other streams on the http2 session are not affected by a drop,
and can clean up properly if also dropped. Fix http2 send reply
so that when there is a send failure it does not recurse into
the mesh functions and also does not drop the connection due to
the condition of one stream.
same time, the client info is copied for attach_sub and add_sub
calls. That makes respip work on dns64 synthesized answers, and
also makes RPZ work with DNS64. The order for the modules is
module-config: "respip dns64 validator iterator".
* 'tls-use-system-policy-versions' is introduced to allow Unbound to use
any system available TLS version when serving TLS.
* Apply suggestions from code review
---------
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
- Cached messages that reach 0 TTL are considered expired. This prevents
Unbound itself from issuing replies with TTL 0 and possibly causing a
thundering herd at the last second. Upstream replies of TTL 0 still
get the usual pass-through but they are not considered for caching
from Unbound or any of its caching modules.
- 'serve-expired-reply-ttl' is changed and is now capped by the original
TTL value of the record to try and make some sense when replying
with expired records.
- TTL decoding was updated to adhere to RFC8767 section 4 where a set
high-order bit means the value is positive instead of 0.
- Fix NSEC3 code to not break on broken auth zones that include unsigned
out of zone (above apex) data. Could lead to hang while trying to
prove a wildcard answer.
Reported by Dmitrii Kuvaiskii from Amazon Web Services.
- Tests for NSEC3 auth zones with out of zone data.
- Auto-configure '-slabs' values to a power of 2 value close to num-threads
by default for multi-threaded environments.
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
compiled with libevent. It makes saturation of the task queue more
resource intensive and less practical. Thanks to Shiming Liu,
Network and Information Security Lab, Tsinghua University for the
report.
* Fix calling WSAPoll.
* fast_reload: explicitly set tcp_wouldblock on Windows when there is no
command to read from the fast_reload thread.
* For poll(), also check for ENOMEM (Linux).
* Remove ifdefs for ENOMEM.
* Some systems return EAGAIN for poll.
* v1 EDER poc
* remove superfluous edns_list_get_option function
* create an EDER configurable
* Hackathon 114
* Fixes for version -04
* Generated configparser and configlexer are not versioned in master anymore
* Remove NOERROR DNS Error Reporting; not part of final RFC.
* Use assigned IANA EDNS0 Option Code for Report-Channel.
* Fix buffer protection and agent domain validity
* Use DNS Error Reporting instead of the eder nickname
* Update documentation.
* Fix typo.
* Bail out early if ede is not present.
* Forget previous EDNS options from upstream; this is what was
implicitly happening but not deterministically.
* Don't report LDNS_EDE_OTHER and bail early if there is no reporting
agent.
* Only do DNS error reporting when a client asked for something that
went wrong.
* Add an error reporting agent in the parent that should be ignored.
* review feedback.
* fixup for fast reload
* Add 'num.dns_error_reports' to stats and test for it.
---------
Co-authored-by: TCY16 <tom@nlnetlabs.nl>
Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>