subquery without subnet, and the forward-no-cache or
stub-no-cache option is set, it is not stored in cache due to
the forward or stub option.
This has the changelog entry and test.
to include YXDOMAIN and non-referral nodata answers in the mitigation as
well, reported by TaoFei Guo from Peking University, Yang Luo and JianJun
Chen from Tsinghua University.
same time, the client info is copied for attach_sub and add_sub
calls. That makes respip work on dns64 synthesized answers, and
also makes RPZ work with DNS64. The order for the modules is
module-config: "respip dns64 validator iterator".
- Cached messages that reach 0 TTL are considered expired. This prevents
Unbound itself from issuing replies with TTL 0 and possibly causing a
thundering herd at the last second. Upstream replies of TTL 0 still
get the usual pass-through but they are not considered for caching
from Unbound or any of its caching modules.
- 'serve-expired-reply-ttl' is changed and is now capped by the original
TTL value of the record to try and make some sense when replying
with expired records.
- TTL decoding was updated to adhere to RFC8767 section 4 where a set
high-order bit means the value is positive instead of 0.
global cache if the querier used 0.0.0.0/0 and the name and address
do not receive subnet treatment. If the name and address are
configured for subnet, it is stored in the subnet cache.
- Fix NSEC3 code to not break on broken auth zones that include unsigned
out of zone (above apex) data. Could lead to hang while trying to
prove a wildcard answer.
Reported by Dmitrii Kuvaiskii from Amazon Web Services.
- Tests for NSEC3 auth zones with out of zone data.
* v1 EDER poc
* remove superfluous edns_list_get_option function
* create an EDER configurable
* Hackathon 114
* Fixes for version -04
* Generated configparser and configlexer are not versioned in master anymore
* Remove NOERROR DNS Error Reporting; not part of final RFC.
* Use assigned IANA EDNS0 Option Code for Report-Channel.
* Fix buffer protection and agent domain validity
* Use DNS Error Reporting instead of the eder nickname
* Update documentation.
* Fix typo.
* Bail out early if ede is not present.
* Forget previous EDNS options from upstream; this is what was
implicitly happening but not deterministacally.
* Don't report LDNS_EDE_OTHER and bail early if there is no reporting
agent.
* Only do DNS error reporting when a client asked for something that
went wrong.
* Add an error reporting agent in the parent that should be ignored.
* review feedback.
* fixup for fast reload
* Add 'num.dns_error_reports' to stats and test for it.
---------
Co-authored-by: TCY16 <tom@nlnetlabs.nl>
Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
* Set version to 1.19.1 for point release.
* Initial work for Redis read-only replica support.
* Test for Redis replica.
* Documentation for the Redis replica timeouts.
* redis replica, rewrite set_timeout()
* clean merge.
* Add new options for fast reload.
* Apply suggestions from code review
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
* some more typos
---------
Co-authored-by: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
* - fast-reload, add unbound-control fast_reload
* - fast-reload, make a thread to service the unbound-control command.
* - fast-reload, communication sockets for information transfer.
* - fast-reload, fix compile for unbound-dnstap-socket.
* - fast-reload, set nonblocking communication to keep the server thread
responding to DNS requests.
* - fast-reload, poll routine to test for readiness, timeout fails connection.
* - fast-reload, detect loop in sock_poll_timeout routine.
* - fast-reload, send done and exited notification.
* - fast-reload, defines for constants in ipc.
* - fast-reload, ipc socket recv and send resists partial reads and writes and
can continue byte by byte. Also it can continue after an interrupt.
* - fast-reload, send exit command to thread when done.
* - fast-reload, output strings for client on string list.
* - fast-reload, add newline to terminal output.
* - fast-reload, send client string to remote client.
* - fast-reload, better debug output.
* - fast-reload, print queue structure, for output to the remote client.
* - fast-reload, move print items to print queue from fast_reload_thread struct.
* - fast-reload, keep list of pending print queue items in daemon struct.
* - fast-reload, comment explains in_list for printq to print remainder.
* - fast-reload, unit test testdata/fast_reload_thread.tdir that tests the
thread output.
* - fast-reload, fix test link for fast_reload_printq_list_delete function.
* - fast-reload, reread config file from disk.
* - fast-reload, unshare forwards, making the structure locked, with an rwlock.
* - fast-reload, for nonthreaded, the unbound-control commands forward,
forward_add and forward_delete should be distributed to other processes,
but when threaded, they should not be distributed to other threads because
the structure is not thread specific any more.
* - fast-reload, unshared stub hints, making the structure locked, with an rwlock.
* - fast-reload, helpful comments for hints lookup function return value.
* - fast-reload, fix bug in fast reload printout, the strlist appendlist routine,
and printout time statistics after the reload is done.
* - fast-reload, keep track of reloadtime and deletestime and print them.
* - fast-reload, keep track of constructtime and print it.
* - fast-reload, construct new items.
* - fast-reload, better comment.
* - fast-reload, reload the config and swap trees for forwards and stub hints.
* - fast-reload, in forwards_swap_tree set protection of trees with locks.
* - fast-reload, in hints_swap_tree also swap the node count of the trees.
* - fast-reload, reload ipc to stop and start threads.
* - fast-reload, unused forward declarations removed.
* - fast-reload, unit test that fast reload works with forwards and stubs.
* - fast-reload, fix clang analyzer warnings.
* - fast-reload, small documentation entry in unbound-control -h output.
* - fast-reload, printout memory use by fast reload, in bytes.
* - fast-reload, compile without threads.
* - fast-reload, document fast_reload in man page.
* - fast-reload, print ok when done successfully.
* - fast-reload, option for fast-reload commandline, +v verbosity option,
with timing and memory use output.
* - fast-reload, option for fast-reload commandline, +p does not pause threads.
* - fast-reload, option for fast-reload commandline, +d drops mesh queries.
* - fast-reload, fix to poll every thread with nopause to make certain that
resources are not held by the threads and can be deleted.
* - fast-reload, fix to use atomic store for config variables with nopause.
* - fast-reload, reload views.
* - fast-reload, when tag defines are different, it drops the queries.
* - fast-reload, fix tag define check.
* - fast-reload, document that tag change causes drop of queries.
* - fast-reload, fix space in documentation man page.
* - fast-reload, copy respip client information to query state, put views tree
in module env for lookup.
* - fast-reload, nicer respip view comparison.
* - fast-reload, respip global set is in module env.
* - fast-reload, document that respip_client_info acl info is copied.
* - fast-reload, reload the respip_set.
* - fast-reload, document no pause and pick up of use_response_ip boolean.
* - fast-reload, fix test compile.
* - fast-reload, reload local zones.
* Update locking management for iter_fwd and iter_hints methods. (#1054)
fast reload, move most of the locking management to iter_fwd and
iter_hints methods. The caller still has the ability to handle its
own locking, if desired, for atomic operations on sets of different
structs.
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
* - fast-reload, reload access-control.
* - fast-reload, reload access control interface, such as interface-action.
* - fast-reload, reload tcp-connection-limit.
* - fast-reload, improve comments on acl_list and tcl_list swap tree.
* - fast-reload, fixup references to old tcp connection limits in open tcp
connections.
* - fast-reload, fixup to clean tcp connection also for different linked order.
* - fast-reload, if no tcp connection limits existed, no need to remove
references for that.
* - fast-reload, document more options that work and do not work.
* - fast-reload, reload auth_zone and rpz data.
* - fast-reload, fix auth_zones_get_mem.
* - fast-reload, fix compilation of testbound for the new comm_timer_get_mem
reference in remote control.
* - fast-reload, change use_rpz with reload.
* - fast-reload, list changes in auth zones and stop zonemd callbacks for
deleted auth zones.
* - fast-reload, note xtree is not swapped, and why it is not swapped.
* - fast-reload, for added auth zones, pick up zone transfer and zonemd tasks.
* - fast-reload, unlock xfr when done with transfer pick up.
* - fast-reload, unlock z when picking up the xfr for it during transfer task
pick up.
* - fast-reload, pick up task changes for added, deleted and modified auth zones.
* - fast-reload, remove xfr of auth zone deletion without tasks.
* - fast-reload, pick up zone transfer config.
* - fast-reload, the main worker thread picks up the transfer tasks and also
performs setup of the xfer struct.
* - fast-reload, keep writelock on newzone when auth zone changes.
* - fast-reload, change cachedb_enabled setting.
* - fast-reload, pick up edns-strings config.
* - fast-reload, note that settings are not updated.
* - fast-reload, pick up dnstap config.
* - fast-reload, dnstap options that need to be loaded without +p.
* - fast-reload, fix auth zone reload
* - fast-reload, remove debug for auth zone test.
* - fast-reload, fix auth zone reload with zone transfer.
* - fast-reload, fix auth zone reload lock order.
* - fast-reload, remove debug from fast reload test.
* - fast-reload, remove unused function.
* - fast-reload, fix the worker trust anchor probe timer lock acquisition in
the probe answer callback routine for trust anchor probes.
* - fast-reload, reload trust anchors.
* - fast-reload, fix trust anchor reload lock on autr global data and test
for trust anchor reload.
* - fast-reload, adjust cache sizes.
* - fast-reload, reload cache sizes when changed.
* - fast-reload, reload validator env changes.
* - fast-reload, reload mesh changes.
* - fast-reload, check for incompatible changes.
* - fast-reload, improve error text for incompatible change.
* - fast-reload, fix check config option compatibility.
* - fast-reload, improve error text for nopause change.
* - fast-reload, fix spelling of incompatible options.
* - fast-reload, reload target-fetch-policy, outbound-msg-retry, max-sent-count
and max-query-restarts.
* - fast-reload, check nopause config change for target-fetch-policy.
* - fast-reload, reload do-not-query-address, private-address and capt-exempt.
* - fast-reload, check nopause config change for do-not-query-address,
private-address and capt-exempt.
* - fast-reload, check fast reload not possible due to interface and
outgoing-interface changes.
* - fast-reload, reload nat64 settings.
* - fast-reload, reload settings stored in the infra structure.
* - fast-reload, fix modstack lookup and remove outgoing-range check.
* - fast-reload, more explanation for config parse failure.
* - fast-reload, reload worker outside network changes.
* - fast-reload, detect incompatible changes in network settings.
* fast-reload, commit test files.
* - fast-reload, fix warnings for call types in windows compile.
* - fast-reload, fix warnings and comm_point_internal for tcp wouldblock calls.
* - fast-reload, extend lock checks for repeat thread ids.
* - fast-reload, additional test cases, cache change and tag changes.
* - fast-reload, fix documentation for auth_zone_verify_zonemd_with_key.
* - fast-reload, fix copy_cfg type casts and memory leak on config parse failure.
* - fast-reload, fix use of WSAPoll.
* Review comments for the fast reload feature (#1259)
* - fast-reload review, respip set can be null from a view.
* - fast-reload review, typos.
* - fast-reload review, keep clang static analyzer happy.
* - fast-reload review, don't forget to copy tag_actions.
* - fast-reload review, less indentation.
* - fast-reload review, don't leak respip_actions when reloading.
* - fast-reload review, protect NULL pointer dereference in get_mem
functions.
* - fast-reload review, add fast_reload_most_options.tdir to test most
options with high verbosity when fast reloading.
* - fast-reload review, don't skip new line on long error printouts.
* - fast-reload review, typo.
* - fast-reload review, use new_z for consistency.
* - fast-reload review, nit for unlock ordering to make eye comparison
with the lock counterpart easier.
* - fast-reload review, in case of error the sockets are already closed.
* - fast-reload review, identation.
* - fast-reload review, add static keywords.
* - fast-reload review, update unbound-control usage text.
* - fast-reload review, updates to the man page.
* - fast-reload, the fast-reload command is experimental.
* - fast-reload, fix compile of doqclient for fast reload functions.
* Changelog comment for #1042
- Merge #1042: Fast Reload. The unbound-control fast_reload is added.
It reads changed config in a thread, then only briefly pauses the
service threads, that keep running. DNS service is only interrupted
briefly, less than a second.
---------
Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
- Fixes a regression bug with serve-expired that appeared in 1.22.0
and would not allow the iterator to update the cache with
not-yet-validated entries resulting in increased outgoing traffic.
- Treat serve_expired_norec_ttl as a backoff timer for failed updates of expired records.
- Try to use expired answers instead of SERVFAIL if serve-expired is
enabled even without serve-expired-client-timeout.
- Add suggestion to refresh the cached norec_ttl and expired_ttl when a
response cannot update the usable expired entry.
