upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
8126 commits 23 branches 209 tags 123 MiB
Commit graph

2126 commits

Author SHA1 Message Date
George Thessalonikefs
95604a90e8 Review for #759: 
- Keep EDE information for keys close to key creation.
- Fix inconsistencies between reply and cached EDEs.
- Incorporate EDE caching checks in EDE tests.
- Fix some EDE cases where missing DNSKEY was wrongly reported.
 2023-07-19 15:20:44 +02:00
George Thessalonikefs
f5a2a58ce3 Review for #759: 
- Fix SEGFAULT in load_cache control command.
- Change reason_bogus_str to an explicit NULL-terminated string.
- Fix potential memory leak when discarding a message for referrals and
  0 TTL answers.
- Fix reason_bogus initialization in localzone answers.
- reply_info creation in validator is always regional.
 2023-07-17 17:26:31 +02:00
George Thessalonikefs
15b8d8b96a Merge branch 'master' into features/ede-caching 2023-07-13 11:25:59 +02:00
Natalie Reece
67e52ea9c5 Exclude EDE before other EDNS options when there isn't enough space 2023-07-11 17:01:26 -06:00
George Thessalonikefs
a952ac17be Merge branch 'tilan7663-subnet_cache_prefetch' into subnet_cache_prefetch 2023-07-07 16:50:58 +02:00
George Thessalonikefs
40e47bf767 - For #664: easier code flow for subnetcache prefetching. 
- For #664: add testcase.
 2023-07-06 22:22:21 +02:00
George Thessalonikefs
f1537e2041 - For #762: please doxygen. 2023-06-22 12:21:27 +02:00
George Thessalonikefs
47cf44cc70 - For #762: relocate edns_opt_list_append_keepalive. 2023-06-22 12:11:28 +02:00
George Thessalonikefs
1cd75cccfc - For #762: More generic integration for siphash.c 2023-06-22 11:45:08 +02:00
George Thessalonikefs
b02f9befcd - For #762: fix compiler C90 warning. 2023-06-14 16:41:01 +02:00
George Thessalonikefs
4f52be4db9 - Introduce num.query.cachedb to track cache hits for the external cache. 2023-05-30 17:49:50 +02:00
W.C.A. Wijngaards
a07ccbae9a - Fix to print debug log for ancillary data with correct IP address. 2023-05-16 09:21:21 +02:00
W.C.A. Wijngaards
b2cba7b707 - Fix doxygen in addr_to_nat64 header definition. 2023-05-04 15:53:05 +02:00
W.C.A. Wijngaards
cac1d13fda - Fix proxy-protocol to read header in multiple reads and check buffer size. 2023-05-02 14:54:51 +02:00
W.C.A. Wijngaards
80153decd1 - Fix proxy-protocol buffer checks when writing and read from buffer. 2023-05-02 14:36:29 +02:00
George Thessalonikefs
adb4aeb609 - For #722: Minor fixes, formatting and refactoring. 2023-05-01 18:23:13 +02:00
George Thessalonikefs
e1ec3cf893 Merge branch 'nat64' of https://github.com/eqvinox/unbound into eqvinox-nat64 2023-04-26 15:14:39 +02:00
W.C.A. Wijngaards
144f29638c - Fix for #882: small changes, date updated in Copyright for 
util/timeval_func.c and util/timeval_func.h. Man page entries and
  example entry.
 2023-04-26 13:49:33 +02:00
Vadim Fedorenko
04540f82e5 config: add sock_queue_timeout configuration 
Add sock_queue_timeout config option to have queue timeout configurable.

Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
 2023-04-26 03:27:19 -07:00
Vadim Fedorenko
2e6ddd6032 netevent: parse and store rcv timestamp from sock 
Add special field in comm_point to store the software receive timestamp
for every particular UDP packet. Aux data parser is updated to read
values and the whole callback is switched to use recvmsg form.

Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
 2023-04-26 03:26:51 -07:00
Vadim Fedorenko
a197aac2f6 timeval_func: move all timeval manipulation to separate file 
There are several definitions of the same functions manipulating timeval
structures. Let's move them to separate file and arrange the code
preperly.

Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
 2023-04-26 03:23:41 -07:00
Vadim Fedorenko
648ad4db6f Linting change. 
Remove config parser/lexer code as it's rebuilded every time but can
break adding new config options.
Also clean up the code base to avoid mixing actual code changes and lint
issues.

Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
 2023-04-25 17:05:00 -07:00
W.C.A. Wijngaards
542f717bf9 - adjust generic proxy-protocol header for IPv6 support with ifdef. 2023-04-25 08:16:19 +02:00
George Thessalonikefs
b5cc8b6c59 - Generalise the proxy protocol code 2023-04-24 16:15:56 +02:00
W.C.A. Wijngaards
8f83c0a2cb - iana portlist update. 2023-03-20 14:55:55 +01:00
George Thessalonikefs
d7e7761141 - Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option 
to ignore the unexpected eof while reading in openssl >= 3.
 2023-03-17 14:39:37 +01:00
Philip Homburg
71e0ddc94a Improved comment 2023-02-21 09:27:03 +01:00
Philip Homburg
d1f5ded1d9 ifdef CLIENT_SUBNET 2023-02-21 09:21:24 +01:00
Philip Homburg
fb06364014 Fix issue #825: interaction between ECS and serve-expired. 2023-02-21 09:20:28 +01:00
George Thessalonikefs
6bf677e7de Fix #833: [FR] Ability to set the Redis password. 2023-01-23 11:45:07 +01:00
W.C.A. Wijngaards
77f15428c9 - Add #835: [FR] Ability to use Redis unix sockets. 2023-01-23 10:09:28 +01:00
W.C.A. Wijngaards
111e66ae64 Changelog note for #819, generate configparser.c and comment syntax change. 
- Merge #819: Added new static zone type block_a to suppress all A
  queries for specific zones.
 2023-01-20 16:19:20 +01:00
Wouter Wijngaards
6a4a9435d1
Merge pull request #819 from pavel-odintsov/pavel/suppress_a 
Added new static zone type block_a to suppress all A queries for specific zones
 2023-01-20 16:18:05 +01:00
W.C.A. Wijngaards
c9233f8429 - Set default for harden-unknown-additional to no. So that it does 
not hamper future protocol developments.
 2023-01-19 15:45:10 +01:00
W.C.A. Wijngaards
8df1e58209 - Add harden-unknown-additional option. Default on and it removes 
unknown records from the authority section and additional section.
  Thanks to Xiang Li, from NISL Lab, Tsinghua University.
 2023-01-19 14:59:18 +01:00
W.C.A. Wijngaards
d69f875261 - Set max-udp-size default to 1232. This is the same default value as 
the default value for edns-buffer-size. It restricts client edns
  buffer size choices, and makes unbound behave similar to other DNS
  resolvers. The new choice, down from 4096 means it is harder to get
  large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
  Tsinghua University.
 2023-01-19 14:16:17 +01:00
Sergey Kacheev
52a4ccee18 add a metric about the maximum number of collisions in lrushah 2023-01-13 13:33:38 +07:00
Pavel Odintsov
d5b9a790fe Added new static zone type block_a to suppress all A queries for specific zones 2023-01-03 19:17:51 +00:00
George Thessalonikefs
df411b3f28 - Updates for #461 (Add max-query-restarts option). 2022-12-13 15:29:22 +01:00
George Thessalonikefs
71db243b0d Merge branch 'restart_conf' of https://github.com/cgallred/unbound into cgallred-restart_conf 2022-12-13 14:35:01 +01:00
George Thessalonikefs
c61b2121b5 - Expose 'max-sent-count' as a configuration option; the 
default value retains Unbound's behavior.
 2022-12-13 13:57:07 +01:00
George Thessalonikefs
859d0f2dfe - Expose 'statistics-inhibit-zero' as a configuration option; the 
default value retains Unbound's behavior.
 2022-12-13 10:47:37 +01:00
W.C.A. Wijngaards
effbf99281 - Fix #782: Segmentation fault in stats.c:404. 2022-11-30 10:18:27 +01:00
W.C.A. Wijngaards
6f7da59b77 - Fix for the ignore of tcp events for closed comm points, preserve 
the use after free protection features.
 2022-11-28 10:04:52 +01:00
Philip-NLnetLabs
b86a97019f
Merge pull request #720 from jonathangray/winsock_uaf 
fix use after free when WSACreateEvent() fails
 2022-11-23 14:08:01 +01:00
TCY16
8b4a8493d0 Merge branch 'master' of github.com:NLnetLabs/unbound into features/ede-caching 2022-11-21 11:34:36 +01:00
W.C.A. Wijngaards
89d9b25090 - iana portlist update. 2022-11-08 15:24:24 +01:00
W.C.A. Wijngaards
52a9e6268e - Fix to make sure to not read again after a tcp comm point is closed. 2022-11-08 13:23:44 +01:00
W.C.A. Wijngaards
8367b24bc5 - Fix to ignore tcp events for closed comm points. 2022-11-08 12:02:48 +01:00
Willem Toorop
8df26b132b Merge branch 'master' into devel/merge-master-into-downstream-cookies 2022-11-07 17:09:20 +00:00
David Lamparter
64fb06f892 NAT64 support 
This implements #721.  Includes documentation and some very basic tests.
Please refer to doc for further detail.
 2022-11-07 11:37:50 +00:00
Florian Obser
08dcae0dab Arithmetic on a pointer to void is a GNU extension. 2022-10-14 13:56:32 +02:00
George Thessalonikefs
d25e0cd9b0 - Fix PROXYv2 header read for TCP connections when no proxied addresses 
are provided.
 2022-10-11 17:39:30 +02:00
W.C.A. Wijngaards
bf1cce6f9b - Fix proxy length debug output printout typecasts. 2022-10-06 15:53:21 +02:00
W.C.A. Wijngaards
c0eaadfc42 - Fix to close errno block in comm_point_tcp_handle_read outside of 
ifdef.
 2022-10-03 16:21:39 +02:00
Yorgos Thessalonikefs
c4e51a4cfe
PROXYv2 downstream support (#760) 2022-10-03 15:29:47 +02:00
Willem Toorop
bd2c202674 The generated lexer and parser sources for configuring cookies 2022-09-28 10:34:06 +02:00
Willem Toorop
75f3fbdd65 Downstream DNS Cookies a la RFC7873 and RFC9018 
Create server cookies for clients that send client cookies.
Needs to be turned on in the config file with:

	answer-cookie: yes

A cookie-secret can be configured for anycast setups.
Also adds an access control list that will allow queries with
either a valid cookie or over a stateful transport.
 2022-09-28 10:28:19 +02:00
Willem Toorop
71f23ef354 extended_error_encode() for extended errors 2022-09-28 09:57:56 +02:00
TCY16
0b176750bd add @wcawijngaards' review comments 2022-09-26 12:14:17 +02:00
TCY16
f0989fc754 differentiate between malloc and regional_alloc 2022-09-26 11:49:49 +02:00
TCY16
c9f90def0a swap malloc for regional_alloc and add free 2022-09-26 11:18:58 +02:00
TCY16
dcfcde2ec8 add cached EDE strings 2022-09-21 11:21:33 +02:00
George Thessalonikefs
d301bfe4a2 - ACL per interface: refactor, complete testing and a bugfix for 
interface names.
 2022-09-11 20:57:41 +02:00
George Thessalonikefs
c30bdff939 Initial commit for interface based ACL. 2022-09-11 20:21:32 +02:00
W.C.A. Wijngaards
57230d7f22 - Fix to log a verbose message at operational notice level if a 
thread is not responding, to stats requests. It is logged with
  thread identifiers.
 2022-09-01 15:14:20 +02:00
TCY16
5f309d0018 Add caching EDEs 2022-09-01 14:10:14 +02:00
W.C.A. Wijngaards
d66e1cccf8 - Fix to set out of file descriptor warning to operational verbosity. 2022-09-01 14:01:56 +02:00
W.C.A. Wijngaards
2450b4653a - Slow down log frequency of write wait failures. 2022-09-01 14:00:29 +02:00
W.C.A. Wijngaards
1f5cc25974 - Fix for wait for udp send to stop when packet is successfully sent. 2022-08-31 16:45:15 +02:00
W.C.A. Wijngaards
ec5812a748 - Fix to wait for blocked write on UDP sockets, with a timeout if it 
takes too long the packet is dropped.
 2022-08-31 11:54:11 +02:00
W.C.A. Wijngaards
10a5a5880a - Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive 
operations, so that instruction reordering does not cause mistakenly
  blocking socket operations.
 2022-08-31 10:11:25 +02:00
W.C.A. Wijngaards
2fa1c17cd9 - Fix to avoid process wide fcntl calls mixed with nonblocking 
operations after a blocked write.
 2022-08-31 10:09:39 +02:00
W.C.A. Wijngaards
dc6c04b243 - Fix to log accept error ENFILE and EMFILE errno, but slowly, once 
per 10 seconds. Also log accept failures when no slow down is used.
 2022-08-12 09:54:29 +02:00
W.C.A. Wijngaards
ef57f8bd51 - Fix #734 [FR] enable unbound-checkconf to detect more (basic) 
errors.
 2022-08-05 14:41:05 +02:00
W.C.A. Wijngaards
f6753a0f10 - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. 2022-08-01 13:24:40 +02:00
Jonathan Gray
1464b166a4 fix use after free when WSACreateEvent() fails 2022-07-22 18:23:59 +10:00
Minghang Chen
249efd4285 Introduce infra-cache-max-rtt option to config max retransmit timeout 
Added the option and let it default to 120 seconds so that it won't change
current behavior.

Related-to #717
 2022-07-16 01:46:18 -07:00
W.C.A. Wijngaards
12cd495d55 - iana portlist update. 2022-07-15 09:20:25 +02:00
W.C.A. Wijngaards
7696398231 - Fix verbose EDE error printout. 2022-07-11 13:13:51 +02:00
George Thessalonikefs
a30286502c - Fix for correct openssl error when adding windows CA certificates to 
the openssl trust store.
 2022-07-03 22:41:39 +02:00
W.C.A. Wijngaards
80dbc7dd2c - iana portlist update. 2022-06-29 09:38:31 +02:00
W.C.A. Wijngaards
11d077c826 - Fix some lint type warnings. 2022-05-20 15:32:27 +02:00
George Thessalonikefs
7e506bb477 - Fix typos in config_set_option for the 'num-threads' and 
'ede-serve-expired' options.
 2022-05-18 19:56:26 +03:00
W.C.A. Wijngaards
e62b309959 - For #677: Added tls-system-cert to config parser and documentation. 
- Changelog note for #677.
 2022-05-12 16:30:19 +02:00
Wouter Wijngaards
2132e67b36
Merge pull request #677 from InfrastructureServices/use-system-cas 
Allow using system certificates not only on Windows
 2022-05-12 16:16:49 +02:00
Petr Mensik
0abfddd279 Allow using system certificates not only on Windows 
OpenSSL has a way to load default file. That file might contain usable
certificates to verify common connections. Allow similar trust as on
windows and leave it on openssl package to provide sane defaults.

Also provide use-system-cert alias, because it is not windows specific
anymore.
 2022-05-12 16:07:41 +02:00
W.C.A. Wijngaards
f0d91950ad - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to 
host.
 2022-05-11 17:10:42 +02:00
tcarpay
0ce36e8289
Add the basic EDE (RFC8914) cases (#604) 2022-05-06 12:48:53 +02:00
Christian Allred
d19e12ab5d Merge branch 'master' of https://github.com/NLnetLabs/unbound into restart_conf 2022-04-18 12:16:40 -07:00
George Thessalonikefs
b8e7dfa01e - Various fixes for #632: variable initialisation, convert the qinfo 
to str once, accept trailing dot in the local-zone ipset option.
 2022-03-02 14:29:56 +01:00
Wouter Wijngaards
fbbb42c9d4
Merge pull request #631 from mollyim/boringssl-compat 
Replace OpenSSL's ERR_PACK with ERR_GET_REASON
 2022-02-18 09:37:34 +01:00
Oscar Mira
78aee89201 Replace OpenSSL's ERR_PACK with ERR_GET_REASON 2022-02-17 20:20:18 +01:00
W.C.A. Wijngaards
2b90181d3a - Fix #628: A rpz-passthru action is not ending RPZ zone processing. 2022-02-15 16:20:12 +01:00
W.C.A. Wijngaards
a0feea393a - Fix #618: enabling interface-automatic disables DNS-over-TLS. 
Adds the option to list interface-automatic-ports.
 2022-02-11 10:58:53 +01:00
W.C.A. Wijngaards
e656be63f9 - Fix header comment for doxygen for authextstrtoaddr. 2022-02-02 13:20:46 +01:00
gthess
11f2e7e6ae
Merge pull request #617 from NLnetLabs/update-host-notation 
Update stub/forward-host notation to accept port and tls-auth-name
 2022-02-02 11:56:27 +01:00
George Thessalonikefs
32c3bbd249 - Change aggressive-nsec default to yes. 2022-02-02 11:25:08 +01:00
gthess
358e3a5963
Merge pull request #616 from NLnetLabs/bugfix/ratelimit 
Update ratelimit logic
 2022-02-02 11:16:04 +01:00
George Thessalonikefs
814a234876 - Update stub/forward-host notation to accept port and tls-auth-name. 
Fixes #546.
 2022-02-01 14:44:29 +01:00
W.C.A. Wijngaards
84df46289d - iana portlist update. 2022-01-31 10:53:22 +01:00
George Thessalonikefs
3086335724 - Introduce ratelimit-backoff and ip-ratelimit-backoff options for more 
aggressive rate limiting.
 2022-01-30 00:36:29 +01:00
George Thessalonikefs
f857af873e - Update ratelimit code for recent serviced_query changes and more 
accurate ratelimit calculation.
 2022-01-29 23:49:38 +01:00
George Thessalonikefs
c49e87e1b7 - Fix tls-* and ssl-* documented alternate syntax to also be available 
through remote-control and unbound-checkconf.
 2022-01-29 15:11:47 +01:00
George Thessalonikefs
f0c6d26155 - Better bookkeeping when reclaiming the TCP buffer. 2022-01-25 10:32:37 +01:00
George Thessalonikefs
c3c0186658 - Add serviced_query timer to send upstream queries outside of the mesh 
flow to prevent race conditions.
 2022-01-25 00:01:43 +01:00
W.C.A. Wijngaards
2996040c6c - Add rpz: for-downstream: yesno option, where the RPZ zone is 
authoritatively answered for, so the RPZ zone contents can be
  checked with DNS queries directed at the RPZ zone.
 2022-01-14 16:23:43 +01:00
W.C.A. Wijngaards
392c1f0f54 - Fix #596: unset the RA bit when a query is blocked by an unbound 
RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
  signal that a domain is externally blocked to clients when it
  is blocked with NXDOMAIN by unsetting RA.
 2022-01-04 13:40:07 +01:00
W.C.A. Wijngaards
4efbee08b5 - Fix compile warning for if_nametoindex on windows 64bit. 2021-12-03 10:44:47 +01:00
gthess
43615e98b5
Merge pull request #522 from sibeream/net_help_RESOURCE_LEAK 
- memory management violations fixed
 2021-12-01 03:59:32 +01:00
gthess
806a75808d
Merge pull request #562 from NLnetLabs/bugfix/reset-keepalive-per-tcp-session 
Reset keepalive per new tcp session
 2021-12-01 03:57:04 +01:00
gthess
ba9356af99
Merge pull request #555 from fobser/if_nametoindex 
Allow interface names as scope-id in IPv6 link-local addresses.
 2021-12-01 03:54:45 +01:00
W.C.A. Wijngaards
88da8ce174 - iana portlist update. 2021-11-30 15:05:27 +01:00
Wouter Wijngaards
9645228f03
Merge pull request #570 from rex4539/typos 
Fix typos
 2021-11-29 11:39:48 +01:00
tcarpay
c47e98a659
Merge pull request #563 from NLnetLabs/bugfix/general-edns-options3 
Better positioning of general EDNS option handling: revisited V2
 2021-11-15 15:14:51 +01:00
Tom Carpay
ff030fa332 Clarify KEEPALIVE EDNS0 option operation 2021-11-15 14:00:31 +00:00
Tom Carpay
e899b4cefe Make explicit whether edns options are parsed from queries or responses 2021-11-15 13:40:51 +00:00
Tom Carpay
b47dc528aa add missing return code 2021-11-15 12:33:08 +00:00
Dimitris Apostolou
c21d6af617
Fix typos 2021-11-13 16:56:15 +02:00
tcarpay
a0df340b1e
Update util/data/msgparse.c 
Co-authored-by: gthess <george@nlnetlabs.nl>
 2021-11-08 12:28:03 +01:00
TCY16
8205c87a96 complete renaming of the modules edns list 2021-11-08 11:50:29 +01:00
tcarpay
fa73142b79
Apply suggestions from code review 
Co-authored-by: Willem Toorop <willem@nlnetlabs.nl>
 2021-11-08 11:02:54 +01:00
George Thessalonikefs
24eded6ef9 - Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event. 2021-11-05 11:21:30 +01:00
George Thessalonikefs
431b749d7a - Fix for #558: fix loop in comm_point->tcp_free when a comm_point is reclaimed 
more than once during callbacks.
 2021-11-05 11:19:08 +01:00
Willem Toorop
53a1677828 Reset keepalive per new tcp session 2021-11-01 21:06:07 +01:00
Tom Carpay
cb48d9e4a1 Fix keepalive logic 2021-11-01 15:01:07 +00:00
Tom Carpay
5f8447830a Move option handling to parse-time 2021-11-01 13:48:31 +00:00
Tom Carpay
89d7476539 split edns_data.opt_list in opt_list_in and opt_list_out 
opt_list_in for parsed (incoming) edns options, and
opt_list_out for outgoing (to be encoded) edns options
 2021-11-01 12:48:40 +00:00
Tom Carpay
3ebfa9fc97 Outgoing module options go to opt_list_modules_out 
And opt_list_modules_out is reset in case of failure
BEWARE! No options from modules will be encoded in the responses now!
 2021-10-27 14:01:56 +00:00
Tom Carpay
3e6eeb504d Modules have their own outgoing ends options list 
But nothing happens with it yet
 2021-10-27 13:48:49 +00:00
Florian Obser
8756f1e4c7 Allow interface names as scope-id in IPv6 link-local addresses. 
For example, this makes
forward-zone:
    name: "."
    forward-addr: fe80::20d:b9ff:fe46:c7f4%vio0
    forward-first: yes

work instead of fe80::20d:b9ff:fe46:c7f4%1.
 2021-10-24 16:06:55 +02:00
W.C.A. Wijngaards
ecb0b44ba8 - Fix to protect custom regional create against small values. 2021-10-11 17:23:30 +02:00
W.C.A. Wijngaards
9f26f397a9 - Fix crosscompile windows to use libssp when it exists. 
- For the windows compile script disable gost.
- Fix that on windows, use BIO_set_callback_ex instead of deprecated
 2021-09-21 13:51:34 +02:00
W.C.A. Wijngaards
829f3c932e - Fix for #41: change outbound retry to int to fix signed comparison 
warnings.
 2021-09-08 15:07:11 +02:00
W.C.A. Wijngaards
750f46d1aa - Small fixes for #41: changelog, conflicts resolved, 
processQueryResponse takes an iterator env argument like other
  functions in the iterator, no colon in string for set_option,
  and some whitespace style, to make it similar to the rest.
 2021-09-08 14:52:56 +02:00
W.C.A. Wijngaards
204edd229e Merge branch 'feature/configure-outbound_msg_retry' of git://github.com/countsudoku/unbound into countsudoku-feature/configure-outbound_msg_retry 2021-09-08 14:38:36 +02:00
Thomas du Boÿs
ebb4987146 Fix subnetcache statistics 2021-09-03 10:37:07 +02:00
W.C.A. Wijngaards
520fa84265 - Fix tcp fastopen failure when disabled, try normal connect instead. 2021-09-01 16:21:10 +02:00
W.C.A. Wijngaards
4b2799fdd6 - Fix #533: Negative responses get cached even when setting 
cache-max-negative-ttl: 1
 2021-08-27 10:33:21 +02:00
Wouter Wijngaards
74f1f0addd
Merge pull request #401 from NLnetLabs/rpz-triggers 
RPZ triggers
 2021-08-25 10:14:12 +02:00
W.C.A. Wijngaards
54b7554b5a Changelog note for #529 and nicer layout. 
- Fix #529: Fix: log_assert does nothing if UNBOUND_DEBUG is
  undefined.
 2021-08-20 14:32:13 +02:00
Shchelkunov Artem
4ea9651624
Fix: log_assert does nothing if UNBOUND_DEBUG is undefined 
Found by static analyzer svace
Static analyzer message: Integer value 'len' obtained from untrusted
source at tube.c:374 by passing as 2nd parameter to function 'read'
at tube.c:340 without checking its higher bound is used as a loop bound
at tube.c:374.


on-behalf-of: @ideco-team <github@ideco.ru>
 2021-08-20 17:16:39 +05:00
W.C.A. Wijngaards
a9de6879b8 Merge branch 'master' into rpz-triggers 2021-08-18 09:53:35 +02:00
W.C.A. Wijngaards
d88f554503 - Fix #527: not sending quad9 cert to syslog (and may be more). 2021-08-17 13:03:33 +02:00
W.C.A. Wijngaards
ad45e9b89e - Fix for #431: Squelch permission denied errors for udp connect, 
and udp send, they are visible at higher verbosity settings.
 2021-08-13 09:27:58 +02:00
W.C.A. Wijngaards
de31bcdf2e - Support using system-wide crypto policies. 2021-08-13 09:21:47 +02:00
W.C.A. Wijngaards
2f828ec720 - For #519: yacc and lex. And fix python bindings, and test program 
unbound-dnstap-socket.
 2021-08-12 15:12:55 +02:00
Wouter Wijngaards
0ace659fe2
Merge pull request #519 from ziollek/tcp_upstream_option 
Support for selective enabling tcp-upstream for stub/forward zones
 2021-08-12 15:03:57 +02:00
Wouter Wijngaards
79df099f4c
Merge pull request #523 from Shchelk/bugfix 
fix: free() call more than once with the same pointer
 2021-08-12 13:45:00 +02:00
Shchelkunov Artem
e20b2c1aaf fix: free() call more than once with the same pointer 2021-08-11 15:14:43 +05:00
Artem Egorenkov
0d8dd6ec33 - memory management violations fixed 2021-08-06 14:11:12 +02:00
liheng562653799
edbf9c21ee
Update mini_event.c 
When in heavy load, unbound opens many outside_network sockets for out going queries to delegation servers, which may result in a big fd(maxfd) value(for thread A 65500, for thread B 65501, for thread C ...). 
There are situations when thread A has a max fd num 65500 where maxfd is of course 65500, thread B has max fd num 20 for now but maxfd is still 65501. Though linux kernel checks whether maxfd+1  passed by select syscall  is really the process' maxfd+1. Linux kernel can not tell maxfd+1 passed by thread B select syscall is much bigger(65501+1 or 65500+1  after trimed by kerne) than it should be (20+1).
In this situation, when kernel do_select() for thread B, much work is wasted.
 2021-08-06 12:00:56 +08:00
W.C.A. Wijngaards
f232562430 Merge branch 'master' into rpz-triggers 2021-08-05 13:37:22 +02:00
Tomasz Ziolkowski
ae45f46b9e Add (stub|forward)-tcp-upstream options which enable using tcp transport only for specified stub/forward zones 2021-08-05 08:44:18 +02:00
gthess
bdaecd942d
Merge pull request #415 from sibeream/master 
Use /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing ports
 2021-08-04 10:42:12 +02:00
W.C.A. Wijngaards
2a0df9e72e - Annotate assertion into error printout; we think it may be an 
error, but the situation looks harmless.
 2021-08-03 14:08:30 +02:00
Wouter Wijngaards
5196ee03e6
Merge pull request #517 from dyunwei/master 
#420 breaks the mesh reply list function that need to reuse the dns answer.
 2021-08-03 13:11:01 +02:00
George Thessalonikefs
a519009378 Merge branch 'master' of github.com:NLnetLabs/unbound 2021-08-03 12:20:45 +02:00
George Thessalonikefs
ca67691092 - Listen to read or write events after the SSL handshake. 
Sticky events on windows would stick on read when write was needed.
 2021-08-03 12:18:58 +02:00
daiyunwei
0784ad7a11 #420 
clear the c->buffer in the comm_point_send_reply does resolve the "can't fit qbuffer in c->buffer" issue, but it breaks the mesh reply list function that need to reuse the answer. because the c->buffer is cleared in the comm_point_send_reply, it cannot be resued again. it means that it is not inappropriate to clear c->buffer in the comm_point_send_reply.

After some investigation, i found it is appropriate to clear c->buffer before use in the http2_query_read_done.
 2021-08-03 11:40:30 +08:00
W.C.A. Wijngaards
89e2f2f753 - iana portlist update. 2021-08-02 15:26:20 +02:00
W.C.A. Wijngaards
b6abcb1508 - For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and 
SSL_get_peer_certificate.
- Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
 2021-07-30 13:54:43 +02:00
Artem Egorenkov
d9153cb35b Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux 2021-07-20 14:46:43 +02:00
George Thessalonikefs
ca4d68c64c - Introduce 'http-user-agent:' and 'hide-http-user-agent:' options. 2021-07-16 14:32:18 +02:00
W.C.A. Wijngaards
8180ca192f - Fix for #510: in depth, use ifdefs for windows api event calls. 2021-07-16 09:12:06 +02:00
Nick Porter
2c3f764d61
Don't call a function which hasn't been defined 2021-07-15 17:55:33 +01:00
W.C.A. Wijngaards
3f7e164751 - iana portlist update. 2021-07-06 15:15:43 +02:00
W.C.A. Wijngaards
79209823ac - Fix a number of warnings reported by the gcc analyzer. 2021-06-18 18:12:26 +02:00
George Thessalonikefs
d02e956da0 - Changelog entry for #486: Make VAL_MAX_RESTART_COUNT configurable. 
- Generetated lexer and parser for #486; updated example.conf.
 2021-06-09 12:32:58 +02:00
gthess
45be341267
Merge pull request #486 from fobser/val-max-restart 
Make VAL_MAX_RESTART_COUNT configurable.
 2021-06-09 12:09:27 +02:00
W.C.A. Wijngaards
cf0aad9fb6 Merge branch 'master' into rpz-triggers 2021-05-28 15:00:55 +02:00
W.C.A. Wijngaards
ea4f1ee8a6 - zonemd-check: yesno option, default no, enables the processing 
of ZONEMD records for that zone.
 2021-05-27 14:20:53 +02:00
Jim Hague
6066a24405 Use build system endianness if available, otherwise try to work it out. 
The getdns build system provides the endianness, enabling building on
Windows native. This change is a convenience for getdns maintainers.
 2021-05-27 10:57:35 +01:00
W.C.A. Wijngaards
11b3ebc386 - Move the NSEC3 max iterations count in line with the 150 value 
used by BIND, Knot and PowerDNS. This sets the default value
  for it in the configuration to 150 for all key sizes.
 2021-05-25 14:35:19 +02:00
W.C.A. Wijngaards
e5cb48c432 Merge branch 'master' into rpz-triggers 2021-05-21 14:09:30 +02:00
George Thessalonikefs
ff6b527184 - Fix for #411, #439, #469: Reset the DNS message ID when moving queries 
between TCP streams.
- Refactor for uniform way to produce random DNS message IDs.
 2021-05-19 15:07:32 +02:00
W.C.A. Wijngaards
355526da7d - rpz-triggers, the added soa for client ip modified answers is affected 
by the minimal-responses config option.
 2021-05-14 16:34:38 +02:00
W.C.A. Wijngaards
50dcadd495 - rpz-triggers, for clientip modified answers the rpz SOA is added to the 
additional section with the serial number and name of the rpz zone that
  was applied.
 2021-05-14 15:34:48 +02:00
W.C.A. Wijngaards
32d82fac9b Merge branch 'master' into rpz-triggers 2021-05-14 08:47:56 +02:00
Florian Obser
d4314cad33 Make VAL_MAX_RESTART_COUNT configurable. 
unbound tries very hard (up to 6 authoritative servers) to find a
validating answer. This is not always desirable, for example on high
latency links.
 2021-05-08 16:56:32 +02:00
W.C.A. Wijngaards
80f06ae9b1 - Rerun flex and bison. 2021-05-04 16:24:16 +02:00
George Thessalonikefs
e9a5f5ab3f - Add more logging for out-of-memory cases. 2021-05-04 15:39:06 +02:00
André Cruz
e07f973938
Allow configuration of TCP timeout while waiting for response 
This allows us to configure how long Unbound will wait for a response
on a TCP connection.
 2021-04-28 16:20:46 +01:00
George Thessalonikefs
45328d37b1 - Fix compiler warning for signed/unsigned comparison for 
max_reuse_tcp_queries.
 2021-04-28 16:15:52 +02:00
W.C.A. Wijngaards
4604f30d70 - Fix #474: always_null and others inside view. 2021-04-28 14:05:23 +02:00
Wouter Wijngaards
646d6b9bce
Merge pull request #470 from edevil/configurable_tcp 
Allow configuration of persistent TCP connections
 2021-04-26 16:07:16 +02:00
W.C.A. Wijngaards
25425d9aa7 - Fix #468: OpenSSL 1.0.1 can no longer build Unbound. 2021-04-22 09:00:15 +02:00
André Cruz
75875d4d1c
Allow configuration of persistent TCP connections 
Added 2 new options to configure previously hardcoded
values: max-reuse-tcp-queries and tcp-reuse-timeout. These
allow fine-grained control over how unbound uses persistent
TCP connections to authority servers.
 2021-04-21 13:50:45 +01:00
Felipe Gasper
0efccaa1eb Support OpenSSLs that lack SSL_get0_alpn_selected. 2021-04-19 13:05:50 -04:00
W.C.A. Wijngaards
b366441157 Merge branch 'master' into rpz-triggers 2021-04-14 09:39:41 +02:00
George Thessalonikefs
13e445d50b - Remove unused functions worker_handle_reply and 
libworker_handle_reply.
 2021-04-13 14:54:26 +02:00
W.C.A. Wijngaards
addd21f750 - Fix permission denied sendto log, squelch the log messages 
unless high verbosity is set.
 2021-04-12 11:18:23 +02:00
Christian Allred
0e3068559c Add max-query-restarts to grammar and lexer 2021-04-05 16:24:49 -07:00
Christian Allred
41fa45c99e Add max-query-restarts config parameter 2021-04-05 15:41:53 -07:00
W.C.A. Wijngaards
1c75e62804 - rpz-triggers, separate cache storage of RPZ records from network records. 2021-04-01 12:06:14 +02:00
W.C.A. Wijngaards
49d9e91492 Merge branch 'master' into rpz-triggers 2021-03-25 17:28:53 +01:00
W.C.A. Wijngaards
ff0c5f863d - Fix #429: Also fix end of transfer for http download of auth zones. 2021-03-25 12:18:49 +01:00
W.C.A. Wijngaards
5b782d0a22 - iana portlist update. 2021-03-22 09:12:41 +01:00
W.C.A. Wijngaards
57d4c3a8a4 - Fix for #447: squelch connection refused tcp connection failures 
from the log, unless verbosity is high.
 2021-03-19 17:43:36 +01:00
W.C.A. Wijngaards
6f507eb036 Merge branch 'master' into rpz-triggers 2021-03-12 09:04:54 +01:00
W.C.A. Wijngaards
9753f36463 - iana portlist update. 2021-03-04 10:14:32 +01:00
Wouter Wijngaards
209dc32624
Merge pull request #367 from NLnetLabs/dnstap-log-local-addr 
DNSTAP log local address
 2021-02-25 11:58:36 +01:00
W.C.A. Wijngaards
6612974d12 - spelling fix in header. 2021-02-24 16:56:57 +01:00
W.C.A. Wijngaards
a9e15f36d8 - Fix unit test for added ulimit checks. 2021-02-24 15:30:12 +01:00
W.C.A. Wijngaards
40fbc3fa8a - Fix #431: Squelch permission denied errors for tcp connect 2021-02-22 08:24:04 +01:00
W.C.A. Wijngaards
bc4bdbabea - Fix #429: rpz: url: with https: broken (regression in 1.13.1). 2021-02-19 14:42:02 +01:00
W.C.A. Wijngaards
f5339ec7e5 Merge branch 'master' into dnstap-log-local-addr 2021-02-18 13:12:09 +01:00
W.C.A. Wijngaards
3b24d845ff - Fix doxygen and pydoc warnings. 2021-02-18 11:39:06 +01:00
W.C.A. Wijngaards
c906401597 Merge branch 'master' into zonemd 2021-02-12 17:21:51 +01:00
yunwei
5d5e4579de
Merge pull request #1 from NLnetLabs/master 
synchronize the code.
 2021-02-10 09:03:38 +08:00
W.C.A. Wijngaards
b7a633fdc0 Merge branch 'master' into zonemd 2021-02-04 16:08:11 +01:00
Christopher Zimmermann
1d23e0c920 Merge remote-tracking branch 'upstream/master' 2021-02-03 13:19:19 +01:00
W.C.A. Wijngaards
ad8104bb7c - Fix empty clause warning in edns pass for padding. 2021-01-28 09:15:45 +01:00
W.C.A. Wijngaards
3a19ceaae6 - Fix to use correct type for label count in ipdnametoaddr rpz routine. 2021-01-28 09:14:19 +01:00
W.C.A. Wijngaards
cb55b5906a - Fix empty clause warning in config_file nsid parse. 2021-01-28 09:11:46 +01:00
George Thessalonikefs
515df834a5 Merge branch 'rijswijk-orig_ttl' 2021-01-26 12:58:38 +01:00
George Thessalonikefs
707eb6108d Merge branch 'yacc-clashes' of https://github.com/fobser/unbound into fobser-yacc-clashes 2021-01-25 20:56:36 +01:00
George Thessalonikefs
f5b7169729 Merge branch 'orig_ttl' of https://github.com/rijswijk/unbound into rijswijk-orig_ttl 2021-01-25 17:39:24 +01:00
Willem Toorop
ca2139bf3d Some review nits from George 2021-01-25 15:13:54 +01:00
Roland van Rijswijk-Deij
d253db04fd Addressed review comment from @wcawijngaards 2021-01-22 18:56:09 +00:00
Roland van Rijswijk-Deij
c4c849d878 Rebase on master 2021-01-22 16:44:56 +00:00
Willem Toorop
48ecf95108 Merge branch 'master' into features/padding 2021-01-22 10:29:50 +01:00
yunwei
0215500261
Update netevent.c 
#386
I found the root cause of this issue. r_buffer is r->query_reply.c->buffer, used to fill the reply in the mesh_send_reply function, then call comm_point_send_reply, and then call http2_submit_dns_response to send the DOH response. However, the buffer is not cleared after use. If the query length is greater than the last response length, the next dns query in the same H2 session will encounter an error.
This is bug!!!

Clear the buffer after use.
 2021-01-20 14:12:51 +08:00
Florian Obser
68d92b7bbb Prevent a few more yacc clashes. 2021-01-19 17:13:00 +01:00
Willem Toorop
a152c7f907 Merge branch 'master' into features/nsid 2021-01-19 14:21:18 +01:00
W.C.A. Wijngaards
c125fe67bc - Fix #404: DNS query with small edns bufsize fail. 2021-01-18 08:29:52 +01:00
W.C.A. Wijngaards
cdb60adcdc Merge branch 'rpz' of https://github.com/magenbluten/unbound into magenbluten-rpz 
Conflict fixed for rpz.disabled check added.
 2021-01-14 12:11:29 +01:00
xiangbao227
93e5705259 I found that in function lruhash_remove, table was locked at first ,then lru_remove the entry , then unlock the table, and then markdel entry , but in function rrset_cache_touch , the entry will be touched to lru again before markdelling entry in function lruhash_remove. This is a bug! 2021-01-13 10:33:41 +08:00
W.C.A. Wijngaards
d1b92a6ce2 - Fix so local zone types always_nodata and always_deny can be used 
from the config file.
 2021-01-12 13:39:07 +01:00
W.C.A. Wijngaards
3322f631e5 - Fix #397: [Feature request] add new type always_null to local-zone 
similar to always_nxdomain.
 2021-01-12 13:35:05 +01:00
W.C.A. Wijngaards
d9dd7bc36f - Add comment documentation. 2021-01-08 11:01:06 +01:00
W.C.A. Wijngaards
ee2545d939 - For #391: fix indentation. 2021-01-08 09:53:52 +01:00
W.C.A. Wijngaards
3e03e2c26d - For #391: use struct timeval* start_time for callback information. 2021-01-08 09:47:46 +01:00
Wouter Wijngaards
48724de155
Merge pull request #391 from fhriley/reply_cb_start_time 
Add start_time to reply callbacks so modules can compute the response…
 2021-01-08 09:35:07 +01:00
Anton Lindqvist
422213c171 add missing null check 
I have a unbound forward zone configured on my router for my $DAYJOB.
The address associated with the zone is only accessible when the router
is connected to a VPN. If the VPN connection is absent, trying to
resolve any domain that must be handled by the zone crashes unbound.
Turns out there's a missing NULL check in `comm_point_send_udp_msg()`.
The same routine already has `if (addr) {} else {}` branches so I guess
protecting the call to `log_addr()` using the same conditional is
reasonable

I have also committed the same fix to unbound shipped with OpenBSD[1].

[1] https://marc.info/?l=openbsd-cvs&m=160993335615698&w=2
 2021-01-06 12:44:26 +01:00
W.C.A. Wijngaards
44075a06a5 - Fix #379: zone loading over HTTP appears to have buffer issues. 2021-01-06 10:36:23 +01:00
W.C.A. Wijngaards
64cccdb8d5 - iana portlist updated. 2021-01-04 14:18:24 +01:00
W.C.A. Wijngaards
4d51c6b86e - For #376: Fix that comm point event is not double removed or double 
added to event map.
 2021-01-04 14:05:50 +01:00
Frank Riley
e3abd772f7 Add start_time to reply callbacks so modules can compute the response time. 2021-01-01 15:44:21 -07:00
Frank Riley
28b45e1d87 Add missing callbacks to the python module 2021-01-01 10:19:32 -07:00
George Thessalonikefs
08968baec1 - Fix error cases when udp-connect is set and send() returns an error 
(modified patch from Xin Li @delphij).
 2020-12-16 17:11:41 +01:00
Wouter Wijngaards
48c038391a
Merge pull request #373 from fobser/void-arithmetic 
Warning: arithmetic on a pointer to void is a GNU extension.
 2020-12-11 14:07:30 +01:00
Wouter Wijngaards
29b5b25852
Merge pull request #335 from fobser/static 
Sprinkle in some static to prevent missing prototype warnings.
 2020-12-11 14:03:46 +01:00
Florian Obser
15e1b16da0 Warning: arithmetic on a pointer to void is a GNU extension. 2020-12-11 14:00:20 +01:00
W.C.A. Wijngaards
7077660932 - Fix to squelch permission denied and other errors from remote host, 
they are logged at higher verbosity but not on low verbosity.
 2020-12-11 10:30:54 +01:00
W.C.A. Wijngaards
51e431ada1 doxygen comments fixup 2020-12-09 14:17:02 +01:00
W.C.A. Wijngaards
6bf1293bcd No need for mk_local_addr, can pass the sockaddr structure. 2020-12-09 11:56:35 +01:00
W.C.A. Wijngaards
7167153db5 configure test for struct sockaddr_in6 sin6_len member 2020-12-09 11:41:07 +01:00
W.C.A. Wijngaards
72d3b588ca For the DoH create_http_handler, also pass the socket. 2020-12-09 11:29:57 +01:00
W.C.A. Wijngaards
31cedb47cb Remove unused whitespace, add missing header change, make it compile 2020-12-09 11:13:58 +01:00