upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2026-01-02 21:09:35 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
7769 commits 23 branches 209 tags 124 MiB
Commit graph

230 commits

Author SHA1 Message Date
W.C.A. Wijngaards
1e0cf1e86b - Merge patch to fix for glue that is outside of zone, with 
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
  Enabling this option protects the Unbound resolver against bad
  glue, that is unverified out of zone glue, by resolving them.
  It uses the records as last resort if there is no other working
  glue.
 2024-08-23 08:56:48 +02:00
W.C.A. Wijngaards
03b511b1a2 - Fix for #1114: Fix that cache fill for forward-host names is 
performed, so that with nonzero target-fetch-policy it fetches
  forwarder addresses and uses them from cache. Also updated that
  delegation point cache fill routines use CDflag for AAAA message
  lookups, so that its negative lookup stops a recursion since the
  cache uses the bit for disambiguation for dns64 but the recursion
  uses CDflag for the AAAA target lookups, so the check correctly
  stops a useless recursion by its cache lookup.
 2024-07-31 11:42:44 +02:00
W.C.A. Wijngaards
5bea29b01c - For #1110: Test for fallthrough attribute in configure and add 
fallthrough attribute annotations.
 2024-07-23 09:47:42 +02:00
Yorgos Thessalonikefs
02f4446833 - Don't check for message TTL changes if the RRsets remain the same. 2024-07-05 19:58:19 +02:00
W.C.A. Wijngaards
c8a2289542 - Fix for #1099: Fix to check for deleted RRset when the contents 
is updated and fetched after it is stored, and also check for a
  changed RRset.
 2024-07-05 17:54:46 +02:00
W.C.A. Wijngaards
b53d90053e - Fix #1099: Unbound core dump on SIGSEGV. 2024-07-05 17:18:01 +02:00
W.C.A. Wijngaards
7fbc061846 - Fix ip-ratelimit-cookie setting, it was not applied. 2024-06-27 14:51:58 +02:00
W.C.A. Wijngaards
1974732d19 - Fix typos for 'the the' in text. 2024-06-06 09:35:57 +02:00
Yorgos Thessalonikefs
3ff5c7a74d
Fix rtt assignement for low values of infra-cache-max-rtt (#1070) 
* Fix rtt assignement for still useful servers when a low value for
  infra-cache-max-rtt is configured.
 2024-05-16 13:42:32 +02:00
W.C.A. Wijngaards
c3206f4568 - Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li 
from the Network and Information Security Lab of Tsinghua University
  for reporting it.
 2024-05-01 10:10:58 +02:00
Yorgos Thessalonikefs
3ec74d1e3a - When a granchild delegation is returned, remove any cached child delegations 
up to parent to not cause delegation invalidation because of an
  expired child delegation that would never be updated. Most likely to
  happen without qname-minimisation. Reported by Roland van Rijswijk-Deij.
 2024-04-22 15:46:06 +02:00
W.C.A. Wijngaards
d47849a26e - Fix cachedb for serve-expired with serve-expired-reply-ttl. 2024-04-10 17:01:57 +02:00
W.C.A. Wijngaards
0818841038 - Fix TTL of synthesized CNAME when a DNAME is used from cache. 2024-03-08 09:47:59 +01:00
W.C.A. Wijngaards
56a2b564ef Merge commit '92f2a1ca690a44880f4c4fa70a4b5a4b029aaf1c' 2024-02-13 13:58:09 +01:00
W.C.A. Wijngaards
92f2a1ca69 - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU. 2024-02-13 13:02:43 +01:00
Yorgos Thessalonikefs
3522451600 - Update message TTL when using cached RRSETs. It could result in 
non-expired messages with expired RRSETs (non-usable messages by
  Unbound).
 2024-01-23 10:10:37 +01:00
Yorgos Thessalonikefs
8517f49745 - Use the origin (DNAME) TTL for syntesized CNAMEs as per RFC 6672. 2023-12-06 23:40:01 +01:00
George Thessalonikefs
49e4258102 - For #762: Interaction between DNS Cookies and source IP ratelimiting 
by allowing Cookies to bypass the ratelimit, but still allowing
  ratelimit to valid DNS Cookie clients via the new
  ip-ratelimit-cookie option.
 2023-08-08 10:14:03 +02:00
George Thessalonikefs
f97927a47e Merge branch 'master' into features/ede-caching-cachedb 2023-07-30 14:17:52 +02:00
George Thessalonikefs
0912015fb9 - Review for #790: Fix memory leak. 2023-07-28 17:21:15 +02:00
George Thessalonikefs
f5a2a58ce3 Review for #759: 
- Fix SEGFAULT in load_cache control command.
- Change reason_bogus_str to an explicit NULL-terminated string.
- Fix potential memory leak when discarding a message for referrals and
  0 TTL answers.
- Fix reason_bogus initialization in localzone answers.
- reply_info creation in validator is always regional.
 2023-07-17 17:26:31 +02:00
George Thessalonikefs
15b8d8b96a Merge branch 'master' into features/ede-caching 2023-07-13 11:25:59 +02:00
Philip Homburg
1aa2c318e7 Remove msg_del_for_0ttl, call msg_cache_remove directly 2023-04-26 17:11:29 +02:00
Philip Homburg
1ac9b7548b Small fixes from Wouter's review 2023-03-23 15:15:54 +01:00
Philip Homburg
9d7b1d3127 Fix issue #860: Bad interaction with 0 TTL records and serve-expired 2023-03-22 15:23:47 +01:00
TCY16
79d39e7f4d Add subnetcache support 2022-11-24 16:14:12 +01:00
George Thessalonikefs
896f7a8306 - Ignore expired error responses. 2022-11-22 17:44:55 +01:00
TCY16
8b4a8493d0 Merge branch 'master' of github.com:NLnetLabs/unbound into features/ede-caching 2022-11-21 11:34:36 +01:00
Yorgos Thessalonikefs
c4e51a4cfe
PROXYv2 downstream support (#760) 2022-10-03 15:29:47 +02:00
W.C.A. Wijngaards
e3871ca907 Merge branch 'branch-1.16.3' 2022-09-21 12:11:26 +02:00
W.C.A. Wijngaards
137719522a - Patch for CVE-2022-3204 Non-Responsive Delegation Attack. 2022-09-21 11:10:38 +02:00
TCY16
5f309d0018 Add caching EDEs 2022-09-01 14:10:14 +02:00
W.C.A. Wijngaards
fbe8e3b0b2 - Fix ratelimit inconsistency, for ip-ratelimits the value is the 
amount allowed, like for ratelimits.
 2022-08-04 11:33:37 +02:00
W.C.A. Wijngaards
f6753a0f10 - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. 2022-08-01 13:24:40 +02:00
W.C.A. Wijngaards
33bd49af81 - Merge PR 714: Avoid treat normal hosts as unresponsive servers. 
And fixup the lock code.
 2022-07-15 08:51:31 +02:00
Hunts Chen
88bf803297 Avoid treat normal hosts as unresponsive servers 
This is a fix for issue #713

When infra-keep-probing is on, all hosts with expired entries were treated as
unresponsive servers and thus causing problems (see #713).

This commit change that, so that normal hosts with expired entries are treated
as unknown servers.
 2022-07-14 10:16:13 -07:00
tcarpay
0ce36e8289
Add the basic EDE (RFC8914) cases (#604) 2022-05-06 12:48:53 +02:00
George Thessalonikefs
3086335724 - Introduce ratelimit-backoff and ip-ratelimit-backoff options for more 
aggressive rate limiting.
 2022-01-30 00:36:29 +01:00
George Thessalonikefs
f857af873e - Update ratelimit code for recent serviced_query changes and more 
accurate ratelimit calculation.
 2022-01-29 23:49:38 +01:00
Dimitris Apostolou
c21d6af617
Fix typos 2021-11-13 16:56:15 +02:00
W.C.A. Wijngaards
79209823ac - Fix a number of warnings reported by the gcc analyzer. 2021-06-18 18:12:26 +02:00
W.C.A. Wijngaards
55ba863440 - Fix that nxdomain synthesis does not happen above the stub or 
forward definition.
 2021-04-13 13:52:57 +02:00
Roland van Rijswijk-Deij
c4c849d878 Rebase on master 2021-01-22 16:44:56 +00:00
W.C.A. Wijngaards
37354c8927 Merge branch 'master' into infra-keep-probing 2020-10-21 10:13:10 +02:00
W.C.A. Wijngaards
c0c722cd97 DLV removal 2020-08-04 09:05:09 +02:00
Ubuntu
b5b79e3a36 Add feature to serve original TTLs rather than decrementing ones 2020-07-15 15:15:45 +00:00
W.C.A. Wijngaards
4fe2122890 Merge branch 'master' into infra-keep-probing 
Remade yacc and lex files.
 2020-06-24 13:21:14 +02:00
W.C.A. Wijngaards
ba0f382eee - CVE-2020-12662 Unbound can be tricked into amplifying an incoming 
query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be
  used to make Unbound unresponsive.
 2020-05-19 10:27:27 +02:00
W.C.A. Wijngaards
055f5e68a3 Add infra-keep-probing: yes option. Hosts that are down are probed more 
frequently.
 2020-04-22 16:29:06 +02:00
gthess
f7fe95ad7b
Serve stale (#159) 
- Added serve-stale functionality as described in
  draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
  to configure the behavior.
- Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
- Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
  come with a configurable TTL value (`serve-expired-reply-ttl`).
- Fixed stats when replying with cached, cname-aliased records.
- Added missing default values for redis cachedb backend.
 2020-02-05 14:20:27 +01:00