diff --git a/.github/workflows/analysis_ports.yml b/.github/workflows/analysis_ports.yml index 0388e3cca..f843eeb5e 100644 --- a/.github/workflows/analysis_ports.yml +++ b/.github/workflows/analysis_ports.yml @@ -193,8 +193,12 @@ jobs: - uses: actions/checkout@v4 with: submodules: false + persist-credentials: false - name: test_windows if: ${{ matrix.test_windows == 'yes' }} + env: + LIBEXPAT_FNAME: expat-2.7.0 + LIBEXPAT_VERSION_DIR: R_2_7_0 shell: bash run: | export unboundpath=`pwd` @@ -237,9 +241,9 @@ jobs: cd .. mkdir expat echo "curl expat" - curl -L -k -s -S -o expat-2.2.10.tar.gz https://github.com/libexpat/libexpat/releases/download/R_2_2_10/expat-2.2.10.tar.gz - tar xzf expat-2.2.10.tar.gz - cd expat-2.2.10 + curl -L -k -s -S -o $LIBEXPAT_FNAME.tar.gz https://github.com/libexpat/libexpat/releases/download/$LIBEXPAT_VERSION_DIR/$LIBEXPAT_FNAME.tar.gz + tar xzf $LIBEXPAT_FNAME.tar.gz + cd $LIBEXPAT_FNAME echo "./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix=\"$prepath/expat\" --exec-prefix=\"$prepath/expat\" --bindir=\"$prepath/expat/bin\" --includedir=\"$prepath/expat/include\" --mandir=\"$prepath/expat/man\" --libdir=\"$prepath/expat/lib\"" ./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix="$prepath/expat" --exec-prefix="$prepath/expat" --bindir="$prepath/expat/bin" --includedir="$prepath/expat/include" --mandir="$prepath/expat/man" --libdir="$prepath/expat/lib" # fixup SHELL is treated specially, but SHELZZ is not by make. diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f01ed3273..6ca3bc414 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: configure run: ./configure --enable-debug - name: make diff --git a/Makefile.in b/Makefile.in index b8d2a96b2..b28ed34ae 100644 --- a/Makefile.in +++ b/Makefile.in @@ -179,11 +179,11 @@ testcode/unitlruhash.c testcode/unitmain.c testcode/unitmsgparse.c \ testcode/unitneg.c testcode/unitregional.c testcode/unitslabhash.c \ testcode/unitverify.c testcode/readhex.c testcode/testpkts.c testcode/unitldns.c \ testcode/unitecs.c testcode/unitauth.c testcode/unitzonemd.c \ -testcode/unittcpreuse.c testcode/unitdoq.c +testcode/unittcpreuse.c testcode/unitdoq.c testcode/unitinfra.c UNITTEST_OBJ=unitanchor.lo unitdname.lo unitlruhash.lo unitmain.lo \ unitmsgparse.lo unitneg.lo unitregional.lo unitslabhash.lo unitverify.lo \ readhex.lo testpkts.lo unitldns.lo unitecs.lo unitauth.lo unitzonemd.lo \ -unittcpreuse.lo unitdoq.lo +unittcpreuse.lo unitdoq.lo unitinfra.lo UNITTEST_OBJ_LINK=$(UNITTEST_OBJ) worker_cb.lo $(COMMON_OBJ) $(SLDNS_OBJ) \ $(COMPAT_OBJ) DAEMON_SRC=daemon/acl_list.c daemon/cachedump.c daemon/daemon.c \ @@ -449,9 +449,13 @@ dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c config.h dnstap/dnstap_config.h \ $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h \ $(srcdir)/util/locks.h -dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h: $(srcdir)/dnstap/dnstap.proto +# Builds both dnstap/dnstap.pb-c.c and dnstap/dnstap.pb-c.h. +# To avoid double-building we split one target out. +dnstap/dnstap.pb-c.c: $(srcdir)/dnstap/dnstap.proto @-if test ! -d dnstap; then $(INSTALL) -d dnstap; fi $(PROTOC_C) --c_out=. --proto_path=$(srcdir) $(srcdir)/dnstap/dnstap.proto +dnstap/dnstap.pb-c.h: dnstap/dnstap.pb-c.c + touch $@ unbound-dnstap-socket$(EXEEXT): $(DNSTAP_SOCKET_OBJ_LINK) $(LINK) -o $@ $(DNSTAP_SOCKET_OBJ_LINK) $(SSLLIB) $(LIBS) @@ -722,299 +726,338 @@ unitdoq.lo unitdoq.o: $(srcdir)/testcode/unitdoq.c dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/val_nsec.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h + $(srcdir)/util/data/msgparse.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/services/cache/infra.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h dname.lo dname.o: $(srcdir)/util/data/dname.c config.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/storage/lookup3.h $(srcdir)/sldns/sbuffer.h msgencode.lo msgencode.o: $(srcdir)/util/data/msgencode.c config.h $(srcdir)/util/data/msgencode.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h $(srcdir)/services/view.h -msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h +msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h $(srcdir)/util/config_file.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/rfc_1982.h $(srcdir)/util/edns.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/module.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ - $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/respip/respip.h + $(srcdir)/sldns/rrdef.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgencode.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/module.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h + $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterator/iterator.h \ $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/iterator/iter_utils.h \ + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/iterator/iter_utils.h \ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_donotq.h \ $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_scrub.h $(srcdir)/iterator/iter_priv.h \ - $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ - $(srcdir)/util/random.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h + $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h \ + $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \ $(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/sldns/sbuffer.h iter_donotq.lo iter_donotq.o: $(srcdir)/iterator/iter_donotq.c config.h $(srcdir)/iterator/iter_donotq.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h iter_fwd.lo iter_fwd.o: $(srcdir)/iterator/iter_fwd.c config.h $(srcdir)/iterator/iter_fwd.h \ - $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h + $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/iterator/iter_delegpt.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/str2wire.h iter_hints.lo iter_hints.o: $(srcdir)/iterator/iter_hints.c config.h $(srcdir)/iterator/iter_hints.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/str2wire.h \ $(srcdir)/sldns/wire2str.h iter_priv.lo iter_priv.o: $(srcdir)/iterator/iter_priv.c config.h $(srcdir)/iterator/iter_priv.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h iter_resptype.lo iter_resptype.o: $(srcdir)/iterator/iter_resptype.c config.h \ - $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iterator.h $(srcdir)/util/log.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/data/dname.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h + $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/dname.h iter_scrub.lo iter_scrub.o: $(srcdir)/iterator/iter_scrub.c config.h $(srcdir)/iterator/iter_scrub.h \ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/iterator/iter_priv.h $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h \ $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/util/alloc.h $(srcdir)/sldns/sbuffer.h iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/iterator/iter_utils.h \ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/iterator/iter_hints.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/iterator/iter_hints.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h \ $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_priv.h \ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outside_network.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \ - $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/str2wire.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/validator/val_anchor.h \ + $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/str2wire.h listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h \ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/authzone.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ + $(srcdir)/util/timeval_func.h \ + localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \ $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/as112.h + $(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/as112.h mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/alloc.h \ - $(srcdir)/util/edns.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/data/dname.h $(srcdir)/services/listen_dnsport.h -modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \ - $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/edns.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/data/dname.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/timeval_func.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/edns-subnet/addrtree.h \ + $(srcdir)/edns-subnet/edns-subnet.h +modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \ + $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/dns64/dns64.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \ + $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h $(PYTHONMOD_HEADER) \ + $(DYNLIBMOD_HEADER) $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h \ + $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \ + $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h rpz.lo rpz.o: $(srcdir)/services/rpz.c config.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \ $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/data/dname.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/iterator/iter_delegpt.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/util/alloc.h \ + $(srcdir)/dnstap/dnstap.h +rfc_1982.lo rfc_1982.o: $(srcdir)/util/rfc_1982.c config.h $(srcdir)/util/rfc_1982.h outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - + $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h \ + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c config.h \ - $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/iterator/iterator.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/edns.h $(srcdir)/dnstap/dnstap.h + $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/rtt.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgencode.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \ + $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/respip/respip.h $(srcdir)/util/edns.h $(srcdir)/dnstap/dnstap.h \ + alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/util/log.h \ - $(srcdir)/util/configyyrename.h $(srcdir)/util/config_file.h util/configparser.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h $(srcdir)/util/fptr_wlist.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/util/configyyrename.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \ + util/configparser.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \ + $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \ - $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/iana_ports.inc + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/edns-subnet/edns-subnet.h \ + $(srcdir)/util/iana_ports.inc configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \ - $(srcdir)/util/config_file.h util/configparser.h + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h util/configparser.h configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/str2wire.h \ - $(srcdir)/sldns/rrdef.h + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ + $(srcdir)/util/random.h $(srcdir)/sldns/str2wire.h util/configparser.h shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/util/shm_side/shm_main.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/services/mesh.h \ - $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/rtt.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/util/fptr_wlist.h \ - $(srcdir)/util/tube.h $(srcdir)/util/timeval_func.h + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ + $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ + $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h \ + $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/services/authzone.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \ - $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/services/outside_network.h \ - $(srcdir)/services/listen_dnsport.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \ - $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h $(srcdir)/validator/val_nsec3.h \ - $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/val_sigcrypt.h \ - $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_utils.h + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/regional.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_secalgo.h \ + $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_utils.h fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/outside_network.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \ - $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \ - $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \ - $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \ - $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound-event.h \ - $(srcdir)/libunbound/worker.h + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h \ + $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \ + $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/validator/validator.h \ + $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_anchor.h \ + $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_neg.h \ + $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h $(srcdir)/libunbound/context.h \ + $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h $(srcdir)/daemon/remote.h \ + $(PYTHONMOD_HEADER) $(DYNLIBMOD_HEADER) $(srcdir)/cachedb/cachedb.h \ + $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \ + $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h $(srcdir)/dnstap/dtstream.h locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h -mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h +mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/ub_event.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \ - $(srcdir)/dnstap/dnstap.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/timeval_func.h -proxy_protocol.lo proxy_protocol.o: $(srcdir)/util/proxy_protocol.c config.h \ - $(srcdir)/util/proxy_protocol.h $(srcdir)/sldns/sbuffer.h + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/tcp_conn_limit.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/proxy_protocol.h \ + $(srcdir)/util/timeval_func.h $(srcdir)/sldns/str2wire.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \ - $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h + $(srcdir)/util/random.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \ + random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ @@ -1022,438 +1065,609 @@ rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcd regional.lo regional.o: $(srcdir)/util/regional.c config.h $(srcdir)/util/log.h $(srcdir)/util/regional.h rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h $(srcdir)/iterator/iterator.h \ $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h -siphash.lo siphash.o: $(srcdir)/util/siphash.c -rfc_1982.lo rfc_1982.o: $(srcdir)/util/rfc_1982.c + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h +siphash.lo siphash.o: $(srcdir)/util/siphash.c config.h $(srcdir)/util/siphash.h edns.lo edns.o: $(srcdir)/util/edns.c config.h $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/regional.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h + $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/rfc_1982.h \ + $(srcdir)/util/siphash.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/sldns/sbuffer.h dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/net_help.h + $(srcdir)/util/log.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h lookup3.lo lookup3.o: $(srcdir)/util/storage/lookup3.c config.h $(srcdir)/util/storage/lookup3.h lruhash.lo lruhash.o: $(srcdir)/util/storage/lruhash.c config.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h slabhash.lo slabhash.o: $(srcdir)/util/storage/slabhash.c config.h $(srcdir)/util/storage/slabhash.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h tcp_conn_limit.lo tcp_conn_limit.o: $(srcdir)/util/tcp_conn_limit.c config.h $(srcdir)/util/regional.h \ - $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/tcp_conn_limit.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h -timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h -tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \ + $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/locks.h $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h +timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h \ + $(srcdir)/util/timeval_func.h +tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \ + $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/ub_event.h +proxy_protocol.lo proxy_protocol.o: $(srcdir)/util/proxy_protocol.c $(srcdir)/util/proxy_protocol.h config.h +timeval_func.lo timeval_func.o: $(srcdir)/util/timeval_func.c config.h $(srcdir)/util/timeval_func.h ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \ + $(srcdir)/util/tube.h $(srcdir)/daemon/remote.h \ + $(srcdir)/dnstap/dtstream.h ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \ $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ + $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/services/mesh.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/dname.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/services/mesh.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h + $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \ + val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/validator/autotrust.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/as112.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/validator/autotrust.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/as112.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/sldns/str2wire.h validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_kcache.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_nsec.h \ - $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_sigcrypt.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_anchor.h \ + $(srcdir)/validator/val_kcache.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kentry.h \ + $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_sigcrypt.h \ $(srcdir)/validator/autotrust.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h + $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/validator/val_kcache.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/validator/val_kentry.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h + $(srcdir)/validator/val_kentry.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h -val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h \ + $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/sldns/keyraw.h \ + +val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \ + $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \ + $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ $(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h + $(srcdir)/services/cache/dns.h $(srcdir)/sldns/sbuffer.h val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/validator/val_nsec.h $(srcdir)/sldns/sbuffer.h + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_secalgo.h \ + $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/validator/val_kentry.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/dname.h \ + $(srcdir)/validator/val_nsec.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/validator/val_nsec.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h + $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \ $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ - $(srcdir)/sldns/sbuffer.h + $(srcdir)/sldns/sbuffer.h \ + val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \ $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_secalgo.h \ - $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ - $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h \ - $(srcdir)/sldns/wire2str.h + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/util/data/dname.h $(srcdir)/util/rfc_1982.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \ + $(srcdir)/sldns/keyraw.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h $(srcdir)/services/mesh.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/authzone.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ + val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \ - $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/wire2str.h \ - $(srcdir)/sldns/parseutil.h + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_nsec3.h \ + $(srcdir)/util/rbtree.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_sigcrypt.h \ + $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(srcdir)/util/module.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h -edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h -subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h + $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h +edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \ + $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/random.h +subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \ + $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \ + $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ + $(srcdir)/sldns/wire2str.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \ + $(srcdir)/cachedb/cachedb.h addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util/log.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/edns-subnet/addrtree.h -subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/edns-subnet/addrtree.h +subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \ + $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/random.h \ + $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h +cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h $(srcdir)/util/module.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/cachedb/redis.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/respip/respip.h $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_secalgo.h \ + $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h $(srcdir)/sldns/parseutil.h \ + $(srcdir)/sldns/wire2str.h +redis.lo redis.o: $(srcdir)/cachedb/redis.c config.h $(srcdir)/cachedb/redis.h $(srcdir)/cachedb/cachedb.h \ + $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/timeval_func.h $(srcdir)/sldns/sbuffer.h respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/view.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/modstack.h \ - $(srcdir)/services/rpz.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/services/cache/dns.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/regional.h + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/testcode/checklocks.h -ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h -ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h +dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c config.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ + $(srcdir)/util/random.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \ + $(srcdir)/dnstap/dnstap.h $(srcdir)/dnstap/dtstream.h dnstap/dnstap.pb-c.h +dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h +dnstap_fstrm.lo dnstap_fstrm.o: $(srcdir)/dnstap/dnstap_fstrm.c config.h $(srcdir)/dnstap/dnstap_fstrm.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h +dtstream.lo dtstream.o: $(srcdir)/dnstap/dtstream.c config.h $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h \ + $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/outside_network.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/sldns/sbuffer.h \ + +dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ + $(srcdir)/util/random.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/lookup3.h +ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h $(srcdir)/ipsecmod/ipsecmod.h \ + $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/rbtree.h \ + $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \ + $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/respip/respip.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h +ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h \ + $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/rbtree.h \ + $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/regional.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h +ipset.lo ipset.o: $(srcdir)/ipset/ipset.c config.h $(srcdir)/ipset/ipset.h $(srcdir)/util/module.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/sldns/parseutil.h unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h -unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ - $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h $(srcdir)/iterator/iterator.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/libunbound/unbound.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/random.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/services/outside_network.h +unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/util/log.h \ + $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/edns.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/respip/respip.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/str2wire.h unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \ $(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/testcode/readhex.h \ - $(srcdir)/testcode/testpkts.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h + $(srcdir)/util/alloc.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/testcode/readhex.h $(srcdir)/testcode/testpkts.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/sldns/wire2str.h unitneg.lo unitneg.o: $(srcdir)/testcode/unitneg.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/dname.h $(srcdir)/testcode/unitmain.h $(srcdir)/validator/val_neg.h $(srcdir)/util/rbtree.h \ - $(srcdir)/sldns/rrdef.h + $(srcdir)/util/random.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/locks.h $(srcdir)/util/data/dname.h $(srcdir)/testcode/unitmain.h $(srcdir)/validator/val_neg.h \ + $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h unitregional.lo unitregional.o: $(srcdir)/testcode/unitregional.c config.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/util/log.h $(srcdir)/util/regional.h unitslabhash.lo unitslabhash.o: $(srcdir)/testcode/unitslabhash.c config.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h unitverify.lo unitverify.o: $(srcdir)/testcode/unitverify.c config.h $(srcdir)/util/log.h \ $(srcdir)/testcode/unitmain.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_nsec3.h \ $(srcdir)/util/rbtree.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/testcode/testpkts.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/keyraw.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h + $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h $(srcdir)/testcode/testpkts.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \ + readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/readhex.h $(srcdir)/util/log.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcode/testpkts.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h + $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \ $(srcdir)/sldns/parseutil.h -unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h +unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h $(srcdir)/util/module.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \ + $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \ + $(srcdir)/edns-subnet/edns-subnet.h unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \ - $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/testcode/unitmain.h \ - $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h \ - $(srcdir)/sldns/wire2str.h + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/respip/respip.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h unitzonemd.lo unitzonemd.o: $(srcdir)/testcode/unitzonemd.c config.h $(srcdir)/util/log.h \ $(srcdir)/testcode/unitmain.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/authzone.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h \ - $(srcdir)/validator/val_anchor.h -unittcpreuse.lo unittcpreuse.o: $(srcdir)/testcode/unittcpreuse.c config.h $(srcdir)/services/outside_network.h \ -$(srcdir)/util/random.h + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h \ + $(srcdir)/util/regional.h $(srcdir)/validator/val_anchor.h +unittcpreuse.lo unittcpreuse.o: $(srcdir)/testcode/unittcpreuse.c config.h $(srcdir)/testcode/unitmain.h \ + $(srcdir)/util/log.h $(srcdir)/util/random.h $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h \ + $(srcdir)/util/locks.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + +unitdoq.lo unitdoq.o: $(srcdir)/testcode/unitdoq.c config.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/testcode/unitmain.h +unitinfra.lo unitinfra.o: $(srcdir)/testcode/unitinfra.c config.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/log.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h -cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \ - $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/localzone.h $(srcdir)/util/module.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/sldns/str2wire.h +cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \ + $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \ - $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \ + $(srcdir)/services/outside_network.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \ $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \ - $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/config_file.h $(srcdir)/services/outside_network.h -daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ - $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ - $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \ - $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \ - $(srcdir)/util/edns.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h \ - $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h -remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \ + $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h +daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \ + $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ + $(srcdir)/daemon/worker.h \ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/alloc.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \ - $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ + $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \ + $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \ + $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ + $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/cachedb/cachedb.h +remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \ + $(srcdir)/daemon/remote.h \ + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ $(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/data/dname.h $(srcdir)/validator/validator.h \ - $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/validator/val_anchor.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_delegpt.h \ - $(srcdir)/services/outside_network.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h \ - $(srcdir)/sldns/wire2str.h $(srcdir)/util/edns.h + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/ub_event.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \ + $(srcdir)/util/rtt.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ + $(srcdir)/util/data/dname.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \ + $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_neg.h $(srcdir)/iterator/iterator.h \ + $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \ + $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \ + $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_priv.h $(srcdir)/services/outside_network.h \ + $(srcdir)/util/regional.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/util/timeval_func.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h $(srcdir)/cachedb/cachedb.h \ + $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/tube.h \ - $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ - $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h + $(srcdir)/services/outside_network.h $(srcdir)/util/regional.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/validator/validator.h \ + $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h $(srcdir)/iterator/iterator.h \ + $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h \ + $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/data/dname.h \ + $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \ + unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \ $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ - $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ - $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/ub_event.h + $(srcdir)/daemon/remote.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \ + $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/ub_event.h worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/timeval_func.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ - $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \ + $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/services/listen_dnsport.h \ $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h \ - $(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h \ - $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h \ - $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h + $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/proxy_protocol.h \ + $(srcdir)/util/edns.h $(srcdir)/util/timeval_func.h $(srcdir)/iterator/iter_fwd.h \ + $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \ + $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \ + $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \ $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \ - $(srcdir)/daemon/remote.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/daemon/daemon.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/timeval_func.h $(srcdir)/services/modstack.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ - $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h $(srcdir)/daemon/worker.h + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/daemon/remote.h \ + $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/daemon/worker.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/daemon/unbound.c $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ + $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/ub_event.h testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcode/testpkts.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h + $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/timeval_func.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ - $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \ + $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/services/listen_dnsport.h \ $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h \ - $(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h \ - $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h \ - $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h + $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/proxy_protocol.h \ + $(srcdir)/util/edns.h $(srcdir)/util/timeval_func.h $(srcdir)/iterator/iter_fwd.h \ + $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \ + $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \ + $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h -daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ - $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ - $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \ - $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \ - $(srcdir)/util/edns.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h \ - $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h + $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/localzone.h $(srcdir)/util/module.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/sldns/str2wire.h +daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \ + $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ + $(srcdir)/daemon/worker.h \ + $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \ + $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \ + $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \ + $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ + $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/cachedb/cachedb.h stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/tube.h \ - $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ - $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h + $(srcdir)/services/outside_network.h $(srcdir)/util/regional.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/validator/validator.h \ + $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h $(srcdir)/iterator/iterator.h \ + $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h \ + $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/data/dname.h \ + $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \ + replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h $(srcdir)/util/timeval_func.h \ - $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/replay.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \ + $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/util/timeval_func.h fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/testcode/fake_event.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h \ - $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h $(srcdir)/util/timeval_func.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/services/view.h \ + $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/daemon/remote.h $(srcdir)/util/storage/slabhash.h $(srcdir)/daemon/daemon.h + $(srcdir)/services/localzone.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/daemon/remote.h \ + $(srcdir)/daemon/daemon.h $(srcdir)/util/timeval_func.h lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h pktview.lo pktview.o: $(srcdir)/testcode/pktview.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/testcode/readhex.h $(srcdir)/sldns/sbuffer.h \ @@ -1462,133 +1676,156 @@ readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/r $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h memstats.lo memstats.o: $(srcdir)/testcode/memstats.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c config.h $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ - $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \ - $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/localzone.h \ - $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/regional.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/iterator/iter_fwd.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/validator/val_nsec3.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/daemon/acl_list.h \ + $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ + $(srcdir)/sldns/str2wire.h $(PYTHONMOD_HEADER) $(srcdir)/edns-subnet/subnet-whitelist.h worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ - $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/respip/respip.h $(srcdir)/dnstap/dtstream.h context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbound/context.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/util/edns.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h + $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/edns.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \ $(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \ $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/libunbound/libworker.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h \ - $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h $(srcdir)/util/edns.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h $(srcdir)/util/edns.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/authzone.h \ + $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/respip/respip.h $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h -libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ - $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \ - $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/str2wire.h +libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \ + $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \ + $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h \ + $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h \ + $(srcdir)/util/regional.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/tube.h $(srcdir)/util/random.h $(srcdir)/util/proxy_protocol.h $(srcdir)/util/storage/lookup3.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/dnstap/dtstream.h unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \ + asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h + $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h \ + streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/proxy_protocol.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/proxy_protocol.h \ + $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \ + perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h + $(srcdir)/util/random.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/sldns/str2wire.h delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h -unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/shm_side/shm_main.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h +unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \ + $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/util/timeval_func.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h \ $(srcdir)/sldns/pkthdr.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/modstack.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/listen_dnsport.h + $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/modstack.h $(srcdir)/respip/respip.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/daemon/acl_list.h \ + unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h -petal.lo petal.o: $(srcdir)/testcode/petal.c config.h + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \ + +petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \ + unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnstap-socket.c config.h \ $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h \ - $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/listen_dnsport.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/daemon/worker.h \ - $(srcdir)/libunbound/worker.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h dnstap/dnstap.pb-c.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/util/alloc.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ $(srcdir)/daemon/remote.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \ $(srcdir)/libunbound/unbound-event.h pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h \ $(srcdir)/pythonmod/pythonmod_utils.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/net_help.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/util/regional.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \ + $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h \ + win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ $(srcdir)/daemon/worker.h \ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \ - $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h \ - $(srcdir)/util/net_help.h + $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \ $(srcdir)/winrc/w_inst.h @@ -1596,12 +1833,14 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv $(srcdir)/winrc/w_inst.h anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h -keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h +keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/sldns/rrdef.h \ + sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/sldns/keyraw.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h + $(srcdir)/sldns/keyraw.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \ $(srcdir)/sldns/sbuffer.h parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h @@ -1612,8 +1851,23 @@ dohclient.lo dohclient.o: $(srcdir)/testcode/dohclient.c config.h $(srcdir)/sldn $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \ $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h -readzone.lo readzone.o: $(srcdir)/testcode/readzone.c + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + +doqclient.lo doqclient.o: $(srcdir)/testcode/doqclient.c config.h \ + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/dname.h $(srcdir)/util/ub_event.h \ + $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/daemon/remote.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \ + $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h +readzone.lo readzone.o: $(srcdir)/testcode/readzone.c config.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/sldns/wire2str.h ctime_r.lo ctime_r.o: $(srcdir)/compat/ctime_r.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h fake-rfc2553.lo fake-rfc2553.o: $(srcdir)/compat/fake-rfc2553.c $(srcdir)/compat/fake-rfc2553.h config.h gmtime_r.lo gmtime_r.o: $(srcdir)/compat/gmtime_r.c config.h @@ -1628,9 +1882,11 @@ strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h getentropy_freebsd.lo getentropy_freebsd.o: $(srcdir)/compat/getentropy_freebsd.c -getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h +getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \ + getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c -getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h +getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h \ + getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h diff --git a/ax_build_date_epoch.m4 b/ax_build_date_epoch.m4 new file mode 100644 index 000000000..dbecb067a --- /dev/null +++ b/ax_build_date_epoch.m4 @@ -0,0 +1,70 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_build_date_epoch.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_BUILD_DATE_EPOCH(VARIABLE[, FORMAT[, ACTION-IF-FAIL]]) +# +# DESCRIPTION +# +# Sets VARIABLE to a string representing the current time. It is +# formatted according to FORMAT if specified, otherwise it is formatted as +# the number of seconds (excluding leap seconds) since the UNIX epoch (01 +# Jan 1970 00:00:00 UTC). +# +# If the SOURCE_DATE_EPOCH environment variable is set, it uses the value +# of that variable instead of the current time. See +# https://reproducible-builds.org/specs/source-date-epoch). If +# SOURCE_DATE_EPOCH is set but cannot be properly interpreted as a UNIX +# timestamp, then execute ACTION-IF-FAIL if specified, otherwise error. +# +# VARIABLE is AC_SUBST-ed. +# +# LICENSE +# +# Copyright (c) 2016 Eric Bavier +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 2 + +AC_DEFUN([AX_BUILD_DATE_EPOCH], +[dnl +AC_MSG_CHECKING([for build time]) +ax_date_fmt="m4_default($2,%s)" +AS_IF([test x"$SOURCE_DATE_EPOCH" = x], + [$1=`date "+$ax_date_fmt"`], + [ax_build_date=`date -u -d "@$SOURCE_DATE_EPOCH" "+$ax_date_fmt" 2>/dev/null \ + || date -u -r "$SOURCE_DATE_EPOCH" "+$ax_date_fmt" 2>/dev/null` + AS_IF([test x"$ax_build_date" = x], + [m4_ifval([$3], + [$3], + [AC_MSG_ERROR([malformed SOURCE_DATE_EPOCH])])], + [$1=$ax_build_date])]) +AC_MSG_RESULT([$$1]) +])dnl AX_BUILD_DATE_EPOCH diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c index 24f458e8f..8f2e66342 100644 --- a/cachedb/cachedb.c +++ b/cachedb/cachedb.c @@ -47,6 +47,7 @@ #include "util/regional.h" #include "util/net_help.h" #include "util/config_file.h" +#include "util/data/dname.h" #include "util/data/msgreply.h" #include "util/data/msgencode.h" #include "services/cache/dns.h" @@ -341,6 +342,7 @@ calc_hash(struct query_info* qinfo, struct module_env* env, char* buf, /* copy the hash info into the clear buffer */ if(clen + qinfo->qname_len < sizeof(clear)) { memmove(clear+clen, qinfo->qname, qinfo->qname_len); + query_dname_tolower(clear+clen); clen += qinfo->qname_len; } if(clen + 4 < sizeof(clear)) { diff --git a/cachedb/redis.c b/cachedb/redis.c index 248a3d7b4..9383f1c85 100644 --- a/cachedb/redis.c +++ b/cachedb/redis.c @@ -46,26 +46,62 @@ #include "cachedb/cachedb.h" #include "util/alloc.h" #include "util/config_file.h" +#include "util/locks.h" +#include "util/timeval_func.h" #include "sldns/sbuffer.h" #ifdef USE_REDIS #include "hiredis/hiredis.h" struct redis_moddata { - redisContext** ctxs; /* thread-specific redis contexts */ - int numctxs; /* number of ctx entries */ - const char* server_host; /* server's IP address or host name */ - int server_port; /* server's TCP port */ - const char* server_path; /* server's unix path, or "", NULL if unused */ - const char* server_password; /* server's AUTH password, or "", NULL if unused */ - struct timeval command_timeout; /* timeout for commands */ - struct timeval connect_timeout; /* timeout for connect */ - int logical_db; /* the redis logical database to use */ - int setex_available; /* if the SETEX command is supported */ + /* thread-specific redis contexts */ + redisContext** ctxs; + redisContext** replica_ctxs; + /* number of ctx entries */ + int numctxs; + /* server's IP address or host name */ + const char* server_host; + const char* replica_server_host; + /* server's TCP port */ + int server_port; + int replica_server_port; + /* server's unix path, or "", NULL if unused */ + const char* server_path; + const char* replica_server_path; + /* server's AUTH password, or "", NULL if unused */ + const char* server_password; + const char* replica_server_password; + /* timeout for commands */ + struct timeval command_timeout; + struct timeval replica_command_timeout; + /* timeout for connection setup */ + struct timeval connect_timeout; + struct timeval replica_connect_timeout; + /* the reconnect interval time. */ + struct timeval reconnect_interval; + struct timeval replica_reconnect_interval; + /* reconnect attempts, 0 if connected, counts up failed reconnects. */ + int reconnect_attempts; + int replica_reconnect_attempts; + /* Lock on reconnect_wait time. */ + lock_basic_type wait_lock; + lock_basic_type replica_wait_lock; + /* reconnect wait time, wait until it has passed before reconnect. */ + struct timeval reconnect_wait; + struct timeval replica_reconnect_wait; + /* the redis logical database to use */ + int logical_db; + int replica_logical_db; + /* if the SET with EX command is supported */ + int set_with_ex_available; }; +/** The limit on the number of redis connect attempts. After failure if + * the number is exceeded, the reconnects are throttled by the wait time. */ +#define REDIS_RECONNECT_ATTEMPT_LIMIT 3 + static redisReply* redis_command(struct module_env*, struct cachedb_env*, - const char*, const uint8_t*, size_t); + const char*, const uint8_t*, size_t, int); static void moddata_clean(struct redis_moddata** moddata) { @@ -79,63 +115,139 @@ moddata_clean(struct redis_moddata** moddata) { } free((*moddata)->ctxs); } + if((*moddata)->replica_ctxs) { + int i; + for(i = 0; i < (*moddata)->numctxs; i++) { + if((*moddata)->replica_ctxs[i]) + redisFree((*moddata)->replica_ctxs[i]); + } + free((*moddata)->replica_ctxs); + } + lock_basic_destroy(&(*moddata)->wait_lock); + lock_basic_destroy(&(*moddata)->replica_wait_lock); free(*moddata); *moddata = NULL; } static redisContext* -redis_connect(const struct redis_moddata* moddata) +redis_connect(const char* host, int port, const char* path, + const char* password, int logical_db, + const struct timeval connect_timeout, + const struct timeval command_timeout, + const struct timeval* reconnect_interval, + int* reconnect_attempts, + struct timeval* reconnect_wait, + lock_basic_type* wait_lock, + struct timeval* now_tv, + const char* infostr) { + struct timeval now_val; redisContext* ctx; - if(moddata->server_path && moddata->server_path[0]!=0) { - ctx = redisConnectUnixWithTimeout(moddata->server_path, - moddata->connect_timeout); + /* See if the redis server is down, and reconnect has to wait. */ + if(*reconnect_attempts > REDIS_RECONNECT_ATTEMPT_LIMIT) { + /* Acquire lock to look at timeval, the integer has atomic + * integrity. */ + struct timeval wait_tv; + if(now_tv) { + now_val = *now_tv; + } else { + if(gettimeofday(&now_val, NULL) < 0) + log_err("redis: gettimeofday: %s", + strerror(errno)); + } + lock_basic_lock(wait_lock); + wait_tv = *reconnect_wait; + lock_basic_unlock(wait_lock); + if(timeval_smaller(&now_val, &wait_tv)) { + verbose(VERB_ALGO, "redis %sdown, reconnect wait", + infostr); + return NULL; + } + } + + if(path && path[0]!=0) { + ctx = redisConnectUnixWithTimeout(path, connect_timeout); } else { - ctx = redisConnectWithTimeout(moddata->server_host, - moddata->server_port, moddata->connect_timeout); + ctx = redisConnectWithTimeout(host, port, connect_timeout); } if(!ctx || ctx->err) { const char *errstr = "out of memory"; if(ctx) errstr = ctx->errstr; - log_err("failed to connect to redis server: %s", errstr); + log_err("failed to connect to redis %sserver: %s", infostr, errstr); goto fail; } - if(redisSetTimeout(ctx, moddata->command_timeout) != REDIS_OK) { - log_err("failed to set redis timeout, %s", ctx->errstr); + if(redisSetTimeout(ctx, command_timeout) != REDIS_OK) { + log_err("failed to set redis %stimeout, %s", infostr, ctx->errstr); goto fail; } - if(moddata->server_password && moddata->server_password[0]!=0) { + if(password && password[0]!=0) { redisReply* rep; - rep = redisCommand(ctx, "AUTH %s", moddata->server_password); + rep = redisCommand(ctx, "AUTH %s", password); if(!rep || rep->type == REDIS_REPLY_ERROR) { - log_err("failed to authenticate with password"); + log_err("failed to authenticate %swith password", infostr); freeReplyObject(rep); goto fail; } freeReplyObject(rep); } - if(moddata->logical_db > 0) { + if(logical_db > 0) { redisReply* rep; - rep = redisCommand(ctx, "SELECT %d", moddata->logical_db); + rep = redisCommand(ctx, "SELECT %d", logical_db); if(!rep || rep->type == REDIS_REPLY_ERROR) { - log_err("failed to set logical database (%d)", - moddata->logical_db); + log_err("failed %sto set logical database (%d)", + infostr, logical_db); freeReplyObject(rep); goto fail; } freeReplyObject(rep); } - verbose(VERB_OPS, "Connection to Redis established"); + *reconnect_attempts = 0; + if(verbosity >= VERB_OPS) { + char port_str[6+1]; + port_str[0] = ' '; + (void)snprintf(port_str+1, sizeof(port_str)-1, "%d", port); + verbose(VERB_OPS, "Connection to Redis %sestablished (%s%s)", + infostr, + path&&path[0]!=0?path:host, + path&&path[0]!=0?"":port_str); + } return ctx; fail: if(ctx) redisFree(ctx); + (*reconnect_attempts)++; + if(*reconnect_attempts > REDIS_RECONNECT_ATTEMPT_LIMIT) { + /* Wait for the reconnect interval before trying again. */ + struct timeval tv; + if(now_tv) { + now_val = *now_tv; + } else { + if(gettimeofday(&now_val, NULL) < 0) + log_err("redis: gettimeofday: %s", + strerror(errno)); + } + tv = now_val; + timeval_add(&tv, reconnect_interval); + lock_basic_lock(wait_lock); + *reconnect_wait = tv; + lock_basic_unlock(wait_lock); + verbose(VERB_ALGO, "redis %sreconnect wait until %d.%6.6d", + infostr, (int)tv.tv_sec, (int)tv.tv_usec); + } return NULL; } +static void +set_timeout(struct timeval* timeout, int value, int explicit_value) +{ + int v = explicit_value != 0 ? explicit_value : value; + timeout->tv_sec = v / 1000; + timeout->tv_usec = (v % 1000) * 1000; +} + static int redis_init(struct module_env* env, struct cachedb_env* cachedb_env) { @@ -149,39 +261,76 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env) log_err("out of memory"); goto fail; } + lock_basic_init(&moddata->wait_lock); + lock_protect(&moddata->wait_lock, &moddata->reconnect_wait, + sizeof(moddata->reconnect_wait)); + lock_basic_init(&moddata->replica_wait_lock); + lock_protect(&moddata->replica_wait_lock, + &moddata->replica_reconnect_wait, + sizeof(moddata->replica_reconnect_wait)); moddata->numctxs = env->cfg->num_threads; + /* note: server_host and similar string configuration options are + * shallow references to configured strings; we don't have to free them + * in this module. */ + moddata->server_host = env->cfg->redis_server_host; + moddata->replica_server_host = env->cfg->redis_replica_server_host; + + moddata->server_port = env->cfg->redis_server_port; + moddata->replica_server_port = env->cfg->redis_replica_server_port; + + moddata->server_path = env->cfg->redis_server_path; + moddata->replica_server_path = env->cfg->redis_replica_server_path; + + moddata->server_password = env->cfg->redis_server_password; + moddata->replica_server_password = env->cfg->redis_replica_server_password; + + set_timeout(&moddata->command_timeout, + env->cfg->redis_timeout, + env->cfg->redis_command_timeout); + set_timeout(&moddata->replica_command_timeout, + env->cfg->redis_replica_timeout, + env->cfg->redis_replica_command_timeout); + set_timeout(&moddata->connect_timeout, + env->cfg->redis_timeout, + env->cfg->redis_connect_timeout); + set_timeout(&moddata->replica_connect_timeout, + env->cfg->redis_replica_timeout, + env->cfg->redis_replica_connect_timeout); + set_timeout(&moddata->reconnect_interval, 1000, 0); + set_timeout(&moddata->replica_reconnect_interval, 1000, 0); + + moddata->logical_db = env->cfg->redis_logical_db; + moddata->replica_logical_db = env->cfg->redis_replica_logical_db; + moddata->ctxs = calloc(env->cfg->num_threads, sizeof(redisContext*)); if(!moddata->ctxs) { log_err("out of memory"); goto fail; } - /* note: server_host is a shallow reference to configured string. - * we don't have to free it in this module. */ - moddata->server_host = env->cfg->redis_server_host; - moddata->server_port = env->cfg->redis_server_port; - moddata->server_path = env->cfg->redis_server_path; - moddata->server_password = env->cfg->redis_server_password; - moddata->command_timeout.tv_sec = env->cfg->redis_timeout / 1000; - moddata->command_timeout.tv_usec = - (env->cfg->redis_timeout % 1000) * 1000; - moddata->connect_timeout.tv_sec = env->cfg->redis_timeout / 1000; - moddata->connect_timeout.tv_usec = - (env->cfg->redis_timeout % 1000) * 1000; - if(env->cfg->redis_command_timeout != 0) { - moddata->command_timeout.tv_sec = - env->cfg->redis_command_timeout / 1000; - moddata->command_timeout.tv_usec = - (env->cfg->redis_command_timeout % 1000) * 1000; + if((moddata->replica_server_host && moddata->replica_server_host[0]!=0) + || (moddata->replica_server_path && moddata->replica_server_path[0]!=0)) { + /* There is a replica configured, allocate ctxs */ + moddata->replica_ctxs = calloc(env->cfg->num_threads, sizeof(redisContext*)); + if(!moddata->replica_ctxs) { + log_err("out of memory"); + goto fail; + } } - if(env->cfg->redis_connect_timeout != 0) { - moddata->connect_timeout.tv_sec = - env->cfg->redis_connect_timeout / 1000; - moddata->connect_timeout.tv_usec = - (env->cfg->redis_connect_timeout % 1000) * 1000; - } - moddata->logical_db = env->cfg->redis_logical_db; for(i = 0; i < moddata->numctxs; i++) { - redisContext* ctx = redis_connect(moddata); + redisContext* ctx = redis_connect( + moddata->server_host, + moddata->server_port, + moddata->server_path, + moddata->server_password, + moddata->logical_db, + moddata->connect_timeout, + moddata->command_timeout, + &moddata->reconnect_interval, + &moddata->reconnect_attempts, + &moddata->reconnect_wait, + &moddata->wait_lock, + env->now_tv, + ""); if(!ctx) { log_err("redis_init: failed to init redis " "(for thread %d)", i); @@ -190,17 +339,42 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env) } moddata->ctxs[i] = ctx; } + if(moddata->replica_ctxs) { + for(i = 0; i < moddata->numctxs; i++) { + redisContext* ctx = redis_connect( + moddata->replica_server_host, + moddata->replica_server_port, + moddata->replica_server_path, + moddata->replica_server_password, + moddata->replica_logical_db, + moddata->replica_connect_timeout, + moddata->replica_command_timeout, + &moddata->replica_reconnect_interval, + &moddata->replica_reconnect_attempts, + &moddata->replica_reconnect_wait, + &moddata->replica_wait_lock, + env->now_tv, + "replica "); + if(!ctx) { + log_err("redis_init: failed to init redis " + "replica (for thread %d)", i); + /* And continue, the context can be established + * later, just like after a disconnect. */ + } + moddata->replica_ctxs[i] = ctx; + } + } cachedb_env->backend_data = moddata; if(env->cfg->redis_expire_records && moddata->ctxs[env->alloc->thread_num] != NULL) { redisReply* rep = NULL; int redis_reply_type = 0; - /** check if setex command is supported */ + /** check if set with ex command is supported */ rep = redis_command(env, cachedb_env, - "SETEX __UNBOUND_REDIS_CHECK__ 1 none", NULL, 0); + "SET __UNBOUND_REDIS_CHECK__ none EX 1", NULL, 0, 1); if(!rep) { /** init failed, no response from redis server*/ - goto setex_fail; + goto set_with_ex_fail; } redis_reply_type = rep->type; freeReplyObject(rep); @@ -208,17 +382,17 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env) case REDIS_REPLY_STATUS: break; default: - /** init failed, setex command not supported */ - goto setex_fail; + /** init failed, set_with_ex command not supported */ + goto set_with_ex_fail; } - moddata->setex_available = 1; + moddata->set_with_ex_available = 1; } return 1; -setex_fail: +set_with_ex_fail: log_err("redis_init: failure during redis_init, the " - "redis-expire-records option requires the SETEX command " - "(redis >= 2.0.0)"); + "redis-expire-records option requires the SET with EX command " + "(redis >= 2.6.12)"); return 1; fail: moddata_clean(&moddata); @@ -250,9 +424,9 @@ redis_deinit(struct module_env* env, struct cachedb_env* cachedb_env) */ static redisReply* redis_command(struct module_env* env, struct cachedb_env* cachedb_env, - const char* command, const uint8_t* data, size_t data_len) + const char* command, const uint8_t* data, size_t data_len, int write) { - redisContext* ctx; + redisContext* ctx, **ctx_selector; redisReply* rep; struct redis_moddata* d = (struct redis_moddata*) cachedb_env->backend_data; @@ -263,17 +437,50 @@ redis_command(struct module_env* env, struct cachedb_env* cachedb_env, * assumption throughout the unbound architecture, so we simply assert * it. */ log_assert(env->alloc->thread_num < d->numctxs); - ctx = d->ctxs[env->alloc->thread_num]; + + ctx_selector = !write && d->replica_ctxs + ?d->replica_ctxs + :d->ctxs; + ctx = ctx_selector[env->alloc->thread_num]; /* If we've not established a connection to the server or we've closed * it on a failure, try to re-establish a new one. Failures will be * logged in redis_connect(). */ if(!ctx) { - ctx = redis_connect(d); - d->ctxs[env->alloc->thread_num] = ctx; + if(!write && d->replica_ctxs) { + ctx = redis_connect( + d->replica_server_host, + d->replica_server_port, + d->replica_server_path, + d->replica_server_password, + d->replica_logical_db, + d->replica_connect_timeout, + d->replica_command_timeout, + &d->replica_reconnect_interval, + &d->replica_reconnect_attempts, + &d->replica_reconnect_wait, + &d->replica_wait_lock, + env->now_tv, + "replica "); + } else { + ctx = redis_connect( + d->server_host, + d->server_port, + d->server_path, + d->server_password, + d->logical_db, + d->connect_timeout, + d->command_timeout, + &d->reconnect_interval, + &d->reconnect_attempts, + &d->reconnect_wait, + &d->wait_lock, + env->now_tv, + ""); + } + ctx_selector[env->alloc->thread_num] = ctx; } - if(!ctx) - return NULL; + if(!ctx) return NULL; /* Send the command and get a reply, synchronously. */ rep = (redisReply*)redisCommand(ctx, command, data, data_len); @@ -283,7 +490,7 @@ redis_command(struct module_env* env, struct cachedb_env* cachedb_env, log_err("redis_command: failed to receive a reply, " "closing connection: %s", ctx->errstr); redisFree(ctx); - d->ctxs[env->alloc->thread_num] = NULL; + ctx_selector[env->alloc->thread_num] = NULL; return NULL; } @@ -301,7 +508,14 @@ redis_lookup(struct module_env* env, struct cachedb_env* cachedb_env, char* key, struct sldns_buffer* result_buffer) { redisReply* rep; - char cmdbuf[4+(CACHEDB_HASHSIZE/8)*2+1]; /* "GET " + key */ + /* Supported commands: + * - "GET " + key + */ +#define REDIS_LOOKUP_MAX_BUF_LEN \ + 4 /* "GET " */ \ + +(CACHEDB_HASHSIZE/8)*2 /* key hash */ \ + + 1 /* \0 */ + char cmdbuf[REDIS_LOOKUP_MAX_BUF_LEN]; int n; int ret = 0; @@ -313,7 +527,7 @@ redis_lookup(struct module_env* env, struct cachedb_env* cachedb_env, return 0; } - rep = redis_command(env, cachedb_env, cmdbuf, NULL, 0); + rep = redis_command(env, cachedb_env, cmdbuf, NULL, 0, 0); if(!rep) return 0; switch(rep->type) { @@ -352,27 +566,43 @@ redis_store(struct module_env* env, struct cachedb_env* cachedb_env, int n; struct redis_moddata* moddata = (struct redis_moddata*) cachedb_env->backend_data; - int set_ttl = (moddata->setex_available && + int set_ttl = (moddata->set_with_ex_available && env->cfg->redis_expire_records && (!env->cfg->serve_expired || env->cfg->serve_expired_ttl > 0)); /* Supported commands: * - "SET " + key + " %b" - * - "SETEX " + key + " " + ttl + " %b" + * - "SET " + key + " %b EX " + ttl + * older redis 2.0.0 was "SETEX " + key + " " + ttl + " %b" + * - "EXPIRE " + key + " 0" */ - char cmdbuf[6+(CACHEDB_HASHSIZE/8)*2+11+3+1]; +#define REDIS_STORE_MAX_BUF_LEN \ + 7 /* "EXPIRE " */ \ + +(CACHEDB_HASHSIZE/8)*2 /* key hash */ \ + + 7 /* " %b EX " */ \ + + 20 /* ttl (uint64_t) */ \ + + 1 /* \0 */ + char cmdbuf[REDIS_STORE_MAX_BUF_LEN]; if (!set_ttl) { verbose(VERB_ALGO, "redis_store %s (%d bytes)", key, (int)data_len); /* build command to set to a binary safe string */ n = snprintf(cmdbuf, sizeof(cmdbuf), "SET %s %%b", key); + } else if(ttl == 0) { + /* use the EXPIRE command, SET with EX 0 is an invalid time. */ + /* Replies with REDIS_REPLY_INTEGER of 1. */ + verbose(VERB_ALGO, "redis_store expire %s (%d bytes)", + key, (int)data_len); + n = snprintf(cmdbuf, sizeof(cmdbuf), "EXPIRE %s 0", key); + data = NULL; + data_len = 0; } else { /* add expired ttl time to redis ttl to avoid premature eviction of key */ ttl += env->cfg->serve_expired_ttl; verbose(VERB_ALGO, "redis_store %s (%d bytes) with ttl %u", - key, (int)data_len, (uint32_t)ttl); + key, (int)data_len, (unsigned)(uint32_t)ttl); /* build command to set to a binary safe string */ - n = snprintf(cmdbuf, sizeof(cmdbuf), "SETEX %s %u %%b", key, - (uint32_t)ttl); + n = snprintf(cmdbuf, sizeof(cmdbuf), "SET %s %%b EX %u", key, + (unsigned)(uint32_t)ttl); } @@ -381,11 +611,12 @@ redis_store(struct module_env* env, struct cachedb_env* cachedb_env, return; } - rep = redis_command(env, cachedb_env, cmdbuf, data, data_len); + rep = redis_command(env, cachedb_env, cmdbuf, data, data_len, 1); if(rep) { verbose(VERB_ALGO, "redis_store set completed"); if(rep->type != REDIS_REPLY_STATUS && - rep->type != REDIS_REPLY_ERROR) { + rep->type != REDIS_REPLY_ERROR && + rep->type != REDIS_REPLY_INTEGER) { log_err("redis_store: unexpected type of reply (%d)", rep->type); } diff --git a/compat/fake-rfc2553.c b/compat/fake-rfc2553.c index 0f0f34f1f..45b703f2b 100644 --- a/compat/fake-rfc2553.c +++ b/compat/fake-rfc2553.c @@ -57,7 +57,7 @@ int getnameinfo(const struct sockaddr *sa, size_t ATTR_UNUSED(salen), char *host } if (host != NULL) { - if (flags & NI_NUMERICHOST) { + if ((flags & NI_NUMERICHOST)) { if (strlcpy(host, inet_ntoa(sin->sin_addr), hostlen) >= hostlen) return (EAI_MEMORY); @@ -168,7 +168,7 @@ getaddrinfo(const char *hostname, const char *servname, port = 0; } - if (hints && hints->ai_flags & AI_PASSIVE) { + if (hints && (hints->ai_flags & AI_PASSIVE)) { addr = htonl(0x00000000); if (hostname && inet_aton(hostname, &in) != 0) addr = in.s_addr; @@ -193,7 +193,7 @@ getaddrinfo(const char *hostname, const char *servname, } /* Don't try DNS if AI_NUMERICHOST is set */ - if (hints && hints->ai_flags & AI_NUMERICHOST) + if (hints && (hints->ai_flags & AI_NUMERICHOST)) return (EAI_NONAME); hp = gethostbyname(hostname); diff --git a/compat/malloc.c b/compat/malloc.c index d8097b13e..74beae01c 100644 --- a/compat/malloc.c +++ b/compat/malloc.c @@ -5,12 +5,8 @@ #undef malloc #include -#ifndef USE_WINSOCK -void *malloc (); -#else /* provide a prototype */ void *malloc (size_t n); -#endif /* Allocate an N-byte block of memory from the heap. If N is zero, allocate a 1-byte block. */ diff --git a/config.h.in b/config.h.in index dc03e82dd..10222cd12 100644 --- a/config.h.in +++ b/config.h.in @@ -173,6 +173,10 @@ 0 if you don't. */ #undef HAVE_DECL_SSL_CTX_SET_ECDH_AUTO +/* Define to 1 if you have the declaration of `SSL_CTX_set_tmp_ecdh', and to 0 + if you don't. */ +#undef HAVE_DECL_SSL_CTX_SET_TMP_ECDH + /* Define to 1 if you have the declaration of `strlcat', and to 0 if you don't. */ #undef HAVE_DECL_STRLCAT @@ -378,6 +382,9 @@ /* Define if we have LibreSSL */ #undef HAVE_LIBRESSL +/* If we have atomic_store */ +#undef HAVE_LINK_ATOMIC_STORE + /* Define to 1 if you have the header file. */ #undef HAVE_LINUX_NET_TSTAMP_H @@ -474,6 +481,9 @@ `ngtcp2_crypto_quictls_from_ossl_encryption_level' function. */ #undef HAVE_NGTCP2_CRYPTO_QUICTLS_FROM_OSSL_ENCRYPTION_LEVEL +/* Define to 1 if you have the `ngtcp2_crypto_quictls_init' function. */ +#undef HAVE_NGTCP2_CRYPTO_QUICTLS_INIT + /* Define to 1 if the system has the type `ngtcp2_encryption_level'. */ #undef HAVE_NGTCP2_ENCRYPTION_LEVEL @@ -481,6 +491,9 @@ */ #undef HAVE_NGTCP2_NGTCP2_CRYPTO_OPENSSL_H +/* Define to 1 if you have the header file. */ +#undef HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H + /* Define to 1 if you have the header file. */ #undef HAVE_NGTCP2_NGTCP2_CRYPTO_QUICTLS_H @@ -642,9 +655,6 @@ function. */ #undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB -/* Define to 1 if you have the `SSL_CTX_set_tmp_ecdh' function. */ -#undef HAVE_SSL_CTX_SET_TMP_ECDH - /* Define to 1 if you have the `SSL_get0_alpn_selected' function. */ #undef HAVE_SSL_GET0_ALPN_SELECTED @@ -663,6 +673,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_STDARG_H +/* Define to 1 if you have the header file. */ +#undef HAVE_STDATOMIC_H + /* Define to 1 if you have the header file. */ #undef HAVE_STDBOOL_H @@ -1017,6 +1030,9 @@ /* Define this to enable client TCP Fast Open. */ #undef USE_MSG_FASTOPEN +/* Define this to use ngtcp2_crypto_ossl. */ +#undef USE_NGTCP2_CRYPTO_OSSL + /* Define this to enable client TCP Fast Open. */ #undef USE_OSX_MSG_FASTOPEN diff --git a/configure b/configure index a41e3e1eb..e6cc137bd 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for unbound 1.22.1. +# Generated by GNU Autoconf 2.71 for unbound 1.23.2. # # Report bugs to . # @@ -622,8 +622,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.22.1' -PACKAGE_STRING='unbound 1.22.1' +PACKAGE_VERSION='1.23.2' +PACKAGE_STRING='unbound 1.23.2' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues' PACKAGE_URL='' @@ -685,7 +685,9 @@ opt_dnstap_socket_path ENABLE_DNSTAP PROTOBUFC_LIBS PROTOBUFC_CFLAGS +PROTOC_GEN_C PROTOC_C +PROTOC UBSYMS EXTRALINK COMMON_OBJ_ALL_SYMBOLS @@ -712,6 +714,7 @@ SSLLIB HAVE_SSL PC_CRYPTO_DEPENDENCY CONFIG_DATE +SOURCE_DATE_EPOCH GCC_DOCKER_LINTFLAGS NETBSD_LINTFLAGS PYUNBOUND_UNINSTALL @@ -959,6 +962,7 @@ SYSTEMD_LIBS SYSTEMD_DAEMON_CFLAGS SYSTEMD_DAEMON_LIBS PYTHON_VERSION +SOURCE_DATE_EPOCH PROTOBUFC_CFLAGS PROTOBUFC_LIBS' @@ -1509,7 +1513,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.22.1 to adapt to many kinds of systems. +\`configure' configures unbound 1.23.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1575,7 +1579,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.22.1:";; + short | recursive ) echo "Configuration of unbound 1.23.2:";; esac cat <<\_ACEOF @@ -1752,6 +1756,10 @@ Some influential environment variables: The installed Python version to use, for example '2.3'. This string will be appended to the Python interpreter canonical name. + SOURCE_DATE_EPOCH + If it is set, it uses the value of that variable instead of the + current time as the build timestamp. The format is a unix + timestamp. This enables reproducible build output. PROTOBUFC_CFLAGS C compiler flags for PROTOBUFC, overriding pkg-config PROTOBUFC_LIBS @@ -1824,7 +1832,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.22.1 +unbound configure 1.23.2 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2481,7 +2489,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.22.1, which was +It was created by unbound $as_me 1.23.2, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3243,13 +3251,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu UNBOUND_VERSION_MAJOR=1 -UNBOUND_VERSION_MINOR=22 +UNBOUND_VERSION_MINOR=23 -UNBOUND_VERSION_MICRO=1 +UNBOUND_VERSION_MICRO=2 LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=31 +LIBUNBOUND_REVISION=33 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -3347,7 +3355,9 @@ LIBUNBOUND_AGE=1 # 1.21.0 had 9:28:1 # 1.21.1 had 9:29:1 # 1.22.0 had 9:30:1 -# 1.22.1 had 9:31:1 +# 1.23.0 had 9:31:1 +# 1.23.1 had 9:32:1 +# 1.23.2 had 9:33:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -16094,6 +16104,14 @@ then : fi +ac_fn_c_check_header_compile "$LINENO" "stdatomic.h" "ac_cv_header_stdatomic_h" "$ac_includes_default +" +if test "x$ac_cv_header_stdatomic_h" = xyes +then : + printf "%s\n" "#define HAVE_STDATOMIC_H 1" >>confdefs.h + +fi + # check for types. # Using own tests for int64* because autoconf builtin only give 32bit. @@ -19894,7 +19912,26 @@ if test "`uname`" = "Linux"; then GCC_DOCKER_LINTFLAGS='-syntax' fi -CONFIG_DATE=`date +%Y%m%d` +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for build time" >&5 +printf %s "checking for build time... " >&6; } +ax_date_fmt="%Y%m%d" +if test x"$SOURCE_DATE_EPOCH" = x +then : + CONFIG_DATE=`date "+$ax_date_fmt"` +else $as_nop + ax_build_date=`date -u -d "@$SOURCE_DATE_EPOCH" "+$ax_date_fmt" 2>/dev/null \ + || date -u -r "$SOURCE_DATE_EPOCH" "+$ax_date_fmt" 2>/dev/null` + if test x"$ax_build_date" = x +then : + as_fn_error $? "malformed SOURCE_DATE_EPOCH" "$LINENO" 5 +else $as_nop + CONFIG_DATE=$ax_build_date +fi +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CONFIG_DATE" >&5 +printf "%s\n" "$CONFIG_DATE" >&6; } + + # Checks for libraries. @@ -20783,12 +20820,6 @@ then : printf "%s\n" "#define HAVE_BIO_SET_CALLBACK_EX 1" >>confdefs.h fi -ac_fn_c_check_func "$LINENO" "SSL_CTX_set_tmp_ecdh" "ac_cv_func_SSL_CTX_set_tmp_ecdh" -if test "x$ac_cv_func_SSL_CTX_set_tmp_ecdh" = xyes -then : - printf "%s\n" "#define HAVE_SSL_CTX_SET_TMP_ECDH 1" >>confdefs.h - -fi # these check_funcs need -lssl @@ -20947,6 +20978,34 @@ else $as_nop ac_have_decl=0 fi printf "%s\n" "#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO $ac_have_decl" >>confdefs.h +ac_fn_check_decl "$LINENO" "SSL_CTX_set_tmp_ecdh" "ac_cv_have_decl_SSL_CTX_set_tmp_ecdh" " +$ac_includes_default +#ifdef HAVE_OPENSSL_ERR_H +#include +#endif + +#ifdef HAVE_OPENSSL_RAND_H +#include +#endif + +#ifdef HAVE_OPENSSL_CONF_H +#include +#endif + +#ifdef HAVE_OPENSSL_ENGINE_H +#include +#endif +#include +#include + +" "$ac_c_undeclared_builtin_options" "CFLAGS" +if test "x$ac_cv_have_decl_SSL_CTX_set_tmp_ecdh" = xyes +then : + ac_have_decl=1 +else $as_nop + ac_have_decl=0 +fi +printf "%s\n" "#define HAVE_DECL_SSL_CTX_SET_TMP_ECDH $ac_have_decl" >>confdefs.h if test "$ac_cv_func_HMAC_Init_ex" = "yes"; then @@ -22250,6 +22309,13 @@ if test "x$ac_cv_header_ngtcp2_ngtcp2_h" = xyes then : printf "%s\n" "#define HAVE_NGTCP2_NGTCP2_H 1" >>confdefs.h +fi +ac_fn_c_check_header_compile "$LINENO" "ngtcp2/ngtcp2_crypto_ossl.h" "ac_cv_header_ngtcp2_ngtcp2_crypto_ossl_h" "$ac_includes_default +" +if test "x$ac_cv_header_ngtcp2_ngtcp2_crypto_ossl_h" = xyes +then : + printf "%s\n" "#define HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H 1" >>confdefs.h + fi ac_fn_c_check_header_compile "$LINENO" "ngtcp2/ngtcp2_crypto_openssl.h" "ac_cv_header_ngtcp2_ngtcp2_crypto_openssl_h" "$ac_includes_default " @@ -22290,7 +22356,52 @@ else $as_nop fi printf "%s\n" "#define HAVE_DECL_NGTCP2_CRYPTO_ENCRYPT_CB $ac_have_decl" >>confdefs.h - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_ossl" >&5 +printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_ossl... " >&6; } +if test ${ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb+y} +then : + printf %s "(cached) " >&6 +else $as_nop + ac_check_lib_save_LIBS=$LIBS +LIBS="-lngtcp2_crypto_ossl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +char ngtcp2_crypto_encrypt_cb (); +int +main (void) +{ +return ngtcp2_crypto_encrypt_cb (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb=yes +else $as_nop + ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" >&5 +printf "%s\n" "$ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" >&6; } +if test "x$ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" = xyes +then : + + LIBS="$LIBS -lngtcp2_crypto_ossl" + +printf "%s\n" "#define USE_NGTCP2_CRYPTO_OSSL 1" >>confdefs.h + + +else $as_nop + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl" >&5 printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl... " >&6; } if test ${ac_cv_lib_ngtcp2_crypto_openssl_ngtcp2_crypto_encrypt_cb+y} then : @@ -22328,9 +22439,9 @@ printf "%s\n" "$ac_cv_lib_ngtcp2_crypto_openssl_ngtcp2_crypto_encrypt_cb" >&6; } if test "x$ac_cv_lib_ngtcp2_crypto_openssl_ngtcp2_crypto_encrypt_cb" = xyes then : LIBS="$LIBS -lngtcp2_crypto_openssl" -fi +else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls" >&5 printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls... " >&6; } if test ${ac_cv_lib_ngtcp2_crypto_quictls_ngtcp2_crypto_encrypt_cb+y} then : @@ -22368,6 +22479,12 @@ printf "%s\n" "$ac_cv_lib_ngtcp2_crypto_quictls_ngtcp2_crypto_encrypt_cb" >&6; } if test "x$ac_cv_lib_ngtcp2_crypto_quictls_ngtcp2_crypto_encrypt_cb" = xyes then : LIBS="$LIBS -lngtcp2_crypto_quictls" +fi + + +fi + + fi ac_fn_c_check_func "$LINENO" "ngtcp2_crypto_encrypt_cb" "ac_cv_func_ngtcp2_crypto_encrypt_cb" @@ -22417,6 +22534,12 @@ if test "x$ac_cv_func_ngtcp2_crypto_quictls_configure_client_context" = xyes then : printf "%s\n" "#define HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT 1" >>confdefs.h +fi +ac_fn_c_check_func "$LINENO" "ngtcp2_crypto_quictls_init" "ac_cv_func_ngtcp2_crypto_quictls_init" +if test "x$ac_cv_func_ngtcp2_crypto_quictls_init" = xyes +then : + printf "%s\n" "#define HAVE_NGTCP2_CRYPTO_QUICTLS_INIT 1" >>confdefs.h + fi ac_fn_c_check_func "$LINENO" "ngtcp2_conn_get_num_scid" "ac_cv_func_ngtcp2_conn_get_num_scid" if test "x$ac_cv_func_ngtcp2_conn_get_num_scid" = xyes @@ -22438,6 +22561,10 @@ then : fi + # these check_funcs need -lssl + BAKLIBS="$LIBS" + LIBS="-lssl $LIBS" + for ac_func in SSL_is_quic do : ac_fn_c_check_func "$LINENO" "SSL_is_quic" "ac_cv_func_SSL_is_quic" @@ -22450,6 +22577,8 @@ else $as_nop fi done + LIBS="$BAKLIBS" + ac_fn_c_check_type "$LINENO" "struct ngtcp2_version_cid" "ac_cv_type_struct_ngtcp2_version_cid" "$ac_includes_default #include @@ -23497,6 +23626,48 @@ if echo $host_os | grep darwin8 > /dev/null; then printf "%s\n" "#define DARWIN_BROKEN_SETREUID 1" >>confdefs.h fi + +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for atomic_store" >&5 +printf %s "checking for atomic_store... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$ac_includes_default +#ifdef HAVE_STDATOMIC_H +#include +#endif + +int +main (void) +{ + + int newvar = 5, var = 0; + atomic_store((_Atomic int*)&var, newvar); + newvar = 0; + /* condition to use the variables. */ + if(var == newvar) return 1; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +printf "%s\n" "yes" >&6; } + +printf "%s\n" "#define HAVE_LINK_ATOMIC_STORE 1" >>confdefs.h + + +else $as_nop + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext + ac_fn_check_decl "$LINENO" "inet_pton" "ac_cv_have_decl_inet_pton" " $ac_includes_default #ifdef HAVE_NETINET_IN_H @@ -24173,7 +24344,55 @@ fi if test "x$opt_dnstap" != "xno"; then - # Extract the first word of "protoc-c", so it can be a program name with args. + # Extract the first word of "protoc", so it can be a program name with args. +set dummy protoc; ac_word=$2 +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +printf %s "checking for $ac_word... " >&6; } +if test ${ac_cv_path_PROTOC+y} +then : + printf %s "(cached) " >&6 +else $as_nop + case $PROTOC in + [\\/]* | ?:[\\/]*) + ac_cv_path_PROTOC="$PROTOC" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + case $as_dir in #((( + '') as_dir=./ ;; + */) ;; + *) as_dir=$as_dir/ ;; + esac + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then + ac_cv_path_PROTOC="$as_dir$ac_word$ac_exec_ext" + printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PROTOC=$ac_cv_path_PROTOC +if test -n "$PROTOC"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PROTOC" >&5 +printf "%s\n" "$PROTOC" >&6; } +else + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } +fi + + + # 'protoc-c' is deprecated. We use 'protoc' instead. If it can not be + # found, try 'protoc-c'. + if test -z "$PROTOC"; then + # Extract the first word of "protoc-c", so it can be a program name with args. set dummy protoc-c; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } @@ -24218,9 +24437,83 @@ printf "%s\n" "no" >&6; } fi - if test -z "$PROTOC_C"; then - as_fn_error $? "The protoc-c program was not found. Please install protobuf-c!" "$LINENO" 5 - fi + else + PROTOC_C="$PROTOC" + fi + if test -z "$PROTOC_C"; then + as_fn_error $? "The protoc or protoc-c program was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c to provide protoc or protoc-c" "$LINENO" 5 + fi + + # Check for protoc-gen-c plugin + # Extract the first word of "protoc-gen-c", so it can be a program name with args. +set dummy protoc-gen-c; ac_word=$2 +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +printf %s "checking for $ac_word... " >&6; } +if test ${ac_cv_path_PROTOC_GEN_C+y} +then : + printf %s "(cached) " >&6 +else $as_nop + case $PROTOC_GEN_C in + [\\/]* | ?:[\\/]*) + ac_cv_path_PROTOC_GEN_C="$PROTOC_GEN_C" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + case $as_dir in #((( + '') as_dir=./ ;; + */) ;; + *) as_dir=$as_dir/ ;; + esac + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then + ac_cv_path_PROTOC_GEN_C="$as_dir$ac_word$ac_exec_ext" + printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PROTOC_GEN_C=$ac_cv_path_PROTOC_GEN_C +if test -n "$PROTOC_GEN_C"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PROTOC_GEN_C" >&5 +printf "%s\n" "$PROTOC_GEN_C" >&6; } +else + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } +fi + + + if test -z "$PROTOC_GEN_C"; then + as_fn_error $? "The protoc-gen-c plugin was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c-compiler to provide protoc-gen-c" "$LINENO" 5 + fi + + # Test that protoc-gen-c actually works + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if protoc-gen-c plugin works" >&5 +printf %s "checking if protoc-gen-c plugin works... " >&6; } + cat > conftest.proto << EOF +syntax = "proto2"; +message TestMessage { + optional string test_field = 1; +} +EOF + if $PROTOC_C --c_out=. conftest.proto >/dev/null 2>&1; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +printf "%s\n" "yes" >&6; } + rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h + else + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } + rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h + as_fn_error $? "The protoc-gen-c plugin is not working properly. Please ensure protobuf-c-compiler is properly installed" "$LINENO" 5 + fi + # Check whether --with-protobuf-c was given. if test ${with_protobuf_c+y} @@ -24998,9 +25291,27 @@ printf "%s\n" "#define MAXSYSLOGMSGLEN 10240" >>confdefs.h -version=1.22.1 +version=1.23.2 + +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for build time" >&5 +printf %s "checking for build time... " >&6; } +ax_date_fmt="%b %e, %Y" +if test x"$SOURCE_DATE_EPOCH" = x +then : + date=`date "+$ax_date_fmt"` +else $as_nop + ax_build_date=`date -u -d "@$SOURCE_DATE_EPOCH" "+$ax_date_fmt" 2>/dev/null \ + || date -u -r "$SOURCE_DATE_EPOCH" "+$ax_date_fmt" 2>/dev/null` + if test x"$ax_build_date" = x +then : + as_fn_error $? "malformed SOURCE_DATE_EPOCH" "$LINENO" 5 +else $as_nop + date=$ax_build_date +fi +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $date" >&5 +printf "%s\n" "$date" >&6; } -date=`date +'%b %e, %Y'` ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service" @@ -25510,7 +25821,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.22.1, which was +This file was extended by unbound $as_me 1.23.2, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -25578,7 +25889,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -unbound config.status 1.22.1 +unbound config.status 1.23.2 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index a5a856fc1..d92e61a28 100644 --- a/configure.ac +++ b/configure.ac @@ -2,6 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ([2.56]) sinclude(acx_nlnetlabs.m4) +sinclude(ax_build_date_epoch.m4) sinclude(ax_pthread.m4) sinclude(acx_python.m4) sinclude(ax_pkg_swig.m4) @@ -10,15 +11,15 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) -m4_define([VERSION_MINOR],[22]) -m4_define([VERSION_MICRO],[1]) +m4_define([VERSION_MINOR],[23]) +m4_define([VERSION_MICRO],[2]) AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound]) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=31 +LIBUNBOUND_REVISION=33 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -116,7 +117,9 @@ LIBUNBOUND_AGE=1 # 1.21.0 had 9:28:1 # 1.21.1 had 9:29:1 # 1.22.0 had 9:30:1 -# 1.22.1 had 9:31:1 +# 1.23.0 had 9:31:1 +# 1.23.1 had 9:32:1 +# 1.23.2 had 9:33:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -523,6 +526,7 @@ AC_CHECK_HEADERS([netioapi.h],,, [AC_INCLUDES_DEFAULT # Check for Linux timestamping headers AC_CHECK_HEADERS([linux/net_tstamp.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([stdatomic.h],,, [AC_INCLUDES_DEFAULT]) # check for types. # Using own tests for int64* because autoconf builtin only give 32bit. @@ -908,7 +912,8 @@ if test "`uname`" = "Linux"; then GCC_DOCKER_LINTFLAGS='-syntax' AC_SUBST(GCC_DOCKER_LINTFLAGS) fi -CONFIG_DATE=`date +%Y%m%d` +AX_BUILD_DATE_EPOCH(CONFIG_DATE, [%Y%m%d]) +AC_ARG_VAR(SOURCE_DATE_EPOCH, [If it is set, it uses the value of that variable instead of the current time as the build timestamp. The format is a unix timestamp. This enables reproducible build output.]) AC_SUBST(CONFIG_DATE) # Checks for libraries. @@ -992,7 +997,7 @@ else AC_MSG_RESULT([no]) fi AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT]) -AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex SSL_CTX_set_tmp_ecdh]) +AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex]) # these check_funcs need -lssl BAKLIBS="$LIBS" @@ -1000,7 +1005,7 @@ LIBS="-lssl $LIBS" AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate]) LIBS="$BAKLIBS" -AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ +AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set_tmp_ecdh], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H #include @@ -1606,17 +1611,29 @@ if test x_$withval = x_yes -o x_$withval != x_no; then if test x_$found_libngtcp2 != x_yes; then AC_MSG_ERROR([Could not find libngtcp2, ngtcp2.h]) fi - AC_CHECK_HEADERS([ngtcp2/ngtcp2.h ngtcp2/ngtcp2_crypto_openssl.h ngtcp2/ngtcp2_crypto_quictls.h],,, [AC_INCLUDES_DEFAULT]) + AC_CHECK_HEADERS([ngtcp2/ngtcp2.h ngtcp2/ngtcp2_crypto_ossl.h ngtcp2/ngtcp2_crypto_openssl.h ngtcp2/ngtcp2_crypto_quictls.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_DECLS([ngtcp2_conn_server_new], [], [], [AC_INCLUDES_DEFAULT #include ]) AC_CHECK_DECLS([ngtcp2_crypto_encrypt_cb], [], [], [AC_INCLUDES_DEFAULT #include ]) - AC_CHECK_LIB([ngtcp2_crypto_openssl], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_openssl" ]) - AC_CHECK_LIB([ngtcp2_crypto_quictls], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_quictls" ]) - AC_CHECK_FUNCS([ngtcp2_crypto_encrypt_cb ngtcp2_ccerr_default ngtcp2_conn_in_closing_period ngtcp2_conn_in_draining_period ngtcp2_conn_get_max_local_streams_uni ngtcp2_crypto_quictls_from_ossl_encryption_level ngtcp2_crypto_quictls_configure_server_context ngtcp2_crypto_quictls_configure_client_context ngtcp2_conn_get_num_scid ngtcp2_conn_tls_early_data_rejected ngtcp2_conn_encode_0rtt_transport_params]) + AC_CHECK_LIB([ngtcp2_crypto_ossl], [ngtcp2_crypto_encrypt_cb], [ + LIBS="$LIBS -lngtcp2_crypto_ossl" + AC_DEFINE(USE_NGTCP2_CRYPTO_OSSL, 1, [Define this to use ngtcp2_crypto_ossl.]) + ], [ + AC_CHECK_LIB([ngtcp2_crypto_openssl], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_openssl" ], [ + AC_CHECK_LIB([ngtcp2_crypto_quictls], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_quictls" ]) + ]) + ]) + AC_CHECK_FUNCS([ngtcp2_crypto_encrypt_cb ngtcp2_ccerr_default ngtcp2_conn_in_closing_period ngtcp2_conn_in_draining_period ngtcp2_conn_get_max_local_streams_uni ngtcp2_crypto_quictls_from_ossl_encryption_level ngtcp2_crypto_quictls_configure_server_context ngtcp2_crypto_quictls_configure_client_context ngtcp2_crypto_quictls_init ngtcp2_conn_get_num_scid ngtcp2_conn_tls_early_data_rejected ngtcp2_conn_encode_0rtt_transport_params]) + + # these check_funcs need -lssl + BAKLIBS="$LIBS" + LIBS="-lssl $LIBS" AC_CHECK_FUNCS([SSL_is_quic], [], [AC_MSG_ERROR([No QUIC support detected in OpenSSL. Need OpenSSL version with QUIC support to enable DNS over QUIC with libngtcp2.])]) + LIBS="$BAKLIBS" + AC_CHECK_TYPES([struct ngtcp2_version_cid, ngtcp2_encryption_level],,,[AC_INCLUDES_DEFAULT #include ]) @@ -1815,6 +1832,25 @@ AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])]) if echo $host_os | grep darwin8 > /dev/null; then AC_DEFINE(DARWIN_BROKEN_SETREUID, 1, [Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work]) fi + +AC_MSG_CHECKING([for atomic_store]) +AC_LINK_IFELSE([AC_LANG_PROGRAM(AC_INCLUDES_DEFAULT [[ +#ifdef HAVE_STDATOMIC_H +#include +#endif +]], [[ + int newvar = 5, var = 0; + atomic_store((_Atomic int*)&var, newvar); + newvar = 0; + /* condition to use the variables. */ + if(var == newvar) return 1; +]])], [ + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_LINK_ATOMIC_STORE, 1, [If we have atomic_store]) +], [ + AC_MSG_RESULT([no]) +]) + AC_CHECK_DECLS([inet_pton,inet_ntop], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_NETINET_IN_H @@ -2435,7 +2471,8 @@ char *unbound_stat_strdup_log(const char *s, const char* file, int line, dnl if we build from source tree, the man pages need @date@ and @version@ dnl if this is a distro tarball, that was already done by makedist.sh AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO]) -AC_SUBST(date, [`date +'%b %e, %Y'`]) +AX_BUILD_DATE_EPOCH(date, [[%b %e, %Y]]) +AC_SUBST(date) AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service]) AC_CONFIG_HEADERS([config.h]) diff --git a/contrib/android/install_expat.sh b/contrib/android/install_expat.sh index ffb22322c..5d736b8b9 100755 --- a/contrib/android/install_expat.sh +++ b/contrib/android/install_expat.sh @@ -1,21 +1,24 @@ #!/usr/bin/env bash +LIBEXPAT_FNAME=expat-2.7.0 +LIBEXPAT_VERSION_DIR=R_2_7_0 + echo "Downloading Expat" -if ! curl -L -k -s -o expat-2.2.9.tar.gz https://github.com/libexpat/libexpat/releases/download/R_2_2_9/expat-2.2.9.tar.gz; +if ! curl -L -k -s -o $LIBEXPAT_FNAME.tar.gz https://github.com/libexpat/libexpat/releases/download/$LIBEXPAT_VERSION_DIR/$LIBEXPAT_FNAME.tar.gz; then echo "Failed to download Expat" exit 1 fi echo "Unpacking Expat" -rm -rf ./expat-2.2.9 -if ! tar -xf expat-2.2.9.tar.gz; +rm -rf ./$LIBEXPAT_FNAME +if ! tar -xf $LIBEXPAT_FNAME.tar.gz; then echo "Failed to unpack Expat" exit 1 fi -cd expat-2.2.9 || exit 1 +cd $LIBEXPAT_FNAME || exit 1 echo "Configuring Expat" if ! ./configure --build="$AUTOTOOLS_BUILD" --host="$AUTOTOOLS_HOST" --prefix="$ANDROID_PREFIX"; then diff --git a/contrib/ios/install_expat.sh b/contrib/ios/install_expat.sh index 9471b5aff..4972c467b 100755 --- a/contrib/ios/install_expat.sh +++ b/contrib/ios/install_expat.sh @@ -1,28 +1,32 @@ #!/usr/bin/env bash +LIBEXPAT_FNAME=expat-2.7.0 +LIBEXPAT_VERSION_DIR=R_2_7_0 + echo "Downloading Expat" -if ! curl -L -k -s -o expat-2.2.9.tar.gz https://github.com/libexpat/libexpat/releases/download/R_2_2_9/expat-2.2.9.tar.gz; +if ! curl -L -k -s -o $LIBEXPAT_FNAME.tar.gz https://github.com/libexpat/libexpat/releases/download/$LIBEXPAT_VERSION_DIR/$LIBEXPAT_FNAME.tar.gz; then echo "Failed to download Expat" exit 1 fi echo "Unpacking Expat" -rm -rf ./expat-2.2.9 -if ! tar -xf expat-2.2.9.tar.gz; +rm -rf ./$LIBEXPAT_FNAME +if ! tar -xf $LIBEXPAT_FNAME.tar.gz; then echo "Failed to unpack Expat" exit 1 fi -cd expat-2.2.9 || exit 1 +cd $LIBEXPAT_FNAME || exit 1 export PKG_CONFIG_PATH="$IOS_PREFIX/lib/pkgconfig" echo "Configuring Expat" -if ! ./configure \ - --build="$AUTOTOOLS_BUILD" --host="$AUTOTOOLS_HOST" \ - --prefix="$IOS_PREFIX" ; then +if ! ./configure --without-tests \ + --build="$AUTOTOOLS_BUILD" --host="$AUTOTOOLS_HOST" \ + --prefix="$IOS_PREFIX" ; +then echo "Error: Failed to configure Expat" cat config.log exit 1 diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in index 8a5d3b2b0..cc8d0ed2d 100644 --- a/contrib/unbound.service.in +++ b/contrib/unbound.service.in @@ -38,11 +38,17 @@ ; - `LockPersonality=yes` locks down the personality system call so that the ; kernel execution domain may not be changed from the default. ; +; - With /etc/systemd/network/*.network a setting to make sure the network +; is not considered online too early, can reduce network unreachable +; errors on server start: +; [Link] +; RequiredForOnline=routable ; [Unit] Description=Validating, recursive, and caching DNS resolver Documentation=man:unbound(8) After=network-online.target +Wants=network-online.target Before=nss-lookup.target [Install] diff --git a/daemon/acl_list.c b/daemon/acl_list.c index 605851e4f..24cd9b399 100644 --- a/daemon/acl_list.c +++ b/daemon/acl_list.c @@ -221,7 +221,9 @@ acl_interface_insert(struct acl_list* acl_interface, struct sockaddr_storage* addr, socklen_t addrlen, enum acl_access control) { - return acl_find_or_create(acl_interface, addr, addrlen, control); + struct acl_addr* node = acl_find_or_create(acl_interface, addr, addrlen, control); + node->is_interface = 1; + return node; } /** apply acl_tag string */ @@ -805,10 +807,23 @@ log_acl_action(const char* action, struct sockaddr_storage* addr, addr_to_str(&acladdr->node.addr, acladdr->node.addrlen, n, sizeof(n)); verbose(VERB_ALGO, "%s query from %s port %d because of " - "%s/%d %s", action, a, (int)port, n, acladdr->node.net, + "%s/%d %s%s", action, a, (int)port, n, + acladdr->node.net, + acladdr->is_interface?"(ACL on interface IP) ":"", acl_access_to_str(acl)); } else { verbose(VERB_ALGO, "%s query from %s port %d", action, a, (int)port); } } + +void acl_list_swap_tree(struct acl_list* acl, struct acl_list* data) +{ + /* swap tree and region */ + rbtree_type oldtree = acl->tree; + struct regional* oldregion = acl->region; + acl->tree = data->tree; + acl->region = data->region; + data->tree = oldtree; + data->region = oldregion; +} diff --git a/daemon/acl_list.h b/daemon/acl_list.h index ee679eb6e..416169ee9 100644 --- a/daemon/acl_list.h +++ b/daemon/acl_list.h @@ -107,6 +107,8 @@ struct acl_addr { struct config_strlist** tag_datas; /** size of the tag_datas array */ size_t tag_datas_size; + /* If the acl node is for an interface */ + int is_interface; /* view element, NULL if none */ struct view* view; }; @@ -199,4 +201,12 @@ const char* acl_access_to_str(enum acl_access acl); void log_acl_action(const char* action, struct sockaddr_storage* addr, socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr); +/** + * Swap internal tree with preallocated entries. + * @param acl: the acl structure. + * @param data: the data structure used to take elements from. This contains + * the old elements on return. + */ +void acl_list_swap_tree(struct acl_list* acl, struct acl_list* data); + #endif /* DAEMON_ACL_LIST_H */ diff --git a/daemon/cachedump.c b/daemon/cachedump.c index a04b24e56..f0a693bf6 100644 --- a/daemon/cachedump.c +++ b/daemon/cachedump.c @@ -62,84 +62,231 @@ #include "sldns/wire2str.h" #include "sldns/str2wire.h" +static void spool_txt_printf(struct config_strlist_head* txt, + const char* format, ...) ATTR_FORMAT(printf, 2, 3); + +/** Append to strlist at end, and log error if out of memory. */ +static void +spool_txt_string(struct config_strlist_head* txt, char* str) +{ + if(!cfg_strlist_append(txt, strdup(str))) { + log_err("out of memory in spool text"); + } +} + +/** Spool txt to spool list. */ +static void +spool_txt_vmsg(struct config_strlist_head* txt, const char* format, + va_list args) +{ + char msg[65535]; + vsnprintf(msg, sizeof(msg), format, args); + spool_txt_string(txt, msg); +} + +/** Print item to spool list. On alloc failure the list is as before. */ +static void +spool_txt_printf(struct config_strlist_head* txt, const char* format, ...) +{ + va_list args; + va_start(args, format); + spool_txt_vmsg(txt, format, args); + va_end(args); +} + /** dump one rrset zonefile line */ -static int -dump_rrset_line(RES* ssl, struct ub_packed_rrset_key* k, time_t now, size_t i) +static void +dump_rrset_line(struct config_strlist_head* txt, struct ub_packed_rrset_key* k, + time_t now, size_t i) { char s[65535]; if(!packed_rr_to_string(k, i, now, s, sizeof(s))) { - return ssl_printf(ssl, "BADRR\n"); + spool_txt_string(txt, "BADRR\n"); + return; } - return ssl_printf(ssl, "%s", s); + spool_txt_string(txt, s); } /** dump rrset key and data info */ -static int -dump_rrset(RES* ssl, struct ub_packed_rrset_key* k, +static void +dump_rrset(struct config_strlist_head* txt, struct ub_packed_rrset_key* k, struct packed_rrset_data* d, time_t now) { size_t i; /* rd lock held by caller */ - if(!k || !d) return 1; - if(k->id == 0) return 1; /* deleted */ - if(d->ttl < now) return 1; /* expired */ + if(!k || !d) return; + if(k->id == 0) return; /* deleted */ + if(d->ttl < now) return; /* expired */ /* meta line */ - if(!ssl_printf(ssl, ";rrset%s " ARG_LL "d %u %u %d %d\n", + spool_txt_printf(txt, ";rrset%s " ARG_LL "d %u %u %d %d\n", (k->rk.flags & PACKED_RRSET_NSEC_AT_APEX)?" nsec_apex":"", (long long)(d->ttl - now), (unsigned)d->count, (unsigned)d->rrsig_count, (int)d->trust, (int)d->security - )) - return 0; + ); for(i=0; icount + d->rrsig_count; i++) { - if(!dump_rrset_line(ssl, k, now, i)) + dump_rrset_line(txt, k, now, i); + } +} + +/** Spool strlist to the output. */ +static int +spool_strlist(RES* ssl, struct config_strlist* list) +{ + struct config_strlist* s; + for(s=list; s; s=s->next) { + if(!ssl_printf(ssl, "%s", s->str)) return 0; } return 1; } -/** dump lruhash rrset cache */ +/** dump lruhash cache and call callback for every item. */ static int -dump_rrset_lruhash(RES* ssl, struct lruhash* h, time_t now) +dump_lruhash(struct lruhash* table, + void (*func)(struct lruhash_entry*, struct config_strlist_head*, void*), + RES* ssl, void* arg) { - struct lruhash_entry* e; - /* lruhash already locked by caller */ - /* walk in order of lru; best first */ - for(e=h->lru_start; e; e = e->lru_next) { - lock_rw_rdlock(&e->lock); - if(!dump_rrset(ssl, (struct ub_packed_rrset_key*)e->key, - (struct packed_rrset_data*)e->data, now)) { - lock_rw_unlock(&e->lock); + int just_started = 1; + int not_done = 1; + hashvalue_type hash; + size_t num = 0; /* number of entries processed. */ + size_t max = 2; /* number of entries after which it unlocks. */ + struct config_strlist_head txt; /* Text strings spooled. */ + memset(&txt, 0, sizeof(txt)); + + while(not_done) { + size_t i; /* hash bin. */ + /* Process a number of items. */ + num = 0; + lock_quick_lock(&table->lock); + if(just_started) { + i = 0; + } else { + i = hash&table->size_mask; + } + while(num < max) { + /* Process bin. */ + int found = 0; + size_t num_bin = 0; + struct lruhash_bin* bin = &table->array[i]; + struct lruhash_entry* e; + lock_quick_lock(&bin->lock); + for(e = bin->overflow_list; e; e = e->overflow_next) { + /* Entry e is locked by the func. */ + func(e, &txt, arg); + num_bin++; + } + lock_quick_unlock(&bin->lock); + /* This addition of bin number of entries may take + * it over the max. */ + num += num_bin; + + /* Move to next bin. */ + /* Find one with an entry, with a hash value, so we + * can continue from the hash value. The hash value + * can be indexed also if the array changes size. */ + i++; + while(i < table->size) { + bin = &table->array[i]; + lock_quick_lock(&bin->lock); + if(bin->overflow_list) { + hash = bin->overflow_list->hash; + lock_quick_unlock(&bin->lock); + found = 1; + just_started = 0; + break; + } + lock_quick_unlock(&bin->lock); + i++; + } + if(!found) { + not_done = 0; + break; + } + } + lock_quick_unlock(&table->lock); + /* Print the spooled items, that are collected while the + * locks are locked. The print happens while they are not + * locked. */ + if(txt.first) { + if(!spool_strlist(ssl, txt.first)) { + config_delstrlist(txt.first); + return 0; + } + config_delstrlist(txt.first); + memset(&txt, 0, sizeof(txt)); + } + } + /* Print the final spooled items. */ + if(txt.first) { + if(!spool_strlist(ssl, txt.first)) { + config_delstrlist(txt.first); return 0; } - lock_rw_unlock(&e->lock); + config_delstrlist(txt.first); } return 1; } +/** dump slabhash cache and call callback for every item. */ +static int +dump_slabhash(struct slabhash* sh, + void (*func)(struct lruhash_entry*, struct config_strlist_head*, void*), + RES* ssl, void* arg) +{ + /* Process a number of items at a time, then unlock the cache, + * so that ordinary processing can continue. Keep an iteration marker + * to continue the loop. That means the cache can change, items + * could be inserted and deleted. And, for example, the hash table + * can grow. */ + size_t slab; + for(slab=0; slabsize; slab++) { + if(!dump_lruhash(sh->array[slab], func, ssl, arg)) + return 0; + } + return 1; +} + +/** Struct for dump information. */ +struct dump_info { + /** The worker. */ + struct worker* worker; + /** The printout connection. */ + RES* ssl; +}; + +/** Dump the rrset cache entry */ +static void +dump_rrset_entry(struct lruhash_entry* e, struct config_strlist_head* txt, + void* arg) +{ + struct dump_info* dump_info = (struct dump_info*)arg; + lock_rw_rdlock(&e->lock); + dump_rrset(txt, (struct ub_packed_rrset_key*)e->key, + (struct packed_rrset_data*)e->data, + *dump_info->worker->env.now); + lock_rw_unlock(&e->lock); +} + /** dump rrset cache */ static int dump_rrset_cache(RES* ssl, struct worker* worker) { struct rrset_cache* r = worker->env.rrset_cache; - size_t slab; + struct dump_info dump_info; + dump_info.worker = worker; + dump_info.ssl = ssl; if(!ssl_printf(ssl, "START_RRSET_CACHE\n")) return 0; - for(slab=0; slabtable.size; slab++) { - lock_quick_lock(&r->table.array[slab]->lock); - if(!dump_rrset_lruhash(ssl, r->table.array[slab], - *worker->env.now)) { - lock_quick_unlock(&r->table.array[slab]->lock); - return 0; - } - lock_quick_unlock(&r->table.array[slab]->lock); - } + if(!dump_slabhash(&r->table, &dump_rrset_entry, ssl, &dump_info)) + return 0; return ssl_printf(ssl, "END_RRSET_CACHE\n"); } /** dump message to rrset reference */ -static int -dump_msg_ref(RES* ssl, struct ub_packed_rrset_key* k) +static void +dump_msg_ref(struct config_strlist_head* txt, struct ub_packed_rrset_key* k) { char* nm, *tp, *cl; nm = sldns_wire2str_dname(k->rk.dname, k->rk.dname_len); @@ -149,30 +296,25 @@ dump_msg_ref(RES* ssl, struct ub_packed_rrset_key* k) free(nm); free(tp); free(cl); - return ssl_printf(ssl, "BADREF\n"); - } - if(!ssl_printf(ssl, "%s %s %s %d\n", nm, cl, tp, (int)k->rk.flags)) { - free(nm); - free(tp); - free(cl); - return 0; + spool_txt_string(txt, "BADREF\n"); + return; } + spool_txt_printf(txt, "%s %s %s %d\n", nm, cl, tp, (int)k->rk.flags); free(nm); free(tp); free(cl); - - return 1; } /** dump message entry */ -static int -dump_msg(RES* ssl, struct query_info* k, struct reply_info* d, time_t now) +static void +dump_msg(struct config_strlist_head* txt, struct query_info* k, + struct reply_info* d, time_t now) { size_t i; char* nm, *tp, *cl; - if(!k || !d) return 1; - if(d->ttl < now) return 1; /* expired */ - + if(!k || !d) return; + if(d->ttl < now) return; /* expired */ + nm = sldns_wire2str_dname(k->qname, k->qname_len); tp = sldns_wire2str_type(k->qtype); cl = sldns_wire2str_class(k->qclass); @@ -180,45 +322,35 @@ dump_msg(RES* ssl, struct query_info* k, struct reply_info* d, time_t now) free(nm); free(tp); free(cl); - return 1; /* skip this entry */ + return; /* skip this entry */ } if(!rrset_array_lock(d->ref, d->rrset_count, now)) { /* rrsets have timed out or do not exist */ free(nm); free(tp); free(cl); - return 1; /* skip this entry */ + return; /* skip this entry */ } - + /* meta line */ - if(!ssl_printf(ssl, "msg %s %s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n", - nm, cl, tp, - (int)d->flags, (int)d->qdcount, - (long long)(d->ttl-now), (int)d->security, - (unsigned)d->an_numrrsets, - (unsigned)d->ns_numrrsets, - (unsigned)d->ar_numrrsets, - (int)d->reason_bogus, - d->reason_bogus_str?d->reason_bogus_str:"")) { - free(nm); - free(tp); - free(cl); - rrset_array_unlock(d->ref, d->rrset_count); - return 0; - } + spool_txt_printf(txt, + "msg %s %s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n", + nm, cl, tp, + (int)d->flags, (int)d->qdcount, + (long long)(d->ttl-now), (int)d->security, + (unsigned)d->an_numrrsets, + (unsigned)d->ns_numrrsets, + (unsigned)d->ar_numrrsets, + (int)d->reason_bogus, + d->reason_bogus_str?d->reason_bogus_str:""); free(nm); free(tp); free(cl); for(i=0; irrset_count; i++) { - if(!dump_msg_ref(ssl, d->rrsets[i])) { - rrset_array_unlock(d->ref, d->rrset_count); - return 0; - } + dump_msg_ref(txt, d->rrsets[i]); } rrset_array_unlock(d->ref, d->rrset_count); - - return 1; } /** copy msg to worker pad */ @@ -247,49 +379,40 @@ copy_msg(struct regional* region, struct lruhash_entry* e, return (*k)->qname != NULL; } -/** dump lruhash msg cache */ -static int -dump_msg_lruhash(RES* ssl, struct worker* worker, struct lruhash* h) +/** Dump the msg entry. */ +static void +dump_msg_entry(struct lruhash_entry* e, struct config_strlist_head* txt, + void* arg) { - struct lruhash_entry* e; + struct dump_info* dump_info = (struct dump_info*)arg; struct query_info* k; struct reply_info* d; - /* lruhash already locked by caller */ - /* walk in order of lru; best first */ - for(e=h->lru_start; e; e = e->lru_next) { - regional_free_all(worker->scratchpad); - lock_rw_rdlock(&e->lock); - /* make copy of rrset in worker buffer */ - if(!copy_msg(worker->scratchpad, e, &k, &d)) { - lock_rw_unlock(&e->lock); - return 0; - } + regional_free_all(dump_info->worker->scratchpad); + /* Make copy of rrset in worker buffer. */ + lock_rw_rdlock(&e->lock); + if(!copy_msg(dump_info->worker->scratchpad, e, &k, &d)) { lock_rw_unlock(&e->lock); - /* release lock so we can lookup the rrset references - * in the rrset cache */ - if(!dump_msg(ssl, k, d, *worker->env.now)) { - return 0; - } + log_err("out of memory in dump_msg_entry"); + return; } - return 1; + lock_rw_unlock(&e->lock); + /* Release lock so we can lookup the rrset references + * in the rrset cache. */ + dump_msg(txt, k, d, *dump_info->worker->env.now); } /** dump msg cache */ static int dump_msg_cache(RES* ssl, struct worker* worker) { - struct slabhash* sh = worker->env.msg_cache; - size_t slab; + struct dump_info dump_info; + dump_info.worker = worker; + dump_info.ssl = ssl; if(!ssl_printf(ssl, "START_MSG_CACHE\n")) return 0; - for(slab=0; slabsize; slab++) { - lock_quick_lock(&sh->array[slab]->lock); - if(!dump_msg_lruhash(ssl, worker, sh->array[slab])) { - lock_quick_unlock(&sh->array[slab]->lock); - return 0; - } - lock_quick_unlock(&sh->array[slab]->lock); - } + if(!dump_slabhash(worker->env.msg_cache, &dump_msg_entry, ssl, + &dump_info)) + return 0; return ssl_printf(ssl, "END_MSG_CACHE\n"); } @@ -811,12 +934,18 @@ print_dp_main(RES* ssl, struct delegpt* dp, struct dns_msg* msg) struct ub_packed_rrset_key* k = msg->rep->rrsets[i]; struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; + struct config_strlist_head txt; + memset(&txt, 0, sizeof(txt)); if(d->security == sec_status_bogus) { if(!ssl_printf(ssl, "Address is BOGUS:\n")) return; } - if(!dump_rrset(ssl, k, d, 0)) + dump_rrset(&txt, k, d, 0); + if(!spool_strlist(ssl, txt.first)) { + config_delstrlist(txt.first); return; + } + config_delstrlist(txt.first); } delegpt_count_ns(dp, &n_ns, &n_miss); delegpt_count_addr(dp, &n_addr, &n_res, &n_avail); @@ -836,7 +965,7 @@ int print_deleg_lookup(RES* ssl, struct worker* worker, uint8_t* nm, struct delegpt* dp; struct dns_msg* msg; struct regional* region = worker->scratchpad; - char b[260]; + char b[LDNS_MAX_DOMAINLEN]; struct query_info qinfo; struct iter_hints_stub* stub; int nolock = 0; diff --git a/daemon/daemon.c b/daemon/daemon.c index 1c8272b14..f882bb9ad 100644 --- a/daemon/daemon.c +++ b/daemon/daemon.c @@ -323,8 +323,7 @@ daemon_init(void) return daemon; } -static int setup_acl_for_ports(struct acl_list* list, - struct listen_port* port_list) +int setup_acl_for_ports(struct acl_list* list, struct listen_port* port_list) { struct acl_addr* acl_node; for(; port_list; port_list=port_list->next) { @@ -717,16 +716,16 @@ daemon_fork(struct daemon* daemon) #endif log_assert(daemon); - if(!(daemon->views = views_create())) + if(!(daemon->env->views = views_create())) fatal_exit("Could not create views: out of memory"); /* create individual views and their localzone/data trees */ - if(!views_apply_cfg(daemon->views, daemon->cfg)) + if(!views_apply_cfg(daemon->env->views, daemon->cfg)) fatal_exit("Could not set up views"); - if(!acl_list_apply_cfg(daemon->acl, daemon->cfg, daemon->views)) + if(!acl_list_apply_cfg(daemon->acl, daemon->cfg, daemon->env->views)) fatal_exit("Could not setup access control list"); if(!acl_interface_apply_cfg(daemon->acl_interface, daemon->cfg, - daemon->views)) + daemon->env->views)) fatal_exit("Could not setup interface control list"); if(!tcl_list_apply_cfg(daemon->tcl, daemon->cfg)) fatal_exit("Could not setup TCP connection limits"); @@ -762,15 +761,15 @@ daemon_fork(struct daemon* daemon) fatal_exit("Could not set root or stub hints"); /* process raw response-ip configuration data */ - if(!(daemon->respip_set = respip_set_create())) + if(!(daemon->env->respip_set = respip_set_create())) fatal_exit("Could not create response IP set"); - if(!respip_global_apply_cfg(daemon->respip_set, daemon->cfg)) + if(!respip_global_apply_cfg(daemon->env->respip_set, daemon->cfg)) fatal_exit("Could not set up response IP set"); - if(!respip_views_apply_cfg(daemon->views, daemon->cfg, + if(!respip_views_apply_cfg(daemon->env->views, daemon->cfg, &have_view_respip_cfg)) fatal_exit("Could not set up per-view response IP sets"); - daemon->use_response_ip = !respip_set_is_empty(daemon->respip_set) || - have_view_respip_cfg; + daemon->use_response_ip = !respip_set_is_empty( + daemon->env->respip_set) || have_view_respip_cfg; /* setup modules */ daemon_setup_modules(daemon); @@ -886,14 +885,18 @@ daemon_cleanup(struct daemon* daemon) daemon->env->hints = NULL; local_zones_delete(daemon->local_zones); daemon->local_zones = NULL; - respip_set_delete(daemon->respip_set); - daemon->respip_set = NULL; - views_delete(daemon->views); - daemon->views = NULL; + respip_set_delete(daemon->env->respip_set); + daemon->env->respip_set = NULL; + views_delete(daemon->env->views); + daemon->env->views = NULL; if(daemon->env->auth_zones) auth_zones_cleanup(daemon->env->auth_zones); /* key cache is cleared by module deinit during next daemon_fork() */ daemon_remote_clear(daemon->rc); + if(daemon->fast_reload_thread) + fast_reload_thread_stop(daemon->fast_reload_thread); + if(daemon->fast_reload_printq_list) + fast_reload_printq_list_delete(daemon->fast_reload_printq_list); for(i=0; inum; i++) worker_delete(daemon->workers[i]); free(daemon->workers); @@ -951,11 +954,16 @@ daemon_delete(struct daemon* daemon) listen_desetup_locks(); free(daemon->chroot); free(daemon->pidfile); + free(daemon->cfgfile); free(daemon->env); #ifdef HAVE_SSL listen_sslctx_delete_ticket_keys(); - SSL_CTX_free((SSL_CTX*)daemon->listen_sslctx); - SSL_CTX_free((SSL_CTX*)daemon->connect_sslctx); + SSL_CTX_free((SSL_CTX*)daemon->listen_dot_sslctx); + SSL_CTX_free((SSL_CTX*)daemon->listen_doh_sslctx); + SSL_CTX_free((SSL_CTX*)daemon->connect_dot_sslctx); +#endif +#ifdef HAVE_NGTCP2 + SSL_CTX_free((SSL_CTX*)daemon->listen_quic_sslctx); #endif free(daemon); /* lex cleanup */ diff --git a/daemon/daemon.h b/daemon/daemon.h index fc1bde713..2295761ab 100644 --- a/daemon/daemon.h +++ b/daemon/daemon.h @@ -60,6 +60,8 @@ struct respip_set; struct shm_main_info; struct doq_table; struct cookie_secrets; +struct fast_reload_thread; +struct fast_reload_printq; #include "dnstap/dnstap_config.h" #ifdef USE_DNSTAP @@ -97,8 +99,14 @@ struct daemon { struct listen_port* rc_ports; /** remote control connections management (for first worker) */ struct daemon_remote* rc; - /** ssl context for listening to dnstcp over ssl, and connecting ssl */ - void* listen_sslctx, *connect_sslctx; + /** ssl context for listening to dnstcp over ssl */ + void* listen_dot_sslctx; + /** ssl context for connecting to dnstcp over ssl */ + void* connect_dot_sslctx; + /** ssl context for listening to DoH */ + void* listen_doh_sslctx; + /** ssl context for listening to quic */ + void* listen_quic_sslctx; /** num threads allocated */ int num; /** num threads allocated in the previous config or 0 at first */ @@ -131,15 +139,11 @@ struct daemon { struct timeval time_last_stat; /** time when daemon started */ struct timeval time_boot; - /** views structure containing view tree */ - struct views* views; #ifdef USE_DNSTAP /** the dnstap environment master value, copied and changed by threads*/ struct dt_env* dtenv; #endif struct shm_main_info* shm_info; - /** response-ip set with associated actions and tags. */ - struct respip_set* respip_set; /** some response-ip tags or actions are configured if true */ int use_response_ip; /** some RPZ policies are configured */ @@ -154,6 +158,17 @@ struct daemon { int reuse_cache; /** the EDNS cookie secrets from the cookie-secret-file */ struct cookie_secrets* cookie_secrets; + /** the fast reload thread, or NULL */ + struct fast_reload_thread* fast_reload_thread; + /** the fast reload printq list */ + struct fast_reload_printq* fast_reload_printq_list; + /** the fast reload option to drop mesh queries, true if so. */ + int fast_reload_drop_mesh; + /** for fast reload, if the tcl, tcp connection limits, has + * changes for workers */ + int fast_reload_tcl_has_changes; + /** config file name */ + char* cfgfile; }; /** @@ -206,4 +221,12 @@ void daemon_delete(struct daemon* daemon); */ void daemon_apply_cfg(struct daemon* daemon, struct config_file* cfg); +/** + * Setup acl list to have entries for the port list. + * @param list: the acl interface + * @param port_list: list of open ports, or none. + * @return false on failure + */ +int setup_acl_for_ports(struct acl_list* list, struct listen_port* port_list); + #endif /* DAEMON_H */ diff --git a/daemon/remote.c b/daemon/remote.c index 4d7cff4db..e10dadde7 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -52,6 +52,9 @@ #ifdef HAVE_OPENSSL_BN_H #include #endif +#ifdef HAVE_STDATOMIC_H +#include +#endif #include #include "daemon/remote.h" @@ -63,6 +66,7 @@ #include "util/config_file.h" #include "util/net_help.h" #include "util/module.h" +#include "util/ub_event.h" #include "services/listen_dnsport.h" #include "services/cache/rrset.h" #include "services/cache/infra.h" @@ -77,10 +81,14 @@ #include "validator/val_kcache.h" #include "validator/val_kentry.h" #include "validator/val_anchor.h" +#include "validator/val_neg.h" #include "iterator/iterator.h" #include "iterator/iter_fwd.h" #include "iterator/iter_hints.h" #include "iterator/iter_delegpt.h" +#include "iterator/iter_utils.h" +#include "iterator/iter_donotq.h" +#include "iterator/iter_priv.h" #include "services/outbound_list.h" #include "services/outside_network.h" #include "sldns/str2wire.h" @@ -88,10 +96,15 @@ #include "sldns/wire2str.h" #include "sldns/sbuffer.h" #include "util/timeval_func.h" +#include "util/tcp_conn_limit.h" #include "util/edns.h" #ifdef USE_CACHEDB #include "cachedb/cachedb.h" #endif +#ifdef CLIENT_SUBNET +#include "edns-subnet/subnetmod.h" +#include "edns-subnet/addrtree.h" +#endif #ifdef HAVE_SYS_TYPES_H # include @@ -102,6 +115,9 @@ #ifdef HAVE_NETDB_H #include #endif +#ifdef HAVE_POLL_H +#include +#endif /* just for portability */ #ifdef SQ @@ -114,6 +130,18 @@ /** Acceptable lengths of str lines */ #define MAX_CMD_STRLINE 1024 #define MAX_STDIN_STRLINE 2048 +/** What number of loop iterations is too much for ipc retries */ +#define IPC_LOOP_MAX 200 +/** Timeout in msec for ipc socket poll. */ +#define IPC_NOTIFICATION_WAIT 200 + +static void fr_printq_delete(struct fast_reload_printq* printq); +static void fr_main_perform_printout(struct fast_reload_thread* fr); +static int fr_printq_empty(struct fast_reload_printq* printq); +static void fr_printq_list_insert(struct fast_reload_printq* printq, + struct daemon* daemon); +static void fr_printq_remove(struct fast_reload_printq* printq); +static void fr_check_cmd_from_thread(struct fast_reload_thread* fr); static int remote_setup_ctx(struct daemon_remote* rc, struct config_file* cfg) @@ -512,6 +540,11 @@ state_list_remove_elem(struct rc_state** list, struct comm_point* c) static void clean_point(struct daemon_remote* rc, struct rc_state* s) { + if(!s->rc) { + /* the state has been picked up and moved away */ + free(s); + return; + } state_list_remove_elem(&rc->busy_list, s->c); rc->active --; if(s->ssl) { @@ -679,6 +712,65 @@ do_reload(RES* ssl, struct worker* worker, int reuse_cache) send_ok(ssl); } +#ifndef THREADS_DISABLED +/** parse fast reload command options. */ +static int +fr_parse_options(RES* ssl, char* arg, int* fr_verb, int* fr_nopause, + int* fr_drop_mesh) +{ + char* argp = arg; + while(*argp=='+') { + argp++; + while(*argp!=0 && *argp!=' ' && *argp!='\t') { + if(*argp == 'v') { + (*fr_verb)++; + } else if(*argp == 'p') { + (*fr_nopause) = 1; + } else if(*argp == 'd') { + (*fr_drop_mesh) = 1; + } else { + if(!ssl_printf(ssl, + "error: unknown option '+%c'\n", + *argp)) + return 0; + return 0; + } + argp++; + } + argp = skipwhite(argp); + } + if(*argp!=0) { + if(!ssl_printf(ssl, "error: unknown option '%s'\n", argp)) + return 0; + return 0; + } + return 1; +} +#endif /* !THREADS_DISABLED */ + +/** do the fast_reload command */ +static void +do_fast_reload(RES* ssl, struct worker* worker, struct rc_state* s, char* arg) +{ +#ifdef THREADS_DISABLED + if(!ssl_printf(ssl, "error: no threads for fast_reload, compiled without threads.\n")) + return; + (void)worker; + (void)s; + (void)arg; +#else + int fr_verb = 0, fr_nopause = 0, fr_drop_mesh = 0; + if(!fr_parse_options(ssl, arg, &fr_verb, &fr_nopause, &fr_drop_mesh)) + return; + if(fr_verb >= 1) { + if(!ssl_printf(ssl, "start fast_reload\n")) + return; + } + fast_reload_thread_start(ssl, worker, s, fr_verb, fr_nopause, + fr_drop_mesh); +#endif +} + /** do the verbosity command */ static void do_verbosity(RES* ssl, char* str) @@ -736,6 +828,8 @@ print_stats(RES* ssl, const char* nm, struct ub_stats_info* s) if(!ssl_printf(ssl, "%s.num.dnscrypt.malformed"SQ"%lu\n", nm, (unsigned long)s->svr.num_query_dnscrypt_crypted_malformed)) return 0; #endif + if(!ssl_printf(ssl, "%s.num.dns_error_reports"SQ"%lu\n", nm, + (unsigned long)s->svr.num_dns_error_reports)) return 0; if(!ssl_printf(ssl, "%s.requestlist.avg"SQ"%g\n", nm, (s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)? (double)s->svr.sum_query_list_size/ @@ -1058,6 +1152,8 @@ print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero) (unsigned long)s->svr.ans_bogus)) return 0; if(!ssl_printf(ssl, "num.rrset.bogus"SQ"%lu\n", (unsigned long)s->svr.rrset_bogus)) return 0; + if(!ssl_printf(ssl, "num.valops"SQ"%lu\n", + (unsigned long)s->svr.val_ops)) return 0; if(!ssl_printf(ssl, "num.query.aggressive.NOERROR"SQ"%lu\n", (unsigned long)s->svr.num_neg_cache_noerror)) return 0; if(!ssl_printf(ssl, "num.query.aggressive.NXDOMAIN"SQ"%lu\n", @@ -1473,8 +1569,7 @@ do_view_zone_add(RES* ssl, struct worker* worker, char* arg) struct view* v; if(!find_arg2(ssl, arg, &arg2)) return; - v = views_find_view(worker->daemon->views, - arg, 1 /* get write lock*/); + v = views_find_view(worker->env.views, arg, 1 /* get write lock*/); if(!v) { ssl_printf(ssl,"no view with name: %s\n", arg); return; @@ -1487,7 +1582,7 @@ do_view_zone_add(RES* ssl, struct worker* worker, char* arg) } if(!v->isfirst) { /* Global local-zone is not used for this view, - * therefore add defaults to this view-specic + * therefore add defaults to this view-specific * local-zone. */ struct config_file lz_cfg; memset(&lz_cfg, 0, sizeof(lz_cfg)); @@ -1506,8 +1601,7 @@ do_view_zone_remove(RES* ssl, struct worker* worker, char* arg) struct view* v; if(!find_arg2(ssl, arg, &arg2)) return; - v = views_find_view(worker->daemon->views, - arg, 1 /* get write lock*/); + v = views_find_view(worker->env.views, arg, 1 /* get write lock*/); if(!v) { ssl_printf(ssl,"no view with name: %s\n", arg); return; @@ -1529,8 +1623,7 @@ do_view_data_add(RES* ssl, struct worker* worker, char* arg) struct view* v; if(!find_arg2(ssl, arg, &arg2)) return; - v = views_find_view(worker->daemon->views, - arg, 1 /* get write lock*/); + v = views_find_view(worker->env.views, arg, 1 /* get write lock*/); if(!v) { ssl_printf(ssl,"no view with name: %s\n", arg); return; @@ -1555,8 +1648,7 @@ do_view_datas_add(struct daemon_remote* rc, RES* ssl, struct worker* worker, char buf[MAX_CMD_STRLINE + MAX_STDIN_STRLINE] = "view_local_data "; size_t cmd_len; int num = 0, line = 0; - v = views_find_view(worker->daemon->views, - arg, 1 /* get write lock*/); + v = views_find_view(worker->env.views, arg, 1 /* get write lock*/); if(!v) { ssl_printf(ssl,"no view with name: %s\n", arg); return; @@ -1597,8 +1689,7 @@ do_view_data_remove(RES* ssl, struct worker* worker, char* arg) struct view* v; if(!find_arg2(ssl, arg, &arg2)) return; - v = views_find_view(worker->daemon->views, - arg, 1 /* get write lock*/); + v = views_find_view(worker->env.views, arg, 1 /* get write lock*/); if(!v) { ssl_printf(ssl,"no view with name: %s\n", arg); return; @@ -1621,8 +1712,7 @@ do_view_datas_remove(struct daemon_remote* rc, RES* ssl, struct worker* worker, char buf[MAX_CMD_STRLINE + MAX_STDIN_STRLINE] = "view_local_data_remove "; int num = 0; size_t cmd_len; - v = views_find_view(worker->daemon->views, - arg, 1 /* get write lock*/); + v = views_find_view(worker->env.views, arg, 1 /* get write lock*/); if(!v) { ssl_printf(ssl,"no view with name: %s\n", arg); return; @@ -1656,6 +1746,334 @@ do_view_datas_remove(struct daemon_remote* rc, RES* ssl, struct worker* worker, (void)ssl_printf(ssl, "removed %d datas\n", num); } +/** information for the domain search */ +struct cache_lookup_info { + /** The connection to print on. */ + RES* ssl; + /** The worker. */ + struct worker* worker; + /** The domain, in wireformat. */ + uint8_t* nm; + /** The length of nm. */ + size_t nmlen; +}; + +#ifdef CLIENT_SUBNET +static void addrtree_traverse_visit_node(struct addrnode* n, addrkey_t* addr, + size_t addr_size, int is_ipv6, time_t now, struct query_info* q, + void (*func)(struct query_info*, struct reply_info*, addrkey_t*, + size_t, int, addrlen_t, int, time_t, void*), void* arg); + +/** Lookup in subnet addrtree */ +static void +cache_lookup_subnet_addrnode(struct query_info* q, struct reply_info* d, + addrkey_t* addr, size_t addr_size, int is_ipv6, addrlen_t scope, + int only_match_scope_zero, time_t ttl, void* arg) +{ + size_t i; + char s[65535], tp[32], cl[32], rc[32], fg[32], astr[64]; + struct cache_lookup_info* inf = (struct cache_lookup_info*)arg; + if(is_ipv6) { + if(addr_size < 16 || inet_ntop(AF_INET6, addr, astr, + sizeof(astr)) == NULL) + snprintf(astr, sizeof(astr), "(inet6ntoperror)"); + } else { + if(addr_size < 4 || inet_ntop(AF_INET, addr, astr, + sizeof(astr)) == NULL) + snprintf(astr, sizeof(astr), "(inetntoperror)"); + } + sldns_wire2str_dname_buf(q->qname, q->qname_len, s, sizeof(s)); + sldns_wire2str_type_buf(q->qtype, tp, sizeof(tp)); + sldns_wire2str_class_buf(q->qclass, cl, sizeof(cl)); + sldns_wire2str_rcode_buf(FLAGS_GET_RCODE(d->flags), + rc, sizeof(rc)); + snprintf(fg, sizeof(fg), "%s%s%s%s%s%s%s%s", + ((d->flags&BIT_QR)?" QR":""), + ((d->flags&BIT_AA)?" AA":""), + ((d->flags&BIT_TC)?" TC":""), + ((d->flags&BIT_RD)?" RD":""), + ((d->flags&BIT_RA)?" RA":""), + ((d->flags&BIT_Z)?" Z":""), + ((d->flags&BIT_AD)?" AD":""), + ((d->flags&BIT_CD)?" CD":"")); + if(!rrset_array_lock(d->ref, d->rrset_count, + *inf->worker->env.now)) { + /* rrsets have timed out or do not exist */ + return; + } + if(!ssl_printf(inf->ssl, "subnet %s/%d%s %s %s %s " ARG_LL "d\n", astr, + (int)scope, (only_match_scope_zero?" scope_zero":""), + s, cl, tp, (long long)(ttl-*inf->worker->env.now))) { + rrset_array_unlock(d->ref, d->rrset_count); + return; + } + ssl_printf(inf->ssl, + "subnet msg %s %s %s%s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n", + s, cl, tp, fg, rc, + (int)d->flags, (int)d->qdcount, + (long long)(d->ttl-*inf->worker->env.now), + (int)d->security, + (unsigned)d->an_numrrsets, + (unsigned)d->ns_numrrsets, + (unsigned)d->ar_numrrsets, + (int)d->reason_bogus, + d->reason_bogus_str?d->reason_bogus_str:""); + for(i=0; irrset_count; i++) { + struct ub_packed_rrset_key* rk = d->rrsets[i]; + struct packed_rrset_data* rd = (struct packed_rrset_data*)rk->entry.data; + size_t j; + for(j=0; jcount + rd->rrsig_count; j++) { + if(!packed_rr_to_string(rk, j, + *inf->worker->env.now, s, sizeof(s))) { + ssl_printf(inf->ssl, "BADRR\n"); + } else { + ssl_printf(inf->ssl, "%s", s); + } + } + } + rrset_array_unlock(d->ref, d->rrset_count); + ssl_printf(inf->ssl, "\n"); +} + +/** Visit an edge in subnet addrtree traverse */ +static void +addrtree_traverse_visit_edge(struct addredge* edge, addrkey_t* addr, + size_t addr_size, int is_ipv6, time_t now, struct query_info* q, + void (*func)(struct query_info*, struct reply_info*, addrkey_t*, + size_t, int, addrlen_t, int, time_t, void*), void* arg) +{ + size_t n; + addrlen_t addrlen; + if(!edge || !edge->node) + return; + addrlen = edge->len; + /* ceil() */ + n = (size_t)((addrlen / KEYWIDTH) + ((addrlen % KEYWIDTH != 0)?1:0)); + if(n > addr_size) + n = addr_size; + memset(addr, 0, addr_size); + memcpy(addr, edge->str, n); + addrtree_traverse_visit_node(edge->node, addr, addr_size, is_ipv6, + now, q, func, arg); +} + +/** Visit a node in subnet addrtree traverse */ +static void +addrtree_traverse_visit_node(struct addrnode* n, addrkey_t* addr, + size_t addr_size, int is_ipv6, time_t now, struct query_info* q, + void (*func)(struct query_info*, struct reply_info*, addrkey_t*, + size_t, int, addrlen_t, int, time_t, void*), void* arg) +{ + /* If this node has data, and not expired. */ + if(n->elem && n->ttl >= now) { + func(q, (struct reply_info*)n->elem, addr, addr_size, is_ipv6, + n->scope, n->only_match_scope_zero, n->ttl, arg); + } + /* Traverse edges. */ + addrtree_traverse_visit_edge(n->edge[0], addr, addr_size, is_ipv6, + now, q, func, arg); + addrtree_traverse_visit_edge(n->edge[1], addr, addr_size, is_ipv6, + now, q, func, arg); +} + +/** Traverse subnet addrtree */ +static void +addrtree_traverse(struct addrtree* tree, int is_ipv6, time_t now, + struct query_info* q, + void (*func)(struct query_info*, struct reply_info*, addrkey_t*, + size_t, int, addrlen_t, int, time_t, void*), void* arg) +{ + uint8_t addr[16]; /* Large enough for IPv4 and IPv6. */ + memset(addr, 0, sizeof(addr)); + addrtree_traverse_visit_node(tree->root, (addrkey_t*)addr, + sizeof(addr), is_ipv6, now, q, func, arg); +} + +/** Lookup cache_lookup for subnet content. */ +static void +cache_lookup_subnet_msg(struct lruhash_entry* e, void* arg) +{ + struct cache_lookup_info* inf = (struct cache_lookup_info*)arg; + struct msgreply_entry *k = (struct msgreply_entry*)e->key; + struct subnet_msg_cache_data* d = + (struct subnet_msg_cache_data*)e->data; + if(!dname_subdomain_c(k->key.qname, inf->nm)) + return; + + if(d->tree4) { + addrtree_traverse(d->tree4, 0, *inf->worker->env.now, &k->key, + &cache_lookup_subnet_addrnode, inf); + } + if(d->tree6) { + addrtree_traverse(d->tree6, 1, *inf->worker->env.now, &k->key, + &cache_lookup_subnet_addrnode, inf); + } +} +#endif /* CLIENT_SUBNET */ + +static void +cache_lookup_rrset(struct lruhash_entry* e, void* arg) +{ + struct cache_lookup_info* inf = (struct cache_lookup_info*)arg; + struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key; + struct packed_rrset_data* d = (struct packed_rrset_data*)e->data; + if(*inf->worker->env.now < d->ttl && + k->id != 0 && /* not deleted */ + dname_subdomain_c(k->rk.dname, inf->nm)) { + size_t i; + for(i=0; icount + d->rrsig_count; i++) { + char s[65535]; + if(!packed_rr_to_string(k, i, *inf->worker->env.now, + s, sizeof(s))) { + ssl_printf(inf->ssl, "BADRR\n"); + return; + } + ssl_printf(inf->ssl, "%s", s); + } + ssl_printf(inf->ssl, "\n"); + } +} + +static void +cache_lookup_msg(struct lruhash_entry* e, void* arg) +{ + struct cache_lookup_info* inf = (struct cache_lookup_info*)arg; + struct msgreply_entry* k = (struct msgreply_entry*)e->key; + struct reply_info* d = (struct reply_info*)e->data; + if(*inf->worker->env.now < d->ttl && + dname_subdomain_c(k->key.qname, inf->nm)) { + size_t i; + char s[65535], tp[32], cl[32], rc[32], fg[32]; + sldns_wire2str_dname_buf(k->key.qname, k->key.qname_len, + s, sizeof(s)); + sldns_wire2str_type_buf(k->key.qtype, tp, sizeof(tp)); + sldns_wire2str_class_buf(k->key.qclass, cl, sizeof(cl)); + sldns_wire2str_rcode_buf(FLAGS_GET_RCODE(d->flags), + rc, sizeof(rc)); + snprintf(fg, sizeof(fg), "%s%s%s%s%s%s%s%s", + ((d->flags&BIT_QR)?" QR":""), + ((d->flags&BIT_AA)?" AA":""), + ((d->flags&BIT_TC)?" TC":""), + ((d->flags&BIT_RD)?" RD":""), + ((d->flags&BIT_RA)?" RA":""), + ((d->flags&BIT_Z)?" Z":""), + ((d->flags&BIT_AD)?" AD":""), + ((d->flags&BIT_CD)?" CD":"")); + if(!rrset_array_lock(d->ref, d->rrset_count, + *inf->worker->env.now)) { + /* rrsets have timed out or do not exist */ + return; + } + ssl_printf(inf->ssl, + "msg %s %s %s%s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n", + s, cl, tp, fg, rc, + (int)d->flags, (int)d->qdcount, + (long long)(d->ttl-*inf->worker->env.now), + (int)d->security, + (unsigned)d->an_numrrsets, + (unsigned)d->ns_numrrsets, + (unsigned)d->ar_numrrsets, + (int)d->reason_bogus, + d->reason_bogus_str?d->reason_bogus_str:""); + for(i=0; irrset_count; i++) { + struct ub_packed_rrset_key* rk = d->rrsets[i]; + struct packed_rrset_data* rd = (struct packed_rrset_data*)rk->entry.data; + size_t j; + for(j=0; jcount + rd->rrsig_count; j++) { + if(!packed_rr_to_string(rk, j, + *inf->worker->env.now, s, sizeof(s))) { + rrset_array_unlock(d->ref, d->rrset_count); + ssl_printf(inf->ssl, "BADRR\n"); + return; + } + ssl_printf(inf->ssl, "%s", s); + } + } + rrset_array_unlock(d->ref, d->rrset_count); + ssl_printf(inf->ssl, "\n"); + } +} + +/** perform cache search for domain */ +static void +do_cache_lookup_domain(RES* ssl, struct worker* worker, uint8_t* nm, + size_t nmlen) +{ +#ifdef CLIENT_SUBNET + int m; + struct subnet_env* sn_env = NULL; +#endif /* CLIENT_SUBNET */ + struct cache_lookup_info inf; + inf.ssl = ssl; + inf.worker = worker; + inf.nm = nm; + inf.nmlen = nmlen; + +#ifdef CLIENT_SUBNET + m = modstack_find(worker->env.modstack, "subnetcache"); + if(m != -1) sn_env = (struct subnet_env*)worker->env.modinfo[m]; + if(sn_env) { + lock_rw_rdlock(&sn_env->biglock); + slabhash_traverse(sn_env->subnet_msg_cache, 0, + &cache_lookup_subnet_msg, &inf); + lock_rw_unlock(&sn_env->biglock); + } +#endif /* CLIENT_SUBNET */ + + slabhash_traverse(&worker->env.rrset_cache->table, 0, + &cache_lookup_rrset, &inf); + slabhash_traverse(worker->env.msg_cache, 0, &cache_lookup_msg, &inf); +} + +/** cache lookup of domain */ +static void +do_cache_lookup(RES* ssl, struct worker* worker, char* arg) +{ + uint8_t nm[LDNS_MAX_DOMAINLEN+1]; + size_t nmlen; + int status; + char* s = arg, *next = NULL; + int allow_long = 0; + + if(arg[0] == '+' && arg[1] == 't' && (arg[2]==' ' || arg[2]=='\t')) { + allow_long = 1; + s = arg+2; + } + + /* Find the commandline arguments of domains. */ + while(s && *s != 0) { + s = skipwhite(s); + if(*s == 0) + break; + if(strchr(s, ' ') || strchr(s, '\t')) { + char* sp = strchr(s, ' '); + if(strchr(s, '\t') != 0 && strchr(s, '\t') < sp) + sp = strchr(s, '\t'); + *sp = 0; + next = sp+1; + } else { + next = NULL; + } + + nmlen = sizeof(nm); + status = sldns_str2wire_dname_buf(s, nm, &nmlen); + if(status != 0) { + ssl_printf(ssl, "error cannot parse name %s at %d: %s\n", s, + LDNS_WIREPARSE_OFFSET(status), + sldns_get_errorstr_parse(status)); + return; + } + if(!allow_long && dname_count_labels(nm) < 3) { + ssl_printf(ssl, "error name too short: '%s'. Need example.com. or longer, short names take very long, use +t to allow them.\n", s); + return; + } + + do_cache_lookup_domain(ssl, worker, nm, nmlen); + + s = next; + } +} + /** cache lookup of nameservers */ static void do_lookup(RES* ssl, struct worker* worker, char* arg) @@ -1950,7 +2368,7 @@ bogus_del_rrset(struct lruhash_entry* e, void* arg) /* entry is locked */ struct del_info* inf = (struct del_info*)arg; struct packed_rrset_data* d = (struct packed_rrset_data*)e->data; - if(d->security == sec_status_bogus) { + if(d->security == sec_status_bogus && d->ttl > inf->expired) { d->ttl = inf->expired; inf->num_rrsets++; } @@ -1963,7 +2381,7 @@ bogus_del_msg(struct lruhash_entry* e, void* arg) /* entry is locked */ struct del_info* inf = (struct del_info*)arg; struct reply_info* d = (struct reply_info*)e->data; - if(d->security == sec_status_bogus) { + if(d->security == sec_status_bogus && d->ttl > inf->expired) { d->ttl = inf->expired; d->prefetch_ttl = inf->expired; d->serve_expired_ttl = inf->expired; @@ -1983,7 +2401,7 @@ bogus_del_kcache(struct lruhash_entry* e, void* arg) /* entry is locked */ struct del_info* inf = (struct del_info*)arg; struct key_entry_data* d = (struct key_entry_data*)e->data; - if(d->isbad) { + if(d->isbad && d->ttl > inf->expired) { d->ttl = inf->expired; inf->num_keys++; } @@ -2032,7 +2450,8 @@ negative_del_rrset(struct lruhash_entry* e, void* arg) /* delete the parentside negative cache rrsets, * these are nameserver rrsets that failed lookup, rdata empty */ if((k->rk.flags & PACKED_RRSET_PARENT_SIDE) && d->count == 1 && - d->rrsig_count == 0 && d->rr_len[0] == 0) { + d->rrsig_count == 0 && d->rr_len[0] == 0 && + d->ttl > inf->expired) { d->ttl = inf->expired; inf->num_rrsets++; } @@ -2047,7 +2466,8 @@ negative_del_msg(struct lruhash_entry* e, void* arg) struct reply_info* d = (struct reply_info*)e->data; /* rcode not NOERROR: NXDOMAIN, SERVFAIL, ..: an nxdomain or error * or NOERROR rcode with ANCOUNT==0: a NODATA answer */ - if(FLAGS_GET_RCODE(d->flags) != 0 || d->an_numrrsets == 0) { + if((FLAGS_GET_RCODE(d->flags) != 0 || d->an_numrrsets == 0) && + d->ttl > inf->expired) { d->ttl = inf->expired; d->prefetch_ttl = inf->expired; d->serve_expired_ttl = inf->expired; @@ -2069,7 +2489,7 @@ negative_del_kcache(struct lruhash_entry* e, void* arg) struct key_entry_data* d = (struct key_entry_data*)e->data; /* could be bad because of lookup failure on the DS, DNSKEY, which * was nxdomain or servfail, and thus a result of negative lookups */ - if(d->isbad) { + if(d->isbad && d->ttl > inf->expired) { d->ttl = inf->expired; inf->num_keys++; } @@ -2141,7 +2561,7 @@ static int ssl_print_name_dp(RES* ssl, const char* str, uint8_t* nm, uint16_t dclass, struct delegpt* dp) { - char buf[257]; + char buf[LDNS_MAX_DOMAINLEN]; struct delegpt_ns* ns; struct delegpt_addr* a; int f = 0; @@ -2509,7 +2929,7 @@ do_insecure_remove(RES* ssl, struct worker* worker, char* arg) static void do_insecure_list(RES* ssl, struct worker* worker) { - char buf[257]; + char buf[LDNS_MAX_DOMAINLEN]; struct trust_anchor* a; if(worker->env.anchors) { RBTREE_FOR(a, struct trust_anchor*, worker->env.anchors->tree) { @@ -2606,7 +3026,7 @@ get_mesh_status(struct mesh_area* mesh, struct mesh_state* m, } } else if(s == module_wait_subquery) { /* look in subs from mesh state to see what */ - char nm[257]; + char nm[LDNS_MAX_DOMAINLEN]; struct mesh_state_ref* sub; snprintf(buf, len, "%s wants", modname); l = strlen(buf); @@ -2636,7 +3056,7 @@ do_dump_requestlist(RES* ssl, struct worker* worker) struct mesh_area* mesh; struct mesh_state* m; int num = 0; - char buf[257]; + char buf[LDNS_MAX_DOMAINLEN]; char timebuf[32]; char statbuf[10240]; if(!ssl_printf(ssl, "thread #%d\n", worker->thread_num)) @@ -2686,7 +3106,7 @@ dump_infra_host(struct lruhash_entry* e, void* arg) struct infra_key* k = (struct infra_key*)e->key; struct infra_data* d = (struct infra_data*)e->data; char ip_str[1024]; - char name[257]; + char name[LDNS_MAX_DOMAINLEN]; int port; if(a->ssl_failed) return; @@ -2801,10 +3221,13 @@ do_auth_zone_reload(RES* ssl, struct worker* worker, char* arg) (void)ssl_printf(ssl, "error: no SOA in zone after read %s\n", arg); return; } - if(xfr->have_zone) + if(xfr->have_zone) { xfr->lease_time = *worker->env.now; + xfr->soa_zone_acquired = *worker->env.now; + } lock_basic_unlock(&xfr->lock); } + z->soa_zone_acquired = *worker->env.now; auth_zone_verify_zonemd(z, &worker->env, &worker->env.mesh->mods, &reason, 0, 0); @@ -2953,7 +3376,7 @@ static void do_list_auth_zones(RES* ssl, struct auth_zones* az) { struct auth_zone* z; - char buf[257], buf2[256]; + char buf[LDNS_MAX_DOMAINLEN], buf2[256], buf3[256]; lock_rw_rdlock(&az->lock); RBTREE_FOR(z, struct auth_zone*, &az->ztree) { lock_rw_rdlock(&z->lock); @@ -2962,18 +3385,41 @@ do_list_auth_zones(RES* ssl, struct auth_zones* az) snprintf(buf2, sizeof(buf2), "expired"); else { uint32_t serial = 0; - if(auth_zone_get_serial(z, &serial)) + if(auth_zone_get_serial(z, &serial)) { snprintf(buf2, sizeof(buf2), "serial %u", (unsigned)serial); - else snprintf(buf2, sizeof(buf2), "no serial"); + if(z->soa_zone_acquired != 0) { +#if defined(HAVE_STRFTIME) && defined(HAVE_LOCALTIME_R) + char tmbuf[32]; + struct tm tm; + struct tm *tm_p; + tm_p = localtime_r( + &z->soa_zone_acquired, &tm); + if(!strftime(tmbuf, sizeof(tmbuf), "%Y-%m-%dT%H:%M:%S", tm_p)) + snprintf(tmbuf, sizeof(tmbuf), "strftime-err-%u", (unsigned)z->soa_zone_acquired); + snprintf(buf3, sizeof(buf3), + "\t since %u %s", + (unsigned)z->soa_zone_acquired, + tmbuf); +#else + snprintf(buf3, sizeof(buf3), + "\t since %u", + (unsigned)z->soa_zone_acquired); +#endif + } else { + buf3[0]=0; + } + } else { + snprintf(buf2, sizeof(buf2), "no serial"); + buf3[0]=0; + } } - if(!ssl_printf(ssl, "%s\t%s\n", buf, buf2)) { + lock_rw_unlock(&z->lock); + if(!ssl_printf(ssl, "%s\t%s%s\n", buf, buf2, buf3)) { /* failure to print */ - lock_rw_unlock(&z->lock); lock_rw_unlock(&az->lock); return; } - lock_rw_unlock(&z->lock); } lock_rw_unlock(&az->lock); } @@ -2983,7 +3429,7 @@ static void do_list_local_zones(RES* ssl, struct local_zones* zones) { struct local_zone* z; - char buf[257]; + char buf[LDNS_MAX_DOMAINLEN]; lock_rw_rdlock(&zones->lock); RBTREE_FOR(z, struct local_zone*, &zones->ztree) { lock_rw_rdlock(&z->lock); @@ -3043,7 +3489,7 @@ do_list_local_data(RES* ssl, struct worker* worker, struct local_zones* zones) static void do_view_list_local_zones(RES* ssl, struct worker* worker, char* arg) { - struct view* v = views_find_view(worker->daemon->views, + struct view* v = views_find_view(worker->env.views, arg, 0 /* get read lock*/); if(!v) { ssl_printf(ssl,"no view with name: %s\n", arg); @@ -3059,7 +3505,7 @@ do_view_list_local_zones(RES* ssl, struct worker* worker, char* arg) static void do_view_list_local_data(RES* ssl, struct worker* worker, char* arg) { - struct view* v = views_find_view(worker->daemon->views, + struct view* v = views_find_view(worker->env.views, arg, 0 /* get read lock*/); if(!v) { ssl_printf(ssl,"no view with name: %s\n", arg); @@ -3094,7 +3540,7 @@ rate_list(struct lruhash_entry* e, void* arg) struct ratelimit_list_arg* a = (struct ratelimit_list_arg*)arg; struct rate_key* k = (struct rate_key*)e->key; struct rate_data* d = (struct rate_data*)e->data; - char buf[257]; + char buf[LDNS_MAX_DOMAINLEN]; int lim = infra_find_ratelimit(a->infra, k->name, k->namelen); int max = infra_rate_max(d, a->now, a->backoff); if(a->all == 0) { @@ -3416,6 +3862,30 @@ do_print_cookie_secrets(RES* ssl, struct worker* worker) { explicit_bzero(secret_hex, sizeof(secret_hex)); } +/** check that there is no argument after a command that takes no arguments. */ +static int +cmd_no_args(RES* ssl, char* cmd, char* p) +{ + if(p && *p != 0) { + /* cmd contains the command that is called at the start, + * with space or tab after it. */ + char* c = cmd; + if(strchr(c, ' ') && strchr(c, '\t')) { + if(strchr(c, ' ') < strchr(c, '\t')) + *strchr(c, ' ')=0; + else *strchr(c, '\t')=0; + } else if(strchr(c, ' ')) { + *strchr(c, ' ')=0; + } else if(strchr(c, '\t')) { + *strchr(c, '\t')=0; + } + (void)ssl_printf(ssl, "error command %s takes no arguments," + " have '%s'\n", c, p); + return 1; + } + return 0; +} + /** check for name with end-of-string, space or tab after it */ static int cmdcmp(char* p, const char* cmd, size_t len) @@ -3425,30 +3895,47 @@ cmdcmp(char* p, const char* cmd, size_t len) /** execute a remote control command */ static void -execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, +execute_cmd(struct daemon_remote* rc, struct rc_state* s, RES* ssl, char* cmd, struct worker* worker) { char* p = skipwhite(cmd); /* compare command */ if(cmdcmp(p, "stop", 4)) { + if(cmd_no_args(ssl, p, skipwhite(p+4))) + return; do_stop(ssl, worker); return; } else if(cmdcmp(p, "reload_keep_cache", 17)) { + if(cmd_no_args(ssl, p, skipwhite(p+17))) + return; do_reload(ssl, worker, 1); return; } else if(cmdcmp(p, "reload", 6)) { + if(cmd_no_args(ssl, p, skipwhite(p+6))) + return; do_reload(ssl, worker, 0); return; + } else if(cmdcmp(p, "fast_reload", 11)) { + do_fast_reload(ssl, worker, s, skipwhite(p+11)); + return; } else if(cmdcmp(p, "stats_noreset", 13)) { + if(cmd_no_args(ssl, p, skipwhite(p+13))) + return; do_stats(ssl, worker, 0); return; } else if(cmdcmp(p, "stats", 5)) { + if(cmd_no_args(ssl, p, skipwhite(p+5))) + return; do_stats(ssl, worker, 1); return; } else if(cmdcmp(p, "status", 6)) { + if(cmd_no_args(ssl, p, skipwhite(p+6))) + return; do_status(ssl, worker); return; } else if(cmdcmp(p, "dump_cache", 10)) { + if(cmd_no_args(ssl, p, skipwhite(p+10))) + return; #ifdef THREADS_DISABLED if(worker->daemon->num > 1) { (void)ssl_printf(ssl, "dump_cache/load_cache is not " @@ -3459,6 +3946,8 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, (void)dump_cache(ssl, worker); return; } else if(cmdcmp(p, "load_cache", 10)) { + if(cmd_no_args(ssl, p, skipwhite(p+10))) + return; #ifdef THREADS_DISABLED if(worker->daemon->num > 1) { /* The warning can't be printed when stdin is sending @@ -3469,18 +3958,28 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, if(load_cache(ssl, worker)) send_ok(ssl); return; } else if(cmdcmp(p, "list_forwards", 13)) { + if(cmd_no_args(ssl, p, skipwhite(p+13))) + return; do_list_forwards(ssl, worker); return; } else if(cmdcmp(p, "list_stubs", 10)) { + if(cmd_no_args(ssl, p, skipwhite(p+10))) + return; do_list_stubs(ssl, worker); return; } else if(cmdcmp(p, "list_insecure", 13)) { + if(cmd_no_args(ssl, p, skipwhite(p+13))) + return; do_insecure_list(ssl, worker); return; } else if(cmdcmp(p, "list_local_zones", 16)) { + if(cmd_no_args(ssl, p, skipwhite(p+16))) + return; do_list_local_zones(ssl, worker->daemon->local_zones); return; } else if(cmdcmp(p, "list_local_data", 15)) { + if(cmd_no_args(ssl, p, skipwhite(p+15))) + return; do_list_local_data(ssl, worker, worker->daemon->local_zones); return; } else if(cmdcmp(p, "view_list_local_zones", 21)) { @@ -3496,6 +3995,8 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, do_ip_ratelimit_list(ssl, worker, p+17); return; } else if(cmdcmp(p, "list_auth_zones", 15)) { + if(cmd_no_args(ssl, p, skipwhite(p+15))) + return; do_list_auth_zones(ssl, worker->env.auth_zones); return; } else if(cmdcmp(p, "auth_zone_reload", 16)) { @@ -3516,14 +4017,21 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, return; } else if(cmdcmp(p, "flush_stats", 11)) { /* must always distribute this cmd */ + if(cmd_no_args(ssl, p, skipwhite(p+11))) + return; if(rc) distribute_cmd(rc, ssl, cmd); do_flush_stats(ssl, worker); return; } else if(cmdcmp(p, "flush_requestlist", 17)) { /* must always distribute this cmd */ + if(cmd_no_args(ssl, p, skipwhite(p+17))) + return; if(rc) distribute_cmd(rc, ssl, cmd); do_flush_requestlist(ssl, worker); return; + } else if(cmdcmp(p, "cache_lookup", 12)) { + do_cache_lookup(ssl, worker, skipwhite(p+12)); + return; } else if(cmdcmp(p, "lookup", 6)) { do_lookup(ssl, worker, skipwhite(p+6)); return; @@ -3531,15 +4039,23 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, * Each line needs to be distributed if THREADS_DISABLED. */ } else if(cmdcmp(p, "local_zones_remove", 18)) { + if(cmd_no_args(ssl, p, skipwhite(p+18))) + return; do_zones_remove(rc, ssl, worker); return; } else if(cmdcmp(p, "local_zones", 11)) { + if(cmd_no_args(ssl, p, skipwhite(p+11))) + return; do_zones_add(rc, ssl, worker); return; } else if(cmdcmp(p, "local_datas_remove", 18)) { + if(cmd_no_args(ssl, p, skipwhite(p+18))) + return; do_datas_remove(rc, ssl, worker); return; } else if(cmdcmp(p, "local_datas", 11)) { + if(cmd_no_args(ssl, p, skipwhite(p+11))) + return; do_datas_add(rc, ssl, worker); return; } else if(cmdcmp(p, "view_local_datas_remove", 23)){ @@ -3549,6 +4065,8 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, do_view_datas_add(rc, ssl, worker, skipwhite(p+16)); return; } else if(cmdcmp(p, "print_cookie_secrets", 20)) { + if(cmd_no_args(ssl, p, skipwhite(p+20))) + return; do_print_cookie_secrets(ssl, worker); return; } @@ -3598,10 +4116,16 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, } else if(cmdcmp(p, "flush", 5)) { do_flush_name(ssl, worker, skipwhite(p+5)); } else if(cmdcmp(p, "dump_requestlist", 16)) { + if(cmd_no_args(ssl, p, skipwhite(p+16))) + return; do_dump_requestlist(ssl, worker); } else if(cmdcmp(p, "dump_infra", 10)) { + if(cmd_no_args(ssl, p, skipwhite(p+10))) + return; do_dump_infra(ssl, worker); } else if(cmdcmp(p, "log_reopen", 10)) { + if(cmd_no_args(ssl, p, skipwhite(p+10))) + return; do_log_reopen(ssl, worker); } else if(cmdcmp(p, "set_option", 10)) { do_set_option(ssl, worker, skipwhite(p+10)); @@ -3618,8 +4142,12 @@ execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, } else if(cmdcmp(p, "add_cookie_secret", 17)) { do_add_cookie_secret(ssl, worker, skipwhite(p+17)); } else if(cmdcmp(p, "drop_cookie_secret", 18)) { + if(cmd_no_args(ssl, p, skipwhite(p+18))) + return; do_drop_cookie_secret(ssl, worker); } else if(cmdcmp(p, "activate_cookie_secret", 22)) { + if(cmd_no_args(ssl, p, skipwhite(p+22))) + return; do_activate_cookie_secret(ssl, worker); } else { (void)ssl_printf(ssl, "error unknown command '%s'\n", p); @@ -3637,7 +4165,7 @@ daemon_remote_exec(struct worker* worker) return; } verbose(VERB_ALGO, "remote exec distributed: %s", (char*)msg); - execute_cmd(NULL, NULL, (char*)msg, worker); + execute_cmd(NULL, NULL, NULL, (char*)msg, worker); free(msg); } @@ -3701,7 +4229,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res) verbose(VERB_DETAIL, "control cmd: %s", buf); /* figure out what to do */ - execute_cmd(rc, res, buf, rc->worker); + execute_cmd(rc, s, res, buf, rc->worker); } /** handle SSL_do_handshake changes to the file descriptor to wait for later */ @@ -3793,3 +4321,3928 @@ int remote_control_callback(struct comm_point* c, void* arg, int err, clean_point(rc, s); return 0; } + +/** + * This routine polls a socket for readiness. + * @param fd: file descriptor, -1 uses no fd for a timer only. + * @param timeout: time in msec to wait. 0 means nonblocking test, + * -1 waits blocking for events. + * @param pollin: check for input event. + * @param pollout: check for output event. + * @param event: output variable, set to true if the event happens. + * It is false if there was an error or timeout. + * @return false is system call failure, also logged. + */ +static int +sock_poll_timeout(int fd, int timeout, int pollin, int pollout, int* event) +{ + int loopcount = 0; + /* Loop if the system call returns an errno to do so, like EINTR. */ + log_assert(pollin || pollout); + while(1) { + struct pollfd p, *fds; + int nfds, ret; + if(++loopcount > IPC_LOOP_MAX) { + log_err("sock_poll_timeout: loop"); + if(event) + *event = 0; + return 0; + } + if(fd == -1) { + fds = NULL; + nfds = 0; + } else { + fds = &p; + nfds = 1; + memset(&p, 0, sizeof(p)); + p.fd = fd; +#ifndef USE_WINSOCK + p.events = POLLERR + | POLLHUP + ; +#endif + if(pollin) + p.events |= POLLIN; + if(pollout) + p.events |= POLLOUT; + } +#ifndef USE_WINSOCK + ret = poll(fds, nfds, timeout); +#else + if(fds == NULL) { + Sleep(timeout); + ret = 0; + } else { + ret = WSAPoll(fds, nfds, timeout); + } +#endif + if(ret == -1) { +#ifndef USE_WINSOCK + if( + errno == EINTR || errno == EAGAIN +# ifdef EWOULDBLOCK + || errno == EWOULDBLOCK +# endif + ) continue; /* Try again. */ +#endif + /* For WSAPoll we only get errors here: + * o WSAENETDOWN + * o WSAEFAULT + * o WSAEINVAL + * o WSAENOBUFS + */ + log_err("poll: %s", sock_strerror(errno)); + if(event) + *event = 0; + return 0; + } else if(ret == 0) { + /* Timeout */ + if(event) + *event = 0; + return 1; + } + break; + } + if(event) + *event = 1; + return 1; +} + +/** fast reload convert fast reload notification status to string */ +static const char* +fr_notification_to_string(enum fast_reload_notification status) +{ + switch(status) { + case fast_reload_notification_none: + return "none"; + case fast_reload_notification_done: + return "done"; + case fast_reload_notification_done_error: + return "done_error"; + case fast_reload_notification_exit: + return "exit"; + case fast_reload_notification_exited: + return "exited"; + case fast_reload_notification_printout: + return "printout"; + case fast_reload_notification_reload_stop: + return "reload_stop"; + case fast_reload_notification_reload_ack: + return "reload_ack"; + case fast_reload_notification_reload_nopause_poll: + return "reload_nopause_poll"; + case fast_reload_notification_reload_start: + return "reload_start"; + default: + break; + } + return "unknown"; +} + +#ifndef THREADS_DISABLED +/** fast reload, poll for notification incoming. True if quit */ +static int +fr_poll_for_quit(struct fast_reload_thread* fr) +{ + int inevent, loopexit = 0, bcount = 0; + uint32_t cmd; + ssize_t ret; + + if(fr->need_to_quit) + return 1; + /* Is there data? */ + if(!sock_poll_timeout(fr->commpair[1], 0, 1, 0, &inevent)) { + log_err("fr_poll_for_quit: poll failed"); + return 0; + } + if(!inevent) + return 0; + + /* Read the data */ + while(1) { + if(++loopexit > IPC_LOOP_MAX) { + log_err("fr_poll_for_quit: recv loops %s", + sock_strerror(errno)); + return 0; + } + ret = recv(fr->commpair[1], ((char*)&cmd)+bcount, + sizeof(cmd)-bcount, 0); + if(ret == -1) { + if( +#ifndef USE_WINSOCK + errno == EINTR || errno == EAGAIN +# ifdef EWOULDBLOCK + || errno == EWOULDBLOCK +# endif +#else + WSAGetLastError() == WSAEINTR || + WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEWOULDBLOCK +#endif + ) + continue; /* Try again. */ + log_err("fr_poll_for_quit: recv: %s", + sock_strerror(errno)); + return 0; + } else if(ret+(ssize_t)bcount != sizeof(cmd)) { + bcount += ret; + if((size_t)bcount < sizeof(cmd)) + continue; + } + break; + } + if(cmd == fast_reload_notification_exit) { + fr->need_to_quit = 1; + verbose(VERB_ALGO, "fast reload: exit notification received"); + return 1; + } + log_err("fr_poll_for_quit: unknown notification status received: %d %s", + cmd, fr_notification_to_string(cmd)); + return 0; +} + +/** fast reload thread. Send notification from the fast reload thread */ +static void +fr_send_notification(struct fast_reload_thread* fr, + enum fast_reload_notification status) +{ + int outevent, loopexit = 0, bcount = 0; + uint32_t cmd; + ssize_t ret; + verbose(VERB_ALGO, "fast reload: send notification %s", + fr_notification_to_string(status)); + /* Make a blocking attempt to send. But meanwhile stay responsive, + * once in a while for quit commands. In case the server has to quit. */ + /* see if there is incoming quit signals */ + if(fr_poll_for_quit(fr)) + return; + cmd = status; + while(1) { + if(++loopexit > IPC_LOOP_MAX) { + log_err("fast reload: could not send notification"); + return; + } + /* wait for socket to become writable */ + if(!sock_poll_timeout(fr->commpair[1], IPC_NOTIFICATION_WAIT, + 0, 1, &outevent)) { + log_err("fast reload: poll failed"); + return; + } + if(fr_poll_for_quit(fr)) + return; + if(!outevent) + continue; + ret = send(fr->commpair[1], ((char*)&cmd)+bcount, + sizeof(cmd)-bcount, 0); + if(ret == -1) { + if( +#ifndef USE_WINSOCK + errno == EINTR || errno == EAGAIN +# ifdef EWOULDBLOCK + || errno == EWOULDBLOCK +# endif +#else + WSAGetLastError() == WSAEINTR || + WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEWOULDBLOCK +#endif + ) + continue; /* Try again. */ + log_err("fast reload send notification: send: %s", + sock_strerror(errno)); + return; + } else if(ret+(ssize_t)bcount != sizeof(cmd)) { + bcount += ret; + if((size_t)bcount < sizeof(cmd)) + continue; + } + break; + } +} + +/** fast reload thread queue up text string for output */ +static int +fr_output_text(struct fast_reload_thread* fr, const char* msg) +{ + char* item = strdup(msg); + if(!item) { + log_err("fast reload output text: strdup out of memory"); + return 0; + } + lock_basic_lock(&fr->fr_output_lock); + if(!cfg_strlist_append(fr->fr_output, item)) { + lock_basic_unlock(&fr->fr_output_lock); + /* The item is freed by cfg_strlist_append on failure. */ + log_err("fast reload output text: append out of memory"); + return 0; + } + lock_basic_unlock(&fr->fr_output_lock); + return 1; +} + +/** fast reload thread output vmsg function */ +static int +fr_output_vmsg(struct fast_reload_thread* fr, const char* format, va_list args) +{ + char msg[1024]; + vsnprintf(msg, sizeof(msg), format, args); + return fr_output_text(fr, msg); +} + +/** fast reload thread printout function, with printf arguments */ +static int fr_output_printf(struct fast_reload_thread* fr, + const char* format, ...) ATTR_FORMAT(printf, 2, 3); + +/** fast reload thread printout function, prints to list and signals + * the remote control thread to move that to get written to the socket + * of the remote control connection. */ +static int +fr_output_printf(struct fast_reload_thread* fr, const char* format, ...) +{ + va_list args; + int ret; + va_start(args, format); + ret = fr_output_vmsg(fr, format, args); + va_end(args); + return ret; +} + +/** fast reload thread, init time counters */ +static void +fr_init_time(struct timeval* time_start, struct timeval* time_read, + struct timeval* time_construct, struct timeval* time_reload, + struct timeval* time_end) +{ + memset(time_start, 0, sizeof(*time_start)); + memset(time_read, 0, sizeof(*time_read)); + memset(time_construct, 0, sizeof(*time_construct)); + memset(time_reload, 0, sizeof(*time_reload)); + memset(time_end, 0, sizeof(*time_end)); + if(gettimeofday(time_start, NULL) < 0) + log_err("gettimeofday: %s", strerror(errno)); +} + +/** + * Structure with constructed elements for use during fast reload. + * At the start it contains the tree items for the new config. + * After the tree items are swapped into the server, the old elements + * are kept in here. They can then be deleted. + */ +struct fast_reload_construct { + /** construct for views */ + struct views* views; + /** construct for auth zones */ + struct auth_zones* auth_zones; + /** construct for forwards */ + struct iter_forwards* fwds; + /** construct for stubs */ + struct iter_hints* hints; + /** construct for respip_set */ + struct respip_set* respip_set; + /** construct for access control */ + struct acl_list* acl; + /** construct for access control interface */ + struct acl_list* acl_interface; + /** construct for tcp connection limit */ + struct tcl_list* tcl; + /** construct for local zones */ + struct local_zones* local_zones; + /** if there is response ip configuration in use */ + int use_response_ip; + /** if there is an rpz zone */ + int use_rpz; + /** construct for edns strings */ + struct edns_strings* edns_strings; + /** construct for trust anchors */ + struct val_anchors* anchors; + /** construct for nsec3 key size */ + size_t* nsec3_keysize; + /** construct for nsec3 max iter */ + size_t* nsec3_maxiter; + /** construct for nsec3 keyiter count */ + int nsec3_keyiter_count; + /** construct for target fetch policy */ + int* target_fetch_policy; + /** construct for max dependency depth */ + int max_dependency_depth; + /** construct for donotquery addresses */ + struct iter_donotq* donotq; + /** construct for private addresses and domains */ + struct iter_priv* priv; + /** construct whitelist for capsforid names */ + struct rbtree_type* caps_white; + /** construct for nat64 */ + struct iter_nat64 nat64; + /** construct for wait_limits_netblock */ + struct rbtree_type wait_limits_netblock; + /** construct for wait_limits_cookie_netblock */ + struct rbtree_type wait_limits_cookie_netblock; + /** construct for domain limits */ + struct rbtree_type domain_limits; + /** storage for the old configuration elements. The outer struct + * is allocated with malloc here, the items are from config. */ + struct config_file* oldcfg; +}; + +/** fast reload thread, read config */ +static int +fr_read_config(struct fast_reload_thread* fr, struct config_file** newcfg) +{ + /* Create new config structure. */ + *newcfg = config_create(); + if(!*newcfg) { + if(!fr_output_printf(fr, "config_create failed: out of memory\n")) + return 0; + fr_send_notification(fr, fast_reload_notification_printout); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + + /* Read new config from file */ + if(!config_read(*newcfg, fr->worker->daemon->cfgfile, + fr->worker->daemon->chroot)) { + config_delete(*newcfg); + if(!fr_output_printf(fr, "config_read %s%s%s%s failed: %s\n", + (fr->worker->daemon->chroot?"worker->daemon->chroot?fr->worker->daemon->chroot:""), + (fr->worker->daemon->chroot?"> ":""), + fr->worker->daemon->cfgfile, strerror(errno))) + return 0; + fr_send_notification(fr, fast_reload_notification_printout); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + if(fr->fr_verb >= 1) { + if(!fr_output_printf(fr, "done read config file %s%s%s%s\n", + (fr->worker->daemon->chroot?"worker->daemon->chroot?fr->worker->daemon->chroot:""), + (fr->worker->daemon->chroot?"> ":""), + fr->worker->daemon->cfgfile)) + return 0; + fr_send_notification(fr, fast_reload_notification_printout); + } + + return 1; +} + +/** Check if two taglists are equal. */ +static int +taglist_equal(char** tagname_a, int num_tags_a, char** tagname_b, + int num_tags_b) +{ + int i; + if(num_tags_a != num_tags_b) + return 0; + for(i=0; i= num_tags_b) + return 0; + /* So, b is longer than a. Check if the initial start of the two + * taglists is the same. */ + if(!taglist_equal(tagname_a, num_tags_a, tagname_b, num_tags_a)) + return 0; + return 1; +} + +/** fast reload thread, check tag defines. */ +static int +fr_check_tag_defines(struct fast_reload_thread* fr, struct config_file* newcfg) +{ + /* The tags are kept in a bitlist for items. Some of them are stored + * in query info. If the tags change, then the old values are + * inaccurate. The solution is to then flush the query list. + * Unless the change only involves adding new tags at the end, that + * needs no changes. */ + if(!taglist_equal(fr->worker->daemon->cfg->tagname, + fr->worker->daemon->cfg->num_tags, newcfg->tagname, + newcfg->num_tags) && + !taglist_change_at_end(fr->worker->daemon->cfg->tagname, + fr->worker->daemon->cfg->num_tags, newcfg->tagname, + newcfg->num_tags)) { + /* The tags have changed too much, the define-tag config. */ + if(fr->fr_drop_mesh) + return 1; /* already dropping queries */ + fr->fr_drop_mesh = 1; + fr->worker->daemon->fast_reload_drop_mesh = fr->fr_drop_mesh; + if(!fr_output_printf(fr, "tags have changed, with " + "'define-tag', and the queries have to be dropped " + "for consistency, setting '+d'\n")) + return 0; + fr_send_notification(fr, fast_reload_notification_printout); + } + return 1; +} + +/** fast reload thread, add incompatible option to the explanatory string */ +static void +fr_add_incompatible_option(const char* desc, char* str, size_t len) +{ + size_t slen = strlen(str); + size_t desclen = strlen(desc); + if(slen == 0) { + snprintf(str, len, "%s", desc); + return; + } + if(len - slen < desclen+2) + return; /* It does not fit */ + snprintf(str+slen, len-slen, " %s", desc); +} + +/** fast reload thread, check if config item has changed; thus incompatible */ +#define FR_CHECK_CHANGED_CFG(desc, var, str) \ +do { \ + if(cfg->var != newcfg->var) { \ + fr_add_incompatible_option(desc, str, sizeof(str)); \ + } \ +} while(0); + +/** fast reload thread, check if config string has changed, checks NULLs. */ +#define FR_CHECK_CHANGED_CFG_STR(desc, var, str) \ +do { \ + if((!cfg->var && newcfg->var) || \ + (cfg->var && !newcfg->var) || \ + (cfg->var && newcfg->var \ + && strcmp(cfg->var, newcfg->var) != 0)) { \ + fr_add_incompatible_option(desc, str, sizeof(str)); \ + } \ +} while(0); + +/** fast reload thread, check if config strlist has changed. */ +#define FR_CHECK_CHANGED_CFG_STRLIST(desc, var, str) do { \ + fr_check_changed_cfg_strlist(cfg->var, newcfg->var, desc, str, \ + sizeof(str)); \ + } while(0); +static void +fr_check_changed_cfg_strlist(struct config_strlist* cmp1, + struct config_strlist* cmp2, const char* desc, char* str, size_t len) +{ + struct config_strlist* p1 = cmp1, *p2 = cmp2; + while(p1 && p2) { + if((!p1->str && p2->str) || + (p1->str && !p2->str) || + (p1->str && p2->str && strcmp(p1->str, p2->str) != 0)) { + /* The strlist is different. */ + fr_add_incompatible_option(desc, str, len); + return; + } + p1 = p1->next; + p2 = p2->next; + } + if((!p1 && p2) || (p1 && !p2)) { + fr_add_incompatible_option(desc, str, len); + } +} + +/** fast reload thread, check if config str2list has changed. */ +#define FR_CHECK_CHANGED_CFG_STR2LIST(desc, var, buff) do { \ + fr_check_changed_cfg_str2list(cfg->var, newcfg->var, desc, buff,\ + sizeof(buff)); \ + } while(0); +static void +fr_check_changed_cfg_str2list(struct config_str2list* cmp1, + struct config_str2list* cmp2, const char* desc, char* str, size_t len) +{ + struct config_str2list* p1 = cmp1, *p2 = cmp2; + while(p1 && p2) { + if((!p1->str && p2->str) || + (p1->str && !p2->str) || + (p1->str && p2->str && strcmp(p1->str, p2->str) != 0)) { + /* The str2list is different. */ + fr_add_incompatible_option(desc, str, len); + return; + } + if((!p1->str2 && p2->str2) || + (p1->str2 && !p2->str2) || + (p1->str2 && p2->str2 && + strcmp(p1->str2, p2->str2) != 0)) { + /* The str2list is different. */ + fr_add_incompatible_option(desc, str, len); + return; + } + p1 = p1->next; + p2 = p2->next; + } + if((!p1 && p2) || (p1 && !p2)) { + fr_add_incompatible_option(desc, str, len); + } +} + +/** fast reload thread, check compatible config items */ +static int +fr_check_compat_cfg(struct fast_reload_thread* fr, struct config_file* newcfg) +{ + int i; + char changed_str[1024]; + struct config_file* cfg = fr->worker->env.cfg; + changed_str[0]=0; + + /* Find incompatible options, and if so, print an error. */ + FR_CHECK_CHANGED_CFG("num-threads", num_threads, changed_str); + FR_CHECK_CHANGED_CFG("do-ip4", do_ip4, changed_str); + FR_CHECK_CHANGED_CFG("do-ip6", do_ip6, changed_str); + FR_CHECK_CHANGED_CFG("do-udp", do_udp, changed_str); + FR_CHECK_CHANGED_CFG("do-tcp", do_tcp, changed_str); + FR_CHECK_CHANGED_CFG("port", port, changed_str); + /* But cfg->outgoing_num_ports has been changed at startup, + * possibly to reduce it, so do not check it here. */ + FR_CHECK_CHANGED_CFG("outgoing-num-tcp", outgoing_num_tcp, changed_str); + FR_CHECK_CHANGED_CFG("incoming-num-tcp", incoming_num_tcp, changed_str); + FR_CHECK_CHANGED_CFG("outgoing-interface", num_out_ifs, changed_str); + if(cfg->num_out_ifs == newcfg->num_out_ifs) { + for(i=0; inum_out_ifs; i++) + FR_CHECK_CHANGED_CFG_STR("outgoing-interface", + out_ifs[i], changed_str); + } + FR_CHECK_CHANGED_CFG("interface", num_ifs, changed_str); + if(cfg->num_ifs == newcfg->num_ifs) { + for(i=0; inum_ifs; i++) + FR_CHECK_CHANGED_CFG_STR("interface", + ifs[i], changed_str); + } + FR_CHECK_CHANGED_CFG("interface-automatic", if_automatic, changed_str); + FR_CHECK_CHANGED_CFG("so-rcvbuf", so_rcvbuf, changed_str); + FR_CHECK_CHANGED_CFG("so-sndbuf", so_sndbuf, changed_str); + FR_CHECK_CHANGED_CFG("so-reuseport", so_reuseport, changed_str); + FR_CHECK_CHANGED_CFG("ip-transparent", ip_transparent, changed_str); + FR_CHECK_CHANGED_CFG("ip-freebind", ip_freebind, changed_str); + FR_CHECK_CHANGED_CFG("udp-connect", udp_connect, changed_str); + FR_CHECK_CHANGED_CFG("msg-buffer-size", msg_buffer_size, changed_str); + FR_CHECK_CHANGED_CFG("edns-tcp-keepalive", do_tcp_keepalive, changed_str); + FR_CHECK_CHANGED_CFG("edns-tcp-keepalive-timeout", tcp_keepalive_timeout, changed_str); + FR_CHECK_CHANGED_CFG("tcp-idle-timeout", tcp_idle_timeout, changed_str); + /* Not changed, only if DoH is used, it is then stored in commpoints, + * as well as used from cfg. */ + FR_CHECK_CHANGED_CFG("harden-large-queries", harden_large_queries, changed_str); + FR_CHECK_CHANGED_CFG("http-max-streams", http_max_streams, changed_str); + FR_CHECK_CHANGED_CFG_STR("http-endpoint", http_endpoint, changed_str); + FR_CHECK_CHANGED_CFG("http_notls_downstream", http_notls_downstream, changed_str); + FR_CHECK_CHANGED_CFG("https-port", https_port, changed_str); + FR_CHECK_CHANGED_CFG("tls-port", ssl_port, changed_str); + FR_CHECK_CHANGED_CFG_STR("tls-service-key", ssl_service_key, changed_str); + FR_CHECK_CHANGED_CFG_STR("tls-service-pem", ssl_service_pem, changed_str); + FR_CHECK_CHANGED_CFG_STR("tls-cert-bundle", tls_cert_bundle, changed_str); + FR_CHECK_CHANGED_CFG_STRLIST("proxy-protocol-port", proxy_protocol_port, changed_str); + FR_CHECK_CHANGED_CFG_STRLIST("tls-additional-port", tls_additional_port, changed_str); + FR_CHECK_CHANGED_CFG_STR("interface-automatic-ports", if_automatic_ports, changed_str); + FR_CHECK_CHANGED_CFG("udp-upstream-without-downstream", udp_upstream_without_downstream, changed_str); + + if(changed_str[0] != 0) { + /* The new config changes some items that do not work with + * fast reload. */ + if(!fr_output_printf(fr, "The config changes items that are " + "not compatible with fast_reload, perhaps do reload " + "or restart: %s", changed_str) || + !fr_output_printf(fr, "\n")) + return 0; + fr_send_notification(fr, fast_reload_notification_printout); + return 0; + } + return 1; +} + +/** fast reload thread, check nopause config items */ +static int +fr_check_nopause_compat_cfg(struct fast_reload_thread* fr, struct config_file* newcfg) +{ + char changed_str[1024]; + struct config_file* cfg = fr->worker->env.cfg; + if(!fr->fr_nopause) + return 1; /* The nopause is not enabled, so no problem. */ + changed_str[0]=0; + + /* Check for iter_env. */ + FR_CHECK_CHANGED_CFG("outbound-msg-retry", outbound_msg_retry, changed_str); + FR_CHECK_CHANGED_CFG("max-sent-count", max_sent_count, changed_str); + FR_CHECK_CHANGED_CFG("max-query-restarts", max_query_restarts, changed_str); + FR_CHECK_CHANGED_CFG_STR("target-fetch-policy", target_fetch_policy, changed_str); + FR_CHECK_CHANGED_CFG("do-not-query-localhost", donotquery_localhost, changed_str); + FR_CHECK_CHANGED_CFG_STRLIST("do-not-query-address", donotqueryaddrs, changed_str); + FR_CHECK_CHANGED_CFG_STRLIST("private-address", private_address, changed_str); + FR_CHECK_CHANGED_CFG_STRLIST("private-domain", private_domain, changed_str); + FR_CHECK_CHANGED_CFG_STRLIST("caps-exempt", caps_whitelist, changed_str); + FR_CHECK_CHANGED_CFG("do-nat64", do_nat64, changed_str); + FR_CHECK_CHANGED_CFG_STR("nat64-prefix", nat64_prefix, changed_str); + + /* Check for val_env. */ + FR_CHECK_CHANGED_CFG("val-bogus-ttl", bogus_ttl, changed_str); + FR_CHECK_CHANGED_CFG("val-date-override", val_date_override, changed_str); + FR_CHECK_CHANGED_CFG("val-sig-skew-min", val_sig_skew_min, changed_str); + FR_CHECK_CHANGED_CFG("val-sig-skew-max", val_sig_skew_max, changed_str); + FR_CHECK_CHANGED_CFG("val-max-restart", val_max_restart, changed_str); + FR_CHECK_CHANGED_CFG_STR("val-nsec3-keysize-iterations", + val_nsec3_key_iterations, changed_str); + + /* Check for infra. */ + FR_CHECK_CHANGED_CFG("infra-host-ttl", host_ttl, changed_str); + FR_CHECK_CHANGED_CFG("infra-keep-probing", infra_keep_probing, changed_str); + FR_CHECK_CHANGED_CFG("ratelimit", ratelimit, changed_str); + FR_CHECK_CHANGED_CFG("ip-ratelimit", ip_ratelimit, changed_str); + FR_CHECK_CHANGED_CFG("ip-ratelimit-cookie", ip_ratelimit_cookie, changed_str); + FR_CHECK_CHANGED_CFG_STR2LIST("wait-limit-netblock", wait_limit_netblock, changed_str); + FR_CHECK_CHANGED_CFG_STR2LIST("wait-limit-cookie-netblock", wait_limit_cookie_netblock, changed_str); + FR_CHECK_CHANGED_CFG_STR2LIST("ratelimit-below-domain", ratelimit_below_domain, changed_str); + FR_CHECK_CHANGED_CFG_STR2LIST("ratelimit-for-domain", ratelimit_for_domain, changed_str); + + /* Check for dnstap. */ + FR_CHECK_CHANGED_CFG("dnstap-send-identity", dnstap_send_identity, changed_str); + FR_CHECK_CHANGED_CFG("dnstap-send-version", dnstap_send_version, changed_str); + FR_CHECK_CHANGED_CFG_STR("dnstap-identity", dnstap_identity, changed_str); + FR_CHECK_CHANGED_CFG_STR("dnstap-version", dnstap_version, changed_str); + + if(changed_str[0] != 0) { + /* The new config changes some items that need a pause, + * to be able to update the variables. */ + if(!fr_output_printf(fr, "The config changes items that need " + "the fast_reload +p option, for nopause, " + "disabled to be reloaded: %s", changed_str) || + !fr_output_printf(fr, "\n")) + return 0; + fr_send_notification(fr, fast_reload_notification_printout); + return 0; + } + return 1; +} + +/** fast reload thread, clear construct information, deletes items */ +static void +fr_construct_clear(struct fast_reload_construct* ct) +{ + if(!ct) + return; + auth_zones_delete(ct->auth_zones); + forwards_delete(ct->fwds); + hints_delete(ct->hints); + respip_set_delete(ct->respip_set); + local_zones_delete(ct->local_zones); + acl_list_delete(ct->acl); + acl_list_delete(ct->acl_interface); + tcl_list_delete(ct->tcl); + edns_strings_delete(ct->edns_strings); + anchors_delete(ct->anchors); + views_delete(ct->views); + free(ct->nsec3_keysize); + free(ct->nsec3_maxiter); + free(ct->target_fetch_policy); + donotq_delete(ct->donotq); + priv_delete(ct->priv); + caps_white_delete(ct->caps_white); + wait_limits_free(&ct->wait_limits_netblock); + wait_limits_free(&ct->wait_limits_cookie_netblock); + domain_limits_free(&ct->domain_limits); + /* Delete the log identity here so that the global value is not + * reset by config_delete. */ + if(ct->oldcfg && ct->oldcfg->log_identity) { + free(ct->oldcfg->log_identity); + ct->oldcfg->log_identity = NULL; + } + config_delete(ct->oldcfg); +} + +/** get memory for strlist */ +static size_t +getmem_config_strlist(struct config_strlist* p) +{ + size_t m = 0; + struct config_strlist* s; + for(s = p; s; s = s->next) + m += sizeof(*s) + getmem_str(s->str); + return m; +} + +/** get memory for str2list */ +static size_t +getmem_config_str2list(struct config_str2list* p) +{ + size_t m = 0; + struct config_str2list* s; + for(s = p; s; s = s->next) + m += sizeof(*s) + getmem_str(s->str) + getmem_str(s->str2); + return m; +} + +/** get memory for str3list */ +static size_t +getmem_config_str3list(struct config_str3list* p) +{ + size_t m = 0; + struct config_str3list* s; + for(s = p; s; s = s->next) + m += sizeof(*s) + getmem_str(s->str) + getmem_str(s->str2) + + getmem_str(s->str3); + return m; +} + +/** get memory for strbytelist */ +static size_t +getmem_config_strbytelist(struct config_strbytelist* p) +{ + size_t m = 0; + struct config_strbytelist* s; + for(s = p; s; s = s->next) + m += sizeof(*s) + getmem_str(s->str) + (s->str2?s->str2len:0); + return m; +} + +/** get memory used by ifs array */ +static size_t +getmem_ifs(int numifs, char** ifs) +{ + size_t m = 0; + int i; + m += numifs * sizeof(char*); + for(i=0; inext) + m += sizeof(*s) + getmem_str(s->name) + + getmem_config_strlist(s->hosts) + + getmem_config_strlist(s->addrs); + return m; +} + +/** get memory for config_auth */ +static size_t +getmem_config_auth(struct config_auth* p) +{ + size_t m = 0; + struct config_auth* s; + for(s = p; s; s = s->next) + m += sizeof(*s) + getmem_str(s->name) + + getmem_config_strlist(s->masters) + + getmem_config_strlist(s->urls) + + getmem_config_strlist(s->allow_notify) + + getmem_str(s->zonefile) + + s->rpz_taglistlen + + getmem_str(s->rpz_action_override) + + getmem_str(s->rpz_log_name) + + getmem_str(s->rpz_cname); + return m; +} + +/** get memory for config_view */ +static size_t +getmem_config_view(struct config_view* p) +{ + size_t m = 0; + struct config_view* s; + for(s = p; s; s = s->next) + m += sizeof(*s) + getmem_str(s->name) + + getmem_config_str2list(s->local_zones) + + getmem_config_strlist(s->local_data) + + getmem_config_strlist(s->local_zones_nodefault) +#ifdef USE_IPSET + + getmem_config_strlist(s->local_zones_ipset) +#endif + + getmem_config_str2list(s->respip_actions) + + getmem_config_str2list(s->respip_data); + + return m; +} + +/** get memory used by config_file item, estimate */ +static size_t +config_file_getmem(struct config_file* cfg) +{ + size_t m = 0; + m += sizeof(*cfg); + m += getmem_config_strlist(cfg->proxy_protocol_port); + m += getmem_str(cfg->ssl_service_key); + m += getmem_str(cfg->ssl_service_pem); + m += getmem_str(cfg->tls_cert_bundle); + m += getmem_config_strlist(cfg->tls_additional_port); + m += getmem_config_strlist(cfg->tls_session_ticket_keys.first); + m += getmem_str(cfg->tls_ciphers); + m += getmem_str(cfg->tls_ciphersuites); + m += getmem_str(cfg->http_endpoint); + m += (cfg->outgoing_avail_ports?65536*sizeof(int):0); + m += getmem_str(cfg->target_fetch_policy); + m += getmem_str(cfg->if_automatic_ports); + m += getmem_ifs(cfg->num_ifs, cfg->ifs); + m += getmem_ifs(cfg->num_out_ifs, cfg->out_ifs); + m += getmem_config_strlist(cfg->root_hints); + m += getmem_config_stub(cfg->stubs); + m += getmem_config_stub(cfg->forwards); + m += getmem_config_auth(cfg->auths); + m += getmem_config_view(cfg->views); + m += getmem_config_strlist(cfg->donotqueryaddrs); +#ifdef CLIENT_SUBNET + m += getmem_config_strlist(cfg->client_subnet); + m += getmem_config_strlist(cfg->client_subnet_zone); +#endif + m += getmem_config_str2list(cfg->acls); + m += getmem_config_str2list(cfg->tcp_connection_limits); + m += getmem_config_strlist(cfg->caps_whitelist); + m += getmem_config_strlist(cfg->private_address); + m += getmem_config_strlist(cfg->private_domain); + m += getmem_str(cfg->chrootdir); + m += getmem_str(cfg->username); + m += getmem_str(cfg->directory); + m += getmem_str(cfg->logfile); + m += getmem_str(cfg->pidfile); + m += getmem_str(cfg->log_identity); + m += getmem_str(cfg->identity); + m += getmem_str(cfg->version); + m += getmem_str(cfg->http_user_agent); + m += getmem_str(cfg->nsid_cfg_str); + m += (cfg->nsid?cfg->nsid_len:0); + m += getmem_str(cfg->module_conf); + m += getmem_config_strlist(cfg->trust_anchor_file_list); + m += getmem_config_strlist(cfg->trust_anchor_list); + m += getmem_config_strlist(cfg->auto_trust_anchor_file_list); + m += getmem_config_strlist(cfg->trusted_keys_file_list); + m += getmem_config_strlist(cfg->domain_insecure); + m += getmem_str(cfg->val_nsec3_key_iterations); + m += getmem_config_str2list(cfg->local_zones); + m += getmem_config_strlist(cfg->local_zones_nodefault); +#ifdef USE_IPSET + m += getmem_config_strlist(cfg->local_zones_ipset); +#endif + m += getmem_config_strlist(cfg->local_data); + m += getmem_config_str3list(cfg->local_zone_overrides); + m += getmem_config_strbytelist(cfg->local_zone_tags); + m += getmem_config_strbytelist(cfg->acl_tags); + m += getmem_config_str3list(cfg->acl_tag_actions); + m += getmem_config_str3list(cfg->acl_tag_datas); + m += getmem_config_str2list(cfg->acl_view); + m += getmem_config_str2list(cfg->interface_actions); + m += getmem_config_strbytelist(cfg->interface_tags); + m += getmem_config_str3list(cfg->interface_tag_actions); + m += getmem_config_str3list(cfg->interface_tag_datas); + m += getmem_config_str2list(cfg->interface_view); + m += getmem_config_strbytelist(cfg->respip_tags); + m += getmem_config_str2list(cfg->respip_actions); + m += getmem_config_str2list(cfg->respip_data); + m += getmem_ifs(cfg->num_tags, cfg->tagname); + m += getmem_config_strlist(cfg->control_ifs.first); + m += getmem_str(cfg->server_key_file); + m += getmem_str(cfg->server_cert_file); + m += getmem_str(cfg->control_key_file); + m += getmem_str(cfg->control_cert_file); + m += getmem_config_strlist(cfg->python_script); + m += getmem_config_strlist(cfg->dynlib_file); + m += getmem_str(cfg->dns64_prefix); + m += getmem_config_strlist(cfg->dns64_ignore_aaaa); + m += getmem_str(cfg->nat64_prefix); + m += getmem_str(cfg->dnstap_socket_path); + m += getmem_str(cfg->dnstap_ip); + m += getmem_str(cfg->dnstap_tls_server_name); + m += getmem_str(cfg->dnstap_tls_cert_bundle); + m += getmem_str(cfg->dnstap_tls_client_key_file); + m += getmem_str(cfg->dnstap_tls_client_cert_file); + m += getmem_str(cfg->dnstap_identity); + m += getmem_str(cfg->dnstap_version); + m += getmem_config_str2list(cfg->ratelimit_for_domain); + m += getmem_config_str2list(cfg->ratelimit_below_domain); + m += getmem_config_str2list(cfg->edns_client_strings); + m += getmem_str(cfg->dnscrypt_provider); + m += getmem_config_strlist(cfg->dnscrypt_secret_key); + m += getmem_config_strlist(cfg->dnscrypt_provider_cert); + m += getmem_config_strlist(cfg->dnscrypt_provider_cert_rotated); +#ifdef USE_IPSECMOD + m += getmem_config_strlist(cfg->ipsecmod_whitelist); + m += getmem_str(cfg->ipsecmod_hook); +#endif +#ifdef USE_CACHEDB + m += getmem_str(cfg->cachedb_backend); + m += getmem_str(cfg->cachedb_secret); +#ifdef USE_REDIS + m += getmem_str(cfg->redis_server_host); + m += getmem_str(cfg->redis_replica_server_host); + m += getmem_str(cfg->redis_server_path); + m += getmem_str(cfg->redis_replica_server_path); + m += getmem_str(cfg->redis_server_password); + m += getmem_str(cfg->redis_replica_server_password); +#endif +#endif +#ifdef USE_IPSET + m += getmem_str(cfg->ipset_name_v4); + m += getmem_str(cfg->ipset_name_v6); +#endif + return m; +} + +/** fast reload thread, print memory used by construct of items. */ +static int +fr_printmem(struct fast_reload_thread* fr, + struct config_file* newcfg, struct fast_reload_construct* ct) +{ + size_t mem = 0; + if(fr_poll_for_quit(fr)) + return 1; + mem += views_get_mem(ct->views); + mem += respip_set_get_mem(ct->respip_set); + mem += auth_zones_get_mem(ct->auth_zones); + mem += forwards_get_mem(ct->fwds); + mem += hints_get_mem(ct->hints); + mem += local_zones_get_mem(ct->local_zones); + mem += acl_list_get_mem(ct->acl); + mem += acl_list_get_mem(ct->acl_interface); + mem += tcl_list_get_mem(ct->tcl); + mem += edns_strings_get_mem(ct->edns_strings); + mem += anchors_get_mem(ct->anchors); + mem += sizeof(*ct->oldcfg); + mem += config_file_getmem(newcfg); + + if(!fr_output_printf(fr, "memory use %d bytes\n", (int)mem)) + return 0; + fr_send_notification(fr, fast_reload_notification_printout); + + return 1; +} + +/** fast reload thread, setup the acl_interface for the ports that + * the server has. */ +static int +ct_acl_interface_setup_ports(struct acl_list* acl_interface, + struct daemon* daemon) +{ + /* clean acl_interface */ + acl_interface_init(acl_interface); + if(!setup_acl_for_ports(acl_interface, daemon->ports[0])) + return 0; + if(daemon->reuseport) { + size_t i; + for(i=1; inum_ports; i++) { + if(!setup_acl_for_ports(acl_interface, + daemon->ports[i])) + return 0; + } + } + return 1; +} + +/** fast reload, add new change to list of auth zones */ +static int +fr_add_auth_zone_change(struct fast_reload_thread* fr, struct auth_zone* old_z, + struct auth_zone* new_z, int is_deleted, int is_added, int is_changed) +{ + struct fast_reload_auth_change* item; + item = calloc(1, sizeof(*item)); + if(!item) { + log_err("malloc failure in add auth zone change"); + return 0; + } + item->old_z = old_z; + item->new_z = new_z; + item->is_deleted = is_deleted; + item->is_added = is_added; + item->is_changed = is_changed; + + item->next = fr->auth_zone_change_list; + fr->auth_zone_change_list = item; + return 1; +} + +/** See if auth master is equal */ +static int +xfr_auth_master_equal(struct auth_master* m1, struct auth_master* m2) +{ + if(!m1 && !m2) + return 1; + if(!m1 || !m2) + return 0; + + if((m1->host && !m2->host) || (!m1->host && m2->host)) + return 0; + if(m1->host && m2->host && strcmp(m1->host, m2->host) != 0) + return 0; + + if((m1->file && !m2->file) || (!m1->file && m2->file)) + return 0; + if(m1->file && m2->file && strcmp(m1->file, m2->file) != 0) + return 0; + + if((m1->http && !m2->http) || (!m1->http && m2->http)) + return 0; + if((m1->ixfr && !m2->ixfr) || (!m1->ixfr && m2->ixfr)) + return 0; + if((m1->allow_notify && !m2->allow_notify) || (!m1->allow_notify && m2->allow_notify)) + return 0; + if((m1->ssl && !m2->ssl) || (!m1->ssl && m2->ssl)) + return 0; + if(m1->port != m2->port) + return 0; + return 1; +} + +/** See if list of auth masters is equal */ +static int +xfr_masterlist_equal(struct auth_master* list1, struct auth_master* list2) +{ + struct auth_master* p1 = list1, *p2 = list2; + while(p1 && p2) { + if(!xfr_auth_master_equal(p1, p2)) + return 0; + p1 = p1->next; + p2 = p2->next; + } + if(!p1 && !p2) + return 1; + return 0; +} + +/** See if the list of masters has changed. */ +static int +xfr_masters_equal(struct auth_xfer* xfr1, struct auth_xfer* xfr2) +{ + if(xfr1 == NULL && xfr2 == NULL) + return 1; + if(xfr1 == NULL && xfr2 != NULL) + return 0; + if(xfr1 != NULL && xfr2 == NULL) + return 0; + if(xfr_masterlist_equal(xfr1->task_probe->masters, + xfr2->task_probe->masters) && + xfr_masterlist_equal(xfr1->task_transfer->masters, + xfr2->task_transfer->masters)) + return 1; + return 0; +} + +/** Check what has changed in auth zones, like added and deleted zones */ +static int +auth_zones_check_changes(struct fast_reload_thread* fr, + struct fast_reload_construct* ct) +{ + /* Check every zone in turn. */ + struct auth_zone* new_z, *old_z; + struct module_env* env = &fr->worker->env; + + fr->old_auth_zones = ct->auth_zones; + /* Nobody is using the new ct version yet. + * Also the ct lock is picked up before the env lock for auth_zones. */ + lock_rw_rdlock(&ct->auth_zones->lock); + + /* Find deleted zones by looping over the current list and looking + * up in the new tree. */ + lock_rw_rdlock(&env->auth_zones->lock); + RBTREE_FOR(old_z, struct auth_zone*, &env->auth_zones->ztree) { + new_z = auth_zone_find(ct->auth_zones, old_z->name, + old_z->namelen, old_z->dclass); + if(!new_z) { + /* The zone has been removed. */ + if(!fr_add_auth_zone_change(fr, old_z, NULL, 1, 0, + 0)) { + lock_rw_unlock(&env->auth_zones->lock); + lock_rw_unlock(&ct->auth_zones->lock); + return 0; + } + } + } + lock_rw_unlock(&env->auth_zones->lock); + + /* Find added zones by looping over new list and lookup in current. */ + RBTREE_FOR(new_z, struct auth_zone*, &ct->auth_zones->ztree) { + lock_rw_rdlock(&env->auth_zones->lock); + old_z = auth_zone_find(env->auth_zones, new_z->name, + new_z->namelen, new_z->dclass); + if(!old_z) { + /* The zone has been added. */ + lock_rw_unlock(&env->auth_zones->lock); + if(!fr_add_auth_zone_change(fr, NULL, new_z, 0, 1, + 0)) { + lock_rw_unlock(&ct->auth_zones->lock); + return 0; + } + } else { + uint32_t old_serial = 0, new_serial = 0; + int have_old = 0, have_new = 0; + struct auth_xfer* old_xfr, *new_xfr; + lock_rw_rdlock(&new_z->lock); + lock_rw_rdlock(&old_z->lock); + new_xfr = auth_xfer_find(ct->auth_zones, new_z->name, + new_z->namelen, new_z->dclass); + old_xfr = auth_xfer_find(env->auth_zones, old_z->name, + old_z->namelen, old_z->dclass); + if(new_xfr) { + lock_basic_lock(&new_xfr->lock); + } + if(old_xfr) { + lock_basic_lock(&old_xfr->lock); + } + lock_rw_unlock(&env->auth_zones->lock); + + /* Change in the auth zone can be detected. */ + /* A change in serial number means that auth_xfer + * has to be updated. */ + have_old = (auth_zone_get_serial(old_z, + &old_serial)!=0); + have_new = (auth_zone_get_serial(new_z, + &new_serial)!=0); + if(have_old != have_new || old_serial != new_serial + || !xfr_masters_equal(old_xfr, new_xfr)) { + /* The zone has been changed. */ + if(!fr_add_auth_zone_change(fr, old_z, new_z, + 0, 0, 1)) { + lock_rw_unlock(&old_z->lock); + lock_rw_unlock(&new_z->lock); + lock_rw_unlock(&ct->auth_zones->lock); + if(new_xfr) { + lock_basic_unlock(&new_xfr->lock); + } + if(old_xfr) { + lock_basic_unlock(&old_xfr->lock); + } + return 0; + } + } + + if(new_xfr) { + lock_basic_unlock(&new_xfr->lock); + } + if(old_xfr) { + lock_basic_unlock(&old_xfr->lock); + } + lock_rw_unlock(&old_z->lock); + lock_rw_unlock(&new_z->lock); + } + } + + lock_rw_unlock(&ct->auth_zones->lock); + return 1; +} + +/** fast reload thread, construct from config the new items */ +static int +fr_construct_from_config(struct fast_reload_thread* fr, + struct config_file* newcfg, struct fast_reload_construct* ct) +{ + int have_view_respip_cfg = 0; + + if(!(ct->views = views_create())) { + fr_construct_clear(ct); + return 0; + } + if(!views_apply_cfg(ct->views, newcfg)) { + fr_construct_clear(ct); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + + if(!(ct->acl = acl_list_create())) { + fr_construct_clear(ct); + return 0; + } + if(!acl_list_apply_cfg(ct->acl, newcfg, ct->views)) { + fr_construct_clear(ct); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + + if(!(ct->acl_interface = acl_list_create())) { + fr_construct_clear(ct); + return 0; + } + if(!ct_acl_interface_setup_ports(ct->acl_interface, + fr->worker->daemon)) { + fr_construct_clear(ct); + return 0; + } + if(!acl_interface_apply_cfg(ct->acl_interface, newcfg, ct->views)) { + fr_construct_clear(ct); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + + if(!(ct->tcl = tcl_list_create())) { + fr_construct_clear(ct); + return 0; + } + if(!tcl_list_apply_cfg(ct->tcl, newcfg)) { + fr_construct_clear(ct); + return 0; + } + if(fr->worker->daemon->tcl->tree.count != 0) + fr->worker->daemon->fast_reload_tcl_has_changes = 1; + else fr->worker->daemon->fast_reload_tcl_has_changes = 0; + if(fr_poll_for_quit(fr)) + return 1; + + if(!(ct->auth_zones = auth_zones_create())) { + fr_construct_clear(ct); + return 0; + } + if(!auth_zones_apply_cfg(ct->auth_zones, newcfg, 1, &ct->use_rpz, + fr->worker->daemon->env, &fr->worker->daemon->mods)) { + fr_construct_clear(ct); + return 0; + } + if(!auth_zones_check_changes(fr, ct)) { + fr_construct_clear(ct); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + + if(!(ct->fwds = forwards_create())) { + fr_construct_clear(ct); + return 0; + } + if(!forwards_apply_cfg(ct->fwds, newcfg)) { + fr_construct_clear(ct); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + + if(!(ct->hints = hints_create())) { + fr_construct_clear(ct); + return 0; + } + if(!hints_apply_cfg(ct->hints, newcfg)) { + fr_construct_clear(ct); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + + if(!(ct->local_zones = local_zones_create())) { + fr_construct_clear(ct); + return 0; + } + if(!local_zones_apply_cfg(ct->local_zones, newcfg)) { + fr_construct_clear(ct); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + + if(!(ct->respip_set = respip_set_create())) { + fr_construct_clear(ct); + return 0; + } + if(!respip_global_apply_cfg(ct->respip_set, newcfg)) { + fr_construct_clear(ct); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + if(!respip_views_apply_cfg(ct->views, newcfg, &have_view_respip_cfg)) { + fr_construct_clear(ct); + return 0; + } + ct->use_response_ip = !respip_set_is_empty(ct->respip_set) || + have_view_respip_cfg; + if(fr_poll_for_quit(fr)) + return 1; + + if(!(ct->edns_strings = edns_strings_create())) { + fr_construct_clear(ct); + return 0; + } + if(!edns_strings_apply_cfg(ct->edns_strings, newcfg)) { + fr_construct_clear(ct); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + + if(fr->worker->env.anchors) { + /* There are trust anchors already, so create it for reload. */ + if(!(ct->anchors = anchors_create())) { + fr_construct_clear(ct); + return 0; + } + if(!anchors_apply_cfg(ct->anchors, newcfg)) { + fr_construct_clear(ct); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + } + + if(!val_env_parse_key_iter(newcfg->val_nsec3_key_iterations, + &ct->nsec3_keysize, &ct->nsec3_maxiter, + &ct->nsec3_keyiter_count)) { + fr_construct_clear(ct); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + + if(!read_fetch_policy(&ct->target_fetch_policy, + &ct->max_dependency_depth, newcfg->target_fetch_policy)) { + fr_construct_clear(ct); + return 0; + } + if(!(ct->donotq = donotq_create())) { + fr_construct_clear(ct); + return 0; + } + if(!donotq_apply_cfg(ct->donotq, newcfg)) { + fr_construct_clear(ct); + return 0; + } + if(!(ct->priv = priv_create())) { + fr_construct_clear(ct); + return 0; + } + if(!priv_apply_cfg(ct->priv, newcfg)) { + fr_construct_clear(ct); + return 0; + } + if(newcfg->caps_whitelist) { + if(!(ct->caps_white = caps_white_create())) { + fr_construct_clear(ct); + return 0; + } + if(!caps_white_apply_cfg(ct->caps_white, newcfg)) { + fr_construct_clear(ct); + return 0; + } + } + if(!nat64_apply_cfg(&ct->nat64, newcfg)) { + fr_construct_clear(ct); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + + if(!setup_wait_limits(&ct->wait_limits_netblock, + &ct->wait_limits_cookie_netblock, newcfg)) { + fr_construct_clear(ct); + return 0; + } + if(!setup_domain_limits(&ct->domain_limits, newcfg)) { + fr_construct_clear(ct); + return 0; + } + if(fr_poll_for_quit(fr)) + return 1; + + if(!(ct->oldcfg = (struct config_file*)calloc(1, + sizeof(*ct->oldcfg)))) { + fr_construct_clear(ct); + log_err("out of memory"); + return 0; + } + if(fr->fr_verb >= 2) { + if(!fr_printmem(fr, newcfg, ct)) + return 0; + } + return 1; +} + +/** fast reload thread, finish timers */ +static int +fr_finish_time(struct fast_reload_thread* fr, struct timeval* time_start, + struct timeval* time_read, struct timeval* time_construct, + struct timeval* time_reload, struct timeval* time_end) +{ + struct timeval total, readtime, constructtime, reloadtime, deletetime; + if(gettimeofday(time_end, NULL) < 0) + log_err("gettimeofday: %s", strerror(errno)); + + timeval_subtract(&total, time_end, time_start); + timeval_subtract(&readtime, time_read, time_start); + timeval_subtract(&constructtime, time_construct, time_read); + timeval_subtract(&reloadtime, time_reload, time_construct); + timeval_subtract(&deletetime, time_end, time_reload); + if(!fr_output_printf(fr, "read disk %3d.%6.6ds\n", + (int)readtime.tv_sec, (int)readtime.tv_usec)) + return 0; + if(!fr_output_printf(fr, "construct %3d.%6.6ds\n", + (int)constructtime.tv_sec, (int)constructtime.tv_usec)) + return 0; + if(!fr_output_printf(fr, "reload %3d.%6.6ds\n", + (int)reloadtime.tv_sec, (int)reloadtime.tv_usec)) + return 0; + if(!fr_output_printf(fr, "deletes %3d.%6.6ds\n", + (int)deletetime.tv_sec, (int)deletetime.tv_usec)) + return 0; + if(!fr_output_printf(fr, "total time %3d.%6.6ds\n", (int)total.tv_sec, + (int)total.tv_usec)) + return 0; + fr_send_notification(fr, fast_reload_notification_printout); + return 1; +} + +/** Swap auth zone information */ +static void +auth_zones_swap(struct auth_zones* az, struct auth_zones* data) +{ + rbtree_type oldztree = az->ztree; + int old_have_downstream = az->have_downstream; + struct auth_zone* old_rpz_first = az->rpz_first; + + az->ztree = data->ztree; + data->ztree = oldztree; + + az->have_downstream = data->have_downstream; + data->have_downstream = old_have_downstream; + + /* Leave num_query_up and num_query_down, the statistics can + * remain counted. */ + + az->rpz_first = data->rpz_first; + data->rpz_first = old_rpz_first; + + /* The xtree is not swapped. This contains the auth_xfer elements + * that contain tasks in progress, like zone transfers. + * The unchanged zones can keep their tasks in the tree, and thus + * the xfer elements can continue to be their callbacks. */ +} + +#if defined(ATOMIC_POINTER_LOCK_FREE) && defined(HAVE_LINK_ATOMIC_STORE) +/** Fast reload thread, if atomics are available, copy the config items + * one by one with atomic store operations. */ +static void +fr_atomic_copy_cfg(struct config_file* oldcfg, struct config_file* cfg, + struct config_file* newcfg) +{ +#define COPY_VAR_int(var) oldcfg->var = cfg->var; atomic_store((_Atomic int*)&cfg->var, newcfg->var); newcfg->var = 0; +#define COPY_VAR_ptr(var) oldcfg->var = cfg->var; atomic_store((void* _Atomic*)&cfg->var, newcfg->var); newcfg->var = 0; +#define COPY_VAR_unsigned_int(var) oldcfg->var = cfg->var; atomic_store((_Atomic unsigned*)&cfg->var, newcfg->var); newcfg->var = 0; +#define COPY_VAR_size_t(var) oldcfg->var = cfg->var; atomic_store((_Atomic size_t*)&cfg->var, newcfg->var); newcfg->var = 0; +#define COPY_VAR_uint8_t(var) oldcfg->var = cfg->var; atomic_store((_Atomic uint8_t*)&cfg->var, newcfg->var); newcfg->var = 0; +#define COPY_VAR_uint16_t(var) oldcfg->var = cfg->var; atomic_store((_Atomic uint16_t*)&cfg->var, newcfg->var); newcfg->var = 0; +#define COPY_VAR_uint32_t(var) oldcfg->var = cfg->var; atomic_store((_Atomic uint32_t*)&cfg->var, newcfg->var); newcfg->var = 0; +#define COPY_VAR_int32_t(var) oldcfg->var = cfg->var; atomic_store((_Atomic int32_t*)&cfg->var, newcfg->var); newcfg->var = 0; + /* If config file items are missing from this list, they are + * not updated by fast-reload +p. */ + /* For missing items, the oldcfg item is not updated, still NULL, + * and the cfg stays the same. The newcfg item is untouched. + * The newcfg item is then deleted later. */ + /* Items that need synchronisation are omitted from the list. + * Use fast-reload without +p to update them together. */ + COPY_VAR_int(verbosity); + COPY_VAR_int(stat_interval); + COPY_VAR_int(stat_cumulative); + COPY_VAR_int(stat_extended); + COPY_VAR_int(stat_inhibit_zero); + COPY_VAR_int(num_threads); + COPY_VAR_int(port); + COPY_VAR_int(do_ip4); + COPY_VAR_int(do_ip6); + COPY_VAR_int(do_nat64); + COPY_VAR_int(prefer_ip4); + COPY_VAR_int(prefer_ip6); + COPY_VAR_int(do_udp); + COPY_VAR_int(do_tcp); + COPY_VAR_size_t(max_reuse_tcp_queries); + COPY_VAR_int(tcp_reuse_timeout); + COPY_VAR_int(tcp_auth_query_timeout); + COPY_VAR_int(tcp_upstream); + COPY_VAR_int(udp_upstream_without_downstream); + COPY_VAR_int(tcp_mss); + COPY_VAR_int(outgoing_tcp_mss); + COPY_VAR_int(tcp_idle_timeout); + COPY_VAR_int(do_tcp_keepalive); + COPY_VAR_int(tcp_keepalive_timeout); + COPY_VAR_int(sock_queue_timeout); + COPY_VAR_ptr(proxy_protocol_port); + COPY_VAR_ptr(ssl_service_key); + COPY_VAR_ptr(ssl_service_pem); + COPY_VAR_int(ssl_port); + COPY_VAR_int(ssl_upstream); + COPY_VAR_ptr(tls_cert_bundle); + COPY_VAR_int(tls_win_cert); + COPY_VAR_ptr(tls_additional_port); + /* The first is used to walk through the list but last is + * only used during config read. */ + COPY_VAR_ptr(tls_session_ticket_keys.first); + COPY_VAR_ptr(tls_session_ticket_keys.last); + COPY_VAR_ptr(tls_ciphers); + COPY_VAR_ptr(tls_ciphersuites); + COPY_VAR_int(tls_use_sni); + COPY_VAR_int(https_port); + COPY_VAR_ptr(http_endpoint); + COPY_VAR_uint32_t(http_max_streams); + COPY_VAR_size_t(http_query_buffer_size); + COPY_VAR_size_t(http_response_buffer_size); + COPY_VAR_int(http_nodelay); + COPY_VAR_int(http_notls_downstream); + COPY_VAR_int(outgoing_num_ports); + COPY_VAR_size_t(outgoing_num_tcp); + COPY_VAR_size_t(incoming_num_tcp); + COPY_VAR_ptr(outgoing_avail_ports); + COPY_VAR_size_t(edns_buffer_size); + COPY_VAR_size_t(stream_wait_size); + COPY_VAR_size_t(msg_buffer_size); + COPY_VAR_size_t(msg_cache_size); + COPY_VAR_size_t(msg_cache_slabs); + COPY_VAR_size_t(num_queries_per_thread); + COPY_VAR_size_t(jostle_time); + COPY_VAR_size_t(rrset_cache_size); + COPY_VAR_size_t(rrset_cache_slabs); + COPY_VAR_int(host_ttl); + COPY_VAR_size_t(infra_cache_slabs); + COPY_VAR_size_t(infra_cache_numhosts); + COPY_VAR_int(infra_cache_min_rtt); + COPY_VAR_int(infra_cache_max_rtt); + COPY_VAR_int(infra_keep_probing); + COPY_VAR_int(delay_close); + COPY_VAR_int(udp_connect); + COPY_VAR_ptr(target_fetch_policy); + COPY_VAR_int(fast_server_permil); + COPY_VAR_size_t(fast_server_num); + COPY_VAR_int(if_automatic); + COPY_VAR_ptr(if_automatic_ports); + COPY_VAR_size_t(so_rcvbuf); + COPY_VAR_size_t(so_sndbuf); + COPY_VAR_int(so_reuseport); + COPY_VAR_int(ip_transparent); + COPY_VAR_int(ip_freebind); + COPY_VAR_int(ip_dscp); + /* Not copied because the length and items could then not match. + num_ifs, ifs, num_out_ifs, out_ifs + */ + COPY_VAR_ptr(root_hints); + COPY_VAR_ptr(stubs); + COPY_VAR_ptr(forwards); + COPY_VAR_ptr(auths); + COPY_VAR_ptr(views); + COPY_VAR_ptr(donotqueryaddrs); +#ifdef CLIENT_SUBNET + COPY_VAR_ptr(client_subnet); + COPY_VAR_ptr(client_subnet_zone); + COPY_VAR_uint16_t(client_subnet_opcode); + COPY_VAR_int(client_subnet_always_forward); + COPY_VAR_uint8_t(max_client_subnet_ipv4); + COPY_VAR_uint8_t(max_client_subnet_ipv6); + COPY_VAR_uint8_t(min_client_subnet_ipv4); + COPY_VAR_uint8_t(min_client_subnet_ipv6); + COPY_VAR_uint32_t(max_ecs_tree_size_ipv4); + COPY_VAR_uint32_t(max_ecs_tree_size_ipv6); +#endif + COPY_VAR_ptr(acls); + COPY_VAR_int(donotquery_localhost); + COPY_VAR_ptr(tcp_connection_limits); + COPY_VAR_int(harden_short_bufsize); + COPY_VAR_int(harden_large_queries); + COPY_VAR_int(harden_glue); + COPY_VAR_int(harden_dnssec_stripped); + COPY_VAR_int(harden_below_nxdomain); + COPY_VAR_int(harden_referral_path); + COPY_VAR_int(harden_algo_downgrade); + COPY_VAR_int(harden_unknown_additional); + COPY_VAR_int(use_caps_bits_for_id); + COPY_VAR_ptr(caps_whitelist); + COPY_VAR_ptr(private_address); + COPY_VAR_ptr(private_domain); + COPY_VAR_size_t(unwanted_threshold); + COPY_VAR_int(max_ttl); + COPY_VAR_int(min_ttl); + COPY_VAR_int(max_negative_ttl); + COPY_VAR_int(min_negative_ttl); + COPY_VAR_int(prefetch); + COPY_VAR_int(prefetch_key); + COPY_VAR_int(deny_any); + COPY_VAR_ptr(chrootdir); + COPY_VAR_ptr(username); + COPY_VAR_ptr(directory); + COPY_VAR_ptr(logfile); + COPY_VAR_ptr(pidfile); + COPY_VAR_int(use_syslog); + COPY_VAR_int(log_time_ascii); + COPY_VAR_int(log_queries); + COPY_VAR_int(log_replies); + COPY_VAR_int(log_tag_queryreply); + COPY_VAR_int(log_local_actions); + COPY_VAR_int(log_servfail); + COPY_VAR_ptr(log_identity); + COPY_VAR_int(log_destaddr); + COPY_VAR_int(hide_identity); + COPY_VAR_int(hide_version); + COPY_VAR_int(hide_trustanchor); + COPY_VAR_int(hide_http_user_agent); + COPY_VAR_ptr(identity); + COPY_VAR_ptr(version); + COPY_VAR_ptr(http_user_agent); + COPY_VAR_ptr(nsid_cfg_str); + /* Not copied because the length and items could then not match. + nsid; + nsid_len; + */ + COPY_VAR_ptr(module_conf); + COPY_VAR_ptr(trust_anchor_file_list); + COPY_VAR_ptr(trust_anchor_list); + COPY_VAR_ptr(auto_trust_anchor_file_list); + COPY_VAR_ptr(trusted_keys_file_list); + COPY_VAR_ptr(domain_insecure); + COPY_VAR_int(trust_anchor_signaling); + COPY_VAR_int(root_key_sentinel); + COPY_VAR_int32_t(val_date_override); + COPY_VAR_int32_t(val_sig_skew_min); + COPY_VAR_int32_t(val_sig_skew_max); + COPY_VAR_int32_t(val_max_restart); + COPY_VAR_int(bogus_ttl); + COPY_VAR_int(val_clean_additional); + COPY_VAR_int(val_log_level); + COPY_VAR_int(val_log_squelch); + COPY_VAR_int(val_permissive_mode); + COPY_VAR_int(aggressive_nsec); + COPY_VAR_int(ignore_cd); + COPY_VAR_int(disable_edns_do); + COPY_VAR_int(serve_expired); + COPY_VAR_int(serve_expired_ttl); + COPY_VAR_int(serve_expired_ttl_reset); + COPY_VAR_int(serve_expired_reply_ttl); + COPY_VAR_int(serve_expired_client_timeout); + COPY_VAR_int(ede_serve_expired); + COPY_VAR_int(dns_error_reporting); + COPY_VAR_int(serve_original_ttl); + COPY_VAR_ptr(val_nsec3_key_iterations); + COPY_VAR_int(zonemd_permissive_mode); + COPY_VAR_unsigned_int(add_holddown); + COPY_VAR_unsigned_int(del_holddown); + COPY_VAR_unsigned_int(keep_missing); + COPY_VAR_int(permit_small_holddown); + COPY_VAR_size_t(key_cache_size); + COPY_VAR_size_t(key_cache_slabs); + COPY_VAR_size_t(neg_cache_size); + COPY_VAR_ptr(local_zones); + COPY_VAR_ptr(local_zones_nodefault); +#ifdef USE_IPSET + COPY_VAR_ptr(local_zones_ipset); +#endif + COPY_VAR_int(local_zones_disable_default); + COPY_VAR_ptr(local_data); + COPY_VAR_ptr(local_zone_overrides); + COPY_VAR_int(unblock_lan_zones); + COPY_VAR_int(insecure_lan_zones); + /* These reference tags + COPY_VAR_ptr(local_zone_tags); + COPY_VAR_ptr(acl_tags); + COPY_VAR_ptr(acl_tag_actions); + COPY_VAR_ptr(acl_tag_datas); + */ + COPY_VAR_ptr(acl_view); + COPY_VAR_ptr(interface_actions); + /* These reference tags + COPY_VAR_ptr(interface_tags); + COPY_VAR_ptr(interface_tag_actions); + COPY_VAR_ptr(interface_tag_datas); + */ + COPY_VAR_ptr(interface_view); + /* This references tags + COPY_VAR_ptr(respip_tags); + */ + COPY_VAR_ptr(respip_actions); + COPY_VAR_ptr(respip_data); + /* Not copied because the length and items could then not match. + * also the respip module keeps a pointer to the array in its state. + tagname, num_tags + */ + COPY_VAR_int(remote_control_enable); + /* The first is used to walk through the list but last is + * only used during config read. */ + COPY_VAR_ptr(control_ifs.first); + COPY_VAR_ptr(control_ifs.last); + COPY_VAR_int(control_use_cert); + COPY_VAR_int(control_port); + COPY_VAR_ptr(server_key_file); + COPY_VAR_ptr(server_cert_file); + COPY_VAR_ptr(control_key_file); + COPY_VAR_ptr(control_cert_file); + COPY_VAR_ptr(python_script); + COPY_VAR_ptr(dynlib_file); + COPY_VAR_int(use_systemd); + COPY_VAR_int(do_daemonize); + COPY_VAR_int(minimal_responses); + COPY_VAR_int(rrset_roundrobin); + COPY_VAR_int(unknown_server_time_limit); + COPY_VAR_int(discard_timeout); + COPY_VAR_int(wait_limit); + COPY_VAR_int(wait_limit_cookie); + COPY_VAR_ptr(wait_limit_netblock); + COPY_VAR_ptr(wait_limit_cookie_netblock); + COPY_VAR_size_t(max_udp_size); + COPY_VAR_ptr(dns64_prefix); + COPY_VAR_int(dns64_synthall); + COPY_VAR_ptr(dns64_ignore_aaaa); + COPY_VAR_ptr(nat64_prefix); + COPY_VAR_int(dnstap); + COPY_VAR_int(dnstap_bidirectional); + COPY_VAR_ptr(dnstap_socket_path); + COPY_VAR_ptr(dnstap_ip); + COPY_VAR_int(dnstap_tls); + COPY_VAR_ptr(dnstap_tls_server_name); + COPY_VAR_ptr(dnstap_tls_cert_bundle); + COPY_VAR_ptr(dnstap_tls_client_key_file); + COPY_VAR_ptr(dnstap_tls_client_cert_file); + COPY_VAR_int(dnstap_send_identity); + COPY_VAR_int(dnstap_send_version); + COPY_VAR_ptr(dnstap_identity); + COPY_VAR_ptr(dnstap_version); + COPY_VAR_int(dnstap_sample_rate); + COPY_VAR_int(dnstap_log_resolver_query_messages); + COPY_VAR_int(dnstap_log_resolver_response_messages); + COPY_VAR_int(dnstap_log_client_query_messages); + COPY_VAR_int(dnstap_log_client_response_messages); + COPY_VAR_int(dnstap_log_forwarder_query_messages); + COPY_VAR_int(dnstap_log_forwarder_response_messages); + COPY_VAR_int(disable_dnssec_lame_check); + COPY_VAR_int(ip_ratelimit); + COPY_VAR_int(ip_ratelimit_cookie); + COPY_VAR_size_t(ip_ratelimit_slabs); + COPY_VAR_size_t(ip_ratelimit_size); + COPY_VAR_int(ip_ratelimit_factor); + COPY_VAR_int(ip_ratelimit_backoff); + COPY_VAR_int(ratelimit); + COPY_VAR_size_t(ratelimit_slabs); + COPY_VAR_size_t(ratelimit_size); + COPY_VAR_ptr(ratelimit_for_domain); + COPY_VAR_ptr(ratelimit_below_domain); + COPY_VAR_int(ratelimit_factor); + COPY_VAR_int(ratelimit_backoff); + COPY_VAR_int(outbound_msg_retry); + COPY_VAR_int(max_sent_count); + COPY_VAR_int(max_query_restarts); + COPY_VAR_int(qname_minimisation); + COPY_VAR_int(qname_minimisation_strict); + COPY_VAR_int(shm_enable); + COPY_VAR_int(shm_key); + COPY_VAR_ptr(edns_client_strings); + COPY_VAR_uint16_t(edns_client_string_opcode); + COPY_VAR_int(dnscrypt); + COPY_VAR_int(dnscrypt_port); + COPY_VAR_ptr(dnscrypt_provider); + COPY_VAR_ptr(dnscrypt_secret_key); + COPY_VAR_ptr(dnscrypt_provider_cert); + COPY_VAR_ptr(dnscrypt_provider_cert_rotated); + COPY_VAR_size_t(dnscrypt_shared_secret_cache_size); + COPY_VAR_size_t(dnscrypt_shared_secret_cache_slabs); + COPY_VAR_size_t(dnscrypt_nonce_cache_size); + COPY_VAR_size_t(dnscrypt_nonce_cache_slabs); + COPY_VAR_int(pad_responses); + COPY_VAR_size_t(pad_responses_block_size); + COPY_VAR_int(pad_queries); + COPY_VAR_size_t(pad_queries_block_size); +#ifdef USE_IPSECMOD + COPY_VAR_int(ipsecmod_enabled); + COPY_VAR_ptr(ipsecmod_whitelist); + COPY_VAR_ptr(ipsecmod_hook); + COPY_VAR_int(ipsecmod_ignore_bogus); + COPY_VAR_int(ipsecmod_max_ttl); + COPY_VAR_int(ipsecmod_strict); +#endif +#ifdef USE_CACHEDB + COPY_VAR_ptr(cachedb_backend); + COPY_VAR_ptr(cachedb_secret); + COPY_VAR_int(cachedb_no_store); + COPY_VAR_int(cachedb_check_when_serve_expired); +#ifdef USE_REDIS + COPY_VAR_ptr(redis_server_host); + COPY_VAR_ptr(redis_replica_server_host); + COPY_VAR_int(redis_server_port); + COPY_VAR_int(redis_replica_server_port); + COPY_VAR_ptr(redis_server_path); + COPY_VAR_ptr(redis_replica_server_path); + COPY_VAR_ptr(redis_server_password); + COPY_VAR_ptr(redis_replica_server_password); + COPY_VAR_int(redis_timeout); + COPY_VAR_int(redis_replica_timeout); + COPY_VAR_int(redis_command_timeout); + COPY_VAR_int(redis_replica_command_timeout); + COPY_VAR_int(redis_connect_timeout); + COPY_VAR_int(redis_replica_connect_timeout); + COPY_VAR_int(redis_expire_records); + COPY_VAR_int(redis_logical_db); + COPY_VAR_int(redis_replica_logical_db); +#endif +#endif + COPY_VAR_int(do_answer_cookie); + /* Not copied because the length and content could then not match. + cookie_secret[40], cookie_secret_len + */ +#ifdef USE_IPSET + COPY_VAR_ptr(ipset_name_v4); + COPY_VAR_ptr(ipset_name_v6); +#endif + COPY_VAR_int(ede); +} +#endif /* ATOMIC_POINTER_LOCK_FREE && HAVE_LINK_ATOMIC_STORE */ + +/** fast reload thread, adjust the cache sizes */ +static void +fr_adjust_cache(struct module_env* env, struct config_file* oldcfg) +{ + if(env->cfg->msg_cache_size != oldcfg->msg_cache_size) + slabhash_adjust_size(env->msg_cache, env->cfg->msg_cache_size); + if(env->cfg->rrset_cache_size != oldcfg->rrset_cache_size) + slabhash_adjust_size(&env->rrset_cache->table, + env->cfg->rrset_cache_size); + if(env->key_cache && + env->cfg->key_cache_size != oldcfg->key_cache_size) + slabhash_adjust_size(env->key_cache->slab, + env->cfg->key_cache_size); + if(env->cfg->infra_cache_numhosts != oldcfg->infra_cache_numhosts) { + size_t inframem = env->cfg->infra_cache_numhosts * + (sizeof(struct infra_key) + sizeof(struct infra_data) + + INFRA_BYTES_NAME); + slabhash_adjust_size(env->infra_cache->hosts, inframem); + } + if(env->cfg->ratelimit_size != oldcfg->ratelimit_size) { + slabhash_adjust_size(env->infra_cache->domain_rates, + env->cfg->ratelimit_size); + slabhash_adjust_size(env->infra_cache->client_ip_rates, + env->cfg->ratelimit_size); + } + if(env->neg_cache && + env->cfg->neg_cache_size != oldcfg->neg_cache_size) { + val_neg_adjust_size(env->neg_cache, env->cfg->neg_cache_size); + } +} + +/** fast reload thread, adjust the iterator env */ +static void +fr_adjust_iter_env(struct module_env* env, struct fast_reload_construct* ct) +{ + int m; + struct iter_env* iter_env = NULL; + /* There is no comparison here to see if no options changed and thus + * no swap is needed, the trees with addresses and domains can be + * large and that would take too long. Instead the trees are + * swapped in. */ + + /* Because the iterator env is not locked, the update cannot happen + * when fr nopause is used. Without it the fast reload pauses the + * other threads, so they are not currently using the structure. */ + m = modstack_find(env->modstack, "iterator"); + if(m != -1) iter_env = (struct iter_env*)env->modinfo[m]; + if(iter_env) { + /* Swap the data so that the delete happens afterwards. */ + int* oldtargetfetchpolicy = iter_env->target_fetch_policy; + int oldmaxdependencydepth = iter_env->max_dependency_depth; + struct iter_donotq* olddonotq = iter_env->donotq; + struct iter_priv* oldpriv = iter_env->priv; + struct rbtree_type* oldcapswhite = iter_env->caps_white; + struct iter_nat64 oldnat64 = iter_env->nat64; + + iter_env->target_fetch_policy = ct->target_fetch_policy; + iter_env->max_dependency_depth = ct->max_dependency_depth; + iter_env->donotq = ct->donotq; + iter_env->priv = ct->priv; + iter_env->caps_white = ct->caps_white; + iter_env->nat64 = ct->nat64; + iter_env->outbound_msg_retry = env->cfg->outbound_msg_retry; + iter_env->max_sent_count = env->cfg->max_sent_count; + iter_env->max_query_restarts = env->cfg->max_query_restarts; + + ct->target_fetch_policy = oldtargetfetchpolicy; + ct->max_dependency_depth = oldmaxdependencydepth; + ct->donotq = olddonotq; + ct->priv = oldpriv; + ct->caps_white = oldcapswhite; + ct->nat64 = oldnat64; + } +} + +/** fast reload thread, adjust the validator env */ +static void +fr_adjust_val_env(struct module_env* env, struct fast_reload_construct* ct, + struct config_file* oldcfg) +{ + int m; + struct val_env* val_env = NULL; + if(env->cfg->bogus_ttl == oldcfg->bogus_ttl && + env->cfg->val_date_override == oldcfg->val_date_override && + env->cfg->val_sig_skew_min == oldcfg->val_sig_skew_min && + env->cfg->val_sig_skew_max == oldcfg->val_sig_skew_max && + env->cfg->val_max_restart == oldcfg->val_max_restart && + strcmp(env->cfg->val_nsec3_key_iterations, + oldcfg->val_nsec3_key_iterations) == 0) + return; /* no changes */ + + /* Because the validator env is not locked, the update cannot happen + * when fr nopause is used. Without it the fast reload pauses the + * other threads, so they are not currently using the structure. */ + m = modstack_find(env->modstack, "validator"); + if(m != -1) val_env = (struct val_env*)env->modinfo[m]; + if(val_env) { + /* Swap the arrays so that the delete happens afterwards. */ + size_t* oldkeysize = val_env->nsec3_keysize; + size_t* oldmaxiter = val_env->nsec3_maxiter; + val_env->nsec3_keysize = NULL; + val_env->nsec3_maxiter = NULL; + val_env_apply_cfg(val_env, env->cfg, ct->nsec3_keysize, + ct->nsec3_maxiter, ct->nsec3_keyiter_count); + ct->nsec3_keysize = oldkeysize; + ct->nsec3_maxiter = oldmaxiter; + if(env->neg_cache) { + lock_basic_lock(&env->neg_cache->lock); + env->neg_cache->nsec3_max_iter = val_env-> + nsec3_maxiter[val_env->nsec3_keyiter_count-1]; + lock_basic_unlock(&env->neg_cache->lock); + } + } +} + +/** fast reload thread, adjust the infra cache parameters */ +static void +fr_adjust_infra(struct module_env* env, struct fast_reload_construct* ct) +{ + struct infra_cache* infra = env->infra_cache; + struct config_file* cfg = env->cfg; + struct rbtree_type oldwaitlim = infra->wait_limits_netblock; + struct rbtree_type oldwaitlimcookie = + infra->wait_limits_cookie_netblock; + struct rbtree_type olddomainlim = infra->domain_limits; + + /* The size of the infra cache and ip rates is changed + * in fr_adjust_cache. */ + infra->host_ttl = cfg->host_ttl; + infra->infra_keep_probing = cfg->infra_keep_probing; + infra_dp_ratelimit = cfg->ratelimit; + infra_ip_ratelimit = cfg->ip_ratelimit; + infra_ip_ratelimit_cookie = cfg->ip_ratelimit_cookie; + infra->wait_limits_netblock = ct->wait_limits_netblock; + infra->wait_limits_cookie_netblock = ct->wait_limits_cookie_netblock; + infra->domain_limits = ct->domain_limits; + + ct->wait_limits_netblock = oldwaitlim; + ct->wait_limits_cookie_netblock = oldwaitlimcookie; + ct->domain_limits = olddomainlim; +} + +/** fast reload thread, reload config with putting the new config items + * in place and swapping out the old items. */ +static int +fr_reload_config(struct fast_reload_thread* fr, struct config_file* newcfg, + struct fast_reload_construct* ct) +{ + struct daemon* daemon = fr->worker->daemon; + struct module_env* env = daemon->env; + + /* These are constructed in the fr_construct_from_config routine. */ + log_assert(ct->oldcfg); + log_assert(ct->fwds); + log_assert(ct->hints); + + /* Grab big locks to satisfy lock conditions. */ + lock_rw_wrlock(&ct->views->lock); + lock_rw_wrlock(&env->views->lock); + lock_rw_wrlock(&ct->respip_set->lock); + lock_rw_wrlock(&env->respip_set->lock); + lock_rw_wrlock(&ct->local_zones->lock); + lock_rw_wrlock(&daemon->local_zones->lock); + lock_rw_wrlock(&ct->auth_zones->rpz_lock); + lock_rw_wrlock(&env->auth_zones->rpz_lock); + lock_rw_wrlock(&ct->auth_zones->lock); + lock_rw_wrlock(&env->auth_zones->lock); + lock_rw_wrlock(&ct->fwds->lock); + lock_rw_wrlock(&env->fwds->lock); + lock_rw_wrlock(&ct->hints->lock); + lock_rw_wrlock(&env->hints->lock); + if(ct->anchors) { + lock_basic_lock(&ct->anchors->lock); + lock_basic_lock(&env->anchors->lock); + } + +#if defined(ATOMIC_POINTER_LOCK_FREE) && defined(HAVE_LINK_ATOMIC_STORE) + if(fr->fr_nopause) { + fr_atomic_copy_cfg(ct->oldcfg, env->cfg, newcfg); + } else { +#endif + /* Store old config elements. */ + *ct->oldcfg = *env->cfg; + /* Insert new config elements. */ + *env->cfg = *newcfg; +#if defined(ATOMIC_POINTER_LOCK_FREE) && defined(HAVE_LINK_ATOMIC_STORE) + } +#endif + + if(env->cfg->log_identity || ct->oldcfg->log_identity) { + /* pick up new log_identity string to use for log output. */ + log_ident_set_or_default(env->cfg->log_identity); + } + /* the newcfg elements are in env->cfg, so should not be freed here. */ +#if defined(ATOMIC_POINTER_LOCK_FREE) && defined(HAVE_LINK_ATOMIC_STORE) + /* if used, the routine that copies the config has zeroed items. */ + if(!fr->fr_nopause) +#endif + memset(newcfg, 0, sizeof(*newcfg)); + + /* Quickly swap the tree roots themselves with the already allocated + * elements. This is a quick swap operation on the pointer. + * The other threads are stopped and locks are held, so that a + * consistent view of the configuration, before, and after, exists + * towards the state machine for query resolution. */ + forwards_swap_tree(env->fwds, ct->fwds); + hints_swap_tree(env->hints, ct->hints); + views_swap_tree(env->views, ct->views); + acl_list_swap_tree(daemon->acl, ct->acl); + acl_list_swap_tree(daemon->acl_interface, ct->acl_interface); + tcl_list_swap_tree(daemon->tcl, ct->tcl); + local_zones_swap_tree(daemon->local_zones, ct->local_zones); + respip_set_swap_tree(env->respip_set, ct->respip_set); + daemon->use_response_ip = ct->use_response_ip; + daemon->use_rpz = ct->use_rpz; + auth_zones_swap(env->auth_zones, ct->auth_zones); + edns_strings_swap_tree(env->edns_strings, ct->edns_strings); + anchors_swap_tree(env->anchors, ct->anchors); +#ifdef USE_CACHEDB + daemon->env->cachedb_enabled = cachedb_is_enabled(&daemon->mods, + daemon->env); +#endif +#ifdef USE_DNSTAP + if(env->cfg->dnstap) { + if(!fr->fr_nopause) + dt_apply_cfg(daemon->dtenv, env->cfg); + else dt_apply_logcfg(daemon->dtenv, env->cfg); + } +#endif + fr_adjust_cache(env, ct->oldcfg); + if(!fr->fr_nopause) { + fr_adjust_iter_env(env, ct); + fr_adjust_val_env(env, ct, ct->oldcfg); + fr_adjust_infra(env, ct); + } + + /* Set globals with new config. */ + config_apply(env->cfg); + + lock_rw_unlock(&ct->views->lock); + lock_rw_unlock(&env->views->lock); + lock_rw_unlock(&ct->respip_set->lock); + lock_rw_unlock(&env->respip_set->lock); + lock_rw_unlock(&ct->local_zones->lock); + lock_rw_unlock(&daemon->local_zones->lock); + lock_rw_unlock(&ct->auth_zones->lock); + lock_rw_unlock(&env->auth_zones->lock); + lock_rw_unlock(&ct->auth_zones->rpz_lock); + lock_rw_unlock(&env->auth_zones->rpz_lock); + lock_rw_unlock(&ct->fwds->lock); + lock_rw_unlock(&env->fwds->lock); + lock_rw_unlock(&ct->hints->lock); + lock_rw_unlock(&env->hints->lock); + if(ct->anchors) { + lock_basic_unlock(&ct->anchors->lock); + lock_basic_unlock(&env->anchors->lock); + } + + return 1; +} + +/** fast reload, poll for ack incoming. */ +static void +fr_poll_for_ack(struct fast_reload_thread* fr) +{ + int loopexit = 0, bcount = 0; + uint32_t cmd; + ssize_t ret; + + if(fr->need_to_quit) + return; + /* Is there data? */ + if(!sock_poll_timeout(fr->commpair[1], -1, 1, 0, NULL)) { + log_err("fr_poll_for_ack: poll failed"); + return; + } + + /* Read the data */ + while(1) { + if(++loopexit > IPC_LOOP_MAX) { + log_err("fr_poll_for_ack: recv loops %s", + sock_strerror(errno)); + return; + } + ret = recv(fr->commpair[1], ((char*)&cmd)+bcount, + sizeof(cmd)-bcount, 0); + if(ret == -1) { + if( +#ifndef USE_WINSOCK + errno == EINTR || errno == EAGAIN +# ifdef EWOULDBLOCK + || errno == EWOULDBLOCK +# endif +#else + WSAGetLastError() == WSAEINTR || + WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEWOULDBLOCK +#endif + ) + continue; /* Try again. */ + log_err("fr_poll_for_ack: recv: %s", + sock_strerror(errno)); + return; + } else if(ret+(ssize_t)bcount != sizeof(cmd)) { + bcount += ret; + if((size_t)bcount < sizeof(cmd)) + continue; + } + break; + } + if(cmd == fast_reload_notification_exit) { + fr->need_to_quit = 1; + verbose(VERB_ALGO, "fast reload wait for ack: " + "exit notification received"); + return; + } + if(cmd != fast_reload_notification_reload_ack) { + verbose(VERB_ALGO, "fast reload wait for ack: " + "wrong notification %d", (int)cmd); + } +} + +/** fast reload thread, reload ipc communication to stop and start threads. */ +static int +fr_reload_ipc(struct fast_reload_thread* fr, struct config_file* newcfg, + struct fast_reload_construct* ct) +{ + int result = 1; + if(!fr->fr_nopause) { + fr_send_notification(fr, fast_reload_notification_reload_stop); + fr_poll_for_ack(fr); + } + if(!fr_reload_config(fr, newcfg, ct)) { + result = 0; + } + if(!fr->fr_nopause) { + fr_send_notification(fr, fast_reload_notification_reload_start); + fr_poll_for_ack(fr); + } + return result; +} + +/** fast reload thread, load config */ +static int +fr_load_config(struct fast_reload_thread* fr, struct timeval* time_read, + struct timeval* time_construct, struct timeval* time_reload) +{ + struct fast_reload_construct ct; + struct config_file* newcfg = NULL; + memset(&ct, 0, sizeof(ct)); + + /* Read file. */ + if(!fr_read_config(fr, &newcfg)) + return 0; + if(gettimeofday(time_read, NULL) < 0) + log_err("gettimeofday: %s", strerror(errno)); + if(fr_poll_for_quit(fr)) { + config_delete(newcfg); + return 1; + } + + /* Check if the config can be loaded */ + if(!fr_check_tag_defines(fr, newcfg)) { + config_delete(newcfg); + return 0; + } + if(!fr_check_compat_cfg(fr, newcfg)) { + config_delete(newcfg); + return 0; + } + if(!fr_check_nopause_compat_cfg(fr, newcfg)) { + config_delete(newcfg); + return 0; + } + if(fr_poll_for_quit(fr)) { + config_delete(newcfg); + return 1; + } + + /* Construct items. */ + if(!fr_construct_from_config(fr, newcfg, &ct)) { + config_delete(newcfg); + if(!fr_output_printf(fr, "Could not construct from the " + "config, check for errors with unbound-checkconf, or " + "out of memory. The parse errors are printed in " + "the log.\n")) + return 0; + fr_send_notification(fr, fast_reload_notification_printout); + return 0; + } + if(gettimeofday(time_construct, NULL) < 0) + log_err("gettimeofday: %s", strerror(errno)); + if(fr_poll_for_quit(fr)) { + config_delete(newcfg); + fr_construct_clear(&ct); + return 1; + } + + /* Reload server. */ + if(!fr_reload_ipc(fr, newcfg, &ct)) { + config_delete(newcfg); + fr_construct_clear(&ct); + if(!fr_output_printf(fr, "error: reload failed\n")) + return 0; + fr_send_notification(fr, fast_reload_notification_printout); + return 0; + } + if(gettimeofday(time_reload, NULL) < 0) + log_err("gettimeofday: %s", strerror(errno)); + + if(fr_poll_for_quit(fr)) { + config_delete(newcfg); + fr_construct_clear(&ct); + return 1; + } + if(fr->fr_nopause) { + /* Poll every thread, with a no-work poll item over the + * command pipe. This makes the worker thread surely move + * to deal with that event, and thus the thread is no longer + * holding, eg. a string item from the old config struct. + * And then the old config struct can safely be deleted. + * Only needed when nopause is used, because without that + * the worker threads are already waiting on a command pipe + * item. This nopause command pipe item does not take work, + * it returns immediately, so it does not delay the workers. + * They can be polled one at a time. But its processing causes + * the worker to have released data items from old config. + * This also makes sure the threads are not holding locks on + * individual items in the local_zones, views, respip_set. */ + fr_send_notification(fr, + fast_reload_notification_reload_nopause_poll); + fr_poll_for_ack(fr); + } + + /* Delete old. */ + config_delete(newcfg); + fr_construct_clear(&ct); + return 1; +} + +/** fast reload thread. the thread main function */ +static void* fast_reload_thread_main(void* arg) +{ + struct fast_reload_thread* fast_reload_thread = (struct fast_reload_thread*)arg; + struct timeval time_start, time_read, time_construct, time_reload, + time_end; + log_thread_set(&fast_reload_thread->threadnum); + + verbose(VERB_ALGO, "start fast reload thread"); + if(fast_reload_thread->fr_verb >= 1) { + fr_init_time(&time_start, &time_read, &time_construct, + &time_reload, &time_end); + if(fr_poll_for_quit(fast_reload_thread)) + goto done; + } + + /* print output to the client */ + if(fast_reload_thread->fr_verb >= 1) { + if(!fr_output_printf(fast_reload_thread, "thread started\n")) + goto done_error; + fr_send_notification(fast_reload_thread, + fast_reload_notification_printout); + if(fr_poll_for_quit(fast_reload_thread)) + goto done; + } + + if(!fr_load_config(fast_reload_thread, &time_read, &time_construct, + &time_reload)) + goto done_error; + if(fr_poll_for_quit(fast_reload_thread)) + goto done; + + if(fast_reload_thread->fr_verb >= 1) { + if(!fr_finish_time(fast_reload_thread, &time_start, &time_read, + &time_construct, &time_reload, &time_end)) + goto done_error; + if(fr_poll_for_quit(fast_reload_thread)) + goto done; + } + + if(!fr_output_printf(fast_reload_thread, "ok\n")) + goto done_error; + fr_send_notification(fast_reload_thread, + fast_reload_notification_printout); + verbose(VERB_ALGO, "stop fast reload thread"); + /* If this is not an exit due to quit earlier, send regular done. */ + if(!fast_reload_thread->need_to_quit) + fr_send_notification(fast_reload_thread, + fast_reload_notification_done); + /* If during the fast_reload_notification_done send, + * fast_reload_notification_exit was received, ack it. If the + * thread is exiting due to quit received earlier, also ack it.*/ +done: + if(fast_reload_thread->need_to_quit) + fr_send_notification(fast_reload_thread, + fast_reload_notification_exited); + return NULL; +done_error: + verbose(VERB_ALGO, "stop fast reload thread with done_error"); + fr_send_notification(fast_reload_thread, + fast_reload_notification_done_error); + return NULL; +} +#endif /* !THREADS_DISABLED */ + +/** create a socketpair for bidirectional communication, false on failure */ +static int +create_socketpair(int* pair, struct ub_randstate* rand) +{ +#ifndef USE_WINSOCK + if(socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) { + log_err("socketpair: %s", strerror(errno)); + return 0; + } + (void)rand; +#else + struct sockaddr_in addr, baddr, accaddr, connaddr; + socklen_t baddrlen, accaddrlen, connaddrlen; + uint8_t localhost[] = {127, 0, 0, 1}; + uint8_t nonce[16], recvnonce[16]; + size_t i; + int lst, pollin_event, bcount, loopcount; + int connect_poll_timeout = 200; /* msec to wait for connection */ + ssize_t ret; + pair[0] = -1; + pair[1] = -1; + for(i=0; i (socklen_t)sizeof(baddr)) { + log_err("create socketpair: getsockname returned addr too big"); + sock_close(lst); + sock_close(pair[1]); + pair[1] = -1; + return 0; + } + /* the socket is blocking */ + if(connect(pair[1], (struct sockaddr*)&baddr, baddrlen) == -1) { + log_err("create socketpair: connect: %s", + sock_strerror(errno)); + sock_close(lst); + sock_close(pair[1]); + pair[1] = -1; + return 0; + } + if(!sock_poll_timeout(lst, connect_poll_timeout, 1, 0, &pollin_event)) { + log_err("create socketpair: poll for accept failed: %s", + sock_strerror(errno)); + sock_close(lst); + sock_close(pair[1]); + pair[1] = -1; + return 0; + } + if(!pollin_event) { + log_err("create socketpair: poll timeout for accept"); + sock_close(lst); + sock_close(pair[1]); + pair[1] = -1; + return 0; + } + accaddrlen = (socklen_t)sizeof(accaddr); + pair[0] = accept(lst, (struct sockaddr*)&accaddr, &accaddrlen); + if(pair[0] == -1) { + log_err("create socketpair: accept: %s", sock_strerror(errno)); + sock_close(lst); + sock_close(pair[1]); + pair[1] = -1; + return 0; + } + if(accaddrlen > (socklen_t)sizeof(accaddr)) { + log_err("create socketpair: accept returned addr too big"); + sock_close(lst); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } + if(accaddr.sin_family != AF_INET || + memcmp(localhost, &accaddr.sin_addr, 4) != 0) { + log_err("create socketpair: accept from wrong address"); + sock_close(lst); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } + connaddrlen = (socklen_t)sizeof(connaddr); + if(getsockname(pair[1], (struct sockaddr*)&connaddr, &connaddrlen) + == -1) { + log_err("create socketpair: getsockname connectedaddr: %s", + sock_strerror(errno)); + sock_close(lst); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } + if(connaddrlen > (socklen_t)sizeof(connaddr)) { + log_err("create socketpair: getsockname connectedaddr returned addr too big"); + sock_close(lst); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } + if(connaddr.sin_family != AF_INET || + memcmp(localhost, &connaddr.sin_addr, 4) != 0) { + log_err("create socketpair: getsockname connectedaddr returned wrong address"); + sock_close(lst); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } + if(accaddr.sin_port != connaddr.sin_port) { + log_err("create socketpair: accept from wrong port"); + sock_close(lst); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } + sock_close(lst); + + loopcount = 0; + bcount = 0; + while(1) { + if(++loopcount > IPC_LOOP_MAX) { + log_err("create socketpair: send failed due to loop"); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } + ret = send(pair[1], (void*)(nonce+bcount), + sizeof(nonce)-bcount, 0); + if(ret == -1) { + if( +#ifndef USE_WINSOCK + errno == EINTR || errno == EAGAIN +# ifdef EWOULDBLOCK + || errno == EWOULDBLOCK +# endif +#else + WSAGetLastError() == WSAEINTR || + WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEWOULDBLOCK +#endif + ) + continue; /* Try again. */ + log_err("create socketpair: send: %s", sock_strerror(errno)); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } else if(ret+(ssize_t)bcount != sizeof(nonce)) { + bcount += ret; + if((size_t)bcount < sizeof(nonce)) + continue; + } + break; + } + + if(!sock_poll_timeout(pair[0], connect_poll_timeout, 1, 0, &pollin_event)) { + log_err("create socketpair: poll failed: %s", + sock_strerror(errno)); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } + if(!pollin_event) { + log_err("create socketpair: poll timeout for recv"); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } + + loopcount = 0; + bcount = 0; + while(1) { + if(++loopcount > IPC_LOOP_MAX) { + log_err("create socketpair: recv failed due to loop"); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } + ret = recv(pair[0], (void*)(recvnonce+bcount), + sizeof(nonce)-bcount, 0); + if(ret == -1) { + if( +#ifndef USE_WINSOCK + errno == EINTR || errno == EAGAIN +# ifdef EWOULDBLOCK + || errno == EWOULDBLOCK +# endif +#else + WSAGetLastError() == WSAEINTR || + WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEWOULDBLOCK +#endif + ) + continue; /* Try again. */ + log_err("create socketpair: recv: %s", sock_strerror(errno)); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } else if(ret == 0) { + log_err("create socketpair: stream closed"); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } else if(ret+(ssize_t)bcount != sizeof(nonce)) { + bcount += ret; + if((size_t)bcount < sizeof(nonce)) + continue; + } + break; + } + + if(memcmp(nonce, recvnonce, sizeof(nonce)) != 0) { + log_err("create socketpair: recv wrong nonce"); + sock_close(pair[0]); + sock_close(pair[1]); + pair[0] = -1; + pair[1] = -1; + return 0; + } +#endif + return 1; +} + +/** fast reload thread. setup the thread info */ +static int +fast_reload_thread_setup(struct worker* worker, int fr_verb, int fr_nopause, + int fr_drop_mesh) +{ + struct fast_reload_thread* fr; + int numworkers = worker->daemon->num; + worker->daemon->fast_reload_thread = (struct fast_reload_thread*) + calloc(1, sizeof(*worker->daemon->fast_reload_thread)); + if(!worker->daemon->fast_reload_thread) + return 0; + fr = worker->daemon->fast_reload_thread; + fr->fr_verb = fr_verb; + fr->fr_nopause = fr_nopause; + fr->fr_drop_mesh = fr_drop_mesh; + worker->daemon->fast_reload_drop_mesh = fr->fr_drop_mesh; + /* The thread id printed in logs, numworker+1 is the dnstap thread. + * This is numworkers+2. */ + fr->threadnum = numworkers+2; + fr->commpair[0] = -1; + fr->commpair[1] = -1; + fr->commreload[0] = -1; + fr->commreload[1] = -1; + if(!create_socketpair(fr->commpair, worker->daemon->rand)) { + free(fr); + worker->daemon->fast_reload_thread = NULL; + return 0; + } + fr->worker = worker; + fr->fr_output = (struct config_strlist_head*)calloc(1, + sizeof(*fr->fr_output)); + if(!fr->fr_output) { + sock_close(fr->commpair[0]); + sock_close(fr->commpair[1]); + free(fr); + worker->daemon->fast_reload_thread = NULL; + return 0; + } + if(!create_socketpair(fr->commreload, worker->daemon->rand)) { + sock_close(fr->commpair[0]); + sock_close(fr->commpair[1]); + free(fr->fr_output); + free(fr); + worker->daemon->fast_reload_thread = NULL; + return 0; + } + lock_basic_init(&fr->fr_output_lock); + lock_protect(&fr->fr_output_lock, fr->fr_output, + sizeof(*fr->fr_output)); + return 1; +} + +/** fast reload, delete auth zone change list */ +static void +fr_auth_change_list_delete( + struct fast_reload_auth_change* auth_zone_change_list) +{ + struct fast_reload_auth_change* item, *next; + item = auth_zone_change_list; + while(item) { + next = item->next; + free(item); + item = next; + } +} + +/** fast reload thread. desetup and delete the thread info. */ +static void +fast_reload_thread_desetup(struct fast_reload_thread* fast_reload_thread) +{ + if(!fast_reload_thread) + return; + if(fast_reload_thread->service_event && + fast_reload_thread->service_event_is_added) { + ub_event_del(fast_reload_thread->service_event); + fast_reload_thread->service_event_is_added = 0; + } + if(fast_reload_thread->service_event) + ub_event_free(fast_reload_thread->service_event); + sock_close(fast_reload_thread->commpair[0]); + sock_close(fast_reload_thread->commpair[1]); + sock_close(fast_reload_thread->commreload[0]); + sock_close(fast_reload_thread->commreload[1]); + if(fast_reload_thread->printq) { + fr_main_perform_printout(fast_reload_thread); + /* If it is empty now, there is nothing to print on fd. */ + if(fr_printq_empty(fast_reload_thread->printq)) { + fr_printq_delete(fast_reload_thread->printq); + } else { + /* Keep the printq around to printout the remaining + * text to the remote client. Until it is done, it + * sits on a list, that is in the daemon struct. + * The event can then spool the remaining text to the + * remote client and eventually delete itself from the + * callback. */ + fr_printq_list_insert(fast_reload_thread->printq, + fast_reload_thread->worker->daemon); + fast_reload_thread->printq = NULL; + } + } + lock_basic_destroy(&fast_reload_thread->fr_output_lock); + if(fast_reload_thread->fr_output) { + config_delstrlist(fast_reload_thread->fr_output->first); + free(fast_reload_thread->fr_output); + } + fr_auth_change_list_delete(fast_reload_thread->auth_zone_change_list); + + free(fast_reload_thread); +} + +/** + * Fast reload thread, send a command to the thread. Blocking on timeout. + * It handles received input from the thread, if any is received. + */ +static void +fr_send_cmd_to(struct fast_reload_thread* fr, + enum fast_reload_notification status, int check_cmds, int blocking) +{ + int outevent, loopexit = 0, bcount = 0; + uint32_t cmd; + ssize_t ret; + verbose(VERB_ALGO, "send notification to fast reload thread: %s", + fr_notification_to_string(status)); + cmd = status; + while(1) { + if(++loopexit > IPC_LOOP_MAX) { + log_err("send notification to fast reload: could not send notification: loop"); + return; + } + if(check_cmds) + fr_check_cmd_from_thread(fr); + /* wait for socket to become writable */ + if(!sock_poll_timeout(fr->commpair[0], + (blocking?-1:IPC_NOTIFICATION_WAIT), + 0, 1, &outevent)) { + log_err("send notification to fast reload: poll failed"); + return; + } + if(!outevent) + continue; + /* keep static analyzer happy; send(-1,..) */ + log_assert(fr->commpair[0] >= 0); + ret = send(fr->commpair[0], ((char*)&cmd)+bcount, + sizeof(cmd)-bcount, 0); + if(ret == -1) { + if( +#ifndef USE_WINSOCK + errno == EINTR || errno == EAGAIN +# ifdef EWOULDBLOCK + || errno == EWOULDBLOCK +# endif +#else + WSAGetLastError() == WSAEINTR || + WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEWOULDBLOCK +#endif + ) + continue; /* Try again. */ + log_err("send notification to fast reload: send: %s", + sock_strerror(errno)); + return; + } else if(ret+(ssize_t)bcount != sizeof(cmd)) { + bcount += ret; + if((size_t)bcount < sizeof(cmd)) + continue; + } + break; + } +} + +/** Fast reload, the main thread handles that the fast reload thread has + * exited. */ +static void +fr_main_perform_done(struct fast_reload_thread* fr) +{ + struct worker* worker = fr->worker; + verbose(VERB_ALGO, "join with fastreload thread"); + ub_thread_join(fr->tid); + verbose(VERB_ALGO, "joined with fastreload thread"); + fast_reload_thread_desetup(fr); + worker->daemon->fast_reload_thread = NULL; +} + +/** Append strlist after strlist */ +static void +cfg_strlist_append_listhead(struct config_strlist_head* list, + struct config_strlist_head* more) +{ + if(!more->first) + return; + if(list->last) + list->last->next = more->first; + else + list->first = more->first; + list->last = more->last; +} + +/** Fast reload, the remote control thread handles that the fast reload thread + * has output to be printed, on the linked list that is locked. */ +static void +fr_main_perform_printout(struct fast_reload_thread* fr) +{ + struct config_strlist_head out; + + /* Fetch the list of items to be printed */ + lock_basic_lock(&fr->fr_output_lock); + out.first = fr->fr_output->first; + out.last = fr->fr_output->last; + fr->fr_output->first = NULL; + fr->fr_output->last = NULL; + lock_basic_unlock(&fr->fr_output_lock); + + if(!fr->printq || !fr->printq->client_cp) { + /* There is no output socket, delete it. */ + config_delstrlist(out.first); + return; + } + + /* Put them on the output list, not locked because the list + * producer and consumer are both owned by the remote control thread, + * it moves the items to the list for printing in the event callback + * for the client_cp. */ + cfg_strlist_append_listhead(fr->printq->to_print, &out); + + /* Set the client_cp to output if not already */ + if(!fr->printq->client_cp->event_added) + comm_point_listen_for_rw(fr->printq->client_cp, 0, 1); +} + +/** fast reload, receive ack from workers that they are waiting, run + * by the mainthr after sending them reload_stop. */ +static void +fr_read_ack_from_workers(struct fast_reload_thread* fr) +{ + struct daemon* daemon = fr->worker->daemon; + /* Every worker sends one byte, wait for num-1 bytes. */ + int count=0, total=daemon->num-1; + while(count < total) { + uint8_t r; + ssize_t ret; + ret = recv(fr->commreload[0], (void*)&r, 1, 0); + if(ret == -1) { + if( +#ifndef USE_WINSOCK + errno == EINTR || errno == EAGAIN +# ifdef EWOULDBLOCK + || errno == EWOULDBLOCK +# endif +#else + WSAGetLastError() == WSAEINTR || + WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEWOULDBLOCK +#endif + ) + continue; /* Try again */ + log_err("worker reload ack: recv failed: %s", + sock_strerror(errno)); + return; + } + count++; + verbose(VERB_ALGO, "worker reload ack from (uint8_t)%d", + (int)r); + } +} + +/** fast reload, poll for reload_start in mainthr waiting on a notification + * from the fast reload thread. */ +static void +fr_poll_for_reload_start(struct fast_reload_thread* fr) +{ + int loopexit = 0, bcount = 0; + uint32_t cmd; + ssize_t ret; + + /* Is there data? */ + if(!sock_poll_timeout(fr->commpair[0], -1, 1, 0, NULL)) { + log_err("fr_poll_for_reload_start: poll failed"); + return; + } + + /* Read the data */ + while(1) { + if(++loopexit > IPC_LOOP_MAX) { + log_err("fr_poll_for_reload_start: recv loops %s", + sock_strerror(errno)); + return; + } + ret = recv(fr->commpair[0], ((char*)&cmd)+bcount, + sizeof(cmd)-bcount, 0); + if(ret == -1) { + if( +#ifndef USE_WINSOCK + errno == EINTR || errno == EAGAIN +# ifdef EWOULDBLOCK + || errno == EWOULDBLOCK +# endif +#else + WSAGetLastError() == WSAEINTR || + WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEWOULDBLOCK +#endif + ) + continue; /* Try again. */ + log_err("fr_poll_for_reload_start: recv: %s", + sock_strerror(errno)); + return; + } else if(ret+(ssize_t)bcount != sizeof(cmd)) { + bcount += ret; + if((size_t)bcount < sizeof(cmd)) + continue; + } + break; + } + if(cmd != fast_reload_notification_reload_start) { + verbose(VERB_ALGO, "fast reload wait for ack: " + "wrong notification %d", (int)cmd); + } +} + +/** Pick up the worker mesh changes, after fast reload. */ +static void +fr_worker_pickup_mesh(struct worker* worker) +{ + struct mesh_area* mesh = worker->env.mesh; + struct config_file* cfg = worker->env.cfg; + mesh->use_response_ip = worker->daemon->use_response_ip; + mesh->use_rpz = worker->daemon->use_rpz; + mesh->max_reply_states = cfg->num_queries_per_thread; + mesh->max_forever_states = (mesh->max_reply_states+1)/2; +#ifndef S_SPLINT_S + mesh->jostle_max.tv_sec = (time_t)(cfg->jostle_time / 1000); + mesh->jostle_max.tv_usec = (time_t)((cfg->jostle_time % 1000)*1000); +#endif +} + +/** + * Remove the old tcl_addr entries from the open connections. + * They are only incremented when an accept is performed on a tcp comm point. + * @param front: listening comm ports of the worker. + */ +static void +tcl_remove_old(struct listen_dnsport* front) +{ + struct listen_list* l; + l = front->cps; + while(l) { + if(l->com->type == comm_tcp_accept) { + int i; + for(i=0; icom->max_tcp_count; i++) { + if(l->com->tcp_handlers[i]->tcl_addr) { + /* Because the increment of the + * connection limit was in the old + * tcl list, the new list does not + * need a decrement. With NULL it is + * not decremented when the connection + * is done, and also there is no + * reference to the old connection + * limit structure. */ + l->com->tcp_handlers[i]->tcl_addr = + NULL; + } + } + } + l = l->next; + } +} + +/** Stop zonemd lookup */ +static void +auth_zone_zonemd_stop_lookup(struct auth_zone* z, struct mesh_area* mesh) +{ + struct query_info qinfo; + uint16_t qflags = BIT_RD; + qinfo.qname_len = z->namelen; + qinfo.qname = z->name; + qinfo.qclass = z->dclass; + qinfo.qtype = z->zonemd_callback_qtype; + qinfo.local_alias = NULL; + + mesh_remove_callback(mesh, &qinfo, qflags, + &auth_zonemd_dnskey_lookup_callback, z); +} + +/** Pick up the auth zone locks. */ +static void +fr_pickup_auth_locks(struct worker* worker, struct auth_zone* namez, + struct auth_zone* old_z, struct auth_zone* new_z, + struct auth_xfer** xfr, struct auth_xfer** loadxfr) +{ + uint8_t nm[LDNS_MAX_DOMAINLEN+1]; + size_t nmlen; + uint16_t dclass; + + log_assert(namez->namelen <= sizeof(nm)); + lock_rw_rdlock(&namez->lock); + nmlen = namez->namelen; + dclass = namez->dclass; + memmove(nm, namez->name, nmlen); + lock_rw_unlock(&namez->lock); + + lock_rw_wrlock(&worker->daemon->fast_reload_thread->old_auth_zones->lock); + lock_rw_wrlock(&worker->env.auth_zones->lock); + if(new_z) { + lock_rw_wrlock(&new_z->lock); + } + if(old_z) { + lock_rw_wrlock(&old_z->lock); + } + if(loadxfr) + *loadxfr = auth_xfer_find(worker->daemon->fast_reload_thread-> + old_auth_zones, nm, nmlen, dclass); + if(xfr) + *xfr = auth_xfer_find(worker->env.auth_zones, nm, nmlen, + dclass); + if(loadxfr && *loadxfr) { + lock_basic_lock(&(*loadxfr)->lock); + } + if(xfr && *xfr) { + lock_basic_lock(&(*xfr)->lock); + } +} + +/** Fast reload, worker picks up deleted auth zone */ +static void +fr_worker_auth_del(struct worker* worker, struct fast_reload_auth_change* item, + int for_change) +{ + int released = 0; /* Did this routine release callbacks. */ + struct auth_xfer* xfr = NULL; + + lock_rw_wrlock(&item->old_z->lock); + if(item->old_z->zonemd_callback_env && + item->old_z->zonemd_callback_env->worker == worker){ + /* This worker was performing a zonemd lookup, + * stop the lookup and remove that entry. */ + auth_zone_zonemd_stop_lookup(item->old_z, worker->env.mesh); + item->old_z->zonemd_callback_env = NULL; + } + lock_rw_unlock(&item->old_z->lock); + + fr_pickup_auth_locks(worker, item->old_z, item->old_z, NULL, &xfr, + NULL); + lock_rw_unlock(&worker->daemon->fast_reload_thread->old_auth_zones->lock); + lock_rw_unlock(&worker->env.auth_zones->lock); + lock_rw_unlock(&item->old_z->lock); + if(xfr) { + /* Release callbacks on the xfr, if this worker holds them. */ + if(xfr->task_nextprobe->worker == worker || + xfr->task_probe->worker == worker || + xfr->task_transfer->worker == worker) { + released = 1; + xfr_disown_tasks(xfr, worker); + } + lock_basic_unlock(&xfr->lock); + } + + if(!for_change && (released || worker->thread_num == 0)) { + /* See if the xfr item can be deleted. */ + xfr = NULL; + fr_pickup_auth_locks(worker, item->old_z, item->old_z, NULL, + &xfr, NULL); + lock_rw_unlock(&worker->daemon->fast_reload_thread->old_auth_zones->lock); + lock_rw_unlock(&item->old_z->lock); + if(xfr && xfr->task_nextprobe->worker == NULL && + xfr->task_probe->worker == NULL && + xfr->task_transfer->worker == NULL) { + (void)rbtree_delete(&worker->env.auth_zones->xtree, + &xfr->node); + lock_rw_unlock(&worker->env.auth_zones->lock); + lock_basic_unlock(&xfr->lock); + auth_xfer_delete(xfr); + } else { + lock_rw_unlock(&worker->env.auth_zones->lock); + if(xfr) { + lock_basic_unlock(&xfr->lock); + } + } + } +} + +/** Fast reload, auth xfer config is picked up */ +static void +auth_xfr_pickup_config(struct auth_xfer* loadxfr, struct auth_xfer* xfr) +{ + struct auth_master *probe_masters, *transfer_masters; + log_assert(loadxfr->namelen == xfr->namelen); + log_assert(loadxfr->namelabs == xfr->namelabs); + log_assert(loadxfr->dclass == xfr->dclass); + + /* The lists can be swapped in, the other xfr struct will be deleted + * afterwards. */ + probe_masters = xfr->task_probe->masters; + transfer_masters = xfr->task_transfer->masters; + xfr->task_probe->masters = loadxfr->task_probe->masters; + xfr->task_transfer->masters = loadxfr->task_transfer->masters; + loadxfr->task_probe->masters = probe_masters; + loadxfr->task_transfer->masters = transfer_masters; +} + +/** Fast reload, worker picks up added auth zone */ +static void +fr_worker_auth_add(struct worker* worker, struct fast_reload_auth_change* item, + int for_change) +{ + struct auth_xfer* xfr = NULL, *loadxfr = NULL; + + /* Start zone transfers and lookups. */ + fr_pickup_auth_locks(worker, item->new_z, NULL, item->new_z, &xfr, + &loadxfr); + if(xfr == NULL && item->new_z->zone_is_slave) { + /* The xfr item needs to be created. The auth zones lock + * is held to make this possible. */ + xfr = auth_xfer_create(worker->env.auth_zones, item->new_z); + auth_xfr_pickup_config(loadxfr, xfr); + /* Serial information is copied into the xfr struct. */ + if(!xfr_find_soa(item->new_z, xfr)) { + xfr->serial = 0; + } + } else if(for_change && xfr) { + if(!xfr_find_soa(item->new_z, xfr)) { + xfr->serial = 0; + } + } + auth_zone_pickup_initial_zone(item->new_z, &worker->env); + lock_rw_unlock(&item->new_z->lock); + lock_rw_unlock(&worker->env.auth_zones->lock); + lock_rw_unlock(&worker->daemon->fast_reload_thread->old_auth_zones->lock); + if(loadxfr) { + lock_basic_unlock(&loadxfr->lock); + } + if(xfr) { + auth_xfer_pickup_initial_zone(xfr, &worker->env); + if(for_change) { + xfr->task_probe->only_lookup = 0; + } + lock_basic_unlock(&xfr->lock); + } + + /* Perform ZONEMD verification lookups. */ + lock_rw_wrlock(&item->new_z->lock); + /* holding only the new_z lock */ + auth_zone_verify_zonemd(item->new_z, &worker->env, + &worker->env.mesh->mods, NULL, 0, 1); + lock_rw_unlock(&item->new_z->lock); +} + +/** Fast reload, worker picks up changed auth zone */ +static void +fr_worker_auth_cha(struct worker* worker, struct fast_reload_auth_change* item) +{ + int todelete = 0; + struct auth_xfer* loadxfr = NULL, *xfr = NULL; + /* Since the zone has been changed, by rereading it from zone file, + * existing transfers and probes are likely for the old version. + * Stop them, and start new ones if needed. */ + fr_worker_auth_del(worker, item, 1); + + if(worker->thread_num != 0) + return; + + /* The old callbacks are stopped, tasks have been disowned. The + * new config contents can be picked up. SOA information is picked + * up in the auth_add routine, as it has the new_z ready. */ + + fr_pickup_auth_locks(worker, item->new_z, item->old_z, item->new_z, + &xfr, &loadxfr); + + /* The xfr is not there any more if the zone is not set to have + * zone transfers. Or the xfr needs to be created if it is set to + * have zone transfers. */ + if(loadxfr && xfr) { + /* Copy the config from loadxfr to the xfr in current use. */ + auth_xfr_pickup_config(loadxfr, xfr); + } else if(!loadxfr && xfr) { + /* Delete the xfr. */ + (void)rbtree_delete(&worker->env.auth_zones->xtree, + &xfr->node); + todelete = 1; + item->new_z->zone_is_slave = 0; + } else if(loadxfr && !xfr) { + /* Create the xfr. */ + xfr = auth_xfer_create(worker->env.auth_zones, item->new_z); + auth_xfr_pickup_config(loadxfr, xfr); + item->new_z->zone_is_slave = 1; + } + lock_rw_unlock(&item->new_z->lock); + lock_rw_unlock(&item->old_z->lock); + lock_rw_unlock(&worker->daemon->fast_reload_thread->old_auth_zones->lock); + lock_rw_unlock(&worker->env.auth_zones->lock); + if(loadxfr) { + lock_basic_unlock(&loadxfr->lock); + } + if(xfr) { + lock_basic_unlock(&xfr->lock); + } + if(todelete) { + auth_xfer_delete(xfr); + } + + fr_worker_auth_add(worker, item, 1); +} + +/** Fast reload, the worker picks up changes in auth zones. */ +static void +fr_worker_pickup_auth_changes(struct worker* worker, + struct fast_reload_auth_change* auth_zone_change_list) +{ + struct fast_reload_auth_change* item; + for(item = auth_zone_change_list; item; item = item->next) { + if(item->is_deleted) { + fr_worker_auth_del(worker, item, 0); + } + if(item->is_added) { + if(worker->thread_num == 0) { + fr_worker_auth_add(worker, item, 0); + } + } + if(item->is_changed) { + fr_worker_auth_cha(worker, item); + } + } +} + +/** Fast reload, the worker picks up changes in outside_network. */ +static void +fr_worker_pickup_outside_network(struct worker* worker) +{ + struct outside_network* outnet = worker->back; + struct config_file* cfg = worker->env.cfg; + outnet->use_caps_for_id = cfg->use_caps_bits_for_id; + outnet->unwanted_threshold = cfg->unwanted_threshold; + outnet->tls_use_sni = cfg->tls_use_sni; + outnet->tcp_mss = cfg->outgoing_tcp_mss; + outnet->ip_dscp = cfg->ip_dscp; + outnet->max_reuse_tcp_queries = cfg->max_reuse_tcp_queries; + outnet->tcp_reuse_timeout = cfg->tcp_reuse_timeout; + outnet->tcp_auth_query_timeout = cfg->tcp_auth_query_timeout; + outnet->delayclose = cfg->delay_close; + if(outnet->delayclose) { +#ifndef S_SPLINT_S + outnet->delay_tv.tv_sec = cfg->delay_close/1000; + outnet->delay_tv.tv_usec = (cfg->delay_close%1000)*1000; +#endif + } +} + +void +fast_reload_worker_pickup_changes(struct worker* worker) +{ + /* The pickup of changes is called when the fast reload has + * a synchronized moment, and all the threads are paused and the + * reload has been applied. Then the worker can pick up the new + * changes and store them in worker-specific structs. + * The pickup is also called when there is no pause, and then + * it is called after the reload has completed, and the worker + * get a signal to release old information, it can then pick + * up the new information. But in the mean time, the reload has + * swapped in trees, and the worker has been running with the + * older information for some time. */ + fr_worker_pickup_mesh(worker); + + /* If the tcp connection limit has changed, the open connections + * need to remove their reference for the old tcp limits counters. */ + if(worker->daemon->fast_reload_tcl_has_changes) + tcl_remove_old(worker->front); + + /* If there are zonemd lookups, but the zone was deleted, the + * lookups should be cancelled. */ + fr_worker_pickup_auth_changes(worker, + worker->daemon->fast_reload_thread->auth_zone_change_list); +#ifdef USE_CACHEDB + worker->env.cachedb_enabled = worker->daemon->env->cachedb_enabled; +#endif + fr_worker_pickup_outside_network(worker); +} + +/** fast reload thread, handle reload_stop notification, send reload stop + * to other threads over IPC and collect their ack. When that is done, + * ack to the caller, the fast reload thread, and wait for it to send start. */ +static void +fr_main_perform_reload_stop(struct fast_reload_thread* fr) +{ + struct daemon* daemon = fr->worker->daemon; + int i; + + /* Send reload_stop to other threads. */ + for(i=0; inum; i++) { + if(i == fr->worker->thread_num) + continue; /* Do not send to ourselves. */ + worker_send_cmd(daemon->workers[i], worker_cmd_reload_stop); + } + + /* Wait for the other threads to ack. */ + fr_read_ack_from_workers(fr); + + /* Send ack to fast reload thread. */ + fr_send_cmd_to(fr, fast_reload_notification_reload_ack, 0, 1); + + /* Wait for reload_start from fast reload thread to resume. */ + fr_poll_for_reload_start(fr); + + /* Send reload_start to other threads */ + for(i=0; inum; i++) { + if(i == fr->worker->thread_num) + continue; /* Do not send to ourselves. */ + worker_send_cmd(daemon->workers[i], worker_cmd_reload_start); + } + + /* Pick up changes for this worker. */ + if(fr->worker->daemon->fast_reload_drop_mesh) { + verbose(VERB_ALGO, "worker: drop mesh queries after reload"); + mesh_delete_all(fr->worker->env.mesh); + } + fast_reload_worker_pickup_changes(fr->worker); + + /* Wait for the other threads to ack. */ + fr_read_ack_from_workers(fr); + + /* Send ack to fast reload thread. */ + fr_send_cmd_to(fr, fast_reload_notification_reload_ack, 0, 1); + + verbose(VERB_ALGO, "worker resume after reload"); +} + +/** Fast reload, the main thread performs the nopause poll. It polls every + * other worker thread briefly over the command pipe ipc. The command takes + * no time for the worker, it can return immediately. After that it sends + * an acknowledgement to the fastreload thread. */ +static void +fr_main_perform_reload_nopause_poll(struct fast_reload_thread* fr) +{ + struct daemon* daemon = fr->worker->daemon; + int i; + + /* Send the reload_poll to other threads. They can respond + * one at a time. */ + for(i=0; inum; i++) { + if(i == fr->worker->thread_num) + continue; /* Do not send to ourselves. */ + worker_send_cmd(daemon->workers[i], worker_cmd_reload_poll); + } + + /* Wait for the other threads to ack. */ + fr_read_ack_from_workers(fr); + fast_reload_worker_pickup_changes(fr->worker); + + /* Send ack to fast reload thread. */ + fr_send_cmd_to(fr, fast_reload_notification_reload_ack, 0, 1); +} + +/** Fast reload, perform the command received from the fast reload thread */ +static void +fr_main_perform_cmd(struct fast_reload_thread* fr, + enum fast_reload_notification status) +{ + verbose(VERB_ALGO, "main perform fast reload status: %s", + fr_notification_to_string(status)); + if(status == fast_reload_notification_printout) { + fr_main_perform_printout(fr); + } else if(status == fast_reload_notification_done || + status == fast_reload_notification_done_error || + status == fast_reload_notification_exited) { + fr_main_perform_done(fr); + } else if(status == fast_reload_notification_reload_stop) { + fr_main_perform_reload_stop(fr); + } else if(status == fast_reload_notification_reload_nopause_poll) { + fr_main_perform_reload_nopause_poll(fr); + } else { + log_err("main received unknown status from fast reload: %d %s", + (int)status, fr_notification_to_string(status)); + } +} + +/** Fast reload, handle command from fast reload to the main thread. */ +static void +fr_main_handle_cmd(struct fast_reload_thread* fr) +{ + enum fast_reload_notification status; + ssize_t ret; + /* keep static analyzer happy; recv(-1,..) */ + log_assert(fr->commpair[0] >= 0); + ret = recv(fr->commpair[0], + ((char*)&fr->service_read_cmd)+fr->service_read_cmd_count, + sizeof(fr->service_read_cmd)-fr->service_read_cmd_count, 0); + if(ret == -1) { + if( +#ifndef USE_WINSOCK + errno == EINTR || errno == EAGAIN +# ifdef EWOULDBLOCK + || errno == EWOULDBLOCK +# endif +#else + WSAGetLastError() == WSAEINTR || + WSAGetLastError() == WSAEINPROGRESS +#endif + ) + return; /* Continue later. */ +#ifdef USE_WINSOCK + if(WSAGetLastError() == WSAEWOULDBLOCK) { + ub_winsock_tcp_wouldblock(fr->service_event, + UB_EV_READ); + return; /* Continue later. */ + } +#endif + log_err("read cmd from fast reload thread, recv: %s", + sock_strerror(errno)); + return; + } else if(ret == 0) { + verbose(VERB_ALGO, "closed connection from fast reload thread"); + fr->service_read_cmd_count = 0; + /* handle this like an error */ + fr->service_read_cmd = fast_reload_notification_done_error; + } else if(ret + (ssize_t)fr->service_read_cmd_count < + (ssize_t)sizeof(fr->service_read_cmd)) { + fr->service_read_cmd_count += ret; + /* Continue later. */ + return; + } + status = fr->service_read_cmd; + fr->service_read_cmd = 0; + fr->service_read_cmd_count = 0; + fr_main_perform_cmd(fr, status); +} + +/** Fast reload, poll for and handle cmd from fast reload thread. */ +static void +fr_check_cmd_from_thread(struct fast_reload_thread* fr) +{ + int inevent = 0; + struct worker* worker = fr->worker; + /* Stop in case the thread has exited, or there is no read event. */ + while(worker->daemon->fast_reload_thread) { + if(!sock_poll_timeout(fr->commpair[0], 0, 1, 0, &inevent)) { + log_err("check for cmd from fast reload thread: " + "poll failed"); +#ifdef USE_WINSOCK + if(worker->daemon->fast_reload_thread) + ub_winsock_tcp_wouldblock(worker->daemon-> + fast_reload_thread->service_event, + UB_EV_READ); +#endif + return; + } + if(!inevent) { +#ifdef USE_WINSOCK + if(worker->daemon->fast_reload_thread) + ub_winsock_tcp_wouldblock(worker->daemon-> + fast_reload_thread->service_event, + UB_EV_READ); +#endif + return; + } + fr_main_handle_cmd(fr); + } +} + +void fast_reload_service_cb(int ATTR_UNUSED(fd), short ATTR_UNUSED(bits), + void* arg) +{ + struct fast_reload_thread* fast_reload_thread = + (struct fast_reload_thread*)arg; + struct worker* worker = fast_reload_thread->worker; + + /* Read and handle the command */ + fr_main_handle_cmd(fast_reload_thread); + if(worker->daemon->fast_reload_thread != NULL) { + /* If not exited, see if there are more pending statuses + * from the fast reload thread. */ + fr_check_cmd_from_thread(fast_reload_thread); + } +} + +#ifdef HAVE_SSL +/** fast reload, send client item over SSL. Returns number of bytes + * printed, 0 on wait later, or -1 on failure. */ +static int +fr_client_send_item_ssl(struct fast_reload_printq* printq) +{ + int r; + ERR_clear_error(); + r = SSL_write(printq->remote.ssl, + printq->client_item+printq->client_byte_count, + printq->client_len - printq->client_byte_count); + if(r <= 0) { + int want = SSL_get_error(printq->remote.ssl, r); + if(want == SSL_ERROR_ZERO_RETURN) { + log_err("fast_reload print to remote client: " + "SSL_write says connection closed."); + return -1; + } else if(want == SSL_ERROR_WANT_READ) { + /* wait for read condition */ + printq->client_cp->ssl_shake_state = comm_ssl_shake_hs_read; + comm_point_listen_for_rw(printq->client_cp, 1, 0); + return 0; + } else if(want == SSL_ERROR_WANT_WRITE) { +#ifdef USE_WINSOCK + ub_winsock_tcp_wouldblock(comm_point_internal(printq->client_cp), UB_EV_WRITE); +#endif + return 0; /* write more later */ + } else if(want == SSL_ERROR_SYSCALL) { +#ifdef EPIPE + if(errno == EPIPE && verbosity < 2) { + /* silence 'broken pipe' */ + return -1; + } +#endif + if(errno != 0) + log_err("fast_reload print to remote client: " + "SSL_write syscall: %s", + sock_strerror(errno)); + return -1; + } + log_crypto_err_io("fast_reload print to remote client: " + "could not SSL_write", want); + return -1; + } + return r; +} +#endif /* HAVE_SSL */ + +/** fast reload, send client item for fd, returns bytes sent, or 0 for wait + * later, or -1 on failure. */ +static int +fr_client_send_item_fd(struct fast_reload_printq* printq) +{ + int r; + r = (int)send(printq->remote.fd, + printq->client_item+printq->client_byte_count, + printq->client_len - printq->client_byte_count, 0); + if(r == -1) { + if( +#ifndef USE_WINSOCK + errno == EINTR || errno == EAGAIN +# ifdef EWOULDBLOCK + || errno == EWOULDBLOCK +# endif +#else + WSAGetLastError() == WSAEINTR || + WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEWOULDBLOCK +#endif + ) { +#ifdef USE_WINSOCK + ub_winsock_tcp_wouldblock(comm_point_internal(printq->client_cp), UB_EV_WRITE); +#endif + return 0; /* Try again. */ + } + log_err("fast_reload print to remote client: send failed: %s", + sock_strerror(errno)); + return -1; + } + return r; +} + +/** fast reload, send current client item. false on failure or wait later. */ +static int +fr_client_send_item(struct fast_reload_printq* printq) +{ + int r; +#ifdef HAVE_SSL + if(printq->remote.ssl) { + r = fr_client_send_item_ssl(printq); + } else { +#endif + r = fr_client_send_item_fd(printq); +#ifdef HAVE_SSL + } +#endif + if(r == 0) { + /* Wait for later. */ + return 0; + } else if(r == -1) { + /* It failed, close comm point and stop sending. */ + fr_printq_remove(printq); + return 0; + } + printq->client_byte_count += r; + if(printq->client_byte_count < printq->client_len) + return 0; /* Print more later. */ + return 1; +} + +/** fast reload, pick up the next item to print */ +static void +fr_client_pickup_next_item(struct fast_reload_printq* printq) +{ + struct config_strlist* item; + /* Pop first off the list. */ + if(!printq->to_print->first) { + printq->client_item = NULL; + printq->client_len = 0; + printq->client_byte_count = 0; + return; + } + item = printq->to_print->first; + if(item->next) { + printq->to_print->first = item->next; + } else { + printq->to_print->first = NULL; + printq->to_print->last = NULL; + } + item->next = NULL; + printq->client_len = 0; + printq->client_byte_count = 0; + printq->client_item = item->str; + item->str = NULL; + free(item); + /* The len is the number of bytes to print out, and thus excludes + * the terminator zero. */ + if(printq->client_item) + printq->client_len = (int)strlen(printq->client_item); +} + +int fast_reload_client_callback(struct comm_point* ATTR_UNUSED(c), void* arg, + int err, struct comm_reply* ATTR_UNUSED(rep)) +{ + struct fast_reload_printq* printq = (struct fast_reload_printq*)arg; + if(!printq->client_cp) { + fr_printq_remove(printq); + return 0; /* the output is closed and deleted */ + } + if(err != NETEVENT_NOERROR) { + verbose(VERB_ALGO, "fast reload client: error, close it"); + fr_printq_remove(printq); + return 0; + } +#ifdef HAVE_SSL + if(printq->client_cp->ssl_shake_state == comm_ssl_shake_hs_read) { + /* read condition satisfied back to writing */ + comm_point_listen_for_rw(printq->client_cp, 0, 1); + printq->client_cp->ssl_shake_state = comm_ssl_shake_none; + } +#endif /* HAVE_SSL */ + + /* Pickup an item if there are none */ + if(!printq->client_item) { + fr_client_pickup_next_item(printq); + } + if(!printq->client_item) { + if(printq->in_list) { + /* Nothing more to print, it can be removed. */ + fr_printq_remove(printq); + return 0; + } + /* Done with printing for now. */ + comm_point_stop_listening(printq->client_cp); + return 0; + } + + /* Try to print out a number of items, if they can print in full. */ + while(printq->client_item) { + /* Send current item, if any. */ + if(printq->client_item && printq->client_len != 0 && + printq->client_byte_count < printq->client_len) { + if(!fr_client_send_item(printq)) + return 0; + } + + /* The current item is done. */ + if(printq->client_item) { + free(printq->client_item); + printq->client_item = NULL; + printq->client_len = 0; + printq->client_byte_count = 0; + } + if(!printq->to_print->first) { + if(printq->in_list) { + /* Nothing more to print, it can be removed. */ + fr_printq_remove(printq); + return 0; + } + /* Done with printing for now. */ + comm_point_stop_listening(printq->client_cp); + return 0; + } + fr_client_pickup_next_item(printq); + } + + return 0; +} + +#ifndef THREADS_DISABLED +/** fast reload printq create */ +static struct fast_reload_printq* +fr_printq_create(struct comm_point* c, struct worker* worker) +{ + struct fast_reload_printq* printq = calloc(1, sizeof(*printq)); + if(!printq) + return NULL; + printq->to_print = calloc(1, sizeof(*printq->to_print)); + if(!printq->to_print) { + free(printq); + return NULL; + } + printq->worker = worker; + printq->client_cp = c; + printq->client_cp->callback = fast_reload_client_callback; + printq->client_cp->cb_arg = printq; + return printq; +} +#endif /* !THREADS_DISABLED */ + +/** fast reload printq delete */ +static void +fr_printq_delete(struct fast_reload_printq* printq) +{ + if(!printq) + return; +#ifdef HAVE_SSL + if(printq->remote.ssl) { + SSL_shutdown(printq->remote.ssl); + SSL_free(printq->remote.ssl); + } +#endif + comm_point_delete(printq->client_cp); + if(printq->to_print) { + config_delstrlist(printq->to_print->first); + free(printq->to_print); + } + free(printq); +} + +/** fast reload printq, returns true if the list is empty and no item */ +static int +fr_printq_empty(struct fast_reload_printq* printq) +{ + if(printq->to_print->first == NULL && printq->client_item == NULL) + return 1; + return 0; +} + +/** fast reload printq, insert onto list */ +static void +fr_printq_list_insert(struct fast_reload_printq* printq, struct daemon* daemon) +{ + if(printq->in_list) + return; + printq->next = daemon->fast_reload_printq_list; + if(printq->next) + printq->next->prev = printq; + printq->prev = NULL; + printq->in_list = 1; + daemon->fast_reload_printq_list = printq; +} + +/** fast reload printq delete list */ +void +fast_reload_printq_list_delete(struct fast_reload_printq* list) +{ + struct fast_reload_printq* printq = list, *next; + while(printq) { + next = printq->next; + fr_printq_delete(printq); + printq = next; + } +} + +/** fast reload printq remove the item from the printq list */ +static void +fr_printq_list_remove(struct fast_reload_printq* printq) +{ + struct daemon* daemon = printq->worker->daemon; + if(printq->prev == NULL) + daemon->fast_reload_printq_list = printq->next; + else printq->prev->next = printq->next; + if(printq->next) + printq->next->prev = printq->prev; + printq->in_list = 0; +} + +/** fast reload printq, remove the printq when no longer needed, + * like the stream is closed. */ +static void +fr_printq_remove(struct fast_reload_printq* printq) +{ + if(!printq) + return; + if(printq->worker->daemon->fast_reload_thread && + printq->worker->daemon->fast_reload_thread->printq == printq) + printq->worker->daemon->fast_reload_thread->printq = NULL; + if(printq->in_list) + fr_printq_list_remove(printq); + fr_printq_delete(printq); +} + +/** fast reload thread, send stop command to the thread, from the main thread. + */ +static void +fr_send_stop(struct fast_reload_thread* fr) +{ + fr_send_cmd_to(fr, fast_reload_notification_exit, 1, 0); +} + +void +fast_reload_thread_start(RES* ssl, struct worker* worker, struct rc_state* s, + int fr_verb, int fr_nopause, int fr_drop_mesh) +{ + if(worker->daemon->fast_reload_thread) { + log_err("fast reload thread already running"); + return; + } + if(!fast_reload_thread_setup(worker, fr_verb, fr_nopause, + fr_drop_mesh)) { + if(!ssl_printf(ssl, "error could not setup thread\n")) + return; + return; + } + worker->daemon->fast_reload_thread->started = 1; + +#ifndef THREADS_DISABLED + /* Setup command listener in remote servicing thread */ + /* The listener has to be nonblocking, so the the remote servicing + * thread can continue to service DNS queries, the fast reload + * thread is going to read the config from disk and apply it. */ + /* The commpair[1] element can stay blocking, it is used by the + * fast reload thread to communicate back. The thread needs to wait + * at these times, when it has to check briefly it can use poll. */ + fd_set_nonblock(worker->daemon->fast_reload_thread->commpair[0]); + worker->daemon->fast_reload_thread->service_event = ub_event_new( + comm_base_internal(worker->base), + worker->daemon->fast_reload_thread->commpair[0], + UB_EV_READ | UB_EV_PERSIST, fast_reload_service_cb, + worker->daemon->fast_reload_thread); + if(!worker->daemon->fast_reload_thread->service_event) { + fast_reload_thread_desetup(worker->daemon->fast_reload_thread); + if(!ssl_printf(ssl, "error out of memory\n")) + return; + return; + } + if(ub_event_add(worker->daemon->fast_reload_thread->service_event, + NULL) != 0) { + fast_reload_thread_desetup(worker->daemon->fast_reload_thread); + if(!ssl_printf(ssl, "error out of memory adding service event\n")) + return; + return; + } + worker->daemon->fast_reload_thread->service_event_is_added = 1; + + /* Setup the comm point to the remote control client as an event + * on the remote servicing thread, which it already is. + * It needs a new callback to service it. */ + log_assert(s); + state_list_remove_elem(&s->rc->busy_list, s->c); + s->rc->active --; + /* Set the comm point file descriptor to nonblocking. So that + * printout to the remote control client does not block the + * server thread from servicing DNS queries. */ + fd_set_nonblock(s->c->fd); + worker->daemon->fast_reload_thread->printq = fr_printq_create(s->c, + worker); + if(!worker->daemon->fast_reload_thread->printq) { + fast_reload_thread_desetup(worker->daemon->fast_reload_thread); + if(!ssl_printf(ssl, "error out of memory create printq\n")) + return; + return; + } + worker->daemon->fast_reload_thread->printq->remote = *ssl; + s->rc = NULL; /* move away the rc state */ + /* Nothing to print right now, so no need to have it active. */ + comm_point_stop_listening(worker->daemon->fast_reload_thread->printq->client_cp); + + /* Start fast reload thread */ + ub_thread_create(&worker->daemon->fast_reload_thread->tid, + fast_reload_thread_main, worker->daemon->fast_reload_thread); +#else + (void)s; +#endif +} + +void +fast_reload_thread_stop(struct fast_reload_thread* fast_reload_thread) +{ + struct worker* worker = fast_reload_thread->worker; + if(!fast_reload_thread) + return; + fr_send_stop(fast_reload_thread); + if(worker->daemon->fast_reload_thread != NULL) { + /* If it did not exit yet, join with the thread now. It is + * going to exit because the exit command is sent to it. */ + fr_main_perform_done(fast_reload_thread); + } +} diff --git a/daemon/remote.h b/daemon/remote.h index 4902803f5..064d7b7fc 100644 --- a/daemon/remote.h +++ b/daemon/remote.h @@ -48,6 +48,7 @@ #ifdef HAVE_OPENSSL_SSL_H #include #endif +#include "util/locks.h" struct config_file; struct listen_list; struct listen_port; @@ -55,6 +56,7 @@ struct worker; struct comm_reply; struct comm_point; struct daemon_remote; +struct config_strlist_head; /** number of milliseconds timeout on incoming remote control handshake */ #define REMOTE_CONTROL_TCP_TIMEOUT 120000 @@ -118,6 +120,137 @@ struct remote_stream { }; typedef struct remote_stream RES; +/** + * Notification status. This is exchanged between the fast reload thread + * and the server thread, over the commpair sockets. + */ +enum fast_reload_notification { + /** nothing, not used */ + fast_reload_notification_none = 0, + /** the fast reload thread is done */ + fast_reload_notification_done = 1, + /** the fast reload thread is done but with an error, it failed */ + fast_reload_notification_done_error = 2, + /** the fast reload thread is told to exit by the server thread. + * Sent on server quit while the reload is running. */ + fast_reload_notification_exit = 3, + /** the fast reload thread has exited, after being told to exit */ + fast_reload_notification_exited = 4, + /** the fast reload thread has information to print out */ + fast_reload_notification_printout = 5, + /** stop as part of the reload the thread and other threads */ + fast_reload_notification_reload_stop = 6, + /** ack the stop as part of the reload, and also ack start */ + fast_reload_notification_reload_ack = 7, + /** resume from stop as part of the reload */ + fast_reload_notification_reload_start = 8, + /** the fast reload thread wants the mainthread to poll workers, + * after the reload, sent when nopause is used */ + fast_reload_notification_reload_nopause_poll = 9 +}; + +/** + * Fast reload printout queue. Contains a list of strings, that need to be + * printed over the file descriptor. + */ +struct fast_reload_printq { + /** if this item is in a list, the previous and next */ + struct fast_reload_printq *prev, *next; + /** if this item is in a list, it is true. */ + int in_list; + /** list of strings to printout */ + struct config_strlist_head* to_print; + /** the current item to print. It is malloced. NULL if none. */ + char* client_item; + /** The length, strlen, of the client_item, that has to be sent. */ + int client_len; + /** The number of bytes sent of client_item. */ + int client_byte_count; + /** the comm point for the client connection, the remote control + * client. */ + struct comm_point* client_cp; + /** the remote control connection to print output to. */ + struct remote_stream remote; + /** the worker that the event is added in */ + struct worker* worker; +}; + +/** + * Fast reload auth zone change. Keeps track if an auth zone was removed, + * added or changed. This is needed because workers can have events for + * dealing with auth zones, like transfers, and those have to be removed + * too, not just the auth zone structure from the tree. */ +struct fast_reload_auth_change { + /** next in the list of auth zone changes. */ + struct fast_reload_auth_change* next; + /** the zone in the old config */ + struct auth_zone* old_z; + /** the zone in the new config */ + struct auth_zone* new_z; + /** if the zone was deleted */ + int is_deleted; + /** if the zone was added */ + int is_added; + /** if the zone has been changed */ + int is_changed; +}; + +/** + * Fast reload thread structure + */ +struct fast_reload_thread { + /** the thread number for the dtio thread, + * must be first to cast thread arg to int* in checklock code. */ + int threadnum; + /** communication socket pair, that sends commands */ + int commpair[2]; + /** thread id, of the io thread */ + ub_thread_type tid; + /** if the io processing has started */ + int started; + /** if the thread has to quit */ + int need_to_quit; + /** verbosity of the fast_reload command, the number of +v options */ + int fr_verb; + /** option to not pause threads during reload */ + int fr_nopause; + /** option to drop mesh queries */ + int fr_drop_mesh; + + /** the event that listens on the remote service worker to the + * commpair, it receives content from the fast reload thread. */ + void* service_event; + /** if the event that listens on the remote service worker has + * been added to the comm base. */ + int service_event_is_added; + /** the service event can read a cmd, nonblocking, so it can + * save the partial read cmd here */ + uint32_t service_read_cmd; + /** the number of bytes in service_read_cmd */ + int service_read_cmd_count; + /** the worker that the service_event is added in */ + struct worker* worker; + + /** the printout of output to the remote client. */ + struct fast_reload_printq *printq; + + /** lock on fr_output, to stop race when both remote control thread + * and fast reload thread use fr_output list. */ + lock_basic_type fr_output_lock; + /** list of strings, that the fast reload thread produces that have + * to be printed. The remote control thread can pick them up with + * the lock. */ + struct config_strlist_head* fr_output; + + /** communication socket pair, to respond to the reload request */ + int commreload[2]; + + /** the list of auth zone changes. */ + struct fast_reload_auth_change* auth_zone_change_list; + /** the old tree of auth zones, to lookup. */ + struct auth_zones* old_auth_zones; +}; + /** * Create new remote control state for the daemon. * @param cfg: config file with key file settings. @@ -203,4 +336,38 @@ int ssl_printf(RES* ssl, const char* format, ...) int ssl_read_line(RES* ssl, char* buf, size_t max); #endif /* HAVE_SSL */ +/** + * Start fast reload thread + * @param ssl: the RES connection to print to. + * @param worker: the remote servicing worker. + * @param s: the rc_state that is servicing the remote control connection to + * the remote control client. It needs to be moved away to stay connected + * while the fast reload is running. + * @param fr_verb: verbosity to print output at. 0 is nothing, 1 is some + * and 2 is more detail. + * @param fr_nopause: option to not pause threads during reload. + * @param fr_drop_mesh: option to drop mesh queries. + */ +void fast_reload_thread_start(RES* ssl, struct worker* worker, + struct rc_state* s, int fr_verb, int fr_nopause, int fr_drop_mesh); + +/** + * Stop fast reload thread + * @param fast_reload_thread: the thread struct. + */ +void fast_reload_thread_stop(struct fast_reload_thread* fast_reload_thread); + +/** fast reload thread commands to remote service thread event callback */ +void fast_reload_service_cb(int fd, short bits, void* arg); + +/** fast reload callback for the remote control client connection */ +int fast_reload_client_callback(struct comm_point* c, void* arg, int err, + struct comm_reply* rep); + +/** fast reload printq delete list */ +void fast_reload_printq_list_delete(struct fast_reload_printq* list); + +/** Pick up per worker changes after a fast reload. */ +void fast_reload_worker_pickup_changes(struct worker* worker); + #endif /* DAEMON_REMOTE_H */ diff --git a/daemon/stats.c b/daemon/stats.c index a15ff8883..41c4656aa 100644 --- a/daemon/stats.c +++ b/daemon/stats.c @@ -273,6 +273,7 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset) /* add in the values from the mesh */ s->svr.ans_secure += (long long)worker->env.mesh->ans_secure; s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus; + s->svr.val_ops += (long long)worker->env.mesh->val_ops; s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata; s->svr.ans_expired += (long long)worker->env.mesh->ans_expired; for(i=0; ienv.mesh->num_queries_discard_timeout; s->svr.num_queries_wait_limit += (long long)worker->env.mesh->num_queries_wait_limit; + s->svr.num_dns_error_reports += + (long long)worker->env.mesh->num_dns_error_reports; /* values from outside network */ s->svr.unwanted_replies = (long long)worker->back->unwanted_replies; s->svr.qtcp_outgoing = (long long)worker->back->num_tcp_outgoing; @@ -329,20 +332,8 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset) s->svr.num_query_dnscrypt_replay = 0; #endif /* USE_DNSCRYPT */ if(worker->env.auth_zones) { - if(reset && !worker->env.cfg->stat_cumulative) { - lock_rw_wrlock(&worker->env.auth_zones->lock); - } else { - lock_rw_rdlock(&worker->env.auth_zones->lock); - } - s->svr.num_query_authzone_up = (long long)worker->env. - auth_zones->num_query_up; - s->svr.num_query_authzone_down = (long long)worker->env. - auth_zones->num_query_down; - if(reset && !worker->env.cfg->stat_cumulative) { - worker->env.auth_zones->num_query_up = 0; - worker->env.auth_zones->num_query_down = 0; - } - lock_rw_unlock(&worker->env.auth_zones->lock); + s->svr.num_query_authzone_up += (long long)worker->env.mesh->num_query_authzone_up; + s->svr.num_query_authzone_down += (long long)worker->env.mesh->num_query_authzone_down; } s->svr.mem_stream_wait = (long long)tcp_req_info_get_stream_buffer_size(); @@ -458,9 +449,12 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a) total->svr.num_queries_discard_timeout += a->svr.num_queries_discard_timeout; total->svr.num_queries_wait_limit += a->svr.num_queries_wait_limit; + total->svr.num_dns_error_reports += a->svr.num_dns_error_reports; total->svr.num_queries_missed_cache += a->svr.num_queries_missed_cache; total->svr.num_queries_prefetch += a->svr.num_queries_prefetch; total->svr.num_queries_timed_out += a->svr.num_queries_timed_out; + total->svr.num_query_authzone_up += a->svr.num_query_authzone_up; + total->svr.num_query_authzone_down += a->svr.num_query_authzone_down; if (total->svr.max_query_time_us < a->svr.max_query_time_us) total->svr.max_query_time_us = a->svr.max_query_time_us; total->svr.sum_query_list_size += a->svr.sum_query_list_size; @@ -468,9 +462,9 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a) #ifdef USE_DNSCRYPT total->svr.num_query_dnscrypt_crypted += a->svr.num_query_dnscrypt_crypted; total->svr.num_query_dnscrypt_cert += a->svr.num_query_dnscrypt_cert; - total->svr.num_query_dnscrypt_cleartext += \ + total->svr.num_query_dnscrypt_cleartext += a->svr.num_query_dnscrypt_cleartext; - total->svr.num_query_dnscrypt_crypted_malformed += \ + total->svr.num_query_dnscrypt_crypted_malformed += a->svr.num_query_dnscrypt_crypted_malformed; #endif /* USE_DNSCRYPT */ /* the max size reached is upped to higher of both */ @@ -502,6 +496,7 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a) total->svr.ans_rcode_nodata += a->svr.ans_rcode_nodata; total->svr.ans_secure += a->svr.ans_secure; total->svr.ans_bogus += a->svr.ans_bogus; + total->svr.val_ops += a->svr.val_ops; total->svr.unwanted_replies += a->svr.unwanted_replies; total->svr.unwanted_queries += a->svr.unwanted_queries; total->svr.tcp_accept_usage += a->svr.tcp_accept_usage; diff --git a/daemon/unbound.c b/daemon/unbound.c index 306fe6caf..164d0fb89 100644 --- a/daemon/unbound.c +++ b/daemon/unbound.c @@ -174,7 +174,7 @@ static void checkrlimits(struct config_file* cfg) { #ifndef S_SPLINT_S -#ifdef HAVE_GETRLIMIT +#if defined(HAVE_GETRLIMIT) && !defined(unbound_testbound) /* list has number of ports to listen to, ifs number addresses */ int list = ((cfg->do_udp?1:0) + (cfg->do_tcp?1 + (int)cfg->incoming_num_tcp:0)); @@ -463,6 +463,62 @@ detach(void) #endif /* HAVE_DAEMON */ } +#ifdef HAVE_SSL +/* setup a listening ssl context, fatal_exit() on any failure */ +static void +setup_listen_sslctx(void** ctx, int is_dot, int is_doh, struct config_file* cfg) +{ + if(!(*ctx = listen_sslctx_create( + cfg->ssl_service_key, cfg->ssl_service_pem, NULL, + cfg->tls_ciphers, cfg->tls_ciphersuites, + (cfg->tls_session_ticket_keys.first && + cfg->tls_session_ticket_keys.first->str[0] != 0), + is_dot, is_doh))) { + fatal_exit("could not set up listen SSL_CTX"); + } +} +#endif /* HAVE_SSL */ + +/* setups the needed ssl contexts, fatal_exit() on any failure */ +static void +setup_sslctxs(struct daemon* daemon, struct config_file* cfg) +{ +#ifdef HAVE_SSL + if(!(daemon->rc = daemon_remote_create(cfg))) + fatal_exit("could not set up remote-control"); + if(cfg->ssl_service_key && cfg->ssl_service_key[0]) { + /* setup the session keys; the callback to use them will be + * attached to each sslctx separately */ + if(cfg->tls_session_ticket_keys.first && + cfg->tls_session_ticket_keys.first->str[0] != 0) { + if(!listen_sslctx_setup_ticket_keys( + cfg->tls_session_ticket_keys.first)) { + fatal_exit("could not set session ticket SSL_CTX"); + } + } + (void)setup_listen_sslctx(&daemon->listen_dot_sslctx, 1, 0, cfg); +#ifdef HAVE_NGHTTP2_NGHTTP2_H + if(cfg_has_https(cfg)) { + (void)setup_listen_sslctx(&daemon->listen_doh_sslctx, 0, 1, cfg); + } +#endif +#ifdef HAVE_NGTCP2 + if(cfg_has_quic(cfg)) { + if(!(daemon->listen_quic_sslctx = quic_sslctx_create( + cfg->ssl_service_key, cfg->ssl_service_pem, NULL))) { + fatal_exit("could not set up quic SSL_CTX"); + } + } +#endif /* HAVE_NGTCP2 */ + } + if(!(daemon->connect_dot_sslctx = connect_sslctx_create(NULL, NULL, + cfg->tls_cert_bundle, cfg->tls_win_cert))) + fatal_exit("could not set up connect SSL_CTX"); +#else /* HAVE_SSL */ + (void)daemon;(void)cfg; +#endif /* HAVE_SSL */ +} + /** daemonize, drop user privileges and chroot if needed */ static void perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode, @@ -489,36 +545,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode, #endif /* read ssl keys while superuser and outside chroot */ -#ifdef HAVE_SSL - if(!(daemon->rc = daemon_remote_create(cfg))) - fatal_exit("could not set up remote-control"); - if(cfg->ssl_service_key && cfg->ssl_service_key[0]) { - if(!(daemon->listen_sslctx = listen_sslctx_create( - cfg->ssl_service_key, cfg->ssl_service_pem, NULL))) - fatal_exit("could not set up listen SSL_CTX"); - if(cfg->tls_ciphers && cfg->tls_ciphers[0]) { - if (!SSL_CTX_set_cipher_list(daemon->listen_sslctx, cfg->tls_ciphers)) { - fatal_exit("failed to set tls-cipher %s", cfg->tls_ciphers); - } - } -#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES - if(cfg->tls_ciphersuites && cfg->tls_ciphersuites[0]) { - if (!SSL_CTX_set_ciphersuites(daemon->listen_sslctx, cfg->tls_ciphersuites)) { - fatal_exit("failed to set tls-ciphersuites %s", cfg->tls_ciphersuites); - } - } -#endif - if(cfg->tls_session_ticket_keys.first && - cfg->tls_session_ticket_keys.first->str[0] != 0) { - if(!listen_sslctx_setup_ticket_keys(daemon->listen_sslctx, cfg->tls_session_ticket_keys.first)) { - fatal_exit("could not set session ticket SSL_CTX"); - } - } - } - if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL, - cfg->tls_cert_bundle, cfg->tls_win_cert))) - fatal_exit("could not set up connect SSL_CTX"); -#endif + (void)setup_sslctxs(daemon, cfg); /* init syslog (as root) if needed, before daemonize, otherwise * a fork error could not be printed since daemonize closed stderr.*/ @@ -681,6 +708,9 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode, * it would succeed on SIGHUP as well */ if(!cfg->use_syslog) log_init(cfg->logfile, cfg->use_syslog, cfg->chrootdir); + daemon->cfgfile = strdup(*cfgfile); + if(!daemon->cfgfile) + fatal_exit("out of memory in daemon cfgfile strdup"); } /** @@ -715,6 +745,7 @@ run_daemon(const char* cfgfile, int cmdline_verbose, int debug_mode, int need_pi "the commandline to see more errors, " "or unbound-checkconf", cfgfile); log_warn("Continuing with default config settings"); + config_auto_slab_values(cfg); } apply_settings(daemon, cfg, cmdline_verbose, debug_mode); if(!done_setup) diff --git a/daemon/worker.c b/daemon/worker.c index 7bce4d5a1..77417c249 100644 --- a/daemon/worker.c +++ b/daemon/worker.c @@ -371,6 +371,84 @@ worker_check_request(sldns_buffer* pkt, struct worker* worker, return; } +/** + * Send fast-reload acknowledgement to the mainthread in one byte. + * This signals that this worker has received the previous command. + * The worker is waiting if that is after a reload_stop command. + * Or the worker has briefly processed the event itself, and in doing so + * released data pointers to old config, after a reload_poll command. + */ +static void +worker_send_reload_ack(struct worker* worker) +{ + /* If this is clipped to 8 bits because thread_num>255, then that + * is not a problem, the receiver counts the number of bytes received. + * The number is informative only. */ + uint8_t c = (uint8_t)worker->thread_num; + ssize_t ret; + while(1) { + ret = send(worker->daemon->fast_reload_thread->commreload[1], + (void*)&c, 1, 0); + if(ret == -1) { + if( +#ifndef USE_WINSOCK + errno == EINTR || errno == EAGAIN +# ifdef EWOULDBLOCK + || errno == EWOULDBLOCK +# endif +#else + WSAGetLastError() == WSAEINTR || + WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEWOULDBLOCK +#endif + ) + continue; /* Try again. */ + log_err("worker reload ack reply: send failed: %s", + sock_strerror(errno)); + break; + } + break; + } +} + +/** stop and wait to resume the worker */ +static void +worker_stop_and_wait(struct worker* worker) +{ + uint8_t* buf = NULL; + uint32_t len = 0, cmd; + worker_send_reload_ack(worker); + /* wait for reload */ + if(!tube_read_msg(worker->cmd, &buf, &len, 0)) { + log_err("worker reload read reply failed"); + return; + } + if(len != sizeof(uint32_t)) { + log_err("worker reload reply, bad control msg length %d", + (int)len); + free(buf); + return; + } + cmd = sldns_read_uint32(buf); + free(buf); + if(cmd == worker_cmd_quit) { + /* quit anyway */ + verbose(VERB_ALGO, "reload reply, control cmd quit"); + comm_base_exit(worker->base); + return; + } + if(cmd != worker_cmd_reload_start) { + log_err("worker reload reply, wrong reply command"); + } + if(worker->daemon->fast_reload_drop_mesh) { + verbose(VERB_ALGO, "worker: drop mesh queries after reload"); + mesh_delete_all(worker->env.mesh); + } + fast_reload_worker_pickup_changes(worker); + worker_send_reload_ack(worker); + verbose(VERB_ALGO, "worker resume after reload"); +} + void worker_handle_control_cmd(struct tube* ATTR_UNUSED(tube), uint8_t* msg, size_t len, int error, void* arg) @@ -406,6 +484,15 @@ worker_handle_control_cmd(struct tube* ATTR_UNUSED(tube), uint8_t* msg, verbose(VERB_ALGO, "got control cmd remote"); daemon_remote_exec(worker); break; + case worker_cmd_reload_stop: + verbose(VERB_ALGO, "got control cmd reload_stop"); + worker_stop_and_wait(worker); + break; + case worker_cmd_reload_poll: + verbose(VERB_ALGO, "got control cmd reload_poll"); + fast_reload_worker_pickup_changes(worker); + worker_send_reload_ack(worker); + break; default: log_err("bad command %d", (int)cmd); break; @@ -600,7 +687,8 @@ apply_respip_action(struct worker* worker, const struct query_info* qinfo, return 1; if(!respip_rewrite_reply(qinfo, cinfo, rep, encode_repp, &actinfo, - alias_rrset, 0, worker->scratchpad, az, NULL)) + alias_rrset, 0, worker->scratchpad, az, NULL, + worker->env.views, worker->env.respip_set)) return 0; /* xxx_deny actions mean dropping the reply, unless the original reply @@ -761,7 +849,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo, } else if(partial_rep && !respip_merge_cname(partial_rep, qinfo, rep, cinfo, must_validate, &encode_rep, worker->scratchpad, - worker->env.auth_zones)) { + worker->env.auth_zones, worker->env.views, + worker->env.respip_set)) { goto bail_out; } if(encode_rep != rep) { @@ -1082,7 +1171,7 @@ answer_notify(struct worker* w, struct query_info* qinfo, if(verbosity >= VERB_DETAIL) { char buf[380]; - char zname[255+1]; + char zname[LDNS_MAX_DOMAINLEN]; char sr[25]; dname_str(qinfo->qname, zname); sr[0]=0; @@ -1413,7 +1502,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, return 0; } if(c->dnscrypt && !repinfo->is_dnscrypted) { - char buf[LDNS_MAX_DOMAINLEN+1]; + char buf[LDNS_MAX_DOMAINLEN]; /* Check if this is unencrypted and asking for certs */ worker_check_request(c->buffer, worker, &check_result); if(check_result.value != 0) { @@ -1618,6 +1707,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, repinfo->client_addrlen, edns.cookie_valid, c->buffer)) { worker->stats.num_queries_ip_ratelimited++; + regional_free_all(worker->scratchpad); comm_point_drop_reply(repinfo); return 0; } @@ -1729,8 +1819,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error, goto send_reply; } if(worker->env.auth_zones && - auth_zones_answer(worker->env.auth_zones, &worker->env, - &qinfo, &edns, repinfo, c->buffer, worker->scratchpad)) { + auth_zones_downstream_answer(worker->env.auth_zones, + &worker->env, &qinfo, &edns, repinfo, c->buffer, + worker->scratchpad)) { regional_free_all(worker->scratchpad); if(sldns_buffer_limit(c->buffer) == 0) { comm_point_drop_reply(repinfo); @@ -1783,20 +1874,11 @@ worker_handle_request(struct comm_point* c, void* arg, int error, /* If we've found a local alias, replace the qname with the alias * target before resolving it. */ if(qinfo.local_alias) { - struct ub_packed_rrset_key* rrset = qinfo.local_alias->rrset; - struct packed_rrset_data* d = rrset->entry.data; - - /* Sanity check: our current implementation only supports - * a single CNAME RRset as a local alias. */ - if(qinfo.local_alias->next || - rrset->rk.type != htons(LDNS_RR_TYPE_CNAME) || - d->count != 1) { - log_err("assumption failure: unexpected local alias"); + if(!local_alias_shallow_copy_qname(qinfo.local_alias, &qinfo.qname, + &qinfo.qname_len)) { regional_free_all(worker->scratchpad); return 0; /* drop it */ } - qinfo.qname = d->rr_data[0] + 2; - qinfo.qname_len = d->rr_len[0] - 2; } /* If we may apply IP-based actions to the answer, build the client @@ -1813,7 +1895,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, cinfo_tmp.tag_datas = acladdr->tag_datas; cinfo_tmp.tag_datas_size = acladdr->tag_datas_size; cinfo_tmp.view = acladdr->view; - cinfo_tmp.respip_set = worker->daemon->respip_set; + cinfo_tmp.view_name = NULL; cinfo = &cinfo_tmp; } @@ -1845,10 +1927,10 @@ lookup_cache: * its qname must be that used for cache * lookup. */ if((worker->env.cfg->prefetch && - *worker->env.now >= rep->prefetch_ttl) || + rep->prefetch_ttl <= *worker->env.now) || (worker->env.cfg->serve_expired && - *worker->env.now > rep->ttl)) { - + rep->ttl < *worker->env.now && + !(*worker->env.now < rep->serve_expired_norec_ttl))) { time_t leeway = rep->ttl - *worker->env.now; if(rep->ttl < *worker->env.now) leeway = 0; @@ -1966,13 +2048,13 @@ send_reply_rc: &repinfo->client_addr, repinfo->client_addrlen, tv, 1, c->buffer, (worker->env.cfg->log_destaddr?(void*)repinfo->c->socket->addr:NULL), - c->type); + c->type, c->ssl); } else { log_reply_info(NO_VERBOSE, &qinfo, &repinfo->client_addr, repinfo->client_addrlen, tv, 1, c->buffer, (worker->env.cfg->log_destaddr?(void*)repinfo->c->socket->addr:NULL), - c->type); + c->type, c->ssl); } } #ifdef USE_DNSCRYPT @@ -2173,10 +2255,11 @@ worker_init(struct worker* worker, struct config_file *cfg, : cfg->tcp_idle_timeout, cfg->harden_large_queries, cfg->http_max_streams, cfg->http_endpoint, cfg->http_notls_downstream, - worker->daemon->tcl, worker->daemon->listen_sslctx, + worker->daemon->tcl, worker->daemon->listen_dot_sslctx, + worker->daemon->listen_doh_sslctx, + worker->daemon->listen_quic_sslctx, dtenv, worker->daemon->doq_table, worker->env.rnd, - cfg->ssl_service_key, cfg->ssl_service_pem, cfg, - worker_handle_request, worker); + cfg, worker_handle_request, worker); if(!worker->front) { log_err("could not create listening sockets"); worker_delete(worker); @@ -2191,7 +2274,7 @@ worker_init(struct worker* worker, struct config_file *cfg, cfg->unwanted_threshold, cfg->outgoing_tcp_mss, &worker_alloc_cleanup, worker, cfg->do_udp || cfg->udp_upstream_without_downstream, - worker->daemon->connect_sslctx, cfg->delay_close, + worker->daemon->connect_dot_sslctx, cfg->delay_close, cfg->tls_use_sni, dtenv, cfg->udp_connect, cfg->max_reuse_tcp_queries, cfg->tcp_reuse_timeout, cfg->tcp_auth_query_timeout); diff --git a/daemon/worker.h b/daemon/worker.h index ab2fc728d..b7bb52fd7 100644 --- a/daemon/worker.h +++ b/daemon/worker.h @@ -72,7 +72,13 @@ enum worker_commands { /** obtain statistics without statsclear */ worker_cmd_stats_noreset, /** execute remote control command */ - worker_cmd_remote + worker_cmd_remote, + /** for fast-reload, perform stop */ + worker_cmd_reload_stop, + /** for fast-reload, start again */ + worker_cmd_reload_start, + /** for fast-reload, poll to make sure worker has released data */ + worker_cmd_reload_poll }; /** diff --git a/dns64/dns64.c b/dns64/dns64.c index f028cd28a..fbdbd87b9 100644 --- a/dns64/dns64.c +++ b/dns64/dns64.c @@ -631,7 +631,7 @@ handle_event_moddone(struct module_qstate* qstate, int id) /* When an AAAA query completes check if we want to perform DNS64 * synthesis. We skip queries with DNSSEC enabled (!CD) and - * ones generated by us to retrive the A/PTR record to use for + * ones generated by us to retrieve the A/PTR record to use for * synth. */ int could_synth = qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA && diff --git a/dnstap/dnstap.c b/dnstap/dnstap.c index cff308f93..3b2730182 100644 --- a/dnstap/dnstap.c +++ b/dnstap/dnstap.c @@ -192,8 +192,11 @@ static void dt_apply_identity(struct dt_env *env, struct config_file *cfg) { char buf[MAXHOSTNAMELEN+1]; - if (!cfg->dnstap_send_identity) + if (!cfg->dnstap_send_identity) { + free(env->identity); + env->identity = NULL; return; + } free(env->identity); if (cfg->dnstap_identity == NULL || cfg->dnstap_identity[0] == 0) { if (gethostname(buf, MAXHOSTNAMELEN) == 0) { @@ -215,8 +218,11 @@ dt_apply_identity(struct dt_env *env, struct config_file *cfg) static void dt_apply_version(struct dt_env *env, struct config_file *cfg) { - if (!cfg->dnstap_send_version) + if (!cfg->dnstap_send_version) { + free(env->version); + env->version = NULL; return; + } free(env->version); if (cfg->dnstap_version == NULL || cfg->dnstap_version[0] == 0) env->version = strdup(PACKAGE_STRING); @@ -230,13 +236,8 @@ dt_apply_version(struct dt_env *env, struct config_file *cfg) } void -dt_apply_cfg(struct dt_env *env, struct config_file *cfg) +dt_apply_logcfg(struct dt_env *env, struct config_file *cfg) { - if (!cfg->dnstap) - return; - - dt_apply_identity(env, cfg); - dt_apply_version(env, cfg); if ((env->log_resolver_query_messages = (unsigned int) cfg->dnstap_log_resolver_query_messages)) { @@ -275,6 +276,17 @@ dt_apply_cfg(struct dt_env *env, struct config_file *cfg) lock_basic_unlock(&env->sample_lock); } +void +dt_apply_cfg(struct dt_env *env, struct config_file *cfg) +{ + if (!cfg->dnstap) + return; + + dt_apply_identity(env, cfg); + dt_apply_version(env, cfg); + dt_apply_logcfg(env, cfg); +} + int dt_init(struct dt_env *env, struct comm_base* base) { @@ -530,7 +542,7 @@ dt_msg_send_outside_query(struct dt_env *env, qflags = sldns_buffer_read_u16_at(qmsg, 2); /* type */ - if (qflags & BIT_RD) { + if ((qflags & BIT_RD)) { if (!env->log_forwarder_query_messages) return; dt_msg_init(env, &dm, DNSTAP__MESSAGE__TYPE__FORWARDER_QUERY); @@ -587,7 +599,7 @@ dt_msg_send_outside_response(struct dt_env *env, qflags = ntohs(qflags); /* type */ - if (qflags & BIT_RD) { + if ((qflags & BIT_RD)) { if (!env->log_forwarder_response_messages) return; dt_msg_init(env, &dm, DNSTAP__MESSAGE__TYPE__FORWARDER_RESPONSE); diff --git a/dnstap/dnstap.h b/dnstap/dnstap.h index 21c033697..4390a9cf1 100644 --- a/dnstap/dnstap.h +++ b/dnstap/dnstap.h @@ -106,6 +106,13 @@ dt_create(struct config_file* cfg); void dt_apply_cfg(struct dt_env *env, struct config_file *cfg); +/** + * Apply config settings for log enable for message types. + * @param env: dnstap environment object. + * @param cfg: new config settings. + */ +void dt_apply_logcfg(struct dt_env *env, struct config_file *cfg); + /** * Initialize per-worker state in dnstap environment object. * @param env: dnstap environment object to initialize, created with dt_create(). diff --git a/dnstap/dnstap.m4 b/dnstap/dnstap.m4 index 78d0dd68b..89eda929b 100644 --- a/dnstap/dnstap.m4 +++ b/dnstap/dnstap.m4 @@ -18,10 +18,41 @@ AC_DEFUN([dt_DNSTAP], [opt_dnstap_socket_path="$1"]) if test "x$opt_dnstap" != "xno"; then - AC_PATH_PROG([PROTOC_C], [protoc-c]) - if test -z "$PROTOC_C"; then - AC_MSG_ERROR([The protoc-c program was not found. Please install protobuf-c!]) - fi + AC_PATH_PROG([PROTOC], [protoc]) + # 'protoc-c' is deprecated. We use 'protoc' instead. If it can not be + # found, try 'protoc-c'. + if test -z "$PROTOC"; then + AC_PATH_PROG([PROTOC_C], [protoc-c]) + else + PROTOC_C="$PROTOC" + fi + if test -z "$PROTOC_C"; then + AC_MSG_ERROR([[The protoc or protoc-c program was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c to provide protoc or protoc-c]]) + fi + + # Check for protoc-gen-c plugin + AC_PATH_PROG([PROTOC_GEN_C], [protoc-gen-c]) + if test -z "$PROTOC_GEN_C"; then + AC_MSG_ERROR([[The protoc-gen-c plugin was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c-compiler to provide protoc-gen-c]]) + fi + + # Test that protoc-gen-c actually works + AC_MSG_CHECKING([if protoc-gen-c plugin works]) + cat > conftest.proto << EOF +syntax = "proto2"; +message TestMessage { + optional string test_field = 1; +} +EOF + if $PROTOC_C --c_out=. conftest.proto >/dev/null 2>&1; then + AC_MSG_RESULT([yes]) + rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h + else + AC_MSG_RESULT([no]) + rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h + AC_MSG_ERROR([[The protoc-gen-c plugin is not working properly. Please ensure protobuf-c-compiler is properly installed]]) + fi + AC_ARG_WITH([protobuf-c], AS_HELP_STRING([--with-protobuf-c=path], [Path where protobuf-c is installed, for dnstap]), [ diff --git a/dnstap/dnstap.proto b/dnstap/dnstap.proto index dfc8ad411..75b8757c2 100644 --- a/dnstap/dnstap.proto +++ b/dnstap/dnstap.proto @@ -98,7 +98,7 @@ message Policy { // rule: the rule matched by the message. // // In a RPZ context, this is the owner name of the rule in - // the Reponse Policy Zone in wire format. + // the Response Policy Zone in wire format. optional bytes rule = 2; // action: the policy action taken in response to the diff --git a/dnstap/dtstream.c b/dnstap/dtstream.c index 2d5ab20f0..39d43403b 100644 --- a/dnstap/dtstream.c +++ b/dnstap/dtstream.c @@ -1509,7 +1509,7 @@ void dtio_output_cb(int ATTR_UNUSED(fd), short bits, void* arg) } #endif - if((bits&UB_EV_READ || dtio->ssl_brief_write)) { + if((bits&UB_EV_READ) || dtio->ssl_brief_write) { #ifdef HAVE_SSL if(dtio->ssl_brief_write) (void)dtio_disable_brief_write(dtio); diff --git a/dnstap/unbound-dnstap-socket.c b/dnstap/unbound-dnstap-socket.c index 7f8be4965..a01627de9 100644 --- a/dnstap/unbound-dnstap-socket.c +++ b/dnstap/unbound-dnstap-socket.c @@ -346,7 +346,8 @@ static struct tap_socket* tap_socket_new_tlsaccept(char* ip, s->fd = -1; s->ev_cb = ev_cb; s->data = data; - s->sslctx = listen_sslctx_create(server_key, server_cert, verifypem); + s->sslctx = listen_sslctx_create(server_key, server_cert, verifypem, + NULL, NULL, 0, 0, 0); if(!s->sslctx) { log_err("could not create ssl context"); free(s->ip); @@ -1786,6 +1787,20 @@ void remote_get_opt_ssl(char* ATTR_UNUSED(str), void* ATTR_UNUSED(arg)) log_assert(0); } +void fast_reload_service_cb(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev), + void* ATTR_UNUSED(arg)) +{ + log_assert(0); +} + +int fast_reload_client_callback(struct comm_point* ATTR_UNUSED(c), + void* ATTR_UNUSED(arg), int ATTR_UNUSED(error), + struct comm_reply* ATTR_UNUSED(repinfo)) +{ + log_assert(0); + return 0; +} + #ifdef HAVE_NGTCP2 void doq_client_event_cb(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev), void* ATTR_UNUSED(arg)) diff --git a/doc/Changelog b/doc/Changelog index abb60af22..5fe960354 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,470 @@ +8 September 2025: Yorgos + - Update documentation for using "SET ... EX" in Redis. + - Document max buffer sizes for Redis commands. + - Update man pages. + +3 September 2025: Wouter + - For #1328: make depend. + +2 September 2025: Wouter + - Fix #1235: Outdated Python2 code in + unbound/pythonmod/examples/log.py. + - Fix #1324: Memory leak in 'msgparse.c' in + 'parse_edns_options_from_query(...)'. + - Fix indentation in tcp-mss option parsing. + +1 September 2025: Wouter + - Fix for #1324: Fix to free edns options scratch in ratelimit case. + +29 August 2025: Yorgos + - Limit the number of consecutive reads on an HTTP/2 session. + Thanks to Gal Bar Nahum for exposing the possibility of infinite + reads on the session. + +28 August 2025: Wouter + - Fix setup_listen_sslctx warning for nettle compile. + +27 August 2025: Wouter + - Fix unbound-control dump_cache for double unlock of lruhash table. + +26 August 2025: Wouter + - Fix ports workflow to install expat for macos. + +22 August 2025: Wouter + - For #1318: Fix compile warnings for DoH compile on windows. + - Fix sha1 enable environment variable in test code on windows. + - Fix #1319: [FR] zone status for Unbound auth-zones. + - Fix that the zone acquired timestamp is set after the + zonefile is read. + +21 August 2025: Wouter + - Fix to check for extraneous command arguments for unbound-control, + when the command takes no arguments but there are arguments present. + - Fix #1317: Unbound starts too early. Add + Wants=network-online.target under [Unit] in unbound.service. + - Fix for #1317: Fix contrib/unbound.service comment path for + systemd network configuration. + +15 August 2025: Wouter + - unbound-control cache_lookup +t allows tld and root names. And + subnet cache contents are printed. + - Fix cache_lookup subnet printout to wipe zero part of the prefix. + - Fix cache_lookup subnet print to not print messages without rrsets + and perform in-depth check on node in the addrtree. + +14 August 2025: Wouter + - Fix to increase responsiveness of dump_cache. + - Fix to decouple file descriptor activity and cache lookups in + dump_cache. + +13 August 2025: Wouter + - unbound-control cache_lookup prints the cached rrsets + and messages for those. + - Fix to remove debug from cache_lookup. + - Fix to unlock cache_lookup message for malformed records. + +12 August 2025: Wouter + - Fix that unbound-control dump_cache releases the cache locks + every so often, so that the server stays responsive. + +7 August 2025: Wouter + - Fix dname_str for printout of long names. Thanks to Jan Komissar + for the fix. + - Fix that edns-subnet failure to create a subquery errors as + servfail, and not formerror. + - Fix to whitespace in dname_str. + +6 August 2025: Wouter + - Fix edns subnet, so that the subquery without subnet is stored in + global cache if the querier used 0.0.0.0/0 and the name and address + do not receive subnet treatment. If the name and address are + configured for subnet, it is stored in the subnet cache. + +5 August 2025: Wouter + - Fix #1309: incorrectly reclaimed tcp handler can cause data + corruption and segfault. + - Fix to use assertions for consistency checks in #1309 reclaimed + tcp handlers. + +1 August 2025: Wouter + - Fix testbound test program to accurately output packets from hex. + +28 July 2025: Wouter + - Fix redis cachedb module gettimeofday init failure. + +24 July 2025: Wouter + - Redis checks for server down and throttles reconnects. + +17 July 2025: Wouter + - Fix to not set rlimits in the unit tests. + - Fix #1303: [FR] Disable TLSv1.2. + - iana portlist updated. + +16 July 2025: Wouter + - Fix for RebirthDay Attack CVE-2025-5994, reported by Xiang Li + from AOSP Lab Nankai University. + - Tag for 1.23.1 with the release of 1.23.0 and the CVE fix, the + repository continues with the previous fixes, with 1.23.2. + - Add unit tests for non-ecs aggregation. + +12 July 2025: Yorgos + - Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to + track the number of signature validation operations. + Adds 'num.valops' to extended statistics. + - For #1289: test num.valops in existing stat_values.tdir. + - For #1289: add num.valops in the unbound-control man page. + +11 July 2025: Wouter + - Fix detection of SSL_CTX_set_tmp_ecdh function. + - For #1301: configure cant find SSL_is_quic in OpenSSL 3.5.1. + +8 July 2025: Wouter + - Fix to improve dnstap discovery on Fedora. + +3 July 2025: Wouter + - Fix #1300: Is 'sock-queue-timeout' a linux only feature. + - For #1300: implement sock-queue-timeout for FreeBSD as well. + - Fix layout of comm_point_udp_ancil_callback. + +2 July 2025: Wouter + - Merge #1299: Fix typos. + - Generate ltmain.sh and configure again. + +25 June 2025: Yorgos + - Fix #1247: forward-first: ssl handshake failed on root nameservers. + - For #1247, turn off fetch-policy for delegation when looking into + parent side name servers that may not update the addresses and hit + NXNS limits. + - For #1247, replay test (added tcp_transport to + outnet_serviced_query). + +20 June 2025: Yorgos + - Fix #1293: EDE 6 is attached to insecure cached answers when client + sends the CD bit. + +19 June 2025: Wouter + - Fix #1296: DNS over QUIC depends on a very outdated version of + ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0. + - Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod. + - Fix rrset cache create allocation failure case. + +17 June 2025: Yorgos + - Fix for consistent use of local zone CNAME alias for configured auth + zones. Now it also applies to downstream configured auth zones. + +16 June 2025: Wouter + - Fix to check control-interface addresses in unbound-checkconf. + - Fix #1295: Windows 32-bit binaries download seems to be missing dll + dependency. + +12 June 2025: Wouter + - Fix header return value description for skip_pkt_rrs and + parse_edns_from_query_pkt. + +11 June 2025: Wouter + - Fix bitwise operators in conditional expressions with parentheses. + - Fix conditional expressions with parentheses for bitwise and. + +5 June 2025: Wouter + - Fix unbound-anchor certificate file read for line ends and end of + file. + - Fix comment for the dname_remove_label_limit_len function. + - iana portlist updated. + +3 June 2025: Yorgos + - Small manpage corrections for the 'disable-dnssec-lame-check' option. + +21 May 2025: Wouter + - Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound + program. + +20 May 2025: Yorgos + - Merge #1285: RST man pages. It introduces restructuredText man pages + to sync the online and source code man page documentation. + The templated man pages (*.in) are still part of the repo but + generated with docutils from their .rst counterpart. + Documentation on how to generate those (mainly for core developers) + is in README.man. + - Add more checks about respip in unbound-checkconf. + Also fixes #310: unbound-checkconf not reporting RPZ configuration + error. + +19 May 2025: Wouter + - Fix for cname chain length with qtype ANY and qname minimisation. + Thanks to Jim Greenwood from Nominet for the report. + +15 May 2025: Wouter + - Fix config of slab values when there is no config file. + +13 May 2025: Yorgos + - Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug) + by adding a log_assert() to safeguard future development. + - Fix #1282: log-destaddr fail on long ipv6 addresses. + +13 May 2025: Wouter + - Change default for so-sndbuf to 1m, to mitigate a cross-layer + issue where the UDP socket send buffers are exhausted waiting + for ARP/NDP resolution. Thanks to Reflyable for the report. + - Adjusted so-sndbuf default to 4m. + +12 May 2025: Yorgos + - Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on + broken auth zones that include unsigned out of zone (above apex) + data. Could lead to hang while trying to prove a wildcard answer. + +12 May 2025: Wouter + - Fix #1283: Unsafe usage of atoi() while parsing the configuration + file. + +9 May 2025: Wouter + - Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ." + in 1.23.0, but worked in 1.22.0. + +5 May 2025: Yorgos + - Sync unbound and unbound-checkconf log output for unknown modules. + +29 April 2025: Wouter + - Fix for parallel build of dnstap protoc-c output. + - Fix dnstap to use protoc. + +29 April 2025: Yorgos + - Merge #1276: Auto-configure '-slabs' values. + +28 April 2025: Yorgos + - Merge #1275: Use macros for the fr_check_changed* functions. + +25 April 2025: Wouter + - Fix #1272: assertion failure testcode/unitverify.c:202. + +16 April 2025: Wouter + - Increase default to `num-queries-per-thread: 2048`, when unbound is + compiled with libevent. It makes saturation of the task queue more + resource intensive and less practical. Thanks to Shiming Liu, + Network and Information Security Lab, Tsinghua University for the + report. + +11 April 2025: Wouter + - Tag for 1.23.0rc2. This became the release of 1.23.0 on 24 April + 2025. The code repository continues with 1.23.1 in development. + +11 April 2025: Yorgos + - Merge #1265: Fix WSAPoll. + +10 April 2025: Wouter + - Fix for print of connection type in log-replies for dot and doh. + +9 April 2025: Wouter + - Fix to detect if atomic_store links in configure. + - Fix #1264: unbound 1.22.0 leaks memory when doing DoH. + +8 April 2025: Wouter + - Tag for 1.23.0rc1. + - Fix fast_reload to print chroot with config file name. + +7 April 2025: Yorgos + - Merge #902: DNS Error Reporting (RFC 9567). Introduces new + configuration option 'dns-error-reporting' and new statistics for + 'num.dns_error_reports'. + +4 April 2025: Wouter + - Fix mesh_copy_client_info to omit null contents from copy. + - Fix comment name in the rpz nsdname test. + - Fix nettle compile for warnings and ticket keys. + - Fix redis_replica test for unused option defaults and log printout. + - Fix test to speed up common.sh script kill_pid. + - Fix to update common.sh for speed of kill_pid. + +4 April 2025: Yorgos + - Merge #1019: Redis read-only replica support. + Introduces new 'redis-replica-*' options for the Redis cache backend. + +3 April 2025: Wouter + - Fix #1263: Exempt loopback addresses from wait-limit. + - Fix wait-limit-netblock and wait-limit-cookie-netblock config parse + to allow two arguments. + - Fix ub_event and include dnstap and win_svc headers. + - Fix test for stat_values for wait limit defaults for localhost. + - Fix parameter unused warning in net_help.c. + +2 April 2025: Yorgos + - Merge #1262 from markyang92, fix build with + 'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c. + - For #1262, ifdef is no longer needed. + +2 April 2025: Wouter + - Fix unbound-control test so it counts the new flush_negative output, + also answers the _ta probe from testns and prints command output + and skip a thread specific test when no threads are available. + - Fix that ub_event has the facility to deal with callbacks for + fast reload, doq, windows-stop and dnstap. + - Fix fast reload test to check if pid exists before acting on it. + +1 April 2025: Wouter + - Fix escape more characters when printing an RR type with an unquoted + string. + - Enable the auth_tls.tdir and auth_tls_failcert.tdir tests. + +31 March 2025: Wouter + - iana portlist update. + - Merge #1042: Fast Reload. The unbound-control fast_reload is added. + It reads changed config in a thread, then only briefly pauses the + service threads, that keep running. DNS service is only interrupted + briefly, less than a second. + - Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir. + +27 March 2025: Wouter + - Fix unit test dname log printout typecast. + - Fix for ci test, expat is installed on the osx image. + +26 March 2025: Yorgos + - Fix #1255: Multiple pinnings to vulnerable copies of libexpat. + - For #1255, for ios use an older expat version that does not require + C++11 language features. + - For #1255, for ios disable building tests that require C++11. + - For #1255, for ios try the latest expat version again. + +24 March 2025: Wouter + - Fix #1254: `send failed: Socket is not connected` and + `remote address is 0.0.0.0 port 53`. + +21 March 2025: Wouter + - Fix #1253: Cache entries fail to be removed from Redis cachedb + backend with unbound-control flush* +c. + - Fix for #1253: Fix for redis cachedb backend to expect an integer + reply for the EXPIRE command. + +20 March 2025: Wouter + - Fix print of RR type NSAP-PTR, it is an unquoted string. + +18 March 2025: Wouter + - Fix #1251: WSAPoll first argument cannot be NULL. + - Fix for windows compile create ssl contexts. + +17 March 2025: Wouter + - Fix representation of types GPOS and RESINFO, add rdf type for + unquoted str. + +16 March 2025: Yorgos + - Fix 'unbound-control flush_negative' when reporting removed data; + reported by David 'eqvinox' Lamparter. + +28 February 2025: Wouter + - Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time. + Add --help output description for the SOURCE_DATE_EPOCH variable. + +25 February 2025: Wouter + - Merge #1243: Do not shadow tm on line 236. + +24 February 2025: Yorgos + - Fix hash calculation for cachedb to ignore case. Previously, cached + records there were only relevant for same case queries (if not + already in Unbound's internal cache). + +19 February 2025: Yorgos + - Fix static analysis report about unhandled EOF on error conditions + when reading anchor key files. + - Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt + values. + +17 February 2025: Yorgos + - Consider reconfigurations when calculating the still_useful_timeout + for servers in the infrastructure cache. + +30 January 2025: Wouter + - Fix #986: Resolving sas.com with dnssec-validation fails though + signed delegations seem to be (mostly) correct. + +29 January 2025: Yorgos + - Make the default value of module-config "validator iterator" + regardless of compilation options. --enable-subnet would implicitly + change the value to enable the subnetcache module by default in the + past. + +24 January 2025: Yorgos + - Merge #1220 from Petr Menšík, Add unbound members group access to + control key. + +21 January 2025: Yorgos + - Use the same interface listening port discovery code for all needed + protocols. + - Port to string only when needed before getaddrinfo(). + - Do not open unencrypted channels next to encrypted ones on the same + port. + - Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is + set. + +21 January 2025: Wouter + - Fix compile of interface check code when dnscrypt or quic is + disabled. + - Fix encoding of RR type ATMA. + - Fix to check length in ATMA string to wire. + - Merge #1229: check before use daemon->shm_info. + +20 January 2025: Yorgos + - Merge #1222: Unique DoT and DoH SSL contexts to allow for different + ALPN. + - Create the quic SSL listening context only when needed. + +15 January 2025: Yorgos + - Merge #1221: Consider auth zones when checking for forwarders. + +14 January 2025: Yorgos + - Add resolver.arpa and service.arpa to the default locally served + zones. + +13 January 2025: Yorgos + - Fix #1213: Misleading error message on default access control causing + refuse. + +10 January 2025: Yorgos + - Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS + handshake. + +31 December 2024: Yorgos + - Merge #1174: Serve expired cache update fixes. Fixes a regression bug + with serve-expired that appeared in 1.22.0 and would not allow the + iterator to update the cache with not-yet-validated entries resulting + in increased outgoing traffic. + +20 December 2024: Yorgos + - For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add + LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT. + +13 December 2024: Yorgos + - Merge #1204: ci: set persist-credentials: false for actions/checkout + per zizmor suggestion. + +3 December 2024: Yorgos + - Merge #1189: Fix the dname_str method to cause conversion errors + when the domain name length is 255. + - Merge #1197: dname_str() fixes. + - For #1175, the default value of serve-expired-ttl is set to 86400 + (1 day) as suggested by RFC8767. + - Merge #1198: Fix log-servfail with serve expired and no useful cache + contents. + - Safeguard alias loop while looking in the cache for expired answers. + - Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege + drop. + - Fix typo in log_servfail.tdir test. + +22 November 2024: Yorgos + - Fix #1175: serve-expired does not adhere to secure-by-default + principle. The default value of serve-expired-client-timeout + is set to 1800 as suggested by RFC8767. + - For #1175, update serve-expired tests. + +20 November 2024: Yorgos + - Fix comparison to help static analyzer. + +19 November 2024: Yorgos + - Merge #1169 from Sergey Kacheev, fix: lock-free counters for + auth_zone up/down queries. + +15 November 2024: Wouter + - Fix #1183: the data being used is released in method + nsec3_hash_test_entry. + - Fix for #1183: release nsec3 hashes per test file. + 8 November 2024: Yorgos - More descriptive text for 'harden-algo-downgrade'. - Complete fix for max-global-quota to 200. @@ -433,7 +900,7 @@ now checks both single and multi process/thread operation. 16 May 2024: Yorgos - - Merge #1070: Fix rtt assignement for low values of + - Merge #1070: Fix rtt assignment for low values of infra-cache-max-rtt. 16 May 2024: Wouter @@ -841,7 +1308,7 @@ 13 October 2023: George - Better fix for infinite loop when reading multiple lines of input on a broken remote control socket, by treating a zero byte line the - same as transmission end. Addesses #947 and #948. + same as transmission end. Addresses #947 and #948. 12 October 2023: Wouter - Merge #944: Disable EDNS DO. @@ -864,7 +1331,7 @@ 10 October 2023: George - Fix infinite loop when reading multiple lines of input on a broken - remote control socket. Addesses #947 and #948. + remote control socket. Addresses #947 and #948. 9 October 2023: Wouter - Fix edns subnet so that queries with a source prefix of zero cause @@ -1297,7 +1764,7 @@ - Ignore expired error responses. 11 November 2022: Wouter - - Fix #779: [doc] Missing documention in ub_resolve_event() for + - Fix #779: [doc] Missing documentation in ub_resolve_event() for callback parameter was_ratelimited. 9 November 2022: George @@ -2261,7 +2728,7 @@ not hang. removed trailing slashes from configure paths. Moved iOS tests to allow-failure. - travis, analyzer disabled on test without debug, that does not - run anway. Turn off failing tests except one. Update iOS test + run anyway. Turn off failing tests except one. Update iOS test to xcode image 12.2. 22 March 2021: George @@ -2350,7 +2817,7 @@ - Fix build on Python 3.10. 10 February 2021: Wouter - - Merge PR #420 from dyunwei: DOH not responsing with + - Merge PR #420 from dyunwei: DOH not responding with "http2_query_read_done failure" logged. 9 February 2021: Wouter @@ -2750,7 +3217,7 @@ 6 August 2020: Wouter - Merge PR #284 and Fix #246: Remove DLV entirely from Unbound. - The DLV has been decommisioned and in unbound 1.5.4, in 2015, there + The DLV has been decommissioned and in unbound 1.5.4, in 2015, there was advise to stop using it. The current code base does not contain DLV code any more. The use of dlv options displays a warning. @@ -3299,7 +3766,7 @@ 3 December 2019: Wouter - Merge pull request #124 from rmetrich: Changed log lock from 'quick' to 'basic' because this is an I/O lock. - - Fix text around serial arithmatic used for RRSIG times to refer + - Fix text around serial arithmetic used for RRSIG times to refer to correct RFC number. - Fix Assert Causing DoS in synth_cname(), reported by X41 D-Sec. @@ -3562,7 +4029,7 @@ - For #52 #53, second context does not close logfile override. - Fix #52 #53, fix for example fail program. - Fix to return after failed auth zone http chunk write. - - Fix to remove unused test for task_probe existance. + - Fix to remove unused test for task_probe existence. - Fix to timeval_add for remaining second in microseconds. - Check repinfo in worker_handle_request, if null, drop it. @@ -4819,7 +5286,7 @@ 1 February 2018: Wouter - fix unaligned structure making a false positive in checklock - unitialised memory. + uninitialised memory. 29 January 2018: Ralph - Use NSEC with longest ce to prove wildcard absence. @@ -5422,8 +5889,8 @@ - Remove (now unused) event2 include from dnscrypt code. 24 March 2017: George - - Fix to prevent non-referal query from being cached as referal when the - no_cache_store flag was set. + - Fix to prevent non-referral query from being cached as referral when + the no_cache_store flag was set. 23 March 2017: Wouter - Fix #1239: configure fails to find python distutils if python @@ -5486,7 +5953,7 @@ 7 March 2017: Wouter - Fix #1230: swig version 2.0.0 is required for pythonmod, with - 1.3.40 it crashes when running repeatly unbound-control reload. + 1.3.40 it crashes when running repeatedly unbound-control reload. - Response actions based on IP address from Jinmei Tatuya (Infoblox). 6 March 2017: Wouter @@ -5502,7 +5969,7 @@ known vulns. 27 February 2017: Wouter - - Fix #1227: Fix that Unbound control allows weak ciphersuits. + - Fix #1227: Fix that Unbound control allows weak ciphersuites. - Fix #1226: provide official 32bit binary for windows. 24 February 2017: Wouter @@ -6491,7 +6958,7 @@ - Fix #674: Do not free pointers given by getenv. 29 May 2015: Wouter - - Fix that unparseable error responses are ratelimited. + - Fix that unparsable error responses are ratelimited. - SOA negative TTL is capped at minimumttl in its rdata section. - cache-max-negative-ttl config option, default 3600. @@ -6509,7 +6976,7 @@ 10 May 2015: Wouter - Change syntax of particular validator error to be easier for - machine parse, swap rrset and ip adres info so it looks like: + machine parse, swap rrset and ip address info so it looks like: validation failure : signature crypto failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN> @@ -8089,7 +8556,7 @@ - fix that --enable-static-exe does not complain about it unknown. 30 June 2011: Wouter - - tag relase 1.4.11, trunk is 1.4.12 development. + - tag release 1.4.11, trunk is 1.4.12 development. - iana portlist updated. - fix bug#395: id bits of other query may leak out under conditions - fix replyaddr count wrong after jostled queries, which leads to @@ -9419,7 +9886,7 @@ 8 June 2009: Wouter - Removed RFC5011 REVOKE flag support. Partial 5011 support may cause - inadvertant behaviour. + inadvertent behaviour. - 1.3.0 tarball for release created. - 1.3.1 development in svn trunk. - iana portlist updated. @@ -9768,7 +10235,7 @@ - initgroups(3) is called to drop secondary group permissions, if applicable. - configure option --with-ldns-builtin forces the use of the - inluded ldns package with the unbound source. The -I include + included ldns package with the unbound source. The -I include is put before the others, so it avoids bad include files from an older ldns install. - daemon(3) posix call is used when available. @@ -10073,7 +10540,7 @@ please ranlib, stop file without symbols warning. - harden referral path now also validates the root after priming. It looks up the root NS authoritatively as well as the root servers - and attemps to validate the entries. + and attempts to validate the entries. 16 October 2008: Wouter - Fixup negative TTL values appearing (reported by Attila Nagy). @@ -10852,7 +11319,7 @@ - please doxygen, put doxygen comment in one place. - asynclook -b blocking mode and test. - refactor asynclook, nicer code. - - fixup race problems from opensll in rand init from library, with + - fixup race problems from openssl in rand init from library, with a mutex around the rand init. - fix pass async_id=NULL to _async resolve(). - rewrote _wait() routine, so that it is threadsafe. @@ -11825,7 +12292,7 @@ 11 June 2007: Wouter - replies on TCP queries have the address field set in replyinfo, for serviced queries, because the initiator does not know that - a TCP fallback has occured. + a TCP fallback has occurred. - omit DNSSEC types from nonDO replies, except if qtype is ANY or if qtype directly queries for the type (and then only show that 'unknown type' in the answer section). diff --git a/doc/README.man b/doc/README.man new file mode 100644 index 000000000..8e7897f47 --- /dev/null +++ b/doc/README.man @@ -0,0 +1,16 @@ +After Unbound 1.23.0, the source of the man pages is in reStructuredText format. + +This helps with the online documentation at https://unbound.docs.nlnetlabs.nl +and makes it easier to maintain and contribute to the documentation. + +The templated man pages (*.in) are still part of the code repository as to not +alter current procedures that could be in place by users/packagers. + +The templated man pages (*.in) are generated by Sphinx (used for the online +documentation). +The online documentation has its own repository at +https://github.com/NLnetLabs/unbound-manual. + +In the README.md there (branch test-auto for now), there are further simple +instructions on how to generate the templated man pages there and update them +in this repository. diff --git a/doc/example.conf.in b/doc/example.conf.in index 55fea6a42..b33e65bfe 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -116,8 +116,8 @@ server: # so-rcvbuf: 0 # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). - # 0 is system default. Use 4m to handle spikes on very busy servers. - # so-sndbuf: 0 + # 0 is system default. Set larger to handle spikes on very busy servers. + # so-sndbuf: 4m # use SO_REUSEPORT to distribute queries over threads. # at extreme load it could be better to turn it off to distribute even. @@ -163,7 +163,7 @@ server: # msg-cache-slabs: 4 # the number of queries that a thread gets to service. - # num-queries-per-thread: 1024 + # num-queries-per-thread: 2048 # if very busy, 50% queries run to completion, 50% get timeout in msec # jostle-timeout: 200 @@ -215,6 +215,12 @@ server: # Apart from the default, the wait limit with cookie can be adjusted. # wait-limit-cookie-netblock: 192.0.2.0/24 50000 + # Defaults for loopback, it has no wait limit. + # wait-limit-netblock: 127.0.0.0/8 -1 + # wait-limit-netblock: ::1/128 -1 + # wait-limit-cookie-netblock: 127.0.0.0/8 -1 + # wait-limit-cookie-netblock: ::1/128 -1 + # the amount of memory to use for the RRset cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # rrset-cache-size: 4m @@ -273,7 +279,7 @@ server: # do-ip6: yes # If running unbound on an IPv6-only host, domains that only have - # IPv4 servers would become unresolveable. If NAT64 is available in + # IPv4 servers would become unresolvable. If NAT64 is available in # the network, unbound can use NAT64 to reach these servers with # the following option. This is NOT needed for enabling DNS64 on a # system that has IPv4 connectivity. @@ -731,12 +737,13 @@ server: # disable-edns-do: no # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. + # the response. By default it first tries to refresh an expired answer. + # Can be configured with serve-expired-client-timeout. # serve-expired: no # # Limit serving of expired responses to configured seconds after # expiration. 0 disables the limit. - # serve-expired-ttl: 0 + # serve-expired-ttl: 86400 # # Set the TTL of expired records to the serve-expired-ttl value after a # failed attempt to retrieve the record from upstream. This makes sure @@ -749,10 +756,9 @@ server: # # Time in milliseconds before replying to the client with expired data. # This essentially enables the serve-stale behavior as specified in - # RFC 8767 that first tries to resolve before - # immediately responding with expired data. 0 disables this behavior. - # A recommended value is 1800. - # serve-expired-client-timeout: 0 + # RFC 8767 that first tries to resolve before immediately responding + # with expired data. 0 disables this behavior. + # serve-expired-client-timeout: 1800 # Return the original TTL as received from the upstream name server rather # than the decrementing TTL as stored in the cache. Enabling this feature @@ -811,6 +817,8 @@ server: # local-zone: "127.in-addr.arpa." nodefault # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault # local-zone: "home.arpa." nodefault + # local-zone: "resolver.arpa." nodefault + # local-zone: "service.arpa." nodefault # local-zone: "onion." nodefault # local-zone: "test." nodefault # local-zone: "invalid." nodefault @@ -1078,6 +1086,11 @@ server: # Note that the ede option above needs to be enabled for this to work. # ede-serve-expired: no + # Enable DNS Error Reporting (RFC9567). + # qname-minimisation is advised to be turned on as well to increase + # privacy on the outgoing reports. + # dns-error-reporting: no + # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. # @@ -1305,9 +1318,9 @@ remote-control: # # redis server's TCP port # redis-server-port: 6379 # # if the server uses a unix socket, set its path, or "" when not used. -# # redis-server-path: "/var/lib/redis/redis-server.sock" +# redis-server-path: "/var/lib/redis/redis-server.sock" # # if the server uses an AUTH password, specify here, or "" when not used. -# # redis-server-password: "" +# redis-server-password: "" # # timeout (in ms) for communication with the redis server # redis-timeout: 100 # # timeout (in ms) for commands, if 0, uses redis-timeout. @@ -1318,6 +1331,22 @@ remote-control: # redis-expire-records: no # # redis logical database to use, 0 is the default database. # redis-logical-db: 0 +# # redis replica server's IP address or host name +# redis-replica-server-host: 127.0.0.1 +# # redis replica server's TCP port +# redis-replica-server-port: 6379 +# # if the replica server uses a unix socket, set its path, or "" when not used. +# redis-replica-server-path: "/var/lib/redis/redis-server.sock" +# # if the replica server uses an AUTH password, specify here, or "" when not used. +# redis-replica-server-password: "" +# # timeout (in ms) for communication with the redis replica server +# redis-replica-timeout: 100 +# # timeout (in ms) for redis replica commands, if 0, uses redis-replica-timeout. +# redis-replica-command-timeout: 0 +# # timeout (in ms) for redis replica connection set up, if 0, uses redis-replica-timeout. +# redis-replica-connect-timeout: 0 +# # redis logical database to use for the replica server, 0 is the default database. +# redis-replica-logical-db: 0 # IPSet # Add specify domain into set via ipset. diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in index 548969142..204cda20c 100644 --- a/doc/libunbound.3.in +++ b/doc/libunbound.3.in @@ -1,335 +1,306 @@ -.TH "libunbound" "3" "@date@" "NLnet Labs" "unbound @version@" -.\" -.\" libunbound.3 -- unbound library functions manual -.\" -.\" Copyright (c) 2007, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -.B libunbound, -.B unbound.h, -.B ub_ctx, -.B ub_result, -.B ub_callback_type, -.B ub_ctx_create, -.B ub_ctx_delete, -.B ub_ctx_set_option, -.B ub_ctx_get_option, -.B ub_ctx_config, -.B ub_ctx_set_fwd, -.B ub_ctx_set_stub, -.B ub_ctx_set_tls, -.B ub_ctx_resolvconf, -.B ub_ctx_hosts, -.B ub_ctx_add_ta, -.B ub_ctx_add_ta_autr, -.B ub_ctx_add_ta_file, -.B ub_ctx_trustedkeys, -.B ub_ctx_debugout, -.B ub_ctx_debuglevel, -.B ub_ctx_async, -.B ub_poll, -.B ub_wait, -.B ub_fd, -.B ub_process, -.B ub_resolve, -.B ub_resolve_async, -.B ub_cancel, -.B ub_resolve_free, -.B ub_strerror, -.B ub_ctx_print_local_zones, -.B ub_ctx_zone_add, -.B ub_ctx_zone_remove, -.B ub_ctx_data_add, -.B ub_ctx_data_remove -\- Unbound DNS validating resolver @version@ functions. -.SH "SYNOPSIS" -.B #include -.LP -\fIstruct ub_ctx *\fR -\fBub_ctx_create\fR(\fIvoid\fR); -.LP -\fIvoid\fR -\fBub_ctx_delete\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_ctx_set_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar*\fR val); -.LP -\fIint\fR -\fBub_ctx_get_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar**\fR val); -.LP -\fIint\fR -\fBub_ctx_config\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_set_fwd\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR addr); -.LP -\fIint\fR -\fBub_ctx_set_stub\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone, -\fIchar*\fR addr, -.br - \fIint\fR isprime); -.LP -\fIint\fR -\fBub_ctx_set_tls\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR tls); -.LP -\fIint\fR -\fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_hosts\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_add_ta\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR ta); -.LP -\fIint\fR -\fBub_ctx_add_ta_autr\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_add_ta_file\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_trustedkeys\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_debugout\fR(\fIstruct ub_ctx*\fR ctx, \fIFILE*\fR out); -.LP -\fIint\fR -\fBub_ctx_debuglevel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR d); -.LP -\fIint\fR -\fBub_ctx_async\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR dothread); -.LP -\fIint\fR -\fBub_poll\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_wait\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_fd\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_process\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_resolve\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name, -.br - \fIint\fR rrtype, \fIint\fR rrclass, \fIstruct ub_result**\fR result); -.LP -\fIint\fR -\fBub_resolve_async\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name, -.br - \fIint\fR rrtype, \fIint\fR rrclass, \fIvoid*\fR mydata, -.br - \fIub_callback_type\fR callback, \fIint*\fR async_id); -.LP -\fIint\fR -\fBub_cancel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR async_id); -.LP -\fIvoid\fR -\fBub_resolve_free\fR(\fIstruct ub_result*\fR result); -.LP -\fIconst char *\fR -\fBub_strerror\fR(\fIint\fR err); -.LP -\fIint\fR -\fBub_ctx_print_local_zones\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_ctx_zone_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name, \fIchar*\fR zone_type); -.LP -\fIint\fR -\fBub_ctx_zone_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name); -.LP -\fIint\fR -\fBub_ctx_data_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data); -.LP -\fIint\fR -\fBub_ctx_data_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data); -.SH "DESCRIPTION" -.B Unbound -is an implementation of a DNS resolver, that does caching and -DNSSEC validation. This is the library API, for using the \-lunbound library. -The server daemon is described in \fIunbound\fR(8). -The library works independent from a running unbound server, and -can be used to convert hostnames to ip addresses, and back, -and obtain other information from the DNS. The library performs public\-key -validation of results with DNSSEC. -.P -The library uses a variable of type \fIstruct ub_ctx\fR to keep context -between calls. The user must maintain it, creating it with -.B ub_ctx_create -and deleting it with -.B ub_ctx_delete\fR. -It can be created and deleted at any time. Creating it anew removes any -previous configuration (such as trusted keys) and clears any cached results. -.P -The functions are thread\-safe, and a context can be used in a threaded (as -well as in a non\-threaded) environment. Also resolution (and validation) -can be performed blocking and non\-blocking (also called asynchronous). -The async method returns from the call immediately, so that processing -can go on, while the results become available later. -.P +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "LIBUNBOUND" "3" "@date@" "@version@" "Unbound" +.SH NAME +libunbound \- Unbound DNS validating resolver @version@ functions. +.SH SYNOPSIS +.sp +\fB#include \fP +.sp +struct ub_ctx * \fBub_ctx_create\fP(void); +.sp +void \fBub_ctx_delete\fP(struct ub_ctx* ctx); +.sp +int \fBub_ctx_set_option\fP(struct ub_ctx* ctx, char* opt, char* val); +.sp +int \fBub_ctx_get_option\fP(struct ub_ctx* ctx, char* opt, char** val); +.sp +int \fBub_ctx_config\fP(struct ub_ctx* ctx, char* fname); +.sp +int \fBub_ctx_set_fwd\fP(struct ub_ctx* ctx, char* addr); +.INDENT 0.0 +.TP +int \fBub_ctx_set_stub\fP(struct ub_ctx* ctx, char* zone, char* addr, +int isprime); +.UNINDENT +.sp +int \fBub_ctx_set_tls\fP(struct ub_ctx* ctx, int tls); +.sp +int \fBub_ctx_resolvconf\fP(struct ub_ctx* ctx, char* fname); +.sp +int \fBub_ctx_hosts\fP(struct ub_ctx* ctx, char* fname); +.sp +int \fBub_ctx_add_ta\fP(struct ub_ctx* ctx, char* ta); +.sp +int \fBub_ctx_add_ta_autr\fP(struct ub_ctx* ctx, char* fname); +.sp +int \fBub_ctx_add_ta_file\fP(struct ub_ctx* ctx, char* fname); +.sp +int \fBub_ctx_trustedkeys\fP(struct ub_ctx* ctx, char* fname); +.sp +int \fBub_ctx_debugout\fP(struct ub_ctx* ctx, FILE* out); +.sp +int \fBub_ctx_debuglevel\fP(struct ub_ctx* ctx, int d); +.sp +int \fBub_ctx_async\fP(struct ub_ctx* ctx, int dothread); +.sp +int \fBub_poll\fP(struct ub_ctx* ctx); +.sp +int \fBub_wait\fP(struct ub_ctx* ctx); +.sp +int \fBub_fd\fP(struct ub_ctx* ctx); +.sp +int \fBub_process\fP(struct ub_ctx* ctx); +.INDENT 0.0 +.TP +int \fBub_resolve\fP(struct ub_ctx* ctx, char* name, +int rrtype, int rrclass, struct ub_result** result); +.TP +int \fBub_resolve_async\fP(struct ub_ctx* ctx, char* name, +int rrtype, int rrclass, void* mydata, +ub_callback_type* callback, int* async_id); +.UNINDENT +.sp +int \fBub_cancel\fP(struct ub_ctx* ctx, int async_id); +.sp +void \fBub_resolve_free\fP(struct ub_result* result); +.sp +const char * \fBub_strerror\fP(int err); +.sp +int \fBub_ctx_print_local_zones\fP(struct ub_ctx* ctx); +.sp +int \fBub_ctx_zone_add\fP(struct ub_ctx* ctx, char* zone_name, char* zone_type); +.sp +int \fBub_ctx_zone_remove\fP(struct ub_ctx* ctx, char* zone_name); +.sp +int \fBub_ctx_data_add\fP(struct ub_ctx* ctx, char* data); +.sp +int \fBub_ctx_data_remove\fP(struct ub_ctx* ctx, char* data); +.SH DESCRIPTION +.sp +Unbound is an implementation of a DNS resolver, that does caching and DNSSEC +validation. +This is the library API, for using the \fB\-lunbound\fP library. +The server daemon is described in \fI\%unbound(8)\fP\&. +The library works independent from a running unbound server, and can be used to +convert hostnames to ip addresses, and back, and obtain other information from +the DNS. +The library performs public\-key validation of results with DNSSEC. +.sp +The library uses a variable of type \fIstruct ub_ctx\fP to keep context between +calls. +The user must maintain it, creating it with \fBub_ctx_create\fP and deleting it +with \fBub_ctx_delete\fP\&. +It can be created and deleted at any time. +Creating it anew removes any previous configuration (such as trusted keys) and +clears any cached results. +.sp +The functions are thread\-safe, and a context can be used in a threaded (as well +as in a non\-threaded) environment. +Also resolution (and validation) can be performed blocking and non\-blocking +(also called asynchronous). +The async method returns from the call immediately, so that processing can go +on, while the results become available later. +.sp The functions are discussed in turn below. -.SH "FUNCTIONS" -.TP +.SH FUNCTIONS +.INDENT 0.0 +.TP .B ub_ctx_create Create a new context, initialised with defaults. -The information from /etc/resolv.conf and /etc/hosts is not utilised -by default. Use -.B ub_ctx_resolvconf -and -.B ub_ctx_hosts -to read them. -Before you call this, use the openssl functions CRYPTO_set_id_callback and -CRYPTO_set_locking_callback to set up asynchronous operation if you use -lib openssl (the application calls these functions once for initialisation). -Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function. +The information from \fB/etc/resolv.conf\fP and \fB/etc/hosts\fP is +not utilised by default. +Use \fBub_ctx_resolvconf\fP and \fBub_ctx_hosts\fP to read them. +Before you call this, use the openssl functions +\fBCRYPTO_set_id_callback\fP and \fBCRYPTO_set_locking_callback\fP to set +up asynchronous operation if you use lib openssl (the application calls +these functions once for initialisation). +Openssl 1.0.0 or later uses the \fBCRYPTO_THREADID_set_callback\fP +function. .TP .B ub_ctx_delete Delete validation context and free associated resources. -Outstanding async queries are killed and callbacks are not called for them. +Outstanding async queries are killed and callbacks are not called for +them. .TP .B ub_ctx_set_option -A power\-user interface that lets you specify one of the options from the -config file format, see \fIunbound.conf\fR(5). Not all options are -relevant. For some specific options, such as adding trust anchors, special -routines exist. Pass the option name with the trailing ':'. +A power\-user interface that lets you specify one of the options from +the config file format, see \fI\%unbound.conf(5)\fP\&. +Not all options are relevant. +For some specific options, such as adding trust anchors, special +routines exist. +Pass the option name with the trailing \fB\(aq:\(aq\fP\&. .TP .B ub_ctx_get_option -A power\-user interface that gets an option value. Some options cannot be -gotten, and others return a newline separated list. Pass the option name -without trailing ':'. The returned value must be free(2)d by the caller. +A power\-user interface that gets an option value. +Some options cannot be gotten, and others return a newline separated +list. +Pass the option name without trailing \fB\(aq:\(aq\fP\&. +The returned value must be free(2)d by the caller. .TP .B ub_ctx_config -A power\-user interface that lets you specify an unbound config file, see -\fIunbound.conf\fR(5), which is read for configuration. Not all options are -relevant. For some specific options, such as adding trust anchors, special -routines exist. This function is thread\-safe only if a single instance of -ub_ctx* exists in the application. If several instances exist the -application has to ensure that ub_ctx_config is not called in parallel by -the different instances. +A power\-user interface that lets you specify an unbound config file, +see \fI\%unbound.conf(5)\fP, which is read for +configuration. +Not all options are relevant. +For some specific options, such as adding trust anchors, special +routines exist. +This function is thread\-safe only if a single instance of \fBub_ctx\fP* +exists in the application. +If several instances exist the application has to ensure that +\fBub_ctx_config\fP is not called in parallel by the different instances. .TP .B ub_ctx_set_fwd -Set machine to forward DNS queries to, the caching resolver to use. -IP4 or IP6 address. Forwards all DNS requests to that machine, which -is expected to run a recursive resolver. If the proxy is not -DNSSEC capable, validation may fail. Can be called several times, in -that case the addresses are used as backup servers. -At this time it is only possible to set configuration before the -first resolve is done. +Set machine to forward DNS queries to, the caching resolver to use. +IP4 or IP6 address. +Forwards all DNS requests to that machine, which is expected to run a +recursive resolver. +If the proxy is not DNSSEC capable, validation may fail. +Can be called several times, in that case the addresses are used as +backup servers. +At this time it is only possible to set configuration before the first +resolve is done. .TP .B ub_ctx_set_stub -Set a stub zone, authoritative dns servers to use for a particular zone. -IP4 or IP6 address. If the address is NULL the stub entry is removed. -Set isprime true if you configure root hints with it. Otherwise similar to -the stub zone item from unbound's config file. Can be called several times, -for different zones, or to add multiple addresses for a particular zone. -At this time it is only possible to set configuration before the -first resolve is done. +Set a stub zone, authoritative dns servers to use for a particular +zone. +IP4 or IP6 address. +If the address is NULL the stub entry is removed. +Set isprime true if you configure root hints with it. +Otherwise similar to the stub zone item from unbound\(aqs config file. +Can be called several times, for different zones, or to add multiple +addresses for a particular zone. +At this time it is only possible to set configuration before the first +resolve is done. .TP .B ub_ctx_set_tls -Enable DNS over TLS (DoT) for machines set with -.B ub_ctx_set_fwd. -At this time it is only possible to set configuration before the -first resolve is done. +Enable DNS over TLS (DoT) for machines set with \fBub_ctx_set_fwd\fP\&. +At this time it is only possible to set configuration before the first +resolve is done. .TP .B ub_ctx_resolvconf -By default the root servers are queried and full resolver mode is used, but -you can use this call to read the list of nameservers to use from the -filename given. -Usually "/etc/resolv.conf". Uses those nameservers as caching proxies. +By default the root servers are queried and full resolver mode is used, +but you can use this call to read the list of nameservers to use from +the filename given. +Usually \fB\(dq/etc/resolv.conf\(dq\fP\&. +Uses those nameservers as caching proxies. If they do not support DNSSEC, validation may fail. Only nameservers are picked up, the searchdomain, ndots and other -settings from \fIresolv.conf\fR(5) are ignored. -If fname NULL is passed, "/etc/resolv.conf" is used (if on Windows, -the system\-wide configured nameserver is picked instead). -At this time it is only possible to set configuration before the -first resolve is done. +settings from \fIresolv.conf(5)\fP are ignored. +If fname NULL is passed, \fB\(dq/etc/resolv.conf\(dq\fP is used (if on +Windows, the system\-wide configured nameserver is picked instead). +At this time it is only possible to set configuration before the first +resolve is done. .TP .B ub_ctx_hosts Read list of hosts from the filename given. -Usually "/etc/hosts". When queried for, these addresses are not marked -DNSSEC secure. If fname NULL is passed, "/etc/hosts" is used -(if on Windows, etc/hosts from WINDIR is picked instead). -At this time it is only possible to set configuration before the -first resolve is done. +Usually \fB\(dq/etc/hosts\(dq\fP\&. +When queried for, these addresses are not marked DNSSEC secure. +If fname NULL is passed, \fB\(dq/etc/hosts\(dq\fP is used (if on Windows, +\fBetc/hosts\fP from WINDIR is picked instead). +At this time it is only possible to set configuration before the first +resolve is done. .TP -.B -ub_ctx_add_ta +.B ub_ctx_add_ta Add a trust anchor to the given context. -At this time it is only possible to add trusted keys before the -first resolve is done. +At this time it is only possible to add trusted keys before the first +resolve is done. The format is a string, similar to the zone\-file format, -[domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted. +\fB[domainname]\fP \fB[type]\fP \fB[rdata contents]\fP\&. +Both DS and DNSKEY records are accepted. .TP .B ub_ctx_add_ta_autr -Add filename with automatically tracked trust anchor to the given context. -Pass name of a file with the managed trust anchor. You can create this -file with \fIunbound\-anchor\fR(8) for the root anchor. You can also -create it with an initial file with one line with a DNSKEY or DS record. +Add filename with automatically tracked trust anchor to the given +context. +Pass name of a file with the managed trust anchor. +You can create this file with +\fI\%unbound\-anchor(8)\fP for the root anchor. +You can also create it with an initial file with one line with a DNSKEY +or DS record. If the file is writable, it is updated when the trust anchor changes. -At this time it is only possible to add trusted keys before the -first resolve is done. +At this time it is only possible to add trusted keys before the first +resolve is done. .TP .B ub_ctx_add_ta_file Add trust anchors to the given context. Pass name of a file with DS and DNSKEY records in zone file format. -At this time it is only possible to add trusted keys before the -first resolve is done. +At this time it is only possible to add trusted keys before the first +resolve is done. .TP .B ub_ctx_trustedkeys Add trust anchors to the given context. -Pass the name of a bind\-style config file with trusted\-keys{}. -At this time it is only possible to add trusted keys before the -first resolve is done. +Pass the name of a bind\-style config file with \fBtrusted\-keys{}\fP\&. +At this time it is only possible to add trusted keys before the first +resolve is done. .TP .B ub_ctx_debugout -Set debug and error log output to the given stream. Pass NULL to disable -output. Default is stderr. File\-names or using syslog can be enabled -using config options, this routine is for using your own stream. +Set debug and error log output to the given stream. +Pass NULL to disable output. +Default is stderr. +File\-names or using syslog can be enabled using config options, this +routine is for using your own stream. .TP .B ub_ctx_debuglevel -Set debug verbosity for the context. Output is directed to stderr. +Set debug verbosity for the context. +Output is directed to stderr. Higher debug level gives more output. .TP .B ub_ctx_async Set a context behaviour for asynchronous action. -if set to true, enables threading and a call to -.B ub_resolve_async +if set to true, enables threading and a call to \fBub_resolve_async\fP creates a thread to handle work in the background. If false, a process is forked to handle work in the background. -Changes to this setting after -.B ub_resolve_async -calls have been made have no effect (delete and re\-create the context -to change). +Changes to this setting after \fBub_resolve_async\fP calls have been made +have no effect (delete and re\-create the context to change). .TP .B ub_poll Poll a context to see if it has any new results. -Do not poll in a loop, instead extract the fd below to poll for readiness, -and then check, or wait using the wait routine. +Do not poll in a loop, instead extract the \fBfd\fP below to poll for +readiness, and then check, or wait using the wait routine. Returns 0 if nothing to read, or nonzero if a result is available. -If nonzero, call -.B ub_process -to do callbacks. +If nonzero, call \fBub_process\fP to do callbacks. .TP .B ub_wait -Wait for a context to finish with results. Calls -.B ub_process -after the wait for you. After the wait, there are no more outstanding -asynchronous queries. +Wait for a context to finish with results. +Calls \fBub_process\fP after the wait for you. +After the wait, there are no more outstanding asynchronous queries. .TP .B ub_fd -Get file descriptor. Wait for it to become readable, at this point -answers are returned from the asynchronous validating resolver. -Then call the \fBub_process\fR to continue processing. +Get file descriptor. +Wait for it to become readable, at this point answers are returned from +the asynchronous validating resolver. +Then call the \fBub_process\fP to continue processing. .TP .B ub_process Call this routine to continue processing results from the validating -resolver (when the fd becomes readable). +resolver (when the \fBfd\fP becomes readable). Will perform necessary callbacks. .TP .B ub_resolve @@ -340,95 +311,111 @@ The result structure is newly allocated with the resulting data. .TP .B ub_resolve_async Perform asynchronous resolution and validation of the target name. -Arguments mean the same as for \fBub_resolve\fR except no -data is returned immediately, instead a callback is called later. -The callback receives a copy of the mydata pointer, that you can use to pass -information to the callback. The callback type is a function pointer to -a function declared as -.IP -void my_callback_function(void* my_arg, int err, -.br - struct ub_result* result); -.IP -The async_id is returned so you can (at your option) decide to track it -and cancel the request if needed. If you pass a NULL pointer the async_id -is not returned. +Arguments mean the same as for \fBub_resolve\fP except no data is +returned immediately, instead a callback is called later. +The callback receives a copy of the mydata pointer, that you can use to +pass information to the callback. +The callback type is a function pointer to a function declared as: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +void my_callback_function(void* my_arg, int err, + struct ub_result* result); +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The \fBasync_id\fP is returned so you can (at your option) decide to +track it and cancel the request if needed. +If you pass a NULL pointer the \fBasync_id\fP is not returned. .TP .B ub_cancel -Cancel an async query in progress. This may return an error if the query -does not exist, or the query is already being delivered, in that case you -may still get a callback for the query. +Cancel an async query in progress. +This may return an error if the query does not exist, or the query is +already being delivered, in that case you may still get a callback for +the query. .TP .B ub_resolve_free -Free struct ub_result contents after use. +Free struct \fBub_result\fP contents after use. .TP .B ub_strerror -Convert error value from one of the unbound library functions -to a human readable string. +Convert error value from one of the unbound library functions to a +human readable string. .TP .B ub_ctx_print_local_zones Debug printout the local authority information to debug output. .TP .B ub_ctx_zone_add -Add new zone to local authority info, like local\-zone \fIunbound.conf\fR(5) -statement. +Add new zone to local authority info, like local\-zone +\fI\%unbound.conf(5)\fP statement. .TP .B ub_ctx_zone_remove Delete zone from local authority info. .TP .B ub_ctx_data_add Add resource record data to local authority info, like local\-data -\fIunbound.conf\fR(5) statement. +\fI\%unbound.conf(5)\fP statement. .TP .B ub_ctx_data_remove Delete local authority data from the name given. -.SH "RESULT DATA STRUCTURE" -The result of the DNS resolution and validation is returned as -\fIstruct ub_result\fR. The result structure contains the following entries. -.P +.UNINDENT +.SH RESULT DATA STRUCTURE +.sp +The result of the DNS resolution and validation is returned as \fIstruct +ub_result\fP\&. +The result structure contains the following entries: +.INDENT 0.0 +.INDENT 3.5 +.sp .nf - struct ub_result { - char* qname; /* text string, original question */ - int qtype; /* type code asked for */ - int qclass; /* class code asked for */ - char** data; /* array of rdata items, NULL terminated*/ - int* len; /* array with lengths of rdata items */ - char* canonname; /* canonical name of result */ - int rcode; /* additional error code in case of no data */ - void* answer_packet; /* full network format answer packet */ - int answer_len; /* length of packet in octets */ - int havedata; /* true if there is data */ - int nxdomain; /* true if nodata because name does not exist */ - int secure; /* true if result is secure */ - int bogus; /* true if a security failure happened */ - char* why_bogus; /* string with error if bogus */ - int was_ratelimited; /* true if the query was ratelimited (SERVFAIL) by unbound */ - int ttl; /* number of seconds the result is valid */ - }; +.ft C +struct ub_result { + char* qname; /* text string, original question */ + int qtype; /* type code asked for */ + int qclass; /* class code asked for */ + char** data; /* array of rdata items, NULL terminated*/ + int* len; /* array with lengths of rdata items */ + char* canonname; /* canonical name of result */ + int rcode; /* additional error code in case of no data */ + void* answer_packet; /* full network format answer packet */ + int answer_len; /* length of packet in octets */ + int havedata; /* true if there is data */ + int nxdomain; /* true if nodata because name does not exist */ + int secure; /* true if result is secure */ + int bogus; /* true if a security failure happened */ + char* why_bogus; /* string with error if bogus */ + int was_ratelimited; /* true if the query was ratelimited (SERVFAIL) by unbound */ + int ttl; /* number of seconds the result is valid */ +}; +.ft P .fi -.P -If both secure and bogus are false, security was not enabled for the -domain of the query. Else, they are not both true, one of them is true. -.SH "RETURN VALUES" -Many routines return an error code. The value 0 (zero) denotes no error -happened. Other values can be passed to -.B ub_strerror -to obtain a readable error string. -.B ub_strerror -returns a zero terminated string. -.B ub_ctx_create -returns NULL on an error (a malloc failure). -.B ub_poll -returns true if some information may be available, false otherwise. -.B ub_fd -returns a file descriptor or \-1 on error. -.B ub_ctx_config -and -.B ub_ctx_resolvconf -attempt to leave errno informative on a function return with file read failure. -.SH "SEE ALSO" -\fIunbound.conf\fR(5), -\fIunbound\fR(8). -.SH "AUTHORS" -.B Unbound -developers are mentioned in the CREDITS file in the distribution. +.UNINDENT +.UNINDENT +.sp +If both secure and bogus are false, security was not enabled for the domain of +the query. +Else, they are not both true, one of them is true. +.SH RETURN VALUES +.sp +Many routines return an error code. +The value 0 (zero) denotes no error happened. +Other values can be passed to \fBub_strerror\fP to obtain a readable error +string. +\fBub_strerror\fP returns a zero terminated string. +\fBub_ctx_create\fP returns NULL on an error (a malloc failure). +\fBub_poll\fP returns true if some information may be available, false otherwise. +\fBub_fd\fP returns a file descriptor or \-1 on error. +\fBub_ctx_config\fP and \fBub_ctx_resolvconf\fP attempt to leave errno informative +on a function return with file read failure. +.SH SEE ALSO +.sp +\fI\%unbound.conf(5)\fP, \fI\%unbound(8)\fP\&. +.SH AUTHOR +Unbound developers are mentioned in the CREDITS file in the distribution. +.SH COPYRIGHT +1999-2025, NLnet Labs +.\" Generated by docutils manpage writer. +. diff --git a/doc/libunbound.rst b/doc/libunbound.rst new file mode 100644 index 000000000..97883dc55 --- /dev/null +++ b/doc/libunbound.rst @@ -0,0 +1,491 @@ +.. + WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE + +.. + IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE + +.. + IT HELPS PEOPLE DIFFING THE CHANGES + +.. + WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE + +.. + IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE + +.. + IT HELPS PEOPLE DIFFING THE CHANGES + +.. + WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE + +.. + IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE + +.. + IT HELPS PEOPLE DIFFING THE CHANGES + +.. + WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE + +.. + IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE + +.. + IT HELPS PEOPLE DIFFING THE CHANGES + +libunbound(3) +============= + +Synopsis +-------- + +.. only:: html + + .. code-block:: c + + #include + + struct ub_ctx * ub_ctx_create(void); + + void ub_ctx_delete(struct ub_ctx* ctx); + + int ub_ctx_set_option(struct ub_ctx* ctx, char* opt, char* val); + + int ub_ctx_get_option(struct ub_ctx* ctx, char* opt, char** val); + + int ub_ctx_config(struct ub_ctx* ctx, char* fname); + + int ub_ctx_set_fwd(struct ub_ctx* ctx, char* addr); + + int ub_ctx_set_stub(struct ub_ctx* ctx, char* zone, char* addr, + int isprime); + + int ub_ctx_set_tls(struct ub_ctx* ctx, int tls); + + int ub_ctx_resolvconf(struct ub_ctx* ctx, char* fname); + + int ub_ctx_hosts(struct ub_ctx* ctx, char* fname); + + int ub_ctx_add_ta(struct ub_ctx* ctx, char* ta); + + int ub_ctx_add_ta_autr(struct ub_ctx* ctx, char* fname); + + int ub_ctx_add_ta_file(struct ub_ctx* ctx, char* fname); + + int ub_ctx_trustedkeys(struct ub_ctx* ctx, char* fname); + + int ub_ctx_debugout(struct ub_ctx* ctx, FILE* out); + + int ub_ctx_debuglevel(struct ub_ctx* ctx, int d); + + int ub_ctx_async(struct ub_ctx* ctx, int dothread); + + int ub_poll(struct ub_ctx* ctx); + + int ub_wait(struct ub_ctx* ctx); + + int ub_fd(struct ub_ctx* ctx); + + int ub_process(struct ub_ctx* ctx); + + int ub_resolve(struct ub_ctx* ctx, char* name, int rrtype, + int rrclass, struct ub_result** result); + + int ub_resolve_async(struct ub_ctx* ctx, char* name, int rrtype, + int rrclass, void* mydata, ub_callback_type callback, + int* async_id); + + int ub_cancel(struct ub_ctx* ctx, int async_id); + + void ub_resolve_free(struct ub_result* result); + + const char * ub_strerror(int err); + + int ub_ctx_print_local_zones(struct ub_ctx* ctx); + + int ub_ctx_zone_add(struct ub_ctx* ctx, char* zone_name, char* zone_type); + + int ub_ctx_zone_remove(struct ub_ctx* ctx, char* zone_name); + + int ub_ctx_data_add(struct ub_ctx* ctx, char* data); + + int ub_ctx_data_remove(struct ub_ctx* ctx, char* data); + +.. only:: man + + **#include ** + + struct ub_ctx \* **ub_ctx_create**\ (void); + + void **ub_ctx_delete**\ (struct ub_ctx\* ctx); + + int **ub_ctx_set_option**\ (struct ub_ctx\* ctx, char\* opt, char\* val); + + int **ub_ctx_get_option**\ (struct ub_ctx\* ctx, char\* opt, char\*\* val); + + int **ub_ctx_config**\ (struct ub_ctx\* ctx, char* fname); + + int **ub_ctx_set_fwd**\ (struct ub_ctx\* ctx, char\* addr); + + int **ub_ctx_set_stub**\ (struct ub_ctx\* ctx, char\* zone, char\* addr, + int isprime); + + int **ub_ctx_set_tls**\ (struct ub_ctx\* ctx, int tls); + + int **ub_ctx_resolvconf**\ (struct ub_ctx\* ctx, char\* fname); + + int **ub_ctx_hosts**\ (struct ub_ctx\* ctx, char\* fname); + + int **ub_ctx_add_ta**\ (struct ub_ctx\* ctx, char\* ta); + + int **ub_ctx_add_ta_autr**\ (struct ub_ctx\* ctx, char\* fname); + + int **ub_ctx_add_ta_file**\ (struct ub_ctx\* ctx, char\* fname); + + int **ub_ctx_trustedkeys**\ (struct ub_ctx\* ctx, char\* fname); + + int **ub_ctx_debugout**\ (struct ub_ctx\* ctx, FILE\* out); + + int **ub_ctx_debuglevel**\ (struct ub_ctx\* ctx, int d); + + int **ub_ctx_async**\ (struct ub_ctx\* ctx, int dothread); + + int **ub_poll**\ (struct ub_ctx\* ctx); + + int **ub_wait**\ (struct ub_ctx\* ctx); + + int **ub_fd**\ (struct ub_ctx\* ctx); + + int **ub_process**\ (struct ub_ctx\* ctx); + + int **ub_resolve**\ (struct ub_ctx\* ctx, char\* name, + int rrtype, int rrclass, struct ub_result\*\* result); + + int **ub_resolve_async**\ (struct ub_ctx\* ctx, char\* name, + int rrtype, int rrclass, void\* mydata, + ub_callback_type\* callback, int\* async_id); + + int **ub_cancel**\ (struct ub_ctx\* ctx, int async_id); + + void **ub_resolve_free**\ (struct ub_result\* result); + + const char \* **ub_strerror**\ (int err); + + int **ub_ctx_print_local_zones**\ (struct ub_ctx\* ctx); + + int **ub_ctx_zone_add**\ (struct ub_ctx\* ctx, char\* zone_name, char\* zone_type); + + int **ub_ctx_zone_remove**\ (struct ub_ctx\* ctx, char\* zone_name); + + int **ub_ctx_data_add**\ (struct ub_ctx\* ctx, char\* data); + + int **ub_ctx_data_remove**\ (struct ub_ctx\* ctx, char\* data); + +Description +----------- + +Unbound is an implementation of a DNS resolver, that does caching and DNSSEC +validation. +This is the library API, for using the ``-lunbound`` library. +The server daemon is described in :doc:`unbound(8)`. +The library works independent from a running unbound server, and can be used to +convert hostnames to ip addresses, and back, and obtain other information from +the DNS. +The library performs public-key validation of results with DNSSEC. + +The library uses a variable of type *struct ub_ctx* to keep context between +calls. +The user must maintain it, creating it with **ub_ctx_create** and deleting it +with **ub_ctx_delete**. +It can be created and deleted at any time. +Creating it anew removes any previous configuration (such as trusted keys) and +clears any cached results. + +The functions are thread-safe, and a context can be used in a threaded (as well +as in a non-threaded) environment. +Also resolution (and validation) can be performed blocking and non-blocking +(also called asynchronous). +The async method returns from the call immediately, so that processing can go +on, while the results become available later. + +The functions are discussed in turn below. + +Functions +--------- + +.. glossary:: + + ub_ctx_create + Create a new context, initialised with defaults. + The information from :file:`/etc/resolv.conf` and :file:`/etc/hosts` is + not utilised by default. + Use **ub_ctx_resolvconf** and **ub_ctx_hosts** to read them. + Before you call this, use the openssl functions + **CRYPTO_set_id_callback** and **CRYPTO_set_locking_callback** to set + up asynchronous operation if you use lib openssl (the application calls + these functions once for initialisation). + Openssl 1.0.0 or later uses the **CRYPTO_THREADID_set_callback** + function. + + ub_ctx_delete + Delete validation context and free associated resources. + Outstanding async queries are killed and callbacks are not called for + them. + + ub_ctx_set_option + A power-user interface that lets you specify one of the options from + the config file format, see :doc:`unbound.conf(5)`. + Not all options are relevant. + For some specific options, such as adding trust anchors, special + routines exist. + Pass the option name with the trailing ``':'``. + + ub_ctx_get_option + A power-user interface that gets an option value. + Some options cannot be gotten, and others return a newline separated + list. + Pass the option name without trailing ``':'``. + The returned value must be free(2)d by the caller. + + ub_ctx_config + A power-user interface that lets you specify an unbound config file, + see :doc:`unbound.conf(5)`, which is read for + configuration. + Not all options are relevant. + For some specific options, such as adding trust anchors, special + routines exist. + This function is thread-safe only if a single instance of **ub_ctx**\* + exists in the application. + If several instances exist the application has to ensure that + **ub_ctx_config** is not called in parallel by the different instances. + + ub_ctx_set_fwd + Set machine to forward DNS queries to, the caching resolver to use. + IP4 or IP6 address. + Forwards all DNS requests to that machine, which is expected to run a + recursive resolver. + If the proxy is not DNSSEC capable, validation may fail. + Can be called several times, in that case the addresses are used as + backup servers. + At this time it is only possible to set configuration before the first + resolve is done. + + ub_ctx_set_stub + Set a stub zone, authoritative dns servers to use for a particular + zone. + IP4 or IP6 address. + If the address is NULL the stub entry is removed. + Set isprime true if you configure root hints with it. + Otherwise similar to the stub zone item from unbound's config file. + Can be called several times, for different zones, or to add multiple + addresses for a particular zone. + At this time it is only possible to set configuration before the first + resolve is done. + + ub_ctx_set_tls + Enable DNS over TLS (DoT) for machines set with **ub_ctx_set_fwd**. + At this time it is only possible to set configuration before the first + resolve is done. + + ub_ctx_resolvconf + By default the root servers are queried and full resolver mode is used, + but you can use this call to read the list of nameservers to use from + the filename given. + Usually :file:`"/etc/resolv.conf"`. + Uses those nameservers as caching proxies. + If they do not support DNSSEC, validation may fail. + Only nameservers are picked up, the searchdomain, ndots and other + settings from *resolv.conf(5)* are ignored. + If fname NULL is passed, :file:`"/etc/resolv.conf"` is used (if on + Windows, the system-wide configured nameserver is picked instead). + At this time it is only possible to set configuration before the first + resolve is done. + + ub_ctx_hosts + Read list of hosts from the filename given. + Usually :file:`"/etc/hosts"`. + When queried for, these addresses are not marked DNSSEC secure. + If fname NULL is passed, :file:`"/etc/hosts"` is used (if on Windows, + :file:`etc/hosts` from WINDIR is picked instead). + At this time it is only possible to set configuration before the first + resolve is done. + + ub_ctx_add_ta + Add a trust anchor to the given context. + At this time it is only possible to add trusted keys before the first + resolve is done. + The format is a string, similar to the zone-file format, + **[domainname]** **[type]** **[rdata contents]**. + Both DS and DNSKEY records are accepted. + + ub_ctx_add_ta_autr + Add filename with automatically tracked trust anchor to the given + context. + Pass name of a file with the managed trust anchor. + You can create this file with + :doc:`unbound-anchor(8)` for the root anchor. + You can also create it with an initial file with one line with a DNSKEY + or DS record. + If the file is writable, it is updated when the trust anchor changes. + At this time it is only possible to add trusted keys before the first + resolve is done. + + ub_ctx_add_ta_file + Add trust anchors to the given context. + Pass name of a file with DS and DNSKEY records in zone file format. + At this time it is only possible to add trusted keys before the first + resolve is done. + + ub_ctx_trustedkeys + Add trust anchors to the given context. + Pass the name of a bind-style config file with ``trusted-keys{}``. + At this time it is only possible to add trusted keys before the first + resolve is done. + + ub_ctx_debugout + Set debug and error log output to the given stream. + Pass NULL to disable output. + Default is stderr. + File-names or using syslog can be enabled using config options, this + routine is for using your own stream. + + ub_ctx_debuglevel + Set debug verbosity for the context. + Output is directed to stderr. + Higher debug level gives more output. + + ub_ctx_async + Set a context behaviour for asynchronous action. + if set to true, enables threading and a call to **ub_resolve_async** + creates a thread to handle work in the background. + If false, a process is forked to handle work in the background. + Changes to this setting after **ub_resolve_async** calls have been made + have no effect (delete and re-create the context to change). + + ub_poll + Poll a context to see if it has any new results. + Do not poll in a loop, instead extract the **fd** below to poll for + readiness, and then check, or wait using the wait routine. + Returns 0 if nothing to read, or nonzero if a result is available. + If nonzero, call **ub_process** to do callbacks. + + ub_wait + Wait for a context to finish with results. + Calls **ub_process** after the wait for you. + After the wait, there are no more outstanding asynchronous queries. + + ub_fd + Get file descriptor. + Wait for it to become readable, at this point answers are returned from + the asynchronous validating resolver. + Then call the **ub_process** to continue processing. + + ub_process + Call this routine to continue processing results from the validating + resolver (when the **fd** becomes readable). + Will perform necessary callbacks. + + ub_resolve + Perform resolution and validation of the target name. + The name is a domain name in a zero terminated text string. + The rrtype and rrclass are DNS type and class codes. + The result structure is newly allocated with the resulting data. + + ub_resolve_async + Perform asynchronous resolution and validation of the target name. + Arguments mean the same as for **ub_resolve** except no data is + returned immediately, instead a callback is called later. + The callback receives a copy of the mydata pointer, that you can use to + pass information to the callback. + The callback type is a function pointer to a function declared as: + + .. code-block:: c + + void my_callback_function(void* my_arg, int err, + struct ub_result* result); + + The **async_id** is returned so you can (at your option) decide to + track it and cancel the request if needed. + If you pass a NULL pointer the **async_id** is not returned. + + ub_cancel + Cancel an async query in progress. + This may return an error if the query does not exist, or the query is + already being delivered, in that case you may still get a callback for + the query. + + ub_resolve_free + Free struct **ub_result** contents after use. + + ub_strerror + Convert error value from one of the unbound library functions to a + human readable string. + + ub_ctx_print_local_zones + Debug printout the local authority information to debug output. + + ub_ctx_zone_add + Add new zone to local authority info, like local-zone + :doc:`unbound.conf(5)` statement. + + ub_ctx_zone_remove + Delete zone from local authority info. + + ub_ctx_data_add + Add resource record data to local authority info, like local-data + :doc:`unbound.conf(5)` statement. + + ub_ctx_data_remove + Delete local authority data from the name given. + +Result Data structure +--------------------- + +The result of the DNS resolution and validation is returned as *struct +ub_result*. +The result structure contains the following entries: + +.. code-block:: c + + struct ub_result { + char* qname; /* text string, original question */ + int qtype; /* type code asked for */ + int qclass; /* class code asked for */ + char** data; /* array of rdata items, NULL terminated*/ + int* len; /* array with lengths of rdata items */ + char* canonname; /* canonical name of result */ + int rcode; /* additional error code in case of no data */ + void* answer_packet; /* full network format answer packet */ + int answer_len; /* length of packet in octets */ + int havedata; /* true if there is data */ + int nxdomain; /* true if nodata because name does not exist */ + int secure; /* true if result is secure */ + int bogus; /* true if a security failure happened */ + char* why_bogus; /* string with error if bogus */ + int was_ratelimited; /* true if the query was ratelimited (SERVFAIL) by unbound */ + int ttl; /* number of seconds the result is valid */ + }; + +If both secure and bogus are false, security was not enabled for the domain of +the query. +Else, they are not both true, one of them is true. + +Return Values +------------- + +Many routines return an error code. +The value 0 (zero) denotes no error happened. +Other values can be passed to **ub_strerror** to obtain a readable error +string. +**ub_strerror** returns a zero terminated string. +**ub_ctx_create** returns NULL on an error (a malloc failure). +**ub_poll** returns true if some information may be available, false otherwise. +**ub_fd** returns a file descriptor or -1 on error. +**ub_ctx_config** and **ub_ctx_resolvconf** attempt to leave errno informative +on a function return with file read failure. + +See Also +-------- + +:doc:`unbound.conf(5)`, :doc:`unbound(8)`. diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in index 31c4e9113..9c77b4cf7 100644 --- a/doc/unbound-anchor.8.in +++ b/doc/unbound-anchor.8.in @@ -1,189 +1,300 @@ -.TH "unbound-anchor" "8" "@date@" "NLnet Labs" "unbound @version@" -.\" -.\" unbound-anchor.8 -- unbound anchor maintenance utility manual -.\" -.\" Copyright (c) 2008, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -.B unbound\-anchor -\- Unbound anchor utility. -.SH "SYNOPSIS" -.B unbound\-anchor -.RB [ opts ] -.SH "DESCRIPTION" -.B Unbound\-anchor -performs setup or update of the root trust anchor for DNSSEC validation. -The program fetches the trust anchor with the method from RFC7958 when -regular RFC5011 update fails to bring it up to date. +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "UNBOUND-ANCHOR" "8" "@date@" "@version@" "Unbound" +.SH NAME +unbound-anchor \- Unbound @version@ anchor utility. +.SH SYNOPSIS +.sp +\fBunbound\-anchor\fP [\fBopts\fP] +.SH DESCRIPTION +.sp +\fBunbound\-anchor\fP performs setup or update of the root trust anchor for DNSSEC +validation. +The program fetches the trust anchor with the method from \fI\%RFC 7958\fP when +regular \fI\%RFC 5011\fP update fails to bring it up to date. It can be run (as root) from the commandline, or run as part of startup -scripts. Before you start the \fIunbound\fR(8) DNS server. -.P +scripts. +Before you start the \fI\%unbound(8)\fP DNS server. +.sp Suggested usage: -.P +.INDENT 0.0 +.INDENT 3.5 +.sp .nf - # in the init scripts. - # provide or update the root anchor (if necessary) - unbound-anchor \-a "@UNBOUND_ROOTKEY_FILE@" - # Please note usage of this root anchor is at your own risk - # and under the terms of our LICENSE (see source). - # - # start validating resolver - # the unbound.conf contains: - # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" - unbound \-c unbound.conf +.ft C +# in the init scripts. +# provide or update the root anchor (if necessary) +unbound\-anchor \-a \(dq@UNBOUND_ROOTKEY_FILE@\(dq +# Please note usage of this root anchor is at your own risk +# and under the terms of our LICENSE (see source). +# +# start validating resolver +# the unbound.conf contains: +# auto\-trust\-anchor\-file: \(dq@UNBOUND_ROOTKEY_FILE@\(dq +unbound \-c unbound.conf +.ft P .fi -.P -This tool provides builtin default contents for the root anchor and root -update certificate files. -.P +.UNINDENT +.UNINDENT +.sp +This tool provides builtin default contents for the root anchor and root update +certificate files. +.sp It tests if the root anchor file works, and if not, and an update is possible, attempts to update the root anchor using the root update certificate. -It performs a https fetch of root-anchors.xml and checks the results (RFC7958), -if all checks are successful, it updates the root anchor file. Otherwise -the root anchor file is unchanged. It performs RFC5011 tracking if the -DNSSEC information available via the DNS makes that possible. -.P -It does not perform an update if the certificate is expired, if the network -is down or other errors occur. -.P +It performs a https fetch of +\fI\%root\-anchors.xml\fP +and checks the results (\fI\%RFC 7958\fP); if all checks are successful, it updates +the root anchor file. +Otherwise the root anchor file is unchanged. +It performs \fI\%RFC 5011\fP tracking if the DNSSEC information available via the +DNS makes that possible. +.sp +It does not perform an update if the certificate is expired, if the network is +down or other errors occur. +.sp The available options are: +.INDENT 0.0 .TP -.B \-a \fIfile +.B \-a The root anchor key file, that is read in and written out. -Default is @UNBOUND_ROOTKEY_FILE@. -If the file does not exist, or is empty, a builtin root key is written to it. +Default is \fB@UNBOUND_ROOTKEY_FILE@\fP\&. +If the file does not exist, or is empty, a builtin root key is written +to it. +.UNINDENT +.INDENT 0.0 .TP -.B \-c \fIfile +.B \-c The root update certificate file, that is read in. -Default is @UNBOUND_ROOTCERT_FILE@. +Default is \fB@UNBOUND_ROOTCERT_FILE@\fP\&. If the file does not exist, or is empty, a builtin certificate is used. +.UNINDENT +.INDENT 0.0 .TP .B \-l List the builtin root key and builtin root update certificate on stdout. +.UNINDENT +.INDENT 0.0 .TP -.B \-u \fIname -The server name, it connects to https://name. Specify without https:// prefix. -The default is "data.iana.org". It connects to the port specified with \-P. +.B \-u +The server name, it connects to \fBhttps://name\fP\&. +Specify without \fBhttps://\fP prefix. +The default is \fB\(dqdata.iana.org\(dq\fP\&. +It connects to the port specified with \fI\%\-P\fP\&. You can pass an IPv4 address or IPv6 address (no brackets) if you want. +.UNINDENT +.INDENT 0.0 .TP .B \-S -Do not use SNI for the HTTPS connection. Default is to use SNI. +Do not use SNI for the HTTPS connection. +Default is to use SNI. +.UNINDENT +.INDENT 0.0 .TP -.B \-b \fIaddress -The source address to bind to for domain resolution and contacting the server -on https. May be either an IPv4 address or IPv6 address (no brackets). +.B \-b
+The source address to bind to for domain resolution and contacting the +server on https. +May be either an IPv4 address or IPv6 address (no brackets). +.UNINDENT +.INDENT 0.0 .TP -.B \-x \fIpath -The pathname to the root\-anchors.xml file on the server. (forms URL with \-u). -The default is /root\-anchors/root\-anchors.xml. +.B \-x +The pathname to the root\-anchors.xml file on the server. +(forms URL with \fI\%\-u\fP). +The default is \fB/root\-anchors/root\-anchors.xml\fP\&. +.UNINDENT +.INDENT 0.0 .TP -.B \-s \fIpath -The pathname to the root\-anchors.p7s file on the server. (forms URL with \-u). -The default is /root\-anchors/root\-anchors.p7s. This file has to be a PKCS7 -signature over the xml file, using the pem file (\-c) as trust anchor. +.B \-s +The pathname to the root\-anchors.p7s file on the server. +(forms URL with \fI\%\-u\fP). +The default is \fB/root\-anchors/root\-anchors.p7s\fP\&. +This file has to be a PKCS7 signature over the xml file, using the pem +file (\fI\%\-c\fP) as trust anchor. +.UNINDENT +.INDENT 0.0 .TP -.B \-n \fIname -The emailAddress for the Subject of the signer's certificate from the p7s -signature file. Only signatures from this name are allowed. default is -dnssec@iana.org. If you pass "" then the emailAddress is not checked. +.B \-n +The emailAddress for the Subject of the signer\(aqs certificate from the +p7s signature file. +Only signatures from this name are allowed. +The default is \fBdnssec@iana.org\fP\&. +If you pass \fB\(dq\(dq\fP then the emailAddress is not checked. +.UNINDENT +.INDENT 0.0 .TP .B \-4 -Use IPv4 for domain resolution and contacting the server on https. Default is -to use IPv4 and IPv6 where appropriate. +Use IPv4 for domain resolution and contacting the server on +https. +Default is to use IPv4 and IPv6 where appropriate. +.UNINDENT +.INDENT 0.0 .TP .B \-6 -Use IPv6 for domain resolution and contacting the server on https. Default is -to use IPv4 and IPv6 where appropriate. +Use IPv6 for domain resolution and contacting the server on https. +Default is to use IPv4 and IPv6 where appropriate. +.UNINDENT +.INDENT 0.0 .TP -.B \-f \fIresolv.conf -Use the given resolv.conf file. Not enabled by default, but you could try to -pass /etc/resolv.conf on some systems. It contains the IP addresses of the -recursive nameservers to use. However, since this tool could be used to -bootstrap that very recursive nameserver, it would not be useful (since -that server is not up yet, since we are bootstrapping it). It could be -useful in a situation where you know an upstream cache is deployed (and -running) and in captive portal situations. +.B \-f +Use the given resolv.conf file. +Not enabled by default, but you could try to pass +\fB/etc/resolv.conf\fP on some systems. +It contains the IP addresses of the recursive nameservers to use. +However, since this tool could be used to bootstrap that very recursive +nameserver, it would not be useful (since that server is not up yet, +since we are bootstrapping it). +It could be useful in a situation where you know an upstream cache is +deployed (and running) and in captive portal situations. +.UNINDENT +.INDENT 0.0 .TP -.B \-r \fIroot.hints -Use the given root.hints file (same syntax as the BIND and Unbound root hints -file) to bootstrap domain resolution. By default a list of builtin root -hints is used. Unbound\-anchor goes to the network itself for these roots, -to resolve the server (\-u option) and to check the root DNSKEY records. +.B \-r +Use the given root.hints file (same syntax as the BIND and Unbound root +hints file) to bootstrap domain resolution. +By default a list of builtin root hints is used. +unbound\-anchor goes to the network itself for these roots, to resolve +the server (\fI\%\-u\fP option) and to check the root DNSKEY records. It does so, because the tool when used for bootstrapping the recursive -resolver, cannot use that recursive resolver itself because it is bootstrapping -that server. +resolver, cannot use that recursive resolver itself because it is +bootstrapping that server. +.UNINDENT +.INDENT 0.0 .TP .B \-R -Allow fallback from \-f resolv.conf file to direct root servers query. -It allows you to prefer local resolvers, but fallback automatically -to direct root query if they do not respond or do not support DNSSEC. +Allow fallback from \fI\%\-f\fP \fB\fP file to direct root +servers query. +It allows you to prefer local resolvers, but fallback automatically to +direct root query if they do not respond or do not support DNSSEC. +.UNINDENT +.INDENT 0.0 .TP .B \-v -More verbose. Once prints informational messages, multiple times may enable -large debug amounts (such as full certificates or byte\-dumps of downloaded -files). By default it prints almost nothing. It also prints nothing on -errors by default; in that case the original root anchor file is simply -left undisturbed, so that a recursive server can start right after it. +More verbose. +Once prints informational messages, multiple times may enable large +debug amounts (such as full certificates or byte\-dumps of downloaded +files). +By default it prints almost nothing. +It also prints nothing on errors by default; in that case the original +root anchor file is simply left undisturbed, so that a recursive server +can start right after it. +.UNINDENT +.INDENT 0.0 .TP -.B \-C \fIunbound.conf -Debug option to read unbound.conf into the resolver process used. +.B \-C +Debug option to read \fB\fP into the resolver process +used. +.UNINDENT +.INDENT 0.0 .TP -.B \-P \fIport -Set the port number to use for the https connection. The default is 443. +.B \-P +Set the port number to use for the https connection. +The default is 443. +.UNINDENT +.INDENT 0.0 .TP .B \-F -Debug option to force update of the root anchor through downloading the xml -file and verifying it with the certificate. By default it first tries to -update by contacting the DNS, which uses much less bandwidth, is much -faster (200 msec not 2 sec), and is nicer to the deployed infrastructure. -With this option, it still attempts to do so (and may verbosely tell you), -but then ignores the result and goes on to use the xml fallback method. +Debug option to force update of the root anchor through downloading the +xml file and verifying it with the certificate. +By default it first tries to update by contacting the DNS, which uses +much less bandwidth, is much faster (200 msec not 2 sec), and is nicer +to the deployed infrastructure. +With this option, it still attempts to do so (and may verbosely tell +you), but then ignores the result and goes on to use the xml fallback +method. +.UNINDENT +.INDENT 0.0 .TP .B \-h Show the version and commandline option help. -.SH "EXIT CODE" +.UNINDENT +.SH EXIT CODE +.sp This tool exits with value 1 if the root anchor was updated using the -certificate or if the builtin root-anchor was used. It exits with code -0 if no update was necessary, if the update was possible with RFC5011 -tracking, or if an error occurred. -.P +certificate or if the builtin root\-anchor was used. +It exits with code 0 if no update was necessary, if the update was possible +with \fI\%RFC 5011\fP tracking, or if an error occurred. +.sp You can check the exit value in this manner: +.INDENT 0.0 +.INDENT 3.5 +.sp .nf - unbound-anchor \-a "root.key" || logger "Please check root.key" +.ft C +unbound\-anchor \-a \(dqroot.key\(dq || logger \(dqPlease check root.key\(dq +.ft P .fi +.UNINDENT +.UNINDENT +.sp Or something more suitable for your operational environment. -.SH "TRUST" -The root keys and update certificate included in this tool -are provided for convenience and under the terms of our -license (see the LICENSE file in the source distribution or -https://github.com/NLnetLabs/unbound/blob/master/LICENSE) and might be stale or -not suitable to your purpose. -.P -By running "unbound\-anchor \-l" the keys and certificate that are +.SH TRUST +.sp +The root keys and update certificate included in this tool are provided for +convenience and under the terms of our license (see the LICENSE file in the +source distribution or \fI\%https://github.com/NLnetLabs/unbound/blob/master/LICENSE\fP +and might be stale or not suitable to your purpose. +.sp +By running \fI\%unbound\-anchor \-l\fP the keys and certificate that are configured in the code are printed for your convenience. -.P -The build\-in configuration can be overridden by providing a root\-cert -file and a rootkey file. -.SH "FILES" +.sp +The built\-in configuration can be overridden by providing a root\-cert file and +a rootkey file. +.SH FILES +.INDENT 0.0 .TP -.I @UNBOUND_ROOTKEY_FILE@ -The root anchor file, updated with 5011 tracking, and read and written to. +.B @UNBOUND_ROOTKEY_FILE@ +The root anchor file, updated with 5011 tracking, and read and written +to. The file is created if it does not exist. .TP -.I @UNBOUND_ROOTCERT_FILE@ -The trusted self\-signed certificate that is used to verify the downloaded -DNSSEC root trust anchor. You can update it by fetching it from -https://data.iana.org/root\-anchors/icannbundle.pem (and validate it). +.B @UNBOUND_ROOTCERT_FILE@ +The trusted self\-signed certificate that is used to verify the +downloaded DNSSEC root trust anchor. +You can update it by fetching it from +\fI\%https://data.iana.org/root\-anchors/icannbundle.pem\fP (and validate it). If the file does not exist or is empty, a builtin version is used. .TP -.I https://data.iana.org/root\-anchors/root\-anchors.xml +.B \fI\%https://data.iana.org/root\-anchors/root\-anchors.xml\fP Source for the root key information. .TP -.I https://data.iana.org/root\-anchors/root\-anchors.p7s +.B \fI\%https://data.iana.org/root\-anchors/root\-anchors.p7s\fP Signature on the root key information. -.SH "SEE ALSO" -\fIunbound.conf\fR(5), -\fIunbound\fR(8). +.UNINDENT +.SH SEE ALSO +.sp +\fI\%unbound.conf(5)\fP, +\fI\%unbound(8)\fP\&. +.SH AUTHOR +Unbound developers are mentioned in the CREDITS file in the distribution. +.SH COPYRIGHT +1999-2025, NLnet Labs +.\" Generated by docutils manpage writer. +. diff --git a/doc/unbound-anchor.rst b/doc/unbound-anchor.rst new file mode 100644 index 000000000..480db8eeb --- /dev/null +++ b/doc/unbound-anchor.rst @@ -0,0 +1,281 @@ +.. + WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE + +.. + IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE + +.. + IT HELPS PEOPLE DIFFING THE CHANGES + +.. + WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE + +.. + IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE + +.. + IT HELPS PEOPLE DIFFING THE CHANGES + +.. + WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE + +.. + IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE + +.. + IT HELPS PEOPLE DIFFING THE CHANGES + +.. + WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE + +.. + IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE + +.. + IT HELPS PEOPLE DIFFING THE CHANGES + +.. program:: unbound-anchor + +unbound-anchor(8) +================= + +Synopsis +-------- + +**unbound-anchor** [``opts``] + +Description +----------- + +``unbound-anchor`` performs setup or update of the root trust anchor for DNSSEC +validation. +The program fetches the trust anchor with the method from :rfc:`7958` when +regular :rfc:`5011` update fails to bring it up to date. +It can be run (as root) from the commandline, or run as part of startup +scripts. +Before you start the :doc:`unbound(8)` DNS server. + +Suggested usage: + +.. code-block:: text + + # in the init scripts. + # provide or update the root anchor (if necessary) + unbound-anchor -a "@UNBOUND_ROOTKEY_FILE@" + # Please note usage of this root anchor is at your own risk + # and under the terms of our LICENSE (see source). + # + # start validating resolver + # the unbound.conf contains: + # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" + unbound -c unbound.conf + +This tool provides builtin default contents for the root anchor and root update +certificate files. + +It tests if the root anchor file works, and if not, and an update is possible, +attempts to update the root anchor using the root update certificate. +It performs a https fetch of +`root-anchors.xml `__ +and checks the results (:rfc:`7958`); if all checks are successful, it updates +the root anchor file. +Otherwise the root anchor file is unchanged. +It performs :rfc:`5011` tracking if the DNSSEC information available via the +DNS makes that possible. + +It does not perform an update if the certificate is expired, if the network is +down or other errors occur. + +The available options are: + +.. option:: -a + + The root anchor key file, that is read in and written out. + Default is :file:`@UNBOUND_ROOTKEY_FILE@`. + If the file does not exist, or is empty, a builtin root key is written + to it. + +.. option:: -c + + The root update certificate file, that is read in. + Default is :file:`@UNBOUND_ROOTCERT_FILE@`. + If the file does not exist, or is empty, a builtin certificate is used. + +.. option:: -l + + List the builtin root key and builtin root update certificate on stdout. + +.. option:: -u + + The server name, it connects to ``https://name``. + Specify without ``https://`` prefix. + The default is ``"data.iana.org"``. + It connects to the port specified with :option:`-P`. + You can pass an IPv4 address or IPv6 address (no brackets) if you want. + +.. option:: -S + + Do not use SNI for the HTTPS connection. + Default is to use SNI. + +.. option:: -b
+ + The source address to bind to for domain resolution and contacting the + server on https. + May be either an IPv4 address or IPv6 address (no brackets). + +.. option:: -x + + The pathname to the root-anchors.xml file on the server. + (forms URL with :option:`-u`). + The default is :file:`/root-anchors/root-anchors.xml`. + +.. option:: -s + + The pathname to the root-anchors.p7s file on the server. + (forms URL with :option:`-u`). + The default is :file:`/root-anchors/root-anchors.p7s`. + This file has to be a PKCS7 signature over the xml file, using the pem + file (:option:`-c`) as trust anchor. + +.. option:: -n + + The emailAddress for the Subject of the signer's certificate from the + p7s signature file. + Only signatures from this name are allowed. + The default is ``dnssec@iana.org``. + If you pass ``""`` then the emailAddress is not checked. + +.. option:: -4 + + Use IPv4 for domain resolution and contacting the server on + https. + Default is to use IPv4 and IPv6 where appropriate. + +.. option:: -6 + + Use IPv6 for domain resolution and contacting the server on https. + Default is to use IPv4 and IPv6 where appropriate. + +.. option:: -f + + Use the given resolv.conf file. + Not enabled by default, but you could try to pass + :file:`/etc/resolv.conf` on some systems. + It contains the IP addresses of the recursive nameservers to use. + However, since this tool could be used to bootstrap that very recursive + nameserver, it would not be useful (since that server is not up yet, + since we are bootstrapping it). + It could be useful in a situation where you know an upstream cache is + deployed (and running) and in captive portal situations. + +.. option:: -r + + Use the given root.hints file (same syntax as the BIND and Unbound root + hints file) to bootstrap domain resolution. + By default a list of builtin root hints is used. + unbound-anchor goes to the network itself for these roots, to resolve + the server (:option:`-u` option) and to check the root DNSKEY records. + It does so, because the tool when used for bootstrapping the recursive + resolver, cannot use that recursive resolver itself because it is + bootstrapping that server. + +.. option:: -R + + Allow fallback from :option:`-f` ```` file to direct root + servers query. + It allows you to prefer local resolvers, but fallback automatically to + direct root query if they do not respond or do not support DNSSEC. + +.. option:: -v + + More verbose. + Once prints informational messages, multiple times may enable large + debug amounts (such as full certificates or byte-dumps of downloaded + files). + By default it prints almost nothing. + It also prints nothing on errors by default; in that case the original + root anchor file is simply left undisturbed, so that a recursive server + can start right after it. + +.. option:: -C + + Debug option to read :file:`` into the resolver process + used. + +.. option:: -P + + Set the port number to use for the https connection. + The default is 443. + +.. option:: -F + + Debug option to force update of the root anchor through downloading the + xml file and verifying it with the certificate. + By default it first tries to update by contacting the DNS, which uses + much less bandwidth, is much faster (200 msec not 2 sec), and is nicer + to the deployed infrastructure. + With this option, it still attempts to do so (and may verbosely tell + you), but then ignores the result and goes on to use the xml fallback + method. + +.. option:: -h + + Show the version and commandline option help. + +Exit Code +--------- + +This tool exits with value 1 if the root anchor was updated using the +certificate or if the builtin root-anchor was used. +It exits with code 0 if no update was necessary, if the update was possible +with :rfc:`5011` tracking, or if an error occurred. + +You can check the exit value in this manner: + +.. code-block:: text + + unbound-anchor -a "root.key" || logger "Please check root.key" + +Or something more suitable for your operational environment. + +Trust +----- + +The root keys and update certificate included in this tool are provided for +convenience and under the terms of our license (see the LICENSE file in the +source distribution or https://github.com/NLnetLabs/unbound/blob/master/LICENSE +and might be stale or not suitable to your purpose. + +By running :option:`unbound-anchor -l` the keys and certificate that are +configured in the code are printed for your convenience. + +The built-in configuration can be overridden by providing a root-cert file and +a rootkey file. + +Files +----- + +@UNBOUND_ROOTKEY_FILE@ + The root anchor file, updated with 5011 tracking, and read and written + to. + The file is created if it does not exist. + +@UNBOUND_ROOTCERT_FILE@ + The trusted self-signed certificate that is used to verify the + downloaded DNSSEC root trust anchor. + You can update it by fetching it from + https://data.iana.org/root-anchors/icannbundle.pem (and validate it). + If the file does not exist or is empty, a builtin version is used. + +https://data.iana.org/root-anchors/root-anchors.xml + Source for the root key information. + +https://data.iana.org/root-anchors/root-anchors.p7s + Signature on the root key information. + +See Also +-------- + +:doc:`unbound.conf(5)`, +:doc:`unbound(8)`. diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in index f4d0f2908..1d17573e9 100644 --- a/doc/unbound-checkconf.8.in +++ b/doc/unbound-checkconf.8.in @@ -1,56 +1,93 @@ -.TH "unbound-checkconf" "8" "@date@" "NLnet Labs" "unbound @version@" -.\" -.\" unbound-checkconf.8 -- unbound configuration checker manual -.\" -.\" Copyright (c) 2007, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -unbound\-checkconf -\- Check Unbound configuration file for errors. -.SH "SYNOPSIS" -.B unbound\-checkconf -.RB [ \-h ] -.RB [ \-f ] -.RB [ \-q ] -.RB [ \-o -.IR option ] -.RI [ cfgfile ] -.SH "DESCRIPTION" -.B Unbound\-checkconf -checks the configuration file for the -\fIunbound\fR(8) -DNS resolver for syntax and other errors. +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "UNBOUND-CHECKCONF" "8" "@date@" "@version@" "Unbound" +.SH NAME +unbound-checkconf \- Check Unbound @version@ configuration file for errors. +.SH SYNOPSIS +.sp +\fBunbound\-checkconf\fP [\fB\-hf\fP] [\fB\-o option\fP] [cfgfile] +.SH DESCRIPTION +.sp +\fBunbound\-checkconf\fP checks the configuration file for the +\fI\%unbound(8)\fP DNS resolver for syntax and other errors. The config file syntax is described in -\fIunbound.conf\fR(5). -.P +\fI\%unbound.conf(5)\fP\&. +.sp The available options are: +.INDENT 0.0 .TP .B \-h Show the version and commandline option help. +.UNINDENT +.INDENT 0.0 .TP .B \-f -Print full pathname, with chroot applied to it. Use with the \-o option. -.TP -.B \-o\fI option -If given, after checking the config file the value of this option is -printed to stdout. For "" (disabled) options an empty line is printed. +Print full pathname, with chroot applied to it. +Use with the \fI\%\-o\fP option. +.UNINDENT +.INDENT 0.0 .TP .B \-q Make the operation quiet, suppress output on success. +.UNINDENT +.INDENT 0.0 .TP -.I cfgfile -The config file to read with settings for Unbound. It is checked. +.B \-o