upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'master' into rpz-triggers

Browse source
This commit is contained in:
W.C.A. Wijngaards 2021-05-28 15:00:55 +02:00
commit cf0aad9fb6
34 changed files with 4032 additions and 3807 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
doc/Changelog
View file

@ -1,3 +1,20 @@
27 May 2021: Wouter
- Merge #496 from banburybill: Use build system endianness if
available, otherwise try to work it out.
- zonemd-check: yesno option, default no, enables the processing
of ZONEMD records for that zone.
25 May 2021: Wouter
- Move the NSEC3 max iterations count in line with the 150 value
used by BIND, Knot and PowerDNS. This sets the default value
for it in the configuration to 150 for all key sizes.
- Fix #492: module-config respip missing in unbound.conf.5.in man
page. Merges #494 from he32.
- For #492: Fix font highlighting for the man page on emacs.
21 May 2021: Wouter
- Test code has -q option for quiet output.
19 May 2021: George 19 May 2021: George
- Fix for #411, #439, #469: Reset the DNS message ID when moving queries - Fix for #411, #439, #469: Reset the DNS message ID when moving queries
between TCP streams. between TCP streams.

3
doc/example.conf.in
View file

@ -614,7 +614,7 @@ server:
# keysize. Keep this table very short, as linear search is done. # keysize. Keep this table very short, as linear search is done.
# A message with an NSEC3 with larger count is marked insecure. # A message with an NSEC3 with larger count is marked insecure.
# List in ascending order the keysize and count values. # List in ascending order the keysize and count values.
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
# if enabled, ZONEMD verification failures do not block the zone. # if enabled, ZONEMD verification failures do not block the zone.
# zonemd-permissive-mode: no # zonemd-permissive-mode: no
@ -1033,6 +1033,7 @@ remote-control:
# name: "example.org" # name: "example.org"
# for-downstream: yes # for-downstream: yes
# for-upstream: yes # for-upstream: yes
# zonemd-check: no
# zonemd-reject-absence: no # zonemd-reject-absence: no
# zonefile: "example.org.zone" # zonefile: "example.org.zone"

111
doc/unbound.conf.5.in
View file

@ -1026,7 +1026,7 @@ If yes, Unbound rotates RRSet order in response (the random number is taken
from the query ID, for speed and thread safety). Default is yes. from the query ID, for speed and thread safety). Default is yes.
.TP .TP
.B minimal-responses: \fI<yes or no> .B minimal-responses: \fI<yes or no>
If yes, Unbound doesn't insert authority/additional sections into response If yes, Unbound does not insert authority/additional sections into response
messages when those sections are not required. This reduces response messages when those sections are not required. This reduces response
size significantly, and may avoid TCP fallback for some responses. size significantly, and may avoid TCP fallback for some responses.
This may cause a slight speedup. The default is yes, even though the DNS This may cause a slight speedup. The default is yes, even though the DNS
@ -1044,15 +1044,24 @@ of this setting, if a trust anchor is loaded.
.TP .TP
.B module\-config: \fI<"module names"> .B module\-config: \fI<"module names">
Module configuration, a list of module names separated by spaces, surround Module configuration, a list of module names separated by spaces, surround
the string with quotes (""). The modules can be validator, iterator. the string with quotes (""). The modules can be \fIrespip\fR,
Setting this to "iterator" will result in a non\-validating server. \fIvalidator\fR, or \fIiterator\fR (and possibly more, see below).
Setting this to "validator iterator" will turn on DNSSEC validation. Setting this to just "\fIiterator\fR" will result in a non\-validating
The ordering of the modules is important. server.
You must also set trust\-anchors for validation to be useful. Setting this to "\fIvalidator iterator\fR" will turn on DNSSEC validation.
The default is "validator iterator". When the server is built with The ordering of the modules is significant, the order decides the
EDNS client subnet support the default is "subnetcache validator iterator". order of processing.
You must also set \fItrust\-anchors\fR for validation to be useful.
Adding \fIrespip\fR to the front will cause RPZ processing to be done on
all queries.
The default is "\fIvalidator iterator\fR".
.IP
When the server is built with
EDNS client subnet support the default is "\fIsubnetcache validator
iterator\fR".
Most modules that need to be listed here have to be listed at the beginning Most modules that need to be listed here have to be listed at the beginning
of the line. The cachedb module has to be listed just before the iterator. of the line. The subnetcachedb module has to be listed just before
the iterator.
The python module can be listed in different places, it then processes the The python module can be listed in different places, it then processes the
output of the module it is just before. The dynlib module can be listed pretty output of the module it is just before. The dynlib module can be listed pretty
much anywhere, it is only a very thin wrapper that allows dynamic libraries to much anywhere, it is only a very thin wrapper that allows dynamic libraries to
@ -1215,7 +1224,7 @@ Default is "no".
.TP .TP
.B val\-nsec3\-keysize\-iterations: \fI<"list of values"> .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
List of keysize and iteration count values, separated by spaces, surrounded List of keysize and iteration count values, separated by spaces, surrounded
by quotes. Default is "1024 150 2048 500 4096 2500". This determines the by quotes. Default is "1024 150 2048 150 4096 150". This determines the
maximum allowed NSEC3 iteration count before a message is simply marked maximum allowed NSEC3 iteration count before a message is simply marked
insecure instead of performing the many hashing iterations. The list must insecure instead of performing the many hashing iterations. The list must
be in ascending order and have at least one entry. If you set it to be in ascending order and have at least one entry. If you set it to
@ -1527,6 +1536,82 @@ Use this localzone type, regardless the type configured for the local-zone
(both tagged and untagged) and regardless the type configured using (both tagged and untagged) and regardless the type configured using
access\-control\-tag\-action. access\-control\-tag\-action.
.TP 5 .TP 5
.B response\-ip: \fI<IP-netblock> <action>
This requires use of the "respip" module.
.IP
If the IP address in an AAAA or A RR in the answer section of a
response matches the specified IP netblock, the specified action will
apply.
\fI<action>\fR has generally the same semantics as that for
\fIaccess-control-tag-action\fR, but there are some exceptions.
.IP
Actions for \fIresponse-ip\fR are different from those for
\fIlocal-zone\fR in that in case of the former there is no point of
such conditions as "the query matches it but there is no local data".
Because of this difference, the semantics of \fIresponse-ip\fR actions
are modified or simplified as follows: The \fIstatic, refuse,
transparent, typetransparent,\fR and \fInodefault\fR actions are
invalid for \fIresponse-ip\fR.
Using any of these will cause the configuration to be rejected as
faulty. The \fIdeny\fR action is non-conditional, i.e. it always
results in dropping the corresponding query.
The resolution result before applying the deny action is still cached
and can be used for other queries.
.TP 5
.B response-ip-data: \fI<IP-netblock> <"resource record string">
This requires use of the "respip" module.
.IP
This specifies the action data for \fIresponse-ip\fR with action being
to redirect as specified by "\fIresource record string\fR". "Resource
record string" is similar to that of \fIaccess-control-tag-action\fR,
but it must be of either AAAA, A or CNAME types.
If the IP-netblock is an IPv6/IPV4 prefix, the record
must be AAAA/A respectively, unless it is a CNAME (which can be used
for both versions of IP netblocks). If it is CNAME there must not be
more than one \fIresponse-ip-data\fR for the same IP-netblock.
Also, CNAME and other types of records must not coexist for the same
IP-netblock, following the normal rules for CNAME records.
The textual domain name for the CNAME does not have to be explicitly
terminated with a dot ("."); the root name is assumed to be the origin
for the name.
.TP 5
.B response-ip-tag: \fI<IP-netblock> <"list of tags">
This requires use of the "respip" module.
.IP
Assign tags to response IP-netblocks. If the IP address in an AAAA or
A RR in the answer section of a response matches the specified
IP-netblock, the specified tags are assigned to the IP address.
Then, if an \fIaccess-control-tag\fR is defined for the client and it
includes one of the tags for the response IP, the corresponding
\fIaccess-control-tag-action\fR will apply.
Tag matching rule is the same as that for \fIaccess-control-tag\fR and
\fIlocal-zones\fR.
Unlike \fIlocal-zone-tag\fR, \fIresponse-ip-tag\fR can be defined for
an IP-netblock even if no \fIresponse-ip\fR is defined for that
netblock.
If multiple \fIresponse-ip-tag\fR options are specified for the same
IP-netblock in different statements, all but the first will be
ignored.
However, this will not be flagged as a configuration error, but the
result is probably not what was intended.
.IP
Actions specified in an
\fIaccess-control-tag-action\fR that has a matching tag with
\fIresponse-ip-tag\fR can be those that are "invalid" for
\fIresponse-ip\fR listed above, since \fIaccess-control-tag-action\fRs
can be shared with local zones.
For these actions, if they behave differently depending on whether
local data exists or not in case of local zones, the behavior for
\fIresponse-ip-data\fR will generally result in NOERROR/NODATA instead
of NXDOMAIN, since the \fIresponse-ip\fR data are inherently type
specific, and non-existence of data does not indicate anything about
the existence or non-existence of the qname itself.
For example, if the matching tag action is \fIstatic\fR but there is
no data for the corresponding \fIresponse-ip\fR configuration, then
the result will be NOERROR/NODATA.
The only case where NXDOMAIN is returned is when an
\fIalways_nxdomain\fR action applies.
.TP 5
.B ratelimit: \fI<number or 0> .B ratelimit: \fI<number or 0>
Enable ratelimiting of queries sent to nameserver for performing recursion. Enable ratelimiting of queries sent to nameserver for performing recursion.
If 0, the default, it is disabled. This option is experimental at this time. If 0, the default, it is disabled. This option is experimental at this time.
@ -1895,6 +1980,12 @@ to the authority servers for this zone, it'll fetch the data directly from
the zone data. Turn it on when you want unbound to provide recursion for the zone data. Turn it on when you want unbound to provide recursion for
downstream clients, and use the zone data as a local copy to speed up lookups. downstream clients, and use the zone data as a local copy to speed up lookups.
.TP .TP
.B zonemd\-check: \fI<yes or no>
Enable this option to check ZONEMD records in the zone. Default is disabled.
The ZONEMD record is a checksum over the zone data. This includes glue in
the zone and data from the zone file, and excludes comments from the zone file.
When there is a DNSSEC chain of trust, DNSSEC signatures are checked too.
.TP
.B zonemd\-reject\-absence: \fI<yes or no> .B zonemd\-reject\-absence: \fI<yes or no>
Enable this option to reject the absence of the ZONEMD record. Without it, Enable this option to reject the absence of the ZONEMD record. Without it,
when zonemd is not there it is not checked. It is useful to enable for a when zonemd is not there it is not checked. It is useful to enable for a

9
services/authzone.c
View file

@ -1755,6 +1755,8 @@ zonemd_offline_verify(struct auth_zone* z, struct module_env* env_for_val,
{ {
struct module_env env; struct module_env env;
time_t now = 0; time_t now = 0;
if(!z->zonemd_check)
return;
env = *env_for_val; env = *env_for_val;
env.scratch_buffer = sldns_buffer_new(env.cfg->msg_buffer_size); env.scratch_buffer = sldns_buffer_new(env.cfg->msg_buffer_size);
if(!env.scratch_buffer) { if(!env.scratch_buffer) {
@ -2107,6 +2109,7 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
z->for_downstream = c->for_downstream; z->for_downstream = c->for_downstream;
z->for_upstream = c->for_upstream; z->for_upstream = c->for_upstream;
z->fallback_enabled = c->fallback_enabled; z->fallback_enabled = c->fallback_enabled;
z->zonemd_check = c->zonemd_check;
z->zonemd_reject_absence = c->zonemd_reject_absence; z->zonemd_reject_absence = c->zonemd_reject_absence;
if(c->isrpz && !z->rpz){ if(c->isrpz && !z->rpz){
if(!(z->rpz = rpz_create(c))){ if(!(z->rpz = rpz_create(c))){
@ -8245,6 +8248,8 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
int is_insecure = 0; int is_insecure = 0;
/* verify the ZONEMD if present. /* verify the ZONEMD if present.
* If not present check if absence is allowed by DNSSEC */ * If not present check if absence is allowed by DNSSEC */
if(!z->zonemd_check)
return;
/* if zone is under a trustanchor */ /* if zone is under a trustanchor */
/* is it equal to trustanchor - get dnskey's verified */ /* is it equal to trustanchor - get dnskey's verified */
@ -8313,6 +8318,10 @@ void auth_zones_pickup_zonemd_verify(struct auth_zones* az,
lock_rw_rdlock(&az->lock); lock_rw_rdlock(&az->lock);
RBTREE_FOR(z, struct auth_zone*, &az->ztree) { RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
lock_rw_wrlock(&z->lock); lock_rw_wrlock(&z->lock);
if(!z->zonemd_check) {
lock_rw_unlock(&z->lock);
continue;
}
key.dclass = z->dclass; key.dclass = z->dclass;
key.namelabs = z->namelabs; key.namelabs = z->namelabs;
if(z->namelen > sizeof(savezname)) { if(z->namelen > sizeof(savezname)) {

2
services/authzone.h
View file

@ -132,6 +132,8 @@ struct auth_zone {
/** for upstream: this zone answers queries that unbound intends to /** for upstream: this zone answers queries that unbound intends to
* send upstream. */ * send upstream. */
int for_upstream; int for_upstream;
/** check ZONEMD records */
int zonemd_check;
/** reject absence of ZONEMD records */ /** reject absence of ZONEMD records */
int zonemd_reject_absence; int zonemd_reject_absence;
/** RPZ zones */ /** RPZ zones */

12
testcode/do-tests.sh
View file

@ -1,5 +1,11 @@
#!/usr/bin/env bash #!/usr/bin/env bash
. testdata/common.sh . testdata/common.sh
quiet=0
if test "$1" = "-q"; then
quiet=1
tdirarg="-q"
shift
fi
NEED_SPLINT='00-lint.tdir' NEED_SPLINT='00-lint.tdir'
NEED_DOXYGEN='01-doc.tdir' NEED_DOXYGEN='01-doc.tdir'
@ -33,7 +39,7 @@ fi
export -n NOTIFY_SOCKET export -n NOTIFY_SOCKET
cd testdata; cd testdata;
sh ../testcode/mini_tdir.sh clean sh ../testcode/mini_tdir.sh $tdirarg clean
rm -f .perfstats.txt rm -f .perfstats.txt
for test in `ls -d *.tdir`; do for test in `ls -d *.tdir`; do
SKIP=0 SKIP=0
@ -57,10 +63,10 @@ for test in `ls -d *.tdir`; do
fi fi
if test $SKIP -eq 0; then if test $SKIP -eq 0; then
echo $test echo $test
sh ../testcode/mini_tdir.sh -a ../.. exe $test sh ../testcode/mini_tdir.sh -a ../.. $tdirarg exe $test
else else
echo "skip $test" echo "skip $test"
fi fi
done done
sh ../testcode/mini_tdir.sh report sh ../testcode/mini_tdir.sh $tdirarg report
cat .perfstats.txt cat .perfstats.txt

45
testcode/mini_tdir.sh
View file

@ -5,14 +5,23 @@ if test "$1" = "-a"; then
shift shift
shift shift
fi fi
quiet=0
if test "$1" = "-q"; then
quiet=1
shift
fi
if test "$1" = "clean"; then if test "$1" = "clean"; then
echo "rm -f result.* .done* .tdir.var.master .tdir.var.test" if test $quiet = 0; then
echo "rm -f result.* .done* .tdir.var.master .tdir.var.test"
fi
rm -f result.* .done* .tdir.var.master .tdir.var.test rm -f result.* .done* .tdir.var.master .tdir.var.test
exit 0 exit 0
fi fi
if test "$1" = "fake"; then if test "$1" = "fake"; then
echo "minitdir fake $2" if test $quiet = 0; then
echo "minitdir fake $2"
fi
echo "fake" > .done-`basename $2 .tdir` echo "fake" > .done-`basename $2 .tdir`
exit 0 exit 0
fi fi
@ -37,7 +46,7 @@ if test "$1" = "-f" && test "$2" = "report"; then
desc=`grep ^Description: "result.$name" | sed -e 's/Description: //'` desc=`grep ^Description: "result.$name" | sed -e 's/Description: //'`
fi fi
if test -f ".done-$name"; then if test -f ".done-$name"; then
if test "$1" != "-q"; then if test $quiet = 0; then
echo "** PASSED ** $timelen $name: $desc" echo "** PASSED ** $timelen $name: $desc"
pass=`expr $pass + 1` pass=`expr $pass + 1`
fi fi
@ -65,7 +74,7 @@ if test "$1" = "report" || test "$2" = "report"; then
for result in *.tdir; do for result in *.tdir; do
name=`basename $result .tdir` name=`basename $result .tdir`
if test -f ".done-$name"; then if test -f ".done-$name"; then
if test "$1" != "-q"; then if test $quiet = 0; then
echo "** PASSED ** : $name" echo "** PASSED ** : $name"
fi fi
else else
@ -82,9 +91,9 @@ fi
if test "$1" != 'exe'; then if test "$1" != 'exe'; then
# usage # usage
echo "mini tdir. Reduced functionality for old shells." echo "mini tdir. Reduced functionality for old shells."
echo " tdir exe <file>" echo " tdir [-q] exe <file>"
echo " tdir fake <file>" echo " tdir [-q] fake <file>"
echo " tdir clean" echo " tdir [-q] clean"
echo " tdir [-q|-f] report" echo " tdir [-q|-f] report"
exit 1 exit 1
fi fi
@ -117,7 +126,9 @@ if test -f .done-$name; then
fi fi
# Copy # Copy
echo "minitdir copy $1 to $dir" if test $quiet = 0; then
echo "minitdir copy $1 to $dir"
fi
mkdir $dir mkdir $dir
if cp --help 2>&1 | grep -- "-a" >/dev/null; then if cp --help 2>&1 | grep -- "-a" >/dev/null; then
cp -a $name.tdir/* $dir/ cp -a $name.tdir/* $dir/
@ -131,7 +142,9 @@ echo "minitdir exe $name" > $result
grep "Description:" $name.dsc >> $result 2>&1 grep "Description:" $name.dsc >> $result 2>&1
echo "DateRunStart: "`date "+%s" 2>/dev/null` >> $result echo "DateRunStart: "`date "+%s" 2>/dev/null` >> $result
if test -f $name.pre; then if test -f $name.pre; then
echo "minitdir exe $name.pre" if test $quiet = 0; then
echo "minitdir exe $name.pre"
fi
echo "minitdir exe $name.pre" >> $result echo "minitdir exe $name.pre" >> $result
$shell $name.pre $args >> $result $shell $name.pre $args >> $result
if test $? -ne 0; then if test $? -ne 0; then
@ -139,7 +152,9 @@ if test -f $name.pre; then
fi fi
fi fi
if test -f $name.test; then if test -f $name.test; then
echo "minitdir exe $name.test" if test $quiet = 0; then
echo "minitdir exe $name.test"
fi
echo "minitdir exe $name.test" >> $result echo "minitdir exe $name.test" >> $result
$shell $name.test $args >>$result 2>&1 $shell $name.test $args >>$result 2>&1
if test $? -ne 0; then if test $? -ne 0; then
@ -149,12 +164,16 @@ if test -f $name.test; then
else else
echo "$name: PASSED" >> $result echo "$name: PASSED" >> $result
echo "$name: PASSED" > ../.done-$name echo "$name: PASSED" > ../.done-$name
echo "$name: PASSED" if test $quiet = 0; then
echo "$name: PASSED"
fi
success="yes" success="yes"
fi fi
fi fi
if test -f $name.post; then if test -f $name.post; then
echo "minitdir exe $name.post" if test $quiet = 0; then
echo "minitdir exe $name.post"
fi
echo "minitdir exe $name.post" >> $result echo "minitdir exe $name.post" >> $result
$shell $name.post $args >> $result $shell $name.post $args >> $result
if test $? -ne 0; then if test $? -ne 0; then

3
testcode/unitzonemd.c
View file

@ -82,6 +82,7 @@ static void zonemd_generate_test(const char* zname, char* zfile,
/* read file */ /* read file */
z = authtest_addzone(az, zname, zfile); z = authtest_addzone(az, zname, zfile);
unit_assert(z); unit_assert(z);
z->zonemd_check = 1;
/* create zonemd digest */ /* create zonemd digest */
result = auth_zone_generate_zonemd_hash(z, scheme, hashalgo, result = auth_zone_generate_zonemd_hash(z, scheme, hashalgo,
@ -196,6 +197,7 @@ static void zonemd_check_test(void)
/* read file */ /* read file */
z = authtest_addzone(az, zname, zfile); z = authtest_addzone(az, zname, zfile);
unit_assert(z); unit_assert(z);
z->zonemd_check = 1;
hashlen = sizeof(hash); hashlen = sizeof(hash);
if(sldns_str2wire_hex_buf(digest, hash, &hashlen) != 0) { if(sldns_str2wire_hex_buf(digest, hash, &hashlen) != 0) {
unit_assert(0); /* parse failure */ unit_assert(0); /* parse failure */
@ -291,6 +293,7 @@ static void zonemd_verify_test(char* zname, char* zfile, char* tastr,
/* test */ /* test */
lock_rw_wrlock(&z->lock); lock_rw_wrlock(&z->lock);
z->zonemd_check = 1;
auth_zone_verify_zonemd(z, &env, &mods, &result, 1, 0); auth_zone_verify_zonemd(z, &env, &mods, &result, 1, 0);
lock_rw_unlock(&z->lock); lock_rw_unlock(&z->lock);
if(verbosity >= VERB_ALGO) { if(verbosity >= VERB_ALGO) {

1
testdata/auth_zonemd_anchor.rpl vendored
View file

@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_anchor_fail.rpl vendored
View file

@ -27,6 +27,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_chain.rpl vendored
View file

@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_chain_fail.rpl vendored
View file

@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_file.rpl vendored
View file

@ -21,6 +21,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_file_fail.rpl vendored
View file

@ -21,6 +21,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_insecure.rpl vendored
View file

@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_insecure_absent.rpl vendored
View file

@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_insecure_absent_reject.rpl vendored
View file

@ -7,6 +7,7 @@ server:
auth-zone: auth-zone:
name: "example.com." name: "example.com."
zonemd-check: yes
zonemd-reject-absence: yes zonemd-reject-absence: yes
## zonefile (or none). ## zonefile (or none).
## zonefile: "example.com.zone" ## zonefile: "example.com.zone"

1
testdata/auth_zonemd_insecure_fail.rpl vendored
View file

@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_nokey.rpl vendored
View file

@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_permissive_mode.rpl vendored
View file

@ -22,6 +22,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_xfr.rpl vendored
View file

@ -22,6 +22,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_xfr_anchor.rpl vendored
View file

@ -25,6 +25,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_xfr_anchor_fail.rpl vendored
View file

@ -25,6 +25,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_xfr_chain.rpl vendored
View file

@ -25,6 +25,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_xfr_chain_fail.rpl vendored
View file

@ -25,6 +25,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

1
testdata/auth_zonemd_xfr_fail.rpl vendored
View file

@ -22,6 +22,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to ## on failures with for-upstream, fallback to sending queries to
## the authority servers ## the authority servers
## fallback-enabled: no ## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile: zonefile:

2
util/config_file.c
View file

@ -309,7 +309,7 @@ config_create(void)
if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit; if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit;
#endif #endif
if(!(cfg->val_nsec3_key_iterations = if(!(cfg->val_nsec3_key_iterations =
strdup("1024 150 2048 500 4096 2500"))) goto error_exit; strdup("1024 150 2048 150 4096 150"))) goto error_exit;
#if defined(DNSTAP_SOCKET_PATH) #if defined(DNSTAP_SOCKET_PATH)
if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH))) if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH)))
goto error_exit; goto error_exit;

2
util/config_file.h
View file

@ -735,6 +735,8 @@ struct config_auth {
/** Always reply with this CNAME target if the cname override action is /** Always reply with this CNAME target if the cname override action is
* used */ * used */
char* rpz_cname; char* rpz_cname;
/** Check ZONEMD records for this zone */
int zonemd_check;
/** Reject absence of ZONEMD records, zone must have one */ /** Reject absence of ZONEMD records, zone must have one */
int zonemd_reject_absence; int zonemd_reject_absence;
}; };

4302
util/configlexer.c
View file

File diff suppressed because it is too large Load diff

1
util/configlexer.lex
View file

@ -405,6 +405,7 @@ neg-cache-size{COLON} { YDVAR(1, VAR_NEG_CACHE_SIZE) }
val-nsec3-keysize-iterations{COLON} { val-nsec3-keysize-iterations{COLON} {
YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) } YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) }
zonemd-permissive-mode{COLON} { YDVAR(1, VAR_ZONEMD_PERMISSIVE_MODE) } zonemd-permissive-mode{COLON} { YDVAR(1, VAR_ZONEMD_PERMISSIVE_MODE) }
zonemd-check{COLON} { YDVAR(1, VAR_ZONEMD_CHECK) }
zonemd-reject-absence{COLON} { YDVAR(1, VAR_ZONEMD_REJECT_ABSENCE) } zonemd-reject-absence{COLON} { YDVAR(1, VAR_ZONEMD_REJECT_ABSENCE) }
add-holddown{COLON} { YDVAR(1, VAR_ADD_HOLDDOWN) } add-holddown{COLON} { YDVAR(1, VAR_ADD_HOLDDOWN) }
del-holddown{COLON} { YDVAR(1, VAR_DEL_HOLDDOWN) } del-holddown{COLON} { YDVAR(1, VAR_DEL_HOLDDOWN) }

3187
util/configparser.c
View file

File diff suppressed because it is too large Load diff

8
util/configparser.h
View file

@ -364,7 +364,8 @@ extern int yydebug;
VAR_EDNS_CLIENT_STRING_OPCODE = 565, /* VAR_EDNS_CLIENT_STRING_OPCODE */ VAR_EDNS_CLIENT_STRING_OPCODE = 565, /* VAR_EDNS_CLIENT_STRING_OPCODE */
VAR_NSID = 566, /* VAR_NSID */ VAR_NSID = 566, /* VAR_NSID */
VAR_ZONEMD_PERMISSIVE_MODE = 567, /* VAR_ZONEMD_PERMISSIVE_MODE */ VAR_ZONEMD_PERMISSIVE_MODE = 567, /* VAR_ZONEMD_PERMISSIVE_MODE */
VAR_ZONEMD_REJECT_ABSENCE = 568 /* VAR_ZONEMD_REJECT_ABSENCE */ VAR_ZONEMD_CHECK = 568, /* VAR_ZONEMD_CHECK */
VAR_ZONEMD_REJECT_ABSENCE = 569 /* VAR_ZONEMD_REJECT_ABSENCE */
}; };
typedef enum yytokentype yytoken_kind_t; typedef enum yytokentype yytoken_kind_t;
#endif #endif
@ -682,7 +683,8 @@ extern int yydebug;
#define VAR_EDNS_CLIENT_STRING_OPCODE 565 #define VAR_EDNS_CLIENT_STRING_OPCODE 565
#define VAR_NSID 566 #define VAR_NSID 566
#define VAR_ZONEMD_PERMISSIVE_MODE 567 #define VAR_ZONEMD_PERMISSIVE_MODE 567
#define VAR_ZONEMD_REJECT_ABSENCE 568 #define VAR_ZONEMD_CHECK 568
#define VAR_ZONEMD_REJECT_ABSENCE 569
/* Value type. */ /* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -692,7 +694,7 @@ union YYSTYPE
char* str; char* str;
#line 696 "util/configparser.h" #line 698 "util/configparser.h"
}; };
typedef union YYSTYPE YYSTYPE; typedef union YYSTYPE YYSTYPE;

15
util/configparser.y
View file

@ -182,7 +182,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME %token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME
%token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING %token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING
%token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID %token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID
%token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_REJECT_ABSENCE %token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE
%% %%
toplevelvars: /* empty */ | toplevelvars toplevelvar ; toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -370,6 +370,7 @@ authstart: VAR_AUTH_ZONE
s->for_downstream = 1; s->for_downstream = 1;
s->for_upstream = 1; s->for_upstream = 1;
s->fallback_enabled = 0; s->fallback_enabled = 0;
s->zonemd_check = 0;
s->zonemd_reject_absence = 0; s->zonemd_reject_absence = 0;
s->isrpz = 0; s->isrpz = 0;
} else } else
@ -380,7 +381,7 @@ contents_auth: contents_auth content_auth
| ; | ;
content_auth: auth_name | auth_zonefile | auth_master | auth_url | content_auth: auth_name | auth_zonefile | auth_master | auth_url |
auth_for_downstream | auth_for_upstream | auth_fallback_enabled | auth_for_downstream | auth_for_upstream | auth_fallback_enabled |
auth_allow_notify | auth_zonemd_reject_absence auth_allow_notify | auth_zonemd_check | auth_zonemd_reject_absence
; ;
rpz_tag: VAR_TAGS STRING_ARG rpz_tag: VAR_TAGS STRING_ARG
@ -2788,6 +2789,16 @@ auth_allow_notify: VAR_ALLOW_NOTIFY STRING_ARG
yyerror("out of memory"); yyerror("out of memory");
} }
; ;
auth_zonemd_check: VAR_ZONEMD_CHECK STRING_ARG
{
OUTYY(("P(zonemd-check:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->auths->zonemd_check =
(strcmp($2, "yes")==0);
free($2);
}
;
auth_zonemd_reject_absence: VAR_ZONEMD_REJECT_ABSENCE STRING_ARG auth_zonemd_reject_absence: VAR_ZONEMD_REJECT_ABSENCE STRING_ARG
{ {
OUTYY(("P(zonemd-reject-absence:%s)\n", $2)); OUTYY(("P(zonemd-reject-absence:%s)\n", $2));

102
util/storage/lookup3.c
View file

@ -53,21 +53,69 @@ on 1 byte), but shoehorning those bytes into integers efficiently is messy.
#include "util/storage/lookup3.h" #include "util/storage/lookup3.h"
#include <stdio.h> /* defines printf for tests */ #include <stdio.h> /* defines printf for tests */
#include <time.h> /* defines time_t for timings in the test */ #include <time.h> /* defines time_t for timings in the test */
/*#include <stdint.h> defines uint32_t etc (from config.h) */
#include <sys/param.h> /* attempt to define endianness */ /*
#ifdef HAVE_SYS_TYPES_H * If our build system provides endianness info, signalled by
# include <sys/types.h> /* attempt to define endianness (solaris) */ * HAVE_TARGET_ENDIANNESS and the presence or absence of TARGET_IS_BIG_ENDIAN,
#endif * use that. Otherwise try to work out the endianness.
#if defined(linux) || defined(__OpenBSD__) */
#if defined(HAVE_TARGET_ENDIANNESS)
# if defined(TARGET_IS_BIG_ENDIAN)
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 1
# else
# define HASH_LITTLE_ENDIAN 1
# define HASH_BIG_ENDIAN 0
# endif
#else
# include <sys/param.h> /* attempt to define endianness */
# ifdef HAVE_SYS_TYPES_H
# include <sys/types.h> /* attempt to define endianness (solaris) */
# endif
# if defined(linux) || defined(__OpenBSD__)
# ifdef HAVE_ENDIAN_H # ifdef HAVE_ENDIAN_H
# include <endian.h> /* attempt to define endianness */ # include <endian.h> /* attempt to define endianness */
# else # else
# include <machine/endian.h> /* on older OpenBSD */ # include <machine/endian.h> /* on older OpenBSD */
# endif # endif
#endif # endif
#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__) # if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__)
#include <sys/endian.h> /* attempt to define endianness */ # include <sys/endian.h> /* attempt to define endianness */
#endif # endif
/*
* My best guess at if you are big-endian or little-endian. This may
* need adjustment.
*/
# if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \
__BYTE_ORDER == __LITTLE_ENDIAN) || \
(defined(i386) || defined(__i386__) || defined(__i486__) || \
defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL) || defined(__x86))
# define HASH_LITTLE_ENDIAN 1
# define HASH_BIG_ENDIAN 0
# elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \
__BYTE_ORDER == __BIG_ENDIAN) || \
(defined(sparc) || defined(__sparc) || defined(__sparc__) || defined(POWERPC) || defined(mc68000) || defined(sel))
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 1
# elif defined(_MACHINE_ENDIAN_H_)
/* test for machine_endian_h protects failure if some are empty strings */
# if defined(_BYTE_ORDER) && defined(_BIG_ENDIAN) && _BYTE_ORDER == _BIG_ENDIAN
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 1
# endif
# if defined(_BYTE_ORDER) && defined(_LITTLE_ENDIAN) && _BYTE_ORDER == _LITTLE_ENDIAN
# define HASH_LITTLE_ENDIAN 1
# define HASH_BIG_ENDIAN 0
# endif /* _MACHINE_ENDIAN_H_ */
# else
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 0
# endif
#endif /* defined(HAVE_TARGET_ENDIANNESS) */
#define hashsize(n) ((uint32_t)1<<(n))
#define hashmask(n) (hashsize(n)-1)
#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
/* random initial value */ /* random initial value */
static uint32_t raninit = (uint32_t)0xdeadbeef; static uint32_t raninit = (uint32_t)0xdeadbeef;
@ -78,40 +126,6 @@ hash_set_raninit(uint32_t v)
raninit = v; raninit = v;
} }
/*
* My best guess at if you are big-endian or little-endian. This may
* need adjustment.
*/
#if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \
__BYTE_ORDER == __LITTLE_ENDIAN) || \
(defined(i386) || defined(__i386__) || defined(__i486__) || \
defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL) || defined(__x86))
# define HASH_LITTLE_ENDIAN 1
# define HASH_BIG_ENDIAN 0
#elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \
__BYTE_ORDER == __BIG_ENDIAN) || \
(defined(sparc) || defined(__sparc) || defined(__sparc__) || defined(POWERPC) || defined(mc68000) || defined(sel))
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 1
#elif defined(_MACHINE_ENDIAN_H_)
/* test for machine_endian_h protects failure if some are empty strings */
# if defined(_BYTE_ORDER) && defined(_BIG_ENDIAN) && _BYTE_ORDER == _BIG_ENDIAN
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 1
# endif
# if defined(_BYTE_ORDER) && defined(_LITTLE_ENDIAN) && _BYTE_ORDER == _LITTLE_ENDIAN
# define HASH_LITTLE_ENDIAN 1
# define HASH_BIG_ENDIAN 0
# endif /* _MACHINE_ENDIAN_H_ */
#else
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 0
#endif
#define hashsize(n) ((uint32_t)1<<(n))
#define hashmask(n) (hashsize(n)-1)
#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
/* /*
------------------------------------------------------------------------------- -------------------------------------------------------------------------------
mix -- mix 3 32-bit values reversibly. mix -- mix 3 32-bit values reversibly.