upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-23 00:00:51 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
7873 commits 23 branches 209 tags 123 MiB
Commit graph

421 commits

Author SHA1 Message Date
Yorgos Thessalonikefs
f46acec35f - For #1189, homogenize the input buffer size for dname_str(). 2024-12-02 11:53:56 +01:00
Yorgos Thessalonikefs
c1e9d7be7f
Merge pull request #1169 from sakateka/lock-free-az-counters 
fix: lock-free counters for auth_zone up/down queries
 2024-11-19 17:00:01 +01:00
Sergey Kacheev
2c72a4970b
fix: lock-free counters for auth_zone up/down queries 2024-11-19 18:55:31 +03:00
Yorgos Thessalonikefs
733d5f7161 - Complete fix for max-global-quota to 200. 2024-11-08 17:34:28 +01:00
W.C.A. Wijngaards
d5e91d181b - Fix for the serve expired DNSSEC information fix, it would not allow 
current delegation information be updated in cache. The fix allows
  current delegation and validation recursion information to be
  updated, but as a consequence no longer has certain expired
  information around for later dnssec valid expired responses.
 2024-11-05 10:39:27 +01:00
W.C.A. Wijngaards
5679c8b1df - Fix to limit NSEC TTL for messages from cachedb. Fix to limit the 
prefetch ttl for messages after a CNAME with short TTL.
 2024-10-09 15:28:55 +02:00
Yorgos Thessalonikefs
2e398d51ba
Fix cache update when serve expired is used (#1143) 
- Fix cache update when serve expired is used in order to not evict
  still usable expired records. Modules are forbidden to update the
  cache if their answer is DNSSEC unchecked or bogus and a valid
  (expired) entry already exists. Bogus replies from the validator are
  also discarded in favor of existing (expired) valid replies.

- serve-expired-ttl-reset should try to keep expired records in the
  cache in case they are reset.
 2024-09-24 16:47:04 +02:00
W.C.A. Wijngaards
24e0f0ab7e - Fix to limit NSEC and NSEC3 TTL when aggressive nsec is 
enabled (RFC9077).
 2024-09-10 10:13:48 +02:00
W.C.A. Wijngaards
1e0cf1e86b - Merge patch to fix for glue that is outside of zone, with 
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
  Enabling this option protects the Unbound resolver against bad
  glue, that is unverified out of zone glue, by resolving them.
  It uses the records as last resort if there is no other working
  glue.
 2024-08-23 08:56:48 +02:00
W.C.A. Wijngaards
3d350fa73d - Add iter-scrub-ns, iter-scrub-cname and max-global-quota 
configuration options.
 2024-08-20 14:08:52 +02:00
W.C.A. Wijngaards
ed883238fd - Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco 
Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich.
 2024-08-08 09:27:45 +02:00
W.C.A. Wijngaards
03b511b1a2 - Fix for #1114: Fix that cache fill for forward-host names is 
performed, so that with nonzero target-fetch-policy it fetches
  forwarder addresses and uses them from cache. Also updated that
  delegation point cache fill routines use CDflag for AAAA message
  lookups, so that its negative lookup stops a recursion since the
  cache uses the bit for disambiguation for dns64 but the recursion
  uses CDflag for the AAAA target lookups, so the check correctly
  stops a useless recursion by its cache lookup.
 2024-07-31 11:42:44 +02:00
W.C.A. Wijngaards
a335e601e4 ipset-pf-support, move startup and destartup to the front of the module 
func block functions, modstack call deinit function names, and detect
module change when no startup functions are needed.
 2024-07-03 13:53:44 +02:00
W.C.A. Wijngaards
ff653a7ef8 Call module init init again, and new function startup and destartup. 
NULL can be used if the function is not used. Open shared ports during
reload. Deinit is called during reload.
 2024-07-01 16:10:07 +02:00
W.C.A. Wijngaards
3953f827fb Merge branch 'master' of https://github.com/madroach/unbound into ipset-pf-support 2024-07-01 14:36:33 +02:00
W.C.A. Wijngaards
47956de897 - Fix to enable that SERVFAIL is cached, for a short period, for more 
cases. In the cases where limits are exceeded.
 2024-05-27 13:53:16 +02:00
W.C.A. Wijngaards
7de009f99a - Fix when the mesh jostle is exceeded that nameserver targets are 
marked as resolved, so that the lookup is not stuck on the
  requestlist.
 2024-05-10 09:50:35 +02:00
Yorgos Thessalonikefs
63a6b7b255 - Cleanup unnecessary strdup calls for EDE strings. 2024-04-29 10:15:19 +02:00
Wouter Wijngaards
ced9762b14
Merge pull request #1041 from NLnetLabs/stubfwd-unshare 
Stub and Forward unshare
 2024-04-25 11:11:00 +02:00
Yorgos Thessalonikefs
9b9bba9f02
Update locking management for iter_fwd and iter_hints methods. (#1054) 
fast reload, move most of the locking management to iter_fwd and
iter_hints methods. The caller still has the ability to handle its
own locking, if desired, for atomic operations on sets of different
structs.

Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
 2024-04-25 11:05:58 +02:00
Yorgos Thessalonikefs
3ec74d1e3a - When a granchild delegation is returned, remove any cached child delegations 
up to parent to not cause delegation invalidation because of an
  expired child delegation that would never be updated. Most likely to
  happen without qname-minimisation. Reported by Roland van Rijswijk-Deij.
 2024-04-22 15:46:06 +02:00
W.C.A. Wijngaards
48113cfaba - fast-reload, unshared stub hints, making the structure locked, with an rwlock. 2024-04-03 13:55:57 +02:00
W.C.A. Wijngaards
f2fb498c69 - fast-reload, unshare forwards, making the structure locked, with an rwlock. 2024-04-03 13:55:54 +02:00
W.C.A. Wijngaards
fef974ca5c - Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that 
clientip and nsip can give a CNAME.
 2024-03-19 09:32:53 +01:00
W.C.A. Wijngaards
8dbf46913b - Fix rpz for qtype CNAME after nameserver trigger. 2024-03-18 14:36:29 +01:00
W.C.A. Wijngaards
79e25e192c - Fix that rpz CNAME content is limited to the max number of cnames. 2024-03-18 11:25:29 +01:00
W.C.A. Wijngaards
4b54d8e15e - Fix rpz for cname override action after nsdname and nsip triggers. 2024-03-13 17:14:14 +01:00
W.C.A. Wijngaards
e361f6b284 - Fix qname minimisation for reply with a DNAME for qtype CNAME that 
answers it.
 2024-03-08 16:33:17 +01:00
W.C.A. Wijngaards
be626f7c53 - Fix edns subnet replies for scope zero answers to not get stored 
in the global cache, and in cachedb, when the upstream replies
  without an EDNS record.
 2024-03-04 13:20:13 +01:00
W.C.A. Wijngaards
0f78bea4a3 - Fix #954: Inconsistent RPZ handling for A record returned along with 
CNAME.
 2023-10-17 16:47:04 +02:00
W.C.A. Wijngaards
1e85749e6e Merge branch 'master' into disable-edns-do 2023-10-05 15:57:41 +02:00
W.C.A. Wijngaards
b865aca03a - Fix #946: Forwarder returns servfail on upstream response noerror no 
data.
 2023-10-04 18:16:22 +02:00
W.C.A. Wijngaards
9aaafddf04 - disable-edns-do, the option turns of the EDNS DO flag when a message is 
sent from the iterator.
 2023-09-20 13:28:06 +02:00
W.C.A. Wijngaards
fdd5f8ff83 - Fix to add EDE text when RRs have been removed due to length. 2023-09-07 14:44:48 +02:00
W.C.A. Wijngaards
be53e37b15 - Fix #923: processQueryResponse() THROWAWAY should be mindful of 
fail_reply.
 2023-08-21 14:32:13 +02:00
George Thessalonikefs
6819c1e444 - Merge #759 from Tom Carpay: Add EDE (RFC8914) caching. 2023-07-30 11:48:04 +02:00
George Thessalonikefs
f5a2a58ce3 Review for #759: 
- Fix SEGFAULT in load_cache control command.
- Change reason_bogus_str to an explicit NULL-terminated string.
- Fix potential memory leak when discarding a message for referrals and
  0 TTL answers.
- Fix reason_bogus initialization in localzone answers.
- reply_info creation in validator is always regional.
 2023-07-17 17:26:31 +02:00
George Thessalonikefs
15b8d8b96a Merge branch 'master' into features/ede-caching 2023-07-13 11:25:59 +02:00
Boris VANHOOF
17559c737b typo in comments 2023-05-23 09:21:58 +02:00
George Thessalonikefs
adb4aeb609 - For #722: Minor fixes, formatting and refactoring. 2023-05-01 18:23:13 +02:00
George Thessalonikefs
e1ec3cf893 Merge branch 'nat64' of https://github.com/eqvinox/unbound into eqvinox-nat64 2023-04-26 15:14:39 +02:00
W.C.A. Wijngaards
c7618a9b80 - Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing 
CNAME record.
 2023-04-04 10:06:16 +02:00
George Thessalonikefs
eb81761b13 - Clean up iterator/iterator.c::error_response_cache() and allow for 
better interaction with serve-expired, prefetch and cached error
  responses.
 2023-02-10 16:51:07 +01:00
George Thessalonikefs
1c1c5d72d3 Changelog entry for 
- Allow TTL refresh of expired error responses.
 2023-02-09 10:52:56 +01:00
George Thessalonikefs
87a8c80fcb - Allow TTL refresh of expired error responses. 2023-02-09 10:47:46 +01:00
W.C.A. Wijngaards
b12ab31ae3 - Fix not following cleared RD flags potentially enables amplification 
DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
  Tsinghua University. The fix stops query loops, by refusing to send
  RD=0 queries to a forwarder, they still get answered from cache.
 2023-01-18 13:18:47 +01:00
George Thessalonikefs
71db243b0d Merge branch 'restart_conf' of https://github.com/cgallred/unbound into cgallred-restart_conf 2022-12-13 14:35:01 +01:00
George Thessalonikefs
c61b2121b5 - Expose 'max-sent-count' as a configuration option; the 
default value retains Unbound's behavior.
 2022-12-13 13:57:07 +01:00
TCY16
8b4a8493d0 Merge branch 'master' of github.com:NLnetLabs/unbound into features/ede-caching 2022-11-21 11:34:36 +01:00
David Lamparter
64fb06f892 NAT64 support 
This implements #721.  Includes documentation and some very basic tests.
Please refer to doc for further detail.
 2022-11-07 11:37:50 +00:00