From 77bdbc6e98ff9315f57fe13ecd7c0628183be85a Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Fri, 14 Feb 2020 07:54:49 +0100
Subject: [PATCH 1/8] - Fix spelling in unbound.conf.5.in.

---
 doc/Changelog | 6 ++++++
 doc/unbound.conf.5.in | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index 25ad03100..1e1c7c11b 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,9 @@
+14 February 2020: Wouter
+ - Fix spelling in unbound.conf.5.in.
+
+13 February 2020: Wouter
+ - tag for 1.10.0rc1 release.
+
 12 February 2020: Wouter
 - Fix with libnettle make test with dsa disabled.
 - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 38c2d2984..aef2e977f 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -65,7 +65,7 @@ server:
 .SH "FILE FORMAT"
 There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute is followed by a value, or its containing attributes
-in which case it is refered to as a clause. Clauses can be repeated throughout
+in which case it is referred to as a clause. Clauses can be repeated throughout
 the file (or included files) to group attributes under the same clause.
 .P
 Files can be included using the
@@ -2174,7 +2174,7 @@ Specify a string to be part of the log line, for easy referencing.
 .TP
 .B tags: \fI Limit the policies from this RPZ clause to clients with a matching tag. Tags
-need to be defined in \fBdefine\-tag\fR and can be assiged to client addresses
+need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
 using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put spaces between tags. If no tags are specified the policies from this clause will be applied for all clients.
From 2665ae0414341dd6f2aed5d90588d55bd2a87be8 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Fri, 14 Feb 2020 07:57:57 +0100
Subject: [PATCH 2/8] - Stop unbound-checkconf from insisting that auth-zone and rpz zonefiles have to exist. They can not exist, and download later.

---
 doc/Changelog | 2 ++
 smallapp/unbound-checkconf.c | 7 -------
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index 1e1c7c11b..6bbb4dba5 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,7 @@
 14 February 2020: Wouter
 - Fix spelling in unbound.conf.5.in.
+ - Stop unbound-checkconf from insisting that auth-zone and rpz
+ zonefiles have to exist. They can not exist, and download later.
 13 February 2020: Wouter
 - tag for 1.10.0rc1 release.
diff --git a/smallapp/unbound-checkconf.c b/smallapp/unbound-checkconf.c
index 07b8f4522..27c6d4c3a 100644
--- a/smallapp/unbound-checkconf.c
+++ b/smallapp/unbound-checkconf.c
@@ -469,7 +469,6 @@ check_modules_exist(const char* module_conf)
 static void
 morechecks(struct config_file* cfg)
 {
- struct config_auth* auth;
 warn_hosts("stub-host", cfg->stubs);
 warn_hosts("forward-host", cfg->forwards);
 interfacechecks(cfg);
@@ -535,12 +534,6 @@ morechecks(struct config_file* cfg)
 cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
 check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file, cfg->chrootdir, cfg);
- for(auth = cfg->auths; auth; auth = auth->next) {
- char* az = (auth->isrpz) ? "rpz zonefile" :
- "auth-zone zonefile";
- check_chroot_string(az, &auth->zonefile,
- cfg->chrootdir, cfg);
- }
 #ifdef USE_IPSECMOD
 if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) { /* only check hook if enabled */
From 42fdfd8121a63ee7e2fc9e62ff60d700acbb061a Mon Sep 17 00:00:00 2001
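Review bot: Deleting the whole loop removes more than the existence requirement: `check_chroot_string` is handed `&auth->zonefile`, a pointer to the configured string, which suggests it also rewrites the path relative to `cfg->chrootdir` (the helper's body is not in the hunk, so this is inferred); if so, auth-zone and rpz zonefiles become the only file settings in `morechecks` that skip the chroot adjustment, while the `dlv-anchor-file` call just above still receives it. A zonefile that is downloaded later still needs an existing, writable parent directory, so the common misconfiguration could still be caught with a weaker check that warns when the zonefile's directory is missing instead of insisting on the file itself. Removing the check outright also means a typo in `zonefile:` is now only discovered at runtime, after the transfer completes and the write fails. `morechecks` begins and ends outside this hunk.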
From: "W.C.A. Wijngaards"
Date: Mon, 17 Feb 2020 10:09:46 +0100
Subject: [PATCH 3/8] - contrib/drop2rpz: perl script that converts the Spamhaus DROP-List in RPZ-Format, contributed by Andreas Schulze.

---
 contrib/README | 2 ++
 contrib/drop2rpz | 39 +++++++++++++++++++++++++++++++++++++++
 doc/Changelog | 4 ++++
 3 files changed, 45 insertions(+)
 create mode 100644 contrib/drop2rpz

diff --git a/contrib/README b/contrib/README
index d8afceabd..18c076fd8 100644
--- a/contrib/README
+++ b/contrib/README
@@ -51,3 +51,5 @@ distribution but may be helpful.
 compile. From Saksham Manchanda (Secure64). Please note that we think this will drop DNSKEY and DS lookups for tlds and hence break DNSSEC lookups for downstream clients.
+* drop2rpz: perl script that converts the Spamhaus DROP-List in RPZ-Format,
+ contributed by Andreas Schulze.
diff --git a/contrib/drop2rpz b/contrib/drop2rpz
new file mode 100644
index 000000000..01602f651
--- /dev/null
+++ b/contrib/drop2rpz
@@ -0,0 +1,39 @@
+#!/usr/bin/perl
+
+# usage: curl --silent https://www.spamhaus.org/drop/drop.txt | $0 > /path/to/spamhaus-drop.rpz.local
+#
+# unbound.conf:
+# rpz:
+# name: "spamhaus-drop.rpz.local."
+# zonefile: "/path/tp/spamhaus-drop.rpz.local"
+# rpz-log: yes
+# rpz-log-name: "spamhaus-drop"
+#
+
+use strict;
+use vars qw{$o1 $o2 $o3 $o4 $m};
+
+# trailing dots required
+my $origin = 'drop.spamhaus.org.rpz.local.';
+my $mname = 'localhost.';
+my $rname = 'root.localhost.';
+my $ns = $mname;
+
+my $rpz_action = '.'; # return NXDOMAIN
+#my $rpz_action = '*.'; # return NODATA
+#my $rpz_action = 'rpz-drop.'; # drop the query
+
+print "$origin SOA $mname $rname 1 43200 7200 2419200 3600\n";
+print "$origin NS $ns\n";
+while(<>) {
+ if(($o1, $o2, $o3, $o4, $m) = m{(\d+)\.(\d+)\.(\d+)\.(\d+)/(\d+)}) {
+ print "$m.$o4.$o3.$o2.$o1.rpz-ip.$origin CNAME $rpz_action\n";
+ } else {
+ print "$_";
+ }
+}
+
+# add a testpoint: ask for "dns.google"
+# print "32.8.8.8.8.rpz-ip.$origin CNAME $rpz_action\n";
+
+exit;
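Review bot: The `else` branch copies every non-matching input line unchanged into the generated zone, so anything the fetch returns that is not a CIDR entry — a changed list format, an HTML error page from the `curl --silent` run — becomes zone-file content that Unbound will try to parse as policy, and the regex does not bound its captures, so an entry like `300.1.2.3/40` is emitted as an `rpz-ip` record that is not a valid address. Only DROP-list comments (lines starting with `;`, which are also zonefile comments) and blank lines need to pass through; other lines and out-of-range octets or prefix lengths are better skipped with a warning on stderr so the problem is visible instead of silently shipped into the policy zone. The SOA serial is also fixed at `1`, so anything that tracks the serial would never see a regenerated file as changed; an epoch- or date-based serial avoids that if the zone is ever transferred rather than loaded from disk. The rewritten `while` loop:
```perl
while(<>) {
	if(($o1, $o2, $o3, $o4, $m) = m{(\d+)\.(\d+)\.(\d+)\.(\d+)/(\d+)}) {
		# refuse out-of-range octets / prefix lengths instead of emitting a bad record
		if($o1 > 255 || $o2 > 255 || $o3 > 255 || $o4 > 255 || $m > 32) {
			warn "drop2rpz: skipping malformed entry: $_";
			next;
		}
		print "$m.$o4.$o3.$o2.$o1.rpz-ip.$origin CNAME $rpz_action\n";
	} elsif(m{^\s*(;|$)}) {
		print "$_";	# DROP-list comments and blank lines are valid zone-file text
	} else {
		warn "drop2rpz: skipping unexpected line: $_";
	}
}
```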
diff --git a/doc/Changelog b/doc/Changelog
index 6bbb4dba5..03fcb7d42 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+17 February 2020: Wouter
+ - drop2rpz: perl script that converts the Spamhaus DROP-List in
+ RPZ-Format, contributed by Andreas Schulze.
+
 14 February 2020: Wouter
 - Fix spelling in unbound.conf.5.in.
 - Stop unbound-checkconf from insisting that auth-zone and rpz
From a9b7638f4b517560f36485f6dc21701e2020b487 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Mon, 17 Feb 2020 10:10:44 +0100
Subject: [PATCH 4/8] Neater changelog

---
 doc/Changelog | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index 03fcb7d42..82502bc14 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,6 @@
 17 February 2020: Wouter
- - drop2rpz: perl script that converts the Spamhaus DROP-List in
- RPZ-Format, contributed by Andreas Schulze.
+ - contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
+ in RPZ-Format, contributed by Andreas Schulze.
 14 February 2020: Wouter
 - Fix spelling in unbound.conf.5.in.
From 4b354d38c11f5609bfb69ff6ca0c0783f25f33d0 Mon Sep 17 00:00:00 2001
From: George Thessalonikefs
Date: Mon, 17 Feb 2020 12:56:20 +0100
Subject: [PATCH 5/8] - Remove unused variable.

---
 doc/Changelog | 3 +++
 services/outside_network.c | 5 ++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index 82502bc14..9f14eafa5 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+17 February 2020: George
+ - Remove unused variable.
+
 17 February 2020: Wouter
 - contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
 in RPZ-Format, contributed by Andreas Schulze.
diff --git a/services/outside_network.c b/services/outside_network.c
index 9876c2150..80b1f1245 100644
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -1974,7 +1974,6 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 sq->pending = NULL; /* removed after callback */
 if(error == NETEVENT_TIMEOUT) {
- int rto = 0;
 if(sq->status == serviced_query_UDP_EDNS && sq->last_rtt < 5000) { /* fallback to 1480/1280 */ sq->status = serviced_query_UDP_EDNS_FRAG;
@@ -1990,9 +1989,9 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 sq->status = serviced_query_UDP_EDNS;
 }
 sq->retry++;
- if(!(rto=infra_rtt_update(outnet->infra, &sq->addr, sq->addrlen,
+ if(!infra_rtt_update(outnet->infra, &sq->addr, sq->addrlen,
 sq->zone, sq->zonelen, sq->qtype, -1, sq->last_rtt,
- (time_t)now.tv_sec)))
+ (time_t)now.tv_sec))
 log_err("out of memory in UDP exponential backoff");
 if(sq->retry < OUTBOUND_UDP_RETRY) {
 log_name_addr(VERB_ALGO, "retry query", sq->qbuf+10,
From fe5370a98ae6a0ee3161e28ec3de0ac01327a1bd Mon Sep 17 00:00:00 2001
From: Ralph Dolmans
Date: Mon, 17 Feb 2020 13:36:30 +0100
Subject: [PATCH 6/8] - Add respip to supported module-config options in unbound-checkconf.

---
 doc/Changelog | 3 +++
 smallapp/unbound-checkconf.c | 31 +++++++++++++++++++++++++++----
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index 9f14eafa5..322eceea8 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+17 February 2020: Ralph
+ - Add respip to supported module-config options in unbound-checkconf.
+
 17 February 2020: George
 - Remove unused variable.
diff --git a/smallapp/unbound-checkconf.c b/smallapp/unbound-checkconf.c
index 27c6d4c3a..1d31fd84e 100644
--- a/smallapp/unbound-checkconf.c
+++ b/smallapp/unbound-checkconf.c
@@ -548,10 +548,7 @@ morechecks(struct config_file* cfg)
 /* check that the modules listed in module_conf exist */
 check_modules_exist(cfg->module_conf);
- /* There should be no reason for 'respip' module not to work with
- * dns64, but it's not explicitly confirmed, so the combination is
- * excluded below. It's simply unknown yet for the combination of
- * respip and other modules. */
+ /* Respip is know to *not* work with dns64. */
 if(strcmp(cfg->module_conf, "iterator") != 0
 && strcmp(cfg->module_conf, "validator iterator") != 0
 && strcmp(cfg->module_conf, "dns64 validator iterator") != 0
@@ -560,7 +557,9 @@ morechecks(struct config_file* cfg)
 && strcmp(cfg->module_conf, "respip validator iterator") != 0
 #ifdef WITH_PYTHONMODULE
 && strcmp(cfg->module_conf, "python iterator") != 0
+ && strcmp(cfg->module_conf, "python respip iterator") != 0
 && strcmp(cfg->module_conf, "python validator iterator") != 0
+ && strcmp(cfg->module_conf, "python respip validator iterator") != 0
 && strcmp(cfg->module_conf, "validator python iterator") != 0
 && strcmp(cfg->module_conf, "dns64 python iterator") != 0
 && strcmp(cfg->module_conf, "dns64 python validator iterator") != 0
@@ -570,7 +569,9 @@ morechecks(struct config_file* cfg)
 #endif
 #ifdef USE_CACHEDB
 && strcmp(cfg->module_conf, "validator cachedb iterator") != 0
+ && strcmp(cfg->module_conf, "respip validator cachedb iterator") != 0
 && strcmp(cfg->module_conf, "cachedb iterator") != 0
+ && strcmp(cfg->module_conf, "respip cachedb iterator") != 0
 && strcmp(cfg->module_conf, "dns64 validator cachedb iterator") != 0
 && strcmp(cfg->module_conf, "dns64 cachedb iterator") != 0
 #endif
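Review bot: The replacement comment `/* Respip is know to *not* work with dns64. */` explains only one exclusion, while the `strcmp` list that follows is the sole definition of which module orderings unbound-checkconf accepts, and the removed paragraph was what told a reader that the other absent respip combinations are merely untested rather than broken. Suggest a comment that keeps both facts, e.g. `/* Explicit allow-list of module orderings known to work. Respip is known to *not* work with dns64; other combinations missing here are simply untested. */`. The `if(` condition opened in this hunk continues well past its end.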
@@ -580,39 +581,61 @@ morechecks(struct config_file* cfg)
 && strcmp(cfg->module_conf, "dns64 python cachedb iterator") != 0
 && strcmp(cfg->module_conf, "dns64 python validator cachedb iterator") != 0
 && strcmp(cfg->module_conf, "python cachedb iterator") != 0
+ && strcmp(cfg->module_conf, "python respip cachedb iterator") != 0
 && strcmp(cfg->module_conf, "python validator cachedb iterator") != 0
+ && strcmp(cfg->module_conf, "python respip validator cachedb iterator") != 0
 && strcmp(cfg->module_conf, "cachedb python iterator") != 0
+ && strcmp(cfg->module_conf, "respip cachedb python iterator") != 0
 && strcmp(cfg->module_conf, "validator cachedb python iterator") != 0
+ && strcmp(cfg->module_conf, "respip validator cachedb python iterator") != 0
 && strcmp(cfg->module_conf, "validator python cachedb iterator") != 0
+ && strcmp(cfg->module_conf, "respip validator python cachedb iterator") != 0
 #endif
 #ifdef CLIENT_SUBNET
 && strcmp(cfg->module_conf, "subnetcache iterator") != 0
+ && strcmp(cfg->module_conf, "respip subnetcache iterator") != 0
 && strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
+ && strcmp(cfg->module_conf, "respip subnetcache validator iterator") != 0
 && strcmp(cfg->module_conf, "dns64 subnetcache iterator") != 0
 && strcmp(cfg->module_conf, "dns64 subnetcache validator iterator") != 0
 #endif
 #if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET)
 && strcmp(cfg->module_conf, "python subnetcache iterator") != 0
+ && strcmp(cfg->module_conf, "python respip subnetcache iterator") != 0
 && strcmp(cfg->module_conf, "subnetcache python iterator") != 0
+ && strcmp(cfg->module_conf, "respip subnetcache python iterator") != 0
 && strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0
+ && strcmp(cfg->module_conf, "python respip subnetcache validator iterator") != 0
 && strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0
+ && strcmp(cfg->module_conf, "respip subnetcache python validator iterator") != 0
 && strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0
+ && strcmp(cfg->module_conf, "respip subnetcache validator python iterator") != 0
 #endif
 #ifdef USE_IPSECMOD
 && strcmp(cfg->module_conf, "ipsecmod iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod respip iterator") != 0
 && strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod respip validator iterator") != 0
 #endif
 #if defined(WITH_PYTHONMODULE) && defined(USE_IPSECMOD)
 && strcmp(cfg->module_conf, "python ipsecmod iterator") != 0
+ && strcmp(cfg->module_conf, "python ipsecmod respip iterator") != 0
 && strcmp(cfg->module_conf, "ipsecmod python iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod python respip iterator") != 0
 && strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod respip validator iterator") != 0
 && strcmp(cfg->module_conf, "python ipsecmod validator iterator") != 0
+ && strcmp(cfg->module_conf, "python ipsecmod respip validator iterator") != 0
 && strcmp(cfg->module_conf, "ipsecmod python validator iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod python respip validator iterator") != 0
 && strcmp(cfg->module_conf, "ipsecmod validator python iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod respip validator python iterator") != 0
 #endif
 #ifdef USE_IPSET
 && strcmp(cfg->module_conf, "validator ipset iterator") != 0
+ && strcmp(cfg->module_conf, "validator ipset respip iterator") != 0
 && strcmp(cfg->module_conf, "ipset iterator") != 0
+ && strcmp(cfg->module_conf, "ipset respip iterator") != 0
 #endif
 ) {
 fatal_exit("module conf '%s' is not known to work",
From b7706993198fdbdb274c2958b7de13f23d62482c Mon Sep 17 00:00:00 2001
From: Ralph Dolmans
Date: Mon, 17 Feb 2020 13:38:01 +0100
Subject: [PATCH 7/8] typo fix

---
 smallapp/unbound-checkconf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

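Review bot: The added `ipsecmod respip validator iterator` line inside the `WITH_PYTHONMODULE && USE_IPSECMOD` block duplicates the line added a few entries earlier under `#ifdef USE_IPSECMOD`, mirroring the pre-existing duplicate of `ipsecmod validator iterator` in the same two blocks, so the second copy of each can be dropped without changing what is accepted. The respip position is also not uniform across the new entries: the ipset and ipsecmod lines put respip after those modules (`validator ipset respip iterator`, `ipsecmod respip iterator`) while the cachedb and subnetcache lines put it before (`respip cachedb iterator`, `respip subnetcache iterator`); if the relative order matters, a comment stating the rule would keep future additions consistent, and if it does not, the unlisted mirror orderings are rejected by `fatal_exit` for no reason. Because the list must enumerate every accepted permutation as an exact string, each new module multiplies its size; a token-based check that rejects only the known-bad pairings (respip with dns64) and enforces the ordering constraints would be easier to keep correct, though that is a larger change than this commit. The `if(` condition these lines belong to starts before this hunk.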
diff --git a/smallapp/unbound-checkconf.c b/smallapp/unbound-checkconf.c
index 1d31fd84e..c46d41215 100644
--- a/smallapp/unbound-checkconf.c
+++ b/smallapp/unbound-checkconf.c
@@ -548,7 +548,7 @@ morechecks(struct config_file* cfg)
 /* check that the modules listed in module_conf exist */
 check_modules_exist(cfg->module_conf);
- /* Respip is know to *not* work with dns64. */
+ /* Respip is known to *not* work with dns64. */
 if(strcmp(cfg->module_conf, "iterator") != 0
 && strcmp(cfg->module_conf, "validator iterator") != 0
 && strcmp(cfg->module_conf, "dns64 validator iterator") != 0
From 85fd23769fb223707e2a30df5bf25d407364858c Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Mon, 17 Feb 2020 15:24:29 +0100
Subject: [PATCH 8/8] - changelog point where the tag for 1.10.0rc2 release is.

---
 doc/Changelog | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/doc/Changelog b/doc/Changelog
index 322eceea8..d9c72937a 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+17 February 2020: Wouter
+ - changelog point where the tag for 1.10.0rc2 release is.
+
 17 February 2020: Ralph
 - Add respip to supported module-config options in unbound-checkconf.