Merge branch 'master' into simdzone-zone-load

This commit is contained in:
W.C.A. Wijngaards 2025-10-16 12:11:55 +02:00
commit f6b4582eec
13 changed files with 161 additions and 83 deletions


@ -12,6 +12,7 @@ jobs:
build:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- name: GCC on Linux
@ -48,15 +49,6 @@ jobs:
os: ubuntu-latest
config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=address" --disable-flto --disable-static'
make_test: "yes"
- name: Apple iPhone on iOS, armv7
os: macos-latest
AUTOTOOLS_HOST: armv7-apple-ios
OPENSSL_HOST: ios-cross
IOS_SDK: iPhoneOS
IOS_CPU: armv7s
test_ios: "yes"
config: "no"
make: "no"
- name: Apple iPhone on iOS, arm64
os: macos-latest
AUTOTOOLS_HOST: aarch64-apple-ios
@ -84,15 +76,6 @@ jobs:
test_ios: "yes"
config: "no"
make: "no"
- name: iPhoneSimulator on OS X, i386
os: macos-latest
AUTOTOOLS_HOST: i386-apple-ios
OPENSSL_HOST: iphoneos-cross
IOS_SDK: iPhoneSimulator
IOS_CPU: i386
test_ios: "yes"
config: "no"
make: "no"
- name: iPhoneSimulator on OS X, x86_64
os: macos-latest
AUTOTOOLS_HOST: x86_64-apple-ios

configure vendored

@ -22811,10 +22811,12 @@ then :
LIBS="$LIBS -lz"
fi
if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
:
else
LIBS="$LIBS -l:libssp.a"
if echo "$host" | $GREP -i -e linux >/dev/null; then
if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
:
else
LIBS="$LIBS -l:libssp.a"
fi
fi
fi
fi
@ -22875,10 +22877,12 @@ then :
LIBS="$LIBS -lz"
fi
if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
:
else
LIBS="$LIBS -l:libssp.a"
if echo "$host" | $GREP -i -e linux >/dev/null; then
if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
:
else
LIBS="$LIBS -l:libssp.a"
fi
fi
fi
fi


@ -1673,10 +1673,12 @@ if test x_$enable_static_exe = x_yes; then
LIBS="$LIBS -lgdi32"
fi
AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ])
if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
:
else
LIBS="$LIBS -l:libssp.a"
if echo "$host" | $GREP -i -e linux >/dev/null; then
if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
:
else
LIBS="$LIBS -l:libssp.a"
fi
fi
fi
fi
@ -1694,10 +1696,12 @@ if test x_$enable_fully_static = x_yes; then
LIBS="$LIBS -lgdi32"
fi
AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ])
if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
:
else
LIBS="$LIBS -l:libssp.a"
if echo "$host" | $GREP -i -e linux >/dev/null; then
if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then
:
else
LIBS="$LIBS -l:libssp.a"
fi
fi
fi
fi
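Review bot: The new host gate mixes `$GREP` on the outer line `if echo "$host" | $GREP -i -e linux >/dev/null; then` with a bare `grep` on the inner `if echo "$LIBS" | grep -e "libssp.a" -e "lssp" >/dev/null; then`, in both the enable_static_exe and enable_fully_static hunks; use `$GREP` in both places so the grep that configure detected is honoured consistently. The ChangeLog entry describes this as excluding libssp for windows compiles, but the condition restricts `-l:libssp.a` to hosts matching linux, which also skips every other non-Linux static build (BSDs, macOS); if that narrower scope is intended, a one-line comment noting that the static libssp link is Linux/GNU-ld specific (`-l:` is a GNU ld extension) would make it explicit. The same pattern is repeated in the vendored configure, which is regenerated from this file.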


@ -1,21 +1,22 @@
#!/usr/bin/env bash
OPENSSL_VERSION=1.1.1d
echo "Downloading OpenSSL"
if ! curl -L -k -s -o openssl-1.1.1d.tar.gz https://www.openssl.org/source/openssl-1.1.1d.tar.gz;
if ! curl -L -k -s -o openssl-$OPENSSL_VERSION.tar.gz https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz;
then
echo "Failed to download OpenSSL"
exit 1
fi
echo "Unpacking OpenSSL"
rm -rf ./openssl-1.1.1d
if ! tar -xf openssl-1.1.1d.tar.gz;
rm -rf ./openssl-$OPENSSL_VERSION
if ! tar -xf openssl-$OPENSSL_VERSION.tar.gz;
then
echo "Failed to unpack OpenSSL"
exit 1
fi
cd openssl-1.1.1d || exit 1
cd openssl-$OPENSSL_VERSION || exit 1
if ! cp ../contrib/ios/15-ios.conf Configurations/; then
echo "Failed to copy OpenSSL ios config"
@ -27,7 +28,8 @@ fi
# Also see https://github.com/openssl/openssl/issues/7607.
if ! patch -u -p0 < ../contrib/ios/openssl.patch; then
echo "Failed to patch OpenSSL"
exit 1
# the partial patch may be useful.
#exit 1
fi
echo "Configuring OpenSSL"
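Review bot: The rewritten download line `curl -L -k -s -o openssl-$OPENSSL_VERSION.tar.gz https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz;` still passes `-k`, so the OpenSSL source tarball is fetched with TLS certificate verification disabled and nothing afterwards checks its integrity, even though this tarball becomes the TLS library linked into the iOS build. Drop `-k` and, after the download, verify a pinned digest, e.g. `echo "<EXPECTED_SHA256>  openssl-$OPENSSL_VERSION.tar.gz" | shasum -a 256 -c - || exit 1` (placeholder digest, to be filled in from the upstream release). The pinned 1.1.1d release is end-of-life upstream, so the version now held in `OPENSSL_VERSION` is presumably meant to be bumped, which is what the variable makes easy. Separately, commenting out `exit 1` in the patch-failure branch means a partially applied patch no longer stops the script; if that is intended, log it more loudly than the existing echo so a CI run visibly shows the degraded state.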


@ -175,6 +175,7 @@ fi
# For example, remove 4.3, 6.2, and 6.1 if they are not installed. We go back to
# the 1.0 SDKs because Apple WatchOS uses low numbers, like 2.0 and 2.1.
XCODE_SDK=
if test -z "$SDK_VERSION"; then
for i in $(seq -f "%.1f" 30.0 -0.1 1.0)
do
if [ -d "$XCODE_DEVELOPER_SDK/Developer/SDKs/$IOS_SDK$i.sdk" ]; then
@ -182,6 +183,10 @@ do
break
fi
done
else
i="$SDK_VERSION"
XCODE_SDK="$IOS_SDK$i.sdk"
fi
# Error checking
if [ -z "$XCODE_SDK" ]; then
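Review bot: The new `else` branch sets `XCODE_SDK="$IOS_SDK$i.sdk"` from `SDK_VERSION` without checking that the SDK directory exists, and the `# Error checking` block that follows only tests `-z "$XCODE_SDK"`, so a mistyped SDK_VERSION passes the check and fails later in the build with a less clear message. Mirror the directory test from the loop before the error check: `if [ ! -d "$XCODE_DEVELOPER_SDK/Developer/SDKs/$XCODE_SDK" ]; then XCODE_SDK=; fi`, so the existing error path fires. The error-checking block continues past the hunk.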


@ -1,3 +1,25 @@
15 October 2025: Wouter
- Fix to drop UDP for discard-timeout, but not stream connections.
- Fix to reply with SERVFAIL when the wait-limit is exceeded.
- Add extended dns error code for invalid query type to definition
list.
- Fix unbound.conf man page entry for root-hints to say it can
be used without strongly recommending it.
- Remove iPhone armv7s, and iPhoneSimulator i386 from ios ci.
The lib system does not provide symbols for it on the new macos
runner.
- Fix to exclude libssp for windows compiles.
10 October 2025: Wouter
- Fix #1358 Enabling FIPS in OpenSSL causes unit test to fail.
3 October 2025: Yorgos
- Note 'respip' and 'dns64' module order in the unbound.conf
man page.
- Note clearly that 'wait-limit: 0' disables all wait limits.
- 'wait-limit-cookie: 0' can now disable cookie validated wait
limits.
2 October 2025: Wouter
- Fix that https is set up as enabled when the port is listed in
interface-automatic-ports. Also for the set up of quic it is


@ -496,6 +496,9 @@ These options are part of the **server:** clause.
The wait time in msec where recursion requests are dropped.
This is to stop a large number of replies from accumulating.
They receive no reply, the work item continues to recurse.
For UDP the replies are dropped, for stream connections the reply
is not dropped if the stream connection is still open ready to receive
answers.
It is nice to be a bit larger than
:ref:`serve-expired-client-timeout<unbound.conf.serve-expired-client-timeout>`
if that is enabled.
@ -510,7 +513,7 @@ These options are part of the **server:** clause.
This makes a ratelimit per IP address of waiting replies for recursion.
It stops very large amounts of queries waiting to be returned to one
destination.
The value ``0`` disables wait limits.
The value ``0`` disables all wait limits.
Default: 1000
@ -518,7 +521,11 @@ These options are part of the **server:** clause.
@@UAHL@unbound.conf@wait-limit-cookie@@: *<number>*
The number of replies that can wait for recursion, for an IP address
that sent the query with a valid DNS Cookie.
Since the cookie validates the client address, this limit can be higher.
Since the cookie already validates the client address, this option allows
to override a configured
:ref:`wait-limit<unbound.conf.wait-limit>` value usually with a higher one
for cookie validated queries.
The value ``0`` disables wait limits for cookie validated queries.
Default: 10000
@ -1673,8 +1680,8 @@ These options are part of the **server:** clause.
Default is nothing, using builtin hints for the IN class.
The file has the format of zone files, with root nameserver names and
addresses only.
The default may become outdated, when servers change, therefore it is good
practice to use a root hints file.
The default may become outdated, when servers change, and then it is
possible to use a root hints file with specific servers.
Default: ""
@ -3959,6 +3966,13 @@ and be compiled into the daemon to be enabled.
.. note::
These settings go in the :ref:`server:<unbound.conf.server>` section.
.. note::
If combining the ``respip`` and ``dns64`` modules, the ``respip`` module
needs to appear before the ``dns64`` module in the
:ref:`module-config<unbound.conf.module-config>`
configuration option so that response IP and/or RPZ feeds can properly
filter responses regardless of DNS64 synthesis.
@@UAHL@unbound.conf.dns64@dns64-prefix@@: *<IPv6 prefix>*
This sets the DNS64 prefix to use to synthesize AAAA records with.
@ -4777,6 +4791,13 @@ The respip module needs to be added to the
module-config: "respip validator iterator"
.. note::
If combining the ``respip`` and ``dns64`` modules, the ``respip`` module
needs to appear before the ``dns64`` module in the
:ref:`module-config<unbound.conf.module-config>`
configuration option so that response IP and/or RPZ feeds can properly
filter responses regardless of DNS64 synthesis.
QNAME, Response IP Address, nsdname, nsip and clientip triggers are supported.
Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
and drop.


@ -715,7 +715,5 @@ cleanup
storehash unbound-$version.tar.gz
echo "create unbound-$version.tar.gz.asc with:"
echo " gpg --armor --detach-sign --digest-algo SHA256 unbound-$version.tar.gz"
echo " gpg --armor --detach-sign --digest-algo SHA256 unbound-$version.zip"
echo " gpg --armor --detach-sign --digest-algo SHA256 unbound_setup_$version.exe"
info "Unbound distribution created successfully."


@ -1269,7 +1269,8 @@ int infra_wait_limit_allowed(struct infra_cache* infra, struct comm_reply* rep,
int cookie_valid, struct config_file* cfg)
{
struct lruhash_entry* entry;
if(cfg->wait_limit == 0)
if(cfg->wait_limit == 0 ||
(cookie_valid && cfg->wait_limit_cookie == 0))
return 1;
entry = infra_find_ip_ratedata(infra, &rep->client_addr,
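Review bot: The extended condition `if(cfg->wait_limit == 0 || (cookie_valid && cfg->wait_limit_cookie == 0))` returns before the per-IP ratedata lookup, so a zero wait-limit-cookie disables the limit only for cookie-validated clients while a zero wait-limit disables it for everyone; a comment stating that asymmetry would help the next reader, e.g. `/* wait-limit 0 disables all limits; wait-limit-cookie 0 only disables the limit for cookie-validated clients. */`. The bypass relies on cookie_valid meaning the cookie actually validated the client address, which this function takes on trust from its caller. infra_wait_limit_allowed continues past the hunk.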


@ -441,9 +441,18 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
if(!infra_wait_limit_allowed(mesh->env->infra_cache, rep,
edns->cookie_valid, mesh->env->cfg)) {
verbose(VERB_ALGO, "Too many queries waiting from the IP. "
"dropping incoming query.");
comm_point_drop_reply(rep);
"servfail incoming query.");
mesh->num_queries_wait_limit++;
edns_opt_list_append_ede(&edns->opt_list_out,
mesh->env->scratch, LDNS_EDE_OTHER,
"Too many queries queued up and waiting from the IP");
if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL, NULL,
LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv))
edns->opt_list_inplace_cb_out = NULL;
error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
qinfo, qid, qflags, edns);
regional_free_all(mesh->env->scratch);
comm_point_send_reply(rep);
return;
}
if(!unique)
@ -1728,28 +1737,37 @@ void mesh_query_done(struct mesh_state* mstate)
dns_error_reporting(&mstate->s, rep);
for(r = mstate->reply_list; r; r = r->next) {
struct timeval old;
timeval_subtract(&old, mstate->s.env->now_tv, &r->start_time);
if(mstate->s.env->cfg->discard_timeout != 0 &&
((int)old.tv_sec)*1000+((int)old.tv_usec)/1000 >
mstate->s.env->cfg->discard_timeout) {
/* Drop the reply, it is too old */
/* briefly set the reply_list to NULL, so that the
* tcp req info cleanup routine that calls the mesh
* to deregister the meshstate for it is not done
* because the list is NULL and also accounting is not
* done there, but instead we do that here. */
struct mesh_reply* reply_list = mstate->reply_list;
verbose(VERB_ALGO, "drop reply, it is older than discard-timeout");
infra_wait_limit_dec(mstate->s.env->infra_cache,
&r->query_reply, mstate->s.env->cfg);
mstate->reply_list = NULL;
if(r->query_reply.c->use_h2)
http2_stream_remove_mesh_state(r->h2_stream);
comm_point_drop_reply(&r->query_reply);
mstate->reply_list = reply_list;
mstate->s.env->mesh->num_queries_discard_timeout++;
continue;
if(mesh_is_udp(r)) {
/* For UDP queries, the old replies are discarded.
* This stops a large volume of old replies from
* building up.
* The stream replies, are not discarded. The
* stream is open, the other side is waiting.
* Some answer is needed, even if servfail, but the
* real reply is ready to go, so that is given. */
struct timeval old;
timeval_subtract(&old, mstate->s.env->now_tv, &r->start_time);
if(mstate->s.env->cfg->discard_timeout != 0 &&
((int)old.tv_sec)*1000+((int)old.tv_usec)/1000 >
mstate->s.env->cfg->discard_timeout) {
/* Drop the reply, it is too old */
/* briefly set the reply_list to NULL, so that the
* tcp req info cleanup routine that calls the mesh
* to deregister the meshstate for it is not done
* because the list is NULL and also accounting is not
* done there, but instead we do that here. */
struct mesh_reply* reply_list = mstate->reply_list;
verbose(VERB_ALGO, "drop reply, it is older than discard-timeout");
infra_wait_limit_dec(mstate->s.env->infra_cache,
&r->query_reply, mstate->s.env->cfg);
mstate->reply_list = NULL;
if(r->query_reply.c->use_h2)
http2_stream_remove_mesh_state(r->h2_stream);
comm_point_drop_reply(&r->query_reply);
mstate->reply_list = reply_list;
mstate->s.env->mesh->num_queries_discard_timeout++;
continue;
}
}
i++;
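Review bot: In the first hunk the over-limit path in mesh_new_client now ends with `comm_point_send_reply(rep);` carrying a SERVFAIL instead of `comm_point_drop_reply(rep);`, so every query from an address that exceeded wait-limit now gets a response packet; for UDP that turns a limit that used to shed load into one that answers each query, and if the source address is spoofed the SERVFAILs go to that address (the reply is small, so amplification stays low, but reflection is no longer suppressed). It may be worth keeping the drop for non-cookie-validated UDP queries, or at least documenting the trade-off in the wait-limit man page entry. In the second hunk the discard-timeout check is wrapped in `if(mesh_is_udp(r))`, which is consistent with the rationale in the new comment for stream connections; `mesh_is_udp` itself is not visible here and is presumably defined elsewhere in the file. Both functions continue outside the hunks.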


@ -480,7 +480,8 @@ enum sldns_enum_ede_code
LDNS_EDE_TOO_EARLY = 26,
LDNS_EDE_UNSUPPORTED_NSEC3_ITERATIONS = 27,
LDNS_EDE_BADPROXYPOLICY = 28,
LDNS_EDE_SYNTHESIZED = 29
LDNS_EDE_SYNTHESIZED = 29,
LDNS_EDE_INVALID_QUERY_TYPE = 30
};
typedef enum sldns_enum_ede_code sldns_ede_code;


@ -233,6 +233,7 @@ static sldns_lookup_table sldns_edns_ede_codes_data[] = {
{ LDNS_EDE_UNSUPPORTED_NSEC3_ITERATIONS, "Unsupported NSEC3 Iterations Value" },
{ LDNS_EDE_BADPROXYPOLICY, "Unable to Conform to Policy" },
{ LDNS_EDE_SYNTHESIZED, "Synthesized Answer" },
{ LDNS_EDE_INVALID_QUERY_TYPE, "Invalid Query Type" },
{ 0, NULL}
};
sldns_lookup_table* sldns_edns_ede_codes = sldns_edns_ede_codes_data;


@ -631,6 +631,7 @@ rh_allow_sha1_signatures_disabled(void)
void
verify_test(void)
{
int do_sha1 = 1;
unit_show_feature("signature verify");
#if defined(HAVE_SSL) && defined(USE_SHA1)
@ -643,27 +644,40 @@ verify_test(void)
#else
_putenv("OPENSSL_ENABLE_SHA1_SIGNATURES=1");
#endif
do_sha1 = 1;
}
#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
if (EVP_default_properties_is_fips_enabled(NULL))
do_sha1 = 0;
#endif
#endif /* HAVE_SSL and USE_SHA1 */
#ifdef USE_SHA1
verifytest_file(SRCDIRSTR "/testdata/test_signatures.1", "20070818005004");
if(do_sha1) {
verifytest_file(SRCDIRSTR "/testdata/test_signatures.1", "20070818005004");
}
#endif
#if defined(USE_DSA) && defined(USE_SHA1)
verifytest_file(SRCDIRSTR "/testdata/test_signatures.2", "20080414005004");
verifytest_file(SRCDIRSTR "/testdata/test_signatures.3", "20080416005004");
verifytest_file(SRCDIRSTR "/testdata/test_signatures.4", "20080416005004");
verifytest_file(SRCDIRSTR "/testdata/test_signatures.5", "20080416005004");
verifytest_file(SRCDIRSTR "/testdata/test_signatures.6", "20080416005004");
verifytest_file(SRCDIRSTR "/testdata/test_signatures.7", "20070829144150");
if(do_sha1) {
verifytest_file(SRCDIRSTR "/testdata/test_signatures.2", "20080414005004");
verifytest_file(SRCDIRSTR "/testdata/test_signatures.3", "20080416005004");
verifytest_file(SRCDIRSTR "/testdata/test_signatures.4", "20080416005004");
verifytest_file(SRCDIRSTR "/testdata/test_signatures.5", "20080416005004");
verifytest_file(SRCDIRSTR "/testdata/test_signatures.6", "20080416005004");
verifytest_file(SRCDIRSTR "/testdata/test_signatures.7", "20070829144150");
}
#endif /* USE_DSA */
#ifdef USE_SHA1
verifytest_file(SRCDIRSTR "/testdata/test_signatures.8", "20070829144150");
if(do_sha1) {
verifytest_file(SRCDIRSTR "/testdata/test_signatures.8", "20070829144150");
}
#endif
#if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha256", "20070829144150");
# ifdef USE_SHA1
verifytest_file(SRCDIRSTR "/testdata/test_sigs.sha1_and_256", "20070829144150");
if(do_sha1) {
verifytest_file(SRCDIRSTR "/testdata/test_sigs.sha1_and_256", "20070829144150");
}
# endif
verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha256_draft", "20090101000000");
#endif
@ -672,8 +686,10 @@ verify_test(void)
verifytest_file(SRCDIRSTR "/testdata/test_signatures.9", "20171215000000");
#endif
#ifdef USE_SHA1
verifytest_file(SRCDIRSTR "/testdata/test_sigs.hinfo", "20090107100022");
verifytest_file(SRCDIRSTR "/testdata/test_sigs.revoked", "20080414005004");
if(do_sha1) {
verifytest_file(SRCDIRSTR "/testdata/test_sigs.hinfo", "20090107100022");
verifytest_file(SRCDIRSTR "/testdata/test_sigs.revoked", "20080414005004");
}
#endif
#ifdef USE_GOST
if(sldns_key_EVP_load_gost_id())
@ -699,7 +715,9 @@ verify_test(void)
}
#endif
#ifdef USE_SHA1
dstest_file(SRCDIRSTR "/testdata/test_ds.sha1");
if(do_sha1) {
dstest_file(SRCDIRSTR "/testdata/test_ds.sha1");
}
#endif
nsectest();
nsec3_hash_test(SRCDIRSTR "/testdata/test_nsec3_hash.1");
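Review bot: `do_sha1 = 1;` on the line after the `_putenv` call is redundant, since `int do_sha1 = 1;` already initialises it at the top of verify_test; drop the assignment so the enabling logic lives in one place. When `EVP_default_properties_is_fips_enabled(NULL)` clears do_sha1, all the SHA1 and DSA cases are skipped silently and the run looks like a full pass; a line such as `unit_show_feature("signature verify: SHA1 cases skipped (FIPS mode)");` next to the FIPS check would make the reduced coverage visible in the test log. verify_test continues past the last hunk.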