Commit graph

8148 commits

Author SHA1 Message Date
W.C.A. Wijngaards
01cea4d5be - Fix #986: Resolving sas.com with dnssec-validation fails though
signed delegations seem to be (mostly) correct.
2025-01-30 16:26:31 +01:00
Yorgos Thessalonikefs
35dbbcb2f5 - Make the default value of module-config "validator iterator"
regardless of compilation options. --enable-subnet would implicitly
change the value to enable the subnetcache module by default in the
past.
2025-01-29 12:08:28 +01:00
Yorgos Thessalonikefs
911509fd59 Changelog entry for #1220:
- Merge #1220 from Petr Menšík, Add unbound members group access to
  control key.
2025-01-24 16:56:09 +01:00
Yorgos Thessalonikefs
b48958c983
Merge pull request #1220 from InfrastructureServices/unbound-control-group-key
Add unbound members group access to control key
2025-01-24 16:53:12 +01:00
Yorgos Thessalonikefs
cc55beefc8 Changelog entry for #1224:
- Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
  set.
2025-01-21 17:35:00 +01:00
Yorgos Thessalonikefs
a2bf32bb4e
Merge pull request #1224 from botovq/improve-use-dsa
Do not use DSA API unless USE_DSA is set
2025-01-21 17:33:48 +01:00
W.C.A. Wijngaards
d9b863ed76 Changelog note for #1229
- Merge #1229: check before use daemon->shm_info.
2025-01-21 15:48:46 +01:00
eaglegai
073c7301eb
check before use daemon->shm_info (#1229)
fix core after the command `unbound-control stop unbound`

fix: https://github.com/NLnetLabs/unbound/issues/1228

Signed-off-by: eaglegai <eaglegai@163.com>
2025-01-21 15:47:51 +01:00
Yorgos Thessalonikefs
f822042cd0 - Do not open unencrypted channels next to encrypted ones on the same
port.
2025-01-21 15:26:40 +01:00
W.C.A. Wijngaards
5f58ced71e - Fix to check length in ATMA string to wire. 2025-01-21 12:30:30 +01:00
W.C.A. Wijngaards
207ae97ff9 - Fix encoding of RR type ATMA. 2025-01-21 12:27:15 +01:00
W.C.A. Wijngaards
9a0de14aa1 - Fix compile of interface check code when dnscrypt or quic is
disabled.
2025-01-21 10:13:48 +01:00
Yorgos Thessalonikefs
048c193243 - Use the same interface listening port discovery code for all needed
protocols.
- Port to string only when needed before getaddrinfo().
2025-01-21 10:04:30 +01:00
Yorgos Thessalonikefs
d62fff2c7c - Create the quic SSL listening context only when needed. 2025-01-20 15:49:37 +01:00
Yorgos Thessalonikefs
3f839cebc3 Changelog entry for #1222:
- Merge #1222: Unique DoT and DoH SSL contexts to allow for different
  ALPN.
2025-01-20 15:45:11 +01:00
Yorgos Thessalonikefs
e4483bbbd1
Unique DoT and DoH SSL contexts to allow for different ALPN (#1222) 2025-01-20 15:43:44 +01:00
Theo Buehler
8672b34fca Do not use DSA API unless USE_DSA is set
Even if USE_DSA is unset, unbound ends up linking against the OpenSSL
DSA API because these guards are missing.
2025-01-18 10:40:43 +01:00
Yorgos Thessalonikefs
1d428f2d54 Changelog entry for #1221:
- Merge #1221: Consider auth zones when checking for forwarders.
2025-01-17 10:19:26 +01:00
Yorgos Thessalonikefs
9882a395ab
Merge pull request #1221 from NLnetLabs/bugfix/consider-auth-zones-when-forwarding
Consider auth zones when checking for forwarders
2025-01-17 10:18:32 +01:00
Yorgos Thessalonikefs
394588818f - Use correct RFC number for resolver.arpa. 2025-01-15 10:55:31 +01:00
Yorgos Thessalonikefs
f52b2a6ea2 - Add resolver.arpa and service.arpa to the default locally served
zones.
2025-01-14 17:18:32 +01:00
Yorgos Thessalonikefs
b2fec3be11 - Take configured auth zones into consideration when checking if a
request needs to be forwarded.
2025-01-14 16:38:53 +01:00
Petr Menšík
f4881bd81a Add unbound members group access to control key
Recent openssl genrsa does not use umask for generated keys. There is no
strong reason why every member of the unbound group should be able to read
the server key. But it would be quite useful for the control key to be
group readable and to allow control access to the whole group. This allows
access to control by group membership, not via sudo.
2025-01-14 14:35:09 +01:00
Yorgos Thessalonikefs
c3b5bff311 - Fix typo. 2025-01-13 12:32:16 +01:00
Yorgos Thessalonikefs
62a0e03801 - Fix #1213: Misleading error message on default access control causing
refuse.
2025-01-13 11:33:24 +01:00
Yorgos Thessalonikefs
716f3df385 Changelog entry for #1214:
- Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
  handshake.
2025-01-10 13:54:49 +01:00
Yorgos Thessalonikefs
7e4f7ec5be
Merge pull request #1214 from NLnetLabs/bugfix/tls-handshake
Use TCP_NODELAY on TLS sockets to speed up the TLS handshake.
2025-01-10 13:53:46 +01:00
Yorgos Thessalonikefs
7559d26c93 - Use TCP_NODELAY on TLS sockets to speed up the TLS handshake. 2025-01-10 12:11:59 +01:00
Yorgos Thessalonikefs
eb36c880de Changelog entry for #1174:
- Merge #1174: Serve expired cache update fixes. Fixes a regression bug
  with serve-expired that appeared in 1.22.0 and would not allow the
  iterator to update the cache with not-yet-validated entries resulting
  in increased outgoing traffic.
2024-12-31 16:30:35 +01:00
Yorgos Thessalonikefs
fff9f62a1e
Serve expired cache update fixes (#1174)
- Fixes a regression bug with serve-expired that appeared in 1.22.0
  and would not allow the iterator to update the cache with
  not-yet-validated entries resulting in increased outgoing traffic.

- Treat serve_expired_norec_ttl as a backoff timer for failed updates of expired records.
- Try to use expired answers instead of SERVFAIL if serve-expired is
  enabled even without serve-expired-client-timeout.
- Add suggestion to refresh the cached norec_ttl and expired_ttl when a
  response cannot update the usable expired entry.
2024-12-31 16:28:12 +01:00
Yorgos Thessalonikefs
e57e537c85 - For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
2024-12-20 15:04:34 +01:00
Yorgos Thessalonikefs
71d821fde9 Changelog entry for #1204:
- Merge #1204: ci: set persist-credentials: false for actions/checkout
  per zizmor suggestion.
2024-12-13 13:43:29 +01:00
Yorgos Thessalonikefs
df5ab5624d
Merge pull request #1204 from NLnetLabs/zizmor-improvements 2024-12-13 13:42:31 +01:00
Maarten Aertsen
eb08dc617a set persist-credentials: false per zizmor suggestion 2024-12-13 13:12:03 +01:00
Yorgos Thessalonikefs
ded4c82ced - Fix typo in log_servfail.tdir test. 2024-12-03 16:03:05 +01:00
Yorgos Thessalonikefs
e82a691efe Changelog entry for #1187:
- Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
  drop.
2024-12-03 14:21:34 +01:00
Yorgos Thessalonikefs
61d7250b96
Create the SSL_CTX for QUIC before chroot and privilege drop (#1187)
Fixes #1185 by creating the SSL_CTX for QUIC before chroot and
privilege drop, just like the other SSL_CTX creations.

---------

Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
2024-12-03 14:20:33 +01:00
Yorgos Thessalonikefs
b4a9c8bb05 - Safeguard alias loop while looking in the cache for expired answers. 2024-12-03 14:10:17 +01:00
Yorgos Thessalonikefs
be92752368 - Merge #1198: Fix log-servfail with serve expired and no useful cache
contents.
2024-12-03 14:05:12 +01:00
Yorgos Thessalonikefs
1512945c79
Merge pull request #1198 from NLnetLabs/bugfix/log-servfail-serve-expired
Fix log-servfail with serve expired and no useful cache contents
2024-12-03 14:02:03 +01:00
Yorgos Thessalonikefs
9de159b96b - For #1175, the default value of serve-expired-ttl is set to 86400
(1 day) as suggested by RFC8767.
2024-12-03 13:09:51 +01:00
Yorgos Thessalonikefs
bd2e66de1e Changelog entry for #1189, #1197:
- Merge #1189: Fix the dname_str method to cause conversion errors
  when the domain name length is 255.
- Merge #1197: dname_str() fixes.
2024-12-03 11:58:06 +01:00
Yorgos Thessalonikefs
9770e855d2
Merge pull request #1197 from NLnetLabs/dname_str-more-tests
dname_str() fixes
2024-12-03 11:55:41 +01:00
Yorgos Thessalonikefs
c124f67f33 - For #1193, introduce log-servfail.tdir and cleanup the log-servfail
setting from other tests.
2024-12-02 12:30:11 +01:00
Yorgos Thessalonikefs
c55490c1e6 - Fix #1193: log-servfail fails to log host SERVFAIL responses in
Unbound 1.19.2 on Ubuntu 24.04.1 LTS, by not considering cached
failures when trying to reply with expired data.
2024-12-02 12:28:11 +01:00
Yorgos Thessalonikefs
f46acec35f - For #1189, homogenize the input buffer size for dname_str(). 2024-12-02 11:53:56 +01:00
Yorgos Thessalonikefs
1cd2fb3b9d - For #1189, add unit tests for dname_str() and debug check the input
buffer size.
2024-12-02 10:03:35 +01:00
wenxuan70
06fb30d0a0 Fix the dname_str method to cause conversion errors when the domain name length is 255 2024-11-24 17:53:23 +08:00
Yorgos Thessalonikefs
9e3c50ec9e - For #1175, update serve-expired tests. 2024-11-22 16:14:02 +01:00
Yorgos Thessalonikefs
eefdbb341f - Fix #1175: serve-expired does not adhere to secure-by-default
principle. The default value of serve-expired-client-timeout
is set to 1800 as suggested by RFC8767.
2024-11-22 15:32:34 +01:00