", sq->qbuf+10, diff --git a/smallapp/unbound-checkconf.c b/smallapp/unbound-checkconf.c index 07b8f4522..c46d41215 100644 --- a/smallapp/unbound-checkconf.c +++ b/smallapp/unbound-checkconf.c @@ -469,7 +469,6 @@ check_modules_exist(const char* module_conf) static void morechecks(struct config_file* cfg) { - struct config_auth* auth; warn_hosts("stub-host", cfg->stubs); warn_hosts("forward-host", cfg->forwards); interfacechecks(cfg); @@ -535,12 +534,6 @@ morechecks(struct config_file* cfg) cfg->trusted_keys_file_list, cfg->chrootdir, cfg); check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file, cfg->chrootdir, cfg); - for(auth = cfg->auths; auth; auth = auth->next) { - char* az = (auth->isrpz) ? "rpz zonefile" : - "auth-zone zonefile"; - check_chroot_string(az, &auth->zonefile, - cfg->chrootdir, cfg); - } #ifdef USE_IPSECMOD if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) { /* only check hook if enabled */ 
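Review bot: Removing the whole `check_chroot_string` loop over `cfg->auths` drops more than the existence test the changelog describes: that call is also what validates (and, given the `&auth->zonefile` argument, presumably rewrites) the zonefile path against `cfg->chrootdir`, so an auth-zone or rpz `zonefile:` outside the chroot now passes unbound-checkconf and only fails once the daemon is running. If check_chroot_string cannot separate "missing" from "outside the chroot", keep a containment check at this spot and skip only the existence test, roughly as below; it needs the `struct config_auth* auth` declaration that the preceding hunk removed. `morechecks()` starts before and continues after this hunk.
```c
	/* … unchanged: dlv-anchor-file check … */
	{
		/* auth-zone and rpz zonefiles may not exist yet (they can be
		 * downloaded later), but they must still live inside the chroot */
		struct config_auth* auth;
		for(auth = cfg->auths; auth; auth = auth->next) {
			if(!auth->zonefile || !cfg->chrootdir || !cfg->chrootdir[0])
				continue;
			if(auth->zonefile[0] == '/' && strncmp(auth->zonefile,
				cfg->chrootdir, strlen(cfg->chrootdir)) != 0)
				fatal_exit("%s zonefile %s is not inside chroot %s",
					auth->isrpz?"rpz":"auth-zone",
					auth->zonefile, cfg->chrootdir);
		}
	}
```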
@@ -555,10 +548,7 @@ morechecks(struct config_file* cfg) /* check that the modules listed in module_conf exist */ check_modules_exist(cfg->module_conf); - /* There should be no reason for 'respip' module not to work with - * dns64, but it's not explicitly confirmed, so the combination is - * excluded below. It's simply unknown yet for the combination of - * respip and other modules. */ + /* Respip is known to *not* work with dns64. */ if(strcmp(cfg->module_conf, "iterator") != 0 && strcmp(cfg->module_conf, "validator iterator") != 0 && strcmp(cfg->module_conf, "dns64 validator iterator") != 0 @@ -567,7 +557,9 @@ morechecks(struct config_file* cfg) && strcmp(cfg->module_conf, "respip validator iterator") != 0 #ifdef WITH_PYTHONMODULE && strcmp(cfg->module_conf, "python iterator") != 0 + && strcmp(cfg->module_conf, "python respip iterator") != 0 && strcmp(cfg->module_conf, "python validator iterator") != 0 + && strcmp(cfg->module_conf, "python respip validator iterator") != 0 && strcmp(cfg->module_conf, "validator python iterator") != 0 && strcmp(cfg->module_conf, "dns64 python iterator") != 0 && strcmp(cfg->module_conf, "dns64 python validator iterator") != 0 @@ -577,7 +569,9 @@ morechecks(struct config_file* cfg) #endif #ifdef USE_CACHEDB && strcmp(cfg->module_conf, "validator cachedb iterator") != 0 + && strcmp(cfg->module_conf, "respip validator cachedb iterator") != 0 && strcmp(cfg->module_conf, "cachedb iterator") != 0 + && strcmp(cfg->module_conf, "respip cachedb iterator") != 0 && strcmp(cfg->module_conf, "dns64 validator cachedb iterator") != 0 && strcmp(cfg->module_conf, "dns64 cachedb iterator") != 0 #endif 
@@ -587,39 +581,61 @@ morechecks(struct config_file* cfg) && strcmp(cfg->module_conf, "dns64 python cachedb iterator") != 0 && strcmp(cfg->module_conf, "dns64 python validator cachedb iterator") != 0 && strcmp(cfg->module_conf, "python cachedb iterator") != 0 + && strcmp(cfg->module_conf, "python respip cachedb iterator") != 0 && strcmp(cfg->module_conf, "python validator cachedb iterator") != 0 + && strcmp(cfg->module_conf, "python respip validator cachedb iterator") != 0 && strcmp(cfg->module_conf, "cachedb python iterator") != 0 + && strcmp(cfg->module_conf, "respip cachedb python iterator") != 0 && strcmp(cfg->module_conf, "validator cachedb python iterator") != 0 + && strcmp(cfg->module_conf, "respip validator cachedb python iterator") != 0 && strcmp(cfg->module_conf, "validator python cachedb iterator") != 0 + && strcmp(cfg->module_conf, "respip validator python cachedb iterator") != 0 #endif #ifdef CLIENT_SUBNET && strcmp(cfg->module_conf, "subnetcache iterator") != 0 + && strcmp(cfg->module_conf, "respip subnetcache iterator") != 0 && strcmp(cfg->module_conf, "subnetcache validator iterator") != 0 + && strcmp(cfg->module_conf, "respip subnetcache validator iterator") != 0 && strcmp(cfg->module_conf, "dns64 subnetcache iterator") != 0 && strcmp(cfg->module_conf, "dns64 subnetcache validator iterator") != 0 #endif #if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET) && strcmp(cfg->module_conf, "python subnetcache iterator") != 0 + && strcmp(cfg->module_conf, "python respip subnetcache iterator") != 0 && strcmp(cfg->module_conf, "subnetcache python iterator") != 0 + && strcmp(cfg->module_conf, "respip subnetcache python iterator") != 0 && strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0 + && strcmp(cfg->module_conf, "python respip subnetcache validator iterator") != 0 && strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0 + && strcmp(cfg->module_conf, "respip subnetcache python validator iterator") != 0 && 
strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0 + && strcmp(cfg->module_conf, "respip subnetcache validator python iterator") != 0 #endif #ifdef USE_IPSECMOD && strcmp(cfg->module_conf, "ipsecmod iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod respip iterator") != 0 && strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod respip validator iterator") != 0 #endif #if defined(WITH_PYTHONMODULE) && defined(USE_IPSECMOD) && strcmp(cfg->module_conf, "python ipsecmod iterator") != 0 + && strcmp(cfg->module_conf, "python ipsecmod respip iterator") != 0 && strcmp(cfg->module_conf, "ipsecmod python iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod python respip iterator") != 0 && strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod respip validator iterator") != 0 && strcmp(cfg->module_conf, "python ipsecmod validator iterator") != 0 + && strcmp(cfg->module_conf, "python ipsecmod respip validator iterator") != 0 && strcmp(cfg->module_conf, "ipsecmod python validator iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod python respip validator iterator") != 0 && strcmp(cfg->module_conf, "ipsecmod validator python iterator") != 0 + && strcmp(cfg->module_conf, "ipsecmod respip validator python iterator") != 0 #endif #ifdef USE_IPSET && strcmp(cfg->module_conf, "validator ipset iterator") != 0 + && strcmp(cfg->module_conf, "validator ipset respip iterator") != 0 && strcmp(cfg->module_conf, "ipset iterator") != 0 + && strcmp(cfg->module_conf, "ipset respip iterator") != 0 #endif ) { fatal_exit("module conf '%s' is not known to work",
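Review bot: The new comparison `&& strcmp(cfg->module_conf, "ipsecmod respip validator iterator") != 0` is added twice, once under `#ifdef USE_IPSECMOD` and again under `#if defined(WITH_PYTHONMODULE) && defined(USE_IPSECMOD)`, copying the pre-existing duplicate of `ipsecmod validator iterator` in the python block; the second copy is dead and should be dropped. On style, this allow-list is now several dozen hand-maintained `strcmp` calls spread over nested `#ifdef` blocks, which is exactly how the duplicate slipped in and how a missing combination turns into a `fatal_exit` for users; a `static const char* const known_module_confs[]` table with the same `#ifdef` guards, walked in a loop before the `fatal_exit`, would make omissions and duplicates visible at a glance. The enclosing `morechecks()` continues past the end of this hunk.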