upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-18 14:56:05 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
8160 commits 23 branches 209 tags 123 MiB
Commit graph

8160 commits

This branch
This branch
All branches
Author SHA1 Message Date
W.C.A. Wijngaards
c0522043f0 - Fix http2 drop handling to clear the postpone_drop state so that
Some checks failed
ci / build (push) Has been cancelled
Details 
other streams on the http2 session are not affected by a drop,
  and can clean up properly if also dropped. Fix http2 send reply
  so that when there is a send failure is does not recurse into
  the mesh functions and also does not drop the connection due to
  the condition of one stream.
 2025-12-03 14:41:10 +01:00
W.C.A. Wijngaards
b858801feb - Fix to remove http2 stream mesh state when mesh new request is
Some checks are pending
ci / build (push) Waiting to run
Details 
dropping the new request.
 2025-12-02 15:31:53 +01:00
W.C.A. Wijngaards
588db09928 - Fix header comment about EDE reference in validator/val_sigcrypt.h.
Some checks are pending
ci / build (push) Waiting to run
Details
2025-12-01 16:04:41 +01:00
W.C.A. Wijngaards
5c66c48a1b - Fix to add EDNS CO flag to testbound and debug message log. 2025-12-01 15:29:41 +01:00
Yorgos Thessalonikefs
83336477c6 - For #1375, there is no DNSTAP environment if it wasn't configured.
Some checks failed
ci / build (push) Has been cancelled
Details
2025-11-28 15:20:21 +01:00
Yorgos Thessalonikefs
e3e5eb66cf - Tag for 1.24.2 release.
Some checks failed
ci / build (push) Has been cancelled
Details 
The repository continues with version 1.24.3.
 2025-11-26 13:54:25 +01:00
Yorgos Thessalonikefs
00d3b97dbb Merge branch 'branch-1.24.2' 2025-11-26 13:50:49 +01:00
Yorgos Thessalonikefs
f6269baa60 - Additional fix for CVE-2025-11411 (possible domain hijacking attack), 
to include YXDOMAIN and non-referral nodata answers in the mitigation as
  well, reported by TaoFei Guo from Peking University, Yang Luo and JianJun
  Chen from Tsinghua University.
 2025-11-26 11:09:40 +01:00
Yorgos Thessalonikefs
19154c6e58 - Set version to 1.24.2. 2025-11-26 10:58:06 +01:00
W.C.A. Wijngaards
0f43b0ea6c Changelog note for #1375, and lock for lockchecks and ifdef for compile fix.
Some checks failed
ci / build (push) Has been cancelled
Details 
- Merge #1375: Copy DNSTAP changes from daemon to workers after
  fast_reload.
 2025-11-13 15:45:27 +01:00
smeddlep
e6d92f458f
Copy DNSTAP changes from daemon to workers after fast_reload (#1375) 
- On fast_reload, the identity and version strings are always freed and
  reallocated as part of dt_apply_cfg(). Add fr_worker_pickup_dnstap_changes()
  to copy any changes from daemon to workers.
 2025-11-13 15:42:44 +01:00
W.C.A. Wijngaards
a31b9d50e2 Changelog note for #1374
Some checks are pending
ci / build (push) Waiting to run
Details 
- Merge #1374: Mesh reply counters.
  This adds the statistics num.queries.replyaddr_limit and
  requestlist.current.replies.
 2025-11-13 09:34:45 +01:00
Robert Edmonds
fceb4e8585
Mesh reply counters (#1374) 
* Statistics counter for number of queries dropped by limit on reply addresses

Request list entries can be associated with multiple pending "reply
addresses". Basically each request list entry keeps its own list of
clients that should receive the response once the recursion is finished.
This requires keeping allocations around for each client, and there is
a global limit on the number of *additional* reply addresses that can
be allocated. (Each new request list entry seems to get its own initial
reply address which is not counted against the limit.)

This commit adds a statistics counter "num_queries_replyaddr_limit" that
counts the number of incoming client queries that have been dropped due
to the restriction on allocating additional reply addresses. This allows
distinguishing these drops from other kinds of drops.

* Statistics counter for number of mesh reply entries

Request list entries can be associated with multiple pending "reply
addresses". Since there is a limit on the number of additional reply
addresses that can be allocated which can cause incoming queries to be
dropped if exceeded, it would be nice to be able to track this number.

This commit basically exports the mesh_area's internal counter
`num_reply_addrs` as "threadX.requestlist.current.replies" /
"total.requestlist.current.replies".
 2025-11-13 09:33:05 +01:00
W.C.A. Wijngaards
98f4257890 - iana portlist updated.
Some checks are pending
ci / build (push) Waiting to run
Details
2025-11-12 11:49:21 +01:00
W.C.A. Wijngaards
0a15118aff - Fix that when discard timeout drops packet, they are accounted as 
less reply addresses in use in the mesh area.
 2025-11-12 11:49:04 +01:00
W.C.A. Wijngaards
e887a79a92 - Fix configure test for nonstring attribute so that it does not
Some checks failed
ci / build (push) Has been cancelled
Details 
accept when the compiler prints a warning about an unknown
  attribute.
 2025-11-06 15:03:17 +01:00
W.C.A. Wijngaards
f9b9050ab8 - Fix configure test for noreturn attribute so it compiles without 
warning.
 2025-11-06 15:00:08 +01:00
W.C.A. Wijngaards
94735384fd - Fix add comment to worker_handle_request function that explain it. 2025-11-06 14:32:56 +01:00
W.C.A. Wijngaards
5dab0609e5 - Fix dns64 log output to log the default instead of a null string.
Some checks failed
ci / build (push) Has been cancelled
Details
2025-11-04 10:19:03 +01:00
Yorgos Thessalonikefs
024c921dbf - Fix #1366: Infra cache does not work correctly for NAT64, by
Some checks failed
ci / build (push) Has been cancelled
Details 
moving the NAT64 synthesis from the iterator when selecting a target
  address, to the delegation point itself when adding target
  addresses.
 2025-11-01 15:10:27 +01:00
Yorgos Thessalonikefs
1a808e2978 - Fix typo; spotted by T3rm1.
Some checks failed
ci / build (push) Has been cancelled
Details
2025-10-28 14:42:20 +01:00
Yorgos Thessalonikefs
56ded934de - Fix #1165, document the possible circular dependency when using
Some checks are pending
ci / build (push) Waiting to run
Details 
host names instead of IP addresses for name servers in stub/forward
  zones and log a warning when spotted in the configuration.
 2025-10-27 14:01:10 +01:00
Yorgos Thessalonikefs
98952f11d1 Changelog entry for #1331:
Some checks are pending
ci / build (push) Waiting to run
Details 
- Merge #1331 from Jitka Plesníková: Replace deprecated $function by
  new $action, for SWIG.
 2025-10-27 09:59:35 +01:00
Yorgos Thessalonikefs
cb4b3de62f
Merge pull request #1331 from jplesnik/master 
Replace deprecated $function by new $action
 2025-10-27 09:57:59 +01:00
Yorgos Thessalonikefs
c8dcfc0853 - For #1364, use OPENSSL_VERSION_TEXT instead of OPENSSL_VERSION_NUMBER
Some checks failed
ci / build (push) Has been cancelled
Details 
for part of the configure script. OPENSSL_VERSION_TEXT is more
  consistent across versions.
 2025-10-24 15:43:22 +02:00
Yorgos Thessalonikefs
2bb28fdf12 - Fix unused attribute warning in redis.c when threads are not 
supported.
 2025-10-24 14:44:58 +02:00
Yorgos Thessalonikefs
6ad26909dd - Note Havard Eidnes for his suggestions on the mailing list. 2025-10-24 14:26:08 +02:00
Yorgos Thessalonikefs
9602973c86 - unbound.conf man page updates to include a preview of the section 
clauses and some reformatting around the use of "clause", "option"
  and "attributes".
 2025-10-24 14:23:53 +02:00
Yorgos Thessalonikefs
713b1783d4 - Tag for 1.24.1 release.
Some checks failed
ci / build (push) Has been cancelled
Details 
The repository continues with version 1.24.2.
 2025-10-22 12:49:29 +02:00
Yorgos Thessalonikefs
e06b7eb3f1 Merge branch 'branch-1.24.1' 2025-10-22 12:44:59 +02:00
Yorgos Thessalonikefs
a33f0638e1 - Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu, 
Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University.
 2025-10-22 10:54:57 +02:00
Yorgos Thessalonikefs
bbeee42e25 - Set version to 1.24.1. 2025-10-22 10:50:18 +02:00
Yorgos Thessalonikefs
1cb9595a42 - Update the unbound.conf online man page link and some text
Some checks failed
ci / build (push) Has been cancelled
Details 
reformatting in README.md.
 2025-10-20 14:34:40 +02:00
Wouter Wijngaards
aa21e38b3a
Fix for analysis and ports workflows iOS, Windows (#1361)
Some checks failed
ci / build (push) Has been cancelled
Details 
* - Remove SDK_VERSION and only run failed jobs, echo windows config.log

* Use commented out to fix syntax of ci.

* - Turn off succeeded tests, only link libssp for cross compile, use
no-shared for openssl ios.

* - Remove iPhone armv7s, and iPhoneSimulator i386 from ios ci.
  The lib system does not provide symbols for it on the new macos
  runner.
- Fix to exclude libssp for windows compiles.
 2025-10-15 16:12:39 +02:00
W.C.A. Wijngaards
964848b94a - Fix unbound.conf man page entry for root-hints to say it can 
be used without strongly recommending it.
 2025-10-15 15:40:47 +02:00
Yorgos Thessalonikefs
a4dd321fd8 - Remove extra gpg instructions from makedist.sh output. 2025-10-15 14:59:48 +02:00
Yorgos Thessalonikefs
d23a28a693 - ci: don't fail fast for the analysis_port workflow.
Some checks are pending
ci / build (push) Waiting to run
Details
2025-10-15 14:10:20 +02:00
W.C.A. Wijngaards
5423c0a8e9 Update ios ci with older sdk version to use. 2025-10-15 13:41:36 +02:00
W.C.A. Wijngaards
6a5385f291 - Fix to update openssl version in ios ci. 2025-10-15 12:25:44 +02:00
W.C.A. Wijngaards
16f3478048 - Add extended dns error code for invalid query type to definition 
list.
 2025-10-15 11:39:58 +02:00
W.C.A. Wijngaards
c8860a5fb6 - Fix to reply with SERVFAIL when the wait-limit is exceeded. 2025-10-15 11:36:29 +02:00
W.C.A. Wijngaards
735c96aac7 - Fix to drop UDP for discard-timeout, but not stream connections. 2025-10-15 11:04:22 +02:00
W.C.A. Wijngaards
a75ea01a15 - Fix #1358 Enabling FIPS in OpenSSL causes unit test to fail.
Some checks failed
ci / build (push) Has been cancelled
Details
2025-10-10 09:17:08 +02:00
Yorgos Thessalonikefs
21f02a0865 - Note clearly that 'wait-limit: 0' disables all wait limits. 
- 'wait-limit-cookie: 0' can now disable cookie validated wait
  limits.
 2025-10-03 16:44:44 +02:00
Yorgos Thessalonikefs
e017d66fc1 - Note 'respip' and 'dns64' module order in the unbound.conf 
man page.
 2025-10-03 11:27:26 +02:00
W.C.A. Wijngaards
adaf5dab49 - Fix that https is set up as enabled when the port is listed in 
interface-automatic-ports. Also for the set up of quic it is
  enabled when listed there.
 2025-10-02 10:16:06 +02:00
W.C.A. Wijngaards
feeebc95f8 - Fix for #1344: Fix that respip and dns64 can be enabled at the 
same time, the client info is copied for attach_sub and add_sub
  calls. That makes respip work on dns64 synthesized answers, and
  also makes RPZ work with DNS64. The order for the modules is
  module-config: "respip dns64 validator iterator".
 2025-09-30 11:28:15 +02:00
W.C.A. Wijngaards
187aa52859 - Fix #1344: module conf 'respip dns64 validator cachedb iterator' 
is not known to work.
 2025-09-29 16:11:50 +02:00
W.C.A. Wijngaards
f1fea8dc46 - Fix #1353: auth-zone can not use empty label for $ORIGIN when 
http download.
 2025-09-29 14:24:31 +02:00
Yorgos Thessalonikefs
0c01257d1d Changelog entry for #1351: 
- Merge #1351: ac_cv_func_malloc_0_nonnull for malloc(0) check.
 2025-09-29 13:14:07 +02:00