diff options
| author | des <des@FreeBSD.org> | 2015-12-04 13:26:12 +0000 |
|---|---|---|
| committer | des <des@FreeBSD.org> | 2015-12-04 13:26:12 +0000 |
| commit | 72c7e45913048bf7a7a9f4f898363ea802ba3ab7 (patch) | |
| tree | 658b312c2da2a4079aee851908bd5b4bd805ab2b /contrib/unbound | |
| parent | fc230dcf447eb45f054aa940c35313f825b926df (diff) | |
| download | FreeBSD-src-72c7e45913048bf7a7a9f4f898363ea802ba3ab7.zip FreeBSD-src-72c7e45913048bf7a7a9f4f898363ea802ba3ab7.tar.gz | |
MFH (r287917, r287918, r289063): upgrade to latest Unbound
MFH (r283301, r289592, r291582): rc script improvements
MFH (r287880): respect manually configured forwarders when using DHCP
MFH (r289321): deconfuse man page
PR: 184047 203580 204931
Diffstat (limited to 'contrib/unbound')
121 files changed, 2923 insertions, 607 deletions
diff --git a/contrib/unbound/Makefile.in b/contrib/unbound/Makefile.in index 0c7e0c6..20829d8 100644 --- a/contrib/unbound/Makefile.in +++ b/contrib/unbound/Makefile.in @@ -25,6 +25,7 @@ DNSTAP_SRC=@DNSTAP_SRC@ DNSTAP_OBJ=@DNSTAP_OBJ@ WITH_PYTHONMODULE=@WITH_PYTHONMODULE@ WITH_PYUNBOUND=@WITH_PYUNBOUND@ +PY_MAJOR_VERSION=@PY_MAJOR_VERSION@ PYTHON_SITE_PKG=@PYTHON_SITE_PKG@ PYTHONMOD_INSTALL=@PYTHONMOD_INSTALL@ PYTHONMOD_UNINSTALL=@PYTHONMOD_UNINSTALL@ @@ -131,12 +132,12 @@ compat/memcmp.c compat/memmove.c compat/snprintf.c compat/strlcat.c \ compat/strlcpy.c compat/strptime.c compat/getentropy_linux.c \ compat/getentropy_osx.c compat/getentropy_solaris.c compat/getentropy_win.c \ compat/explicit_bzero.c compat/arc4random.c compat/arc4random_uniform.c \ -compat/arc4_lock.c compat/sha512.c +compat/arc4_lock.c compat/sha512.c compat/reallocarray.c COMPAT_OBJ=$(LIBOBJS:.o=.lo) COMPAT_OBJ_WITHOUT_CTIME=$(LIBOBJ_WITHOUT_CTIME:.o=.lo) COMPAT_OBJ_WITHOUT_CTIMEARC4=$(LIBOBJ_WITHOUT_CTIMEARC4:.o=.lo) -SLDNS_SRC=ldns/keyraw.c ldns/sbuffer.c ldns/wire2str.c ldns/parse.c \ -ldns/parseutil.c ldns/rrdef.c ldns/str2wire.c +SLDNS_SRC=sldns/keyraw.c sldns/sbuffer.c sldns/wire2str.c sldns/parse.c \ +sldns/parseutil.c sldns/rrdef.c sldns/str2wire.c SLDNS_OBJ=keyraw.lo sbuffer.lo wire2str.lo parse.lo parseutil.lo rrdef.lo \ str2wire.lo UNITTEST_SRC=testcode/unitanchor.c testcode/unitdname.c \ @@ -167,7 +168,7 @@ HOST_OBJ=unbound-host.lo HOST_OBJ_LINK=$(HOST_OBJ) $(SLDNS_OBJ) $(COMPAT_OBJ_WITHOUT_CTIMEARC4) @WIN_HOST_OBJ_LINK@ UBANCHOR_SRC=smallapp/unbound-anchor.c UBANCHOR_OBJ=unbound-anchor.lo -UBANCHOR_OBJ_LINK=$(UBANCHOR_OBJ) \ +UBANCHOR_OBJ_LINK=$(UBANCHOR_OBJ) parseutil.lo \ $(COMPAT_OBJ_WITHOUT_CTIME) @WIN_UBANCHOR_OBJ_LINK@ TESTBOUND_SRC=testcode/testbound.c testcode/testpkts.c \ daemon/worker.c daemon/acl_list.c daemon/daemon.c daemon/stats.c \ @@ -393,7 +394,7 @@ libunbound_wrap.lo libunbound_wrap.o: libunbound/python/libunbound_wrap.c \ unbound.h libunbound/python/libunbound_wrap.c: $(srcdir)/libunbound/python/libunbound.i unbound.h @-if test ! -d libunbound/python; then $(INSTALL) -d libunbound/python; fi - $(SWIG) -python -o $@ $(CPPFLAGS) $(srcdir)/libunbound/python/libunbound.i + $(SWIG) -python -o $@ $(CPPFLAGS) -DPY_MAJOR_VERSION=$(PY_MAJOR_VERSION) $(srcdir)/libunbound/python/libunbound.i # Pyunbound python unbound wrapper _unbound.la: libunbound_wrap.lo libunbound.la @@ -597,146 +598,151 @@ dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_de $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/ldns/sbuffer.h -infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/ldns/rrdef.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h +infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/rtt.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h dname.lo dname.o: $(srcdir)/util/data/dname.c config.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/storage/lookup3.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/storage/lookup3.h $(srcdir)/sldns/sbuffer.h msgencode.lo msgencode.o: $(srcdir)/util/data/msgencode.c config.h $(srcdir)/util/data/msgencode.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ + $(srcdir)/sldns/sbuffer.h msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/ldns/pkthdr.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/parseutil.h \ - $(srcdir)/ldns/wire2str.h + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h \ + $(srcdir)/sldns/wire2str.h msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/wire2str.h + $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \ - $(srcdir)/util/net_help.h $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/wire2str.h + $(srcdir)/util/net_help.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterator/iterator.h \ $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/iterator/iter_utils.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/iterator/iter_utils.h \ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_donotq.h \ $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_scrub.h $(srcdir)/iterator/iter_priv.h \ $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \ $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h $(srcdir)/ldns/wire2str.h \ - $(srcdir)/ldns/parseutil.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h $(srcdir)/util/random.h \ + $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \ $(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h iter_donotq.lo iter_donotq.o: $(srcdir)/iterator/iter_donotq.c config.h $(srcdir)/iterator/iter_donotq.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h iter_fwd.lo iter_fwd.o: $(srcdir)/iterator/iter_fwd.c config.h $(srcdir)/iterator/iter_fwd.h \ $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \ $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/str2wire.h + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h iter_hints.lo iter_hints.o: $(srcdir)/iterator/iter_hints.c config.h $(srcdir)/iterator/iter_hints.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/str2wire.h \ - $(srcdir)/ldns/wire2str.h + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/sldns/wire2str.h iter_priv.lo iter_priv.o: $(srcdir)/iterator/iter_priv.c config.h $(srcdir)/iterator/iter_priv.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/ldns/str2wire.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h iter_resptype.lo iter_resptype.o: $(srcdir)/iterator/iter_resptype.c config.h \ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/data/dname.h $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/pkthdr.h + $(srcdir)/util/data/dname.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h iter_scrub.lo iter_scrub.o: $(srcdir)/iterator/iter_scrub.c config.h $(srcdir)/iterator/iter_scrub.h \ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ $(srcdir)/iterator/iter_priv.h $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/util/alloc.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/util/alloc.h $(srcdir)/sldns/sbuffer.h iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/iterator/iter_utils.h \ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_donotq.h \ - $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_priv.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \ - $(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \ - $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/iterator/iter_hints.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h \ + $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_priv.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h \ + $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ + $(srcdir)/services/modstack.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_kcache.h \ + $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_sigcrypt.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h \ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/services/outside_network.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/net_help.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/util/net_help.h $(srcdir)/sldns/sbuffer.h localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/ldns/str2wire.h $(srcdir)/ldns/rrdef.h \ - $(srcdir)/ldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \ $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/outbound_list.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \ + $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/tube.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \ + $(srcdir)/validator/val_utils.h outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \ $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/netevent.h outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c config.h \ $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rtt.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \ - $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/ldns/sbuffer.h \ - $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/util/rtt.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \ alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/tube.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/util/log.h \ $(srcdir)/util/configyyrename.h $(srcdir)/util/config_file.h util/configparser.h \ $(srcdir)/util/net_help.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/modstack.h $(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/ldns/wire2str.h \ - $(srcdir)/ldns/parseutil.h $(srcdir)/util/iana_ports.inc + $(srcdir)/services/modstack.h $(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \ + $(srcdir)/util/iana_ports.inc configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \ $(srcdir)/util/config_file.h util/configparser.h configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \ @@ -744,46 +750,45 @@ configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/conf fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/tube.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \ $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \ - $(srcdir)/services/localzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ - $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/libunbound/libworker.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h $(srcdir)/ldns/sbuffer.h \ - $(srcdir)/util/config_file.h + $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \ + $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h -log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/ldns/sbuffer.h +log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/tube.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/netevent.h $(srcdir)/util/log.h \ $(srcdir)/util/net_help.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/ldns/sbuffer.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/dnstap/dnstap.h \ $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/ldns/parseutil.h \ - $(srcdir)/ldns/wire2str.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/sldns/parseutil.h \ + $(srcdir)/sldns/wire2str.h \ random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/tube.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h regional.lo regional.o: $(srcdir)/util/regional.c config.h $(srcdir)/util/log.h $(srcdir)/util/regional.h rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h @@ -794,7 +799,7 @@ lookup3.lo lookup3.o: $(srcdir)/util/storage/lookup3.c config.h $(srcdir)/util/s lruhash.lo lruhash.o: $(srcdir)/util/storage/lruhash.c config.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/module.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/modstack.h slabhash.lo slabhash.o: $(srcdir)/util/storage/slabhash.c config.h $(srcdir)/util/storage/slabhash.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h @@ -802,43 +807,44 @@ timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehi tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ $(srcdir)/util/netevent.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/services/mesh.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h \ $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_utils.h \ $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \ $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/services/modstack.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h \ - $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/wire2str.h $(srcdir)/ldns/str2wire.h $(srcdir)/ldns/keyraw.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \ val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/ldns/sbuffer.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/str2wire.h + $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \ - $(srcdir)/util/rbtree.h $(srcdir)/validator/val_kcache.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_nsec3.h \ - $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/autotrust.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/ldns/wire2str.h + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_kcache.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_nsec.h \ + $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_sigcrypt.h \ + $(srcdir)/validator/autotrust.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \ + $(srcdir)/sldns/wire2str.h val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/validator/val_kcache.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/validator/val_kentry.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/keyraw.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \ $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \ @@ -846,78 +852,78 @@ val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h \ $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/validator.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kentry.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kentry.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/validator/val_nsec.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/validator/val_nsec.h $(srcdir)/sldns/sbuffer.h val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/validator/val_nsec.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/validator/val_utils.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h + $(srcdir)/util/net_help.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/keyraw.h \ - $(srcdir)/ldns/sbuffer.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/sldns/sbuffer.h \ val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \ $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/ldns/keyraw.h \ - $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/parseutil.h $(srcdir)/ldns/wire2str.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \ val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/validator/val_kentry.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_kentry.h \ $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \ $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/net_help.h $(srcdir)/util/regional.h dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(srcdir)/util/module.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/regional.h + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ + $(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/testcode/checklocks.h -dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c config.h $(srcdir)/ldns/sbuffer.h \ +dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c config.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \ $(srcdir)/dnstap/dnstap.h \ $(srcdir)/dnstap/dnstap.pb-c.h dnstap.pb-c.lo dnstap.pb-c.o: $(srcdir)/dnstap/dnstap.pb-c.c $(srcdir)/dnstap/dnstap.pb-c.h unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \ - $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/rrdef.h + $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/ldns/sbuffer.h \ - $(srcdir)/ldns/str2wire.h $(srcdir)/ldns/rrdef.h + $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/keyraw.h \ - $(srcdir)/util/log.h \ - $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/random.h + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/random.h unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \ $(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/alloc.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/testcode/readhex.h \ - $(srcdir)/testcode/testpkts.h $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/str2wire.h $(srcdir)/ldns/wire2str.h + $(srcdir)/testcode/testpkts.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h unitneg.lo unitneg.o: $(srcdir)/testcode/unitneg.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/data/dname.h $(srcdir)/testcode/unitmain.h $(srcdir)/validator/val_neg.h $(srcdir)/util/rbtree.h \ - $(srcdir)/ldns/rrdef.h + $(srcdir)/sldns/rrdef.h unitregional.lo unitregional.o: $(srcdir)/testcode/unitregional.c config.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/util/log.h $(srcdir)/util/regional.h unitslabhash.lo unitslabhash.o: $(srcdir)/testcode/unitslabhash.c config.h $(srcdir)/testcode/unitmain.h \ @@ -927,88 +933,89 @@ unitverify.lo unitverify.o: $(srcdir)/testcode/unitverify.c config.h $(srcdir)/u $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/validator/val_secalgo.h \ $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h \ $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \ $(srcdir)/testcode/testpkts.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/keyraw.h \ - $(srcdir)/ldns/str2wire.h $(srcdir)/ldns/wire2str.h + $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/readhex.h $(srcdir)/util/log.h \ - $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/parseutil.h + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcode/testpkts.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/pkthdr.h \ - $(srcdir)/ldns/str2wire.h $(srcdir)/ldns/wire2str.h + $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \ - $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/str2wire.h $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/wire2str.h + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \ $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ - $(srcdir)/ldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \ - $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/util/rbtree.h \ - $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h $(srcdir)/ldns/wire2str.h \ - $(srcdir)/ldns/str2wire.h + $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \ + $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/sldns/str2wire.h daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ - $(srcdir)/ldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \ $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \ - $(srcdir)/util/net_help.h $(srcdir)/ldns/keyraw.h + $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \ $(srcdir)/daemon/remote.h \ - $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/ldns/sbuffer.h \ + $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \ - $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ $(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \ $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/localzone.h $(srcdir)/util/fptr_wlist.h \ - $(srcdir)/util/tube.h $(srcdir)/util/data/dname.h $(srcdir)/validator/validator.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/data/dname.h $(srcdir)/validator/validator.h \ $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \ $(srcdir)/validator/val_anchor.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/iterator/iter_delegpt.h $(srcdir)/services/outside_network.h $(srcdir)/ldns/str2wire.h \ - $(srcdir)/ldns/parseutil.h $(srcdir)/ldns/wire2str.h + $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_delegpt.h \ + $(srcdir)/services/outside_network.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h \ + $(srcdir)/sldns/wire2str.h stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/ldns/sbuffer.h \ + $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h \ - $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h + $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \ + $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \ $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ $(srcdir)/daemon/remote.h \ $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/mini_event.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/mini_event.h \ $(srcdir)/util/rbtree.h worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/ldns/sbuffer.h \ + $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \ - $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \ @@ -1022,23 +1029,23 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \ $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \ $(srcdir)/daemon/remote.h \ - $(srcdir)/util/config_file.h $(srcdir)/ldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/tube.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcode/testpkts.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/pkthdr.h \ - $(srcdir)/ldns/str2wire.h $(srcdir)/ldns/wire2str.h + $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/ldns/sbuffer.h \ + $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \ - $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \ @@ -1055,134 +1062,135 @@ acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/ac daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ - $(srcdir)/ldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \ $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \ - $(srcdir)/util/net_help.h $(srcdir)/ldns/keyraw.h + $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/ldns/sbuffer.h \ + $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h \ - $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h + $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \ + $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ $(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/testcode/testpkts.h \ - $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/ldns/str2wire.h $(srcdir)/ldns/rrdef.h + $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/testcode/fake_event.h \ $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h \ $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/modstack.h $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/wire2str.h $(srcdir)/ldns/str2wire.h + $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \ + $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/tube.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h pktview.lo pktview.o: $(srcdir)/testcode/pktview.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/testcode/readhex.h $(srcdir)/ldns/sbuffer.h \ - $(srcdir)/ldns/parseutil.h + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/testcode/readhex.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/sldns/parseutil.h readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/readhex.h $(srcdir)/util/log.h \ - $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/parseutil.h + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h memstats.lo memstats.o: $(srcdir)/testcode/memstats.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/tube.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c config.h $(srcdir)/util/log.h \ $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \ $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/localzone.h \ - $(srcdir)/ldns/sbuffer.h + $(srcdir)/sldns/sbuffer.h worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/libunbound/worker.h $(srcdir)/ldns/sbuffer.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h + $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbound/context.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/rtt.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/sldns/sbuffer.h libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \ $(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \ $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/libunbound/libworker.h \ $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/regional.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h \ $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/services/localzone.h \ - $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/sldns/sbuffer.h libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \ $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h \ - $(srcdir)/ldns/sbuffer.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h \ $(srcdir)/util/netevent.h $(srcdir)/services/mesh.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/ldns/str2wire.h + $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/wire2str.h + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/modstack.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/ldns/rrdef.h + $(srcdir)/sldns/rrdef.h streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/ldns/sbuffer.h \ - $(srcdir)/ldns/str2wire.h $(srcdir)/ldns/wire2str.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \ perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h \ - $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/wire2str.h $(srcdir)/ldns/str2wire.h + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \ - $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h + $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/ldns/rrdef.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \ petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \ pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/rrdef.h \ - $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \ - $(srcdir)/iterator/iter_delegpt.h $(srcdir)/ldns/sbuffer.h + $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ - $(srcdir)/ldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \ $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \ $(srcdir)/util/config_file.h $(srcdir)/util/winsock_event.h w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h @@ -1191,20 +1199,21 @@ unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-se unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-service-remove.c config.h \ $(srcdir)/winrc/w_inst.h anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/wire2str.h -keyraw.lo keyraw.o: $(srcdir)/ldns/keyraw.c config.h $(srcdir)/ldns/keyraw.h \ - $(srcdir)/ldns/rrdef.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h +keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/sldns/rrdef.h \ -sbuffer.lo sbuffer.o: $(srcdir)/ldns/sbuffer.c config.h $(srcdir)/ldns/sbuffer.h -wire2str.lo wire2str.o: $(srcdir)/ldns/wire2str.c config.h $(srcdir)/ldns/wire2str.h $(srcdir)/ldns/str2wire.h \ - $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/pkthdr.h $(srcdir)/ldns/parseutil.h $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/keyraw.h \ +sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h +wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/sldns/keyraw.h \ -parse.lo parse.o: $(srcdir)/ldns/parse.c config.h $(srcdir)/ldns/parse.h $(srcdir)/ldns/parseutil.h \ - $(srcdir)/ldns/sbuffer.h -parseutil.lo parseutil.o: $(srcdir)/ldns/parseutil.c config.h $(srcdir)/ldns/parseutil.h -rrdef.lo rrdef.o: $(srcdir)/ldns/rrdef.c config.h $(srcdir)/ldns/rrdef.h $(srcdir)/ldns/parseutil.h -str2wire.lo str2wire.o: $(srcdir)/ldns/str2wire.c config.h $(srcdir)/ldns/str2wire.h $(srcdir)/ldns/rrdef.h \ - $(srcdir)/ldns/wire2str.h $(srcdir)/ldns/sbuffer.h $(srcdir)/ldns/parse.h $(srcdir)/ldns/parseutil.h +parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \ + $(srcdir)/sldns/sbuffer.h +parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h +rrdef.lo rrdef.o: $(srcdir)/sldns/rrdef.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h +str2wire.lo str2wire.o: $(srcdir)/sldns/str2wire.c config.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h ctime_r.lo ctime_r.o: $(srcdir)/compat/ctime_r.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h fake-rfc2553.lo fake-rfc2553.o: $(srcdir)/compat/fake-rfc2553.c $(srcdir)/compat/fake-rfc2553.h config.h gmtime_r.lo gmtime_r.o: $(srcdir)/compat/gmtime_r.c config.h @@ -1228,3 +1237,4 @@ arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/com arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c config.h arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c config.h $(srcdir)/util/locks.h sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h +reallocarray.lo reallocarray.o: $(srcdir)/compat/reallocarray.c config.h diff --git a/contrib/unbound/acx_nlnetlabs.m4 b/contrib/unbound/acx_nlnetlabs.m4 index e1cf83a..c9ca755 100644 --- a/contrib/unbound/acx_nlnetlabs.m4 +++ b/contrib/unbound/acx_nlnetlabs.m4 @@ -2,7 +2,9 @@ # Copyright 2009, Wouter Wijngaards, NLnet Labs. # BSD licensed. # -# Version 26 +# Version 28 +# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added. +# 2015-03-17 AHX_CONFIG_REALLOCARRAY added # 2013-09-19 FLTO help text improved. # 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes # 2013-06-25 FLTO has --disable-flto option. @@ -93,6 +95,8 @@ # ACX_CHECK_MEMCMP_SIGNED - check if memcmp uses signed characters. # AHX_MEMCMP_BROKEN - replace memcmp func for CHECK_MEMCMP_SIGNED. # ACX_CHECK_SS_FAMILY - check for sockaddr_storage.ss_family +# ACX_CHECK_PIE - add --enable-pie option and check if works +# ACX_CHECK_RELRO_NOW - add --enable-relro-now option and check it # dnl Escape backslashes as \\, for C:\ paths, for the C preprocessor defines. @@ -1213,6 +1217,16 @@ struct tm *gmtime_r(const time_t *timep, struct tm *result); #endif ]) +dnl provide reallocarray compat prototype. +dnl $1: unique name for compat code +AC_DEFUN([AHX_CONFIG_REALLOCARRAY], +[ +#ifndef HAVE_REALLOCARRAY +#define reallocarray reallocarray$1 +void* reallocarray(void *ptr, size_t nmemb, size_t size); +#endif +]) + dnl provide w32 compat definition for sleep AC_DEFUN([AHX_CONFIG_W32_SLEEP], [ @@ -1375,4 +1389,46 @@ AC_DEFUN([ACX_CHECK_SS_FAMILY], #endif ]) ]) +dnl Check if CC and linker support -fPIE and -pie. +dnl If so, sets them in CFLAGS / LDFLAGS. +AC_DEFUN([ACX_CHECK_PIE], [ + AC_ARG_ENABLE([pie], AS_HELP_STRING([--enable-pie], [Enable Position-Independent Executable (eg. to fully benefit from ASLR, small performance penalty)])) + AS_IF([test "x$enable_pie" = "xyes"], [ + AC_MSG_CHECKING([if $CC supports PIE]) + BAKLDFLAGS="$LDFLAGS" + BAKCFLAGS="$CFLAGS" + LDFLAGS="$LDFLAGS -pie" + CFLAGS="$CFLAGS -fPIE" + AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [ + if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then + LDFLAGS="$BAKLDFLAGS" + AC_MSG_RESULT(no) + else + AC_MSG_RESULT(yes) + fi + rm -f conftest conftest.c conftest.o + ], [LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)]) + ]) +]) + +dnl Check if linker supports -Wl,-z,relro,-z,now. +dnl If so, adds it to LDFLAGS. +AC_DEFUN([ACX_CHECK_RELRO_NOW], [ + AC_ARG_ENABLE([relro_now], AS_HELP_STRING([--enable-relro-now], [Enable full relocation binding at load-time (RELRO NOW, to protect GOT and .dtor areas)])) + AS_IF([test "x$enable_relro_now" = "xyes"], [ + AC_MSG_CHECKING([if $CC supports -Wl,-z,relro,-z,now]) + BAKLDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now" + AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [ + if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then + LDFLAGS="$BAKLDFLAGS" + AC_MSG_RESULT(no) + else + AC_MSG_RESULT(yes) + fi + rm -f conftest conftest.c conftest.o + ], [LDFLAGS="$BAKLDFLAGS" ; AC_MSG_RESULT(no)]) + ]) +]) + dnl End of file diff --git a/contrib/unbound/compat/getentropy_linux.c b/contrib/unbound/compat/getentropy_linux.c index d4adab2..76f0f9d 100644 --- a/contrib/unbound/compat/getentropy_linux.c +++ b/contrib/unbound/compat/getentropy_linux.c @@ -77,6 +77,9 @@ int getentropy(void *buf, size_t len); extern int main(int, char *argv[]); #endif static int gotdata(char *buf, size_t len); +#ifdef SYS_getrandom +static int getentropy_getrandom(void *buf, size_t len); +#endif static int getentropy_urandom(void *buf, size_t len); #ifdef SYS__sysctl static int getentropy_sysctl(void *buf, size_t len); @@ -94,11 +97,15 @@ getentropy(void *buf, size_t len) } #ifdef SYS_getrandom - /* try to use getrandom syscall introduced with kernel 3.17 */ - ret = syscall(SYS_getrandom, buf, len, 0); + /* + * Try descriptor-less getrandom() + */ + ret = getentropy_getrandom(buf, len); if (ret != -1) return (ret); -#endif /* SYS_getrandom */ + if (errno != ENOSYS) + return (-1); +#endif /* * Try to get entropy with /dev/urandom @@ -185,6 +192,25 @@ gotdata(char *buf, size_t len) return 0; } +#ifdef SYS_getrandom +static int +getentropy_getrandom(void *buf, size_t len) +{ + int pre_errno = errno; + int ret; + if (len > 256) + return (-1); + do { + ret = syscall(SYS_getrandom, buf, len, 0); + } while (ret == -1 && errno == EINTR); + + if (ret != (int)len) + return (-1); + errno = pre_errno; + return (0); +} +#endif + static int getentropy_urandom(void *buf, size_t len) { @@ -258,7 +284,7 @@ getentropy_sysctl(void *buf, size_t len) struct __sysctl_args args = { .name = mib, .nlen = 3, - .oldval = buf + i, + .oldval = (char *)buf + i, .oldlenp = &chunk, }; if (syscall(SYS__sysctl, &args) != 0) diff --git a/contrib/unbound/compat/reallocarray.c b/contrib/unbound/compat/reallocarray.c new file mode 100644 index 0000000..04d5d71 --- /dev/null +++ b/contrib/unbound/compat/reallocarray.c @@ -0,0 +1,39 @@ +/* $OpenBSD: reallocarray.c,v 1.1 2014/05/08 21:43:49 deraadt Exp $ */ +/* + * Copyright (c) 2008 Otto Moerbeek <otto@drijf.net> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "config.h" +#include <sys/types.h> +#include <errno.h> +#include <stdint.h> +#include <stdlib.h> + +/* + * This is sqrt(SIZE_MAX+1), as s1*s2 <= SIZE_MAX + * if both s1 < MUL_NO_OVERFLOW and s2 < MUL_NO_OVERFLOW + */ +#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4)) + +void * +reallocarray(void *optr, size_t nmemb, size_t size) +{ + if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) && + nmemb > 0 && SIZE_MAX / nmemb < size) { + errno = ENOMEM; + return NULL; + } + return realloc(optr, size * nmemb); +} diff --git a/contrib/unbound/config.h b/contrib/unbound/config.h index 641ddd3..6e322ea 100644 --- a/contrib/unbound/config.h +++ b/contrib/unbound/config.h @@ -71,6 +71,10 @@ if you don't. */ #define HAVE_DECL_NID_X9_62_PRIME256V1 1 +/* Define to 1 if you have the declaration of `reallocarray', and to 0 if you + don't. */ +/* #undef HAVE_DECL_REALLOCARRAY */ + /* Define to 1 if you have the declaration of `sk_SSL_COMP_pop_free', and to 0 if you don't. */ #define HAVE_DECL_SK_SSL_COMP_POP_FREE 1 @@ -79,6 +83,10 @@ `SSL_COMP_get_compression_methods', and to 0 if you don't. */ #define HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS 1 +/* Define to 1 if you have the declaration of `SSL_CTX_set_ecdh_auto', and to + 0 if you don't. */ +#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO 0 + /* Define to 1 if you have the declaration of `strlcat', and to 0 if you don't. */ /* #undef HAVE_DECL_STRLCAT */ @@ -267,6 +275,9 @@ /* Define to 1 if you have the `random' function. */ #define HAVE_RANDOM 1 +/* Define to 1 if you have the `reallocarray' function. */ +/* #undef HAVE_REALLOCARRAY */ + /* Define to 1 if you have the `recvmsg' function. */ #define HAVE_RECVMSG 1 @@ -486,7 +497,7 @@ #define PACKAGE_NAME "unbound" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "unbound 1.5.3" +#define PACKAGE_STRING "unbound 1.5.5" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "unbound" @@ -495,7 +506,7 @@ #define PACKAGE_URL "" /* Define to the version of this package. */ -#define PACKAGE_VERSION "1.5.3" +#define PACKAGE_VERSION "1.5.5" /* default pidfile location */ #define PIDFILE "/var/unbound/unbound.pid" @@ -514,7 +525,7 @@ #define ROOT_CERT_FILE "/var/unbound/icannbundle.pem" /* version number for resource files */ -#define RSRC_PACKAGE_VERSION 1,5,3,0 +#define RSRC_PACKAGE_VERSION 1,5,5,0 /* Directory to chdir to */ #define RUN_DIR "/var/unbound" @@ -890,6 +901,12 @@ struct tm *gmtime_r(const time_t *timep, struct tm *result); #endif +#ifndef HAVE_REALLOCARRAY +#define reallocarray reallocarrayunbound +void* reallocarray(void *ptr, size_t nmemb, size_t size); +#endif + + #if !defined(HAVE_SLEEP) || defined(HAVE_WINDOWS_H) #define sleep(x) Sleep((x)*1000) /* on win32 */ #endif /* HAVE_SLEEP */ @@ -955,6 +972,9 @@ uint32_t arc4random(void); # if !HAVE_DECL_ARC4RANDOM_UNIFORM && defined(HAVE_ARC4RANDOM_UNIFORM) uint32_t arc4random_uniform(uint32_t upper_bound); # endif +# if !HAVE_DECL_REALLOCARRAY +void *reallocarray(void *ptr, size_t nmemb, size_t size); +# endif #endif /* HAVE_LIBRESSL */ #ifndef HAVE_ARC4RANDOM void explicit_bzero(void* buf, size_t len); diff --git a/contrib/unbound/config.h.in b/contrib/unbound/config.h.in index c36d4b9..7576e15 100644 --- a/contrib/unbound/config.h.in +++ b/contrib/unbound/config.h.in @@ -70,6 +70,10 @@ if you don't. */ #undef HAVE_DECL_NID_X9_62_PRIME256V1 +/* Define to 1 if you have the declaration of `reallocarray', and to 0 if you + don't. */ +#undef HAVE_DECL_REALLOCARRAY + /* Define to 1 if you have the declaration of `sk_SSL_COMP_pop_free', and to 0 if you don't. */ #undef HAVE_DECL_SK_SSL_COMP_POP_FREE @@ -78,6 +82,10 @@ `SSL_COMP_get_compression_methods', and to 0 if you don't. */ #undef HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS +/* Define to 1 if you have the declaration of `SSL_CTX_set_ecdh_auto', and to + 0 if you don't. */ +#undef HAVE_DECL_SSL_CTX_SET_ECDH_AUTO + /* Define to 1 if you have the declaration of `strlcat', and to 0 if you don't. */ #undef HAVE_DECL_STRLCAT @@ -266,6 +274,9 @@ /* Define to 1 if you have the `random' function. */ #undef HAVE_RANDOM +/* Define to 1 if you have the `reallocarray' function. */ +#undef HAVE_REALLOCARRAY + /* Define to 1 if you have the `recvmsg' function. */ #undef HAVE_RECVMSG @@ -889,6 +900,12 @@ struct tm *gmtime_r(const time_t *timep, struct tm *result); #endif +#ifndef HAVE_REALLOCARRAY +#define reallocarray reallocarrayunbound +void* reallocarray(void *ptr, size_t nmemb, size_t size); +#endif + + #if !defined(HAVE_SLEEP) || defined(HAVE_WINDOWS_H) #define sleep(x) Sleep((x)*1000) /* on win32 */ #endif /* HAVE_SLEEP */ @@ -954,6 +971,9 @@ uint32_t arc4random(void); # if !HAVE_DECL_ARC4RANDOM_UNIFORM && defined(HAVE_ARC4RANDOM_UNIFORM) uint32_t arc4random_uniform(uint32_t upper_bound); # endif +# if !HAVE_DECL_REALLOCARRAY +void *reallocarray(void *ptr, size_t nmemb, size_t size); +# endif #endif /* HAVE_LIBRESSL */ #ifndef HAVE_ARC4RANDOM void explicit_bzero(void* buf, size_t len); diff --git a/contrib/unbound/configure b/contrib/unbound/configure index 20ff33d..7b0a7e6 100755 --- a/contrib/unbound/configure +++ b/contrib/unbound/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.5.3. +# Generated by GNU Autoconf 2.69 for unbound 1.5.5. # # Report bugs to <unbound-bugs@nlnetlabs.nl>. # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.5.3' -PACKAGE_STRING='unbound 1.5.3' +PACKAGE_VERSION='1.5.5' +PACKAGE_STRING='unbound 1.5.5' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl' PACKAGE_URL='' @@ -677,6 +677,7 @@ WITH_PYTHONMODULE swig SWIG_LIB SWIG +PY_MAJOR_VERSION PYTHON_SITE_PKG PYTHON_LDFLAGS PYTHON_CPPFLAGS @@ -803,6 +804,8 @@ with_username enable_checking enable_debug enable_flto +enable_pie +enable_relro_now enable_shared enable_static with_pic @@ -1388,7 +1391,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.5.3 to adapt to many kinds of systems. +\`configure' configures unbound 1.5.5 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1453,7 +1456,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.5.3:";; + short | recursive ) echo "Configuration of unbound 1.5.5:";; esac cat <<\_ACEOF @@ -1464,6 +1467,10 @@ Optional Features: --enable-checking Enable warnings, asserts, makefile-dependencies --enable-debug same as enable-checking --disable-flto Disable link-time optimization (gcc specific option) + --enable-pie Enable Position-Independent Executable (eg. to fully + benefit from ASLR, small performance penalty) + --enable-relro-now Enable full relocation binding at load-time (RELRO + NOW, to protect GOT and .dtor areas) --enable-shared[=PKGS] build shared libraries [default=yes] --enable-static[=PKGS] build static libraries [default=yes] --enable-fast-install[=PKGS] @@ -1628,7 +1635,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.5.3 +unbound configure 1.5.5 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2337,7 +2344,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.5.3, which was +It was created by unbound $as_me 1.5.5, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2689,11 +2696,11 @@ UNBOUND_VERSION_MAJOR=1 UNBOUND_VERSION_MINOR=5 -UNBOUND_VERSION_MICRO=3 +UNBOUND_VERSION_MICRO=5 LIBUNBOUND_CURRENT=5 -LIBUNBOUND_REVISION=6 +LIBUNBOUND_REVISION=8 LIBUNBOUND_AGE=3 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2736,6 +2743,8 @@ LIBUNBOUND_AGE=3 # 1.5.1 had 5:3:3 # 1.5.2 had 5:5:3 # 1.5.3 had 5:6:3 +# 1.5.4 had 5:7:3 +# 1.5.5 had 5:8:3 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -5877,6 +5886,96 @@ rm -f core conftest.err conftest.$ac_objext \ fi + # Check whether --enable-pie was given. +if test "${enable_pie+set}" = set; then : + enableval=$enable_pie; +fi + + if test "x$enable_pie" = "xyes"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports PIE" >&5 +$as_echo_n "checking if $CC supports PIE... " >&6; } + BAKLDFLAGS="$LDFLAGS" + BAKCFLAGS="$CFLAGS" + LDFLAGS="$LDFLAGS -pie" + CFLAGS="$CFLAGS -fPIE" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then + LDFLAGS="$BAKLDFLAGS" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + fi + rm -f conftest conftest.c conftest.o + +else + LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi + + + # Check whether --enable-relro_now was given. +if test "${enable_relro_now+set}" = set; then : + enableval=$enable_relro_now; +fi + + if test "x$enable_relro_now" = "xyes"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wl,-z,relro,-z,now" >&5 +$as_echo_n "checking if $CC supports -Wl,-z,relro,-z,now... " >&6; } + BAKLDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then + LDFLAGS="$BAKLDFLAGS" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + fi + rm -f conftest conftest.c conftest.o + +else + LDFLAGS="$BAKLDFLAGS" ; { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 $as_echo_n "checking for inline... " >&6; } if ${ac_cv_c_inline+:} false; then : @@ -16099,6 +16198,8 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu as_fn_error $? "Python version >= 2.4.0 is required" "$LINENO" 5 fi + PY_MAJOR_VERSION="`$PYTHON -c \"import sys; print(sys.version_info[0])\"`" + # Have Python $as_echo "#define HAVE_PYTHON 1" >>confdefs.h @@ -16680,7 +16781,7 @@ rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5 $as_echo_n "checking for LibreSSL... " >&6; } -if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then +if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } @@ -16728,6 +16829,16 @@ fi cat >>confdefs.h <<_ACEOF #define HAVE_DECL_ARC4RANDOM_UNIFORM $ac_have_decl _ACEOF +ac_fn_c_check_decl "$LINENO" "reallocarray" "ac_cv_have_decl_reallocarray" "$ac_includes_default" +if test "x$ac_cv_have_decl_reallocarray" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_REALLOCARRAY $ac_have_decl +_ACEOF else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 @@ -16831,6 +16942,36 @@ fi cat >>confdefs.h <<_ACEOF #define HAVE_DECL_SK_SSL_COMP_POP_FREE $ac_have_decl _ACEOF +ac_fn_c_check_decl "$LINENO" "SSL_CTX_set_ecdh_auto" "ac_cv_have_decl_SSL_CTX_set_ecdh_auto" " +$ac_includes_default +#ifdef HAVE_OPENSSL_ERR_H +#include <openssl/err.h> +#endif + +#ifdef HAVE_OPENSSL_RAND_H +#include <openssl/rand.h> +#endif + +#ifdef HAVE_OPENSSL_CONF_H +#include <openssl/conf.h> +#endif + +#ifdef HAVE_OPENSSL_ENGINE_H +#include <openssl/engine.h> +#endif +#include <openssl/ssl.h> +#include <openssl/evp.h> + +" +if test "x$ac_cv_have_decl_SSL_CTX_set_ecdh_auto" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO $ac_have_decl +_ACEOF fi @@ -18138,6 +18279,20 @@ fi LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS" +ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray" +if test "x$ac_cv_func_reallocarray" = xyes; then : + $as_echo "#define HAVE_REALLOCARRAY 1" >>confdefs.h + +else + case " $LIBOBJS " in + *" reallocarray.$ac_objext "* ) ;; + *) LIBOBJS="$LIBOBJS reallocarray.$ac_objext" + ;; +esac + +fi + + if test "$USE_NSS" = "no"; then ac_fn_c_check_func "$LINENO" "arc4random" "ac_cv_func_arc4random" if test "x$ac_cv_func_arc4random" = xyes; then : @@ -18862,7 +19017,7 @@ _ACEOF -version=1.5.3 +version=1.5.5 date=`date +'%b %e, %Y'` @@ -19377,7 +19532,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.5.3, which was +This file was extended by unbound $as_me 1.5.5, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19443,7 +19598,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.5.3 +unbound config.status 1.5.5 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/contrib/unbound/configure.ac b/contrib/unbound/configure.ac index ae0525b..871ea7c 100644 --- a/contrib/unbound/configure.ac +++ b/contrib/unbound/configure.ac @@ -10,14 +10,14 @@ sinclude(dnstap/dnstap.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) m4_define([VERSION_MINOR],[5]) -m4_define([VERSION_MICRO],[3]) +m4_define([VERSION_MICRO],[5]) AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=5 -LIBUNBOUND_REVISION=6 +LIBUNBOUND_REVISION=8 LIBUNBOUND_AGE=3 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -60,6 +60,8 @@ LIBUNBOUND_AGE=3 # 1.5.1 had 5:3:3 # 1.5.2 had 5:5:3 # 1.5.3 had 5:6:3 +# 1.5.4 had 5:7:3 +# 1.5.5 had 5:8:3 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -245,6 +247,8 @@ case "$debug_enabled" in ;; esac ACX_CHECK_FLTO +ACX_CHECK_PIE +ACX_CHECK_RELRO_NOW AC_C_INLINE ACX_CHECK_FORMAT_ATTRIBUTE @@ -474,6 +478,8 @@ if test x_$ub_test_python != x_no; then AC_ERROR([Python version >= 2.4.0 is required]) fi + [PY_MAJOR_VERSION="`$PYTHON -c \"import sys; print(sys.version_info[0])\"`"] + AC_SUBST(PY_MAJOR_VERSION) # Have Python AC_DEFINE(HAVE_PYTHON,1,[Define if you have Python libraries and header files.]) LIBS="$PYTHON_LDFLAGS $LIBS" @@ -563,19 +569,19 @@ if test $USE_NSS = "no"; then ACX_WITH_SSL ACX_LIB_SSL AC_MSG_CHECKING([for LibreSSL]) -if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then +if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then AC_MSG_RESULT([yes]) AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL]) # libressl provides these compat functions, but they may also be # declared by the OS in libc. See if they have been declared. - AC_CHECK_DECLS([strlcpy,strlcat,arc4random,arc4random_uniform]) + AC_CHECK_DECLS([strlcpy,strlcat,arc4random,arc4random_uniform,reallocarray]) else AC_MSG_RESULT([no]) fi AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode]) -AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [ +AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H #include <openssl/err.h> @@ -995,8 +1001,10 @@ AC_REPLACE_FUNCS(strlcat) AC_REPLACE_FUNCS(strlcpy) AC_REPLACE_FUNCS(memmove) AC_REPLACE_FUNCS(gmtime_r) +dnl without CTIME, ARC4-functions and without reallocarray. LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS" AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4) +AC_REPLACE_FUNCS(reallocarray) if test "$USE_NSS" = "no"; then AC_REPLACE_FUNCS(arc4random) AC_REPLACE_FUNCS(arc4random_uniform) @@ -1235,6 +1243,7 @@ AHX_CONFIG_MEMMOVE(unbound) AHX_CONFIG_STRLCAT(unbound) AHX_CONFIG_STRLCPY(unbound) AHX_CONFIG_GMTIME_R(unbound) +AHX_CONFIG_REALLOCARRAY(unbound) AHX_CONFIG_W32_SLEEP AHX_CONFIG_W32_USLEEP AHX_CONFIG_W32_RANDOM @@ -1268,6 +1277,9 @@ uint32_t arc4random(void); # if !HAVE_DECL_ARC4RANDOM_UNIFORM && defined(HAVE_ARC4RANDOM_UNIFORM) uint32_t arc4random_uniform(uint32_t upper_bound); # endif +# if !HAVE_DECL_REALLOCARRAY +void *reallocarray(void *ptr, size_t nmemb, size_t size); +# endif #endif /* HAVE_LIBRESSL */ #ifndef HAVE_ARC4RANDOM void explicit_bzero(void* buf, size_t len); diff --git a/contrib/unbound/daemon/cachedump.c b/contrib/unbound/daemon/cachedump.c index 20a46ae..4b0a583 100644 --- a/contrib/unbound/daemon/cachedump.c +++ b/contrib/unbound/daemon/cachedump.c @@ -56,9 +56,9 @@ #include "iterator/iter_utils.h" #include "iterator/iter_fwd.h" #include "iterator/iter_hints.h" -#include "ldns/sbuffer.h" -#include "ldns/wire2str.h" -#include "ldns/str2wire.h" +#include "sldns/sbuffer.h" +#include "sldns/wire2str.h" +#include "sldns/str2wire.h" /** dump one rrset zonefile line */ static int @@ -223,6 +223,8 @@ copy_msg(struct regional* region, struct lruhash_entry* e, struct query_info** k, struct reply_info** d) { struct reply_info* rep = (struct reply_info*)e->data; + if(rep->rrset_count > RR_COUNT_MAX) + return 0; /* to protect against integer overflow */ *d = (struct reply_info*)regional_alloc_init(region, e->data, sizeof(struct reply_info) + sizeof(struct rrset_ref) * (rep->rrset_count-1) + @@ -470,6 +472,10 @@ load_rrset(SSL* ssl, sldns_buffer* buf, struct worker* worker) log_warn("bad rrset without contents"); return 0; } + if(rr_count > RR_COUNT_MAX || rrsig_count > RR_COUNT_MAX) { + log_warn("bad rrset with too many rrs"); + return 0; + } d->count = (size_t)rr_count; d->rrsig_count = (size_t)rrsig_count; d->security = (enum sec_status)security; @@ -646,6 +652,10 @@ load_msg(SSL* ssl, sldns_buffer* buf, struct worker* worker) rep.ttl = (time_t)ttl; rep.prefetch_ttl = PREFETCH_TTL_CALC(rep.ttl); rep.security = (enum sec_status)security; + if(an > RR_COUNT_MAX || ns > RR_COUNT_MAX || ar > RR_COUNT_MAX) { + log_warn("error too many rrsets"); + return 0; /* protect against integer overflow in alloc */ + } rep.an_numrrsets = (size_t)an; rep.ns_numrrsets = (size_t)ns; rep.ar_numrrsets = (size_t)ar; diff --git a/contrib/unbound/daemon/daemon.c b/contrib/unbound/daemon/daemon.c index f693a02..e763f72 100644 --- a/contrib/unbound/daemon/daemon.c +++ b/contrib/unbound/daemon/daemon.c @@ -84,7 +84,7 @@ #include "util/random.h" #include "util/tube.h" #include "util/net_help.h" -#include "ldns/keyraw.h" +#include "sldns/keyraw.h" #include <signal.h> /** How many quit requests happened. */ @@ -399,6 +399,12 @@ daemon_create_workers(struct daemon* daemon) verbose(VERB_ALGO, "total of %d outgoing ports available", numport); daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1); + if(daemon->reuseport && (int)daemon->num < (int)daemon->num_ports) { + log_warn("cannot reduce num-threads to %d because so-reuseport " + "so continuing with %d threads.", (int)daemon->num, + (int)daemon->num_ports); + daemon->num = (int)daemon->num_ports; + } daemon->workers = (struct worker**)calloc((size_t)daemon->num, sizeof(struct worker*)); if(daemon->cfg->dnstap) { @@ -464,7 +470,7 @@ thread_start(void* arg) #endif #ifdef SO_REUSEPORT if(worker->daemon->cfg->so_reuseport) - port_num = worker->thread_num; + port_num = worker->thread_num % worker->daemon->num_ports; else port_num = 0; #endif diff --git a/contrib/unbound/daemon/remote.c b/contrib/unbound/daemon/remote.c index 3ce55ee..c16e4e5 100644 --- a/contrib/unbound/daemon/remote.c +++ b/contrib/unbound/daemon/remote.c @@ -78,10 +78,10 @@ #include "iterator/iter_delegpt.h" #include "services/outbound_list.h" #include "services/outside_network.h" -#include "ldns/str2wire.h" -#include "ldns/parseutil.h" -#include "ldns/wire2str.h" -#include "ldns/sbuffer.h" +#include "sldns/str2wire.h" +#include "sldns/parseutil.h" +#include "sldns/wire2str.h" +#include "sldns/sbuffer.h" #ifdef HAVE_SYS_TYPES_H # include <sys/types.h> @@ -140,34 +140,45 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d) /* * The following function was generated using the openssl utility, using - * the command : "openssl dhparam -dsaparam -C 512" + * the command : "openssl dhparam -dsaparam -C 1024" + * (some openssl versions reject DH that is 'too small', eg. 512). */ #ifndef S_SPLINT_S -DH *get_dh512() -{ - static unsigned char dh512_p[]={ - 0xC9,0xD7,0x05,0xDA,0x5F,0xAB,0x14,0xE8,0x11,0x56,0x77,0x85, - 0xB1,0x24,0x2C,0x95,0x60,0xEA,0xE2,0x10,0x6F,0x0F,0x84,0xEC, - 0xF4,0x45,0xE8,0x90,0x7A,0xA7,0x03,0xFF,0x5B,0x88,0x53,0xDE, - 0xC4,0xDE,0xBC,0x42,0x78,0x71,0x23,0x7E,0x24,0xA5,0x5E,0x4E, - 0xEF,0x6F,0xFF,0x5F,0xAF,0xBE,0x8A,0x77,0x62,0xB4,0x65,0x82, - 0x7E,0xC9,0xED,0x2F, - }; - static unsigned char dh512_g[]={ - 0x8D,0x3A,0x52,0xBC,0x8A,0x71,0x94,0x33,0x2F,0xE1,0xE8,0x4C, - 0x73,0x47,0x03,0x4E,0x7D,0x40,0xE5,0x84,0xA0,0xB5,0x6D,0x10, - 0x6F,0x90,0x43,0x05,0x1A,0xF9,0x0B,0x6A,0xD1,0x2A,0x9C,0x25, - 0x0A,0xB9,0xD1,0x14,0xDC,0x35,0x1C,0x48,0x7C,0xC6,0x0C,0x6D, - 0x32,0x1D,0xD3,0xC8,0x10,0xA8,0x82,0x14,0xA2,0x1C,0xF4,0x53, - 0x23,0x3B,0x1C,0xB9, - }; +DH *get_dh1024() +{ + static unsigned char dh1024_p[]={ + 0xB3,0x67,0x2E,0x3B,0x68,0xC5,0xDA,0x58,0x46,0xD6,0x2B,0xD3, + 0x41,0x78,0x97,0xE4,0xE1,0x61,0x71,0x68,0xE6,0x0F,0x1D,0x78, + 0x05,0xAA,0xF0,0xFF,0x30,0xDF,0xAC,0x49,0x7F,0xE0,0x90,0xFE, + 0xB9,0x56,0x4E,0x3F,0xE2,0x98,0x8A,0xED,0xF5,0x28,0x39,0xEF, + 0x2E,0xA6,0xB7,0x67,0xB2,0x43,0xE4,0x53,0xF8,0xEB,0x2C,0x1F, + 0x06,0x77,0x3A,0x6F,0x62,0x98,0xC1,0x3B,0xF7,0xBA,0x4D,0x93, + 0xF7,0xEB,0x5A,0xAD,0xC5,0x5F,0xF0,0xB7,0x24,0x35,0x81,0xF7, + 0x7F,0x1F,0x24,0xC0,0xDF,0xD3,0xD8,0x40,0x72,0x7E,0xF3,0x19, + 0x2B,0x26,0x27,0xF4,0xB6,0xB3,0xD4,0x7D,0x08,0x23,0xBE,0x68, + 0x2B,0xCA,0xB4,0x46,0xA8,0x9E,0xDD,0x6C,0x3D,0x75,0xA6,0x48, + 0xF7,0x44,0x43,0xBF,0x91,0xC2,0xB4,0x49, + }; + static unsigned char dh1024_g[]={ + 0x5F,0x37,0xB5,0x80,0x4D,0xB4,0xC4,0xB2,0x37,0x12,0xD5,0x2F, + 0x56,0x81,0xB0,0xDF,0x3D,0x27,0xA2,0x54,0xE7,0x14,0x65,0x2D, + 0x72,0xA8,0x97,0xE0,0xA9,0x4A,0x09,0x5E,0x89,0xBE,0x34,0x9A, + 0x90,0x98,0xC1,0xE8,0xBB,0x01,0x2B,0xC2,0x74,0x74,0x90,0x59, + 0x0B,0x72,0x62,0x5C,0xFD,0x49,0x63,0x4B,0x38,0x91,0xF1,0x7F, + 0x13,0x25,0xEB,0x52,0x50,0x47,0xA2,0x8C,0x32,0x28,0x42,0xAC, + 0xBD,0x7A,0xCC,0x58,0xBE,0x36,0xDA,0x6A,0x24,0x06,0xC7,0xF1, + 0xDA,0x8D,0x8A,0x3B,0x03,0xFA,0x6F,0x25,0xE5,0x20,0xA7,0xD6, + 0x6F,0x74,0x61,0x53,0x14,0x81,0x29,0x04,0xB5,0x61,0x12,0x53, + 0xA3,0xD6,0x09,0x98,0x0C,0x8F,0x1C,0xBB,0xD7,0x1C,0x2C,0xEE, + 0x56,0x4B,0x74,0x8F,0x4A,0xF8,0xA9,0xD5, + }; DH *dh; if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); - dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); + dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); + dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); if ((dh->p == NULL) || (dh->g == NULL)) - { DH_free(dh); return(NULL); } + { DH_free(dh); return(NULL); } dh->length = 160; return(dh); } @@ -218,7 +229,7 @@ daemon_remote_create(struct config_file* cfg) /* Since we have no certificates and hence no source of * DH params, let's generate and set them */ - if(!SSL_CTX_set_tmp_dh(rc->ctx,get_dh512())) { + if(!SSL_CTX_set_tmp_dh(rc->ctx,get_dh1024())) { log_crypto_err("Wanted to set DH param, but failed"); return NULL; } @@ -232,9 +243,9 @@ daemon_remote_create(struct config_file* cfg) goto setup_error; } verbose(VERB_ALGO, "setup SSL certificates"); - if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) { + if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) { log_err("Error for server-cert-file: %s", s_cert); - log_crypto_err("Error in SSL_CTX use_certificate_file"); + log_crypto_err("Error in SSL_CTX use_certificate_chain_file"); goto setup_error; } if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) { @@ -247,6 +258,23 @@ daemon_remote_create(struct config_file* cfg) log_crypto_err("Error in SSL_CTX check_private_key"); goto setup_error; } +#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO + if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) { + log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE"); + } +#elif defined(USE_ECDSA) + if(1) { + EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1); + if (!ecdh) { + log_crypto_err("could not find p256, not enabling ECDHE"); + } else { + if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) { + log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE"); + } + EC_KEY_free (ecdh); + } + } +#endif if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) { log_crypto_err("Error setting up SSL_CTX verify locations"); setup_error: @@ -358,7 +386,8 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err, } /* open fd */ - fd = create_tcp_accept_sock(res, 1, &noproto, 0); + fd = create_tcp_accept_sock(res, 1, &noproto, 0, + cfg->ip_transparent); freeaddrinfo(res); } @@ -725,6 +754,8 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s) (long long)avg.tv_sec, (int)avg.tv_usec)) return 0; if(!ssl_printf(ssl, "%s.recursion.time.median"SQ"%g\n", nm, s->mesh_time_median)) return 0; + if(!ssl_printf(ssl, "%s.tcpusage"SQ"%lu\n", nm, + (unsigned long)s->svr.tcp_accept_usage)) return 0; return 1; } @@ -1228,8 +1259,6 @@ struct del_info { size_t len; /** labels */ int labs; - /** now */ - time_t now; /** time to invalidate to */ time_t expired; /** number of rrsets removed */ @@ -1258,7 +1287,7 @@ infra_del_host(struct lruhash_entry* e, void* arg) d->timeout_AAAA = 0; d->timeout_other = 0; rtt_init(&d->rtt); - if(d->ttl >= inf->now) { + if(d->ttl > inf->expired) { d->ttl = inf->expired; inf->num_keys++; } @@ -1287,7 +1316,6 @@ do_flush_infra(SSL* ssl, struct worker* worker, char* arg) inf.name = 0; inf.len = 0; inf.labs = 0; - inf.now = *worker->env.now; inf.expired = *worker->env.now; inf.expired -= 3; /* handle 3 seconds skew between threads */ inf.num_rrsets = 0; @@ -1318,7 +1346,7 @@ zone_del_rrset(struct lruhash_entry* e, void* arg) if(dname_subdomain_c(k->rk.dname, inf->name)) { struct packed_rrset_data* d = (struct packed_rrset_data*)e->data; - if(d->ttl >= inf->now) { + if(d->ttl > inf->expired) { d->ttl = inf->expired; inf->num_rrsets++; } @@ -1334,7 +1362,7 @@ zone_del_msg(struct lruhash_entry* e, void* arg) struct msgreply_entry* k = (struct msgreply_entry*)e->key; if(dname_subdomain_c(k->key.qname, inf->name)) { struct reply_info* d = (struct reply_info*)e->data; - if(d->ttl >= inf->now) { + if(d->ttl > inf->expired) { d->ttl = inf->expired; inf->num_msgs++; } @@ -1350,7 +1378,7 @@ zone_del_kcache(struct lruhash_entry* e, void* arg) struct key_entry_key* k = (struct key_entry_key*)e->key; if(dname_subdomain_c(k->name, inf->name)) { struct key_entry_data* d = (struct key_entry_data*)e->data; - if(d->ttl >= inf->now) { + if(d->ttl > inf->expired) { d->ttl = inf->expired; inf->num_keys++; } @@ -1373,7 +1401,6 @@ do_flush_zone(SSL* ssl, struct worker* worker, char* arg) inf.name = nm; inf.len = nmlen; inf.labs = nmlabs; - inf.now = *worker->env.now; inf.expired = *worker->env.now; inf.expired -= 3; /* handle 3 seconds skew between threads */ inf.num_rrsets = 0; @@ -1443,7 +1470,6 @@ do_flush_bogus(SSL* ssl, struct worker* worker) struct del_info inf; /* what we do is to set them all expired */ inf.worker = worker; - inf.now = *worker->env.now; inf.expired = *worker->env.now; inf.expired -= 3; /* handle 3 seconds skew between threads */ inf.num_rrsets = 0; @@ -1519,7 +1545,6 @@ do_flush_negative(SSL* ssl, struct worker* worker) struct del_info inf; /* what we do is to set them all expired */ inf.worker = worker; - inf.now = *worker->env.now; inf.expired = *worker->env.now; inf.expired -= 3; /* handle 3 seconds skew between threads */ inf.num_rrsets = 0; @@ -1669,6 +1694,7 @@ parse_delegpt(SSL* ssl, char* args, uint8_t* nm, int allow_names) } } } + dp->has_parent_side_NS = 1; return dp; } @@ -1889,6 +1915,21 @@ do_insecure_remove(SSL* ssl, struct worker* worker, char* arg) send_ok(ssl); } +static void +do_insecure_list(SSL* ssl, struct worker* worker) +{ + char buf[257]; + struct trust_anchor* a; + if(worker->env.anchors) { + RBTREE_FOR(a, struct trust_anchor*, worker->env.anchors->tree) { + if(a->numDS == 0 && a->numDNSKEY == 0) { + dname_str(a->name, buf); + ssl_printf(ssl, "%s\n", buf); + } + } + } +} + /** do the status command */ static void do_status(SSL* ssl, struct worker* worker) @@ -2074,7 +2115,7 @@ dump_infra_host(struct lruhash_entry* e, void* arg) d->rtt.srtt, d->rtt.rttvar, rtt_notimeout(&d->rtt), d->rtt.rto, d->timeout_A, d->timeout_AAAA, d->timeout_other, (int)d->edns_lame_known, (int)d->edns_version, - (int)(a->now<d->probedelay?d->probedelay-a->now:0), + (int)(a->now<d->probedelay?(d->probedelay - a->now):0), (int)d->isdnsseclame, (int)d->rec_lame, (int)d->lame_type_A, (int)d->lame_other)) { a->ssl_failed = 1; @@ -2236,11 +2277,17 @@ do_list_local_data(SSL* ssl, struct worker* worker) for(i=0; i<d->count + d->rrsig_count; i++) { if(!packed_rr_to_string(p->rrset, i, 0, s, slen)) { - if(!ssl_printf(ssl, "BADRR\n")) + if(!ssl_printf(ssl, "BADRR\n")) { + lock_rw_unlock(&z->lock); + lock_rw_unlock(&zones->lock); return; + } } - if(!ssl_printf(ssl, "%s\n", s)) + if(!ssl_printf(ssl, "%s\n", s)) { + lock_rw_unlock(&z->lock); + lock_rw_unlock(&zones->lock); return; + } } } } @@ -2249,6 +2296,54 @@ do_list_local_data(SSL* ssl, struct worker* worker) lock_rw_unlock(&zones->lock); } +/** struct for user arg ratelimit list */ +struct ratelimit_list_arg { + /** the infra cache */ + struct infra_cache* infra; + /** the SSL to print to */ + SSL* ssl; + /** all or only ratelimited */ + int all; + /** current time */ + time_t now; +}; + +/** list items in the ratelimit table */ +static void +rate_list(struct lruhash_entry* e, void* arg) +{ + struct ratelimit_list_arg* a = (struct ratelimit_list_arg*)arg; + struct rate_key* k = (struct rate_key*)e->key; + struct rate_data* d = (struct rate_data*)e->data; + char buf[257]; + int lim = infra_find_ratelimit(a->infra, k->name, k->namelen); + int max = infra_rate_max(d, a->now); + if(a->all == 0) { + if(max < lim) + return; + } + dname_str(k->name, buf); + ssl_printf(a->ssl, "%s %d limit %d\n", buf, max, lim); +} + +/** do the ratelimit_list command */ +static void +do_ratelimit_list(SSL* ssl, struct worker* worker, char* arg) +{ + struct ratelimit_list_arg a; + a.all = 0; + a.infra = worker->env.infra_cache; + a.now = *worker->env.now; + a.ssl = ssl; + arg = skipwhite(arg); + if(strcmp(arg, "+a") == 0) + a.all = 1; + if(a.infra->domain_rates==NULL || + (a.all == 0 && infra_dp_ratelimit == 0)) + return; + slabhash_traverse(a.infra->domain_rates, 0, rate_list, &a); +} + /** tell other processes to execute the command */ static void distribute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd) @@ -2309,12 +2404,18 @@ execute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd, } else if(cmdcmp(p, "list_stubs", 10)) { do_list_stubs(ssl, worker); return; + } else if(cmdcmp(p, "list_insecure", 13)) { + do_insecure_list(ssl, worker); + return; } else if(cmdcmp(p, "list_local_zones", 16)) { do_list_local_zones(ssl, worker); return; } else if(cmdcmp(p, "list_local_data", 15)) { do_list_local_data(ssl, worker); return; + } else if(cmdcmp(p, "ratelimit_list", 14)) { + do_ratelimit_list(ssl, worker, p+14); + return; } else if(cmdcmp(p, "stub_add", 8)) { /* must always distribute this cmd */ if(rc) distribute_cmd(rc, ssl, cmd); diff --git a/contrib/unbound/daemon/stats.c b/contrib/unbound/daemon/stats.c index d3f41de..838cf05 100644 --- a/contrib/unbound/daemon/stats.c +++ b/contrib/unbound/daemon/stats.c @@ -50,12 +50,13 @@ #include "daemon/daemon.h" #include "services/mesh.h" #include "services/outside_network.h" +#include "services/listen_dnsport.h" #include "util/config_file.h" #include "util/tube.h" #include "util/timehist.h" #include "util/net_help.h" #include "validator/validator.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" #include "services/cache/rrset.h" #include "services/cache/infra.h" #include "validator/val_kcache.h" @@ -140,6 +141,7 @@ void server_stats_compile(struct worker* worker, struct stats_info* s, int reset) { int i; + struct listen_list* lp; s->svr = worker->stats; s->mesh_num_states = worker->env.mesh->all.count; @@ -174,6 +176,13 @@ server_stats_compile(struct worker* worker, struct stats_info* s, int reset) s->svr.key_cache_count = count_slabhash_entries(worker->env.key_cache->slab); else s->svr.key_cache_count = 0; + /* get tcp accept usage */ + s->svr.tcp_accept_usage = 0; + for(lp = worker->front->cps; lp; lp = lp->next) { + if(lp->com->type == comm_tcp_accept) + s->svr.tcp_accept_usage += lp->com->cur_tcp_count; + } + if(reset && !worker->env.cfg->stat_cumulative) { worker_stats_clear(worker); } @@ -247,6 +256,7 @@ void server_stats_add(struct stats_info* total, struct stats_info* a) total->svr.rrset_bogus += a->svr.rrset_bogus; total->svr.unwanted_replies += a->svr.unwanted_replies; total->svr.unwanted_queries += a->svr.unwanted_queries; + total->svr.tcp_accept_usage += a->svr.tcp_accept_usage; for(i=0; i<STATS_QTYPE_NUM; i++) total->svr.qtype[i] += a->svr.qtype[i]; for(i=0; i<STATS_QCLASS_NUM; i++) diff --git a/contrib/unbound/daemon/stats.h b/contrib/unbound/daemon/stats.h index 5ea00a0..6985446 100644 --- a/contrib/unbound/daemon/stats.h +++ b/contrib/unbound/daemon/stats.h @@ -129,6 +129,8 @@ struct server_stats { size_t unwanted_replies; /** unwanted traffic received on client-facing ports */ size_t unwanted_queries; + /** usage of tcp accept list */ + size_t tcp_accept_usage; /** histogram data exported to array * if the array is the same size, no data is lost, and diff --git a/contrib/unbound/daemon/worker.c b/contrib/unbound/daemon/worker.c index 5edc21d..79aec4d 100644 --- a/contrib/unbound/daemon/worker.c +++ b/contrib/unbound/daemon/worker.c @@ -71,7 +71,7 @@ #include "validator/val_anchor.h" #include "libunbound/context.h" #include "libunbound/libworker.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" #ifdef HAVE_SYS_TYPES_H # include <sys/types.h> @@ -86,6 +86,8 @@ /** Size of an UDP datagram */ #define NORMAL_UDP_SIZE 512 /* bytes */ +/** ratelimit for error responses */ +#define ERROR_RATELIMIT 100 /* qps */ /** * seconds to add to prefetch leeway. This is a TTL that expires old rrsets @@ -291,6 +293,26 @@ worker_handle_service_reply(struct comm_point* c, void* arg, int error, return 0; } +/** ratelimit error replies + * @param worker: the worker struct with ratelimit counter + * @param err: error code that would be wanted. + * @return value of err if okay, or -1 if it should be discarded instead. + */ +static int +worker_err_ratelimit(struct worker* worker, int err) +{ + if(worker->err_limit_time == *worker->env.now) { + /* see if limit is exceeded for this second */ + if(worker->err_limit_count++ > ERROR_RATELIMIT) + return -1; + } else { + /* new second, new limits */ + worker->err_limit_time = *worker->env.now; + worker->err_limit_count = 1; + } + return err; +} + /** check request sanity. * @param pkt: the wire packet to examine for sanity. * @param worker: parameters for checking. @@ -315,32 +337,32 @@ worker_check_request(sldns_buffer* pkt, struct worker* worker) if(LDNS_TC_WIRE(sldns_buffer_begin(pkt))) { LDNS_TC_CLR(sldns_buffer_begin(pkt)); verbose(VERB_QUERY, "request bad, has TC bit on"); - return LDNS_RCODE_FORMERR; + return worker_err_ratelimit(worker, LDNS_RCODE_FORMERR); } if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) { verbose(VERB_QUERY, "request unknown opcode %d", LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt))); - return LDNS_RCODE_NOTIMPL; + return worker_err_ratelimit(worker, LDNS_RCODE_NOTIMPL); } if(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1) { verbose(VERB_QUERY, "request wrong nr qd=%d", LDNS_QDCOUNT(sldns_buffer_begin(pkt))); - return LDNS_RCODE_FORMERR; + return worker_err_ratelimit(worker, LDNS_RCODE_FORMERR); } if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) != 0) { verbose(VERB_QUERY, "request wrong nr an=%d", LDNS_ANCOUNT(sldns_buffer_begin(pkt))); - return LDNS_RCODE_FORMERR; + return worker_err_ratelimit(worker, LDNS_RCODE_FORMERR); } if(LDNS_NSCOUNT(sldns_buffer_begin(pkt)) != 0) { verbose(VERB_QUERY, "request wrong nr ns=%d", LDNS_NSCOUNT(sldns_buffer_begin(pkt))); - return LDNS_RCODE_FORMERR; + return worker_err_ratelimit(worker, LDNS_RCODE_FORMERR); } if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) { verbose(VERB_QUERY, "request wrong nr ar=%d", LDNS_ARCOUNT(sldns_buffer_begin(pkt))); - return LDNS_RCODE_FORMERR; + return worker_err_ratelimit(worker, LDNS_RCODE_FORMERR); } return 0; } @@ -546,7 +568,7 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo, if(rep->an_numrrsets > 0 && (rep->rrsets[0]->rk.type == htons(LDNS_RR_TYPE_CNAME) || rep->rrsets[0]->rk.type == htons(LDNS_RR_TYPE_DNAME))) { - if(!reply_check_cname_chain(rep)) { + if(!reply_check_cname_chain(qinfo, rep)) { /* cname chain invalid, redo iterator steps */ verbose(VERB_ALGO, "Cache reply: cname chain broken"); bail_out: @@ -813,6 +835,10 @@ worker_handle_request(struct comm_point* c, void* arg, int error, if(!query_info_parse(&qinfo, c->buffer)) { verbose(VERB_ALGO, "worker parse request: formerror."); log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); + if(worker_err_ratelimit(worker, LDNS_RCODE_FORMERR) == -1) { + comm_point_drop_reply(repinfo); + return 0; + } sldns_buffer_rewind(c->buffer); LDNS_QR_SET(sldns_buffer_begin(c->buffer)); LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), diff --git a/contrib/unbound/daemon/worker.h b/contrib/unbound/daemon/worker.h index ff69bc1..6361343 100644 --- a/contrib/unbound/daemon/worker.h +++ b/contrib/unbound/daemon/worker.h @@ -103,6 +103,10 @@ struct worker { struct comm_point* cmd_com; /** timer for statistics */ struct comm_timer* stat_timer; + /** ratelimit for errors, time value */ + time_t err_limit_time; + /** ratelimit for errors, packet count */ + unsigned int err_limit_count; /** random() table for this worker. */ struct ub_randstate* rndstate; diff --git a/contrib/unbound/dns64/dns64.c b/contrib/unbound/dns64/dns64.c index eaaa26f..63cc808 100644 --- a/contrib/unbound/dns64/dns64.c +++ b/contrib/unbound/dns64/dns64.c @@ -590,6 +590,10 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk, * for the RRs themselves. Each RR has a length, TTL, pointer to wireformat * data, 2 bytes of data length, and 16 bytes of IPv6 address. */ + if(fd->count > RR_COUNT_MAX) { + *dd_out = NULL; + return; /* integer overflow protection in alloc */ + } if (!(dd = *dd_out = regional_alloc(region, sizeof(struct packed_rrset_data) + fd->count * (sizeof(size_t) + sizeof(time_t) + @@ -713,6 +717,8 @@ dns64_adjust_a(int id, struct module_qstate* super, struct module_qstate* qstate if(i<rep->an_numrrsets && fk->rk.type == htons(LDNS_RR_TYPE_A)) { /* also sets dk->entry.hash */ dns64_synth_aaaa_data(fk, fd, dk, &dd, super->region, dns64_env); + if(!dd) + return; /* Delete negative AAAA record from cache stored by * the iterator module */ rrset_cache_remove(super->env->rrset_cache, dk->rk.dname, diff --git a/contrib/unbound/dnstap/dnstap.c b/contrib/unbound/dnstap/dnstap.c index b2dc053..b62dc5b 100644 --- a/contrib/unbound/dnstap/dnstap.c +++ b/contrib/unbound/dnstap/dnstap.c @@ -39,7 +39,7 @@ #include "config.h" #include <string.h> #include <sys/time.h> -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" #include "util/config_file.h" #include "util/net_help.h" #include "util/netevent.h" diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog index a1c2f76..3f3b245 100644 --- a/contrib/unbound/doc/Changelog +++ b/contrib/unbound/doc/Changelog @@ -1,6 +1,253 @@ +28 September 2015: Wouter + - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution + failures. + - tag for 1.5.5rc1 release. + - makedist.sh: pgp sig echo commands. + +25 September 2015: Wouter + - Fix unbound-control flush that does not succeed in removing data. + +22 September 2015: Wouter + - Fix config globbed include chroot treatment, this fixes reload of + globs (patch from Dag-Erling Smørgrav). + - iana portlist update. + - Fix #702: New IPs for for h.root-servers.net. + - Remove confusion comment from canonical_compare() function. + - Fix #705: ub_ctx_set_fwd() return value mishandled on windows. + - testbound selftest also works in non-debug mode. + - Fix minor error in unbound.conf.5.in + - Fix unbound.conf(5) access-control description for precedence + and default. + +31 August 2015: Wouter + - changed windows setup compression to be more transparent. + +28 August 2015: Wouter + - Fix #697: Get PY_MAJOR_VERSION failure at configure for python + 2.4 to 2.6. + - Feature #699: --enable-pie option to that builds PIE binary. + - Feature #700: --enable-relro-now option that enables full read-only + relocation. + +24 August 2015: Wouter + - Fix deadlock for local data add and zone add when unbound-control + list_local_data printout is interrupted. + - iana portlist update. + - Change default of harden-algo-downgrade to off. This is lenient + for algorithm rollover. + +13 August 2015: Wouter + - 5011 implementation does not insist on all algorithms, when + harden-algo-downgrade is turned off. + - Reap the child process that libunbound spawns. + +11 August 2015: Wouter + - Fix #694: configure script does not detect LibreSSL 2.2.2 + +4 August 2015: Wouter + - Document that local-zone nodefault matches exactly and transparent + can be used to release a subzone. + +3 August 2015: Wouter + - Document in the manual more text about configuring locally served + zones. + - Fix 5011 anchor update timer after reload. + - Fix mktime in unbound-anchor not using UTC. + +30 July 2015: Wouter + - please afl-gcc (llvm) for uninitialised variable warning. + - Added permit-small-holddown config to debug fast 5011 rollover. + +24 July 2015: Wouter + - Fix #690: Reload fails when so-reuseport is yes after changing + num-threads. + - iana portlist update. + +21 July 2015: Wouter + - Fix configure to detect SSL_CTX_set_ecdh_auto. + - iana portlist update. + +20 July 2015: Wouter + - Enable ECDHE for servers. Where available, use + SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to + enable ECDHE. Otherwise, manually offer curve p256. + Client connections should automatically use ECDHE when available. + (thanks Daniel Kahn Gillmor) + +18 July 2015: Willem + - Allow certificate chain files to allow for intermediate certificates. + (thanks Daniel Kahn Gillmor) + +13 July 2015: Wouter + - makedist produces sha1 and sha256 files for created binaries too. + +9 July 2015: Wouter + - 1.5.4 release tag + - trunk has 1.5.5 in development. + - Fix #681: Setting forwarders with unbound-control forward + implicitly turns on forward-first. + +29 June 2015: Wouter + - iana portlist update. + - Fix alloc with log for allocation size checks. + +26 June 2015: Wouter + - Fix #677 Fix DNAME responses from cache that failed internal chain + test. + - iana portlist update. + +22 June 2015: Wouter + - Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly + and was therefore always synthesized (thanks to Valentin Dietrich). + +4 June 2015: Wouter + - RFC 7553 RR type URI support, is now enabled by default. + +2 June 2015: Wouter + - Fix #674: Do not free pointers given by getenv. + +29 May 2015: Wouter + - Fix that unparseable error responses are ratelimited. + - SOA negative TTL is capped at minimumttl in its rdata section. + - cache-max-negative-ttl config option, default 3600. + +26 May 2015: Wouter + - Document that ratelimit works with unbound-control set_option. + +21 May 2015: Wouter + - iana portlist update. + - documentation proposes ratelimit of 1000 (closer to what upstream + servers expect from us). + +20 May 2015: Wouter + - DLV is going to be decommissioned. Advice to stop using it, and + put text in the example configuration and man page to that effect. + +10 May 2015: Wouter + - Change syntax of particular validator error to be easier for + machine parse, swap rrset and ip adres info so it looks like: + validation failure <www.example.nl. TXT IN>: signature crypto + failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN> + +1 May 2015: Wouter + - caps-whitelist in unbound.conf allows whitelist of loadbalancers + that cannot work with caps-for-id or its fallback. + +30 April 2015: Wouter + - Unit test for type ANY synthesis. + +22 April 2015: Wouter + - Removed contrib/unbound_unixsock.diff, because it has been + integrated, use control-interface: /path in unbound.conf. + - iana portlist update. + +17 April 2015: Wouter + - Synthesize ANY responses from cache. Does not search exhaustively, + but MX,A,AAAA,SOA,NS also CNAME. + - Fix leaked dns64prefix configuration string. + +16 April 2015: Wouter + - Add local-zone type inform_deny, that logs query and drops answer. + - Ratelimit does not apply to prefetched queries, and ratelimit-factor + is default 10. Repeated normal queries get resolved and with + prefetch stay in the cache. + - Fix bug#664: libunbound python3 related fixes (from Tomas Hozza) + Use print_function also for Python2. + libunbound examples: produce sorted output. + libunbound-Python: libldns is not used anymore. + Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns. + +10 April 2015: Wouter + - unbound-control ratelimit_list lists high rate domains. + - ratelimit feature, ratelimit: 100, or some sensible qps, can be + used to turn it on. It ratelimits recursion effort per zone. + For particular names you can configure exceptions in unbound.conf. + - Fix that get_option for cache-sizes does not print double newline. + - Fix#663: ssl handshake fails when using unix socket because dh size + is too small. + +8 April 2015: Wouter + - Fix crash in dnstap: Do not try to log TCP responses after timeout. + +7 April 2015: Wouter + - Libunbound skips dos-line-endings from etc/hosts. + - Unbound exits with a fatal error when the auto-trust-anchor-file + fails to be writable. This is seconds after startup. You can + load a readonly auto-trust-anchor-file with trust-anchor-file. + The file has to be writable to notice the trust anchor change, + without it, a trust anchor change will be unnoticed and the system + will then become inoperable. + - unbound-control list_insecure command shows the negative trust + anchors currently configured, patch from Jelte Jansen. + +2 April 2015: Wouter + - Fix #660: Fix interface-automatic broken in the presence of + asymmetric routing. + +26 March 2015: Wouter + - remote.c probedelay line is easier to read. + - rename ldns subdirectory to sldns to avoid name collision. + +25 March 2015: Wouter + - Fix #657: libunbound(3) recommends deprecated + CRYPTO_set_id_callback. + - If unknown trust anchor algorithm, and libressl is used, error + message encourages upgrade of the libressl package. + 23 March 2015: Wouter - Fix segfault on user not found at startup (from Maciej Soltysiak). +20 March 2015: Wouter + - Fixed to add integer overflow checks on allocation (defense in depth). + +19 March 2015: Wouter + - Add ip-transparent config option for bind to non-local addresses. + +17 March 2015: Wouter + - Use reallocarray for integer overflow protection, patch submitted + by Loganaden Velvindron. + +16 March 2015: Wouter + - Fixup compile on cygwin, more portable openssl thread id. + +12 March 2015: Wouter + - Updated default keylength in unbound-control-setup to 3k. + +10 March 2015: Wouter + - Fix lintian warning in unbound-checkconf man page (from Andreas + Schulze). + - print svnroot when building windows dist. + - iana portlist update. + - Fix warning on sign compare in getentropy_linux. + +9 March 2015: Wouter + - Fix #644: harden-algo-downgrade option, if turned off, fixes the + reported excessive validation failure when multiple algorithms + are present. It allows the weakest algorithm to validate the zone. + - iana portlist update. + +5 March 2015: Wouter + - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal + scripts. Contributed by Yuri Voinov. + - Document that incoming-num-tcp increase is good for large servers. + - stats reports tcp usage, of incoming-num-tcp buffers. + +4 March 2015: Wouter + - Patch from Brad Smith that syncs compat/getentropy_linux with + OpenBSD's version (2015-03-04). + - 0x20 fallback improved: servfail responses do not count as missing + comparisons (except if all responses are errors), + inability to find nameservers does not fail equality comparisons, + many nameservers does not try to compare more than max-sent-count, + parse failures start 0x20 fallback procedure. + - store caps_response with best response in case downgrade response + happens to be the last one. + - Document windows 8 tests. + +3 March 2015: Wouter + - tag 1.5.3rc1 + [ This became 1.5.3 on 10 March, trunk is 1.5.4 in development ] + 2 March 2015: Wouter - iana portlist update. diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README index f3530d6..c8bddcc 100644 --- a/contrib/unbound/doc/README +++ b/contrib/unbound/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.5.3 +README for Unbound 1.5.5 Copyright 2007 NLnet Labs http://unbound.net diff --git a/contrib/unbound/doc/example.conf b/contrib/unbound/doc/example.conf index acb553b..87bbebe 100644 --- a/contrib/unbound/doc/example.conf +++ b/contrib/unbound/doc/example.conf @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.5.3. +# See unbound.conf(5) man page, version 1.5.5. # # this is a comment. @@ -87,6 +87,10 @@ server: # use SO_REUSEPORT to distribute queries over threads. # so-reuseport: no + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # ip-transparent: no # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). @@ -135,6 +139,9 @@ server: # cache. Items are not cached for longer. In seconds. # cache-max-ttl: 86400 + # the time to live (TTL) value cap for negative responses in the cache + # cache-max-negative-ttl: 3600 + # the time to live (TTL) value for cached roundtrip times, lameness and # EDNS version information for hosts. In seconds. # infra-host-ttl: 900 @@ -284,9 +291,18 @@ server: # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. # harden-referral-path: no + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. If no, allows the weakest algorithm + # to validate the zone. + # harden-algo-downgrade: no + # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. # use-caps-for-id: no + + # Domains (and domains in them) without support for dns-0x20 and + # the fallback fails because they keep sending different answers. + # caps-whitelist: "licdn.com" # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. @@ -349,7 +365,7 @@ server: # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. - # Download http://ftp.isc.org/www/dlv/dlv.isc.org.key + # DLV is going to be decommissioned. Please do not use it any more. # dlv-anchor-file: "dlv.isc.org.key" # File with trusted keys for validation. Specify more than one file @@ -428,6 +444,9 @@ server: # If the value 0 is given, missing anchors are not removed. # keep-missing: 31622400 # 366 days + # debug option that allows very small holddown times for key rollover + # permit-small-holddown: no + # the amount of memory to use for the key cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # key-cache-size: 4m @@ -501,6 +520,7 @@ server: # o nodefault can be used to normally resolve AS112 zones. # o typetransparent resolves normally for other types and other names # o inform resolves normally, but logs client IP address + # o inform_deny drops queries and logs client IP address # # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones @@ -542,6 +562,26 @@ server: # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 + # ratelimit for uncached, new queries, this limits recursion effort. + # ratelimiting is experimental, and may help against randomqueryflood. + # if 0(default) it is disabled, otherwise state qps allowed per zone. + # ratelimit: 0 + + # ratelimits are tracked in a cache, size in bytes of cache (or k,m). + # ratelimit-size: 4m + # ratelimit cache slabs, reduces lock contention if equal to cpucount. + # ratelimit-slabs: 4 + + # 0 blocks when ratelimited, otherwise let 1/xth traffic through + # ratelimit-factor: 10 + + # override the ratelimit for a specific domain name. + # give this setting multiple times to have multiple overrides. + # ratelimit-for-domain: example.com 1000 + # override the ratelimits for all domains below a domain name + # can give this multiple times, the name closest to the zone is used. + # ratelimit-below-domain: example 1000 + # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. # o list python in the module-config string (above) to enable. @@ -586,6 +626,8 @@ remote-control: # nameservers by hostname or by ipaddress. If you set stub-prime to yes, # the list is treated as priming hints (default is no). # With stub-first yes, it attempts without the stub if it fails. +# Consider adding domain-insecure: name and local-zone: name nodefault +# to the server: section if the stub is a locally served zone. # stub-zone: # name: "example.com" # stub-addr: 192.0.2.68 diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in index 60ed5c8..399aa80 100644 --- a/contrib/unbound/doc/example.conf.in +++ b/contrib/unbound/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.5.3. +# See unbound.conf(5) man page, version 1.5.5. # # this is a comment. @@ -87,6 +87,10 @@ server: # use SO_REUSEPORT to distribute queries over threads. # so-reuseport: no + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # ip-transparent: no # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). @@ -135,6 +139,9 @@ server: # cache. Items are not cached for longer. In seconds. # cache-max-ttl: 86400 + # the time to live (TTL) value cap for negative responses in the cache + # cache-max-negative-ttl: 3600 + # the time to live (TTL) value for cached roundtrip times, lameness and # EDNS version information for hosts. In seconds. # infra-host-ttl: 900 @@ -284,9 +291,18 @@ server: # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. # harden-referral-path: no + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. If no, allows the weakest algorithm + # to validate the zone. + # harden-algo-downgrade: no + # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. # use-caps-for-id: no + + # Domains (and domains in them) without support for dns-0x20 and + # the fallback fails because they keep sending different answers. + # caps-whitelist: "licdn.com" # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. @@ -349,7 +365,7 @@ server: # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. - # Download http://ftp.isc.org/www/dlv/dlv.isc.org.key + # DLV is going to be decommissioned. Please do not use it any more. # dlv-anchor-file: "dlv.isc.org.key" # File with trusted keys for validation. Specify more than one file @@ -428,6 +444,9 @@ server: # If the value 0 is given, missing anchors are not removed. # keep-missing: 31622400 # 366 days + # debug option that allows very small holddown times for key rollover + # permit-small-holddown: no + # the amount of memory to use for the key cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # key-cache-size: 4m @@ -501,6 +520,7 @@ server: # o nodefault can be used to normally resolve AS112 zones. # o typetransparent resolves normally for other types and other names # o inform resolves normally, but logs client IP address + # o inform_deny drops queries and logs client IP address # # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones @@ -542,6 +562,26 @@ server: # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 + # ratelimit for uncached, new queries, this limits recursion effort. + # ratelimiting is experimental, and may help against randomqueryflood. + # if 0(default) it is disabled, otherwise state qps allowed per zone. + # ratelimit: 0 + + # ratelimits are tracked in a cache, size in bytes of cache (or k,m). + # ratelimit-size: 4m + # ratelimit cache slabs, reduces lock contention if equal to cpucount. + # ratelimit-slabs: 4 + + # 0 blocks when ratelimited, otherwise let 1/xth traffic through + # ratelimit-factor: 10 + + # override the ratelimit for a specific domain name. + # give this setting multiple times to have multiple overrides. + # ratelimit-for-domain: example.com 1000 + # override the ratelimits for all domains below a domain name + # can give this multiple times, the name closest to the zone is used. + # ratelimit-below-domain: example 1000 + # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. # o list python in the module-config string (above) to enable. @@ -586,6 +626,8 @@ remote-control: # nameservers by hostname or by ipaddress. If you set stub-prime to yes, # the list is treated as priming hints (default is no). # With stub-first yes, it attempts without the stub if it fails. +# Consider adding domain-insecure: name and local-zone: name nodefault +# to the server: section if the stub is a locally served zone. # stub-zone: # name: "example.com" # stub-addr: 192.0.2.68 diff --git a/contrib/unbound/doc/libunbound.3 b/contrib/unbound/doc/libunbound.3 index a4c7945..9ef367f 100644 --- a/contrib/unbound/doc/libunbound.3 +++ b/contrib/unbound/doc/libunbound.3 @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "libunbound" "3" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -42,7 +42,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.5.3 functions. +\- Unbound DNS validating resolver 1.5.5 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP @@ -175,6 +175,7 @@ to read them. Before you call this, use the openssl functions CRYPTO_set_id_callback and CRYPTO_set_locking_callback to set up asyncronous operation if you use lib openssl (the application calls these functions once for initialisation). +Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function. .TP .B ub_ctx_delete Delete validation context and free associated resources. diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in index a4c7945..9ef367f 100644 --- a/contrib/unbound/doc/libunbound.3.in +++ b/contrib/unbound/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "libunbound" "3" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -42,7 +42,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.5.3 functions. +\- Unbound DNS validating resolver 1.5.5 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP @@ -175,6 +175,7 @@ to read them. Before you call this, use the openssl functions CRYPTO_set_id_callback and CRYPTO_set_locking_callback to set up asyncronous operation if you use lib openssl (the application calls these functions once for initialisation). +Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function. .TP .B ub_ctx_delete Delete validation context and free associated resources. diff --git a/contrib/unbound/doc/unbound-anchor.8 b/contrib/unbound/doc/unbound-anchor.8 index 3682d8f..7fbb0a7 100644 --- a/contrib/unbound/doc/unbound-anchor.8 +++ b/contrib/unbound/doc/unbound-anchor.8 @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound-anchor" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in index fb2136f..e89be5b 100644 --- a/contrib/unbound/doc/unbound-anchor.8.in +++ b/contrib/unbound/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound-anchor" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/contrib/unbound/doc/unbound-checkconf.8 b/contrib/unbound/doc/unbound-checkconf.8 index d2b659e..eaa406b 100644 --- a/contrib/unbound/doc/unbound-checkconf.8 +++ b/contrib/unbound/doc/unbound-checkconf.8 @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound-checkconf" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" @@ -31,7 +31,7 @@ The available options are: Show the version and commandline option help. .TP .B \-f -Print full pathname, with chroot applied to it. Use with the -o option. +Print full pathname, with chroot applied to it. Use with the \-o option. .TP .B \-o\fI option If given, after checking the config file the value of this option is diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in index e7db810..234a04a 100644 --- a/contrib/unbound/doc/unbound-checkconf.8.in +++ b/contrib/unbound/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound-checkconf" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" @@ -31,7 +31,7 @@ The available options are: Show the version and commandline option help. .TP .B \-f -Print full pathname, with chroot applied to it. Use with the -o option. +Print full pathname, with chroot applied to it. Use with the \-o option. .TP .B \-o\fI option If given, after checking the config file the value of this option is diff --git a/contrib/unbound/doc/unbound-control.8 b/contrib/unbound/doc/unbound-control.8 index e6228b7..5de37cf 100644 --- a/contrib/unbound/doc/unbound-control.8 +++ b/contrib/unbound/doc/unbound-control.8 @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound-control" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-control.8 -- unbound remote control manual .\" @@ -177,7 +177,8 @@ harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain, harden\-referral\-path, prefetch, prefetch\-key, log\-queries, hide\-identity, hide\-version, identity, version, val\-log\-level, val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown, -keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size. +keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size, ratelimit, +cache\-max\-ttl, cache\-min\-ttl, cache\-max\-negative\-ttl. .TP .B get_option \fIopt Get the value of the option. Give the option name without a trailing ':'. @@ -197,6 +198,9 @@ This includes the root hints in use. .B list_forwards List the forward zones in use. These are printed zone by zone to the output. .TP +.B list_insecure +List the zones with domain\-insecure. +.TP .B list_local_zones List the local zones in use. These are printed one per line with zone type. .TP @@ -252,6 +256,13 @@ port number can be set explicitly (default port is 53 (DNS)). By default the forwarder information from the config file for the root "." is used. The config file is not changed, so after a reload these changes are gone. Other forward zones from the config file are not affected by this command. +.TP +.B ratelimit_list \fR[\fI+a\fR] +List the domains that are ratelimited. Printed one per line with current +estimated qps and qps limit from config. With +a it prints all domains, not +just the ratelimited domains, with their estimated qps. The ratelimited +domains return an error for uncached (new) queries, but cached queries work +as normal. .SH "EXIT CODE" The unbound\-control program exits with status code 1 on error, 0 on success. .SH "SET UP" @@ -322,6 +333,11 @@ less than this time. Because of big outliers (usually queries to non responsive servers), the average can be bigger than the median. This median has been calculated by interpolation from a histogram. .TP +.I threadX.tcpusage +The currently held tcp buffers for incoming connections. A spot value on +the time of the request. This helps you spot if the incoming\-num\-tcp +buffers are full. +.TP .I total.num.queries summed over threads. .TP @@ -355,6 +371,9 @@ summed over threads. .I total.recursion.time.median averaged over threads. .TP +.I total.tcpusage +summed over threads. +.TP .I time.now current time in seconds since 1970. .TP diff --git a/contrib/unbound/doc/unbound-control.8.in b/contrib/unbound/doc/unbound-control.8.in index f6eae24..eefd207 100644 --- a/contrib/unbound/doc/unbound-control.8.in +++ b/contrib/unbound/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound-control" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-control.8 -- unbound remote control manual .\" @@ -177,7 +177,8 @@ harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain, harden\-referral\-path, prefetch, prefetch\-key, log\-queries, hide\-identity, hide\-version, identity, version, val\-log\-level, val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown, -keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size. +keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size, ratelimit, +cache\-max\-ttl, cache\-min\-ttl, cache\-max\-negative\-ttl. .TP .B get_option \fIopt Get the value of the option. Give the option name without a trailing ':'. @@ -197,6 +198,9 @@ This includes the root hints in use. .B list_forwards List the forward zones in use. These are printed zone by zone to the output. .TP +.B list_insecure +List the zones with domain\-insecure. +.TP .B list_local_zones List the local zones in use. These are printed one per line with zone type. .TP @@ -252,6 +256,13 @@ port number can be set explicitly (default port is 53 (DNS)). By default the forwarder information from the config file for the root "." is used. The config file is not changed, so after a reload these changes are gone. Other forward zones from the config file are not affected by this command. +.TP +.B ratelimit_list \fR[\fI+a\fR] +List the domains that are ratelimited. Printed one per line with current +estimated qps and qps limit from config. With +a it prints all domains, not +just the ratelimited domains, with their estimated qps. The ratelimited +domains return an error for uncached (new) queries, but cached queries work +as normal. .SH "EXIT CODE" The unbound\-control program exits with status code 1 on error, 0 on success. .SH "SET UP" @@ -322,6 +333,11 @@ less than this time. Because of big outliers (usually queries to non responsive servers), the average can be bigger than the median. This median has been calculated by interpolation from a histogram. .TP +.I threadX.tcpusage +The currently held tcp buffers for incoming connections. A spot value on +the time of the request. This helps you spot if the incoming\-num\-tcp +buffers are full. +.TP .I total.num.queries summed over threads. .TP @@ -355,6 +371,9 @@ summed over threads. .I total.recursion.time.median averaged over threads. .TP +.I total.tcpusage +summed over threads. +.TP .I time.now current time in seconds since 1970. .TP diff --git a/contrib/unbound/doc/unbound-host.1 b/contrib/unbound/doc/unbound-host.1 index bda99ce..d600ee6 100644 --- a/contrib/unbound/doc/unbound-host.1 +++ b/contrib/unbound/doc/unbound-host.1 @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound\-host" "1" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/contrib/unbound/doc/unbound-host.1.in b/contrib/unbound/doc/unbound-host.1.in index 9129bea..a4742d7 100644 --- a/contrib/unbound/doc/unbound-host.1.in +++ b/contrib/unbound/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound\-host" "1" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/contrib/unbound/doc/unbound.8 b/contrib/unbound/doc/unbound.8 index 8609a0a..3935e61 100644 --- a/contrib/unbound/doc/unbound.8 +++ b/contrib/unbound/doc/unbound.8 @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.5.3. +\- Unbound DNS validating resolver 1.5.5. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/contrib/unbound/doc/unbound.8.in b/contrib/unbound/doc/unbound.8.in index 7242469..df9baa0 100644 --- a/contrib/unbound/doc/unbound.8.in +++ b/contrib/unbound/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.5.3. +\- Unbound DNS validating resolver 1.5.5. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/contrib/unbound/doc/unbound.conf.5 b/contrib/unbound/doc/unbound.conf.5 index c2637aa..990a0a6 100644 --- a/contrib/unbound/doc/unbound.conf.5 +++ b/contrib/unbound/doc/unbound.conf.5 @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound.conf" "5" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -164,12 +164,14 @@ By default only ports above 1024 that have not been assigned by IANA are used. Give a port number or a range of the form "low\-high", without spaces. .TP .B outgoing\-num\-tcp: \fI<number> -Number of outgoing TCP buffers to allocate per thread. Default is 10. If set -to 0, or if do\-tcp is "no", no TCP queries to authoritative servers are done. +Number of outgoing TCP buffers to allocate per thread. Default is 10. If +set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers +are done. For larger installations increasing this value is a good idea. .TP .B incoming\-num\-tcp: \fI<number> -Number of incoming TCP buffers to allocate per thread. Default is 10. If set -to 0, or if do\-tcp is "no", no TCP queries from clients are accepted. +Number of incoming TCP buffers to allocate per thread. Default is +10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are +accepted. For larger installations increasing this value is a good idea. .TP .B edns\-buffer\-size: \fI<number> Number of bytes size to advertise as the EDNS reassembly buffer size. @@ -265,6 +267,16 @@ it then attempts to open the port and passes the option if it was available at compile time, if that works it is used, if it fails, it continues silently (unless verbosity 3) without the option. .TP +.B ip\-transparent: \fI<yes or no> +If yes, then use IP_TRANSPARENT socket option on sockets where unbound +is listening for incoming traffic. Default no. Allows you to bind to +non\-local interfaces. For example for non\-existant IP addresses that +are going to exist later on, with host failover configuration. This is +a lot like interface\-automatic, but that one services all interfaces +and with this option you can select which (future) interfaces unbound +provides service on. This option needs unbound to be started with root +permissions on some systems. +.TP .B rrset\-cache\-size: \fI<number> Number of bytes size of the RRset cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes @@ -284,12 +296,16 @@ trust (very large) TTL values. .TP .B cache\-min\-ttl: \fI<seconds> Time to live minimum for RRsets and messages in the cache. Default is 0. -If the the minimum kicks in, the data is cached for longer than the domain +If the minimum kicks in, the data is cached for longer than the domain owner intended, and thus less queries are made to look up the data. Zero makes sure the data in the cache is as the domain owner intended, higher values, especially more than an hour or so, can lead to trouble as the data in the cache does not match up with the actual data any more. .TP +.B cache\-max\-negative\-ttl: \fI<seconds> +Time to live maximum for negative responses, these have a SOA in the +authority section that is limited in time. Default is 3600. +.TP .B infra\-host\-ttl: \fI<seconds> Time to live for entries in the host cache. The host cache contains roundtrip timing, lameness and EDNS support information. Default is 900. @@ -357,6 +373,7 @@ a daemon. Default is yes. The netblock is given as an IP4 or IP6 address with /size appended for a classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, \fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. +The most specific netblock match is used, if none match \fIdeny\fR is used. .IP The action \fIdeny\fR stops queries from hosts from that netblock. .IP @@ -464,7 +481,7 @@ kill \-HUP `cat /var/unbound/unbound.pid` .fi triggers a reload, .nf -kill \-QUIT `cat /var/unbound/unbound.pid` +kill \-TERM `cat /var/unbound/unbound.pid` .fi gracefully terminates. .TP @@ -548,6 +565,13 @@ extra query load that is generated. Experimental option. If you enable it consider adding more numbers after the target\-fetch\-policy to increase the max depth that is checked to. .TP +.B harden\-algo\-downgrade: \fI<yes or no> +Harden against algorithm downgrade when multiple algorithms are +advertised in the DS record. If no, allows the weakest algorithm to +validate the zone. Default is no. Zone signers must produce zones +that allow this feature to work, but sometimes they do not, and turning +this option off avoids that validation failure. +.TP .B use\-caps\-for\-id: \fI<yes or no> Use 0x20\-encoded random bits in the query to foil spoof attempts. This perturbs the lowercase and uppercase of query names sent to @@ -555,6 +579,12 @@ authority servers and checks if the reply still has the correct casing. Disabled by default. This feature is an experimental implementation of draft dns\-0x20. .TP +.B caps\-whitelist: \fI<domain> +Whitelist the domain so that it does not receive caps\-for\-id perturbed +queries. For domains that do not support 0x20 and also fail with fallback +because they keep sending different answers, like some load balancers. +Can be given multiple times, for different domains. +.TP .B private\-address: \fI<IP address or subnet> Give IPv4 of IPv6 addresses or classless subnets. These are addresses on your private network, and are not allowed to be returned for public @@ -655,14 +685,19 @@ It is possible to use wildcards with this statement, the wildcard is expanded on start and on reload. .TP .B dlv\-anchor\-file: \fI<filename> +This option was used during early days DNSSEC deployment when no parent-side +DS record registrations were easily available. Nowadays, it is best to have +DS records registered with the parent zone (many top level zones are signed). File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and DNSKEY entries can be used in the file, in the same format as for \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more would be slow. The DLV configured is used as a root trusted DLV, this means that it is a lookaside for the root. Default is "", or no dlv anchor file. +DLV is going to be decommissioned. Please do not use it any more. .TP .B dlv\-anchor: \fI<"Resource Record"> Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline. +DLV is going to be decommissioned. Please do not use it any more. .TP .B domain\-insecure: \fI<domain name> Sets domain name to be insecure, DNSSEC chain of trust is ignored towards @@ -767,6 +802,10 @@ mechanism work with zones that perform regular (non\-5011) rollovers. The default is 366 days. The value 0 does not remove missing anchors, as per the RFC. .TP +.B permit\-small\-holddown: \fI<yes or no> +Debug option that allows the autotrust 5011 rollover timers to assume +very small values. Default is no. +.TP .B key\-cache\-size: \fI<number> Number of bytes size of the key cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes @@ -796,10 +835,10 @@ data leakage about the local network to the upstream DNS servers. .B local\-zone: \fI<zone> <type> Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, -transparent, redirect, nodefault, typetransparent, inform, and are explained -below. After that the default settings are listed. Use local\-data: to -enter data into the local zone. Answers for local zones are authoritative -DNS answers. By default the zones are class IN. +transparent, redirect, nodefault, typetransparent, inform, inform_deny, +and are explained below. After that the default settings are listed. Use +local\-data: to enter data into the local zone. Answers for local zones +are authoritative DNS answers. By default the zones are class IN. .IP If you need more complicated authoritative data, with referrals, wildcards, CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for @@ -853,11 +892,16 @@ info: zonename inform IP@port queryname type class. This option can be used for normal resolution, but machines looking up infected names are logged, eg. to run antivirus on them. .TP 10 +\h'5'\fIinform_deny\fR +The query is dropped, like 'deny', and logged, like 'inform'. Ie. find +infected machines without answering the queries. +.TP 10 \h'5'\fInodefault\fR Used to turn off default contents for AS112 zones. The other types also turn off default contents for the zone. The 'nodefault' option has no other effect than turning off default contents for the -given zone. +given zone. Use \fInodefault\fR if you use exactly that zone, if you want to +use a subzone, use \fItransparent\fR. .P The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112 zones. The AS112 zones are reverse DNS zones for private use and reserved @@ -959,6 +1003,51 @@ it as detailed in the stub zone section below. Configure local data shorthand for a PTR record with the reversed IPv4 or IPv6 address and the host name. For example "192.0.2.4 www.example.com". TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" +.TP 5 +.B ratelimit: \fI<number or 0> +Enable ratelimiting of queries sent to nameserver for performing recursion. +If 0, the default, it is disabled. This option is experimental at this time. +The ratelimit is in queries per second that are allowed. More queries are +turned away with an error (servfail). This stops recursive floods, eg. random +query names, but not spoofed reflection floods. Cached responses are not +ratelimited by this setting. The zone of the query is determined by examining +the nameservers for it, the zone name is used to keep track of the rate. +For example, 1000 may be a suitable value to stop the server from being +overloaded with random names, and keeps unbound from sending traffic to the +nameservers for those zones. +.TP 5 +.B ratelimit\-size: \fI<memory size> +Give the size of the data structure in which the current ongoing rates are +kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga). +The ratelimit structure is small, so this data structure likely does +not need to be large. +.TP 5 +.B ratelimit\-slabs: \fI<number> +Give power of 2 number of slabs, this is used to reduce lock contention +in the ratelimit tracking data structure. Close to the number of cpus is +a fairly good setting. +.TP 5 +.B ratelimit\-factor: \fI<number> +Set the amount of queries to rate limit when the limit is exceeded. +If set to 0, all queries are dropped for domains where the limit is +exceeded. If set to another value, 1 in that number is allowed through +to complete. Default is 10, allowing 1/10 traffic to flow normally. +This can make ordinary queries complete (if repeatedly queried for), +and enter the cache, whilst also mitigiting the traffic flow by the +factor given. +.TP 5 +.B ratelimit\-for\-domain: \fI<domain> <number qps> +Override the global ratelimit for an exact match domain name with the listed +number. You can give this for any number of names. For example, for +a top\-level\-domain you may want to have a higher limit than other names. +.TP 5 +.B ratelimit\-below\-domain: \fI<domain> <number qps> +Override the global ratelimit for a domain name that ends in this name. +You can give this multiple times, it then describes different settings +in different parts of the namespace. The closest matching suffix is used +to determine the qps limit. The rate for the exact matching domain name +is not changed, use ratelimit\-for\-domain to set that, you might want +to use different settings for a top\-level\-domain and subdomains. .SS "Remote Control Options" In the .B remote\-control: @@ -1041,6 +1130,12 @@ bit on replies for the private zone (authoritative servers do not set the AD bit). This setup makes unbound capable of answering queries for the private zone, and can even set the AD bit ('authentic'), but the AA ('authoritative') bit is not set on these replies. +.P +Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and +for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally +served zone. The insecure clause stops DNSSEC from invalidating the +zone. The local zone nodefault (or \fItransparent\fR) clause makes the +(reverse\-) zone bypass unbound's filtering of RFC1918 zones. .TP .B name: \fI<domain name> Name of the stub zone. diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in index 9b088f3..42653a5 100644 --- a/contrib/unbound/doc/unbound.conf.5.in +++ b/contrib/unbound/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Mar 10, 2015" "NLnet Labs" "unbound 1.5.3" +.TH "unbound.conf" "5" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -164,12 +164,14 @@ By default only ports above 1024 that have not been assigned by IANA are used. Give a port number or a range of the form "low\-high", without spaces. .TP .B outgoing\-num\-tcp: \fI<number> -Number of outgoing TCP buffers to allocate per thread. Default is 10. If set -to 0, or if do\-tcp is "no", no TCP queries to authoritative servers are done. +Number of outgoing TCP buffers to allocate per thread. Default is 10. If +set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers +are done. For larger installations increasing this value is a good idea. .TP .B incoming\-num\-tcp: \fI<number> -Number of incoming TCP buffers to allocate per thread. Default is 10. If set -to 0, or if do\-tcp is "no", no TCP queries from clients are accepted. +Number of incoming TCP buffers to allocate per thread. Default is +10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are +accepted. For larger installations increasing this value is a good idea. .TP .B edns\-buffer\-size: \fI<number> Number of bytes size to advertise as the EDNS reassembly buffer size. @@ -265,6 +267,16 @@ it then attempts to open the port and passes the option if it was available at compile time, if that works it is used, if it fails, it continues silently (unless verbosity 3) without the option. .TP +.B ip\-transparent: \fI<yes or no> +If yes, then use IP_TRANSPARENT socket option on sockets where unbound +is listening for incoming traffic. Default no. Allows you to bind to +non\-local interfaces. For example for non\-existant IP addresses that +are going to exist later on, with host failover configuration. This is +a lot like interface\-automatic, but that one services all interfaces +and with this option you can select which (future) interfaces unbound +provides service on. This option needs unbound to be started with root +permissions on some systems. +.TP .B rrset\-cache\-size: \fI<number> Number of bytes size of the RRset cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes @@ -284,12 +296,16 @@ trust (very large) TTL values. .TP .B cache\-min\-ttl: \fI<seconds> Time to live minimum for RRsets and messages in the cache. Default is 0. -If the the minimum kicks in, the data is cached for longer than the domain +If the minimum kicks in, the data is cached for longer than the domain owner intended, and thus less queries are made to look up the data. Zero makes sure the data in the cache is as the domain owner intended, higher values, especially more than an hour or so, can lead to trouble as the data in the cache does not match up with the actual data any more. .TP +.B cache\-max\-negative\-ttl: \fI<seconds> +Time to live maximum for negative responses, these have a SOA in the +authority section that is limited in time. Default is 3600. +.TP .B infra\-host\-ttl: \fI<seconds> Time to live for entries in the host cache. The host cache contains roundtrip timing, lameness and EDNS support information. Default is 900. @@ -357,6 +373,7 @@ a daemon. Default is yes. The netblock is given as an IP4 or IP6 address with /size appended for a classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, \fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. +The most specific netblock match is used, if none match \fIdeny\fR is used. .IP The action \fIdeny\fR stops queries from hosts from that netblock. .IP @@ -464,7 +481,7 @@ kill \-HUP `cat @UNBOUND_PIDFILE@` .fi triggers a reload, .nf -kill \-QUIT `cat @UNBOUND_PIDFILE@` +kill \-TERM `cat @UNBOUND_PIDFILE@` .fi gracefully terminates. .TP @@ -548,6 +565,13 @@ extra query load that is generated. Experimental option. If you enable it consider adding more numbers after the target\-fetch\-policy to increase the max depth that is checked to. .TP +.B harden\-algo\-downgrade: \fI<yes or no> +Harden against algorithm downgrade when multiple algorithms are +advertised in the DS record. If no, allows the weakest algorithm to +validate the zone. Default is no. Zone signers must produce zones +that allow this feature to work, but sometimes they do not, and turning +this option off avoids that validation failure. +.TP .B use\-caps\-for\-id: \fI<yes or no> Use 0x20\-encoded random bits in the query to foil spoof attempts. This perturbs the lowercase and uppercase of query names sent to @@ -555,6 +579,12 @@ authority servers and checks if the reply still has the correct casing. Disabled by default. This feature is an experimental implementation of draft dns\-0x20. .TP +.B caps\-whitelist: \fI<domain> +Whitelist the domain so that it does not receive caps\-for\-id perturbed +queries. For domains that do not support 0x20 and also fail with fallback +because they keep sending different answers, like some load balancers. +Can be given multiple times, for different domains. +.TP .B private\-address: \fI<IP address or subnet> Give IPv4 of IPv6 addresses or classless subnets. These are addresses on your private network, and are not allowed to be returned for public @@ -655,14 +685,19 @@ It is possible to use wildcards with this statement, the wildcard is expanded on start and on reload. .TP .B dlv\-anchor\-file: \fI<filename> +This option was used during early days DNSSEC deployment when no parent-side +DS record registrations were easily available. Nowadays, it is best to have +DS records registered with the parent zone (many top level zones are signed). File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and DNSKEY entries can be used in the file, in the same format as for \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more would be slow. The DLV configured is used as a root trusted DLV, this means that it is a lookaside for the root. Default is "", or no dlv anchor file. +DLV is going to be decommissioned. Please do not use it any more. .TP .B dlv\-anchor: \fI<"Resource Record"> Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline. +DLV is going to be decommissioned. Please do not use it any more. .TP .B domain\-insecure: \fI<domain name> Sets domain name to be insecure, DNSSEC chain of trust is ignored towards @@ -767,6 +802,10 @@ mechanism work with zones that perform regular (non\-5011) rollovers. The default is 366 days. The value 0 does not remove missing anchors, as per the RFC. .TP +.B permit\-small\-holddown: \fI<yes or no> +Debug option that allows the autotrust 5011 rollover timers to assume +very small values. Default is no. +.TP .B key\-cache\-size: \fI<number> Number of bytes size of the key cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes @@ -796,10 +835,10 @@ data leakage about the local network to the upstream DNS servers. .B local\-zone: \fI<zone> <type> Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, -transparent, redirect, nodefault, typetransparent, inform, and are explained -below. After that the default settings are listed. Use local\-data: to -enter data into the local zone. Answers for local zones are authoritative -DNS answers. By default the zones are class IN. +transparent, redirect, nodefault, typetransparent, inform, inform_deny, +and are explained below. After that the default settings are listed. Use +local\-data: to enter data into the local zone. Answers for local zones +are authoritative DNS answers. By default the zones are class IN. .IP If you need more complicated authoritative data, with referrals, wildcards, CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for @@ -853,11 +892,16 @@ info: zonename inform IP@port queryname type class. This option can be used for normal resolution, but machines looking up infected names are logged, eg. to run antivirus on them. .TP 10 +\h'5'\fIinform_deny\fR +The query is dropped, like 'deny', and logged, like 'inform'. Ie. find +infected machines without answering the queries. +.TP 10 \h'5'\fInodefault\fR Used to turn off default contents for AS112 zones. The other types also turn off default contents for the zone. The 'nodefault' option has no other effect than turning off default contents for the -given zone. +given zone. Use \fInodefault\fR if you use exactly that zone, if you want to +use a subzone, use \fItransparent\fR. .P The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112 zones. The AS112 zones are reverse DNS zones for private use and reserved @@ -959,6 +1003,51 @@ it as detailed in the stub zone section below. Configure local data shorthand for a PTR record with the reversed IPv4 or IPv6 address and the host name. For example "192.0.2.4 www.example.com". TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" +.TP 5 +.B ratelimit: \fI<number or 0> +Enable ratelimiting of queries sent to nameserver for performing recursion. +If 0, the default, it is disabled. This option is experimental at this time. +The ratelimit is in queries per second that are allowed. More queries are +turned away with an error (servfail). This stops recursive floods, eg. random +query names, but not spoofed reflection floods. Cached responses are not +ratelimited by this setting. The zone of the query is determined by examining +the nameservers for it, the zone name is used to keep track of the rate. +For example, 1000 may be a suitable value to stop the server from being +overloaded with random names, and keeps unbound from sending traffic to the +nameservers for those zones. +.TP 5 +.B ratelimit\-size: \fI<memory size> +Give the size of the data structure in which the current ongoing rates are +kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga). +The ratelimit structure is small, so this data structure likely does +not need to be large. +.TP 5 +.B ratelimit\-slabs: \fI<number> +Give power of 2 number of slabs, this is used to reduce lock contention +in the ratelimit tracking data structure. Close to the number of cpus is +a fairly good setting. +.TP 5 +.B ratelimit\-factor: \fI<number> +Set the amount of queries to rate limit when the limit is exceeded. +If set to 0, all queries are dropped for domains where the limit is +exceeded. If set to another value, 1 in that number is allowed through +to complete. Default is 10, allowing 1/10 traffic to flow normally. +This can make ordinary queries complete (if repeatedly queried for), +and enter the cache, whilst also mitigiting the traffic flow by the +factor given. +.TP 5 +.B ratelimit\-for\-domain: \fI<domain> <number qps> +Override the global ratelimit for an exact match domain name with the listed +number. You can give this for any number of names. For example, for +a top\-level\-domain you may want to have a higher limit than other names. +.TP 5 +.B ratelimit\-below\-domain: \fI<domain> <number qps> +Override the global ratelimit for a domain name that ends in this name. +You can give this multiple times, it then describes different settings +in different parts of the namespace. The closest matching suffix is used +to determine the qps limit. The rate for the exact matching domain name +is not changed, use ratelimit\-for\-domain to set that, you might want +to use different settings for a top\-level\-domain and subdomains. .SS "Remote Control Options" In the .B remote\-control: @@ -1041,6 +1130,12 @@ bit on replies for the private zone (authoritative servers do not set the AD bit). This setup makes unbound capable of answering queries for the private zone, and can even set the AD bit ('authentic'), but the AA ('authoritative') bit is not set on these replies. +.P +Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and +for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally +served zone. The insecure clause stops DNSSEC from invalidating the +zone. The local zone nodefault (or \fItransparent\fR) clause makes the +(reverse\-) zone bypass unbound's filtering of RFC1918 zones. .TP .B name: \fI<domain name> Name of the stub zone. diff --git a/contrib/unbound/iterator/iter_delegpt.c b/contrib/unbound/iterator/iter_delegpt.c index b212ec0..0e251ff 100644 --- a/contrib/unbound/iterator/iter_delegpt.c +++ b/contrib/unbound/iterator/iter_delegpt.c @@ -47,8 +47,8 @@ #include "util/data/packed_rrset.h" #include "util/data/msgreply.h" #include "util/net_help.h" -#include "ldns/rrdef.h" -#include "ldns/sbuffer.h" +#include "sldns/rrdef.h" +#include "sldns/sbuffer.h" struct delegpt* delegpt_create(struct regional* region) diff --git a/contrib/unbound/iterator/iter_fwd.c b/contrib/unbound/iterator/iter_fwd.c index 0121212..0feee03 100644 --- a/contrib/unbound/iterator/iter_fwd.c +++ b/contrib/unbound/iterator/iter_fwd.c @@ -46,8 +46,8 @@ #include "util/config_file.h" #include "util/net_help.h" #include "util/data/dname.h" -#include "ldns/rrdef.h" -#include "ldns/str2wire.h" +#include "sldns/rrdef.h" +#include "sldns/str2wire.h" int fwd_cmp(const void* k1, const void* k2) diff --git a/contrib/unbound/iterator/iter_hints.c b/contrib/unbound/iterator/iter_hints.c index 57b57c2..d7f8158 100644 --- a/contrib/unbound/iterator/iter_hints.c +++ b/contrib/unbound/iterator/iter_hints.c @@ -46,9 +46,9 @@ #include "util/config_file.h" #include "util/net_help.h" #include "util/data/dname.h" -#include "ldns/rrdef.h" -#include "ldns/str2wire.h" -#include "ldns/wire2str.h" +#include "sldns/rrdef.h" +#include "sldns/str2wire.h" +#include "sldns/wire2str.h" struct iter_hints* hints_create(void) @@ -135,7 +135,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed; if(!ah(dp, "F.ROOT-SERVERS.NET.", "192.5.5.241")) goto failed; if(!ah(dp, "G.ROOT-SERVERS.NET.", "192.112.36.4")) goto failed; - if(!ah(dp, "H.ROOT-SERVERS.NET.", "128.63.2.53")) goto failed; + if(!ah(dp, "H.ROOT-SERVERS.NET.", "198.97.190.53")) goto failed; if(!ah(dp, "I.ROOT-SERVERS.NET.", "192.36.148.17")) goto failed; if(!ah(dp, "J.ROOT-SERVERS.NET.", "192.58.128.30")) goto failed; if(!ah(dp, "K.ROOT-SERVERS.NET.", "193.0.14.129")) goto failed; @@ -148,7 +148,7 @@ compile_time_root_prime(int do_ip4, int do_ip6) if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed; if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed; if(!ah(dp, "F.ROOT-SERVERS.NET.", "2001:500:2f::f")) goto failed; - if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::803f:235")) goto failed; + if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::53")) goto failed; if(!ah(dp, "I.ROOT-SERVERS.NET.", "2001:7fe::53")) goto failed; if(!ah(dp, "J.ROOT-SERVERS.NET.", "2001:503:c27::2:30")) goto failed; if(!ah(dp, "K.ROOT-SERVERS.NET.", "2001:7fd::1")) goto failed; diff --git a/contrib/unbound/iterator/iter_priv.c b/contrib/unbound/iterator/iter_priv.c index 9e09a84..90bea17 100644 --- a/contrib/unbound/iterator/iter_priv.c +++ b/contrib/unbound/iterator/iter_priv.c @@ -49,8 +49,8 @@ #include "util/data/msgparse.h" #include "util/net_help.h" #include "util/storage/dnstree.h" -#include "ldns/str2wire.h" -#include "ldns/sbuffer.h" +#include "sldns/str2wire.h" +#include "sldns/sbuffer.h" struct iter_priv* priv_create(void) { diff --git a/contrib/unbound/iterator/iter_resptype.c b/contrib/unbound/iterator/iter_resptype.c index 45f9193..f146a2b 100644 --- a/contrib/unbound/iterator/iter_resptype.c +++ b/contrib/unbound/iterator/iter_resptype.c @@ -45,8 +45,8 @@ #include "services/cache/dns.h" #include "util/net_help.h" #include "util/data/dname.h" -#include "ldns/rrdef.h" -#include "ldns/pkthdr.h" +#include "sldns/rrdef.h" +#include "sldns/pkthdr.h" enum response_type response_type_from_cache(struct dns_msg* msg, diff --git a/contrib/unbound/iterator/iter_scrub.c b/contrib/unbound/iterator/iter_scrub.c index 1c81975..cc05867 100644 --- a/contrib/unbound/iterator/iter_scrub.c +++ b/contrib/unbound/iterator/iter_scrub.c @@ -53,7 +53,7 @@ #include "util/data/dname.h" #include "util/data/msgreply.h" #include "util/alloc.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" /** RRset flag used during scrubbing. The RRset is OK. */ #define RRSET_SCRUB_OK 0x80 @@ -372,7 +372,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, /* check next cname */ uint8_t* t = NULL; size_t tlen = 0; - if(!parse_get_cname_target(rrset, &t, &tlen)) + if(!parse_get_cname_target(nx, &t, &tlen)) return 0; if(dname_pkt_compare(pkt, alias, t) == 0) { /* it's OK and better capitalized */ diff --git a/contrib/unbound/iterator/iter_utils.c b/contrib/unbound/iterator/iter_utils.c index 10ae12f..bc94ef6 100644 --- a/contrib/unbound/iterator/iter_utils.c +++ b/contrib/unbound/iterator/iter_utils.c @@ -64,7 +64,8 @@ #include "validator/val_kentry.h" #include "validator/val_utils.h" #include "validator/val_sigcrypt.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" +#include "sldns/str2wire.h" /** time when nameserver glue is said to be 'recent' */ #define SUSPICION_RECENT_EXPIRY 86400 @@ -105,6 +106,40 @@ read_fetch_policy(struct iter_env* ie, const char* str) return 1; } +/** apply config caps whitelist items to name tree */ +static int +caps_white_apply_cfg(rbtree_t* ntree, struct config_file* cfg) +{ + struct config_strlist* p; + for(p=cfg->caps_whitelist; p; p=p->next) { + struct name_tree_node* n; + size_t len; + uint8_t* nm = sldns_str2wire_dname(p->str, &len); + if(!nm) { + log_err("could not parse %s", p->str); + return 0; + } + n = (struct name_tree_node*)calloc(1, sizeof(*n)); + if(!n) { + log_err("out of memory"); + free(nm); + return 0; + } + n->node.key = n; + n->name = nm; + n->len = len; + n->labs = dname_count_labels(nm); + n->dclass = LDNS_RR_CLASS_IN; + if(!name_tree_insert(ntree, n, nm, len, n->labs, n->dclass)) { + /* duplicate element ignored, idempotent */ + free(n->name); + free(n); + } + } + name_tree_init_parents(ntree); + return 1; +} + int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) { @@ -128,6 +163,16 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) log_err("Could not set private addresses"); return 0; } + if(cfg->caps_whitelist) { + if(!iter_env->caps_white) + iter_env->caps_white = rbtree_create(name_tree_compare); + if(!iter_env->caps_white || !caps_white_apply_cfg( + iter_env->caps_white, cfg)) { + log_err("Could not set capsforid whitelist"); + return 0; + } + + } iter_env->supports_ipv6 = cfg->do_ip6; iter_env->supports_ipv4 = cfg->do_ip4; return 1; @@ -750,6 +795,12 @@ caps_strip_reply(struct reply_info* rep) } } +int caps_failed_rcode(struct reply_info* rep) +{ + return !(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR || + FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN); +} + void iter_store_parentside_rrset(struct module_env* env, struct ub_packed_rrset_key* rrset) diff --git a/contrib/unbound/iterator/iter_utils.h b/contrib/unbound/iterator/iter_utils.h index 9373487..3a4df3e 100644 --- a/contrib/unbound/iterator/iter_utils.h +++ b/contrib/unbound/iterator/iter_utils.h @@ -232,6 +232,14 @@ int reply_equal(struct reply_info* p, struct reply_info* q, struct regional* reg void caps_strip_reply(struct reply_info* rep); /** + * see if reply has a 'useful' rcode for capsforid comparison, so + * not SERVFAIL or REFUSED, and thus NOERROR or NXDOMAIN. + * @param rep: reply to check. + * @return true if the rcode is a bad type of message. + */ +int caps_failed_rcode(struct reply_info* rep); + +/** * Store parent-side rrset in seperate rrset cache entries for later * last-resort * lookups in case the child-side versions of this information * fails. diff --git a/contrib/unbound/iterator/iterator.c b/contrib/unbound/iterator/iterator.c index 2037cc8..96918fa 100644 --- a/contrib/unbound/iterator/iterator.c +++ b/contrib/unbound/iterator/iterator.c @@ -61,10 +61,11 @@ #include "util/data/msgencode.h" #include "util/fptr_wlist.h" #include "util/config_file.h" -#include "ldns/rrdef.h" -#include "ldns/wire2str.h" -#include "ldns/parseutil.h" -#include "ldns/sbuffer.h" +#include "util/random.h" +#include "sldns/rrdef.h" +#include "sldns/wire2str.h" +#include "sldns/parseutil.h" +#include "sldns/sbuffer.h" int iter_init(struct module_env* env, int id) @@ -83,6 +84,16 @@ iter_init(struct module_env* env, int id) return 1; } +/** delete caps_whitelist element */ +static void +caps_free(struct rbnode_t* n, void* ATTR_UNUSED(d)) +{ + if(n) { + free(((struct name_tree_node*)n)->name); + free(n); + } +} + void iter_deinit(struct module_env* env, int id) { @@ -93,6 +104,10 @@ iter_deinit(struct module_env* env, int id) free(iter_env->target_fetch_policy); priv_delete(iter_env->priv); donotq_delete(iter_env->donotq); + if(iter_env->caps_white) { + traverse_postorder(iter_env->caps_white, caps_free, NULL); + free(iter_env->caps_white); + } free(iter_env); env->modinfo[id] = NULL; } @@ -120,6 +135,7 @@ iter_new(struct module_qstate* qstate, int id) iq->query_restart_count = 0; iq->referral_count = 0; iq->sent_count = 0; + iq->ratelimit_ok = 0; iq->target_count = NULL; iq->wait_priming_stub = 0; iq->refetch_glue = 0; @@ -308,6 +324,8 @@ iter_prepend(struct iter_qstate* iq, struct dns_msg* msg, if(num_an + num_ns == 0) return 1; verbose(VERB_ALGO, "prepending %d rrsets", (int)num_an + (int)num_ns); + if(num_an > RR_COUNT_MAX || num_ns > RR_COUNT_MAX || + msg->rep->rrset_count > RR_COUNT_MAX) return 0; /* overflow */ sets = regional_alloc(region, (num_an+num_ns+msg->rep->rrset_count) * sizeof(struct ub_packed_rrset_key*)); if(!sets) @@ -455,6 +473,16 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq, return 1; } +/** see if target name is caps-for-id whitelisted */ +static int +is_caps_whitelisted(struct iter_env* ie, struct iter_qstate* iq) +{ + if(!ie->caps_white) return 0; /* no whitelist, or no capsforid */ + return name_tree_lookup(ie->caps_white, iq->qchase.qname, + iq->qchase.qname_len, dname_count_labels(iq->qchase.qname), + iq->qchase.qclass) != NULL; +} + /** create target count structure for this query */ static void target_count_create(struct iter_qstate* iq) @@ -1123,6 +1151,32 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, * results of priming. */ return 0; } + if(!iq->ratelimit_ok && qstate->prefetch_leeway) + iq->ratelimit_ok = 1; /* allow prefetches, this keeps + otherwise valid data in the cache */ + if(!iq->ratelimit_ok && infra_ratelimit_exceeded( + qstate->env->infra_cache, iq->dp->name, + iq->dp->namelen, *qstate->env->now)) { + /* and increment the rate, so that the rate for time + * now will also exceed the rate, keeping cache fresh */ + (void)infra_ratelimit_inc(qstate->env->infra_cache, + iq->dp->name, iq->dp->namelen, + *qstate->env->now); + /* see if we are passed through with slip factor */ + if(qstate->env->cfg->ratelimit_factor != 0 && + ub_random_max(qstate->env->rnd, + qstate->env->cfg->ratelimit_factor) == 1) { + iq->ratelimit_ok = 1; + log_nametypeclass(VERB_ALGO, "ratelimit allowed through for " + "delegation point", iq->dp->name, + LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN); + } else { + log_nametypeclass(VERB_ALGO, "ratelimit exceeded with " + "delegation point", iq->dp->name, + LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + } /* see if this dp not useless. * It is useless if: @@ -1787,11 +1841,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, * the original query is one that matched too, so we have * caps_server+1 number of matching queries now */ if(iq->caps_server+1 >= naddr*3 || - iq->caps_server+1 >= MAX_SENT_COUNT) { + iq->caps_server*2+2 >= MAX_SENT_COUNT) { + /* *2 on sentcount check because ipv6 may fail */ /* we're done, process the response */ verbose(VERB_ALGO, "0x20 fallback had %d responses " "match for %d wanted, done.", (int)iq->caps_server+1, (int)naddr*3); + iq->response = iq->caps_response; iq->caps_fallback = 0; iter_dec_attempts(iq->dp, 3); /* space for fallback */ iq->num_current_queries++; /* RespState decrements it*/ @@ -1866,6 +1922,24 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, /* Since a target query might have been made, we * need to check again. */ if(iq->num_target_queries == 0) { + /* if in capsforid fallback, instead of last + * resort, we agree with the current reply + * we have (if any) (our count of addrs bad)*/ + if(iq->caps_fallback && iq->caps_reply) { + /* we're done, process the response */ + verbose(VERB_ALGO, "0x20 fallback had %d responses, " + "but no more servers except " + "last resort, done.", + (int)iq->caps_server+1); + iq->response = iq->caps_response; + iq->caps_fallback = 0; + iter_dec_attempts(iq->dp, 3); /* space for fallback */ + iq->num_current_queries++; /* RespState decrements it*/ + iq->referral_count++; /* make sure we don't loop */ + iq->sent_count = 0; + iq->state = QUERY_RESP_STATE; + return 1; + } return processLastResort(qstate, iq, ie, id); } } @@ -1892,6 +1966,15 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, return 0; } + /* if not forwarding, check ratelimits per delegationpoint name */ + if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) { + if(!infra_ratelimit_inc(qstate->env->infra_cache, iq->dp->name, + iq->dp->namelen, *qstate->env->now)) { + verbose(VERB_ALGO, "query exceeded ratelimits"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + } + /* We have a valid target. */ if(verbosity >= VERB_QUERY) { log_query_info(VERB_QUERY, "sending query:", &iq->qchase); @@ -1906,11 +1989,15 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, iq->qchase.qname, iq->qchase.qname_len, iq->qchase.qtype, iq->qchase.qclass, iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), EDNS_DO|BIT_CD, - iq->dnssec_expected, iq->caps_fallback, &target->addr, - target->addrlen, iq->dp->name, iq->dp->namelen, qstate); + iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted( + ie, iq), &target->addr, target->addrlen, iq->dp->name, + iq->dp->namelen, qstate); if(!outq) { log_addr(VERB_DETAIL, "error sending query to auth server", &target->addr, target->addrlen); + if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) + infra_ratelimit_dec(qstate->env->infra_cache, iq->dp->name, + iq->dp->namelen, *qstate->env->now); return next_state(iq, QUERYTARGETS_STATE); } outbound_list_insert(&iq->outlist, outq); @@ -2061,6 +2148,14 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, * delegation point, and back to the QUERYTARGETS_STATE. */ verbose(VERB_DETAIL, "query response was REFERRAL"); + if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) { + /* we have a referral, no ratelimit, we can send + * our queries to the given name */ + infra_ratelimit_dec(qstate->env->infra_cache, + iq->dp->name, iq->dp->namelen, + *qstate->env->now); + } + /* if hardened, only store referral if we asked for it */ if(!qstate->env->cfg->harden_referral_path || ( qstate->qinfo.qtype == LDNS_RR_TYPE_NS @@ -2529,6 +2624,12 @@ processClassResponse(struct module_qstate* qstate, int id, /* copy appropriate rcode */ to->rep->flags = from->rep->flags; /* copy rrsets */ + if(from->rep->rrset_count > RR_COUNT_MAX || + to->rep->rrset_count > RR_COUNT_MAX) { + log_err("malloc failed (too many rrsets) in collect ANY"); + foriq->state = FINISHED_STATE; + return; /* integer overflow protection */ + } dest = regional_alloc(forq->region, sizeof(dest[0])*n); if(!dest) { log_err("malloc failed in collect ANY"); @@ -2825,6 +2926,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq, iq->caps_fallback = 1; iq->caps_server = 0; iq->caps_reply = NULL; + iq->caps_response = NULL; iq->state = QUERYTARGETS_STATE; iq->num_current_queries--; /* need fresh attempts for the 0x20 fallback, if @@ -2867,8 +2969,19 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq, /* normalize and sanitize: easy to delete items from linked lists */ if(!scrub_message(pkt, prs, &iq->qchase, iq->dp->name, - qstate->env->scratch, qstate->env, ie)) + qstate->env->scratch, qstate->env, ie)) { + /* if 0x20 enabled, start fallback, but we have no message */ + if(event == module_event_capsfail && !iq->caps_fallback) { + iq->caps_fallback = 1; + iq->caps_server = 0; + iq->caps_reply = NULL; + iq->caps_response = NULL; + iq->state = QUERYTARGETS_STATE; + iq->num_current_queries--; + verbose(VERB_DETAIL, "Capsforid: scrub failed, starting fallback with no response"); + } goto handle_it; + } /* allocate response dns_msg in region */ iq->response = dns_alloc_msg(pkt, prs, qstate->region); @@ -2890,6 +3003,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq, iq->caps_fallback = 1; iq->caps_server = 0; iq->caps_reply = iq->response->rep; + iq->caps_response = iq->response; iq->state = QUERYTARGETS_STATE; iq->num_current_queries--; verbose(VERB_DETAIL, "Capsforid: starting fallback"); @@ -2898,8 +3012,24 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq, /* check if reply is the same, otherwise, fail */ if(!iq->caps_reply) { iq->caps_reply = iq->response->rep; + iq->caps_response = iq->response; iq->caps_server = -1; /*become zero at ++, so that we start the full set of trials */ + } else if(caps_failed_rcode(iq->caps_reply) && + !caps_failed_rcode(iq->response->rep)) { + /* prefer to upgrade to non-SERVFAIL */ + iq->caps_reply = iq->response->rep; + iq->caps_response = iq->response; + } else if(!caps_failed_rcode(iq->caps_reply) && + caps_failed_rcode(iq->response->rep)) { + /* if we have non-SERVFAIL as answer then + * we can ignore SERVFAILs for the equality + * comparison */ + /* no instructions here, skip other else */ + } else if(caps_failed_rcode(iq->caps_reply) && + caps_failed_rcode(iq->response->rep)) { + /* failure is same as other failure in fallbk*/ + /* no instructions here, skip other else */ } else if(!reply_equal(iq->response->rep, iq->caps_reply, qstate->env->scratch)) { verbose(VERB_DETAIL, "Capsforid fallback: " diff --git a/contrib/unbound/iterator/iterator.h b/contrib/unbound/iterator/iterator.h index 1364b86..9cf53b2 100644 --- a/contrib/unbound/iterator/iterator.h +++ b/contrib/unbound/iterator/iterator.h @@ -51,9 +51,10 @@ struct iter_forwards; struct iter_donotq; struct iter_prep_list; struct iter_priv; +struct rbtree_t; /** max number of targets spawned for a query and its subqueries */ -#define MAX_TARGET_COUNT 32 +#define MAX_TARGET_COUNT 64 /** max number of query restarts. Determines max number of CNAME chain. */ #define MAX_RESTART_COUNT 8 /** max number of referrals. Makes sure resolver does not run away */ @@ -96,6 +97,9 @@ struct iter_env { /** private address space and private domains */ struct iter_priv* priv; + /** whitelist for capsforid names */ + struct rbtree_t* caps_white; + /** The maximum dependency depth that this resolver will pursue. */ int max_dependency_depth; @@ -235,6 +239,7 @@ struct iter_qstate { /** state for capsfail: stored query for comparisons. Can be NULL if * no response had been seen prior to starting the fallback. */ struct reply_info* caps_reply; + struct dns_msg* caps_response; /** Current delegation message - returned for non-RD queries */ struct dns_msg* deleg_msg; @@ -258,6 +263,9 @@ struct iter_qstate { * subqueries, the malloced-array is shared, [0] refcount. */ int* target_count; + /** if true, already tested for ratelimiting and passed the test */ + int ratelimit_ok; + /** * The query must store NS records from referrals as parentside RRs * Enabled once it hits resolution problems, to throttle retries. diff --git a/contrib/unbound/libunbound/context.c b/contrib/unbound/libunbound/context.c index c21f941..4469b5b 100644 --- a/contrib/unbound/libunbound/context.c +++ b/contrib/unbound/libunbound/context.c @@ -49,7 +49,7 @@ #include "services/cache/infra.h" #include "util/data/msgreply.h" #include "util/storage/slabhash.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" int context_finalize(struct ub_ctx* ctx) @@ -360,7 +360,7 @@ context_serialize_cancel(struct ctx_query* q, uint32_t* len) /* format of cancel: * o uint32 cmd * o uint32 async-id */ - uint8_t* p = (uint8_t*)malloc(2*sizeof(uint32_t)); + uint8_t* p = (uint8_t*)reallocarray(NULL, sizeof(uint32_t), 2); if(!p) return NULL; *len = 2*sizeof(uint32_t); sldns_write_uint32(p, UB_LIBCMD_CANCEL); diff --git a/contrib/unbound/libunbound/libunbound.c b/contrib/unbound/libunbound/libunbound.c index 91a663a..7c2509b 100644 --- a/contrib/unbound/libunbound/libunbound.c +++ b/contrib/unbound/libunbound/libunbound.c @@ -61,10 +61,13 @@ #include "services/localzone.h" #include "services/cache/infra.h" #include "services/cache/rrset.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" #ifdef HAVE_PTHREAD #include <signal.h> #endif +#ifdef HAVE_SYS_WAIT_H +#include <sys/wait.h> +#endif #if defined(UB_ON_WINDOWS) && defined (HAVE_WINDOWS_H) #include <windows.h> @@ -218,6 +221,12 @@ static void ub_stop_bg(struct ub_ctx* ctx) ub_thread_join(ctx->bg_tid); } else { lock_basic_unlock(&ctx->cfglock); +#ifndef UB_ON_WINDOWS + if(waitpid(ctx->bg_pid, NULL, 0) == -1) { + if(verbosity > 2) + log_err("waitpid: %s", strerror(errno)); + } +#endif } } else { @@ -946,7 +955,7 @@ ub_ctx_resolvconf(struct ub_ctx* ctx, const char* fname) while (ptr) { numserv++; if((retval=ub_ctx_set_fwd(ctx, - ptr->IpAddress.String)!=0)) { + ptr->IpAddress.String))!=0) { free(info); return retval; } @@ -1028,7 +1037,6 @@ ub_ctx_hosts(struct ub_ctx* ctx, const char* fname) "\\hosts"); retval=ub_ctx_hosts(ctx, buf); } - free(name); return retval; } return UB_READFILE; @@ -1053,6 +1061,8 @@ ub_ctx_hosts(struct ub_ctx* ctx, const char* fname) /* skip addr */ while(isxdigit((unsigned char)*parse) || *parse == '.' || *parse == ':') parse++; + if(*parse == '\r') + parse++; if(*parse == '\n' || *parse == 0) continue; if(*parse == '%') @@ -1066,7 +1076,8 @@ ub_ctx_hosts(struct ub_ctx* ctx, const char* fname) *parse++ = 0; /* end delimiter for addr ... */ /* go to names and add them */ while(*parse) { - while(*parse == ' ' || *parse == '\t' || *parse=='\n') + while(*parse == ' ' || *parse == '\t' || *parse=='\n' + || *parse=='\r') parse++; if(*parse == 0 || *parse == '#') break; diff --git a/contrib/unbound/libunbound/libworker.c b/contrib/unbound/libunbound/libworker.c index c72b586..72b6153 100644 --- a/contrib/unbound/libunbound/libworker.c +++ b/contrib/unbound/libunbound/libworker.c @@ -70,8 +70,8 @@ #include "util/tube.h" #include "iterator/iter_fwd.h" #include "iterator/iter_hints.h" -#include "ldns/sbuffer.h" -#include "ldns/str2wire.h" +#include "sldns/sbuffer.h" +#include "sldns/str2wire.h" /** handle new query command for bg worker */ static void handle_newq(struct libworker* w, uint8_t* buf, uint32_t len); diff --git a/contrib/unbound/libunbound/python/Makefile b/contrib/unbound/libunbound/python/Makefile index 86ba177..01b0577 100644 --- a/contrib/unbound/libunbound/python/Makefile +++ b/contrib/unbound/libunbound/python/Makefile @@ -48,17 +48,14 @@ help: #../../.libs/libunbound.so.0: ../../Makefile #$(MAKE) -C ../.. -#../../ldns-src/lib/libldns.so: ../../ldns-src/Makefile - #$(MAKE) -C ../../ldns-src - clean: rm -rdf examples/unbound rm -f _unbound.so libunbound_wrap.o $(MAKE) -C ../.. clean -testenv: ../../.libs/libunbound.so.2 ../../ldns-src/lib/libldns.so ../../.libs/_unbound.so +testenv: ../../.libs/libunbound.so.2 ../../.libs/_unbound.so rm -rdf examples/unbound - cd examples && mkdir unbound && ln -s ../../unbound.py unbound/__init__.py && ln -s ../../_unbound.so unbound/_unbound.so && ln -s ../../../../.libs/libunbound.so.2 unbound/libunbound.so.2 && ln -s ../../../../ldns-src/lib/libldns.so.1 unbound/libldns.so.1 && ls -la + cd examples && mkdir unbound && ln -s ../../unbound.py unbound/__init__.py && ln -s ../../_unbound.so unbound/_unbound.so && ln -s ../../../../.libs/libunbound.so.2 unbound/libunbound.so.2 && ls -la cd examples && if test -f ../../../.libs/_unbound.so; then cp ../../../.libs/_unbound.so . ; fi @echo "Run a script by typing ./script_name.py" cd examples && LD_LIBRARY_PATH=unbound bash diff --git a/contrib/unbound/libunbound/python/examples/async-lookup.py b/contrib/unbound/libunbound/python/examples/async-lookup.py index cbb8ea0..936be32 100644 --- a/contrib/unbound/libunbound/python/examples/async-lookup.py +++ b/contrib/unbound/libunbound/python/examples/async-lookup.py @@ -32,6 +32,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ''' +from __future__ import print_function import unbound import time @@ -39,9 +40,9 @@ ctx = unbound.ub_ctx() ctx.resolvconf("/etc/resolv.conf") def call_back(my_data,status,result): - print("Call_back:", my_data) + print("Call_back:", sorted(my_data)) if status == 0 and result.havedata: - print("Result:", result.data.address_list) + print("Result:", sorted(result.data.address_list)) my_data['done_flag'] = True diff --git a/contrib/unbound/libunbound/python/examples/dns-lookup.py b/contrib/unbound/libunbound/python/examples/dns-lookup.py index b3f4008..a175dfb 100644 --- a/contrib/unbound/libunbound/python/examples/dns-lookup.py +++ b/contrib/unbound/libunbound/python/examples/dns-lookup.py @@ -32,6 +32,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ''' +from __future__ import print_function import unbound ctx = unbound.ub_ctx() @@ -39,6 +40,6 @@ ctx.resolvconf("/etc/resolv.conf") status, result = ctx.resolve("www.nic.cz", unbound.RR_TYPE_A, unbound.RR_CLASS_IN) if status == 0 and result.havedata: - print("Result:", result.data.address_list) + print("Result:", sorted(result.data.address_list)) elif status != 0: print("Error:", unbound.ub_strerror(status)) diff --git a/contrib/unbound/libunbound/python/examples/dnssec-valid.py b/contrib/unbound/libunbound/python/examples/dnssec-valid.py index 5c3cad9..386f4c2 100644 --- a/contrib/unbound/libunbound/python/examples/dnssec-valid.py +++ b/contrib/unbound/libunbound/python/examples/dnssec-valid.py @@ -32,6 +32,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ''' +from __future__ import print_function import os from unbound import ub_ctx,RR_TYPE_A,RR_CLASS_IN @@ -48,7 +49,7 @@ if os.path.isfile("keys"): status, result = ctx.resolve("www.nic.cz", RR_TYPE_A, RR_CLASS_IN) if status == 0 and result.havedata: - print("Result:", result.data.address_list) + print("Result:", sorted(result.data.address_list)) if result.secure: print("Result is secure") diff --git a/contrib/unbound/libunbound/python/examples/dnssec_test.py b/contrib/unbound/libunbound/python/examples/dnssec_test.py index 0d62b9f..430e51a 100644 --- a/contrib/unbound/libunbound/python/examples/dnssec_test.py +++ b/contrib/unbound/libunbound/python/examples/dnssec_test.py @@ -1,4 +1,5 @@ #!/usr/bin/env python +from __future__ import print_function from unbound import ub_ctx, RR_TYPE_A, RR_TYPE_RRSIG, RR_TYPE_NSEC, RR_TYPE_NSEC3 import ldns @@ -12,16 +13,16 @@ def dnssecParse(domain, rrType=RR_TYPE_A): raise RuntimeError("Error parsing DNS packet") rrsigs = pkt.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER) - print("RRSIGs from answer:", rrsigs) + print("RRSIGs from answer:", sorted(rrsigs)) rrsigs = pkt.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_AUTHORITY) - print("RRSIGs from authority:", rrsigs) + print("RRSIGs from authority:", sorted(rrsigs)) nsecs = pkt.rr_list_by_type(RR_TYPE_NSEC, ldns.LDNS_SECTION_AUTHORITY) - print("NSECs:", nsecs) + print("NSECs:", sorted(nsecs)) nsec3s = pkt.rr_list_by_type(RR_TYPE_NSEC3, ldns.LDNS_SECTION_AUTHORITY) - print("NSEC3s:", nsec3s) + print("NSEC3s:", sorted(nsec3s)) print("---") diff --git a/contrib/unbound/libunbound/python/examples/example8-1.py b/contrib/unbound/libunbound/python/examples/example8-1.py index ca868e5..723c406 100644 --- a/contrib/unbound/libunbound/python/examples/example8-1.py +++ b/contrib/unbound/libunbound/python/examples/example8-1.py @@ -33,6 +33,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ''' +from __future__ import print_function import unbound ctx = unbound.ub_ctx() @@ -42,20 +43,20 @@ status, result = ctx.resolve("nic.cz", unbound.RR_TYPE_MX, unbound.RR_CLASS_IN) if status == 0 and result.havedata: print("Result:") print(" raw data:", result.data) - for k in result.data.mx_list: + for k in sorted(result.data.mx_list): print(" priority:%d address:%s" % k) status, result = ctx.resolve("nic.cz", unbound.RR_TYPE_A, unbound.RR_CLASS_IN) if status == 0 and result.havedata: print("Result:") print(" raw data:", result.data) - for k in result.data.address_list: + for k in sorted(result.data.address_list): print(" address:%s" % k) status, result = ctx.resolve("nic.cz", unbound.RR_TYPE_NS, unbound.RR_CLASS_IN) if status == 0 and result.havedata: print("Result:") print(" raw data:", result.data) - for k in result.data.domain_list: + for k in sorted(result.data.domain_list): print(" host: %s" % k) diff --git a/contrib/unbound/libunbound/python/examples/idn-lookup.py b/contrib/unbound/libunbound/python/examples/idn-lookup.py index 2170637..f283150 100644 --- a/contrib/unbound/libunbound/python/examples/idn-lookup.py +++ b/contrib/unbound/libunbound/python/examples/idn-lookup.py @@ -33,6 +33,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ''' +from __future__ import print_function import unbound import locale @@ -45,18 +46,18 @@ status, result = ctx.resolve(u"www.háčkyčárky.cz", unbound.RR_TYPE_A, unboun if status == 0 and result.havedata: print("Result:") print(" raw data:", result.data) - for k in result.data.address_list: + for k in sorted(result.data.address_list): print(" address:%s" % k) status, result = ctx.resolve(u"háčkyčárky.cz", unbound.RR_TYPE_MX, unbound.RR_CLASS_IN) if status == 0 and result.havedata: print("Result:") print(" raw data:", result.data) - for k in result.data.mx_list_idn: + for k in sorted(result.data.mx_list_idn): print(" priority:%d address:%s" % k) status, result = ctx.resolve(unbound.reverse('217.31.204.66')+'.in-addr.arpa', unbound.RR_TYPE_PTR, unbound.RR_CLASS_IN) if status == 0 and result.havedata: print("Result.data:", result.data) - for k in result.data.domain_list_idn: + for k in sorted(result.data.domain_list_idn): print(" dname:%s" % k) diff --git a/contrib/unbound/libunbound/python/examples/mx-lookup.py b/contrib/unbound/libunbound/python/examples/mx-lookup.py index f83f690..e9394b3 100644 --- a/contrib/unbound/libunbound/python/examples/mx-lookup.py +++ b/contrib/unbound/libunbound/python/examples/mx-lookup.py @@ -33,6 +33,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ''' +from __future__ import print_function import unbound ctx = unbound.ub_ctx() @@ -42,12 +43,12 @@ status, result = ctx.resolve("nic.cz", unbound.RR_TYPE_MX, unbound.RR_CLASS_IN) if status == 0 and result.havedata: print("Result:") print(" raw data:", result.data) - for k in result.data.mx_list: + for k in sorted(result.data.mx_list): print(" priority:%d address:%s" % k) status, result = ctx.resolve("nic.cz", unbound.RR_TYPE_A, unbound.RR_CLASS_IN) if status == 0 and result.havedata: print("Result:") print(" raw data:", result.data) - for k in result.data.address_list: + for k in sorted(result.data.address_list): print(" address:%s" % k) diff --git a/contrib/unbound/libunbound/python/examples/ns-lookup.py b/contrib/unbound/libunbound/python/examples/ns-lookup.py index bcd51de..49f5672 100644 --- a/contrib/unbound/libunbound/python/examples/ns-lookup.py +++ b/contrib/unbound/libunbound/python/examples/ns-lookup.py @@ -33,6 +33,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ''' +from __future__ import print_function import unbound ctx = unbound.ub_ctx() @@ -42,6 +43,6 @@ status, result = ctx.resolve("vutbr.cz", unbound.RR_TYPE_NS, unbound.RR_CLASS_IN if status == 0 and result.havedata: print("Result:") print(" raw data:", result.data) - for k in result.data.domain_list: + for k in sorted(result.data.domain_list): print(" host: %s" % k) diff --git a/contrib/unbound/libunbound/python/examples/reverse-lookup.py b/contrib/unbound/libunbound/python/examples/reverse-lookup.py index 7e06844e..c9a13fe 100644 --- a/contrib/unbound/libunbound/python/examples/reverse-lookup.py +++ b/contrib/unbound/libunbound/python/examples/reverse-lookup.py @@ -32,6 +32,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ''' +from __future__ import print_function import unbound ctx = unbound.ub_ctx() @@ -39,5 +40,5 @@ ctx.resolvconf("/etc/resolv.conf") status, result = ctx.resolve(unbound.reverse("74.125.43.147") + ".in-addr.arpa.", unbound.RR_TYPE_PTR, unbound.RR_CLASS_IN) if status == 0 and result.havedata: - print("Result.data:", result.data, result.data.domain_list) + print("Result.data:", result.data, sorted(result.data.domain_list)) diff --git a/contrib/unbound/libunbound/python/file_py3.i b/contrib/unbound/libunbound/python/file_py3.i new file mode 100644 index 0000000..5d8b5a2 --- /dev/null +++ b/contrib/unbound/libunbound/python/file_py3.i @@ -0,0 +1,155 @@ +/* + * file_py3.i: Typemaps for FILE* for Python 3 + * + * Copyright (c) 2011, Karel Slany (karel.slany AT nic.cz) + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the name of the organization nor the names of its + * contributors may be used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +%{ +#include <unistd.h> +#include <fcntl.h> +%} + +%types(FILE *); + +//#define SWIG_FILE3_DEBUG + +/* converts basic file descriptor flags onto a string */ +%fragment("fdfl_to_str", "header") { +const char * +fdfl_to_str(int fdfl) { + + static const char * const file_mode[] = {"w+", "w", "r"}; + + if (fdfl & O_RDWR) { + return file_mode[0]; + } else if (fdfl & O_WRONLY) { + return file_mode[1]; + } else { + return file_mode[2]; + } +} +} + +%fragment("is_obj_file", "header") { +int +is_obj_file(PyObject *obj) { + int fd, fdfl; + if (!PyLong_Check(obj) && /* is not an integer */ + PyObject_HasAttrString(obj, "fileno") && /* has fileno method */ + (PyObject_CallMethod(obj, "flush", NULL) != NULL) && /* flush() succeeded */ + ((fd = PyObject_AsFileDescriptor(obj)) != -1) && /* got file descriptor */ + ((fdfl = fcntl(fd, F_GETFL)) != -1) /* got descriptor flags */ + ) { + return 1; + } + else { + return 0; + } +} +} + +%fragment("obj_to_file","header", fragment="fdfl_to_str,is_obj_file") { +FILE * +obj_to_file(PyObject *obj) { + int fd, fdfl; + FILE *fp; + if (is_obj_file(obj)) { + fd = PyObject_AsFileDescriptor(obj); + fdfl = fcntl(fd, F_GETFL); + fp = fdopen(dup(fd), fdfl_to_str(fdfl)); /* the FILE* must be flushed + and closed after being used */ +#ifdef SWIG_FILE3_DEBUG + fprintf(stderr, "opening fd %d (fl %d \"%s\") as FILE %p\n", + fd, fdfl, fdfl_to_str(fdfl), (void *)fp); +#endif + return fp; + } + return NULL; +} +} + +/* returns -1 if error occurred */ +/* caused magic SWIG Syntax errors when was commented out */ +#if 0 +%fragment("dispose_file", "header") { +int +dispose_file(FILE **fp) { +#ifdef SWIG_FILE3_DEBUG + fprintf(stderr, "flushing FILE %p\n", (void *)fp); +#endif + if (*fp == NULL) { + return 0; + } + if ((fflush(*fp) == 0) && /* flush file */ + (fclose(*fp) == 0)) { /* close file */ + *fp = NULL; + return 0; + } + return -1; +} +} +#endif + +%typemap(arginit, noblock = 1) FILE* { + $1 = NULL; +} + +/* + * added due to ub_ctx_debugout since since it is overloaded: + * takes void* and FILE*. In reality only FILE* but the wrapper + * and the function is declared in such way. + */ +%typemap(typecheck, noblock = 1, fragment = "is_obj_file", precedence = SWIG_TYPECHECK_POINTER) FILE* { + $1 = is_obj_file($input); +} + +%typemap(check, noblock = 1) FILE* { + if ($1 == NULL) { + /* The generated wrapper function raises TypeError on mismatching types. */ + SWIG_exception_fail(SWIG_TypeError, "in method '" "$symname" "', argument " + "$argnum"" of type '" "$type""'"); + } +} + +%typemap(in, noblock = 1, fragment = "obj_to_file") FILE* { + $1 = obj_to_file($input); +} + +/* + * Commented out due the way how ub_ctx_debugout() uses the parameter. + * This typemap would cause the FILE* to be closed after return from + * the function. This caused Python interpreter to crash, since the + * function just stores the FILE* internally in ctx and use it for + * logging. So we'll leave the closing of the file on the OS. + */ +/*%typemap(freearg, noblock = 1, fragment = "dispose_file") FILE* { + if (dispose_file(&$1) == -1) { + SWIG_exception_fail(SWIG_IOError, "closing file in method '" "$symname" "', argument " + "$argnum"" of type '" "$type""'"); + } +}*/ diff --git a/contrib/unbound/libunbound/python/libunbound.i b/contrib/unbound/libunbound/python/libunbound.i index 1bef79f..3c0e45b 100644 --- a/contrib/unbound/libunbound/python/libunbound.i +++ b/contrib/unbound/libunbound/python/libunbound.i @@ -60,7 +60,11 @@ %} //%include "doc.i" +#if PY_MAJOR_VERSION >= 3 +%include "file_py3.i" // python 3 FILE * +#else %include "file.i" +#endif %feature("docstring") strerror "Convert error value to a human readable string." diff --git a/contrib/unbound/libunbound/worker.h b/contrib/unbound/libunbound/worker.h index 824012a..a531501 100644 --- a/contrib/unbound/libunbound/worker.h +++ b/contrib/unbound/libunbound/worker.h @@ -42,7 +42,7 @@ #ifndef LIBUNBOUND_WORKER_H #define LIBUNBOUND_WORKER_H -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" #include "util/data/packed_rrset.h" /* for enum sec_status */ struct comm_reply; struct comm_point; diff --git a/contrib/unbound/services/cache/dns.c b/contrib/unbound/services/cache/dns.c index 4692744..ba81afd 100644 --- a/contrib/unbound/services/cache/dns.c +++ b/contrib/unbound/services/cache/dns.c @@ -50,7 +50,7 @@ #include "util/net_help.h" #include "util/regional.h" #include "util/config_file.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" /** store rrsets in the rrset cache. * @param env: module environment with caches. @@ -366,6 +366,8 @@ dns_msg_create(uint8_t* qname, size_t qnamelen, uint16_t qtype, sizeof(struct reply_info)-sizeof(struct rrset_ref)); if(!msg->rep) return NULL; + if(capacity > RR_COUNT_MAX) + return NULL; /* integer overflow protection */ msg->rep->flags = BIT_QR; /* with QR, no AA */ msg->rep->qdcount = 1; msg->rep->rrsets = (struct ub_packed_rrset_key**) @@ -387,6 +389,18 @@ dns_msg_authadd(struct dns_msg* msg, struct regional* region, return 1; } +/** add rrset to answer section */ +static int +dns_msg_ansadd(struct dns_msg* msg, struct regional* region, + struct ub_packed_rrset_key* rrset, time_t now) +{ + if(!(msg->rep->rrsets[msg->rep->rrset_count++] = + packed_rrset_copy_region(rrset, region, now))) + return 0; + msg->rep->an_numrrsets++; + return 1; +} + struct delegpt* dns_cache_find_delegation(struct module_env* env, uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass, @@ -453,6 +467,8 @@ gen_dns_msg(struct regional* region, struct query_info* q, size_t num) sizeof(struct reply_info) - sizeof(struct rrset_ref)); if(!msg->rep) return NULL; + if(num > RR_COUNT_MAX) + return NULL; /* integer overflow protection */ msg->rep->rrsets = (struct ub_packed_rrset_key**) regional_alloc(region, num * sizeof(struct ub_packed_rrset_key*)); @@ -489,7 +505,7 @@ tomsg(struct module_env* env, struct query_info* q, struct reply_info* r, return NULL; if(r->an_numrrsets > 0 && (r->rrsets[0]->rk.type == htons( LDNS_RR_TYPE_CNAME) || r->rrsets[0]->rk.type == htons( - LDNS_RR_TYPE_DNAME)) && !reply_check_cname_chain(r)) { + LDNS_RR_TYPE_DNAME)) && !reply_check_cname_chain(q, r)) { /* cname chain is now invalid, reconstruct msg */ rrset_array_unlock(r->ref, r->rrset_count); return NULL; @@ -631,6 +647,58 @@ synth_dname_msg(struct ub_packed_rrset_key* rrset, struct regional* region, return msg; } +/** Fill TYPE_ANY response with some data from cache */ +static struct dns_msg* +fill_any(struct module_env* env, + uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass, + struct regional* region) +{ + time_t now = *env->now; + struct dns_msg* msg = NULL; + uint16_t lookup[] = {LDNS_RR_TYPE_A, LDNS_RR_TYPE_AAAA, + LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS, 0}; + int i, num=5; /* number of RR types to look up */ + log_assert(lookup[num] == 0); + + for(i=0; i<num; i++) { + /* look up this RR for inclusion in type ANY response */ + struct ub_packed_rrset_key* rrset = rrset_cache_lookup( + env->rrset_cache, qname, qnamelen, lookup[i], + qclass, 0, now, 0); + struct packed_rrset_data *d; + if(!rrset) + continue; + + /* only if rrset from answer section */ + d = (struct packed_rrset_data*)rrset->entry.data; + if(d->trust == rrset_trust_add_noAA || + d->trust == rrset_trust_auth_noAA || + d->trust == rrset_trust_add_AA || + d->trust == rrset_trust_auth_AA) { + lock_rw_unlock(&rrset->entry.lock); + continue; + } + + /* create msg if none */ + if(!msg) { + msg = dns_msg_create(qname, qnamelen, qtype, qclass, + region, (size_t)(num-i)); + if(!msg) { + lock_rw_unlock(&rrset->entry.lock); + return NULL; + } + } + + /* add RRset to response */ + if(!dns_msg_ansadd(msg, region, rrset, now)) { + lock_rw_unlock(&rrset->entry.lock); + return NULL; + } + lock_rw_unlock(&rrset->entry.lock); + } + return msg; +} + struct dns_msg* dns_cache_lookup(struct module_env* env, uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass, @@ -743,6 +811,11 @@ dns_cache_lookup(struct module_env* env, } } + /* fill common RR types for ANY response to avoid requery */ + if(qtype == LDNS_RR_TYPE_ANY) { + return fill_any(env, qname, qnamelen, qtype, qclass, region); + } + return NULL; } diff --git a/contrib/unbound/services/cache/infra.c b/contrib/unbound/services/cache/infra.c index 07f2103..c0049d8 100644 --- a/contrib/unbound/services/cache/infra.c +++ b/contrib/unbound/services/cache/infra.c @@ -39,7 +39,8 @@ * This file contains the infrastructure cache. */ #include "config.h" -#include "ldns/rrdef.h" +#include "sldns/rrdef.h" +#include "sldns/str2wire.h" #include "services/cache/infra.h" #include "util/storage/slabhash.h" #include "util/storage/lookup3.h" @@ -57,6 +58,9 @@ * can do this number of packets (until those all timeout too) */ #define TIMEOUT_COUNT_MAX 3 +/** ratelimit value for delegation point */ +int infra_dp_ratelimit = 0; + size_t infra_sizefunc(void* k, void* ATTR_UNUSED(d)) { @@ -99,6 +103,114 @@ infra_deldatafunc(void* d, void* ATTR_UNUSED(arg)) free(data); } +size_t +rate_sizefunc(void* k, void* ATTR_UNUSED(d)) +{ + struct rate_key* key = (struct rate_key*)k; + return sizeof(*key) + sizeof(struct rate_data) + key->namelen + + lock_get_mem(&key->entry.lock); +} + +int +rate_compfunc(void* key1, void* key2) +{ + struct rate_key* k1 = (struct rate_key*)key1; + struct rate_key* k2 = (struct rate_key*)key2; + if(k1->namelen != k2->namelen) { + if(k1->namelen < k2->namelen) + return -1; + return 1; + } + return query_dname_compare(k1->name, k2->name); +} + +void +rate_delkeyfunc(void* k, void* ATTR_UNUSED(arg)) +{ + struct rate_key* key = (struct rate_key*)k; + if(!key) + return; + lock_rw_destroy(&key->entry.lock); + free(key->name); + free(key); +} + +void +rate_deldatafunc(void* d, void* ATTR_UNUSED(arg)) +{ + struct rate_data* data = (struct rate_data*)d; + free(data); +} + +/** find or create element in domainlimit tree */ +static struct domain_limit_data* domain_limit_findcreate( + struct infra_cache* infra, char* name) +{ + uint8_t* nm; + int labs; + size_t nmlen; + struct domain_limit_data* d; + + /* parse name */ + nm = sldns_str2wire_dname(name, &nmlen); + if(!nm) { + log_err("could not parse %s", name); + return NULL; + } + labs = dname_count_labels(nm); + + /* can we find it? */ + d = (struct domain_limit_data*)name_tree_find(&infra->domain_limits, + nm, nmlen, labs, LDNS_RR_CLASS_IN); + if(d) { + free(nm); + return d; + } + + /* create it */ + d = (struct domain_limit_data*)calloc(1, sizeof(*d)); + if(!d) { + free(nm); + return NULL; + } + d->node.node.key = &d->node; + d->node.name = nm; + d->node.len = nmlen; + d->node.labs = labs; + d->node.dclass = LDNS_RR_CLASS_IN; + d->lim = -1; + d->below = -1; + if(!name_tree_insert(&infra->domain_limits, &d->node, nm, nmlen, + labs, LDNS_RR_CLASS_IN)) { + log_err("duplicate element in domainlimit tree"); + free(nm); + free(d); + return NULL; + } + return d; +} + +/** insert rate limit configuration into lookup tree */ +static int infra_ratelimit_cfg_insert(struct infra_cache* infra, + struct config_file* cfg) +{ + struct config_str2list* p; + struct domain_limit_data* d; + for(p = cfg->ratelimit_for_domain; p; p = p->next) { + d = domain_limit_findcreate(infra, p->str); + if(!d) + return 0; + d->lim = atoi(p->str2); + } + for(p = cfg->ratelimit_below_domain; p; p = p->next) { + d = domain_limit_findcreate(infra, p->str); + if(!d) + return 0; + d->below = atoi(p->str2); + } + return 1; +} + struct infra_cache* infra_create(struct config_file* cfg) { @@ -114,15 +226,44 @@ infra_create(struct config_file* cfg) return NULL; } infra->host_ttl = cfg->host_ttl; + name_tree_init(&infra->domain_limits); + infra_dp_ratelimit = cfg->ratelimit; + if(cfg->ratelimit != 0) { + infra->domain_rates = slabhash_create(cfg->ratelimit_slabs, + INFRA_HOST_STARTSIZE, cfg->ratelimit_size, + &rate_sizefunc, &rate_compfunc, &rate_delkeyfunc, + &rate_deldatafunc, NULL); + if(!infra->domain_rates) { + infra_delete(infra); + return NULL; + } + /* insert config data into ratelimits */ + if(!infra_ratelimit_cfg_insert(infra, cfg)) { + infra_delete(infra); + return NULL; + } + name_tree_init_parents(&infra->domain_limits); + } return infra; } +/** delete domain_limit entries */ +static void domain_limit_free(rbnode_t* n, void* ATTR_UNUSED(arg)) +{ + if(n) { + free(((struct domain_limit_data*)n)->node.name); + free(n); + } +} + void infra_delete(struct infra_cache* infra) { if(!infra) return; slabhash_delete(infra->hosts); + slabhash_delete(infra->domain_rates); + traverse_postorder(&infra->domain_limits, domain_limit_free, NULL); free(infra); } @@ -562,8 +703,178 @@ infra_get_lame_rtt(struct infra_cache* infra, return 1; } +int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name, + size_t namelen) +{ + int labs = dname_count_labels(name); + struct domain_limit_data* d = (struct domain_limit_data*) + name_tree_lookup(&infra->domain_limits, name, namelen, labs, + LDNS_RR_CLASS_IN); + if(!d) return infra_dp_ratelimit; + + if(d->node.labs == labs && d->lim != -1) + return d->lim; /* exact match */ + + /* find 'below match' */ + if(d->node.labs == labs) + d = (struct domain_limit_data*)d->node.parent; + while(d) { + if(d->below != -1) + return d->below; + d = (struct domain_limit_data*)d->node.parent; + } + return infra_dp_ratelimit; +} + +/** find data item in array, for write access, caller unlocks */ +static struct lruhash_entry* infra_find_ratedata(struct infra_cache* infra, + uint8_t* name, size_t namelen, int wr) +{ + struct rate_key key; + hashvalue_t h = dname_query_hash(name, 0xab); + memset(&key, 0, sizeof(key)); + key.name = name; + key.namelen = namelen; + key.entry.hash = h; + return slabhash_lookup(infra->domain_rates, h, &key, wr); +} + +/** create rate data item for name, number 1 in now */ +static void infra_create_ratedata(struct infra_cache* infra, + uint8_t* name, size_t namelen, time_t timenow) +{ + hashvalue_t h = dname_query_hash(name, 0xab); + struct rate_key* k = (struct rate_key*)calloc(1, sizeof(*k)); + struct rate_data* d = (struct rate_data*)calloc(1, sizeof(*d)); + if(!k || !d) { + free(k); + free(d); + return; /* alloc failure */ + } + k->namelen = namelen; + k->name = memdup(name, namelen); + if(!k->name) { + free(k); + free(d); + return; /* alloc failure */ + } + lock_rw_init(&k->entry.lock); + k->entry.hash = h; + k->entry.key = k; + k->entry.data = d; + d->qps[0] = 1; + d->timestamp[0] = timenow; + slabhash_insert(infra->domain_rates, h, &k->entry, d, NULL); +} + +/** find the second and return its rate counter, if none, remove oldest */ +static int* infra_rate_find_second(void* data, time_t t) +{ + struct rate_data* d = (struct rate_data*)data; + int i, oldest; + for(i=0; i<RATE_WINDOW; i++) { + if(d->timestamp[i] == t) + return &(d->qps[i]); + } + /* remove oldest timestamp, and insert it at t with 0 qps */ + oldest = 0; + for(i=0; i<RATE_WINDOW; i++) { + if(d->timestamp[i] < d->timestamp[oldest]) + oldest = i; + } + d->timestamp[oldest] = t; + d->qps[oldest] = 0; + return &(d->qps[oldest]); +} + +int infra_rate_max(void* data, time_t now) +{ + struct rate_data* d = (struct rate_data*)data; + int i, max = 0; + for(i=0; i<RATE_WINDOW; i++) { + if(now-d->timestamp[i] <= RATE_WINDOW) { + if(d->qps[i] > max) + max = d->qps[i]; + } + } + return max; +} + +int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, + size_t namelen, time_t timenow) +{ + int lim, max; + struct lruhash_entry* entry; + + if(!infra_dp_ratelimit) + return 1; /* not enabled */ + + /* find ratelimit */ + lim = infra_find_ratelimit(infra, name, namelen); + + /* find or insert ratedata */ + entry = infra_find_ratedata(infra, name, namelen, 1); + if(entry) { + int premax = infra_rate_max(entry->data, timenow); + int* cur = infra_rate_find_second(entry->data, timenow); + (*cur)++; + max = infra_rate_max(entry->data, timenow); + lock_rw_unlock(&entry->lock); + + if(premax < lim && max >= lim) { + char buf[257]; + dname_str(name, buf); + verbose(VERB_OPS, "ratelimit exceeded %s %d", buf, lim); + } + return (max < lim); + } + + /* create */ + infra_create_ratedata(infra, name, namelen, timenow); + return (1 < lim); +} + +void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name, + size_t namelen, time_t timenow) +{ + struct lruhash_entry* entry; + int* cur; + if(!infra_dp_ratelimit) + return; /* not enabled */ + entry = infra_find_ratedata(infra, name, namelen, 1); + if(!entry) return; /* not cached */ + cur = infra_rate_find_second(entry->data, timenow); + if((*cur) > 0) + (*cur)--; + lock_rw_unlock(&entry->lock); +} + +int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name, + size_t namelen, time_t timenow) +{ + struct lruhash_entry* entry; + int lim, max; + if(!infra_dp_ratelimit) + return 0; /* not enabled */ + + /* find ratelimit */ + lim = infra_find_ratelimit(infra, name, namelen); + + /* find current rate */ + entry = infra_find_ratedata(infra, name, namelen, 0); + if(!entry) + return 0; /* not cached */ + max = infra_rate_max(entry->data, timenow); + lock_rw_unlock(&entry->lock); + + return (max >= lim); +} + size_t infra_get_mem(struct infra_cache* infra) { - return sizeof(*infra) + slabhash_get_mem(infra->hosts); + size_t s = sizeof(*infra) + slabhash_get_mem(infra->hosts); + if(infra->domain_rates) s += slabhash_get_mem(infra->domain_rates); + /* ignore domain_limits because walk through tree is big */ + return s; } diff --git a/contrib/unbound/services/cache/infra.h b/contrib/unbound/services/cache/infra.h index fc54f7f..fc7abb7 100644 --- a/contrib/unbound/services/cache/infra.h +++ b/contrib/unbound/services/cache/infra.h @@ -42,6 +42,7 @@ #ifndef SERVICES_CACHE_INFRA_H #define SERVICES_CACHE_INFRA_H #include "util/storage/lruhash.h" +#include "util/storage/dnstree.h" #include "util/rtt.h" struct slabhash; struct config_file; @@ -108,6 +109,55 @@ struct infra_cache { struct slabhash* hosts; /** TTL value for host information, in seconds */ int host_ttl; + /** hash table with query rates per name: rate_key, rate_data */ + struct slabhash* domain_rates; + /** ratelimit settings for domains, struct domain_limit_data */ + rbtree_t domain_limits; +}; + +/** ratelimit, unless overridden by domain_limits, 0 is off */ +extern int infra_dp_ratelimit; + +/** + * ratelimit settings for domains + */ +struct domain_limit_data { + /** key for rbtree, must be first in struct, name of domain */ + struct name_tree_node node; + /** ratelimit for exact match with this name, -1 if not set */ + int lim; + /** ratelimit for names below this name, -1 if not set */ + int below; +}; + +/** + * key for ratelimit lookups, a domain name + */ +struct rate_key { + /** lruhash key entry */ + struct lruhash_entry entry; + /** domain name in uncompressed wireformat */ + uint8_t* name; + /** length of name */ + size_t namelen; +}; + +/** number of seconds to track qps rate */ +#define RATE_WINDOW 2 + +/** + * Data for ratelimits per domain name + * It is incremented when a non-cache-lookup happens for that domain name. + * The name is the delegation point we have for the name. + * If a new delegation point is found (a referral reply), the previous + * delegation point is decremented, and the new one is charged with the query. + */ +struct rate_data { + /** queries counted, for that second. 0 if not in use. */ + int qps[RATE_WINDOW]; + /** what the timestamp is of the qps array members, counter is + * valid for that timestamp. Usually now and now-1. */ + time_t timestamp[RATE_WINDOW]; }; /** infra host cache default hash lookup size */ @@ -287,6 +337,51 @@ long long infra_get_host_rto(struct infra_cache* infra, int* tA, int* tAAAA, int* tother); /** + * Increment the query rate counter for a delegation point. + * @param infra: infra cache. + * @param name: zone name + * @param namelen: zone name length + * @param timenow: what time it is now. + * @return 1 if it could be incremented. 0 if the increment overshot the + * ratelimit or if in the previous second the ratelimit was exceeded. + * Failures like alloc failures are not returned (probably as 1). + */ +int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, + size_t namelen, time_t timenow); + +/** + * Decrement the query rate counter for a delegation point. + * Because the reply received for the delegation point was pleasant, + * we do not charge this delegation point with it (i.e. it was a referral). + * Should call it with same second as when inc() was called. + * @param infra: infra cache. + * @param name: zone name + * @param namelen: zone name length + * @param timenow: what time it is now. + */ +void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name, + size_t namelen, time_t timenow); + +/** + * See if the query rate counter for a delegation point is exceeded. + * So, no queries are going to be allowed. + * @param infra: infra cache. + * @param name: zone name + * @param namelen: zone name length + * @param timenow: what time it is now. + * @return true if exceeded. + */ +int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name, + size_t namelen, time_t timenow); + +/** find the maximum rate stored, not too old. 0 if no information. */ +int infra_rate_max(void* data, time_t now); + +/** find the ratelimit in qps for a domain */ +int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name, + size_t namelen); + +/** * Get memory used by the infra cache. * @param infra: infrastructure cache. * @return memory in use in bytes. @@ -306,4 +401,16 @@ void infra_delkeyfunc(void* k, void* arg); /** delete data and destroy the lameness hashtable */ void infra_deldatafunc(void* d, void* arg); +/** calculate size for the hashtable */ +size_t rate_sizefunc(void* k, void* d); + +/** compare two names, returns -1, 0, or +1 */ +int rate_compfunc(void* key1, void* key2); + +/** delete key, and destroy the lock */ +void rate_delkeyfunc(void* k, void* arg); + +/** delete data */ +void rate_deldatafunc(void* d, void* arg); + #endif /* SERVICES_CACHE_INFRA_H */ diff --git a/contrib/unbound/services/cache/rrset.c b/contrib/unbound/services/cache/rrset.c index 5f52dbc..2c85529 100644 --- a/contrib/unbound/services/cache/rrset.c +++ b/contrib/unbound/services/cache/rrset.c @@ -40,7 +40,7 @@ */ #include "config.h" #include "services/cache/rrset.h" -#include "ldns/rrdef.h" +#include "sldns/rrdef.h" #include "util/storage/slabhash.h" #include "util/config_file.h" #include "util/data/packed_rrset.h" @@ -304,10 +304,11 @@ rrset_array_unlock_touch(struct rrset_cache* r, struct regional* scratch, { hashvalue_t* h; size_t i; - if(!(h = (hashvalue_t*)regional_alloc(scratch, - sizeof(hashvalue_t)*count))) + if(count > RR_COUNT_MAX || !(h = (hashvalue_t*)regional_alloc(scratch, + sizeof(hashvalue_t)*count))) { log_warn("rrset LRU: memory allocation failed"); - else /* store hash values */ + h = NULL; + } else /* store hash values */ for(i=0; i<count; i++) h[i] = ref[i].key->entry.hash; /* unlock */ diff --git a/contrib/unbound/services/listen_dnsport.c b/contrib/unbound/services/listen_dnsport.c index 3e5bf40..276c0fb 100644 --- a/contrib/unbound/services/listen_dnsport.c +++ b/contrib/unbound/services/listen_dnsport.c @@ -49,7 +49,7 @@ #include "util/log.h" #include "util/config_file.h" #include "util/net_help.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" #ifdef HAVE_NETDB_H #include <netdb.h> @@ -96,10 +96,10 @@ verbose_print_addr(struct addrinfo *addr) int create_udp_sock(int family, int socktype, struct sockaddr* addr, socklen_t addrlen, int v6only, int* inuse, int* noproto, - int rcv, int snd, int listen, int* reuseport) + int rcv, int snd, int listen, int* reuseport, int transparent) { int s; -#if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_USE_MIN_MTU) +#if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_USE_MIN_MTU) || defined(IP_TRANSPARENT) int on=1; #endif #ifdef IPV6_MTU @@ -114,6 +114,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr, #ifndef IPV6_V6ONLY (void)v6only; #endif +#ifndef IP_TRANSPARENT + (void)transparent; +#endif if((s = socket(family, socktype, 0)) == -1) { *inuse = 0; #ifndef USE_WINSOCK @@ -177,6 +180,14 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr, #else (void)reuseport; #endif /* defined(SO_REUSEPORT) */ +#ifdef IP_TRANSPARENT + if (transparent && + setsockopt(s, IPPROTO_IP, IP_TRANSPARENT, (void*)&on, + (socklen_t)sizeof(on)) < 0) { + log_warn("setsockopt(.. IP_TRANSPARENT ..) failed: %s", + strerror(errno)); + } +#endif /* IP_TRANSPARENT */ } if(rcv) { #ifdef SO_RCVBUF @@ -472,12 +483,15 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr, int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto, - int* reuseport) + int* reuseport, int transparent) { int s; -#if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_V6ONLY) +#if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_V6ONLY) || defined(IP_TRANSPARENT) int on = 1; -#endif /* SO_REUSEADDR || IPV6_V6ONLY */ +#endif +#ifndef IP_TRANSPARENT + (void)transparent; +#endif verbose_print_addr(addr); *noproto = 0; if((s = socket(addr->ai_family, addr->ai_socktype, 0)) == -1) { @@ -552,6 +566,14 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto, #else (void)v6only; #endif /* IPV6_V6ONLY */ +#ifdef IP_TRANSPARENT + if (transparent && + setsockopt(s, IPPROTO_IP, IP_TRANSPARENT, (void*)&on, + (socklen_t)sizeof(on)) < 0) { + log_warn("setsockopt(.. IP_TRANSPARENT ..) failed: %s", + strerror(errno)); + } +#endif /* IP_TRANSPARENT */ if(bind(s, addr->ai_addr, addr->ai_addrlen) != 0) { #ifndef USE_WINSOCK /* detect freebsd jail with no ipv6 permission */ @@ -656,7 +678,7 @@ create_local_accept_sock(const char *path, int* noproto) static int make_sock(int stype, const char* ifname, const char* port, struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd, - int* reuseport) + int* reuseport, int transparent) { struct addrinfo *res = NULL; int r, s, inuse, noproto; @@ -684,14 +706,15 @@ make_sock(int stype, const char* ifname, const char* port, s = create_udp_sock(res->ai_family, res->ai_socktype, (struct sockaddr*)res->ai_addr, res->ai_addrlen, v6only, &inuse, &noproto, (int)rcv, (int)snd, 1, - reuseport); + reuseport, transparent); if(s == -1 && inuse) { log_err("bind: address already in use"); } else if(s == -1 && noproto && hints->ai_family == AF_INET6){ *noip6 = 1; } } else { - s = create_tcp_accept_sock(res, v6only, &noproto, reuseport); + s = create_tcp_accept_sock(res, v6only, &noproto, reuseport, + transparent); if(s == -1 && noproto && hints->ai_family == AF_INET6){ *noip6 = 1; } @@ -704,7 +727,7 @@ make_sock(int stype, const char* ifname, const char* port, static int make_sock_port(int stype, const char* ifname, const char* port, struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd, - int* reuseport) + int* reuseport, int transparent) { char* s = strchr(ifname, '@'); if(s) { @@ -726,10 +749,10 @@ make_sock_port(int stype, const char* ifname, const char* port, (void)strlcpy(p, s+1, sizeof(p)); p[strlen(s+1)]=0; return make_sock(stype, newif, p, hints, v6only, noip6, - rcv, snd, reuseport); + rcv, snd, reuseport, transparent); } return make_sock(stype, ifname, port, hints, v6only, noip6, rcv, snd, - reuseport); + reuseport, transparent); } /** @@ -823,19 +846,20 @@ set_recvpktinfo(int s, int family) * @param ssl_port: ssl service port number * @param reuseport: try to set SO_REUSEPORT if nonNULL and true. * set to false on exit if reuseport failed due to no kernel support. + * @param transparent: set IP_TRANSPARENT socket option. * @return: returns false on error. */ static int ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, struct addrinfo *hints, const char* port, struct listen_port** list, - size_t rcv, size_t snd, int ssl_port, int* reuseport) + size_t rcv, size_t snd, int ssl_port, int* reuseport, int transparent) { int s, noip6=0; if(!do_udp && !do_tcp) return 0; if(do_auto) { if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, - &noip6, rcv, snd, reuseport)) == -1) { + &noip6, rcv, snd, reuseport, transparent)) == -1) { if(noip6) { log_warn("IPv6 protocol not available"); return 1; @@ -862,7 +886,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, } else if(do_udp) { /* regular udp socket */ if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, - &noip6, rcv, snd, reuseport)) == -1) { + &noip6, rcv, snd, reuseport, transparent)) == -1) { if(noip6) { log_warn("IPv6 protocol not available"); return 1; @@ -883,7 +907,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, atoi(strchr(ifname, '@')+1) == ssl_port) || (!strchr(ifname, '@') && atoi(port) == ssl_port)); if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, - &noip6, 0, 0, reuseport)) == -1) { + &noip6, 0, 0, reuseport, transparent)) == -1) { if(noip6) { /*log_warn("IPv6 protocol not available");*/ return 1; @@ -1039,7 +1063,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport) do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, - cfg->ssl_port, reuseport)) { + cfg->ssl_port, reuseport, + cfg->ip_transparent)) { listening_ports_free(list); return NULL; } @@ -1050,7 +1075,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport) do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, - cfg->ssl_port, reuseport)) { + cfg->ssl_port, reuseport, + cfg->ip_transparent)) { listening_ports_free(list); return NULL; } @@ -1063,7 +1089,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport) if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, - cfg->ssl_port, reuseport)) { + cfg->ssl_port, reuseport, + cfg->ip_transparent)) { listening_ports_free(list); return NULL; } @@ -1074,7 +1101,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport) if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, - cfg->ssl_port, reuseport)) { + cfg->ssl_port, reuseport, + cfg->ip_transparent)) { listening_ports_free(list); return NULL; } diff --git a/contrib/unbound/services/listen_dnsport.h b/contrib/unbound/services/listen_dnsport.h index e9883a8..676f0c6 100644 --- a/contrib/unbound/services/listen_dnsport.h +++ b/contrib/unbound/services/listen_dnsport.h @@ -189,11 +189,12 @@ void listen_start_accept(struct listen_dnsport* listen); * set SO_REUSEADDR on it. * @param reuseport: if nonNULL and true, try to set SO_REUSEPORT on * listening UDP port. Set to false on return if it failed to do so. + * @param transparent: set IP_TRANSPARENT socket option. * @return: the socket. -1 on error. */ int create_udp_sock(int family, int socktype, struct sockaddr* addr, socklen_t addrlen, int v6only, int* inuse, int* noproto, int rcv, - int snd, int listen, int* reuseport); + int snd, int listen, int* reuseport, int transparent); /** * Create and bind TCP listening socket @@ -202,10 +203,11 @@ int create_udp_sock(int family, int socktype, struct sockaddr* addr, * @param noproto: if error caused by lack of protocol support. * @param reuseport: if nonNULL and true, try to set SO_REUSEPORT on * listening UDP port. Set to false on return if it failed to do so. + * @param transparent: set IP_TRANSPARENT socket option. * @return: the socket. -1 on error. */ int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto, - int* reuseport); + int* reuseport, int transparent); /** * Create and bind local listening socket diff --git a/contrib/unbound/services/localzone.c b/contrib/unbound/services/localzone.c index 57510bd..c50ad0f 100644 --- a/contrib/unbound/services/localzone.c +++ b/contrib/unbound/services/localzone.c @@ -40,8 +40,8 @@ */ #include "config.h" #include "services/localzone.h" -#include "ldns/str2wire.h" -#include "ldns/sbuffer.h" +#include "sldns/str2wire.h" +#include "sldns/sbuffer.h" #include "util/regional.h" #include "util/config_file.h" #include "util/data/dname.h" @@ -1027,6 +1027,10 @@ void local_zones_print(struct local_zones* zones) log_nametypeclass(0, "inform zone", z->name, 0, z->dclass); break; + case local_zone_inform_deny: + log_nametypeclass(0, "inform_deny zone", + z->name, 0, z->dclass); + break; default: log_nametypeclass(0, "badtyped zone", z->name, 0, z->dclass); @@ -1124,7 +1128,7 @@ lz_zone_answer(struct local_zone* z, struct query_info* qinfo, struct edns_data* edns, sldns_buffer* buf, struct regional* temp, struct local_data* ld) { - if(z->type == local_zone_deny) { + if(z->type == local_zone_deny || z->type == local_zone_inform_deny) { /** no reply at all, signal caller by clearing buffer. */ sldns_buffer_clear(buf); sldns_buffer_flip(buf); @@ -1211,7 +1215,8 @@ local_zones_answer(struct local_zones* zones, struct query_info* qinfo, lock_rw_rdlock(&z->lock); lock_rw_unlock(&zones->lock); - if(z->type == local_zone_inform && repinfo) + if((z->type == local_zone_inform || z->type == local_zone_inform_deny) + && repinfo) lz_inform_print(z, qinfo, repinfo); if(local_data_answer(z, qinfo, edns, buf, temp, labs, &ld)) { @@ -1234,6 +1239,7 @@ const char* local_zone_type2str(enum localzone_type t) case local_zone_static: return "static"; case local_zone_nodefault: return "nodefault"; case local_zone_inform: return "inform"; + case local_zone_inform_deny: return "inform_deny"; } return "badtyped"; } @@ -1254,6 +1260,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t) *t = local_zone_redirect; else if(strcmp(type, "inform") == 0) *t = local_zone_inform; + else if(strcmp(type, "inform_deny") == 0) + *t = local_zone_inform_deny; else return 0; return 1; } diff --git a/contrib/unbound/services/localzone.h b/contrib/unbound/services/localzone.h index 29ba866..3d62a69 100644 --- a/contrib/unbound/services/localzone.h +++ b/contrib/unbound/services/localzone.h @@ -73,7 +73,9 @@ enum localzone_type { * nodefault is used in config not during service. */ local_zone_nodefault, /** log client address, but no block (transparent) */ - local_zone_inform + local_zone_inform, + /** log client address, and block (drop) */ + local_zone_inform_deny }; /** diff --git a/contrib/unbound/services/mesh.c b/contrib/unbound/services/mesh.c index a69aced..8076874 100644 --- a/contrib/unbound/services/mesh.c +++ b/contrib/unbound/services/mesh.c @@ -55,7 +55,7 @@ #include "util/fptr_wlist.h" #include "util/alloc.h" #include "util/config_file.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" /** subtract timers and the values do not overflow or become negative */ static void diff --git a/contrib/unbound/services/outside_network.c b/contrib/unbound/services/outside_network.c index 5bb52ff..f105bc0 100644 --- a/contrib/unbound/services/outside_network.c +++ b/contrib/unbound/services/outside_network.c @@ -57,7 +57,7 @@ #include "util/net_help.h" #include "util/random.h" #include "util/fptr_wlist.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" #include "dnstap/dnstap.h" #ifdef HAVE_OPENSSL_SSL_H #include <openssl/ssl.h> @@ -893,13 +893,13 @@ udp_sockport(struct sockaddr_storage* addr, socklen_t addrlen, int port, sa->sin6_port = (in_port_t)htons((uint16_t)port); fd = create_udp_sock(AF_INET6, SOCK_DGRAM, (struct sockaddr*)addr, addrlen, 1, inuse, &noproto, - 0, 0, 0, NULL); + 0, 0, 0, NULL, 0); } else { struct sockaddr_in* sa = (struct sockaddr_in*)addr; sa->sin_port = (in_port_t)htons((uint16_t)port); fd = create_udp_sock(AF_INET, SOCK_DGRAM, (struct sockaddr*)addr, addrlen, 1, inuse, &noproto, - 0, 0, 0, NULL); + 0, 0, 0, NULL, 0); } return fd; } @@ -1510,7 +1510,8 @@ serviced_callbacks(struct serviced_query* sq, int error, struct comm_point* c, log_assert(rem); /* should have been present */ sq->to_be_deleted = 1; verbose(VERB_ALGO, "svcd callbacks start"); - if(sq->outnet->use_caps_for_id && error == NETEVENT_NOERROR && c) { + if(sq->outnet->use_caps_for_id && error == NETEVENT_NOERROR && c && + !sq->nocaps) { /* noerror and nxdomain must have a qname in reply */ if(sldns_buffer_read_u16_at(c->buffer, 4) == 0 && (LDNS_RCODE_WIRE(sldns_buffer_begin(c->buffer)) @@ -1590,7 +1591,7 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error, infra_update_tcp_works(sq->outnet->infra, &sq->addr, sq->addrlen, sq->zone, sq->zonelen); #ifdef USE_DNSTAP - if(sq->outnet->dtenv && + if(error==NETEVENT_NOERROR && sq->outnet->dtenv && (sq->outnet->dtenv->log_resolver_response_messages || sq->outnet->dtenv->log_forwarder_response_messages)) dt_msg_send_outside_response(sq->outnet->dtenv, &sq->addr, diff --git a/contrib/unbound/ldns/keyraw.c b/contrib/unbound/sldns/keyraw.c index 1ff0774..59e8000 100644 --- a/contrib/unbound/ldns/keyraw.c +++ b/contrib/unbound/sldns/keyraw.c @@ -11,8 +11,8 @@ */ #include "config.h" -#include "ldns/keyraw.h" -#include "ldns/rrdef.h" +#include "sldns/keyraw.h" +#include "sldns/rrdef.h" #ifdef HAVE_SSL #include <openssl/ssl.h> diff --git a/contrib/unbound/ldns/keyraw.h b/contrib/unbound/sldns/keyraw.h index 8abe235..8abe235 100644 --- a/contrib/unbound/ldns/keyraw.h +++ b/contrib/unbound/sldns/keyraw.h diff --git a/contrib/unbound/ldns/parse.c b/contrib/unbound/sldns/parse.c index a605e54..35dee71 100644 --- a/contrib/unbound/ldns/parse.c +++ b/contrib/unbound/sldns/parse.c @@ -8,9 +8,9 @@ * See the file LICENSE for the license */ #include "config.h" -#include "ldns/parse.h" -#include "ldns/parseutil.h" -#include "ldns/sbuffer.h" +#include "sldns/parse.h" +#include "sldns/parseutil.h" +#include "sldns/sbuffer.h" #include <limits.h> #include <strings.h> diff --git a/contrib/unbound/ldns/parse.h b/contrib/unbound/sldns/parse.h index 7b7456d..7b7456d 100644 --- a/contrib/unbound/ldns/parse.h +++ b/contrib/unbound/sldns/parse.h diff --git a/contrib/unbound/ldns/parseutil.c b/contrib/unbound/sldns/parseutil.c index 28b344e..2a2ebbb 100644 --- a/contrib/unbound/ldns/parseutil.c +++ b/contrib/unbound/sldns/parseutil.c @@ -13,7 +13,7 @@ */ #include "config.h" -#include "ldns/parseutil.h" +#include "sldns/parseutil.h" #include <sys/time.h> #include <time.h> #include <ctype.h> diff --git a/contrib/unbound/ldns/parseutil.h b/contrib/unbound/sldns/parseutil.h index dfa1c2a..dfa1c2a 100644 --- a/contrib/unbound/ldns/parseutil.h +++ b/contrib/unbound/sldns/parseutil.h diff --git a/contrib/unbound/ldns/pkthdr.h b/contrib/unbound/sldns/pkthdr.h index de9952e..de9952e 100644 --- a/contrib/unbound/ldns/pkthdr.h +++ b/contrib/unbound/sldns/pkthdr.h diff --git a/contrib/unbound/ldns/rrdef.c b/contrib/unbound/sldns/rrdef.c index 9b4bf7c..a8c6229 100644 --- a/contrib/unbound/ldns/rrdef.c +++ b/contrib/unbound/sldns/rrdef.c @@ -13,8 +13,8 @@ * Defines resource record types and constants. */ #include "config.h" -#include "ldns/rrdef.h" -#include "ldns/parseutil.h" +#include "sldns/rrdef.h" +#include "sldns/parseutil.h" /* classes */ static sldns_lookup_table sldns_rr_classes_data[] = { @@ -213,13 +213,11 @@ static const sldns_rdf_type type_eui48_wireformat[] = { static const sldns_rdf_type type_eui64_wireformat[] = { LDNS_RDF_TYPE_EUI64 }; -#ifdef DRAFT_RRTYPES static const sldns_rdf_type type_uri_wireformat[] = { LDNS_RDF_TYPE_INT16, LDNS_RDF_TYPE_INT16, LDNS_RDF_TYPE_LONG_STR }; -#endif static const sldns_rdf_type type_caa_wireformat[] = { LDNS_RDF_TYPE_INT8, LDNS_RDF_TYPE_TAG, @@ -590,12 +588,8 @@ static sldns_rr_descriptor rdata_field_descriptors[] = { /* ANY: A request for all (available) records */ {LDNS_RR_TYPE_ANY, "ANY", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, -#ifdef DRAFT_RRTYPES /* 256 */ {LDNS_RR_TYPE_URI, "URI", 3, 3, type_uri_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, -#else -{LDNS_RR_TYPE_NULL, "TYPE256", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, -#endif /* 257 */ {LDNS_RR_TYPE_CAA, "CAA", 3, 3, type_caa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, diff --git a/contrib/unbound/ldns/rrdef.h b/contrib/unbound/sldns/rrdef.h index 933bcdf..ab65943 100644 --- a/contrib/unbound/ldns/rrdef.h +++ b/contrib/unbound/sldns/rrdef.h @@ -220,8 +220,7 @@ enum sldns_enum_rr_type LDNS_RR_TYPE_MAILA = 254, /** any type (wildcard) */ LDNS_RR_TYPE_ANY = 255, - /** draft-faltstrom-uri-06 */ - LDNS_RR_TYPE_URI = 256, + LDNS_RR_TYPE_URI = 256, /* RFC 7553 */ LDNS_RR_TYPE_CAA = 257, /* RFC 6844 */ /** DNSSEC Trust Authorities */ @@ -343,7 +342,7 @@ enum sldns_enum_rdf_type /** A <character-string> encoding of the value field as specified * [RFC1035], Section 5.1., encoded as remaining rdata. - * For CAA. + * For CAA, URI. */ LDNS_RDF_TYPE_LONG_STR, diff --git a/contrib/unbound/ldns/sbuffer.c b/contrib/unbound/sldns/sbuffer.c index 3d087bf..a7fe53a 100644 --- a/contrib/unbound/ldns/sbuffer.c +++ b/contrib/unbound/sldns/sbuffer.c @@ -12,7 +12,7 @@ * This file contains the definition of sldns_buffer, and functions to manipulate those. */ #include "config.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" #include <stdarg.h> sldns_buffer * diff --git a/contrib/unbound/ldns/sbuffer.h b/contrib/unbound/sldns/sbuffer.h index 3ce874f..3ce874f 100644 --- a/contrib/unbound/ldns/sbuffer.h +++ b/contrib/unbound/sldns/sbuffer.h diff --git a/contrib/unbound/ldns/str2wire.c b/contrib/unbound/sldns/str2wire.c index 931e28f..8cda8c7 100644 --- a/contrib/unbound/ldns/str2wire.c +++ b/contrib/unbound/sldns/str2wire.c @@ -12,11 +12,11 @@ * Parses text to wireformat. */ #include "config.h" -#include "ldns/str2wire.h" -#include "ldns/wire2str.h" -#include "ldns/sbuffer.h" -#include "ldns/parse.h" -#include "ldns/parseutil.h" +#include "sldns/str2wire.h" +#include "sldns/wire2str.h" +#include "sldns/sbuffer.h" +#include "sldns/parse.h" +#include "sldns/parseutil.h" #include <ctype.h> #ifdef HAVE_TIME_H #include <time.h> diff --git a/contrib/unbound/ldns/str2wire.h b/contrib/unbound/sldns/str2wire.h index 94c8933..527074a 100644 --- a/contrib/unbound/ldns/str2wire.h +++ b/contrib/unbound/sldns/str2wire.h @@ -16,7 +16,7 @@ #define LDNS_STR2WIRE_H /* include rrdef for MAX_DOMAINLEN constant */ -#include <ldns/rrdef.h> +#include <sldns/rrdef.h> #ifdef __cplusplus extern "C" { diff --git a/contrib/unbound/ldns/wire2str.c b/contrib/unbound/sldns/wire2str.c index 81e173c..cec3bc7 100644 --- a/contrib/unbound/ldns/wire2str.c +++ b/contrib/unbound/sldns/wire2str.c @@ -15,13 +15,13 @@ * representation, as well as functions to print them. */ #include "config.h" -#include "ldns/wire2str.h" -#include "ldns/str2wire.h" -#include "ldns/rrdef.h" -#include "ldns/pkthdr.h" -#include "ldns/parseutil.h" -#include "ldns/sbuffer.h" -#include "ldns/keyraw.h" +#include "sldns/wire2str.h" +#include "sldns/str2wire.h" +#include "sldns/rrdef.h" +#include "sldns/pkthdr.h" +#include "sldns/parseutil.h" +#include "sldns/sbuffer.h" +#include "sldns/keyraw.h" #ifdef HAVE_TIME_H #include <time.h> #endif diff --git a/contrib/unbound/ldns/wire2str.h b/contrib/unbound/sldns/wire2str.h index 67f5435..67f5435 100644 --- a/contrib/unbound/ldns/wire2str.h +++ b/contrib/unbound/sldns/wire2str.h diff --git a/contrib/unbound/smallapp/unbound-anchor.c b/contrib/unbound/smallapp/unbound-anchor.c index 9df0d95..92bfa84 100644 --- a/contrib/unbound/smallapp/unbound-anchor.c +++ b/contrib/unbound/smallapp/unbound-anchor.c @@ -116,7 +116,8 @@ #include "config.h" #include "libunbound/unbound.h" -#include "ldns/rrdef.h" +#include "sldns/rrdef.h" +#include "sldns/parseutil.h" #include <expat.h> #ifndef HAVE_EXPAT_H #error "need libexpat to parse root-anchors.xml file." @@ -915,7 +916,10 @@ read_data_chunk(SSL* ssl, size_t len) { size_t got = 0; int r; - char* data = malloc(len+1); + char* data; + if(len >= 0xfffffff0) + return NULL; /* to protect against integer overflow in malloc*/ + data = malloc(len+1); if(!data) { if(verb) printf("out of memory\n"); return NULL; @@ -1325,7 +1329,7 @@ xml_convertdate(const char* str) /* but ignore, (lenient) */ } - t = mktime(&tm); + t = sldns_mktime_from_utc(&tm); if(t == (time_t)-1) { if(verb) printf("xml_convertdate mktime failure\n"); return 0; diff --git a/contrib/unbound/smallapp/unbound-checkconf.c b/contrib/unbound/smallapp/unbound-checkconf.c index b5d7b9f..0524ede 100644 --- a/contrib/unbound/smallapp/unbound-checkconf.c +++ b/contrib/unbound/smallapp/unbound-checkconf.c @@ -53,7 +53,7 @@ #include "iterator/iter_hints.h" #include "validator/validator.h" #include "services/localzone.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" #ifdef HAVE_GETOPT_H #include <getopt.h> #endif diff --git a/contrib/unbound/smallapp/unbound-control-setup.sh b/contrib/unbound/smallapp/unbound-control-setup.sh index 010bfd4..816b4f5 100755 --- a/contrib/unbound/smallapp/unbound-control-setup.sh +++ b/contrib/unbound/smallapp/unbound-control-setup.sh @@ -46,7 +46,7 @@ CLIENTNAME=unbound-control DAYS=7200 # size of keys in bits -BITS=1536 +BITS=3072 # hash algorithm HASH=sha256 diff --git a/contrib/unbound/smallapp/unbound-control-setup.sh.in b/contrib/unbound/smallapp/unbound-control-setup.sh.in index 75e76e2..682ab26 100755 --- a/contrib/unbound/smallapp/unbound-control-setup.sh.in +++ b/contrib/unbound/smallapp/unbound-control-setup.sh.in @@ -46,7 +46,7 @@ CLIENTNAME=unbound-control DAYS=7200 # size of keys in bits -BITS=1536 +BITS=3072 # hash algorithm HASH=sha256 diff --git a/contrib/unbound/smallapp/unbound-control.c b/contrib/unbound/smallapp/unbound-control.c index 3b47d3b..571b4d0 100644 --- a/contrib/unbound/smallapp/unbound-control.c +++ b/contrib/unbound/smallapp/unbound-control.c @@ -109,6 +109,7 @@ usage() printf(" get_option opt get option value\n"); printf(" list_stubs list stub-zones and root hints in use\n"); printf(" list_forwards list forward-zones in use\n"); + printf(" list_insecure list domain-insecure zones\n"); printf(" list_local_zones list local-zones in use\n"); printf(" list_local_data list local-data RRs in use\n"); printf(" insecure_add zone add domain-insecure zone\n"); @@ -122,6 +123,8 @@ usage() printf(" forward [off | addr ...] without arg show forward setup\n"); printf(" or off to turn off root forwarding\n"); printf(" or give list of ip addresses\n"); + printf(" ratelimit_list [+a] list ratelimited domains\n"); + printf(" +a list all, also not ratelimited\n"); printf("Version %s\n", PACKAGE_VERSION); printf("BSD licensed, see LICENSE in source package for details.\n"); printf("Report bugs to %s\n", PACKAGE_BUGREPORT); @@ -158,7 +161,7 @@ setup_ctx(struct config_file* cfg) if(cfg->remote_control_use_cert) { if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) ssl_err("could not set SSL_OP_NO_SSLv3"); - if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) || + if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) || !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) || !SSL_CTX_check_private_key(ctx)) ssl_err("Error setting up SSL_CTX client key and cert"); diff --git a/contrib/unbound/smallapp/unbound-host.c b/contrib/unbound/smallapp/unbound-host.c index 9597341..30fef51 100644 --- a/contrib/unbound/smallapp/unbound-host.c +++ b/contrib/unbound/smallapp/unbound-host.c @@ -60,8 +60,8 @@ #define unbound_lite_wrapstr(s) s #endif #include "libunbound/unbound.h" -#include "ldns/rrdef.h" -#include "ldns/wire2str.h" +#include "sldns/rrdef.h" +#include "sldns/wire2str.h" #ifdef HAVE_NSS /* nss3 */ #include "nss.h" diff --git a/contrib/unbound/util/alloc.c b/contrib/unbound/util/alloc.c index 4b81beb..05d2fa3 100644 --- a/contrib/unbound/util/alloc.c +++ b/contrib/unbound/util/alloc.c @@ -364,11 +364,18 @@ void *unbound_stat_malloc(size_t size) #ifdef calloc #undef calloc #endif +#ifndef INT_MAX +#define INT_MAX (((int)-1)>>1) +#endif /** calloc with stats */ void *unbound_stat_calloc(size_t nmemb, size_t size) { - size_t s = (nmemb*size==0)?(size_t)1:nmemb*size; - void* res = calloc(1, s+16); + size_t s; + void* res; + if(nmemb != 0 && INT_MAX/nmemb < size) + return NULL; /* integer overflow check */ + s = (nmemb*size==0)?(size_t)1:nmemb*size; + res = calloc(1, s+16); if(!res) return NULL; log_info("stat %p=calloc(%u, %u)", res+16, (unsigned)nmemb, (unsigned)size); unbound_mem_alloc += s; @@ -503,8 +510,12 @@ void *unbound_stat_malloc_lite(size_t size, const char* file, int line, void *unbound_stat_calloc_lite(size_t nmemb, size_t size, const char* file, int line, const char* func) { - size_t req = nmemb * size; - void* res = malloc(req+lite_pad*2+sizeof(size_t)); + size_t req; + void* res; + if(nmemb != 0 && INT_MAX/nmemb < size) + return NULL; /* integer overflow check */ + req = nmemb * size; + res = malloc(req+lite_pad*2+sizeof(size_t)); if(!res) return NULL; memmove(res, lite_pre, lite_pad); memmove(res+lite_pad, &req, sizeof(size_t)); diff --git a/contrib/unbound/util/alloc.h b/contrib/unbound/util/alloc.h index ffd605c..43fc30f 100644 --- a/contrib/unbound/util/alloc.h +++ b/contrib/unbound/util/alloc.h @@ -177,8 +177,8 @@ void alloc_set_id_cleanup(struct alloc_cache* alloc, void (*cleanup)(void*), void* arg); #ifdef UNBOUND_ALLOC_LITE -# include <ldns/ldns.h> -# include <ldns/packet.h> +# include <sldns/ldns.h> +# include <sldns/packet.h> # ifdef HAVE_OPENSSL_SSL_H # include <openssl/ssl.h> # endif diff --git a/contrib/unbound/util/config_file.c b/contrib/unbound/util/config_file.c index cdb2b33..062d12d 100644 --- a/contrib/unbound/util/config_file.c +++ b/contrib/unbound/util/config_file.c @@ -56,8 +56,9 @@ #include "util/fptr_wlist.h" #include "util/data/dname.h" #include "util/rtt.h" -#include "ldns/wire2str.h" -#include "ldns/parseutil.h" +#include "services/cache/infra.h" +#include "sldns/wire2str.h" +#include "sldns/parseutil.h" #ifdef HAVE_GLOB_H # include <glob.h> #endif @@ -69,6 +70,8 @@ uid_t cfg_uid = (uid_t)-1; /** from cfg username, after daemonise setup performed */ gid_t cfg_gid = (gid_t)-1; +/** for debug allow small timeout values for fast rollovers */ +int autr_permit_small_holddown = 0; /** global config during parsing */ struct config_parser_state* cfg_parser = 0; @@ -131,6 +134,7 @@ config_create(void) cfg->bogus_ttl = 60; cfg->min_ttl = 0; cfg->max_ttl = 3600 * 24; + cfg->max_negative_ttl = 3600; cfg->prefetch = 0; cfg->prefetch_key = 0; cfg->infra_cache_slabs = 4; @@ -156,6 +160,7 @@ config_create(void) cfg->so_rcvbuf = 0; cfg->so_sndbuf = 0; cfg->so_reuseport = 0; + cfg->ip_transparent = 0; cfg->num_ifs = 0; cfg->ifs = NULL; cfg->num_out_ifs = 0; @@ -169,7 +174,9 @@ config_create(void) cfg->harden_dnssec_stripped = 1; cfg->harden_below_nxdomain = 0; cfg->harden_referral_path = 0; + cfg->harden_algo_downgrade = 0; cfg->use_caps_bits_for_id = 0; + cfg->caps_whitelist = NULL; cfg->private_address = NULL; cfg->private_domain = NULL; cfg->unwanted_threshold = 0; @@ -195,6 +202,7 @@ config_create(void) cfg->add_holddown = 30*24*3600; cfg->del_holddown = 30*24*3600; cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */ + cfg->permit_small_holddown = 0; cfg->key_cache_size = 4 * 1024 * 1024; cfg->key_cache_slabs = 4; cfg->neg_cache_size = 1 * 1024 * 1024; @@ -226,6 +234,12 @@ config_create(void) if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH))) goto error_exit; #endif + cfg->ratelimit = 0; + cfg->ratelimit_slabs = 4; + cfg->ratelimit_size = 4*1024*1024; + cfg->ratelimit_for_domain = NULL; + cfg->ratelimit_below_domain = NULL; + cfg->ratelimit_factor = 10; return cfg; error_exit: config_delete(cfg); @@ -372,12 +386,15 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_MEMSIZE("so-rcvbuf:", so_rcvbuf) else S_MEMSIZE("so-sndbuf:", so_sndbuf) else S_YNO("so-reuseport:", so_reuseport) + else S_YNO("ip-transparent:", ip_transparent) else S_MEMSIZE("rrset-cache-size:", rrset_cache_size) else S_POW2("rrset-cache-slabs:", rrset_cache_slabs) else S_YNO("prefetch:", prefetch) else S_YNO("prefetch-key:", prefetch_key) else if(strcmp(opt, "cache-max-ttl:") == 0) { IS_NUMBER_OR_ZERO; cfg->max_ttl = atoi(val); MAX_TTL=(time_t)cfg->max_ttl;} + else if(strcmp(opt, "cache-max-negative-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->max_negative_ttl = atoi(val); MAX_NEG_TTL=(time_t)cfg->max_negative_ttl;} else if(strcmp(opt, "cache-min-ttl:") == 0) { IS_NUMBER_OR_ZERO; cfg->min_ttl = atoi(val); MIN_TTL=(time_t)cfg->min_ttl;} else if(strcmp(opt, "infra-cache-min-rtt:") == 0) { @@ -404,7 +421,9 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_YNO("harden-dnssec-stripped:", harden_dnssec_stripped) else S_YNO("harden-below-nxdomain:", harden_below_nxdomain) else S_YNO("harden-referral-path:", harden_referral_path) + else S_YNO("harden-algo-downgrade:", harden_algo_downgrade) else S_YNO("use-caps-for-id", use_caps_bits_for_id) + else S_STRLIST("caps-whitelist:", caps_whitelist) else S_SIZET_OR_ZERO("unwanted-reply-threshold:", unwanted_threshold) else S_STRLIST("private-address:", private_address) else S_STRLIST("private-domain:", private_domain) @@ -428,6 +447,9 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown) else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown) else S_UNSIGNED_OR_ZERO("keep-missing:", keep_missing) + else if(strcmp(opt, "permit-small-holddown:") == 0) + { IS_YES_OR_NO; cfg->permit_small_holddown = (strcmp(val, "yes") == 0); + autr_permit_small_holddown = cfg->permit_small_holddown; } else S_MEMSIZE("key-cache-size:", key_cache_size) else S_POW2("key-cache-slabs:", key_cache_slabs) else S_MEMSIZE("neg-cache-size:", neg_cache_size) @@ -444,6 +466,13 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_STR("control-cert-file:", control_cert_file) else S_STR("module-config:", module_conf) else S_STR("python-script:", python_script) + else if(strcmp(opt, "ratelimit:") == 0) { + IS_NUMBER_OR_ZERO; cfg->ratelimit = atoi(val); + infra_dp_ratelimit=cfg->ratelimit; + } + else S_MEMSIZE("ratelimit-size:", ratelimit_size) + else S_POW2("ratelimit-slabs:", ratelimit_slabs) + else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor) /* val_sig_skew_min and max are copied into val_env during init, * so this does not update val_env with set_option */ else if(strcmp(opt, "val-sig-skew-min:") == 0) @@ -452,7 +481,8 @@ int config_set_option(struct config_file* cfg, const char* opt, { IS_NUMBER_OR_ZERO; cfg->val_sig_skew_max = (int32_t)atoi(val); } else if (strcmp(opt, "outgoing-interface:") == 0) { char* d = strdup(val); - char** oi = (char**)malloc((cfg->num_out_ifs+1)*sizeof(char*)); + char** oi = + (char**)reallocarray(NULL, (size_t)cfg->num_out_ifs+1, sizeof(char*)); if(!d || !oi) { free(d); free(oi); return -1; } if(cfg->out_ifs && cfg->num_out_ifs) { memmove(oi, cfg->out_ifs, cfg->num_out_ifs*sizeof(char*)); @@ -465,7 +495,8 @@ int config_set_option(struct config_file* cfg, const char* opt, * interface, outgoing-interface, access-control, * stub-zone, name, stub-addr, stub-host, stub-prime * forward-first, stub-first, - * forward-zone, name, forward-addr, forward-host */ + * forward-zone, name, forward-addr, forward-host, + * ratelimit-for-domain, ratelimit-below-domain */ return 0; } return 1; @@ -577,8 +608,8 @@ config_collate_cat(struct config_strlist* list) #define O_MEM(opt, str, var) if(strcmp(opt, str)==0) { \ if(cfg->var > 1024*1024*1024) { \ size_t f=cfg->var/(size_t)1000000, b=cfg->var%(size_t)1000000; \ - snprintf(buf, len, "%u%6.6u\n", (unsigned)f, (unsigned)b); \ - } else snprintf(buf, len, "%u\n", (unsigned)cfg->var); \ + snprintf(buf, len, "%u%6.6u", (unsigned)f, (unsigned)b); \ + } else snprintf(buf, len, "%u", (unsigned)cfg->var); \ func(buf, arg);} /** compare and print list option */ #define O_LST(opt, name, lst) if(strcmp(opt, name)==0) { \ @@ -624,11 +655,13 @@ config_get_option(struct config_file* cfg, const char* opt, else O_MEM(opt, "so-rcvbuf", so_rcvbuf) else O_MEM(opt, "so-sndbuf", so_sndbuf) else O_YNO(opt, "so-reuseport", so_reuseport) + else O_YNO(opt, "ip-transparent", ip_transparent) else O_MEM(opt, "rrset-cache-size", rrset_cache_size) else O_DEC(opt, "rrset-cache-slabs", rrset_cache_slabs) else O_YNO(opt, "prefetch-key", prefetch_key) else O_YNO(opt, "prefetch", prefetch) else O_DEC(opt, "cache-max-ttl", max_ttl) + else O_DEC(opt, "cache-max-negative-ttl", max_negative_ttl) else O_DEC(opt, "cache-min-ttl", min_ttl) else O_DEC(opt, "infra-host-ttl", host_ttl) else O_DEC(opt, "infra-cache-slabs", infra_cache_slabs) @@ -662,7 +695,9 @@ config_get_option(struct config_file* cfg, const char* opt, else O_YNO(opt, "harden-dnssec-stripped", harden_dnssec_stripped) else O_YNO(opt, "harden-below-nxdomain", harden_below_nxdomain) else O_YNO(opt, "harden-referral-path", harden_referral_path) + else O_YNO(opt, "harden-algo-downgrade", harden_algo_downgrade) else O_YNO(opt, "use-caps-for-id", use_caps_bits_for_id) + else O_LST(opt, "caps-whitelist", caps_whitelist) else O_DEC(opt, "unwanted-reply-threshold", unwanted_threshold) else O_YNO(opt, "do-not-query-localhost", donotquery_localhost) else O_STR(opt, "module-config", module_conf) @@ -676,6 +711,7 @@ config_get_option(struct config_file* cfg, const char* opt, else O_UNS(opt, "add-holddown", add_holddown) else O_UNS(opt, "del-holddown", del_holddown) else O_UNS(opt, "keep-missing", keep_missing) + else O_YNO(opt, "permit-small-holddown", permit_small_holddown) else O_MEM(opt, "key-cache-size", key_cache_size) else O_DEC(opt, "key-cache-slabs", key_cache_slabs) else O_MEM(opt, "neg-cache-size", neg_cache_size) @@ -703,6 +739,12 @@ config_get_option(struct config_file* cfg, const char* opt, else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones) else O_DEC(opt, "max-udp-size", max_udp_size) else O_STR(opt, "python-script", python_script) + else O_DEC(opt, "ratelimit", ratelimit) + else O_MEM(opt, "ratelimit-size", ratelimit_size) + else O_DEC(opt, "ratelimit-slabs", ratelimit_slabs) + else O_LS2(opt, "ratelimit-for-domain", ratelimit_for_domain) + else O_LS2(opt, "ratelimit-below-domain", ratelimit_below_domain) + else O_DEC(opt, "ratelimit-factor", ratelimit_factor) else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min) else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max) /* not here: @@ -890,6 +932,7 @@ config_delete(struct config_file* cfg) free(cfg->version); free(cfg->module_conf); free(cfg->outgoing_avail_ports); + config_delstrlist(cfg->caps_whitelist); config_delstrlist(cfg->private_address); config_delstrlist(cfg->private_domain); config_delstrlist(cfg->auto_trust_anchor_file_list); @@ -909,9 +952,12 @@ config_delete(struct config_file* cfg) free(cfg->server_cert_file); free(cfg->control_key_file); free(cfg->control_cert_file); + free(cfg->dns64_prefix); free(cfg->dnstap_socket_path); free(cfg->dnstap_identity); free(cfg->dnstap_version); + config_deldblstrlist(cfg->ratelimit_for_domain); + config_deldblstrlist(cfg->ratelimit_below_domain); free(cfg); } @@ -998,7 +1044,7 @@ int cfg_condense_ports(struct config_file* cfg, int** avail) *avail = NULL; if(num == 0) return 0; - *avail = (int*)malloc(sizeof(int)*num); + *avail = (int*)reallocarray(NULL, (size_t)num, sizeof(int)); if(!*avail) return 0; for(i=0; i<65536; i++) { @@ -1198,11 +1244,13 @@ config_apply(struct config_file* config) { MAX_TTL = (time_t)config->max_ttl; MIN_TTL = (time_t)config->min_ttl; + MAX_NEG_TTL = (time_t)config->max_negative_ttl; RTT_MIN_TIMEOUT = config->infra_cache_min_rtt; EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size; MINIMAL_RESPONSES = config->minimal_responses; RRSET_ROUNDROBIN = config->rrset_roundrobin; log_set_time_asc(config->log_time_ascii); + autr_permit_small_holddown = config->permit_small_holddown; } void config_lookup_uid(struct config_file* cfg) diff --git a/contrib/unbound/util/config_file.h b/contrib/unbound/util/config_file.h index ca512d7..99b15e0 100644 --- a/contrib/unbound/util/config_file.h +++ b/contrib/unbound/util/config_file.h @@ -136,6 +136,8 @@ struct config_file { size_t so_sndbuf; /** SO_REUSEPORT requested on port 53 sockets */ int so_reuseport; + /** IP_TRANSPARENT socket option requested on port 53 sockets */ + int ip_transparent; /** number of interfaces to open. If 0 default all interfaces. */ int num_ifs; @@ -173,8 +175,12 @@ struct config_file { int harden_below_nxdomain; /** harden the referral path, query for NS,A,AAAA and validate */ int harden_referral_path; + /** harden against algorithm downgrade */ + int harden_algo_downgrade; /** use 0x20 bits in query as random ID bits */ int use_caps_bits_for_id; + /** 0x20 whitelist, domains that do not use capsforid */ + struct config_strlist* caps_whitelist; /** strip away these private addrs from answers, no DNS Rebinding */ struct config_strlist* private_address; /** allow domain (and subdomains) to use private address space */ @@ -185,6 +191,8 @@ struct config_file { int max_ttl; /** the number of seconds minimum TTL used for RRsets and messages */ int min_ttl; + /** the number of seconds maximal negative TTL for SOA in auth */ + int max_negative_ttl; /** if prefetching of messages should be performed. */ int prefetch; /** if prefetching of DNSKEYs should be performed. */ @@ -261,6 +269,8 @@ struct config_file { unsigned int del_holddown; /** autotrust keep_missing time, in seconds. 0 is forever. */ unsigned int keep_missing; + /** permit small holddown values, allowing 5011 rollover very fast */ + int permit_small_holddown; /** size of the key cache */ size_t key_cache_size; @@ -341,12 +351,27 @@ struct config_file { int dnstap_log_forwarder_query_messages; /** true to log dnstap FORWARDER_RESPONSE message events */ int dnstap_log_forwarder_response_messages; + + /** ratelimit 0 is off, otherwise qps (unless overridden) */ + int ratelimit; + /** number of slabs for ratelimit cache */ + size_t ratelimit_slabs; + /** memory size in bytes for ratelimit cache */ + size_t ratelimit_size; + /** ratelimits for domain (exact match) */ + struct config_str2list* ratelimit_for_domain; + /** ratelimits below domain */ + struct config_str2list* ratelimit_below_domain; + /** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */ + int ratelimit_factor; }; /** from cfg username, after daemonise setup performed */ extern uid_t cfg_uid; /** from cfg username, after daemonise setup performed */ extern gid_t cfg_gid; +/** debug and enable small timeouts */ +extern int autr_permit_small_holddown; /** * Stub config options diff --git a/contrib/unbound/util/configlexer.lex b/contrib/unbound/util/configlexer.lex index 0e22946..1aea22e 100644 --- a/contrib/unbound/util/configlexer.lex +++ b/contrib/unbound/util/configlexer.lex @@ -128,6 +128,10 @@ static void config_start_include_glob(const char* filename) #endif ; memset(&g, 0, sizeof(g)); + if(cfg_parser->chroot && strncmp(filename, cfg_parser->chroot, + strlen(cfg_parser->chroot)) == 0) { + filename += strlen(cfg_parser->chroot); + } r = glob(filename, flags, NULL, &g); if(r) { /* some error */ @@ -228,6 +232,7 @@ interface-automatic{COLON} { YDVAR(1, VAR_INTERFACE_AUTOMATIC) } so-rcvbuf{COLON} { YDVAR(1, VAR_SO_RCVBUF) } so-sndbuf{COLON} { YDVAR(1, VAR_SO_SNDBUF) } so-reuseport{COLON} { YDVAR(1, VAR_SO_REUSEPORT) } +ip-transparent{COLON} { YDVAR(1, VAR_IP_TRANSPARENT) } chroot{COLON} { YDVAR(1, VAR_CHROOT) } username{COLON} { YDVAR(1, VAR_USERNAME) } directory{COLON} { YDVAR(1, VAR_DIRECTORY) } @@ -241,6 +246,7 @@ msg-cache-slabs{COLON} { YDVAR(1, VAR_MSG_CACHE_SLABS) } rrset-cache-size{COLON} { YDVAR(1, VAR_RRSET_CACHE_SIZE) } rrset-cache-slabs{COLON} { YDVAR(1, VAR_RRSET_CACHE_SLABS) } cache-max-ttl{COLON} { YDVAR(1, VAR_CACHE_MAX_TTL) } +cache-max-negative-ttl{COLON} { YDVAR(1, VAR_CACHE_MAX_NEGATIVE_TTL) } cache-min-ttl{COLON} { YDVAR(1, VAR_CACHE_MIN_TTL) } infra-host-ttl{COLON} { YDVAR(1, VAR_INFRA_HOST_TTL) } infra-lame-ttl{COLON} { YDVAR(1, VAR_INFRA_LAME_TTL) } @@ -258,7 +264,9 @@ harden-glue{COLON} { YDVAR(1, VAR_HARDEN_GLUE) } harden-dnssec-stripped{COLON} { YDVAR(1, VAR_HARDEN_DNSSEC_STRIPPED) } harden-below-nxdomain{COLON} { YDVAR(1, VAR_HARDEN_BELOW_NXDOMAIN) } harden-referral-path{COLON} { YDVAR(1, VAR_HARDEN_REFERRAL_PATH) } +harden-algo-downgrade{COLON} { YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) } use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) } +caps-whitelist{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) } unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) } private-address{COLON} { YDVAR(1, VAR_PRIVATE_ADDRESS) } private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) } @@ -304,6 +312,7 @@ val-nsec3-keysize-iterations{COLON} { add-holddown{COLON} { YDVAR(1, VAR_ADD_HOLDDOWN) } del-holddown{COLON} { YDVAR(1, VAR_DEL_HOLDDOWN) } keep-missing{COLON} { YDVAR(1, VAR_KEEP_MISSING) } +permit-small-holddown{COLON} { YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) } use-syslog{COLON} { YDVAR(1, VAR_USE_SYSLOG) } log-time-ascii{COLON} { YDVAR(1, VAR_LOG_TIME_ASCII) } log-queries{COLON} { YDVAR(1, VAR_LOG_QUERIES) } @@ -350,6 +359,12 @@ dnstap-log-forwarder-query-messages{COLON} { YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) } dnstap-log-forwarder-response-messages{COLON} { YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) } +ratelimit{COLON} { YDVAR(1, VAR_RATELIMIT) } +ratelimit-slabs{COLON} { YDVAR(1, VAR_RATELIMIT_SLABS) } +ratelimit-size{COLON} { YDVAR(1, VAR_RATELIMIT_SIZE) } +ratelimit-for-domain{COLON} { YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) } +ratelimit-below-domain{COLON} { YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) } +ratelimit-factor{COLON} { YDVAR(1, VAR_RATELIMIT_FACTOR) } <INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; } /* Quoted strings. Strip leading and ending quotes */ diff --git a/contrib/unbound/util/configparser.y b/contrib/unbound/util/configparser.y index 396ea3c..d6db3c8 100644 --- a/contrib/unbound/util/configparser.y +++ b/contrib/unbound/util/configparser.y @@ -118,6 +118,10 @@ extern struct config_parser_state* cfg_parser; %token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES %token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES %token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES +%token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT +%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE +%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR +%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; @@ -177,7 +181,12 @@ content_server: server_num_threads | server_verbosity | server_port | server_minimal_responses | server_rrset_roundrobin | server_max_udp_size | server_so_reuseport | server_delay_close | server_unblock_lan_zones | server_dns64_prefix | server_dns64_synthall | - server_infra_cache_min_rtt + server_infra_cache_min_rtt | server_harden_algo_downgrade | + server_ip_transparent | server_ratelimit | server_ratelimit_slabs | + server_ratelimit_size | server_ratelimit_for_domain | + server_ratelimit_below_domain | server_ratelimit_factor | + server_caps_whitelist | server_cache_max_negative_ttl | + server_permit_small_holddown ; stubstart: VAR_STUB_ZONE { @@ -620,6 +629,16 @@ server_so_reuseport: VAR_SO_REUSEPORT STRING_ARG free($2); } ; +server_ip_transparent: VAR_IP_TRANSPARENT STRING_ARG + { + OUTYY(("P(server_ip_transparent:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_transparent = + (strcmp($2, "yes")==0); + free($2); + } + ; server_edns_buffer_size: VAR_EDNS_BUFFER_SIZE STRING_ARG { OUTYY(("P(server_edns_buffer_size:%s)\n", $2)); @@ -846,6 +865,16 @@ server_harden_referral_path: VAR_HARDEN_REFERRAL_PATH STRING_ARG free($2); } ; +server_harden_algo_downgrade: VAR_HARDEN_ALGO_DOWNGRADE STRING_ARG + { + OUTYY(("P(server_harden_algo_downgrade:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->harden_algo_downgrade = + (strcmp($2, "yes")==0); + free($2); + } + ; server_use_caps_for_id: VAR_USE_CAPS_FOR_ID STRING_ARG { OUTYY(("P(server_use_caps_for_id:%s)\n", $2)); @@ -856,6 +885,13 @@ server_use_caps_for_id: VAR_USE_CAPS_FOR_ID STRING_ARG free($2); } ; +server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG + { + OUTYY(("P(server_caps_whitelist:%s)\n", $2)); + if(!cfg_strlist_insert(&cfg_parser->cfg->caps_whitelist, $2)) + yyerror("out of memory"); + } + ; server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG { OUTYY(("P(server_private_address:%s)\n", $2)); @@ -991,6 +1027,15 @@ server_cache_max_ttl: VAR_CACHE_MAX_TTL STRING_ARG free($2); } ; +server_cache_max_negative_ttl: VAR_CACHE_MAX_NEGATIVE_TTL STRING_ARG + { + OUTYY(("P(server_cache_max_negative_ttl:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->max_negative_ttl = atoi($2); + free($2); + } + ; server_cache_min_ttl: VAR_CACHE_MIN_TTL STRING_ARG { OUTYY(("P(server_cache_min_ttl:%s)\n", $2)); @@ -1081,6 +1126,15 @@ server_keep_missing: VAR_KEEP_MISSING STRING_ARG free($2); } ; +server_permit_small_holddown: VAR_PERMIT_SMALL_HOLDDOWN STRING_ARG + { + OUTYY(("P(server_permit_small_holddown:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->permit_small_holddown = + (strcmp($2, "yes")==0); + free($2); + } server_key_cache_size: VAR_KEY_CACHE_SIZE STRING_ARG { OUTYY(("P(server_key_cache_size:%s)\n", $2)); @@ -1117,10 +1171,11 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG strcmp($3, "refuse")!=0 && strcmp($3, "redirect")!=0 && strcmp($3, "transparent")!=0 && strcmp($3, "nodefault")!=0 && strcmp($3, "typetransparent")!=0 && - strcmp($3, "inform")!=0) + strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0) yyerror("local-zone type: expected static, deny, " "refuse, redirect, transparent, " - "typetransparent, inform or nodefault"); + "typetransparent, inform, inform_deny " + "or nodefault"); else if(strcmp($3, "nodefault")==0) { if(!cfg_strlist_insert(&cfg_parser->cfg-> local_zones_nodefault, $2)) @@ -1198,6 +1253,71 @@ server_dns64_synthall: VAR_DNS64_SYNTHALL STRING_ARG free($2); } ; +server_ratelimit: VAR_RATELIMIT STRING_ARG + { + OUTYY(("P(server_ratelimit:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->ratelimit = atoi($2); + free($2); + } + ; +server_ratelimit_size: VAR_RATELIMIT_SIZE STRING_ARG + { + OUTYY(("P(server_ratelimit_size:%s)\n", $2)); + if(!cfg_parse_memsize($2, &cfg_parser->cfg->ratelimit_size)) + yyerror("memory size expected"); + free($2); + } + ; +server_ratelimit_slabs: VAR_RATELIMIT_SLABS STRING_ARG + { + OUTYY(("P(server_ratelimit_slabs:%s)\n", $2)); + if(atoi($2) == 0) + yyerror("number expected"); + else { + cfg_parser->cfg->ratelimit_slabs = atoi($2); + if(!is_pow2(cfg_parser->cfg->ratelimit_slabs)) + yyerror("must be a power of 2"); + } + free($2); + } + ; +server_ratelimit_for_domain: VAR_RATELIMIT_FOR_DOMAIN STRING_ARG STRING_ARG + { + OUTYY(("P(server_ratelimit_for_domain:%s %s)\n", $2, $3)); + if(atoi($3) == 0 && strcmp($3, "0") != 0) { + yyerror("number expected"); + } else { + if(!cfg_str2list_insert(&cfg_parser->cfg-> + ratelimit_for_domain, $2, $3)) + fatal_exit("out of memory adding " + "ratelimit-for-domain"); + } + } + ; +server_ratelimit_below_domain: VAR_RATELIMIT_BELOW_DOMAIN STRING_ARG STRING_ARG + { + OUTYY(("P(server_ratelimit_below_domain:%s %s)\n", $2, $3)); + if(atoi($3) == 0 && strcmp($3, "0") != 0) { + yyerror("number expected"); + } else { + if(!cfg_str2list_insert(&cfg_parser->cfg-> + ratelimit_below_domain, $2, $3)) + fatal_exit("out of memory adding " + "ratelimit-below-domain"); + } + } + ; +server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG + { + OUTYY(("P(server_ratelimit_factor:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->ratelimit_factor = atoi($2); + free($2); + } + ; stub_name: VAR_NAME STRING_ARG { OUTYY(("P(name:%s)\n", $2)); diff --git a/contrib/unbound/util/data/dname.c b/contrib/unbound/util/data/dname.c index d43bbf6..79bf52a 100644 --- a/contrib/unbound/util/data/dname.c +++ b/contrib/unbound/util/data/dname.c @@ -45,7 +45,7 @@ #include "util/data/msgparse.h" #include "util/log.h" #include "util/storage/lookup3.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" /* determine length of a dname in buffer, no compression pointers allowed */ size_t diff --git a/contrib/unbound/util/data/msgencode.c b/contrib/unbound/util/data/msgencode.c index 26b5dea..43464e9 100644 --- a/contrib/unbound/util/data/msgencode.c +++ b/contrib/unbound/util/data/msgencode.c @@ -47,7 +47,7 @@ #include "util/log.h" #include "util/regional.h" #include "util/net_help.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" /** return code that means the function ran out of memory. negative so it does * not conflict with DNS rcodes. */ @@ -283,7 +283,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt, size_t owner_pos, uint16_t* owner_ptr, int owner_labs) { struct compress_tree_node* p; - struct compress_tree_node** insertpt; + struct compress_tree_node** insertpt = NULL; if(!*owner_ptr) { /* compress first time dname */ if((p = compress_tree_lookup(tree, key->rk.dname, diff --git a/contrib/unbound/util/data/msgparse.c b/contrib/unbound/util/data/msgparse.c index abe778a..108c9da 100644 --- a/contrib/unbound/util/data/msgparse.c +++ b/contrib/unbound/util/data/msgparse.c @@ -42,10 +42,10 @@ #include "util/data/packed_rrset.h" #include "util/storage/lookup3.h" #include "util/regional.h" -#include "ldns/rrdef.h" -#include "ldns/sbuffer.h" -#include "ldns/parseutil.h" -#include "ldns/wire2str.h" +#include "sldns/rrdef.h" +#include "sldns/sbuffer.h" +#include "sldns/parseutil.h" +#include "sldns/wire2str.h" /** smart comparison of (compressed, valid) dnames from packet */ static int diff --git a/contrib/unbound/util/data/msgparse.h b/contrib/unbound/util/data/msgparse.h index 221a45a..44497c8 100644 --- a/contrib/unbound/util/data/msgparse.h +++ b/contrib/unbound/util/data/msgparse.h @@ -63,8 +63,8 @@ #ifndef UTIL_DATA_MSGPARSE_H #define UTIL_DATA_MSGPARSE_H #include "util/storage/lruhash.h" -#include "ldns/pkthdr.h" -#include "ldns/rrdef.h" +#include "sldns/pkthdr.h" +#include "sldns/rrdef.h" struct sldns_buffer; struct rrset_parse; struct rr_parse; @@ -76,6 +76,8 @@ struct regional; extern time_t MAX_TTL; /** Minimum TTL that is allowed. */ extern time_t MIN_TTL; +/** Maximum Negative TTL that is allowed */ +extern time_t MAX_NEG_TTL; /** Negative cache time (for entries without any RRs.) */ #define NORR_TTL 5 /* seconds */ diff --git a/contrib/unbound/util/data/msgreply.c b/contrib/unbound/util/data/msgreply.c index 68bcfd0..06593ff 100644 --- a/contrib/unbound/util/data/msgreply.c +++ b/contrib/unbound/util/data/msgreply.c @@ -50,13 +50,15 @@ #include "util/regional.h" #include "util/data/msgparse.h" #include "util/data/msgencode.h" -#include "ldns/sbuffer.h" -#include "ldns/wire2str.h" +#include "sldns/sbuffer.h" +#include "sldns/wire2str.h" /** MAX TTL default for messages and rrsets */ time_t MAX_TTL = 3600 * 24 * 10; /* ten days */ /** MIN TTL default for messages and rrsets */ time_t MIN_TTL = 0; +/** MAX Negative TTL, for SOA records in authority section */ +time_t MAX_NEG_TTL = 3600; /* one hour */ /** allocate qinfo, return 0 on error */ static int @@ -87,6 +89,7 @@ construct_reply_info_base(struct regional* region, uint16_t flags, size_t qd, /* rrset_count-1 because the first ref is part of the struct. */ size_t s = sizeof(struct reply_info) - sizeof(struct rrset_ref) + sizeof(struct ub_packed_rrset_key*) * total; + if(total >= RR_COUNT_MAX) return NULL; /* sanity check on numRRS*/ if(region) rep = (struct reply_info*)regional_alloc(region, s); else rep = (struct reply_info*)malloc(s + @@ -152,10 +155,23 @@ repinfo_alloc_rrset_keys(struct reply_info* rep, struct alloc_cache* alloc, return 1; } +/** find the minimumttl in the rdata of SOA record */ +static time_t +soa_find_minttl(struct rr_parse* rr) +{ + uint16_t rlen = sldns_read_uint16(rr->ttl_data+4); + if(rlen < 20) + return 0; /* rdata too small for SOA (dname, dname, 5*32bit) */ + /* minimum TTL is the last 32bit value in the rdata of the record */ + /* at position ttl_data + 4(ttl) + 2(rdatalen) + rdatalen - 4(timeval)*/ + return (time_t)sldns_read_uint32(rr->ttl_data+6+rlen-4); +} + /** do the rdata copy */ static int rdata_copy(sldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to, - struct rr_parse* rr, time_t* rr_ttl, uint16_t type) + struct rr_parse* rr, time_t* rr_ttl, uint16_t type, + sldns_pkt_section section) { uint16_t pkt_len; const sldns_rr_descriptor* desc; @@ -164,6 +180,14 @@ rdata_copy(sldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to, /* RFC 2181 Section 8. if msb of ttl is set treat as if zero. */ if(*rr_ttl & 0x80000000U) *rr_ttl = 0; + if(type == LDNS_RR_TYPE_SOA && section == LDNS_SECTION_AUTHORITY) { + /* negative response. see if TTL of SOA record larger than the + * minimum-ttl in the rdata of the SOA record */ + if(*rr_ttl > soa_find_minttl(rr)) + *rr_ttl = soa_find_minttl(rr); + if(*rr_ttl > MAX_NEG_TTL) + *rr_ttl = MAX_NEG_TTL; + } if(*rr_ttl < MIN_TTL) *rr_ttl = MIN_TTL; if(*rr_ttl < data->ttl) @@ -253,7 +277,7 @@ parse_rr_copy(sldns_buffer* pkt, struct rrset_parse* pset, data->rr_data[i] = nextrdata; nextrdata += rr->size; if(!rdata_copy(pkt, data, data->rr_data[i], rr, - &data->rr_ttl[i], pset->type)) + &data->rr_ttl[i], pset->type, pset->section)) return 0; rr = rr->next; } @@ -264,7 +288,7 @@ parse_rr_copy(sldns_buffer* pkt, struct rrset_parse* pset, data->rr_data[i] = nextrdata; nextrdata += rr->size; if(!rdata_copy(pkt, data, data->rr_data[i], rr, - &data->rr_ttl[i], LDNS_RR_TYPE_RRSIG)) + &data->rr_ttl[i], LDNS_RR_TYPE_RRSIG, pset->section)) return 0; rr = rr->next; } @@ -277,7 +301,11 @@ parse_create_rrset(sldns_buffer* pkt, struct rrset_parse* pset, struct packed_rrset_data** data, struct regional* region) { /* allocate */ - size_t s = sizeof(struct packed_rrset_data) + + size_t s; + if(pset->rr_count > RR_COUNT_MAX || pset->rrsig_count > RR_COUNT_MAX || + pset->size > RR_COUNT_MAX) + return 0; /* protect against integer overflow */ + s = sizeof(struct packed_rrset_data) + (pset->rr_count + pset->rrsig_count) * (sizeof(size_t)+sizeof(uint8_t*)+sizeof(time_t)) + pset->size; @@ -794,13 +822,13 @@ log_query_info(enum verbosity_value v, const char* str, } int -reply_check_cname_chain(struct reply_info* rep) +reply_check_cname_chain(struct query_info* qinfo, struct reply_info* rep) { /* check only answer section rrs for matching cname chain. * the cache may return changed rdata, but owner names are untouched.*/ size_t i; - uint8_t* sname = rep->rrsets[0]->rk.dname; - size_t snamelen = rep->rrsets[0]->rk.dname_len; + uint8_t* sname = qinfo->qname; + size_t snamelen = qinfo->qname_len; for(i=0; i<rep->an_numrrsets; i++) { uint16_t t = ntohs(rep->rrsets[i]->rk.type); if(t == LDNS_RR_TYPE_DNAME) diff --git a/contrib/unbound/util/data/msgreply.h b/contrib/unbound/util/data/msgreply.h index e8d6d76..7088979 100644 --- a/contrib/unbound/util/data/msgreply.h +++ b/contrib/unbound/util/data/msgreply.h @@ -359,10 +359,11 @@ uint8_t* reply_find_final_cname_target(struct query_info* qinfo, /** * Check if cname chain in cached reply is still valid. + * @param qinfo: query info with query name. * @param rep: reply to check. * @return: true if valid, false if invalid. */ -int reply_check_cname_chain(struct reply_info* rep); +int reply_check_cname_chain(struct query_info* qinfo, struct reply_info* rep); /** * Check security status of all RRs in the message. diff --git a/contrib/unbound/util/data/packed_rrset.c b/contrib/unbound/util/data/packed_rrset.c index 8074685..0a5c9d3 100644 --- a/contrib/unbound/util/data/packed_rrset.c +++ b/contrib/unbound/util/data/packed_rrset.c @@ -47,9 +47,9 @@ #include "util/alloc.h" #include "util/regional.h" #include "util/net_help.h" -#include "ldns/rrdef.h" -#include "ldns/sbuffer.h" -#include "ldns/wire2str.h" +#include "sldns/rrdef.h" +#include "sldns/sbuffer.h" +#include "sldns/wire2str.h" void ub_packed_rrset_parsedelete(struct ub_packed_rrset_key* pkey, diff --git a/contrib/unbound/util/data/packed_rrset.h b/contrib/unbound/util/data/packed_rrset.h index 5d7990a..6039aef 100644 --- a/contrib/unbound/util/data/packed_rrset.h +++ b/contrib/unbound/util/data/packed_rrset.h @@ -58,6 +58,12 @@ typedef uint64_t rrset_id_t; * from the SOA in the answer section from a direct SOA query or ANY query. */ #define PACKED_RRSET_SOA_NEG 0x4 +/** number of rrs and rrsets for integer overflow protection. More than + * this is not really possible (64K packet has much less RRs and RRsets) in + * a message. And this is small enough that also multiplied there is no + * integer overflow. */ +#define RR_COUNT_MAX 0xffffff + /** * The identifying information for an RRset. */ diff --git a/contrib/unbound/util/fptr_wlist.c b/contrib/unbound/util/fptr_wlist.c index 5a77432..1397e9c 100644 --- a/contrib/unbound/util/fptr_wlist.c +++ b/contrib/unbound/util/fptr_wlist.c @@ -210,6 +210,7 @@ fptr_whitelist_hash_sizefunc(lruhash_sizefunc_t fptr) else if(fptr == &ub_rrset_sizefunc) return 1; else if(fptr == &infra_sizefunc) return 1; else if(fptr == &key_entry_sizefunc) return 1; + else if(fptr == &rate_sizefunc) return 1; else if(fptr == &test_slabhash_sizefunc) return 1; return 0; } @@ -221,6 +222,7 @@ fptr_whitelist_hash_compfunc(lruhash_compfunc_t fptr) else if(fptr == &ub_rrset_compare) return 1; else if(fptr == &infra_compfunc) return 1; else if(fptr == &key_entry_compfunc) return 1; + else if(fptr == &rate_compfunc) return 1; else if(fptr == &test_slabhash_compfunc) return 1; return 0; } @@ -232,6 +234,7 @@ fptr_whitelist_hash_delkeyfunc(lruhash_delkeyfunc_t fptr) else if(fptr == &ub_rrset_key_delete) return 1; else if(fptr == &infra_delkeyfunc) return 1; else if(fptr == &key_entry_delkeyfunc) return 1; + else if(fptr == &rate_delkeyfunc) return 1; else if(fptr == &test_slabhash_delkey) return 1; return 0; } @@ -243,6 +246,7 @@ fptr_whitelist_hash_deldatafunc(lruhash_deldatafunc_t fptr) else if(fptr == &rrset_data_delete) return 1; else if(fptr == &infra_deldatafunc) return 1; else if(fptr == &key_entry_deldatafunc) return 1; + else if(fptr == &rate_deldatafunc) return 1; else if(fptr == &test_slabhash_deldata) return 1; return 0; } diff --git a/contrib/unbound/util/iana_ports.inc b/contrib/unbound/util/iana_ports.inc index ce939d5..64edf0b 100644 --- a/contrib/unbound/util/iana_ports.inc +++ b/contrib/unbound/util/iana_ports.inc @@ -1066,7 +1066,6 @@ 1404, 1405, 1406, -1407, 1408, 1409, 1410, @@ -3791,7 +3790,6 @@ 4321, 4322, 4323, -4324, 4325, 4326, 4327, @@ -3842,6 +3840,8 @@ 4404, 4405, 4406, +4412, +4413, 4425, 4426, 4430, @@ -4015,6 +4015,7 @@ 4952, 4969, 4970, +4980, 4986, 4987, 4988, @@ -4359,6 +4360,7 @@ 6072, 6073, 6074, +6080, 6081, 6082, 6083, @@ -4433,6 +4435,7 @@ 6389, 6390, 6417, +6419, 6420, 6421, 6443, @@ -4665,6 +4668,7 @@ 7725, 7726, 7727, +7728, 7734, 7738, 7741, @@ -4779,6 +4783,7 @@ 8301, 8320, 8321, +8322, 8351, 8376, 8377, @@ -4786,6 +4791,7 @@ 8379, 8380, 8383, +8384, 8400, 8401, 8402, @@ -4802,6 +4808,7 @@ 8474, 8500, 8501, +8503, 8554, 8555, 8567, @@ -4853,6 +4860,7 @@ 9000, 9001, 9002, +9006, 9007, 9009, 9020, @@ -5031,6 +5039,7 @@ 10200, 10201, 10252, +10253, 10260, 10288, 10439, @@ -5165,6 +5174,8 @@ 17220, 17221, 17222, +17224, +17225, 17234, 17235, 17500, @@ -5237,6 +5248,7 @@ 22005, 22273, 22305, +22335, 22343, 22347, 22350, @@ -5376,6 +5388,7 @@ 40843, 40853, 41111, +41230, 41794, 41795, 42508, diff --git a/contrib/unbound/util/log.c b/contrib/unbound/util/log.c index f90efa7..3ebd120 100644 --- a/contrib/unbound/util/log.c +++ b/contrib/unbound/util/log.c @@ -40,7 +40,7 @@ #include "config.h" #include "util/log.h" #include "util/locks.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" #include <stdarg.h> #ifdef HAVE_TIME_H #include <time.h> @@ -164,6 +164,14 @@ void log_thread_set(int* num) ub_thread_key_set(logkey, num); } +int log_thread_get(void) +{ + unsigned int* tid; + if(!key_created) return 0; + tid = (unsigned int*)ub_thread_key_get(logkey); + return (int)(tid?*tid:0); +} + void log_ident_set(const char* id) { ident = id; diff --git a/contrib/unbound/util/log.h b/contrib/unbound/util/log.h index ea283da..8e85ee6 100644 --- a/contrib/unbound/util/log.h +++ b/contrib/unbound/util/log.h @@ -98,6 +98,15 @@ void log_file(FILE *f); void log_thread_set(int* num); /** + * Get the thread id from logging system. Set after log_init is + * initialised, or log_thread_set for newly created threads. + * This initialisation happens in unbound as a daemon, in daemon + * startup code, when that spawns threads. + * @return thread number, from 0 and up. Before initialised, returns 0. + */ +int log_thread_get(void); + +/** * Set identity to print, default is 'unbound'. * @param id: string to print. Name of executable. */ diff --git a/contrib/unbound/util/net_help.c b/contrib/unbound/util/net_help.c index e2b7c38..07605b1 100644 --- a/contrib/unbound/util/net_help.c +++ b/contrib/unbound/util/net_help.c @@ -43,8 +43,8 @@ #include "util/data/dname.h" #include "util/module.h" #include "util/regional.h" -#include "ldns/parseutil.h" -#include "ldns/wire2str.h" +#include "sldns/parseutil.h" +#include "sldns/wire2str.h" #include <fcntl.h> #ifdef HAVE_OPENSSL_SSL_H #include <openssl/ssl.h> @@ -629,9 +629,9 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem) SSL_CTX_free(ctx); return NULL; } - if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) { + if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { log_err("error for cert file: %s", pem); - log_crypto_err("error in SSL_CTX use_certificate_file"); + log_crypto_err("error in SSL_CTX use_certificate_chain_file"); SSL_CTX_free(ctx); return NULL; } @@ -647,6 +647,23 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem) SSL_CTX_free(ctx); return NULL; } +#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO + if(!SSL_CTX_set_ecdh_auto(ctx,1)) { + log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE"); + } +#elif defined(USE_ECDSA) + if(1) { + EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1); + if (!ecdh) { + log_crypto_err("could not find p256, not enabling ECDHE"); + } else { + if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) { + log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE"); + } + EC_KEY_free (ecdh); + } + } +#endif if(verifypem && verifypem[0]) { if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { @@ -684,7 +701,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem) return NULL; } if(key && key[0]) { - if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) { + if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { log_err("error in client certificate %s", pem); log_crypto_err("error in certificate file"); SSL_CTX_free(ctx); @@ -770,7 +787,7 @@ static lock_basic_t *ub_openssl_locks = NULL; static unsigned long ub_crypto_id_cb(void) { - return (unsigned long)ub_thread_self(); + return (unsigned long)log_thread_get(); } static void @@ -789,8 +806,8 @@ int ub_openssl_lock_init(void) { #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) int i; - ub_openssl_locks = (lock_basic_t*)malloc( - sizeof(lock_basic_t)*CRYPTO_num_locks()); + ub_openssl_locks = (lock_basic_t*)reallocarray( + NULL, (size_t)CRYPTO_num_locks(), sizeof(lock_basic_t)); if(!ub_openssl_locks) return 0; for(i=0; i<CRYPTO_num_locks(); i++) { diff --git a/contrib/unbound/util/netevent.c b/contrib/unbound/util/netevent.c index c7ed30e..3bb8948 100644 --- a/contrib/unbound/util/netevent.c +++ b/contrib/unbound/util/netevent.c @@ -43,8 +43,8 @@ #include "util/log.h" #include "util/net_help.h" #include "util/fptr_wlist.h" -#include "ldns/pkthdr.h" -#include "ldns/sbuffer.h" +#include "sldns/pkthdr.h" +#include "sldns/sbuffer.h" #include "dnstap/dnstap.h" #ifdef HAVE_OPENSSL_SSL_H #include <openssl/ssl.h> @@ -498,12 +498,16 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet, cmsg = CMSG_FIRSTHDR(&msg); if(r->srctype == 4) { #ifdef IP_PKTINFO + void* cmsg_data; msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo)); log_assert(msg.msg_controllen <= sizeof(control)); cmsg->cmsg_level = IPPROTO_IP; cmsg->cmsg_type = IP_PKTINFO; memmove(CMSG_DATA(cmsg), &r->pktinfo.v4info, sizeof(struct in_pktinfo)); + /* unset the ifindex to not bypass the routing tables */ + cmsg_data = CMSG_DATA(cmsg); + ((struct in_pktinfo *) cmsg_data)->ipi_ifindex = 0; cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); #elif defined(IP_SENDSRCADDR) msg.msg_controllen = CMSG_SPACE(sizeof(struct in_addr)); @@ -518,12 +522,16 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet, msg.msg_control = NULL; #endif /* IP_PKTINFO or IP_SENDSRCADDR */ } else if(r->srctype == 6) { + void* cmsg_data; msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo)); log_assert(msg.msg_controllen <= sizeof(control)); cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_PKTINFO; memmove(CMSG_DATA(cmsg), &r->pktinfo.v6info, sizeof(struct in6_pktinfo)); + /* unset the ifindex to not bypass the routing tables */ + cmsg_data = CMSG_DATA(cmsg); + ((struct in6_pktinfo *) cmsg_data)->ipi6_ifindex = 0; cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); } else { /* try to pass all 0 to use default route */ @@ -879,12 +887,12 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg) } /* grab the tcp handler buffers */ + c->cur_tcp_count++; c->tcp_free = c_hdl->tcp_free; if(!c->tcp_free) { /* stop accepting incoming queries for now. */ comm_point_stop_listening(c); } - /* addr is dropped. Not needed for tcp reply. */ setup_tcp_handler(c_hdl, new_fd); } @@ -902,6 +910,7 @@ reclaim_tcp_handler(struct comm_point* c) } comm_point_close(c); if(c->tcp_parent) { + c->tcp_parent->cur_tcp_count--; c->tcp_free = c->tcp_parent->tcp_free; c->tcp_parent->tcp_free = c; if(!c->tcp_free) { @@ -1528,6 +1537,7 @@ comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer, c->tcp_byte_count = 0; c->tcp_parent = NULL; c->max_tcp_count = 0; + c->cur_tcp_count = 0; c->tcp_handlers = NULL; c->tcp_free = NULL; c->type = comm_udp; @@ -1578,6 +1588,7 @@ comm_point_create_udp_ancil(struct comm_base *base, int fd, c->tcp_byte_count = 0; c->tcp_parent = NULL; c->max_tcp_count = 0; + c->cur_tcp_count = 0; c->tcp_handlers = NULL; c->tcp_free = NULL; c->type = comm_udp; @@ -1639,6 +1650,7 @@ comm_point_create_tcp_handler(struct comm_base *base, c->tcp_byte_count = 0; c->tcp_parent = parent; c->max_tcp_count = 0; + c->cur_tcp_count = 0; c->tcp_handlers = NULL; c->tcp_free = NULL; c->type = comm_tcp; @@ -1691,6 +1703,7 @@ comm_point_create_tcp(struct comm_base *base, int fd, int num, size_t bufsize, c->tcp_byte_count = 0; c->tcp_parent = NULL; c->max_tcp_count = num; + c->cur_tcp_count = 0; c->tcp_handlers = (struct comm_point**)calloc((size_t)num, sizeof(struct comm_point*)); if(!c->tcp_handlers) { @@ -1758,6 +1771,7 @@ comm_point_create_tcp_out(struct comm_base *base, size_t bufsize, c->tcp_byte_count = 0; c->tcp_parent = NULL; c->max_tcp_count = 0; + c->cur_tcp_count = 0; c->tcp_handlers = NULL; c->tcp_free = NULL; c->type = comm_tcp; @@ -1810,6 +1824,7 @@ comm_point_create_local(struct comm_base *base, int fd, size_t bufsize, c->tcp_byte_count = 0; c->tcp_parent = NULL; c->max_tcp_count = 0; + c->cur_tcp_count = 0; c->tcp_handlers = NULL; c->tcp_free = NULL; c->type = comm_local; @@ -1857,6 +1872,7 @@ comm_point_create_raw(struct comm_base* base, int fd, int writing, c->tcp_byte_count = 0; c->tcp_parent = NULL; c->max_tcp_count = 0; + c->cur_tcp_count = 0; c->tcp_handlers = NULL; c->tcp_free = NULL; c->type = comm_raw; diff --git a/contrib/unbound/util/netevent.h b/contrib/unbound/util/netevent.h index 37322ab..4b87cdb 100644 --- a/contrib/unbound/util/netevent.h +++ b/contrib/unbound/util/netevent.h @@ -164,6 +164,8 @@ struct comm_point { /* -------- TCP Accept -------- */ /** the number of TCP handlers for this tcp-accept socket */ int max_tcp_count; + /** current number of tcp handler in-use for this accept socket */ + int cur_tcp_count; /** malloced array of tcp handlers for a tcp-accept, of size max_tcp_count. */ struct comm_point** tcp_handlers; diff --git a/contrib/unbound/validator/autotrust.c b/contrib/unbound/validator/autotrust.c index 5e1dc4e..e63b086 100644 --- a/contrib/unbound/validator/autotrust.c +++ b/contrib/unbound/validator/autotrust.c @@ -57,11 +57,11 @@ #include "services/mesh.h" #include "services/cache/rrset.h" #include "validator/val_kcache.h" -#include "ldns/sbuffer.h" -#include "ldns/wire2str.h" -#include "ldns/str2wire.h" -#include "ldns/keyraw.h" -#include "ldns/rrdef.h" +#include "sldns/sbuffer.h" +#include "sldns/wire2str.h" +#include "sldns/str2wire.h" +#include "sldns/keyraw.h" +#include "sldns/rrdef.h" #include <stdarg.h> #include <ctype.h> @@ -1184,7 +1184,7 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp) verbose(VERB_ALGO, "autotrust: write to disk: %s", tempf); out = fopen(tempf, "w"); if(!out) { - log_err("could not open autotrust file for writing, %s: %s", + fatal_exit("could not open autotrust file for writing, %s: %s", tempf, strerror(errno)); return; } @@ -1192,11 +1192,11 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp) /* failed to write contents (completely) */ fclose(out); unlink(tempf); - log_err("could not completely write: %s", fname); + fatal_exit("could not completely write: %s", fname); return; } if(fclose(out) != 0) { - log_err("could not complete write: %s: %s", + fatal_exit("could not complete write: %s: %s", fname, strerror(errno)); unlink(tempf); return; @@ -1207,7 +1207,7 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp) (void)unlink(fname); /* windows does not replace file with rename() */ #endif if(rename(tempf, fname) < 0) { - log_err("rename(%s to %s): %s", tempf, fname, strerror(errno)); + fatal_exit("rename(%s to %s): %s", tempf, fname, strerror(errno)); } } @@ -1225,7 +1225,7 @@ verify_dnskey(struct module_env* env, struct val_env* ve, { char* reason = NULL; uint8_t sigalg[ALGO_NEEDS_MAX+1]; - int downprot = 1; + int downprot = env->cfg->harden_algo_downgrade; enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset, tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason); /* sigalg is ignored, it returns algorithms signalled to exist, but @@ -1447,9 +1447,11 @@ set_tp_times(struct trust_anchor* tp, time_t rrsig_exp_interval, if(rrsig_exp_interval/2 < x) x = rrsig_exp_interval/2; /* MAX(1hr, x) */ - if(x < 3600) - tp->autr->query_interval = 3600; - else tp->autr->query_interval = x; + if(!autr_permit_small_holddown) { + if(x < 3600) + tp->autr->query_interval = 3600; + else tp->autr->query_interval = x; + } else tp->autr->query_interval = x; /* x= MIN(1day, ttl/10, expire/10) */ x = 24 * 3600; @@ -1458,9 +1460,11 @@ set_tp_times(struct trust_anchor* tp, time_t rrsig_exp_interval, if(rrsig_exp_interval/10 < x) x = rrsig_exp_interval/10; /* MAX(1hr, x) */ - if(x < 3600) - tp->autr->retry_time = 3600; - else tp->autr->retry_time = x; + if(!autr_permit_small_holddown) { + if(x < 3600) + tp->autr->retry_time = 3600; + else tp->autr->retry_time = x; + } else tp->autr->retry_time = x; if(qi != tp->autr->query_interval || rt != tp->autr->retry_time) { *changed = 1; @@ -1959,8 +1963,12 @@ calc_next_probe(struct module_env* env, time_t wait) { /* make it random, 90-100% */ time_t rnd, rest; - if(wait < 3600) - wait = 3600; + if(!autr_permit_small_holddown) { + if(wait < 3600) + wait = 3600; + } else { + if(wait == 0) wait = 1; + } rnd = wait/10; rest = wait-rnd; rnd = (time_t)ub_random_max(env->rnd, (long int)rnd); @@ -2349,6 +2357,8 @@ todo_probe(struct module_env* env, time_t* next) if( (el=rbtree_first(&env->anchors->autr->probe)) == RBTREE_NULL) { /* in case of revoked anchors */ lock_basic_unlock(&env->anchors->lock); + /* signal that there are no anchors to probe */ + *next = 0; return NULL; } tp = (struct trust_anchor*)el->key; @@ -2378,6 +2388,7 @@ autr_probe_timer(struct module_env* env) struct trust_anchor* tp; time_t next_probe = 3600; int num = 0; + if(autr_permit_small_holddown) next_probe = 1; verbose(VERB_ALGO, "autotrust probe timer callback"); /* while there are still anchors to probe */ while( (tp = todo_probe(env, &next_probe)) ) { @@ -2386,7 +2397,7 @@ autr_probe_timer(struct module_env* env) num++; } regional_free_all(env->scratch); - if(num == 0) + if(next_probe == 0) return 0; /* no trust points to probe */ verbose(VERB_ALGO, "autotrust probe timer %d callbacks done", num); return next_probe; diff --git a/contrib/unbound/validator/val_anchor.c b/contrib/unbound/validator/val_anchor.c index 3a67fff..845b54a 100644 --- a/contrib/unbound/validator/val_anchor.c +++ b/contrib/unbound/validator/val_anchor.c @@ -48,9 +48,9 @@ #include "util/log.h" #include "util/net_help.h" #include "util/config_file.h" -#include "ldns/sbuffer.h" -#include "ldns/rrdef.h" -#include "ldns/str2wire.h" +#include "sldns/sbuffer.h" +#include "sldns/rrdef.h" +#include "sldns/str2wire.h" #ifdef HAVE_GLOB_H #include <glob.h> #endif @@ -882,14 +882,14 @@ assemble_it(struct trust_anchor* ta, size_t num, uint16_t type) memset(pd, 0, sizeof(*pd)); pd->count = num; pd->trust = rrset_trust_ultimate; - pd->rr_len = (size_t*)malloc(num*sizeof(size_t)); + pd->rr_len = (size_t*)reallocarray(NULL, num, sizeof(size_t)); if(!pd->rr_len) { free(pd); free(pkey->rk.dname); free(pkey); return NULL; } - pd->rr_ttl = (time_t*)malloc(num*sizeof(time_t)); + pd->rr_ttl = (time_t*)reallocarray(NULL, num, sizeof(time_t)); if(!pd->rr_ttl) { free(pd->rr_len); free(pd); @@ -897,7 +897,7 @@ assemble_it(struct trust_anchor* ta, size_t num, uint16_t type) free(pkey); return NULL; } - pd->rr_data = (uint8_t**)malloc(num*sizeof(uint8_t*)); + pd->rr_data = (uint8_t**)reallocarray(NULL, num, sizeof(uint8_t*)); if(!pd->rr_data) { free(pd->rr_ttl); free(pd->rr_len); @@ -1020,7 +1020,13 @@ anchors_assemble_rrsets(struct val_anchors* anchors) dname_str(ta->name, b); log_warn("trust anchor %s has no supported algorithms," " the anchor is ignored (check if you need to" - " upgrade unbound and openssl)", b); + " upgrade unbound and " +#ifdef HAVE_LIBRESSL + "libressl" +#else + "openssl" +#endif + ")", b); (void)rbtree_delete(anchors->tree, &ta->node); lock_basic_unlock(&ta->lock); anchors_delfunc(&ta->node, NULL); diff --git a/contrib/unbound/validator/val_kentry.c b/contrib/unbound/validator/val_kentry.c index f99f18e..93fe214 100644 --- a/contrib/unbound/validator/val_kentry.c +++ b/contrib/unbound/validator/val_kentry.c @@ -45,8 +45,8 @@ #include "util/storage/lookup3.h" #include "util/regional.h" #include "util/net_help.h" -#include "ldns/rrdef.h" -#include "ldns/keyraw.h" +#include "sldns/rrdef.h" +#include "sldns/keyraw.h" size_t key_entry_sizefunc(void* key, void* data) diff --git a/contrib/unbound/validator/val_neg.c b/contrib/unbound/validator/val_neg.c index 1d7a5c5..b1ff8d9 100644 --- a/contrib/unbound/validator/val_neg.c +++ b/contrib/unbound/validator/val_neg.c @@ -59,8 +59,8 @@ #include "util/config_file.h" #include "services/cache/rrset.h" #include "services/cache/dns.h" -#include "ldns/rrdef.h" -#include "ldns/sbuffer.h" +#include "sldns/rrdef.h" +#include "sldns/sbuffer.h" int val_neg_data_compare(const void* a, const void* b) { diff --git a/contrib/unbound/validator/val_nsec3.c b/contrib/unbound/validator/val_nsec3.c index 548daf2..80ca4d0 100644 --- a/contrib/unbound/validator/val_nsec3.c +++ b/contrib/unbound/validator/val_nsec3.c @@ -62,7 +62,7 @@ #include "util/data/msgreply.h" /* we include nsec.h for the bitmap_has_type function */ #include "validator/val_nsec.h" -#include "ldns/sbuffer.h" +#include "sldns/sbuffer.h" /** * This function we get from ldns-compat or from base system diff --git a/contrib/unbound/validator/val_secalgo.c b/contrib/unbound/validator/val_secalgo.c index 3437c8d..8ed403d 100644 --- a/contrib/unbound/validator/val_secalgo.c +++ b/contrib/unbound/validator/val_secalgo.c @@ -45,9 +45,9 @@ #include "util/data/packed_rrset.h" #include "validator/val_secalgo.h" #include "util/log.h" -#include "ldns/rrdef.h" -#include "ldns/keyraw.h" -#include "ldns/sbuffer.h" +#include "sldns/rrdef.h" +#include "sldns/keyraw.h" +#include "sldns/sbuffer.h" #if !defined(HAVE_SSL) && !defined(HAVE_NSS) #error "Need crypto library to do digital signature cryptography" diff --git a/contrib/unbound/validator/val_sigcrypt.c b/contrib/unbound/validator/val_sigcrypt.c index 5a4d0f4..a2f1265 100644 --- a/contrib/unbound/validator/val_sigcrypt.c +++ b/contrib/unbound/validator/val_sigcrypt.c @@ -51,10 +51,10 @@ #include "util/module.h" #include "util/net_help.h" #include "util/regional.h" -#include "ldns/keyraw.h" -#include "ldns/sbuffer.h" -#include "ldns/parseutil.h" -#include "ldns/wire2str.h" +#include "sldns/keyraw.h" +#include "sldns/sbuffer.h" +#include "sldns/parseutil.h" +#include "sldns/wire2str.h" #include <ctype.h> #if !defined(HAVE_SSL) && !defined(HAVE_NSS) @@ -795,10 +795,6 @@ canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j) if(i==j) return 0; - /* in case rdata-len is to be compared for canonical order - c = memcmp(d->rr_data[i], d->rr_data[j], 2); - if(c != 0) - return c; */ switch(type) { /* These RR types have only a name as RDATA. @@ -1079,6 +1075,8 @@ int rrset_canonical_equal(struct regional* region, fd.rr_data = fdata; rbtree_init(&sortree1, &canonical_tree_compare); rbtree_init(&sortree2, &canonical_tree_compare); + if(d1->count > RR_COUNT_MAX || d2->count > RR_COUNT_MAX) + return 1; /* protection against integer overflow */ rrs1 = regional_alloc(region, sizeof(struct canon_rr)*d1->count); rrs2 = regional_alloc(region, sizeof(struct canon_rr)*d2->count); if(!rrs1 || !rrs2) return 1; /* alloc failure */ @@ -1135,6 +1133,8 @@ rrset_canonical(struct regional* region, sldns_buffer* buf, sizeof(rbtree_t)); if(!*sortree) return 0; + if(d->count > RR_COUNT_MAX) + return 0; /* integer overflow protection */ rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count); if(!rrs) { *sortree = NULL; diff --git a/contrib/unbound/validator/validator.c b/contrib/unbound/validator/validator.c index cc07cc2..f8b429e 100644 --- a/contrib/unbound/validator/validator.c +++ b/contrib/unbound/validator/validator.c @@ -58,8 +58,8 @@ #include "util/regional.h" #include "util/config_file.h" #include "util/fptr_wlist.h" -#include "ldns/rrdef.h" -#include "ldns/wire2str.h" +#include "sldns/rrdef.h" +#include "sldns/wire2str.h" /* forward decl for cache response and normal super inform calls of a DS */ static void process_ds_response(struct module_qstate* qstate, @@ -226,6 +226,8 @@ val_new_getmsg(struct module_qstate* qstate, struct val_qstate* vq) sizeof(struct reply_info) - sizeof(struct rrset_ref)); if(!vq->chase_reply) return NULL; + if(vq->orig_msg->rep->rrset_count > RR_COUNT_MAX) + return NULL; /* protect against integer overflow */ vq->chase_reply->rrsets = regional_alloc_init(qstate->region, vq->orig_msg->rep->rrsets, sizeof(struct ub_packed_rrset_key*) * vq->orig_msg->rep->rrset_count); @@ -517,8 +519,8 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env, "has failed AUTHORITY rrset:", s->rk.dname, ntohs(s->rk.type), ntohs(s->rk.rrset_class)); errinf(qstate, reason); - errinf_rrset(qstate, s); errinf_origin(qstate, qstate->reply_origin); + errinf_rrset(qstate, s); chase_reply->security = sec_status_bogus; return 0; } @@ -1813,6 +1815,8 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq, /** * Init DLV check. + * DLV is going to be decommissioned, but the code is still here for some time. + * * Called when a query is determined by other trust anchors to be insecure * (or indeterminate). Then we look if there is a key in the DLV. * Performs aggressive negative cache check to see if there is no key. @@ -2352,7 +2356,7 @@ primeResponseToKE(struct ub_packed_rrset_key* dnskey_rrset, struct key_entry_key* kkey = NULL; enum sec_status sec = sec_status_unchecked; char* reason = NULL; - int downprot = 1; + int downprot = qstate->env->cfg->harden_algo_downgrade; if(!dnskey_rrset) { log_nametypeclass(VERB_OPS, "failed to prime trust anchor -- " @@ -2765,7 +2769,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq, vq->state = VAL_VALIDATE_STATE; return; } - downprot = 1; + downprot = qstate->env->cfg->harden_algo_downgrade; vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env, ve, dnskey, vq->ds_rrset, downprot, &reason); |
