git: 63e3850ce9fb - stable/12 - unbound: Vendor import 1.15.0
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 07 Mar 2022 13:35:21 UTC
The branch stable/12 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=63e3850ce9fb25aaf3f441eef1a4a8f08f1e326a commit 63e3850ce9fb25aaf3f441eef1a4a8f08f1e326a Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2022-02-18 00:05:15 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2022-03-07 13:34:56 +0000 unbound: Vendor import 1.15.0 Vendor import GA release of unbound 1.15.0. (cherry picked from commit 9cf5bc93f6ba1711ae7bf96a982a2b3c8b073a18) --- contrib/unbound/README.md | 4 +- contrib/unbound/config.guess | 16 +- contrib/unbound/config.h.in | 3 + contrib/unbound/config.sub | 20 +- contrib/unbound/configure | 72 ++++- contrib/unbound/configure.ac | 40 ++- contrib/unbound/contrib/aaaa-filter-iterator.patch | 78 +++--- contrib/unbound/daemon/remote.c | 57 ++-- contrib/unbound/daemon/worker.c | 18 +- contrib/unbound/dnstap/dtstream.c | 25 +- contrib/unbound/dnstap/unbound-dnstap-socket.c | 10 +- contrib/unbound/doc/Changelog | 133 +++++++++ contrib/unbound/doc/README | 2 +- contrib/unbound/doc/example.conf | 63 +++-- contrib/unbound/doc/example.conf.in | 63 +++-- contrib/unbound/doc/libunbound.3 | 4 +- contrib/unbound/doc/libunbound.3.in | 4 +- contrib/unbound/doc/unbound-anchor.8 | 8 +- contrib/unbound/doc/unbound-anchor.8.in | 8 +- contrib/unbound/doc/unbound-checkconf.8 | 20 +- contrib/unbound/doc/unbound-checkconf.8.in | 20 +- contrib/unbound/doc/unbound-control.8 | 80 +++--- contrib/unbound/doc/unbound-control.8.in | 80 +++--- contrib/unbound/doc/unbound-host.1 | 16 +- contrib/unbound/doc/unbound-host.1.in | 16 +- contrib/unbound/doc/unbound.8 | 8 +- contrib/unbound/doc/unbound.8.in | 8 +- contrib/unbound/doc/unbound.conf.5 | 242 +++++++++------- contrib/unbound/doc/unbound.conf.5.in | 242 +++++++++------- contrib/unbound/iterator/iter_delegpt.c | 71 +++-- contrib/unbound/iterator/iter_delegpt.h | 28 +- contrib/unbound/iterator/iter_fwd.c | 16 +- contrib/unbound/iterator/iter_hints.c | 20 +- contrib/unbound/iterator/iterator.c | 108 +++----- contrib/unbound/iterator/iterator.h | 4 +- contrib/unbound/libunbound/libworker.c | 11 +- contrib/unbound/libunbound/worker.h | 12 +- contrib/unbound/services/cache/infra.c | 66 +++-- contrib/unbound/services/cache/infra.h | 14 +- contrib/unbound/services/listen_dnsport.c | 37 +-- contrib/unbound/services/localzone.c | 102 ++++--- contrib/unbound/services/outside_network.c | 307 +++++++++++++++------ contrib/unbound/services/outside_network.h | 27 +- contrib/unbound/services/rpz.c | 34 ++- contrib/unbound/services/rpz.h | 2 + contrib/unbound/sldns/keyraw.c | 6 +- contrib/unbound/sldns/str2wire.c | 14 +- contrib/unbound/sldns/str2wire.h | 2 +- contrib/unbound/sldns/wire2str.c | 11 + contrib/unbound/smallapp/unbound-checkconf.c | 6 + contrib/unbound/smallapp/worker_cb.c | 12 +- .../testdata/edns_attached_once_per_upstream.rpl | 90 ++++++ contrib/unbound/testdata/nsid_bogus.rpl | 174 ++++++++++++ .../unbound/testdata/ratelimit.tdir/ratelimit.conf | 29 ++ .../unbound/testdata/ratelimit.tdir/ratelimit.dsc | 16 ++ .../unbound/testdata/ratelimit.tdir/ratelimit.post | 14 + .../unbound/testdata/ratelimit.tdir/ratelimit.pre | 33 +++ .../unbound/testdata/ratelimit.tdir/ratelimit.test | 183 ++++++++++++ .../testdata/ratelimit.tdir/ratelimit.testns | 13 + .../testdata/ratelimit.tdir/unbound_control.key | 39 +++ .../testdata/ratelimit.tdir/unbound_control.pem | 22 ++ .../testdata/ratelimit.tdir/unbound_server.key | 39 +++ .../testdata/ratelimit.tdir/unbound_server.pem | 22 ++ contrib/unbound/testdata/rpz_nsdname.rpl | 2 +- contrib/unbound/testdata/rpz_nsip.rpl | 2 +- .../unbound/testdata/rpz_signal_nxdomain_ra.rpl | 254 +++++++++++++++++ contrib/unbound/util/config_file.c | 24 +- contrib/unbound/util/config_file.h | 11 + contrib/unbound/util/configlexer.lex | 3 + contrib/unbound/util/configparser.y | 36 ++- contrib/unbound/util/fptr_wlist.c | 8 +- contrib/unbound/util/fptr_wlist.h | 7 +- contrib/unbound/util/iana_ports.inc | 2 +- contrib/unbound/util/module.h | 6 +- contrib/unbound/util/net_help.c | 40 +++ contrib/unbound/util/net_help.h | 19 +- contrib/unbound/util/netevent.c | 2 + contrib/unbound/validator/val_utils.c | 8 +- 78 files changed, 2542 insertions(+), 826 deletions(-) diff --git a/contrib/unbound/README.md b/contrib/unbound/README.md index c8877d1e9df5..d1bbcf2b7797 100644 --- a/contrib/unbound/README.md +++ b/contrib/unbound/README.md @@ -11,7 +11,7 @@ have any feedback, we would love to hear from you. Don’t hesitate to [create an issue on Github](https://github.com/NLnetLabs/unbound/issues/new) or post a message on the [Unbound mailing list](https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users). You can learn more about Unbound by reading our -[documentation](https://nlnetlabs.nl/documentation/unbound/). +[documentation](https://unbound.docs.nlnetlabs.nl/). ## Compiling @@ -33,7 +33,7 @@ support. All of Unbound's configuration options are described in the man pages, which will be installed and are available on the Unbound -[documentation page](https://nlnetlabs.nl/documentation/unbound/). +[documentation page](https://unbound.docs.nlnetlabs.nl/). An example configuration file is located in [doc/example.conf](https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in). diff --git a/contrib/unbound/config.guess b/contrib/unbound/config.guess index e81d3ae7c210..7f76b6228f73 100755 --- a/contrib/unbound/config.guess +++ b/contrib/unbound/config.guess @@ -1,14 +1,14 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2021 Free Software Foundation, Inc. +# Copyright 1992-2022 Free Software Foundation, Inc. # shellcheck disable=SC2006,SC2268 # see below for rationale -timestamp='2021-06-03' +timestamp='2022-01-09' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or +# the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but @@ -60,7 +60,7 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2021 Free Software Foundation, Inc. +Copyright 1992-2022 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -437,7 +437,7 @@ case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in # This test works for both compilers. if test "$CC_FOR_BUILD" != no_compiler_found; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -m64 -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then SUN_ARCH=x86_64 @@ -929,6 +929,9 @@ EOF i*:PW*:*) GUESS=$UNAME_MACHINE-pc-pw32 ;; + *:SerenityOS:*:*) + GUESS=$UNAME_MACHINE-pc-serenity + ;; *:Interix*:*) case $UNAME_MACHINE in x86) @@ -1522,6 +1525,9 @@ EOF i*86:rdos:*:*) GUESS=$UNAME_MACHINE-pc-rdos ;; + i*86:Fiwix:*:*) + GUESS=$UNAME_MACHINE-pc-fiwix + ;; *:AROS:*:*) GUESS=$UNAME_MACHINE-unknown-aros ;; diff --git a/contrib/unbound/config.h.in b/contrib/unbound/config.h.in index e8a26735d2d3..197c2838b33f 100644 --- a/contrib/unbound/config.h.in +++ b/contrib/unbound/config.h.in @@ -381,6 +381,9 @@ /* Define to 1 if you have the <netinet/tcp.h> header file. */ #undef HAVE_NETINET_TCP_H +/* Define to 1 if you have the <netioapi.h> header file. */ +#undef HAVE_NETIOAPI_H + /* Use libnettle for crypto */ #undef HAVE_NETTLE diff --git a/contrib/unbound/config.sub b/contrib/unbound/config.sub index d74fb6deac94..dba16e84c77c 100755 --- a/contrib/unbound/config.sub +++ b/contrib/unbound/config.sub @@ -1,14 +1,14 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright 1992-2021 Free Software Foundation, Inc. +# Copyright 1992-2022 Free Software Foundation, Inc. # shellcheck disable=SC2006,SC2268 # see below for rationale -timestamp='2021-08-14' +timestamp='2022-01-03' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or +# the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but @@ -76,7 +76,7 @@ Report bugs and patches to <config-patches@gnu.org>." version="\ GNU config.sub ($timestamp) -Copyright 1992-2021 Free Software Foundation, Inc. +Copyright 1992-2022 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -1020,6 +1020,11 @@ case $cpu-$vendor in ;; # Here we normalize CPU types with a missing or matching vendor + armh-unknown | armh-alt) + cpu=armv7l + vendor=alt + basic_os=${basic_os:-linux-gnueabihf} + ;; dpx20-unknown | dpx20-bull) cpu=rs6000 vendor=bull @@ -1121,7 +1126,7 @@ case $cpu-$vendor in xscale-* | xscalee[bl]-*) cpu=`echo "$cpu" | sed 's/^xscale/arm/'` ;; - arm64-*) + arm64-* | aarch64le-*) cpu=aarch64 ;; @@ -1304,7 +1309,7 @@ esac if test x$basic_os != x then -# First recognize some ad-hoc caes, or perhaps split kernel-os, or else just +# First recognize some ad-hoc cases, or perhaps split kernel-os, or else just # set os. case $basic_os in gnu/linux*) @@ -1748,7 +1753,8 @@ case $os in | skyos* | haiku* | rdos* | toppers* | drops* | es* \ | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \ | midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \ - | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr*) + | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr* \ + | fiwix* ) ;; # This one is extra strict with allowed versions sco3.2v2 | sco3.2v[4-9]* | sco5v6*) diff --git a/contrib/unbound/configure b/contrib/unbound/configure index 0e964568e234..48f9c2d02b68 100755 --- a/contrib/unbound/configure +++ b/contrib/unbound/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.14.0. +# Generated by GNU Autoconf 2.69 for unbound 1.15.0. # # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>. # @@ -591,8 +591,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.14.0' -PACKAGE_STRING='unbound 1.14.0' +PACKAGE_VERSION='1.15.0' +PACKAGE_STRING='unbound 1.15.0' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues' PACKAGE_URL='' @@ -1466,7 +1466,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.14.0 to adapt to many kinds of systems. +\`configure' configures unbound 1.15.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1531,7 +1531,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.14.0:";; + short | recursive ) echo "Configuration of unbound 1.15.0:";; esac cat <<\_ACEOF @@ -1773,7 +1773,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.14.0 +unbound configure 1.15.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2482,7 +2482,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.14.0, which was +It was created by unbound $as_me 1.15.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2832,13 +2832,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu UNBOUND_VERSION_MAJOR=1 -UNBOUND_VERSION_MINOR=14 +UNBOUND_VERSION_MINOR=15 UNBOUND_VERSION_MICRO=0 LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=14 +LIBUNBOUND_REVISION=15 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2920,6 +2920,7 @@ LIBUNBOUND_AGE=1 # 1.13.1 had 9:12:1 # 1.13.2 had 9:13:1 # 1.14.0 had 9:14:1 +# 1.15.0 had 9:15:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -14812,6 +14813,51 @@ fi done +for ac_header in netioapi.h +do : + ac_fn_c_check_header_compile "$LINENO" "netioapi.h" "ac_cv_header_netioapi_h" "$ac_includes_default +#if HAVE_SYS_PARAM_H +#include <sys/param.h> +#endif + +#ifdef HAVE_SYS_SOCKET_H +#include <sys/socket.h> +#endif + +#ifdef HAVE_SYS_UIO_H +#include <sys/uio.h> +#endif + +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#endif + +#ifdef HAVE_NETINET_TCP_H +#include <netinet/tcp.h> +#endif + +#ifdef HAVE_ARPA_INET_H +#include <arpa/inet.h> +#endif + +#ifdef HAVE_WINSOCK2_H +#include <winsock2.h> +#endif + +#ifdef HAVE_WS2TCPIP_H +#include <ws2tcpip.h> +#endif + +" +if test "x$ac_cv_header_netioapi_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_NETIOAPI_H 1 +_ACEOF + +fi + +done + # check for types. # Using own tests for int64* because autoconf builtin only give 32bit. @@ -17895,7 +17941,7 @@ if test "`uname`" = "NetBSD"; then fi -if test "`uname -o`" = "GNU/Linux"; then +if test "`uname`" = "Linux"; then # splint cannot parse modern c99 header files GCC_DOCKER_LINTFLAGS='-syntax' @@ -21840,7 +21886,7 @@ _ACEOF -version=1.14.0 +version=1.15.0 date=`date +'%b %e, %Y'` @@ -22359,7 +22405,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.14.0, which was +This file was extended by unbound $as_me 1.15.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -22425,7 +22471,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.14.0 +unbound config.status 1.15.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/contrib/unbound/configure.ac b/contrib/unbound/configure.ac index 36fdb4598c27..5c7da1978131 100644 --- a/contrib/unbound/configure.ac +++ b/contrib/unbound/configure.ac @@ -10,7 +10,7 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) -m4_define([VERSION_MINOR],[14]) +m4_define([VERSION_MINOR],[15]) m4_define([VERSION_MICRO],[0]) AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound]) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) @@ -18,7 +18,7 @@ AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=14 +LIBUNBOUND_REVISION=15 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -100,6 +100,7 @@ LIBUNBOUND_AGE=1 # 1.13.1 had 9:12:1 # 1.13.2 had 9:13:1 # 1.14.0 had 9:14:1 +# 1.15.0 had 9:15:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -412,6 +413,39 @@ AC_CHECK_HEADERS([net/if.h],,, [ # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH AC_CHECK_HEADERS([TargetConditionals.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([netioapi.h],,, [AC_INCLUDES_DEFAULT +#if HAVE_SYS_PARAM_H +#include <sys/param.h> +#endif + +#ifdef HAVE_SYS_SOCKET_H +#include <sys/socket.h> +#endif + +#ifdef HAVE_SYS_UIO_H +#include <sys/uio.h> +#endif + +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#endif + +#ifdef HAVE_NETINET_TCP_H +#include <netinet/tcp.h> +#endif + +#ifdef HAVE_ARPA_INET_H +#include <arpa/inet.h> +#endif + +#ifdef HAVE_WINSOCK2_H +#include <winsock2.h> +#endif + +#ifdef HAVE_WS2TCPIP_H +#include <ws2tcpip.h> +#endif +]) # check for types. # Using own tests for int64* because autoconf builtin only give 32bit. @@ -782,7 +816,7 @@ if test "`uname`" = "NetBSD"; then AC_SUBST(NETBSD_LINTFLAGS) fi -if test "`uname -o`" = "GNU/Linux"; then +if test "`uname`" = "Linux"; then # splint cannot parse modern c99 header files GCC_DOCKER_LINTFLAGS='-syntax' AC_SUBST(GCC_DOCKER_LINTFLAGS) diff --git a/contrib/unbound/contrib/aaaa-filter-iterator.patch b/contrib/unbound/contrib/aaaa-filter-iterator.patch index f51de2a40d9b..5513133722db 100644 --- a/contrib/unbound/contrib/aaaa-filter-iterator.patch +++ b/contrib/unbound/contrib/aaaa-filter-iterator.patch @@ -1,8 +1,8 @@ diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in -index f426ac5f..147fbfa9 100644 +index 5a75e319..c6c6dbe2 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in -@@ -872,6 +872,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when +@@ -970,6 +970,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when this option in enabled. Only use if you know what you are doing. This option only has effect when qname-minimisation is enabled. Default is no. .TP @@ -17,10 +17,10 @@ index f426ac5f..147fbfa9 100644 Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other denials, using information from previous NXDOMAINs answers. diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c -index aae934dd..55c55de0 100644 +index f093c1bf..e55a2246 100644 --- a/iterator/iter_scrub.c +++ b/iterator/iter_scrub.c -@@ -667,6 +667,32 @@ static int sanitize_nsec_is_overreach(struct rrset_parse* rrset, +@@ -679,6 +679,32 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt, return 0; } @@ -53,7 +53,7 @@ index aae934dd..55c55de0 100644 /** * Given a response event, remove suspect RRsets from the response. * "Suspect" rrsets are potentially poison. Note that this routine expects -@@ -686,6 +712,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, +@@ -698,6 +724,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, struct query_info* qinfo, uint8_t* zonename, struct module_env* env, struct iter_env* ie) { @@ -61,7 +61,7 @@ index aae934dd..55c55de0 100644 int del_addi = 0; /* if additional-holding rrsets are deleted, we do not trust the normalized additional-A-AAAA any more */ struct rrset_parse* rrset, *prev; -@@ -721,6 +748,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, +@@ -733,6 +760,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, rrset = rrset->rrset_all_next; } @@ -75,7 +75,7 @@ index aae934dd..55c55de0 100644 /* At this point, we brutally remove ALL rrsets that aren't * children of the originating zone. The idea here is that, * as far as we know, the server that we contacted is ONLY -@@ -732,6 +766,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, +@@ -744,6 +778,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, rrset = msg->rrset_first; while(rrset) { @@ -101,22 +101,22 @@ index aae934dd..55c55de0 100644 if( (rrset->type == LDNS_RR_TYPE_A || rrset->type == LDNS_RR_TYPE_AAAA)) { diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c -index 7bc67da6..e10f547a 100644 +index 2482a1f4..bd5ba243 100644 --- a/iterator/iter_utils.c +++ b/iterator/iter_utils.c -@@ -175,6 +175,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) - } +@@ -177,6 +177,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) iter_env->supports_ipv6 = cfg->do_ip6; iter_env->supports_ipv4 = cfg->do_ip4; + iter_env->outbound_msg_retry = cfg->outbound_msg_retry; + iter_env->aaaa_filter = cfg->aaaa_filter; return 1; } diff --git a/iterator/iterator.c b/iterator/iterator.c -index 23b07ea9..ca29b48c 100644 +index 54006940..768fe202 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c -@@ -2127,6 +2127,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id) +@@ -2155,6 +2155,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id) return 0; } @@ -170,7 +170,7 @@ index 23b07ea9..ca29b48c 100644 /** * This is the request event state where the request will be sent to one of -@@ -2186,6 +2233,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -2216,6 +2263,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } @@ -184,7 +184,7 @@ index 23b07ea9..ca29b48c 100644 /* Make sure we have a delegation point, otherwise priming failed * or another failure occurred */ if(!iq->dp) { -@@ -3574,6 +3628,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -3648,6 +3702,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq, return 0; } @@ -246,7 +246,7 @@ index 23b07ea9..ca29b48c 100644 /* * Return priming query results to interested super querystates. * -@@ -3593,6 +3702,9 @@ iter_inform_super(struct module_qstate* qstate, int id, +@@ -3667,6 +3776,9 @@ iter_inform_super(struct module_qstate* qstate, int id, else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*) super->minfo[id])->state == DSNS_FIND_STATE) processDSNSResponse(qstate, id, super); @@ -256,7 +256,7 @@ index 23b07ea9..ca29b48c 100644 else if(qstate->return_rcode != LDNS_RCODE_NOERROR) error_supers(qstate, id, super); else if(qstate->is_priming) -@@ -3630,6 +3742,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -3704,6 +3816,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq, case INIT_REQUEST_3_STATE: cont = processInitRequest3(qstate, iq, id); break; @@ -266,7 +266,7 @@ index 23b07ea9..ca29b48c 100644 case QUERYTARGETS_STATE: cont = processQueryTargets(qstate, iq, ie, id); break; -@@ -3961,6 +4076,8 @@ iter_state_to_string(enum iter_state state) +@@ -4040,6 +4155,8 @@ iter_state_to_string(enum iter_state state) return "INIT REQUEST STATE (stage 2)"; case INIT_REQUEST_3_STATE: return "INIT REQUEST STATE (stage 3)"; @@ -275,7 +275,7 @@ index 23b07ea9..ca29b48c 100644 case QUERYTARGETS_STATE : return "QUERY TARGETS STATE"; case PRIME_RESP_STATE : -@@ -3985,6 +4102,7 @@ iter_state_is_responsestate(enum iter_state s) +@@ -4064,6 +4181,7 @@ iter_state_is_responsestate(enum iter_state s) case INIT_REQUEST_STATE : case INIT_REQUEST_2_STATE : case INIT_REQUEST_3_STATE : @@ -284,10 +284,10 @@ index 23b07ea9..ca29b48c 100644 case COLLECT_CLASS_STATE : return 0; diff --git a/iterator/iterator.h b/iterator/iterator.h -index 342ac207..731948d1 100644 +index 8b840528..a61c4195 100644 --- a/iterator/iterator.h +++ b/iterator/iterator.h -@@ -135,6 +135,9 @@ struct iter_env { +@@ -133,6 +133,9 @@ struct iter_env { */ int* target_fetch_policy; @@ -297,7 +297,7 @@ index 342ac207..731948d1 100644 /** lock on ratelimit counter */ lock_basic_type queries_ratelimit_lock; /** number of queries that have been ratelimited */ -@@ -186,6 +189,14 @@ enum iter_state { +@@ -187,6 +190,14 @@ enum iter_state { */ INIT_REQUEST_3_STATE, @@ -312,7 +312,7 @@ index 342ac207..731948d1 100644 /** * Each time a delegation point changes for a given query or a * query times out and/or wakes up, this state is (re)visited. -@@ -375,6 +386,13 @@ struct iter_qstate { +@@ -376,6 +387,13 @@ struct iter_qstate { */ int refetch_glue; @@ -327,10 +327,10 @@ index 342ac207..731948d1 100644 struct outbound_list outlist; diff --git a/pythonmod/interface.i b/pythonmod/interface.i -index f08b575d..47f1bb2e 100644 +index 1ca8686a..d91b19ec 100644 --- a/pythonmod/interface.i +++ b/pythonmod/interface.i -@@ -975,6 +975,7 @@ struct config_file { +@@ -995,6 +995,7 @@ struct config_file { int harden_dnssec_stripped; int harden_referral_path; int use_caps_bits_for_id; @@ -339,10 +339,10 @@ index f08b575d..47f1bb2e 100644 struct config_strlist* private_domain; size_t unwanted_threshold; diff --git a/util/config_file.c b/util/config_file.c -index 0ab8614a..729fb147 100644 +index 969d664b..8d94b008 100644 --- a/util/config_file.c +++ b/util/config_file.c -@@ -218,6 +218,7 @@ config_create(void) +@@ -231,6 +231,7 @@ config_create(void) cfg->harden_referral_path = 0; cfg->harden_algo_downgrade = 0; cfg->use_caps_bits_for_id = 0; @@ -351,10 +351,10 @@ index 0ab8614a..729fb147 100644 cfg->private_address = NULL; cfg->private_domain = NULL; diff --git a/util/config_file.h b/util/config_file.h -index e61257a3..dabaa7bb 100644 +index c7c9a0a4..e3aa15b0 100644 --- a/util/config_file.h +++ b/util/config_file.h -@@ -260,6 +260,8 @@ struct config_file { +@@ -285,6 +285,8 @@ struct config_file { int harden_algo_downgrade; /** use 0x20 bits in query as random ID bits */ int use_caps_bits_for_id; @@ -364,38 +364,38 @@ index e61257a3..dabaa7bb 100644 struct config_strlist* caps_whitelist; /** strip away these private addrs from answers, no DNS Rebinding */ diff --git a/util/configlexer.lex b/util/configlexer.lex -index 79a0edca..4eaec678 100644 +index 34a0e5dd..c890be2a 100644 --- a/util/configlexer.lex +++ b/util/configlexer.lex -@@ -304,6 +304,7 @@ harden-algo-downgrade{COLON} { YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) } - use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) } +@@ -317,6 +317,7 @@ use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) } caps-whitelist{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) } + caps-exempt{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) } unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) } +aaaa-filter{COLON} { YDVAR(1, VAR_AAAA_FILTER) } private-address{COLON} { YDVAR(1, VAR_PRIVATE_ADDRESS) } private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) } prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) } diff --git a/util/configparser.y b/util/configparser.y -index 1d0e8658..f284dd43 100644 +index d4f965f9..8cc237c6 100644 --- a/util/configparser.y +++ b/util/configparser.y @@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser; - %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT + %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS +%token VAR_AAAA_FILTER %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE -@@ -233,6 +234,7 @@ content_server: server_num_threads | server_verbosity | server_port | +@@ -247,6 +248,7 @@ content_server: server_num_threads | server_verbosity | server_port | server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size | server_harden_referral_path | server_private_address | - server_private_domain | server_extended_statistics | + server_private_domain | server_extended_statistics | + server_aaaa_filter | - server_local_data_ptr | server_jostle_timeout | - server_unwanted_reply_threshold | server_log_time_ascii | - server_domain_insecure | server_val_sig_skew_min | -@@ -1563,6 +1565,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG + server_local_data_ptr | server_jostle_timeout | + server_unwanted_reply_threshold | server_log_time_ascii | + server_domain_insecure | server_val_sig_skew_min | +@@ -1754,6 +1756,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG yyerror("out of memory"); } ; diff --git a/contrib/unbound/daemon/remote.c b/contrib/unbound/daemon/remote.c index adf0383895d4..675ef43970d1 100644 --- a/contrib/unbound/daemon/remote.c +++ b/contrib/unbound/daemon/remote.c @@ -300,6 +300,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err, */ if(fd != -1) { #ifdef HAVE_CHOWN + chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)); if (cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1) { if(chown(ip, cfg_uid, cfg_gid) == -1) @@ -307,7 +308,6 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err, (unsigned)cfg_uid, (unsigned)cfg_gid, ip, strerror(errno)); } - chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)); #else (void)cfg; #endif @@ -2015,7 +2015,7 @@ print_root_fwds(RES* ssl, struct iter_forwards* fwds, uint8_t* root) /** parse args into delegpt */ static struct delegpt* -parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names) +parse_delegpt(RES* ssl, char* args, uint8_t* nm) { /* parse args and add in */ char* p = args; @@ -2037,40 +2037,35 @@ parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names) } /* parse address */ if(!authextstrtoaddr(todo, &addr, &addrlen, &auth_name)) { - if(allow_names) { - uint8_t* n = NULL; - size_t ln; - int lb; - if(!parse_arg_name(ssl, todo, &n, &ln, &lb)) { - (void)ssl_printf(ssl, "error cannot " - "parse IP address or name " - "'%s'\n", todo); - delegpt_free_mlc(dp); - return NULL; - } - if(!delegpt_add_ns_mlc(dp, n, 0)) { - (void)ssl_printf(ssl, "error out of memory\n"); - free(n); - delegpt_free_mlc(dp); - return NULL; - } - free(n); - - } else { + uint8_t* dname= NULL; + int port; + dname = authextstrtodname(todo, &port, &auth_name); + if(!dname) { (void)ssl_printf(ssl, "error cannot parse" - " IP address '%s'\n", todo); + " '%s'\n", todo); + delegpt_free_mlc(dp); + return NULL; + } +#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + if(auth_name) + log_err("no name verification functionality in " + "ssl library, ignored name for %s", todo); +#endif + if(!delegpt_add_ns_mlc(dp, dname, 0, auth_name, port)) { + (void)ssl_printf(ssl, "error out of memory\n"); + free(dname); delegpt_free_mlc(dp); return NULL; } } else { #if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) if(auth_name) - log_err("no name verification functionality in " + log_err("no name verification functionality in " "ssl library, ignored name for %s", todo); #endif /* add address */ if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0, - auth_name)) { + auth_name, -1)) { (void)ssl_printf(ssl, "error out of memory\n"); delegpt_free_mlc(dp); return NULL; @@ -2103,7 +2098,7 @@ do_forward(RES* ssl, struct worker* worker, char* args) forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, root); } else { struct delegpt* dp; - if(!(dp = parse_delegpt(ssl, args, root, 0))) + if(!(dp = parse_delegpt(ssl, args, root))) return; if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) { (void)ssl_printf(ssl, "error out of memory\n"); @@ -2149,7 +2144,7 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp, /* parse dp */ if(dp) { - if(!(*dp = parse_delegpt(ssl, args, *nm, 1))) { + if(!(*dp = parse_delegpt(ssl, args, *nm))) { free(*nm); return 0; } @@ -2865,6 +2860,8 @@ struct ratelimit_list_arg { int all; /** current time */ time_t now; + /** if backoff is enabled */ + int backoff; }; #define ip_ratelimit_list_arg ratelimit_list_arg @@ -2878,7 +2875,7 @@ rate_list(struct lruhash_entry* e, void* arg) struct rate_data* d = (struct rate_data*)e->data; char buf[257]; int lim = infra_find_ratelimit(a->infra, k->name, k->namelen); - int max = infra_rate_max(d, a->now); + int max = infra_rate_max(d, a->now, a->backoff); if(a->all == 0) { if(max < lim) return; @@ -2896,7 +2893,7 @@ ip_rate_list(struct lruhash_entry* e, void* arg) struct ip_rate_key* k = (struct ip_rate_key*)e->key; struct ip_rate_data* d = (struct ip_rate_data*)e->data; int lim = infra_ip_ratelimit; - int max = infra_rate_max(d, a->now); + int max = infra_rate_max(d, a->now, a->backoff); if(a->all == 0) { if(max < lim) return; @@ -2914,6 +2911,7 @@ do_ratelimit_list(RES* ssl, struct worker* worker, char* arg) a.infra = worker->env.infra_cache; a.now = *worker->env.now; a.ssl = ssl; + a.backoff = worker->env.cfg->ratelimit_backoff; arg = skipwhite(arg); if(strcmp(arg, "+a") == 0) a.all = 1; @@ -2932,6 +2930,7 @@ do_ip_ratelimit_list(RES* ssl, struct worker* worker, char* arg) a.infra = worker->env.infra_cache; a.now = *worker->env.now; a.ssl = ssl; + a.backoff = worker->env.cfg->ip_ratelimit_backoff; arg = skipwhite(arg); if(strcmp(arg, "+a") == 0) a.all = 1; diff --git a/contrib/unbound/daemon/worker.c b/contrib/unbound/daemon/worker.c index 5d2483cd2cd9..862affb24e9a 100644 --- a/contrib/unbound/daemon/worker.c +++ b/contrib/unbound/daemon/worker.c @@ -1167,7 +1167,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error, /* check if this query should be dropped based on source ip rate limiting */ if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo, - *worker->env.now, c->buffer)) { + *worker->env.now, + worker->env.cfg->ip_ratelimit_backoff, c->buffer)) { /* See if we are passed through with slip factor */ if(worker->env.cfg->ip_ratelimit_factor != 0 && ub_random_max(worker->env.rnd, @@ -1967,9 +1968,10 @@ worker_delete(struct worker* worker) struct outbound_entry* worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, - int want_dnssec, int nocaps, struct sockaddr_storage* addr, - socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream, - int ssl_upstream, char* tls_auth_name, struct module_qstate* q) + int want_dnssec, int nocaps, int check_ratelimit, + struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, + size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, + struct module_qstate* q, int* was_ratelimited) { struct worker* worker = q->env->worker; struct outbound_entry* e = (struct outbound_entry*)regional_alloc( @@ -1978,9 +1980,10 @@ worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, return NULL; e->qstate = q; e->qsent = outnet_serviced_query(worker->back, qinfo, flags, dnssec, - want_dnssec, nocaps, tcp_upstream, + want_dnssec, nocaps, check_ratelimit, tcp_upstream, ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, q, - worker_handle_service_reply, e, worker->back->udp_buff, q->env); + worker_handle_service_reply, e, worker->back->udp_buff, q->env, + was_ratelimited); if(!e->qsent) { return NULL; } @@ -2024,10 +2027,11 @@ struct outbound_entry* libworker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps), + int ATTR_UNUSED(check_ratelimit), struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), - struct module_qstate* ATTR_UNUSED(q)) + struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; diff --git a/contrib/unbound/dnstap/dtstream.c b/contrib/unbound/dnstap/dtstream.c index 14aacaef567b..a1dd9703ea95 100644 --- a/contrib/unbound/dnstap/dtstream.c +++ b/contrib/unbound/dnstap/dtstream.c @@ -188,9 +188,9 @@ mq_wakeup_cb(void* arg) /** start timer to wakeup dtio because there is content in the queue */ static void -dt_msg_queue_start_timer(struct dt_msg_queue* mq) +dt_msg_queue_start_timer(struct dt_msg_queue* mq, int wakeupnow) { - struct timeval tv; + struct timeval tv = {0}; /* Start a timer to process messages to be logged. *** 6593 LINES SKIPPED ***