Commit graph

5001 commits

Author SHA1 Message Date
Yorgos Thessalonikefs
f822042cd0 - Do not open unencrypted channels next to encrypted ones on the same
port.
2025-01-21 15:26:40 +01:00
W.C.A. Wijngaards
5f58ced71e - Fix to check length in ATMA string to wire. 2025-01-21 12:30:30 +01:00
W.C.A. Wijngaards
207ae97ff9 - Fix encoding of RR type ATMA. 2025-01-21 12:27:15 +01:00
W.C.A. Wijngaards
9a0de14aa1 - Fix compile of interface check code when dnscrypt or quic is
disabled.
2025-01-21 10:13:48 +01:00
Yorgos Thessalonikefs
048c193243 - Use the same interface listening port discovery code for all needed
protocols.
- Port to string only when needed before getaddrinfo().
2025-01-21 10:04:30 +01:00
Yorgos Thessalonikefs
d62fff2c7c - Create the quic SSL listening context only when needed. 2025-01-20 15:49:37 +01:00
Yorgos Thessalonikefs
3f839cebc3 Changelog entry for #1222:
- Merge #1222: Unique DoT and DoH SSL contexts to allow for different
  ALPN.
2025-01-20 15:45:11 +01:00
Yorgos Thessalonikefs
1d428f2d54 Changelog entry for #1221:
- Merge #1221: Consider auth zones when checking for forwarders.
2025-01-17 10:19:26 +01:00
Yorgos Thessalonikefs
f52b2a6ea2 - Add resolver.arpa and service.arpa to the default locally served
zones.
2025-01-14 17:18:32 +01:00
Yorgos Thessalonikefs
62a0e03801 - Fix #1213: Misleading error message on default access control causing
refuse.
2025-01-13 11:33:24 +01:00
Yorgos Thessalonikefs
716f3df385 Changelog entry for #1214:
- Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
  handshake.
2025-01-10 13:54:49 +01:00
Yorgos Thessalonikefs
eb36c880de Changelog entry for #1174:
- Merge #1174: Serve expired cache update fixes. Fixes a regression bug
  with serve-expired that appeared in 1.22.0 and would not allow the
  iterator to update the cache with not-yet-validated entries resulting
  in increased outgoing traffic.
2024-12-31 16:30:35 +01:00
Yorgos Thessalonikefs
e57e537c85 - For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
2024-12-20 15:04:34 +01:00
Yorgos Thessalonikefs
71d821fde9 Changelog entry for #1204:
- Merge #1204: ci: set persist-credentials: false for actions/checkout
  per zizmor suggestion.
2024-12-13 13:43:29 +01:00
Yorgos Thessalonikefs
ded4c82ced - Fix typo in log_servfail.tdir test. 2024-12-03 16:03:05 +01:00
Yorgos Thessalonikefs
e82a691efe Changelog entry for #1187:
- Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
  drop.
2024-12-03 14:21:34 +01:00
Yorgos Thessalonikefs
b4a9c8bb05 - Safeguard alias loop while looking in the cache for expired answers. 2024-12-03 14:10:17 +01:00
Yorgos Thessalonikefs
be92752368 - Merge #1198: Fix log-servfail with serve expired and no useful cache
contents.
2024-12-03 14:05:12 +01:00
Yorgos Thessalonikefs
9de159b96b - For #1175, the default value of serve-expired-ttl is set to 86400
(1 day) as suggested by RFC8767.
2024-12-03 13:09:51 +01:00
Yorgos Thessalonikefs
bd2e66de1e Changelog entry for #1189, #1197:
- Merge #1189: Fix the dname_str method to cause conversion errors
  when the domain name length is 255.
- Merge #1197: dname_str() fixes.
2024-12-03 11:58:06 +01:00
Yorgos Thessalonikefs
9e3c50ec9e - For #1175, update serve-expired tests. 2024-11-22 16:14:02 +01:00
Yorgos Thessalonikefs
eefdbb341f - Fix #1175: serve-expired does not adhere to secure-by-default
principle. The default value of serve-expired-client-timeout
  is set to 1800 as suggested by RFC8767.
2024-11-22 15:32:34 +01:00
Yorgos Thessalonikefs
e75da7d954 - Fix comparison to help static analyzer. 2024-11-20 10:53:45 +01:00
Yorgos Thessalonikefs
9a3a1bc221 Changelog entry for #1169:
- Merge #1169 from Sergey Kacheev, fix: lock-free counters for
  auth_zone up/down queries.
2024-11-19 17:01:34 +01:00
W.C.A. Wijngaards
4cf7fae50c - Fix for #1183: release nsec3 hashes per test file. 2024-11-15 10:47:27 +01:00
W.C.A. Wijngaards
a2ac980737 - Fix #1183: the data being used is released in method
nsec3_hash_test_entry.
2024-11-15 10:37:35 +01:00
Yorgos Thessalonikefs
733d5f7161 - Complete fix for max-global-quota to 200. 2024-11-08 17:34:28 +01:00
Yorgos Thessalonikefs
fe288a9b06 - More descriptive text for 'harden-algo-downgrade'. 2024-11-08 13:56:04 +01:00
Yorgos Thessalonikefs
fd1a1d5fa0 - Increase the default of max-global-quota to 200 from 128 after
operational feedback. Still keeping the possible amplification
  factor (CAMP related issues) in the hundreds.
2024-11-06 16:28:37 +01:00
Yorgos Thessalonikefs
3c4b87636a Changelog entry for:
- Fix SETEX check during Redis (re)initialization.
2024-11-05 12:20:25 +01:00
W.C.A. Wijngaards
60fd77b8f9 - Fix to log redis timeout error string on failure. 2024-11-05 11:41:41 +01:00
W.C.A. Wijngaards
d5e91d181b - Fix for the serve expired DNSSEC information fix, it would not allow
current delegation information to be updated in cache. The fix allows
  current delegation and validation recursion information to be
  updated, but as a consequence no longer has certain expired
  information around for later dnssec valid expired responses.
2024-11-05 10:39:27 +01:00
W.C.A. Wijngaards
7985d17b57 Changelog note for #1167
- Merge #1167: Makefile.in: fix occasional parallel build failures
  around bison rule.
2024-11-04 13:26:27 +01:00
W.C.A. Wijngaards
533c3b0514 - Fix redis that during a reload it does not fail if the redis
server does not connect or does not respond. It still logs the
  errors and if the server is up checks expiration features.
2024-11-04 10:14:26 +01:00
Yorgos Thessalonikefs
11b8157a98 Changelog entry for #1157:
- Merge #1157 from Liang Zhu, Fix heap corruption when calling
  ub_ctx_delete in Windows.
2024-11-01 16:27:06 +01:00
Yorgos Thessalonikefs
d34fb3ed77 Changelog entry for #1170:
- Merge #1170 from Melroy van den Berg, Fix chroot manpage
  description.
2024-11-01 16:12:07 +01:00
Yorgos Thessalonikefs
8a6a4bd7f3 - Add test case for #1159.
- Some clean up for stat_values.test.
2024-11-01 15:57:52 +01:00
Yorgos Thessalonikefs
d23523e528 - Merge #1159: Stats for discard-timeout and wait-limit. 2024-11-01 15:54:24 +01:00
Yorgos Thessalonikefs
f5580f0a63 - Fix #1163: Typos in unbound.conf documentation. 2024-10-25 21:25:16 +02:00
W.C.A. Wijngaards
0e2b2743d8 Add changelog entry for tag for 1.22.0rc1. 2024-10-17 10:57:07 +02:00
W.C.A. Wijngaards
018be1d089 - Tag for 1.22.0 release. This did not contain the 1154 fix
from 16 oct. The code repository continues with
  version 1.22.1 in development.
2024-10-17 10:48:58 +02:00
W.C.A. Wijngaards
9a63db344e - Fix #1154: Tag Incorrectly Applying for Other Interfaces
Using the Same IP. This fix is not for 1.22.0.
2024-10-16 15:56:33 +02:00
W.C.A. Wijngaards
0076736fc4 - Fix for dnstap with dnscrypt and dnstap without dnsoverquic. 2024-10-16 11:52:49 +02:00
Yorgos Thessalonikefs
f8e45ed696 - Fix for dnsoverquic and dnstap to use the correct dnstap
environment.
2024-10-16 11:02:31 +02:00
W.C.A. Wijngaards
2a28c7389c - Fix dnsoverquic to extend the number of streams when one is closed. 2024-10-14 13:53:55 +02:00
W.C.A. Wijngaards
114edf2c38 - Fix to display warning if quic-port is set but dnsoverquic is not
enabled when compiled.
2024-10-14 11:34:26 +02:00
W.C.A. Wijngaards
e0c93e300b - Fix contrib/aaaa-filter-iterator.patch for change in call
signature for cache_fill_missing.
2024-10-11 11:42:30 +02:00
W.C.A. Wijngaards
bd1813b126 - Fix harden-unverified-glue for AAAA cache_fill_missing lookups. 2024-10-11 09:03:11 +02:00
W.C.A. Wijngaards
1b7e14dc39 - Fix to disable detection of quic configured ports when quic is
not compiled in.
2024-10-11 08:51:14 +02:00
W.C.A. Wijngaards
8b7782e8fc - Fix add reallocarray to alloc stats unit test, and disable
override of strdup in unbound-host, and the result of config
  get option is freed properly.
2024-10-10 10:43:23 +02:00
W.C.A. Wijngaards
e0201435a4 - Fix cookie_file test sporadic fails for time change during
the test.
2024-10-10 09:45:48 +02:00
W.C.A. Wijngaards
66fb3ff670 - Fix for dnstap compile of doqclient with doq disabled. 2024-10-09 15:52:33 +02:00
W.C.A. Wijngaards
36461ea73d Changelog entry and unit test for fix of NSEC TTL and prefetch ttl.
- Fix to limit NSEC TTL for messages from cachedb. Fix to limit the
  prefetch ttl for messages after a CNAME with short TTL.
2024-10-09 15:29:23 +02:00
W.C.A. Wijngaards
a4d8c0c43b Changelog note for #871
- Merge #871: DNS over QUIC. This adds `quic-port: 853` and
  `quic-size: 8m` that enable dnsoverquic, and the counters
  `num.query.quic` and `mem.quic` in the statistics output.
  The feature needs to be enabled by compiling with libngtcp2,
  with `--with-libngtcp2=path` and libngtcp2 needs openssl+quic,
  pass that with `--with-ssl=path` to compile unbound as well.
2024-10-09 10:35:45 +02:00
W.C.A. Wijngaards
dcf7afd722 - Fix #1128: Cannot override tcp-upstream and tls-upstream with
forward-tcp-upstream and forward-tls-upstream.
2024-10-08 15:29:03 +02:00
W.C.A. Wijngaards
e67171612b - Fix #1149: unbound-control-setup hangs sometimes depending on
the openssl version.
2024-10-08 11:54:07 +02:00
Yorgos Thessalonikefs
a1b25f0296 - The fix for CVE-2024-8508 was part of 1.21.1, a security point release
on 1.21.0. The code repository continues with this fix and the version
  number 1.22.0.
2024-10-03 18:19:01 +02:00
W.C.A. Wijngaards
5bb3b9cc83 - Fix unbound dnstap socket test program analyzer warnings about
unused variable assignments and variable initialization.
2024-09-30 16:36:01 +02:00
W.C.A. Wijngaards
3a1b79f6a1 - Fix negative cache NSEC3 parameter compares for zero length NSEC3
salt.
2024-09-30 09:25:51 +02:00
W.C.A. Wijngaards
84eeb9b97c - Fix #1144: [FR] log timestamps in ISO8601 format with timezone.
This adds the option `log-time-iso: yes` that logs in ISO8601
  format.
2024-09-25 11:16:46 +02:00
Yorgos Thessalonikefs
d88eeb4c32 Changelog entry for #1143:
- Merge #1143: Fix cache update when serve expired is used. Expired
  records are favored over resolution and validation failures when
  serve-expired is used.
2024-09-24 16:49:34 +02:00
Yorgos Thessalonikefs
24ebca7df6 - More clear text for prefetch and minimal-responses in the
unbound.conf man page.
2024-09-24 15:10:21 +02:00
Yorgos Thessalonikefs
7f4a61e6fc - Attempt to further fix doh_downstream_buffer_size.tdir flakiness. 2024-09-24 12:21:03 +02:00
Yorgos Thessalonikefs
db719d404f - Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING,
CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were
  already disabled.
2024-09-23 15:31:32 +02:00
W.C.A. Wijngaards
a35a0c49da - Fix dns64 with prefetch that the prefetch is stored in cache. 2024-09-23 12:19:43 +02:00
W.C.A. Wijngaards
5e9b6296b7 - Add redis-command-timeout: 20 and redis-connect-timeout: 200,
that can set the timeout separately for commands and the
  connection set up to the redis server. If they are not
  specified, the redis-timeout value is used.
2024-09-17 13:10:34 +02:00
W.C.A. Wijngaards
606e262fdd Changelog comment for #1140.
- Merge #1140: Fix spelling mistake in comments.
2024-09-16 12:15:04 +02:00
Yorgos Thessalonikefs
6bf2b2ac56 - Fix and add comments in testdata/val_negcache_ttl.rpl. 2024-09-11 12:16:02 +02:00
W.C.A. Wijngaards
5767b0933f - Add unit test for ttl limit for aggressive nsec. 2024-09-10 10:17:31 +02:00
W.C.A. Wijngaards
24e0f0ab7e - Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
enabled (RFC9077).
2024-09-10 10:13:48 +02:00
Yorgos Thessalonikefs
d3fdbba877 - Fix comment to not trigger doxygen unknown command. 2024-09-06 16:03:20 +02:00
Yorgos Thessalonikefs
c36ce2a390 - Fix alloc-size and calloc-transposed-args compiler warnings. 2024-09-06 16:01:30 +02:00
W.C.A. Wijngaards
7ecff4113c - Fix config file read for dnstap-sample-rate. 2024-09-05 09:35:54 +02:00
W.C.A. Wijngaards
99824bc0e6 Changelog note for #1135
- Merge #1135: Add new IANA trust anchor.
2024-09-02 09:25:44 +02:00
W.C.A. Wijngaards
a887284703 - Fix for #1132, comment about adjusted copy of reference check. 2024-08-30 08:56:00 +02:00
W.C.A. Wijngaards
fb198b96f1 Changelog note for #1132 and fix for #1132.
- Merge #1132: b.root renumbering.
- Fix for #1132, adjusted unit test for change in the test file.
2024-08-30 08:51:56 +02:00
W.C.A. Wijngaards
52154e658a - Fix to print port number in logs for auth zone transfer activities. 2024-08-29 13:04:03 +02:00
W.C.A. Wijngaards
c06d3646a9 - Unit test for auth zone transfer TLS, and TLS failure. 2024-08-29 10:40:31 +02:00
W.C.A. Wijngaards
42d421a305 - Fix that stub-zone and forward-zone clauses do not exhaust memory
for long content.
2024-08-28 13:16:29 +02:00
W.C.A. Wijngaards
b5951ce1fa - Fix that when rpz is applied the message does not get picked up by
the validator. That stops validation failures for the message.
2024-08-28 10:51:22 +02:00
W.C.A. Wijngaards
6b37309705 - Fix #1130: Loads of logs: "validation failure: key for validation
<domain>. is marked as invalid because of a previous" for
  non-DNSSEC signed zone.
2024-08-27 17:00:27 +02:00
W.C.A. Wijngaards
dc274fef9b - Fix documentation for cache_fill_missing function. 2024-08-23 13:19:15 +02:00
W.C.A. Wijngaards
db1167c8b3 - Fix #1127: error: "memory exhausted" when defining more than 9994
local-zones.
2024-08-23 09:22:07 +02:00
W.C.A. Wijngaards
1e0cf1e86b - Merge patch to fix for glue that is outside of zone, with
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
  Enabling this option protects the Unbound resolver against bad
  glue, that is unverified out of zone glue, by resolving them.
  It uses the records as last resort if there is no other working
  glue.
2024-08-23 08:56:48 +02:00
W.C.A. Wijngaards
6b3266aaf8 - Fix for char signedness warnings on NetBSD. 2024-08-21 14:15:23 +02:00
W.C.A. Wijngaards
4f52461e81 - Add cross platform netbsd to github ci. 2024-08-21 14:03:11 +02:00
W.C.A. Wijngaards
06d5031d22 - Add cross platform openbsd to github ci. 2024-08-21 13:50:55 +02:00
W.C.A. Wijngaards
04e6f9e03b - Add cross platform freebsd to github ci. 2024-08-21 13:20:00 +02:00
W.C.A. Wijngaards
3d350fa73d - Add iter-scrub-ns, iter-scrub-cname and max-global-quota
configuration options.
2024-08-20 14:08:52 +02:00
W.C.A. Wijngaards
015b2b0daf - Fix #1126: unbound-control-setup hangs while testing for openssl
presence starting from version 1.21.0.
2024-08-19 15:51:47 +02:00
W.C.A. Wijngaards
5fa84d50bf - Tag for release 1.21.0, the repository continues with 1.21.1
in development.
2024-08-15 11:01:41 +02:00
W.C.A. Wijngaards
79e4c57851 - Fix spelling for the cache-min-negative-ttl entry in the
example.conf.
2024-08-09 14:04:25 +02:00
W.C.A. Wijngaards
5abdd09095 - Fix that for windows the module startup is called and sets up
the module-config.
2024-08-08 16:14:09 +02:00
W.C.A. Wijngaards
158c1defe3 - Set version number to 1.21.0 for release. 2024-08-08 09:30:53 +02:00
W.C.A. Wijngaards
b4519012dc - Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek,
Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv
  University and Reichman University).
2024-08-08 09:28:44 +02:00
W.C.A. Wijngaards
ed883238fd - Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco
Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich.
2024-08-08 09:27:45 +02:00
W.C.A. Wijngaards
0f2f6025e7 - Fix that alloc stats for forwards and hints are printed, and when
alloc stats is enabled, the unit test for unbound control waits for
  reloads to complete.
2024-08-02 15:51:40 +02:00
W.C.A. Wijngaards
3cbf554e3b Changelog note for #1090
- Merge #1090: Cookie secret file. Adds
  `cookie-secret-file: "unbound_cookiesecrets.txt"` option to store
  cookie secrets for EDNS COOKIE secret rollover. The remote control
  add_cookie_secret, activate_cookie_secret and drop_cookie_secret
  commands can be used for rollover, the command print_cookie_secrets
  shows the values in use.
2024-08-02 13:36:06 +02:00
W.C.A. Wijngaards
50cf55bdac Update changelog.
- Fix testbound for alloc stats strdup in util/alloc.c.
2024-08-02 08:59:47 +02:00
W.C.A. Wijngaards
befa7d8cd8 - Fix that alloc stats has strdup checks, it stops debuggers from
complaining about mismatch at free time.
2024-08-02 08:54:54 +02:00
W.C.A. Wijngaards
92be76fb89 - Fix that the worker mem report with alloc stats does not attempt
to print memory use of forwards and hints if they have been
  deleted already.
2024-08-01 17:15:07 +02:00
W.C.A. Wijngaards
9a6b6765cc - Fix dnstap test program, cleans up to have clean memory on exit,
for tap_data_free, does not delete NULL items. Also it does not try
  to free the tail, specifically in the free of the list since that
  picked up the next item in the list for its loop causing invalid
  free. Added internal unit test to unbound-dnstap-socket for that.
2024-08-01 16:12:04 +02:00
W.C.A. Wijngaards
03b511b1a2 - Fix for #1114: Fix that cache fill for forward-host names is
performed, so that with nonzero target-fetch-policy it fetches
  forwarder addresses and uses them from cache. Also updated that
  delegation point cache fill routines use CDflag for AAAA message
  lookups, so that its negative lookup stops a recursion since the
  cache uses the bit for disambiguation for dns64 but the recursion
  uses CDflag for the AAAA target lookups, so the check correctly
  stops a useless recursion by its cache lookup.
2024-07-31 11:42:44 +02:00
W.C.A. Wijngaards
6af28bed08 - Fix to document parameters of auth_zone_verify_zonemd_with_key. 2024-07-30 13:47:53 +02:00
W.C.A. Wijngaards
f094f4ea3c - Add root key 38696 from 2024 for DNSSEC validation. It is added
to the default root keys in unbound-anchor. The content can be
  inspected with `unbound-anchor -l`.
2024-07-25 11:42:22 +02:00
Yorgos Thessalonikefs
c717debace - For #935 and #1104, clarify RPZ order and semantics. 2024-07-24 01:54:02 +02:00
Yorgos Thessalonikefs
7d4d21764a - Cleanup ede.tdir test. 2024-07-23 20:22:25 +02:00
W.C.A. Wijngaards
83e6977f06 - Fix link of unbound-dnstap-socket without openssl. 2024-07-23 15:06:54 +02:00
W.C.A. Wijngaards
671e11552c - Fix link of dnstap without openssl. 2024-07-23 14:56:21 +02:00
W.C.A. Wijngaards
c4541e634b - Fix uninitialized variable warning in create_tcp_accept_sock. 2024-07-23 10:42:36 +02:00
W.C.A. Wijngaards
30da725e67 - Fix to have empty definition when not supported for weak attribute. 2024-07-23 10:02:39 +02:00
W.C.A. Wijngaards
8de5ae3552 - Fix compile when the compiler does not support the noreturn
attribute.
2024-07-23 09:55:31 +02:00
W.C.A. Wijngaards
5bea29b01c - For #1110: Test for fallthrough attribute in configure and add
fallthrough attribute annotations.
2024-07-23 09:47:42 +02:00
Yorgos Thessalonikefs
3512eaec48 - Fix #1106: ratelimit-below-domain logs the wrong FROM address. 2024-07-23 09:07:06 +02:00
W.C.A. Wijngaards
3af4e44646 - Fix dnstap wakeup, a running wakeup timer is left to expire and not
increased, a timer is started when the dtio thread is sleeping,
  the timer set disabled when the dtio thread goes to sleep, and
  after sleep the thread checks to see if there are messages to log
  immediately.
2024-07-19 16:16:02 +02:00
W.C.A. Wijngaards
c3dd6a2dbd - Add dnstap-sample-rate that logs only 1/N messages, for high volume
server environments. Thanks Dan Luther.
2024-07-19 10:04:40 +02:00
W.C.A. Wijngaards
8fca3e7c5b - For #1103: Fix to drop mesh state reference for the http2 stream
associated with the reply, not the currently active stream. And
  it does not remove it twice on a mesh_send_reply call. The reply
  h2_stream is NULL when not in use, for more initialisation.
2024-07-16 14:23:10 +02:00
W.C.A. Wijngaards
8947c2c764 - For #1103: fix to also drop mesh state reference when the discard
limit is reached, when there is an error making a new recursion
  state and when the connection is dropped with is_drop.
2024-07-15 14:51:20 +02:00
W.C.A. Wijngaards
b1e3319a11 Merge branch 'master' of github.com:NLnetLabs/unbound 2024-07-12 16:41:58 +02:00
W.C.A. Wijngaards
d52f501d90 - For #1103: fix to also drop mesh state reference when a h2 reply is
dropped.
2024-07-12 16:41:46 +02:00
Yorgos Thessalonikefs
7083d58c6b - For #1102: clearer text for using interface-* options for the
loopback interface.
2024-07-12 16:29:44 +02:00
W.C.A. Wijngaards
3adb9c8f92 - Fix #1103: unbound 1.20.0 segmentation fault with nghttp2. 2024-07-12 16:11:29 +02:00
Yorgos Thessalonikefs
51425b2388 - Add RPZ tag tests in acl_interface.tdir. 2024-07-12 15:38:12 +02:00
W.C.A. Wijngaards
d43760a8cd - For #773: In contrib/unbound.service.in set unbound to start after
network-online.target. Also for contrib/unbound_portable.service.in.
2024-07-10 14:05:43 +02:00
Yorgos Thessalonikefs
ea3e327006 - Update list of known EDE codes. 2024-07-09 15:58:30 +02:00
W.C.A. Wijngaards
be09350eca - Fix shadowed error string variable in validator dnskey handling. 2024-07-08 16:50:16 +02:00
W.C.A. Wijngaards
169acfc546 - Fixup algo_needs_reason string buffer length. 2024-07-08 15:38:27 +02:00
W.C.A. Wijngaards
bed7cc2a90 - Fix that validation reason failure that uses string print uses
separate buffer that is passed, from the scratch validation buffer.
2024-07-08 15:29:20 +02:00
Yorgos Thessalonikefs
02f4446833 - Don't check for message TTL changes if the RRsets remain the same. 2024-07-05 19:58:19 +02:00
W.C.A. Wijngaards
c8a2289542 - Fix for #1099: Fix to check for deleted RRset when the contents
is updated and fetched after it is stored, and also check for a
  changed RRset.
2024-07-05 17:54:46 +02:00
W.C.A. Wijngaards
b53d90053e - Fix #1099: Unbound core dump on SIGSEGV. 2024-07-05 17:18:01 +02:00
W.C.A. Wijngaards
978b0696d3 - Fix neater printout. 2024-07-05 14:11:26 +02:00
W.C.A. Wijngaards
ec5f86b4eb - Fix for neater printout for error for missing DS response. 2024-07-05 08:49:52 +02:00
W.C.A. Wijngaards
ec2f45c6fd - Fix to print details about the failure to lookup a DNSKEY record
when validation fails due to the missing DNSKEY. Also for key prime
  and DS lookups.
2024-07-04 14:51:18 +02:00
W.C.A. Wijngaards
6b319c97ee - Fix compile warnings in fptr_wlist.c. 2024-07-03 16:42:52 +02:00
W.C.A. Wijngaards
6eb3992c9e - Fix to remove unneeded linebreak in fptr_wlist.c. 2024-07-03 15:51:22 +02:00
W.C.A. Wijngaards
94a94fd8c8 - Fix to use modstack_init in zonemd unit test. 2024-07-03 15:49:13 +02:00
W.C.A. Wijngaards
36f9d1a2a9 - Add unit test skip files and bison and flex output to gitignore. 2024-07-03 14:59:39 +02:00
W.C.A. Wijngaards
d3a2264272 Changelog entry for #144 and #1098
- Fix #144: Port ipset to BSD pf tables.
2024-07-03 14:53:42 +02:00
Yorgos Thessalonikefs
96f8a94c19 - Fix for repeated use of a DNAME record: first overallocate and then
move the exact size of the init value to avoid false positive heap
  overflow reads from address sanitizers.
2024-07-03 10:08:44 +02:00
W.C.A. Wijngaards
2fe4e2ec3e - Fix compile warning in worker pthread id printout. 2024-07-02 09:44:58 +02:00
W.C.A. Wijngaards
e54928a628 - Fix unused variable warning in do_cache_remove. 2024-07-02 09:33:22 +02:00
W.C.A. Wijngaards
538434186e - Fix to remove unused include from the readzone test program. 2024-07-02 09:31:34 +02:00
W.C.A. Wijngaards
7fbc061846 - Fix ip-ratelimit-cookie setting, it was not applied. 2024-06-27 14:51:58 +02:00
Yorgos Thessalonikefs
70f73a33b3 - Explicitly set the RD bit for the mesh query flags when prefetching.
These queries have no waiting client but they need to be treated as
  recursive.
2024-06-26 15:51:58 +02:00
Yorgos Thessalonikefs
b67fbb69e7 - Fix pkg-config availability check in dnstap/dnstap.m4 and
systemd.m4.
- autoconf.
2024-06-21 14:34:12 +02:00
Yorgos Thessalonikefs
902c79608c - Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0; by
adding helpful text for the Python interpreter version and allowing
  the default pkg-config unavailability error message to be shown.
- autoconf.
2024-06-19 15:27:50 +02:00
W.C.A. Wijngaards
08050dc939 - Fix #1091: Build fails with OpenSSL >= 3.0 built with
OPENSSL_NO_DEPRECATED.
2024-06-17 12:28:45 +02:00
W.C.A. Wijngaards
9603924bb4 - Add unit test for validation of repeated use of a DNAME record. 2024-06-07 11:56:19 +02:00
W.C.A. Wijngaards
4c2da2b979 - Fix validation for repeated use of a DNAME record. 2024-06-06 15:28:21 +02:00
W.C.A. Wijngaards
1974732d19 - Fix typos for 'the the' in text. 2024-06-06 09:35:57 +02:00
W.C.A. Wijngaards
3cad5818a1 - Fix memory leak in setup of dsa sig. 2024-06-06 09:30:09 +02:00
Yorgos Thessalonikefs
ad12109191 - Merge #1080: AddressSanitizer detection in tdir tests and memory leak
fixes.
2024-06-04 17:34:58 +02:00
W.C.A. Wijngaards
86fe9cbce5 - Fix to squelch connection reset by peer errors from log. And fix
that the tcp read errors are labeled as initial for the first calls.
2024-06-03 12:14:51 +02:00
W.C.A. Wijngaards
4b30e88eec - Fix for #1079: fix RPZ taglist in iterator callback that no client
info is like no taglist intersection.
2024-05-30 12:44:26 +02:00
W.C.A. Wijngaards
b6c7ea563f - Fix #1079: tags from tagged rpz zones are no longer honored after
upgrade from 1.19.3 to 1.20.0.
2024-05-30 12:11:30 +02:00
W.C.A. Wijngaards
910d7cf446 Changelog note for #1078.
- Merge #1078: Only check old pid if no username.
2024-05-29 14:45:01 +02:00
Yorgos Thessalonikefs
5fc4673901 - Update patch to remove 'command' shell builtin and update error
text.
2024-05-27 17:17:48 +02:00
Yorgos Thessalonikefs
f5a2160ba3 - Fix unused variable warning on compilation with no thread support. 2024-05-27 14:56:52 +02:00
W.C.A. Wijngaards
0c0c36f015 - Fix spelling of tcp-idle-timeout docs, from Michael Tokarev. 2024-05-27 14:36:35 +02:00
W.C.A. Wijngaards
47956de897 - Fix to enable that SERVFAIL is cached, for a short period, for more
cases. In the cases where limits are exceeded.
2024-05-27 13:53:16 +02:00
Yorgos Thessalonikefs
b30c869a59 Changelog entry for #1059:
- Fix #1059: Intermittent DNS blocking failure with local-zone and
  always_nxdomain. Addition of local_zones dynamically via
  unbound-control was not finding the zone's parent correctly.
2024-05-24 15:24:52 +02:00
W.C.A. Wijngaards
7107d3c9e7 - Fix #1064: Unbound 1.20 Cachedb broken?
Add unit test for validation status commit.
2024-05-24 09:06:48 +02:00
W.C.A. Wijngaards
fbdc06ebc4 - Fix for #1064: Fix that cachedb expired messages are considered
insecure, and thus can be served to clients when dnssec is enabled.
2024-05-21 17:06:18 +02:00
W.C.A. Wijngaards
d149e755fd - Fix for parse end of forward-zone, stub-zone and view. 2024-05-21 12:04:57 +02:00
W.C.A. Wijngaards
86ee8ccd12 - Fix to print a parse error when config is read with no name for
a forward-zone, stub-zone or view.
2024-05-21 11:54:18 +02:00
W.C.A. Wijngaards
8d6a1ba811 Changelog note for #1073.
- Merge #1073: fix null pointer dereference issue in function
  ub_ctx_set_fwd.
2024-05-21 11:52:47 +02:00
Yorgos Thessalonikefs
2e70506763 Changelog entry for #1069:
- Merge #1069: Fix unbound-control stdin commands for multi-process
  Unbounds.
2024-05-17 10:31:20 +02:00
W.C.A. Wijngaards
da2b307aa3 - Fix #1071: [FR] Clear both in-memory and cachedb module cache with
`unbound-control flush*` commands.
2024-05-16 16:56:58 +02:00
Yorgos Thessalonikefs
739a88ceed Changelog entry for #1070:
- Merge #1070: Fix rtt assignment for low values of
  infra-cache-max-rtt.
2024-05-16 13:43:24 +02:00
Yorgos Thessalonikefs
1048c4a28c - Add missing common functions to tdir tests. 2024-05-15 11:20:36 +02:00
W.C.A. Wijngaards
7de009f99a - Fix when the mesh jostle is exceeded that nameserver targets are
marked as resolved, so that the lookup is not stuck on the
  requestlist.
2024-05-10 09:50:35 +02:00
W.C.A. Wijngaards
95669855fb - Fix to squelch udp connect errors in the log at low verbosity about
invalid argument for IPv6 link local addresses.
2024-05-08 16:40:41 +02:00
W.C.A. Wijngaards
56e7cade28 The code repository continues with version 1.20.1. 2024-05-08 11:10:53 +02:00
W.C.A. Wijngaards
c085a53268 - Fix for #1062: declaration before statement, avoid print of null,
and redundant check for array size.
And changelog note for merge of #1062.
2024-05-07 14:05:21 +02:00
W.C.A. Wijngaards
b9525c5fd4 - Set version number to 1.20.0 for release. 2024-05-01 10:15:12 +02:00
W.C.A. Wijngaards
c3206f4568 - Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li
from the Network and Information Security Lab of Tsinghua University
  for reporting it.
2024-05-01 10:10:58 +02:00
W.C.A. Wijngaards
9abed3fc83 - Fix doxygen comment for errinf_to_str_bogus. 2024-04-29 13:42:26 +02:00
Yorgos Thessalonikefs
63a6b7b255 - Cleanup unnecessary strdup calls for EDE strings. 2024-04-29 10:15:19 +02:00
W.C.A. Wijngaards
15dc8e8a3f - Man page entry for unbound-checkconf -q. 2024-04-26 14:54:25 +02:00
Yorgos Thessalonikefs
cd4a017e96 - Fix #876: [FR] can unbound-checkconf be silenced when configuration
is valid?
2024-04-26 14:50:39 +02:00
W.C.A. Wijngaards
82c0207fa6 - Add unit tests for cachedb and subnet cache expired data. 2024-04-26 13:33:26 +02:00
W.C.A. Wijngaards
7c5e765b3b - Fix cachedb with serve-expired-client-timeout disabled. The edns
subnet module deletes global cache and cachedb cache when it
  stores a result, and serve-expired is enabled, so that the global
  reply, that is older than the ecs reply, does not return after
  the ecs reply expires.
2024-04-26 13:32:15 +02:00
W.C.A. Wijngaards
f456d97a34 - Fix doc unit test for out of directory build. 2024-04-25 17:06:06 +02:00
W.C.A. Wijngaards
8b490b1540 - Fix to disable fragmentation on systems with IP_DONTFRAG,
with a nonzero value for the socket option argument.
2024-04-25 12:53:05 +02:00
W.C.A. Wijngaards
b3951e5885 Changelog note for #1041 and #1038.
- Merge #1041: Stub and Forward unshare. This has one structure
  for them and fixes #1038: fatal error: Could not initialize
  thread / error: reading root hints.
2024-04-25 11:12:27 +02:00
W.C.A. Wijngaards
07859a9ef3 - Fix configure flto check error, by finding grep for it. 2024-04-25 10:53:35 +02:00
W.C.A. Wijngaards
cb74467acb - Fix ci workflow for macos for moved install locations. 2024-04-24 16:31:44 +02:00
Yorgos Thessalonikefs
62dad42152 - Merge #1053: Remove child delegations from cache when grandchild
delegations are returned from parent.
2024-04-23 14:24:07 +02:00
W.C.A. Wijngaards
52aff65e35 - Fix edns subnet to sort rrset references when storing messages
in the cache. This fixes a race condition in the rrset locks.
2024-04-22 13:44:42 +02:00
W.C.A. Wijngaards
5994fb3db5 - Add checklock feature verbose_locking to trace locks and unlocks. 2024-04-22 13:42:35 +02:00
Yorgos Thessalonikefs
0dbcb45d28 Changelog entry for #1049:
- Merge #1049 from Petr Menšík: Py_NoSiteFlag is not needed since
  Python 3.8
2024-04-15 14:49:14 +02:00
W.C.A. Wijngaards
0d4c5aa421 - Fix configure, autoconf for #1048. 2024-04-15 12:17:56 +02:00
W.C.A. Wijngaards
9e60f93b84 Changelog note for #1048.
- Fix #1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
2024-04-15 12:15:54 +02:00
W.C.A. Wijngaards
491b56d051 - Fixup cachedb to not refetch when serve-expired-client-timeout is
used.
2024-04-12 14:22:18 +02:00
W.C.A. Wijngaards
4d530920e0 - Fixup unit test for cachedb server expired client timeout with
a check if response is from upstream or from cachedb.
2024-04-12 11:51:00 +02:00
W.C.A. Wijngaards
08fb9a9209 - Fix cachedb for serve-expired with serve-expired-client-timeout. 2024-04-12 11:26:53 +02:00
W.C.A. Wijngaards
04ff2672b5 - Fix to not reply serve expired unless enabled for cachedb. 2024-04-10 17:06:01 +02:00
W.C.A. Wijngaards
d47849a26e - Fix cachedb for serve-expired with serve-expired-reply-ttl. 2024-04-10 17:01:57 +02:00
W.C.A. Wijngaards
63ee97d0fd - Fix makefile dependencies for fake_event.c. 2024-04-10 14:04:39 +02:00
W.C.A. Wijngaards
bd74a32b79 - Extended test for cachedb serve expired. 2024-04-10 13:08:23 +02:00
W.C.A. Wijngaards
b990be88ef - Add test for cachedb serve expired. 2024-04-10 12:36:21 +02:00
W.C.A. Wijngaards
d55511f1dd - Fixup compile without cachedb. 2024-04-10 11:27:08 +02:00
W.C.A. Wijngaards
d98c7b9ae3 - Implement cachedb-check-when-serve-expired: yes option, default
is enabled. When serve expired is enabled with cachedb, it first
  checks cachedb before serving the expired response.
2024-04-10 11:21:28 +02:00
Yorgos Thessalonikefs
a30221c5bb - Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates
config.guess(2024-01-01) and config.sub(2024-01-01), verified
  with upstream.
2024-04-09 17:00:59 +02:00
Yorgos Thessalonikefs
8575d5b35c - Fix #595: unbound-anchor cannot deal with full disk; it will now
first write out to a temp file before replacing the original one,
  like Unbound already does for auto-trust-anchor-file.
2024-04-08 14:15:03 +02:00
W.C.A. Wijngaards
ba16e41160 - Fix comment syntax for view function views_find_view. 2024-04-05 16:11:29 +02:00
Yorgos Thessalonikefs
708d5229ae - Merge #1027: Introduce 'cache-min-negative-ttl' option. 2024-04-05 11:44:37 +02:00
Yorgos Thessalonikefs
fb4a7d65d7 - Fix #369: dnstap showing extra responses; for client responses
right from the cache when replying with expired data or
  prefetching.
2024-04-03 15:18:13 +02:00
Yorgos Thessalonikefs
91e8e0e511 - Fix #1035: Potential Bug while parsing port from the "stub-host"
string; also affected forward-zones and remote-control host
  directives.
2024-04-03 13:37:57 +02:00
W.C.A. Wijngaards
dfff8d23cf - For #1040: adjust error text and disallow negative ports in other
parts of cfg_mark_ports.
2024-04-03 10:16:18 +02:00
W.C.A. Wijngaards
103d9a68fa Changelog note for #1040
- Fix #1040: fix heap-buffer-overflow issue in function cfg_mark_ports
  of file util/config_file.c.
2024-04-03 10:03:04 +02:00
W.C.A. Wijngaards
e1aeabde44 - Fix for crypto related failures to have a better error string. 2024-03-28 09:58:57 +01:00
W.C.A. Wijngaards
6d1e61173b - Fix #1034: DoT forward-zone via unbound-control. 2024-03-28 09:58:03 +01:00
W.C.A. Wijngaards
6f82b5be4a - Fix that the server does not chown the pidfile. 2024-03-27 14:52:25 +01:00
W.C.A. Wijngaards
192f1b0e2b - Fix that when the server truncates the pidfile, it does not follow
symbolic links.
2024-03-27 14:07:54 +01:00
W.C.A. Wijngaards
238a796e38 - Fix to add unit test for lruhash space that exercises the routines. 2024-03-27 13:33:46 +01:00
W.C.A. Wijngaards
fe393ac355 - Fix comment in lruhash space function. 2024-03-27 12:30:00 +01:00
W.C.A. Wijngaards
3ea078baf6 - Fix for #1032, add safeguard to make table space positive. 2024-03-27 11:49:20 +01:00
W.C.A. Wijngaards
eb3e1ae24f - Fix #1032: The size of subnet_msg_cache calculation mistake cause
memory usage increased beyond expectations.
2024-03-27 11:45:34 +01:00
W.C.A. Wijngaards
c2b20c585e - Fix name of unit test for subnet cache response. 2024-03-27 11:43:55 +01:00
Yorgos Thessalonikefs
07561964fc - For #831: Format text, use exclamation icon and explicit label
names.
2024-03-25 22:02:08 +01:00
Yorgos Thessalonikefs
ce8c1ce5b0 Changelog entry for #831
- Merge #831 from Pierre4012: Improve Windows NSIS installer
  script (setup.nsi).
2024-03-25 16:46:25 +01:00
W.C.A. Wijngaards
73bd5a19aa - Fix localdata and rpz localdata to match CNAME only if no direct
type match is available.
2024-03-19 10:21:10 +01:00
W.C.A. Wijngaards
fef974ca5c - Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that
clientip and nsip can give a CNAME.
2024-03-19 09:32:53 +01:00
W.C.A. Wijngaards
8dbf46913b - Fix rpz for qtype CNAME after nameserver trigger. 2024-03-18 14:36:29 +01:00
W.C.A. Wijngaards
e46b188fe8 - Add rpz unit test for nsip action override. 2024-03-18 14:11:43 +01:00
W.C.A. Wijngaards
e6b1f9a4c3 - Fix rpz that copies the cname override completely to the temp
region, so there are no references to the rpz region.
2024-03-18 13:52:59 +01:00
W.C.A. Wijngaards
39cfc8c1c0 - Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets
the reply query_info values, that is better for debug logging.
2024-03-18 12:45:00 +01:00
W.C.A. Wijngaards
79e25e192c - Fix that rpz CNAME content is limited to the max number of cnames. 2024-03-18 11:25:29 +01:00
Yorgos Thessalonikefs
792089f523 Merge branch 'features/makedist-persist-windir' 2024-03-15 17:22:00 +01:00
W.C.A. Wijngaards
2993437eaa - Fix that addrinfo is not kept around but copied and freed, so that
log-destaddr uses a copy of the information, much like NSD does.
2024-03-15 13:39:49 +01:00
W.C.A. Wijngaards
0bcc8c0211 - The code repository continues with version 1.19.4. 2024-03-14 10:33:13 +01:00
W.C.A. Wijngaards
4b54d8e15e - Fix rpz for cname override action after nsdname and nsip triggers. 2024-03-13 17:14:14 +01:00
W.C.A. Wijngaards
afe52595a9 - Fix to unify codepath for local alias for rpz cname action override. 2024-03-13 16:12:48 +01:00
W.C.A. Wijngaards
4f417262e3 - Fix rpz that the rpz override is taken in case of clientip triggers.
Fix that the clientip passthru action is logged. Fix that the
  clientip localdata action is logged. Fix rpz override action cname
  for the clientip trigger.
2024-03-13 16:04:58 +01:00
W.C.A. Wijngaards
1db3b38104 - Fix #1029: rpz trigger clientip and action rpz-passthru not working
as expected.
2024-03-13 13:45:04 +01:00
Yorgos Thessalonikefs
bc47f50926 Changelog entry for #1028:
- Merge #1028: Clearer documentation for tcp-idle-timeout and
  edns-tcp-keepalive-timeout.
2024-03-12 14:52:57 +01:00
W.C.A. Wijngaards
320d0a5f1b - Fix #1021 Inconsistent Behavior with Changing rpz-cname-override
and doing a unbound-control reload.
2024-03-11 16:31:58 +01:00
W.C.A. Wijngaards
d382210fce Update doc/Changelog to note the fixes included in 1.19.3rc2. 2024-03-11 12:30:24 +01:00
W.C.A. Wijngaards
7b62767e16 - Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
like unbound-control-setup.sh has.
2024-03-08 17:18:05 +01:00
W.C.A. Wijngaards
6568841bb0 - Fix doc test so it ignores but outputs unsupported doxygen options. 2024-03-08 16:43:24 +01:00
W.C.A. Wijngaards
e361f6b284 - Fix qname minimisation for reply with a DNAME for qtype CNAME that
answers it.
2024-03-08 16:33:17 +01:00
Yorgos Thessalonikefs
53766917ef - Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
deprecation warnings and updates with newer defaults.
2024-03-08 16:13:36 +01:00
W.C.A. Wijngaards
2a255076f5 - Fix validator classification of qtype DNAME for positive and
redirection answers, and fix validator signature routine for dealing
  with the synthesized CNAME for a DNAME without previously
  encountering it and also for when the qtype is DNAME.
2024-03-08 14:10:06 +01:00
W.C.A. Wijngaards
fb080e7853 - Remove unused portion from iter_dname_ttl unit test. 2024-03-08 09:51:37 +01:00
W.C.A. Wijngaards
0818841038 - Fix TTL of synthesized CNAME when a DNAME is used from cache. 2024-03-08 09:47:59 +01:00
W.C.A. Wijngaards
939baebfe7 - Fix unbound-control-setup.cmd to use 3072 bits so that certificates
are long enough for newer OpenSSL versions.
2024-03-08 09:07:36 +01:00
W.C.A. Wijngaards
326ba26522 - Version set to 1.19.3 for release. After 1.19.2 point release with
security fix for CVE-2024-1931, Denial of service when trimming
  EDE text on positive replies. The code repo includes the fix and
  is for version 1.19.3.
2024-03-07 11:06:42 +01:00
W.C.A. Wijngaards
ec0b510f1c - Fix for #1022: Fix ede prohibited in access control refused answers. 2024-03-05 13:39:29 +01:00