DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
Tsinghua University. The fix stops query loops, by refusing to send
RD=0 queries to a forwarder, they still get answered from cache.
* - Introduce leniency for target discovery when under load.
* - Allow for easier testing (to be reverted).
* - Happy compiler.
* - Precheck access to target_fetch_policy.
* - Do not mark a nameserver as resolved when one of A/AAAA is negative.
* - Update fetch_glue.rpl test for (possible) outstanding queries.
* - Update fetch_glue_cname.rpl test for possible outstanding queries.
* - Better fix for fetch_glue_cname.rpl.
* - Fix iter_emptydp_for_glue.rpl to match the referral.
* - Disabled the nxns tests for now (to be reverted).
* - Update iter_recurse.rpl for possible outstanding queries.
* Revert "- Disabled the nxns tests for now (to be reverted)."
This reverts commit 34a9c13a90.
* Revert "- Allow for easier testing (to be reverted)."
This reverts commit b6dfe35e1d.
processQueryResponse takes an iterator env argument like other
functions in the iterator, no colon in string for set_option,
and some whitespace style, to make it similar to the rest.
query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be
used to make Unbound unresponsive.
answers.
- For harden-below-nxdomain: do not consider a name to be non-exitent when
message contains a CNAME record.
git-svn-id: file:///svn/unbound/trunk@5174 be551aaa-1e26-0410-a405-d3ace91eadb9
include mini_event.h to have a prototype for mini_ev_cmp
include edns.h to have a prototype for apply_edns_options
sldns_wire2str_edns_keepalive_print is only called in the wire2str,
module declare it static to get rid of compiler warning:
no previous prototype for function
infra_find_ip_ratedata() is only called in the infra module,
declare it static to get rid of compiler warning:
no previous prototype for function
do not shadow local variable buf in authzone
auth_chunks_delete and az_nsec3_findnode are only called in the
authzone module, declare them static to get rid of compiler warning:
no previous prototype for function...
copy_rrset() is only called in the respip module, declare it
static to get rid of compiler warning:
no previous prototype for function 'copy_rrset'
no need for another variable "r"; gets rid of compiler warning:
declaration shadows a local variable in libunbound.c
no need for another variable "ns"; gets rid of compiler warning:
declaration shadows a local variable in iterator.c
git-svn-id: file:///svn/unbound/trunk@5072 be551aaa-1e26-0410-a405-d3ace91eadb9
no check for already checked delegation pointer in iterator,
in testcode check for NULL packet matches, in perf do not copy
from NULL start list when growing capacity. Adjust host and file
only when present in test header read to please checker. In
testcode for unknown macro operand give zero result. Initialise the
passed argv array in test code. In test code add EDNS data
segment copy only when nonempty.
git-svn-id: file:///svn/unbound/trunk@5070 be551aaa-1e26-0410-a405-d3ace91eadb9
adds the option unknown-server-time-limit to unbound.conf that
can be increased to avoid the problem.
git-svn-id: file:///svn/unbound/trunk@4954 be551aaa-1e26-0410-a405-d3ace91eadb9
qname minimisation with a forwarder when connectivity has issues
from rejecting responses.
git-svn-id: file:///svn/unbound/trunk@4916 be551aaa-1e26-0410-a405-d3ace91eadb9
some iterator states for nonresponsive domains can get into a
state where they waited for an empty list.
- Stop UDP to TCP failover after timeouts that causes the ping count
to be reset by the TCP time measurement (that exists for TLS),
because that causes the UDP part to not be measured as timeout.
git-svn-id: file:///svn/unbound/trunk@4912 be551aaa-1e26-0410-a405-d3ace91eadb9
- check for null in delegation point during iterator refetch
in forward zone.
- neater pointer cast in libunbound context quit routine.
git-svn-id: file:///svn/unbound/trunk@4902 be551aaa-1e26-0410-a405-d3ace91eadb9
caching for the contents of that stub or forward, for when you
want immediate changes visible, from Bjoern A. Zeeb.
git-svn-id: file:///svn/unbound/trunk@4846 be551aaa-1e26-0410-a405-d3ace91eadb9
ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
This also introduces a change to 'ub_event_callback_type' in
libunbound/unbound-event.h.
- Tidy pylib tests.
git-svn-id: file:///svn/unbound/trunk@4828 be551aaa-1e26-0410-a405-d3ace91eadb9
- Fix downstream auth zone, only fallback when auth zone fails to
answer and fallback is enabled.
git-svn-id: file:///svn/unbound/trunk@4610 be551aaa-1e26-0410-a405-d3ace91eadb9
failing with a forwarder set. Now, auth-zone is only used for
answers (not referrals) when a forwarder is set.
git-svn-id: file:///svn/unbound/trunk@4600 be551aaa-1e26-0410-a405-d3ace91eadb9
although it could be changed at a later time, to stay similar to
other implementations.
git-svn-id: file:///svn/unbound/trunk@4560 be551aaa-1e26-0410-a405-d3ace91eadb9
by finding the cname, cname in the existing list, it returns
the partial result with the validation result up to then.
git-svn-id: file:///svn/unbound/trunk@4547 be551aaa-1e26-0410-a405-d3ace91eadb9
