and it checks that an owner name does not collide with BADRR
on the input, and changes verbosity on the log of failure in
rrset to string. Thanks to Qifan Zhang, Palo Alto Networks,
for the report.
with errors for error cases, and does not stay silent.
In addition, the error replies do not contain parts of the
incoming query. This is more conformant, stops reflection
and stops it as a covert channel. Thanks to Yuqi Qiu and
Xiang Li, Nankai University (AOSP Lab) for the report.
In addition, thanks to Qifan Zhang, Palo Alto Networks, for
noting the fingerprinting possibility, that is also fixed
with this.
- Introduce new 'tls-protocols' configuration option that specifies
which of the supported TLS protocols will be used.
This change invalidates some previous changes:
- TLSv1.2 is again enabled by default, but can be selectively turned off if
desired (related to #1303).
- The biefly introduced (not yet released) 'tls-use-system-versions'
configuration option, that addressed #1346, is reverted in favor of
'tls-protocols'.
- The briefly introduced (not yet released) '--enable-system-tls'
configure option, related to #1401, is no longer needed with the new
option and the current default.
- Review comment for checking out of memory condition
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
an overly large number of RRSIGs. It can be configured with
`iter-scrub-rrsig: 8`, it has default 8. Thanks to Yuxiao Wu,
Tsinghua University for the report.
* - stats-shm-volley, with mesh_time_median the additions add up to the correct
average that is used.
* - stats-shm-volley, the stat interval is selected with offset.
* - stats-shm-volley, stat totals in separate struct. The first thread zeroes
it, and the last thread copies it.
* - stats-shm-volley, the array is inited for a new round if one or more
* - stats-shm-volley, the array is inited for a new round if one or more
threads are not responsive for stat collection.
* - stats-shm-volley review, typos and slightly more detailed text for comments.
---------
Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
* Do not initialize quic_table unless it is enabled
Fedora in FIPS mode might fail to initialize ngtcp2 library, because
some ciphers desired are not available.
Make it possible to skip initialization by setting explicitly quic_port
to 0. Unless we have some listeners for port 853 configured, skip its
initialization as well.
Related: https://pagure.io/freeipa/issue/9877
* Fix typo in logged function name
- On fast_reload, the identity and version strings are always freed and
reallocated as part of dt_apply_cfg(). Add fr_worker_pickup_dnstap_changes()
to copy any changes from daemon to workers.
* Statistics counter for number of queries dropped by limit on reply addresses
Request list entries can be associated with multiple pending "reply
addresses". Basically each request list entry keeps its own list of
clients that should receive the response once the recursion is finished.
This requires keeping allocations around for each client, and there is
a global limit on the number of *additional* reply addresses that can
be allocated. (Each new request list entry seems to get its own initial
reply address which is not counted against the limit.)
This commit adds a statistics counter "num_queries_replyaddr_limit" that
counts the number of incoming client queries that have been dropped due
to the restriction on allocating additional reply addresses. This allows
distinguishing these drops from other kinds of drops.
* Statistics counter for number of mesh reply entries
Request list entries can be associated with multiple pending "reply
addresses". Since there is a limit on the number of additional reply
addresses that can be allocated which can cause incoming queries to be
dropped if exceeded, it would be nice to be able to track this number.
This commit basically exports the mesh_area's internal counter
`num_reply_addrs` as "threadX.requestlist.current.replies" /
"total.requestlist.current.replies".
* 'tls-use-system-policy-versions' is introduced to allow Unbound to use
any system available TLS version when serving TLS.
* Apply suggestions from code review
---------
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
- Cached messages that reach 0 TTL are considered expired. This prevents
Unbound itself from issuing replies with TTL 0 and possibly causing a
thundering herd at the last second. Upstream replies of TTL 0 still
get the usual pass-through but they are not considered for caching
from Unbound or any of its caching modules.
- 'serve-expired-reply-ttl' is changed and is now capped by the original
TTL value of the record to try and make some sense when replying
with expired records.
- TTL decoding was updated to adhere to RFC8767 section 4 where a set
high-order bit means the value is positive instead of 0.
