* 'tls-use-system-policy-versions' is introduced to allow Unbound to use
any system available TLS version when serving TLS.
* Apply suggestions from code review
---------
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
* v1 EDER poc
* remove superfluous edns_list_get_option function
* create an EDER configurable
* Hackathon 114
* Fixes for version -04
* Generated configparser and configlexer are not versioned in master anymore
* Remove NOERROR DNS Error Reporting; not part of final RFC.
* Use assigned IANA EDNS0 Option Code for Report-Channel.
* Fix buffer protection and agent domain validity
* Use DNS Error Reporting instead of the eder nickname
* Update documentation.
* Fix typo.
* Bail out early if ede is not present.
* Forget previous EDNS options from upstream; this is what was
implicitly happening but not deterministacally.
* Don't report LDNS_EDE_OTHER and bail early if there is no reporting
agent.
* Only do DNS error reporting when a client asked for something that
went wrong.
* Add an error reporting agent in the parent that should be ignored.
* review feedback.
* fixup for fast reload
* Add 'num.dns_error_reports' to stats and test for it.
---------
Co-authored-by: TCY16 <tom@nlnetlabs.nl>
Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
* Set version to 1.19.1 for point release.
* Initial work for Redis read-only replica support.
* Test for Redis replica.
* Documentation for the Redis replica timeouts.
* redis replica, rewrite set_timeout()
* clean merge.
* Add new options for fast reload.
* Apply suggestions from code review
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
* some more typos
---------
Co-authored-by: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
* - dnsoverquic, configure --with-libngtcp2 option.
* - dnsoverquic, create comm_point for doq and receive cmsg local address.
* - dnsoverquic, less obtrusive debug.
* - dnsoverquic, log and fix local port number. Neater subroutines and ifdefs.
* - dnsoverquic, add testcode/doqclient.
* - dnsoverquic, review fixes on doqclient.
* - dnsoverquic, fix unit test testbound link.
* - dnsoverquic, parse query in doqclient.
* - dnsoverquic, link with libngtcp2_crypto_openssl and code for doqclient.
* - dnsoverquic, random routine for doqclient and fix ngaddr allocation, and
check ub_initstate return.
* - dnsoverquic, fix doqclient free of allocated ngaddr addresses.
* - dnsoverquic, enable debug output with -v for doqclient.
* - dnsoverquic, create and set TLS object and TLS context in doqclient.
* - dnsoverquic, work on quic tls context in doqclient.
* - dnsoverquic, set default dnsoverquic port to the standardized 853 port.
* - dnsoverquic, remove debug comment.
* - dnsoverquic, dns-over-quic quic-port: 853 config option.
* - dnsoverquic, log type of interface created at start of unbound.
* - dnsoverquic, log type of no tls https as https when interface is created.
* - dnsoverquic, setup client quic tls methods.
* - dnsoverquic, event work in doqclient.
* - dnsoverquic, explain in documentation that QUIC uses UDP.
* - dnsoverquic, make doqclient exit.
* - dnsoverquic, doqclient cleanup run routine.
* - dnsoverquic, doqclient code nicer.
* - dnsoverquic, doqclient read and timer.
* - dnsoverquic, doqclient write work.
* - dnsoverquic, review fixes.
* - dnsoverquic, detect openssl quic support at configure time.
* - dnsoverquic, do not allow QUIC on port 53 to stop confusion of DoQ and DNS.
* - dnsoverquic, in doqclient, when idle close is returned, drop the connection
without calling ngtcp2_conn_write_connection_close.
* - dnsoverquic, in doqclient, log callbacks.
* - dnsoverquic, in doqclient add extend_max_local_streams_bidi callback.
* - dnsoverquic, in doqclient add client query lists.
* - dnsoverquic, in doqclient, code cleaner, log text nicer.
* - dnsoverquic, in doqclient, work on write_streams.
* - dnsoverquic, in doqclient, use signed int for stream_id, work on the
ngtcp2_recv_stream_data callback.
* - dnsoverquic, in doqclient, print result and fixes for recv data.
* - dnsoverquic, in doqclient, add the event callbacks to fptr wlist.
* - dnsoverquic, in doqclient, when already expired, use zero timeout timer.
* - dnsoverquic, in doqclient, ignore unused return codes from
ngtcp2_conn_writev_stream.
* - dnsoverquic, add doqclient event functions to the unbound-dnstap-socket
test tool for linking.
* - dnsoverquic, in doqclient, fix multiple operands for the commandline.
neater dns message output.
* - dnsoverquic, in doqclient, store packet when write blocks and try later.
* - dnsoverquic, in doqclient, limit number of packets and number of bytes sent.
* - dnsoverquic, in doqclient, better size estimate for outgoing packet.
* - dnsoverquic, in doqclient, fix that already written next packet is not
counted for data length to send.
* - dnsoverquic, in doqclient, early data transmission and session resumption.
* - dnsoverquic, send version negotiation packet.
* - dnsoverquic, send retry and accept the connection.
* - dnsoverquic, storage structures.
* - dnsoverquic, doq connection setup.
* - dnsoverquic, neater code layout for new conn. Fix verbosity of log print.
* - dnsoverquic, doq conn callback functions.
* - dnsoverquic, doq_fill_rand routine in header file.
* - dnsoverquic, keep track of connection ids.
* - dnsoverquic, get_new_connection_id callback.
* - dnsoverquic, create doq_conid tree.
* - dnsoverquic, settings for server connection.
* - dnsoverquic, tls context.
* - dnsoverquic, sendmsg error handling.
* - dnsoverquic, neat code.
* - dnsoverquic, track doq connection last error.
* - dnsoverquic, neater packet address parameters.
* - dnsoverquic, fix uninitialized bytes in msg control in doq sendmsg, and
fix tree cleanup of conid tree.
* - dnsoverquic, better usage text for doqclient.
* - dnsoverquic, neat code.
* - dnsoverquic, connection receive packet handling.
* - dnsoverquic, debug output.
* - dnsoverquic, debug switched meaning of scid and dcid gives
ERR_TRANSPORT_PARAM.
* - dnsoverquic, remove debug output.
* - dnsoverquic, connection delete routine and error from connection read in
more detail with less clutter.
* - dnsoverquic, write to stream, and receive stream data, log packet.
* - dnsoverquic, alpn set up.
* - dnsoverquic, connection close.
* - dnsoverquic, doq_table and locks.
* - dnsoverquic, fix tests.
* - dnsoverquic, better locking.
* - dnsoverquic, doq_stream.
* - dnsoverquic, remove compile warning.
* - dnsoverquic, doq_stream receive data.
* - dnsoverquic, fixes for locks and keep length bytes allocated.
* - dnsoverquic, lock connection on initial insertion.
* - dnsoverquic, reply information, and reply buffer.
* - dnsoverquic, reply info from cache, local-zone and recursion lookups.
* - dnsoverquic, spelling in comment about buffer storage.
* - dnsoverquic, stream write list and doqclient fixes to exit and printout.
* - dnsoverquic, doqclient -q option for short printout.
* - dnsoverquic, unit test with local data reply.
* - dnsoverquic, write connection and write event is set.
* - dnsoverquic, neater logging for write event connection stream writes.
* - dnsoverquic, log remote connection when the streams are written for it.
* - dnsoverquic, better threaded use, threads can write to doq connections at
the same time.
* - dnsoverquic, unit test for the calculation of connection size with a query.
* - dnsoverquic, use less memory per connection.
* - dnsoverquic, remove unit test output.
* - dnsoverquic, add MSG_DONTWAIT so that there is no mistakenly blocking
socket operations.
* - dnsoverquic, doqclient logs address on connection failures.
* - dnsoverquic, compat code for clock get time routine.
* - dnsoverquic, use skip_test for doq unit test.
* - dnsoverquic, fixes for proxyprotocol, use remote_addr and set proxyprotocol
disabled on the doq connection.
* - dnsoverquic, doqclient sets log identity to its name, instead of "unbound".
* - dnsoverquic, handle blocked udp packet writes.
* - dnsoverquic, fix function documentation for verbose_print_addr from
services/listen_dnsport.c.
* - dnsoverquic, fix doq_conn lock protection. The checklock allows to set
the output file name, and doqclient uses that. Print place of lock_protect.
* - dnsoverquic, neater buffer clear when write of blocked packet fails, make
sure that memory area does not overlap for blocked packet addresses when
write of blocked packet fails, and size blocked packet buffer to the pkt buf.
* - dnsoverquic, move lock check after the test to test script in doq test.
* - dnsoverquic, the doq test uses valgrind when enabled.
* - dnsoverquic, git ignore the doqclient test.
* - dnsoverquic, limit the buffer for packets to max packet size with some more.
* - dnsoverquic, spelling fix.
* - dnsoverquic, timer work, structure and adds and deletes.
* - dnsoverquic, timer_tree uses table.lock.
* - dnsoverquic, fix timer tree remove and spelling in header file comment.
* - dnsoverquic, fix testbound for timer compare function linkage.
* - dnsoverquic, timer set add debug output.
* - dnsoverquic, doq_conn_check_timer function.
* - dnsoverquic, doq_done_setup_timer_and_write function.
* - dnsoverquic, fix that doq conn is not deleted whilst editing write and timer.
* - dnsoverquic, Fix#861 make ERROR netevent.h:1073:32: error: field 'blocked_pkt_pi' has incomplete type
* - dnsoverquic, timer element has timeout setup when socket callback complete.
* - dnsoverquic, fix unit test compile.
* - dnsoverquic, timer callback routine, handle timeout and close and delete the
connection if necessary.
* - dnsoverquic, timer pickup stops at current time.
* - dnsoverquic, timer comparable with the event base time.
* - dnsoverquic, erase marked time when timer disabled.
* - dnsoverquic, fix timer to set correctly and lock popped write connection
early, before it is modified.
* - dnsoverquic, fix to unlock connection lock when it is unlinked and deleted.
* - dnsoverquic, fix to unlock connection lock when it is deleted because it is
a duplicate connection.
* - dnsoverquic, fix that doq timer is not disabled when not set.
* - dnsoverquic, quic-size: 8m maximum number of bytes for QUIC buffers.
* - dnsoverquic, flex and bison.
* - dnsoverquic, quic-size turn away new connections when full.
* - dnsoverquic, doqclient outputs stream reset information.
* - dnsoverquic, detect stream close and reset.
* - dnsoverquic, free stream buffers when data is acked and stream is closed.
* - dnsoverquic, delete stream when closed. Unlink it. Allow stream_id 4 as first.
* - dnsoverquic, stats output for mem.quic and num.query.quic.
* - dnsoverquic, review fix.
* - dnsoverquic, fix when compiled without ngtcp2.
* - dnsoverquic, fix to detect ngtcp2_crypto_quictls for openssl crypto, after
change in libngtcp2.
* - dnsoverquic, fix for newer ngtcp2 versions. detect ngtcp2_ccerr_default,
ngtcp2/ngtcp2_crypto_quictls.h, struct ngtcp2_pkt_hd.tokenlen,
struct ngtcp2_settings.tokenlen and struct ngtcp2_version_cid.
* - dnsoverquic, fix for newer ngtcp2 version, detect number of arguments for
ngtcp2_conn_shutdown_stream.
* - dnsoverquic, fix for newer ngtcp2.
* - dnsoverquic, use the functions from util/timeval_func.h.
* - dnsoverquic, fix in doqclient only write transport parameters once.
* - dnsoverquic, debug log output removed.
* - dnsoverquic, fix in doqclient to work with renamed NGTCP2_CC_ALGO_BBR_V2
from ngtcp2.
* - dnsoverquic, fix to check in doq_server_socket_create that tls-service-key
and tls-service-pem have a value.
* - dnsoverquic, fix to error when doq_server_socket_create fails.
* - dnsoverquic, improve linebreaks in configparser additions.
* - dnsoverquic, fix port from interface pickup after main branch change.
* Fix getting user data from SSL, fix calloc warning.
* Fix fwrite return value check in doqclient
* - timeval_substruct from timeval_func.h
- lock_protect also for HAVE_NGTCP2_CCERR_DEFAULT
- fix doq logging for inet_ntop failures
* - memset for consistency
- no value returned from msghdr_get_ecn when S_SPLINT_S is defined
* - dnsoverquic, rerun autoconf.
---------
Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
that can set the timeout separately for commands and the
connection set up to the redis server. If they are not
specified, the redis-timeout value is used.
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
Enabling this option protects the Unbound resolver against bad
glue, that is unverified out of zone glue, by resolving them.
It uses the records as last resort if there is no other working
glue.
Remove config parser/lexer code as it's rebuilded every time but can
break adding new config options.
Also clean up the code base to avoid mixing actual code changes and lint
issues.
Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
Create server cookies for clients that send client cookies.
Needs to be turned on in the config file with:
answer-cookie: yes
A cookie-secret can be configured for anycast setups.
Also adds an access control list that will allow queries with
either a valid cookie or over a stateful transport.
RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
signal that a domain is externally blocked to clients when it
is blocked with NXDOMAIN by unsetting RA.
