upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2026-01-04 13:59:35 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
7987 commits 23 branches 209 tags 124 MiB
Commit graph

7987 commits

This branch
This branch
All branches
Author SHA1 Message Date
W.C.A. Wijngaards
5f58ced71e - Fix to check length in ATMA string to wire. 2025-01-21 12:30:30 +01:00
W.C.A. Wijngaards
207ae97ff9 - Fix encoding of RR type ATMA. 2025-01-21 12:27:15 +01:00
W.C.A. Wijngaards
9a0de14aa1 - Fix compile of interface check code when dnscrypt or quic is 
disabled.
 2025-01-21 10:13:48 +01:00
Yorgos Thessalonikefs
048c193243 - Use the same interface listening port discovery code for all needed 
protocols.
- Port to string only when needed before getaddrinfo().
 2025-01-21 10:04:30 +01:00
Yorgos Thessalonikefs
d62fff2c7c - Create the quic SSL listening context only when needed. 2025-01-20 15:49:37 +01:00
Yorgos Thessalonikefs
3f839cebc3 Changelog entry for #1222: 
- Merge #1222: Unique DoT and DoH SSL contexts to allow for different
  ALPN.
 2025-01-20 15:45:11 +01:00
Yorgos Thessalonikefs
e4483bbbd1
Unique DoT and DoH SSL contexts to allow for different ALPN (#1222) 2025-01-20 15:43:44 +01:00
Theo Buehler
8672b34fca Do not use DSA API unless USE_DSA is set 
Even if USE_DSA is unset, unbound ends up linking against OpenSSL
DSA API because these guards are missing.
 2025-01-18 10:40:43 +01:00
Yorgos Thessalonikefs
1d428f2d54 Changelog entry for #1221: 
- Merge #1221: Consider auth zones when checking for forwarders.
 2025-01-17 10:19:26 +01:00
Yorgos Thessalonikefs
9882a395ab
Merge pull request #1221 from NLnetLabs/bugfix/consider-auth-zones-when-forwarding 
Consider auth zones when checking for forwarders
 2025-01-17 10:18:32 +01:00
Yorgos Thessalonikefs
394588818f - Use correct RFC number for resolver.arpa. 2025-01-15 10:55:31 +01:00
Yorgos Thessalonikefs
f52b2a6ea2 - Add resolver.arpa and service.arpa to the default locally served 
zones.
 2025-01-14 17:18:32 +01:00
Yorgos Thessalonikefs
b2fec3be11 - Take configured auth zones into consideration when checking if a 
request needs to be forwarded.
 2025-01-14 16:38:53 +01:00
Petr Menšík
f4881bd81a Add unbound members group access to control key 
Recent openssl genrsa does not use umask for generated keys. There is no
strong reason why every member of unbound group should be able read
server key. But control key would be quite useful to be group readable
and to allow control access to whole group. Allowing access to control
by group membership, not via sudo.
 2025-01-14 14:35:09 +01:00
Yorgos Thessalonikefs
c3b5bff311 - Fix typo. 2025-01-13 12:32:16 +01:00
Yorgos Thessalonikefs
62a0e03801 - Fix #1213: Misleading error message on default access control causing 
refuse.
 2025-01-13 11:33:24 +01:00
Yorgos Thessalonikefs
716f3df385 Changelog entry for #1214: 
- Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
  handshake.
 2025-01-10 13:54:49 +01:00
Yorgos Thessalonikefs
7e4f7ec5be
Merge pull request #1214 from NLnetLabs/bugfix/tls-handshake 
Use TCP_NODELAY on TLS sockets to speed up the TLS handshake.
 2025-01-10 13:53:46 +01:00
Yorgos Thessalonikefs
7559d26c93 - Use TCP_NODELAY on TLS sockets to speed up the TLS handshake. 2025-01-10 12:11:59 +01:00
Yorgos Thessalonikefs
eb36c880de Changelog entry for #1174: 
- Merge #1174: Serve expired cache update fixes. Fixes a regression bug
  with serve-expired that appeared in 1.22.0 and would not allow the
  iterator to update the cache with not-yet-validated entries resulting
  in increased outgoing traffic.
 2024-12-31 16:30:35 +01:00
Yorgos Thessalonikefs
fff9f62a1e
Serve expired cache update fixes (#1174) 
- Fixes a regression bug with serve-expired that appeared in 1.22.0
  and would not allow the iterator to update the cache with
  not-yet-validated entries resulting in increased outgoing traffic.

- Treat serve_expired_norec_ttl as a backoff timer for failed updates of expired records.
- Try to use expired answers instead of SERVFAIL if serve-expired is
  enabled even without serve-expired-client-timeout.
- Add suggestion to refresh the cached norec_ttl and expired_ttl when a
  response cannot update the usable expired entry.
 2024-12-31 16:28:12 +01:00
Yorgos Thessalonikefs
e57e537c85 - For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add 
LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
 2024-12-20 15:04:34 +01:00
Yorgos Thessalonikefs
71d821fde9 Changelog entry for #1204: 
- Merge #1204: ci: set persist-credentials: false for actions/checkout
  per zizmor suggestion.
 2024-12-13 13:43:29 +01:00
Yorgos Thessalonikefs
df5ab5624d
Merge pull request #1204 from NLnetLabs/zizmor-improvements 2024-12-13 13:42:31 +01:00
Maarten Aertsen
eb08dc617a set persist-credentials: false per zizmor suggestion 2024-12-13 13:12:03 +01:00
Yorgos Thessalonikefs
ded4c82ced - Fix typo in log_servfail.tdir test. 2024-12-03 16:03:05 +01:00
Yorgos Thessalonikefs
e82a691efe Changelog entry for #1187: 
- Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
  drop.
 2024-12-03 14:21:34 +01:00
Yorgos Thessalonikefs
61d7250b96
Create the SSL_CTX for QUIC before chroot and privilege drop (#1187) 
Fixes #1185 by creating the SSL_CTX for QUIC before chroot and
privilege drop, just like the other SSL_CTX creations.

---------

Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
 2024-12-03 14:20:33 +01:00
Yorgos Thessalonikefs
b4a9c8bb05 - Safeguard alias loop while looking in the cache for expired answers. 2024-12-03 14:10:17 +01:00
Yorgos Thessalonikefs
be92752368 - Merge #1198: Fix log-servfail with serve expired and no useful cache 
contents.
 2024-12-03 14:05:12 +01:00
Yorgos Thessalonikefs
1512945c79
Merge pull request #1198 from NLnetLabs/bugfix/log-servfail-serve-expired 
Fix log-servfail with serve expired and no useful cache contents
 2024-12-03 14:02:03 +01:00
Yorgos Thessalonikefs
9de159b96b - For #1175, the default value of serve-expired-ttl is set to 86400 
(1 day) as suggested by RFC8767.
 2024-12-03 13:09:51 +01:00
Yorgos Thessalonikefs
bd2e66de1e Changelog entry for #1189, #1197: 
- Merge #1189: Fix the dname_str method to cause conversion errors
  when the domain name length is 255.
- Merge #1197: dname_str() fixes.
 2024-12-03 11:58:06 +01:00
Yorgos Thessalonikefs
9770e855d2
Merge pull request #1197 from NLnetLabs/dname_str-more-tests 
dname_str() fixes
 2024-12-03 11:55:41 +01:00
Yorgos Thessalonikefs
c124f67f33 - For #1193, introduce log-servfail.tdir and cleanup the log-servfail 
setting from other tests.
 2024-12-02 12:30:11 +01:00
Yorgos Thessalonikefs
c55490c1e6 - Fix #1193: log-servfail fails to log host SERVFAIL responses in 
Unbound 1.19.2 on Ubuntu 24.04.1 LTS, by not considering cached
  failures when trying to reply with expired data.
 2024-12-02 12:28:11 +01:00
Yorgos Thessalonikefs
f46acec35f - For #1189, homogenize the input buffer size for dname_str(). 2024-12-02 11:53:56 +01:00
Yorgos Thessalonikefs
1cd2fb3b9d - For #1189, add unit tests for dname_str() and debug check the input 
buffer size.
 2024-12-02 10:03:35 +01:00
wenxuan70
06fb30d0a0 Fix the dname_str method to cause conversion errors when the domain name length is 255 2024-11-24 17:53:23 +08:00
Yorgos Thessalonikefs
9e3c50ec9e - For #1175, update serve-expired tests. 2024-11-22 16:14:02 +01:00
Yorgos Thessalonikefs
eefdbb341f - Fix #1175: serve-expired does not adhere to secure-by-default 
principle. The default value of serve-expired-client-timeout
  is set to 1800 as suggested by RFC8767.
 2024-11-22 15:32:34 +01:00
Yorgos Thessalonikefs
e75da7d954 - Fix comparison to help static analyzer. 2024-11-20 10:53:45 +01:00
Yorgos Thessalonikefs
9a3a1bc221 Changelog entry for #1169: 
- Merge #1169 from Sergey Kacheev, fix: lock-free counters for
  auth_zone up/down queries.
 2024-11-19 17:01:34 +01:00
Yorgos Thessalonikefs
c1e9d7be7f
Merge pull request #1169 from sakateka/lock-free-az-counters 
fix: lock-free counters for auth_zone up/down queries
 2024-11-19 17:00:01 +01:00
Sergey Kacheev
2c72a4970b
fix: lock-free counters for auth_zone up/down queries 2024-11-19 18:55:31 +03:00
W.C.A. Wijngaards
4cf7fae50c - Fix for #1183: release nsec3 hashes per test file. 2024-11-15 10:47:27 +01:00
W.C.A. Wijngaards
a2ac980737 - Fix #1183: the data being used is released in method 
nsec3_hash_test_entry.
 2024-11-15 10:37:35 +01:00
Yorgos Thessalonikefs
733d5f7161 - Complete fix for max-global-quota to 200. 2024-11-08 17:34:28 +01:00
Yorgos Thessalonikefs
fe288a9b06 - More descriptive text for 'harden-algo-downgrade'. 2024-11-08 13:56:04 +01:00
Yorgos Thessalonikefs
fd1a1d5fa0 - Increase the default of max-global-quota to 200 from 128 after 
operational feedback. Still keeping the possible amplification
  factor (CAMP related issues) in the hundreds.
 2024-11-06 16:28:37 +01:00