Merge branch 'master' into doh

This commit is contained in:
Ralph Dolmans 2020-05-07 17:12:26 +02:00
commit e7601870cc
84 changed files with 5197 additions and 4709 deletions

@ -4,7 +4,7 @@ Unbound 1.10 and above leverage Travis CI to increase coverage of compilers and
Android is tested on armv7a, aarch64, x86 and x86_64. The Android recipes build and install OpenSSL and Expat, and then builds Unbound. The testing is tailored for Android NDK-r19 and above, and includes NDK-r20 and NDK-r21. Mips and Mips64 are not tested because they are no longer supported under current NDKs.
iOS is tested for iPhoneOS, WatchOS and AppleTVOS. The testing uses Xcode 10.0 on OS X 10.13.
iOS is tested for iPhoneOS, WatchOS, AppleTVOS, iPhoneSimulator, AppleTVSimulator and WatchSimulator. The testing uses Xcode 10 on OS X 10.13.
The Unbound Travis configuration file `.travis.yml` does not use top-level keys like `os:` and `compiler:` so there is no matrix expansion. Instead Unbound specifies the exact job to run under the `jobs:` and `include:` keys.
@ -68,43 +68,59 @@ elif [ "$TEST_ASAN" = "yes" ]; then
Travis tests Android builds for the armv7a, aarch64, x86 and x86_64 architectures. The builds are trickier than other builds for several reasons. The testing requires installation of the Android NDK and SDK, it requires a cross-compile, and requires OpenSSL and Expat prerequisites. The Android cross-compiles also require care to set the Autotools triplet, the OpenSSL triplet, the toolchain path, the tool variables, and the sysroot. The discussion below detail the steps of the Android recipes.
### ANDROID_NDK_ROOT
### Android job
The first step for Android is to set the environmental variables `ANDROID_NDK_ROOT` and `ANDROID_SDK_ROOT`. This is an important step because the NDK and SDK use the variables internally to locate their own tools. Also see [Recommended NDK Directory?](https://groups.google.com/forum/#!topic/android-ndk/qZjhOaynHXc) on the android-ndk mailing list. (Many folks botch this step, and use incorrect variables like `ANDROID_NDK_HOME` or `ANDROID_SDK_HOME`).
Unbound exports the variables in the Travis configuration script for the Android recipe:
```
export ANDROID_SDK_ROOT="$HOME/android-sdk"
export ANDROID_NDK_ROOT="$HOME/android-ndk"
```
### NDK installation
The second step installs the NDK and SDK. This step is handled in by the script `contrib/android/install_ndk.sh`. The script uses `ANDROID_NDK_ROOT` and `ANDROID_SDK_ROOT` to place the NDK and SDK in the `$HOME` directory.
If you are working from a developer machine you probably already have a NDK and SDK installed.
### Android environment
The third step sets the Android cross-compile environment using the script `contrib/android/setenv_android.sh`. The script is `sourced` so the variables in the script are available to the calling shell. The script sets variables like `CC`, `CXX`, `AS` and `AR`; sets `CFLAGS` and `CXXFLAGS`; sets a `sysroot` so Android headers and libraries are found; and adds the path to the toolchain to `PATH`.
`contrib/android/setenv_android.sh` knows which toolchain and architecture to select by inspecting environmental variables set by Travis for the job. In particular, the variables `ANDROID_CPU` and `ANDROID_API` tell `contrib/android/setenv_android.sh` what tools and libraries to select. For example, below is part of the Aarch64 recipe.
The first step sets environmental variables for the cross-compile using the Travis job. A typical job with variables is shown below.
```
- os: linux
name: Android aarch64, Linux, Amd64
name: Android armv7a, Linux, Amd64
compiler: clang
arch: amd64
dist: bionic
env:
- TEST_ANDROID=yes
- AUTOTOOLS_HOST=aarch64-linux-android
- OPENSSL_HOST=android-arm64
- ANDROID_CPU=aarch64
- AUTOTOOLS_HOST=armv7a-linux-androideabi
- OPENSSL_HOST=android-arm
- ANDROID_CPU=armv7a
- ANDROID_API=23
- ANDROID_PREFIX="$HOME/android$ANDROID_API-$ANDROID_CPU"
- ANDROID_SDK_ROOT="$HOME/android-sdk"
- ANDROID_NDK_ROOT="$HOME/android-ndk"
```
### ANDROID_NDK_ROOT
The second step for Android is to set the environmental variables `ANDROID_NDK_ROOT` and `ANDROID_SDK_ROOT`. This is an important step because the NDK and SDK use the variables internally to locate their own tools. Also see [Recommended NDK Directory?](https://groups.google.com/forum/#!topic/android-ndk/qZjhOaynHXc) on the android-ndk mailing list. (Many folks miss this step, or use incorrect variables like `ANDROID_NDK_HOME` or `ANDROID_SDK_HOME`).
If you are working from a developer machine you probably already have the necessary tools installed. You should ensure `ANDROID_NDK_ROOT` and `ANDROID_SDK_ROOT` are set properly.
### Tool installation
The second step installs tools needed for OpenSSL, Expat and Unbound. This step is handled in by the script `contrib/android/install_tools.sh`. The tools include curl, tar, zip, unzip and java.
```
before_script:
- |
if [ "$TEST_ANDROID" = "yes" ]; then
./contrib/android/install_tools.sh
elif [ "$TEST_IOS" = "yes" ]; then
./contrib/ios/install_tools.sh
fi
```
### NDK installation
The third step installs the NDK and SDK. This step is handled in by the script `contrib/android/install_ndk.sh`. The script uses `ANDROID_NDK_ROOT` and `ANDROID_SDK_ROOT` to place the NDK and SDK in the `$HOME` directory.
If you are working from a developer machine you probably already have a NDK and SDK installed.
### Android environment
The fourth step sets the Android cross-compile environment using the script `contrib/android/setenv_android.sh`. The script is `sourced` so the variables in the script are available to the calling shell. The script sets variables like `CC`, `CXX`, `AS` and `AR`; sets `CFLAGS` and `CXXFLAGS`; sets a `sysroot` so Android headers and libraries are found; and adds the path to the toolchain to `PATH`.
`contrib/android/setenv_android.sh` knows which toolchain and architecture to select by inspecting environmental variables set by Travis for the job. In particular, the variables `ANDROID_CPU` and `ANDROID_API` tell `contrib/android/setenv_android.sh` which tools and libraries to select.
The `contrib/android/setenv_android.sh` script specifies the tools in a `case` statement like the following. There is a case for each of the architectures armv7a, aarch64, x86 and x86_64.
```
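Review bot: the step ordinals collide after the reorder: the job variables are "the first step", ANDROID_NDK_ROOT is "the second step", the tool installation is also "the second step", then the NDK is "third" and the environment "fourth". Either renumber (tools third, NDK fourth, environment fifth, with OpenSSL/Expat becoming sixth) or drop the ordinals and let the headings carry the order. While here, "handled in by the script" (twice in this hunk) should read "handled by the script", and the job example is worth one sentence noting that `ANDROID_PREFIX="$HOME/android$ANDROID_API-$ANDROID_CPU"` only works because Travis expands `env:` entries in order, so ANDROID_API and ANDROID_CPU must stay above it.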
@ -121,17 +137,11 @@ armv8a|aarch64|arm64|arm64-v8a)
CXXFLAGS="-funwind-tables -fexceptions -frtti"
```
### Tool installation
The fourth step installs tools needed for OpenSSL, Expat and Unbound. This step is handled in by the script `contrib/android/install_tools.sh`. The tools include curl, tar, zip, unzip and java.
If you are working from a developer machine you probably already have the necessary tools installed.
### OpenSSL and Expat
The fifth step builds OpenSSL and Expat. OpenSSL and Expat are built for Android using the scripts `contrib/android/install_openssl.sh` and `contrib/android/install_expat.sh`. The scripts download, configure and install the latest release version of the libraries. The libraries are configured with `--prefix="$ANDROID_PREFIX"` so the headers are placed in `$ANDROID_PREFIX/include` directory, and the libraries are placed in the `$ANDROID_PREFIX/lib` directory.
`ANDROID_PREFIX` is the value `$HOME/android$ANDROID_API-$ANDROID_CPU`. The libraries will be installed in `$HOME/android23-armv7a`, `$HOME/android23-aarch64`, etc. For Autotools projects, the appropriate `PKG_CONFIG_PATH` is exported. `PKG_CONFIG_PATH` is the userland equivalent to sysroot, and allows Autotools to find non-system library's headers and libraries for an architecture. Typical `PKG_CONFIG_PATH` are `$HOME/android23-armv7a/lib/pkgconfig` and `$HOME/android23-aarch64/lib/pkgconfig`.
`ANDROID_PREFIX` is the value `$HOME/android$ANDROID_API-$ANDROID_CPU`. The libraries will be installed in `$HOME/android23-armv7a`, `$HOME/android23-aarch64`, etc. For Autotools projects, the appropriate `PKG_CONFIG_PATH` is exported. `PKG_CONFIG_PATH` is the userland equivalent to sysroot, and allows Autotools to find non-system headers and libraries for an architecture. Typical `PKG_CONFIG_PATH` are `$HOME/android23-armv7a/lib/pkgconfig` and `$HOME/android23-aarch64/lib/pkgconfig`.
OpenSSL also uses a custom configuration file called `15-android.conf`. It is a copy of the OpenSSL's project file and located at `contrib/android/15-android.conf`. The Unbound version is copied to the OpenSSL source files after unpacking the OpenSSL distribution. The Unbound version has legacy NDK support removed and some other fixes, like `ANDROID_NDK_ROOT` awareness. The changes mean Unbound's `15-android.conf` will only work with Unbound, with NDK-r19 and above, and a properly set environment.
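Review bot: "download, configure and install the latest release version" means the CI build floats with whatever the download host serves on a given day. If `contrib/android/install_openssl.sh` and `contrib/android/install_expat.sh` do not pin a version and verify a checksum or signature, say so here (or better, add the pinning), because libunbound ends up linked against code nobody in this repository reviewed and the build is not reproducible. The paragraph on `15-android.conf` makes the same point implicitly: a vendored config that "will only work with NDK-r19 and above" needs the OpenSSL version it tracks written down.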
@ -147,19 +157,20 @@ elif [ "$TEST_ANDROID" = "yes" ]; then
export PKG_CONFIG_PATH="$ANDROID_PREFIX/lib/pkgconfig"
./contrib/android/install_ndk.sh
source ./contrib/android/setenv_android.sh
./contrib/android/install_tools.sh
./contrib/android/install_openssl.sh
./contrib/android/install_expat.sh
./configure \
--build="$AUTOTOOLS_BUILD" --host="$AUTOTOOLS_HOST" \
--build="$AUTOTOOLS_BUILD" \
--host="$AUTOTOOLS_HOST" \
--prefix="$ANDROID_PREFIX" \
--with-ssl="$ANDROID_PREFIX" --disable-gost \
--with-libexpat="$ANDROID_PREFIX";
--with-ssl="$ANDROID_PREFIX" \
--with-libexpat="$ANDROID_PREFIX" \
--disable-gost;
make -j 2
make install
```
Travis only smoke tests an Android build using a compile and link. The self tests are not run. TODO: figure out how to fire up an emulator, push the tests to the device and run them.
Travis only smoke tests an Android build using a compile, link and install. The self tests are not run. TODO: figure out how to fire up an emulator, push the tests to the device and run them.
### Android flags
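Review bot: `./contrib/android/install_tools.sh` was removed from this recipe and now runs at `before_script:`, but this recipe is the part readers copy onto a workstation; add a sentence that `install_ndk.sh` assumes curl, unzip and java are already present, otherwise the first visible failure is inside the NDK download rather than a clear "tools missing". The reordering of `install_ndk.sh` before `source ./contrib/android/setenv_android.sh` is correct, since the setenv script refuses to run when ANDROID_NDK_ROOT does not exist yet.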
@ -171,58 +182,68 @@ To inspect the flags used by `ndk-build` for a platform clone ASOP's [ndk-sample
## iOS builds
Travis tests iOS builds for the armv7a, armv7s and aarch64 architectures for iPhoneOS, AppleTVOS and WatchOS. iPhoneOS is tested using both 32-bit builds (iPhones) and 64-bit builds (iPads). The builds are trickier than other builds for several reasons. The testing requires a cross-compile, and requires OpenSSL and Expat prerequisites. The iOS cross-compiles also require care to set the Autotools triplet, the OpenSSL triplet, the toolchain path, the tool variables, and the sysroot. The discussion below detail the steps of the iOS recipes.
Travis tests iOS builds for the armv7a, armv7s and aarch64 architectures for iPhoneOS, AppleTVOS and WatchOS. iPhoneOS is tested using both 32-bit builds (iPhones) and 64-bit builds (iPads). Travis also tests compiles against the simulators. The builds are trickier than other builds for several reasons. The testing requires a cross-compile, and requires OpenSSL and Expat prerequisites. The iOS cross-compiles also require care to set the Autotools triplet, the OpenSSL triplet, the toolchain path, the tool variables, and the sysroot. The discussion below detail the steps of the iOS recipes.
### iOS environment
### iOS job
The first step sets the iOS cross-compile environment using the script `contrib/ios/setenv_ios.sh`. The script is `sourced` so the variables in the script are available to the calling shell. The script sets variables like `CC`, `CXX`, `AS` and `AR`; sets `CFLAGS` and `CXXFLAGS`; sets a `sysroot` so iOS headers and libraries are found; and adds the path to the toolchain to `PATH`.
`contrib/ios/setenv_ios.sh` knows which toolchain and architecture to select by inspecting environmental variables set by Travis for the job. In particular, the variables `IOS_SDK` and `IOS_CPU` tell `contrib/ios/setenv_ios.sh` what tools and libraries to select. For example, below is part of the Aarch64 recipe.
The first step sets environmental variables for the cross-compile using the Travis job. A typical job with variables is shown below.
```
os: osx
osx_image: xcode10
name: Apple iPhone, OS X, Amd64
compiler: clang
env:
- TEST_IOS=yes
- AUTOTOOLS_HOST=armv7-apple-ios
- OPENSSL_HOST=ios-cross
- IOS_SDK=iPhoneOS
- IOS_CPU=armv7s
```
The `contrib/ios/setenv_ios.sh` script specifies the tools in a `case` statement like the following. There is a case for each of the architectures armv7a, aarch64, x86 and x86_64.
```
iphone|iphoneos)
CPP="cpp"
CC="clang"
CXX="clang++"
LD="ld"
AS="as"
AR="ar"
RANLIB="ranlib"
STRIP="strip"
# Default armv7. Also allowed armv7a, armv7s, arm64
if [ -z "$IOS_CPU" ]; then IOS_CPU=armv7; fi
CFLAGS="-arch $IOS_CPU -mios-version-min=6"
CXXFLAGS="-arch $IOS_CPU -stdlib=libc++ -mios-version-min=6"
- os: osx
osx_image: xcode10
name: Apple iPhone on iOS, armv7
compiler: clang
env:
- TEST_IOS=yes
- AUTOTOOLS_HOST=armv7-apple-ios
- OPENSSL_HOST=ios-cross
- IOS_SDK=iPhoneOS
- IOS_CPU=armv7s
- IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU"
```
### Tool installation
The second step installs tools needed for OpenSSL, Expat and Unbound. This step is handled in by the script `contrib/ios/install_tools.sh`. The tools include autotools, curl and perl.
The second step installs tools needed for OpenSSL, Expat and Unbound. This step is handled in by the script `contrib/ios/install_tools.sh`. The tools include autotools, curl and perl. The installation happens at the `before_script:` stage of Travis.
```
before_script:
- |
if [ "$TEST_ANDROID" = "yes" ]; then
./contrib/android/install_tools.sh
elif [ "$TEST_IOS" = "yes" ]; then
./contrib/ios/install_tools.sh
fi
```
### iOS environment
The third step sets the iOS cross-compile environment using the script `contrib/ios/setenv_ios.sh`. The script is `sourced` so the variables in the script are available to the calling shell. The script sets variables like `CC`, `CXX`, `AS` and `AR`; sets `CFLAGS` and `CXXFLAGS`; sets a `sysroot` so iOS headers and libraries are found; and adds the path to the toolchain to `PATH`.
`contrib/ios/setenv_ios.sh` knows which toolchain and architecture to select by inspecting environmental variables set by Travis for the job. In particular, the variables `IOS_SDK` and `IOS_CPU` tell `contrib/ios/setenv_ios.sh` which tools and libraries to select.
The `contrib/ios/setenv_ios.sh` script specifies the tools to use during the cross-compile. For Apple SDKs, the tool names are the same as a desktop. There are no special prefixes for the mobile tools.
```
CPP=cpp
CC=clang
CXX=clang++
LD=ld
AS=as
AR=ar
RANLIB=ranlib
STRIP=strip
```
If you are working from a developer machine you probably already have the necessary tools installed.
### OpenSSL and Expat
The third step builds OpenSSL and Expat. OpenSSL and Expat are built for iOS using the scripts `contrib/ios/install_openssl.sh` and `contrib/ios/install_expat.sh`. The scripts download, configure and install the latest release version of the libraries. The libraries are configured with `--prefix="$IOS_PREFIX"` so the headers are placed in `$IOS_PREFIX/include` directory, and the libraries are placed in the `$IOS_PREFIX/lib` directory.
The fourth step builds OpenSSL and Expat. OpenSSL and Expat are built for iOS using the scripts `contrib/ios/install_openssl.sh` and `contrib/ios/install_expat.sh`. The scripts download, configure and install the latest release version of the libraries. The libraries are configured with `--prefix="$IOS_PREFIX"` so the headers are placed in `$IOS_PREFIX/include` directory, and the libraries are placed in the `$IOS_PREFIX/lib` directory.
`IOS_PREFIX` is the value `$HOME/iPhoneOS-$IOS_CPU`, `$HOME/AppleTVOS` or `$HOME/WatchOS`. The libraries will be installed in `$HOME/iPhoneOS-armv7s`, `$HOME/iPhoneOS-arm64`, etc. For Autotools projects, the appropriate `PKG_CONFIG_PATH` is exported. `PKG_CONFIG_PATH` is the userland equivalent to sysroot, and allows Autotools to find non-system library's headers and libraries for an architecture. Typical `PKG_CONFIG_PATH` are `$HOME/iPhoneOS-armv7s/lib/pkgconfig` and `$HOME/iPhoneOS-arm64/lib/pkgconfig`.
`IOS_PREFIX` is the value `$HOME/$IOS_SDK-$IOS_CPU`. The scheme handles both iOS SDKs and cpu architectures so the pair recieves a unique installation directory. The libraries will be installed in `$HOME/iPhoneOS-armv7s`, `$HOME/iPhoneOS-arm64`, `$HOME/iPhoneSimulator-i386`, etc. For Autotools projects, the appropriate `PKG_CONFIG_PATH` is exported.
`PKG_CONFIG_PATH` is an important variable. It is the userland equivalent to sysroot, and allows Autotools to find non-system headers and libraries for an architecture. Typical `PKG_CONFIG_PATH` are `$HOME/iPhoneOS-armv7s/lib/pkgconfig` and `$HOME/iPhoneOS-arm64/lib/pkgconfig`.
OpenSSL also uses a custom configuration file called `15-ios.conf`. It is a copy of the OpenSSL's project file and located at `contrib/ios/15-ios.conf`. The Unbound version is copied to the OpenSSL source files after unpacking the OpenSSL distribution. The changes mean Unbound's `15-ios.conf` will only work with Unbound and a properly set environment.
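Review bot: the sample job is internally inconsistent: `name: Apple iPhone on iOS, armv7` and `AUTOTOOLS_HOST=armv7-apple-ios` say armv7, while `IOS_CPU=armv7s` selects armv7s for `-arch`; pick one and make the name, the triplet and IOS_CPU agree, since IOS_PREFIX ("$HOME/$IOS_SDK-$IOS_CPU") is derived from it and a mismatch produces a directory named for a different CPU than the one the triplet describes. Also "recieves" (IOS_PREFIX paragraph) should be "receives". Replacing the old "There is a case for each of the architectures armv7a, aarch64, x86 and x86_64" sentence, which was copied from the Android section, with the plain tool list is the right fix.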
@ -230,26 +251,27 @@ OpenSSL is configured with `no-engine`. Engines require dynamic loading so engin
### iOS build
Finally, once OpenSSL and Expat are built, then the Travis script configures and builds Unbound. The recipe looks as follows.
Finally, once OpenSSL and Expat are built, then the Travis script configures and builds Unbound. The full recipe looks as follows.
```
elif [ "$TEST_IOS" = "yes" ]; then
export AUTOTOOLS_BUILD="$(./config.guess)"
export PKG_CONFIG_PATH="$IOS_PREFIX/lib/pkgconfig"
source ./contrib/ios/setenv_ios.sh
./contrib/ios/install_tools.sh
./contrib/ios/install_openssl.sh
./contrib/ios/install_expat.sh
./configure \
--build="$AUTOTOOLS_BUILD" --host="$AUTOTOOLS_HOST" \
--build="$AUTOTOOLS_BUILD" \
--host="$AUTOTOOLS_HOST" \
--prefix="$IOS_PREFIX" \
--with-ssl="$IOS_PREFIX" --disable-gost \
--with-libexpat="$IOS_PREFIX";
--with-ssl="$IOS_PREFIX" \
--with-libexpat="$IOS_PREFIX" \
--disable-gost;
make -j 2
make install
```
Travis only smoke tests an iOS build using a compile and link. The self tests are not run. TODO: figure out how to fire up an simulator, push the tests to the device and run them.
Travis only smoke tests an iOS build using a compile, link and install. The self tests are not run. TODO: figure out how to fire up an simulator, push the tests to the device and run them.
### iOS flags
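Review bot: "fire up an simulator" should be "a simulator" (same TODO sentence as the Android section, which correctly says "an emulator"). It is also worth stating plainly that because the self tests are not run, a cross-compile regression that only shows at runtime (for example in the OpenSSL assembler paths selected by `ios-cross`) will pass this job; the smoke test proves compile, link and `make install` into `$IOS_PREFIX`, nothing more.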

@ -58,6 +58,11 @@ $ac_distutils_result])
AC_MSG_RESULT([$PYTHON_LDFLAGS])
AC_SUBST([PYTHON_LDFLAGS])
if test -z "$PYTHON_LIBDIR"; then
PYTHON_LIBDIR=`$PYTHON -c "from distutils.sysconfig import *; \
print(get_config_var('LIBDIR'));"`
fi
#
# Check for site packages
#
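Review bot: `print(get_config_var('LIBDIR'))` prints the literal string `None` when the config variable is absent, so PYTHON_LIBDIR can become `None` and then passes the later `!= ""` test; the only thing keeping such a value out of the link line is the leading-slash grep inside the rpath macro. Guard here instead: accept the value only if it starts with `/` (or `test -d "$PYTHON_LIBDIR"`), and leave it empty otherwise.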

@ -160,7 +160,7 @@ testframe_lookup(struct module_env* env, struct cachedb_env* cachedb_env,
static void
testframe_store(struct module_env* env, struct cachedb_env* cachedb_env,
char* key, uint8_t* data, size_t data_len)
char* key, uint8_t* data, size_t data_len, time_t ATTR_UNUSED(ttl))
{
struct testframe_moddata* d = (struct testframe_moddata*)
cachedb_env->backend_data;
@ -606,7 +606,8 @@ cachedb_extcache_store(struct module_qstate* qstate, struct cachedb_env* ie)
/* call backend */
(*ie->backend->store)(qstate->env, ie, key,
sldns_buffer_begin(qstate->env->scratch_buffer),
sldns_buffer_limit(qstate->env->scratch_buffer));
sldns_buffer_limit(qstate->env->scratch_buffer),
qstate->return_msg->rep->ttl);
}
/**
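Review bot: `qstate->return_msg->rep->ttl` becomes the SETEX expiry in the redis backend, so it must be a relative TTL in seconds at this point; nothing in this hunk shows whether `return_msg` has already been converted to absolute cache time. Please confirm, and document in the store callback which form the backend receives, because an absolute `time_t` would yield a multi-decade Redis expiry and a negative relative value wraps when `redis_store` casts it to `uint32_t`.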

@ -84,7 +84,7 @@ struct cachedb_backend {
/** Store (env, cachedb_env, key, data, data_len) */
void (*store)(struct module_env*, struct cachedb_env*, char*,
uint8_t*, size_t);
uint8_t*, size_t, time_t);
};
#define CACHEDB_HASHSIZE 256 /* bit hash */
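Review bot: the comment above the callback still reads `/** Store (env, cachedb_env, key, data, data_len) */`; add the new `ttl` argument and state its unit and whether it is relative to now, since this line is what every backend author reads before implementing `store`.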

@ -59,6 +59,9 @@ struct redis_moddata {
struct timeval timeout; /* timeout for connection setup and commands */
};
static redisReply* redis_command(struct module_env*, struct cachedb_env*,
const char*, const uint8_t*, size_t);
static redisContext*
redis_connect(const struct redis_moddata* moddata)
{
@ -114,6 +117,33 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
for(i = 0; i < moddata->numctxs; i++)
moddata->ctxs[i] = redis_connect(moddata);
cachedb_env->backend_data = moddata;
if(env->cfg->redis_expire_records) {
redisReply* rep = NULL;
int redis_reply_type = 0;
/** check if setex command is supported */
rep = redis_command(env, cachedb_env,
"SETEX __UNBOUND_REDIS_CHECK__ 1 none", NULL, 0);
if(!rep) {
/** init failed, no response from redis server*/
log_err("redis_init: failed to init redis, the "
"redis-expire-records option requires the SETEX command "
"(redis >= 2.0.0)");
return 0;
}
redis_reply_type = rep->type;
freeReplyObject(rep);
switch(redis_reply_type) {
case REDIS_REPLY_STATUS:
break;
default:
/** init failed, setex command not supported */
log_err("redis_init: failed to init redis, the "
"redis-expire-records option requires the SETEX command "
"(redis >= 2.0.0)");
return 0;
}
}
return 1;
}
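Review bot: an error reply (`REDIS_REPLY_ERROR`, e.g. NOAUTH, READONLY on a replica, OOM, or SETEX denied by an ACL) is reported with the same "requires the SETEX command (redis >= 2.0.0)" text as a genuinely missing command, which hides the real cause from the operator; log `rep->str` in the `default:` branch before `freeReplyObject(rep)` (copy it or log before freeing, since the reply is freed before the switch). The probe also writes `__UNBOUND_REDIS_CHECK__` into the shared keyspace; acceptable with a 1-second expiry, but say so in the comment. Style: `/** ... */` inside a function body is a doxygen marker; use plain `/* ... */`.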
@ -219,7 +249,7 @@ redis_lookup(struct module_env* env, struct cachedb_env* cachedb_env,
rep = redis_command(env, cachedb_env, cmdbuf, NULL, 0);
if(!rep)
return 0;
switch (rep->type) {
switch(rep->type) {
case REDIS_REPLY_NIL:
verbose(VERB_ALGO, "redis_lookup: no data cached");
break;
@ -249,16 +279,33 @@ redis_lookup(struct module_env* env, struct cachedb_env* cachedb_env,
static void
redis_store(struct module_env* env, struct cachedb_env* cachedb_env,
char* key, uint8_t* data, size_t data_len)
char* key, uint8_t* data, size_t data_len, time_t ttl)
{
redisReply* rep;
char cmdbuf[4+(CACHEDB_HASHSIZE/8)*2+3+1]; /* "SET " + key + " %b" */
int n;
int set_ttl = (env->cfg->redis_expire_records &&
(!env->cfg->serve_expired || env->cfg->serve_expired_ttl > 0));
/* Supported commands:
* - "SET " + key + " %b"
* - "SETEX " + key + " " + ttl + " %b"
*/
char cmdbuf[6+(CACHEDB_HASHSIZE/8)*2+11+3+1];
if (!set_ttl) {
verbose(VERB_ALGO, "redis_store %s (%d bytes)", key, (int)data_len);
/* build command to set to a binary safe string */
n = snprintf(cmdbuf, sizeof(cmdbuf), "SET %s %%b", key);
} else {
/* add expired ttl time to redis ttl to avoid premature eviction of key */
ttl += env->cfg->serve_expired_ttl;
verbose(VERB_ALGO, "redis_store %s (%d bytes) with ttl %u",
key, (int)data_len, (uint32_t)ttl);
/* build command to set to a binary safe string */
n = snprintf(cmdbuf, sizeof(cmdbuf), "SETEX %s %u %%b", key,
(uint32_t)ttl);
}
verbose(VERB_ALGO, "redis_store %s (%d bytes)", key, (int)data_len);
/* build command to set to a binary safe string */
n = snprintf(cmdbuf, sizeof(cmdbuf), "SET %s %%b", key);
if(n < 0 || n >= (int)sizeof(cmdbuf)) {
log_err("redis_store: unexpected failure to build command");
return;
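Review bot: Redis rejects SETEX with an expire of 0 or less ("invalid expire time"), and the TTL is cast straight to `uint32_t`. With `serve_expired` off, `set_ttl` is true whenever `redis_expire_records` is on, so a reply whose `ttl` is 0 (a zero-TTL answer) issues `SETEX key 0 ...` and the store fails with an error reply that this function does not log; a negative value would wrap to roughly 136 years. Clamp before building the command (`if(ttl < 1) ttl = 1;`, or skip the store). The buffer arithmetic is right (6 + 64 + 1 + 10 + 3 + 1 = 85 for the `SETEX` form) and the `snprintf` length check would catch a miscount anyway.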

configure vendored
@ -17343,6 +17343,11 @@ $as_echo_n "checking for Python library path... " >&6; }
$as_echo "$PYTHON_LDFLAGS" >&6; }
if test -z "$PYTHON_LIBDIR"; then
PYTHON_LIBDIR=`$PYTHON -c "from distutils.sysconfig import *; \
print(get_config_var('LIBDIR'));"`
fi
#
# Check for site packages
#
@ -17448,6 +17453,15 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h
else
CPPFLAGS="$PYTHON_CPPFLAGS"
fi
if test "$PYTHON_LIBDIR" != "/usr/lib" -a "$PYTHON_LIBDIR" != "" -a "$PYTHON_LIBDIR" != "/usr/lib64"; then
if test "x$enable_rpath" = xyes; then
if echo "$PYTHON_LIBDIR" | grep "^/" >/dev/null; then
RUNTIME_PATH="$RUNTIME_PATH -R$PYTHON_LIBDIR"
fi
fi
fi
ub_have_python=yes
if test -n "$PKG_CONFIG" && \
{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\"python\${PY_MAJOR_VERSION}\"\""; } >&5
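Review bot: this is generated output; the expanded block matches what `ACX_RUNTIME_PATH_ADD([$PYTHON_LIBDIR])` produces in configure.ac, but please confirm it came from re-running autoconf rather than hand-editing, otherwise the next regeneration silently drops it.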

@ -678,6 +678,9 @@ if test x_$ub_test_python != x_no; then
else
CPPFLAGS="$PYTHON_CPPFLAGS"
fi
if test "$PYTHON_LIBDIR" != "/usr/lib" -a "$PYTHON_LIBDIR" != "" -a "$PYTHON_LIBDIR" != "/usr/lib64"; then
ACX_RUNTIME_PATH_ADD([$PYTHON_LIBDIR])
fi
ub_have_python=yes
PKG_CHECK_EXISTS(["python${PY_MAJOR_VERSION}"],
[PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"],
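Review bot: adding PYTHON_LIBDIR to the runtime path embeds an rpath into unbound and libunbound pointing at whatever directory the Python interpreter reported. When that is a user-writable location (a virtualenv, a pyenv or `--user` install, an /opt tree owned by a build account), a privileged daemon built this way resolves libpython, and anything else found through that rpath, from a directory an unprivileged user can write to. The exclusion list (`/usr/lib`, `/usr/lib64`) also misses other default linker directories such as `/usr/local/lib` and the multiarch `/usr/lib/<triplet>` layout, so those receive a pointless rpath too. Suggest adding the rpath only when the directory is outside the default search path, and emitting an `AC_MSG_WARN` that names it so packagers see what got baked in.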

@ -1,180 +1,37 @@
#### Android...
#
# See NOTES.ANDROID for details, and don't miss platform-specific
# comments below...
{
use File::Spec::Functions;
my $android_ndk = {};
my %triplet = (
arm => "arm-linux-androideabi",
arm64 => "aarch64-linux-android",
x86 => "i686-linux-android",
x86_64 => "x86_64-linux-android"
);
sub android_ndk {
unless (%$android_ndk) {
if ($now_printing =~ m|^android|) {
return $android_ndk = { bn_ops => "BN_AUTO" };
}
my $ndk_var;
my $ndk;
foreach (qw(ANDROID_NDK_ROOT)) {
$ndk_var = $_;
$ndk = $ENV{$ndk_var};
last if defined $ndk;
}
die "\$ANDROID_NDK_ROOT is not defined" if (!$ndk);
if (!-d "$ndk/platforms" && !-f "$ndk/AndroidVersion.txt") {
# $ndk/platforms is traditional "all-inclusive" NDK, while
# $ndk/AndroidVersion.txt is so-called standalone toolchain
# tailored for specific target down to API level.
die "\$ANDROID_NDK_ROOT=$ndk is invalid";
}
$ndk = canonpath($ndk);
my $ndkver = undef;
if (open my $fh, "<$ndk/source.properties") {
local $_;
while(<$fh>) {
if (m|Pkg\.Revision\s*=\s*([0-9]+)|) {
$ndkver = $1;
last;
}
}
close $fh;
}
my ($sysroot, $api, $arch);
$config{target} =~ m|[^-]+-([^-]+)$|; # split on dash
$arch = $1;
if ($arch = "armeabi") {
$arch = "arm";
}
if (-f "$ndk/AndroidVersion.txt") {
$sysroot = "$ndk/sysroot";
} else {
$api = "*";
# see if user passed -D__ANDROID_API__=N
foreach (@{$useradd{CPPDEFINES}}, @{$user{CPPFLAGS}}) {
if (m|__ANDROID_API__=([0-9]+)|) {
$api = $1;
last;
}
}
# list available platforms (numerically)
my @platforms = sort { $a =~ m/-([0-9]+)$/; my $aa = $1;
$b =~ m/-([0-9]+)$/; $aa <=> $1;
} glob("$ndk/platforms/android-$api");
die "no $ndk/platforms/android-$api" if ($#platforms < 0);
$sysroot = "@platforms[$#platforms]/arch-$arch";
$sysroot =~ m|/android-([0-9]+)/arch-$arch|;
$api = $1;
}
die "no sysroot=$sysroot" if (!-d $sysroot);
my $triarch = $triplet{$arch};
my $cflags;
my $cppflags;
# see if there is NDK clang on $PATH, "universal" or "standalone"
if (which("clang") =~ m|^$ndk/.*/prebuilt/([^/]+)/|) {
my $host=$1;
# harmonize with gcc default
my $arm = $ndkver > 16 ? "armv7a" : "armv5te";
(my $tridefault = $triarch) =~ s/^arm-/$arm-/;
(my $tritools = $triarch) =~ s/(?:x|i6)86(_64)?-.*/x86$1/;
$cflags .= " -target $tridefault ";
$user{CC} = "clang" if ($user{CC} !~ m|clang|);
$user{CROSS_COMPILE} = undef;
if (which("llvm-ar") =~ m|^$ndk/.*/prebuilt/([^/]+)/|) {
$user{AR} = "llvm-ar";
$user{ARFLAGS} = [ "rs" ];
$user{RANLIB} = ":";
}
} elsif (-f "$ndk/AndroidVersion.txt") { #"standalone toolchain"
my $cc = $user{CC} // "clang";
# One can probably argue that both clang and gcc should be
# probed, but support for "standalone toolchain" was added
# *after* announcement that gcc is being phased out, so
# favouring clang is considered adequate. Those who insist
# have option to enforce test for gcc with CC=gcc.
if (which("$triarch-$cc") !~ m|^$ndk|) {
die "no NDK $triarch-$cc on \$PATH";
}
$user{CC} = $cc;
$user{CROSS_COMPILE} = "$triarch-";
} elsif ($user{CC} eq "clang") {
die "no NDK clang on \$PATH";
} else {
if (which("$triarch-gcc") !~ m|^$ndk/.*/prebuilt/([^/]+)/|) {
die "no NDK $triarch-gcc on \$PATH";
}
$cflags .= " -mandroid";
$user{CROSS_COMPILE} = "$triarch-";
}
if (!-d "$sysroot/usr/include") {
my $incroot = "$ndk/sysroot/usr/include";
die "no $incroot" if (!-d $incroot);
die "no $incroot/$triarch" if (!-d "$incroot/$triarch");
$incroot =~ s|^$ndk/||;
$cppflags = "-D__ANDROID_API__=$api";
}
$sysroot =~ s|^$ndk/||;
$android_ndk = {
cppflags => $cppflags,
bn_ops => $arch =~ m/64$/ ? "SIXTY_FOUR_BIT_LONG"
: "BN_LLONG",
};
}
return $android_ndk;
}
}
# Heavily hacked 15-android.conf based on OpenSSL's config file of the same name.
# This 15-android.conf avoids compiler errors using NDK-r20. This 15-android.conf
# requires an environment set (sourced) using setenv-android.sh.
my %targets = (
"android" => {
inherit_from => [ "linux-generic32" ],
template => 1,
cflags => add(sub { android_ndk()->{cflags} }),
cppflags => add(sub { android_ndk()->{cppflags} }),
cxxflags => add(sub { android_ndk()->{cflags} }),
bn_ops => sub { android_ndk()->{bn_ops} },
bin_cflags => "-fPIE",
bin_lflags => "-pie",
bin_cflags => add("-fPIE"),
bin_lflags => add("-pie"),
enable => [ ],
},
"android-arm" => {
inherit_from => [ "android", asm("armv4_asm") ],
bn_ops => add("RC4_CHAR"),
bn_ops => [ "BN_LLONG", "RC4_CHAR" ],
},
"android-arm64" => {
inherit_from => [ "android", asm("aarch64_asm") ],
bn_ops => add("RC4_CHAR"),
bn_ops => [ "SIXTY_FOUR_BIT_LONG", "RC4_CHAR" ],
perlasm_scheme => "linux64",
},
"android-x86" => {
inherit_from => [ "android", asm("x86_asm") ],
CFLAGS => add(picker(release => "-fomit-frame-pointer")),
bn_ops => add("RC4_INT"),
cflags => add(picker(release => "-fomit-frame-pointer")),
bn_ops => [ "BN_LLONG", "RC4_INT" ],
perlasm_scheme => "android",
},
"android-x86_64" => {
inherit_from => [ "android", asm("x86_64_asm") ],
bn_ops => add("RC4_INT"),
bn_ops => [ "SIXTY_FOUR_BIT_LONG", "RC4_INT" ],
perlasm_scheme => "elf",
},
);
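Review bot: the header comment says the environment "requires an environment set (sourced) using setenv-android.sh", but the script in this commit is `contrib/android/setenv_android.sh` (underscore); fix the name. Record which OpenSSL release this copy of `15-android.conf` was taken from, so the next OpenSSL bump can be diffed against upstream instead of re-hacked. With the NDK probing gone, nothing here fails early when the environment was not sourced: the old file had `die "\$ANDROID_NDK_ROOT is not defined"`, and keeping a one-line `die` on an unset ANDROID_NDK_ROOT would preserve that clear error rather than a late "compiler cannot create executables".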

@ -1,16 +1,43 @@
#!/usr/bin/env bash
# Error checking
# ====================================================================
# Sets the cross compile environment for Android
#
# Based upon OpenSSL's setenv-android.sh by TH, JW, and SM.
# Heavily modified by JWW for Crypto++.
# Updated by Skycoder42 for current recommendations for Android.
# Modified by JWW for Unbound.
# ====================================================================
#########################################
##### Some validation #####
#########################################
if [ -z "$ANDROID_API" ]; then
echo "ANDROID_API is not set. Please set it"
[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
fi
if [ -z "$ANDROID_CPU" ]; then
echo "ANDROID_CPU is not set. Please set it"
[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
fi
if [ ! -d "$ANDROID_NDK_ROOT" ]; then
echo "ERROR: ANDROID_NDK_ROOT is not a valid path. Please set it."
echo "NDK root is $ANDROID_NDK_ROOT"
[ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
fi
# cryptest-android.sh may run this script without sourcing.
if [ "$0" = "${BASH_SOURCE[0]}" ]; then
echo "setenv-android.sh is usually sourced, but not this time."
fi
#####################################################################
# Need to set THIS_HOST to darwin-x86_64, linux-x86_64,
# windows-x86_64 or windows.
# windows, or windows-x86_64
if [[ "$(uname -s | grep -i -c darwin)" -ne 0 ]]; then
THIS_HOST=darwin-x86_64
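Review bot: the two messages at the end of the validation block are leftovers from the Crypto++ original: "cryptest-android.sh may run this script without sourcing" and "setenv-android.sh is usually sourced" name files that do not exist in this tree; change them to `setenv_android.sh` and drop the cryptest reference. ANDROID_API is only checked for being non-empty, yet it is spliced into the compiler name (`armv7a-linux-androideabi$ANDROID_API-clang`); a quick integer test here gives a clear error instead of the later "Failed to find Android clang".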
@ -21,38 +48,30 @@ else
[ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
fi
AOSP_TOOLCHAIN_ROOT="$ANDROID_NDK_ROOT/toolchains/llvm/prebuilt/$THIS_HOST"
AOSP_TOOLCHAIN_PATH="$AOSP_TOOLCHAIN_ROOT/bin"
AOSP_SYSROOT="$AOSP_TOOLCHAIN_ROOT/sysroot"
ANDROID_TOOLCHAIN="$ANDROID_NDK_ROOT/toolchains/llvm/prebuilt/$THIS_HOST/bin"
ANDROID_SYSROOT="$ANDROID_NDK_ROOT/toolchains/llvm/prebuilt/$THIS_HOST/sysroot"
# Error checking
if [ ! -d "$AOSP_TOOLCHAIN_ROOT" ]; then
echo "ERROR: AOSP_TOOLCHAIN_ROOT is not a valid path. Please set it."
echo "Root is $AOSP_TOOLCHAIN_ROOT"
if [ ! -d "$ANDROID_TOOLCHAIN" ]; then
echo "ERROR: ANDROID_TOOLCHAIN is not a valid path. Please set it."
echo "Path is $ANDROID_TOOLCHAIN"
[ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
fi
# Error checking
if [ ! -d "$AOSP_TOOLCHAIN_PATH" ]; then
echo "ERROR: AOSP_TOOLCHAIN_PATH is not a valid path. Please set it."
echo "Path is $AOSP_TOOLCHAIN_PATH"
[ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
fi
# Error checking
if [ ! -d "$AOSP_SYSROOT" ]; then
echo "ERROR: AOSP_SYSROOT is not a valid path. Please set it."
echo "Path is $AOSP_SYSROOT"
if [ ! -d "$ANDROID_SYSROOT" ]; then
echo "ERROR: ANDROID_SYSROOT is not a valid path. Please set it."
echo "Path is $ANDROID_SYSROOT"
[ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
fi
#####################################################################
AOSP_CPU=$(tr '[:upper:]' '[:lower:]' <<< "$ANDROID_CPU")
THE_ARCH=$(tr '[:upper:]' '[:lower:]' <<< "$ANDROID_CPU")
# https://developer.android.com/ndk/guides/abis.html
case "$AOSP_CPU" in
armeabi|armv7a|armv7-a|armeabi-v7a)
case "$THE_ARCH" in
armv7*|armeabi*)
CC="armv7a-linux-androideabi$ANDROID_API-clang"
CXX="armv7a-linux-androideabi$ANDROID_API-clang++"
LD="arm-linux-androideabi-ld"
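Review bot: "ANDROID_TOOLCHAIN is not a valid path. Please set it." (and the same for ANDROID_SYSROOT) tells the user to set a variable this script derives from ANDROID_NDK_ROOT and THIS_HOST; say instead that `$ANDROID_NDK_ROOT` has no `toolchains/llvm/prebuilt/$THIS_HOST`, which means an NDK older than r19 or one built for another host OS. The new globs (`armv7*|armeabi*`, `armv8*|aarch64|arm64*`) are broader than the old explicit lists and accept any string with that prefix, e.g. a hypothetical `armv7abc`; acceptable, but note in the comment that matching is prefix-based.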
@ -65,7 +84,7 @@ case "$AOSP_CPU" in
CXXFLAGS="-march=armv7-a -mthumb -mfloat-abi=softfp -funwind-tables -fexceptions -frtti"
;;
armv8|armv8a|aarch64|arm64|arm64-v8a)
armv8*|aarch64|arm64*)
CC="aarch64-linux-android$ANDROID_API-clang"
CXX="aarch64-linux-android$ANDROID_API-clang++"
LD="aarch64-linux-android-ld"
@ -108,66 +127,67 @@ case "$AOSP_CPU" in
echo "ERROR: Unknown architecture $ANDROID_CPU"
[ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
;;
esac
#####################################################################
# Error checking
if [ ! -e "$AOSP_TOOLCHAIN_PATH/$CC" ]; then
if [ ! -e "$ANDROID_TOOLCHAIN/$CC" ]; then
echo "ERROR: Failed to find Android clang. Please edit this script."
[ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
fi
# Error checking
if [ ! -e "$AOSP_TOOLCHAIN_PATH/$CXX" ]; then
if [ ! -e "$ANDROID_TOOLCHAIN/$CXX" ]; then
echo "ERROR: Failed to find Android clang++. Please edit this script."
[ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
fi
# Error checking
if [ ! -e "$AOSP_TOOLCHAIN_PATH/$RANLIB" ]; then
if [ ! -e "$ANDROID_TOOLCHAIN/$RANLIB" ]; then
echo "ERROR: Failed to find Android ranlib. Please edit this script."
[ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
fi
# Error checking
if [ ! -e "$AOSP_TOOLCHAIN_PATH/$AR" ]; then
if [ ! -e "$ANDROID_TOOLCHAIN/$AR" ]; then
echo "ERROR: Failed to find Android ar. Please edit this script."
[ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
fi
# Error checking
if [ ! -e "$AOSP_TOOLCHAIN_PATH/$AS" ]; then
if [ ! -e "$ANDROID_TOOLCHAIN/$AS" ]; then
echo "ERROR: Failed to find Android as. Please edit this script."
[ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
fi
# Error checking
if [ ! -e "$AOSP_TOOLCHAIN_PATH/$LD" ]; then
if [ ! -e "$ANDROID_TOOLCHAIN/$LD" ]; then
echo "ERROR: Failed to find Android ld. Please edit this script."
[ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
fi
#####################################################################
LENGTH=${#AOSP_TOOLCHAIN_PATH}
LENGTH=${#ANDROID_TOOLCHAIN}
SUBSTR=${PATH:0:$LENGTH}
if [ "$SUBSTR" != "$AOSP_TOOLCHAIN_PATH" ]; then
export PATH="$AOSP_TOOLCHAIN_PATH:$PATH"
if [ "$SUBSTR" != "$ANDROID_TOOLCHAIN" ]; then
export PATH="$ANDROID_TOOLCHAIN:$PATH"
fi
#####################################################################
export CPP CC CXX LD AS AR RANLIB STRIP
export ANDROID_SYSROOT="$AOSP_SYSROOT"
export CFLAGS="-D__ANDROID_API__=$ANDROID_API $CFLAGS --sysroot=$AOSP_SYSROOT"
export CXXFLAGS="-D__ANDROID_API__=$ANDROID_API $CXXFLAGS --sysroot=$AOSP_SYSROOT"
export CPPFLAGS="-D__ANDROID_API__=$ANDROID_API"
export CFLAGS="$CFLAGS --sysroot=$AOSP_SYSROOT"
export CXXFLAGS="$CXXFLAGS -stdlib=libc++ --sysroot=$AOSP_SYSROOT"
#####################################################################
echo "AOSP_TOOLCHAIN_PATH: $AOSP_TOOLCHAIN_PATH"
echo "ANDROID_TOOLCHAIN: $ANDROID_TOOLCHAIN"
echo "CPP: $(command -v "$CPP")"
echo "CC: $(command -v "$CC")"
echo "CXX: $(command -v "$CXX")"
echo "LD: $(command -v "$LD")"
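Review bot: `export ANDROID_SYSROOT="$AOSP_SYSROOT"` is dropped in this hunk, but the replacement `ANDROID_SYSROOT=...` assignment near the top of the script has no `export`, so the variable stays shell-local and configure or the OpenSSL and Expat builds run afterwards cannot read it. Add ANDROID_SYSROOT to `export CPP CC CXX LD AS AR RANLIB STRIP` or export it where it is assigned; the echo block below prints it either way, so the omission is easy to miss.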
@ -176,6 +196,7 @@ echo "AR: $(command -v "$AR")"
echo "ANDROID_SYSROOT: $ANDROID_SYSROOT"
echo "CPPFLAGS: $CPPFLAGS"
echo "CFLAGS: $CFLAGS"
echo "CXXFLAGS: $CXXFLAGS"

View file

@ -4,4 +4,5 @@
echo "Updating tools"
brew update 1>/dev/null
echo "Installing tools"
brew install autoconf automake libtool pkg-config curl perl 1>/dev/null
# already installed are: autoconf automake libtool pkg-config
brew install curl perl 1>/dev/null

View file

@ -329,7 +329,8 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
/* open fd */
fd = create_tcp_accept_sock(res, 1, &noproto, 0,
cfg->ip_transparent, 0, 0, cfg->ip_freebind, cfg->use_systemd);
cfg->ip_transparent, 0, 0, cfg->ip_freebind,
cfg->use_systemd, cfg->ip_dscp);
freeaddrinfo(res);
}
@ -1124,6 +1125,10 @@ parse_arg_name(RES* ssl, char* str, uint8_t** res, size_t* len, int* labs)
*res = NULL;
*len = 0;
*labs = 0;
if(str[0] == '\0') {
ssl_printf(ssl, "error: this option requires a domain name\n");
return 0;
}
status = sldns_str2wire_dname_buf(str, nm, &nmlen);
if(status != 0) {
ssl_printf(ssl, "error cannot parse name %s at %d: %s\n", str,

View file

@ -1809,14 +1809,14 @@ worker_init(struct worker* worker, struct config_file *cfg,
worker->back = outside_network_create(worker->base,
cfg->msg_buffer_size, (size_t)cfg->outgoing_num_ports,
cfg->out_ifs, cfg->num_out_ifs, cfg->do_ip4, cfg->do_ip6,
cfg->do_tcp?cfg->outgoing_num_tcp:0,
cfg->do_tcp?cfg->outgoing_num_tcp:0, cfg->ip_dscp,
worker->daemon->env->infra_cache, worker->rndstate,
cfg->use_caps_bits_for_id, worker->ports, worker->numports,
cfg->unwanted_threshold, cfg->outgoing_tcp_mss,
&worker_alloc_cleanup, worker,
cfg->do_udp || cfg->udp_upstream_without_downstream,
worker->daemon->connect_sslctx, cfg->delay_close,
dtenv);
cfg->tls_use_sni, dtenv);
if(!worker->back) {
log_err("could not create outgoing sockets");
worker_delete(worker);

View file

@ -351,6 +351,7 @@ int dt_io_thread_apply_cfg(struct dt_io_thread* dtio, struct config_file *cfg)
log_err("could not setup SSL CTX");
return 0;
}
dtio->tls_use_sni = cfg->tls_use_sni;
#endif /* HAVE_SSL */
}
return 1;
@ -1661,7 +1662,8 @@ static int dtio_setup_ssl(struct dt_io_thread* dtio)
dtio->ssl_handshake_done = 0;
dtio->ssl_brief_read = 0;
if(!set_auth_name_on_ssl(dtio->ssl, dtio->tls_server_name)) {
if(!set_auth_name_on_ssl(dtio->ssl, dtio->tls_server_name,
dtio->tls_use_sni)) {
return 0;
}
return 1;

View file

@ -109,6 +109,8 @@ struct dt_io_thread {
int started;
/** ssl context for the io thread, for tls connections. type SSL_CTX* */
void* ssl_ctx;
/** if SNI will be used for TLS connections. */
int tls_use_sni;
/** file descriptor that the thread writes to */
int fd;

View file

@ -1,3 +1,80 @@
22 April 2020: George
- Explicitly use 'rrset-roundrobin: no' for test cases.
21 April 2020: Wouter
- Merge #225 from akhait: KSK-2010 has been revoked. It removes the
KSK-2010 from the default list in unbound-anchor, now that the
revocation period is over. KSK-2017 is the only trust anchor in
the shipped default now.
21 April 2020: George
- Change default value for 'rrset-roundrobin' to yes.
- Fix tests for new rrset-roundrobin default.
20 April 2020: Wouter
- Fix #222: --enable-rpath, fails to rpath python lib.
- Fix for count of reply states in the mesh.
- Remove unneeded was_mesh_reply check.
17 April 2020: George
- Add SNI support on more TLS connections (fixes #193).
- Add SNI support to unbound-anchor.
16 April 2020: George
- Add doxygen documentation for DSCP.
16 April 2020: Wouter
- Fix help return code in unbound-control-setup script.
- Fix for posix shell syntax for trap in nsd-control-setup.
- Fix for posix shell syntax for trap in run_msg.sh test script.
15 April 2020: George
- Fix #220: auth-zone section in config may lead to segfault.
7 April 2020: Wouter
- Merge PR #214 from gearnode: unbound-control-setup recreate
certificates. With the -r option the certificates are created
again, without it, only the files that do not exist are created.
6 April 2020: Ralph
- Keep track of number of timeouts. Use this counter to determine if
capsforid fallback should be started.
6 April 2020: George
- More documentation for redis-expire-records option.
1 April 2020: George
- Merge PR #206: Redis TTL, by Talkabout.
30 March 2020: Wouter
- Merge PR #207: Clarify if-automatic listens on 0.0.0.0 and ::
- Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful
transports.
27 March 2020: Wouter
- Merge PR #203 from noloader: Update README-Travis.md with current
procedures.
27 March 2020: Ralph
- Make unbound-control error returned on missing domain name more user
friendly.
26 March 2020: Ralph
- Fix RPZ concurrency issue when using auth_zone_reload.
25 March 2020: George
- Merge PR #201 from noloader: Fix OpenSSL cross-compaile warnings.
- Fix on #201.
24 March 2020: Wouter
- Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP
tag for outgoing packets.
- Fixes on #200.
- Travis fix for ios by omitting tools from install.
23 March 2020: Wouter
- Fix compile on Solaris for unbound-checkconf.
20 March 2020: George
- Merge PR #198 from fobser: Declare lz_enter_rr_into_zone() static, it's
only used in this file.
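Review bot: typo in the 25 March 2020 entry, `cross-compaile` should read `cross-compile`.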

View file

@ -119,6 +119,11 @@ server:
# Linux only. On Linux you also have ip-transparent that is similar.
# ip-freebind: no
# the value of the Differentiated Services Codepoint (DSCP)
# in the differentiated services field (DS) of the outgoing
# IP packets
# ip-dscp: 0
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
# edns-buffer-size: 4096
@ -468,7 +473,7 @@ server:
# deny-any: no
# if yes, Unbound rotates RRSet order in response.
# rrset-roundrobin: no
# rrset-roundrobin: yes
# if yes, Unbound doesn't insert authority/additional sections
# into response messages when those sections are not required.
@ -743,6 +748,10 @@ server:
# cipher setting for TLSv1.3
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
# Use the SNI extension for TLS connections. Default is yes.
# Changing the value requires a reload.
# tls-use-sni: yes
# Add the secret file for TLS Session Ticket.
# Secret file must be 80 bytes of random data.
# First key use to encrypt and decrypt TLS session tickets.
@ -1010,10 +1019,12 @@ remote-control:
# redis-server-port: 6379
# # timeout (in ms) for communication with the redis server
# redis-timeout: 100
# # set timeout on redis records based on DNS response TTL
# redis-expire-records: no
# IPSet
# Add specify domain into set via ipset.
# Note: To enable ipset needs run unbound as root user.
# Note: To enable ipset unbound needs to run as root user.
# ipset:
# # set name for ip v4 addresses
# name-v4: "list-v4"

View file

@ -69,6 +69,9 @@ The server name, it connects to https://name. Specify without https:// prefix.
The default is "data.iana.org". It connects to the port specified with \-P.
You can pass an IPv4 address or IPv6 address (no brackets) if you want.
.TP
.B \-S
Do not use SNI for the HTTPS connection. Default is to use SNI.
.TP
.B \-b \fIaddress
The source address to bind to for domain resolution and contacting the server
on https. May be either an IPv4 address or IPv6 address (no brackets).

View file

@ -126,9 +126,12 @@ interface and port number), if not specified the default port (from
Same as interface: (for ease of compatibility with nsd.conf).
.TP
.B interface\-automatic: \fI<yes or no>
Detect source interface on UDP queries and copy them to replies. This
feature is experimental, and needs support in your OS for particular socket
options. Default value is no.
Listen on all addresses on all (current and future) interfaces, detect the
source interface on UDP queries and copy them to replies. This is a lot like
ip\-transparent, but this option services all interfaces whilst with
ip\-transparent you can select which (future) interfaces unbound provides
service on. This feature is experimental, and needs support in your OS for
particular socket options. Default value is no.
.TP
.B outgoing\-interface: \fI<ip address or ip6 netblock>
Interface to use to connect to the network. This interface is used to send
@ -323,6 +326,12 @@ IP addresses that are nonlocal or do not exist, like when the network
interface or IP address is down. Exists only on Linux, where the similar
ip\-transparent option is also available.
.TP
.B ip-dscp: \fI<number>
The value of the Differentiated Services Codepoint (DSCP) in the
differentiated services field (DS) of the outgoing IP packet headers.
The field replaces the outdated IPv4 Type-Of-Service field and the
IPV6 traffic class field.
.TP
.B rrset\-cache\-size: \fI<number>
Number of bytes size of the RRset cache. Default is 4 megabytes.
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
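Review bot: the new ip-dscp entry documents neither the default nor the accepted range. set_ip_dscp in listen_dnsport.c shifts the value two bits left into the DS field and does nothing when it is 0, so state that the value is a 6-bit codepoint from 0 to 63 and that the default 0 leaves the system setting untouched. Also `IPV6` should be `IPv6` to match the rest of the page.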
@ -542,6 +551,11 @@ and that is the default.
Set the list of ciphersuites to allow when serving TLS. This is for newer
TLS 1.3 connections. Use "" for defaults, and that is the default.
.TP
.B tls\-use\-sni: \fI<yes or no>
Enable or disable sending the SNI extension on TLS connections.
Default is yes.
Changing the value requires a reload.
.TP
.B use\-systemd: \fI<yes or no>
Enable or disable systemd socket activation.
Default is no.
@ -923,7 +937,7 @@ are none.
.TP
.B rrset\-roundrobin: \fI<yes or no>
If yes, Unbound rotates RRSet order in response (the random number is taken
from the query ID, for speed and thread safety). Default is no.
from the query ID, for speed and thread safety). Default is yes.
.TP
.B minimal-responses: \fI<yes or no>
If yes, Unbound doesn't insert authority/additional sections into response
@ -2072,6 +2086,11 @@ even if some data have expired in terms of DNS TTL or the Redis server has
cached too much data;
if necessary the Redis server must be configured to limit the cache size,
preferably with some kind of least-recently-used eviction policy.
Additionaly, the \fBredis\-expire\-records\fR option can be used in order to
set the relative DNS TTL of the message as timeout to the Redis records; keep
in mind that some additional memory is used per key and that the expire
information is stored as absolute Unix timestamps in Redis (computer time must
be stable).
This backend uses synchronous communication with the Redis server
based on the assumption that the communication is stable and sufficiently
fast.
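Review bot: typo, `Additionaly` should read `Additionally`.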
@ -2126,6 +2145,14 @@ If this timeout expires Unbound closes the connection, treats it as
if the Redis server does not have the requested data, and will try to
re-establish a new connection later.
This option defaults to 100 milliseconds.
.TP
.B redis-expire-records: \fI<yes or no>
If Redis record expiration is enabled. If yes, unbound sets timeout for Redis
records so that Redis can evict keys that have expired automatically. If
unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
this option is internally reverted to "no". Redis SETEX support is required
for this option (Redis >= 2.0.0).
This option defaults to no.
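Review bot: the opening sentence `If Redis record expiration is enabled.` is a fragment; start with "Enable Redis record expiration." and keep the rest. It would also help to say why the option is forced to no when serve-expired is on with serve-expired-ttl 0: presumably because Redis would then evict records that Unbound still intends to serve past their TTL.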
.SS DNSTAP Logging Options
DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section.
This starts an extra thread (when compiled with threading) that writes

View file

@ -159,7 +159,7 @@ iter_new(struct module_qstate* qstate, int id)
iq->qchase = qstate->qinfo;
outbound_list_init(&iq->outlist);
iq->minimise_count = 0;
iq->minimise_timeout_count = 0;
iq->timeout_count = 0;
if (qstate->env->cfg->qname_minimisation)
iq->minimisation_state = INIT_MINIMISE_STATE;
else
@ -2190,7 +2190,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->qinfo_out.qname = iq->qchase.qname;
iq->qinfo_out.qname_len = iq->qchase.qname_len;
iq->minimise_count++;
iq->minimise_timeout_count = 0;
iq->timeout_count = 0;
iter_dec_attempts(iq->dp, 1);
@ -2249,7 +2249,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
}
}
if(iq->minimisation_state == SKIP_MINIMISE_STATE) {
if(iq->minimise_timeout_count < MAX_MINIMISE_TIMEOUT_COUNT)
if(iq->timeout_count < MAX_MINIMISE_TIMEOUT_COUNT)
/* Do not increment qname, continue incrementing next
* iteration */
iq->minimisation_state = MINIMISE_STATE;
@ -2586,14 +2586,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
if(iq->response == NULL) {
/* Don't increment qname when QNAME minimisation is enabled */
if(qstate->env->cfg->qname_minimisation) {
iq->minimise_timeout_count++;
iq->minimisation_state = SKIP_MINIMISE_STATE;
}
iq->timeout_count++;
iq->chase_to_rd = 0;
iq->dnssec_lame_query = 0;
verbose(VERB_ALGO, "query response was timeout");
return next_state(iq, QUERYTARGETS_STATE);
}
iq->timeout_count = 0;
type = response_type_from_server(
(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
iq->response, &iq->qinfo_out, iq->dp);
@ -3599,7 +3600,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
iq->response = NULL;
iq->state = QUERY_RESP_STATE;
if(event == module_event_noreply || event == module_event_error) {
if(event == module_event_noreply && iq->sent_count >= 3 &&
if(event == module_event_noreply && iq->timeout_count >= 3 &&
qstate->env->cfg->use_caps_bits_for_id &&
!iq->caps_fallback && !is_caps_whitelisted(ie, iq)) {
/* start fallback */
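Review bot: changing the capsforid trigger from `iq->sent_count >= 3` to `iq->timeout_count >= 3` changes its meaning: sent_count counted every query sent, while timeout_count is reset to 0 on any non-timeout response and whenever QNAME minimisation advances a label (`iq->timeout_count = 0;` in processQueryTargets), so fallback now requires three consecutive timeouts within one minimisation step. That matches the Changelog entry ("Use this counter to determine if capsforid fallback should be started"), but the condition deserves a comment saying so, since the old threshold was reached far more easily.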

View file

@ -388,8 +388,9 @@ struct iter_qstate {
/**
* Count number of time-outs. Used to prevent resolving failures when
* the QNAME minimisation QTYPE is blocked. */
int minimise_timeout_count;
* the QNAME minimisation QTYPE is blocked. Used to determine if
* capsforid fallback should be started.*/
int timeout_count;
/** True if the current response is from auth_zone */
int auth_zone_response;
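Review bot: the updated comment should say the field counts consecutive time-outs, since iterator.c now resets it to 0 on every non-timeout response; also add a space before `*/` in `started.*/`.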

View file

@ -233,12 +233,12 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
w->back = outside_network_create(w->base, cfg->msg_buffer_size,
(size_t)cfg->outgoing_num_ports, cfg->out_ifs,
cfg->num_out_ifs, cfg->do_ip4, cfg->do_ip6,
cfg->do_tcp?cfg->outgoing_num_tcp:0,
cfg->do_tcp?cfg->outgoing_num_tcp:0, cfg->ip_dscp,
w->env->infra_cache, w->env->rnd, cfg->use_caps_bits_for_id,
ports, numports, cfg->unwanted_threshold,
cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w,
cfg->do_udp || cfg->udp_upstream_without_downstream, w->sslctx,
cfg->delay_close, NULL);
cfg->delay_close, cfg->tls_use_sni, NULL);
w->env->outnet = w->back;
if(!w->is_bg || w->is_bg_thread) {
lock_basic_unlock(&ctx->cfglock);

View file

@ -914,6 +914,7 @@ respip_rewrite_reply(const struct query_info* qinfo,
int ret = 1;
struct ub_packed_rrset_key* redirect_rrset = NULL;
struct rpz* r;
struct auth_zone* a;
struct ub_packed_rrset_key* data = NULL;
int rpz_used = 0;
int rpz_log = 0;
@ -955,6 +956,10 @@ respip_rewrite_reply(const struct query_info* qinfo,
}
if(!raddr && !view->isfirst)
goto done;
if(!raddr && view->isfirst) {
lock_rw_unlock(&view->lock);
view = NULL;
}
}
if(!raddr && (raddr = respip_addr_lookup(rep, ipset,
&rrset_id))) {
@ -965,7 +970,9 @@ respip_rewrite_reply(const struct query_info* qinfo,
ipset->tagname, ipset->num_tags);
}
lock_rw_rdlock(&az->rpz_lock);
for(r = az->rpz_first; r && !raddr; r = r->next) {
for(a = az->rpz_first; a && !raddr; a = a->rpz_az_next) {
lock_rw_rdlock(&a->lock);
r = a->rpz;
if(!r->taglist || taglist_intersect(r->taglist,
r->taglistlen, ctaglist, ctaglen)) {
if((raddr = respip_addr_lookup(rep,
@ -975,16 +982,21 @@ respip_rewrite_reply(const struct query_info* qinfo,
region, &rpz_used)) {
log_err("out of memory");
lock_rw_unlock(&raddr->lock);
lock_rw_unlock(&a->lock);
lock_rw_unlock(&az->rpz_lock);
return 0;
}
if(!rpz_used) {
lock_rw_unlock(&raddr->lock);
raddr = NULL;
actinfo->rpz_disabled++;
if(rpz_used) {
/* break to make sure 'a' stays pointed
* to used auth_zone, and keeps lock */
break;
}
lock_rw_unlock(&raddr->lock);
raddr = NULL;
actinfo->rpz_disabled++;
}
}
}
lock_rw_unlock(&a->lock);
}
lock_rw_unlock(&az->rpz_lock);
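Review bot: `r = a->rpz;` is dereferenced on the next line (`r->taglist`) without a NULL check. auth_zone_delete only unlinks a zone from the rpz list when `z->rpz` is set, so if any path can clear `z->rpz` while the zone is still linked (for example during a reload), this loop crashes; either guard with `if(!r) { lock_rw_unlock(&a->lock); continue; }` or document the invariant that a linked zone always carries rpz data. A short comment at the `break` explaining that a->lock is deliberately held past the release of az->rpz_lock until the unlock at the end of the function would also help.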
if(raddr && !search_only) {
@ -1038,6 +1050,9 @@ respip_rewrite_reply(const struct query_info* qinfo,
if(raddr) {
lock_rw_unlock(&raddr->lock);
}
if(rpz_used) {
lock_rw_unlock(&a->lock);
}
return ret;
}

View file

@ -392,12 +392,12 @@ auth_zone_delete(struct auth_zone* z, struct auth_zones* az)
if(az && z->rpz) {
/* keep RPZ linked list intact */
lock_rw_wrlock(&az->rpz_lock);
if(z->rpz->prev)
z->rpz->prev->next = z->rpz->next;
if(z->rpz_az_prev)
z->rpz_az_prev->rpz_az_next = z->rpz_az_next;
else
az->rpz_first = z->rpz->next;
if(z->rpz->next)
z->rpz->next->prev = z->rpz->prev;
az->rpz_first = z->rpz_az_next;
if(z->rpz_az_next)
z->rpz_az_next->rpz_az_prev = z->rpz_az_prev;
lock_rw_unlock(&az->rpz_lock);
}
if(z->rpz)
@ -426,9 +426,11 @@ auth_zone_create(struct auth_zones* az, uint8_t* nm, size_t nmlen,
}
rbtree_init(&z->data, &auth_data_cmp);
lock_rw_init(&z->lock);
lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type));
lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type)-
sizeof(&z->rpz_az_next)-sizeof(&z->rpz_az_prev));
lock_rw_wrlock(&z->lock);
/* z lock protects all, except rbtree itself, which is az->lock */
/* z lock protects all, except rbtree itself and the rpz linked list
* pointers, which are protected using az->lock */
if(!rbtree_insert(&az->ztree, &z->node)) {
lock_rw_unlock(&z->lock);
auth_zone_delete(z, NULL);
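Review bot: `sizeof(&z->rpz_az_next)` is the size of a pointer to the member, not of the member itself; it only yields the right number because both happen to be pointer-sized. Use `sizeof(z->rpz_az_next)`, or better `offsetof(struct auth_zone, rpz_az_next) - offsetof(struct auth_zone, name)`, which does not silently break if the two rpz fields ever stop being the last members, a requirement the header comment now states in prose only.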
@ -1897,11 +1899,12 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
fatal_exit("Could not setup RPZ zones");
return 0;
}
lock_protect(&z->lock, &z->rpz->local_zones, sizeof(*z->rpz));
lock_rw_wrlock(&az->rpz_lock);
z->rpz->next = az->rpz_first;
z->rpz_az_next = az->rpz_first;
if(az->rpz_first)
az->rpz_first->prev = z->rpz;
az->rpz_first = z->rpz;
az->rpz_first->rpz_az_prev = z;
az->rpz_first = z;
lock_rw_unlock(&az->rpz_lock);
}
@ -5331,7 +5334,7 @@ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
if(env->outnet->want_to_quit) {
if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
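Review bot: the added `!env ||` guard is repeated identically in eight callbacks in this file with nothing saying when `task_transfer->env` or `task_probe->env` can be NULL; add a comment at this first occurrence (the Changelog ties it to the auth_zone_reload RPZ concurrency fix) so the next reader does not remove it as dead code, or factor the lock-check-unlock prologue into a small helper.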
@ -5770,7 +5773,7 @@ auth_xfer_transfer_timer_callback(void* arg)
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
if(env->outnet->want_to_quit) {
if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
@ -5812,7 +5815,7 @@ auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err,
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
if(env->outnet->want_to_quit) {
if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return 0; /* stop on quit */
}
@ -5893,7 +5896,7 @@ auth_xfer_transfer_http_callback(struct comm_point* c, void* arg, int err,
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
if(env->outnet->want_to_quit) {
if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return 0; /* stop on quit */
}
@ -6107,7 +6110,7 @@ auth_xfer_probe_timer_callback(void* arg)
log_assert(xfr->task_probe);
lock_basic_lock(&xfr->lock);
env = xfr->task_probe->env;
if(env->outnet->want_to_quit) {
if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
@ -6143,7 +6146,7 @@ auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err,
log_assert(xfr->task_probe);
lock_basic_lock(&xfr->lock);
env = xfr->task_probe->env;
if(env->outnet->want_to_quit) {
if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return 0; /* stop on quit */
}
@ -6388,7 +6391,7 @@ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
log_assert(xfr->task_probe);
lock_basic_lock(&xfr->lock);
env = xfr->task_probe->env;
if(env->outnet->want_to_quit) {
if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
@ -6465,7 +6468,7 @@ auth_xfer_timer(void* arg)
log_assert(xfr->task_nextprobe);
lock_basic_lock(&xfr->lock);
env = xfr->task_nextprobe->env;
if(env->outnet->want_to_quit) {
if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}

View file

@ -82,8 +82,8 @@ struct auth_zones {
size_t num_query_up;
/** number of queries downstream */
size_t num_query_down;
/** first rpz item in linked list */
struct rpz* rpz_first;
/** first auth zone containing rpz item in linked list */
struct auth_zone* rpz_first;
/** rw lock for rpz linked list, needed when iterating or editing linked
* list. */
lock_rw_type rpz_lock;
@ -138,6 +138,11 @@ struct auth_zone {
int zone_deleted;
/** deletelist pointer, unused normally except during delete */
struct auth_zone* delete_next;
/* not protected by auth_zone lock, must be last items in struct */
/** next auth zone containing RPZ data, or NULL */
struct auth_zone* rpz_az_next;
/** previous auth zone containing RPZ data, or NULL */
struct auth_zone* rpz_az_prev;
};
/**

View file

@ -180,9 +180,10 @@ int
create_udp_sock(int family, int socktype, struct sockaddr* addr,
socklen_t addrlen, int v6only, int* inuse, int* noproto,
int rcv, int snd, int listen, int* reuseport, int transparent,
int freebind, int use_systemd)
int freebind, int use_systemd, int dscp)
{
int s;
char* err;
#if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_USE_MIN_MTU) || defined(IP_TRANSPARENT) || defined(IP_BINDANY) || defined(IP_FREEBIND) || defined (SO_BINDANY)
int on=1;
#endif
@ -452,6 +453,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
# endif
#endif /* SO_SNDBUF */
}
err = set_ip_dscp(s, family, dscp);
if(err != NULL)
log_warn("error setting IP DiffServ codepoint %d on UDP socket: %s", dscp, err);
if(family == AF_INET6) {
# if defined(IPV6_V6ONLY)
if(v6only) {
@ -640,9 +644,10 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
int
create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
int* reuseport, int transparent, int mss, int nodelay, int freebind,
int use_systemd)
int use_systemd, int dscp)
{
int s;
char* err;
#if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_V6ONLY) || defined(IP_TRANSPARENT) || defined(IP_BINDANY) || defined(IP_FREEBIND) || defined(SO_BINDANY)
int on = 1;
#endif
@ -825,6 +830,9 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
strerror(errno));
}
#endif /* IP_TRANSPARENT || IP_BINDANY || SO_BINDANY */
err = set_ip_dscp(s, addr->ai_family, dscp);
if(err != NULL)
log_warn("error setting IP DiffServ codepoint %d on TCP socket: %s", dscp, err);
if(
#ifdef HAVE_SYSTEMD
!got_fd_from_systemd &&
@ -898,6 +906,55 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
return s;
}
char*
set_ip_dscp(int socket, int addrfamily, int dscp)
{
int ds;
if(dscp == 0)
return NULL;
ds = dscp << 2;
switch(addrfamily) {
case AF_INET6:
if(setsockopt(socket, IPPROTO_IPV6, IPV6_TCLASS, &ds, sizeof(ds)) < 0)
return sock_strerror(errno);
break;
default:
if(setsockopt(socket, IPPROTO_IP, IP_TOS, &ds, sizeof(ds)) < 0)
return sock_strerror(errno);
break;
}
return NULL;
}
# ifndef USE_WINSOCK
char*
sock_strerror(int errn)
{
return strerror(errn);
}
void
sock_close(int socket)
{
close(socket);
}
# else
char*
sock_strerror(int ATTR_UNUSED(errn))
{
return wsa_strerror(WSAGetLastError());
}
void
sock_close(int socket)
{
closesocket(socket);
}
# endif /* USE_WINSOCK */
int
create_local_accept_sock(const char *path, int* noproto, int use_systemd)
{
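Review bot: set_ip_dscp performs no range check: `ds = dscp << 2` with a configured ip-dscp above 63 yields a value above 255, and what happens next is platform-dependent (on Linux IP_TOS keeps only the low byte while IPV6_TCLASS rejects the call), so a misconfiguration is at best a log_warn and at worst silently wrong. Reject values outside 0 to 63 here or in the config parser. Two further points: on an AF_INET6 socket that is not v6only, IPv4 traffic on mapped addresses takes its DS byte from IP_TOS, so setting IPV6_TCLASS alone leaves that traffic unmarked (set both on dual-stack sockets); and sock_close is defined here but the header hunk declares only set_ip_dscp and sock_strerror, so either declare it or make it static.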
@ -985,7 +1042,7 @@ static int
make_sock(int stype, const char* ifname, const char* port,
struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd,
int* reuseport, int transparent, int tcp_mss, int nodelay, int freebind,
int use_systemd)
int use_systemd, int dscp)
{
struct addrinfo *res = NULL;
int r, s, inuse, noproto;
@ -1013,7 +1070,7 @@ make_sock(int stype, const char* ifname, const char* port,
s = create_udp_sock(res->ai_family, res->ai_socktype,
(struct sockaddr*)res->ai_addr, res->ai_addrlen,
v6only, &inuse, &noproto, (int)rcv, (int)snd, 1,
reuseport, transparent, freebind, use_systemd);
reuseport, transparent, freebind, use_systemd, dscp);
if(s == -1 && inuse) {
log_err("bind: address already in use");
} else if(s == -1 && noproto && hints->ai_family == AF_INET6){
@ -1021,7 +1078,8 @@ make_sock(int stype, const char* ifname, const char* port,
}
} else {
s = create_tcp_accept_sock(res, v6only, &noproto, reuseport,
transparent, tcp_mss, nodelay, freebind, use_systemd);
transparent, tcp_mss, nodelay, freebind, use_systemd,
dscp);
if(s == -1 && noproto && hints->ai_family == AF_INET6){
*noip6 = 1;
}
@ -1035,7 +1093,7 @@ static int
make_sock_port(int stype, const char* ifname, const char* port,
struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd,
int* reuseport, int transparent, int tcp_mss, int nodelay, int freebind,
int use_systemd)
int use_systemd, int dscp)
{
char* s = strchr(ifname, '@');
if(s) {
@ -1056,12 +1114,13 @@ make_sock_port(int stype, const char* ifname, const char* port,
newif[s-ifname] = 0;
(void)strlcpy(p, s+1, sizeof(p));
p[strlen(s+1)]=0;
return make_sock(stype, newif, p, hints, v6only, noip6,
rcv, snd, reuseport, transparent, tcp_mss, nodelay,
freebind, use_systemd);
return make_sock(stype, newif, p, hints, v6only, noip6, rcv,
snd, reuseport, transparent, tcp_mss, nodelay, freebind,
use_systemd, dscp);
}
return make_sock(stype, ifname, port, hints, v6only, noip6, rcv, snd,
reuseport, transparent, tcp_mss, nodelay, freebind, use_systemd);
reuseport, transparent, tcp_mss, nodelay, freebind, use_systemd,
dscp);
}
/**
@ -1194,6 +1253,7 @@ if_is_https(const char* ifname, const char* port, int https_port)
* @param freebind: set IP_FREEBIND socket option.
* @param use_systemd: if true, fetch sockets from systemd.
* @param dnscrypt_port: dnscrypt service port number
* @param dscp: DSCP to use.
* @return: returns false on error.
*/
static int
@ -1202,7 +1262,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
size_t rcv, size_t snd, int ssl_port,
struct config_strlist* tls_additional_port, int https_port,
int* reuseport, int transparent, int tcp_mss, int freebind,
int use_systemd, int dnscrypt_port)
int use_systemd, int dnscrypt_port, int dscp)
{
int s, noip6=0;
int is_https = if_is_https(ifname, port, https_port);
@ -1221,7 +1281,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
if(do_auto) {
if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1,
&noip6, rcv, snd, reuseport, transparent,
tcp_mss, nodelay, freebind, use_systemd)) == -1) {
tcp_mss, nodelay, freebind, use_systemd, dscp)) == -1) {
if(noip6) {
log_warn("IPv6 protocol not available");
return 1;
@ -1250,7 +1310,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
/* regular udp socket */
if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1,
&noip6, rcv, snd, reuseport, transparent,
tcp_mss, nodelay, freebind, use_systemd)) == -1) {
tcp_mss, nodelay, freebind, use_systemd, dscp)) == -1) {
if(noip6) {
log_warn("IPv6 protocol not available");
return 1;
@ -1281,7 +1341,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
port_type = listen_type_tcp;
if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1,
&noip6, 0, 0, reuseport, transparent, tcp_mss, nodelay,
freebind, use_systemd)) == -1) {
freebind, use_systemd, dscp)) == -1) {
if(noip6) {
/*log_warn("IPv6 protocol not available");*/
return 1;
@ -1501,7 +1561,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
cfg->https_port,
reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
cfg->dnscrypt_port)) {
cfg->dnscrypt_port, cfg->ip_dscp)) {
listening_ports_free(list);
return NULL;
}
@ -1516,7 +1576,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
cfg->https_port,
reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
cfg->dnscrypt_port)) {
cfg->dnscrypt_port, cfg->ip_dscp)) {
listening_ports_free(list);
return NULL;
}
@ -1533,7 +1593,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
cfg->https_port,
reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
cfg->dnscrypt_port)) {
cfg->dnscrypt_port, cfg->ip_dscp)) {
listening_ports_free(list);
return NULL;
}
@ -1548,7 +1608,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
cfg->https_port,
reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
cfg->dnscrypt_port)) {
cfg->dnscrypt_port, cfg->ip_dscp)) {
listening_ports_free(list);
return NULL;
}

View file

@ -210,11 +210,12 @@ void listen_start_accept(struct listen_dnsport* listen);
* @param transparent: set IP_TRANSPARENT socket option.
* @param freebind: set IP_FREEBIND socket option.
* @param use_systemd: if true, fetch sockets from systemd.
* @param dscp: DSCP to use.
* @return: the socket. -1 on error.
*/
int create_udp_sock(int family, int socktype, struct sockaddr* addr,
socklen_t addrlen, int v6only, int* inuse, int* noproto, int rcv,
int snd, int listen, int* reuseport, int transparent, int freebind, int use_systemd);
int snd, int listen, int* reuseport, int transparent, int freebind, int use_systemd, int dscp);
/**
* Create and bind TCP listening socket
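Review bot: `@param dscp: DSCP to use.` does not state the contract: which values are valid (a DSCP is a 6-bit value) and whether some value, for example 0, means "leave the socket's default marking alone". Callers pass the value unconditionally and set_ip_dscp() reports failures as an error string, so the header is the place to spell this out, the way the `transparent` and `freebind` parameters describe their effect.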
@ -228,11 +229,12 @@ int create_udp_sock(int family, int socktype, struct sockaddr* addr,
* @param nodelay: if true set TCP_NODELAY and TCP_QUICKACK socket options.
* @param freebind: set IP_FREEBIND socket option.
* @param use_systemd: if true, fetch sockets from systemd.
* @param dscp: DSCP to use.
* @return: the socket. -1 on error.
*/
int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
int* reuseport, int transparent, int mss, int nodelay, int freebind,
int use_systemd);
int use_systemd, int dscp);
/**
* Create and bind local listening socket
@ -394,4 +396,7 @@ int http2_submit_dns_response(struct http2_session* h2_session);
int http2_submit_dns_response(void* v);
#endif /* HAVE_NGHTTP2 */
char* set_ip_dscp(int socket, int addrfamily, int ds);
char* sock_strerror(int errn);
#endif /* LISTEN_DNSPORT_H */
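Review bot: `set_ip_dscp()` is the only declaration in this header without a doc comment. From its use in outside_network.c it returns NULL on success and an error string otherwise, and it takes the address family so it can pick IP_TOS or IPV6_TCLASS; say so here. Also the parameter name `socket` shadows the socket(2) function, which some compilers warn about; `fd` or `s` matches the surrounding declarations.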

View file

@ -1968,7 +1968,7 @@ mesh_serve_expired_callback(void* arg)
r = mstate->reply_list;
mstate->reply_list = NULL;
if(!mstate->reply_list && !mstate->cb_list) {
if(!mstate->reply_list && !mstate->cb_list && r) {
log_assert(mesh->num_reply_states > 0);
mesh->num_reply_states--;
if(mstate->super_set.count == 0) {
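Review bot: with `mstate->reply_list = NULL` on the line above, the `!mstate->reply_list` test is always true, so the condition is effectively `r && !mstate->cb_list`. Writing it that way, and adding a comment that the reply-state counter is only decremented when a reply list was actually detached (the case the new `&& r` guards), makes the fix self-explanatory for the next reader.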

View file

@ -205,18 +205,25 @@ pick_outgoing_tcp(struct waiting_tcp* w, int s)
/** get TCP file descriptor for address, returns -1 on failure,
* tcp_mss is 0 or maxseg size to set for TCP packets. */
int
outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss)
outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss, int dscp)
{
int s;
int af;
char* err;
#ifdef SO_REUSEADDR
int on = 1;
#endif
#ifdef INET6
if(addr_is_ip6(addr, addrlen))
if(addr_is_ip6(addr, addrlen)){
s = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP);
else
af = AF_INET6;
} else {
#else
{
#endif
af = AF_INET;
s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
}
if(s == -1) {
#ifndef USE_WINSOCK
log_err_addr("outgoing tcp: socket", strerror(errno),
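Review bot: the `#ifdef INET6 ... } else { / #else / { / #endif` construct splits a brace pair across preprocessor branches, which is hard to read and easy to break on the next edit. Since `af` is only needed for set_ip_dscp(), compute it first, `af = AF_INET;` followed by `#ifdef INET6 if(addr_is_ip6(addr, addrlen)) af = AF_INET6; #endif`, and then open the socket from `af`. Also `if(addr_is_ip6(addr, addrlen)){` is missing the space before `{` that the rest of the file uses.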
@ -236,6 +243,12 @@ outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss)
}
#endif
err = set_ip_dscp(s, af, dscp);
if(err != NULL) {
verbose(VERB_ALGO, "outgoing tcp:"
"error setting IP DiffServ codepoint on socket");
}
if(tcp_mss > 0) {
#if defined(IPPROTO_TCP) && defined(TCP_MAXSEG)
if(setsockopt(s, IPPROTO_TCP, TCP_MAXSEG,
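Review bot: the two adjacent string literals concatenate to "outgoing tcp:error setting IP DiffServ codepoint on socket" (no space after the colon), and the reason returned in `err` is thrown away. Suggest `verbose(VERB_ALGO, "outgoing tcp: error setting IP DiffServ codepoint on socket: %s", err);` so the operator can see why the setsockopt failed (for example a missing capability or an unsupported option on that platform).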
@ -291,7 +304,7 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
log_assert(pkt);
log_assert(w->addrlen > 0);
/* open socket */
s = outnet_get_tcp_fd(&w->addr, w->addrlen, w->outnet->tcp_mss);
s = outnet_get_tcp_fd(&w->addr, w->addrlen, w->outnet->tcp_mss, w->outnet->ip_dscp);
if(s == -1)
return 0;
@ -373,7 +386,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
comm_point_tcp_win_bio_cb(pend->c, pend->c->ssl);
#endif
pend->c->ssl_shake_state = comm_ssl_shake_write;
if(!set_auth_name_on_ssl(pend->c->ssl, w->tls_auth_name)) {
if(!set_auth_name_on_ssl(pend->c->ssl, w->tls_auth_name,
w->outnet->tls_use_sni)) {
pend->c->fd = s;
#ifdef HAVE_SSL
SSL_free(pend->c->ssl);
@ -719,11 +733,11 @@ static int setup_if(struct port_if* pif, const char* addrstr,
struct outside_network*
outside_network_create(struct comm_base *base, size_t bufsize,
size_t num_ports, char** ifs, int num_ifs, int do_ip4,
int do_ip6, size_t num_tcp, struct infra_cache* infra,
int do_ip6, size_t num_tcp, int dscp, struct infra_cache* infra,
struct ub_randstate* rnd, int use_caps_for_id, int* availports,
int numavailports, size_t unwanted_threshold, int tcp_mss,
void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
void* sslctx, int delayclose, struct dt_env* dtenv)
void* sslctx, int delayclose, int tls_use_sni, struct dt_env* dtenv)
{
struct outside_network* outnet = (struct outside_network*)
calloc(1, sizeof(struct outside_network));
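Review bot: this adds two more bare `int` arguments (`dscp`, `tls_use_sni`) to a signature that already takes a long run of positional ints and pointers; every caller and the testbound replay stub (also changed in this commit) must be kept in exactly the same order, and the compiler cannot catch an int swapped with a neighbouring int. An options struct for the socket-related settings would remove that hazard; failing that, make sure the header comment lists the new parameters in the same position as the prototype, which the header hunk does.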
@ -739,6 +753,7 @@ outside_network_create(struct comm_base *base, size_t bufsize,
outnet->infra = infra;
outnet->rnd = rnd;
outnet->sslctx = sslctx;
outnet->tls_use_sni = tls_use_sni;
#ifdef USE_DNSTAP
outnet->dtenv = dtenv;
#else
@ -752,6 +767,7 @@ outside_network_create(struct comm_base *base, size_t bufsize,
outnet->use_caps_for_id = use_caps_for_id;
outnet->do_udp = do_udp;
outnet->tcp_mss = tcp_mss;
outnet->ip_dscp = dscp;
#ifndef S_SPLINT_S
if(delayclose) {
outnet->delayclose = 1;
@ -1037,11 +1053,12 @@ sai6_putrandom(struct sockaddr_in6 *sa, int pfxlen, struct ub_randstate *rnd)
* @param port: port override for addr.
* @param inuse: if -1 is returned, this bool means the port was in use.
* @param rnd: random state (for address randomisation).
* @param dscp: DSCP to use.
* @return fd or -1
*/
static int
udp_sockport(struct sockaddr_storage* addr, socklen_t addrlen, int pfxlen,
int port, int* inuse, struct ub_randstate* rnd)
int port, int* inuse, struct ub_randstate* rnd, int dscp)
{
int fd, noproto;
if(addr_is_ip6(addr, addrlen)) {
@ -1056,13 +1073,13 @@ udp_sockport(struct sockaddr_storage* addr, socklen_t addrlen, int pfxlen,
}
fd = create_udp_sock(AF_INET6, SOCK_DGRAM,
(struct sockaddr*)&sa, addrlen, 1, inuse, &noproto,
0, 0, 0, NULL, 0, freebind, 0);
0, 0, 0, NULL, 0, freebind, 0, dscp);
} else {
struct sockaddr_in* sa = (struct sockaddr_in*)addr;
sa->sin_port = (in_port_t)htons((uint16_t)port);
fd = create_udp_sock(AF_INET, SOCK_DGRAM,
(struct sockaddr*)addr, addrlen, 1, inuse, &noproto,
0, 0, 0, NULL, 0, 0, 0);
0, 0, 0, NULL, 0, 0, 0, dscp);
}
return fd;
}
@ -1127,7 +1144,7 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
my_port = portno = 0;
#endif
fd = udp_sockport(&pif->addr, pif->addrlen, pif->pfxlen,
portno, &inuse, outnet->rnd);
portno, &inuse, outnet->rnd, outnet->ip_dscp);
if(fd == -1 && !inuse) {
/* nonrecoverable error making socket */
return 0;
@ -2176,10 +2193,11 @@ fd_for_dest(struct outside_network* outnet, struct sockaddr_storage* to_addr,
{
struct sockaddr_storage* addr;
socklen_t addrlen;
int i, try, pnum;
int i, try, pnum, dscp;
struct port_if* pif;
/* create fd */
dscp = outnet->ip_dscp;
for(try = 0; try<1000; try++) {
int port = 0;
int freebind = 0;
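Review bot: the local `dscp = outnet->ip_dscp;` copy is unnecessary; the other call sites in this file (select_ifport, outnet_comm_point_for_tcp, outnet_comm_point_for_http) pass `outnet->ip_dscp` directly. Dropping the local variable keeps the four sites consistent.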
@ -2226,13 +2244,13 @@ fd_for_dest(struct outside_network* outnet, struct sockaddr_storage* to_addr,
sa.sin6_port = (in_port_t)htons((uint16_t)port);
fd = create_udp_sock(AF_INET6, SOCK_DGRAM,
(struct sockaddr*)&sa, addrlen, 1, &inuse, &noproto,
0, 0, 0, NULL, 0, freebind, 0);
0, 0, 0, NULL, 0, freebind, 0, dscp);
} else {
struct sockaddr_in* sa = (struct sockaddr_in*)addr;
sa->sin_port = (in_port_t)htons((uint16_t)port);
fd = create_udp_sock(AF_INET, SOCK_DGRAM,
(struct sockaddr*)addr, addrlen, 1, &inuse, &noproto,
0, 0, 0, NULL, 0, freebind, 0);
0, 0, 0, NULL, 0, freebind, 0, dscp);
}
if(fd != -1) {
return fd;
@ -2281,6 +2299,11 @@ setup_comm_ssl(struct comm_point* cp, struct outside_network* outnet,
#endif
cp->ssl_shake_state = comm_ssl_shake_write;
/* https verification */
#ifdef HAVE_SSL
if(outnet->tls_use_sni) {
(void)SSL_set_tlsext_host_name(cp->ssl, host);
}
#endif
#ifdef HAVE_SSL_SET1_HOST
if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) {
/* because we set SSL_VERIFY_PEER, in netevent in
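Review bot: the result of `SSL_set_tlsext_host_name(cp->ssl, host)` is cast to void, so a failure (for instance `host` being NULL) silently yields a handshake without SNI, even though the operator asked for it with `tls_use_sni`. Check `host` before the call and log at VERB_ALGO when the call returns 0. RFC 6066 also forbids literal IPv4/IPv6 addresses in the server_name extension, so if `host` can ever be an address literal the SNI should be skipped in that case.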
@ -2324,7 +2347,7 @@ outnet_comm_point_for_tcp(struct outside_network* outnet,
sldns_buffer* query, int timeout, int ssl, char* host)
{
struct comm_point* cp;
int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss);
int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss, outnet->ip_dscp);
if(fd == -1) {
return 0;
}
@ -2386,7 +2409,7 @@ outnet_comm_point_for_http(struct outside_network* outnet,
{
/* cp calls cb with err=NETEVENT_DONE when transfer is done */
struct comm_point* cp;
int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss);
int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss, outnet->ip_dscp);
if(fd == -1) {
return 0;
}

View file

@ -132,12 +132,16 @@ struct outside_network {
struct ub_randstate* rnd;
/** ssl context to create ssl wrapped TCP with DNS connections */
void* sslctx;
/** if SNI will be used for TLS connections */
int tls_use_sni;
#ifdef USE_DNSTAP
/** dnstap environment */
struct dt_env* dtenv;
#endif
/** maximum segment size of tcp socket */
int tcp_mss;
/** IP_TOS socket option requested on the sockets */
int ip_dscp;
/**
* Array of tcp pending used for outgoing TCP connections.
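Review bot: the comment `IP_TOS socket option requested on the sockets` is misleading on two counts: the field holds a DSCP (the upper six bits of the DS field), not a full TOS byte, and on AF_INET6 sockets the option is IPV6_TCLASS rather than IP_TOS, which is exactly why set_ip_dscp() takes the address family. Suggest `/** DSCP value to set on outgoing sockets (IP_TOS / IPV6_TCLASS) */`.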
@ -401,6 +405,7 @@ struct serviced_query {
* @param do_ip4: service IP4.
* @param do_ip6: service IP6.
* @param num_tcp: number of outgoing tcp buffers to preallocate.
* @param dscp: DSCP to use.
* @param infra: pointer to infra cached used for serviced queries.
* @param rnd: stored to create random numbers for serviced queries.
* @param use_caps_for_id: enable to use 0x20 bits to encode id randomness.
@ -414,16 +419,17 @@ struct serviced_query {
* @param sslctx: context to create outgoing connections with (if enabled).
* @param delayclose: if not 0, udp sockets are delayed before timeout closure.
* msec to wait on timeouted udp sockets.
* @param tls_use_sni: if SNI is used for TLS connections.
* @param dtenv: environment to send dnstap events with (if enabled).
* @return: the new structure (with no pending answers) or NULL on error.
*/
struct outside_network* outside_network_create(struct comm_base* base,
size_t bufsize, size_t num_ports, char** ifs, int num_ifs,
int do_ip4, int do_ip6, size_t num_tcp, struct infra_cache* infra,
int do_ip4, int do_ip6, size_t num_tcp, int dscp, struct infra_cache* infra,
struct ub_randstate* rnd, int use_caps_for_id, int* availports,
int numavailports, size_t unwanted_threshold, int tcp_mss,
void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
void* sslctx, int delayclose, struct dt_env *dtenv);
void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv);
/**
* Delete outside_network structure.
@ -542,7 +548,7 @@ size_t serviced_get_mem(struct serviced_query* sq);
/** get TCP file descriptor for address, returns -1 on failure,
* tcp_mss is 0 or maxseg size to set for TCP packets. */
int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss);
int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss, int dscp);
/**
* Create udp commpoint suitable for sending packets to the destination.

View file

@ -834,6 +834,8 @@ rpz_remove_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
delete_zone = rpz_data_delete_rr(z, dname,
dnamelen, rr_type, rdatawl, rdatalen);
else if(a != localzone_type_to_rpz_action(z->type)) {
lock_rw_unlock(&z->lock);
lock_rw_unlock(&r->local_zones->lock);
return;
}
lock_rw_unlock(&z->lock);
@ -939,13 +941,16 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
struct regional* temp, struct comm_reply* repinfo,
uint8_t* taglist, size_t taglen, struct ub_server_stats* stats)
{
struct rpz* r;
struct rpz* r = NULL;
struct auth_zone* a;
int ret;
enum localzone_type lzt;
struct local_zone* z = NULL;
struct local_data* ld = NULL;
lock_rw_rdlock(&az->rpz_lock);
for(r = az->rpz_first; r; r = r->next) {
for(a = az->rpz_first; a; a = a->rpz_az_next) {
lock_rw_rdlock(&a->lock);
r = a->rpz;
if(!r->taglist || taglist_intersect(r->taglist,
r->taglistlen, taglist, taglen)) {
z = rpz_find_zone(r, qinfo->qname, qinfo->qname_len,
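Review bot: `r = a->rpz;` is dereferenced on the next line (`r->taglist`) without a NULL check while `a->lock` is held. If an auth_zone can ever be on the `rpz_az_next` list without an rpz attached, this is a crash under lock; either `log_assert(a->rpz)` to document the invariant or unlock and `continue` past such a zone.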
@ -963,13 +968,14 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
}
if(z)
break;
}
}
lock_rw_unlock(&a->lock); /* not found in this auth_zone */
}
lock_rw_unlock(&az->rpz_lock);
if(!z)
return 0;
return 0; /* not holding auth_zone.lock anymore */
log_assert(r);
if(r->action_override == RPZ_NO_OVERRIDE_ACTION)
lzt = z->type;
else
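Review bot: the `break` on a found zone deliberately leaves `a->lock` held for the remainder of the function, while the not-found path releases it at `lock_rw_unlock(&a->lock); /* not found in this auth_zone */`. Put a comment at the `break` saying that `a->lock` (and `z->lock`) stay held and are released on every later return; the asymmetry is otherwise invisible to a reader of the loop. The `log_assert(r)` is correct, since `r` can only be NULL when the loop body never ran, which `z` being non-NULL rules out.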
@ -980,6 +986,7 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
regional_alloc_zero(temp, sizeof(struct local_rrset));
if(!qinfo->local_alias) {
lock_rw_unlock(&z->lock);
lock_rw_unlock(&a->lock);
return 0; /* out of memory */
}
qinfo->local_alias->rrset =
@ -987,6 +994,7 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
sizeof(*r->cname_override));
if(!qinfo->local_alias->rrset) {
lock_rw_unlock(&z->lock);
lock_rw_unlock(&a->lock);
return 0; /* out of memory */
}
qinfo->local_alias->rrset->rk.dname = qinfo->qname;
@ -996,6 +1004,7 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
qinfo, repinfo, r->log_name);
stats->rpz_action[RPZ_CNAME_OVERRIDE_ACTION]++;
lock_rw_unlock(&z->lock);
lock_rw_unlock(&a->lock);
return 0;
}
@ -1008,6 +1017,7 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
repinfo, r->log_name);
stats->rpz_action[localzone_type_to_rpz_action(lzt)]++;
lock_rw_unlock(&z->lock);
lock_rw_unlock(&a->lock);
return !qinfo->local_alias;
}
@ -1018,6 +1028,7 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
qinfo, repinfo, r->log_name);
stats->rpz_action[localzone_type_to_rpz_action(lzt)]++;
lock_rw_unlock(&z->lock);
lock_rw_unlock(&a->lock);
return ret;
}
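Review bot: after the zone is found there are now five return paths that must each release `z->lock` and then `a->lock` in that order, the same pattern that leaked locks in rpz_remove_qname_trigger and is fixed elsewhere in this commit. A single unlock-and-return tail, or a small static helper that releases both locks, would make it impossible for the next early return to forget one.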

View file

@ -86,7 +86,8 @@ enum rpz_action {
/**
* RPZ containing policies. Pointed to from corresponding auth-zone. Part of a
* linked list to keep configuration order. Iterating or changing the linked
* list requires the rpz_lock from struct auth_zones.
* list requires the rpz_lock from struct auth_zones. Changing items in this
* struct require the lock from struct auth_zone.
*/
struct rpz {
struct local_zones* local_zones;
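Review bot: grammar in the new comment text: `Changing items in this struct require the lock` should read `requires`. It would also help to name the lock precisely, i.e. the `lock` of the auth_zone that owns this rpz, to match the `a->lock` usage in rpz_apply_qname_trigger.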
@ -97,8 +98,6 @@ struct rpz {
struct ub_packed_rrset_key* cname_override;
int log;
char* log_name;
struct rpz* next;
struct rpz* prev;
struct regional* region;
};
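Review bot: with `next`/`prev` removed, struct rpz is no longer a list node, so the first sentence of the struct comment ("Part of a linked list to keep configuration order") is stale: the list is now kept on the owning auth_zone via `rpz_first`/`rpz_az_next`. Update the comment, and confirm no remaining code still touches `r->next` or `r->prev`.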

View file

@ -187,6 +187,7 @@ usage(void)
printf("-c file cert file, default %s\n", ROOT_CERT_FILE);
printf("-l list builtin key and cert on stdout\n");
printf("-u name server in https url, default %s\n", URLNAME);
printf("-S do not use SNI for the https connection\n");
printf("-x path pathname to xml in url, default %s\n", XMLNAME);
printf("-s path pathname to p7s in url, default %s\n", P7SNAME);
printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER);
@ -245,9 +246,7 @@ get_builtin_ds(void)
return
/* The anchors must start on a new line with ". IN DS and end with \n"[;]
* because the makedist script greps on the source here */
/* anchor 19036 is from 2010 */
/* anchor 20326 is from 2017 */
". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
}
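Review bot: the two comments recording the year of each root anchor (19036 from 2010, 20326 from 2017) are deleted while both DS records stay. That provenance is the only hint in the file about which anchor is the newer one and why two are shipped; keep it, for example folded into the makedist comment above, which already explains why the RR text itself must not be changed.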
@ -772,7 +771,7 @@ setup_sslctx(void)
/** initiate TLS on a connection */
static SSL*
TLS_initiate(SSL_CTX* sslctx, int fd)
TLS_initiate(SSL_CTX* sslctx, int fd, const char* urlname, int use_sni)
{
X509* x;
int r;
@ -788,6 +787,9 @@ TLS_initiate(SSL_CTX* sslctx, int fd)
SSL_free(ssl);
return NULL;
}
if(use_sni) {
(void)SSL_set_tlsext_host_name(ssl, urlname);
}
while(1) {
ERR_clear_error();
if( (r=SSL_do_handshake(ssl)) == 1)
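Review bot: as in setup_comm_ssl, the return value of `SSL_set_tlsext_host_name(ssl, urlname)` is discarded. `urlname` comes straight from `-u`, so a value the library rejects as a host name leaves the handshake without SNI and the user none the wiser; log when the call returns 0 so a failed certificate match can be traced back to the missing extension.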
@ -1123,7 +1125,7 @@ read_http_result(SSL* ssl)
/** https to an IP addr, return BIO with pathname or NULL */
static BIO*
https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname,
struct ip_list* src)
struct ip_list* src, int use_sni)
{
int fd;
SSL* ssl;
@ -1137,7 +1139,7 @@ https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname,
SSL_CTX_free(sslctx);
return NULL;
}
ssl = TLS_initiate(sslctx, fd);
ssl = TLS_initiate(sslctx, fd, urlname, use_sni);
if(!ssl) {
SSL_CTX_free(sslctx);
fd_close(fd);
@ -1161,11 +1163,12 @@ https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname,
* @param pathname: pathname of file on server to GET.
* @param urlname: name to pass as the virtual host for this request.
* @param src: if nonNULL, source address to bind to.
* @param use_sni: if SNI will be used.
* @return a memory BIO with the file in it.
*/
static BIO*
https(struct ip_list* ip_list, const char* pathname, const char* urlname,
struct ip_list* src)
struct ip_list* src, int use_sni)
{
struct ip_list* ip;
BIO* bio = NULL;
@ -1173,7 +1176,7 @@ https(struct ip_list* ip_list, const char* pathname, const char* urlname,
wipe_ip_usage(ip_list);
while( (ip = pick_random_ip(ip_list)) ) {
ip->used = 1;
bio = https_to_ip(ip, pathname, urlname, src);
bio = https_to_ip(ip, pathname, urlname, src, use_sni);
if(bio) break;
}
if(!bio) {
@ -1929,7 +1932,7 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file,
const char* urlname, const char* xmlname, const char* p7sname,
const char* p7signer, const char* res_conf, const char* root_hints,
const char* debugconf, const char* srcaddr, int ip4only, int ip6only,
int port)
int port, int use_sni)
{
STACK_OF(X509)* cert;
@ -1963,8 +1966,8 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file,
#endif
/* fetch the necessary files over HTTPS */
xml = https(ip_list, xmlname, urlname, src);
p7s = https(ip_list, p7sname, urlname, src);
xml = https(ip_list, xmlname, urlname, src, use_sni);
p7s = https(ip_list, p7sname, urlname, src, use_sni);
/* verify and update the root anchor */
verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer);
@ -2235,7 +2238,7 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
const char* urlname, const char* xmlname, const char* p7sname,
const char* p7signer, const char* res_conf, const char* root_hints,
const char* debugconf, const char* srcaddr, int ip4only, int ip6only,
int force, int res_conf_fallback, int port)
int force, int res_conf_fallback, int port, int use_sni)
{
struct ub_result* dnskey;
int used_builtin = 0;
@ -2278,7 +2281,7 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
probe_date_allows_certupdate(root_anchor_file)) || force) {
if(do_certupdate(root_anchor_file, root_cert_file, urlname,
xmlname, p7sname, p7signer, res_conf, root_hints,
debugconf, srcaddr, ip4only, ip6only, port))
debugconf, srcaddr, ip4only, ip6only, port, use_sni))
return 1;
return used_builtin;
}
@ -2307,8 +2310,9 @@ int main(int argc, char* argv[])
const char* srcaddr = NULL;
int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
int res_conf_fallback = 0;
int use_sni = 1;
/* parse the options */
while( (c=getopt(argc, argv, "46C:FRP:a:b:c:f:hln:r:s:u:vx:")) != -1) {
while( (c=getopt(argc, argv, "46C:FRSP:a:b:c:f:hln:r:s:u:vx:")) != -1) {
switch(c) {
case 'l':
dolist = 1;
@ -2331,6 +2335,9 @@ int main(int argc, char* argv[])
case 'u':
urlname = optarg;
break;
case 'S':
use_sni = 0;
break;
case 'x':
xmlname = optarg;
break;
@ -2397,5 +2404,5 @@ int main(int argc, char* argv[])
return do_root_update_work(root_anchor_file, root_cert_file, urlname,
xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
srcaddr, ip4only, ip6only, force, res_conf_fallback, port);
srcaddr, ip4only, ip6only, force, res_conf_fallback, port, use_sni);
}

View file

@ -705,7 +705,7 @@ check_auth(struct config_file* cfg)
{
int is_rpz = 0;
struct auth_zones* az = auth_zones_create();
if(!az || !auth_zones_apply_cfg(az, cfg, 0i, &is_rpz)) {
if(!az || !auth_zones_apply_cfg(az, cfg, 0, &is_rpz)) {
fatal_exit("Could not setup authority zones");
}
auth_zones_delete(az);
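Review bot: good catch on `0i`; it compiled because GCC and clang accept the `i` suffix as a GNU imaginary-constant extension and quietly convert `0i` to an integer 0. A `-pedantic` build warns about it, so it is worth having at least one CI job build with `-pedantic` so this class of typo does not slip through again.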

View file

@ -5,22 +5,22 @@
# Copyright (c) 2008, NLnet Labs. All rights reserved.
#
# This software is open source.
#
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
#
# Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
#
# Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
#
# Neither the name of the NLNET LABS nor the names of its contributors may
# be used to endorse or promote products derived from this software without
# specific prior written permission.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
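Review bot: this hunk only strips trailing spaces from the license comment (`# ` to `#`). Harmless, but mixing whitespace cleanup into a functional rewrite of the script inflates the diff and the blame history; better as a separate commit.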
@ -57,87 +57,144 @@ SVR_BASE=unbound_server
# base name for unbound-control keys
CTL_BASE=unbound_control
# flag to recreate generated certificates
RECREATE=0
# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
umask 0027
# end of options
# functions:
error ( ) {
echo "$0 fatal error: $1"
exit 1
set -eu
cleanup() {
echo "removing artifacts"
rm -rf \
server.cnf \
client.cnf \
"${SVR_BASE}_trust.pem" \
"${CTL_BASE}_trust.pem" \
"${SVR_BASE}_trust.srl"
}
# check arguments:
while test $# -ne 0; do
case $1 in
-d)
if test $# -eq 1; then error "need argument for -d"; fi
DESTDIR="$2"
shift
;;
*)
echo "unbound-control-setup.sh - setup SSL keys for unbound-control"
echo " -d dir use directory to store keys and certificates."
echo " default: $DESTDIR"
echo "please run this command using the same user id that the "
echo "unbound daemon uses, it needs read privileges."
exit 1
;;
esac
shift
fatal() {
printf "fatal error: $*\n" >/dev/stderr
exit 1
}
usage() {
cat <<EOF
usage: $0 OPTIONS
OPTIONS
-d <dir> used directory to store keys and certificates (default: $DESTDIR)
-h show help notice
-r recreate certificates
EOF
}
OPTIND=1
while getopts 'd:hr' arg; do
case "$arg" in
d) DESTDIR="$OPTARG" ;;
h) usage; exit 1 ;;
r) RECREATE=1 ;;
?) fatal "'$arg' unknown option" ;;
esac
done
shift $((OPTIND - 1))
# go!:
echo "setup in directory $DESTDIR"
cd "$DESTDIR" || error "could not cd to $DESTDIR"
cd "$DESTDIR"
# create certificate keys; do not recreate if they already exist.
if test -f $SVR_BASE.key; then
echo "$SVR_BASE.key exists"
else
echo "generating $SVR_BASE.key"
openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa"
fi
if test -f $CTL_BASE.key; then
echo "$CTL_BASE.key exists"
else
echo "generating $CTL_BASE.key"
openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa"
trap cleanup INT
# ===
# Generate server certificate
# ===
# generate private key; do no recreate it if they already exist.
if [ ! -f "$SVR_BASE.key" ]; then
openssl genrsa -out "$SVR_BASE.key" "$BITS"
fi
# create self-signed cert for server
echo "[req]" > request.cfg
echo "default_bits=$BITS" >> request.cfg
echo "default_md=$HASH" >> request.cfg
echo "prompt=no" >> request.cfg
echo "distinguished_name=req_distinguished_name" >> request.cfg
echo "" >> request.cfg
echo "[req_distinguished_name]" >> request.cfg
echo "commonName=$SERVERNAME" >> request.cfg
cat >server.cnf <<EOF
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name
[req_distinguished_name]
commonName=$SERVERNAME
EOF
test -f request.cfg || error "could not create request.cfg"
[ -f server.cnf ] || fatal "cannot create openssl configuration"
echo "create $SVR_BASE.pem (self signed certificate)"
openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
# create trusted usage pem
openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
if [ ! -f "$SVR_BASE.pem" -o $RECREATE -eq 1 ]; then
openssl req \
-new -x509 \
-key "$SVR_BASE.key" \
-config server.cnf \
-days "$DAYS" \
-out "$SVR_BASE.pem"
# create client request and sign it, piped
echo "[req]" > request.cfg
echo "default_bits=$BITS" >> request.cfg
echo "default_md=$HASH" >> request.cfg
echo "prompt=no" >> request.cfg
echo "distinguished_name=req_distinguished_name" >> request.cfg
echo "" >> request.cfg
echo "[req_distinguished_name]" >> request.cfg
echo "commonName=$CLIENTNAME" >> request.cfg
[ ! -f "SVR_BASE.pem" ] || fatal "cannot create server certificate"
fi
test -f request.cfg || error "could not create request.cfg"
# ===
# Generate client certificate
# ===
# generate private key; do no recreate it if they already exist.
if [ ! -f "$CTL_BASE.key" ]; then
openssl genrsa -out "$CTL_BASE.key" "$BITS"
fi
cat >client.cnf <<EOF
[req]
default_bits=$BITS
default_md=$HASH
prompt=no
distinguished_name=req_distinguished_name
[req_distinguished_name]
commonName=$CLIENTNAME
EOF
[ -f client.cnf ] || fatal "cannot create openssl configuration"
if [ ! -f "$CTL_BASE.pem" -o $RECREATE -eq 1 ]; then
openssl x509 \
-addtrust serverAuth \
-in "$SVR_BASE.pem" \
-out "${SVR_BASE}_trust.pem"
openssl req \
-new \
-config client.cnf \
-key "$CTL_BASE.key" \
| openssl x509 \
-req \
-days "$DAYS" \
-CA "${SVR_BASE}_trust.pem" \
-CAkey "$SVR_BASE.key" \
-CAcreateserial \
-$HASH \
-out "$CTL_BASE.pem"
[ ! -f "CTL_BASE.pem" ] || fatal "cannot create signed client certificate"
fi
# remove unused permissions
chmod o-rw \
"$SVR_BASE.pem" \
"$SVR_BASE.key" \
"$CTL_BASE.pem" \
"$CTL_BASE.key"
cleanup
echo "Setup success. Certificates created. Enable in unbound.conf file to use"
echo "create $CTL_BASE.pem (signed client certificate)"
openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem
test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
# create trusted usage pem
# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
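Review bot: the post-generation checks are wrong in two ways: `[ ! -f "SVR_BASE.pem" ] || fatal "cannot create server certificate"` (and its `"CTL_BASE.pem"` twin) is missing the `$`, so it tests for a literal file named `SVR_BASE.pem`, and the sense is inverted, so `fatal` fires when the file exists. It should read `[ -f "$SVR_BASE.pem" ] || fatal "cannot create server certificate"`. As written the check never fires, and a stray file literally called `SVR_BASE.pem` would abort a successful run.

Further points in the same hunk: `fatal()` puts `$*` inside the printf format, so a `%` in the message is interpreted; use `printf 'fatal error: %s\n' "$*" >&2` (`/dev/stderr` is also not present on every platform). `trap cleanup INT` only covers Ctrl-C; with `set -eu` an openssl failure exits without running cleanup and leaves `server.cnf`, `client.cnf`, `${SVR_BASE}_trust.pem` and the `.srl` behind, so `trap cleanup EXIT` (dropping the explicit `cleanup` call at the end) is the safer choice. The `server.cnf` heredoc lacks the `[req]` section header that `client.cnf` has and works only because OpenSSL falls back to the default section; add `[req]` for consistency. `-o` inside `[ ]` is obsolescent in POSIX, prefer `[ ! -f "$SVR_BASE.pem" ] || [ "$RECREATE" -eq 1 ]`. Finally, `h) usage; exit 1` should exit 0, and the usage text `used directory to store` reads better as `directory used to store`.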
@ -148,13 +205,3 @@ test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
# echo "empty password is used, simply click OK on the password dialog box."
# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
# set desired permissions
chmod 0640 $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
# remove crap
rm -f request.cfg
rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl"
echo "Setup success. Certificates created. Enable in unbound.conf file to use"
exit 0
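Review bot: the commented-out browser-certificate example kept above this hunk still ends in `|| error "could not create browser certificate"`, but `error()` is removed in this commit in favour of `fatal()`; update the comment so anyone uncommenting it does not hit an unknown command. Replacing `chmod 0640` with `chmod o-rw` is equivalent here only because `umask 0027` already produces 0640; the explicit mode was the more robust of the two.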

View file

@ -1032,6 +1032,7 @@ outside_network_create(struct comm_base* base, size_t bufsize,
size_t ATTR_UNUSED(num_ports), char** ATTR_UNUSED(ifs),
int ATTR_UNUSED(num_ifs), int ATTR_UNUSED(do_ip4),
int ATTR_UNUSED(do_ip6), size_t ATTR_UNUSED(num_tcp),
int ATTR_UNUSED(dscp),
struct infra_cache* infra,
struct ub_randstate* ATTR_UNUSED(rnd),
int ATTR_UNUSED(use_caps_for_id), int* ATTR_UNUSED(availports),
@ -1039,7 +1040,8 @@ outside_network_create(struct comm_base* base, size_t bufsize,
int ATTR_UNUSED(outgoing_tcp_mss),
void (*unwanted_action)(void*), void* ATTR_UNUSED(unwanted_param),
int ATTR_UNUSED(do_udp), void* ATTR_UNUSED(sslctx),
int ATTR_UNUSED(delayclose), struct dt_env* ATTR_UNUSED(dtenv))
int ATTR_UNUSED(delayclose), int ATTR_UNUSED(tls_use_sni),
struct dt_env* ATTR_UNUSED(dtenv))
{
struct replay_runtime* runtime = (struct replay_runtime*)base;
struct outside_network* outnet = calloc(1,
@ -1584,7 +1586,7 @@ int create_udp_sock(int ATTR_UNUSED(family), int ATTR_UNUSED(socktype),
int* ATTR_UNUSED(noproto), int ATTR_UNUSED(rcv), int ATTR_UNUSED(snd),
int ATTR_UNUSED(listen), int* ATTR_UNUSED(reuseport),
int ATTR_UNUSED(transparent), int ATTR_UNUSED(freebind),
int ATTR_UNUSED(use_systemd))
int ATTR_UNUSED(use_systemd), int ATTR_UNUSED(dscp))
{
/* if you actually print to this, it'll be stdout during test */
return 1;
@ -1791,7 +1793,7 @@ int comm_point_send_udp_msg(struct comm_point *c, sldns_buffer* packet,
}
int outnet_get_tcp_fd(struct sockaddr_storage* ATTR_UNUSED(addr),
socklen_t ATTR_UNUSED(addrlen), int ATTR_UNUSED(tcp_mss))
socklen_t ATTR_UNUSED(addrlen), int ATTR_UNUSED(tcp_mss), int ATTR_UNUSED(dscp))
{
log_assert(0);
return -1;

View file

@ -34,7 +34,7 @@ cleanup() {
if test -f "$t.bak"; then mv "$t.bak" "$t"; fi
exit 0
}
trap cleanup SIGINT
trap cleanup INT
for t in $RUNLIST
do

View file

@ -867,6 +867,8 @@ main(int argc, char* argv[])
printf("\tperforms unit tests.\n");
return 1;
}
/* Disable roundrobin for the unit tests */
RRSET_ROUNDROBIN = 0;
#ifdef USE_LIBEVENT
printf("Start of %s+libevent unit test.\n", PACKAGE_STRING);
#else

testdata/04-checkconf.tdir/bad.dscp vendored Normal file
View file

@ -0,0 +1,5 @@
include: "good.min"
server:
# an abnormal value for the option
ip-dscp: 500
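Review bot: 500 only exercises the gross-range rejection. DSCP is a 6-bit field, so add boundary cases (63 accepted, 64 rejected) so the parser check is pinned at the actual edge rather than somewhere between the example value 5 and 500.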

View file

@ -220,6 +220,10 @@ server:
# more slabs reduce lock contention, but fragment memory usage.
key-cache-slabs: 4
# the value of the Differentiated Services Codepoint (DSCP)
# in the differentiated services field (DS) of the outgoing
# IP packets
ip-dscp: 5
# Stub zones.
# Create entries like below, to make all queries for 'example.com' and

testdata/04-checkconf.tdir/good.min vendored Normal file
View file

@ -0,0 +1,7 @@
# the minimal passing config - include in your bad.x to verify that
# it is your option which triggers failure
server:
chroot: ""
username: ""
directory: "."
pidfile: ""

View file

@ -106,7 +106,6 @@ www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END
RANGE_END
RANGE_END

View file

@ -97,7 +97,6 @@ www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END
RANGE_END
RANGE_END

View file

@ -85,7 +85,6 @@ www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END
RANGE_END
RANGE_END

View file

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
minimal-responses: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
minimal-responses: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -10,6 +10,7 @@ server:
username: ""
do-not-query-localhost: no
minimal-responses: no
rrset-roundrobin: no
forward-zone:
name: "."
forward-addr: "127.0.0.1@@TOPORT@"

View file

@ -4,6 +4,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"
minimal-responses: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -2,6 +2,7 @@
server:
target-fetch-policy: "0 0 0 0 0"
minimal-responses: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -3,6 +3,7 @@ server:
target-fetch-policy: "3 2 1 0 0"
qname-minimisation: "no"
minimal-responses: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -2,6 +2,7 @@
server:
target-fetch-policy: "0 0 0 0 0"
minimal-responses: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -2,6 +2,7 @@
server:
target-fetch-policy: "0 0 0 0 0"
minimal-responses: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -2,6 +2,7 @@
server:
target-fetch-policy: "0 0 0 0 0"
minimal-responses: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -3,6 +3,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"
minimal-responses: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -2,6 +2,7 @@
server:
target-fetch-policy: "0 0 0 0 0"
minimal-responses: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -4,6 +4,7 @@ server:
hide-version: no
identity: "test-identity"
version: "test-version"
rrset-roundrobin: no
; implicit transparent zone should not block id.server
local-data: "mydata.server. CH A 10.11.12.13"

View file

@ -3,6 +3,7 @@ server:
module-config: "respip validator iterator"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: no
rrset-roundrobin: no
rpz:
name: "rpz.example.com."

View file

@ -3,6 +3,7 @@ server:
module-config: "respip validator iterator"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: no
rrset-roundrobin: no
rpz:
name: "rpz.example.com."

View file

@ -2,6 +2,7 @@
; config options go here.
server:
minimal-responses: no
rrset-roundrobin: no
forward-zone: name: "." forward-addr: 216.0.0.1
CONFIG_END

View file

@ -7,6 +7,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -7,6 +7,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -1,12 +1,13 @@
; config options
server:
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
val-override-date: "20120420235959"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
minimal-responses: no
rrset-roundrobin: no
stub-zone:
name: "."
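Review bot: in this hunk, and in the later ones that show only `@ -1,6 +1,6 @@`, the `trust-anchor:` line appears both as removed and as re-added with identical visible text, so the change on that line is whitespace or line-ending only. If it is unintentional, drop it so the diff shows just the `rrset-roundrobin: no` addition; if it is intentional (for example tabs versus spaces in the test config), say so in the commit message so reviewers do not have to diff the bytes.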

View file

@ -1,12 +1,13 @@
; config options
server:
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
val-override-date: "20120420235959"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
minimal-responses: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -1,11 +1,12 @@
; config options
server:
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
val-override-date: "20120420235959"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -1,6 +1,6 @@
; config options
server:
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
val-override-date: "20120420235959"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"

View file

@ -1,11 +1,12 @@
; config options
server:
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
val-override-date: "20120420235959"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -1,6 +1,6 @@
; config options
server:
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
val-override-date: "20120420235959"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"

View file

@ -1,6 +1,6 @@
; config options
server:
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
val-override-date: "20120420235959"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"

View file

@ -1,6 +1,6 @@
; config options
server:
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
val-override-date: "20120420235959"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"

View file

@ -1,6 +1,6 @@
; config options
server:
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )"
val-override-date: "20120420235959"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"

View file

@ -7,6 +7,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -7,6 +7,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -9,6 +9,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -10,6 +10,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
minimal-responses: no
rrset-roundrobin: no
stub-zone:
name: "."

View file

@ -5,6 +5,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
minimal-responses: no
rrset-roundrobin: no
forward-zone:
name: "."

View file

@ -117,6 +117,7 @@ config_create(void)
cfg->tls_cert_bundle = NULL;
cfg->tls_win_cert = 0;
cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT;
cfg->tls_use_sni = 1;
cfg->use_syslog = 1;
cfg->log_identity = NULL; /* changed later with argv[0] */
cfg->log_time_ascii = 0;
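Review bot: defaulting `tls_use_sni` to 1 preserves the existing behaviour, since before this change the name was always sent as SNI (see the `set_auth_name_on_ssl` hunk in net_help.c below), so the new option is strictly opt-out; the man page and example.conf text for `tls-use-sni` are not in the visible diff, so confirm they are included and state the default of yes.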
@ -187,6 +188,7 @@ config_create(void)
cfg->so_reuseport = REUSEPORT_DEFAULT;
cfg->ip_transparent = 0;
cfg->ip_freebind = 0;
cfg->ip_dscp = 0;
cfg->num_ifs = 0;
cfg->ifs = NULL;
cfg->num_out_ifs = 0;
@ -273,7 +275,7 @@ config_create(void)
cfg->control_port = UNBOUND_CONTROL_PORT;
cfg->control_use_cert = 1;
cfg->minimal_responses = 1;
cfg->rrset_roundrobin = 0;
cfg->rrset_roundrobin = 1;
cfg->unknown_server_time_limit = 376;
cfg->max_udp_size = 4096;
if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key")))
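Review bot: changing `cfg->rrset_roundrobin` from 0 to 1 alters the observable answer order for every deployment that does not set the option, which is why the test configs above had to pin `rrset-roundrobin: no`; this needs a changelog entry and a man page default update (neither is visible here). The matching flip of the `RRSET_ROUNDROBIN` global in net_help.c further down keeps both defaults in step.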
@ -337,6 +339,7 @@ config_create(void)
if(!(cfg->redis_server_host = strdup("127.0.0.1"))) goto error_exit;
cfg->redis_timeout = 100;
cfg->redis_server_port = 6379;
cfg->redis_expire_records = 0;
#endif /* USE_REDIS */
#endif /* USE_CACHEDB */
#ifdef USE_IPSET
@ -507,6 +510,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_STR("tls-ciphers:", tls_ciphers)
else S_STR("tls-ciphersuites:", tls_ciphersuites)
else S_NUMBER_NONZERO("https-port:", https_port)
else S_YNO("tls-use-sni:", tls_use_sni)
else S_YNO("interface-automatic:", if_automatic)
else S_YNO("use-systemd:", use_systemd)
else S_YNO("do-daemonize:", do_daemonize)
@ -526,6 +530,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_YNO("so-reuseport:", so_reuseport)
else S_YNO("ip-transparent:", ip_transparent)
else S_YNO("ip-freebind:", ip_freebind)
else S_NUMBER_OR_ZERO("ip-dscp:", ip_dscp)
else S_MEMSIZE("rrset-cache-size:", rrset_cache_size)
else S_POW2("rrset-cache-slabs:", rrset_cache_slabs)
else S_YNO("prefetch:", prefetch)
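Review bot: `S_NUMBER_OR_ZERO("ip-dscp:", ip_dscp)` only checks that the value parses as a number, while the grammar rule for the same option in configparser.y rejects values above 63 and below 0. Through config_set_option an out-of-range codepoint would therefore be stored and later applied to the sockets, so add the same bound here, e.g. reject the value with a `verbose(VERB_QUERY, ...)` and `return 0` when `atoi(val) < 0 || atoi(val) > 63`, before the assignment.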
@ -925,6 +930,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "so-reuseport", so_reuseport)
else O_YNO(opt, "ip-transparent", ip_transparent)
else O_YNO(opt, "ip-freebind", ip_freebind)
else O_DEC(opt, "ip-dscp", ip_dscp)
else O_MEM(opt, "rrset-cache-size", rrset_cache_size)
else O_DEC(opt, "rrset-cache-slabs", rrset_cache_slabs)
else O_YNO(opt, "prefetch-key", prefetch_key)
@ -960,6 +966,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_STR(opt, "tls-ciphers", tls_ciphers)
else O_STR(opt, "tls-ciphersuites", tls_ciphersuites)
else O_DEC(opt, "https-port", https_port)
else O_YNO(opt, "tls-use-sni", tls_use_sni)
else O_YNO(opt, "use-systemd", use_systemd)
else O_YNO(opt, "do-daemonize", do_daemonize)
else O_STR(opt, "chroot", chrootdir)
@ -1135,6 +1142,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_STR(opt, "redis-server-host", redis_server_host)
else O_DEC(opt, "redis-server-port", redis_server_port)
else O_DEC(opt, "redis-timeout", redis_timeout)
else O_YNO(opt, "redis-expire-records", redis_expire_records)
#endif /* USE_REDIS */
#endif /* USE_CACHEDB */
#ifdef USE_IPSET

View file

@ -130,6 +130,8 @@ struct config_file {
char* tls_ciphersuites;
/** port on which to provide DNS over HTTPS service */
int https_port;
/** if SNI is to be used */
int tls_use_sni;
/** outgoing port range number of ports (per thread) */
int outgoing_num_ports;
@ -190,6 +192,8 @@ struct config_file {
int ip_transparent;
/** IP_FREEBIND socket option request on port 53 sockets */
int ip_freebind;
/** IP_TOS socket option requested on port 53 sockets */
int ip_dscp;
/** number of interfaces to open. If 0 default all interfaces. */
int num_ifs;
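Review bot: the comment on `ip_dscp` says `IP_TOS socket option` but the value is a DSCP codepoint (the parser caps it at 63), which occupies the top six bits of the TOS / traffic-class byte. The code that applies it is not in this view, so make the comment state whether `ip_dscp` is shifted left by two before `setsockopt(IP_TOS)` and that `IPV6_TCLASS` is the equivalent for IPv6 sockets; otherwise the next reader will pass the raw value and mark packets with the wrong codepoint.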
@ -598,6 +602,8 @@ struct config_file {
int redis_server_port;
/** timeout (in ms) for communication with the redis server */
int redis_timeout;
/** set timeout on redis records based on DNS response ttl */
int redis_expire_records;
#endif
#endif

File diff suppressed because it is too large Load diff

View file

@ -249,6 +249,7 @@ tls-session-ticket-keys{COLON} { YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) }
tls-ciphers{COLON} { YDVAR(1, VAR_TLS_CIPHERS) }
tls-ciphersuites{COLON} { YDVAR(1, VAR_TLS_CIPHERSUITES) }
https-port{COLON} { YDVAR(1, VAR_HTTPS_PORT) }
tls-use-sni{COLON} { YDVAR(1, VAR_TLS_USE_SNI) }
use-systemd{COLON} { YDVAR(1, VAR_USE_SYSTEMD) }
do-daemonize{COLON} { YDVAR(1, VAR_DO_DAEMONIZE) }
interface{COLON} { YDVAR(1, VAR_INTERFACE) }
@ -260,6 +261,7 @@ so-sndbuf{COLON} { YDVAR(1, VAR_SO_SNDBUF) }
so-reuseport{COLON} { YDVAR(1, VAR_SO_REUSEPORT) }
ip-transparent{COLON} { YDVAR(1, VAR_IP_TRANSPARENT) }
ip-freebind{COLON} { YDVAR(1, VAR_IP_FREEBIND) }
ip-dscp{COLON} { YDVAR(1, VAR_IP_DSCP) }
chroot{COLON} { YDVAR(1, VAR_CHROOT) }
username{COLON} { YDVAR(1, VAR_USERNAME) }
directory{COLON} { YDVAR(1, VAR_DIRECTORY) }
@ -500,6 +502,7 @@ secret-seed{COLON} { YDVAR(1, VAR_CACHEDB_SECRETSEED) }
redis-server-host{COLON} { YDVAR(1, VAR_CACHEDB_REDISHOST) }
redis-server-port{COLON} { YDVAR(1, VAR_CACHEDB_REDISPORT) }
redis-timeout{COLON} { YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) }
redis-expire-records{COLON} { YDVAR(1, VAR_CACHEDB_REDISEXPIRERECORDS) }
ipset{COLON} { YDVAR(0, VAR_IPSET) }
name-v4{COLON} { YDVAR(1, VAR_IPSET_NAME_V4) }
name-v6{COLON} { YDVAR(1, VAR_IPSET_NAME_V6) }

File diff suppressed because it is too large Load diff

View file

@ -219,115 +219,118 @@ extern int yydebug;
VAR_RESPONSE_IP_DATA = 429,
VAR_HARDEN_ALGO_DOWNGRADE = 430,
VAR_IP_TRANSPARENT = 431,
VAR_DISABLE_DNSSEC_LAME_CHECK = 432,
VAR_IP_RATELIMIT = 433,
VAR_IP_RATELIMIT_SLABS = 434,
VAR_IP_RATELIMIT_SIZE = 435,
VAR_RATELIMIT = 436,
VAR_RATELIMIT_SLABS = 437,
VAR_RATELIMIT_SIZE = 438,
VAR_RATELIMIT_FOR_DOMAIN = 439,
VAR_RATELIMIT_BELOW_DOMAIN = 440,
VAR_IP_RATELIMIT_FACTOR = 441,
VAR_RATELIMIT_FACTOR = 442,
VAR_SEND_CLIENT_SUBNET = 443,
VAR_CLIENT_SUBNET_ZONE = 444,
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 445,
VAR_CLIENT_SUBNET_OPCODE = 446,
VAR_MAX_CLIENT_SUBNET_IPV4 = 447,
VAR_MAX_CLIENT_SUBNET_IPV6 = 448,
VAR_MIN_CLIENT_SUBNET_IPV4 = 449,
VAR_MIN_CLIENT_SUBNET_IPV6 = 450,
VAR_MAX_ECS_TREE_SIZE_IPV4 = 451,
VAR_MAX_ECS_TREE_SIZE_IPV6 = 452,
VAR_CAPS_WHITELIST = 453,
VAR_CACHE_MAX_NEGATIVE_TTL = 454,
VAR_PERMIT_SMALL_HOLDDOWN = 455,
VAR_QNAME_MINIMISATION = 456,
VAR_QNAME_MINIMISATION_STRICT = 457,
VAR_IP_FREEBIND = 458,
VAR_DEFINE_TAG = 459,
VAR_LOCAL_ZONE_TAG = 460,
VAR_ACCESS_CONTROL_TAG = 461,
VAR_LOCAL_ZONE_OVERRIDE = 462,
VAR_ACCESS_CONTROL_TAG_ACTION = 463,
VAR_ACCESS_CONTROL_TAG_DATA = 464,
VAR_VIEW = 465,
VAR_ACCESS_CONTROL_VIEW = 466,
VAR_VIEW_FIRST = 467,
VAR_SERVE_EXPIRED = 468,
VAR_SERVE_EXPIRED_TTL = 469,
VAR_SERVE_EXPIRED_TTL_RESET = 470,
VAR_SERVE_EXPIRED_REPLY_TTL = 471,
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 472,
VAR_FAKE_DSA = 473,
VAR_FAKE_SHA1 = 474,
VAR_LOG_IDENTITY = 475,
VAR_HIDE_TRUSTANCHOR = 476,
VAR_TRUST_ANCHOR_SIGNALING = 477,
VAR_AGGRESSIVE_NSEC = 478,
VAR_USE_SYSTEMD = 479,
VAR_SHM_ENABLE = 480,
VAR_SHM_KEY = 481,
VAR_ROOT_KEY_SENTINEL = 482,
VAR_DNSCRYPT = 483,
VAR_DNSCRYPT_ENABLE = 484,
VAR_DNSCRYPT_PORT = 485,
VAR_DNSCRYPT_PROVIDER = 486,
VAR_DNSCRYPT_SECRET_KEY = 487,
VAR_DNSCRYPT_PROVIDER_CERT = 488,
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 489,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 490,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 491,
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 492,
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 493,
VAR_IPSECMOD_ENABLED = 494,
VAR_IPSECMOD_HOOK = 495,
VAR_IPSECMOD_IGNORE_BOGUS = 496,
VAR_IPSECMOD_MAX_TTL = 497,
VAR_IPSECMOD_WHITELIST = 498,
VAR_IPSECMOD_STRICT = 499,
VAR_CACHEDB = 500,
VAR_CACHEDB_BACKEND = 501,
VAR_CACHEDB_SECRETSEED = 502,
VAR_CACHEDB_REDISHOST = 503,
VAR_CACHEDB_REDISPORT = 504,
VAR_CACHEDB_REDISTIMEOUT = 505,
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 506,
VAR_FOR_UPSTREAM = 507,
VAR_AUTH_ZONE = 508,
VAR_ZONEFILE = 509,
VAR_MASTER = 510,
VAR_URL = 511,
VAR_FOR_DOWNSTREAM = 512,
VAR_FALLBACK_ENABLED = 513,
VAR_TLS_ADDITIONAL_PORT = 514,
VAR_LOW_RTT = 515,
VAR_LOW_RTT_PERMIL = 516,
VAR_FAST_SERVER_PERMIL = 517,
VAR_FAST_SERVER_NUM = 518,
VAR_ALLOW_NOTIFY = 519,
VAR_TLS_WIN_CERT = 520,
VAR_TCP_CONNECTION_LIMIT = 521,
VAR_FORWARD_NO_CACHE = 522,
VAR_STUB_NO_CACHE = 523,
VAR_LOG_SERVFAIL = 524,
VAR_DENY_ANY = 525,
VAR_UNKNOWN_SERVER_TIME_LIMIT = 526,
VAR_LOG_TAG_QUERYREPLY = 527,
VAR_STREAM_WAIT_SIZE = 528,
VAR_TLS_CIPHERS = 529,
VAR_TLS_CIPHERSUITES = 530,
VAR_IPSET = 531,
VAR_IPSET_NAME_V4 = 532,
VAR_IPSET_NAME_V6 = 533,
VAR_TLS_SESSION_TICKET_KEYS = 534,
VAR_RPZ = 535,
VAR_TAGS = 536,
VAR_RPZ_ACTION_OVERRIDE = 537,
VAR_RPZ_CNAME_OVERRIDE = 538,
VAR_RPZ_LOG = 539,
VAR_RPZ_LOG_NAME = 540
VAR_IP_DSCP = 432,
VAR_DISABLE_DNSSEC_LAME_CHECK = 433,
VAR_IP_RATELIMIT = 434,
VAR_IP_RATELIMIT_SLABS = 435,
VAR_IP_RATELIMIT_SIZE = 436,
VAR_RATELIMIT = 437,
VAR_RATELIMIT_SLABS = 438,
VAR_RATELIMIT_SIZE = 439,
VAR_RATELIMIT_FOR_DOMAIN = 440,
VAR_RATELIMIT_BELOW_DOMAIN = 441,
VAR_IP_RATELIMIT_FACTOR = 442,
VAR_RATELIMIT_FACTOR = 443,
VAR_SEND_CLIENT_SUBNET = 444,
VAR_CLIENT_SUBNET_ZONE = 445,
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 446,
VAR_CLIENT_SUBNET_OPCODE = 447,
VAR_MAX_CLIENT_SUBNET_IPV4 = 448,
VAR_MAX_CLIENT_SUBNET_IPV6 = 449,
VAR_MIN_CLIENT_SUBNET_IPV4 = 450,
VAR_MIN_CLIENT_SUBNET_IPV6 = 451,
VAR_MAX_ECS_TREE_SIZE_IPV4 = 452,
VAR_MAX_ECS_TREE_SIZE_IPV6 = 453,
VAR_CAPS_WHITELIST = 454,
VAR_CACHE_MAX_NEGATIVE_TTL = 455,
VAR_PERMIT_SMALL_HOLDDOWN = 456,
VAR_QNAME_MINIMISATION = 457,
VAR_QNAME_MINIMISATION_STRICT = 458,
VAR_IP_FREEBIND = 459,
VAR_DEFINE_TAG = 460,
VAR_LOCAL_ZONE_TAG = 461,
VAR_ACCESS_CONTROL_TAG = 462,
VAR_LOCAL_ZONE_OVERRIDE = 463,
VAR_ACCESS_CONTROL_TAG_ACTION = 464,
VAR_ACCESS_CONTROL_TAG_DATA = 465,
VAR_VIEW = 466,
VAR_ACCESS_CONTROL_VIEW = 467,
VAR_VIEW_FIRST = 468,
VAR_SERVE_EXPIRED = 469,
VAR_SERVE_EXPIRED_TTL = 470,
VAR_SERVE_EXPIRED_TTL_RESET = 471,
VAR_SERVE_EXPIRED_REPLY_TTL = 472,
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 473,
VAR_FAKE_DSA = 474,
VAR_FAKE_SHA1 = 475,
VAR_LOG_IDENTITY = 476,
VAR_HIDE_TRUSTANCHOR = 477,
VAR_TRUST_ANCHOR_SIGNALING = 478,
VAR_AGGRESSIVE_NSEC = 479,
VAR_USE_SYSTEMD = 480,
VAR_SHM_ENABLE = 481,
VAR_SHM_KEY = 482,
VAR_ROOT_KEY_SENTINEL = 483,
VAR_DNSCRYPT = 484,
VAR_DNSCRYPT_ENABLE = 485,
VAR_DNSCRYPT_PORT = 486,
VAR_DNSCRYPT_PROVIDER = 487,
VAR_DNSCRYPT_SECRET_KEY = 488,
VAR_DNSCRYPT_PROVIDER_CERT = 489,
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 490,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 491,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 492,
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 493,
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 494,
VAR_IPSECMOD_ENABLED = 495,
VAR_IPSECMOD_HOOK = 496,
VAR_IPSECMOD_IGNORE_BOGUS = 497,
VAR_IPSECMOD_MAX_TTL = 498,
VAR_IPSECMOD_WHITELIST = 499,
VAR_IPSECMOD_STRICT = 500,
VAR_CACHEDB = 501,
VAR_CACHEDB_BACKEND = 502,
VAR_CACHEDB_SECRETSEED = 503,
VAR_CACHEDB_REDISHOST = 504,
VAR_CACHEDB_REDISPORT = 505,
VAR_CACHEDB_REDISTIMEOUT = 506,
VAR_CACHEDB_REDISEXPIRERECORDS = 507,
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 508,
VAR_FOR_UPSTREAM = 509,
VAR_AUTH_ZONE = 510,
VAR_ZONEFILE = 511,
VAR_MASTER = 512,
VAR_URL = 513,
VAR_FOR_DOWNSTREAM = 514,
VAR_FALLBACK_ENABLED = 515,
VAR_TLS_ADDITIONAL_PORT = 516,
VAR_LOW_RTT = 517,
VAR_LOW_RTT_PERMIL = 518,
VAR_FAST_SERVER_PERMIL = 519,
VAR_FAST_SERVER_NUM = 520,
VAR_ALLOW_NOTIFY = 521,
VAR_TLS_WIN_CERT = 522,
VAR_TCP_CONNECTION_LIMIT = 523,
VAR_FORWARD_NO_CACHE = 524,
VAR_STUB_NO_CACHE = 525,
VAR_LOG_SERVFAIL = 526,
VAR_DENY_ANY = 527,
VAR_UNKNOWN_SERVER_TIME_LIMIT = 528,
VAR_LOG_TAG_QUERYREPLY = 529,
VAR_STREAM_WAIT_SIZE = 530,
VAR_TLS_CIPHERS = 531,
VAR_TLS_CIPHERSUITES = 532,
VAR_TLS_USE_SNI = 533,
VAR_IPSET = 534,
VAR_IPSET_NAME_V4 = 535,
VAR_IPSET_NAME_V6 = 536,
VAR_TLS_SESSION_TICKET_KEYS = 537,
VAR_RPZ = 538,
VAR_TAGS = 539,
VAR_RPZ_ACTION_OVERRIDE = 540,
VAR_RPZ_CNAME_OVERRIDE = 541,
VAR_RPZ_LOG = 542,
VAR_RPZ_LOG_NAME = 543
};
#endif
/* Tokens. */
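Review bot: inserting `VAR_IP_DSCP` directly after `VAR_IP_TRANSPARENT` (and `VAR_CACHEDB_REDISEXPIRERECORDS` and `VAR_TLS_USE_SNI` mid-list) renumbers every later token, which is why this generated header shows over a hundred changed lines. That is harmless as long as configparser.c (suppressed above) was regenerated in the same bison run, which the updated `#line 634` directive below suggests, but appending new tokens at the end of the `%token` list would keep future generated diffs small and reviewable.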
@ -505,115 +508,118 @@ extern int yydebug;
#define VAR_RESPONSE_IP_DATA 429
#define VAR_HARDEN_ALGO_DOWNGRADE 430
#define VAR_IP_TRANSPARENT 431
#define VAR_DISABLE_DNSSEC_LAME_CHECK 432
#define VAR_IP_RATELIMIT 433
#define VAR_IP_RATELIMIT_SLABS 434
#define VAR_IP_RATELIMIT_SIZE 435
#define VAR_RATELIMIT 436
#define VAR_RATELIMIT_SLABS 437
#define VAR_RATELIMIT_SIZE 438
#define VAR_RATELIMIT_FOR_DOMAIN 439
#define VAR_RATELIMIT_BELOW_DOMAIN 440
#define VAR_IP_RATELIMIT_FACTOR 441
#define VAR_RATELIMIT_FACTOR 442
#define VAR_SEND_CLIENT_SUBNET 443
#define VAR_CLIENT_SUBNET_ZONE 444
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 445
#define VAR_CLIENT_SUBNET_OPCODE 446
#define VAR_MAX_CLIENT_SUBNET_IPV4 447
#define VAR_MAX_CLIENT_SUBNET_IPV6 448
#define VAR_MIN_CLIENT_SUBNET_IPV4 449
#define VAR_MIN_CLIENT_SUBNET_IPV6 450
#define VAR_MAX_ECS_TREE_SIZE_IPV4 451
#define VAR_MAX_ECS_TREE_SIZE_IPV6 452
#define VAR_CAPS_WHITELIST 453
#define VAR_CACHE_MAX_NEGATIVE_TTL 454
#define VAR_PERMIT_SMALL_HOLDDOWN 455
#define VAR_QNAME_MINIMISATION 456
#define VAR_QNAME_MINIMISATION_STRICT 457
#define VAR_IP_FREEBIND 458
#define VAR_DEFINE_TAG 459
#define VAR_LOCAL_ZONE_TAG 460
#define VAR_ACCESS_CONTROL_TAG 461
#define VAR_LOCAL_ZONE_OVERRIDE 462
#define VAR_ACCESS_CONTROL_TAG_ACTION 463
#define VAR_ACCESS_CONTROL_TAG_DATA 464
#define VAR_VIEW 465
#define VAR_ACCESS_CONTROL_VIEW 466
#define VAR_VIEW_FIRST 467
#define VAR_SERVE_EXPIRED 468
#define VAR_SERVE_EXPIRED_TTL 469
#define VAR_SERVE_EXPIRED_TTL_RESET 470
#define VAR_SERVE_EXPIRED_REPLY_TTL 471
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 472
#define VAR_FAKE_DSA 473
#define VAR_FAKE_SHA1 474
#define VAR_LOG_IDENTITY 475
#define VAR_HIDE_TRUSTANCHOR 476
#define VAR_TRUST_ANCHOR_SIGNALING 477
#define VAR_AGGRESSIVE_NSEC 478
#define VAR_USE_SYSTEMD 479
#define VAR_SHM_ENABLE 480
#define VAR_SHM_KEY 481
#define VAR_ROOT_KEY_SENTINEL 482
#define VAR_DNSCRYPT 483
#define VAR_DNSCRYPT_ENABLE 484
#define VAR_DNSCRYPT_PORT 485
#define VAR_DNSCRYPT_PROVIDER 486
#define VAR_DNSCRYPT_SECRET_KEY 487
#define VAR_DNSCRYPT_PROVIDER_CERT 488
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 489
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 490
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 491
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 492
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 493
#define VAR_IPSECMOD_ENABLED 494
#define VAR_IPSECMOD_HOOK 495
#define VAR_IPSECMOD_IGNORE_BOGUS 496
#define VAR_IPSECMOD_MAX_TTL 497
#define VAR_IPSECMOD_WHITELIST 498
#define VAR_IPSECMOD_STRICT 499
#define VAR_CACHEDB 500
#define VAR_CACHEDB_BACKEND 501
#define VAR_CACHEDB_SECRETSEED 502
#define VAR_CACHEDB_REDISHOST 503
#define VAR_CACHEDB_REDISPORT 504
#define VAR_CACHEDB_REDISTIMEOUT 505
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 506
#define VAR_FOR_UPSTREAM 507
#define VAR_AUTH_ZONE 508
#define VAR_ZONEFILE 509
#define VAR_MASTER 510
#define VAR_URL 511
#define VAR_FOR_DOWNSTREAM 512
#define VAR_FALLBACK_ENABLED 513
#define VAR_TLS_ADDITIONAL_PORT 514
#define VAR_LOW_RTT 515
#define VAR_LOW_RTT_PERMIL 516
#define VAR_FAST_SERVER_PERMIL 517
#define VAR_FAST_SERVER_NUM 518
#define VAR_ALLOW_NOTIFY 519
#define VAR_TLS_WIN_CERT 520
#define VAR_TCP_CONNECTION_LIMIT 521
#define VAR_FORWARD_NO_CACHE 522
#define VAR_STUB_NO_CACHE 523
#define VAR_LOG_SERVFAIL 524
#define VAR_DENY_ANY 525
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 526
#define VAR_LOG_TAG_QUERYREPLY 527
#define VAR_STREAM_WAIT_SIZE 528
#define VAR_TLS_CIPHERS 529
#define VAR_TLS_CIPHERSUITES 530
#define VAR_IPSET 531
#define VAR_IPSET_NAME_V4 532
#define VAR_IPSET_NAME_V6 533
#define VAR_TLS_SESSION_TICKET_KEYS 534
#define VAR_RPZ 535
#define VAR_TAGS 536
#define VAR_RPZ_ACTION_OVERRIDE 537
#define VAR_RPZ_CNAME_OVERRIDE 538
#define VAR_RPZ_LOG 539
#define VAR_RPZ_LOG_NAME 540
#define VAR_IP_DSCP 432
#define VAR_DISABLE_DNSSEC_LAME_CHECK 433
#define VAR_IP_RATELIMIT 434
#define VAR_IP_RATELIMIT_SLABS 435
#define VAR_IP_RATELIMIT_SIZE 436
#define VAR_RATELIMIT 437
#define VAR_RATELIMIT_SLABS 438
#define VAR_RATELIMIT_SIZE 439
#define VAR_RATELIMIT_FOR_DOMAIN 440
#define VAR_RATELIMIT_BELOW_DOMAIN 441
#define VAR_IP_RATELIMIT_FACTOR 442
#define VAR_RATELIMIT_FACTOR 443
#define VAR_SEND_CLIENT_SUBNET 444
#define VAR_CLIENT_SUBNET_ZONE 445
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 446
#define VAR_CLIENT_SUBNET_OPCODE 447
#define VAR_MAX_CLIENT_SUBNET_IPV4 448
#define VAR_MAX_CLIENT_SUBNET_IPV6 449
#define VAR_MIN_CLIENT_SUBNET_IPV4 450
#define VAR_MIN_CLIENT_SUBNET_IPV6 451
#define VAR_MAX_ECS_TREE_SIZE_IPV4 452
#define VAR_MAX_ECS_TREE_SIZE_IPV6 453
#define VAR_CAPS_WHITELIST 454
#define VAR_CACHE_MAX_NEGATIVE_TTL 455
#define VAR_PERMIT_SMALL_HOLDDOWN 456
#define VAR_QNAME_MINIMISATION 457
#define VAR_QNAME_MINIMISATION_STRICT 458
#define VAR_IP_FREEBIND 459
#define VAR_DEFINE_TAG 460
#define VAR_LOCAL_ZONE_TAG 461
#define VAR_ACCESS_CONTROL_TAG 462
#define VAR_LOCAL_ZONE_OVERRIDE 463
#define VAR_ACCESS_CONTROL_TAG_ACTION 464
#define VAR_ACCESS_CONTROL_TAG_DATA 465
#define VAR_VIEW 466
#define VAR_ACCESS_CONTROL_VIEW 467
#define VAR_VIEW_FIRST 468
#define VAR_SERVE_EXPIRED 469
#define VAR_SERVE_EXPIRED_TTL 470
#define VAR_SERVE_EXPIRED_TTL_RESET 471
#define VAR_SERVE_EXPIRED_REPLY_TTL 472
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 473
#define VAR_FAKE_DSA 474
#define VAR_FAKE_SHA1 475
#define VAR_LOG_IDENTITY 476
#define VAR_HIDE_TRUSTANCHOR 477
#define VAR_TRUST_ANCHOR_SIGNALING 478
#define VAR_AGGRESSIVE_NSEC 479
#define VAR_USE_SYSTEMD 480
#define VAR_SHM_ENABLE 481
#define VAR_SHM_KEY 482
#define VAR_ROOT_KEY_SENTINEL 483
#define VAR_DNSCRYPT 484
#define VAR_DNSCRYPT_ENABLE 485
#define VAR_DNSCRYPT_PORT 486
#define VAR_DNSCRYPT_PROVIDER 487
#define VAR_DNSCRYPT_SECRET_KEY 488
#define VAR_DNSCRYPT_PROVIDER_CERT 489
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 490
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 491
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 492
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 493
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 494
#define VAR_IPSECMOD_ENABLED 495
#define VAR_IPSECMOD_HOOK 496
#define VAR_IPSECMOD_IGNORE_BOGUS 497
#define VAR_IPSECMOD_MAX_TTL 498
#define VAR_IPSECMOD_WHITELIST 499
#define VAR_IPSECMOD_STRICT 500
#define VAR_CACHEDB 501
#define VAR_CACHEDB_BACKEND 502
#define VAR_CACHEDB_SECRETSEED 503
#define VAR_CACHEDB_REDISHOST 504
#define VAR_CACHEDB_REDISPORT 505
#define VAR_CACHEDB_REDISTIMEOUT 506
#define VAR_CACHEDB_REDISEXPIRERECORDS 507
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 508
#define VAR_FOR_UPSTREAM 509
#define VAR_AUTH_ZONE 510
#define VAR_ZONEFILE 511
#define VAR_MASTER 512
#define VAR_URL 513
#define VAR_FOR_DOWNSTREAM 514
#define VAR_FALLBACK_ENABLED 515
#define VAR_TLS_ADDITIONAL_PORT 516
#define VAR_LOW_RTT 517
#define VAR_LOW_RTT_PERMIL 518
#define VAR_FAST_SERVER_PERMIL 519
#define VAR_FAST_SERVER_NUM 520
#define VAR_ALLOW_NOTIFY 521
#define VAR_TLS_WIN_CERT 522
#define VAR_TCP_CONNECTION_LIMIT 523
#define VAR_FORWARD_NO_CACHE 524
#define VAR_STUB_NO_CACHE 525
#define VAR_LOG_SERVFAIL 526
#define VAR_DENY_ANY 527
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 528
#define VAR_LOG_TAG_QUERYREPLY 529
#define VAR_STREAM_WAIT_SIZE 530
#define VAR_TLS_CIPHERS 531
#define VAR_TLS_CIPHERSUITES 532
#define VAR_TLS_USE_SNI 533
#define VAR_IPSET 534
#define VAR_IPSET_NAME_V4 535
#define VAR_IPSET_NAME_V6 536
#define VAR_TLS_SESSION_TICKET_KEYS 537
#define VAR_RPZ 538
#define VAR_TAGS 539
#define VAR_RPZ_ACTION_OVERRIDE 540
#define VAR_RPZ_CNAME_OVERRIDE 541
#define VAR_RPZ_LOG 542
#define VAR_RPZ_LOG_NAME 543
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -624,7 +630,7 @@ union YYSTYPE
char* str;
#line 628 "util/configparser.h" /* yacc.c:1909 */
#line 634 "util/configparser.h" /* yacc.c:1909 */
};
typedef union YYSTYPE YYSTYPE;

View file

@ -130,6 +130,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES
%token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA
%token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
%token VAR_IP_DSCP
%token VAR_DISABLE_DNSSEC_LAME_CHECK
%token VAR_IP_RATELIMIT VAR_IP_RATELIMIT_SLABS VAR_IP_RATELIMIT_SIZE
%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
@ -162,6 +163,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
%token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
%token VAR_CACHEDB_REDISHOST VAR_CACHEDB_REDISPORT VAR_CACHEDB_REDISTIMEOUT
%token VAR_CACHEDB_REDISEXPIRERECORDS
%token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM VAR_FOR_UPSTREAM
%token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM
%token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL
@ -169,7 +171,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT VAR_TCP_CONNECTION_LIMIT
%token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL VAR_DENY_ANY
%token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES
%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES VAR_TLS_USE_SNI
%token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6
%token VAR_TLS_SESSION_TICKET_KEYS VAR_RPZ VAR_TAGS VAR_RPZ_ACTION_OVERRIDE
%token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME
@ -243,6 +245,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_dns64_prefix | server_dns64_synthall | server_dns64_ignore_aaaa |
server_infra_cache_min_rtt | server_harden_algo_downgrade |
server_ip_transparent | server_ip_ratelimit | server_ratelimit |
server_ip_dscp |
server_ip_ratelimit_slabs | server_ratelimit_slabs |
server_ip_ratelimit_size | server_ratelimit_size |
server_ratelimit_for_domain |
@ -276,7 +279,8 @@ content_server: server_num_threads | server_verbosity | server_port |
server_tcp_connection_limit | server_log_servfail | server_deny_any |
server_unknown_server_time_limit | server_log_tag_queryreply |
server_stream_wait_size | server_tls_ciphers |
server_tls_ciphersuites | server_tls_session_ticket_keys
server_tls_ciphersuites | server_tls_session_ticket_keys |
server_tls_use_sni
;
stubstart: VAR_STUB_ZONE
{
@ -957,6 +961,13 @@ server_https_port: VAR_HTTPS_PORT STRING_ARG
if(atoi($2) == 0)
yyerror("port number expected");
else cfg_parser->cfg->https_port = atoi($2);
};
server_tls_use_sni: VAR_TLS_USE_SNI STRING_ARG
{
OUTYY(("P(server_tls_use_sni:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->tls_use_sni = (strcmp($2, "yes")==0);
free($2);
}
;
@ -1269,6 +1280,20 @@ server_ip_freebind: VAR_IP_FREEBIND STRING_ARG
free($2);
}
;
server_ip_dscp: VAR_IP_DSCP STRING_ARG
{
OUTYY(("P(server_ip_dscp:%s)\n", $2));
if(atoi($2) == 0 && strcmp($2, "0") != 0)
yyerror("number expected");
else if (atoi($2) > 63)
yyerror("value too large (max 63)");
else if (atoi($2) < 0)
yyerror("value too small (min 0)");
else
cfg_parser->cfg->ip_dscp = atoi($2);
free($2);
}
;
server_stream_wait_size: VAR_STREAM_WAIT_SIZE STRING_ARG
{
OUTYY(("P(server_stream_wait_size:%s)\n", $2));
@ -3072,7 +3097,8 @@ cachedbstart: VAR_CACHEDB
contents_cachedb: contents_cachedb content_cachedb
| ;
content_cachedb: cachedb_backend_name | cachedb_secret_seed |
redis_server_host | redis_server_port | redis_timeout
redis_server_host | redis_server_port | redis_timeout |
redis_expire_records
;
cachedb_backend_name: VAR_CACHEDB_BACKEND STRING_ARG
{
@ -3138,6 +3164,19 @@ redis_timeout: VAR_CACHEDB_REDISTIMEOUT STRING_ARG
free($2);
}
;
redis_expire_records: VAR_CACHEDB_REDISEXPIRERECORDS STRING_ARG
{
#if defined(USE_CACHEDB) && defined(USE_REDIS)
OUTYY(("P(redis_expire_records:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->redis_expire_records = (strcmp($2, "yes")==0);
#else
OUTYY(("P(Compiled without cachedb or redis, ignoring)\n"));
#endif
free($2);
}
;
server_tcp_connection_limit: VAR_TCP_CONNECTION_LIMIT STRING_ARG STRING_ARG
{
OUTYY(("P(server_tcp_connection_limit:%s %s)\n", $2, $3));

View file

@ -70,8 +70,8 @@ uint16_t EDNS_ADVERTISED_SIZE = 4096;
/** minimal responses when positive answer: default is no */
int MINIMAL_RESPONSES = 0;
/** rrset order roundrobin: default is no */
int RRSET_ROUNDROBIN = 0;
/** rrset order roundrobin: default is yes */
int RRSET_ROUNDROBIN = 1;
/** log tag queries with name instead of 'info' for filtering */
int LOG_TAG_QUERYREPLY = 0;
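Review bot: the `RRSET_ROUNDROBIN` global now matches the `cfg->rrset_roundrobin = 1` default set in config_file.c, good. While here, note that the adjacent `MINIMAL_RESPONSES` comment still says `default is no` and the global is initialised to 0, although config_create sets `cfg->minimal_responses = 1` (visible as context in the config_file.c hunk above), so the same comment and initialiser drift exists one line up and could be fixed in the same commit.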
@ -1252,11 +1252,13 @@ int check_auth_name_for_ssl(char* auth_name)
}
/** set the authname on an SSL structure, SSL* ssl */
int set_auth_name_on_ssl(void* ssl, char* auth_name)
int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni)
{
if(!auth_name) return 1;
#ifdef HAVE_SSL
(void)SSL_set_tlsext_host_name(ssl, auth_name);
if(use_sni) {
(void)SSL_set_tlsext_host_name(ssl, auth_name);
}
#else
(void)ssl;
#endif
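Review bot: with `use_sni` set to 0 this function no longer does anything with `auth_name`, so certificate hostname verification must be wired up elsewhere (no `SSL_set1_host` or `X509_VERIFY_PARAM_set1_host` call is in this hunk); please confirm that disabling SNI does not also disable name checking, because an upstream configured with an authname is only protected against an on-path attacker if the peer certificate is still checked against that name. Separately, `(void)SSL_set_tlsext_host_name(...)` discards the return value although the header documents `0 on failure`; returning 0 when the extension cannot be set would let callers report it instead of silently connecting without SNI.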

View file

@ -453,9 +453,10 @@ int check_auth_name_for_ssl(char* auth_name);
* set auth name on SSL for verification
* @param ssl: SSL* to set
* @param auth_name: if NULL nothing happens, otherwise the name to check.
* @param use_sni: if SNI will be used.
* @return 1 on success or NULL auth_name, 0 on failure.
*/
int set_auth_name_on_ssl(void* ssl, char* auth_name);
int set_auth_name_on_ssl(void* ssl, char* auth_name, int use_sni);
/**
* Initialize openssl locking for thread safety

View file

@ -3651,7 +3651,10 @@ comm_point_send_reply(struct comm_reply *repinfo)
if(repinfo->c->tcp_parent->dtenv != NULL &&
repinfo->c->tcp_parent->dtenv->log_client_response_messages)
dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv,
&repinfo->addr, repinfo->c->type, repinfo->c->buffer);
&repinfo->addr, repinfo->c->type,
( repinfo->c->tcp_req_info
? repinfo->c->tcp_req_info->spool_buffer
: repinfo->c->buffer ));
#endif
if(repinfo->c->tcp_req_info) {
tcp_req_info_send_reply(repinfo->c->tcp_req_info);
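Review bot: logging `spool_buffer` instead of `c->buffer` when `tcp_req_info` is set picks the buffer that actually holds the reply for pipelined TCP queries, and the `dt_msg_send_client_response` call sits before `tcp_req_info_send_reply`, so the reply is logged before it is handed off. Check the other `dt_msg_send_client_response` call sites for the same `c->buffer` assumption, since any site that logs TCP replies without this conditional will still log the wrong (query) buffer for pipelined connections.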