Recent openssl genrsa does not use umask for generated keys. There is no
strong reason why every member of unbound group should be able read
server key. But control key would be quite useful to be group readable
and to allow control access to whole group. Allowing access to control
by group membership, not via sudo.
- Merge #1174: Serve expired cache update fixes. Fixes a regression bug
with serve-expired that appeared in 1.22.0 and would not allow the
iterator to update the cache with not-yet-validated entries resulting
in increased outgoing traffic.
- Fixes a regression bug with serve-expired that appeared in 1.22.0
and would not allow the iterator to update the cache with
not-yet-validated entries resulting in increased outgoing traffic.
- Treat serve_expired_norec_ttl as a backoff timer for failed updates of expired records.
- Try to use expired answers instead of SERVFAIL if serve-expired is
enabled even without serve-expired-client-timeout.
- Add suggestion to refresh the cached norec_ttl and expired_ttl when a
response cannot update the usable expired entry.
Fixes#1185 by creating the SSL_CTX for QUIC before chroot and
privilege drop, just like the other SSL_CTX creations.
---------
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
current delegation information be updated in cache. The fix allows
current delegation and validation recursion information to be
updated, but as a consequence no longer has certain expired
information around for later dnssec valid expired responses.
Without the change `make -j16 --shuffle` occasinally fails to build as:
$ make -j16 --shuffle
...
bison -y -d -o util/configparser.c ./util/configparser.y
...
/libtool --tag=CC --mode=compile gcc -I. -I...-openssl-3.3.2-dev/include -I...-libevent-2.1.12-dev/include -I...-expat-2.6.3-dev/include -DSRCDIR=. -g -O2 -flto -fPIE -pthread -o configparser.lo -c util/configparser.c
...
util/configparser.c:755:3: error: expected ',' or '}' at end of input
755 | YYSYMBOL_server_low_rtt = 626, /* server_low_rtt */
| ^
The build failure happens due to this `Makefile.in` rule:
util/configparser.c util/configparser.h: $(srcdir)/util/configparser.y
@-if test ! -d util; then $(INSTALL) -d util; fi
$(YACC) -d -o util/configparser.c $(srcdir)/util/configparser.y
For GNU make that means that each of the targets will attempt the rule
execution when the file is missing: one for .c file and another for .h
file:
https://www.gnu.org/software/make/manual/html_node/Multiple-Targets.html
The workaround is to only run $(YACC) for .c target and use .c as a
pre-requisite for an .h file.
Before the change the build fails about every 10-th run.
After the change no build failures after 100 successful builds.
