upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2026-01-06 06:49:35 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
7793 commits 23 branches 209 tags 124 MiB
Commit graph

602 commits

Author SHA1 Message Date
George Thessalonikefs
df411b3f28 - Updates for #461 (Add max-query-restarts option). 2022-12-13 15:29:22 +01:00
George Thessalonikefs
71db243b0d Merge branch 'restart_conf' of https://github.com/cgallred/unbound into cgallred-restart_conf 2022-12-13 14:35:01 +01:00
George Thessalonikefs
c61b2121b5 - Expose 'max-sent-count' as a configuration option; the 
default value retains Unbound's behavior.
 2022-12-13 13:57:07 +01:00
TCY16
8b4a8493d0 Merge branch 'master' of github.com:NLnetLabs/unbound into features/ede-caching 2022-11-21 11:34:36 +01:00
David Lamparter
64fb06f892 NAT64 support 
This implements #721.  Includes documentation and some very basic tests.
Please refer to doc for further detail.
 2022-11-07 11:37:50 +00:00
George Thessalonikefs
e9107907e5 - Clarify the use of MAX_SENT_COUNT in the iterator code. 2022-10-18 12:29:07 +02:00
W.C.A. Wijngaards
b043bc5eb4 - Fix to stop responses with TC flag from resulting in partial 
responses. It retries to fetch the data elsewhere, or fails the
  query and in depth fix removes the TC flag from the cached item.
 2022-10-06 10:01:09 +02:00
Yorgos Thessalonikefs
f1d263a318
Leniency for target discovery when under load (for NRDelegation changes) (#764) 
* - Introduce leniency for target discovery when under load.

* - Allow for easier testing (to be reverted).

* - Happy compiler.

* - Precheck access to target_fetch_policy.

* - Do not mark a nameserver as resolved when one of A/AAAA is negative.

* - Update fetch_glue.rpl test for (possible) outstanding queries.

* - Update fetch_glue_cname.rpl test for possible outstanding queries.

* - Better fix for fetch_glue_cname.rpl.

* - Fix iter_emptydp_for_glue.rpl to match the referral.

* - Disabled the nxns tests for now (to be reverted).

* - Update iter_recurse.rpl for possible outstanding queries.

* Revert "- Disabled the nxns tests for now (to be reverted)."

This reverts commit 34a9c13a90.

* Revert "- Allow for easier testing (to be reverted)."

This reverts commit b6dfe35e1d.
 2022-10-04 22:21:08 +02:00
Yorgos Thessalonikefs
c4e51a4cfe
PROXYv2 downstream support (#760) 2022-10-03 15:29:47 +02:00
W.C.A. Wijngaards
a102fb1df8 - Fix to remove erroneous TC flag from TCP upstream. 2022-10-03 09:53:41 +02:00
W.C.A. Wijngaards
e3871ca907 Merge branch 'branch-1.16.3' 2022-09-21 12:11:26 +02:00
TCY16
dcfcde2ec8 add cached EDE strings 2022-09-21 11:21:33 +02:00
W.C.A. Wijngaards
137719522a - Patch for CVE-2022-3204 Non-Responsive Delegation Attack. 2022-09-21 11:10:38 +02:00
George Thessalonikefs
c30bdff939 Initial commit for interface based ACL. 2022-09-11 20:21:32 +02:00
W.C.A. Wijngaards
f6753a0f10 - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. 2022-08-01 13:24:40 +02:00
Minghang Chen
249efd4285 Introduce infra-cache-max-rtt option to config max retransmit timeout 
Added the option and let it default to 120 seconds so that it won't change
current behavior.

Related-to #717
 2022-07-16 01:46:18 -07:00
George Thessalonikefs
2dbaba7d73 - Improved logging for NXNS fallback. 2022-07-01 16:18:33 +02:00
George Thessalonikefs
923eb7d474 - Allow fallback to the parent side when MAX_TARGET_NX is reached. 
This will also allow MAX_TARGET_NX more NXDOMAINs.
 2022-06-29 17:32:29 +02:00
George Thessalonikefs
58b21e4fca - Fix to not count cached NXDOMAIN for MAX_TARGET_NX. 2022-06-29 17:26:09 +02:00
W.C.A. Wijngaards
b61b0af5d6 - Fix #670: SERVFAIL problems with unbound 1.15.0 running on 
OpenBSD 7.1.
 2022-04-28 14:51:47 +02:00
Christian Allred
d19e12ab5d Merge branch 'master' of https://github.com/NLnetLabs/unbound into restart_conf 2022-04-18 12:16:40 -07:00
gthess
6e79237dc8
Merge pull request #623 from rex4539/typos 
Fix typos
 2022-02-28 12:36:11 +01:00
George Thessalonikefs
82adcfb971 - Fix #630: Unify the RPZ log messages. 2022-02-28 12:07:25 +01:00
W.C.A. Wijngaards
4b772ed571 - Fix to detect that no IPv6 support means that IPv6 addresses are 
useless for delegation point lookups.
 2022-02-25 10:27:56 +01:00
Dimitris Apostolou
c7be51a11b
Fix typos 2022-02-18 15:51:03 +02:00
W.C.A. Wijngaards
c44fe07a07 - Fix #412: cache invalidation issue with CNAME+A. 2022-02-04 14:27:01 +01:00
gthess
11f2e7e6ae
Merge pull request #617 from NLnetLabs/update-host-notation 
Update stub/forward-host notation to accept port and tls-auth-name
 2022-02-02 11:56:27 +01:00
George Thessalonikefs
814a234876 - Update stub/forward-host notation to accept port and tls-auth-name. 
Fixes #546.
 2022-02-01 14:44:29 +01:00
George Thessalonikefs
f857af873e - Update ratelimit code for recent serviced_query changes and more 
accurate ratelimit calculation.
 2022-01-29 23:49:38 +01:00
George Thessalonikefs
ea47c08e70 - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC 
document.
 2022-01-26 14:35:22 +01:00
W.C.A. Wijngaards
6b2e96430e - Fix for #596: fix that rpz return message is returned and not just 
the rcode from the iterator return path. This fixes signal unset RA
  after a CNAME.
 2022-01-05 13:35:18 +01:00
Wouter Wijngaards
9645228f03
Merge pull request #570 from rex4539/typos 
Fix typos
 2021-11-29 11:39:48 +01:00
Tom Carpay
e899b4cefe Make explicit whether edns options are parsed from queries or responses 2021-11-15 13:40:51 +00:00
Dimitris Apostolou
c21d6af617
Fix typos 2021-11-13 16:56:15 +02:00
Tom Carpay
89d7476539 split edns_data.opt_list in opt_list_in and opt_list_out 
opt_list_in for parsed (incoming) edns options, and
opt_list_out for outgoing (to be encoded) edns options
 2021-11-01 12:48:40 +00:00
W.C.A. Wijngaards
829f3c932e - Fix for #41: change outbound retry to int to fix signed comparison 
warnings.
 2021-09-08 15:07:11 +02:00
W.C.A. Wijngaards
750f46d1aa - Small fixes for #41: changelog, conflicts resolved, 
processQueryResponse takes an iterator env argument like other
  functions in the iterator, no colon in string for set_option,
  and some whitespace style, to make it similar to the rest.
 2021-09-08 14:52:56 +02:00
W.C.A. Wijngaards
204edd229e Merge branch 'feature/configure-outbound_msg_retry' of git://github.com/countsudoku/unbound into countsudoku-feature/configure-outbound_msg_retry 2021-09-08 14:38:36 +02:00
Wouter Wijngaards
74f1f0addd
Merge pull request #401 from NLnetLabs/rpz-triggers 
RPZ triggers
 2021-08-25 10:14:12 +02:00
Shchelkunov Artem
ba7598f559
Fix: passed to proc after free 
Found by static analyzer svace
Static analyzer message: Pointer 'dp' is passed to a function at
iter_hints.c:401 after the referenced memory was deallocated at
iter_hints.c:174 by passing as 3rd parameter to function 'hints_insert'
at iter_hints.c:398.

on-behalf-of: @ideco-team <github@ideco.ru>
 2021-08-20 18:06:51 +05:00
W.C.A. Wijngaards
a9de6879b8 Merge branch 'master' into rpz-triggers 2021-08-18 09:53:35 +02:00
W.C.A. Wijngaards
f232562430 Merge branch 'master' into rpz-triggers 2021-08-05 13:37:22 +02:00
Tomasz Ziolkowski
ae45f46b9e Add (stub|forward)-tcp-upstream options which enable using tcp transport only for specified stub/forward zones 2021-08-05 08:44:18 +02:00
George Thessalonikefs
8878680898 - Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This allows 
longer CNAME chains in Unbound.
 2021-08-04 10:53:22 +02:00
W.C.A. Wijngaards
79209823ac - Fix a number of warnings reported by the gcc analyzer. 2021-06-18 18:12:26 +02:00
W.C.A. Wijngaards
32d82fac9b Merge branch 'master' into rpz-triggers 2021-05-14 08:47:56 +02:00
W.C.A. Wijngaards
ecb8aed2f2 - Add that log-servfail prints an IP address and more information 
about one of the last failures for that query.
 2021-04-29 10:24:35 +02:00
W.C.A. Wijngaards
b366441157 Merge branch 'master' into rpz-triggers 2021-04-14 09:39:41 +02:00
W.C.A. Wijngaards
55ba863440 - Fix that nxdomain synthesis does not happen above the stub or 
forward definition.
 2021-04-13 13:52:57 +02:00
George Thessalonikefs
403d0551b7 - Fix (increase) verbosity level for iterator error log in 
processQueryTargets().
 2021-04-12 16:49:45 +02:00
Christian Allred
07c0d04a14 Use max-query-restarts in iterative resolver 2021-04-05 16:25:43 -07:00
W.C.A. Wijngaards
1c75e62804 - rpz-triggers, separate cache storage of RPZ records from network records. 2021-04-01 12:06:14 +02:00
W.C.A. Wijngaards
49d9e91492 Merge branch 'master' into rpz-triggers 2021-03-25 17:28:53 +01:00
W.C.A. Wijngaards
8e7ced72e5 - rpz-triggers, fix that after cname an nsdname or nsip trigger has cname 
rrsets prepended by the iterator.
 2021-03-22 09:42:04 +01:00
W.C.A. Wijngaards
81cd0d76c8 - rpz-triggers, call rpz callback only if there are auth zones configured. 2021-03-22 09:39:12 +01:00
W.C.A. Wijngaards
7f39003c04 - rpz triggers, implement qname trigger after cname. 2021-03-19 17:31:44 +01:00
W.C.A. Wijngaards
0c07861404 - Fix #441: Minimal NSEC range not accepted for top level domains. 2021-03-17 14:04:02 +01:00
W.C.A. Wijngaards
6f507eb036 Merge branch 'master' into rpz-triggers 2021-03-12 09:04:54 +01:00
W.C.A. Wijngaards
3b24d845ff - Fix doxygen and pydoc warnings. 2021-02-18 11:39:06 +01:00
W.C.A. Wijngaards
5943c6f2e3 - Fix to make tests work with support indicators set for iterator. 2021-02-15 14:57:29 +01:00
W.C.A. Wijngaards
74e06cc4b3 - Fix #422: IPv6 fallback issues when IPv6 is not properly 
enabled/configured.
 2021-02-15 14:40:48 +01:00
Christopher Zimmermann
1d23e0c920 Merge remote-tracking branch 'upstream/master' 2021-02-03 13:19:19 +01:00
mb
f78aa90ff1 rpz: nsdname stubs 2020-11-26 11:33:49 +01:00
mb
7acf1a5088 rpz: fix forged response 2020-11-24 16:29:15 +01:00
mb
afc73e28d8 rpz: fix forged messages 2020-11-24 12:02:59 +01:00
mb
b178cf34b6 rpz: update ext_state in the iterator 2020-11-24 11:33:16 +01:00
mb
126e114d6f rpz: forge responses 2020-11-24 11:25:01 +01:00
mb
354c19f6ac rpz: apply trigger at query time not response time 2020-11-24 09:33:08 +01:00
mb
e27b160acd rpz: stubs for nsip triggers 2020-11-13 14:36:00 +01:00
W.C.A. Wijngaards
dd59521e52 dlv removal, remove from comments and unused code in iterator and validator 2020-08-04 17:17:48 +02:00
W.C.A. Wijngaards
ba0f382eee - CVE-2020-12662 Unbound can be tricked into amplifying an incoming 
query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be
  used to make Unbound unresponsive.
 2020-05-19 10:27:27 +02:00
Christopher Zimmermann
c96e4ca121 allow privileged initialisation of modules 2020-05-10 22:30:25 +02:00
Ralph Dolmans
03a37d1ff6 - Keep track of number of timeouts. Use this counter to determine if capsforid 
fallback should be started.
 2020-04-06 18:00:06 +02:00
W.C.A. Wijngaards
318d4e91cc - Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for 
using ipv4 filters, because the hosts ip6 netblock /64 is not owned
  by one operator, and thus reputation is shared.
 2020-02-25 09:55:59 +01:00
W.C.A. Wijngaards
f5e06689d1 - Fix Assert Causing DoS in synth_cname(), 
reported by X41 D-Sec.
 2019-12-03 15:10:36 +01:00
W.C.A. Wijngaards
9f0b260c49 - Fix wrong response ttl for prepended short CNAME ttls, this would 
create a wrong zero_ttl response count with serve-expired enabled.
 2019-09-19 16:29:51 +02:00
Moritz Schneider
79cc049096 Make outbound msg retry configurable 2019-06-12 19:01:28 +02:00
Moritz Schneider
1f9e3e9ba6 Styling: remove trailing whitespaces 2019-06-12 19:01:26 +02:00
Ralph Dolmans
edf1ad369a - Scrub RRs from answer section when reusing NXDOMAIN message for subdomain 
answers.
 - For harden-below-nxdomain: do not consider a name to be non-exitent when
   message contains a CNAME record.


git-svn-id: file:///svn/unbound/trunk@5174 be551aaa-1e26-0410-a405-d3ace91eadb9
 2019-04-18 15:09:15 +00:00
Wouter Wijngaards
91e863138b - Print query name and IP address when domain rate limit exceeded. 
git-svn-id: file:///svn/unbound/trunk@5117 be551aaa-1e26-0410-a405-d3ace91eadb9
 2019-02-18 15:53:02 +00:00
Wouter Wijngaards
a41375411e - Fix capsforid canonical sort qsort callback. 
git-svn-id: file:///svn/unbound/trunk@5114 be551aaa-1e26-0410-a405-d3ace91eadb9
 2019-02-14 08:16:15 +00:00
Wouter Wijngaards
429e130768 - Fix that qname minimisation does not skip a label when missing 
nameserver targets need to be fetched.


git-svn-id: file:///svn/unbound/trunk@5107 be551aaa-1e26-0410-a405-d3ace91eadb9
 2019-02-08 13:30:51 +00:00
Wouter Wijngaards
20d57ec58b - Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2. 
git-svn-id: file:///svn/unbound/trunk@5106 be551aaa-1e26-0410-a405-d3ace91eadb9
 2019-02-07 08:34:28 +00:00
Wouter Wijngaards
a9e028564d Keep scratch region free on exit. 
git-svn-id: file:///svn/unbound/trunk@5101 be551aaa-1e26-0410-a405-d3ace91eadb9
 2019-02-04 15:48:21 +00:00
Wouter Wijngaards
99994a26b0 - Perform canonical sort for 0x20 capsforid compare of replies, 
this sorts rrsets in the authority and additional section before
  comparison, so that out of order rrsets do not cause failure.


git-svn-id: file:///svn/unbound/trunk@5100 be551aaa-1e26-0410-a405-d3ace91eadb9
 2019-02-04 15:22:08 +00:00
Wouter Wijngaards
3028fa50a8 - Patch from Florian Obser fixes some compiler warnings: 
include mini_event.h to have a prototype for mini_ev_cmp
  include edns.h to have a prototype for apply_edns_options
  sldns_wire2str_edns_keepalive_print is only called in the wire2str,
  module declare it static to get rid of compiler warning:
  no previous prototype for function
  infra_find_ip_ratedata() is only called in the infra module,
  declare it static to get rid of compiler warning:
  no previous prototype for function
  do not shadow local variable buf in authzone
  auth_chunks_delete and az_nsec3_findnode are only called in the
  authzone module, declare them static to get rid of compiler warning:
  no previous prototype for function...
  copy_rrset() is only called in the respip module, declare it
  static to get rid of compiler warning:
  no previous prototype for function 'copy_rrset'
  no need for another variable "r"; gets rid of compiler warning:
  declaration shadows a local variable in libunbound.c
  no need for another variable "ns"; gets rid of compiler warning:
  declaration shadows a local variable in iterator.c



git-svn-id: file:///svn/unbound/trunk@5072 be551aaa-1e26-0410-a405-d3ace91eadb9
 2019-01-24 16:05:00 +00:00
Wouter Wijngaards
d48abb9a84 clang analysis fixes, assert arc4random buffer in init, 
no check for already checked delegation pointer in iterator,
in testcode check for NULL packet matches, in perf do not copy
from NULL start list when growing capacity.  Adjust host and file
only when present in test header read to please checker.  In
testcode for unknown macro operand give zero result. Initialise the
passed argv array in test code.  In test code add EDNS data
segment copy only when nonempty.


git-svn-id: file:///svn/unbound/trunk@5070 be551aaa-1e26-0410-a405-d3ace91eadb9
 2019-01-24 11:55:10 +00:00
Wouter Wijngaards
762920232a - For caps-for-id fallback, use the whitelist to avoid timeout 
starting a fallback sequence for it.


git-svn-id: file:///svn/unbound/trunk@5038 be551aaa-1e26-0410-a405-d3ace91eadb9
 2019-01-17 08:50:25 +00:00
Wouter Wijngaards
d96de4c222 - New and better fix for Fix #4193: Fix that prefetch failure does 
not overwrite valid cache entry with SERVFAIL.


git-svn-id: file:///svn/unbound/trunk@4982 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-11-27 10:56:45 +00:00
Wouter Wijngaards
0ff5c52657 - Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work. 
git-svn-id: file:///svn/unbound/trunk@4981 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-11-27 10:29:14 +00:00
Wouter Wijngaards
8fcc82171a - Fix #4193: Fix that prefetch failure does not overwrite valid cache 
entry with SERVFAIL.


git-svn-id: file:///svn/unbound/trunk@4976 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-11-26 10:25:50 +00:00
Wouter Wijngaards
022d5131b3 Fixup. 
git-svn-id: file:///svn/unbound/trunk@4965 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-11-21 06:44:24 +00:00
Wouter Wijngaards
7458729d28 - Scrub NS records from NODATA responses as well. 
git-svn-id: file:///svn/unbound/trunk@4964 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-11-21 06:37:00 +00:00
Wouter Wijngaards
f7e99131b9 - Scrub NS records from NXDOMAIN responses to stop fragmentation 
poisoning of the cache.


git-svn-id: file:///svn/unbound/trunk@4961 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-11-20 09:44:40 +00:00
Wouter Wijngaards
fd5e4e6019 - Fix #4126: RTT_band too low on VSAT links with 600+ms latency, 
adds the option unknown-server-time-limit to unbound.conf that
  can be increased to avoid the problem.


git-svn-id: file:///svn/unbound/trunk@4954 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-10-25 09:21:41 +00:00
Ralph Dolmans
9268f0db50 Please lint by using proper types 
git-svn-id: file:///svn/unbound/trunk@4939 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-10-08 16:33:04 +00:00
Ralph Dolmans
02bd3e2ff1 - Add fast-server-permil and fast-server-num options. 
- Deprecate low-rtt and low-rtt-permil options.


git-svn-id: file:///svn/unbound/trunk@4938 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-10-08 16:03:46 +00:00
Wouter Wijngaards
9be04e6fac - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes 
qname minimisation with a forwarder when connectivity has issues
  from rejecting responses.


git-svn-id: file:///svn/unbound/trunk@4916 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-09-27 08:19:29 +00:00
Wouter Wijngaards
9b6caf5a5b - Fix that with harden-below-nxdomain and qname minisation enabled 
some iterator states for nonresponsive domains can get into a
  state where they waited for an empty list.
- Stop UDP to TCP failover after timeouts that causes the ping count
  to be reset by the TCP time measurement (that exists for TLS),
  because that causes the UDP part to not be measured as timeout.


git-svn-id: file:///svn/unbound/trunk@4912 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-09-17 11:25:52 +00:00
Wouter Wijngaards
8dd6efe5ed - remove unused variable assignment from iterator scrub routine. 
- check for null in delegation point during iterator refetch
  in forward zone.
- neater pointer cast in libunbound context quit routine.


git-svn-id: file:///svn/unbound/trunk@4902 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-09-13 10:36:22 +00:00