mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-11 09:50:12 +00:00
Upgrade Unbound to 1.7.2. More to follow.
Approved by: re (kib@)
This commit is contained in:
commit
3bd4df0a68
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=338568
@ -327,7 +327,7 @@ unbound-control$(EXEEXT): $(CONTROL_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound-host$(EXEEXT): $(HOST_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
|
||||
$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS)
|
||||
|
||||
unbound-anchor$(EXEEXT): $(UBANCHOR_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat $(SSLLIB) $(LIBS)
|
||||
@ -360,7 +360,7 @@ memstats$(EXEEXT): $(MEMSTATS_OBJ_LINK)
|
||||
$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
|
||||
asynclook$(EXEEXT): $(ASYNCLOOK_OBJ_LINK) libunbound.la
|
||||
$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) $(LIBS) -L. -L.libs -lunbound
|
||||
$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS)
|
||||
|
||||
streamtcp$(EXEEXT): $(STREAMTCP_OBJ_LINK)
|
||||
$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS)
|
||||
@ -1463,7 +1463,7 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc
|
||||
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
|
||||
$(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
|
||||
$(srcdir)/daemon/remote.h \
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
|
||||
$(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h
|
||||
w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
|
||||
unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
|
||||
$(srcdir)/winrc/w_inst.h
|
||||
|
@ -71,6 +71,72 @@ static struct {
|
||||
|
||||
static inline void _rs_rekey(u_char *dat, size_t datlen);
|
||||
|
||||
/*
|
||||
* Basic sanity checking; wish we could do better.
|
||||
*/
|
||||
static int
|
||||
fallback_gotdata(char *buf, size_t len)
|
||||
{
|
||||
char any_set = 0;
|
||||
size_t i;
|
||||
|
||||
for (i = 0; i < len; ++i)
|
||||
any_set |= buf[i];
|
||||
if (any_set == 0)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* fallback for getentropy in case libc returns failure */
|
||||
static int
|
||||
fallback_getentropy_urandom(void *buf, size_t len)
|
||||
{
|
||||
size_t i;
|
||||
int fd, flags;
|
||||
int save_errno = errno;
|
||||
|
||||
start:
|
||||
|
||||
flags = O_RDONLY;
|
||||
#ifdef O_NOFOLLOW
|
||||
flags |= O_NOFOLLOW;
|
||||
#endif
|
||||
#ifdef O_CLOEXEC
|
||||
flags |= O_CLOEXEC;
|
||||
#endif
|
||||
fd = open("/dev/urandom", flags, 0);
|
||||
if (fd == -1) {
|
||||
if (errno == EINTR)
|
||||
goto start;
|
||||
goto nodevrandom;
|
||||
}
|
||||
#ifndef O_CLOEXEC
|
||||
# ifdef HAVE_FCNTL
|
||||
fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
|
||||
# endif
|
||||
#endif
|
||||
for (i = 0; i < len; ) {
|
||||
size_t wanted = len - i;
|
||||
ssize_t ret = read(fd, (char*)buf + i, wanted);
|
||||
|
||||
if (ret == -1) {
|
||||
if (errno == EAGAIN || errno == EINTR)
|
||||
continue;
|
||||
close(fd);
|
||||
goto nodevrandom;
|
||||
}
|
||||
i += ret;
|
||||
}
|
||||
close(fd);
|
||||
if (fallback_gotdata(buf, len) == 0) {
|
||||
errno = save_errno;
|
||||
return 0; /* satisfied */
|
||||
}
|
||||
nodevrandom:
|
||||
errno = EIO;
|
||||
return -1;
|
||||
}
|
||||
|
||||
static inline void
|
||||
_rs_init(u_char *buf, size_t n)
|
||||
{
|
||||
@ -114,11 +180,14 @@ _rs_stir(void)
|
||||
u_char rnd[KEYSZ + IVSZ];
|
||||
|
||||
if (getentropy(rnd, sizeof rnd) == -1) {
|
||||
if(errno != ENOSYS ||
|
||||
fallback_getentropy_urandom(rnd, sizeof rnd) == -1) {
|
||||
#ifdef SIGKILL
|
||||
raise(SIGKILL);
|
||||
raise(SIGKILL);
|
||||
#else
|
||||
exit(9); /* windows */
|
||||
exit(9); /* windows */
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
if (!rs)
|
||||
|
@ -31,6 +31,9 @@
|
||||
internal symbols */
|
||||
/* #undef EXPORT_ALL_SYMBOLS */
|
||||
|
||||
/* Define to 1 if you have the `accept4' function. */
|
||||
#define HAVE_ACCEPT4 1
|
||||
|
||||
/* Define to 1 if you have the `arc4random' function. */
|
||||
#define HAVE_ARC4RANDOM 1
|
||||
|
||||
@ -628,7 +631,7 @@
|
||||
#define PACKAGE_NAME "unbound"
|
||||
|
||||
/* Define to the full name and version of this package. */
|
||||
#define PACKAGE_STRING "unbound 1.7.1"
|
||||
#define PACKAGE_STRING "unbound 1.7.2"
|
||||
|
||||
/* Define to the one symbol short name of this package. */
|
||||
#define PACKAGE_TARNAME "unbound"
|
||||
@ -637,7 +640,7 @@
|
||||
#define PACKAGE_URL ""
|
||||
|
||||
/* Define to the version of this package. */
|
||||
#define PACKAGE_VERSION "1.7.1"
|
||||
#define PACKAGE_VERSION "1.7.2"
|
||||
|
||||
/* default pidfile location */
|
||||
#define PIDFILE "/var/unbound/unbound.pid"
|
||||
@ -656,7 +659,7 @@
|
||||
#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
|
||||
|
||||
/* version number for resource files */
|
||||
#define RSRC_PACKAGE_VERSION 1,7,1,0
|
||||
#define RSRC_PACKAGE_VERSION 1,7,2,0
|
||||
|
||||
/* Directory to chdir to */
|
||||
#define RUN_DIR "/var/unbound"
|
||||
|
@ -30,6 +30,9 @@
|
||||
internal symbols */
|
||||
#undef EXPORT_ALL_SYMBOLS
|
||||
|
||||
/* Define to 1 if you have the `accept4' function. */
|
||||
#undef HAVE_ACCEPT4
|
||||
|
||||
/* Define to 1 if you have the `arc4random' function. */
|
||||
#undef HAVE_ARC4RANDOM
|
||||
|
||||
|
31
contrib/unbound/configure
vendored
31
contrib/unbound/configure
vendored
@ -1,6 +1,6 @@
|
||||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.7.1.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.7.2.
|
||||
#
|
||||
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
|
||||
#
|
||||
@ -590,8 +590,8 @@ MAKEFLAGS=
|
||||
# Identity of this package.
|
||||
PACKAGE_NAME='unbound'
|
||||
PACKAGE_TARNAME='unbound'
|
||||
PACKAGE_VERSION='1.7.1'
|
||||
PACKAGE_STRING='unbound 1.7.1'
|
||||
PACKAGE_VERSION='1.7.2'
|
||||
PACKAGE_STRING='unbound 1.7.2'
|
||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
|
||||
PACKAGE_URL=''
|
||||
|
||||
@ -1440,7 +1440,7 @@ if test "$ac_init_help" = "long"; then
|
||||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures unbound 1.7.1 to adapt to many kinds of systems.
|
||||
\`configure' configures unbound 1.7.2 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
@ -1505,7 +1505,7 @@ fi
|
||||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of unbound 1.7.1:";;
|
||||
short | recursive ) echo "Configuration of unbound 1.7.2:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
@ -1722,7 +1722,7 @@ fi
|
||||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
unbound configure 1.7.1
|
||||
unbound configure 1.7.2
|
||||
generated by GNU Autoconf 2.69
|
||||
|
||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
@ -2431,7 +2431,7 @@ cat >config.log <<_ACEOF
|
||||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by unbound $as_me 1.7.1, which was
|
||||
It was created by unbound $as_me 1.7.2, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
@ -2783,11 +2783,11 @@ UNBOUND_VERSION_MAJOR=1
|
||||
|
||||
UNBOUND_VERSION_MINOR=7
|
||||
|
||||
UNBOUND_VERSION_MICRO=1
|
||||
UNBOUND_VERSION_MICRO=2
|
||||
|
||||
|
||||
LIBUNBOUND_CURRENT=7
|
||||
LIBUNBOUND_REVISION=9
|
||||
LIBUNBOUND_REVISION=10
|
||||
LIBUNBOUND_AGE=5
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@ -2848,6 +2848,7 @@ LIBUNBOUND_AGE=5
|
||||
# 1.6.8 had 7:7:5
|
||||
# 1.7.0 had 7:8:5
|
||||
# 1.7.1 had 7:9:5
|
||||
# 1.7.2 had 7:10:5
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@ -19467,7 +19468,7 @@ else
|
||||
WINDRES="$ac_cv_prog_WINDRES"
|
||||
fi
|
||||
|
||||
LIBS="$LIBS -liphlpapi"
|
||||
LIBS="$LIBS -liphlpapi -lcrypt32"
|
||||
WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe"
|
||||
|
||||
WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c"
|
||||
@ -19701,7 +19702,7 @@ if test "$ac_res" != no; then :
|
||||
|
||||
fi
|
||||
|
||||
for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget
|
||||
for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4
|
||||
do :
|
||||
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
||||
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
|
||||
@ -20854,6 +20855,8 @@ if test "${enable_cachedb+set}" = set; then :
|
||||
enableval=$enable_cachedb;
|
||||
fi
|
||||
|
||||
# turn on cachedb when hiredis support is enabled.
|
||||
if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi
|
||||
case "$enable_cachedb" in
|
||||
yes)
|
||||
|
||||
@ -21041,7 +21044,7 @@ _ACEOF
|
||||
|
||||
|
||||
|
||||
version=1.7.1
|
||||
version=1.7.2
|
||||
|
||||
date=`date +'%b %e, %Y'`
|
||||
|
||||
@ -21560,7 +21563,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
||||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by unbound $as_me 1.7.1, which was
|
||||
This file was extended by unbound $as_me 1.7.2, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
@ -21626,7 +21629,7 @@ _ACEOF
|
||||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||
ac_cs_version="\\
|
||||
unbound config.status 1.7.1
|
||||
unbound config.status 1.7.2
|
||||
configured by $0, generated by GNU Autoconf 2.69,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
|
||||
# must be numbers. ac_defun because of later processing
|
||||
m4_define([VERSION_MAJOR],[1])
|
||||
m4_define([VERSION_MINOR],[7])
|
||||
m4_define([VERSION_MICRO],[1])
|
||||
m4_define([VERSION_MICRO],[2])
|
||||
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
|
||||
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
|
||||
|
||||
LIBUNBOUND_CURRENT=7
|
||||
LIBUNBOUND_REVISION=9
|
||||
LIBUNBOUND_REVISION=10
|
||||
LIBUNBOUND_AGE=5
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@ -79,6 +79,7 @@ LIBUNBOUND_AGE=5
|
||||
# 1.6.8 had 7:7:5
|
||||
# 1.7.0 had 7:8:5
|
||||
# 1.7.1 had 7:9:5
|
||||
# 1.7.2 had 7:10:5
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@ -1245,7 +1246,7 @@ if test "$USE_WINSOCK" = 1; then
|
||||
#include <windows.h>
|
||||
])
|
||||
AC_CHECK_TOOL(WINDRES, windres)
|
||||
LIBS="$LIBS -liphlpapi"
|
||||
LIBS="$LIBS -liphlpapi -lcrypt32"
|
||||
WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe"
|
||||
AC_SUBST(WINAPPS)
|
||||
WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c"
|
||||
@ -1318,7 +1319,7 @@ AC_INCLUDES_DEFAULT
|
||||
#endif
|
||||
])
|
||||
AC_SEARCH_LIBS([setusercontext], [util])
|
||||
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget])
|
||||
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4])
|
||||
AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
|
||||
AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
|
||||
|
||||
@ -1488,6 +1489,8 @@ dnsc_DNSCRYPT([
|
||||
|
||||
# check for cachedb if requested
|
||||
AC_ARG_ENABLE(cachedb, AC_HELP_STRING([--enable-cachedb], [enable cachedb module that can use external cache storage]))
|
||||
# turn on cachedb when hiredis support is enabled.
|
||||
if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi
|
||||
case "$enable_cachedb" in
|
||||
yes)
|
||||
AC_DEFINE([USE_CACHEDB], [1], [Define to 1 to use cachedb support])
|
||||
|
@ -7,7 +7,7 @@ Name: unbound
|
||||
Description: Library with validating, recursive, and caching DNS resolver
|
||||
URL: http://www.unbound.net
|
||||
Version: @PACKAGE_VERSION@
|
||||
Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
|
||||
Libs: -L${libdir} -lunbound
|
||||
Requires: @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
|
||||
Libs: -L${libdir} -lunbound -lssl -lcrypto
|
||||
Libs.private: @SSLLIB@ @LIBS@
|
||||
Cflags: -I${includedir}
|
||||
|
@ -111,6 +111,8 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
|
||||
control = acl_refuse_non_local;
|
||||
else if(strcmp(s2, "allow_snoop") == 0)
|
||||
control = acl_allow_snoop;
|
||||
else if(strcmp(s2, "allow_setrd") == 0)
|
||||
control = acl_allow_setrd;
|
||||
else {
|
||||
log_err("access control type %s unknown", str);
|
||||
return 0;
|
||||
|
@ -63,7 +63,9 @@ enum acl_access {
|
||||
/** allow full access for recursion (+RD) queries */
|
||||
acl_allow,
|
||||
/** allow full access for all queries, recursion and cache snooping */
|
||||
acl_allow_snoop
|
||||
acl_allow_snoop,
|
||||
/** allow full access for recursion queries and set RD flag regardless of request */
|
||||
acl_allow_setrd
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -704,6 +704,7 @@ daemon_cleanup(struct daemon* daemon)
|
||||
free(daemon->workers);
|
||||
daemon->workers = NULL;
|
||||
daemon->num = 0;
|
||||
alloc_clear_special(&daemon->superalloc);
|
||||
#ifdef USE_DNSTAP
|
||||
dt_delete(daemon->dtenv);
|
||||
daemon->dtenv = NULL;
|
||||
|
@ -431,7 +431,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
|
||||
fatal_exit("could not set up listen SSL_CTX");
|
||||
}
|
||||
if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL,
|
||||
cfg->tls_cert_bundle)))
|
||||
cfg->tls_cert_bundle, cfg->tls_win_cert)))
|
||||
fatal_exit("could not set up connect SSL_CTX");
|
||||
#endif
|
||||
|
||||
|
@ -1350,6 +1350,13 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* If this request does not have the recursion bit set, verify
|
||||
* ACLs allow the recursion bit to be treated as set. */
|
||||
if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) &&
|
||||
acl == acl_allow_setrd ) {
|
||||
LDNS_RD_SET(sldns_buffer_begin(c->buffer));
|
||||
}
|
||||
|
||||
/* If this request does not have the recursion bit set, verify
|
||||
* ACLs allow the snooping. */
|
||||
if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) &&
|
||||
|
@ -1,8 +1,80 @@
|
||||
4 June 2018: Wouter
|
||||
- Fix deadlock caused by incoming notify for auth-zone.
|
||||
- tag for 1.7.2rc1
|
||||
|
||||
1 June 2018: Wouter
|
||||
- Rename additional-tls-port to tls-additional-ports.
|
||||
The older name is accepted for backwards compatibility.
|
||||
|
||||
30 May 2018: Wouter
|
||||
- Patch from Syzdek: Add ability to ignore RD bit and treat all
|
||||
requests as if the RD bit is set.
|
||||
|
||||
29 May 2018: Wouter
|
||||
- in compat/arc4random call getentropy_urandom when getentropy fails
|
||||
with ENOSYS.
|
||||
- Fix that fallback for windows port.
|
||||
|
||||
28 May 2018: Wouter
|
||||
- Fix windows tcp and tls spin on events.
|
||||
- Add routine from getdns to add windows cert store to the SSL_CTX.
|
||||
- tls-win-cert option that adds the system certificate store for
|
||||
authenticating DNS-over-TLS connections. It can be used instead
|
||||
of the tls-cert-bundle option, or with it to add certificates.
|
||||
|
||||
25 May 2018: Wouter
|
||||
- For TCP and TLS connections that don't establish, perform address
|
||||
update in infra cache, so future selections can exclude them.
|
||||
- Fix that tcp sticky events are removed for closed fd on windows.
|
||||
- Fix close events for tcp only.
|
||||
|
||||
24 May 2018: Wouter
|
||||
- Fix that libunbound can do DNS-over-TLS, when configured.
|
||||
- Fix that windows unbound service can use DNS-over-TLS.
|
||||
- unbound-host initializes ssl (for potential DNS-over-TLS usage
|
||||
inside libunbound), when ssl upstream or a cert-bundle is configured.
|
||||
|
||||
23 May 2018: Wouter
|
||||
- Use accept4 to speed up incoming TCP (and TLS) connections,
|
||||
available on Linux, FreeBSD and OpenBSD.
|
||||
|
||||
17 May 2018: Ralph
|
||||
- Qname minimisation default changed to yes.
|
||||
|
||||
15 May 2018: Wouter
|
||||
- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
|
||||
|
||||
11 May 2018: Wouter
|
||||
- Fix contrib/libunbound.pc for libssl libcrypto references,
|
||||
from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
|
||||
|
||||
7 May 2018: Wouter
|
||||
- Fix windows to not have sticky TLS events for TCP.
|
||||
- Fix read of DNS over TLS length and data in one read call.
|
||||
- Fix mesh state assertion failure due to callback removal.
|
||||
|
||||
3 May 2018: Wouter
|
||||
- Fix that configure --with-libhiredis also turns on cachedb.
|
||||
- Fix gcc 8 buffer warning in testcode.
|
||||
- Fix function type cast warning in libunbound context callback type.
|
||||
|
||||
2 May 2018: Wouter
|
||||
- Fix fail to reject dead peers in forward-zone, with ssl-upstream.
|
||||
|
||||
1 May 2018: Wouter
|
||||
- Fix that unbound-control reload frees the rrset keys and returns
|
||||
the memory pages to the system.
|
||||
|
||||
30 April 2018: Wouter
|
||||
- Fix spelling error in man page and note defaults as no instead of
|
||||
off.
|
||||
|
||||
26 April 2018: Wouter
|
||||
- Fix for crash in daemon_cleanup with dnstap during reload,
|
||||
from Saksham Manchanda.
|
||||
- Also that for dnscrypt.
|
||||
- tag for 1.7.1rc1 release.
|
||||
- tag for 1.7.1rc1 release. Became 1.7.1 release on 3 May, trunk
|
||||
is from here 1.7.2 in development.
|
||||
|
||||
25 April 2018: Ralph
|
||||
- Fix memory leak when caching wildcard records for aggressive NSEC use
|
||||
|
@ -1,4 +1,4 @@
|
||||
README for Unbound 1.7.1
|
||||
README for Unbound 1.7.2
|
||||
Copyright 2007 NLnet Labs
|
||||
http://unbound.net
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.7.1.
|
||||
# See unbound.conf(5) man page, version 1.7.2.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
@ -223,7 +223,8 @@ server:
|
||||
# to this server. Specify classless netblocks with /size and action.
|
||||
# By default everything is refused, except for localhost.
|
||||
# Choose deny (drop message), refuse (polite error reply),
|
||||
# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
|
||||
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
|
||||
# allow_snoop (recursive and nonrecursive ok)
|
||||
# deny_non_local (drop queries unless can be answered from local-data)
|
||||
# refuse_non_local (like deny_non_local but polite error reply).
|
||||
# access-control: 0.0.0.0/0 refuse
|
||||
@ -372,7 +373,7 @@ server:
|
||||
# Sent minimum amount of information to upstream servers to enhance
|
||||
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
|
||||
# to A when possible.
|
||||
# qname-minimisation: no
|
||||
# qname-minimisation: yes
|
||||
|
||||
# QNAME minimisation in strict mode. Do not fall-back to sending full
|
||||
# QNAME to potentially broken nameservers. A lot of domains will not be
|
||||
@ -681,8 +682,11 @@ server:
|
||||
# Certificates used to authenticate connections made upstream.
|
||||
# tls-cert-bundle: ""
|
||||
|
||||
# Add system certs to the cert bundle, from the Windows Cert Store
|
||||
# tls-win-cert: no
|
||||
|
||||
# Also serve tls on these port numbers (eg. 443, ...), by listing
|
||||
# additional-tls-port: portno for each of the port numbers.
|
||||
# tls-additional-ports: portno for each of the port numbers.
|
||||
|
||||
# DNS64 prefix. Must be specified when DNS64 is use.
|
||||
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
|
||||
@ -725,7 +729,7 @@ server:
|
||||
# low-rtt: 45
|
||||
# select low rtt this many times out of 1000. 0 means the fast server
|
||||
# select is disabled. prefetches are not sped up.
|
||||
# low-rtt-pct: 0
|
||||
# low-rtt-permil: 0
|
||||
|
||||
# Specific options for ipsecmod. unbound needs to be configured with
|
||||
# --enable-ipsecmod for these to take effect.
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.7.1.
|
||||
# See unbound.conf(5) man page, version 1.7.2.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
@ -223,7 +223,8 @@ server:
|
||||
# to this server. Specify classless netblocks with /size and action.
|
||||
# By default everything is refused, except for localhost.
|
||||
# Choose deny (drop message), refuse (polite error reply),
|
||||
# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
|
||||
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
|
||||
# allow_snoop (recursive and nonrecursive ok)
|
||||
# deny_non_local (drop queries unless can be answered from local-data)
|
||||
# refuse_non_local (like deny_non_local but polite error reply).
|
||||
# access-control: 0.0.0.0/0 refuse
|
||||
@ -372,7 +373,7 @@ server:
|
||||
# Sent minimum amount of information to upstream servers to enhance
|
||||
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
|
||||
# to A when possible.
|
||||
# qname-minimisation: no
|
||||
# qname-minimisation: yes
|
||||
|
||||
# QNAME minimisation in strict mode. Do not fall-back to sending full
|
||||
# QNAME to potentially broken nameservers. A lot of domains will not be
|
||||
@ -681,8 +682,11 @@ server:
|
||||
# Certificates used to authenticate connections made upstream.
|
||||
# tls-cert-bundle: ""
|
||||
|
||||
# Add system certs to the cert bundle, from the Windows Cert Store
|
||||
# tls-win-cert: no
|
||||
|
||||
# Also serve tls on these port numbers (eg. 443, ...), by listing
|
||||
# additional-tls-port: portno for each of the port numbers.
|
||||
# tls-additional-ports: portno for each of the port numbers.
|
||||
|
||||
# DNS64 prefix. Must be specified when DNS64 is use.
|
||||
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
|
||||
@ -725,7 +729,7 @@ server:
|
||||
# low-rtt: 45
|
||||
# select low rtt this many times out of 1000. 0 means the fast server
|
||||
# select is disabled. prefetches are not sped up.
|
||||
# low-rtt-pct: 0
|
||||
# low-rtt-permil: 0
|
||||
|
||||
# Specific options for ipsecmod. unbound needs to be configured with
|
||||
# --enable-ipsecmod for these to take effect.
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "libunbound" "3" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "libunbound" "3" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
@ -43,7 +43,7 @@
|
||||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.7.1 functions.
|
||||
\- Unbound DNS validating resolver 1.7.2 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "libunbound" "3" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "libunbound" "3" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
@ -43,7 +43,7 @@
|
||||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.7.1 functions.
|
||||
\- Unbound DNS validating resolver 1.7.2 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-anchor" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "unbound-anchor" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-anchor" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "unbound-anchor" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-checkconf" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "unbound-checkconf" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
@ -8,7 +8,7 @@
|
||||
.\"
|
||||
.\"
|
||||
.SH "NAME"
|
||||
unbound\-checkconf
|
||||
.B unbound\-checkconf
|
||||
\- Check unbound configuration file for errors.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound\-checkconf
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-checkconf" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "unbound-checkconf" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-control" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "unbound-control" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" unbound-control.8 -- unbound remote control manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-control" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "unbound-control" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" unbound-control.8 -- unbound remote control manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound\-host" "1" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "unbound\-host" "1" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound\-host" "1" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "unbound\-host" "1" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "unbound" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.7.1.
|
||||
\- Unbound DNS validating resolver 1.7.2.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound" "8" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "unbound" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.7.1.
|
||||
\- Unbound DNS validating resolver 1.7.2.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound.conf" "5" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "unbound.conf" "5" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" unbound.conf.5 -- unbound.conf manual
|
||||
.\"
|
||||
@ -403,6 +403,8 @@ Enabled or disable whether the upstream queries use TLS only for transport.
|
||||
Default is no. Useful in tunneling scenarios. The TLS contains plain DNS in
|
||||
TCP wireformat. The other server must support this (see
|
||||
\fBtls\-service\-key\fR).
|
||||
If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
|
||||
load CA certs, otherwise the connections cannot be authenticated.
|
||||
.TP
|
||||
.B ssl\-upstream: \fI<yes or no>
|
||||
Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
|
||||
@ -444,8 +446,14 @@ urls, and also DNS over TLS connections.
|
||||
.B ssl\-cert\-bundle: \fI<file>
|
||||
Alternate syntax for \fBtls\-cert\-bundle\fR.
|
||||
.TP
|
||||
.B additional\-tls\-port: \fI<portnr>
|
||||
List portnumbers as additional\-tls\-port, and when interfaces are defined,
|
||||
.B tls\-win\-cert: \fI<yes or no>
|
||||
Add the system certificates to the cert bundle certificates for authentication.
|
||||
If no cert bundle, it uses only these certificates. Default is no.
|
||||
On windows this option uses the certificates from the cert store. Use
|
||||
the tls\-cert\-bundle option on other systems.
|
||||
.TP
|
||||
.B tls\-additional\-ports: \fI<portnr>
|
||||
List portnumbers as tls\-additional\-ports, and when interfaces are defined,
|
||||
eg. with the @port suffix, as this port number, they provide dns over TLS
|
||||
service. Can list multiple, each on a new statement.
|
||||
.TP
|
||||
@ -461,7 +469,8 @@ Default is yes.
|
||||
.B access\-control: \fI<IP netblock> <action>
|
||||
The netblock is given as an IP4 or IP6 address with /size appended for a
|
||||
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||
\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
|
||||
\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
|
||||
\fIrefuse_non_local\fR.
|
||||
The most specific netblock match is used, if none match \fIdeny\fR is used.
|
||||
.IP
|
||||
The action \fIdeny\fR stops queries from hosts from that netblock.
|
||||
@ -480,6 +489,15 @@ in the reply. This supports normal operations where nonrecursive queries
|
||||
are made for the authoritative data. For nonrecursive queries any replies
|
||||
from the dynamic cache are refused.
|
||||
.IP
|
||||
The \fIallow_setrd\fR action ignores the recursion desired (RD) bit and
|
||||
treats all requests as if the recursion desired bit is set. Note that this
|
||||
behavior violates RFC 1034 which states that a name server should never perform
|
||||
recursive service unless asked via the RD bit since this interferes with
|
||||
trouble shooting of name servers and their databases. This prohibited behavior
|
||||
may be useful if another DNS server must forward requests for specific
|
||||
zones to a resolver DNS server, but only supports stub domains and
|
||||
sends queries to the resolver DNS server with the RD bit cleared.
|
||||
.IP
|
||||
The action \fIallow_snoop\fR gives nonrecursive access too. This give
|
||||
both recursive and non recursive access. The name \fIallow_snoop\fR refers
|
||||
to cache snooping, a technique to use nonrecursive queries to examine
|
||||
@ -691,7 +709,7 @@ infrastructure data. Validates the replies if trust anchors are configured
|
||||
and the zones are signed. This enforces DNSSEC validation on nameserver
|
||||
NS sets and the nameserver addresses that are encountered on the referral
|
||||
path to the answer.
|
||||
Default off, because it burdens the authority servers, and it is
|
||||
Default no, because it burdens the authority servers, and it is
|
||||
not RFC standard, and could lead to performance problems because of the
|
||||
extra query load that is generated. Experimental option.
|
||||
If you enable it consider adding more numbers after the target\-fetch\-policy
|
||||
@ -722,7 +740,7 @@ Send minimum amount of information to upstream servers to enhance privacy.
|
||||
Only sent minimum required labels of the QNAME and set QTYPE to A when
|
||||
possible. Best effort approach; full QNAME and original QTYPE will be sent when
|
||||
upstream replies with a RCODE other than NOERROR, except when receiving
|
||||
NXDOMAIN from a DNSSEC signed zone. Default is off.
|
||||
NXDOMAIN from a DNSSEC signed zone. Default is yes.
|
||||
.TP
|
||||
.B qname\-minimisation\-strict: \fI<yes or no>
|
||||
QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to
|
||||
@ -1315,10 +1333,10 @@ factor given.
|
||||
.TP 5
|
||||
.B low\-rtt: \fI<msec time>
|
||||
Set the time in millisecond that is considere a low ping time for fast
|
||||
server selection with the low\-rtt\-pct option, that turns this on or off.
|
||||
server selection with the low\-rtt\-permil option, that turns this on or off.
|
||||
The default is 45 msec, a number from IPv6 quick response documents.
|
||||
.TP 5
|
||||
.B low\-rtt\-pct: \fI<number>
|
||||
.B low\-rtt\-permil: \fI<number>
|
||||
Specify how many times out of 1000 to pick the fast server from the low
|
||||
rtt band. 0 turns the feature off. A value of 900 would pick the fast
|
||||
server when such fast servers are available 90 percent of the time, and
|
||||
@ -1328,7 +1346,7 @@ sped up, because there is no one waiting for it, and it presents a good
|
||||
moment to perform server exploration. The low\-rtt option can be used
|
||||
to specify which servers are picked for fast server selection, servers
|
||||
with a ping roundtrip time below that value are considered.
|
||||
The default for low\-rtt\-pct is 0.
|
||||
The default for low\-rtt\-permil is 0.
|
||||
.SS "Remote Control Options"
|
||||
In the
|
||||
.B remote\-control:
|
||||
@ -1429,7 +1447,7 @@ IP address of stub zone nameserver. Can be IP 4 or IP 6.
|
||||
To use a nondefault port for DNS communication append '@' with the port number.
|
||||
.TP
|
||||
.B stub\-prime: \fI<yes or no>
|
||||
This option is by default off. If enabled it performs NS set priming,
|
||||
This option is by default no. If enabled it performs NS set priming,
|
||||
which is similar to root hints, where it starts using the list of nameservers
|
||||
currently published by the zone. Thus, if the hint list is slightly outdated,
|
||||
the resolver picks up a correct list online.
|
||||
@ -1490,6 +1508,8 @@ The default is no.
|
||||
.B forward\-tls\-upstream: \fI<yes or no>
|
||||
Enabled or disable whether the queries to this forwarder use TLS for transport.
|
||||
Default is no.
|
||||
If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
|
||||
load CA certs, otherwise the connections cannot be authenticated.
|
||||
.TP
|
||||
.B forward\-ssl\-upstream: \fI<yes or no>
|
||||
Alternate syntax for \fBforward\-tls\-upstream\fR.
|
||||
@ -1827,7 +1847,7 @@ If Unbound was built with
|
||||
on a system that has installed the hiredis C client library of Redis,
|
||||
then the "redis" backend can be used.
|
||||
This backend communicates with the specified Redis server over a TCP
|
||||
connection to store and retrive cache data.
|
||||
connection to store and retrieve cache data.
|
||||
It can be used as a persistent and/or shared cache backend.
|
||||
It should be noted that Unbound never removes data stored in the Redis server,
|
||||
even if some data have expired in terms of DNS TTL or the Redis server has
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound.conf" "5" "May 3, 2018" "NLnet Labs" "unbound 1.7.1"
|
||||
.TH "unbound.conf" "5" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
|
||||
.\"
|
||||
.\" unbound.conf.5 -- unbound.conf manual
|
||||
.\"
|
||||
@ -403,6 +403,8 @@ Enabled or disable whether the upstream queries use TLS only for transport.
|
||||
Default is no. Useful in tunneling scenarios. The TLS contains plain DNS in
|
||||
TCP wireformat. The other server must support this (see
|
||||
\fBtls\-service\-key\fR).
|
||||
If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
|
||||
load CA certs, otherwise the connections cannot be authenticated.
|
||||
.TP
|
||||
.B ssl\-upstream: \fI<yes or no>
|
||||
Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
|
||||
@ -444,8 +446,14 @@ urls, and also DNS over TLS connections.
|
||||
.B ssl\-cert\-bundle: \fI<file>
|
||||
Alternate syntax for \fBtls\-cert\-bundle\fR.
|
||||
.TP
|
||||
.B additional\-tls\-port: \fI<portnr>
|
||||
List portnumbers as additional\-tls\-port, and when interfaces are defined,
|
||||
.B tls\-win\-cert: \fI<yes or no>
|
||||
Add the system certificates to the cert bundle certificates for authentication.
|
||||
If no cert bundle, it uses only these certificates. Default is no.
|
||||
On windows this option uses the certificates from the cert store. Use
|
||||
the tls\-cert\-bundle option on other systems.
|
||||
.TP
|
||||
.B tls\-additional\-ports: \fI<portnr>
|
||||
List portnumbers as tls\-additional\-ports, and when interfaces are defined,
|
||||
eg. with the @port suffix, as this port number, they provide dns over TLS
|
||||
service. Can list multiple, each on a new statement.
|
||||
.TP
|
||||
@ -461,7 +469,8 @@ Default is yes.
|
||||
.B access\-control: \fI<IP netblock> <action>
|
||||
The netblock is given as an IP4 or IP6 address with /size appended for a
|
||||
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||
\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
|
||||
\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
|
||||
\fIrefuse_non_local\fR.
|
||||
The most specific netblock match is used, if none match \fIdeny\fR is used.
|
||||
.IP
|
||||
The action \fIdeny\fR stops queries from hosts from that netblock.
|
||||
@ -480,6 +489,15 @@ in the reply. This supports normal operations where nonrecursive queries
|
||||
are made for the authoritative data. For nonrecursive queries any replies
|
||||
from the dynamic cache are refused.
|
||||
.IP
|
||||
The \fIallow_setrd\fR action ignores the recursion desired (RD) bit and
|
||||
treats all requests as if the recursion desired bit is set. Note that this
|
||||
behavior violates RFC 1034 which states that a name server should never perform
|
||||
recursive service unless asked via the RD bit since this interferes with
|
||||
trouble shooting of name servers and their databases. This prohibited behavior
|
||||
may be useful if another DNS server must forward requests for specific
|
||||
zones to a resolver DNS server, but only supports stub domains and
|
||||
sends queries to the resolver DNS server with the RD bit cleared.
|
||||
.IP
|
||||
The action \fIallow_snoop\fR gives nonrecursive access too. This give
|
||||
both recursive and non recursive access. The name \fIallow_snoop\fR refers
|
||||
to cache snooping, a technique to use nonrecursive queries to examine
|
||||
@ -691,7 +709,7 @@ infrastructure data. Validates the replies if trust anchors are configured
|
||||
and the zones are signed. This enforces DNSSEC validation on nameserver
|
||||
NS sets and the nameserver addresses that are encountered on the referral
|
||||
path to the answer.
|
||||
Default off, because it burdens the authority servers, and it is
|
||||
Default no, because it burdens the authority servers, and it is
|
||||
not RFC standard, and could lead to performance problems because of the
|
||||
extra query load that is generated. Experimental option.
|
||||
If you enable it consider adding more numbers after the target\-fetch\-policy
|
||||
@ -722,7 +740,7 @@ Send minimum amount of information to upstream servers to enhance privacy.
|
||||
Only sent minimum required labels of the QNAME and set QTYPE to A when
|
||||
possible. Best effort approach; full QNAME and original QTYPE will be sent when
|
||||
upstream replies with a RCODE other than NOERROR, except when receiving
|
||||
NXDOMAIN from a DNSSEC signed zone. Default is off.
|
||||
NXDOMAIN from a DNSSEC signed zone. Default is yes.
|
||||
.TP
|
||||
.B qname\-minimisation\-strict: \fI<yes or no>
|
||||
QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to
|
||||
@ -1315,10 +1333,10 @@ factor given.
|
||||
.TP 5
|
||||
.B low\-rtt: \fI<msec time>
|
||||
Set the time in millisecond that is considere a low ping time for fast
|
||||
server selection with the low\-rtt\-pct option, that turns this on or off.
|
||||
server selection with the low\-rtt\-permil option, that turns this on or off.
|
||||
The default is 45 msec, a number from IPv6 quick response documents.
|
||||
.TP 5
|
||||
.B low\-rtt\-pct: \fI<number>
|
||||
.B low\-rtt\-permil: \fI<number>
|
||||
Specify how many times out of 1000 to pick the fast server from the low
|
||||
rtt band. 0 turns the feature off. A value of 900 would pick the fast
|
||||
server when such fast servers are available 90 percent of the time, and
|
||||
@ -1328,7 +1346,7 @@ sped up, because there is no one waiting for it, and it presents a good
|
||||
moment to perform server exploration. The low\-rtt option can be used
|
||||
to specify which servers are picked for fast server selection, servers
|
||||
with a ping roundtrip time below that value are considered.
|
||||
The default for low\-rtt\-pct is 0.
|
||||
The default for low\-rtt\-permil is 0.
|
||||
.SS "Remote Control Options"
|
||||
In the
|
||||
.B remote\-control:
|
||||
@ -1429,7 +1447,7 @@ IP address of stub zone nameserver. Can be IP 4 or IP 6.
|
||||
To use a nondefault port for DNS communication append '@' with the port number.
|
||||
.TP
|
||||
.B stub\-prime: \fI<yes or no>
|
||||
This option is by default off. If enabled it performs NS set priming,
|
||||
This option is by default no. If enabled it performs NS set priming,
|
||||
which is similar to root hints, where it starts using the list of nameservers
|
||||
currently published by the zone. Thus, if the hint list is slightly outdated,
|
||||
the resolver picks up a correct list online.
|
||||
@ -1490,6 +1508,8 @@ The default is no.
|
||||
.B forward\-tls\-upstream: \fI<yes or no>
|
||||
Enabled or disable whether the queries to this forwarder use TLS for transport.
|
||||
Default is no.
|
||||
If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
|
||||
load CA certs, otherwise the connections cannot be authenticated.
|
||||
.TP
|
||||
.B forward\-ssl\-upstream: \fI<yes or no>
|
||||
Alternate syntax for \fBforward\-tls\-upstream\fR.
|
||||
@ -1827,7 +1847,7 @@ If Unbound was built with
|
||||
on a system that has installed the hiredis C client library of Redis,
|
||||
then the "redis" backend can be used.
|
||||
This backend communicates with the specified Redis server over a TCP
|
||||
connection to store and retrive cache data.
|
||||
connection to store and retrieve cache data.
|
||||
It can be used as a persistent and/or shared cache backend.
|
||||
It should be noted that Unbound never removes data stored in the Redis server,
|
||||
even if some data have expired in terms of DNS TTL or the Redis server has
|
||||
|
@ -329,9 +329,9 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
|
||||
return 0 to force the caller to fetch more */
|
||||
}
|
||||
|
||||
if(env->cfg->low_rtt_pct != 0 && prefetch == 0 &&
|
||||
if(env->cfg->low_rtt_permil != 0 && prefetch == 0 &&
|
||||
low_rtt < env->cfg->low_rtt &&
|
||||
ub_random_max(env->rnd, 1000) < env->cfg->low_rtt_pct) {
|
||||
ub_random_max(env->rnd, 1000) < env->cfg->low_rtt_permil) {
|
||||
/* the query is not prefetch, but for a downstream client,
|
||||
* there is a low_rtt (fast) server. We choose that x% of the
|
||||
* time */
|
||||
|
@ -130,7 +130,7 @@ find_id(struct ub_ctx* ctx, int* id)
|
||||
|
||||
struct ctx_query*
|
||||
context_new(struct ub_ctx* ctx, const char* name, int rrtype, int rrclass,
|
||||
ub_callback_type cb, void* cbarg)
|
||||
ub_callback_type cb, ub_event_callback_type cb_event, void* cbarg)
|
||||
{
|
||||
struct ctx_query* q = (struct ctx_query*)calloc(1, sizeof(*q));
|
||||
if(!q) return NULL;
|
||||
@ -142,8 +142,9 @@ context_new(struct ub_ctx* ctx, const char* name, int rrtype, int rrclass,
|
||||
}
|
||||
lock_basic_unlock(&ctx->cfglock);
|
||||
q->node.key = &q->querynum;
|
||||
q->async = (cb != NULL);
|
||||
q->async = (cb != NULL || cb_event != NULL);
|
||||
q->cb = cb;
|
||||
q->cb_event = cb_event;
|
||||
q->cb_arg = cbarg;
|
||||
q->res = (struct ub_result*)calloc(1, sizeof(*q->res));
|
||||
if(!q->res) {
|
||||
|
@ -45,6 +45,7 @@
|
||||
#include "util/rbtree.h"
|
||||
#include "services/modstack.h"
|
||||
#include "libunbound/unbound.h"
|
||||
#include "libunbound/unbound-event.h"
|
||||
#include "util/data/packed_rrset.h"
|
||||
struct libworker;
|
||||
struct tube;
|
||||
@ -148,8 +149,10 @@ struct ctx_query {
|
||||
/** was this query cancelled (for bg worker) */
|
||||
int cancelled;
|
||||
|
||||
/** for async query, the callback function */
|
||||
/** for async query, the callback function of type ub_callback_type */
|
||||
ub_callback_type cb;
|
||||
/** for event callbacks the type is ub_event_callback_type */
|
||||
ub_event_callback_type cb_event;
|
||||
/** for async query, the callback user arg */
|
||||
void* cb_arg;
|
||||
|
||||
@ -238,11 +241,13 @@ void context_query_delete(struct ctx_query* q);
|
||||
* @param rrtype: type
|
||||
* @param rrclass: class
|
||||
* @param cb: callback for async, or NULL for sync.
|
||||
* @param cb_event: event callback for async, or NULL for sync.
|
||||
* @param cbarg: user arg for async queries.
|
||||
* @return new ctx_query or NULL for malloc failure.
|
||||
*/
|
||||
struct ctx_query* context_new(struct ub_ctx* ctx, const char* name, int rrtype,
|
||||
int rrclass, ub_callback_type cb, void* cbarg);
|
||||
int rrclass, ub_callback_type cb, ub_event_callback_type cb_event,
|
||||
void* cbarg);
|
||||
|
||||
/**
|
||||
* Get a new alloc. Creates a new one or uses a cached one.
|
||||
|
@ -690,7 +690,7 @@ ub_resolve(struct ub_ctx* ctx, const char* name, int rrtype,
|
||||
}
|
||||
/* create new ctx_query and attempt to add to the list */
|
||||
lock_basic_unlock(&ctx->cfglock);
|
||||
q = context_new(ctx, name, rrtype, rrclass, NULL, NULL);
|
||||
q = context_new(ctx, name, rrtype, rrclass, NULL, NULL, NULL);
|
||||
if(!q)
|
||||
return UB_NOMEM;
|
||||
/* become a resolver thread for a bit */
|
||||
@ -747,8 +747,7 @@ ub_resolve_event(struct ub_ctx* ctx, const char* name, int rrtype,
|
||||
ub_comm_base_now(ctx->event_worker->base);
|
||||
|
||||
/* create new ctx_query and attempt to add to the list */
|
||||
q = context_new(ctx, name, rrtype, rrclass, (ub_callback_type)callback,
|
||||
mydata);
|
||||
q = context_new(ctx, name, rrtype, rrclass, NULL, callback, mydata);
|
||||
if(!q)
|
||||
return UB_NOMEM;
|
||||
|
||||
@ -793,7 +792,7 @@ ub_resolve_async(struct ub_ctx* ctx, const char* name, int rrtype,
|
||||
}
|
||||
|
||||
/* create new ctx_query and attempt to add to the list */
|
||||
q = context_new(ctx, name, rrtype, rrclass, callback, mydata);
|
||||
q = context_new(ctx, name, rrtype, rrclass, callback, NULL, mydata);
|
||||
if(!q)
|
||||
return UB_NOMEM;
|
||||
|
||||
|
@ -158,9 +158,9 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
|
||||
hints_delete(w->env->hints);
|
||||
w->env->hints = NULL;
|
||||
}
|
||||
if(cfg->ssl_upstream) {
|
||||
if(cfg->ssl_upstream || (cfg->tls_cert_bundle && cfg->tls_cert_bundle[0]) || cfg->tls_win_cert) {
|
||||
w->sslctx = connect_sslctx_create(NULL, NULL,
|
||||
cfg->tls_cert_bundle);
|
||||
cfg->tls_cert_bundle, cfg->tls_win_cert);
|
||||
if(!w->sslctx) {
|
||||
/* to make the setup fail after unlock */
|
||||
hints_delete(w->env->hints);
|
||||
@ -637,7 +637,7 @@ libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
|
||||
enum sec_status s, char* why_bogus)
|
||||
{
|
||||
struct ctx_query* q = (struct ctx_query*)arg;
|
||||
ub_event_callback_type cb = (ub_event_callback_type)q->cb;
|
||||
ub_event_callback_type cb = q->cb_event;
|
||||
void* cb_arg = q->cb_arg;
|
||||
int cancelled = q->cancelled;
|
||||
|
||||
|
@ -3425,14 +3425,17 @@ xfr_process_notify(struct auth_xfer* xfr, struct module_env* env,
|
||||
{
|
||||
/* if the serial of notify is older than we have, don't fetch
|
||||
* a zone, we already have it */
|
||||
if(has_serial && !xfr_serial_means_update(xfr, serial))
|
||||
if(has_serial && !xfr_serial_means_update(xfr, serial)) {
|
||||
lock_basic_unlock(&xfr->lock);
|
||||
return;
|
||||
}
|
||||
/* start new probe with this addr src, or note serial */
|
||||
if(!xfr_start_probe(xfr, env, fromhost)) {
|
||||
/* not started because already in progress, note the serial */
|
||||
xfr_note_notify_serial(xfr, has_serial, serial);
|
||||
lock_basic_unlock(&xfr->lock);
|
||||
}
|
||||
/* successful end of start_probe unlocked xfr->lock */
|
||||
}
|
||||
|
||||
int auth_zones_notify(struct auth_zones* az, struct module_env* env,
|
||||
|
@ -1059,7 +1059,7 @@ set_recvpktinfo(int s, int family)
|
||||
/** see if interface is ssl, its port number == the ssl port number */
|
||||
static int
|
||||
if_is_ssl(const char* ifname, const char* port, int ssl_port,
|
||||
struct config_strlist* additional_tls_port)
|
||||
struct config_strlist* tls_additional_ports)
|
||||
{
|
||||
struct config_strlist* s;
|
||||
char* p = strchr(ifname, '@');
|
||||
@ -1067,7 +1067,7 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port,
|
||||
return 1;
|
||||
if(p && atoi(p+1) == ssl_port)
|
||||
return 1;
|
||||
for(s = additional_tls_port; s; s = s->next) {
|
||||
for(s = tls_additional_ports; s; s = s->next) {
|
||||
if(p && atoi(p+1) == atoi(s->str))
|
||||
return 1;
|
||||
if(!p && atoi(port) == atoi(s->str))
|
||||
@ -1089,7 +1089,7 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port,
|
||||
* @param rcv: receive buffer size for UDP
|
||||
* @param snd: send buffer size for UDP
|
||||
* @param ssl_port: ssl service port number
|
||||
* @param additional_tls_port: list of additional ssl service port numbers.
|
||||
* @param tls_additional_ports: list of additional ssl service port numbers.
|
||||
* @param reuseport: try to set SO_REUSEPORT if nonNULL and true.
|
||||
* set to false on exit if reuseport failed due to no kernel support.
|
||||
* @param transparent: set IP_TRANSPARENT socket option.
|
||||
@ -1103,7 +1103,7 @@ static int
|
||||
ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
||||
struct addrinfo *hints, const char* port, struct listen_port** list,
|
||||
size_t rcv, size_t snd, int ssl_port,
|
||||
struct config_strlist* additional_tls_port, int* reuseport,
|
||||
struct config_strlist* tls_additional_ports, int* reuseport,
|
||||
int transparent, int tcp_mss, int freebind, int use_systemd,
|
||||
int dnscrypt_port)
|
||||
{
|
||||
@ -1170,7 +1170,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
||||
}
|
||||
if(do_tcp) {
|
||||
int is_ssl = if_is_ssl(ifname, port, ssl_port,
|
||||
additional_tls_port);
|
||||
tls_additional_ports);
|
||||
if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1,
|
||||
&noip6, 0, 0, reuseport, transparent, tcp_mss,
|
||||
freebind, use_systemd)) == -1) {
|
||||
@ -1356,7 +1356,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
|
||||
do_auto, cfg->do_udp, do_tcp,
|
||||
&hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, cfg->additional_tls_port,
|
||||
cfg->ssl_port, cfg->tls_additional_ports,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
|
||||
cfg->dnscrypt_port)) {
|
||||
@ -1370,7 +1370,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
|
||||
do_auto, cfg->do_udp, do_tcp,
|
||||
&hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, cfg->additional_tls_port,
|
||||
cfg->ssl_port, cfg->tls_additional_ports,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
|
||||
cfg->dnscrypt_port)) {
|
||||
@ -1386,7 +1386,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
|
||||
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
|
||||
do_tcp, &hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, cfg->additional_tls_port,
|
||||
cfg->ssl_port, cfg->tls_additional_ports,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
|
||||
cfg->dnscrypt_port)) {
|
||||
@ -1400,7 +1400,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
|
||||
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
|
||||
do_tcp, &hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, cfg->additional_tls_port,
|
||||
cfg->ssl_port, cfg->tls_additional_ports,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
|
||||
cfg->dnscrypt_port)) {
|
||||
|
@ -1173,6 +1173,10 @@ void mesh_query_done(struct mesh_state* mstate)
|
||||
while((c = mstate->cb_list) != NULL) {
|
||||
/* take this cb off the list; so that the list can be
|
||||
* changed, eg. by adds from the callback routine */
|
||||
if(!mstate->reply_list && mstate->cb_list && !c->next) {
|
||||
/* was a reply state, not anymore */
|
||||
mstate->s.env->mesh->num_reply_states--;
|
||||
}
|
||||
mstate->cb_list = c->next;
|
||||
if(!mstate->reply_list && !mstate->cb_list &&
|
||||
mstate->super_set.count == 0)
|
||||
|
@ -1301,8 +1301,8 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
|
||||
w->ssl_upstream = sq->ssl_upstream;
|
||||
w->tls_auth_name = sq->tls_auth_name;
|
||||
#ifndef S_SPLINT_S
|
||||
tv.tv_sec = timeout;
|
||||
tv.tv_usec = 0;
|
||||
tv.tv_sec = timeout/1000;
|
||||
tv.tv_usec = (timeout%1000)*1000;
|
||||
#endif
|
||||
comm_timer_set(w->timer, &tv);
|
||||
if(pend) {
|
||||
@ -1812,7 +1812,12 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
|
||||
}
|
||||
if(sq->tcp_upstream || sq->ssl_upstream) {
|
||||
struct timeval now = *sq->outnet->now_tv;
|
||||
if(now.tv_sec > sq->last_sent_time.tv_sec ||
|
||||
if(error!=NETEVENT_NOERROR) {
|
||||
if(!infra_rtt_update(sq->outnet->infra, &sq->addr,
|
||||
sq->addrlen, sq->zone, sq->zonelen, sq->qtype,
|
||||
-1, sq->last_rtt, (time_t)now.tv_sec))
|
||||
log_err("out of memory in TCP exponential backoff.");
|
||||
} else if(now.tv_sec > sq->last_sent_time.tv_sec ||
|
||||
(now.tv_sec == sq->last_sent_time.tv_sec &&
|
||||
now.tv_usec > sq->last_sent_time.tv_usec)) {
|
||||
/* convert from microseconds to milliseconds */
|
||||
@ -1822,7 +1827,7 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
|
||||
log_assert(roundtime >= 0);
|
||||
/* only store if less then AUTH_TIMEOUT seconds, it could be
|
||||
* huge due to system-hibernated and we woke up */
|
||||
if(roundtime < TCP_AUTH_QUERY_TIMEOUT*1000) {
|
||||
if(roundtime < 60000) {
|
||||
if(!infra_rtt_update(sq->outnet->infra, &sq->addr,
|
||||
sq->addrlen, sq->zone, sq->zonelen, sq->qtype,
|
||||
roundtime, sq->last_rtt, (time_t)now.tv_sec))
|
||||
@ -1863,18 +1868,26 @@ serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff)
|
||||
static int
|
||||
serviced_tcp_send(struct serviced_query* sq, sldns_buffer* buff)
|
||||
{
|
||||
int vs, rtt;
|
||||
int vs, rtt, timeout;
|
||||
uint8_t edns_lame_known;
|
||||
if(!infra_host(sq->outnet->infra, &sq->addr, sq->addrlen, sq->zone,
|
||||
sq->zonelen, *sq->outnet->now_secs, &vs, &edns_lame_known,
|
||||
&rtt))
|
||||
return 0;
|
||||
sq->last_rtt = rtt;
|
||||
if(vs != -1)
|
||||
sq->status = serviced_query_TCP_EDNS;
|
||||
else sq->status = serviced_query_TCP;
|
||||
serviced_encode(sq, buff, sq->status == serviced_query_TCP_EDNS);
|
||||
sq->last_sent_time = *sq->outnet->now_tv;
|
||||
sq->pending = pending_tcp_query(sq, buff, TCP_AUTH_QUERY_TIMEOUT,
|
||||
if(sq->tcp_upstream || sq->ssl_upstream) {
|
||||
timeout = rtt;
|
||||
if(rtt >= 376 && rtt < TCP_AUTH_QUERY_TIMEOUT)
|
||||
timeout = TCP_AUTH_QUERY_TIMEOUT;
|
||||
} else {
|
||||
timeout = TCP_AUTH_QUERY_TIMEOUT;
|
||||
}
|
||||
sq->pending = pending_tcp_query(sq, buff, timeout,
|
||||
serviced_tcp_callback, sq);
|
||||
return sq->pending != NULL;
|
||||
}
|
||||
|
@ -376,7 +376,7 @@ struct serviced_query {
|
||||
int retry;
|
||||
/** time last UDP was sent */
|
||||
struct timeval last_sent_time;
|
||||
/** rtt of last (UDP) message */
|
||||
/** rtt of last message */
|
||||
int last_rtt;
|
||||
/** do we know edns probe status already, for UDP_EDNS queries */
|
||||
int edns_lame_known;
|
||||
@ -456,7 +456,7 @@ struct pending* pending_udp_query(struct serviced_query* sq,
|
||||
* checks id.
|
||||
* @param sq: serviced query.
|
||||
* @param packet: wireformat query to send to destination. copied from.
|
||||
* @param timeout: in seconds from now.
|
||||
* @param timeout: in milliseconds from now.
|
||||
* Timer starts running now. Timer may expire if all buffers are used,
|
||||
* without any query been sent to the server yet.
|
||||
* @param callback: function to call on error, timeout or reply.
|
||||
|
@ -66,6 +66,14 @@
|
||||
/* nss3 */
|
||||
#include "nss.h"
|
||||
#endif
|
||||
#ifdef HAVE_SSL
|
||||
#ifdef HAVE_OPENSSL_SSL_H
|
||||
#include <openssl/ssl.h>
|
||||
#endif
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
#endif /* HAVE_SSL */
|
||||
|
||||
/** verbosity for unbound-host app */
|
||||
static int verb = 0;
|
||||
@ -487,6 +495,26 @@ int main(int argc, char* argv[])
|
||||
if(argc != 1)
|
||||
usage();
|
||||
|
||||
#ifdef HAVE_SSL
|
||||
#ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
|
||||
ERR_load_crypto_strings();
|
||||
#endif
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
|
||||
ERR_load_SSL_strings();
|
||||
#endif
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
|
||||
OpenSSL_add_all_algorithms();
|
||||
#else
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
|
||||
| OPENSSL_INIT_ADD_ALL_DIGESTS
|
||||
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
|
||||
#endif
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
|
||||
(void)SSL_library_init();
|
||||
#else
|
||||
(void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
|
||||
#endif
|
||||
#endif /* HAVE_SSL */
|
||||
#ifdef HAVE_NSS
|
||||
if(NSS_NoDB_Init(".") != SECSuccess) {
|
||||
fprintf(stderr, "could not init NSS\n");
|
||||
|
@ -126,10 +126,40 @@ alloc_init(struct alloc_cache* alloc, struct alloc_cache* super,
|
||||
}
|
||||
}
|
||||
|
||||
/** free the special list */
|
||||
static void
|
||||
alloc_clear_special_list(struct alloc_cache* alloc)
|
||||
{
|
||||
alloc_special_type* p, *np;
|
||||
/* free */
|
||||
p = alloc->quar;
|
||||
while(p) {
|
||||
np = alloc_special_next(p);
|
||||
/* deinit special type */
|
||||
lock_rw_destroy(&p->entry.lock);
|
||||
free(p);
|
||||
p = np;
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
alloc_clear_special(struct alloc_cache* alloc)
|
||||
{
|
||||
if(!alloc->super) {
|
||||
lock_quick_lock(&alloc->lock);
|
||||
}
|
||||
alloc_clear_special_list(alloc);
|
||||
alloc->quar = 0;
|
||||
alloc->num_quar = 0;
|
||||
if(!alloc->super) {
|
||||
lock_quick_unlock(&alloc->lock);
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
alloc_clear(struct alloc_cache* alloc)
|
||||
{
|
||||
alloc_special_type* p, *np;
|
||||
alloc_special_type* p;
|
||||
struct regional* r, *nr;
|
||||
if(!alloc)
|
||||
return;
|
||||
@ -147,15 +177,7 @@ alloc_clear(struct alloc_cache* alloc)
|
||||
alloc->super->num_quar += alloc->num_quar;
|
||||
lock_quick_unlock(&alloc->super->lock);
|
||||
} else {
|
||||
/* free */
|
||||
p = alloc->quar;
|
||||
while(p) {
|
||||
np = alloc_special_next(p);
|
||||
/* deinit special type */
|
||||
lock_rw_destroy(&p->entry.lock);
|
||||
free(p);
|
||||
p = np;
|
||||
}
|
||||
alloc_clear_special_list(alloc);
|
||||
}
|
||||
alloc->quar = 0;
|
||||
alloc->num_quar = 0;
|
||||
|
@ -115,6 +115,14 @@ void alloc_init(struct alloc_cache* alloc, struct alloc_cache* super,
|
||||
*/
|
||||
void alloc_clear(struct alloc_cache* alloc);
|
||||
|
||||
/**
|
||||
* Free the special alloced items. The rrset and message caches must be
|
||||
* empty, there must be no more references to rrset pointers into the
|
||||
* rrset cache.
|
||||
* @param alloc: the special allocs are freed.
|
||||
*/
|
||||
void alloc_clear_special(struct alloc_cache* alloc);
|
||||
|
||||
/**
|
||||
* Get a new special_type element.
|
||||
* @param alloc: where to alloc it.
|
||||
|
@ -109,6 +109,7 @@ config_create(void)
|
||||
cfg->ssl_port = UNBOUND_DNS_OVER_TLS_PORT;
|
||||
cfg->ssl_upstream = 0;
|
||||
cfg->tls_cert_bundle = NULL;
|
||||
cfg->tls_win_cert = 0;
|
||||
cfg->use_syslog = 1;
|
||||
cfg->log_identity = NULL; /* changed later with argv[0] */
|
||||
cfg->log_time_ascii = 0;
|
||||
@ -161,7 +162,7 @@ config_create(void)
|
||||
if(!(cfg->logfile = strdup(""))) goto error_exit;
|
||||
if(!(cfg->pidfile = strdup(PIDFILE))) goto error_exit;
|
||||
if(!(cfg->target_fetch_policy = strdup("3 2 1 0 0"))) goto error_exit;
|
||||
cfg->low_rtt_pct = 0;
|
||||
cfg->low_rtt_permil = 0;
|
||||
cfg->low_rtt = 45;
|
||||
cfg->donotqueryaddrs = NULL;
|
||||
cfg->donotquery_localhost = 1;
|
||||
@ -280,7 +281,7 @@ config_create(void)
|
||||
cfg->ratelimit_below_domain = NULL;
|
||||
cfg->ip_ratelimit_factor = 10;
|
||||
cfg->ratelimit_factor = 10;
|
||||
cfg->qname_minimisation = 0;
|
||||
cfg->qname_minimisation = 1;
|
||||
cfg->qname_minimisation_strict = 0;
|
||||
cfg->shm_enable = 0;
|
||||
cfg->shm_key = 11777;
|
||||
@ -455,7 +456,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_STR("ssl-service-pem:", ssl_service_pem)
|
||||
else S_NUMBER_NONZERO("ssl-port:", ssl_port)
|
||||
else S_STR("tls-cert-bundle:", tls_cert_bundle)
|
||||
else S_STRLIST("additional-tls-port:", additional_tls_port)
|
||||
else S_YNO("tls-win-cert:", tls_win_cert)
|
||||
else S_STRLIST("additional-tls-port:", tls_additional_ports)
|
||||
else S_STRLIST("tls-additional-ports:", tls_additional_ports)
|
||||
else S_YNO("interface-automatic:", if_automatic)
|
||||
else S_YNO("use-systemd:", use_systemd)
|
||||
else S_YNO("do-daemonize:", do_daemonize)
|
||||
@ -618,7 +621,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_NUMBER_OR_ZERO("ip-ratelimit-factor:", ip_ratelimit_factor)
|
||||
else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
|
||||
else S_NUMBER_OR_ZERO("low-rtt:", low_rtt)
|
||||
else S_NUMBER_OR_ZERO("low-rtt-pct:", low_rtt_pct)
|
||||
else S_NUMBER_OR_ZERO("low-rtt-pct:", low_rtt_permil)
|
||||
else S_NUMBER_OR_ZERO("low-rtt-permil:", low_rtt_permil)
|
||||
else S_YNO("qname-minimisation:", qname_minimisation)
|
||||
else S_YNO("qname-minimisation-strict:", qname_minimisation_strict)
|
||||
#ifdef USE_IPSECMOD
|
||||
@ -874,7 +878,8 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_STR(opt, "ssl-service-pem", ssl_service_pem)
|
||||
else O_DEC(opt, "ssl-port", ssl_port)
|
||||
else O_STR(opt, "tls-cert-bundle", tls_cert_bundle)
|
||||
else O_LST(opt, "additional-tls-port", additional_tls_port)
|
||||
else O_YNO(opt, "tls-win-cert", tls_win_cert)
|
||||
else O_LST(opt, "tls-additional-ports", tls_additional_ports)
|
||||
else O_YNO(opt, "use-systemd", use_systemd)
|
||||
else O_YNO(opt, "do-daemonize", do_daemonize)
|
||||
else O_STR(opt, "chroot", chrootdir)
|
||||
@ -1001,7 +1006,8 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_DEC(opt, "ip-ratelimit-factor", ip_ratelimit_factor)
|
||||
else O_DEC(opt, "ratelimit-factor", ratelimit_factor)
|
||||
else O_DEC(opt, "low-rtt", low_rtt)
|
||||
else O_DEC(opt, "low-rtt-pct", low_rtt_pct)
|
||||
else O_DEC(opt, "low-rtt-pct", low_rtt_permil)
|
||||
else O_DEC(opt, "low-rtt-permil", low_rtt_permil)
|
||||
else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
|
||||
else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
|
||||
else O_YNO(opt, "qname-minimisation", qname_minimisation)
|
||||
@ -1297,7 +1303,7 @@ config_delete(struct config_file* cfg)
|
||||
free(cfg->ssl_service_key);
|
||||
free(cfg->ssl_service_pem);
|
||||
free(cfg->tls_cert_bundle);
|
||||
config_delstrlist(cfg->additional_tls_port);
|
||||
config_delstrlist(cfg->tls_additional_ports);
|
||||
free(cfg->log_identity);
|
||||
config_del_strarray(cfg->ifs, cfg->num_ifs);
|
||||
config_del_strarray(cfg->out_ifs, cfg->num_out_ifs);
|
||||
|
@ -102,8 +102,10 @@ struct config_file {
|
||||
int ssl_upstream;
|
||||
/** cert bundle for outgoing connections */
|
||||
char* tls_cert_bundle;
|
||||
/** should the system certificate store get added to the cert bundle */
|
||||
int tls_win_cert;
|
||||
/** additional tls ports */
|
||||
struct config_strlist* additional_tls_port;
|
||||
struct config_strlist* tls_additional_ports;
|
||||
|
||||
/** outgoing port range number of ports (per thread) */
|
||||
int outgoing_num_ports;
|
||||
@ -144,7 +146,7 @@ struct config_file {
|
||||
/** the target fetch policy for the iterator */
|
||||
char* target_fetch_policy;
|
||||
/** percent*10, how many times in 1000 to pick low rtt destinations */
|
||||
int low_rtt_pct;
|
||||
int low_rtt_permil;
|
||||
/** what time in msec is a low rtt destination */
|
||||
int low_rtt;
|
||||
|
||||
|
@ -239,8 +239,10 @@ ssl-port{COLON} { YDVAR(1, VAR_SSL_PORT) }
|
||||
tls-port{COLON} { YDVAR(1, VAR_SSL_PORT) }
|
||||
ssl-cert-bundle{COLON} { YDVAR(1, VAR_TLS_CERT_BUNDLE) }
|
||||
tls-cert-bundle{COLON} { YDVAR(1, VAR_TLS_CERT_BUNDLE) }
|
||||
additional-ssl-port{COLON} { YDVAR(1, VAR_ADDITIONAL_TLS_PORT) }
|
||||
additional-tls-port{COLON} { YDVAR(1, VAR_ADDITIONAL_TLS_PORT) }
|
||||
tls-win-cert{COLON} { YDVAR(1, VAR_TLS_WIN_CERT) }
|
||||
additional-ssl-port{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORTS) }
|
||||
additional-tls-port{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORTS) }
|
||||
tls-additional-ports{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORTS) }
|
||||
use-systemd{COLON} { YDVAR(1, VAR_USE_SYSTEMD) }
|
||||
do-daemonize{COLON} { YDVAR(1, VAR_DO_DAEMONIZE) }
|
||||
interface{COLON} { YDVAR(1, VAR_INTERFACE) }
|
||||
@ -429,7 +431,8 @@ ratelimit-below-domain{COLON} { YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) }
|
||||
ip-ratelimit-factor{COLON} { YDVAR(1, VAR_IP_RATELIMIT_FACTOR) }
|
||||
ratelimit-factor{COLON} { YDVAR(1, VAR_RATELIMIT_FACTOR) }
|
||||
low-rtt{COLON} { YDVAR(1, VAR_LOW_RTT) }
|
||||
low-rtt-pct{COLON} { YDVAR(1, VAR_LOW_RTT_PCT) }
|
||||
low-rtt-pct{COLON} { YDVAR(1, VAR_LOW_RTT_PERMIL) }
|
||||
low-rtt-permil{COLON} { YDVAR(1, VAR_LOW_RTT_PERMIL) }
|
||||
response-ip-tag{COLON} { YDVAR(2, VAR_RESPONSE_IP_TAG) }
|
||||
response-ip{COLON} { YDVAR(2, VAR_RESPONSE_IP) }
|
||||
response-ip-data{COLON} { YDVAR(2, VAR_RESPONSE_IP_DATA) }
|
||||
|
@ -156,8 +156,8 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_CACHEDB_REDISHOST VAR_CACHEDB_REDISPORT VAR_CACHEDB_REDISTIMEOUT
|
||||
%token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM VAR_FOR_UPSTREAM
|
||||
%token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM
|
||||
%token VAR_FALLBACK_ENABLED VAR_ADDITIONAL_TLS_PORT VAR_LOW_RTT VAR_LOW_RTT_PCT
|
||||
%token VAR_ALLOW_NOTIFY
|
||||
%token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORTS VAR_LOW_RTT VAR_LOW_RTT_PERMIL
|
||||
%token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT
|
||||
|
||||
%%
|
||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||
@ -248,8 +248,8 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_ipsecmod_ignore_bogus | server_ipsecmod_max_ttl |
|
||||
server_ipsecmod_whitelist | server_ipsecmod_strict |
|
||||
server_udp_upstream_without_downstream | server_aggressive_nsec |
|
||||
server_tls_cert_bundle | server_additional_tls_port | server_low_rtt |
|
||||
server_low_rtt_pct
|
||||
server_tls_cert_bundle | server_tls_additional_ports | server_low_rtt |
|
||||
server_low_rtt_permil | server_tls_win_cert
|
||||
;
|
||||
stubstart: VAR_STUB_ZONE
|
||||
{
|
||||
@ -688,10 +688,19 @@ server_tls_cert_bundle: VAR_TLS_CERT_BUNDLE STRING_ARG
|
||||
cfg_parser->cfg->tls_cert_bundle = $2;
|
||||
}
|
||||
;
|
||||
server_additional_tls_port: VAR_ADDITIONAL_TLS_PORT STRING_ARG
|
||||
server_tls_win_cert: VAR_TLS_WIN_CERT STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_additional_tls_port:%s)\n", $2));
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->additional_tls_port,
|
||||
OUTYY(("P(server_tls_win_cert:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->tls_win_cert = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_tls_additional_ports: VAR_TLS_ADDITIONAL_PORTS STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_tls_additional_ports:%s)\n", $2));
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->tls_additional_ports,
|
||||
$2))
|
||||
yyerror("out of memory");
|
||||
}
|
||||
@ -1305,11 +1314,12 @@ server_access_control: VAR_ACCESS_CONTROL STRING_ARG STRING_ARG
|
||||
if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 &&
|
||||
strcmp($3, "deny_non_local")!=0 &&
|
||||
strcmp($3, "refuse_non_local")!=0 &&
|
||||
strcmp($3, "allow_setrd")!=0 &&
|
||||
strcmp($3, "allow")!=0 &&
|
||||
strcmp($3, "allow_snoop")!=0) {
|
||||
yyerror("expected deny, refuse, deny_non_local, "
|
||||
"refuse_non_local, allow or allow_snoop "
|
||||
"in access control action");
|
||||
"refuse_non_local, allow, allow_setrd or "
|
||||
"allow_snoop in access control action");
|
||||
} else {
|
||||
if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3))
|
||||
fatal_exit("out of memory adding acl");
|
||||
@ -1885,12 +1895,12 @@ server_low_rtt: VAR_LOW_RTT STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_low_rtt_pct: VAR_LOW_RTT_PCT STRING_ARG
|
||||
server_low_rtt_permil: VAR_LOW_RTT_PERMIL STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_low_rtt_pct:%s)\n", $2));
|
||||
OUTYY(("P(server_low_rtt_permil:%s)\n", $2));
|
||||
if(atoi($2) == 0 && strcmp($2, "0") != 0)
|
||||
yyerror("number expected");
|
||||
else cfg_parser->cfg->low_rtt_pct = atoi($2);
|
||||
else cfg_parser->cfg->low_rtt_permil = atoi($2);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
|
@ -52,6 +52,9 @@
|
||||
#ifdef HAVE_OPENSSL_ERR_H
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
#ifdef USE_WINSOCK
|
||||
#include <wincrypt.h>
|
||||
#endif
|
||||
|
||||
/** max length of an IP address (the address portion) that we allow */
|
||||
#define MAX_ADDR_STRLEN 128 /* characters */
|
||||
@ -796,7 +799,97 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
|
||||
#endif
|
||||
}
|
||||
|
||||
void* connect_sslctx_create(char* key, char* pem, char* verifypem)
|
||||
#ifdef USE_WINSOCK
|
||||
/* For windows, the CA trust store is not read by openssl.
|
||||
Add code to open the trust store using wincrypt API and add
|
||||
the root certs into openssl trust store */
|
||||
static int
|
||||
add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
|
||||
{
|
||||
HCERTSTORE hSystemStore;
|
||||
PCCERT_CONTEXT pTargetCert = NULL;
|
||||
X509_STORE* store;
|
||||
|
||||
verbose(VERB_ALGO, "Adding Windows certificates from system root store to CA store");
|
||||
|
||||
/* load just once per context lifetime for this version
|
||||
TODO: dynamically update CA trust changes as they are available */
|
||||
if (!tls_ctx)
|
||||
return 0;
|
||||
|
||||
/* Call wincrypt's CertOpenStore to open the CA root store. */
|
||||
|
||||
if ((hSystemStore = CertOpenStore(
|
||||
CERT_STORE_PROV_SYSTEM,
|
||||
0,
|
||||
0,
|
||||
/* NOTE: mingw does not have this const: replace with 1 << 16 from code
|
||||
CERT_SYSTEM_STORE_CURRENT_USER, */
|
||||
1 << 16,
|
||||
L"root")) == 0)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
store = SSL_CTX_get_cert_store(tls_ctx);
|
||||
if (!store)
|
||||
return 0;
|
||||
|
||||
/* failure if the CA store is empty or the call fails */
|
||||
if ((pTargetCert = CertEnumCertificatesInStore(
|
||||
hSystemStore, pTargetCert)) == 0) {
|
||||
verbose(VERB_ALGO, "CA certificate store for Windows is empty.");
|
||||
return 0;
|
||||
}
|
||||
/* iterate over the windows cert store and add to openssl store */
|
||||
do
|
||||
{
|
||||
X509 *cert1 = d2i_X509(NULL,
|
||||
(const unsigned char **)&pTargetCert->pbCertEncoded,
|
||||
pTargetCert->cbCertEncoded);
|
||||
if (!cert1) {
|
||||
/* return error if a cert fails */
|
||||
verbose(VERB_ALGO, "%s %d:%s",
|
||||
"Unable to parse certificate in memory",
|
||||
(int)ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
|
||||
return 0;
|
||||
}
|
||||
else {
|
||||
/* return error if a cert add to store fails */
|
||||
if (X509_STORE_add_cert(store, cert1) == 0) {
|
||||
unsigned long error = ERR_peek_last_error();
|
||||
|
||||
/* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
|
||||
* certificate is already in the store. */
|
||||
if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
|
||||
ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
|
||||
verbose(VERB_ALGO, "%s %d:%s\n",
|
||||
"Error adding certificate", (int)ERR_get_error(),
|
||||
ERR_error_string(ERR_get_error(), NULL));
|
||||
X509_free(cert1);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
X509_free(cert1);
|
||||
}
|
||||
} while ((pTargetCert = CertEnumCertificatesInStore(
|
||||
hSystemStore, pTargetCert)) != 0);
|
||||
|
||||
/* Clean up memory and quit. */
|
||||
if (pTargetCert)
|
||||
CertFreeCertificateContext(pTargetCert);
|
||||
if (hSystemStore)
|
||||
{
|
||||
if (!CertCloseStore(
|
||||
hSystemStore, 0))
|
||||
return 0;
|
||||
}
|
||||
verbose(VERB_ALGO, "Completed adding Windows certificates to CA store successfully");
|
||||
return 1;
|
||||
}
|
||||
#endif /* USE_WINSOCK */
|
||||
|
||||
void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
|
||||
{
|
||||
#ifdef HAVE_SSL
|
||||
SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
|
||||
@ -836,17 +929,30 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
if(verifypem && verifypem[0]) {
|
||||
if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
|
||||
log_crypto_err("error in SSL_CTX verify");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
if((verifypem && verifypem[0]) || wincert) {
|
||||
if(verifypem && verifypem[0]) {
|
||||
if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
|
||||
log_crypto_err("error in SSL_CTX verify");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
#ifdef USE_WINSOCK
|
||||
if(wincert) {
|
||||
if(!add_WIN_cacerts_to_openssl_store(ctx)) {
|
||||
log_crypto_err("error in add_WIN_cacerts_to_openssl_store");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
#else
|
||||
(void)wincert;
|
||||
#endif
|
||||
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
|
||||
}
|
||||
return ctx;
|
||||
#else
|
||||
(void)key; (void)pem; (void)verifypem;
|
||||
(void)key; (void)pem; (void)verifypem; (void)wincert;
|
||||
return NULL;
|
||||
#endif
|
||||
}
|
||||
|
@ -73,10 +73,10 @@ struct regional;
|
||||
/** set RCODE bits in uint16 flags */
|
||||
#define FLAGS_SET_RCODE(f, r) (f = (((f) & 0xfff0) | (r)))
|
||||
|
||||
/** timeout in seconds for UDP queries to auth servers. */
|
||||
#define UDP_AUTH_QUERY_TIMEOUT 4
|
||||
/** timeout in seconds for TCP queries to auth servers. */
|
||||
#define TCP_AUTH_QUERY_TIMEOUT 30
|
||||
/** timeout in milliseconds for UDP queries to auth servers. */
|
||||
#define UDP_AUTH_QUERY_TIMEOUT 3000
|
||||
/** timeout in milliseconds for TCP queries to auth servers. */
|
||||
#define TCP_AUTH_QUERY_TIMEOUT 3000
|
||||
/** Advertised version of EDNS capabilities */
|
||||
#define EDNS_ADVERTISED_VERSION 0
|
||||
/** Advertised size of EDNS capabilities */
|
||||
@ -395,9 +395,11 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem);
|
||||
* @param key: if nonNULL (also pem nonNULL), the client private key.
|
||||
* @param pem: client public key (or NULL if key is NULL).
|
||||
* @param verifypem: if nonNULL used for verifylocation file.
|
||||
* @param wincert: add system certificate store to ctx (add to verifypem ca
|
||||
* certs).
|
||||
* @return SSL_CTX* or NULL on failure (logged).
|
||||
*/
|
||||
void* connect_sslctx_create(char* key, char* pem, char* verifypem);
|
||||
void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert);
|
||||
|
||||
/**
|
||||
* accept a new fd and wrap it in a BIO in SSL
|
||||
|
@ -764,7 +764,12 @@ int comm_point_perform_accept(struct comm_point* c,
|
||||
{
|
||||
int new_fd;
|
||||
*addrlen = (socklen_t)sizeof(*addr);
|
||||
#ifndef HAVE_ACCEPT4
|
||||
new_fd = accept(c->fd, (struct sockaddr*)addr, addrlen);
|
||||
#else
|
||||
/* SOCK_NONBLOCK saves extra calls to fcntl for the same result */
|
||||
new_fd = accept4(c->fd, (struct sockaddr*)addr, addrlen, SOCK_NONBLOCK);
|
||||
#endif
|
||||
if(new_fd == -1) {
|
||||
#ifndef USE_WINSOCK
|
||||
/* EINTR is signal interrupt. others are closed connection. */
|
||||
@ -827,7 +832,9 @@ int comm_point_perform_accept(struct comm_point* c,
|
||||
#endif
|
||||
return -1;
|
||||
}
|
||||
#ifndef HAVE_ACCEPT4
|
||||
fd_set_nonblock(new_fd);
|
||||
#endif
|
||||
return new_fd;
|
||||
}
|
||||
|
||||
@ -835,20 +842,21 @@ int comm_point_perform_accept(struct comm_point* c,
|
||||
static long win_bio_cb(BIO *b, int oper, const char* ATTR_UNUSED(argp),
|
||||
int ATTR_UNUSED(argi), long argl, long retvalue)
|
||||
{
|
||||
int wsa_err = WSAGetLastError(); /* store errcode before it is gone */
|
||||
verbose(VERB_ALGO, "bio_cb %d, %s %s %s", oper,
|
||||
(oper&BIO_CB_RETURN)?"return":"before",
|
||||
(oper&BIO_CB_READ)?"read":((oper&BIO_CB_WRITE)?"write":"other"),
|
||||
WSAGetLastError()==WSAEWOULDBLOCK?"wsawb":"");
|
||||
wsa_err==WSAEWOULDBLOCK?"wsawb":"");
|
||||
/* on windows, check if previous operation caused EWOULDBLOCK */
|
||||
if( (oper == (BIO_CB_READ|BIO_CB_RETURN) && argl == 0) ||
|
||||
(oper == (BIO_CB_GETS|BIO_CB_RETURN) && argl == 0)) {
|
||||
if(WSAGetLastError() == WSAEWOULDBLOCK)
|
||||
if(wsa_err == WSAEWOULDBLOCK)
|
||||
ub_winsock_tcp_wouldblock((struct ub_event*)
|
||||
BIO_get_callback_arg(b), UB_EV_READ);
|
||||
}
|
||||
if( (oper == (BIO_CB_WRITE|BIO_CB_RETURN) && argl == 0) ||
|
||||
(oper == (BIO_CB_PUTS|BIO_CB_RETURN) && argl == 0)) {
|
||||
if(WSAGetLastError() == WSAEWOULDBLOCK)
|
||||
if(wsa_err == WSAEWOULDBLOCK)
|
||||
ub_winsock_tcp_wouldblock((struct ub_event*)
|
||||
BIO_get_callback_arg(b), UB_EV_WRITE);
|
||||
}
|
||||
@ -1128,6 +1136,7 @@ ssl_handle_read(struct comm_point* c)
|
||||
if(want == SSL_ERROR_ZERO_RETURN) {
|
||||
return 0; /* shutdown, closed */
|
||||
} else if(want == SSL_ERROR_WANT_READ) {
|
||||
ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ);
|
||||
return 1; /* read more later */
|
||||
} else if(want == SSL_ERROR_WANT_WRITE) {
|
||||
c->ssl_shake_state = comm_ssl_shake_hs_write;
|
||||
@ -1143,7 +1152,7 @@ ssl_handle_read(struct comm_point* c)
|
||||
return 0;
|
||||
}
|
||||
c->tcp_byte_count += r;
|
||||
if(c->tcp_byte_count != sizeof(uint16_t))
|
||||
if(c->tcp_byte_count < sizeof(uint16_t))
|
||||
return 1;
|
||||
if(sldns_buffer_read_u16_at(c->buffer, 0) >
|
||||
sldns_buffer_capacity(c->buffer)) {
|
||||
@ -1156,33 +1165,36 @@ ssl_handle_read(struct comm_point* c)
|
||||
verbose(VERB_QUERY, "ssl: dropped bogus too short.");
|
||||
return 0;
|
||||
}
|
||||
sldns_buffer_skip(c->buffer, (ssize_t)(c->tcp_byte_count-sizeof(uint16_t)));
|
||||
verbose(VERB_ALGO, "Reading ssl tcp query of length %d",
|
||||
(int)sldns_buffer_limit(c->buffer));
|
||||
}
|
||||
log_assert(sldns_buffer_remaining(c->buffer) > 0);
|
||||
ERR_clear_error();
|
||||
r = SSL_read(c->ssl, (void*)sldns_buffer_current(c->buffer),
|
||||
(int)sldns_buffer_remaining(c->buffer));
|
||||
if(r <= 0) {
|
||||
int want = SSL_get_error(c->ssl, r);
|
||||
if(want == SSL_ERROR_ZERO_RETURN) {
|
||||
return 0; /* shutdown, closed */
|
||||
} else if(want == SSL_ERROR_WANT_READ) {
|
||||
return 1; /* read more later */
|
||||
} else if(want == SSL_ERROR_WANT_WRITE) {
|
||||
c->ssl_shake_state = comm_ssl_shake_hs_write;
|
||||
comm_point_listen_for_rw(c, 0, 1);
|
||||
return 1;
|
||||
} else if(want == SSL_ERROR_SYSCALL) {
|
||||
if(errno != 0)
|
||||
log_err("SSL_read syscall: %s",
|
||||
strerror(errno));
|
||||
if(sldns_buffer_remaining(c->buffer) > 0) {
|
||||
ERR_clear_error();
|
||||
r = SSL_read(c->ssl, (void*)sldns_buffer_current(c->buffer),
|
||||
(int)sldns_buffer_remaining(c->buffer));
|
||||
if(r <= 0) {
|
||||
int want = SSL_get_error(c->ssl, r);
|
||||
if(want == SSL_ERROR_ZERO_RETURN) {
|
||||
return 0; /* shutdown, closed */
|
||||
} else if(want == SSL_ERROR_WANT_READ) {
|
||||
ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ);
|
||||
return 1; /* read more later */
|
||||
} else if(want == SSL_ERROR_WANT_WRITE) {
|
||||
c->ssl_shake_state = comm_ssl_shake_hs_write;
|
||||
comm_point_listen_for_rw(c, 0, 1);
|
||||
return 1;
|
||||
} else if(want == SSL_ERROR_SYSCALL) {
|
||||
if(errno != 0)
|
||||
log_err("SSL_read syscall: %s",
|
||||
strerror(errno));
|
||||
return 0;
|
||||
}
|
||||
log_crypto_err("could not SSL_read");
|
||||
return 0;
|
||||
}
|
||||
log_crypto_err("could not SSL_read");
|
||||
return 0;
|
||||
sldns_buffer_skip(c->buffer, (ssize_t)r);
|
||||
}
|
||||
sldns_buffer_skip(c->buffer, (ssize_t)r);
|
||||
if(sldns_buffer_remaining(c->buffer) <= 0) {
|
||||
tcp_callback_reader(c);
|
||||
}
|
||||
@ -1237,6 +1249,7 @@ ssl_handle_write(struct comm_point* c)
|
||||
comm_point_listen_for_rw(c, 1, 0);
|
||||
return 1; /* wait for read condition */
|
||||
} else if(want == SSL_ERROR_WANT_WRITE) {
|
||||
ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE);
|
||||
return 1; /* write more later */
|
||||
} else if(want == SSL_ERROR_SYSCALL) {
|
||||
if(errno != 0)
|
||||
@ -1270,6 +1283,7 @@ ssl_handle_write(struct comm_point* c)
|
||||
comm_point_listen_for_rw(c, 1, 0);
|
||||
return 1; /* wait for read condition */
|
||||
} else if(want == SSL_ERROR_WANT_WRITE) {
|
||||
ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE);
|
||||
return 1; /* write more later */
|
||||
} else if(want == SSL_ERROR_SYSCALL) {
|
||||
if(errno != 0)
|
||||
@ -2887,12 +2901,18 @@ comm_point_close(struct comm_point* c)
|
||||
{
|
||||
if(!c)
|
||||
return;
|
||||
if(c->fd != -1)
|
||||
if(c->fd != -1) {
|
||||
if(ub_event_del(c->ev->ev) != 0) {
|
||||
log_err("could not event_del on close");
|
||||
}
|
||||
}
|
||||
/* close fd after removing from event lists, or epoll.. is messed up */
|
||||
if(c->fd != -1 && !c->do_not_close) {
|
||||
if(c->type == comm_tcp || c->type == comm_http) {
|
||||
/* delete sticky events for the fd, it gets closed */
|
||||
ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ);
|
||||
ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE);
|
||||
}
|
||||
verbose(VERB_ALGO, "close fd %d", c->fd);
|
||||
#ifndef USE_WINSOCK
|
||||
close(c->fd);
|
||||
|
@ -22,12 +22,12 @@ SRCS= alloc.c as112.c authzone.c autotrust.c cachedb.c config_file.c \
|
||||
listen_dnsport.c localzone.c locks.c log.c lookup3.c lruhash.c \
|
||||
mesh.c mini_event.c modstack.c module.c msgencode.c msgparse.c \
|
||||
msgreply.c net_help.c netevent.c outbound_list.c outside_network.c \
|
||||
packed_rrset.c parse.c parseutil.c random.c rbtree.c regional.c \
|
||||
respip.c rrdef.c rrset.c rtt.c sbuffer.c slabhash.c str2wire.c \
|
||||
timehist.c tube.c ub_event_pluggable.c val_anchor.c val_kcache.c \
|
||||
val_kentry.c val_neg.c val_nsec.c val_nsec3.c val_secalgo.c \
|
||||
val_sigcrypt.c val_utils.c validator.c view.c winsock_event.c \
|
||||
wire2str.c
|
||||
packed_rrset.c parse.c parseutil.c random.c rbtree.c redis.c \
|
||||
regional.c respip.c rrdef.c rrset.c rtt.c sbuffer.c slabhash.c \
|
||||
str2wire.c timehist.c tube.c ub_event_pluggable.c val_anchor.c \
|
||||
val_kcache.c val_kentry.c val_neg.c val_nsec.c val_nsec3.c \
|
||||
val_secalgo.c val_sigcrypt.c val_utils.c validator.c view.c \
|
||||
winsock_event.c wire2str.c
|
||||
|
||||
WARNS?= 3
|
||||
NO_WTHREAD_SAFETY= true
|
||||
|
Loading…
Reference in New Issue
Block a user