upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-29 19:09:36 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
7962 commits 23 branches 209 tags 124 MiB
Commit graph

4859 commits

Author SHA1 Message Date
Yorgos Thessalonikefs
1894c0a150 Changelog entry for #1241: 
- Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
  values.
 2025-02-19 13:46:01 +01:00
Yorgos Thessalonikefs
5e1f35b59b - Fix static analysis report about unhandled EOF on error conditions 
when reading anchor key files.
 2025-02-19 11:24:49 +01:00
Yorgos Thessalonikefs
72828ff81c - Consider reconfigurations when calculating the still_useful_timeout 
for servers in the infrastructure cache.
 2025-02-17 15:21:18 +01:00
W.C.A. Wijngaards
01cea4d5be - Fix #986: Resolving sas.com with dnssec-validation fails though 
signed delegations seem to be (mostly) correct.
 2025-01-30 16:26:31 +01:00
Yorgos Thessalonikefs
35dbbcb2f5 - Make the default value of module-config "validator iterator" 
regardless of compilation options. --enable-subnet would implicitly
  change the value to enable the subnetcache module by default in the
  past.
 2025-01-29 12:08:28 +01:00
Yorgos Thessalonikefs
911509fd59 Changelog entry for #1220: 
- Merge #1220 from Petr Menšík, Add unbound members group access to
  control key.
 2025-01-24 16:56:09 +01:00
Yorgos Thessalonikefs
cc55beefc8 Changelog entry for #1224: 
- Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
  set.
 2025-01-21 17:35:00 +01:00
W.C.A. Wijngaards
d9b863ed76 Changelog note for #1229 
- Merge #1229: check before use daemon->shm_info.
 2025-01-21 15:48:46 +01:00
Yorgos Thessalonikefs
f822042cd0 - Do not open unencrypted channels next to encrypted ones on the same 
port.
 2025-01-21 15:26:40 +01:00
W.C.A. Wijngaards
5f58ced71e - Fix to check length in ATMA string to wire. 2025-01-21 12:30:30 +01:00
W.C.A. Wijngaards
207ae97ff9 - Fix encoding of RR type ATMA. 2025-01-21 12:27:15 +01:00
W.C.A. Wijngaards
9a0de14aa1 - Fix compile of interface check code when dnscrypt or quic is 
disabled.
 2025-01-21 10:13:48 +01:00
Yorgos Thessalonikefs
048c193243 - Use the same interface listening port discovery code for all needed 
protocols.
- Port to string only when needed before getaddrinfo().
 2025-01-21 10:04:30 +01:00
Yorgos Thessalonikefs
d62fff2c7c - Create the quic SSL listening context only when needed. 2025-01-20 15:49:37 +01:00
Yorgos Thessalonikefs
3f839cebc3 Changelog entry for #1222: 
- Merge #1222: Unique DoT and DoH SSL contexts to allow for different
  ALPN.
 2025-01-20 15:45:11 +01:00
Yorgos Thessalonikefs
1d428f2d54 Changelog entry for #1221: 
- Merge #1221: Consider auth zones when checking for forwarders.
 2025-01-17 10:19:26 +01:00
Yorgos Thessalonikefs
f52b2a6ea2 - Add resolver.arpa and service.arpa to the default locally served 
zones.
 2025-01-14 17:18:32 +01:00
Yorgos Thessalonikefs
62a0e03801 - Fix #1213: Misleading error message on default access control causing 
refuse.
 2025-01-13 11:33:24 +01:00
Yorgos Thessalonikefs
716f3df385 Changelog entry for #1214: 
- Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
  handshake.
 2025-01-10 13:54:49 +01:00
Yorgos Thessalonikefs
eb36c880de Changelog entry for #1174: 
- Merge #1174: Serve expired cache update fixes. Fixes a regression bug
  with serve-expired that appeared in 1.22.0 and would not allow the
  iterator to update the cache with not-yet-validated entries resulting
  in increased outgoing traffic.
 2024-12-31 16:30:35 +01:00
Yorgos Thessalonikefs
e57e537c85 - For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add 
LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
 2024-12-20 15:04:34 +01:00
Yorgos Thessalonikefs
71d821fde9 Changelog entry for #1204: 
- Merge #1204: ci: set persist-credentials: false for actions/checkout
  per zizmor suggestion.
 2024-12-13 13:43:29 +01:00
Yorgos Thessalonikefs
ded4c82ced - Fix typo in log_servfail.tdir test. 2024-12-03 16:03:05 +01:00
Yorgos Thessalonikefs
e82a691efe Changelog entry for #1187: 
- Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
  drop.
 2024-12-03 14:21:34 +01:00
Yorgos Thessalonikefs
b4a9c8bb05 - Safeguard alias loop while looking in the cache for expired answers. 2024-12-03 14:10:17 +01:00
Yorgos Thessalonikefs
be92752368 - Merge #1198: Fix log-servfail with serve expired and no useful cache 
contents.
 2024-12-03 14:05:12 +01:00
Yorgos Thessalonikefs
9de159b96b - For #1175, the default value of serve-expired-ttl is set to 86400 
(1 day) as suggested by RFC8767.
 2024-12-03 13:09:51 +01:00
Yorgos Thessalonikefs
bd2e66de1e Changelog entry for #1189, #1197: 
- Merge #1189: Fix the dname_str method to cause conversion errors
  when the domain name length is 255.
- Merge #1197: dname_str() fixes.
 2024-12-03 11:58:06 +01:00
Yorgos Thessalonikefs
9e3c50ec9e - For #1175, update serve-expired tests. 2024-11-22 16:14:02 +01:00
Yorgos Thessalonikefs
eefdbb341f - Fix #1175: serve-expired does not adhere to secure-by-default 
principle. The default value of serve-expired-client-timeout
  is set to 1800 as suggested by RFC8767.
 2024-11-22 15:32:34 +01:00
Yorgos Thessalonikefs
e75da7d954 - Fix comparison to help static analyzer. 2024-11-20 10:53:45 +01:00
Yorgos Thessalonikefs
9a3a1bc221 Changelog entry for #1169: 
- Merge #1169 from Sergey Kacheev, fix: lock-free counters for
  auth_zone up/down queries.
 2024-11-19 17:01:34 +01:00
W.C.A. Wijngaards
4cf7fae50c - Fix for #1183: release nsec3 hashes per test file. 2024-11-15 10:47:27 +01:00
W.C.A. Wijngaards
a2ac980737 - Fix #1183: the data being used is released in method 
nsec3_hash_test_entry.
 2024-11-15 10:37:35 +01:00
Yorgos Thessalonikefs
733d5f7161 - Complete fix for max-global-quota to 200. 2024-11-08 17:34:28 +01:00
Yorgos Thessalonikefs
fe288a9b06 - More descriptive text for 'harden-algo-downgrade'. 2024-11-08 13:56:04 +01:00
Yorgos Thessalonikefs
fd1a1d5fa0 - Increase the default of max-global-quota to 200 from 128 after 
operational feedback. Still keeping the possible amplification
  factor (CAMP related issues) in the hundreds.
 2024-11-06 16:28:37 +01:00
Yorgos Thessalonikefs
3c4b87636a Changelog entry for: 
- Fix SETEX check during Redis (re)initialization.
 2024-11-05 12:20:25 +01:00
W.C.A. Wijngaards
60fd77b8f9 - Fix to log redis timeout error string on failure. 2024-11-05 11:41:41 +01:00
W.C.A. Wijngaards
d5e91d181b - Fix for the serve expired DNSSEC information fix, it would not allow 
current delegation information be updated in cache. The fix allows
  current delegation and validation recursion information to be
  updated, but as a consequence no longer has certain expired
  information around for later dnssec valid expired responses.
 2024-11-05 10:39:27 +01:00
W.C.A. Wijngaards
7985d17b57 Changelog note for #1167 
- Merge #1167: Makefile.in: fix occasional parallel build failures
  around bison rule.
 2024-11-04 13:26:27 +01:00
W.C.A. Wijngaards
533c3b0514 - Fix redis that during a reload it does not fail if the redis 
server does not connect or does not respond. It still logs the
  errors and if the server is up checks expiration features.
 2024-11-04 10:14:26 +01:00
Yorgos Thessalonikefs
11b8157a98 Changelog entry for #1157: 
- Merge #1157 from Liang Zhu, Fix heap corruption when calling
  ub_ctx_delete in Windows.
 2024-11-01 16:27:06 +01:00
Yorgos Thessalonikefs
d34fb3ed77 Changelog entry for #1170: 
- Merge #1170 from Melroy van den Berg, Fix chroot manpage
  description.
 2024-11-01 16:12:07 +01:00
Yorgos Thessalonikefs
8a6a4bd7f3 - Add test case for #1159. 
- Some clean up for stat_values.test.
 2024-11-01 15:57:52 +01:00
Yorgos Thessalonikefs
d23523e528 - Merge #1159: Stats for discard-timeout and wait-limit. 2024-11-01 15:54:24 +01:00
Yorgos Thessalonikefs
f5580f0a63 - Fix #1163: Typos in unbound.conf documentation. 2024-10-25 21:25:16 +02:00
W.C.A. Wijngaards
0e2b2743d8 Add changelog entry for tag for 1.22.0rc1. 2024-10-17 10:57:07 +02:00
W.C.A. Wijngaards
018be1d089 - Tag for 1.22.0 release. This did not contain the 1154 fix 
from 16 oct. The code repository continues with
  version 1.22.1 in development.
 2024-10-17 10:48:58 +02:00
W.C.A. Wijngaards
9a63db344e - Fix #1154: Tag Incorrectly Applying for Other Interfaces 
Using the Same IP. This fix is not for 1.22.0.
 2024-10-16 15:56:33 +02:00
W.C.A. Wijngaards
0076736fc4 - Fix for dnstap with dnscrypt and dnstap without dnsoverquic. 2024-10-16 11:52:49 +02:00
Yorgos Thessalonikefs
f8e45ed696 - Fix for dnsoverquic and dnstap to use the correct dnstap 
environment.
 2024-10-16 11:02:31 +02:00
W.C.A. Wijngaards
2a28c7389c - Fix dnsoverquic to extend the number of streams when one is closed. 2024-10-14 13:53:55 +02:00
W.C.A. Wijngaards
114edf2c38 - Fix to display warning if quic-port is set but dnsoverquic is not 
enabled when compiled.
 2024-10-14 11:34:26 +02:00
W.C.A. Wijngaards
e0c93e300b - Fix contrib/aaaa-filter-iterator.patch for change in call 
signature for cache_fill_missing.
 2024-10-11 11:42:30 +02:00
W.C.A. Wijngaards
bd1813b126 - Fix harden-unverified-glue for AAAA cache_fill_missing lookups. 2024-10-11 09:03:11 +02:00
W.C.A. Wijngaards
1b7e14dc39 - Fix to disable detection of quic configured ports when quic is 
not compiled in.
 2024-10-11 08:51:14 +02:00
W.C.A. Wijngaards
8b7782e8fc - Fix add reallocarray to alloc stats unit test, and disable 
override of strdup in unbound-host, and the result of config
  get option is freed properly.
 2024-10-10 10:43:23 +02:00
W.C.A. Wijngaards
e0201435a4 - Fix cookie_file test sporadic fails for time change during 
the test.
 2024-10-10 09:45:48 +02:00
W.C.A. Wijngaards
66fb3ff670 - Fix for dnstap compile of doqclient with doq disabled. 2024-10-09 15:52:33 +02:00
W.C.A. Wijngaards
36461ea73d Changelog entry and unit test for fix of NSEC TTL and prefetch ttl. 
- Fix to limit NSEC TTL for messages from cachedb. Fix to limit the
  prefetch ttl for messages after a CNAME with short TTL.
 2024-10-09 15:29:23 +02:00
W.C.A. Wijngaards
a4d8c0c43b Changelog note for #871 
- Merge #871: DNS over QUIC. This adds `quic-port: 853` and
  `quic-size: 8m` that enable dnsoverquic, and the counters
  `num.query.quic` and `mem.quic` in the statistics output.
  The feature needs to be enabled by compiling with libngtcp2,
  with `--with-libngtcp2=path` and libngtcp2 needs openssl+quic,
  pass that with `--with-ssl=path` to compile unbound as well.
 2024-10-09 10:35:45 +02:00
W.C.A. Wijngaards
dcf7afd722 - Fix #1128: Cannot override tcp-upstream and tls-upstream with 
forward-tcp-upstream and forward-tls-upstream.
 2024-10-08 15:29:03 +02:00
W.C.A. Wijngaards
e67171612b - Fix #1149: unbound-control-setup hangs sometimes depending on 
the openssl version.
 2024-10-08 11:54:07 +02:00
Yorgos Thessalonikefs
a1b25f0296 - The fix for CVE-2024-8508 was part of 1.21.1, a security point release 
on 1.21.0. The code repository continues with this fix and the version
  number 1.22.0.
 2024-10-03 18:19:01 +02:00
W.C.A. Wijngaards
5bb3b9cc83 - Fix unbound dnstap socket test program analyzer warnings about 
unused variable assignments and variable initialization.
 2024-09-30 16:36:01 +02:00
W.C.A. Wijngaards
3a1b79f6a1 - Fix negative cache NSEC3 parameter compares for zero length NSEC3 
salt.
 2024-09-30 09:25:51 +02:00
W.C.A. Wijngaards
84eeb9b97c - Fix #1144: [FR] log timestamps in ISO8601 format with timezone. 
This adds the option `log-time-iso: yes` that logs in ISO8601
  format.
 2024-09-25 11:16:46 +02:00
Yorgos Thessalonikefs
d88eeb4c32 Changelog entry for #1143: 
- Merge #1143: Fix cache update when serve expired is used. Expired
  records are favored over resolution and validation failures when
  serve-expired is used.
 2024-09-24 16:49:34 +02:00
Yorgos Thessalonikefs
24ebca7df6 - More clear text for prefetch and minimal-responses in the 
unbound.conf man page.
 2024-09-24 15:10:21 +02:00
Yorgos Thessalonikefs
7f4a61e6fc - Attempt to further fix doh_downstream_buffer_size.tdir flakiness. 2024-09-24 12:21:03 +02:00
Yorgos Thessalonikefs
db719d404f - Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING, 
CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were
  already disabled.
 2024-09-23 15:31:32 +02:00
W.C.A. Wijngaards
a35a0c49da - Fix dns64 with prefetch that the prefetch is stored in cache. 2024-09-23 12:19:43 +02:00
W.C.A. Wijngaards
5e9b6296b7 - Add redis-command-timeout: 20 and redis-connect-timeout: 200, 
that can set the timeout separately for commands and the
  connection set up to the redis server. If they are not
  specified, the redis-timeout value is used.
 2024-09-17 13:10:34 +02:00
W.C.A. Wijngaards
606e262fdd Changelog comment for #1140. 
- Merge #1140: Fix spelling mistake in comments.
 2024-09-16 12:15:04 +02:00
Yorgos Thessalonikefs
6bf2b2ac56 - Fix and add comments in testdata/val_negcache_ttl.rpl. 2024-09-11 12:16:02 +02:00
W.C.A. Wijngaards
5767b0933f - Add unit test for ttl limit for aggressive nsec. 2024-09-10 10:17:31 +02:00
W.C.A. Wijngaards
24e0f0ab7e - Fix to limit NSEC and NSEC3 TTL when aggressive nsec is 
enabled (RFC9077).
 2024-09-10 10:13:48 +02:00
Yorgos Thessalonikefs
d3fdbba877 - Fix comment to not trigger doxygen unknown command. 2024-09-06 16:03:20 +02:00
Yorgos Thessalonikefs
c36ce2a390 - Fix alloc-size and calloc-transposed-args compiler warnings. 2024-09-06 16:01:30 +02:00
W.C.A. Wijngaards
7ecff4113c - Fix config file read for dnstap-sample-rate. 2024-09-05 09:35:54 +02:00
W.C.A. Wijngaards
99824bc0e6 Changelog note for #1135 
- Merge #1135: Add new IANA trust anchor.
 2024-09-02 09:25:44 +02:00
W.C.A. Wijngaards
a887284703 - Fix for #1132, comment about adjusted copy of reference check. 2024-08-30 08:56:00 +02:00
W.C.A. Wijngaards
fb198b96f1 Changelog note for #1132 and fix for #1132. 
- Merge #1132: b.root renumbering.
- Fix for #1132, adjusted unit test for change in the test file.
 2024-08-30 08:51:56 +02:00
W.C.A. Wijngaards
52154e658a - Fix to print port number in logs for auth zone transfer activities. 2024-08-29 13:04:03 +02:00
W.C.A. Wijngaards
c06d3646a9 - Unit test for auth zone transfer TLS, and TLS failure. 2024-08-29 10:40:31 +02:00
W.C.A. Wijngaards
42d421a305 - Fix that stub-zone and forward-zone clauses do not exhaust memory 
for long content.
 2024-08-28 13:16:29 +02:00
W.C.A. Wijngaards
b5951ce1fa - Fix that when rpz is applied the message does not get picked up by 
the validator. That stops validation failures for the message.
 2024-08-28 10:51:22 +02:00
W.C.A. Wijngaards
6b37309705 - Fix #1130: Loads of logs: "validation failure: key for validation 
<domain>. is marked as invalid because of a previous" for
  non-DNSSEC signed zone.
 2024-08-27 17:00:27 +02:00
W.C.A. Wijngaards
dc274fef9b - Fix documentation for cache_fill_missing function. 2024-08-23 13:19:15 +02:00
W.C.A. Wijngaards
db1167c8b3 - Fix #1127: error: "memory exhausted" when defining more than 9994 
local-zones.
 2024-08-23 09:22:07 +02:00
W.C.A. Wijngaards
1e0cf1e86b - Merge patch to fix for glue that is outside of zone, with 
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
  Enabling this option protects the Unbound resolver against bad
  glue, that is unverified out of zone glue, by resolving them.
  It uses the records as last resort if there is no other working
  glue.
 2024-08-23 08:56:48 +02:00
W.C.A. Wijngaards
6b3266aaf8 - Fix for char signedness warnings on NetBSD. 2024-08-21 14:15:23 +02:00
W.C.A. Wijngaards
4f52461e81 - Add cross platform netbsd to github ci. 2024-08-21 14:03:11 +02:00
W.C.A. Wijngaards
06d5031d22 - Add cross platform openbsd to github ci. 2024-08-21 13:50:55 +02:00
W.C.A. Wijngaards
04e6f9e03b - Add cross platform freebsd to github ci. 2024-08-21 13:20:00 +02:00
W.C.A. Wijngaards
3d350fa73d - Add iter-scrub-ns, iter-scrub-cname and max-global-quota 
configuration options.
 2024-08-20 14:08:52 +02:00
W.C.A. Wijngaards
015b2b0daf - Fix #1126: unbound-control-setup hangs while testing for openssl 
presence starting from version 1.21.0.
 2024-08-19 15:51:47 +02:00
W.C.A. Wijngaards
5fa84d50bf - Tag for release 1.21.0, the repository continues with 1.21.1 
in development.
 2024-08-15 11:01:41 +02:00
W.C.A. Wijngaards
79e4c57851 - Fix spelling for the cache-min-negative-ttl entry in the 
example.conf.
 2024-08-09 14:04:25 +02:00