upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
8126 commits 23 branches 209 tags 123 MiB
Commit graph

608 commits

Author SHA1 Message Date
Willem Toorop
75f3fbdd65 Downstream DNS Cookies a la RFC7873 and RFC9018 
Create server cookies for clients that send client cookies.
Needs to be turned on in the config file with:

	answer-cookie: yes

A cookie-secret can be configured for anycast setups.
Also adds an access control list that will allow queries with
either a valid cookie or over a stateful transport.
 2022-09-28 10:28:19 +02:00
TCY16
0b176750bd add @wcawijngaards' review comments 2022-09-26 12:14:17 +02:00
TCY16
dcfcde2ec8 add cached EDE strings 2022-09-21 11:21:33 +02:00
W.C.A. Wijngaards
f6753a0f10 - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. 2022-08-01 13:24:40 +02:00
George Thessalonikefs
efdd70c7b5 - Cleanup some comments and TODO text. 2022-07-23 19:55:15 +02:00
George Thessalonikefs
eda0c0c194 - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for 
one loop pass'.
 2022-07-04 09:34:45 +02:00
George Thessalonikefs
309b1d368b - Reintroduce documentation and more EDE support for 
val_sigcrypt.c::dnskeyset_verify_rrset_sig.
 2022-07-04 00:06:26 +02:00
George Thessalonikefs
c513119bba - Improve val_sigcrypt.c::algo_needs_missing for one loop pass. 2022-07-03 23:32:18 +02:00
George Thessalonikefs
317bab9f1d For #660: formatting, less verbose logging, add EDE information. 2022-07-03 22:32:56 +02:00
Yorgos Thessalonikefs
e102aea751
Merge pull request #660 from InfrastructureServices/sha1-runtime-insecure 
Sha1 runtime insecure
 2022-07-03 22:24:58 +02:00
George Thessalonikefs
391dd86c3b Merge branch 'master' into InfrastructureServices-fips-mode-algo-ed25519 2022-07-01 17:34:09 +02:00
W.C.A. Wijngaards
11d077c826 - Fix some lint type warnings. 2022-05-20 15:32:27 +02:00
Petr Mensik
917c30a46a Disable ED25519 and ED448 in FIPS mode on openssl3 
Both crypto functions are not allowed by FIPS 140-3. Use openssl 3.0
function to check FIPS mode presence and use it to make those algorithms
unsupported.
 2022-05-11 16:19:25 +02:00
tcarpay
0ce36e8289
Add the basic EDE (RFC8914) cases (#604) 2022-05-06 12:48:53 +02:00
Petr Mensik
74c6cf5ac6 Log detailed openssl error also for digests failures 
Make output still only shown in verbose detail. But provide openssl
error details to make a reason more obvious.
 2022-04-12 16:13:49 +02:00
Petr Mensik
33c8baaaba Forward indeterminate status higher 
Create a path where it can result in insecure.
 2022-04-08 16:26:50 +02:00
Petr Mensik
6cfcf21451 Make SHA-1 signed domains insecure if openssl refuses the digest 
RHEL9/CentOS 9 would fail in default crypto policy. If call to openssl
returns invalid digest then report the name insecure. If all tested
signatures return the same issue, then make the reply insecure.
 2022-04-08 16:26:50 +02:00
W.C.A. Wijngaards
f81420d77f - Fix compile warnings for printf ll format on mingw compile. 2022-03-02 14:34:36 +01:00
W.C.A. Wijngaards
2b90181d3a - Fix #628: A rpz-passthru action is not ending RPZ zone processing. 2022-02-15 16:20:12 +01:00
W.C.A. Wijngaards
c6c54f9de4 - Fix validator debug output about DS support, print correct algorithm. 2021-12-06 13:12:44 +01:00
Wouter Wijngaards
9645228f03
Merge pull request #570 from rex4539/typos 
Fix typos
 2021-11-29 11:39:48 +01:00
tcarpay
c5a1e87f75
Remove wrongly added EDE comments 
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
 2021-11-15 13:03:26 +01:00
Dimitris Apostolou
c21d6af617
Fix typos 2021-11-13 16:56:15 +02:00
TCY16
f5b586dbdc add potential EDE spots 2021-11-08 11:50:57 +01:00
TCY16
8205c87a96 complete renaming of the modules edns list 2021-11-08 11:50:29 +01:00
Tom Carpay
89d7476539 split edns_data.opt_list in opt_list_in and opt_list_out 
opt_list_in for parsed (incoming) edns options, and
opt_list_out for outgoing (to be encoded) edns options
 2021-11-01 12:48:40 +00:00
Tom Carpay
3e6eeb504d Modules have their own outgoing ends options list 
But nothing happens with it yet
 2021-10-27 13:48:49 +00:00
W.C.A. Wijngaards
60663c766a Review fixup for keyraw pkey function use. 2021-08-02 13:39:48 +02:00
W.C.A. Wijngaards
ca00814e67 - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns 
keyraw functions to produce EVP_PKEY results.
 2021-08-02 13:33:32 +02:00
W.C.A. Wijngaards
a7eaf6364d - Fix from lint for ignored return value. 2021-07-16 17:46:04 +02:00
W.C.A. Wijngaards
e4e0eaa63e Analysis workflow, fix ctime formatting for autotrust and testbound. 2021-06-25 15:11:10 +02:00
W.C.A. Wijngaards
79209823ac - Fix a number of warnings reported by the gcc analyzer. 2021-06-18 18:12:26 +02:00
Florian Obser
d4314cad33 Make VAL_MAX_RESTART_COUNT configurable. 
unbound tries very hard (up to 6 authoritative servers) to find a
validating answer. This is not always desirable, for example on high
latency links.
 2021-05-08 16:56:32 +02:00
W.C.A. Wijngaards
e217bb48ad - Remove case fallthrough from deprecate-rsa-1024 code. 2021-05-07 17:06:09 +02:00
W.C.A. Wijngaards
59ea44322e - Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024. 2021-05-07 14:28:20 +02:00
George Thessalonikefs
e9a5f5ab3f - Add more logging for out-of-memory cases. 2021-05-04 15:39:06 +02:00
W.C.A. Wijngaards
b7a633fdc0 Merge branch 'master' into zonemd 2021-02-04 16:08:11 +01:00
Christopher Zimmermann
1d23e0c920 Merge remote-tracking branch 'upstream/master' 2021-02-03 13:19:19 +01:00
Willem Toorop
48ecf95108 Merge branch 'master' into features/padding 2021-01-22 10:29:50 +01:00
W.C.A. Wijngaards
42d7cdb7d5 zonemd, region freed, and qstate not used when not in a query, and nsec 
and nsec3 bitmap checks.
 2020-10-14 14:46:59 +02:00
W.C.A. Wijngaards
1dc4d7a9f6 zonemd, harden result length for unsupported algo in nettle digest final. 2020-10-09 14:40:26 +02:00
W.C.A. Wijngaards
5e477e8a31 Merge branch 'master' into zonemd 2020-10-09 14:32:24 +02:00
W.C.A. Wijngaards
fca884a7e6 - Fix warning in libnss compile, nss_buf2dsa is not used without DSA. 2020-10-09 14:31:55 +02:00
W.C.A. Wijngaards
6cb0c4c61d zonemd, libnss implementation and libnettle implementation. Both succeed 
on unit tests.
 2020-10-09 14:30:56 +02:00
W.C.A. Wijngaards
eb4932a463 zonemd, digest code calls, secalgo openssl sha384 and sha512. 2020-10-09 11:19:31 +02:00
W.C.A. Wijngaards
3163a93121 zonemd, loop over zone and canonicalize data, test call in unit test. 2020-10-06 17:07:24 +02:00
W.C.A. Wijngaards
dd59521e52 dlv removal, remove from comments and unused code in iterator and validator 2020-08-04 17:17:48 +02:00
W.C.A. Wijngaards
f78f6a3b29 dlv removal, remove from tests and validator state machine 2020-08-04 09:15:45 +02:00
W.C.A. Wijngaards
c0c722cd97 DLV removal 2020-08-04 09:05:09 +02:00
W.C.A. Wijngaards
ff50993f36 - Fix add missing DSA header, for compilation without deprecated 
OpenSSL APIs.
 2020-07-08 11:43:50 +02:00
Christopher Zimmermann
c96e4ca121 allow privileged initialisation of modules 2020-05-10 22:30:25 +02:00
Willem Toorop
4f78b37c61 Down- and upstream padding a la RFC7830 & RFC8467 2020-04-02 18:34:03 +02:00
Willem Toorop
d4dcdba07e Cleanup nettle_ecc_point when verifying for ... 
... ECDSA256 with libnettle
 2020-03-02 12:27:45 +01:00
W.C.A. Wijngaards
57bbbfc0e6 - Fix #170: Fix gcc undefined sanitizer signed integer overflow 
warning in signature expiry RFC1982 serial number arithmetic.
 2020-02-27 15:22:35 +01:00
W.C.A. Wijngaards
2916cfb3b0 - Fix with libnettle make test with dsa disabled. 2020-02-12 11:15:24 +01:00
W.C.A. Wijngaards
2c4be0c201 - Fix crash after reload where a stats lookup could reference old key 
cache and neg cache structures.
 2020-01-14 15:18:52 +01:00
Florian Obser
da6ac0c4ff Use passed in neg and key cache if non-NULL. 
With this the neg and key caches can be shared between multiple
libunbound contexts.

The msg and rrset caches already allowed this since context_finalize()
did not touch those if they are already available and have the correct
size.

Care must be taken to properly unhook the caches from the validator
environment before calling ub_ctx_delete() otherwise one risks double
free or use after free bugs.
 2019-12-19 13:20:34 +01:00
W.C.A. Wijngaards
5a00b31f86 - Fix text around serial arithmatic used for RRSIG times to refer 
to correct RFC number.
 2019-12-03 12:58:09 +01:00
W.C.A. Wijngaards
3a49e683ed - Fix Enum Name not Used, reported by X41 D-Sec. 2019-11-20 14:22:06 +01:00
W.C.A. Wijngaards
3907876eac - Fix Unrequired Checks, reported by X41 D-Sec. 2019-11-20 14:05:54 +01:00
W.C.A. Wijngaards
fcd9b34bb5 - Fix Useless memset() in validator, reported by X41 D-Sec. 2019-11-20 14:02:58 +01:00
W.C.A. Wijngaards
1fa40654d2 - Fix Race Condition in autr_tp_create(), 
reported by X41 D-Sec.
 2019-11-20 11:01:56 +01:00
W.C.A. Wijngaards
d05d6b959a - fixes for splint cleanliness, long vs int in SSL set_mode. 2019-11-13 15:16:27 +01:00
Vladimír Čunát
ec021e0d4b
fix build with nettle-3.5 
https://git.lysator.liu.se/nettle/nettle/commit/8bf4747d9
 2019-10-02 20:05:03 +02:00
W.C.A. Wijngaards
4700d79024 - avoid warning about upcast on 32bit systems for autotrust. 2019-08-15 14:25:46 +02:00
W.C.A. Wijngaards
9d9884c442 - Fix autotrust temp file uniqueness windows compile. 2019-08-15 14:02:14 +02:00
W.C.A. Wijngaards
fe0b1da859 Fix comment. 2019-07-29 16:58:23 +02:00
W.C.A. Wijngaards
27811ffaa9 - Add hex print of trust anchor pointer to trust anchor file temp 
name to make it unique, for libunbound created multiple contexts.
 2019-07-29 16:51:40 +02:00
Wouter Wijngaards
c1c1cd97e7 - Remove clang analysis warnings. 
git-svn-id: file:///svn/unbound/trunk@4998 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-11-29 14:39:26 +00:00
Wouter Wijngaards
5c25bbd93f fix error print 
git-svn-id: file:///svn/unbound/trunk@4911 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-09-17 07:44:11 +00:00
Wouter Wijngaards
d8937492cb fixup 3 
git-svn-id: file:///svn/unbound/trunk@4910 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-09-17 07:35:09 +00:00
Wouter Wijngaards
e91d85edb5 Fixup 
git-svn-id: file:///svn/unbound/trunk@4909 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-09-17 07:32:40 +00:00
Wouter Wijngaards
5089db7331 - Fix unbound for openssl in FIPS mode, it uses the digests with 
the EVP call contexts.


git-svn-id: file:///svn/unbound/trunk@4908 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-09-17 07:28:55 +00:00
Wouter Wijngaards
2e9d09b961 - initialize statistics totals for printout. 
- in authzone check that node exists before adding rrset.
	- in unbound-anchor, use readwrite memory BIO.
	- assertion in autotrust that packed rrset is formed correctly.


git-svn-id: file:///svn/unbound/trunk@4903 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-09-13 12:20:41 +00:00
Wouter Wijngaards
75b8b8c875 - Free memory leak in config strlist append. 
- make sure nsec3 comparison salt is initialized.


git-svn-id: file:///svn/unbound/trunk@4900 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-09-13 10:23:30 +00:00
Ralph Dolmans
2e5e31e8ac - Added serve-expired-ttl and serve-expired-ttl-reset options. 
git-svn-id: file:///svn/unbound/trunk@4876 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-08-28 14:21:56 +00:00
Wouter Wijngaards
4fe427ded2 - log-servfail: yes prints log lines that say why queries are 
returning SERVFAIL to clients.


git-svn-id: file:///svn/unbound/trunk@4863 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-08-17 15:22:05 +00:00
Wouter Wijngaards
b0ca964984 and printout for these cases too. 
git-svn-id: file:///svn/unbound/trunk@4862 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-08-17 15:09:23 +00:00
Wouter Wijngaards
b0daf867c2 and the error looks good. 
git-svn-id: file:///svn/unbound/trunk@4860 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-08-17 14:17:48 +00:00
Wouter Wijngaards
8e5a32f4dc - Fix that printout of error for cycle targets is a verbosity 4 
printout and does not wrongly print it is a memory error.


git-svn-id: file:///svn/unbound/trunk@4851 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-08-14 07:27:57 +00:00
George Thessalonikefs
749d1b9ebc - Expose if a query (or a subquery) was ratelimited (not src IP 
ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
  This also introduces a change to 'ub_event_callback_type' in
  libunbound/unbound-event.h.
- Tidy pylib tests.


git-svn-id: file:///svn/unbound/trunk@4828 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-08-03 14:00:46 +00:00
Ralph Dolmans
127759b160 strcpy to memmove, to please analysers 
git-svn-id: file:///svn/unbound/trunk@4656 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-04-24 10:10:11 +00:00
Ralph Dolmans
4d06c36342 - Added root-key-sentinel support 
git-svn-id: file:///svn/unbound/trunk@4652 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-04-24 09:03:49 +00:00
Ralph Dolmans
6ef9cafc0e - num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN statistics 
counters


git-svn-id: file:///svn/unbound/trunk@4616 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-04-10 11:39:23 +00:00
Wouter Wijngaards
1f9caf5805 - ED448 support. 
git-svn-id: file:///svn/unbound/trunk@4607 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-04-05 14:44:17 +00:00
Wouter Wijngaards
980711e658 - patch to log creates keytag queries, from A. Schulze. 
git-svn-id: file:///svn/unbound/trunk@4566 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-03-07 08:39:10 +00:00
Wouter Wijngaards
1a7540c80a - Reverted fix for #3512, this may not be the best way forward; 
although it could be changed at a later time, to stay similar to
  other implementations.


git-svn-id: file:///svn/unbound/trunk@4560 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-03-06 08:22:33 +00:00
Wouter Wijngaards
0e390bca00 - Fix compile without threads, and remove unused variable. 
git-svn-id: file:///svn/unbound/trunk@4553 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-02-27 10:36:12 +00:00
Ralph Dolmans
8148308cff - use existing code to find signer on positive wildcard answers 
git-svn-id: file:///svn/unbound/trunk@4551 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-02-22 15:32:18 +00:00
Ralph Dolmans
24fc3242fc - Save wildcard RRset from answer with original owner for use in aggressive 
NSEC.


git-svn-id: file:///svn/unbound/trunk@4550 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-02-22 15:12:31 +00:00
Wouter Wijngaards
6905e41b57 - Fix validation for CNAME loops. When it detects a cname loop, 
by finding the cname, cname in the existing list, it returns
  the partial result with the validation result up to then.


git-svn-id: file:///svn/unbound/trunk@4547 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-02-21 14:04:02 +00:00
Ralph Dolmans
8449dc1b9d - Fix the ce_len+2 fix (Aggressive NSEC review) 
git-svn-id: file:///svn/unbound/trunk@4530 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-02-12 12:22:29 +00:00
Ralph Dolmans
0648475a66 - Processed aggressive NSEC code review remarks Wouter 
git-svn-id: file:///svn/unbound/trunk@4529 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-02-12 12:14:01 +00:00
Ralph Dolmans
77f78152ee - Aggressive use of NSEC implementation. Use cached NSEC records to generate 
NXDOMAIN, NODATA and positive wildcard answers.


git-svn-id: file:///svn/unbound/trunk@4522 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-02-08 13:16:36 +00:00
Ralph Dolmans
f4ff97c297 Also use NSEC with longest closest encloser for CNAME responses. 
git-svn-id: file:///svn/unbound/trunk@4463 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-01-29 14:44:39 +00:00
Ralph Dolmans
b9f4ff6e9f - Use NSEC with longest ce to prove wildcard absence. 
- Only use *.ce to prove wildcard absence, no longer names.


git-svn-id: file:///svn/unbound/trunk@4460 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-01-29 13:46:57 +00:00
Wouter Wijngaards
2a6250e3fb - patch for CVE-2017-15105: vulnerability in the processing of 
wildcard synthesized NSEC records.


git-svn-id: file:///svn/unbound/trunk@4441 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-01-19 09:50:35 +00:00
Wouter Wijngaards
21d1989e05 fix oneoff 
git-svn-id: file:///svn/unbound/trunk@4433 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-01-02 13:36:17 +00:00
Wouter Wijngaards
fa90bbc07a fixup larger than 2**31 case. 
git-svn-id: file:///svn/unbound/trunk@4432 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-01-02 12:43:43 +00:00
Wouter Wijngaards
44eb7bfd25 - Remove clang optimizer disable, 
Fix that expiration date checks don't fail with clang -O2.


git-svn-id: file:///svn/unbound/trunk@4431 be551aaa-1e26-0410-a405-d3ace91eadb9
 2018-01-02 10:48:00 +00:00