diff options
-rw-r--r-- | Makefile | 3 | ||||
-rw-r--r-- | ObsoleteFiles.inc | 2 | ||||
-rw-r--r-- | contrib/unbound/Makefile.in | 9 | ||||
-rw-r--r-- | contrib/unbound/doc/example.conf | 6 | ||||
-rw-r--r-- | contrib/unbound/doc/example.conf.in | 6 | ||||
-rw-r--r-- | contrib/unbound/doc/unbound.conf.5 | 5 | ||||
-rw-r--r-- | contrib/unbound/doc/unbound.conf.5.in | 5 | ||||
-rw-r--r-- | contrib/unbound/services/localzone.c | 114 | ||||
-rw-r--r-- | contrib/unbound/util/as112.c | 143 | ||||
-rw-r--r-- | contrib/unbound/util/as112.h | 57 | ||||
-rw-r--r-- | contrib/unbound/util/config_file.c | 3 | ||||
-rw-r--r-- | contrib/unbound/util/config_file.h | 4 | ||||
-rw-r--r-- | contrib/unbound/util/configlexer.lex | 1 | ||||
-rw-r--r-- | contrib/unbound/util/configparser.y | 16 | ||||
-rw-r--r-- | contrib/unbound/validator/val_anchor.c | 11 | ||||
-rw-r--r-- | lib/libfetch/http.c | 1 | ||||
-rw-r--r-- | lib/libunbound/Makefile | 2 | ||||
-rw-r--r-- | share/man/man8/uefi.8 | 32 | ||||
-rw-r--r-- | sys/kern/init_main.c | 2 | ||||
-rw-r--r-- | sys/kern/kern_fork.c | 2 | ||||
-rw-r--r-- | tools/build/mk/OptionalObsoleteFiles.inc | 1 | ||||
-rw-r--r-- | usr.sbin/unbound/control/Makefile | 1 | ||||
-rwxr-xr-x | usr.sbin/unbound/local-setup/local-unbound-setup.sh | 26 |
23 files changed, 287 insertions, 165 deletions
@@ -482,7 +482,8 @@ _THINNER=cat _THINNER=xargs grep -L "^.NO_UNIVERSE" || true .endif KERNCONFS!= cd ${KERNSRCDIR}/${TARGET}/conf && \ - find [A-Z0-9]*[A-Z0-9] -type f -maxdepth 0 \ + find [[:upper:][:digit:]]*[[:upper:][:digit:]] \ + -type f -maxdepth 0 \ ! -name DEFAULTS ! -name NOTES | \ ${_THINNER} universe_kernconfs: diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc index eed1f14..ef2f2f5 100644 --- a/ObsoleteFiles.inc +++ b/ObsoleteFiles.inc @@ -38,6 +38,8 @@ # xargs -n1 | sort | uniq -d; # done +# 20160216: Remove obsolete unbound-control-setup +OLD_FILES+=usr/sbin/unbound-control-setup # 20151222: liblzma header OLD_FILES+=usr/include/lzma/lzma.h # 20151115: added missing _test suffix on multiple tests in lib/libc diff --git a/contrib/unbound/Makefile.in b/contrib/unbound/Makefile.in index 282c7d6..381c383 100644 --- a/contrib/unbound/Makefile.in +++ b/contrib/unbound/Makefile.in @@ -95,7 +95,7 @@ PYUNBOUND_SRC= # libunbound_wrap.lo if python libunbound wrapper enabled. PYUNBOUND_OBJ=@PYUNBOUND_OBJ@ COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \ -util/data/dname.c util/data/msgencode.c util/data/msgparse.c \ +util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \ util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \ iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \ iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \ @@ -113,7 +113,7 @@ validator/val_neg.c validator/val_nsec3.c validator/val_nsec.c \ validator/val_secalgo.c validator/val_sigcrypt.c \ validator/val_utils.c dns64/dns64.c $(CHECKLOCK_SRC) $(DNSTAP_SRC) COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \ -msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \ +as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \ iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \ iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo \ outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \ @@ -595,6 +595,7 @@ depend: rm -f $(DEPEND_TMP) $(DEPEND_TMP2) # Dependencies +as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \ @@ -702,7 +703,7 @@ localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/serv $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \ $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/as112.h mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \ @@ -821,7 +822,7 @@ val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/as112.h validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ diff --git a/contrib/unbound/doc/example.conf b/contrib/unbound/doc/example.conf index 11c3ba9..37d58e4 100644 --- a/contrib/unbound/doc/example.conf +++ b/contrib/unbound/doc/example.conf @@ -508,13 +508,17 @@ server: # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. - # if unbound is running service for the local host then it is useful + # If unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the # long list of local-zones above. If this unbound is a dns server # for a network of computers, disabled is better and stops information # leakage of local lan information. # unblock-lan-zones: no + # The insecure-lan-zones option disables validation for + # these zones, as if they were all listed as domain-insecure. + # insecure-lan-zones: no + # a number of locally served zones can be configured. # local-zone: <zone> <type> # local-data: "<resource record string>" diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in index ff90e3b..cf9a4ee 100644 --- a/contrib/unbound/doc/example.conf.in +++ b/contrib/unbound/doc/example.conf.in @@ -508,13 +508,17 @@ server: # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. - # if unbound is running service for the local host then it is useful + # If unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the # long list of local-zones above. If this unbound is a dns server # for a network of computers, disabled is better and stops information # leakage of local lan information. # unblock-lan-zones: no + # The insecure-lan-zones option disables validation for + # these zones, as if they were all listed as domain-insecure. + # insecure-lan-zones: no + # a number of locally served zones can be configured. # local-zone: <zone> <type> # local-data: "<resource record string>" diff --git a/contrib/unbound/doc/unbound.conf.5 b/contrib/unbound/doc/unbound.conf.5 index 16155de..24a1b4e 100644 --- a/contrib/unbound/doc/unbound.conf.5 +++ b/contrib/unbound/doc/unbound.conf.5 @@ -841,6 +841,11 @@ as a (DHCP-) DNS network resolver for a group of machines, where such lookups should be filtered (RFC compliance), this also stops potential data leakage about the local network to the upstream DNS servers. .TP +.B insecure\-lan\-zones: \fI<yesno> +Default is disabled. If enabled, then reverse lookups in private +address space are not validated. This is usually required whenever +\fIunblock\-lan\-zones\fR is used. +.TP .B local\-zone: \fI<zone> <type> Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in index 51f7c4e..cc4c1df 100644 --- a/contrib/unbound/doc/unbound.conf.5.in +++ b/contrib/unbound/doc/unbound.conf.5.in @@ -841,6 +841,11 @@ as a (DHCP-) DNS network resolver for a group of machines, where such lookups should be filtered (RFC compliance), this also stops potential data leakage about the local network to the upstream DNS servers. .TP +.B insecure\-lan\-zones: \fI<yesno> +Default is disabled. If enabled, then reverse lookups in private +address space are not validated. This is usually required whenever +\fIunblock\-lan\-zones\fR is used. +.TP .B local\-zone: \fI<zone> <type> Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, diff --git a/contrib/unbound/services/localzone.c b/contrib/unbound/services/localzone.c index c50ad0f..f3b30ae 100644 --- a/contrib/unbound/services/localzone.c +++ b/contrib/unbound/services/localzone.c @@ -51,6 +51,7 @@ #include "util/netevent.h" #include "util/data/msgreply.h" #include "util/data/msgparse.h" +#include "util/as112.h" struct local_zones* local_zones_create(void) @@ -592,6 +593,7 @@ static int lz_enter_defaults(struct local_zones* zones, struct config_file* cfg) { struct local_zone* z; + const char** zstr; /* this list of zones is from RFC 6303 */ @@ -654,110 +656,14 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg) lock_rw_unlock(&z->lock); } - /* if unblock lan-zones, then do not add the zones below. - * we do add the zones above, about 127.0.0.1, because localhost is - * not on the lan. */ - if(cfg->unblock_lan_zones) - return 1; - - /* block LAN level zones */ - if ( !add_as112_default(zones, cfg, "10.in-addr.arpa.") || - !add_as112_default(zones, cfg, "16.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "17.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "18.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "19.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "20.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "21.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "22.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "23.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "24.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "25.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "26.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "27.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "28.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "29.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "30.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "31.172.in-addr.arpa.") || - !add_as112_default(zones, cfg, "168.192.in-addr.arpa.") || - !add_as112_default(zones, cfg, "0.in-addr.arpa.") || - !add_as112_default(zones, cfg, "64.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "65.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "66.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "67.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "68.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "69.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "70.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "71.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "72.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "73.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "74.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "75.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "76.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "77.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "78.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "79.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "80.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "81.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "82.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "83.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "84.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "85.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "86.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "87.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "88.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "89.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "90.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "91.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "92.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "93.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "94.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "95.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "96.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "97.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "98.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "99.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "100.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "101.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "102.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "103.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "104.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "105.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "106.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "107.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "108.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "109.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "110.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "111.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "112.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "113.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "114.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "115.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "116.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "117.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "118.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "119.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "120.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "121.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "122.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "123.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "124.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "125.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "126.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "127.100.in-addr.arpa.") || - !add_as112_default(zones, cfg, "254.169.in-addr.arpa.") || - !add_as112_default(zones, cfg, "2.0.192.in-addr.arpa.") || - !add_as112_default(zones, cfg, "100.51.198.in-addr.arpa.") || - !add_as112_default(zones, cfg, "113.0.203.in-addr.arpa.") || - !add_as112_default(zones, cfg, "255.255.255.255.in-addr.arpa.") || - !add_as112_default(zones, cfg, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.") || - !add_as112_default(zones, cfg, "d.f.ip6.arpa.") || - !add_as112_default(zones, cfg, "8.e.f.ip6.arpa.") || - !add_as112_default(zones, cfg, "9.e.f.ip6.arpa.") || - !add_as112_default(zones, cfg, "a.e.f.ip6.arpa.") || - !add_as112_default(zones, cfg, "b.e.f.ip6.arpa.") || - !add_as112_default(zones, cfg, "8.b.d.0.1.0.0.2.ip6.arpa.")) { - log_err("out of memory adding default zone"); - return 0; + /* block AS112 zones, unless asked not to */ + if(!cfg->unblock_lan_zones) { + for(zstr = as112_zones; *zstr; zstr++) { + if(!add_as112_default(zones, cfg, *zstr)) { + log_err("out of memory adding default zone"); + return 0; + } + } } return 1; } diff --git a/contrib/unbound/util/as112.c b/contrib/unbound/util/as112.c new file mode 100644 index 0000000..6ee6940 --- /dev/null +++ b/contrib/unbound/util/as112.c @@ -0,0 +1,143 @@ +/* + * util/as112.c - list of local zones. + * + * Copyright (c) 2007, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * \file + * + * This file provides a list of lan zones. + */ + +#include "util/as112.h" + +static const char* as112_zone_array[] = { + "10.in-addr.arpa.", + "16.172.in-addr.arpa.", + "17.172.in-addr.arpa.", + "18.172.in-addr.arpa.", + "19.172.in-addr.arpa.", + "20.172.in-addr.arpa.", + "21.172.in-addr.arpa.", + "22.172.in-addr.arpa.", + "23.172.in-addr.arpa.", + "24.172.in-addr.arpa.", + "25.172.in-addr.arpa.", + "26.172.in-addr.arpa.", + "27.172.in-addr.arpa.", + "28.172.in-addr.arpa.", + "29.172.in-addr.arpa.", + "30.172.in-addr.arpa.", + "31.172.in-addr.arpa.", + "168.192.in-addr.arpa.", + "0.in-addr.arpa.", + "64.100.in-addr.arpa.", + "65.100.in-addr.arpa.", + "66.100.in-addr.arpa.", + "67.100.in-addr.arpa.", + "68.100.in-addr.arpa.", + "69.100.in-addr.arpa.", + "70.100.in-addr.arpa.", + "71.100.in-addr.arpa.", + "72.100.in-addr.arpa.", + "73.100.in-addr.arpa.", + "74.100.in-addr.arpa.", + "75.100.in-addr.arpa.", + "76.100.in-addr.arpa.", + "77.100.in-addr.arpa.", + "78.100.in-addr.arpa.", + "79.100.in-addr.arpa.", + "80.100.in-addr.arpa.", + "81.100.in-addr.arpa.", + "82.100.in-addr.arpa.", + "83.100.in-addr.arpa.", + "84.100.in-addr.arpa.", + "85.100.in-addr.arpa.", + "86.100.in-addr.arpa.", + "87.100.in-addr.arpa.", + "88.100.in-addr.arpa.", + "89.100.in-addr.arpa.", + "90.100.in-addr.arpa.", + "91.100.in-addr.arpa.", + "92.100.in-addr.arpa.", + "93.100.in-addr.arpa.", + "94.100.in-addr.arpa.", + "95.100.in-addr.arpa.", + "96.100.in-addr.arpa.", + "97.100.in-addr.arpa.", + "98.100.in-addr.arpa.", + "99.100.in-addr.arpa.", + "100.100.in-addr.arpa.", + "101.100.in-addr.arpa.", + "102.100.in-addr.arpa.", + "103.100.in-addr.arpa.", + "104.100.in-addr.arpa.", + "105.100.in-addr.arpa.", + "106.100.in-addr.arpa.", + "107.100.in-addr.arpa.", + "108.100.in-addr.arpa.", + "109.100.in-addr.arpa.", + "110.100.in-addr.arpa.", + "111.100.in-addr.arpa.", + "112.100.in-addr.arpa.", + "113.100.in-addr.arpa.", + "114.100.in-addr.arpa.", + "115.100.in-addr.arpa.", + "116.100.in-addr.arpa.", + "117.100.in-addr.arpa.", + "118.100.in-addr.arpa.", + "119.100.in-addr.arpa.", + "120.100.in-addr.arpa.", + "121.100.in-addr.arpa.", + "122.100.in-addr.arpa.", + "123.100.in-addr.arpa.", + "124.100.in-addr.arpa.", + "125.100.in-addr.arpa.", + "126.100.in-addr.arpa.", + "127.100.in-addr.arpa.", + "254.169.in-addr.arpa.", + "2.0.192.in-addr.arpa.", + "100.51.198.in-addr.arpa.", + "113.0.203.in-addr.arpa.", + "255.255.255.255.in-addr.arpa.", + "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.", + "d.f.ip6.arpa.", + "8.e.f.ip6.arpa.", + "9.e.f.ip6.arpa.", + "a.e.f.ip6.arpa.", + "b.e.f.ip6.arpa.", + "8.b.d.0.1.0.0.2.ip6.arpa.", + 0 +}; + +const char** as112_zones = as112_zone_array; diff --git a/contrib/unbound/util/as112.h b/contrib/unbound/util/as112.h new file mode 100644 index 0000000..7d0329e --- /dev/null +++ b/contrib/unbound/util/as112.h @@ -0,0 +1,57 @@ +/* + * util/as112.c - list of local zones. + * + * Copyright (c) 2007, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * \file + * + * This file provides a list of lan zones + */ + +#ifndef UTIL_AS112_H +#define UTIL_AS112_H + +/** + * Array of text-format domain names of the AS112 zones. + * The array ends with NULL. "AS112" is a service on the internet that + * that this array is named after. The names in this list (or some of them) + * are null-routed by this service to avoid load on central servers caused by + * mistaken lookups for local content on the global internet. + * + * This is the list of names that unbound should not normally be sending + * on towards the internet, because they are local-use. + */ +extern const char** as112_zones; + +#endif diff --git a/contrib/unbound/util/config_file.c b/contrib/unbound/util/config_file.c index 6354e99..4d8f806 100644 --- a/contrib/unbound/util/config_file.c +++ b/contrib/unbound/util/config_file.c @@ -210,6 +210,7 @@ config_create(void) cfg->local_zones_nodefault = NULL; cfg->local_data = NULL; cfg->unblock_lan_zones = 0; + cfg->insecure_lan_zones = 0; cfg->python_script = NULL; cfg->remote_control_enable = 0; cfg->control_ifs = NULL; @@ -458,6 +459,7 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_YNO("rrset-roundrobin:", rrset_roundrobin) else S_STRLIST("local-data:", local_data) else S_YNO("unblock-lan-zones:", unblock_lan_zones) + else S_YNO("insecure-lan-zones:", insecure_lan_zones) else S_YNO("control-enable:", remote_control_enable) else S_STRLIST("control-interface:", control_ifs) else S_NUMBER_NONZERO("control-port:", control_port) @@ -739,6 +741,7 @@ config_get_option(struct config_file* cfg, const char* opt, else O_YNO(opt, "minimal-responses", minimal_responses) else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin) else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones) + else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones) else O_DEC(opt, "max-udp-size", max_udp_size) else O_STR(opt, "python-script", python_script) else O_DEC(opt, "ratelimit", ratelimit) diff --git a/contrib/unbound/util/config_file.h b/contrib/unbound/util/config_file.h index 8fa163e..c758d64 100644 --- a/contrib/unbound/util/config_file.h +++ b/contrib/unbound/util/config_file.h @@ -285,8 +285,10 @@ struct config_file { struct config_strlist* local_zones_nodefault; /** local data RRs configured */ struct config_strlist* local_data; - /** unblock lan zones (reverse lookups for 10/8 and so on) */ + /** unblock lan zones (reverse lookups for AS112 zones) */ int unblock_lan_zones; + /** insecure lan zones (don't validate AS112 zones) */ + int insecure_lan_zones; /** remote control section. enable toggle. */ int remote_control_enable; diff --git a/contrib/unbound/util/configlexer.lex b/contrib/unbound/util/configlexer.lex index a368066..5b25ef5 100644 --- a/contrib/unbound/util/configlexer.lex +++ b/contrib/unbound/util/configlexer.lex @@ -321,6 +321,7 @@ local-zone{COLON} { YDVAR(2, VAR_LOCAL_ZONE) } local-data{COLON} { YDVAR(1, VAR_LOCAL_DATA) } local-data-ptr{COLON} { YDVAR(1, VAR_LOCAL_DATA_PTR) } unblock-lan-zones{COLON} { YDVAR(1, VAR_UNBLOCK_LAN_ZONES) } +insecure-lan-zones{COLON} { YDVAR(1, VAR_INSECURE_LAN_ZONES) } statistics-interval{COLON} { YDVAR(1, VAR_STATISTICS_INTERVAL) } statistics-cumulative{COLON} { YDVAR(1, VAR_STATISTICS_CUMULATIVE) } extended-statistics{COLON} { YDVAR(1, VAR_EXTENDED_STATISTICS) } diff --git a/contrib/unbound/util/configparser.y b/contrib/unbound/util/configparser.y index abc0bb0..a276fae 100644 --- a/contrib/unbound/util/configparser.y +++ b/contrib/unbound/util/configparser.y @@ -106,7 +106,8 @@ extern struct config_parser_state* cfg_parser; %token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN -%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UNBLOCK_LAN_ZONES +%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE +%token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES %token VAR_INFRA_CACHE_MIN_RTT %token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL %token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH @@ -180,7 +181,8 @@ content_server: server_num_threads | server_verbosity | server_port | server_log_queries | server_tcp_upstream | server_ssl_upstream | server_ssl_service_key | server_ssl_service_pem | server_ssl_port | server_minimal_responses | server_rrset_roundrobin | server_max_udp_size | - server_so_reuseport | server_delay_close | server_unblock_lan_zones | + server_so_reuseport | server_delay_close | + server_unblock_lan_zones | server_insecure_lan_zones | server_dns64_prefix | server_dns64_synthall | server_infra_cache_min_rtt | server_harden_algo_downgrade | server_ip_transparent | server_ratelimit | server_ratelimit_slabs | @@ -722,6 +724,16 @@ server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG free($2); } ; +server_insecure_lan_zones: VAR_INSECURE_LAN_ZONES STRING_ARG + { + OUTYY(("P(server_insecure_lan_zones:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->insecure_lan_zones = + (strcmp($2, "yes")==0); + free($2); + } + ; server_rrset_cache_size: VAR_RRSET_CACHE_SIZE STRING_ARG { OUTYY(("P(server_rrset_cache_size:%s)\n", $2)); diff --git a/contrib/unbound/validator/val_anchor.c b/contrib/unbound/validator/val_anchor.c index 845b54a..bc9f8b8 100644 --- a/contrib/unbound/validator/val_anchor.c +++ b/contrib/unbound/validator/val_anchor.c @@ -48,6 +48,7 @@ #include "util/log.h" #include "util/net_help.h" #include "util/config_file.h" +#include "util/as112.h" #include "sldns/sbuffer.h" #include "sldns/rrdef.h" #include "sldns/str2wire.h" @@ -1044,8 +1045,18 @@ int anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg) { struct config_strlist* f; + const char** zstr; char* nm; sldns_buffer* parsebuf = sldns_buffer_new(65535); + if(cfg->insecure_lan_zones) { + for(zstr = as112_zones; *zstr; zstr++) { + if(!anchor_insert_insecure(anchors, *zstr)) { + log_err("error in insecure-lan-zones: %s", *zstr); + sldns_buffer_free(parsebuf); + return 0; + } + } + } for(f = cfg->domain_insecure; f; f = f->next) { if(!f->str || f->str[0] == 0) /* empty "" */ continue; diff --git a/lib/libfetch/http.c b/lib/libfetch/http.c index 206648d..ca522a6 100644 --- a/lib/libfetch/http.c +++ b/lib/libfetch/http.c @@ -1435,7 +1435,6 @@ http_connect(struct url *URL, struct url *purl, const char *flags) } if (strcasecmp(URL->scheme, SCHEME_HTTPS) == 0 && fetch_ssl(conn, URL, verbose) == -1) { - fetch_close(conn); /* grrr */ errno = EAUTH; fetch_syserr(); diff --git a/lib/libunbound/Makefile b/lib/libunbound/Makefile index 8519b77..3c66181 100644 --- a/lib/libunbound/Makefile +++ b/lib/libunbound/Makefile @@ -12,7 +12,7 @@ PRIVATELIB= CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR} -I${.OBJDIR} -SRCS= alloc.c autotrust.c config_file.c configlexer.l configparser.y \ +SRCS= alloc.c as112.c autotrust.c config_file.c configlexer.l configparser.y \ context.c dname.c dns.c dns64.c dnstree.c fptr_wlist.c infra.c \ iter_delegpt.c iter_donotq.c iter_fwd.c iter_hints.c iter_priv.c \ iter_resptype.c iter_scrub.c iter_utils.c iterator.c keyraw.c \ diff --git a/share/man/man8/uefi.8 b/share/man/man8/uefi.8 index 8907ef3..8c1c979 100644 --- a/share/man/man8/uefi.8 +++ b/share/man/man8/uefi.8 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd February 14, 2016 +.Dd February 15, 2016 .Dt UEFI 8 .Os .Sh NAME @@ -83,9 +83,17 @@ passes the configuration to the next stage boot loader and does not itself act on the contents of the file. .It .Pa boot1.efi -locates the first partition with the type -.Li freebsd-ufs , -and from it loads +searches partitions of type +.Li freebsd-ufs +and +.Li freebsd-zfs +for +.Pa loader.efi . +The search begins with partitions on the device from which +.Pa boot1.efi +was loaded, and continues with other available partitions. +.Pa boot1.efi +then loads and executes .Pa loader.efi . .It .Pa loader.efi @@ -146,19 +154,3 @@ Foundation sponsored portions of the work. EFI environment variables are not supported by .Xr loader 8 or the kernel. -.Pp -.Pa boot1.efi -loads -.Pa loader.efi -from the first FreeBSD-UFS file system it locates, even if it is on a -different disk. -.Pp -.Pa boot1.efi -cannot load -.Pa loader.efi -from a -.Xr ZFS 8 -file system. -As a result, -.Nm -does not support a typical root file system on ZFS configuration. diff --git a/sys/kern/init_main.c b/sys/kern/init_main.c index 201680a..ae6bd3a 100644 --- a/sys/kern/init_main.c +++ b/sys/kern/init_main.c @@ -479,7 +479,7 @@ proc0_init(void *dummy __unused) session0.s_leader = p; p->p_sysent = &null_sysvec; - p->p_flag = P_SYSTEM | P_INMEM; + p->p_flag = P_SYSTEM | P_INMEM | P_KTHREAD; p->p_flag2 = 0; p->p_state = PRS_NORMAL; knlist_init_mtx(&p->p_klist, &p->p_mtx); diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c index 6ca41d4..f24ba20 100644 --- a/sys/kern/kern_fork.c +++ b/sys/kern/kern_fork.c @@ -1033,7 +1033,7 @@ fork_exit(void (*callout)(void *, struct trapframe *), void *arg, if (p->p_flag & P_KTHREAD) { printf("Kernel thread \"%s\" (pid %d) exited prematurely.\n", td->td_name, p->p_pid); - kproc_exit(0); + kthread_exit(); } mtx_assert(&Giant, MA_NOTOWNED); diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc index a682631..405e9e2 100644 --- a/tools/build/mk/OptionalObsoleteFiles.inc +++ b/tools/build/mk/OptionalObsoleteFiles.inc @@ -5010,7 +5010,6 @@ OLD_FILES+=usr/sbin/unbound OLD_FILES+=usr/sbin/unbound-anchor OLD_FILES+=usr/sbin/unbound-checkconf OLD_FILES+=usr/sbin/unbound-control -OLD_FILES+=usr/sbin/unbound-control-setup .endif .if ${MK_USB} == no diff --git a/usr.sbin/unbound/control/Makefile b/usr.sbin/unbound/control/Makefile index 7056a9e..32dbb56 100644 --- a/usr.sbin/unbound/control/Makefile +++ b/usr.sbin/unbound/control/Makefile @@ -7,7 +7,6 @@ UNBOUNDDIR= ${.CURDIR}/../../../contrib/unbound .PATH: ${UNBOUNDDIR} ${UNBOUNDDIR}/smallapp ${UNBOUNDDIR}/doc PROG= unbound-control -SCRIPTS= unbound-control-setup.sh SRCS= unbound-control.c worker_cb.c CFLAGS= -I${UNBOUNDDIR} -I${LDNSDIR} DPADD= ${LIBUNBOUND} ${LIBLDNS} ${LIBUTIL} ${LIBSSL} ${LIBCRYPTO} ${LIBPTHREAD} diff --git a/usr.sbin/unbound/local-setup/local-unbound-setup.sh b/usr.sbin/unbound/local-setup/local-unbound-setup.sh index 5df4760..cd21f6f 100755 --- a/usr.sbin/unbound/local-setup/local-unbound-setup.sh +++ b/usr.sbin/unbound/local-setup/local-unbound-setup.sh @@ -210,31 +210,7 @@ gen_lanzones_conf() { echo "server:" echo " # Unblock reverse lookups for LAN addresses" echo " unblock-lan-zones: yes" - echo " domain-insecure: 10.in-addr.arpa." - echo " domain-insecure: 127.in-addr.arpa." - echo " domain-insecure: 16.172.in-addr.arpa." - echo " domain-insecure: 17.172.in-addr.arpa." - echo " domain-insecure: 18.172.in-addr.arpa." - echo " domain-insecure: 19.172.in-addr.arpa." - echo " domain-insecure: 20.172.in-addr.arpa." - echo " domain-insecure: 21.172.in-addr.arpa." - echo " domain-insecure: 22.172.in-addr.arpa." - echo " domain-insecure: 23.172.in-addr.arpa." - echo " domain-insecure: 24.172.in-addr.arpa." - echo " domain-insecure: 25.172.in-addr.arpa." - echo " domain-insecure: 26.172.in-addr.arpa." - echo " domain-insecure: 27.172.in-addr.arpa." - echo " domain-insecure: 28.172.in-addr.arpa." - echo " domain-insecure: 29.172.in-addr.arpa." - echo " domain-insecure: 30.172.in-addr.arpa." - echo " domain-insecure: 31.172.in-addr.arpa." - echo " domain-insecure: 168.192.in-addr.arpa." - echo " domain-insecure: 254.169.in-addr.arpa." - echo " domain-insecure: d.f.ip6.arpa." - echo " domain-insecure: 8.e.ip6.arpa." - echo " domain-insecure: 9.e.ip6.arpa." - echo " domain-insecure: a.e.ip6.arpa." - echo " domain-insecure: b.e.ip6.arpa." + echo " insecure-lan-zones: yes" } # |