Commit graph

1678 commits

Author SHA1 Message Date
Yaroslav K
c0118410a2 add ip-dscp configuration option for setting IP DiffServ codepoint (DSCP, previously TOS) on sockets 2020-03-23 19:37:43 +00:00
Florian Obser
bdd245ff7d Make log_ident_revert_to_default() a proper prototype.
Pointed out by clang with -Wstrict-prototypes.
2020-03-20 11:44:38 +01:00
Ralph Dolmans
4504dd3737 - Log warning when using outgoing-port-permit and outgoing-port-avoid
while explicit port randomisation is disabled.
2020-03-19 17:34:46 +01:00
Ralph Dolmans
2c03028fa3 - Fix #158: open tls-session-ticket-keys as binary, for Windows. By Daisuke
HIGASHI.
2020-03-19 14:00:33 +01:00
Jeffrey Walton
6ab0db6e25 Fix NetBSD compile (GH #189) 2020-03-11 03:35:28 -04:00
W.C.A. Wijngaards
614ed2717b Merge branch 'master' into framestreams
Fixed bison and flex conflicts by regenerating the files.
2020-02-28 14:31:24 +01:00
W.C.A. Wijngaards
e13dfc743d For incoming ssl context with verifypem != NULL, we can set
SSL_VERIFY_FAIL_IF_NO_PEER_CERT that can reject client
connections without peer cert during the handshake, which is nicer
than just a connection drop to the client (when we then check
for no peer certificate afterwards).
2020-02-28 11:10:12 +01:00
W.C.A. Wijngaards
b63032b4dd dnstap io, fixup fptr_wlist for unbound_dnstap_socket tool. 2020-02-28 08:55:10 +01:00
W.C.A. Wijngaards
5b61afd38c Return 0 when ssl authentication is not available 2020-02-28 08:11:11 +01:00
W.C.A. Wijngaards
398e260145 Fixup ssl authentication not available with check for it. 2020-02-27 16:57:24 +01:00
W.C.A. Wijngaards
f03245c362 Document log check functions. 2020-02-27 16:28:36 +01:00
W.C.A. Wijngaards
f469049198 - iana portlist updated. 2020-02-26 14:32:14 +01:00
W.C.A. Wijngaards
6a51e9e037 Add dnstap io callbacks to fptr whitelist event. 2020-02-26 12:14:52 +01:00
W.C.A. Wijngaards
318d4e91cc - Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for
using ipv4 filters, because the hosts ip6 netblock /64 is not owned
  by one operator, and thus reputation is shared.
2020-02-25 09:55:59 +01:00
W.C.A. Wijngaards
184f26355a Fix ifdef of X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, and
Merge branch 'master' into framestreams
2020-02-18 08:33:58 +01:00
W.C.A. Wijngaards
465af58457 dnstap io, fix to compile without ssl. 2020-02-14 13:23:58 +01:00
W.C.A. Wijngaards
6d1b4e050d dnstap io, dnstap tls default is yes, and man page documentation. 2020-02-14 10:01:37 +01:00
W.C.A. Wijngaards
00700bbe13 dnstap io, config entries parse and lex. 2020-02-14 09:40:37 +01:00
W.C.A. Wijngaards
78e6060858 dnstap io, example.conf example, config_file entries for tcp and tls. 2020-02-14 09:03:09 +01:00
W.C.A. Wijngaards
25a88d6d54 dnstap io, check peer verification in dtstream dtio_ssl_handshake. 2020-02-12 15:23:58 +01:00
W.C.A. Wijngaards
6c14c7520b Merge branch 'master' into stream-reuse 2020-02-12 11:58:17 +01:00
W.C.A. Wijngaards
e5e72eb398 Merge branch 'master' into framestreams 2020-02-12 11:58:01 +01:00
W.C.A. Wijngaards
2916cfb3b0 - Fix with libnettle make test with dsa disabled. 2020-02-12 11:15:24 +01:00
George Thessalonikefs
da2bda6f4d - Clean debug comments. 2020-02-10 15:54:41 +01:00
George Thessalonikefs
adda4f6ace - Fix use after free on log-identity after a reload; Fixes #163. 2020-02-10 13:56:22 +01:00
W.C.A. Wijngaards
ad180402ea dnstap io, set tls auth name in outgoing ssl 2020-02-05 16:17:21 +01:00
W.C.A. Wijngaards
58fdcf06e8 Merge branch 'master' into framestreams 2020-02-05 14:25:47 +01:00
gthess
f7fe95ad7b Serve stale (#159)
- Added serve-stale functionality as described in
  draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
  to configure the behavior.
- Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
- Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
  come with a configurable TTL value (`serve-expired-reply-ttl`).
- Fixed stats when replying with cached, cname-aliased records.
- Added missing default values for redis cachedb backend.
2020-02-05 14:20:27 +01:00
W.C.A. Wijngaards
dc31cf3652 dnstap unbound-dnstap-sock, read from TLS. 2020-01-31 14:03:28 +01:00
W.C.A. Wijngaards
7495b25f94 - Fix fclose on error in TLS session ticket code. 2020-01-31 07:49:14 +01:00
Ralph Dolmans
810862dc65 - Stop working on socket when socket() call returns an error.
- Check malloc return values in TLS session ticket code
2020-01-30 19:15:58 +01:00
Ralph Dolmans
056176ec9a Merge branch 'master' into rpz 2020-01-30 15:57:34 +01:00
W.C.A. Wijngaards
c79de51da8 Merge branch 'master' into stream-reuse 2020-01-30 14:25:00 +01:00
Ralph Dolmans
88a706acf8 - Add extra dnamelen checks to ipdnametoaddr and netblockdnametoaddr 2020-01-29 15:16:44 +01:00
Ralph Dolmans
1d9185229e - Make dname_has_label's dnamelen check work with 0 length 2020-01-29 11:30:22 +01:00
W.C.A. Wijngaards
6c0a863584 - Fix to silence the tls handshake errors for broken pipe and reset
by peer, unless verbosity is set to 2 or higher.
2020-01-28 14:32:06 +01:00
PMunch
b7e8dc1182 Merge branch 'master' into master 2020-01-28 13:18:01 +01:00
W.C.A. Wijngaards
f6287fc718 - iana portlist updated. 2020-01-28 12:25:37 +01:00
Steven Chamberlain
f6b4f2a149 Allow use of libbsd functions with configure option --with-libbsd
Add a new configure option `--with-libbsd', which allows to use libbsd's
portable implementations of:

    strlcpy strlcat arc4random arc4random_uniform reallocarray

instead of the embedded code copies in contrib/, which will be
difficult to maintain in the long term.

Also patch util/random.c so that, when building with libbsd and without
OpenSSL, arc4random can still be used as the PRNG.  Otherwise, building
with libnettle would need a kernel-specific getentropy implementation,
and libbsd does not export one.

[edmonds@debian.org: Imported patch description from BTS, refreshed
patch against Unbound 1.9.6.]
2020-01-26 19:09:43 -05:00
Ralph Dolmans
bda4c4a375 - improve dname_has_label(), add unit test 2020-01-16 17:50:44 +01:00
W.C.A. Wijngaards
57aefd102e Stream reuse branch, for TCP and TLS stream reuse.
This is for upstream pipes and using them again for the next query.

Signposted code for reuse_tcp structure in outside_network.h
2020-01-16 17:12:32 +01:00
Ralph Dolmans
72c4c6b30c - Fix the dname_has_label fix 2020-01-16 01:36:07 +01:00
Ralph Dolmans
9877e52161 Merge branch 'master' of github.com:NLnetLabs/unbound into rpz 2020-01-15 23:44:10 +01:00
Ralph Dolmans
627285af23 - Fix faulty assert 2020-01-15 23:19:24 +01:00
Ralph Dolmans
344f12dd99 - fix compiler warnings 2020-01-15 23:03:44 +01:00
Ralph Dolmans
14913d75c0 - processed RPZ review feedback
- fix potential locking issue
- add extra out of bound checks
2020-01-15 22:45:29 +01:00
W.C.A. Wijngaards
ea26e5038e - Fix for memory leak when edns subnet config options are read when
compiled without edns subnet support.
2020-01-14 15:48:27 +01:00
W.C.A. Wijngaards
e149bc7046 - Fix unreachable code in ssl set options code. 2020-01-10 11:28:01 +01:00
Ralph Dolmans
2abaca7a49 - Fix dname_has_label() code review changes 2019-12-23 17:35:11 +01:00
Ralph Dolmans
ae4f6a259b Process more review feedback 2019-12-23 16:02:43 +01:00
Florian Obser
0a499ec2ee Fix typo to let serve-expired-ttl work with ub_ctx_set_option(). 2019-12-10 18:03:24 +01:00
W.C.A. Wijngaards
6c3a0b54ed - Fix Out of Bound Write Compressed Names in rdata_copy(),
reported by X41 D-Sec.
2019-12-03 16:18:47 +01:00
W.C.A. Wijngaards
2d444a5037 - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
reported by X41 D-Sec.
2019-12-03 16:17:03 +01:00
W.C.A. Wijngaards
d2eb78e871 - Fix Assert Causing DoS in dname_pkt_copy(),
reported by X41 D-Sec.
2019-12-03 15:20:48 +01:00
Wouter Wijngaards
4edb16296b Merge pull request #124 from rmetrich/basic_loglock
Changed log lock from 'quick' to 'basic' because this is an I/O lock.
2019-12-03 10:03:24 +01:00
Renaud Métrich
d63cb99649 Changed log lock from 'quick' to 'basic' because this is an I/O lock.
We cannot use a 'quick' lock (i.e. lock spinning on the CPU) for the log
lock because it can wait a lot on I/Os. Using a 'quick' lock leads to
eating the CPU for no good reason.

Example of 'pidstat' output when using various locks for log_lock:

- 'quick' lock and slow log file system (tail -f on the log file on XFS on RHEL 8)

04:15:11 PM   UID      TGID       TID    %usr %system    %CPU CPU  Command
04:15:21 PM   998     16431         -  100.00    4.20  100.00   2  unbound
04:15:21 PM   998         -     16431   31.00    1.00   32.00   2  |__unbound
04:15:21 PM   998         -     16432   31.30    0.80   32.10   0  |__unbound
04:15:21 PM   998         -     16433   30.20    1.40   31.60   1  |__unbound
04:15:21 PM   998         -     16434   30.70    1.00   31.70   3  |__unbound

- 'quick' lock and log file system being fast

04:15:40 PM   UID      TGID       TID    %usr %system   %CPU CPU  Command
04:15:50 PM   998     16431         -   10.00    1.60  11.60   1  unbound
04:15:50 PM   998         -     16431    2.50    0.50   3.00   1  |__unbound
04:15:50 PM   998         -     16432    2.30    0.40   2.70   3  |__unbound
04:15:50 PM   998         -     16433    2.70    0.30   3.00   0  |__unbound
04:15:50 PM   998         -     16434    2.60    0.40   3.00   2  |__unbound

- 'basic' lock (this commit) and slow log file system (tail -f on the log file on XFS on RHEL 8)

04:29:48 PM   UID      TGID       TID    %usr %system   %CPU CPU  Command
04:29:58 PM   998     11632         -    7.10   14.10  21.20   3  unbound
04:29:58 PM   998         -     11632    1.70    3.20   4.90   3  |__unbound
04:29:58 PM   998         -     11633    1.60    3.30   4.90   1  |__unbound
04:29:58 PM   998         -     11634    2.00    4.10   6.10   1  |__unbound
04:29:58 PM   998         -     11635    1.90    3.50   5.40   1  |__unbound

We can see in the above example, when 'basic' lock is used, that CPU
isn't consumed when log file system is slow.

Another reproducer scenario: put the log file on a NFS share with 'sync'
option.
2019-11-26 16:32:07 +01:00
Havard Eidnes
dc0b1699e5 In tcp_callback_writer(), don't disable time-out when changing to read. 2019-11-26 00:02:34 +01:00
W.C.A. Wijngaards
da4d6ffee3 - Fix Bad Randomness in Seed, reported by X41 D-Sec. 2019-11-20 14:40:50 +01:00
W.C.A. Wijngaards
3a49e683ed - Fix Enum Name not Used, reported by X41 D-Sec. 2019-11-20 14:22:06 +01:00
W.C.A. Wijngaards
3907876eac - Fix Unrequired Checks, reported by X41 D-Sec. 2019-11-20 14:05:54 +01:00
W.C.A. Wijngaards
09707fc403 - Fix Integer Underflow in Regional Allocator,
reported by X41 D-Sec.
2019-11-20 13:00:56 +01:00
W.C.A. Wijngaards
72d348de6a - Fix Out-of-Bounds Read in dname_valid(),
reported by X41 D-Sec.
2019-11-20 11:38:11 +01:00
W.C.A. Wijngaards
7646c96259 - Fix Randomness Error not Handled Properly,
reported by X41 D-Sec.
2019-11-20 11:35:07 +01:00
W.C.A. Wijngaards
d8809c672a - Fix Weak Entropy Used For Nettle,
reported by X41 D-Sec.
2019-11-20 11:28:53 +01:00
W.C.A. Wijngaards
c54fe82886 - Fix Shared Memory World Writeable,
reported by X41 D-Sec.
2019-11-20 11:13:45 +01:00
W.C.A. Wijngaards
226298bbd3 - Fix Integer Overflow in Regional Allocator,
reported by X41 D-Sec.
2019-11-19 15:38:05 +01:00
W.C.A. Wijngaards
79a6e9fbe2 - Fixes to please lint checks. 2019-11-19 12:10:03 +01:00
W.C.A. Wijngaards
442e95620e - Portable grep usage for reuseport configure test.
- Check return type of HMAC_Init_ex for openssl 0.9.8.
2019-11-18 15:53:47 +01:00
W.C.A. Wijngaards
253d95a8ef - update to bison output of 3.4.1 in code repository. 2019-11-18 10:50:54 +01:00
W.C.A. Wijngaards
d05d6b959a - fixes for splint cleanliness, long vs int in SSL set_mode. 2019-11-13 15:16:27 +01:00
W.C.A. Wijngaards
5ac9bf3f9b - iana portlist updated. 2019-11-13 11:37:06 +01:00
PMunch
d104d3be22 Add inplace callback to dynlibmod, improve example
This adds the possibility to properly register inplace callbacks in the
dynamic library module. It works by creating a wrapper procedure that
is available to the dynamic library and will call the given callback
through a whitelisted callback function.

The dynamic library example has already been improved to include
comments and some simple examples on allocating and deallocating memory
and registering callbacks.
2019-11-01 10:44:26 +01:00
PMunch
f177dc974c Add support for multiple dynamic modules
Allows the use of multiple dynamic modules. Simply add more "dynlib"
entries to the "modules-config" and the same amount of "dynlib-file"
entries in the dynlib configuration block.
2019-10-21 15:59:53 +02:00
PMunch
8eeb910e3d Improve dynlib module and add documentation
Dynamic library module is now only a thin wrapper that loads dynamic
libraries and forwards all function calls directly to the loaded module.
This meant adding get_mem and clear, and get_mem calls have been added
in the expected places.

Documentation has also been added to the example.conf and the
unbound.conf manpage.
2019-10-21 14:20:33 +02:00
PMunch
1762437121 Add dynamic library support 2019-10-21 09:34:51 +02:00
W.C.A. Wijngaards
380b87e21a Merge remote-tracking branch 'origin/branch-1.9.4' 2019-10-03 11:37:22 +02:00
W.C.A. Wijngaards
b60c4a472c Branch 1.9.4 prepares for 1.9.4 release from 1.9.3 2019-10-03 10:34:40 +02:00
W.C.A. Wijngaards
55bb4c1275 - The unbound.conf includes are sorted ascending, for include
statements with a '*' from glob.
2019-09-25 16:50:30 +02:00
Ralph Dolmans
9843b836ee Merge branch 'master' into rpz 2019-09-09 17:17:43 +02:00
Ralph Dolmans
4ac33aa104 - Merge clean up
- revert dname2str off by one fix
- fix str2dname off by one at right location
2019-09-09 17:13:08 +02:00
Ralph Dolmans
2b5cd8e9b4 Merge remote-tracking branch 'ralph/feature/rpz' into rpz 2019-09-09 17:11:26 +02:00
W.C.A. Wijngaards
e45e9f1ce0 - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
LOG_DAEMON (as before) can set the syslog facility that the server
  uses to log messages.
2019-09-09 14:27:55 +02:00
W.C.A. Wijngaards
05b9f4fd28 - Fix #71: fix openssl error squelch commit compilation error. 2019-09-04 08:44:19 +02:00
W.C.A. Wijngaards
1089fd6dc1 - squelch DNS over TLS errors 'ssl handshake failed crypto error'
on low verbosity, they show on verbosity 3 (query details), because
  there is a high volume and the operator cannot do anything for the
  remote failure.  Specifically filters the high volume errors.
2019-09-03 09:47:27 +02:00
W.C.A. Wijngaards
80c2c69fa7 - Fix log_dns_msg to log irrespective of minimal responses config. 2019-08-21 17:41:29 +02:00
W.C.A. Wijngaards
c1c75929fa - iana portlist updated. 2019-08-15 13:07:26 +02:00
W.C.A. Wijngaards
b5a52f8c86 - Generate configlexer with newer flex. 2019-08-14 11:40:35 +02:00
W.C.A. Wijngaards
df0c844eed - Fix to timeval_add for remaining second in microseconds. 2019-08-01 16:48:41 +02:00
W.C.A. Wijngaards
c94e13220b - Fix #49: Set no renegotiation on the SSL context to stop client
session renegotiation.
2019-07-19 08:18:06 +02:00
Ralph Dolmans
9ce7045413 - Fix doxygen issue
- Fix memory leak
- IANA ports update
- merge littlehash ASAN changes
2019-07-16 19:45:49 +02:00
Ralph Dolmans
a8d6147ae4 - Added RPZ response IP support 2019-07-16 18:43:16 +02:00
W.C.A. Wijngaards
368386c011 - Fix #48: Unbound returns additional records on NODATA response,
if minimal-responses is enabled, also the additional for negative
  responses is removed.
2019-07-12 14:34:35 +02:00
Ralph Dolmans
395d83cfc8 Procedures to parse RPZ ip address notation. 2019-06-24 16:01:01 +02:00
W.C.A. Wijngaards
78b2f1cc20 - Fix python dict reference and double free in config. 2019-06-18 17:25:08 +02:00
W.C.A. Wijngaards
63b2628a18 Merge branch 'dev/all-merged/master' of git://github.com/episource/unbound into episource-dev/all-merged/master 2019-06-18 17:07:57 +02:00
W.C.A. Wijngaards
c1e75c0369 - Fix to make unbound-control with ipset, remove unused variable,
use unsigned type because of comparison, and assign null instead
  of compare with it.  Remade lex and yacc output.
2019-06-18 15:57:28 +02:00
W.C.A. Wijngaards
ed95b07764 Merge branch 'master' of git://github.com/k9982874/unbound into k9982874-master 2019-06-18 13:52:52 +02:00
W.C.A. Wijngaards
af6c5dea43 - Fix another spoolbuf storage code point, in prefetch. 2019-06-12 08:32:45 +02:00
Ralph Dolmans
3021e320dd Only strdup rpz_log_name when configured 2019-06-05 14:26:57 +02:00
Ralph Dolmans
bc83e0b016 fix double free issue 2019-06-04 12:38:44 +02:00
W.C.A. Wijngaards
09a0e6ee30 - iana portlist updated. 2019-06-04 12:21:21 +02:00
Ralph Dolmans
268580f348 Added RPZ log name and stats 2019-06-03 15:46:39 +02:00
Ralph Dolmans
b0b69321f9 - Added RPZ action overrides
- Added RPZ policy apply logging
2019-05-16 22:30:42 +02:00
W.C.A. Wijngaards
a95f5fd5cb - Squelch log messages from tcp send about connection reset by peer.
They can be enabled with verbosity at higher values for diagnosing
  network connectivity issues.
2019-05-13 10:39:39 +02:00
W.C.A. Wijngaards
73484d3b36 Fix spelling in code annotation of changes
in the public domain lookup3.c file.
2019-05-06 10:10:58 +02:00
W.C.A. Wijngaards
f1c23891ab - Fix #30: AddressSanitizer finding in lookup3.c.
This sets the hash function to use a slower but better auditable code
that does not read beyond array boundaries.  This makes code better
security checkable, and is better for security.  It is fixed to be
slower, but not read outside of the array.
2019-05-06 09:44:01 +02:00
Kevin Chu
56af87e2f3 edit config parser to support ipset 2019-05-03 17:45:34 +08:00
Kevin Chu
1a48bdebb5 Add support for ipset 2019-05-02 19:43:30 +08:00
Ralph Dolmans
46acf0f99d Merge branch 'feature/rpz' of github.com:ralphdolmans/unbound into feature/rpz 2019-04-25 14:47:09 +02:00
Ralph Dolmans
ba67920f9a - IXFR/AXFR support for RPZ 2019-04-25 14:46:45 +02:00
Ralph Dolmans
186c9e8e82 Merge pull request #5 from NLnetLabs/master
bring fork up to date
2019-04-25 14:43:02 +02:00
Wouter Wijngaards
61a28c2ee5 - iana portlist updated.
git-svn-id: file:///svn/unbound/trunk@5161 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-04-16 13:21:22 +00:00
Wouter Wijngaards
ab6f1d0fc7 - Fix tls write event for read state change to re-call SSL_write and
not resume the TLS handshake.


git-svn-id: file:///svn/unbound/trunk@5159 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-04-15 11:52:21 +00:00
Wouter Wijngaards
c8a56bfa8f - Squelch SSL read and write connection reset by peer and broken pipe
messages.  Verbosity 2 and higher enables them.


git-svn-id: file:///svn/unbound/trunk@5158 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-04-11 15:04:32 +00:00
George Thessalonikefs
d1150541bb - Update python documentation for init_standard().
- Typos.


git-svn-id: file:///svn/unbound/trunk@5157 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-04-11 15:03:04 +00:00
Wouter Wijngaards
c6369e9ffa - Fix that auth zone fails over to next master for timeout in tcp.
git-svn-id: file:///svn/unbound/trunk@5155 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-04-11 13:41:53 +00:00
Ralph Dolmans
edcf2ddd12 - Fix locking issue
- Fixes for compiler warnings
2019-04-10 11:53:08 +02:00
Wouter Wijngaards
bd3c02bd59 - Fix to wipe ssl ticket keys from memory with explicit_bzero,
if available.


git-svn-id: file:///svn/unbound/trunk@5153 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-04-08 14:42:08 +00:00
Wouter Wijngaards
2b47ca080e - Fix to use event_assign with libevent for thread-safety.
git-svn-id: file:///svn/unbound/trunk@5149 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-04-08 11:02:34 +00:00
Ralph Dolmans
c66e47c372 Initial RPZ commit - now with all files 2019-04-05 17:39:10 +02:00
Wouter Wijngaards
348cbab016 - Fix to reinit event structure for accepted TCP (and TLS) sockets.
git-svn-id: file:///svn/unbound/trunk@5148 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-04-05 14:11:28 +00:00
Wouter Wijngaards
a777329b7f - Fix spelling error in log output for event method.
git-svn-id: file:///svn/unbound/trunk@5147 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-04-04 14:28:39 +00:00
Wouter Wijngaards
e338143639 - Fix for out of bounds integers, thanks to OSTIF audit. It is in
allocation debug code.


git-svn-id: file:///svn/unbound/trunk@5143 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-04-02 12:28:20 +00:00
Wouter Wijngaards
78adebf8ec - Fix crash if tls-service-pem not filled in when necessary.
git-svn-id: file:///svn/unbound/trunk@5141 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-03-25 08:51:17 +00:00
Philipp Serr
b248654aab Support multiple python module instances
This commit adds proper support for multiple instances of the python
module: When more than one instance is added to the module list, the
first instance loads the first script specified in the `python:`
configuration section. The second instance loads the second script,
and so on.

When there are more module instances in the module list than there are
scripts in the `python:` section, an error is raised during
initialization and unbound won't start. When more scripts than module
instances are provided, the surplus scripts are ignored.
2019-03-02 14:32:48 +01:00
Wouter Wijngaards
225534e5ab - Fix #4227: pair event del and add for libevent for tcp_req_info.
git-svn-id: file:///svn/unbound/trunk@5122 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-02-25 15:48:27 +00:00
Wouter Wijngaards
fe97f25b75 - Fix that log-replies prints the correct name for local-alias
names, for names that have a CNAME in local-data configuration.
  It logs the original query name, not the target of the CNAME.
- Add local-zone type inform_redirect, which logs like type inform,
  and redirects like type redirect.


git-svn-id: file:///svn/unbound/trunk@5099 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-02-04 09:51:27 +00:00
Wouter Wijngaards
281030d576 - Wipe TLS session key data from memory on exit.
git-svn-id: file:///svn/unbound/trunk@5098 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-31 15:25:27 +00:00
Wouter Wijngaards
df8f236b62 - For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
still supports the set_id_callback previous API.  And for 1.1.0
  no locking callbacks are needed.


git-svn-id: file:///svn/unbound/trunk@5094 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-31 11:31:55 +00:00
Wouter Wijngaards
aae44940c7 - output of newer lex 2.6.1 and bison 3.0.5.
git-svn-id: file:///svn/unbound/trunk@5078 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-25 13:00:09 +00:00
Wouter Wijngaards
062c2cacfc - remove compile warnings from libnettle compile.
git-svn-id: file:///svn/unbound/trunk@5077 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-25 12:58:06 +00:00
Wouter Wijngaards
f11d6653d6 - Fix that tcp for auth zone and outgoing does not remove and
then gets the ssl read again applied to the deleted commpoint.


git-svn-id: file:///svn/unbound/trunk@5074 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-25 12:46:15 +00:00
Wouter Wijngaards
20d5e35576 - Moved includes and make depend.
git-svn-id: file:///svn/unbound/trunk@5073 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-24 16:10:05 +00:00
Wouter Wijngaards
3028fa50a8 - Patch from Florian Obser fixes some compiler warnings:
include mini_event.h to have a prototype for mini_ev_cmp
  include edns.h to have a prototype for apply_edns_options
  sldns_wire2str_edns_keepalive_print is only called in the wire2str,
  module declare it static to get rid of compiler warning:
  no previous prototype for function
  infra_find_ip_ratedata() is only called in the infra module,
  declare it static to get rid of compiler warning:
  no previous prototype for function
  do not shadow local variable buf in authzone
  auth_chunks_delete and az_nsec3_findnode are only called in the
  authzone module, declare them static to get rid of compiler warning:
  no previous prototype for function...
  copy_rrset() is only called in the respip module, declare it
  static to get rid of compiler warning:
  no previous prototype for function 'copy_rrset'
  no need for another variable "r"; gets rid of compiler warning:
  declaration shadows a local variable in libunbound.c
  no need for another variable "ns"; gets rid of compiler warning:
  declaration shadows a local variable in iterator.c



git-svn-id: file:///svn/unbound/trunk@5072 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-24 16:05:00 +00:00
Wouter Wijngaards
707e5a915b Neater spaces
git-svn-id: file:///svn/unbound/trunk@5067 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-23 14:18:24 +00:00
Wouter Wijngaards
68a57554a6 For TLS session keys, keep config options in order read from file to keep the first one as the first one.
git-svn-id: file:///svn/unbound/trunk@5064 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-23 10:41:03 +00:00
Wouter Wijngaards
cc9fb69911 fix lint and clang analysis errors
git-svn-id: file:///svn/unbound/trunk@5063 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-23 10:23:02 +00:00
Wouter Wijngaards
d3f397c686 More fixes, statistic counter at end of struct for backwards compatibility, man page, free at exit, indent.
git-svn-id: file:///svn/unbound/trunk@5062 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-23 10:19:04 +00:00
Wouter Wijngaards
011a7d8830 - Fixes for patch (includes, declarations, warnings).
git-svn-id: file:///svn/unbound/trunk@5060 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-23 09:43:47 +00:00
Wouter Wijngaards
510606dd1c - Patch for TLS session resumption from Manabu Sonoda,
enable with tls-session-ticket-keys in unbound.conf.


git-svn-id: file:///svn/unbound/trunk@5059 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-23 09:35:52 +00:00
Wouter Wijngaards
4c8f334c15 another spelling fix.
git-svn-id: file:///svn/unbound/trunk@5057 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-23 08:48:52 +00:00
Wouter Wijngaards
2f52ecdd9c lex and yacc.
git-svn-id: file:///svn/unbound/trunk@5056 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-23 08:46:33 +00:00
Wouter Wijngaards
5d82b7c421 - Fixes for the patch, and man page entry.
git-svn-id: file:///svn/unbound/trunk@5055 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-23 08:45:16 +00:00
Wouter Wijngaards
8ae9f26bce - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
options for unbound.conf.


git-svn-id: file:///svn/unbound/trunk@5054 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-23 08:37:00 +00:00
Wouter Wijngaards
d81e2c654f - Add stream-wait-size: 4m config option to limit the maximum
memory used by waiting tcp and tls stream replies.  This avoids
  a denial of service where these replies use up all of the memory.


git-svn-id: file:///svn/unbound/trunk@5046 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-21 16:20:14 +00:00
Wouter Wijngaards
f5dcd84d27 Fix reread of buffer data, better, also for TCP.
git-svn-id: file:///svn/unbound/trunk@5045 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-21 14:14:12 +00:00
Wouter Wijngaards
be4583ac84 - Fix that multiple dns fragments can be carried in one TLS frame.
git-svn-id: file:///svn/unbound/trunk@5043 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-21 13:41:13 +00:00
Wouter Wijngaards
dd19026e91 - Initial commit for out-of-order processing for TCP and TLS.
git-svn-id: file:///svn/unbound/trunk@5032 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-11 14:12:27 +00:00
Wouter Wijngaards
4c7f824e0a - Fix config parser memory leaks.
git-svn-id: file:///svn/unbound/trunk@5014 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-12-10 09:27:49 +00:00
Wouter Wijngaards
198a7ce74d - cache-max-ttl also defines upperbound of initial TTL in response.
git-svn-id: file:///svn/unbound/trunk@5007 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-12-03 14:50:47 +00:00
Wouter Wijngaards
2ad55ba791 - log-tag-queryreply: yes in unbound.conf tags the log-queries and
log-replies in the log file for easier log filter maintenance.


git-svn-id: file:///svn/unbound/trunk@5000 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-11-30 09:45:37 +00:00
Wouter Wijngaards
fb342b73d3 - iana portlist updated.
git-svn-id: file:///svn/unbound/trunk@4991 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-11-29 08:27:22 +00:00
Wouter Wijngaards
7bb6358540 Better fix.
git-svn-id: file:///svn/unbound/trunk@4987 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-11-27 13:46:44 +00:00
Wouter Wijngaards
ca33c52086 - Fix windows compile for new rrset roundrobin fix.
git-svn-id: file:///svn/unbound/trunk@4986 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-11-27 13:35:29 +00:00
Wouter Wijngaards
4d5b32ee59 - Fix to not set GLOB_NOSORT so the unbound.conf include: files are
sorted and in a predictable order.


git-svn-id: file:///svn/unbound/trunk@4975 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-11-26 09:54:34 +00:00
Wouter Wijngaards
04d73b9192 - Add patch from Jan Vcelak for pythonmod,
add sockaddr_storage getters, add support for query callbacks,
  allow raw address access via comm_reply and update API documentation.


git-svn-id: file:///svn/unbound/trunk@4962 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-11-20 12:24:40 +00:00
Wouter Wijngaards
c9955f9fdf - Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
git-svn-id: file:///svn/unbound/trunk@4957 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-25 13:52:13 +00:00
Wouter Wijngaards
fd5e4e6019 - Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
adds the option unknown-server-time-limit to unbound.conf that
  can be increased to avoid the problem.


git-svn-id: file:///svn/unbound/trunk@4954 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-25 09:21:41 +00:00
Ralph Dolmans
6021341118 - Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
git-svn-id: file:///svn/unbound/trunk@4951 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-25 08:53:50 +00:00
Wouter Wijngaards
d5922830d0 - Fix #4141: More randomness to rrset-roundrobin.
git-svn-id: file:///svn/unbound/trunk@4950 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-25 08:26:40 +00:00
Wouter Wijngaards
23505d30a5 - Fix #4190: Please create a "ANY" deny option, adds the option
deny-any: yes in unbound.conf.  This responds with an empty message
  to queries of type ANY.


git-svn-id: file:///svn/unbound/trunk@4949 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-25 08:07:37 +00:00
Ralph Dolmans
140a165ab2 - Add markdel function to ECS slabhash.
- Limit ECS scope returned to client to the scope used for caching.
- Make lint like previous #4154 fix.


git-svn-id: file:///svn/unbound/trunk@4946 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-24 13:50:18 +00:00
Wouter Wijngaards
5fec1c8b1f - Fix #4154: make ECS_MAX_TREESIZE configurable, with
the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.


git-svn-id: file:///svn/unbound/trunk@4945 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-22 14:54:28 +00:00
Ralph Dolmans
6b5e7d78e3 - Change fast-server-num default to 3.
git-svn-id: file:///svn/unbound/trunk@4941 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-22 09:36:36 +00:00
Ralph Dolmans
a8b2c64cbf More lint pleasing
git-svn-id: file:///svn/unbound/trunk@4940 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-08 16:38:25 +00:00
Ralph Dolmans
9268f0db50 Please lint by using proper types
git-svn-id: file:///svn/unbound/trunk@4939 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-08 16:33:04 +00:00
Ralph Dolmans
02bd3e2ff1 - Add fast-server-permil and fast-server-num options.
- Deprecate low-rtt and low-rtt-permil options.


git-svn-id: file:///svn/unbound/trunk@4938 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-08 16:03:46 +00:00
Wouter Wijngaards
837565c505 - iana port update.
git-svn-id: file:///svn/unbound/trunk@4933 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-05 15:18:08 +00:00
Wouter Wijngaards
fece182cf5 - Set default for so-reuseport to no for FreeBSD. It is enabled
  by default for Linux and DragonFlyBSD.  The setting can
  be configured in unbound.conf to override the default.


git-svn-id: file:///svn/unbound/trunk@4932 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-05 15:07:19 +00:00
Wouter Wijngaards
d967ceb98b Remove that fix, analyzer is for debug with assertions.
- Fix clang analyzer for optimize compile analysis.


git-svn-id: file:///svn/unbound/trunk@4929 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-02 12:32:33 +00:00
Wouter Wijngaards
c85ff492d0 - Fix clang analyzer for optimize compile analysis.
git-svn-id: file:///svn/unbound/trunk@4922 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-02 10:51:05 +00:00
Wouter Wijngaards
898d4c8dd9 - Fix memory leak when message parse fails partway through copy.
- remove unused udpsize assignment in message encode.


git-svn-id: file:///svn/unbound/trunk@4904 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-09-13 12:30:44 +00:00
Wouter Wijngaards
75b8b8c875 - Free memory leak in config strlist append.
- make sure nsec3 comparison salt is initialized.


git-svn-id: file:///svn/unbound/trunk@4900 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-09-13 10:23:30 +00:00
Wouter Wijngaards
9a82526b91 - exit log routine is annotated as noreturn function.
- free memory leaks in config strlist and str2list insert functions.
- do not move unused argv variable after getopt.
- Remove unused if clause in testcode.


git-svn-id: file:///svn/unbound/trunk@4896 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-09-13 08:58:21 +00:00
Wouter Wijngaards
d8f890a43a - iana port update.
git-svn-id: file:///svn/unbound/trunk@4890 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-09-10 12:35:01 +00:00
Wouter Wijngaards
d4a69e4d2a flex.
git-svn-id: file:///svn/unbound/trunk@4878 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-30 09:02:29 +00:00
Ralph Dolmans
2e5e31e8ac - Added serve-expired-ttl and serve-expired-ttl-reset options.
git-svn-id: file:///svn/unbound/trunk@4876 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-28 14:21:56 +00:00
Wouter Wijngaards
e0745813f4 - Set defaults to yes for a number of options to increase speed and
resilience of the server.  The so-reuseport, harden-below-nxdomain,
  and minimal-responses options are enabled by default.  They used
  to be disabled by default, waiting to make sure they worked.  They
  are enabled by default now, and can be disabled explicitly by
  setting them to "no" in the unbound.conf config file.  The reuseport
  and minimal options increase the speed of the server, and should be
  otherwise harmless.  The harden-below-nxdomain option works well
  together with the recently default-enabled qname minimisation; this
  causes more fetches to use information from the cache.


git-svn-id: file:///svn/unbound/trunk@4871 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-27 13:18:19 +00:00
George Thessalonikefs
0171d06aa2 - #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
gives access to reply information for the client's communication
  point when the callback is called before the mesh state (modules).
  Changes to C and Python's inplace_callback signatures were also
  necessary.


git-svn-id: file:///svn/unbound/trunk@4870 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-22 10:51:13 +00:00
Wouter Wijngaards
4daf8f5bdb - Fix only misc failure from log-servfail when val-log-level is not
enabled.


git-svn-id: file:///svn/unbound/trunk@4869 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-21 14:31:37 +00:00
Wouter Wijngaards
9926fcac4b flex and bison re-run.
git-svn-id: file:///svn/unbound/trunk@4865 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-21 07:10:49 +00:00
Wouter Wijngaards
01d8dc2240 - log-local-actions: yes option for unbound.conf that logs all the
local zone actions, a patch from Saksham Manchanda (Secure64).


git-svn-id: file:///svn/unbound/trunk@4864 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-21 07:10:09 +00:00
Wouter Wijngaards
4fe427ded2 - log-servfail: yes prints log lines that say why queries are
returning SERVFAIL to clients.


git-svn-id: file:///svn/unbound/trunk@4863 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-17 15:22:05 +00:00
Wouter Wijngaards
b0daf867c2 and the error looks good.
git-svn-id: file:///svn/unbound/trunk@4860 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-17 14:17:48 +00:00
Wouter Wijngaards
df85836b15 - Fix warning on compile without threads.
git-svn-id: file:///svn/unbound/trunk@4855 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-16 10:28:11 +00:00
Wouter Wijngaards
256ab3d935 - Patch for stub-no-cache and forward-no-cache options that disable
caching for the contents of that stub or forward, for when you
  want immediate changes visible, from Bjoern A. Zeeb.


git-svn-id: file:///svn/unbound/trunk@4846 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-09 12:44:40 +00:00
Wouter Wijngaards
611e37aa2d (On the patch)
- make depend, yacc, lex, doc, headers.  And log the limit exceeded
  message only on high verbosity, so as to not spam the logs when
  it is busy.


git-svn-id: file:///svn/unbound/trunk@4841 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-07 12:48:49 +00:00
Wouter Wijngaards
77bd7d228b Fix comment reference to variable name in header file.
git-svn-id: file:///svn/unbound/trunk@4838 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-07 12:03:46 +00:00
Wouter Wijngaards
b97b04a9db yacc and lex.
git-svn-id: file:///svn/unbound/trunk@4837 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-07 12:02:10 +00:00
Wouter Wijngaards
586b811b87 - Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
This limits the number of simultaneous TCP client connections
  from a nominated netblock.
And a simple test for TCP connection limit.


git-svn-id: file:///svn/unbound/trunk@4835 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-07 11:57:42 +00:00
George Thessalonikefs
749d1b9ebc - Expose if a query (or a subquery) was ratelimited (not src IP
ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
  This also introduces a change to 'ub_event_callback_type' in
  libunbound/unbound-event.h.
- Tidy pylib tests.


git-svn-id: file:///svn/unbound/trunk@4828 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-03 14:00:46 +00:00
Wouter Wijngaards
37e9f5591a - Revert previous change for #4136: because it introduces build
problems.


git-svn-id: file:///svn/unbound/trunk@4826 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-03 09:47:53 +00:00
Wouter Wijngaards
d546e7766d - iana port list update.
git-svn-id: file:///svn/unbound/trunk@4825 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-01 14:07:54 +00:00
Wouter Wijngaards
1f148e632f remove unused variable
git-svn-id: file:///svn/unbound/trunk@4822 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-07-31 13:36:45 +00:00
Wouter Wijngaards
f9c0f359a7 please lint.
git-svn-id: file:///svn/unbound/trunk@4814 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-07-31 08:14:52 +00:00
Wouter Wijngaards
cc538f4f9f - Please doxygen so it passes.
git-svn-id: file:///svn/unbound/trunk@4813 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-07-31 08:10:20 +00:00
Wouter Wijngaards
900cd200a2 more comments (from commit messages).
git-svn-id: file:///svn/unbound/trunk@4812 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-07-31 08:00:57 +00:00
Wouter Wijngaards
26eaf2d1ee And these source files.
git-svn-id: file:///svn/unbound/trunk@4810 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-07-31 07:48:58 +00:00
Wouter Wijngaards
b7abbd1d72 - Fix mesh.c incompatible pointer pass.
- yacc and lex.


git-svn-id: file:///svn/unbound/trunk@4808 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-07-31 07:23:58 +00:00
Wouter Wijngaards
e3f08cb2a2 - Implement progressive backoff of TCP idle/keepalive timeout.
git-svn-id: file:///svn/unbound/trunk@4806 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-07-31 07:20:15 +00:00