Merge branch 'master' into features/rfc8914-ede

tcarpay 2021-12-15 13:07:01 +01:00 committed by GitHub
commit df229db074
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
76 changed files with 707 additions and 376 deletions


@ -61,6 +61,7 @@ PYTHON_CPPFLAGS=-I. @PYTHON_CPPFLAGS@
CFLAGS=-DSRCDIR=$(srcdir) @CFLAGS@
LDFLAGS=@LDFLAGS@
LIBS=@LIBS@
PYTHON_LIBS=@PYTHON_LIBS@
LIBOBJS=@LIBOBJS@
# filter out ctime_r from compat obj.
LIBOBJ_WITHOUT_CTIME=@LIBOBJ_WITHOUT_CTIME@
@ -478,7 +479,7 @@ libunbound/python/libunbound_wrap.c: $(srcdir)/libunbound/python/libunbound.i un
# Pyunbound python unbound wrapper
_unbound.la: libunbound_wrap.lo libunbound.la
$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -avoid-version -no-undefined -shared -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) -L. -L.libs libunbound.la $(LIBS)
$(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -avoid-version -no-undefined -shared -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) -L. -L.libs libunbound.la $(PYTHON_LIBS)
util/config_file.c: util/configparser.h
util/configlexer.c: $(srcdir)/util/configlexer.lex util/configparser.h
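Review bot: The `_unbound.la` link line now ends in `$(PYTHON_LIBS)` instead of `$(LIBS)` while still passing `-no-undefined`, so every non-Python symbol that libunbound_wrap.lo references has to resolve through libunbound.la. That holds only if the wrapper calls nothing from the other libraries directly, which this hunk does not show, so it is worth confirming on a platform where libtool enforces `-no-undefined`. The new `PYTHON_LIBS=@PYTHON_LIBS@` assignment is also undocumented; a comment above it such as `# link flags for the pyunbound wrapper only (Python libraries, not the full LIBS)` would record the intent.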


@ -241,7 +241,7 @@ If you are working from a developer machine you probably already have the necess
The fourth step builds OpenSSL and Expat. OpenSSL and Expat are built for iOS using the scripts `contrib/ios/install_openssl.sh` and `contrib/ios/install_expat.sh`. The scripts download, configure and install the latest release version of the libraries. The libraries are configured with `--prefix="$IOS_PREFIX"` so the headers are placed in `$IOS_PREFIX/include` directory, and the libraries are placed in the `$IOS_PREFIX/lib` directory.
`IOS_PREFIX` is the value `$HOME/$IOS_SDK-$IOS_CPU`. The scheme handles both iOS SDKs and cpu architectures so the pair recieves a unique installation directory. The libraries will be installed in `$HOME/iPhoneOS-armv7s`, `$HOME/iPhoneOS-arm64`, `$HOME/iPhoneSimulator-i386`, etc. For Autotools projects, the appropriate `PKG_CONFIG_PATH` is exported.
`IOS_PREFIX` is the value `$HOME/$IOS_SDK-$IOS_CPU`. The scheme handles both iOS SDKs and cpu architectures so the pair receives a unique installation directory. The libraries will be installed in `$HOME/iPhoneOS-armv7s`, `$HOME/iPhoneOS-arm64`, `$HOME/iPhoneSimulator-i386`, etc. For Autotools projects, the appropriate `PKG_CONFIG_PATH` is exported.
`PKG_CONFIG_PATH` is an important variable. It is the userland equivalent to sysroot, and allows Autotools to find non-system headers and libraries for an architecture. Typical `PKG_CONFIG_PATH` are `$HOME/iPhoneOS-armv7s/lib/pkgconfig` and `$HOME/iPhoneOS-arm64/lib/pkgconfig`.


@ -318,6 +318,9 @@
/* Define to 1 if you have the <ifaddrs.h> header file. */
#undef HAVE_IFADDRS_H
/* Define to 1 if you have the `if_nametoindex' function. */
#undef HAVE_IF_NAMETOINDEX
/* Define to 1 if you have the `inet_aton' function. */
#undef HAVE_INET_ATON
@ -378,6 +381,9 @@
/* Define to 1 if you have the <netinet/tcp.h> header file. */
#undef HAVE_NETINET_TCP_H
/* Define to 1 if you have the <netioapi.h> header file. */
#undef HAVE_NETIOAPI_H
/* Use libnettle for crypto */
#undef HAVE_NETTLE

95
configure vendored

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for unbound 1.13.3.
# Generated by GNU Autoconf 2.69 for unbound 1.14.1.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
#
@ -591,8 +591,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
PACKAGE_VERSION='1.13.3'
PACKAGE_STRING='unbound 1.13.3'
PACKAGE_VERSION='1.14.1'
PACKAGE_STRING='unbound 1.14.1'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
PACKAGE_URL=''
@ -698,6 +698,7 @@ swig
SWIG_LIB
SWIG
PC_PY_DEPENDENCY
PYTHON_LIBS
PY_MAJOR_VERSION
PYTHON_SITE_PKG
PYTHON_LDFLAGS
@ -1465,7 +1466,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures unbound 1.13.3 to adapt to many kinds of systems.
\`configure' configures unbound 1.14.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1530,7 +1531,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of unbound 1.13.3:";;
short | recursive ) echo "Configuration of unbound 1.14.1:";;
esac
cat <<\_ACEOF
@ -1772,7 +1773,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
unbound configure 1.13.3
unbound configure 1.14.1
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2481,7 +2482,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by unbound $as_me 1.13.3, which was
It was created by unbound $as_me 1.14.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2831,13 +2832,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=13
UNBOUND_VERSION_MINOR=14
UNBOUND_VERSION_MICRO=3
UNBOUND_VERSION_MICRO=1
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=14
LIBUNBOUND_REVISION=15
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -2918,7 +2919,8 @@ LIBUNBOUND_AGE=1
# 1.13.0 had 9:11:1
# 1.13.1 had 9:12:1
# 1.13.2 had 9:13:1
# 1.13.3 had 9:14:1
# 1.14.0 had 9:14:1
# 1.14.1 had 9:15:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -14811,6 +14813,51 @@ fi
done
for ac_header in netioapi.h
do :
ac_fn_c_check_header_compile "$LINENO" "netioapi.h" "ac_cv_header_netioapi_h" "$ac_includes_default
#if HAVE_SYS_PARAM_H
#include <sys/param.h>
#endif
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
#ifdef HAVE_SYS_UIO_H
#include <sys/uio.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#ifdef HAVE_WINSOCK2_H
#include <winsock2.h>
#endif
#ifdef HAVE_WS2TCPIP_H
#include <ws2tcpip.h>
#endif
"
if test "x$ac_cv_header_netioapi_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_NETIOAPI_H 1
_ACEOF
fi
done
# check for types.
# Using own tests for int64* because autoconf builtin only give 32bit.
@ -15324,7 +15371,7 @@ if test "$ac_res" != no; then :
fi
# check wether strptime also works
# check whether strptime also works
# check some functions of the OS before linking libs (while still runnable).
for ac_header in unistd.h
@ -17555,11 +17602,15 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
$as_echo "#define HAVE_PYTHON 1" >>confdefs.h
if test -n "$LIBS"; then
LIBS="$PYTHON_LDFLAGS $LIBS"
else
LIBS="$PYTHON_LDFLAGS"
if test x_$ub_with_pythonmod != x_no; then
if test -n "$LIBS"; then
LIBS="$PYTHON_LDFLAGS $LIBS"
else
LIBS="$PYTHON_LDFLAGS"
fi
fi
PYTHON_LIBS="$PYTHON_LDFLAGS"
if test -n "$CPPFLAGS"; then
CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
else
@ -18347,7 +18398,7 @@ rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
SSLLIB="-lssl"
PC_CRYPTO_DEPENDENCY="libcrypto libssl"
PC_CRYPTO_DEPENDENCY=""
# check if -lcrypt32 is needed because CAPIENG needs that. (on windows)
@ -18777,7 +18828,7 @@ $as_echo "#define CLIENT_SUBNET 1" >>confdefs.h
;;
esac
# check wether gost also works
# check whether gost also works
# Check whether --enable-gost was given.
if test "${enable_gost+set}" = set; then :
@ -20417,7 +20468,7 @@ if test "$ac_res" != no; then :
fi
for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs
for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -21835,7 +21886,7 @@ _ACEOF
version=1.13.3
version=1.14.1
date=`date +'%b %e, %Y'`
@ -22354,7 +22405,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by unbound $as_me 1.13.3, which was
This file was extended by unbound $as_me 1.14.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -22420,7 +22471,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
unbound config.status 1.13.3
unbound config.status 1.14.1
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"


@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[13])
m4_define([VERSION_MICRO],[3])
m4_define([VERSION_MINOR],[14])
m4_define([VERSION_MICRO],[1])
AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=9
LIBUNBOUND_REVISION=14
LIBUNBOUND_REVISION=15
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@ -99,7 +99,8 @@ LIBUNBOUND_AGE=1
# 1.13.0 had 9:11:1
# 1.13.1 had 9:12:1
# 1.13.2 had 9:13:1
# 1.13.3 had 9:14:1
# 1.14.0 had 9:14:1
# 1.14.1 had 9:15:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -412,6 +413,39 @@ AC_CHECK_HEADERS([net/if.h],,, [
# Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
AC_CHECK_HEADERS([TargetConditionals.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([netioapi.h],,, [AC_INCLUDES_DEFAULT
#if HAVE_SYS_PARAM_H
#include <sys/param.h>
#endif
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
#ifdef HAVE_SYS_UIO_H
#include <sys/uio.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#ifdef HAVE_WINSOCK2_H
#include <winsock2.h>
#endif
#ifdef HAVE_WS2TCPIP_H
#include <ws2tcpip.h>
#endif
])
# check for types.
# Using own tests for int64* because autoconf builtin only give 32bit.
@ -458,7 +492,7 @@ AC_SUBST(RUNTIME_PATH)
AC_SEARCH_LIBS([inet_pton], [nsl])
AC_SEARCH_LIBS([socket], [socket])
# check wether strptime also works
# check whether strptime also works
AC_DEFUN([AC_CHECK_STRPTIME_WORKS],
[AC_REQUIRE([AC_PROG_CC])
AC_MSG_CHECKING(whether strptime works)
@ -700,11 +734,15 @@ if test x_$ub_test_python != x_no; then
AC_SUBST(PY_MAJOR_VERSION)
# Have Python
AC_DEFINE(HAVE_PYTHON,1,[Define if you have Python libraries and header files.])
if test -n "$LIBS"; then
LIBS="$PYTHON_LDFLAGS $LIBS"
else
LIBS="$PYTHON_LDFLAGS"
if test x_$ub_with_pythonmod != x_no; then
if test -n "$LIBS"; then
LIBS="$PYTHON_LDFLAGS $LIBS"
else
LIBS="$PYTHON_LDFLAGS"
fi
fi
PYTHON_LIBS="$PYTHON_LDFLAGS"
AC_SUBST(PYTHON_LIBS)
if test -n "$CPPFLAGS"; then
CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
else
@ -837,7 +875,7 @@ ACX_WITH_SSL
ACX_LIB_SSL
SSLLIB="-lssl"
PC_CRYPTO_DEPENDENCY="libcrypto libssl"
PC_CRYPTO_DEPENDENCY=""
AC_SUBST(PC_CRYPTO_DEPENDENCY)
# check if -lcrypt32 is needed because CAPIENG needs that. (on windows)
@ -980,7 +1018,7 @@ case "$enable_subnet" in
;;
esac
# check wether gost also works
# check whether gost also works
AC_DEFUN([AC_CHECK_GOST_WORKS],
[AC_REQUIRE([AC_PROG_CC])
AC_MSG_CHECKING([if GOST works])
@ -1601,7 +1639,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([
AC_MSG_RESULT(no))
AC_SEARCH_LIBS([setusercontext], [util])
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs])
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex])
AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
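Review bot: The new `AC_CHECK_HEADERS([netioapi.h],,, [...])` block has no comment saying why the header is probed, although the TargetConditionals.h check directly above it has one. A line such as `# Check for netioapi.h, needed for the if_nametoindex declaration on Windows` would tie it to the `if_nametoindex` entry added to AC_CHECK_FUNCS further down; the Windows link is presumed from the changelog entry, so please confirm. The include prologue also opens with `#if HAVE_SYS_PARAM_H` where every other guard in it uses `#ifdef`; `#ifdef HAVE_SYS_PARAM_H` would be consistent.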


@ -685,8 +685,12 @@ dns64_operate(struct module_qstate* qstate, enum module_ev event, int id,
switch(event) {
case module_event_new:
/* Tag this query as being new and fall through. */
iq = (struct dns64_qstate*)regional_alloc(
qstate->region, sizeof(*iq));
if (!(iq = (struct dns64_qstate*)regional_alloc(
qstate->region, sizeof(*iq)))) {
log_err("out of memory");
qstate->ext_state[id] = module_error;
return;
}
qstate->minfo[id] = iq;
iq->state = DNS64_NEW_QUERY;
iq->started_no_cache_store = qstate->no_cache_store;
@ -913,8 +917,9 @@ dns64_adjust_ptr(struct module_qstate* qstate, struct module_qstate* super)
sizeof(struct dns_msg))))
return;
super->return_msg->qinfo = super->qinfo;
super->return_msg->rep = reply_info_copy(qstate->return_msg->rep, NULL,
super->region);
if (!(super->return_msg->rep = reply_info_copy(qstate->return_msg->rep,
NULL, super->region)))
return;
/*
* Adjust the domain name of the answer RR set so that it matches the
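Review bot: In dns64_adjust_ptr the new early return on a failed reply_info_copy leaves `super->return_msg` pointing at a dns_msg whose `rep` is NULL, and it logs nothing, unlike the dns64_operate hunk, which logs and sets `module_error`. Whether the caller checks `super->return_msg->rep` before using the message is not visible here, so that path should be confirmed to treat a NULL `rep` as failure. At minimum the failure should be reported, e.g. `log_err("out of memory");` before the `return;`. The regional_alloc failure just above it in the same function also returns silently. Both function bodies continue outside the hunks.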


@ -435,7 +435,7 @@ dnscrypt_hrtime(void)
/**
* Add the server nonce part to once.
* The nonce is made half of client nonce and the seconf half of the server
* The nonce is made half of client nonce and the second half of the server
* nonce, both of them of size crypto_box_HALF_NONCEBYTES.
* \param[in] nonce: a uint8_t* of size crypto_box_NONCEBYTES
*/
@ -674,7 +674,7 @@ dnsc_find_cert(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
/**
* Insert local-zone and local-data into configuration.
* In order to be able to serve certs over TXT, we can reuse the local-zone and
* local-data config option. The zone and qname are infered from the
* local-data config option. The zone and qname are inferred from the
* provider_name and the content of the TXT record from the certificate content.
* returns the number of certificate TXT record that were loaded.
* < 0 in case of error.


@ -114,7 +114,7 @@ void dnsc_delete(struct dnsc_env *env);
/**
* handle a crypted dnscrypt request.
* Determine wether or not a query is coming over the dnscrypt listener and
* Determine whether or not a query is coming over the dnscrypt listener and
* attempt to uncurve it or detect if it is a certificate query.
* return 0 in case of failure.
*/
@ -122,7 +122,7 @@ int dnsc_handle_curved_request(struct dnsc_env* dnscenv,
struct comm_reply* repinfo);
/**
* handle an unencrypted dnscrypt request.
* Determine wether or not a query is going over the dnscrypt channel and
* Determine whether or not a query is going over the dnscrypt channel and
* attempt to curve it unless it was not crypted like when it is a
* certificate query.
* \return 0 in case of failure.


@ -251,7 +251,7 @@ dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len)
entry->buf = buf;
entry->len = len;
/* aqcuire lock */
/* acquire lock */
lock_basic_lock(&mq->lock);
/* if list was empty, start timer for (eventual) wakeup */
if(mq->first == NULL)
@ -930,7 +930,7 @@ static int dtio_write_more_of_data(struct dt_io_thread* dtio)
return 1;
}
/** write more of the current messsage. false if incomplete, true if
/** write more of the current message. false if incomplete, true if
* the message is done */
static int dtio_write_more(struct dt_io_thread* dtio)
{
@ -1181,7 +1181,7 @@ static int dtio_read_accept_frame(struct dt_io_thread* dtio)
goto close_connection;
return 1;
} else {
/* unknow content type */
/* unknown content type */
verbose(VERB_ALGO, "dnstap: ACCEPT frame "
"contains unknown content type, "
"closing connection");


@ -1,3 +1,59 @@
13 December 2021: George
- Add missing configure flags for optional features in the
documentation.
- Fix Unbound capitalization in the documentation.
13 December 2021: Wouter
- Fix to pick up other class local zone information before unlock.
10 December 2021: George
- Allow local-data for classes other than IN to inherit a configured
local-zone's type if possible, instead of defaulting to type
transparent as per the implicit rule.
10 December 2021: Wouter
- Add code similar to fix for ldns for tab between strings, for
consistency, the test case was not broken.
6 December 2021: Wouter
- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
warnings in rpz.
- Fix validator debug output about DS support, print correct algorithm.
3 December 2021: Wouter
- Fix compile warning for if_nametoindex on windows 64bit.
1 December 2021: Wouter
- configure is set to 1.14.0, and release branch.
This was released as version 1.14.0 on 9 Dec 2021, with the doxygen
fix below included. The main branch continues as 1.14.1.
- Fix doc/unbound.doxygen to remove obsolete tag warning.
1 December 2021: George
- Merge PR #511 from yan12125: Reduce unnecessary linking.
- Merge PR #493 from Jaap: Fix generation of libunbound.pc.
- Merge PR #555 from fobser: Allow interface names as scope-id in IPv6
link-local addresses.
- Merge PR #562 from Willem: Reset keepalive per new tcp session.
- Merge PR #522 from sibeream: memory management violations fixed.
- Merge PR #530 from Shchelk: Fix: dereferencing a null pointer.
- Fix #454: listen_dnsport.c:825: error: IPV6_TCLASS undeclared.
- Fix #574: Review fixes for size allocation.
30 November 2021: Wouter
- Fix to remove git tracking and ci information from release tarballs.
- iana portlist update.
29 November 2021: Wouter
- Merge PR #570 from rex4539: Fix typos.
- Fix for #570: regen aclocal.m4, fix configure.ac for spelling.
- Fix to make python module opt_list use opt_list_in.
- Fix #574: unbound-checkconf reports fatal error if interface names
are used as value for interfaces:
- Fix #574: Review fixes for it.
- Fix #576: [FR] UB_* error codes in unbound.h
- Fix #574: Review fix for spelling.
15 November 2021: Tom
- Improve EDNS option handling, now also works for synthesised
responses such as local-data and server.id CH TXT responses.


@ -82,13 +82,13 @@ server:
# num-queries-per-thread, or, use as many as the OS will allow you.
# outgoing-range: 4096
# permit unbound to use this port number or port range for
# permit Unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
# outgoing-port-permit: 32768
# deny unbound the use this of port number or port range for
# deny Unbound the use this of port number or port range for
# making outgoing queries, using an outgoing interface.
# Use this to make sure unbound does not grab a UDP port that some
# Use this to make sure Unbound does not grab a UDP port that some
# other server on this computer needs. The default is to avoid
# IANA-assigned port numbers.
# If multiple outgoing-port-permit and outgoing-port-avoid options
@ -254,7 +254,7 @@ server:
# use-systemd: no
# Detach from the terminal, run in background, "yes" or "no".
# Set the value to "no" when unbound runs as systemd service.
# Set the value to "no" when Unbound runs as systemd service.
# do-daemonize: yes
# control which clients are allowed to make (recursive) queries
@ -307,7 +307,7 @@ server:
# The pid file can be absolute and outside of the chroot, it is
# written just prior to performing the chroot and dropping permissions.
#
# Additionally, unbound may need to access /dev/urandom (for entropy).
# Additionally, Unbound may need to access /dev/urandom (for entropy).
# How to do this is specific to your OS.
#
# If you give "" no chroot is performed. The path must not end in a /.
@ -517,7 +517,7 @@ server:
# Use several entries, one per domain name, to track multiple zones.
#
# If you want to perform DNSSEC validation, run unbound-anchor before
# you start unbound (i.e. in the system boot scripts).
# you start Unbound (i.e. in the system boot scripts).
# And then enable the auto-trust-anchor-file config item.
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
@ -585,7 +585,7 @@ server:
# val-permissive-mode: no
# Ignore the CD flag in incoming queries and refuse them bogus data.
# Enable it if the only clients of unbound are legacy servers (w2008)
# Enable it if the only clients of Unbound are legacy servers (w2008)
# that set CD but cannot validate themselves.
# ignore-cd-flag: no
@ -615,7 +615,7 @@ server:
# Return the original TTL as received from the upstream name server rather
# than the decrementing TTL as stored in the cache. Enabling this feature
# does not impact cache expiry, it only changes the TTL unbound embeds in
# does not impact cache expiry, it only changes the TTL Unbound embeds in
# responses to queries. Note that enabling this feature implicitly disables
# enforcement of the configured minimum and maximum TTL.
# serve-original-ttl: no
@ -709,9 +709,9 @@ server:
# Add example.com into ipset
# local-zone: "example.com" ipset
# If unbound is running service for the local host then it is useful
# If Unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server
# long list of local-zones above. If this Unbound is a dns server
# for a network of computers, disabled is better and stops information
# leakage of local lan information.
# unblock-lan-zones: no
@ -889,7 +889,7 @@ server:
# the number of servers that will be used in the fast server selection.
# fast-server-num: 3
# Specific options for ipsecmod. unbound needs to be configured with
# Specific options for ipsecmod. Unbound needs to be configured with
# --enable-ipsecmod for these to take effect.
#
# Enable or disable ipsecmod (it still needs to be defined in
@ -901,7 +901,7 @@ server:
# listed in module-config (above).
# ipsecmod-hook: "./my_executable"
#
# When enabled unbound will reply with SERVFAIL if the return value of
# When enabled Unbound will reply with SERVFAIL if the return value of
# the ipsecmod-hook is not 0.
# ipsecmod-strict: no
#
@ -966,10 +966,10 @@ remote-control:
# For local sockets this option is ignored, and TLS is not used.
# control-use-cert: "yes"
# unbound server key file.
# Unbound server key file.
# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
# unbound server certificate file.
# Unbound server certificate file.
# server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
# unbound-control key file.
@ -1072,8 +1072,9 @@ remote-control:
# local-zone: "example.com" refuse
# DNSCrypt
# To enable, use --enable-dnscrypt to configure before compiling.
# Caveats:
# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
# listen on `dnscrypt-port` with the follo0wing snippet:
@ -1092,7 +1093,9 @@ remote-control:
# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
# CacheDB
# Enable external backend DB as auxiliary cache. Specify the backend name
# External backend DB as auxiliary cache.
# To enable, use --enable-cachedb to configure before compiling.
# Specify the backend name
# (default is "testframe", which has no use other than for debugging and
# testing) and backend-specific options. The 'cachedb' module must be
# included in module-config, just before the iterator module.
@ -1102,6 +1105,7 @@ remote-control:
# secret-seed: "default"
#
# # For "redis" backend:
# # (to enable, use --with-libhiredis to configure before compiling)
# # redis server's IP address or host name
# redis-server-host: 127.0.0.1
# # redis server's TCP port
@ -1113,7 +1117,9 @@ remote-control:
# IPSet
# Add specify domain into set via ipset.
# Note: To enable ipset unbound needs to run as root user.
# To enable:
# o use --enable-ipset to configure before compiling;
# o Unbound then needs to run as root user.
# ipset:
# # set name for ip v4 addresses
# name-v4: "list-v4"
@ -1121,9 +1127,10 @@ remote-control:
# name-v6: "list-v6"
#
# Dnstap logging support, if compiled in. To enable, set the dnstap-enable
# to yes and also some of dnstap-log-..-messages to yes. And select an
# upstream log destination, by socket path, TCP or TLS destination.
# Dnstap logging support, if compiled in by using --enable-dnstap to configure.
# To enable, set the dnstap-enable to yes and also some of
# dnstap-log-..-messages to yes. And select an upstream log destination, by
# socket path, TCP or TLS destination.
# dnstap:
# dnstap-enable: no
# # if set to yes frame streams will be used in bidirectional mode
@ -1136,7 +1143,7 @@ remote-control:
# dnstap-tls: yes
# # name for authenticating the upstream server. or "" disabled.
# dnstap-tls-server-name: ""
# # if "", it uses the cert bundle from the main unbound config.
# # if "", it uses the cert bundle from the main Unbound config.
# dnstap-tls-cert-bundle: ""
# # key file for client authentication, or "" disabled.
# dnstap-tls-client-key-file: ""


@ -41,7 +41,7 @@ update certificate files.
.P
It tests if the root anchor file works, and if not, and an update is possible,
attempts to update the root anchor using the root update certificate.
It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
if all checks are successful, it updates the root anchor file. Otherwise
the root anchor file is unchanged. It performs RFC5011 tracking if the
DNSSEC information available via the DNS makes that possible.
@ -185,5 +185,5 @@ Source for the root key information.
.I https://data.iana.org/root\-anchors/root\-anchors.p7s
Signature on the root key information.
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound.conf\fR(5),
\fIunbound\fR(8).


@ -9,7 +9,7 @@
.\"
.SH "NAME"
unbound\-checkconf
\- Check unbound configuration file for errors.
\- Check Unbound configuration file for errors.
.SH "SYNOPSIS"
.B unbound\-checkconf
.RB [ \-h ]
@ -21,8 +21,8 @@ unbound\-checkconf
.B Unbound\-checkconf
checks the configuration file for the
\fIunbound\fR(8)
DNS resolver for syntax and other errors.
The config file syntax is described in
DNS resolver for syntax and other errors.
The config file syntax is described in
\fIunbound.conf\fR(5).
.P
The available options are:
@ -34,19 +34,19 @@ Show the version and commandline option help.
Print full pathname, with chroot applied to it. Use with the \-o option.
.TP
.B \-o\fI option
If given, after checking the config file the value of this option is
If given, after checking the config file the value of this option is
printed to stdout. For "" (disabled) options an empty line is printed.
.TP
.I cfgfile
The config file to read with settings for unbound. It is checked.
The config file to read with settings for Unbound. It is checked.
If omitted, the config file at the default location is checked.
.SH "EXIT CODE"
The unbound\-checkconf program exits with status code 1 on error,
The unbound\-checkconf program exits with status code 1 on error,
0 for a correct config file.
.SH "FILES"
.TP
.I @ub_conf_file@
unbound configuration file.
Unbound configuration file.
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound.conf\fR(5),
\fIunbound\fR(8).


@ -14,15 +14,15 @@
.SH "SYNOPSIS"
.B unbound\-control
.RB [ \-hq ]
.RB [ \-c
.RB [ \-c
.IR cfgfile ]
.RB [ \-s
.RB [ \-s
.IR server ]
.IR command
.SH "DESCRIPTION"
.B Unbound\-control
performs remote administration on the \fIunbound\fR(8) DNS server.
It reads the configuration file, contacts the unbound server over SSL
It reads the configuration file, contacts the Unbound server over SSL
sends the command and displays the result.
.P
The available options are:
@ -44,8 +44,8 @@ quiet, if the option is given it does not print anything if it works ok.
There are several commands that the server understands.
.TP
.B start
Start the server. Simply execs \fIunbound\fR(8). The unbound executable
is searched for in the \fBPATH\fR set in the environment. It is started
Start the server. Simply execs \fIunbound\fR(8). The Unbound executable
is searched for in the \fBPATH\fR set in the environment. It is started
with the config file specified using \fI\-c\fR or the default config file.
.TP
.B stop
@ -65,8 +65,8 @@ daemon release the file it is logging to. If you are using syslog it will
attempt to close and open the syslog (which may not work if chrooted).
.TP
.B stats
Print statistics. Resets the internal counters to zero, this can be
controlled using the \fBstatistics\-cumulative\fR config statement.
Print statistics. Resets the internal counters to zero, this can be
controlled using the \fBstatistics\-cumulative\fR config statement.
Statistics are printed with one [name]: [value] per line.
.TP
.B stats_noreset
@ -74,7 +74,7 @@ Peek at statistics. Prints them like the \fBstats\fR command does, but does not
reset the internal counters to zero.
.TP
.B status
Display server status. Exit code 3 if not running (the connection to the
Display server status. Exit code 3 if not running (the connection to the
port is refused), 1 on error, 0 if running.
.TP
.B local_zone \fIname\fR \fItype
@ -88,14 +88,14 @@ it. If the zone does not exist, the command succeeds.
.B local_data \fIRR data...
Add new local data, the given resource record. Like \fBlocal\-data\fR
config statement, except for when no covering zone exists. In that case
this remote control command creates a transparent zone with the same
this remote control command creates a transparent zone with the same
name as this record.
.TP
.B local_data_remove \fIname
Remove all RR data from local name. If the name already has no items,
nothing happens. Often results in NXDOMAIN for the name (in a static zone),
but if the name has become an empty nonterminal (there is still data in
domain names below the removed name), NOERROR nodata answers are the
but if the name has become an empty nonterminal (there is still data in
domain names below the removed name), NOERROR nodata answers are the
result for that name.
.TP
.B local_zones
@ -125,22 +125,22 @@ in old or wrong data returned to clients. Loading data into the cache
in this way is supported in order to aid with debugging.
.TP
.B lookup \fIname
Print to stdout the name servers that would be used to look up the
Print to stdout the name servers that would be used to look up the
name specified.
.TP
.B flush \fIname
Remove the name from the cache. Removes the types
A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR.
Because that is fast to do. Other record types can be removed using
.B flush_type
or
Because that is fast to do. Other record types can be removed using
.B flush_type
or
.B flush_zone\fR.
.TP
.B flush_type \fIname\fR \fItype
Remove the name, type information from the cache.
.TP
.B flush_zone \fIname
Remove all information at or below the name from the cache.
Remove all information at or below the name from the cache.
The rrsets and key entries are removed so that new lookups will be performed.
This needs to walk and inspect the entire cache, and is a slow operation.
The entries are set to expired in the implementation of this command (so,
@ -187,7 +187,7 @@ therefore not flushed. The option must end with a ':' and whitespace
must be between the option and the value. Some values may not have an
effect if set this way, the new values are not written to the config file,
not all options are supported. This is different from the set_option call
in libunbound, where all values work because unbound has not been initialized.
in libunbound, where all values work because Unbound has not been initialized.
.IP
The values that work are: statistics\-interval, statistics\-cumulative,
do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
@ -227,36 +227,36 @@ List the local data RRs in use. The resource records are printed.
.TP
.B insecure_add \fIzone
Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf.
Adds to the running unbound without affecting the cache contents (which may
Adds to the running Unbound without affecting the cache contents (which may
still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file.
.TP
.B insecure_remove \fIzone
Removes domain\-insecure for the given zone.
.TP
.B forward_add \fR[\fI+i\fR] \fIzone addr ...
Add a new forward zone to running unbound. With +i option also adds a
Add a new forward zone to running Unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
a DNSSEC root trust anchor configured for other names).
The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
in unbound.conf.
.TP
.B forward_remove \fR[\fI+i\fR] \fIzone
Remove a forward zone from running unbound. The +i also removes a
Remove a forward zone from running Unbound. The +i also removes a
\fIdomain\-insecure\fR for the zone.
.TP
.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
Add a new stub zone to running unbound. With +i option also adds a
Add a new stub zone to running Unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime,
without it it is set to notprime. The addr can be IP4, IP6 or nameserver
names, like the \fIstub-zone\fR config in unbound.conf.
.TP
.B stub_remove \fR[\fI+i\fR] \fIzone
Remove a stub zone from running unbound. The +i also removes a
Remove a stub zone from running Unbound. The +i also removes a
\fIdomain\-insecure\fR for the zone.
.TP
.B forward \fR[\fIoff\fR | \fIaddr ...\fR ]
Setup forwarding mode. Configures if the server should ask other upstream
nameservers, should go to the internet root nameservers itself, or show
nameservers, should go to the internet root nameservers itself, or show
the current config. You could pass the nameservers after a DHCP update.
.IP
Without arguments the current list of addresses used to forward all queries
@ -296,7 +296,7 @@ status, indicating if the zone is expired and current serial number.
Reload the auth zone from zonefile. The zonefile is read in overwriting
the current contents of the zone in memory. This changes the auth zone
contents itself, not the cache contents. Such cache contents exists if
you set unbound to validate with for-upstream yes and that can be cleared
you set Unbound to validate with for-upstream yes and that can be cleared
with \fBflush_zone\fR \fIzone\fR.
.TP
.B auth_zone_transfer \fIzone\fR
@ -336,7 +336,7 @@ Add a list of \fIlocal_data\fR for given view from stdin. Like local_datas.
.SH "EXIT CODE"
The unbound\-control program exits with status code 1 on error, 0 on success.
.SH "SET UP"
The setup requires a self\-signed certificate and private keys for both
The setup requires a self\-signed certificate and private keys for both
the server and client. The script \fIunbound\-control\-setup\fR generates
these in the default run directory, or with \-d in another directory.
If you change the access control permissions on the key files you can decide
@ -350,7 +350,7 @@ If you have not configured
a username in unbound.conf, the keys need read permission for the user
credentials under which the daemon is started.
The script preserves private keys present in the directory.
After running the script as root, turn on \fBcontrol\-enable\fR in
After running the script as root, turn on \fBcontrol\-enable\fR in
\fIunbound.conf\fR.
.SH "STATISTIC COUNTERS"
The \fIstats\fR command shows a number of statistic counters.
@ -417,8 +417,8 @@ Average time it took to answer queries that needed recursive processing. Note th
.TP
.I threadX.recursion.time.median
The median of the time it took to answer queries that needed recursive
processing. The median means that 50% of the user queries were answered in
less than this time. Because of big outliers (usually queries to non
processing. The median means that 50% of the user queries were answered in
less than this time. Because of big outliers (usually queries to non
responsive servers), the average can be bigger than the median. This median
has been calculated by interpolation from a histogram.
.TP
@ -544,32 +544,32 @@ The total number of queries over all threads with query opcode QUERY.
Also printed for other opcodes, UPDATE, ...
.TP
.I num.query.tcp
Number of queries that were made using TCP towards the unbound server.
Number of queries that were made using TCP towards the Unbound server.
.TP
.I num.query.tcpout
Number of queries that the unbound server made using TCP outgoing towards
Number of queries that the Unbound server made using TCP outgoing towards
other servers.
.TP
.I num.query.tls
Number of queries that were made using TLS towards the unbound server.
Number of queries that were made using TLS towards the Unbound server.
These are also counted in num.query.tcp, because TLS uses TCP.
.TP
.I num.query.tls.resume
Number of TLS session resumptions, these are queries over TLS towards
the unbound server where the client negotiated a TLS session resumption key.
the Unbound server where the client negotiated a TLS session resumption key.
.TP
.I num.query.https
Number of queries that were made using HTTPS towards the unbound server.
Number of queries that were made using HTTPS towards the Unbound server.
These are also counted in num.query.tcp and num.query.tls, because HTTPS
uses TLS and TCP.
.TP
.I num.query.ipv6
Number of queries that were made using IPv6 towards the unbound server.
Number of queries that were made using IPv6 towards the Unbound server.
.TP
.I num.query.flags.RD
The number of queries that had the RD flag set in the header.
Also printed for flags QR, AA, TC, RA, Z, AD, CD.
Note that queries with flags QR, AA or TC may have been rejected
Note that queries with flags QR, AA or TC may have been rejected
because of that.
.TP
.I num.query.edns.present
@ -603,7 +603,7 @@ These queries are also included in the num.answer.rcode.NOERROR number.
Common for AAAA lookups when an A record exists, and no AAAA.
.TP
.I num.answer.secure
Number of answers that were secure. The answer validated correctly.
Number of answers that were secure. The answer validated correctly.
The AD bit might have been set in some of these answers, where the client
signalled (with DO or AD bit in the query) that they were ready to accept
the AD bit in the answer.
@ -644,7 +644,7 @@ per delegation point, and their validation status.
.I dnscrypt_shared_secret.cache.count
The number of items in the shared secret cache. These are precomputed shared
secrets for a given client public key/server secret key pair. Shared secrets
are CPU intensive and this cache allows unbound to avoid recomputing the
are CPU intensive and this cache allows Unbound to avoid recomputing the
shared secret when multiple dnscrypt queries are sent from the same client.
.TP
.I dnscrypt_nonce.cache.count
@ -689,11 +689,11 @@ disabled, and cname\-override.
.SH "FILES"
.TP
.I @ub_conf_file@
unbound configuration file.
Unbound configuration file.
.TP
.I @UNBOUND_RUN_DIR@
directory with private keys (unbound_server.key and unbound_control.key) and
self\-signed certificates (unbound_server.pem and unbound_control.pem).
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound.conf\fR(5),
\fIunbound\fR(8).


@ -15,7 +15,7 @@
.RB [ \-C
.IR configfile ]
.RB [ \-vdhr46D ]
.RB [ \-c
.RB [ \-c
.IR class ]
.RB [ \-t
.IR type ]
@ -28,12 +28,12 @@
.I hostname
.SH "DESCRIPTION"
.B Unbound\-host
uses the unbound validating resolver to query for the hostname and display
results. With the \fB\-v\fR option it displays validation
uses the Unbound validating resolver to query for the hostname and display
results. With the \fB\-v\fR option it displays validation
status: secure, insecure, bogus (security failure).
.P
By default it reads no configuration file whatsoever. It attempts to reach
the internet root servers. With \fB\-C\fR an unbound config file and with
the internet root servers. With \fB\-C\fR an Unbound config file and with
\fB\-r\fR resolv.conf can be read.
.P
The available options are:
@ -73,7 +73,7 @@ For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546
.TP
.B \-D
Enables DNSSEC validation. Reads the root anchor from the default configured
root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR.
root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR.
.TP
.B \-f \fIkeyfile
Reads keys from a file. Every line has a DS or DNSKEY record, in the format
@ -110,9 +110,9 @@ $ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325
.P
$ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153
.SH "EXIT CODE"
The unbound\-host program exits with status code 1 on error,
The unbound\-host program exits with status code 1 on error,
0 on no error. The data may not be available on exit code 0, exit code 1
means the lookup encountered a fatal error.
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound.conf\fR(5),
\fIunbound\fR(8).


@ -57,7 +57,7 @@ The available options are:
Show the version number and commandline option help, and exit.
.TP
.B \-c\fI cfgfile
Set the config file with settings for unbound to read instead of reading the
Set the config file with settings for Unbound to read instead of reading the
file at the default location, @ub_conf_file@. The syntax is
described in \fIunbound.conf\fR(5).
.TP
@ -70,7 +70,7 @@ or to syslog, but the log messages are printed to stderr all the time.
.TP
.B \-p
Don't use a pidfile. This argument should only be used by supervision
systems which can ensure that only one instance of unbound will run
systems which can ensure that only one instance of Unbound will run
concurrently.
.TP
.B \-v


@ -104,7 +104,7 @@ requestlist statistics are printed for every interval (but can be 0).
This is because the median calculation requires data to be present.
.TP
.B statistics\-cumulative: \fI<yes or no>
If enabled, statistics are cumulative since starting unbound, without clearing
If enabled, statistics are cumulative since starting Unbound, without clearing
the statistics counters after logging the statistics. Default is no.
.TP
.B extended\-statistics: \fI<yes or no>
@ -136,7 +136,7 @@ Same as interface: (for ease of compatibility with nsd.conf).
Listen on all addresses on all (current and future) interfaces, detect the
source interface on UDP queries and copy them to replies. This is a lot like
ip\-transparent, but this option services all interfaces whilst with
ip\-transparent you can select which (future) interfaces unbound provides
ip\-transparent you can select which (future) interfaces Unbound provides
service on. This feature is experimental, and needs support in your OS for
particular socket options. Default value is no.
.TP
@ -154,7 +154,7 @@ sent via a random outgoing interface to counter spoofing.
If an IPv6 netblock is specified instead of an individual IPv6 address,
outgoing UDP queries will use a randomised source address taken from the
netblock to counter spoofing. Requires the IPv6 netblock to be routed to the
host running unbound, and requires OS support for unprivileged non-local binds
host running Unbound, and requires OS support for unprivileged non-local binds
(currently only supported on Linux). Several netblocks may be specified with
multiple
.B outgoing\-interface:
@ -174,7 +174,7 @@ numbers need extra resources from the operating system. For performance a
very large value is best, use libevent to make this possible.
.TP
.B outgoing\-port\-permit: \fI<port number or range>
Permit unbound to open this port or range of ports for use to send queries.
Permit Unbound to open this port or range of ports for use to send queries.
A larger number of permitted outgoing ports increases resilience against
spoofing attempts. Make sure these ports are not needed by other daemons.
By default only ports above 1024 that have not been assigned by IANA are used.
@ -187,8 +187,8 @@ processing starts with the non IANA allocated ports above 1024 in the set
of allowed ports.
.TP
.B outgoing\-port\-avoid: \fI<port number or range>
Do not permit unbound to open this port or range of ports for use to send
queries. Use this to make sure unbound does not grab a port that another
Do not permit Unbound to open this port or range of ports for use to send
queries. Use this to make sure Unbound does not grab a port that another
daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
By default only ports above 1024 that have not been assigned by IANA are used.
Give a port number or a range of the form "low\-high", without spaces.
@ -289,7 +289,7 @@ If not 0, then set the SO_RCVBUF socket option to get more buffer
space on UDP port 53 incoming queries. So that short spikes on busy
servers do not drop packets (see counter in netstat \-su). Default is
0 (use system value). Otherwise, the number of bytes to ask for, try
"4m" on a busy server. The OS caps it at a maximum, on linux unbound
"4m" on a busy server. The OS caps it at a maximum, on linux Unbound
needs root permission to bypass the limit, or the admin can use sysctl
net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf.
On OpenBSD change header and recompile kernel. On Solaris ndd \-set
@ -302,7 +302,7 @@ in answer traffic, otherwise 'send: resource temporarily unavailable'
can get logged, the buffer overrun is also visible by netstat \-su.
Default is 0 (use system value). Specify the number of bytes to ask
for, try "4m" on a very busy server. The OS caps it at a maximum, on
linux unbound needs root permission to bypass the limit, or the admin
linux Unbound needs root permission to bypass the limit, or the admin
can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
to so\-rcvbuf.
.TP
@ -319,18 +319,18 @@ At extreme load it could be better to turn it off to distribute the queries
evenly, reported for Linux systems (4.4.x).
.TP
.B ip\-transparent: \fI<yes or no>
If yes, then use IP_TRANSPARENT socket option on sockets where unbound
If yes, then use IP_TRANSPARENT socket option on sockets where Unbound
is listening for incoming traffic. Default no. Allows you to bind to
non\-local interfaces. For example for non\-existent IP addresses that
are going to exist later on, with host failover configuration. This is
a lot like interface\-automatic, but that one services all interfaces
and with this option you can select which (future) interfaces unbound
provides service on. This option needs unbound to be started with root
and with this option you can select which (future) interfaces Unbound
provides service on. This option needs Unbound to be started with root
permissions on some systems. The option uses IP_BINDANY on FreeBSD systems
and SO_BINDANY on OpenBSD systems.
.TP
.B ip\-freebind: \fI<yes or no>
If yes, then use IP_FREEBIND socket option on sockets where unbound
If yes, then use IP_FREEBIND socket option on sockets where Unbound
is listening to incoming traffic. Default no. Allows you to bind to
IP addresses that are nonlocal or do not exist, like when the network
interface or IP address is down. Exists only on Linux, where the similar
@ -560,7 +560,7 @@ service. Can list multiple, each on a new statement.
.TP
.B tls-session-ticket-keys: \fI<file>
If not "", lists files with 80 bytes of random contents that are used to
perform TLS session resumption for clients using the unbound server.
perform TLS session resumption for clients using the Unbound server.
These files contain the secret key for the TLS session tickets.
First key use to encrypt and decrypt TLS session tickets.
Other keys use to decrypt only. With this you can roll over to new keys,
@ -642,8 +642,8 @@ Enable or disable systemd socket activation.
Default is no.
.TP
.B do\-daemonize: \fI<yes or no>
Enable or disable whether the unbound server forks into the background as
a daemon. Set the value to \fIno\fR when unbound runs as systemd service.
Enable or disable whether the Unbound server forks into the background as
a daemon. Set the value to \fIno\fR when Unbound runs as systemd service.
Default is yes.
.TP
.B tcp\-connection\-limit: \fI<IP netblock> <limit>
@ -670,7 +670,7 @@ what almost all clients need). Nonrecursive queries are refused.
.IP
The \fIallow\fR action does allow nonrecursive queries to access the
local\-data that is configured. The reason is that this does not involve
the unbound server recursive lookup algorithm, and static data is served
the Unbound server recursive lookup algorithm, and static data is served
in the reply. This supports normal operations where nonrecursive queries
are made for the authoritative data. For nonrecursive queries any replies
from the dynamic cache are refused.
@ -742,7 +742,7 @@ to chroot and dropping permissions. This allows the pidfile to be
Unbound is not able to remove the pidfile after termination when it is located
outside of the chroot directory.
.IP
Additionally, unbound may need to access /dev/urandom (for entropy)
Additionally, Unbound may need to access /dev/urandom (for entropy)
from inside the chroot.
.IP
If given a chroot is done to the given directory. By default chroot is
@ -776,7 +776,7 @@ The logfile is reopened (for append) when the config file is reread, on
SIGHUP.
.TP
.B use\-syslog: \fI<yes or no>
Sets unbound to send log messages to the syslogd, using
Sets Unbound to send log messages to the syslogd, using
\fIsyslog\fR(3).
The log facility LOG_DAEMON is used, with identity "unbound".
The logfile setting is overridden when use\-syslog is turned on.
@ -786,7 +786,7 @@ The default is to log to syslog.
If "" is given (default), then the name of the executable, usually "unbound"
is used to report to the log. Enter a string to override it
with that, which is useful on systems that run more than one instance of
unbound, with different configurations, so that the logs can be easily
Unbound, with different configurations, so that the logs can be easily
distinguished against.
.TP
.B log\-time\-ascii: \fI<yes or no>
@ -874,12 +874,12 @@ with ascii_ prefix and then an ascii string.
If enabled trustanchor.unbound queries are refused.
.TP
.B target\-fetch\-policy: \fI<"list of numbers">
Set the target fetch policy used by unbound to determine if it should fetch
Set the target fetch policy used by Unbound to determine if it should fetch
nameserver target addresses opportunistically. The policy is described per
dependency depth.
.IP
The number of values determines the maximum dependency depth
that unbound will pursue in answering a query.
that Unbound will pursue in answering a query.
A value of \-1 means to fetch all targets opportunistically for that dependency
depth. A value of 0 means to fetch on demand only. A positive value fetches
that many targets opportunistically.
@ -1030,7 +1030,7 @@ a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
.TP
.B deny\-any: \fI<yes or no>
If yes, deny queries of type ANY with an empty response. Default is no.
If disabled, unbound responds with a short list of resource records if some
If disabled, Unbound responds with a short list of resource records if some
can be found in the cache and makes the upstream type ANY query if there
are none.
.TP
@ -1090,7 +1090,7 @@ File with trust anchor for one zone, which is tracked with RFC5011 probes.
The probes are run several times per month, thus the machine must be online
frequently. The initial file can be one with contents as described in
\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
so the unbound user must have write permission. Write permission to the file,
so the Unbound user must have write permission. Write permission to the file,
but also to the directory it is in (to create a temporary file, which is
necessary to deal with filesystem full events), it must also be inside the
chroot (if that is used).
@ -1176,7 +1176,7 @@ the verbosity setting. Default is 0, off. At 1, for every user query
that fails a line is printed to the logs. This way you can monitor what
happens with validation. Use a diagnosis tool, such as dig or drill,
to find out why validation is failing for these queries. At 2, not only
the query that failed is printed but also the reason why unbound thought
the query that failed is printed but also the reason why Unbound thought
it was wrong and which server sent the faulty data.
.TP
.B val\-permissive\-mode: \fI<yes or no>
@ -1188,15 +1188,15 @@ is set in replies. Also logging is performed as for full validation.
The default value is "no".
.TP
.B ignore\-cd\-flag: \fI<yes or no>
Instruct unbound to ignore the CD flag from clients and refuse to
Instruct Unbound to ignore the CD flag from clients and refuse to
return bogus answers to them. Thus, the CD (Checking Disabled) flag
does not disable checking any more. This is useful if legacy (w2008)
servers that set the CD flag but cannot validate DNSSEC themselves are
the clients, and then unbound provides them with DNSSEC protection.
the clients, and then Unbound provides them with DNSSEC protection.
The default value is "no".
.TP
.B serve\-expired: \fI<yes or no>
If enabled, unbound attempts to serve old responses from cache with a
If enabled, Unbound attempts to serve old responses from cache with a
TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
actual resolution to finish. The actual resolution answer ends up in the cache
later on. Default is "no".
@ -1227,14 +1227,14 @@ RFC 8767 is 1800. Setting this to 0 will disable this
behavior. Default is 0.
.TP
.B serve\-original\-ttl: \fI<yes or no>
If enabled, unbound will always return the original TTL as received from
If enabled, Unbound will always return the original TTL as received from
the upstream name server rather than the decrementing TTL as
stored in the cache. This feature may be useful if unbound serves as a
front-end to a hidden authoritative name server. Enabling this feature does
not impact cache expiry, it only changes the TTL unbound embeds in responses to
stored in the cache. This feature may be useful if Unbound serves as a
front-end to a hidden authoritative name server. Enabling this feature does
not impact cache expiry, it only changes the TTL Unbound embeds in responses to
queries. Note that enabling this feature implicitly disables enforcement of
the configured minimum and maximum TTL, as it is assumed users who enable this
feature do not want unbound to change the TTL obtained from an upstream server.
the configured minimum and maximum TTL, as it is assumed users who enable this
feature do not want Unbound to change the TTL obtained from an upstream server.
Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
ignored.
Default is "no".
@ -1295,11 +1295,11 @@ or gigabytes (1024*1024 bytes in a megabyte).
.TP
.B unblock\-lan\-zones: \fI<yes or no>
Default is disabled. If enabled, then for private address space,
the reverse lookups are no longer filtered. This allows unbound when
the reverse lookups are no longer filtered. This allows Unbound when
running as dns service on a host where it provides service for that host,
to put out all of the queries for the 'lan' upstream. When enabled,
only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
with default local zones. Disable the option when unbound is running
with default local zones. Disable the option when Unbound is running
as a (DHCP-) DNS network resolver for a group of machines, where such
lookups should be filtered (RFC compliance), this also stops potential
data leakage about the local network to the upstream DNS servers.
@ -1403,7 +1403,7 @@ Breaks out of that view and moves towards the global local zones for answer
to the query. If the view first is no, it'll resolve normally. If view first
is enabled, it'll break perform that step and check the global answers.
For when the view has view specific overrides but some zone has to be
answered from global local zone contents.
answered from global local zone contents.
.TP 10
\h'5'\fInodefault\fR
Used to turn off default contents for AS112 zones. The other types
@ -1694,7 +1694,7 @@ query names, but not spoofed reflection floods. Cached responses are not
ratelimited by this setting. The zone of the query is determined by examining
the nameservers for it, the zone name is used to keep track of the rate.
For example, 1000 may be a suitable value to stop the server from being
overloaded with random names, and keeps unbound from sending traffic to the
overloaded with random names, and keeps Unbound from sending traffic to the
nameservers for those zones.
.TP 5
.B ratelimit\-size: \fI<memory size>
@ -1761,7 +1761,7 @@ and enter the cache, whilst also mitigating the traffic flow by the
factor given.
.TP 5
.B outbound\-msg\-retry: \fI<number>
The number of retries unbound will do in case of a non positive response is
The number of retries Unbound will do in case of a non positive response is
received. If a forward nameserver is used, this is the number of retries per
forward nameserver in case of throwaway response.
.TP 5
@ -1794,7 +1794,7 @@ In the
.B remote\-control:
clause are the declarations for the remote control facility. If this is
enabled, the \fIunbound\-control\fR(8) utility can be used to send
commands to the running unbound server. The server uses these clauses
commands to the running Unbound server. The server uses these clauses
to setup TLSv1 security for the connection. The
\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
section for options. To setup the correct self\-signed certificates use the
@ -1814,7 +1814,7 @@ the server for the change to take effect.
.IP
If you set it to an absolute path, a local socket is used. The local socket
does not use the certificates and keys, so those files need not be present.
To restrict access, unbound sets permissions on the file to the user and
To restrict access, Unbound sets permissions on the file to the user and
group that is configured, the access bits are set to allow the group members
to access the control socket file. Put users that need to access the socket
in the that group. To restrict access further, create a directory to put
@ -1834,12 +1834,12 @@ and the value of this option is ignored.
.B server\-key\-file: \fI<private key file>
Path to the server private key, by default unbound_server.key.
This file is generated by the \fIunbound\-control\-setup\fR utility.
This file is used by the unbound server, but not by \fIunbound\-control\fR.
This file is used by the Unbound server, but not by \fIunbound\-control\fR.
.TP 5
.B server\-cert\-file: \fI<certificate file.pem>
Path to the server self signed certificate, by default unbound_server.pem.
This file is generated by the \fIunbound\-control\-setup\fR utility.
This file is used by the unbound server, and also by \fIunbound\-control\fR.
This file is used by the Unbound server, and also by \fIunbound\-control\fR.
.TP 5
.B control\-key\-file: \fI<private key file>
Path to the control client private key, by default unbound_control.key.
@ -1857,24 +1857,24 @@ There may be multiple
.B stub\-zone:
clauses. Each with a name: and zero or more hostnames or IP addresses.
For the stub zone this list of nameservers is used. Class IN is assumed.
The servers should be authority servers, not recursors; unbound performs
The servers should be authority servers, not recursors; Unbound performs
the recursive processing itself for stub zones.
.P
The stub zone can be used to configure authoritative data to be used
by the resolver that cannot be accessed using the public internet servers.
This is useful for company\-local data or private zones. Setup an
authoritative server on a different host (or different port). Enter a config
entry for unbound with
entry for Unbound with
.B stub\-addr:
<ip address of host[@port]>.
The unbound resolver can then access the data, without referring to the
The Unbound resolver can then access the data, without referring to the
public internet for it.
.P
This setup allows DNSSEC signed zones to be served by that
authoritative server, in which case a trusted key entry with the public key
can be put in config, so that unbound can validate the data and set the AD
can be put in config, so that Unbound can validate the data and set the AD
bit on replies for the private zone (authoritative servers do not set the
AD bit). This setup makes unbound capable of answering queries for the
AD bit). This setup makes Unbound capable of answering queries for the
private zone, and can even set the AD bit ('authentic'), but the AA
('authoritative') bit is not set on these replies.
.P
@ -1882,7 +1882,7 @@ Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
served zone. The insecure clause stops DNSSEC from invalidating the
zone. The local zone nodefault (or \fItransparent\fR) clause makes the
(reverse\-) zone bypass unbound's filtering of RFC1918 zones.
(reverse\-) zone bypass Unbound's filtering of RFC1918 zones.
.TP
.B name: \fI<domain name>
Name of the stub zone. This is the full domain name of the zone.
@ -1931,10 +1931,10 @@ clauses. Each with a \fBname:\fR and zero or more hostnames or IP
addresses. For the forward zone this list of nameservers is used to
forward the queries to. The servers listed as \fBforward\-host:\fR and
\fBforward\-addr:\fR have to handle further recursion for the query. Thus,
those servers are not authority servers, but are (just like unbound is)
recursive servers too; unbound does not perform recursion itself for the
those servers are not authority servers, but are (just like Unbound is)
recursive servers too; Unbound does not perform recursion itself for the
forward zone, it lets the remote server do it. Class IN is assumed.
CNAMEs are chased by unbound itself, asking the remote server for every
CNAMEs are chased by Unbound itself, asking the remote server for every
name in the indirection chain, to protect the local cache from illegal
indirect referenced items.
A forward\-zone entry with name "." and a forward\-addr target will
@ -1960,7 +1960,7 @@ name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
.TP
.B forward\-first: \fI<yes or no>
If a forwarded query is met with a SERVFAIL error, and this option is
enabled, unbound will fall back to normal recursive resolution for this
enabled, Unbound will fall back to normal recursive resolution for this
query as if no query forwarding had been specified. The default is "no".
.TP
.B forward\-tls\-upstream: \fI<yes or no>
@ -1986,7 +1986,7 @@ have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone
The authority zone with the name closest to the name looked up is used.
Authority zones are processed after \fBlocal\-zones\fR and before
cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner
make unbound respond like an authority server. Authority zones are also
make Unbound respond like an authority server. Authority zones are also
processed after cache, just before going to the network to fetch
information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used
in this manner provide a local copy of an authority server that speeds up
@ -2047,25 +2047,25 @@ file is downloaded when notified. The primaries from primary: statements are
allowed notify by default.
.TP
.B fallback\-enabled: \fI<yes or no>
Default no. If enabled, unbound falls back to querying the internet as
Default no. If enabled, Unbound falls back to querying the internet as
a resolver for this zone when lookups fail. For example for DNSSEC
validation failures.
.TP
.B for\-downstream: \fI<yes or no>
Default yes. If enabled, unbound serves authority responses to
downstream clients for this zone. This option makes unbound behave, for
Default yes. If enabled, Unbound serves authority responses to
downstream clients for this zone. This option makes Unbound behave, for
the queries with names in this zone, like one of the authority servers for
that zone. Turn it off if you want unbound to provide recursion for the
that zone. Turn it off if you want Unbound to provide recursion for the
zone but have a local copy of zone data. If for\-downstream is no and
for\-upstream is yes, then unbound will DNSSEC validate the contents of the
for\-upstream is yes, then Unbound will DNSSEC validate the contents of the
zone before serving the zone contents to clients and store validation
results in the cache.
.TP
.B for\-upstream: \fI<yes or no>
Default yes. If enabled, unbound fetches data from this data collection
Default yes. If enabled, Unbound fetches data from this data collection
for answering recursion queries. Instead of sending queries over the internet
to the authority servers for this zone, it'll fetch the data directly from
the zone data. Turn it on when you want unbound to provide recursion for
the zone data. Turn it on when you want Unbound to provide recursion for
downstream clients, and use the zone data as a local copy to speed up lookups.
.TP
.B zonemd\-check: \fI<yes or no>
@ -2089,14 +2089,14 @@ a ZONEMD is always a failure, also for nonDNSSEC signed zones.
.TP
.B zonefile: \fI<filename>
The filename where the zone is stored. If not given then no zonefile is used.
If the file does not exist or is empty, unbound will attempt to fetch zone
If the file does not exist or is empty, Unbound will attempt to fetch zone
data (eg. from the primary servers).
.SS "View Options"
.LP
There may be multiple
.B view:
clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
\fBlocal\-data\fR elements. Views can also contain view\-first,
\fBlocal\-data\fR elements. Views can also contain view\-first,
response\-ip, response\-ip\-data and local\-data\-ptr elements.
View can be mapped to requests by specifying the
view name in an \fBaccess\-control\-view\fR element. Options from matching
@ -2189,9 +2189,9 @@ underneath the name given.
The
.B dnscrypt:
clause gives the settings of the dnscrypt channel. While those options are
available, they are only meaningful if unbound was compiled with
available, they are only meaningful if Unbound was compiled with
\fB\-\-enable\-dnscrypt\fR.
Currently certificate and secret/public keys cannot be generated by unbound.
Currently certificate and secret/public keys cannot be generated by Unbound.
You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
dnscrypt-wrapper/blob/master/README.md#usage
.TP
@ -2310,7 +2310,7 @@ of 0 is always accepted. Default is 0.
.TP
.B min\-client\-subnet\-ipv4: \fI<number>\fR
Specifies the minimum prefix length of the IPv4 source mask we are willing to
accept in queries. Shorter source masks result in REFUSED answers. Source mask
accept in queries. Shorter source masks result in REFUSED answers. Source mask
of 0 is always accepted. Default is 0.
.TP
.B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
@ -2323,12 +2323,13 @@ This number applies for each qname/qclass/qtype tuple. Defaults to 100.
.SS "Opportunistic IPsec Support Module Options"
.LP
The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
validator iterator" directive and be compiled into the daemon to be
enabled. These settings go in the \fBserver:\fR section.
validator iterator" directive and be compiled into Unbound by using
\fB\-\-enable\-ipsecmod\fR to be enabled.
These settings go in the \fBserver:\fR section.
.LP
When unbound receives an A/AAAA query that is not in the cache and finds a
When Unbound receives an A/AAAA query that is not in the cache and finds a
valid answer, it will withhold returning the answer and instead will generate
an IPSECKEY subquery for the same domain name. If an answer was found, unbound
an IPSECKEY subquery for the same domain name. If an answer was found, Unbound
will call an external hook passing the following arguments:
.TP 10
\h'5'\fIQNAME\fR
@ -2357,19 +2358,19 @@ relevant for opportunistic IPsec.
.B ipsecmod-enabled: \fI<yes or no>\fR
Specifies whether the IPsec module is enabled or not. The IPsec module still
needs to be defined in the \fBmodule\-config:\fR directive. This option
facilitates turning on/off the module without restarting/reloading unbound.
facilitates turning on/off the module without restarting/reloading Unbound.
Defaults to yes.
.TP
.B ipsecmod\-hook: \fI<filename>\fR
Specifies the external hook that unbound will call with \fIsystem\fR(3). The
Specifies the external hook that Unbound will call with \fIsystem\fR(3). The
file can be specified as an absolute/relative path. The file needs the proper
permissions to be able to be executed by the same user that runs unbound. It
permissions to be able to be executed by the same user that runs Unbound. It
must be present when the IPsec module is defined in the \fBmodule\-config:\fR
directive.
.TP
.B ipsecmod-strict: \fI<yes or no>\fR
If enabled unbound requires the external hook to return a success value of 0.
Failing to do so unbound will reply with SERVFAIL. The A/AAAA answer will also
If enabled Unbound requires the external hook to return a success value of 0.
Failing to do so Unbound will reply with SERVFAIL. The A/AAAA answer will also
not be cached. Defaults to no.
.TP
.B ipsecmod\-max-ttl: \fI<seconds>\fR
@ -2377,7 +2378,7 @@ Time to live maximum for A/AAAA cached records after calling the external hook.
Defaults to 3600.
.TP
.B ipsecmod-ignore-bogus: \fI<yes or no>\fR
Specifies the behaviour of unbound when the IPSECKEY answer is bogus. If set
Specifies the behaviour of Unbound when the IPSECKEY answer is bogus. If set
to yes, the hook will be called and the A/AAAA answer will be returned to the
client. If set to no, the hook will not be called and the answer to the
A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no.
@ -2404,7 +2405,7 @@ If Unbound cannot even find an answer in the backend, it resolves the
query as usual, and stores the answer in the backend.
.P
This module interacts with the \fBserve\-expired\-*\fR options and will reply
with expired data if unbound is configured for that. Currently the use
with expired data if Unbound is configured for that. Currently the use
of \fBserve\-expired\-client\-timeout:\fR and
\fBserve\-expired\-reply\-ttl:\fR is not consistent for data originating from
the external cache as these will result in a reply with 0 TTL without trying to
@ -2462,7 +2463,7 @@ This option defaults to "default".
.P
The following
.B cachedb
otions are specific to the redis backend.
options are specific to the redis backend.
.TP
.B redis-server-host: \fI<server address or name>\fR
The IP (either v6 or v4) address or domain name of the Redis server.
@ -2483,16 +2484,17 @@ re-establish a new connection later.
This option defaults to 100 milliseconds.
.TP
.B redis-expire-records: \fI<yes or no>
If Redis record expiration is enabled. If yes, unbound sets timeout for Redis
If Redis record expiration is enabled. If yes, Unbound sets timeout for Redis
records so that Redis can evict keys that have expired automatically. If
unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
this option is internally reverted to "no". Redis SETEX support is required
for this option (Redis >= 2.0.0).
This option defaults to no.
.SS DNSTAP Logging Options
DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section.
DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled
in the \fBdnstap:\fR section.
This starts an extra thread (when compiled with threading) that writes
the log information to the destination. If unbound is compiled without
the log information to the destination. If Unbound is compiled without
threading it does not spawn a thread, but connects per-process to the
destination.
.TP
@ -2550,19 +2552,19 @@ Default is "".
.TP
.B dnstap-log-resolver-query-messages: \fI<yes or no>
Enable to log resolver query messages. Default is no.
These are messages from unbound to upstream servers.
These are messages from Unbound to upstream servers.
.TP
.B dnstap-log-resolver-response-messages: \fI<yes or no>
Enable to log resolver response messages. Default is no.
These are replies from upstream servers to unbound.
These are replies from upstream servers to Unbound.
.TP
.B dnstap-log-client-query-messages: \fI<yes or no>
Enable to log client query messages. Default is no.
These are client queries to unbound.
These are client queries to Unbound.
.TP
.B dnstap-log-client-response-messages: \fI<yes or no>
Enable to log client response messages. Default is no.
These are responses from unbound to clients.
These are responses from Unbound to clients.
.TP
.B dnstap-log-forwarder-query-messages: \fI<yes or no>
Enable to log forwarder query messages. Default is no.
@ -2661,7 +2663,7 @@ allowed notify by default.
.TP
.B zonefile: \fI<filename>
The filename where the zone is stored. If not given then no zonefile is used.
If the file does not exist or is empty, unbound will attempt to fetch zone
If the file does not exist or is empty, Unbound will attempt to fetch zone
data (eg. from the primary servers).
.TP
.B rpz\-action\-override: \fI<action>
@ -2718,7 +2720,7 @@ server:
.SH "FILES"
.TP
.I @UNBOUND_RUN_DIR@
default unbound working directory.
default Unbound working directory.
.TP
.I @UNBOUND_CHROOT_DIR@
default
@ -2726,13 +2728,13 @@ default
location.
.TP
.I @ub_conf_file@
unbound configuration file.
Unbound configuration file.
.TP
.I @UNBOUND_PIDFILE@
default unbound pidfile with process ID of the running daemon.
default Unbound pidfile with process ID of the running daemon.
.TP
.I unbound.log
unbound log file. default is to log to
Unbound log file. default is to log to
\fIsyslog\fR(3).
.SH "SEE ALSO"
\fIunbound\fR(8),


@ -279,10 +279,10 @@ TYPEDEF_HIDES_STRUCT = NO
# For small to medium size projects (<1000 input files) the default value is
# probably good enough. For larger projects a too small cache size can cause
# doxygen to be busy swapping symbols to and from disk most of the time
# causing a significant performance penality.
# causing a significant performance penalty.
# If the system has enough physical memory increasing the cache will improve the
# performance by keeping more symbols in memory. Note that the value works on
# a logarithmic scale so increasing the size by one will rougly double the
# a logarithmic scale so increasing the size by one will roughly double the
# memory usage. The cache size is given by this formula:
# 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0,
# corresponding to a cache size of 2^16 = 65536 symbols
@ -779,7 +779,7 @@ ALPHABETICAL_INDEX = YES
# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
# in which this list will be split (can be a number in the range [1..20])
COLS_IN_ALPHA_INDEX = 5
#COLS_IN_ALPHA_INDEX = 5
# In case all classes in a project start with a common prefix, all
# classes will be put under the same header in the alphabetical index.


@ -59,7 +59,7 @@ struct ecs_data {
/**
* copy the first n BITS from src to dst iff both src and dst
* are large enough, return 0 on succes
* are large enough, return 0 on success
*/
int
copy_clear(uint8_t* dst, size_t dstlen, uint8_t* src, size_t srclen, size_t n);


@ -497,7 +497,7 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
if (!s_in->subnet_validdata) {
/* The authority indicated no support for edns subnet. As a
* consequence the answer ended up in the regular cache. It
* is still usefull to put it in the edns subnet cache for
* is still useful to put it in the edns subnet cache for
* when a client explicitly asks for subnet specific answer. */
verbose(VERB_QUERY, "subnetcache: Authority indicates no support");
if(!sq->started_no_cache_store) {


@ -37,7 +37,7 @@
* \file
*
* This file contains a module that facilitates opportunistic IPsec. It does so
* by also quering for the IPSECKEY for A/AAAA queries and calling a
* by also querying for the IPSECKEY for A/AAAA queries and calling a
* configurable hook (eg. signaling an IKE daemon) before replying.
*/


@ -37,7 +37,7 @@
* \file
*
* This file contains a module that facilitates opportunistic IPsec. It does so
* by also quering for the IPSECKEY for A/AAAA queries and calling a
* by also querying for the IPSECKEY for A/AAAA queries and calling a
* configurable hook (eg. signaling an IKE daemon) before replying.
*/


@ -3242,7 +3242,7 @@ prime_supers(struct module_qstate* qstate, int id, struct module_qstate* forq)
/* Convert our response to a delegation point */
dp = delegpt_from_message(qstate->return_msg, forq->region);
if(!dp) {
/* if there is no convertable delegation point, then
/* if there is no convertible delegation point, then
* the ANSWER type was (presumably) a negative answer. */
verbose(VERB_ALGO, "prime response was not a positive "
"ANSWER; failing");


@ -176,35 +176,6 @@ struct ctx_query {
struct ub_result* res;
};
/**
* The error constants
*/
enum ub_ctx_err {
/** no error */
UB_NOERROR = 0,
/** socket operation. Set to -1, so that if an error from _fd() is
* passed (-1) it gives a socket error. */
UB_SOCKET = -1,
/** alloc failure */
UB_NOMEM = -2,
/** syntax error */
UB_SYNTAX = -3,
/** DNS service failed */
UB_SERVFAIL = -4,
/** fork() failed */
UB_FORKFAIL = -5,
/** cfg change after finalize() */
UB_AFTERFINAL = -6,
/** initialization failed (bad settings) */
UB_INITFAIL = -7,
/** error in pipe communication with async bg worker */
UB_PIPE = -8,
/** error reading from file (resolv.conf) */
UB_READFILE = -9,
/** error async_id does not exist or result already been delivered */
UB_NOID = -10
};
/**
* Command codes for libunbound pipe.
*


@ -31,6 +31,6 @@ Source code
else:
print "Result is insecure"
More detailed informations can be seen in libUnbound DNSSEC tutorial `here`_.
More detailed information can be seen in libUnbound DNSSEC tutorial `here`_.
.. _here: http://www.unbound.net/documentation/libunbound-tutorial-6.html


@ -363,7 +363,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
ctx.debuglevel(3)
ctx.debugout(fw)
Another option is to print the debug informations to stderr output
Another option is to print the debug information to stderr output
::


@ -41,7 +41,7 @@
*
* Use ub_ctx_create_event_ub_base() to create an unbound context that uses
* the user provided event base API. Then, use the ub_resolve_event call
* to add DNS resolve queries to the context. Those then run whith the
* to add DNS resolve queries to the context. Those then run with the
* provided event_base, and when they are done you get a function callback.
*
* This method does not fork another process or create a thread, the effort


@ -224,7 +224,7 @@ struct ub_result {
* It is called with
* void* my_arg: your pointer to a (struct of) data of your choice,
* or NULL.
* int err: if 0 all is OK, otherwise an error occured and no results
* int err: if 0 all is OK, otherwise an error occurred and no results
* are forthcoming.
* struct result: pointer to more detailed result structure.
* This structure is allocated on the heap and needs to be
@ -232,6 +232,35 @@ struct ub_result {
*/
typedef void (*ub_callback_type)(void*, int, struct ub_result*);
/**
* The error constants
*/
enum ub_ctx_err {
/** no error */
UB_NOERROR = 0,
/** socket operation. Set to -1, so that if an error from _fd() is
* passed (-1) it gives a socket error. */
UB_SOCKET = -1,
/** alloc failure */
UB_NOMEM = -2,
/** syntax error */
UB_SYNTAX = -3,
/** DNS service failed */
UB_SERVFAIL = -4,
/** fork() failed */
UB_FORKFAIL = -5,
/** cfg change after finalize() */
UB_AFTERFINAL = -6,
/** initialization failed (bad settings) */
UB_INITFAIL = -7,
/** error in pipe communication with async bg worker */
UB_PIPE = -8,
/** error reading from file (resolv.conf) */
UB_READFILE = -9,
/** error async_id does not exist or result already been delivered */
UB_NOID = -10
};
/**
* Create a resolving and validation context.
* The information from /etc/resolv.conf and /etc/hosts is not utilised by
@ -563,6 +592,7 @@ void ub_resolve_free(struct ub_result* result);
/**
* Convert error value to a human readable string.
* @param err: error code from one of the libunbound functions.
* The error codes are from the type enum ub_ctx_err.
* @return pointer to constant text string, zero terminated.
*/
const char* ub_strerror(int err);


@ -66,7 +66,7 @@ struct query_info;
* @param ssl_upstream: use SSL for upstream queries.
* @param tls_auth_name: if ssl_upstream, use this name with TLS
* authentication.
* @param q: wich query state to reactivate upon return.
* @param q: which query state to reactivate upon return.
* @return: false on failure (memory or socket related). no query was
* sent.
*/
@ -118,7 +118,7 @@ void worker_sighandler(int sig, void* arg);
* @param ssl_upstream: use SSL for upstream queries.
* @param tls_auth_name: if ssl_upstream, use this name with TLS
* authentication.
* @param q: wich query state to reactivate upon return.
* @param q: which query state to reactivate upon return.
* @return: false on failure (memory or socket related). no query was
* sent.
*/


@ -329,7 +329,7 @@ if [ "$DOWIN" = "yes" ]; then
info "git clone --depth=1 --no-tags -b $GITBRANCH $GITREPO unbound"
git clone --depth=1 --no-tags -b $GITBRANCH $GITREPO unbound || error_cleanup "git clone failed"
cd unbound || error_cleanup "Unbound not exported correctly from git"
rm -rf .git || error_cleanup "Failed to remove .git tracking information"
rm -rf .git .travis.yml .gitattributes .github .gitignore || error_cleanup "Failed to remove .git tracking and ci information"
# on a re-configure the cache may no longer be valid...
if test -f mingw32-config.cache; then rm mingw32-config.cache; fi
@ -489,7 +489,7 @@ info "git clone --depth=1 --no-tags -b $GITBRANCH $GITREPO unbound"
git clone --depth=1 --no-tags -b $GITBRANCH $GITREPO unbound || error_cleanup "git clone failed"
cd unbound || error_cleanup "Unbound not exported correctly from git"
rm -rf .git || error_cleanup "Failed to remove .git tracking information"
rm -rf .git .travis.yml .gitattributes .github .gitignore || error_cleanup "Failed to remove .git tracking and ci information"
info "Adding libtool utils (libtoolize)."
libtoolize -c --install || libtoolize -c || error_cleanup "Libtoolize failed."


@ -90,7 +90,7 @@ We can also remove an EDNS option code from an EDNS option list.
log_info("python: Option code {} was not found in the "
"list.".format(code))
.. note:: All occurences of the EDNS option code will be removed from the list:
.. note:: All occurrences of the EDNS option code will be removed from the list:
Controlling other modules' cache behavior


@ -12,7 +12,7 @@ module_qstate
.. attribute:: qinfo
(:class:`query_info`) Informations about query being answered. Name, RR type, RR class.
(:class:`query_info`) Information about query being answered. Name, RR type, RR class.
.. attribute:: query_flags
@ -256,7 +256,7 @@ dns_msg
.. attribute:: qinfo
(:class:`query_info`) Informations about query.
(:class:`query_info`) Information about query.
.. attribute:: rep
@ -440,7 +440,7 @@ DNSMessage
.. method:: set_return_msg(self, qstate)
This method fills qstate return message according to the given informations.
This method fills qstate return message according to the given information.
It takes lists of RRs in each section of answer, created necessary RRsets in wire format and store the result in :attr:`qstate.return_msg`.
Returns 1 if OK.


@ -21,7 +21,7 @@ almost every mail server supports DNS based blacklisting.
DNS based Wake-On-Lan
---------------------
Controled by secured queries secured with private key.
Controlled by secured queries secured with private key.
Dynamic translation service
---------------------------


@ -55,7 +55,7 @@
# Return True on success, False on failure.
#
# edns_opt_list_remove(edns_opt_list, code):
# Remove all occurences of the given EDNS option code from the
# Remove all occurrences of the given EDNS option code from the
# edns_opt_list.
# Return True when at least one EDNS option was removed, False otherwise.
#


@ -678,11 +678,14 @@ struct edns_data {
uint8_t edns_version;
uint16_t bits;
uint16_t udp_size;
struct edns_option* opt_list;
struct edns_option* opt_list_in;
struct edns_option* opt_list_out;
struct edns_option* opt_list_inplace_cb_out;
uint16_t padding_block_size;
};
%inline %{
struct edns_option** _edns_data_opt_list_get(struct edns_data* edns) {
return &edns->opt_list;
return &edns->opt_list_in;
}
%}
%extend edns_data {
@ -1341,7 +1344,7 @@ int set_return_msg(struct module_qstate* qstate,
%pythoncode %{
class DNSMessage:
def __init__(self, rr_name, rr_type, rr_class = RR_CLASS_IN, query_flags = 0, default_ttl = 0):
"""Query flags is a combination of PKT_xx contants"""
"""Query flags is a combination of PKT_xx constants"""
self.rr_name = rr_name
self.rr_type = rr_type
self.rr_class = rr_class
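Review bot: `_edns_data_opt_list_get` now hands Python a pointer to `opt_list_in` only, and nothing in this section documents that choice or gives `opt_list_out` and `opt_list_inplace_cb_out` a matching accessor. As far as this hunk shows, a Python module that used this accessor to append options it expected to be sent would now be editing the inbound list; whether that is intended cannot be told from here. I would add a comment above the accessor, for example `/* returns the inbound option list (opt_list_in); options to send belong in opt_list_out */`, and check whether accessors for the outbound lists are needed. The `%extend edns_data` block that consumes this accessor continues outside the hunk.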


@ -84,7 +84,7 @@
#define AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */
/* auth transfer timeout for TCP connections, in msec */
#define AUTH_TRANSFER_TIMEOUT 10000 /* msec */
/* auth transfer max backoff for failed tranfers and probes */
/* auth transfer max backoff for failed transfers and probes */
#define AUTH_TRANSFER_MAX_BACKOFF 86400 /* sec */
/* auth http port number */
#define AUTH_HTTP_PORT 80
@ -243,7 +243,7 @@ msg_add_rrset_an(struct auth_zone* z, struct regional* region,
return 1;
}
/** add rrset to authority section (no additonal section rrsets yet) */
/** add rrset to authority section (no additional section rrsets yet) */
static int
msg_add_rrset_ns(struct auth_zone* z, struct regional* region,
struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
@ -6493,7 +6493,7 @@ auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err,
comm_point_delete(xfr->task_probe->cp);
xfr->task_probe->cp = NULL;
/* if the result was not a successfull probe, we need
/* if the result was not a successful probe, we need
* to send the next one */
xfr_probe_nextmaster(xfr);
xfr_probe_send_or_end(xfr, env);


@ -120,7 +120,7 @@ void rrset_cache_touch(struct rrset_cache* r, struct ub_packed_rrset_key* key,
* the new rrset. The reference may be changed if the cached rrset is
* superior.
* Before calling the rrset is presumed newly allocated and changeable.
* Afer calling you do not hold a lock, and the rrset is inserted in
* After calling you do not hold a lock, and the rrset is inserted in
* the hashtable so you need a lock to change it.
* @param alloc: how to allocate (and deallocate) the special rrset key.
* @param timenow: current time (to see if ttl in cache is expired).
@ -143,7 +143,7 @@ int rrset_cache_update(struct rrset_cache* r, struct rrset_ref* ref,
* @param rrset: which rrset to cache as wildcard. This rrset is left
* untouched.
* @param ce: the closest encloser, will be uses to generate the wildcard dname.
* @param ce_len: the closest encloser lenght.
* @param ce_len: the closest encloser length.
* @param alloc: how to allocate (and deallocate) the special rrset key.
* @param timenow: current time (to see if ttl in cache is expired).
*/


@ -869,9 +869,14 @@ set_ip_dscp(int socket, int addrfamily, int dscp)
ds = dscp << 2;
switch(addrfamily) {
case AF_INET6:
if(setsockopt(socket, IPPROTO_IPV6, IPV6_TCLASS, (void*)&ds, sizeof(ds)) < 0)
#ifdef IPV6_TCLASS
if(setsockopt(socket, IPPROTO_IPV6, IPV6_TCLASS, (void*)&ds,
sizeof(ds)) < 0)
return sock_strerror(errno);
break;
#else
return "IPV6_TCLASS not defined on this system";
#endif
default:
if(setsockopt(socket, IPPROTO_IP, IP_TOS, (void*)&ds, sizeof(ds)) < 0)
return sock_strerror(errno);
@ -2618,7 +2623,7 @@ static int http2_req_begin_headers_cb(nghttp2_session* session,
int ret;
if(frame->hd.type != NGHTTP2_HEADERS ||
frame->headers.cat != NGHTTP2_HCAT_REQUEST) {
/* only interrested in request headers */
/* only interested in request headers */
return 0;
}
if(!(h2_stream = http2_stream_create(frame->hd.stream_id))) {
@ -2746,7 +2751,7 @@ static int http2_req_header_cb(nghttp2_session* session,
* the HEADER */
if(frame->hd.type != NGHTTP2_HEADERS ||
frame->headers.cat != NGHTTP2_HCAT_REQUEST) {
/* only interrested in request headers */
/* only interested in request headers */
return 0;
}
if(!(h2_stream = nghttp2_session_get_stream_user_data(session,
@ -2842,7 +2847,7 @@ static int http2_req_header_cb(nghttp2_session* session,
h2_stream->query_too_large = 1;
return 0;
}
/* guaranteed to only contian digits and be null terminated */
/* guaranteed to only contain digits and be null terminated */
h2_stream->content_length = atoi((const char*)value);
if(h2_stream->content_length >
h2_session->c->http2_stream_max_qbuffer_size) {
@ -2882,7 +2887,7 @@ static int http2_req_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session),
/* setting this to msg-buffer-size can result in a lot
* of memory consuption. Most queries should fit in a
* single DATA frame, and most POST queries will
* containt content-length which does not impose this
* contain content-length which does not impose this
* limit. */
qlen = len;
}
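Review bot: In the `http2_req_header_cb` hunk at -2842 the content-length value is converted with `atoi`, whose behaviour is undefined when the digit string does not fit in an int; the corrected comment promises only digits and a terminator, not a bounded length. A header carrying a very long digit run could therefore produce an arbitrary value before the comparison with `http2_stream_max_qbuffer_size`, unless validation outside this hunk also limits the digit count. I would parse with `strtoul((const char*)value, NULL, 10)` into an unsigned long and compare that against the limit before storing it in `content_length`. The function starts and ends outside the hunk, so the type of `content_length` and the earlier checks should be confirmed first.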


@ -56,6 +56,44 @@
* with 16 bytes for an A record, a 64K packet has about 4000 max */
#define LOCALZONE_RRSET_COUNT_MAX 4096
/** print all RRsets in local zone */
static void
local_zone_out(struct local_zone* z)
{
struct local_data* d;
struct local_rrset* p;
RBTREE_FOR(d, struct local_data*, &z->data) {
for(p = d->rrsets; p; p = p->next) {
log_nametypeclass(NO_VERBOSE, "rrset", d->name,
ntohs(p->rrset->rk.type),
ntohs(p->rrset->rk.rrset_class));
}
}
}
static void
local_zone_print(struct local_zone* z)
{
char buf[64];
lock_rw_rdlock(&z->lock);
snprintf(buf, sizeof(buf), "%s zone",
local_zone_type2str(z->type));
log_nametypeclass(NO_VERBOSE, buf, z->name, 0, z->dclass);
local_zone_out(z);
lock_rw_unlock(&z->lock);
}
void local_zones_print(struct local_zones* zones)
{
struct local_zone* z;
lock_rw_rdlock(&zones->lock);
log_info("number of auth zones %u", (unsigned)zones->ztree.count);
RBTREE_FOR(z, struct local_zone*, &zones->ztree) {
local_zone_print(z);
}
lock_rw_unlock(&zones->lock);
}
struct local_zones*
local_zones_create(void)
{
@ -467,7 +505,7 @@ lz_find_create_node(struct local_zone* z, uint8_t* nm, size_t nmlen,
/* Mark the SOA record for the zone. This only marks the SOA rrset; the data
* for the RR is entered later on local_zone_enter_rr() as with the other
* records. An artifical soa_negative record with a modified TTL (minimum of
* records. An artificial soa_negative record with a modified TTL (minimum of
* the TTL and the SOA.MINIMUM) is also created and marked for usage with
* negative answers and to avoid allocations during those answers. */
static int
@ -1207,6 +1245,38 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg)
lock_rw_rdlock(&zones->lock);
if(!local_zones_lookup(zones, rr_name, len, labs, rr_class,
rr_type)) {
/* Check if there is a zone that this could go
* under but for different class; created zones are
* always for LDNS_RR_CLASS_IN. Create the zone with
* a different class but the same configured
* local_zone_type. */
struct local_zone* z = local_zones_lookup(zones,
rr_name, len, labs, LDNS_RR_CLASS_IN, rr_type);
if(z) {
uint8_t* name = memdup(z->name, z->namelen);
size_t znamelen = z->namelen;
int znamelabs = z->namelabs;
enum localzone_type ztype = z->type;
lock_rw_unlock(&zones->lock);
if(!name) {
log_err("out of memory");
free(rr_name);
return 0;
}
if(!(
#ifndef THREADS_DISABLED
z =
#endif
lz_enter_zone_dname(zones, name,
znamelen, znamelabs,
ztype, rr_class))) {
free(rr_name);
return 0;
}
lock_rw_unlock(&z->lock);
free(rr_name);
continue;
}
if(!have_name) {
dclass = rr_class;
nm = rr_name;
@ -1426,38 +1496,6 @@ local_zones_find_le(struct local_zones* zones,
return (struct local_zone*)node;
}
/** print all RRsets in local zone */
static void
local_zone_out(struct local_zone* z)
{
struct local_data* d;
struct local_rrset* p;
RBTREE_FOR(d, struct local_data*, &z->data) {
for(p = d->rrsets; p; p = p->next) {
log_nametypeclass(NO_VERBOSE, "rrset", d->name,
ntohs(p->rrset->rk.type),
ntohs(p->rrset->rk.rrset_class));
}
}
}
void local_zones_print(struct local_zones* zones)
{
struct local_zone* z;
lock_rw_rdlock(&zones->lock);
log_info("number of auth zones %u", (unsigned)zones->ztree.count);
RBTREE_FOR(z, struct local_zone*, &zones->ztree) {
char buf[64];
lock_rw_rdlock(&z->lock);
snprintf(buf, sizeof(buf), "%s zone",
local_zone_type2str(z->type));
log_nametypeclass(NO_VERBOSE, buf, z->name, 0, z->dclass);
local_zone_out(z);
lock_rw_unlock(&z->lock);
}
lock_rw_unlock(&zones->lock);
}
/** encode answer consisting of 1 rrset */
static int
local_encode(struct query_info* qinfo, struct module_env* env,
@ -1798,7 +1836,7 @@ local_data_answer(struct local_zone* z, struct module_env* env,
/* write qname */
memmove(d->rr_data[0] + sizeof(uint16_t), qinfo->qname,
qinfo->qname_len - 1);
/* write cname target wilcard wildcard label */
/* write cname target wildcard label */
memmove(d->rr_data[0] + sizeof(uint16_t) +
qinfo->qname_len - 1, ctarget + 2,
ctargetlen - 2);
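Review bot: The new branch in `lz_setup_implicit` does not say who owns `name` after the call to `lz_enter_zone_dname`: the failure path frees `rr_name` but not `name`, which is only correct if the callee takes ownership and frees it on error, and that is not visible in this hunk. A one-line comment such as `/* name is owned (and freed on failure) by lz_enter_zone_dname */` would settle it; otherwise a `free(name)` is needed on that path. The `#ifndef THREADS_DISABLED` wrapped around `z =` inside the condition also deserves a comment saying the result is only used by the following `lock_rw_unlock(&z->lock)`; presumably it avoids an unused-assignment warning when the lock macros compile away. Separately, `local_zone_print` is added without the `/** ... */` header that its sibling `local_zone_out` carries. `lz_setup_implicit` starts and ends outside the hunk.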


@ -262,7 +262,7 @@ void local_zone_delete(struct local_zone* z);
* @param dclass: class to lookup.
* @param dtype: type to lookup, if type DS a zone higher is used for zonecuts.
* @param taglist: taglist to lookup.
* @param taglen: lenth of taglist.
* @param taglen: length of taglist.
* @param ignoretags: lookup zone by name and class, regardless the
* local-zone's tags.
* @return closest local_zone or NULL if no covering zone is found.

View file

@ -1379,7 +1379,7 @@ void mesh_query_done(struct mesh_state* mstate)
}
if(mstate->s.return_rcode == LDNS_RCODE_SERVFAIL ||
(rep && FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_SERVFAIL)) {
/* we are SERVFAILing; check for expired asnwer here */
/* we are SERVFAILing; check for expired answer here */
mesh_serve_expired_callback(mstate);
if((mstate->reply_list || mstate->cb_list)
&& mstate->s.env->cfg->log_servfail
@ -1602,7 +1602,7 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
return 0;
/* the rrset is not packed, like in the cache, but it is
* individualy allocated with an allocator from localzone. */
* individually allocated with an allocator from localzone. */
d = regional_alloc_zero(s->s.region, sizeof(*d));
if(!d)
return 0;


@ -79,7 +79,7 @@ void outbound_list_init(struct outbound_list* list);
* Clear the user owner outbound list structure.
* Deletes serviced queries.
* @param list: the list structure. It is cleared, but the list struct itself
* is callers responsability to delete.
* is callers responsibility to delete.
*/
void outbound_list_clear(struct outbound_list* list);


@ -1935,7 +1935,7 @@ select_id(struct outside_network* outnet, struct pending* pend,
LDNS_ID_SET(sldns_buffer_begin(packet), pend->id);
id_tries++;
if(id_tries == MAX_ID_RETRY) {
pend->id=99999; /* non existant ID */
pend->id=99999; /* non existent ID */
log_err("failed to generate unique ID, drop msg");
return 0;
}

View file

@ -836,7 +836,7 @@ rpz_report_rrset_error(const char* msg, uint8_t* rr, size_t rr_len) {
}
/* from localzone.c; difference is we don't have a dname */
struct local_rrset*
static struct local_rrset*
rpz_clientip_new_rrset(struct regional* region,
struct clientip_synthesized_rr* raddr, uint16_t rrtype, uint16_t rrclass)
{
@ -1095,7 +1095,7 @@ rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname,
* @param qname: qname
* @param qname_len: length of qname
* @param qclass: qclass
* @param only_exact: if 1 only excact (non wildcard) matches are returned
* @param only_exact: if 1 only exact (non wildcard) matches are returned
* @param wr: get write lock for local-zone if 1, read lock if 0
* @param zones_keep_lock: if set do not release the r->local_zones lock, this
* makes the caller of this function responsible for releasing the lock.
@ -1191,7 +1191,7 @@ rpz_find_zone(struct local_zones* zones, uint8_t* qname, size_t qname_len, uint1
* Remove RR from RPZ's local-data
* @param z: local-zone for RPZ, holding write lock
* @param policydname: dname of RR to remove
* @param policydnamelen: lenth of policydname
* @param policydnamelen: length of policydname
* @param rr_type: RR type of RR to remove
* @param rdata: rdata of RR to remove
* @param rdatalen: length of rdata
@ -1384,9 +1384,9 @@ log_rpz_apply(char* trigger, uint8_t* dname, struct addr_tree_node* addrnode,
if(dname) {
dname_str(dname, dnamestr);
} else if(addrnode) {
char a[128];
addr_to_str(&addrnode->addr, addrnode->addrlen, a, sizeof(a));
snprintf(dnamestr, sizeof(dnamestr), "%s/%d", a, addrnode->net);
char addrbuf[128];
addr_to_str(&addrnode->addr, addrnode->addrlen, addrbuf, sizeof(addrbuf));
snprintf(dnamestr, sizeof(dnamestr), "%s/%d", addrbuf, addrnode->net);
} else {
dnamestr[0]=0;
}
@ -1935,7 +1935,7 @@ rpz_synthesize_qname_localdata(struct module_env* env, struct rpz* r,
return ret;
}
struct clientip_synthesized_rr*
static struct clientip_synthesized_rr*
rpz_delegation_point_ipbased_trigger_lookup(struct rpz* rpz, struct iter_qstate* is)
{
struct delegpt_addr* cursor;
@ -1952,7 +1952,7 @@ rpz_delegation_point_ipbased_trigger_lookup(struct rpz* rpz, struct iter_qstate*
return NULL;
}
struct dns_msg*
static struct dns_msg*
rpz_apply_nsip_trigger(struct module_qstate* ms, struct rpz* r,
struct clientip_synthesized_rr* raddr, struct auth_zone* az)
{
@ -2011,7 +2011,7 @@ done:
return ret;
}
struct dns_msg*
static struct dns_msg*
rpz_apply_nsdname_trigger(struct module_qstate* ms, struct rpz* r,
struct local_zone* z, struct matched_delegation_point const* match,
struct auth_zone* az)


@ -173,7 +173,7 @@ void rpz_remove_rr(struct rpz* r, size_t aznamelen, uint8_t* dname,
* @param temp: scratchpad
* @param repinfo: reply info
* @param taglist: taglist to lookup.
* @param taglen: lenth of taglist.
* @param taglen: length of taglist.
* @param stats: worker stats struct
* @return: 1 if client answer is ready, 0 to continue resolving
*/
@ -235,7 +235,7 @@ enum rpz_action
respip_action_to_rpz_action(enum respip_action a);
/**
* Prepare RPZ after procesing feed content.
* Prepare RPZ after processing feed content.
* @param r: RPZ to use
*/
void rpz_finish_config(struct rpz* r);


@ -58,7 +58,7 @@ time_t sldns_mktime_from_utc(const struct tm *tm);
* The function interprets time as the number of seconds since epoch
* with respect to now using serial arithmetics (rfc1982).
* That number of seconds is then converted to broken-out time information.
* This is especially usefull when converting the inception and expiration
* This is especially useful when converting the inception and expiration
* fields of RRSIG records.
*
* \param[in] time number of seconds since epoch (midnight, January 1st, 1970)


@ -543,9 +543,10 @@ sldns_parse_rdf_token(sldns_buffer* strbuf, char* token, size_t token_len,
{
size_t slen;
/* skip spaces */
/* skip spaces and tabs */
while(sldns_buffer_remaining(strbuf) > 0 && !*quoted &&
*(sldns_buffer_current(strbuf)) == ' ') {
(*(sldns_buffer_current(strbuf)) == ' ' ||
*(sldns_buffer_current(strbuf)) == '\t')) {
sldns_buffer_skip(strbuf, 1);
}
@ -1427,7 +1428,7 @@ sldns_str2wire_svcbparam_parse_next_unescaped_comma(const char *val)
}
/* The source is already properly unescaped, this double unescaping is purely to allow for
* comma's in comma seperated alpn lists.
* comma's in comma separated alpn lists.
*
* In draft-ietf-dnsop-svcb-https-06 Section 7:
* To enable simpler parsing, this SvcParamValue MUST NOT contain escape sequences.


@ -59,7 +59,7 @@ char* sldns_wire2str_pkt(uint8_t* data, size_t len);
char* sldns_wire2str_rr(uint8_t* rr, size_t len);
/**
* Conver wire dname to a string.
* Convert wire dname to a string.
* @param dname: the dname in uncompressed wireformat.
* @param dname_len: length of the dname.
* @return string or NULL on failure.


@ -54,6 +54,7 @@
#include "iterator/iter_hints.h"
#include "validator/validator.h"
#include "services/localzone.h"
#include "services/listen_dnsport.h"
#include "services/view.h"
#include "services/authzone.h"
#include "respip/respip.h"
@ -334,19 +335,64 @@ interfacechecks(struct config_file* cfg)
int d;
struct sockaddr_storage a;
socklen_t alen;
int i, j;
int i, j, i2, j2;
char*** resif = NULL;
int* num_resif = NULL;
if(cfg->num_ifs != 0) {
resif = (char***)calloc(cfg->num_ifs, sizeof(char**));
if(!resif) fatal_exit("malloc failure");
num_resif = (int*)calloc(cfg->num_ifs, sizeof(int));
if(!num_resif) fatal_exit("malloc failure");
}
for(i=0; i<cfg->num_ifs; i++) {
if(!extstrtoaddr(cfg->ifs[i], &a, &alen)) {
fatal_exit("cannot parse interface specified as '%s'",
cfg->ifs[i]);
}
for(j=0; j<cfg->num_ifs; j++) {
if(i!=j && strcmp(cfg->ifs[i], cfg->ifs[j])==0)
/* search for duplicates in IP or ifname arguments */
for(i2=0; i2<i; i2++) {
if(strcmp(cfg->ifs[i], cfg->ifs[i2]) == 0) {
fatal_exit("interface: %s present twice, "
"cannot bind same ports twice.",
cfg->ifs[i]);
}
}
if(!resolve_interface_names(&cfg->ifs[i], 1, NULL, &resif[i],
&num_resif[i])) {
fatal_exit("could not resolve interface names, for %s",
cfg->ifs[i]);
}
/* search for duplicates in the returned addresses */
for(j=0; j<num_resif[i]; j++) {
if(!extstrtoaddr(resif[i][j], &a, &alen)) {
if(strcmp(cfg->ifs[i], resif[i][j]) != 0)
fatal_exit("cannot parse interface address '%s' from the interface specified as '%s'",
resif[i][j], cfg->ifs[i]);
else
fatal_exit("cannot parse interface specified as '%s'",
cfg->ifs[i]);
}
for(i2=0; i2<i; i2++) {
for(j2=0; j2<num_resif[i2]; j2++) {
if(strcmp(resif[i][j], resif[i2][j2])
== 0) {
char info1[1024], info2[1024];
if(strcmp(cfg->ifs[i], resif[i][j]) != 0)
snprintf(info1, sizeof(info1), "address %s from interface: %s", resif[i][j], cfg->ifs[i]);
else snprintf(info1, sizeof(info1), "interface: %s", cfg->ifs[i]);
if(strcmp(cfg->ifs[i2], resif[i2][j2]) != 0)
snprintf(info2, sizeof(info2), "address %s from interface: %s", resif[i2][j2], cfg->ifs[i2]);
else snprintf(info2, sizeof(info2), "interface: %s", cfg->ifs[i2]);
fatal_exit("%s present twice, cannot bind the same ports twice. The first entry is %s and the second is %s", resif[i][j], info2, info1);
}
}
}
}
}
for(i=0; i<cfg->num_ifs; i++) {
config_del_strarray(resif[i], num_resif[i]);
}
free(resif);
free(num_resif);
for(i=0; i<cfg->num_out_ifs; i++) {
if(!ipstrtoaddr(cfg->out_ifs[i], UNBOUND_DNS_PORT, &a, &alen) &&
!netblockstrtoaddr(cfg->out_ifs[i], UNBOUND_DNS_PORT, &a, &alen, &d)) {
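Review bot: The duplicate check in the new interfacechecks loop compares the resolved addresses as text, `strcmp(resif[i][j], resif[i2][j2]) == 0`, so two spellings of the same socket address would pass as distinct and the double bind would only show up when the daemon starts. Each string is already parsed by `extstrtoaddr(resif[i][j], &a, &alen)`, but the parsed value is discarded; keeping the parsed sockaddr and its length per entry and comparing those instead of the strings would catch equivalent forms. Whether resolve_interface_names can return non-canonical text is not visible here, so this may only matter for addresses typed directly in the configuration. The function body continues past the end of this section.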


@ -358,7 +358,7 @@ static int http2_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session),
}
if(sldns_buffer_remaining(h2_stream->buf) < len) {
log_err("received data chunck does not fit into buffer");
log_err("received data chunk does not fit into buffer");
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
@ -531,7 +531,7 @@ run(struct http2_session* h2_session, int port, int no_tls, int count, char** q)
h2_session->block_select = 1;
/* hande query */
/* handle query */
for(i=0; i<count; i+=3) {
buf = make_query(q[i], q[i+1], q[i+2]);
submit_query(h2_session, buf);


@ -81,7 +81,7 @@ while test $# -ne 0; do
echo " -d dir use directory to store keys and certificates."
echo " default: $DESTDIR"
echo "please run this command using the same user id that the "
echo "unboun daemon uses, it needs read privileges."
echo "unbound daemon uses, it needs read privileges."
exit 1
;;
esac


@ -182,7 +182,7 @@ example.com. IN SOA ns.example.com. hostmaster.example.com. 2 3600 900 86400 360
example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
www.example.com. IN A 1.2.3.4
mail.example.com. 3600 IN A 1.2.3.6
; this is the delete of the nonexistant entry
; this is the delete of the nonexistent entry
nonexist.example.com. 3600 IN A 1.2.3.4
example.com. IN SOA ns.example.com. hostmaster.example.com. 2 3600 900 86400 3600
EXTRA_PACKET

2
testdata/fwd.rpl vendored

@ -28,7 +28,7 @@ REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; unneccesary nothing steps.
; unnecessary nothing steps.
STEP 2 NOTHING
STEP 3 NOTHING
STEP 4 CHECK_ANSWER


@ -59,7 +59,7 @@ REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; unneccesary nothing steps.
; unnecessary nothing steps.
STEP 20 NOTHING
STEP 30 CHECK_ANSWER
ENTRY_BEGIN


@ -81,12 +81,12 @@ echo "> cat logfiles"
cat petal.log
cat unbound.log
# check petal.log for the correct number of occurences.
# check petal.log for the correct number of occurrences.
# It should be 2 User-Agents, one being the custom.
echo "> check User-Agent occurences"
occurences=`grep "User-Agent:" petal.log | wc -l`
echo $occurences
if test $occurences -eq 2; then
echo "> check User-Agent occurrences"
occurrences=`grep "User-Agent:" petal.log | wc -l`
echo $occurrences
if test $occurrences -eq 2; then
echo "OK"
else
echo "Not OK"


@ -28,7 +28,7 @@ SECTION QUESTION
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
; glue ommitted!
; glue omitted!
;K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END


@ -17,7 +17,7 @@ CONFIG_END
SCENARIO_BEGIN Test scrub of reversed DNAME and CNAME in answer section
RANGE_BEGIN 0 100
; all adresses
; all addresses
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id


@ -17,7 +17,7 @@ CONFIG_END
SCENARIO_BEGIN Test scrub of secure DNAME in answer section
RANGE_BEGIN 0 100
; all adresses
; all addresses
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id


@ -45,9 +45,32 @@ server:
local-data: "b.c.implicit. A 20.30.45.50"
local-data: "c.c.implicit. A 20.30.44.50"
; create implicit data in the ANY domain
; this should inherit the local_zone_type of the already configured
; zone 'refuse.top.' and not be transparent
local-data: "refuse.top. ANY TXT implicit_non_transparent"
stub-zone:
name: "refuse.top"
stub-addr: 1.2.3.4
CONFIG_END
SCENARIO_BEGIN Test local data queries
RANGE_BEGIN 0 100
ADDRESS 1.2.3.4
; This entry should never be queried
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.refuse.top. IN A
SECTION ANSWER
www.refuse.top. IN A 5.5.5.5
ENTRY_END
RANGE_END
; id.server.
STEP 1 QUERY
ENTRY_BEGIN
@ -390,4 +413,35 @@ SECTION ANSWER
foo.null.top. IN AAAA ::0
ENTRY_END
; refuse zone for implicit local-data with CLASS != IN
STEP 64 QUERY
ENTRY_BEGIN
SECTION QUESTION
refuse.top. ANY TXT
ENTRY_END
STEP 65 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RA AA NOERROR
SECTION QUESTION
refuse.top. ANY TXT
SECTION ANSWER
refuse.top. ANY TXT implicit_non_transparent
ENTRY_END
; refuse zone for implicit local-data with CLASS != IN
STEP 66 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.refuse.top. ANY A
ENTRY_END
STEP 67 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RA RD AA REFUSED
SECTION QUESTION
www.refuse.top. ANY A
ENTRY_END
SCENARIO_END


@ -27,7 +27,7 @@ fi
echo ""
# test that unbound-anchor, the builtin certificate, works
# so, force https with -F and the -c is a nonexistant file
# so, force https with -F and the -c is a nonexistent file
$PRE/unbound-anchor -a test.cert -c test.pem -v -F
# check that the test.cert file is OK.
if $PRE/unbound-host -f test.cert -t SOA -v . 2>&1 | grep "(secure)"; then


@ -80,7 +80,7 @@ else
fi
# check all the succes and write them
# check all the success and write them
if ! $PRE/readzone svcb.success-cases.zone > svcb.success-cases.zone.out
then
echo "Some particular success cases did not succeed to parse"


@ -172,3 +172,5 @@ uri.arpa. 3600 IN ZONEMD 2018100702 1 1 ( 1291b78ddf7669b1a39d014
root-servers.net. 3600000 IN ZONEMD 2018091100 1 1 ( f1ca0ccd91bd5573d9f431c00ee0101b2545c97602be0a97 8a3b11dbfc1c776d5b3e86ae3d973d6b5349ba7f04340f79 )
; from ldns issue #121, 0.10m was parsed as 0.01m.
foo. 12345 IN LOC 12 45 52.333 N 105 40 33.452 W -24m 0.1m 0.1m 0.1m
; from ldns issue #147, fix #148, tab between quoted strings.
foo 12345 IN HINFO "hohum" "weirdo"


@ -212,3 +212,5 @@ uri.arpa. 3600 IN ZONEMD 2018100702 1 1 1291B78DDF7669B1A39D014D87626B709B55774C
root-servers.net. 3600000 IN ZONEMD 2018091100 1 1 F1CA0CCD91BD5573D9F431C00EE0101B2545C97602BE0A978A3B11DBFC1C776D5B3E86AE3D973D6B5349BA7F04340F79
03666F6F00001D00010000303900100011111182BD2D4D69530BD400988D20
foo. 12345 IN LOC 12 45 52.333 N 105 40 33.452 W -24m 0.10m 0.10m 0.10m
03666F6F00000D000100003039000D05686F68756D0677656972646F
foo. 12345 IN HINFO "hohum" "weirdo"


@ -411,7 +411,7 @@ ENTRY_END
; cause a lookup for nx1.example.com bypassing the cache.
; with bug; this causes msg ttl for nx1 to be time(NOW)+ttl.
; so 15+5 = 20
; visiable in debug log as "msg ttl is %d"
; visible in debug log as "msg ttl is %d"
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD


@ -219,7 +219,7 @@ STEP 20 TIME_PASSES ELAPSE 3400
; now the key gets prefetched and has to be verified with the anchor,
; not with the key itself.
; this answer is from cache enyway.
; this answer is from cache anyway.
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD DO


@ -42,7 +42,7 @@ SECTION ANSWER
SECTION AUTHORITY
nsecwc.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
nsecwc.nlnetlabs.nl. 3600 IN RRSIG SOA 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. bYibpCDg1LgrnYJgVahgu94LBqLIcNs4iC0SW8LV7pTI1hhuFKbLkO2O ekPdkJAWmu/KTytf8D+cdcK6X/9VS8QCVIF5S0hraHtNezu0f1B5ztg3 7Rqy+uJSucNKoykueAsz2z43GMgO0rGH3bqM7+3ii8p2E2rhzqEtG/D3 qyY=
; NSEC has a label lenght of 3, indication that the original owner name is:
; NSEC has a label length of 3, indication that the original owner name is:
; *.nsecwc.nlnetlabs.nl. The NSEC therefore does no prove the NODATA answer.
_25._tcp.mail.nsecwc.nlnetlabs.nl. 3600 IN NSEC delegation.nsecwc.nlnetlabs.nl. TXT RRSIG NSEC
_25._tcp.mail.nsecwc.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. ddy1MRbshFuFJswlouNGHsZUF/tYu8BOCztY2JuHeTMyWL7rhRKp73q/ 1RAXMwywKsynT5ioY0bMtEQszeIEn29IYaPDHieLAobjF6BMu1kO7U2/ oEBrSHM/fx28BcaM5G4nfCIm3BlhQhWvk1NDHLn3Q26x4hF/dnmFOUet aXw=


@ -138,7 +138,7 @@ b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 1 123 aabb00123456bbccd
b6fuorg741ufili49mg9j4328ig53sqg.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AKHQ0gnNP5WDab1yqbd+Bt12CSSff88sqeDR40dvhiWOcYA8mmyjYNA=
; span around sub.example.com., same span as foo.example.com, but it has
; just changed and it is now larger to accomodate sub.example.com.
; just changed and it is now larger to accommodate sub.example.com.
6obgmo062d9935unjnnj2su5otaj9334.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 9r1f0ieoutlnjc03meng9e3bn2n0o9pd NS DS RRSIG
6obgmo062d9935unjnnj2su5otaj9334.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. ABzruSKUUcJRNlYDqZ4UmQH/WnzeXt9Gozp3chS4cR0sqsEeGjL54eQ=
@ -164,7 +164,7 @@ b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 1 123 aabb00123456bbccd
b6fuorg741ufili49mg9j4328ig53sqg.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AKHQ0gnNP5WDab1yqbd+Bt12CSSff88sqeDR40dvhiWOcYA8mmyjYNA=
; span around sub.example.com., same span as foo.example.com, but it has
; just changed and it is now larger to accomodate sub.example.com.
; just changed and it is now larger to accommodate sub.example.com.
6obgmo062d9935unjnnj2su5otaj9334.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 9r1f0ieoutlnjc03meng9e3bn2n0o9pd NS DS RRSIG
6obgmo062d9935unjnnj2su5otaj9334.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. ABzruSKUUcJRNlYDqZ4UmQH/WnzeXt9Gozp3chS4cR0sqsEeGjL54eQ=


@ -1120,7 +1120,7 @@ int cfg_count_numbers(const char* str);
int cfg_parse_memsize(const char* str, size_t* res);
/**
* Parse nsid from string into binary nsid. nsid is either a hexidecimal
* Parse nsid from string into binary nsid. nsid is either a hexadecimal
* string or an ascii string prepended with ascii_ in which case the
* characters after ascii_ are simply copied.
* @param str: the string to parse.


@ -358,7 +358,7 @@ struct module_env {
* @param ssl_upstream: use SSL for upstream queries.
* @param tls_auth_name: if ssl_upstream, use this name with TLS
* authentication.
* @param q: wich query state to reactivate upon return.
* @param q: which query state to reactivate upon return.
* @return: false on failure (memory or socket related). no query was
* sent. Or returns an outbound entry with qsent and qstate set.
* This outbound_entry will be used on later module invocations


@ -38,6 +38,15 @@
*/
#include "config.h"
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#ifdef HAVE_NET_IF_H
#include <net/if.h>
#endif
#ifdef HAVE_NETIOAPI_H
#include <netioapi.h>
#endif
#include "util/net_help.h"
#include "util/log.h"
#include "util/data/dname.h"
@ -266,7 +275,10 @@ ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
return 0;
(void)strlcpy(buf, ip, sizeof(buf));
buf[s-ip]=0;
sa->sin6_scope_id = (uint32_t)atoi(s+1);
#ifdef HAVE_IF_NAMETOINDEX
if (!(sa->sin6_scope_id = if_nametoindex(s+1)))
#endif /* HAVE_IF_NAMETOINDEX */
sa->sin6_scope_id = (uint32_t)atoi(s+1);
ip = buf;
}
if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) {
@ -1181,6 +1193,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
SSL_CTX_free(ctx);
return 0;
}
#endif
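Review bot: In the ipstrtoaddr hunk, the fallback after `if_nametoindex(s+1)` is still `atoi(s+1)`, so a mistyped or absent interface name after `%` silently becomes scope id 0 instead of a parse failure, and the address is accepted without the zone the operator asked for. Parsing the numeric form with an end-pointer check and returning 0 on anything else would make the configuration error visible; `atoi` also gives no way to detect trailing garbage or out-of-range digits before the `(uint32_t)` cast. The sketch below keeps the name lookup first and only tightens the numeric path. The enclosing function starts and ends outside the hunk, so the surrounding buffer-length checks could not be reviewed here.

```c
#ifdef HAVE_IF_NAMETOINDEX
			if (!(sa->sin6_scope_id = if_nametoindex(s+1)))
#endif /* HAVE_IF_NAMETOINDEX */
			{
				/* numeric zone id: digits only, must fit in 32 bits */
				char* end = NULL;
				unsigned long scope = strtoul(s+1, &end, 10);
				if(s[1] < '0' || s[1] > '9' || *end != 0 ||
					scope > 0xffffffffUL)
					return 0;
				sa->sin6_scope_id = (uint32_t)scope;
			}
			/* … unchanged: ip = buf; and the inet_pton call … */
```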


@ -818,6 +818,7 @@ setup_tcp_handler(struct comm_point* c, int fd, int cur, int max)
#endif
c->tcp_is_reading = 1;
c->tcp_byte_count = 0;
c->tcp_keepalive = 0;
/* if more than half the tcp handlers are in use, use a shorter
* timeout for this TCP connection, we need to make space for
* other connections to be able to get attention */


@ -743,7 +743,7 @@ struct comm_signal* comm_signal_create(struct comm_base* base,
void (*callback)(int, void*), void* cb_arg);
/**
* Bind signal struct to catch a signal. A signle comm_signal can be bound
* Bind signal struct to catch a signal. A single comm_signal can be bound
* to multiple signals, calling comm_signal_bind multiple times.
* @param comsig: the communication point, with callback information.
* @param sig: signal number.


@ -1,5 +1,5 @@
/*
* util/ub_event.c - directly call libevent (compatability) functions
* util/ub_event.c - directly call libevent (compatibility) functions
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*


@ -839,16 +839,15 @@ val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset)
sldns_lookup_table *lt;
char herr[64], aerr[64];
lt = sldns_lookup_by_id(sldns_hashes,
(int)ds_get_digest_algo(ds_rrset, i));
(int)ds_get_digest_algo(ds_rrset, 0));
if(lt) snprintf(herr, sizeof(herr), "%s", lt->name);
else snprintf(herr, sizeof(herr), "%d",
(int)ds_get_digest_algo(ds_rrset, i));
(int)ds_get_digest_algo(ds_rrset, 0));
lt = sldns_lookup_by_id(sldns_algorithms,
(int)ds_get_key_algo(ds_rrset, i));
(int)ds_get_key_algo(ds_rrset, 0));
if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name);
else snprintf(aerr, sizeof(aerr), "%d",
(int)ds_get_key_algo(ds_rrset, i));
(int)ds_get_key_algo(ds_rrset, 0));
verbose(VERB_ALGO, "DS unsupported, hash %s %s, "
"key algorithm %s %s", herr,
(ds_digest_algo_is_supported(ds_rrset, 0)?
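Review bot: The "DS unsupported" diagnostic in val_dsset_isusable now reads record 0 for both the hash and the key algorithm, but nothing in the hunk shows that the set is non-empty, so the guard on the record count should be confirmed in the part of the function outside this hunk. If the set can hold several DS records, the message describes only the first one; a short comment such as `/* describe the first DS in the set in the log line */` would stop a later reader from switching the index back to `i`. Each getter is also called twice per name, and a local like `int h = (int)ds_get_digest_algo(ds_rrset, 0);` would remove the repetition.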


@ -140,7 +140,7 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
val_env->max_restart = cfg->val_max_restart;
c = cfg_count_numbers(cfg->val_nsec3_key_iterations);
if(c < 1 || (c&1)) {
log_err("validator: unparseable or odd nsec3 key "
log_err("validator: unparsable or odd nsec3 key "
"iterations: %s", cfg->val_nsec3_key_iterations);
return 0;
}
@ -484,7 +484,7 @@ generate_keytag_query(struct module_qstate* qstate, int id,
return 0;
}
/* Not interrested in subquery response. Restore the ext_state,
/* Not interested in subquery response. Restore the ext_state,
* that might be changed by generate_request() */
qstate->ext_state[id] = ext_state;


@ -68,7 +68,7 @@ struct config_strlist;
#define SENTINEL_IS "root-key-sentinel-is-ta-"
/** Root key sentinel is not ta preamble */
#define SENTINEL_NOT "root-key-sentinel-not-ta-"
/** Root key sentinal keytag length */
/** Root key sentinel keytag length */
#define SENTINEL_KEYTAG_LEN 5
/**