Merge branch 'master' into svcb
commit
ab017cde0f
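--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,41 @@
+---
+name: Bug report
+about: Create a report to help us improve Unbound
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+<!--
+Thanks for taking the time to report an issue!
+
+Before continuing please make sure that you checked the existing (opened and closed) issues and pull requests to avoid opening a duplicate issue. We would rather prefer to add the information to the existing one. If you are able, feel free to reopen the closed issue afterwards. If not, please create a new issue linking to the old one.
+
+If you rather have a support question and you need guidance on running/configuring Unbound, please refrain from opening an issue and use the community support mailing list instead (https://www.nlnetlabs.nl/support/mailing-lists/).
+We would like to keep GitHub issues for possible bugs and feature requests only.
+
+If you are unsure whether an issue is a bug or not, feel free to reach out to mailing list users or open an issue here.
+
+If you are opening an issue, please complete as much of the following sections as possible to give us a better understanding of your situation.
+-->
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To reproduce**
+Steps to reproduce the behavior:
+1.
+2.
+3.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**System:**
+- Unbound version:
+- OS:
+- `unbound -V` output:
+
+**Additional information**
+Add any other information that you may have gathered about the issue here.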
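--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,31 @@
+---
+name: Feature request
+about: Suggest an idea for Unbound
+title: "[FR]"
+labels: ''
+assignees: ''
+
+---
+
+<!--
+Thanks for taking the time to report an issue!
+
+Before continuing please make sure that you checked the existing (opened and closed) issues and pull requests to avoid opening a duplicate issue. We would rather prefer to add the information to the existing one. If you are able, feel free to reopen the closed issue afterwards. If not, please create a new issue linking to the old one.
+
+If you rather have a support question and you need guidance on running/configuring Unbound, please refrain from opening an issue and use the community support mailing list instead (https://www.nlnetlabs.nl/support/mailing-lists/).
+We would like to keep GitHub issues for possible bugs and feature requests only.
+
+If you are unsure whether an issue is a bug or not, feel free to reach out to mailing list users or open an issue here.
+
+If you are opening an issue, please complete as much of the following sections as possible to give us a better understanding of your situation.
+-->
+
+**Current behavior**
+Is there a current behavior that the feature relates to?
+If yes, would you wish the current behavior to change?
+
+**Describe the desired feature**
+A clear and concise description of what the feature should be.
+
+**Potential use-case**
+Describe how you see this feature being useful to other Unbound users.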
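--- a/.github/workflows/analysis_ports.yml
+++ b/.github/workflows/analysis_ports.yml
@@ -0,0 +1,346 @@
+name: Analysis and Ports
+
+on:
+workflow_dispatch:
+inputs:
+start:
+description: 'Start analysis and port workflow'
+default: 'yes'
+required: true
+
+jobs:
+build:
+runs-on: ${{ matrix.os }}
+strategy:
+matrix:
+include:
+- name: GCC on Linux
+os: ubuntu-latest
+config: "--enable-debug --disable-flto"
+make_test: "yes"
+- name: Clang-analyzer
+os: ubuntu-latest
+config: "CC=clang --enable-debug --disable-flto --disable-static"
+make_test: "yes"
+clang_analysis: "yes"
+- name: libevent
+os: ubuntu-latest
+install_libevent: "yes"
+config: "CC=clang --enable-debug --disable-flto --with-libevent --disable-static"
+make_test: "yes"
+clang_analysis: "yes"
+- name: OS X
+os: macos-latest
+install_expat: "yes"
+config: "--enable-debug --disable-flto --with-ssl=/usr/local/opt/openssl --with-libexpat=/usr/local/opt/expat"
+make_test: "yes"
+- name: Clang on OS X
+os: macos-latest
+install_expat: "yes"
+config: "CC=clang --enable-debug --disable-flto --with-ssl=/usr/local/opt/openssl --with-libexpat=/usr/local/opt/expat --disable-static"
+make_test: "yes"
+clang_analysis: "yes"
+- name: ubsan (gcc undefined behaviour sanitizer)
+os: ubuntu-latest
+config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined -fno-sanitize-recover=all" --disable-flto --disable-static'
+make_test: "yes"
+- name: asan (gcc address sanitizer)
+os: ubuntu-latest
+config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=address" --disable-flto --disable-static'
+make_test: "yes"
+- name: Apple iPhone on iOS, armv7
+os: macos-latest
+AUTOTOOLS_HOST: armv7-apple-ios
+OPENSSL_HOST: ios-cross
+IOS_SDK: iPhoneOS
+IOS_CPU: armv7s
+test_ios: "yes"
+config: "no"
+make: "no"
+- name: Apple iPhone on iOS, arm64
+os: macos-latest
+AUTOTOOLS_HOST: aarch64-apple-ios
+OPENSSL_HOST: ios64-cross
+IOS_SDK: iPhoneOS
+IOS_CPU: arm64
+test_ios: "yes"
+config: "no"
+make: "no"
+- name: Apple TV on iOS, arm64
+os: macos-latest
+AUTOTOOLS_HOST: aarch64-apple-ios
+OPENSSL_HOST: ios64-cross
+IOS_SDK: AppleTVOS
+IOS_CPU: arm64
+test_ios: "yes"
+config: "no"
+make: "no"
+- name: Apple Watch on iOS, armv7
+os: macos-latest
+AUTOTOOLS_HOST: armv7-apple-ios
+OPENSSL_HOST: ios-cross
+IOS_SDK: WatchOS
+IOS_CPU: armv7k
+test_ios: "yes"
+config: "no"
+make: "no"
+- name: iPhoneSimulator on OS X, i386
+os: macos-latest
+AUTOTOOLS_HOST: i386-apple-ios
+OPENSSL_HOST: iphoneos-cross
+IOS_SDK: iPhoneSimulator
+IOS_CPU: i386
+test_ios: "yes"
+config: "no"
+make: "no"
+- name: iPhoneSimulator on OS X, x86_64
+os: macos-latest
+AUTOTOOLS_HOST: x86_64-apple-ios
+OPENSSL_HOST: iphoneos-cross
+IOS_SDK: iPhoneSimulator
+IOS_CPU: x86_64
+test_ios: "yes"
+config: "no"
+make: "no"
+- name: AppleTVSimulator on OS X, x86_64
+os: macos-latest
+AUTOTOOLS_HOST: x86_64-apple-ios
+OPENSSL_HOST: iphoneos-cross
+IOS_SDK: AppleTVSimulator
+IOS_CPU: x86_64
+test_ios: "yes"
+config: "no"
+make: "no"
+- name: WatchSimulator on OS X, i386
+os: macos-latest
+AUTOTOOLS_HOST: i386-apple-ios
+OPENSSL_HOST: iphoneos-cross
+IOS_SDK: WatchSimulator
+IOS_CPU: i386
+test_ios: "yes"
+config: "no"
+make: "no"
+- name: Android armv7a
+os: ubuntu-latest
+AUTOTOOLS_HOST: armv7a-linux-androidabi
+OPENSSL_HOST: android-arm
+ANDROID_CPU: armv7a
+ANDROID_API: 23
+test_android: "yes"
+config: "no"
+make: "no"
+- name: Android aarch64
+os: ubuntu-latest
+AUTOTOOLS_HOST: aarch64-linux-android
+OPENSSL_HOST: android-arm64
+ANDROID_CPU: aarch64
+ANDROID_API: 23
+test_android: "yes"
+config: "no"
+make: "no"
+- name: Android x86
+os: ubuntu-latest
+AUTOTOOLS_HOST: i686-linux-android
+OPENSSL_HOST: android-x86
+ANDROID_CPU: x86
+ANDROID_API: 23
+test_android: "yes"
+config: "no"
+make: "no"
+- name: Android x86_64
+os: ubuntu-latest
+AUTOTOOLS_HOST: x86_64-linux-android
+OPENSSL_HOST: android-x86_64
+ANDROID_CPU: x86_64
+ANDROID_API: 23
+test_android: "yes"
+config: "no"
+make: "no"
+- name: Windows
+os: windows-latest
+test_windows: "yes"
+config: "no"
+make: "no"
+
+steps:
+- uses: actions/checkout@v2
+with:
+submodules: false
+- name: test_windows
+if: ${{ matrix.test_windows == 'yes' }}
+shell: bash
+run: |
+export unboundpath=`pwd`
+echo unboundpath=${unboundpath}
+cd ..
+export prepath=`pwd`
+echo prepath=${prepath}
+#echo "curl cpanm"
+#curl -L -k -s -S -o cpanm https://cpanmin.us/
+#echo "perl cpanm Pod::Usage"
+#perl cpanm Pod::Usage
+mkdir openssl
+echo "curl openssl"
+curl -L -k -s -S -o openssl-1.1.1j.tar.gz https://www.openssl.org/source/openssl-1.1.1j.tar.gz
+tar xzf openssl-1.1.1j.tar.gz
+cd openssl-1.1.1j
+# remove pod::Usage because we do not need -help or -man output
+# from the Configure script
+echo "Fixup ./Configure by removing use Pod::Usage require"
+sed -e 's/use Pod::Usage//' < Configure > Configure.fix
+echo "./Configure.fix no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix=\""$prepath/openssl\"""
+./Configure.fix no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix="$prepath/openssl"
+# make the libs only, build faster
+echo "make build_libs"
+#make
+make build_libs
+mv Makefile Makefile.orig
+# fixup \\ in the installtop to /.
+echo "fixup INSTALLTOP"
+sed -e 's?^INSTALLTOP=.*$?INSTALLTOP='"$prepath"'/openssl?' < Makefile.orig > Makefile
+# install the includes and libs only, build faster
+echo "make install_dev"
+#make install_sw
+make install_dev
+cd ..
+mkdir expat
+echo "curl expat"
+curl -L -k -s -S -o expat-2.2.10.tar.gz https://github.com/libexpat/libexpat/releases/download/R_2_2_10/expat-2.2.10.tar.gz
+tar xzf expat-2.2.10.tar.gz
+cd expat-2.2.10
+echo "./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix=\"$prepath/expat\" --exec-prefix=\"$prepath/expat\" --bindir=\"$prepath/expat/bin\" --includedir=\"$prepath/expat/include\" --mandir=\"$prepath/expat/man\" --libdir=\"$prepath/expat/lib\""
+./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix="$prepath/expat" --exec-prefix="$prepath/expat" --bindir="$prepath/expat/bin" --includedir="$prepath/expat/include" --mandir="$prepath/expat/man" --libdir="$prepath/expat/lib"
+# fixup SHELL is treated specially, but SHELZZ is not by make.
+echo "Fixup Makefiles by renaming SHELL to SHELLZZ"
+mv Makefile Makefile.orig
+sed -e 's/SHELL/SHELLZZ/g' < Makefile.orig > Makefile
+mv lib/Makefile lib/Makefile.orig
+sed -e 's/SHELL/SHELLZZ/g' < lib/Makefile.orig > lib/Makefile
+mv doc/Makefile doc/Makefile.orig
+sed -e 's/SHELL/SHELLZZ/g' < doc/Makefile.orig > doc/Makefile
+mv examples/Makefile examples/Makefile.orig
+sed -e 's/SHELL/SHELLZZ/g' < examples/Makefile.orig > examples/Makefile
+mv tests/Makefile tests/Makefile.orig
+sed -e 's/SHELL/SHELLZZ/g' < tests/Makefile.orig > tests/Makefile
+mv xmlwf/Makefile xmlwf/Makefile.orig
+sed -e 's/SHELL/SHELLZZ/g' < xmlwf/Makefile.orig > xmlwf/Makefile
+echo "make"
+make
+echo "make install"
+make install
+cd ..
+echo "unbound"
+cd unbound
+echo "./configure --enable-debug --enable-static-exe --disable-flto \"--with-ssl=$prepath/openssl\" --with-libexpat=\"$prepath/expat\" --disable-shared"
+./configure --enable-debug --enable-static-exe --disable-flto "--with-ssl=$prepath/openssl" --with-libexpat="$prepath/expat" --disable-shared
+make
+# specific test output
+#make testbound.exe; ./testbound.exe -s
+#make testbound; ./testbound.exe -p testdata/acl.rpl -o -vvvv
+make test
+- name: test_android
+if: ${{ matrix.test_android == 'yes' }}
+env:
+AUTOTOOLS_HOST: ${{ matrix.AUTOTOOLS_HOST }}
+OPENSSL_HOST: ${{ matrix.OPENSSL_HOST }}
+ANDROID_API: ${{ matrix.ANDROID_API }}
+ANDROID_CPU: ${{ matrix.ANDROID_CPU }}
+run: |
+#(already installed) ./contrib/android/install_tools.sh
+export ANDROID_PREFIX="$HOME/android$ANDROID_API-$ANDROID_CPU"
+echo ANDROID_PREFIX=${ANDROID_PREFIX}
+export ANDROID_SDK_ROOT="$HOME/android-sdk"
+echo ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}
+export ANDROID_NDK_ROOT="$HOME/android-ndk"
+echo ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}
+export AUTOTOOLS_BUILD="$(./config.guess)"
+echo AUTOTOOLS_BUILD=${AUTOTOOLS_BUILD}
+export PKG_CONFIG_PATH="$ANDROID_PREFIX/lib/pkgconfig"
+echo PKG_CONFIG_PATH=${PKG_CONFIG_PATH}
+export CONFIG_OPTS="--build=$AUTOTOOLS_BUILD --host=$AUTOTOOLS_HOST --prefix=$ANDROID_PREFIX --with-ssl=$ANDROID_PREFIX --disable-gost --with-libexpat=$ANDROID_PREFIX"
+echo CONFIG_OPTS=${CONFIG_OPTS}
+echo "::group::install_ndk"
+echo "./contrib/android/install_ndk.sh"
+./contrib/android/install_ndk.sh
+echo "::endgroup::"
+echo "::group::setenv_android.sh"
+echo "./contrib/android/setenv_android.sh"
+source ./contrib/android/setenv_android.sh
+echo "::endgroup::"
+echo "::group::install_openssl"
+echo "./contrib/android/install_openssl.sh"
+./contrib/android/install_openssl.sh
+echo "::endgroup::"
+echo "::group::install_expat"
+echo "./contrib/android/install_expat.sh"
+./contrib/android/install_expat.sh
+echo "::endgroup::"
+echo "::group::configure"
+echo "./configure ${CONFIG_OPTS}"
+./configure ${CONFIG_OPTS}
+echo "::endgroup::"
+echo "::group::make"
+# make is here to preserve environment variables
+make
+echo "::endgroup::"
+echo "::group::make install"
+make install
+echo "::endgroup::"
+- name: test ios
+if: ${{ matrix.test_ios == 'yes' }}
+env:
+AUTOTOOLS_HOST: ${{ matrix.AUTOTOOLS_HOST }}
+OPENSSL_HOST: ${{ matrix.OPENSSL_HOST }}
+IOS_SDK: ${{ matrix.IOS_SDK }}
+IOS_CPU: ${{ matrix.IOS_CPU }}
+run: |
+#(already installed) ./contrib/ios/install_tools.sh
+export AUTOTOOLS_BUILD="$(./config.guess)"
+echo AUTOTOOLS_BUILD=${AUTOTOOLS_BUILD}
+export IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU"
+echo IOS_PREFIX=${IOS_PREFIX}
+export PKG_CONFIG_PATH="$IOS_PREFIX/lib/pkgconfig"
+echo PKG_CONFIG_PATH=${PKG_CONFIG_PATH}
+export CONFIG_OPTS="--build=$AUTOTOOLS_BUILD --host=$AUTOTOOLS_HOST --prefix=$IOS_PREFIX --with-ssl=$IOS_PREFIX --disable-gost --with-libexpat=$IOS_PREFIX"
+echo CONFIG_OPTS=${CONFIG_OPTS}
+echo "::group::setenv_ios.sh"
+echo "./contrib/ios/setenv_ios.sh"
+source ./contrib/ios/setenv_ios.sh
+echo "::endgroup::"
+echo "::group::install_openssl"
+echo "./contrib/ios/install_openssl.sh"
+./contrib/ios/install_openssl.sh
+echo "::endgroup::"
+echo "::group::install_expat"
+echo "./contrib/ios/install_expat.sh"
+./contrib/ios/install_expat.sh
+echo "::endgroup::"
+echo "::group::configure"
+echo "./configure ${CONFIG_OPTS}"
+./configure ${CONFIG_OPTS}
+echo "::endgroup::"
+echo "::group::make"
+# make is here to preserve environment variables
+make
+echo "::endgroup::"
+echo "::group::make install"
+make install
+echo "::endgroup::"
+- name: install libevent
+if: ${{ matrix.install_libevent == 'yes' }}
+run: sudo apt-get install libevent-dev
+- name: install expat
+if: ${{ matrix.install_expat == 'yes' }}
+run: brew install expat
+- name: configure
+if: ${{ matrix.config != 'no' }}
+run: ./configure ${{ matrix.config }}
+- name: make
+if: ${{ matrix.make != 'no' }}
+run: make
+- name: make test
+if: ${{ matrix.make_test == 'yes' }}
+run: make test
+- name: clang-analysis
+if: ${{ matrix.clang_analysis == 'yes' }}
+run: (cd testdata/clang-analysis.tdir; bash clang-analysis.test)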
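Review bot: The test_windows step fetches the OpenSSL and expat tarballs with `curl -L -k ...` (the openssl line right after `echo "curl openssl"`, and the expat line after `echo "curl expat"`), which turns off TLS certificate verification, and then unpacks and builds whatever came back without any integrity check, so the toolchain the job links against is whatever the network delivers. Drop `-k` and pin the archive digest, e.g. `curl -L -s -S -o openssl-1.1.1j.tar.gz https://www.openssl.org/source/openssl-1.1.1j.tar.gz` followed by `echo "<EXPECTED_SHA256>  openssl-1.1.1j.tar.gz" | sha256sum -c -`, and the same pair for expat-2.2.10.tar.gz. The `actions/checkout@v2` reference here and in .github/workflows/ci.yml is a mutable tag; pinning it to a full commit SHA gives the action itself the same property. The `start` input declared under workflow_dispatch is not read by any step, so it should either be dropped or carry a comment saying it is only a manual trigger placeholder.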
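--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,21 @@
+name: ci
+
+on:
+push:
+branches: [ master ]
+pull_request:
+branches: [ master ]
+
+jobs:
+build:
+
+runs-on: ubuntu-latest
+
+steps:
+- uses: actions/checkout@v2
+- name: configure
+run: ./configure --enable-debug
+- name: make
+run: make
+- name: make test
+run: make test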
@ -2,7 +2,10 @@
|
||||
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
|
||||
# BSD licensed.
|
||||
#
|
||||
# Version 38
|
||||
# Version 40
|
||||
# 2021-06-14 fix nonblocking test to use host instead of target for mingw test.
|
||||
# 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for
|
||||
# 64bit compatibility.
|
||||
# 2021-03-24 fix ACX_FUNC_DEPRECATED to use CPPFLAGS and CFLAGS.
|
||||
# 2021-01-05 fix defun for aclocal
|
||||
# 2021-01-05 autoconf 2.70 autoupdate and fixes, no AC_TRY_COMPILE
|
||||
@ -915,7 +918,7 @@ dnl a nonblocking socket do not work, a new call to select is necessary.
|
||||
AC_DEFUN([ACX_CHECK_NONBLOCKING_BROKEN],
|
||||
[
|
||||
AC_MSG_CHECKING([if nonblocking sockets work])
|
||||
if echo $target | grep mingw32 >/dev/null; then
|
||||
if echo $host | grep mingw >/dev/null; then
|
||||
AC_MSG_RESULT([no (windows)])
|
||||
AC_DEFINE([NONBLOCKING_IS_BROKEN], 1, [Define if the network stack does not fully support nonblocking io (causes lower performance).])
|
||||
else
|
||||
|
@ -38,5 +38,5 @@ char *ctime_r(const time_t *timep, char *buf)
|
||||
strcpy(buf, result);
|
||||
}
|
||||
lock_basic_unlock(&ctime_lock);
|
||||
return result;
|
||||
return buf;
|
||||
}
|
||||
|
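Review bot: `return buf;` is now unconditional, so if the ctime() call above the hunk fails and `result` is NULL the function hands back a pointer to a buffer it never filled, whereas the POSIX ctime_r contract is to return NULL on failure; this reading assumes the `}` visible in the hunk closes an `if (result)` guard around the strcpy, which starts outside the hunk, so please confirm. Keeping the error signal while still returning the caller's buffer on success is a one-line change: `return result ? buf : NULL;`. The body of ctime_r begins outside the hunk.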
@ -28,6 +28,9 @@
|
||||
/* Whether daemon is deprecated */
|
||||
#undef DEPRECATED_DAEMON
|
||||
|
||||
/* Deprecate RSA 1024 bit length, makes that an unsupported key */
|
||||
#undef DEPRECATE_RSA_1024
|
||||
|
||||
/* Define this to enable kernel based UDP source port randomization. */
|
||||
#undef DISABLE_EXPLICIT_PORT_RANDOMISATION
|
||||
|
||||
@ -516,6 +519,9 @@
|
||||
/* Define if you have the SSL libraries installed. */
|
||||
#undef HAVE_SSL
|
||||
|
||||
/* Define to 1 if you have the `SSL_CTX_set_alpn_protos' function. */
|
||||
#undef HAVE_SSL_CTX_SET_ALPN_PROTOS
|
||||
|
||||
/* Define to 1 if you have the `SSL_CTX_set_alpn_select_cb' function. */
|
||||
#undef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
|
||||
|
||||
@ -529,6 +535,9 @@
|
||||
function. */
|
||||
#undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
|
||||
|
||||
/* Define to 1 if you have the `SSL_get0_alpn_selected' function. */
|
||||
#undef HAVE_SSL_GET0_ALPN_SELECTED
|
||||
|
||||
/* Define to 1 if you have the `SSL_get0_peername' function. */
|
||||
#undef HAVE_SSL_GET0_PEERNAME
|
||||
|
||||
|
47
configure
vendored
@ -877,6 +877,7 @@ enable_subnet
|
||||
enable_gost
|
||||
enable_ecdsa
|
||||
enable_dsa
|
||||
with_deprecate_rsa_1024
|
||||
enable_ed25519
|
||||
enable_ed448
|
||||
enable_event_api
|
||||
@ -1639,6 +1640,10 @@ Optional Packages:
|
||||
/usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
|
||||
/usr)
|
||||
--with-libbsd Use portable libbsd functions
|
||||
--with-deprecate-rsa-1024
|
||||
Deprecate RSA 1024 bit length, makes that an
|
||||
unsupported key, for use when OpenSSL FIPS refuses
|
||||
1024 bit verification
|
||||
--with-libevent=pathname
|
||||
use libevent (will check /usr/local /opt/local
|
||||
/usr/lib /usr/pkg /usr/sfw /usr or you can specify
|
||||
@ -4199,9 +4204,9 @@ case "$exec_prefix" in
|
||||
esac
|
||||
|
||||
# are we on MinGW?
|
||||
if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
|
||||
if uname -s 2>&1 | grep MINGW >/dev/null; then on_mingw="yes"
|
||||
else
|
||||
if echo $host $target | grep mingw32 >/dev/null; then on_mingw="yes"
|
||||
if echo $host | grep mingw >/dev/null; then on_mingw="yes"
|
||||
else on_mingw="no"; fi
|
||||
fi
|
||||
|
||||
@ -14611,6 +14616,8 @@ CC=$lt_save_CC
|
||||
|
||||
|
||||
|
||||
# pkg-config is only needed for these options, do not require it otherwise
|
||||
if test "$enable_systemd" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
|
||||
|
||||
|
||||
|
||||
@ -14731,6 +14738,7 @@ $as_echo "no" >&6; }
|
||||
PKG_CONFIG=""
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# Checks for header files.
|
||||
for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h
|
||||
@ -15922,7 +15930,7 @@ fi
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if nonblocking sockets work" >&5
|
||||
$as_echo_n "checking if nonblocking sockets work... " >&6; }
|
||||
if echo $target | grep mingw32 >/dev/null; then
|
||||
if echo $host | grep mingw >/dev/null; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no (windows)" >&5
|
||||
$as_echo "no (windows)" >&6; }
|
||||
|
||||
@ -16190,7 +16198,10 @@ done
|
||||
|
||||
|
||||
# check if we can use SO_REUSEPORT
|
||||
if echo "$host" | $GREP -i -e linux -e dragonfly >/dev/null; then
|
||||
reuseport_default=0
|
||||
if echo "$host" | $GREP -i -e linux >/dev/null; then reuseport_default=1; fi
|
||||
if echo "$host" | $GREP -i -e dragonfly >/dev/null; then reuseport_default=1; fi
|
||||
if test "$reuseport_default" = 1; then
|
||||
|
||||
$as_echo "#define REUSEPORT_DEFAULT 1" >>confdefs.h
|
||||
|
||||
@ -18418,7 +18429,7 @@ done
|
||||
# these check_funcs need -lssl
|
||||
BAKLIBS="$LIBS"
|
||||
LIBS="-lssl $LIBS"
|
||||
for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb
|
||||
for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos
|
||||
do :
|
||||
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
||||
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
|
||||
@ -19035,6 +19046,18 @@ _ACEOF
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
# Check whether --with-deprecate-rsa-1024 was given.
|
||||
if test "${with_deprecate_rsa_1024+set}" = set; then :
|
||||
withval=$with_deprecate_rsa_1024;
|
||||
fi
|
||||
|
||||
if test "$with_deprecate_rsa_1024" = "yes"; then
|
||||
|
||||
$as_echo "#define DEPRECATE_RSA_1024 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
|
||||
# Check whether --enable-ed25519 was given.
|
||||
if test "${enable_ed25519+set}" = set; then :
|
||||
enableval=$enable_ed25519;
|
||||
@ -19161,8 +19184,8 @@ fi
|
||||
|
||||
case "$enable_tfo_client" in
|
||||
yes)
|
||||
case `uname` in
|
||||
Linux) ac_fn_c_check_decl "$LINENO" "MSG_FASTOPEN" "ac_cv_have_decl_MSG_FASTOPEN" "$ac_includes_default
|
||||
case "$host_os" in
|
||||
linux*) ac_fn_c_check_decl "$LINENO" "MSG_FASTOPEN" "ac_cv_have_decl_MSG_FASTOPEN" "$ac_includes_default
|
||||
#include <netinet/tcp.h>
|
||||
|
||||
"
|
||||
@ -19178,8 +19201,8 @@ cat >>confdefs.h <<_ACEOF
|
||||
#define USE_MSG_FASTOPEN 1
|
||||
_ACEOF
|
||||
|
||||
;;
|
||||
Darwin) ac_fn_c_check_decl "$LINENO" "CONNECT_RESUME_ON_READ_WRITE" "ac_cv_have_decl_CONNECT_RESUME_ON_READ_WRITE" "$ac_includes_default
|
||||
;;
|
||||
darwin*) ac_fn_c_check_decl "$LINENO" "CONNECT_RESUME_ON_READ_WRITE" "ac_cv_have_decl_CONNECT_RESUME_ON_READ_WRITE" "$ac_includes_default
|
||||
#include <sys/socket.h>
|
||||
|
||||
"
|
||||
@ -19195,9 +19218,9 @@ cat >>confdefs.h <<_ACEOF
|
||||
#define USE_OSX_MSG_FASTOPEN 1
|
||||
_ACEOF
|
||||
|
||||
;;
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
;;
|
||||
no|*)
|
||||
;;
|
||||
esac
|
||||
@ -20412,7 +20435,7 @@ done
|
||||
|
||||
|
||||
# check if setreuid en setregid fail, on MacOSX10.4(darwin8).
|
||||
if echo $target_os | grep darwin8 > /dev/null; then
|
||||
if echo $host_os | grep darwin8 > /dev/null; then
|
||||
|
||||
$as_echo "#define DARWIN_BROKEN_SETREUID 1" >>confdefs.h
|
||||
|
||||
|
45
configure.ac
@ -147,9 +147,9 @@ case "$exec_prefix" in
|
||||
esac
|
||||
|
||||
# are we on MinGW?
|
||||
if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
|
||||
if uname -s 2>&1 | grep MINGW >/dev/null; then on_mingw="yes"
|
||||
else
|
||||
if echo $host $target | grep mingw32 >/dev/null; then on_mingw="yes"
|
||||
if echo $host | grep mingw >/dev/null; then on_mingw="yes"
|
||||
else on_mingw="no"; fi
|
||||
fi
|
||||
|
||||
@ -385,7 +385,10 @@ AC_CHECK_PROG(doxygen, doxygen, doxygen)
|
||||
AC_CHECK_TOOL(STRIP, strip)
|
||||
ACX_LIBTOOL_C_ONLY
|
||||
|
||||
# pkg-config is only needed for these options, do not require it otherwise
|
||||
if test "$enable_systemd" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
|
||||
PKG_PROG_PKG_CONFIG
|
||||
fi
|
||||
|
||||
# Checks for header files.
|
||||
AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h],,, [AC_INCLUDES_DEFAULT])
|
||||
@ -490,7 +493,10 @@ ACX_MKDIR_ONE_ARG
|
||||
AC_CHECK_FUNCS([strptime],[AC_CHECK_STRPTIME_WORKS],[AC_LIBOBJ([strptime])])
|
||||
|
||||
# check if we can use SO_REUSEPORT
|
||||
if echo "$host" | $GREP -i -e linux -e dragonfly >/dev/null; then
|
||||
reuseport_default=0
|
||||
if echo "$host" | $GREP -i -e linux >/dev/null; then reuseport_default=1; fi
|
||||
if echo "$host" | $GREP -i -e dragonfly >/dev/null; then reuseport_default=1; fi
|
||||
if test "$reuseport_default" = 1; then
|
||||
AC_DEFINE(REUSEPORT_DEFAULT, 1, [if REUSEPORT is enabled by default])
|
||||
else
|
||||
AC_DEFINE(REUSEPORT_DEFAULT, 0, [if REUSEPORT is enabled by default])
|
||||
@ -859,7 +865,7 @@ AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_C
|
||||
# these check_funcs need -lssl
|
||||
BAKLIBS="$LIBS"
|
||||
LIBS="-lssl $LIBS"
|
||||
AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb])
|
||||
AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos])
|
||||
LIBS="$BAKLIBS"
|
||||
|
||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
|
||||
@ -1155,6 +1161,11 @@ AC_INCLUDES_DEFAULT
|
||||
;;
|
||||
esac
|
||||
|
||||
AC_ARG_WITH(deprecate-rsa-1024, AS_HELP_STRING([--with-deprecate-rsa-1024],[Deprecate RSA 1024 bit length, makes that an unsupported key, for use when OpenSSL FIPS refuses 1024 bit verification]))
|
||||
if test "$with_deprecate_rsa_1024" = "yes"; then
|
||||
AC_DEFINE([DEPRECATE_RSA_1024], [1], [Deprecate RSA 1024 bit length, makes that an unsupported key])
|
||||
fi
|
||||
|
||||
AC_ARG_ENABLE(ed25519, AS_HELP_STRING([--disable-ed25519],[Disable ED25519 support]))
|
||||
use_ed25519="no"
|
||||
case "$enable_ed25519" in
|
||||
@ -1211,23 +1222,23 @@ esac
|
||||
AC_ARG_ENABLE(tfo-client, AS_HELP_STRING([--enable-tfo-client],[Enable TCP Fast Open for client mode]))
|
||||
case "$enable_tfo_client" in
|
||||
yes)
|
||||
case `uname` in
|
||||
Linux) AC_CHECK_DECL([MSG_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
|
||||
[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
|
||||
[AC_INCLUDES_DEFAULT
|
||||
case "$host_os" in
|
||||
linux*) AC_CHECK_DECL([MSG_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
|
||||
[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
|
||||
[AC_INCLUDES_DEFAULT
|
||||
#include <netinet/tcp.h>
|
||||
])
|
||||
AC_DEFINE_UNQUOTED([USE_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
|
||||
;;
|
||||
Darwin) AC_CHECK_DECL([CONNECT_RESUME_ON_READ_WRITE], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
|
||||
[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
|
||||
[AC_INCLUDES_DEFAULT
|
||||
AC_DEFINE_UNQUOTED([USE_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
|
||||
;;
|
||||
darwin*) AC_CHECK_DECL([CONNECT_RESUME_ON_READ_WRITE], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
|
||||
[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
|
||||
[AC_INCLUDES_DEFAULT
|
||||
#include <sys/socket.h>
|
||||
])
|
||||
AC_DEFINE_UNQUOTED([USE_OSX_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
|
||||
;;
|
||||
AC_DEFINE_UNQUOTED([USE_OSX_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
;;
|
||||
no|*)
|
||||
;;
|
||||
esac
|
||||
@ -1588,7 +1599,7 @@ AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
|
||||
AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
|
||||
|
||||
# check if setreuid en setregid fail, on MacOSX10.4(darwin8).
|
||||
if echo $target_os | grep darwin8 > /dev/null; then
|
||||
if echo $host_os | grep darwin8 > /dev/null; then
|
||||
AC_DEFINE(DARWIN_BROKEN_SETREUID, 1, [Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work])
|
||||
fi
|
||||
AC_CHECK_DECLS([inet_pton,inet_ntop], [], [], [
|
||||
|
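Review bot: In the rewritten `case "$host_os"` under `enable_tfo_client`, a host that matches neither `linux*` nor `darwin*` falls out of the case silently, so `--enable-tfo-client` is accepted but neither USE_MSG_FASTOPEN nor USE_OSX_MSG_FASTOPEN gets defined and nothing tells the user the option had no effect; the old `uname` form had the same gap, but this hunk is the place to close it. A default arm makes the outcome explicit: `*) AC_MSG_ERROR([TCP Fast Open is not available for client mode on $host_os: please rerun without --enable-tfo-client]) ;;` (or AC_MSG_WARN if a silent no-op is intended). Separately, the MinGW detection `if echo $host | grep mingw >/dev/null` leaves `$host` unquoted while the SO_REUSEPORT check a few hunks later uses `echo "$host"`; `echo "$host"` keeps the two consistent, and the same unquoted form appears in the acx_nlnetlabs.m4 nonblocking check and in the generated configure.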
@ -1,15 +1,14 @@
|
||||
Summary: Validating, recursive, and caching DNS resolver
|
||||
Name: unbound
|
||||
Version: 1.4.18
|
||||
Version: 1.13.1
|
||||
Release: 1%{?dist}
|
||||
License: BSD
|
||||
Url: http://www.nlnetlabs.nl/unbound/
|
||||
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
|
||||
Source: http://www.nlnetlabs.nl/downloads/unbound/%{name}-%{version}.tar.gz
|
||||
#Source1: unbound.init
|
||||
Group: System Environment/Daemons
|
||||
Requires: ldns
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildRequires: flex, openssl-devel, expat-devel, ldns-devel
|
||||
BuildRequires: flex, openssl-devel, expat-devel
|
||||
|
||||
%description
|
||||
Unbound is a validating, recursive, and caching DNS resolver.
|
||||
@ -42,7 +41,7 @@ install -d 0700 %{buildroot}%{_localstatedir}/%{name}
|
||||
install -d 0755 %{buildroot}%{_initrddir}
|
||||
install -m 0755 contrib/unbound.init %{buildroot}%{_initrddir}/unbound
|
||||
# add symbolic link from /etc/unbound.conf -> /var/unbound/unbound.conf
|
||||
ln -s %{_localstatedir}/unbound/unbound.conf %{buildroot}%{_sysconfdir}/unbound.conf
|
||||
ln -s ../%{_localstatedir}/unbound/unbound.conf %{buildroot}%{_sysconfdir}/unbound.conf
|
||||
# remove static library from install (fedora packaging guidelines)
|
||||
rm -f %{buildroot}%{_libdir}/libunbound.a %{buildroot}%{_libdir}/libunbound.la
|
||||
|
||||
@ -55,11 +54,12 @@ rm -rf ${RPM_BUILD_ROOT}
|
||||
%attr(0755,root,root) %{_initrddir}/%{name}
|
||||
%attr(0700,%{name},%{name}) %dir %{_localstatedir}/%{name}
|
||||
%attr(0644,%{name},%{name}) %config(noreplace) %{_localstatedir}/%{name}/unbound.conf
|
||||
%attr(0644,%{name},%{name}) %config(noreplace) %{_sysconfdir}/unbound.conf
|
||||
%config(noreplace) %{_sysconfdir}/unbound.conf
|
||||
%{_sbindir}/*
|
||||
%{_mandir}/*/*
|
||||
%{_includedir}/*
|
||||
%{_libdir}/libunbound*
|
||||
%{_libdir}/pkgconfig/libunbound*
|
||||
|
||||
%pre
|
||||
getent group unbound >/dev/null || groupadd -r unbound
|
||||
@ -89,7 +89,13 @@ if [ "$1" -ge "1" ]; then
|
||||
fi
|
||||
|
||||
%changelog
|
||||
* Thu Jul 13 2011 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.4.8
|
||||
* Thu Jun 10 2021 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.13.1
|
||||
- ldns and ldns-devel no longer required. Fixed date. Version to 1.13.1.
|
||||
- Removed symlink attr mode, made unbound.conf symlink relative.
|
||||
- Added pkgconfig/libunbound.pc to the packaged files.
|
||||
- fixed download url to nlnetlabs.nl download.
|
||||
|
||||
* Wed Jul 13 2011 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.4.8
|
||||
- ldns required and ldns-devel required for build, no more ldns-builtin.
|
||||
|
||||
* Thu Mar 17 2011 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.4.8
|
||||
|
@ -14,7 +14,6 @@
|
||||
# Run the command unbound-control-setup to generate the key files.
|
||||
#
|
||||
# Environment variables for this script
|
||||
# statefile - where to put temporary statefile.
|
||||
# unbound_conf - where the unbound.conf file is located.
|
||||
# unbound_control - where to find unbound-control executable.
|
||||
# spoof_warn - what level to warn about spoofing
|
||||
@ -24,7 +23,6 @@
|
||||
# with:
|
||||
# [unbound*]
|
||||
# user root
|
||||
# env.statefile /usr/local/var/munin/plugin-state/unbound-state
|
||||
# env.unbound_conf /usr/local/etc/unbound/unbound.conf
|
||||
# env.unbound_control /usr/local/sbin/unbound-control
|
||||
# env.spoof_warn 1000
|
||||
@ -66,7 +64,6 @@ System with unbound daemon.
|
||||
|
||||
[unbound*]
|
||||
user root
|
||||
env.statefile /usr/local/var/munin/plugin-state/unbound-state
|
||||
env.unbound_conf /usr/local/etc/unbound/unbound.conf
|
||||
env.unbound_control /usr/local/sbin/unbound-control
|
||||
env.spoof_warn 1000
|
||||
@ -98,7 +95,8 @@ BSD
|
||||
|
||||
=cut
|
||||
|
||||
state=${statefile:-/usr/local/var/munin/plugin-state/unbound-state}
|
||||
state="${MUNIN_PLUGSTATE}/unbound.state"
|
||||
seentags="${MUNIN_PLUGSTATE}/unbound-seentags.state"
|
||||
conf=${unbound_conf:-/usr/local/etc/unbound/unbound.conf}
|
||||
ctrl=${unbound_control:-/usr/local/sbin/unbound-control}
|
||||
warn=${spoof_warn:-1000}
|
||||
@ -121,12 +119,24 @@ get_value ( ) {
|
||||
fi
|
||||
}
|
||||
|
||||
# Update list of seen query types etc to seentags file. This is run while
|
||||
# holding the lock, after the state file is updated.
|
||||
update_seentags() {
|
||||
tmplist="$(cat ${seentags} 2> /dev/null)
|
||||
num.query.type.A
|
||||
num.query.class.IN
|
||||
num.query.opcode.QUERY
|
||||
num.answer.rcode.NOERROR
|
||||
"
|
||||
(echo "${tmplist}"; grep ^num ${state} | sed -e 's/=.*//') | sort -u > ${seentags}
|
||||
}
|
||||
|
||||
# download the state from the unbound server.
|
||||
get_state ( ) {
|
||||
# obtain lock for fetching the state
|
||||
# because there is a race condition in fetching and writing to file
|
||||
|
||||
# see if the lock is stale, if so, take it
|
||||
# see if the lock is stale, if so, take it
|
||||
if test -f $lock ; then
|
||||
pid="`cat $lock 2>&1`"
|
||||
kill -0 "$pid" >/dev/null 2>&1
|
||||
@ -168,6 +178,7 @@ get_state ( ) {
|
||||
rm -f $lock
|
||||
exit 1
|
||||
fi
|
||||
update_seentags
|
||||
rm -f $lock
|
||||
}
|
||||
|
||||
@ -232,7 +243,7 @@ if test "$1" = "config" ; then
|
||||
echo "graph_args --base 1000 -l 0"
|
||||
echo "graph_vlabel queries / \${graph_period}"
|
||||
echo "graph_scale no"
|
||||
echo "graph_category DNS"
|
||||
echo "graph_category dns"
|
||||
for x in `grep "^thread[0-9][0-9]*\.num\.queries=" $state |
|
||||
sed -e 's/=.*//'`; do
|
||||
exist_config $x "queries handled by `basename $x .num.queries`"
|
||||
@ -256,7 +267,7 @@ if test "$1" = "config" ; then
|
||||
echo "graph_args --base 1000 -l 0"
|
||||
echo "graph_vlabel number of queries"
|
||||
echo "graph_scale no"
|
||||
echo "graph_category DNS"
|
||||
echo "graph_category dns"
|
||||
p_config "total.requestlist.avg" "Average size of queue on insert" "GAUGE"
|
||||
p_config "total.requestlist.max" "Max size of queue (in 5 min)" "GAUGE"
|
||||
p_config "total.requestlist.overwritten" "Number of queries replaced by new ones" "GAUGE"
|
||||
@ -267,7 +278,7 @@ if test "$1" = "config" ; then
|
||||
echo "graph_title Unbound memory usage"
|
||||
echo "graph_args --base 1024 -l 0"
|
||||
echo "graph_vlabel memory used in bytes"
|
||||
echo "graph_category DNS"
|
||||
echo "graph_category dns"
|
||||
p_config "mem.cache.rrset" "RRset cache memory" "GAUGE"
|
||||
p_config "mem.cache.message" "Message cache memory" "GAUGE"
|
||||
p_config "mem.mod.iterator" "Iterator module memory" "GAUGE"
|
||||
@ -283,9 +294,8 @@ if test "$1" = "config" ; then
|
||||
echo "graph_args --base 1000 -l 0"
|
||||
echo "graph_vlabel queries / \${graph_period}"
|
||||
echo "graph_scale no"
|
||||
echo "graph_category DNS"
|
||||
for x in `grep "^num.query.type" $state`; do
|
||||
nm=`echo $x | sed -e 's/=.*$//'`
|
||||
echo "graph_category dns"
|
||||
for nm in `grep "^num.query.type" $seentags`; do
|
||||
tp=`echo $nm | sed -e s/num.query.type.//`
|
||||
p_config "$nm" "$tp" "ABSOLUTE"
|
||||
done
|
||||
@ -296,9 +306,8 @@ if test "$1" = "config" ; then
|
||||
echo "graph_args --base 1000 -l 0"
|
||||
echo "graph_vlabel queries / \${graph_period}"
|
||||
echo "graph_scale no"
|
||||
echo "graph_category DNS"
|
||||
for x in `grep "^num.query.class" $state`; do
|
||||
nm=`echo $x | sed -e 's/=.*$//'`
|
||||
echo "graph_category dns"
|
||||
for nm in `grep "^num.query.class" $seentags`; do
|
||||
tp=`echo $nm | sed -e s/num.query.class.//`
|
||||
p_config "$nm" "$tp" "ABSOLUTE"
|
||||
done
|
||||
@ -309,9 +318,8 @@ if test "$1" = "config" ; then
|
||||
echo "graph_args --base 1000 -l 0"
|
||||
echo "graph_vlabel queries / \${graph_period}"
|
||||
echo "graph_scale no"
|
||||
echo "graph_category DNS"
|
||||
for x in `grep "^num.query.opcode" $state`; do
|
||||
nm=`echo $x | sed -e 's/=.*$//'`
|
||||
echo "graph_category dns"
|
||||
for nm in `grep "^num.query.opcode" $seentags`; do
|
||||
tp=`echo $nm | sed -e s/num.query.opcode.//`
|
||||
p_config "$nm" "$tp" "ABSOLUTE"
|
||||
done
|
||||
@ -322,9 +330,8 @@ if test "$1" = "config" ; then
|
||||
echo "graph_args --base 1000 -l 0"
|
||||
echo "graph_vlabel answer packets / \${graph_period}"
|
||||
echo "graph_scale no"
|
||||
echo "graph_category DNS"
|
||||
for x in `grep "^num.answer.rcode" $state`; do
|
||||
nm=`echo $x | sed -e 's/=.*$//'`
|
||||
echo "graph_category dns"
|
||||
for nm in `grep "^num.answer.rcode" $seentags`; do
|
||||
tp=`echo $nm | sed -e s/num.answer.rcode.//`
|
||||
p_config "$nm" "$tp" "ABSOLUTE"
|
||||
done
|
||||
@ -338,7 +345,7 @@ if test "$1" = "config" ; then
|
||||
echo "graph_args --base 1000 -l 0"
|
||||
echo "graph_vlabel queries / \${graph_period}"
|
||||
echo "graph_scale no"
|
||||
echo "graph_category DNS"
|
||||
echo "graph_category dns"
|
||||
p_config "num.query.flags.QR" "QR (query reply) flag" "ABSOLUTE"
|
||||
p_config "num.query.flags.AA" "AA (auth answer) flag" "ABSOLUTE"
|
||||
p_config "num.query.flags.TC" "TC (truncated) flag" "ABSOLUTE"
|
||||
@ -356,7 +363,7 @@ if test "$1" = "config" ; then
|
||||
echo "graph_args --base 1000 -l 0"
|
||||
echo "graph_vlabel queries / \${graph_period}"
|
||||
echo "graph_scale no"
|
||||
echo "graph_category DNS"
|
||||
echo "graph_category dns"
|
||||
echo hcache.label "cache hits"
|
||||
echo hcache.min 0
|
||||
echo hcache.type ABSOLUTE
|
||||
@ -467,27 +474,23 @@ memory)
|
||||
done
|
||||
;;
|
||||
by_type)
|
||||
for x in `grep "^num.query.type" $state`; do
|
||||
nm=`echo $x | sed -e 's/=.*$//'`
|
||||
print_value_line $nm $x
|
||||
for nm in `grep "^num.query.type" $seentags`; do
|
||||
print_value $nm
|
||||
done
|
||||
;;
|
||||
by_class)
|
||||
for x in `grep "^num.query.class" $state`; do
|
||||
nm=`echo $x | sed -e 's/=.*$//'`
|
||||
print_value_line $nm $x
|
||||
for nm in `grep "^num.query.class" $seentags`; do
|
||||
print_value $nm
|
||||
done
|
||||
;;
|
||||
by_opcode)
|
||||
for x in `grep "^num.query.opcode" $state`; do
|
||||
nm=`echo $x | sed -e 's/=.*$//'`
|
||||
print_value_line $nm $x
|
||||
for nm in `grep "^num.query.opcode" $seentags`; do
|
||||
print_value $nm
|
||||
done
|
||||
;;
|
||||
by_rcode)
|
||||
for x in `grep "^num.answer.rcode" $state`; do
|
||||
nm=`echo $x | sed -e 's/=.*$//'`
|
||||
print_value_line $nm $x
|
||||
for nm in `grep "^num.answer.rcode" $seentags`; do
|
||||
print_value $nm
|
||||
done
|
||||
print_value "num.answer.secure"
|
||||
print_value "num.answer.bogus"
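Review bot: `state="${MUNIN_PLUGSTATE}/unbound.state"` and the new `seentags` path carry no fallback, so when MUNIN_PLUGSTATE is unset (plugin run by hand, or an older munin-node that does not export it) both expand to a path directly under `/` and the state and seentags files are written at the filesystem root or fail silently, whereas the removed `${statefile:-...}` default covered that case. A guard such as `: "${MUNIN_PLUGSTATE:?MUNIN_PLUGSTATE must be set}"` placed before these assignments, or a default directory as before, makes the failure explicit. In `update_seentags` the `cat ${seentags}` read and the `> ${seentags}` redirection should quote the variable for the same reason. The lock variable used in get_state is defined outside the visible hunks.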
|
||||
|
@ -130,7 +130,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
size_t leftover;
|
||||
if(d == 0) {
|
||||
if(d <= 0) {
|
||||
avg->tv_sec = 0;
|
||||
avg->tv_usec = 0;
|
||||
return;
|
||||
@ -139,7 +139,13 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
|
||||
avg->tv_usec = sum->tv_usec / d;
|
||||
/* handle fraction from seconds divide */
|
||||
leftover = sum->tv_sec - avg->tv_sec*d;
|
||||
avg->tv_usec += (leftover*1000000)/d;
|
||||
if(leftover <= 0)
|
||||
leftover = 0;
|
||||
avg->tv_usec += (((long long)leftover)*((long long)1000000))/d;
|
||||
if(avg->tv_sec < 0)
|
||||
avg->tv_sec = 0;
|
||||
if(avg->tv_usec < 0)
|
||||
avg->tv_usec = 0;
|
||||
#endif
|
||||
}
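Review bot: The new guard `if(leftover <= 0) leftover = 0;` is dead code, because `leftover` is declared `size_t` (context line in the first hunk) and an unsigned value is never below zero; a negative `sum->tv_sec - avg->tv_sec*d` wraps to a large value instead of being clamped, and the result is only rescued by the final `avg->tv_usec < 0` clamp on targets where the `(long long)` cast happens to recover the sign. Declaring it signed gives the guard meaning: `long long leftover;` at the declaration and `leftover = (long long)sum->tv_sec - (long long)avg->tv_sec*d;`. As written, `-Wtype-limits` will also warn that the comparison is always false. The lines between the two hunks are not visible here.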
|
||||
|
||||
|
@ -212,12 +212,14 @@ checkrlimits(struct config_file* cfg)
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef RLIMIT_AS
|
||||
if(getrlimit(RLIMIT_AS, &rlim) == 0) {
|
||||
if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY &&
|
||||
rlim.rlim_cur < (rlim_t)memsize_expect) {
|
||||
log_warn("the ulimit(max memory size) is smaller than the expected memory usage (added size of caches). %u < %u bytes", (unsigned)rlim.rlim_cur, (unsigned)memsize_expect);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
if(getrlimit(RLIMIT_DATA, &rlim) == 0) {
|
||||
if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY &&
|
||||
rlim.rlim_cur < memsize_expect) {
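Review bot: Inside the newly guarded `#ifdef RLIMIT_AS` block the warning casts both values to `unsigned` for `%u < %u`, so on 64-bit systems a limit or expected cache size above 4 GiB is printed wrapped even though the comparison just above it used the full `rlim_t` width; `(unsigned long long)rlim.rlim_cur` with `%llu` (and the same for `memsize_expect`) keeps the message truthful. If the RLIMIT_DATA branch that the hunk cuts off uses the same format, fix both together. checkrlimits starts before the hunk.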
|
||||
|
@ -1794,7 +1794,9 @@ worker_init(struct worker* worker, struct config_file *cfg,
|
||||
&worker_alloc_cleanup, worker,
|
||||
cfg->do_udp || cfg->udp_upstream_without_downstream,
|
||||
worker->daemon->connect_sslctx, cfg->delay_close,
|
||||
cfg->tls_use_sni, dtenv, cfg->udp_connect);
|
||||
cfg->tls_use_sni, dtenv, cfg->udp_connect,
|
||||
cfg->max_reuse_tcp_queries, cfg->tcp_reuse_timeout,
|
||||
cfg->tcp_auth_query_timeout);
|
||||
if(!worker->back) {
|
||||
log_err("could not create outgoing sockets");
|
||||
worker_delete(worker);
|
||||
@ -1848,6 +1850,11 @@ worker_init(struct worker* worker, struct config_file *cfg,
|
||||
return 0;
|
||||
}
|
||||
worker->env.mesh = mesh_create(&worker->daemon->mods, &worker->env);
|
||||
if(!worker->env.mesh) {
|
||||
log_err("malloc failure");
|
||||
worker_delete(worker);
|
||||
return 0;
|
||||
}
|
||||
/* Pass on daemon variables that we would need in the mesh area */
|
||||
worker->env.mesh->use_response_ip = worker->daemon->use_response_ip;
|
||||
worker->env.mesh->use_rpz = worker->daemon->use_rpz;
|
||||
@ -1858,6 +1865,11 @@ worker_init(struct worker* worker, struct config_file *cfg,
|
||||
worker->env.kill_sub = &mesh_state_delete;
|
||||
worker->env.detect_cycle = &mesh_detect_cycle;
|
||||
worker->env.scratch_buffer = sldns_buffer_new(cfg->msg_buffer_size);
|
||||
if(!worker->env.scratch_buffer) {
|
||||
log_err("malloc failure");
|
||||
worker_delete(worker);
|
||||
return 0;
|
||||
}
|
||||
if(!(worker->env.fwds = forwards_create()) ||
|
||||
!forwards_apply_cfg(worker->env.fwds, cfg)) {
|
||||
log_err("Could not set forward zones");
|
||||
@ -1912,10 +1924,6 @@ worker_init(struct worker* worker, struct config_file *cfg,
|
||||
}
|
||||
}
|
||||
#endif /* USE_DNSTAP */
|
||||
if(!worker->env.mesh || !worker->env.scratch_buffer) {
|
||||
worker_delete(worker);
|
||||
return 0;
|
||||
}
|
||||
worker_mem_report(worker, NULL);
|
||||
/* if statistics enabled start timer */
|
||||
if(worker->env.cfg->stat_interval > 0) {
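Review bot: The two new failure branches (mesh_create in the second hunk, sldns_buffer_new in the third) log the identical string `"malloc failure"`, so an operator reading the log cannot tell which allocation failed; `log_err("malloc failure: mesh_create");` and `log_err("malloc failure: scratch buffer");` cost nothing and match the specific messages already used in this function ("could not create outgoing sockets", "Could not set forward zones"). The early returns rely on worker_delete tolerating a partially initialised worker, as the removed late check already did, so I take that to be unchanged. worker_init starts and ends outside these hunks.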
|
||||
|
@ -507,19 +507,19 @@ dt_msg_send_outside_query(struct dt_env *env,
|
||||
|
||||
void
|
||||
dt_msg_send_outside_response(struct dt_env *env,
|
||||
struct sockaddr_storage *rsock,
|
||||
struct sockaddr_storage *qsock,
|
||||
enum comm_point_type cptype,
|
||||
uint8_t *zone, size_t zone_len,
|
||||
uint8_t *qbuf, size_t qbuf_len,
|
||||
const struct timeval *qtime,
|
||||
const struct timeval *rtime,
|
||||
sldns_buffer *rmsg)
|
||||
struct sockaddr_storage *rsock,
|
||||
struct sockaddr_storage *qsock,
|
||||
enum comm_point_type cptype,
|
||||
uint8_t *zone, size_t zone_len,
|
||||
uint8_t *qbuf, size_t qbuf_len,
|
||||
const struct timeval *qtime,
|
||||
const struct timeval *rtime,
|
||||
sldns_buffer *rmsg)
|
||||
{
|
||||
struct dt_msg dm;
|
||||
uint16_t qflags;
|
||||
|
||||
log_assert(qbuf_len >= sizeof(qflags));
|
||||
(void)qbuf_len; log_assert(qbuf_len >= sizeof(qflags));
|
||||
memcpy(&qflags, qbuf, sizeof(qflags));
|
||||
qflags = ntohs(qflags);
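Review bot: `(void)qbuf_len; log_assert(qbuf_len >= sizeof(qflags));` on one line silences the unused-parameter warning, but if log_assert compiles to nothing outside debug builds (its definition is not visible here) the length check disappears with it and the following `memcpy(&qflags, qbuf, sizeof(qflags))` reads two bytes from a buffer whose length is never validated. A runtime guard `if(qbuf_len < sizeof(qflags)) return;` before the memcpy keeps behaviour identical for valid input and makes the `(void)` cast unnecessary; alternatively document at the declaration that callers guarantee at least a full DNS header in qbuf. Either way, keep the two statements on separate lines. The function body continues past the hunk.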
|
||||
|
||||
|
@ -1012,6 +1012,7 @@ void dtio_tap_callback(int fd, short ATTR_UNUSED(bits), void* arg)
|
||||
if(verbosity) log_info("bidirectional stream");
|
||||
if(!reply_with_accept(data)) {
|
||||
tap_data_free(data);
|
||||
return;
|
||||
}
|
||||
} else if(data->len >= 4 && sldns_read_uint32(data->frame) ==
|
||||
FSTRM_CONTROL_FRAME_STOP && data->is_bidirectional) {
|
||||
@ -1166,8 +1167,12 @@ int sig_quit = 0;
|
||||
/** signal handler for user quit */
|
||||
static RETSIGTYPE main_sigh(int sig)
|
||||
{
|
||||
if(!sig_quit)
|
||||
fprintf(stderr, "exit on signal %d\n", sig);
|
||||
if(!sig_quit) {
|
||||
char str[] = "exit on signal \n";
|
||||
str[15] = '0' + (sig/10)%10;
|
||||
str[16] = '0' + sig%10;
|
||||
write(STDERR_FILENO, str, strlen(str));
|
||||
}
|
||||
if(sig_base) {
|
||||
ub_event_base_loopexit(sig_base);
|
||||
sig_base = NULL;
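Review bot: As rendered here the literal is `"exit on signal \n"` with a single space, which puts the text at indices 0–14, `\n` at 15 and the terminator at 16, so `str[15]` and `str[16]` overwrite the newline and the NUL and `strlen(str)` then reads past the end of the array; if the upstream file actually has three spaces before `\n` this is a whitespace-collapsing artefact of the page, but it is worth checking against the source. Independently, `write(STDERR_FILENO, str, sizeof(str) - 1)` avoids calling strlen inside a signal handler, and the discarded return value of write should be handled, e.g. `if(write(STDERR_FILENO, str, sizeof(str) - 1) < 0) { /* nothing to do in a handler */ }`, to satisfy warn_unused_result. Replacing fprintf with write is the right move for async-signal-safety.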
|
||||
|
129
doc/Changelog
129
doc/Changelog
@ -1,3 +1,132 @@
|
||||
2 July 2021: Wouter
|
||||
- Fix #506: Python Module Seems to Leak Memory if it Experiences an
|
||||
Unhandled Exception.
|
||||
|
||||
25 June 2021: Wouter
|
||||
- Fix up permissions on rpl data file in tests.
|
||||
- Fix testbound newline treatment in moment_read and tempfile write.
|
||||
- Fix configure grep for reuseport default for failure.
|
||||
- Fix compat ctime_r return value
|
||||
- Fix configure does not require pkg-config if not needed.
|
||||
- Fix unit test in the ctime_r calls for autotrust and in testbound.
|
||||
- Fix auth zone download on windows to unlink before rename.
|
||||
|
||||
24 June 2021: Wouter
|
||||
- Add analyzer and port compile github workflow.
|
||||
|
||||
23 June 2021: Wouter
|
||||
- Fix #503: DNS over HTTPS response truncated.
|
||||
- Fix warnings reported by the gcc analyzer.
|
||||
|
||||
21 June 2021: George
|
||||
- Fix #495: Documentation or implementation of "verbosity" option.
|
||||
|
||||
18 June 2021: Wouter
|
||||
- Fix a number of warnings reported by the gcc analyzer.
|
||||
|
||||
15 June 2021: George
|
||||
- Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file.
|
||||
|
||||
14 June 2021: Wouter
|
||||
- Fix configure nonblocking test and onmingw test to use host.
|
||||
|
||||
10 June 2021: Wouter
|
||||
- Fix #500: SPEC file in version 1.13.1 references version 1.4;
|
||||
unable to build RPM from source.
|
||||
- Fix contrib/unbound.spec, fixed url and comment.
|
||||
|
||||
9 June 2021: George
|
||||
- Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
|
||||
- Generated lexer and parser for #486; updated example.conf.
|
||||
- Fix #413 (based on patch by k-ronny): unbound: does not compile
|
||||
on macOS 11.1-x86_64 host.
|
||||
- Use host_os instead of target_os in configure for Darwin8 build.
|
||||
|
||||
8 June 2021: George
|
||||
- Fix unused variable warning when compiling with --enable-dnstap.
|
||||
|
||||
7 June 2021: George
|
||||
- Merge #448 from shoeper: Update unbound-control.8.in, fix
|
||||
rpz_disable typo.
|
||||
- Fix #425: Document auth-zone supports communication with DNS
|
||||
primary on nondefault port.
|
||||
|
||||
1 June 2021: George
|
||||
- Fix test for zonemd-check option.
|
||||
|
||||
27 May 2021: Wouter
|
||||
- Merge #496 from banburybill: Use build system endianness if
|
||||
available, otherwise try to work it out.
|
||||
- zonemd-check: yesno option, default no, enables the processing
|
||||
of ZONEMD records for that zone.
|
||||
|
||||
25 May 2021: Wouter
|
||||
- Move the NSEC3 max iterations count in line with the 150 value
|
||||
used by BIND, Knot and PowerDNS. This sets the default value
|
||||
for it in the configuration to 150 for all key sizes.
|
||||
- Fix #492: module-config respip missing in unbound.conf.5.in man
|
||||
page. Merges #494 from he32.
|
||||
- For #492: Fix font highlighting for the man page on emacs.
|
||||
|
||||
21 May 2021: Wouter
|
||||
- Test code has -q option for quiet output.
|
||||
|
||||
19 May 2021: George
|
||||
- Fix for #411, #439, #469: Reset the DNS message ID when moving queries
|
||||
between TCP streams.
|
||||
- Refactor for uniform way to produce random DNS message IDs.
|
||||
|
||||
17 May 2021: Wouter
|
||||
- Fix #489: Compile using MSYS2 MinGW 64-bit.
|
||||
|
||||
12 May 2021: Wouter
|
||||
- Fix that auth-zone zonefiles use last TTL if no TTL is specified.
|
||||
|
||||
10 May 2021: Wouter
|
||||
- Merge PR #487: ifdef RLIMIT_AS in recently added check.
|
||||
|
||||
7 May 2021: Wouter
|
||||
- Fix #485: Unbound occasionally reports broken stats.
|
||||
- Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
|
||||
- Remove case fallthrough from deprecate-rsa-1024 code.
|
||||
|
||||
4 May 2021: George
|
||||
- Fix for #367: only attempt to get the interface for queries that are no
|
||||
longer on the tcp_waiting_list.
|
||||
- Add more logging for out-of-memory cases.
|
||||
|
||||
4 May 2021: Wouter
|
||||
- Merge #478: Allow configuration of TCP timeout while waiting for
|
||||
response.
|
||||
- Fix to squelch tcp socket bind failures when the interface is gone.
|
||||
- Rerun flex and bison.
|
||||
|
||||
3 May 2021: Wouter
|
||||
- Fix #481: Fix comment in configuration file.
|
||||
|
||||
29 April 2021: Wouter
|
||||
- Add that log-servfail prints an IP address and more information
|
||||
about one of the last failures for that query.
|
||||
|
||||
28 April 2021: George
|
||||
- Fix compiler warning for signed/unsigned comparison for
|
||||
max_reuse_tcp_queries.
|
||||
|
||||
28 April 2021: Wouter
|
||||
- Fix #474: always_null and others inside view.
|
||||
|
||||
26 April 2021: Wouter
|
||||
- Merge #470 from edevil: Allow configuration of persistent TCP
|
||||
connections.
|
||||
|
||||
22 April 2021: Wouter
|
||||
- Merge #466 from FGasper: Support OpenSSLs that lack
|
||||
SSL_get0_alpn_selected.
|
||||
- Fix #468: OpenSSL 1.0.1 can no longer build Unbound.
|
||||
- Further fix for #468: detect SSL_CTX_set_alpn_protos for build with
|
||||
OpenSSL 1.0.1.
|
||||
- Fix that testcode dohclient has OpenSSL initialisation calls.
|
||||
|
||||
13 April 2021: George
|
||||
- Fix documentation comment for files previously residing in checkconf/.
|
||||
- Remove unused functions worker_handle_reply and libworker_handle_reply.
|
||||
|
@ -507,7 +507,8 @@ server:
|
||||
# Use several entries, one per domain name, to track multiple zones.
|
||||
#
|
||||
# If you want to perform DNSSEC validation, run unbound-anchor before
|
||||
# you start unbound (i.e. in the system boot scripts). And enable:
|
||||
# you start unbound (i.e. in the system boot scripts).
|
||||
# And then enable the auto-trust-anchor-file config item.
|
||||
# Please note usage of unbound-anchor root anchor is at your own risk
|
||||
# and under the terms of our LICENSE (see that file in the source).
|
||||
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
|
||||
@ -556,6 +557,10 @@ server:
|
||||
# val-sig-skew-min: 3600
|
||||
# val-sig-skew-max: 86400
|
||||
|
||||
# The maximum number the validator should restart validation with
|
||||
# another authority in case of failed validation.
|
||||
# val-max-restart: 5
|
||||
|
||||
# Should additional section of secure message also be kept clean of
|
||||
# unsecure data. Useful to shield the users of this validator from
|
||||
# potential bogus data in the additional section. All unsigned data
|
||||
@ -613,7 +618,7 @@ server:
|
||||
# keysize. Keep this table very short, as linear search is done.
|
||||
# A message with an NSEC3 with larger count is marked insecure.
|
||||
# List in ascending order the keysize and count values.
|
||||
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
|
||||
# val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
|
||||
|
||||
# if enabled, ZONEMD verification failures do not block the zone.
|
||||
# zonemd-permissive-mode: no
|
||||
@ -901,6 +906,13 @@ server:
|
||||
# ipsecmod-allow: "example.com"
|
||||
# ipsecmod-allow: "nlnetlabs.nl"
|
||||
|
||||
# Timeout for REUSE entries in milliseconds.
|
||||
# tcp-reuse-timeout: 60000
|
||||
# Max number of queries on a reuse connection.
|
||||
# max-reuse-tcp-queries: 200
|
||||
# Timeout in milliseconds for TCP queries to auth servers.
|
||||
# tcp-auth-query-timeout: 3000
|
||||
|
||||
|
||||
# Python config section. To enable:
|
||||
# o use --with-pythonmodule to configure before compiling.
|
||||
@ -1025,6 +1037,7 @@ remote-control:
|
||||
# name: "example.org"
|
||||
# for-downstream: yes
|
||||
# for-upstream: yes
|
||||
# zonemd-check: no
|
||||
# zonemd-reject-absence: no
|
||||
# zonefile: "example.org.zone"
|
||||
|
||||
|
@ -308,7 +308,7 @@ serial check). And then the zone is transferred for a newer zone version.
|
||||
.B rpz_enable \fIzone\fR
|
||||
Enable the RPZ zone if it had previously been disabled.
|
||||
.TP
|
||||
.B rpz_enable \fIzone\fR
|
||||
.B rpz_disable \fIzone\fR
|
||||
Disable the RPZ zone.
|
||||
.TP
|
||||
.B view_list_local_zones \fIview\fR
|
||||
|
@ -89,11 +89,11 @@ These options are part of the
|
||||
clause.
|
||||
.TP
|
||||
.B verbosity: \fI<number>
|
||||
The verbosity number, level 0 means no verbosity, only errors. Level 1
|
||||
gives operational information. Level 2 gives detailed operational
|
||||
information. Level 3 gives query level information, output per query.
|
||||
Level 4 gives algorithm level information. Level 5 logs client
|
||||
identification for cache misses. Default is level 1.
|
||||
The verbosity number, level 0 means no verbosity, only errors. Level 1
|
||||
gives operational information. Level 2 gives detailed operational
|
||||
information including short information per query. Level 3 gives query level
|
||||
information, output per query. Level 4 gives algorithm level information.
|
||||
Level 5 logs client identification for cache misses. Default is level 1.
|
||||
The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
|
||||
.TP
|
||||
.B statistics\-interval: \fI<seconds>
|
||||
@ -451,6 +451,19 @@ total number configured, and finally to 0 if the number of free buffers
|
||||
falls below 20% of the total number configured. A minimum timeout of
|
||||
200 milliseconds is observed regardless of the option value used.
|
||||
.TP
|
||||
.B tcp-reuse-timeout: \fI<msec>\fR
|
||||
The period Unbound will keep TCP persistent connections open to
|
||||
authority servers. This option defaults to 60000 milliseconds.
|
||||
.TP
|
||||
.B max-reuse-tcp-queries: \fI<number>\fR
|
||||
The maximum number of queries that can be sent on a persistent TCP
|
||||
connection.
|
||||
This option defaults to 200 queries.
|
||||
.TP
|
||||
.B tcp-auth-query-timeout: \fI<number>\fR
|
||||
Timeout in milliseconds for TCP queries to auth servers.
|
||||
This option defaults to 3000 milliseconds.
|
||||
.TP
|
||||
.B edns-tcp-keepalive: \fI<yes or no>\fR
|
||||
Enable or disable EDNS TCP Keepalive. Default is no.
|
||||
.TP
|
||||
@ -1013,7 +1026,7 @@ If yes, Unbound rotates RRSet order in response (the random number is taken
|
||||
from the query ID, for speed and thread safety). Default is yes.
|
||||
.TP
|
||||
.B minimal-responses: \fI<yes or no>
|
||||
If yes, Unbound doesn't insert authority/additional sections into response
|
||||
If yes, Unbound does not insert authority/additional sections into response
|
||||
messages when those sections are not required. This reduces response
|
||||
size significantly, and may avoid TCP fallback for some responses.
|
||||
This may cause a slight speedup. The default is yes, even though the DNS
|
||||
@ -1031,15 +1044,24 @@ of this setting, if a trust anchor is loaded.
|
||||
.TP
|
||||
.B module\-config: \fI<"module names">
|
||||
Module configuration, a list of module names separated by spaces, surround
|
||||
the string with quotes (""). The modules can be validator, iterator.
|
||||
Setting this to "iterator" will result in a non\-validating server.
|
||||
Setting this to "validator iterator" will turn on DNSSEC validation.
|
||||
The ordering of the modules is important.
|
||||
You must also set trust\-anchors for validation to be useful.
|
||||
The default is "validator iterator". When the server is built with
|
||||
EDNS client subnet support the default is "subnetcache validator iterator".
|
||||
the string with quotes (""). The modules can be \fIrespip\fR,
|
||||
\fIvalidator\fR, or \fIiterator\fR (and possibly more, see below).
|
||||
Setting this to just "\fIiterator\fR" will result in a non\-validating
|
||||
server.
|
||||
Setting this to "\fIvalidator iterator\fR" will turn on DNSSEC validation.
|
||||
The ordering of the modules is significant, the order decides the
|
||||
order of processing.
|
||||
You must also set \fItrust\-anchors\fR for validation to be useful.
|
||||
Adding \fIrespip\fR to the front will cause RPZ processing to be done on
|
||||
all queries.
|
||||
The default is "\fIvalidator iterator\fR".
|
||||
.IP
|
||||
When the server is built with
|
||||
EDNS client subnet support the default is "\fIsubnetcache validator
|
||||
iterator\fR".
|
||||
Most modules that need to be listed here have to be listed at the beginning
|
||||
of the line. The cachedb module has to be listed just before the iterator.
|
||||
of the line. The subnetcachedb module has to be listed just before
|
||||
the iterator.
|
||||
The python module can be listed in different places, it then processes the
|
||||
output of the module it is just before. The dynlib module can be listed pretty
|
||||
much anywhere, it is only a very thin wrapper that allows dynamic libraries to
|
||||
@ -1118,6 +1140,10 @@ min and max very low disables the clock skew allowances. Setting both
|
||||
min and max very high makes the validator check the signature timestamps
|
||||
less strictly.
|
||||
.TP
|
||||
.B val\-max\-restart: \fI<number>
|
||||
The maximum number the validator should restart validation with
|
||||
another authority in case of failed validation. Default is 5.
|
||||
.TP
|
||||
.B val\-bogus\-ttl: \fI<number>
|
||||
The time to live for bogus data. This is data that has failed validation;
|
||||
due to invalid signatures or other checks. The TTL from that data cannot be
|
||||
@ -1202,7 +1228,7 @@ Default is "no".
|
||||
.TP
|
||||
.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
|
||||
List of keysize and iteration count values, separated by spaces, surrounded
|
||||
by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
|
||||
by quotes. Default is "1024 150 2048 150 4096 150". This determines the
|
||||
maximum allowed NSEC3 iteration count before a message is simply marked
|
||||
insecure instead of performing the many hashing iterations. The list must
|
||||
be in ascending order and have at least one entry. If you set it to
|
||||
@ -1514,6 +1540,82 @@ Use this localzone type, regardless the type configured for the local-zone
|
||||
(both tagged and untagged) and regardless the type configured using
|
||||
access\-control\-tag\-action.
|
||||
.TP 5
|
||||
.B response\-ip: \fI<IP-netblock> <action>
|
||||
This requires use of the "respip" module.
|
||||
.IP
|
||||
If the IP address in an AAAA or A RR in the answer section of a
|
||||
response matches the specified IP netblock, the specified action will
|
||||
apply.
|
||||
\fI<action>\fR has generally the same semantics as that for
|
||||
\fIaccess-control-tag-action\fR, but there are some exceptions.
|
||||
.IP
|
||||
Actions for \fIresponse-ip\fR are different from those for
|
||||
\fIlocal-zone\fR in that in case of the former there is no point of
|
||||
such conditions as "the query matches it but there is no local data".
|
||||
Because of this difference, the semantics of \fIresponse-ip\fR actions
|
||||
are modified or simplified as follows: The \fIstatic, refuse,
|
||||
transparent, typetransparent,\fR and \fInodefault\fR actions are
|
||||
invalid for \fIresponse-ip\fR.
|
||||
Using any of these will cause the configuration to be rejected as
|
||||
faulty. The \fIdeny\fR action is non-conditional, i.e. it always
|
||||
results in dropping the corresponding query.
|
||||
The resolution result before applying the deny action is still cached
|
||||
and can be used for other queries.
|
||||
.TP 5
|
||||
.B response-ip-data: \fI<IP-netblock> <"resource record string">
|
||||
This requires use of the "respip" module.
|
||||
.IP
|
||||
This specifies the action data for \fIresponse-ip\fR with action being
|
||||
to redirect as specified by "\fIresource record string\fR". "Resource
|
||||
record string" is similar to that of \fIaccess-control-tag-action\fR,
|
||||
but it must be of either AAAA, A or CNAME types.
|
||||
If the IP-netblock is an IPv6/IPV4 prefix, the record
|
||||
must be AAAA/A respectively, unless it is a CNAME (which can be used
|
||||
for both versions of IP netblocks). If it is CNAME there must not be
|
||||
more than one \fIresponse-ip-data\fR for the same IP-netblock.
|
||||
Also, CNAME and other types of records must not coexist for the same
|
||||
IP-netblock, following the normal rules for CNAME records.
|
||||
The textual domain name for the CNAME does not have to be explicitly
|
||||
terminated with a dot ("."); the root name is assumed to be the origin
|
||||
for the name.
|
||||
.TP 5
|
||||
.B response-ip-tag: \fI<IP-netblock> <"list of tags">
|
||||
This requires use of the "respip" module.
|
||||
.IP
|
||||
Assign tags to response IP-netblocks. If the IP address in an AAAA or
|
||||
A RR in the answer section of a response matches the specified
|
||||
IP-netblock, the specified tags are assigned to the IP address.
|
||||
Then, if an \fIaccess-control-tag\fR is defined for the client and it
|
||||
includes one of the tags for the response IP, the corresponding
|
||||
\fIaccess-control-tag-action\fR will apply.
|
||||
Tag matching rule is the same as that for \fIaccess-control-tag\fR and
|
||||
\fIlocal-zones\fR.
|
||||
Unlike \fIlocal-zone-tag\fR, \fIresponse-ip-tag\fR can be defined for
|
||||
an IP-netblock even if no \fIresponse-ip\fR is defined for that
|
||||
netblock.
|
||||
If multiple \fIresponse-ip-tag\fR options are specified for the same
|
||||
IP-netblock in different statements, all but the first will be
|
||||
ignored.
|
||||
However, this will not be flagged as a configuration error, but the
|
||||
result is probably not what was intended.
|
||||
.IP
|
||||
Actions specified in an
|
||||
\fIaccess-control-tag-action\fR that has a matching tag with
|
||||
\fIresponse-ip-tag\fR can be those that are "invalid" for
|
||||
\fIresponse-ip\fR listed above, since \fIaccess-control-tag-action\fRs
|
||||
can be shared with local zones.
|
||||
For these actions, if they behave differently depending on whether
|
||||
local data exists or not in case of local zones, the behavior for
|
||||
\fIresponse-ip-data\fR will generally result in NOERROR/NODATA instead
|
||||
of NXDOMAIN, since the \fIresponse-ip\fR data are inherently type
|
||||
specific, and non-existence of data does not indicate anything about
|
||||
the existence or non-existence of the qname itself.
|
||||
For example, if the matching tag action is \fIstatic\fR but there is
|
||||
no data for the corresponding \fIresponse-ip\fR configuration, then
|
||||
the result will be NOERROR/NODATA.
|
||||
The only case where NXDOMAIN is returned is when an
|
||||
\fIalways_nxdomain\fR action applies.
|
||||
.TP 5
|
||||
.B ratelimit: \fI<number or 0>
|
||||
Enable ratelimiting of queries sent to nameserver for performing recursion.
|
||||
If 0, the default, it is disabled. This option is experimental at this time.
|
||||
@ -1825,7 +1927,9 @@ Name of the authority zone.
|
||||
.B primary: \fI<IP address or host name>
|
||||
Where to download a copy of the zone from, with AXFR and IXFR. Multiple
|
||||
primaries can be specified. They are all tried if one fails.
|
||||
With the "ip#name" notation a AXFR over TLS can be used.
|
||||
To use a nondefault port for DNS communication append '@' with the port number.
|
||||
You can append a '#' and a name, then AXFR over TLS can be used and the tls authentication certificates will be checked with that name. If you combine
|
||||
the '@' and '#', the '@' comes first.
|
||||
If you point it at another Unbound instance, it would not work because
|
||||
that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download
|
||||
the zonefile as a text file from a webserver that would work.
|
||||
@ -1882,6 +1986,12 @@ to the authority servers for this zone, it'll fetch the data directly from
|
||||
the zone data. Turn it on when you want unbound to provide recursion for
|
||||
downstream clients, and use the zone data as a local copy to speed up lookups.
|
||||
.TP
|
||||
.B zonemd\-check: \fI<yes or no>
|
||||
Enable this option to check ZONEMD records in the zone. Default is disabled.
|
||||
The ZONEMD record is a checksum over the zone data. This includes glue in
|
||||
the zone and data from the zone file, and excludes comments from the zone file.
|
||||
When there is a DNSSEC chain of trust, DNSSEC signatures are checked too.
|
||||
.TP
|
||||
.B zonemd\-reject\-absence: \fI<yes or no>
|
||||
Enable this option to reject the absence of the ZONEMD record. Without it,
|
||||
when zonemd is not there it is not checked. It is useful to enable for a
|
||||
@ -2396,6 +2506,15 @@ Name of the authority zone.
|
||||
.B primary: \fI<IP address or host name>
|
||||
Where to download a copy of the zone from, with AXFR and IXFR. Multiple
|
||||
primaries can be specified. They are all tried if one fails.
|
||||
To use a nondefault port for DNS communication append '@' with the port number.
|
||||
You can append a '#' and a name, then AXFR over TLS can be used and the tls authentication certificates will be checked with that name. If you combine
|
||||
the '@' and '#', the '@' comes first.
|
||||
If you point it at another Unbound instance, it would not work because
|
||||
that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download
|
||||
the zonefile as a text file from a webserver that would work.
|
||||
If you specify the hostname, you cannot use the domain from the zonefile,
|
||||
because it may not have that when retrieving that data, instead use a plain
|
||||
IP address to avoid a circular dependency on retrieving that IP address.
|
||||
.TP
|
||||
.B master: \fI<IP address or host name>
|
||||
Alternate syntax for \fBprimary\fR.
|
||||
|
@ -419,6 +419,7 @@ ipsecmod_handle_query(struct module_qstate* qstate,
|
||||
if(!qstate->env->cfg->ipsecmod_ignore_bogus &&
|
||||
rrset_data->security == sec_status_bogus) {
|
||||
log_err("ipsecmod: bogus IPSECKEY");
|
||||
errinf(qstate, "ipsecmod: bogus IPSECKEY");
|
||||
ipsecmod_error(qstate, id);
|
||||
return;
|
||||
}
|
||||
@ -426,6 +427,7 @@ ipsecmod_handle_query(struct module_qstate* qstate,
|
||||
if(!call_hook(qstate, iq, ie) &&
|
||||
qstate->env->cfg->ipsecmod_strict) {
|
||||
log_err("ipsecmod: ipsecmod-hook failed");
|
||||
errinf(qstate, "ipsecmod: ipsecmod-hook failed");
|
||||
ipsecmod_error(qstate, id);
|
||||
return;
|
||||
}
|
||||
@ -497,6 +499,7 @@ ipsecmod_handle_response(struct module_qstate* qstate,
|
||||
qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY,
|
||||
qstate->qinfo.qclass, 0)) {
|
||||
log_err("ipsecmod: could not generate subquery.");
|
||||
errinf(qstate, "ipsecmod: could not generate subquery.");
|
||||
ipsecmod_error(qstate, id);
|
||||
}
|
||||
return;
|
||||
@ -520,6 +523,7 @@ ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
|
||||
if((event == module_event_new || event == module_event_pass) &&
|
||||
iq == NULL) {
|
||||
if(!ipsecmod_new(qstate, id)) {
|
||||
errinf(qstate, "ipsecmod: could not ipsecmod_new");
|
||||
ipsecmod_error(qstate, id);
|
||||
return;
|
||||
}
|
||||
@ -542,6 +546,7 @@ ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
|
||||
}
|
||||
if(event == module_event_error) {
|
||||
verbose(VERB_ALGO, "got called with event error, giving up");
|
||||
errinf(qstate, "ipsecmod: got called with event error");
|
||||
ipsecmod_error(qstate, id);
|
||||
return;
|
||||
}
|
||||
@ -552,6 +557,7 @@ ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
|
||||
}
|
||||
|
||||
log_err("ipsecmod: bad event %s", strmodulevent(event));
|
||||
errinf(qstate, "ipsecmod: operate got bad event");
|
||||
ipsecmod_error(qstate, id);
|
||||
return;
|
||||
}
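Review bot: Each new errinf() in this file repeats the literal already passed to log_err()/verbose() one line above it (all six hunks, -419 through -552), so the two messages can drift apart over time; a small `static void ipsecmod_fail(struct module_qstate* qstate, int id, const char* msg)` that does log_err, errinf and ipsecmod_error together would keep them in sync. The bad-event path at -552 is the one place where the log line carries `strmodulevent(event)` but the errinf text does not; if errinf cannot take a formatted string, a short comment such as `/* event name is only in the log line, errinf takes a fixed string */` saves the next reader looking for it. The enclosing functions extend beyond the hunks.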
|
||||
|
@ -440,6 +440,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
|
||||
prev = NULL;
|
||||
a = dp->result_list;
|
||||
for(i = 0; i < got_num; i++) {
|
||||
if(!a) break; /* robustness */
|
||||
swap_to_front = 0;
|
||||
if(a->addr.ss_family != AF_INET6 && attempt == -1) {
|
||||
/* if we only have ip4 at low attempt count,
|
||||
@ -497,6 +498,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
|
||||
prev = NULL;
|
||||
a = dp->result_list;
|
||||
for(i = 0; i < got_num; i++) {
|
||||
if(!a) break; /* robustness */
|
||||
swap_to_front = 0;
|
||||
if(a->addr.ss_family != AF_INET && attempt == -1) {
|
||||
/* if we only have ip6 at low attempt count,
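Review bot: The added `if(!a) break; /* robustness */` in both iter_filter_order loops (this hunk and the one at -440) stops a NULL walk, but the comment does not say which invariant it defends, so a reader cannot tell whether reaching it is a bug or an expected state. Suggest `/* result_list should hold got_num entries; stop instead of dereferencing NULL if it is shorter */`, and if a short list really is unexpected, a verbose() on that path would make the condition observable in logs. The enclosing function starts and ends outside the hunks.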
|
||||
|
@ -585,6 +585,60 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** add response specific error information for log servfail */
|
||||
static void
|
||||
errinf_reply(struct module_qstate* qstate, struct iter_qstate* iq)
|
||||
{
|
||||
if(qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail)
|
||||
return;
|
||||
if((qstate->reply && qstate->reply->addrlen != 0) ||
|
||||
(iq->fail_reply && iq->fail_reply->addrlen != 0)) {
|
||||
char from[256], frm[512];
|
||||
if(qstate->reply && qstate->reply->addrlen != 0)
|
||||
addr_to_str(&qstate->reply->addr, qstate->reply->addrlen,
|
||||
from, sizeof(from));
|
||||
else
|
||||
addr_to_str(&iq->fail_reply->addr, iq->fail_reply->addrlen,
|
||||
from, sizeof(from));
|
||||
snprintf(frm, sizeof(frm), "from %s", from);
|
||||
errinf(qstate, frm);
|
||||
}
|
||||
if(iq->scrub_failures || iq->parse_failures) {
|
||||
if(iq->scrub_failures)
|
||||
errinf(qstate, "upstream response failed scrub");
|
||||
if(iq->parse_failures)
|
||||
errinf(qstate, "could not parse upstream response");
|
||||
} else if(iq->response == NULL && iq->timeout_count != 0) {
|
||||
errinf(qstate, "upstream server timeout");
|
||||
} else if(iq->response == NULL) {
|
||||
errinf(qstate, "no server to query");
|
||||
if(iq->dp) {
|
||||
if(iq->dp->target_list == NULL)
|
||||
errinf(qstate, "no addresses for nameservers");
|
||||
else errinf(qstate, "nameserver addresses not usable");
|
||||
if(iq->dp->nslist == NULL)
|
||||
errinf(qstate, "have no nameserver names");
|
||||
if(iq->dp->bogus)
|
||||
errinf(qstate, "NS record was dnssec bogus");
|
||||
}
|
||||
}
|
||||
if(iq->response && iq->response->rep) {
|
||||
if(FLAGS_GET_RCODE(iq->response->rep->flags) != 0) {
|
||||
char rcode[256], rc[32];
|
||||
(void)sldns_wire2str_rcode_buf(
|
||||
FLAGS_GET_RCODE(iq->response->rep->flags),
|
||||
rc, sizeof(rc));
|
||||
snprintf(rcode, sizeof(rcode), "got %s", rc);
|
||||
errinf(qstate, rcode);
|
||||
} else {
|
||||
/* rcode NOERROR */
|
||||
if(iq->response->rep->an_numrrsets == 0) {
|
||||
errinf(qstate, "nodata answer");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/** see if last resort is possible - does config allow queries to parent */
|
||||
static int
|
||||
can_have_last_resort(struct module_env* env, uint8_t* nm, size_t nmlen,
|
||||
@ -1922,6 +1976,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
* of a response. */
|
||||
errinf(qstate, "all the configured stub or forward servers failed,");
|
||||
errinf_dname(qstate, "at zone", iq->dp->name);
|
||||
errinf_reply(qstate, iq);
|
||||
verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
|
||||
return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
|
||||
}
|
||||
@ -2068,6 +2123,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
|
||||
errinf(qstate, "all servers for this domain failed,");
|
||||
errinf_dname(qstate, "at zone", iq->dp->name);
|
||||
errinf_reply(qstate, iq);
|
||||
verbose(VERB_QUERY, "out of query targets -- returning SERVFAIL");
|
||||
/* fail -- no more targets, no more hope of targets, no hope
|
||||
* of a response. */
|
||||
@ -2959,6 +3015,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
qstate->env->detach_subs));
|
||||
(*qstate->env->detach_subs)(qstate);
|
||||
iq->num_target_queries = 0;
|
||||
iq->response = NULL;
|
||||
iq->fail_reply = NULL;
|
||||
verbose(VERB_ALGO, "cleared outbound list for next round");
|
||||
return next_state(iq, QUERYTARGETS_STATE);
|
||||
} else if(type == RESPONSE_TYPE_CNAME) {
|
||||
@ -3722,6 +3780,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
}
|
||||
|
||||
/* parse message */
|
||||
iq->fail_reply = qstate->reply;
|
||||
prs = (struct msg_parse*)regional_alloc(qstate->env->scratch,
|
||||
sizeof(struct msg_parse));
|
||||
if(!prs) {
|
||||
@ -3735,12 +3794,15 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
sldns_buffer_set_position(pkt, 0);
|
||||
if(parse_packet(pkt, prs, qstate->env->scratch) != LDNS_RCODE_NOERROR) {
|
||||
verbose(VERB_ALGO, "parse error on reply packet");
|
||||
iq->parse_failures++;
|
||||
goto handle_it;
|
||||
}
|
||||
/* edns is not examined, but removed from message to help cache */
|
||||
if(parse_extract_edns(prs, &edns, qstate->env->scratch) !=
|
||||
LDNS_RCODE_NOERROR)
|
||||
LDNS_RCODE_NOERROR) {
|
||||
iq->parse_failures++;
|
||||
goto handle_it;
|
||||
}
|
||||
|
||||
/* Copy the edns options we may got from the back end */
|
||||
if(edns.opt_list) {
|
||||
@ -3774,6 +3836,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
iq->num_current_queries--;
|
||||
verbose(VERB_DETAIL, "Capsforid: scrub failed, starting fallback with no response");
|
||||
}
|
||||
iq->scrub_failures++;
|
||||
goto handle_it;
|
||||
}
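Review bot: `iq->fail_reply = qstate->reply;` (hunk at -3722) stores a pointer to a comm_reply the iterator does not own, and errinf_reply (hunk at -585) dereferences it later from processLastResort, which can run on a later event than the response that set it; if that comm_reply storage can be reused or freed in between, addr_to_str would read a stale address. The lifetime assumption should be stated where the pointer is taken, e.g. `/* borrowed: points into comm layer storage, must stay valid until the query finishes or fail_reply is cleared */`, or the pointer should be cleared wherever the reply is consumed (processQueryResponse already does so on one path, hunk at -2959). I cannot see the owning code in this diff, so this is a question rather than a confirmed defect. The enclosing functions continue outside the hunks.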
|
||||
|
||||
|
@ -406,6 +406,12 @@ struct iter_qstate {
|
||||
int auth_zone_response;
|
||||
/** True if the auth_zones should not be consulted for the query */
|
||||
int auth_zone_avoid;
|
||||
/** true if there have been scrubbing failures of reply packets */
|
||||
int scrub_failures;
|
||||
/** true if there have been parse failures of reply packets */
|
||||
int parse_failures;
|
||||
/** a failure printout address for last received answer */
|
||||
struct comm_reply* fail_reply;
|
||||
};
|
||||
|
||||
/**
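Review bot: The new comments on `scrub_failures` and `parse_failures` say "true if", but iterator.c increments both as counters (`iq->scrub_failures++`, `iq->parse_failures++`), so a reader of the header would wrongly assume a boolean. Suggest `/** number of scrubbing failures of reply packets, nonzero means some reply failed */` and matching wording for parse failures. The `fail_reply` comment could also say that the struct only borrows the pointed-to comm_reply and who owns it.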
|
||||
|
@ -241,7 +241,9 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
|
||||
ports, numports, cfg->unwanted_threshold,
|
||||
cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w,
|
||||
cfg->do_udp || cfg->udp_upstream_without_downstream, w->sslctx,
|
||||
cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect);
|
||||
cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect,
|
||||
cfg->max_reuse_tcp_queries, cfg->tcp_reuse_timeout,
|
||||
cfg->tcp_auth_query_timeout);
|
||||
w->env->outnet = w->back;
|
||||
if(!w->is_bg || w->is_bg_thread) {
|
||||
lock_basic_unlock(&ctx->cfglock);
|
||||
@ -454,8 +456,15 @@ fill_res(struct ub_result* res, struct ub_packed_rrset_key* answer,
|
||||
if(rep->rrset_count != 0)
|
||||
res->ttl = (int)rep->ttl;
|
||||
res->data = (char**)calloc(1, sizeof(char*));
|
||||
if(!res->data)
|
||||
return 0; /* out of memory */
|
||||
res->len = (int*)calloc(1, sizeof(int));
|
||||
return (res->data && res->len);
|
||||
if(!res->len) {
|
||||
free(res->data);
|
||||
res->data = NULL;
|
||||
return 0; /* out of memory */
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
data = (struct packed_rrset_data*)answer->entry.data;
|
||||
if(query_dname_compare(rq->qname, answer->rk.dname) != 0) {
|
||||
@ -463,15 +472,30 @@ fill_res(struct ub_result* res, struct ub_packed_rrset_key* answer,
|
||||
return 0; /* out of memory */
|
||||
} else res->canonname = NULL;
|
||||
res->data = (char**)calloc(data->count+1, sizeof(char*));
|
||||
res->len = (int*)calloc(data->count+1, sizeof(int));
|
||||
if(!res->data || !res->len)
|
||||
if(!res->data)
|
||||
return 0; /* out of memory */
|
||||
res->len = (int*)calloc(data->count+1, sizeof(int));
|
||||
if(!res->len) {
|
||||
free(res->data);
|
||||
res->data = NULL;
|
||||
return 0; /* out of memory */
|
||||
}
|
||||
for(i=0; i<data->count; i++) {
|
||||
/* remove rdlength from rdata */
|
||||
res->len[i] = (int)(data->rr_len[i] - 2);
|
||||
res->data[i] = memdup(data->rr_data[i]+2, (size_t)res->len[i]);
|
||||
if(!res->data[i])
|
||||
if(!res->data[i]) {
|
||||
size_t j;
|
||||
for(j=0; j<i; j++) {
|
||||
free(res->data[j]);
|
||||
res->data[j] = NULL;
|
||||
}
|
||||
free(res->data);
|
||||
res->data = NULL;
|
||||
free(res->len);
|
||||
res->len = NULL;
|
||||
return 0; /* out of memory */
|
||||
}
|
||||
}
|
||||
/* ttl for positive answers, from CNAME and answer RRs */
|
||||
if(data->count != 0) {
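Review bot: The new cleanup in fill_res (hunk at -463) releases `res->data` and `res->len` when memdup fails, but not `res->canonname`, which is strdup'ed just above this hunk; whether that leaks depends on the caller freeing `res` on a 0 return, which is not visible here. If the caller does not, `free(res->canonname); res->canonname = NULL;` belongs on the same path, and the calloc failure of `res->len` in the same hunk has the same gap. The three near-identical release sequences could become one static helper so a future field is not forgotten. The function's end lies outside the hunk.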
|
||||
|
@ -936,6 +936,8 @@ int _ub_resolve_async(struct ub_ctx* ctx, char* name, int rrtype, int rrclass, v
|
||||
int r;
|
||||
struct cb_data* id;
|
||||
id = (struct cb_data*) malloc(sizeof(struct cb_data));
|
||||
if(!id)
|
||||
return -2; /* UB_NOMEM */
|
||||
id->data = mydata;
|
||||
id->func = pyfunc;
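Review bot: The added NULL check in _ub_resolve_async returns the literal `-2` with a trailing `/* UB_NOMEM */` comment rather than the named error code, so the mapping lives only in a comment. If `UB_NOMEM` from the libunbound header is visible in this wrapper, `return UB_NOMEM;` is the safer form; if it is not, the comment should say why the literal is used. The function continues outside the hunk.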
|
||||
|
||||
|
@ -1546,7 +1546,7 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
|
||||
{
|
||||
PyObject *func, *py_edns, *py_qstate, *py_opt_list_out, *py_qinfo;
|
||||
PyObject *py_rep, *py_repinfo, *py_region;
|
||||
PyObject *py_args, *py_kwargs, *result;
|
||||
PyObject *py_args = NULL, *py_kwargs = NULL, *result = NULL;
|
||||
int res = 0;
|
||||
double py_start_time = ((double)start_time->tv_sec) + ((double)start_time->tv_usec) / 1.0e6;
|
||||
|
||||
@ -1561,11 +1561,20 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
|
||||
py_rep = SWIG_NewPointerObj((void*) rep, SWIGTYPE_p_reply_info, 0);
|
||||
py_repinfo = SWIG_NewPointerObj((void*) repinfo, SWIGTYPE_p_comm_reply, 0);
|
||||
py_region = SWIG_NewPointerObj((void*) region, SWIGTYPE_p_regional, 0);
|
||||
py_args = Py_BuildValue("(OOOiOOO)", py_qinfo, py_qstate, py_rep,
|
||||
rcode, py_edns, py_opt_list_out, py_region);
|
||||
py_kwargs = Py_BuildValue("{s:O,s:d}", "repinfo", py_repinfo, "start_time",
|
||||
py_start_time);
|
||||
result = PyObject_Call(func, py_args, py_kwargs);
|
||||
if(py_qinfo && py_qstate && py_rep && py_edns && py_opt_list_out
|
||||
&& py_region && py_repinfo) {
|
||||
py_args = Py_BuildValue("(OOOiOOO)", py_qinfo, py_qstate, py_rep,
|
||||
rcode, py_edns, py_opt_list_out, py_region);
|
||||
py_kwargs = Py_BuildValue("{s:O,s:d}", "repinfo", py_repinfo, "start_time",
|
||||
py_start_time);
|
||||
if(py_args && py_kwargs) {
|
||||
result = PyObject_Call(func, py_args, py_kwargs);
|
||||
} else {
|
||||
log_err("pythonmod: malloc failure in python_inplace_cb_reply_generic");
|
||||
}
|
||||
} else {
|
||||
log_err("pythonmod: malloc failure in python_inplace_cb_reply_generic");
|
||||
}
|
||||
Py_XDECREF(py_edns);
|
||||
Py_XDECREF(py_qstate);
|
||||
Py_XDECREF(py_opt_list_out);
|
||||
@ -1624,6 +1633,7 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
|
||||
{
|
||||
int res = 0;
|
||||
PyObject *func = python_callback;
|
||||
PyObject *py_args = NULL, *py_kwargs = NULL, *result = NULL;
|
||||
|
||||
PyGILState_STATE gstate = PyGILState_Ensure();
|
||||
|
||||
@ -1632,12 +1642,19 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
|
||||
PyObject *py_addr = SWIG_NewPointerObj((void *) addr, SWIGTYPE_p_sockaddr_storage, 0);
|
||||
PyObject *py_zone = PyBytes_FromStringAndSize((const char *)zone, zonelen);
|
||||
PyObject *py_region = SWIG_NewPointerObj((void*) region, SWIGTYPE_p_regional, 0);
|
||||
|
||||
PyObject *py_args = Py_BuildValue("(OiOOOO)", py_qinfo, flags, py_qstate, py_addr, py_zone, py_region);
|
||||
PyObject *py_kwargs = Py_BuildValue("{}");
|
||||
PyObject *result = PyObject_Call(func, py_args, py_kwargs);
|
||||
if (result) {
|
||||
res = PyInt_AsLong(result);
|
||||
if(py_qinfo && py_qstate && py_addr && py_zone && py_region) {
|
||||
py_args = Py_BuildValue("(OiOOOO)", py_qinfo, flags, py_qstate, py_addr, py_zone, py_region);
|
||||
py_kwargs = Py_BuildValue("{}");
|
||||
if(py_args && py_kwargs) {
|
||||
result = PyObject_Call(func, py_args, py_kwargs);
|
||||
if (result) {
|
||||
res = PyInt_AsLong(result);
|
||||
}
|
||||
} else {
|
||||
log_err("pythonmod: malloc failure in python_inplace_cb_query_generic");
|
||||
}
|
||||
} else {
|
||||
log_err("pythonmod: malloc failure in python_inplace_cb_query_generic");
|
||||
}
|
||||
|
||||
Py_XDECREF(py_qinfo);
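Review bot: In both callback wrappers (hunks at -1561 and -1632) the inner and outer else branches log the identical `malloc failure in python_inplace_cb_*` text, so the log cannot tell a failed SWIG_NewPointerObj from a failed Py_BuildValue; make the inner one distinct, e.g. `log_err("pythonmod: Py_BuildValue failed in python_inplace_cb_reply_generic");`. A failing Py_BuildValue or PyObject_Call also leaves a Python exception set, and nothing in these hunks reports or clears it before the GIL is released; a `PyErr_Print()` or `PyErr_Clear()` on those paths would make the failure visible, unless code outside the hunk already does that. The enclosing functions run past the hunks.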
|
||||
|
@ -245,6 +245,11 @@ cleanup:
|
||||
/* clear the exception, by not restoring it */
|
||||
/* Restore the exception state */
|
||||
/* PyErr_Restore(exc_typ, exc_val, exc_tb); */
|
||||
/* when using PyErr_Restore there is no need to Py_XDECREF for
|
||||
* these 3 pointers. */
|
||||
Py_XDECREF(exc_typ);
|
||||
Py_XDECREF(exc_val);
|
||||
Py_XDECREF(exc_tb);
|
||||
}
|
||||
|
||||
int pythonmod_init(struct module_env* env, int id)
|
||||
@ -561,9 +566,19 @@ void pythonmod_operate(struct module_qstate* qstate, enum module_ev event,
|
||||
{
|
||||
/* create qstate */
|
||||
pq = qstate->minfo[id] = malloc(sizeof(struct pythonmod_qstate));
|
||||
if(!pq) {
|
||||
log_err("pythonmod_operate: malloc failure for qstate");
|
||||
PyGILState_Release(gil);
|
||||
return;
|
||||
}
|
||||
|
||||
/* Initialize per query data */
|
||||
pq->data = PyDict_New();
|
||||
if(!pq->data) {
|
||||
log_err("pythonmod_operate: malloc failure for query data dict");
|
||||
PyGILState_Release(gil);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
/* Call operate */
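Review bot: Both new failure returns in pythonmod_operate (hunk at -561) release the GIL and return without touching `qstate->ext_state[id]`, so unless the caller treats an unchanged ext_state as failure the query is left in whatever state it had before; the ipsecmod hunks in this same commit route every failure through ipsecmod_error instead. Consider `qstate->ext_state[id] = module_error;` before each `return;`. On the PyDict_New failure `qstate->minfo[id]` also keeps a half-initialised `pq` with `data == NULL`, which is only safe if every later reader of `pq->data` tolerates NULL. The enclosing function continues outside the hunk.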
|
||||
|
@ -1755,6 +1755,8 @@ zonemd_offline_verify(struct auth_zone* z, struct module_env* env_for_val,
|
||||
{
|
||||
struct module_env env;
|
||||
time_t now = 0;
|
||||
if(!z->zonemd_check)
|
||||
return;
|
||||
env = *env_for_val;
|
||||
env.scratch_buffer = sldns_buffer_new(env.cfg->msg_buffer_size);
|
||||
if(!env.scratch_buffer) {
|
||||
@ -2096,6 +2098,7 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
|
||||
z->for_downstream = c->for_downstream;
|
||||
z->for_upstream = c->for_upstream;
|
||||
z->fallback_enabled = c->fallback_enabled;
|
||||
z->zonemd_check = c->zonemd_check;
|
||||
z->zonemd_reject_absence = c->zonemd_reject_absence;
|
||||
if(c->isrpz && !z->rpz){
|
||||
if(!(z->rpz = rpz_create(c))){
|
||||
@ -5149,6 +5152,9 @@ xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env)
|
||||
lock_rw_unlock(&z->lock);
|
||||
return;
|
||||
}
|
||||
#ifdef UB_ON_WINDOWS
|
||||
(void)unlink(zfilename); /* windows does not replace file with rename() */
|
||||
#endif
|
||||
if(rename(tmpfile, zfilename) < 0) {
|
||||
log_err("could not rename(%s, %s): %s", tmpfile, zfilename,
|
||||
strerror(errno));
|
||||
@ -5442,7 +5448,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
|
||||
/* perform AXFR/IXFR */
|
||||
/* set the packet to be written */
|
||||
/* create new ID */
|
||||
xfr->task_transfer->id = (uint16_t)(ub_random(env->rnd)&0xffff);
|
||||
xfr->task_transfer->id = GET_RANDOM_ID(env->rnd);
|
||||
xfr_create_ixfr_packet(xfr, env->scratch_buffer,
|
||||
xfr->task_transfer->id, master);
|
||||
|
||||
@ -6292,7 +6298,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
|
||||
/* create new ID for new probes, but not on timeout retries,
|
||||
* this means we'll accept replies to previous retries to same ip */
|
||||
if(timeout == AUTH_PROBE_TIMEOUT)
|
||||
xfr->task_probe->id = (uint16_t)(ub_random(env->rnd)&0xffff);
|
||||
xfr->task_probe->id = GET_RANDOM_ID(env->rnd);
|
||||
xfr_create_soa_probe_packet(xfr, env->scratch_buffer,
|
||||
xfr->task_probe->id);
|
||||
/* we need to remove the cp if we have a different ip4/ip6 type now */
|
||||
@ -7165,12 +7171,14 @@ xfer_set_masters(struct auth_master** list, struct config_auth* c,
|
||||
if(with_http)
|
||||
for(p = c->urls; p; p = p->next) {
|
||||
m = auth_master_new(&list);
|
||||
if(!m) return 0;
|
||||
m->http = 1;
|
||||
if(!parse_url(p->str, &m->host, &m->file, &m->port, &m->ssl))
|
||||
return 0;
|
||||
}
|
||||
for(p = c->masters; p; p = p->next) {
|
||||
m = auth_master_new(&list);
|
||||
if(!m) return 0;
|
||||
m->ixfr = 1; /* this flag is not configurable */
|
||||
m->host = strdup(p->str);
|
||||
if(!m->host) {
|
||||
@ -7180,6 +7188,7 @@ xfer_set_masters(struct auth_master** list, struct config_auth* c,
|
||||
}
|
||||
for(p = c->allow_notify; p; p = p->next) {
|
||||
m = auth_master_new(&list);
|
||||
if(!m) return 0;
|
||||
m->allow_notify = 1;
|
||||
m->host = strdup(p->str);
|
||||
if(!m->host) {
|
||||
@ -8234,6 +8243,8 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
|
||||
int is_insecure = 0;
|
||||
/* verify the ZONEMD if present.
|
||||
* If not present check if absence is allowed by DNSSEC */
|
||||
if(!z->zonemd_check)
|
||||
return;
|
||||
|
||||
/* if zone is under a trustanchor */
|
||||
/* is it equal to trustanchor - get dnskey's verified */
|
||||
@ -8302,6 +8313,10 @@ void auth_zones_pickup_zonemd_verify(struct auth_zones* az,
|
||||
lock_rw_rdlock(&az->lock);
|
||||
RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
|
||||
lock_rw_wrlock(&z->lock);
|
||||
if(!z->zonemd_check) {
|
||||
lock_rw_unlock(&z->lock);
|
||||
continue;
|
||||
}
|
||||
key.dclass = z->dclass;
|
||||
key.namelabs = z->namelabs;
|
||||
if(z->namelen > sizeof(savezname)) {
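Review bot: The Windows-only `(void)unlink(zfilename);` added in xfr_write_after_update (hunk at -5149) removes the existing zone file before rename(), so if rename() then fails the previously good zone file is already gone and the log_err that follows does not say so. Extending that message (e.g. appending `, old zonefile already removed`) and checking the unlink result for errors other than ENOENT would stop a permission problem from being masked. The function starts and ends outside the hunk.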
|
||||
|
@ -132,6 +132,8 @@ struct auth_zone {
|
||||
/** for upstream: this zone answers queries that unbound intends to
|
||||
* send upstream. */
|
||||
int for_upstream;
|
||||
/** check ZONEMD records */
|
||||
int zonemd_check;
|
||||
/** reject absence of ZONEMD records */
|
||||
int zonemd_reject_absence;
|
||||
/** RPZ zones */
|
||||
|
3
services/cache/infra.c
@ -236,6 +236,9 @@ infra_create(struct config_file* cfg)
|
||||
sizeof(struct infra_cache));
|
||||
size_t maxmem = cfg->infra_cache_numhosts * (sizeof(struct infra_key)+
|
||||
sizeof(struct infra_data)+INFRA_BYTES_NAME);
|
||||
if(!infra) {
|
||||
return NULL;
|
||||
}
|
||||
infra->hosts = slabhash_create(cfg->infra_cache_slabs,
|
||||
INFRA_HOST_STARTSIZE, maxmem, &infra_sizefunc, &infra_compfunc,
|
||||
&infra_delkeyfunc, &infra_deldatafunc, NULL);
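Review bot: The new `if(!infra) return NULL;` in infra_create sits after the `maxmem` computation rather than directly below the calloc that produces `infra`, which is correct but separates the allocation from its check; moving it to the line after the calloc matches the pattern used elsewhere in this commit (`if(!m) return 0;` right after auth_master_new, the malloc check in pythonmod_operate). The calloc itself is just above the hunk.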
|
||||
|
@ -2678,18 +2678,45 @@ static int http2_buffer_uri_query(struct http2_session* h2_session,
|
||||
return 0;
|
||||
}
|
||||
|
||||
if(!(b64len = sldns_b64url_pton(
|
||||
(char const *)start, length,
|
||||
sldns_buffer_current(h2_stream->qbuffer),
|
||||
expectb64len)) || b64len < 0) {
|
||||
lock_basic_lock(&http2_query_buffer_count_lock);
|
||||
http2_query_buffer_count -= expectb64len;
|
||||
lock_basic_unlock(&http2_query_buffer_count_lock);
|
||||
sldns_buffer_free(h2_stream->qbuffer);
|
||||
h2_stream->qbuffer = NULL;
|
||||
/* return without error, method can be an
|
||||
* unknown POST */
|
||||
return 1;
|
||||
if(sldns_b64_contains_nonurl((char const*)start, length)) {
|
||||
char buf[65536+4];
|
||||
verbose(VERB_ALGO, "HTTP2 stream contains wrong b64 encoding");
|
||||
/* copy to the scratch buffer temporarily to terminate the
|
||||
* string with a zero */
|
||||
if(length+1 > sizeof(buf)) {
|
||||
/* too long */
|
||||
lock_basic_lock(&http2_query_buffer_count_lock);
|
||||
http2_query_buffer_count -= expectb64len;
|
||||
lock_basic_unlock(&http2_query_buffer_count_lock);
|
||||
sldns_buffer_free(h2_stream->qbuffer);
|
||||
h2_stream->qbuffer = NULL;
|
||||
return 1;
|
||||
}
|
||||
memmove(buf, start, length);
|
||||
buf[length] = 0;
|
||||
if(!(b64len = sldns_b64_pton(buf, sldns_buffer_current(
|
||||
h2_stream->qbuffer), expectb64len)) || b64len < 0) {
|
||||
lock_basic_lock(&http2_query_buffer_count_lock);
|
||||
http2_query_buffer_count -= expectb64len;
|
||||
lock_basic_unlock(&http2_query_buffer_count_lock);
|
||||
sldns_buffer_free(h2_stream->qbuffer);
|
||||
h2_stream->qbuffer = NULL;
|
||||
return 1;
|
||||
}
|
||||
} else {
|
||||
if(!(b64len = sldns_b64url_pton(
|
||||
(char const *)start, length,
|
||||
sldns_buffer_current(h2_stream->qbuffer),
|
||||
expectb64len)) || b64len < 0) {
|
||||
lock_basic_lock(&http2_query_buffer_count_lock);
|
||||
http2_query_buffer_count -= expectb64len;
|
||||
lock_basic_unlock(&http2_query_buffer_count_lock);
|
||||
sldns_buffer_free(h2_stream->qbuffer);
|
||||
h2_stream->qbuffer = NULL;
|
||||
/* return without error, method can be an
|
||||
* unknown POST */
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
sldns_buffer_skip(h2_stream->qbuffer, (size_t)b64len);
|
||||
return 1;
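Review bot: The comment `copy to the scratch buffer temporarily` in http2_buffer_uri_query does not match the code, which copies into a 64 KiB automatic array `char buf[65536+4]` on the handling thread's stack; either use a real scratch buffer or reword it, e.g. `/* copy to a stack buffer to NUL-terminate the input for sldns_b64_pton */`, and mention the stack cost. The lock/decrement/unlock/free/NULL/`return 1` sequence now appears three times in this hunk; a `static void http2_drop_qbuffer(struct http2_stream* h2_stream, size_t expectb64len)` helper would keep the counter accounting in one place. A one-line comment on why non-URL-safe base64 is accepted at all (presumably leniency toward clients sending standard base64) would stop that branch being removed by accident later. The function's start is outside the hunk.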
|
||||
|
@ -99,7 +99,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
size_t leftover;
|
||||
if(d == 0) {
|
||||
if(d <= 0) {
|
||||
avg->tv_sec = 0;
|
||||
avg->tv_usec = 0;
|
||||
return;
|
||||
@ -108,7 +108,13 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
|
||||
avg->tv_usec = sum->tv_usec / d;
|
||||
/* handle fraction from seconds divide */
|
||||
leftover = sum->tv_sec - avg->tv_sec*d;
|
||||
avg->tv_usec += (leftover*1000000)/d;
|
||||
if(leftover <= 0)
|
||||
leftover = 0;
|
||||
avg->tv_usec += (((long long)leftover)*((long long)1000000))/d;
|
||||
if(avg->tv_sec < 0)
|
||||
avg->tv_sec = 0;
|
||||
if(avg->tv_usec < 0)
|
||||
avg->tv_usec = 0;
|
||||
#endif
|
||||
}
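Review bot: In timeval_divide `leftover` is a `size_t`, so the new `if(d <= 0)` is just `d == 0` and `if(leftover <= 0) leftover = 0;` is a no-op (gcc's -Wtype-limits flags both); the case they were meant to catch, `sum->tv_sec - avg->tv_sec*d` going negative for a negative tv_sec, instead wraps to a huge unsigned value before the `(long long)` cast. If negative input is a real possibility, do the arithmetic signed: `long long leftover = (long long)sum->tv_sec - (long long)avg->tv_sec*(long long)d; if(leftover < 0) leftover = 0;`. The later `avg->tv_sec < 0` and `avg->tv_usec < 0` clamps then cover the remaining cases.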
|
||||
|
||||
|
@ -94,6 +94,10 @@ static void waiting_list_remove(struct outside_network* outnet,
|
||||
static void reuse_tcp_remove_tree_list(struct outside_network* outnet,
|
||||
struct reuse_tcp* reuse);
|
||||
|
||||
/** select a DNS ID for a TCP stream */
|
||||
static uint16_t tcp_select_id(struct outside_network* outnet,
|
||||
struct reuse_tcp* reuse);
|
||||
|
||||
int
|
||||
pending_cmp(const void* key1, const void* key2)
|
||||
{
|
||||
@ -238,7 +242,14 @@ pick_outgoing_tcp(struct pending_tcp* pend, struct waiting_tcp* w, int s)
|
||||
((struct sockaddr_in6*)&pi->addr)->sin6_port = 0;
|
||||
else ((struct sockaddr_in*)&pi->addr)->sin_port = 0;
|
||||
if(bind(s, (struct sockaddr*)&pi->addr, pi->addrlen) != 0) {
|
||||
log_err("outgoing tcp: bind: %s", sock_strerror(errno));
|
||||
#ifndef USE_WINSOCK
|
||||
#ifdef EADDRNOTAVAIL
|
||||
if(!(verbosity < 4 && errno == EADDRNOTAVAIL))
|
||||
#endif
|
||||
#else /* USE_WINSOCK */
|
||||
if(!(verbosity < 4 && WSAGetLastError() == WSAEADDRNOTAVAIL))
|
||||
#endif
|
||||
log_err("outgoing tcp: bind: %s", sock_strerror(errno));
|
||||
sock_close(s);
|
||||
return 0;
|
||||
}
|
||||
@ -399,9 +410,18 @@ static void reuse_write_wait_push_back(struct reuse_tcp* reuse,
|
||||
void
|
||||
reuse_tree_by_id_insert(struct reuse_tcp* reuse, struct waiting_tcp* w)
|
||||
{
|
||||
#ifdef UNBOUND_DEBUG
|
||||
rbnode_type* added;
|
||||
#endif
|
||||
log_assert(w->id_node.key == NULL);
|
||||
w->id_node.key = w;
|
||||
#ifdef UNBOUND_DEBUG
|
||||
added =
|
||||
#else
|
||||
(void)
|
||||
#endif
|
||||
rbtree_insert(&reuse->tree_by_id, &w->id_node);
|
||||
log_assert(added); /* should have been added */
|
||||
}
|
||||
|
||||
/** find element in tree by id */
|
||||
@ -514,7 +534,7 @@ reuse_tcp_find(struct outside_network* outnet, struct sockaddr_storage* addr,
|
||||
while(result && result != RBTREE_NULL &&
|
||||
reuse_cmp_addrportssl(result->key, &key_p.reuse) == 0) {
|
||||
if(((struct reuse_tcp*)result)->tree_by_id.count <
|
||||
MAX_REUSE_TCP_QUERIES) {
|
||||
outnet->max_reuse_tcp_queries) {
|
||||
/* same address, port, ssl-yes-or-no, and has
|
||||
* space for another query */
|
||||
return (struct reuse_tcp*)result;
|
||||
@ -745,6 +765,9 @@ use_free_buffer(struct outside_network* outnet)
|
||||
w->on_tcp_waiting_list = 0;
|
||||
reuse = reuse_tcp_find(outnet, &w->addr, w->addrlen,
|
||||
w->ssl_upstream);
|
||||
/* re-select an ID when moving to a new TCP buffer */
|
||||
w->id = tcp_select_id(outnet, reuse);
|
||||
LDNS_ID_SET(w->pkt, w->id);
|
||||
if(reuse) {
|
||||
log_reuse_tcp(VERB_CLIENT, "use free buffer for waiting tcp: "
|
||||
"found reuse", reuse);
|
||||
@ -823,8 +846,17 @@ outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w)
|
||||
static void
|
||||
reuse_tree_by_id_delete(struct reuse_tcp* reuse, struct waiting_tcp* w)
|
||||
{
|
||||
#ifdef UNBOUND_DEBUG
|
||||
rbnode_type* rem;
|
||||
#endif
|
||||
log_assert(w->id_node.key != NULL);
|
||||
#ifdef UNBOUND_DEBUG
|
||||
rem =
|
||||
#else
|
||||
(void)
|
||||
#endif
|
||||
rbtree_delete(&reuse->tree_by_id, w);
|
||||
log_assert(rem); /* should have been there */
|
||||
w->id_node.key = NULL;
|
||||
}
|
||||
|
||||
@ -1012,22 +1044,22 @@ static void reuse_cb_and_decommission(struct outside_network* outnet,
|
||||
|
||||
/** set timeout on tcp fd and setup read event to catch incoming dns msgs */
|
||||
static void
|
||||
reuse_tcp_setup_timeout(struct pending_tcp* pend_tcp)
|
||||
reuse_tcp_setup_timeout(struct pending_tcp* pend_tcp, int tcp_reuse_timeout)
|
||||
{
|
||||
log_reuse_tcp(VERB_CLIENT, "reuse_tcp_setup_timeout", &pend_tcp->reuse);
|
||||
comm_point_start_listening(pend_tcp->c, -1, REUSE_TIMEOUT);
|
||||
comm_point_start_listening(pend_tcp->c, -1, tcp_reuse_timeout);
|
||||
}
|
||||
|
||||
/** set timeout on tcp fd and setup read event to catch incoming dns msgs */
|
||||
static void
|
||||
reuse_tcp_setup_read_and_timeout(struct pending_tcp* pend_tcp)
|
||||
reuse_tcp_setup_read_and_timeout(struct pending_tcp* pend_tcp, int tcp_reuse_timeout)
|
||||
{
|
||||
log_reuse_tcp(VERB_CLIENT, "reuse_tcp_setup_readtimeout", &pend_tcp->reuse);
|
||||
sldns_buffer_clear(pend_tcp->c->buffer);
|
||||
pend_tcp->c->tcp_is_reading = 1;
|
||||
pend_tcp->c->tcp_byte_count = 0;
|
||||
comm_point_stop_listening(pend_tcp->c);
|
||||
comm_point_start_listening(pend_tcp->c, -1, REUSE_TIMEOUT);
|
||||
comm_point_start_listening(pend_tcp->c, -1, tcp_reuse_timeout);
|
||||
}
|
||||
|
||||
int
|
||||
@ -1083,7 +1115,7 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error,
|
||||
pend->reuse.cp_more_write_again = 0;
|
||||
pend->c->tcp_is_reading = 1;
|
||||
comm_point_stop_listening(pend->c);
|
||||
reuse_tcp_setup_timeout(pend);
|
||||
reuse_tcp_setup_timeout(pend, outnet->tcp_reuse_timeout);
|
||||
}
|
||||
return 0;
|
||||
} else if(error != NETEVENT_NOERROR) {
|
||||
@ -1136,7 +1168,7 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error,
|
||||
* and there could be more bytes to read on the input */
|
||||
if(pend->reuse.tree_by_id.count != 0)
|
||||
pend->reuse.cp_more_read_again = 1;
|
||||
reuse_tcp_setup_read_and_timeout(pend);
|
||||
reuse_tcp_setup_read_and_timeout(pend, outnet->tcp_reuse_timeout);
|
||||
return 0;
|
||||
}
|
||||
verbose(VERB_CLIENT, "outnet_tcp_cb reuse after cb: decommission it");
|
||||
@ -1404,7 +1436,8 @@ outside_network_create(struct comm_base *base, size_t bufsize,
|
||||
int numavailports, size_t unwanted_threshold, int tcp_mss,
|
||||
void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
|
||||
void* sslctx, int delayclose, int tls_use_sni, struct dt_env* dtenv,
|
||||
int udp_connect)
|
||||
int udp_connect, int max_reuse_tcp_queries, int tcp_reuse_timeout,
|
||||
int tcp_auth_query_timeout)
|
||||
{
|
||||
struct outside_network* outnet = (struct outside_network*)
|
||||
calloc(1, sizeof(struct outside_network));
|
||||
@ -1416,6 +1449,9 @@ outside_network_create(struct comm_base *base, size_t bufsize,
|
||||
comm_base_timept(base, &outnet->now_secs, &outnet->now_tv);
|
||||
outnet->base = base;
|
||||
outnet->num_tcp = num_tcp;
|
||||
outnet->max_reuse_tcp_queries = max_reuse_tcp_queries;
|
||||
outnet->tcp_reuse_timeout= tcp_reuse_timeout;
|
||||
outnet->tcp_auth_query_timeout = tcp_auth_query_timeout;
|
||||
outnet->num_tcp_outgoing = 0;
|
||||
outnet->infra = infra;
|
||||
outnet->rnd = rnd;
|
||||
@ -1777,14 +1813,14 @@ select_id(struct outside_network* outnet, struct pending* pend,
|
||||
sldns_buffer* packet)
|
||||
{
|
||||
int id_tries = 0;
|
||||
pend->id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff;
|
||||
pend->id = GET_RANDOM_ID(outnet->rnd);
|
||||
LDNS_ID_SET(sldns_buffer_begin(packet), pend->id);
|
||||
|
||||
/* insert in tree */
|
||||
pend->node.key = pend;
|
||||
while(!rbtree_insert(outnet->pending, &pend->node)) {
|
||||
/* change ID to avoid collision */
|
||||
pend->id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff;
|
||||
pend->id = GET_RANDOM_ID(outnet->rnd);
|
||||
LDNS_ID_SET(sldns_buffer_begin(packet), pend->id);
|
||||
id_tries++;
|
||||
if(id_tries == MAX_ID_RETRY) {
|
||||
@ -2077,6 +2113,14 @@ reuse_tcp_close_oldest(struct outside_network* outnet)
|
||||
reuse_cb_and_decommission(outnet, pend, NETEVENT_CLOSED);
|
||||
}
|
||||
|
||||
static uint16_t
|
||||
tcp_select_id(struct outside_network* outnet, struct reuse_tcp* reuse)
|
||||
{
|
||||
if(reuse)
|
||||
return reuse_tcp_select_id(reuse, outnet);
|
||||
return GET_RANDOM_ID(outnet->rnd);
|
||||
}
|
||||
|
||||
/** find spare ID value for reuse tcp stream. That is random and also does
|
||||
* not collide with an existing query ID that is in use or waiting */
|
||||
uint16_t
|
||||
@ -2090,13 +2134,13 @@ reuse_tcp_select_id(struct reuse_tcp* reuse, struct outside_network* outnet)
|
||||
|
||||
/* make really sure the tree is not empty */
|
||||
if(reuse->tree_by_id.count == 0) {
|
||||
id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff;
|
||||
id = GET_RANDOM_ID(outnet->rnd);
|
||||
return id;
|
||||
}
|
||||
|
||||
/* try to find random empty spots by picking them */
|
||||
for(i = 0; i<try_random; i++) {
|
||||
id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff;
|
||||
id = GET_RANDOM_ID(outnet->rnd);
|
||||
if(!reuse_tcp_by_id_find(reuse, id)) {
|
||||
return id;
|
||||
}
|
||||
@ -2194,9 +2238,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
|
||||
w->pkt = (uint8_t*)w + sizeof(struct waiting_tcp);
|
||||
w->pkt_len = sldns_buffer_limit(packet);
|
||||
memmove(w->pkt, sldns_buffer_begin(packet), w->pkt_len);
|
||||
if(reuse)
|
||||
w->id = reuse_tcp_select_id(reuse, sq->outnet);
|
||||
else w->id = ((unsigned)ub_random(sq->outnet->rnd)>>8) & 0xffff;
|
||||
w->id = tcp_select_id(sq->outnet, reuse);
|
||||
LDNS_ID_SET(w->pkt, w->id);
|
||||
memcpy(&w->addr, &sq->addr, sq->addrlen);
|
||||
w->addrlen = sq->addrlen;
|
||||
@ -2443,7 +2485,7 @@ reuse_tcp_remove_serviced_keep(struct waiting_tcp* w,
|
||||
if(!reuse_tcp_insert(sq->outnet, pend_tcp)) {
|
||||
return 0;
|
||||
}
|
||||
reuse_tcp_setup_timeout(pend_tcp);
|
||||
reuse_tcp_setup_timeout(pend_tcp, sq->outnet->tcp_reuse_timeout);
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
@ -2779,8 +2821,12 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
|
||||
struct comm_reply r2;
|
||||
#ifdef USE_DNSTAP
|
||||
struct waiting_tcp* w = (struct waiting_tcp*)sq->pending;
|
||||
struct pending_tcp* pend_tcp = (struct pending_tcp*)w->next_waiting;
|
||||
struct port_if* pi = pend_tcp->pi;
|
||||
struct pending_tcp* pend_tcp = NULL;
|
||||
struct port_if* pi = NULL;
|
||||
if(!w->on_tcp_waiting_list && w->next_waiting) {
|
||||
pend_tcp = (struct pending_tcp*)w->next_waiting;
|
||||
pi = pend_tcp->pi;
|
||||
}
|
||||
#endif
|
||||
sq->pending = NULL; /* removed after this callback */
|
||||
if(error != NETEVENT_NOERROR)
|
||||
@ -2793,7 +2839,7 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
|
||||
/*
|
||||
* sending src (local service)/dst (upstream) addresses over DNSTAP
|
||||
*/
|
||||
if(error==NETEVENT_NOERROR && sq->outnet->dtenv &&
|
||||
if(error==NETEVENT_NOERROR && pi && sq->outnet->dtenv &&
|
||||
(sq->outnet->dtenv->log_resolver_response_messages ||
|
||||
sq->outnet->dtenv->log_forwarder_response_messages)) {
|
||||
log_addr(VERB_ALGO, "response from upstream", &sq->addr, sq->addrlen);
|
||||
@ -2873,7 +2919,7 @@ serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff)
|
||||
sq->status==serviced_query_TCP_EDNS?"EDNS":"");
|
||||
serviced_encode(sq, buff, sq->status == serviced_query_TCP_EDNS);
|
||||
sq->last_sent_time = *sq->outnet->now_tv;
|
||||
sq->pending = pending_tcp_query(sq, buff, TCP_AUTH_QUERY_TIMEOUT,
|
||||
sq->pending = pending_tcp_query(sq, buff, sq->outnet->tcp_auth_query_timeout,
|
||||
serviced_tcp_callback, sq);
|
||||
if(!sq->pending) {
|
||||
/* delete from tree so that a retry by above layer does not
|
||||
@ -2901,10 +2947,10 @@ serviced_tcp_send(struct serviced_query* sq, sldns_buffer* buff)
|
||||
sq->last_sent_time = *sq->outnet->now_tv;
|
||||
if(sq->tcp_upstream || sq->ssl_upstream) {
|
||||
timeout = rtt;
|
||||
if(rtt >= UNKNOWN_SERVER_NICENESS && rtt < TCP_AUTH_QUERY_TIMEOUT)
|
||||
timeout = TCP_AUTH_QUERY_TIMEOUT;
|
||||
if(rtt >= UNKNOWN_SERVER_NICENESS && rtt < sq->outnet->tcp_auth_query_timeout)
|
||||
timeout = sq->outnet->tcp_auth_query_timeout;
|
||||
} else {
|
||||
timeout = TCP_AUTH_QUERY_TIMEOUT;
|
||||
timeout = sq->outnet->tcp_auth_query_timeout;
|
||||
}
|
||||
sq->pending = pending_tcp_query(sq, buff, timeout,
|
||||
serviced_tcp_callback, sq);
|
||||
|
@ -158,6 +158,12 @@ struct outside_network {
|
||||
size_t num_tcp;
|
||||
/** number of tcp communication points in use. */
|
||||
size_t num_tcp_outgoing;
|
||||
/** max number of queries on a reuse connection */
|
||||
size_t max_reuse_tcp_queries;
|
||||
/** timeout for REUSE entries in milliseconds. */
|
||||
int tcp_reuse_timeout;
|
||||
/** timeout in milliseconds for TCP queries to auth servers. */
|
||||
int tcp_auth_query_timeout;
|
||||
/**
|
||||
* tree of still-open and waiting tcp connections for reuse.
|
||||
* can be closed and reopened to get a new tcp connection.
|
||||
@ -295,11 +301,6 @@ struct reuse_tcp {
|
||||
struct outside_network* outnet;
|
||||
};
|
||||
|
||||
/** max number of queries on a reuse connection */
|
||||
#define MAX_REUSE_TCP_QUERIES 200
|
||||
/** timeout for REUSE entries in milliseconds. */
|
||||
#define REUSE_TIMEOUT 60000
|
||||
|
||||
/**
|
||||
* A query that has an answer pending for it.
|
||||
*/
|
||||
@ -540,6 +541,9 @@ struct serviced_query {
|
||||
* @param tls_use_sni: if SNI is used for TLS connections.
|
||||
* @param dtenv: environment to send dnstap events with (if enabled).
|
||||
* @param udp_connect: if the udp_connect option is enabled.
|
||||
* @param max_reuse_tcp_queries: max number of queries on a reuse connection.
|
||||
* @param tcp_reuse_timeout: timeout for REUSE entries in milliseconds.
|
||||
* @param tcp_auth_query_timeout: timeout in milliseconds for TCP queries to auth servers.
|
||||
* @return: the new structure (with no pending answers) or NULL on error.
|
||||
*/
|
||||
struct outside_network* outside_network_create(struct comm_base* base,
|
||||
@ -549,7 +553,8 @@ struct outside_network* outside_network_create(struct comm_base* base,
|
||||
int numavailports, size_t unwanted_threshold, int tcp_mss,
|
||||
void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
|
||||
void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv,
|
||||
int udp_connect);
|
||||
int udp_connect, int max_reuse_tcp_queries, int tcp_reuse_timeout,
|
||||
int tcp_auth_query_timeout);
|
||||
|
||||
/**
|
||||
* Delete outside_network structure.
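Review bot: The new `int max_reuse_tcp_queries` parameter of `outside_network_create` is stored into the `size_t max_reuse_tcp_queries` member added to `struct outside_network` (the assignment is visible in the outside_network.c section above), so a negative value arriving from configuration would wrap to a huge per-connection limit instead of being rejected. Either declare the parameter `size_t max_reuse_tcp_queries` to match the field, or state the accepted range on its doc line, e.g. `* @param max_reuse_tcp_queries: max number of queries on a reuse connection (non-negative).`, and make sure the config parser enforces it. The two timeout parameters are documented only as milliseconds; if the callers guarantee they are positive, a short note to that effect here would spare the next reader a trip to the config code.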
|
||||
|
@ -790,3 +790,18 @@ int sldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target,
|
||||
}
|
||||
return sldns_b64_pton_base(src, srcsize, target, targsize, 1);
|
||||
}
|
||||
|
||||
int sldns_b64_contains_nonurl(char const *src, size_t srcsize)
|
||||
{
|
||||
const char* s = src;
|
||||
while(*s && srcsize) {
|
||||
char d = *s++;
|
||||
srcsize--;
|
||||
/* the '+' and the '/' and padding '=' is not allowed in b64
|
||||
* url encoding */
|
||||
if(d == '+' || d == '/' || d == '=') {
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -102,6 +102,7 @@ size_t sldns_b64_pton_calculate_size(size_t srcsize);
|
||||
int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize);
|
||||
int sldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target,
|
||||
size_t targsize);
|
||||
int sldns_b64_contains_nonurl(char const *src, size_t srcsize);
|
||||
|
||||
/**
|
||||
* calculates the size needed to store the result of b32_ntop
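Review bot: The new `sldns_b64_contains_nonurl` declaration is the only prototype in this block without a doc comment, and its contract is not obvious from the name (it flags only the three characters that differ between base64 and base64url, and it stops at `srcsize` bytes or at the first NUL, whichever comes first, per the definition in parseutil.c). Add a comment above it such as `/** Return 1 if src contains '+', '/' or padding '=' (characters that are not valid base64url); scanning stops after srcsize bytes or at a NUL byte. Returns 0 otherwise. */`. It does not validate the rest of the alphabet, so a caller still needs the decoder's own rejection of other junk; saying so in the comment avoids it being used as a general validator.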
|
||||
|
@ -1078,6 +1078,10 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
|
||||
memmove(parse_state->prev_rr, rr, *dname_len);
|
||||
parse_state->prev_rr_len = (*dname_len);
|
||||
}
|
||||
if(r == LDNS_WIREPARSE_ERR_OK && parse_state) {
|
||||
parse_state->default_ttl = sldns_wirerr_get_ttl(
|
||||
rr, *len, *dname_len);
|
||||
}
|
||||
return r;
|
||||
}
|
||||
return LDNS_WIREPARSE_ERR_OK;
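Review bot: The added block copies the TTL of every successfully parsed RR into `parse_state->default_ttl`, so an RR carrying an explicit TTL overrides any earlier `$TTL` directive for all later RRs that omit theirs; RFC 2308 section 4 gives `$TTL` precedence over the last explicit TTL, with the last-RR rule being the older RFC 1035 fallback, so please confirm this precedence is intended. If `$TTL` should win, record in the parse state whether a directive has been seen and skip the assignment in that case; the parse state fields are defined outside this hunk. At minimum a comment stating the chosen rule would help, e.g. `/* the TTL of the last parsed RR is the default for following RRs without one */`. `sldns_fp2wire_rr_buf` begins and ends outside the hunk.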
|
||||
|
@ -188,7 +188,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
|
||||
{
|
||||
#ifndef S_SPLINT_S
|
||||
size_t leftover;
|
||||
if(d == 0) {
|
||||
if(d <= 0) {
|
||||
avg->tv_sec = 0;
|
||||
avg->tv_usec = 0;
|
||||
return;
|
||||
@ -197,7 +197,13 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
|
||||
avg->tv_usec = sum->tv_usec / d;
|
||||
/* handle fraction from seconds divide */
|
||||
leftover = sum->tv_sec - avg->tv_sec*d;
|
||||
avg->tv_usec += (leftover*1000000)/d;
|
||||
if(leftover <= 0)
|
||||
leftover = 0;
|
||||
avg->tv_usec += (((long long)leftover)*((long long)1000000))/d;
|
||||
if(avg->tv_sec < 0)
|
||||
avg->tv_sec = 0;
|
||||
if(avg->tv_usec < 0)
|
||||
avg->tv_usec = 0;
|
||||
#endif
|
||||
}
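Review bot: The new guard `if(leftover <= 0) leftover = 0;` can never fire, because `leftover` is declared `size_t` in the context at the top of the first hunk; a negative result of `sum->tv_sec - avg->tv_sec*d` (presumably when `sum->tv_sec` is negative) wraps to a huge unsigned value instead, and the subsequent `(long long)leftover` cast then depends on implementation-defined conversion to turn it back into a small negative number, and compilers with `-Wtype-limits` will warn about the comparison. Declare it signed so the check means what it says: `long long leftover;` with the rest of the hunk unchanged. The `d <= 0` change at the top is good; with a signed `leftover` the trailing `avg->tv_usec < 0` clamp becomes the documented place negative input is absorbed, which deserves a one-line comment. `timeval_divide` continues outside the hunks.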
|
||||
|
||||
|
@ -347,7 +347,10 @@ static volatile int do_quit = 0;
|
||||
/** signal handler for user quit */
|
||||
static RETSIGTYPE delayer_sigh(int sig)
|
||||
{
|
||||
printf("exit on signal %d\n", sig);
|
||||
char str[] = "exit on signal \n";
|
||||
str[15] = '0' + (sig/10)%10;
|
||||
str[16] = '0' + sig%10;
|
||||
write(STDOUT_FILENO, str, strlen(str));
|
||||
do_quit = 1;
|
||||
}
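Review bot: The handler calls `strlen(str)` on a buffer whose length is known at compile time and ignores the result of `write()`, the one signal the handler could get that the message was not delivered. Use the array size directly, `write(STDOUT_FILENO, str, sizeof(str)-1);`, which also drops a library call from the signal handler, and handle or explicitly discard the return value the way the rest of the project does. The two-digit formatting assumes `sig < 100`, which holds for every signal number on supported platforms but is worth a comment such as `/* two decimal digits: signal numbers are below 100 */`.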
|
||||
|
||||
|
@ -1,5 +1,11 @@
|
||||
#!/usr/bin/env bash
|
||||
. testdata/common.sh
|
||||
quiet=0
|
||||
if test "$1" = "-q"; then
|
||||
quiet=1
|
||||
tdirarg="-q"
|
||||
shift
|
||||
fi
|
||||
|
||||
NEED_SPLINT='00-lint.tdir'
|
||||
NEED_DOXYGEN='01-doc.tdir'
|
||||
@ -33,7 +39,7 @@ fi
|
||||
export -n NOTIFY_SOCKET
|
||||
|
||||
cd testdata;
|
||||
sh ../testcode/mini_tdir.sh clean
|
||||
sh ../testcode/mini_tdir.sh $tdirarg clean
|
||||
rm -f .perfstats.txt
|
||||
for test in `ls -d *.tdir`; do
|
||||
SKIP=0
|
||||
@ -57,10 +63,10 @@ for test in `ls -d *.tdir`; do
|
||||
fi
|
||||
if test $SKIP -eq 0; then
|
||||
echo $test
|
||||
sh ../testcode/mini_tdir.sh -a ../.. exe $test
|
||||
sh ../testcode/mini_tdir.sh -a ../.. $tdirarg exe $test
|
||||
else
|
||||
echo "skip $test"
|
||||
fi
|
||||
done
|
||||
sh ../testcode/mini_tdir.sh report
|
||||
sh ../testcode/mini_tdir.sh $tdirarg report
|
||||
cat .perfstats.txt
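Review bot: `tdirarg` is only assigned inside the `-q` branch and is then expanded unquoted three times further down, so the script relies on an unset variable expanding to nothing; under `set -u`, or if someone later quotes the expansion, the non-quiet path breaks. Initialise it next to `quiet=0`: `tdirarg=""`. `quiet` itself is set but, in the visible hunks, never read; if it is only a mirror of `tdirarg` consider dropping it here.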
|
||||
|
@ -423,6 +423,7 @@ http2_session_create()
|
||||
|
||||
if(nghttp2_session_callbacks_new(&callbacks) == NGHTTP2_ERR_NOMEM) {
|
||||
log_err("failed to initialize nghttp2 callback");
|
||||
free(h2_session);
|
||||
return NULL;
|
||||
}
|
||||
nghttp2_session_callbacks_set_recv_callback(callbacks, http2_recv_cb);
|
||||
@ -501,7 +502,9 @@ run(struct http2_session* h2_session, int port, int no_tls, int count, char** q)
|
||||
if(!no_tls) {
|
||||
ctx = connect_sslctx_create(NULL, NULL, NULL, 0);
|
||||
if(!ctx) fatal_exit("cannot create ssl ctx");
|
||||
#ifdef HAVE_SSL_CTX_SET_ALPN_PROTOS
|
||||
SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)"\x02h2", 3);
|
||||
#endif
|
||||
ssl = outgoing_ssl_fd(ctx, fd);
|
||||
if(!ssl) {
|
||||
printf("cannot create ssl\n");
|
||||
@ -620,7 +623,25 @@ int main(int argc, char** argv)
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
if(!no_tls) {
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
|
||||
ERR_load_SSL_strings();
|
||||
#endif
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
|
||||
# ifndef S_SPLINT_S
|
||||
OpenSSL_add_all_algorithms();
|
||||
# endif
|
||||
#else
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
|
||||
| OPENSSL_INIT_ADD_ALL_DIGESTS
|
||||
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
|
||||
#endif
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
|
||||
(void)SSL_library_init();
|
||||
#else
|
||||
(void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
|
||||
#endif
|
||||
}
|
||||
run(h2_session, port, no_tls, argc, argv);
|
||||
|
||||
checklock_stop();
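Review bot: The return value of `SSL_CTX_set_alpn_protos` in `run()` is ignored, and that function uses the inverted convention of returning 0 on success and non-zero on failure, so a failure to install the ALPN list silently continues with a TLS session that may never negotiate `h2`. Check it like the other setup calls in the same block: `if(SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)"\x02h2", 3) != 0) fatal_exit("cannot set ALPN protocol list");`. After the handshake (outside this hunk, if it is not already done) the client should also confirm that `h2` was selected, since a server that does not offer it will otherwise receive HTTP/2 frames on an HTTP/1.1 connection. The context object is created with `connect_sslctx_create(NULL, NULL, NULL, 0)`, i.e. without a CA bundle, which is acceptable for a test client but should be stated in a comment.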
|
||||
|
@ -451,6 +451,8 @@ fake_front_query(struct replay_runtime* runtime, struct replay_moment *todo)
|
||||
struct comm_reply repinfo;
|
||||
memset(&repinfo, 0, sizeof(repinfo));
|
||||
repinfo.c = (struct comm_point*)calloc(1, sizeof(struct comm_point));
|
||||
if(!repinfo.c)
|
||||
fatal_exit("out of memory in fake_front_query");
|
||||
repinfo.addrlen = (socklen_t)sizeof(struct sockaddr_in);
|
||||
if(todo->addrlen != 0) {
|
||||
repinfo.addrlen = todo->addrlen;
|
||||
@ -597,7 +599,7 @@ autotrust_check(struct replay_runtime* runtime, struct replay_moment* mom)
|
||||
log_err("should be: %s", p->str);
|
||||
fatal_exit("autotrust_check failed");
|
||||
}
|
||||
if(line[0]) line[strlen(line)-1] = 0; /* remove newline */
|
||||
strip_end_white(line);
|
||||
expanded = macro_process(runtime->vars, runtime, p->str);
|
||||
if(!expanded)
|
||||
fatal_exit("could not expand macro line %d", lineno);
|
||||
@ -650,7 +652,7 @@ tempfile_check(struct replay_runtime* runtime, struct replay_moment* mom)
|
||||
log_err("should be: %s", p->str);
|
||||
fatal_exit("tempfile_check failed");
|
||||
}
|
||||
if(line[0]) line[strlen(line)-1] = 0; /* remove newline */
|
||||
strip_end_white(line);
|
||||
expanded = macro_process(runtime->vars, runtime, p->str);
|
||||
if(!expanded)
|
||||
fatal_exit("could not expand macro line %d", lineno);
|
||||
@ -909,6 +911,8 @@ comm_base_create(int ATTR_UNUSED(sigs))
|
||||
/* we return the runtime structure instead. */
|
||||
struct replay_runtime* runtime = (struct replay_runtime*)
|
||||
calloc(1, sizeof(struct replay_runtime));
|
||||
if(!runtime)
|
||||
fatal_exit("out of memory in fake_event.c:comm_base_create");
|
||||
runtime->scenario = saved_scenario;
|
||||
runtime->vars = macro_store_create();
|
||||
if(!runtime->vars) fatal_exit("out of memory");
|
||||
@ -1046,7 +1050,9 @@ outside_network_create(struct comm_base* base, size_t bufsize,
|
||||
void (*unwanted_action)(void*), void* ATTR_UNUSED(unwanted_param),
|
||||
int ATTR_UNUSED(do_udp), void* ATTR_UNUSED(sslctx),
|
||||
int ATTR_UNUSED(delayclose), int ATTR_UNUSED(tls_use_sni),
|
||||
struct dt_env* ATTR_UNUSED(dtenv), int ATTR_UNUSED(udp_connect))
|
||||
struct dt_env* ATTR_UNUSED(dtenv), int ATTR_UNUSED(udp_connect),
|
||||
int ATTR_UNUSED(max_reuse_tcp_queries), int ATTR_UNUSED(tcp_reuse_timeout),
|
||||
int ATTR_UNUSED(tcp_auth_query_timeout))
|
||||
{
|
||||
struct replay_runtime* runtime = (struct replay_runtime*)base;
|
||||
struct outside_network* outnet = calloc(1,
|
||||
@ -1532,6 +1538,8 @@ struct comm_timer* comm_timer_create(struct comm_base* base,
|
||||
{
|
||||
struct replay_runtime* runtime = (struct replay_runtime*)base;
|
||||
struct fake_timer* t = (struct fake_timer*)calloc(1, sizeof(*t));
|
||||
if(!t)
|
||||
fatal_exit("out of memory in fake_event.c:comm_timer_create");
|
||||
t->cb = cb;
|
||||
t->cb_arg = cb_arg;
|
||||
fptr_ok(fptr_whitelist_comm_timer(t->cb)); /* check in advance */
|
||||
@ -1709,7 +1717,7 @@ struct comm_point* outnet_comm_point_for_tcp(struct outside_network* outnet,
|
||||
addr_to_str((struct sockaddr_storage*)to_addr, to_addrlen,
|
||||
addrbuf, sizeof(addrbuf));
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
if(buf[0] != 0) buf[strlen(buf)-1] = 0; /* del newline*/
|
||||
strip_end_white(buf);
|
||||
log_info("tcp to %s: %s", addrbuf, buf);
|
||||
}
|
||||
log_assert(sldns_buffer_limit(query)-LDNS_HEADER_SIZE >= 2);
|
||||
@ -1799,7 +1807,7 @@ int comm_point_send_udp_msg(struct comm_point *c, sldns_buffer* packet,
|
||||
addr_to_str((struct sockaddr_storage*)addr, addrlen,
|
||||
addrbuf, sizeof(addrbuf));
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
if(buf[0] != 0) buf[strlen(buf)-1] = 0; /* del newline*/
|
||||
strip_end_white(buf);
|
||||
log_info("udp to %s: %s", addrbuf, buf);
|
||||
}
|
||||
log_assert(sldns_buffer_limit(packet)-LDNS_HEADER_SIZE >= 2);
|
||||
|
@ -5,14 +5,23 @@ if test "$1" = "-a"; then
|
||||
shift
|
||||
shift
|
||||
fi
|
||||
|
||||
quiet=0
|
||||
if test "$1" = "-q"; then
|
||||
quiet=1
|
||||
shift
|
||||
fi
|
||||
|
||||
if test "$1" = "clean"; then
|
||||
echo "rm -f result.* .done* .tdir.var.master .tdir.var.test"
|
||||
if test $quiet = 0; then
|
||||
echo "rm -f result.* .done* .tdir.var.master .tdir.var.test"
|
||||
fi
|
||||
rm -f result.* .done* .tdir.var.master .tdir.var.test
|
||||
exit 0
|
||||
fi
|
||||
if test "$1" = "fake"; then
|
||||
echo "minitdir fake $2"
|
||||
if test $quiet = 0; then
|
||||
echo "minitdir fake $2"
|
||||
fi
|
||||
echo "fake" > .done-`basename $2 .tdir`
|
||||
exit 0
|
||||
fi
|
||||
@ -37,7 +46,7 @@ if test "$1" = "-f" && test "$2" = "report"; then
|
||||
desc=`grep ^Description: "result.$name" | sed -e 's/Description: //'`
|
||||
fi
|
||||
if test -f ".done-$name"; then
|
||||
if test "$1" != "-q"; then
|
||||
if test $quiet = 0; then
|
||||
echo "** PASSED ** $timelen $name: $desc"
|
||||
pass=`expr $pass + 1`
|
||||
fi
|
||||
@ -65,7 +74,7 @@ if test "$1" = "report" || test "$2" = "report"; then
|
||||
for result in *.tdir; do
|
||||
name=`basename $result .tdir`
|
||||
if test -f ".done-$name"; then
|
||||
if test "$1" != "-q"; then
|
||||
if test $quiet = 0; then
|
||||
echo "** PASSED ** : $name"
|
||||
fi
|
||||
else
|
||||
@ -82,9 +91,9 @@ fi
|
||||
if test "$1" != 'exe'; then
|
||||
# usage
|
||||
echo "mini tdir. Reduced functionality for old shells."
|
||||
echo " tdir exe <file>"
|
||||
echo " tdir fake <file>"
|
||||
echo " tdir clean"
|
||||
echo " tdir [-q] exe <file>"
|
||||
echo " tdir [-q] fake <file>"
|
||||
echo " tdir [-q] clean"
|
||||
echo " tdir [-q|-f] report"
|
||||
exit 1
|
||||
fi
|
||||
@ -117,7 +126,9 @@ if test -f .done-$name; then
|
||||
fi
|
||||
|
||||
# Copy
|
||||
echo "minitdir copy $1 to $dir"
|
||||
if test $quiet = 0; then
|
||||
echo "minitdir copy $1 to $dir"
|
||||
fi
|
||||
mkdir $dir
|
||||
if cp --help 2>&1 | grep -- "-a" >/dev/null; then
|
||||
cp -a $name.tdir/* $dir/
|
||||
@ -131,7 +142,9 @@ echo "minitdir exe $name" > $result
|
||||
grep "Description:" $name.dsc >> $result 2>&1
|
||||
echo "DateRunStart: "`date "+%s" 2>/dev/null` >> $result
|
||||
if test -f $name.pre; then
|
||||
echo "minitdir exe $name.pre"
|
||||
if test $quiet = 0; then
|
||||
echo "minitdir exe $name.pre"
|
||||
fi
|
||||
echo "minitdir exe $name.pre" >> $result
|
||||
$shell $name.pre $args >> $result
|
||||
if test $? -ne 0; then
|
||||
@ -139,7 +152,9 @@ if test -f $name.pre; then
|
||||
fi
|
||||
fi
|
||||
if test -f $name.test; then
|
||||
echo "minitdir exe $name.test"
|
||||
if test $quiet = 0; then
|
||||
echo "minitdir exe $name.test"
|
||||
fi
|
||||
echo "minitdir exe $name.test" >> $result
|
||||
$shell $name.test $args >>$result 2>&1
|
||||
if test $? -ne 0; then
|
||||
@ -149,12 +164,16 @@ if test -f $name.test; then
|
||||
else
|
||||
echo "$name: PASSED" >> $result
|
||||
echo "$name: PASSED" > ../.done-$name
|
||||
echo "$name: PASSED"
|
||||
if test $quiet = 0; then
|
||||
echo "$name: PASSED"
|
||||
fi
|
||||
success="yes"
|
||||
fi
|
||||
fi
|
||||
if test -f $name.post; then
|
||||
echo "minitdir exe $name.post"
|
||||
if test $quiet = 0; then
|
||||
echo "minitdir exe $name.post"
|
||||
fi
|
||||
echo "minitdir exe $name.post" >> $result
|
||||
$shell $name.post $args >> $result
|
||||
if test $? -ne 0; then
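Review bot: In the `-f report` branch the `pass=\`expr $pass + 1\`` increment sits inside the `if test $quiet = 0` block together with the `echo`, so a quiet run never counts passed tests and any summary derived from `$pass` later in the script (outside this section) under-reports. Move the increment after the `fi` so only the output is suppressed: `pass=\`expr $pass + 1\``. The same structure existed with the old `"$1" != "-q"` test, but this commit formalises the option and is the natural moment to separate counting from printing.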
|
||||
|
@ -124,8 +124,7 @@ replay_range_delete(struct replay_range* rng)
|
||||
free(rng);
|
||||
}
|
||||
|
||||
/** strip whitespace from end of string */
|
||||
static void
|
||||
void
|
||||
strip_end_white(char* p)
|
||||
{
|
||||
size_t i;
|
||||
@ -227,7 +226,7 @@ read_file_content(FILE* in, int* lineno, struct replay_moment* mom)
|
||||
if(strncmp(line, "FILE_END", 8) == 0) {
|
||||
return;
|
||||
}
|
||||
if(line[0]) line[strlen(line)-1] = 0; /* remove newline */
|
||||
strip_end_white(line);
|
||||
if(!cfg_strlist_insert(last, strdup(line)))
|
||||
fatal_exit("malloc failure");
|
||||
last = &( (*last)->next );
|
||||
@ -249,7 +248,7 @@ read_assign_step(char* remain, struct replay_moment* mom)
|
||||
if(eq != '=')
|
||||
fatal_exit("no '=' in assign: %s", remain);
|
||||
remain += skip;
|
||||
if(remain[0]) remain[strlen(remain)-1]=0; /* remove newline */
|
||||
strip_end_white(remain);
|
||||
mom->string = strdup(remain);
|
||||
if(!mom->variable || !mom->string)
|
||||
fatal_exit("out of memory");
|
||||
@ -318,8 +317,7 @@ replay_moment_read(char* remain, FILE* in, const char* name,
|
||||
mom->evt_type = repevt_autotrust_check;
|
||||
while(isspace((unsigned char)*remain))
|
||||
remain++;
|
||||
if(strlen(remain)>0 && remain[strlen(remain)-1]=='\n')
|
||||
remain[strlen(remain)-1] = 0;
|
||||
strip_end_white(remain);
|
||||
mom->autotrust_id = strdup(remain);
|
||||
if(!mom->autotrust_id) fatal_exit("out of memory");
|
||||
read_file_content(in, &pstate->lineno, mom);
|
||||
@ -327,8 +325,7 @@ replay_moment_read(char* remain, FILE* in, const char* name,
|
||||
mom->evt_type = repevt_tempfile_check;
|
||||
while(isspace((unsigned char)*remain))
|
||||
remain++;
|
||||
if(strlen(remain)>0 && remain[strlen(remain)-1]=='\n')
|
||||
remain[strlen(remain)-1] = 0;
|
||||
strip_end_white(remain);
|
||||
mom->autotrust_id = strdup(remain);
|
||||
if(!mom->autotrust_id) fatal_exit("out of memory");
|
||||
read_file_content(in, &pstate->lineno, mom);
|
||||
@ -359,8 +356,7 @@ replay_moment_read(char* remain, FILE* in, const char* name,
|
||||
m++;
|
||||
if(!extstrtoaddr(s, &mom->addr, &mom->addrlen))
|
||||
fatal_exit("bad infra_rtt address %s", s);
|
||||
if(strlen(m)>0 && m[strlen(m)-1]=='\n')
|
||||
m[strlen(m)-1] = 0;
|
||||
strip_end_white(m);
|
||||
mom->variable = strdup(remain);
|
||||
mom->string = strdup(m);
|
||||
if(!mom->string) fatal_exit("out of memory");
|
||||
@ -375,8 +371,7 @@ replay_moment_read(char* remain, FILE* in, const char* name,
|
||||
if(parse_keyword(&remain, "ADDRESS")) {
|
||||
while(isspace((unsigned char)*remain))
|
||||
remain++;
|
||||
if(strlen(remain) > 0) /* remove \n */
|
||||
remain[strlen(remain)-1] = 0;
|
||||
strip_end_white(remain);
|
||||
if(!extstrtoaddr(remain, &mom->addr, &mom->addrlen)) {
|
||||
log_err("line %d: could not parse ADDRESS: %s",
|
||||
pstate->lineno, remain);
|
||||
@ -693,7 +688,11 @@ do_macro_ctime(char* arg)
|
||||
return NULL;
|
||||
}
|
||||
ctime_r(&tt, buf);
|
||||
if(buf[0]) buf[strlen(buf)-1]=0; /* remove trailing newline */
|
||||
#ifdef USE_WINSOCK
|
||||
if(strlen(buf) > 10 && buf[7]==' ' && buf[8]=='0')
|
||||
buf[8]=' '; /* fix error in windows ctime */
|
||||
#endif
|
||||
strip_end_white(buf);
|
||||
return strdup(buf);
|
||||
}
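Review bot: `ctime_r(&tt, buf)` is still called without checking its result before the new `strip_end_white(buf)` runs, and on some platforms it returns NULL and leaves `buf` untouched (glibc does so when the year does not fit), so `strlen` inside `strip_end_white` would then read an uninitialised buffer. Guard it so a bad macro argument fails like the error path just above instead of being undefined behaviour: `if(!ctime_r(&tt, buf)) return NULL;`. The start of `do_macro_ctime` is outside the hunk, so I cannot see whether `buf` is zero-initialised there; even if it is, the explicit check is the clearer contract.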
|
||||
|
||||
|
@ -425,6 +425,9 @@ int replay_var_compare(const void* a, const void* b);
|
||||
/** get oldest enabled fake timer */
|
||||
struct fake_timer* replay_get_oldest_timer(struct replay_runtime* runtime);
|
||||
|
||||
/** strip whitespace from end of string */
|
||||
void strip_end_white(char* p);
|
||||
|
||||
/**
|
||||
* Create variable storage
|
||||
* @return new or NULL on failure.
|
||||
|
@ -397,11 +397,15 @@ send_em(const char* svr, int udp, int usessl, int noanswer, int onarrival,
|
||||
/** SIGPIPE handler */
|
||||
static RETSIGTYPE sigh(int sig)
|
||||
{
|
||||
char str[] = "Got unhandled signal \n";
|
||||
if(sig == SIGPIPE) {
|
||||
printf("got SIGPIPE, remote connection gone\n");
|
||||
char* strpipe = "got SIGPIPE, remote connection gone\n";
|
||||
write(STDOUT_FILENO, strpipe, strlen(strpipe));
|
||||
exit(1);
|
||||
}
|
||||
printf("Got unhandled signal %d\n", sig);
|
||||
str[21] = '0' + (sig/10)%10;
|
||||
str[22] = '0' + sig%10;
|
||||
write(STDOUT_FILENO, str, strlen(str));
|
||||
exit(1);
|
||||
}
|
||||
#endif /* SIGPIPE */
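Review bot: Both paths of the handler still call `exit(1)`, which is not async-signal-safe (it runs atexit handlers and flushes stdio, the same machinery the switch from `printf` to `write` is meant to avoid), so the change only moves the hazard; use `_exit(1)` in a signal handler. The literal should also be bound to a const array rather than a `char*`, e.g. `static const char strpipe[] = "got SIGPIPE, remote connection gone\n";` followed by `write(STDOUT_FILENO, strpipe, sizeof(strpipe)-1);`, which drops the `strlen` call as well and avoids a `-Wwrite-strings` warning. The two-digit formatting of `sig` assumes signal numbers below 100, which holds on supported platforms but merits a short comment.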
|
||||
|
@ -168,7 +168,7 @@ spool_temp_file_name(int* lineno, FILE* cfg, char* id)
|
||||
id++;
|
||||
if(*id == '\0')
|
||||
fatal_exit("TEMPFILE_NAME must have id, line %d", *lineno);
|
||||
id[strlen(id)-1]=0; /* remove newline */
|
||||
strip_end_white(id);
|
||||
fake_temp_file("_temp_", id, line, sizeof(line));
|
||||
fprintf(cfg, "\"%s\"\n", line);
|
||||
}
|
||||
@ -185,7 +185,7 @@ spool_temp_file(FILE* in, int* lineno, char* id)
|
||||
id++;
|
||||
if(*id == '\0')
|
||||
fatal_exit("TEMPFILE_CONTENTS must have id, line %d", *lineno);
|
||||
id[strlen(id)-1]=0; /* remove newline */
|
||||
strip_end_white(id);
|
||||
fake_temp_file("_temp_", id, line, sizeof(line));
|
||||
/* open file and spool to it */
|
||||
spool = fopen(line, "w");
|
||||
@ -205,7 +205,7 @@ spool_temp_file(FILE* in, int* lineno, char* id)
|
||||
char* tid = parse+17;
|
||||
while(isspace((unsigned char)*tid))
|
||||
tid++;
|
||||
tid[strlen(tid)-1]=0; /* remove newline */
|
||||
strip_end_white(tid);
|
||||
fake_temp_file("_temp_", tid, l2, sizeof(l2));
|
||||
snprintf(line, sizeof(line), "$INCLUDE %s\n", l2);
|
||||
}
|
||||
@ -230,7 +230,7 @@ spool_auto_file(FILE* in, int* lineno, FILE* cfg, char* id)
|
||||
id++;
|
||||
if(*id == '\0')
|
||||
fatal_exit("AUTROTRUST_FILE must have id, line %d", *lineno);
|
||||
id[strlen(id)-1]=0; /* remove newline */
|
||||
strip_end_white(id);
|
||||
fake_temp_file("_auto_", id, line, sizeof(line));
|
||||
/* add option for the file */
|
||||
fprintf(cfg, "server: auto-trust-anchor-file: \"%s\"\n", line);
|
||||
@ -279,6 +279,7 @@ setup_config(FILE* in, int* lineno, int* pass_argc, char* pass_argv[])
|
||||
fprintf(cfg, " username: \"\"\n");
|
||||
fprintf(cfg, " pidfile: \"\"\n");
|
||||
fprintf(cfg, " val-log-level: 2\n");
|
||||
fprintf(cfg, " log-servfail: yes\n");
|
||||
fprintf(cfg, "remote-control: control-enable: no\n");
|
||||
while(fgets(line, MAX_LINE_LEN-1, in)) {
|
||||
parse = line;
|
||||
|
@ -468,8 +468,13 @@ tmpfilecleanup(void)
|
||||
int i;
|
||||
char buf[256];
|
||||
for(i=0; i<tempno; i++) {
|
||||
#ifdef USE_WINSOCK
|
||||
snprintf(buf, sizeof(buf), "unbound.unittest.%u.%d",
|
||||
(unsigned)getpid(), i);
|
||||
#else
|
||||
snprintf(buf, sizeof(buf), "/tmp/unbound.unittest.%u.%d",
|
||||
(unsigned)getpid(), i);
|
||||
#endif
|
||||
if(vbmp) printf("cleanup: unlink %s\n", buf);
|
||||
unlink(buf);
|
||||
}
|
||||
@ -483,8 +488,13 @@ create_tmp_file(const char* s)
|
||||
char *fname;
|
||||
FILE *out;
|
||||
size_t r;
|
||||
#ifdef USE_WINSOCK
|
||||
snprintf(buf, sizeof(buf), "unbound.unittest.%u.%d",
|
||||
(unsigned)getpid(), tempno++);
|
||||
#else
|
||||
snprintf(buf, sizeof(buf), "/tmp/unbound.unittest.%u.%d",
|
||||
(unsigned)getpid(), tempno++);
|
||||
#endif
|
||||
fname = strdup(buf);
|
||||
if(!fname) fatal_exit("out of memory");
|
||||
/* if no string, just make the name */
|
||||
|
@ -82,6 +82,7 @@ static void zonemd_generate_test(const char* zname, char* zfile,
|
||||
/* read file */
|
||||
z = authtest_addzone(az, zname, zfile);
|
||||
unit_assert(z);
|
||||
z->zonemd_check = 1;
|
||||
|
||||
/* create zonemd digest */
|
||||
result = auth_zone_generate_zonemd_hash(z, scheme, hashalgo,
|
||||
@ -196,6 +197,7 @@ static void zonemd_check_test(void)
|
||||
/* read file */
|
||||
z = authtest_addzone(az, zname, zfile);
|
||||
unit_assert(z);
|
||||
z->zonemd_check = 1;
|
||||
hashlen = sizeof(hash);
|
||||
if(sldns_str2wire_hex_buf(digest, hash, &hashlen) != 0) {
|
||||
unit_assert(0); /* parse failure */
|
||||
@ -291,6 +293,7 @@ static void zonemd_verify_test(char* zname, char* zfile, char* tastr,
|
||||
|
||||
/* test */
|
||||
lock_rw_wrlock(&z->lock);
|
||||
z->zonemd_check = 1;
|
||||
auth_zone_verify_zonemd(z, &env, &mods, &result, 1, 0);
|
||||
lock_rw_unlock(&z->lock);
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
|
1
testdata/auth_zonemd_anchor.rpl
vendored
1
testdata/auth_zonemd_anchor.rpl
vendored
@ -24,6 +24,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_anchor_fail.rpl
vendored
1
testdata/auth_zonemd_anchor_fail.rpl
vendored
@ -27,6 +27,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_chain.rpl
vendored
1
testdata/auth_zonemd_chain.rpl
vendored
@ -24,6 +24,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_chain_fail.rpl
vendored
1
testdata/auth_zonemd_chain_fail.rpl
vendored
@ -24,6 +24,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_file.rpl
vendored
1
testdata/auth_zonemd_file.rpl
vendored
@ -21,6 +21,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_file_fail.rpl
vendored
1
testdata/auth_zonemd_file_fail.rpl
vendored
@ -21,6 +21,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_insecure.rpl
vendored
1
testdata/auth_zonemd_insecure.rpl
vendored
@ -24,6 +24,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_insecure_absent.rpl
vendored
1
testdata/auth_zonemd_insecure_absent.rpl
vendored
@ -24,6 +24,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
@ -7,6 +7,7 @@ server:
|
||||
|
||||
auth-zone:
|
||||
name: "example.com."
|
||||
zonemd-check: yes
|
||||
zonemd-reject-absence: yes
|
||||
## zonefile (or none).
|
||||
## zonefile: "example.com.zone"
|
||||
|
1
testdata/auth_zonemd_insecure_fail.rpl
vendored
1
testdata/auth_zonemd_insecure_fail.rpl
vendored
@ -24,6 +24,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_nokey.rpl
vendored
1
testdata/auth_zonemd_nokey.rpl
vendored
@ -24,6 +24,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_permissive_mode.rpl
vendored
1
testdata/auth_zonemd_permissive_mode.rpl
vendored
@ -22,6 +22,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_xfr.rpl
vendored
1
testdata/auth_zonemd_xfr.rpl
vendored
@ -22,6 +22,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_xfr_anchor.rpl
vendored
1
testdata/auth_zonemd_xfr_anchor.rpl
vendored
@ -25,6 +25,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_xfr_anchor_fail.rpl
vendored
1
testdata/auth_zonemd_xfr_anchor_fail.rpl
vendored
@ -25,6 +25,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_xfr_chain.rpl
vendored
1
testdata/auth_zonemd_xfr_chain.rpl
vendored
@ -25,6 +25,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_xfr_chain_fail.rpl
vendored
1
testdata/auth_zonemd_xfr_chain_fail.rpl
vendored
@ -25,6 +25,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
1
testdata/auth_zonemd_xfr_fail.rpl
vendored
1
testdata/auth_zonemd_xfr_fail.rpl
vendored
@ -22,6 +22,7 @@ auth-zone:
|
||||
## on failures with for-upstream, fallback to sending queries to
|
||||
## the authority servers
|
||||
## fallback-enabled: no
|
||||
zonemd-check: yes
|
||||
|
||||
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
|
||||
zonefile:
|
||||
|
0
testdata/root_key_sentinel.rpl
vendored
Executable file → Normal file
0
testdata/root_key_sentinel.rpl
vendored
Executable file → Normal file
@ -19,4 +19,5 @@ auth-zone:
|
||||
for-upstream: yes
|
||||
for-downstream: yes
|
||||
zonefile: "zonemd_reload.zone"
|
||||
zonemd-check: yes
|
||||
#master: "127.0.0.1@@TOPORT@"
|
||||
|
@ -105,11 +105,14 @@ config_create(void)
|
||||
cfg->do_ip6 = 1;
|
||||
cfg->do_udp = 1;
|
||||
cfg->do_tcp = 1;
|
||||
cfg->tcp_reuse_timeout = 60 * 1000; /* 60s in milisecs */
|
||||
cfg->max_reuse_tcp_queries = 200;
|
||||
cfg->tcp_upstream = 0;
|
||||
cfg->udp_upstream_without_downstream = 0;
|
||||
cfg->tcp_mss = 0;
|
||||
cfg->outgoing_tcp_mss = 0;
|
||||
cfg->tcp_idle_timeout = 30 * 1000; /* 30s in millisecs */
|
||||
cfg->tcp_auth_query_timeout = 3 * 1000; /* 3s in millisecs */
|
||||
cfg->do_tcp_keepalive = 0;
|
||||
cfg->tcp_keepalive_timeout = 120 * 1000; /* 120s in millisecs */
|
||||
cfg->ssl_service_key = NULL;
|
||||
@ -250,6 +253,7 @@ config_create(void)
|
||||
cfg->val_date_override = 0;
|
||||
cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */
|
||||
cfg->val_sig_skew_max = 86400; /* at most timezone settings trouble */
|
||||
cfg->val_max_restart = 5;
|
||||
cfg->val_clean_additional = 1;
|
||||
cfg->val_log_level = 0;
|
||||
cfg->val_log_squelch = 0;
|
||||
@ -306,7 +310,7 @@ config_create(void)
|
||||
if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit;
|
||||
#endif
|
||||
if(!(cfg->val_nsec3_key_iterations =
|
||||
strdup("1024 150 2048 500 4096 2500"))) goto error_exit;
|
||||
strdup("1024 150 2048 150 4096 150"))) goto error_exit;
|
||||
#if defined(DNSTAP_SOCKET_PATH)
|
||||
if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH)))
|
||||
goto error_exit;
|
||||
@ -517,7 +521,10 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
udp_upstream_without_downstream)
|
||||
else S_NUMBER_NONZERO("tcp-mss:", tcp_mss)
|
||||
else S_NUMBER_NONZERO("outgoing-tcp-mss:", outgoing_tcp_mss)
|
||||
else S_NUMBER_NONZERO("tcp-auth-query-timeout:", tcp_auth_query_timeout)
|
||||
else S_NUMBER_NONZERO("tcp-idle-timeout:", tcp_idle_timeout)
|
||||
else S_NUMBER_NONZERO("max-reuse-tcp-queries:", max_reuse_tcp_queries)
|
||||
else S_NUMBER_NONZERO("tcp-reuse-timeout:", tcp_reuse_timeout)
|
||||
else S_YNO("edns-tcp-keepalive:", do_tcp_keepalive)
|
||||
else S_NUMBER_NONZERO("edns-tcp-keepalive-timeout:", tcp_keepalive_timeout)
|
||||
else S_YNO("ssl-upstream:", ssl_upstream)
|
||||
@ -758,12 +765,14 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
#endif
|
||||
else if(strcmp(opt, "define-tag:") ==0) {
|
||||
return config_add_tag(cfg, val);
|
||||
/* val_sig_skew_min and max are copied into val_env during init,
|
||||
* so this does not update val_env with set_option */
|
||||
/* val_sig_skew_min, max and val_max_restart are copied into val_env
|
||||
* during init so this does not update val_env with set_option */
|
||||
} else if(strcmp(opt, "val-sig-skew-min:") == 0)
|
||||
{ IS_NUMBER_OR_ZERO; cfg->val_sig_skew_min = (int32_t)atoi(val); }
|
||||
else if(strcmp(opt, "val-sig-skew-max:") == 0)
|
||||
{ IS_NUMBER_OR_ZERO; cfg->val_sig_skew_max = (int32_t)atoi(val); }
|
||||
else if(strcmp(opt, "val-max-restart:") == 0)
|
||||
{ IS_NUMBER_OR_ZERO; cfg->val_max_restart = (int32_t)atoi(val); }
|
||||
else if (strcmp(opt, "outgoing-interface:") == 0) {
|
||||
char* d = strdup(val);
|
||||
char** oi =
|
||||
@ -1007,7 +1016,10 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_YNO(opt, "udp-upstream-without-downstream", udp_upstream_without_downstream)
|
||||
else O_DEC(opt, "tcp-mss", tcp_mss)
|
||||
else O_DEC(opt, "outgoing-tcp-mss", outgoing_tcp_mss)
|
||||
else O_DEC(opt, "tcp-auth-query-timeout", tcp_auth_query_timeout)
|
||||
else O_DEC(opt, "tcp-idle-timeout", tcp_idle_timeout)
|
||||
else O_DEC(opt, "max-reuse-tcp-queries", max_reuse_tcp_queries)
|
||||
else O_DEC(opt, "tcp-reuse-timeout", tcp_reuse_timeout)
|
||||
else O_YNO(opt, "edns-tcp-keepalive", do_tcp_keepalive)
|
||||
else O_DEC(opt, "edns-tcp-keepalive-timeout", tcp_keepalive_timeout)
|
||||
else O_YNO(opt, "ssl-upstream", ssl_upstream)
|
||||
@ -1181,6 +1193,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_DEC(opt, "fast-server-permil", fast_server_permil)
|
||||
else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
|
||||
else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
|
||||
else O_DEC(opt, "val-max-restart", val_max_restart)
|
||||
else O_YNO(opt, "qname-minimisation", qname_minimisation)
|
||||
else O_YNO(opt, "qname-minimisation-strict", qname_minimisation_strict)
|
||||
else O_IFC(opt, "define-tag", num_tags, tagname)
|
||||
|
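Review bot: The new NSEC3 iteration caps in config_create, `strdup("1024 150 2048 150 4096 150")`, replace 500/2500 with 150 for 2048- and 4096-bit keys but carry no comment saying why, so the next person to touch the defaults cannot tell a typo from a deliberate hardening. I would add, above the strdup, `/* NSEC3 iteration caps per key size; a zone above its cap is presumably treated as insecure rather than bogus (confirm in the validator) -- lowered to 150 so large iteration counts cannot be used to burn validator CPU */`. The CPU-exhaustion rationale and the insecure-vs-bogus outcome are my reading of the numbers, not something this hunk shows, so adjust the wording if the validator behaves differently. Because zones using 151-2500 iterations now validate differently, the man page and changelog entry should mention the change if they do not already. config_create starts and ends outside this hunk.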
@ -93,6 +93,12 @@ struct config_file {
|
||||
int do_udp;
|
||||
/** do tcp query support. */
|
||||
int do_tcp;
|
||||
/** max number of queries on a reuse connection. */
|
||||
size_t max_reuse_tcp_queries;
|
||||
/** timeout for REUSE entries in milliseconds. */
|
||||
int tcp_reuse_timeout;
|
||||
/** timeout in milliseconds for TCP queries to auth servers. */
|
||||
int tcp_auth_query_timeout;
|
||||
/** tcp upstream queries (no UDP upstream queries) */
|
||||
int tcp_upstream;
|
||||
/** udp upstream enabled when no UDP downstream is enabled (do_udp no)*/
|
||||
@ -367,6 +373,8 @@ struct config_file {
|
||||
int32_t val_sig_skew_min;
|
||||
/** the maximum for signature clock skew */
|
||||
int32_t val_sig_skew_max;
|
||||
/** max number of query restarts, number of IPs to probe */
|
||||
int32_t val_max_restart;
|
||||
/** this value sets the number of seconds before revalidating bogus */
|
||||
int bogus_ttl;
|
||||
/** should validator clean additional section for secure msgs */
|
||||
@ -729,6 +737,8 @@ struct config_auth {
|
||||
/** Always reply with this CNAME target if the cname override action is
|
||||
* used */
|
||||
char* rpz_cname;
|
||||
/** Check ZONEMD records for this zone */
|
||||
int zonemd_check;
|
||||
/** Reject absence of ZONEMD records, zone must have one */
|
||||
int zonemd_reject_absence;
|
||||
};
|
||||
|
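Review bot: `size_t max_reuse_tcp_queries;` is the only unsigned field in this group, while its setter in config_file.c goes through `S_NUMBER_NONZERO("max-reuse-tcp-queries:", ...)` like the neighbouring int timeouts; if that macro assigns an atoi() result as the other numeric options do, a configured `max-reuse-tcp-queries: -1` passes the non-zero check and is stored as a huge unsigned limit rather than rejected. Either declare it `int` to match `tcp_reuse_timeout` and `tcp_auth_query_timeout`, or keep `size_t` and reject negative values in the setter. The macro body is not in this diff, so confirm how it converts the value before changing the type. struct config_file starts and ends outside this hunk.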
5265
util/configlexer.c
5265
util/configlexer.c
@ -235,6 +235,9 @@ tcp-upstream{COLON} { YDVAR(1, VAR_TCP_UPSTREAM) }
|
||||
tcp-mss{COLON} { YDVAR(1, VAR_TCP_MSS) }
|
||||
outgoing-tcp-mss{COLON} { YDVAR(1, VAR_OUTGOING_TCP_MSS) }
|
||||
tcp-idle-timeout{COLON} { YDVAR(1, VAR_TCP_IDLE_TIMEOUT) }
|
||||
max-reuse-tcp-queries{COLON} { YDVAR(1, VAR_MAX_REUSE_TCP_QUERIES) }
|
||||
tcp-reuse-timeout{COLON} { YDVAR(1, VAR_TCP_REUSE_TIMEOUT) }
|
||||
tcp-auth-query-timeout{COLON} { YDVAR(1, VAR_TCP_AUTH_QUERY_TIMEOUT) }
|
||||
edns-tcp-keepalive{COLON} { YDVAR(1, VAR_EDNS_TCP_KEEPALIVE) }
|
||||
edns-tcp-keepalive-timeout{COLON} { YDVAR(1, VAR_EDNS_TCP_KEEPALIVE_TIMEOUT) }
|
||||
ssl-upstream{COLON} { YDVAR(1, VAR_SSL_UPSTREAM) }
|
||||
@ -382,6 +385,7 @@ root-key-sentinel{COLON} { YDVAR(1, VAR_ROOT_KEY_SENTINEL) }
|
||||
val-override-date{COLON} { YDVAR(1, VAR_VAL_OVERRIDE_DATE) }
|
||||
val-sig-skew-min{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MIN) }
|
||||
val-sig-skew-max{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
|
||||
val-max-restart{COLON} { YDVAR(1, VAR_VAL_MAX_RESTART) }
|
||||
val-bogus-ttl{COLON} { YDVAR(1, VAR_BOGUS_TTL) }
|
||||
val-clean-additional{COLON} { YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
|
||||
val-permissive-mode{COLON} { YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
|
||||
@ -402,6 +406,7 @@ neg-cache-size{COLON} { YDVAR(1, VAR_NEG_CACHE_SIZE) }
|
||||
val-nsec3-keysize-iterations{COLON} {
|
||||
YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) }
|
||||
zonemd-permissive-mode{COLON} { YDVAR(1, VAR_ZONEMD_PERMISSIVE_MODE) }
|
||||
zonemd-check{COLON} { YDVAR(1, VAR_ZONEMD_CHECK) }
|
||||
zonemd-reject-absence{COLON} { YDVAR(1, VAR_ZONEMD_REJECT_ABSENCE) }
|
||||
add-holddown{COLON} { YDVAR(1, VAR_ADD_HOLDDOWN) }
|
||||
del-holddown{COLON} { YDVAR(1, VAR_DEL_HOLDDOWN) }
|
||||
|
5052
util/configparser.c
5052
util/configparser.c
@ -1,4 +1,4 @@
|
||||
/* A Bison parser, made by GNU Bison 3.6.4. */
|
||||
/* A Bison parser, made by GNU Bison 3.7.4. */
|
||||
|
||||
/* Bison interface for Yacc-like parsers in C
|
||||
|
||||
@ -156,216 +156,222 @@ extern int yydebug;
|
||||
VAR_CONTROL_KEY_FILE = 357, /* VAR_CONTROL_KEY_FILE */
|
||||
VAR_CONTROL_CERT_FILE = 358, /* VAR_CONTROL_CERT_FILE */
|
||||
VAR_CONTROL_USE_CERT = 359, /* VAR_CONTROL_USE_CERT */
|
||||
VAR_EXTENDED_STATISTICS = 360, /* VAR_EXTENDED_STATISTICS */
|
||||
VAR_LOCAL_DATA_PTR = 361, /* VAR_LOCAL_DATA_PTR */
|
||||
VAR_JOSTLE_TIMEOUT = 362, /* VAR_JOSTLE_TIMEOUT */
|
||||
VAR_STUB_PRIME = 363, /* VAR_STUB_PRIME */
|
||||
VAR_UNWANTED_REPLY_THRESHOLD = 364, /* VAR_UNWANTED_REPLY_THRESHOLD */
|
||||
VAR_LOG_TIME_ASCII = 365, /* VAR_LOG_TIME_ASCII */
|
||||
VAR_DOMAIN_INSECURE = 366, /* VAR_DOMAIN_INSECURE */
|
||||
VAR_PYTHON = 367, /* VAR_PYTHON */
|
||||
VAR_PYTHON_SCRIPT = 368, /* VAR_PYTHON_SCRIPT */
|
||||
VAR_VAL_SIG_SKEW_MIN = 369, /* VAR_VAL_SIG_SKEW_MIN */
|
||||
VAR_VAL_SIG_SKEW_MAX = 370, /* VAR_VAL_SIG_SKEW_MAX */
|
||||
VAR_CACHE_MIN_TTL = 371, /* VAR_CACHE_MIN_TTL */
|
||||
VAR_VAL_LOG_LEVEL = 372, /* VAR_VAL_LOG_LEVEL */
|
||||
VAR_AUTO_TRUST_ANCHOR_FILE = 373, /* VAR_AUTO_TRUST_ANCHOR_FILE */
|
||||
VAR_KEEP_MISSING = 374, /* VAR_KEEP_MISSING */
|
||||
VAR_ADD_HOLDDOWN = 375, /* VAR_ADD_HOLDDOWN */
|
||||
VAR_DEL_HOLDDOWN = 376, /* VAR_DEL_HOLDDOWN */
|
||||
VAR_SO_RCVBUF = 377, /* VAR_SO_RCVBUF */
|
||||
VAR_EDNS_BUFFER_SIZE = 378, /* VAR_EDNS_BUFFER_SIZE */
|
||||
VAR_PREFETCH = 379, /* VAR_PREFETCH */
|
||||
VAR_PREFETCH_KEY = 380, /* VAR_PREFETCH_KEY */
|
||||
VAR_SO_SNDBUF = 381, /* VAR_SO_SNDBUF */
|
||||
VAR_SO_REUSEPORT = 382, /* VAR_SO_REUSEPORT */
|
||||
VAR_HARDEN_BELOW_NXDOMAIN = 383, /* VAR_HARDEN_BELOW_NXDOMAIN */
|
||||
VAR_IGNORE_CD_FLAG = 384, /* VAR_IGNORE_CD_FLAG */
|
||||
VAR_LOG_QUERIES = 385, /* VAR_LOG_QUERIES */
|
||||
VAR_LOG_REPLIES = 386, /* VAR_LOG_REPLIES */
|
||||
VAR_LOG_LOCAL_ACTIONS = 387, /* VAR_LOG_LOCAL_ACTIONS */
|
||||
VAR_TCP_UPSTREAM = 388, /* VAR_TCP_UPSTREAM */
|
||||
VAR_SSL_UPSTREAM = 389, /* VAR_SSL_UPSTREAM */
|
||||
VAR_SSL_SERVICE_KEY = 390, /* VAR_SSL_SERVICE_KEY */
|
||||
VAR_SSL_SERVICE_PEM = 391, /* VAR_SSL_SERVICE_PEM */
|
||||
VAR_SSL_PORT = 392, /* VAR_SSL_PORT */
|
||||
VAR_FORWARD_FIRST = 393, /* VAR_FORWARD_FIRST */
|
||||
VAR_STUB_SSL_UPSTREAM = 394, /* VAR_STUB_SSL_UPSTREAM */
|
||||
VAR_FORWARD_SSL_UPSTREAM = 395, /* VAR_FORWARD_SSL_UPSTREAM */
|
||||
VAR_TLS_CERT_BUNDLE = 396, /* VAR_TLS_CERT_BUNDLE */
|
||||
VAR_HTTPS_PORT = 397, /* VAR_HTTPS_PORT */
|
||||
VAR_HTTP_ENDPOINT = 398, /* VAR_HTTP_ENDPOINT */
|
||||
VAR_HTTP_MAX_STREAMS = 399, /* VAR_HTTP_MAX_STREAMS */
|
||||
VAR_HTTP_QUERY_BUFFER_SIZE = 400, /* VAR_HTTP_QUERY_BUFFER_SIZE */
|
||||
VAR_HTTP_RESPONSE_BUFFER_SIZE = 401, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */
|
||||
VAR_HTTP_NODELAY = 402, /* VAR_HTTP_NODELAY */
|
||||
VAR_HTTP_NOTLS_DOWNSTREAM = 403, /* VAR_HTTP_NOTLS_DOWNSTREAM */
|
||||
VAR_STUB_FIRST = 404, /* VAR_STUB_FIRST */
|
||||
VAR_MINIMAL_RESPONSES = 405, /* VAR_MINIMAL_RESPONSES */
|
||||
VAR_RRSET_ROUNDROBIN = 406, /* VAR_RRSET_ROUNDROBIN */
|
||||
VAR_MAX_UDP_SIZE = 407, /* VAR_MAX_UDP_SIZE */
|
||||
VAR_DELAY_CLOSE = 408, /* VAR_DELAY_CLOSE */
|
||||
VAR_UDP_CONNECT = 409, /* VAR_UDP_CONNECT */
|
||||
VAR_UNBLOCK_LAN_ZONES = 410, /* VAR_UNBLOCK_LAN_ZONES */
|
||||
VAR_INSECURE_LAN_ZONES = 411, /* VAR_INSECURE_LAN_ZONES */
|
||||
VAR_INFRA_CACHE_MIN_RTT = 412, /* VAR_INFRA_CACHE_MIN_RTT */
|
||||
VAR_INFRA_KEEP_PROBING = 413, /* VAR_INFRA_KEEP_PROBING */
|
||||
VAR_DNS64_PREFIX = 414, /* VAR_DNS64_PREFIX */
|
||||
VAR_DNS64_SYNTHALL = 415, /* VAR_DNS64_SYNTHALL */
|
||||
VAR_DNS64_IGNORE_AAAA = 416, /* VAR_DNS64_IGNORE_AAAA */
|
||||
VAR_DNSTAP = 417, /* VAR_DNSTAP */
|
||||
VAR_DNSTAP_ENABLE = 418, /* VAR_DNSTAP_ENABLE */
|
||||
VAR_DNSTAP_SOCKET_PATH = 419, /* VAR_DNSTAP_SOCKET_PATH */
|
||||
VAR_DNSTAP_IP = 420, /* VAR_DNSTAP_IP */
|
||||
VAR_DNSTAP_TLS = 421, /* VAR_DNSTAP_TLS */
|
||||
VAR_DNSTAP_TLS_SERVER_NAME = 422, /* VAR_DNSTAP_TLS_SERVER_NAME */
|
||||
VAR_DNSTAP_TLS_CERT_BUNDLE = 423, /* VAR_DNSTAP_TLS_CERT_BUNDLE */
|
||||
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 424, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */
|
||||
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 425, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */
|
||||
VAR_DNSTAP_SEND_IDENTITY = 426, /* VAR_DNSTAP_SEND_IDENTITY */
|
||||
VAR_DNSTAP_SEND_VERSION = 427, /* VAR_DNSTAP_SEND_VERSION */
|
||||
VAR_DNSTAP_BIDIRECTIONAL = 428, /* VAR_DNSTAP_BIDIRECTIONAL */
|
||||
VAR_DNSTAP_IDENTITY = 429, /* VAR_DNSTAP_IDENTITY */
|
||||
VAR_DNSTAP_VERSION = 430, /* VAR_DNSTAP_VERSION */
|
||||
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 431, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */
|
||||
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 432, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */
|
||||
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 433, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */
|
||||
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 434, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */
|
||||
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 435, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */
|
||||
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 436, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */
|
||||
VAR_RESPONSE_IP_TAG = 437, /* VAR_RESPONSE_IP_TAG */
|
||||
VAR_RESPONSE_IP = 438, /* VAR_RESPONSE_IP */
|
||||
VAR_RESPONSE_IP_DATA = 439, /* VAR_RESPONSE_IP_DATA */
|
||||
VAR_HARDEN_ALGO_DOWNGRADE = 440, /* VAR_HARDEN_ALGO_DOWNGRADE */
|
||||
VAR_IP_TRANSPARENT = 441, /* VAR_IP_TRANSPARENT */
|
||||
VAR_IP_DSCP = 442, /* VAR_IP_DSCP */
|
||||
VAR_DISABLE_DNSSEC_LAME_CHECK = 443, /* VAR_DISABLE_DNSSEC_LAME_CHECK */
|
||||
VAR_IP_RATELIMIT = 444, /* VAR_IP_RATELIMIT */
|
||||
VAR_IP_RATELIMIT_SLABS = 445, /* VAR_IP_RATELIMIT_SLABS */
|
||||
VAR_IP_RATELIMIT_SIZE = 446, /* VAR_IP_RATELIMIT_SIZE */
|
||||
VAR_RATELIMIT = 447, /* VAR_RATELIMIT */
|
||||
VAR_RATELIMIT_SLABS = 448, /* VAR_RATELIMIT_SLABS */
|
||||
VAR_RATELIMIT_SIZE = 449, /* VAR_RATELIMIT_SIZE */
|
||||
VAR_RATELIMIT_FOR_DOMAIN = 450, /* VAR_RATELIMIT_FOR_DOMAIN */
|
||||
VAR_RATELIMIT_BELOW_DOMAIN = 451, /* VAR_RATELIMIT_BELOW_DOMAIN */
|
||||
VAR_IP_RATELIMIT_FACTOR = 452, /* VAR_IP_RATELIMIT_FACTOR */
|
||||
VAR_RATELIMIT_FACTOR = 453, /* VAR_RATELIMIT_FACTOR */
|
||||
VAR_SEND_CLIENT_SUBNET = 454, /* VAR_SEND_CLIENT_SUBNET */
|
||||
VAR_CLIENT_SUBNET_ZONE = 455, /* VAR_CLIENT_SUBNET_ZONE */
|
||||
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 456, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */
|
||||
VAR_CLIENT_SUBNET_OPCODE = 457, /* VAR_CLIENT_SUBNET_OPCODE */
|
||||
VAR_MAX_CLIENT_SUBNET_IPV4 = 458, /* VAR_MAX_CLIENT_SUBNET_IPV4 */
|
||||
VAR_MAX_CLIENT_SUBNET_IPV6 = 459, /* VAR_MAX_CLIENT_SUBNET_IPV6 */
|
||||
VAR_MIN_CLIENT_SUBNET_IPV4 = 460, /* VAR_MIN_CLIENT_SUBNET_IPV4 */
|
||||
VAR_MIN_CLIENT_SUBNET_IPV6 = 461, /* VAR_MIN_CLIENT_SUBNET_IPV6 */
|
||||
VAR_MAX_ECS_TREE_SIZE_IPV4 = 462, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */
|
||||
VAR_MAX_ECS_TREE_SIZE_IPV6 = 463, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */
|
||||
VAR_CAPS_WHITELIST = 464, /* VAR_CAPS_WHITELIST */
|
||||
VAR_CACHE_MAX_NEGATIVE_TTL = 465, /* VAR_CACHE_MAX_NEGATIVE_TTL */
|
||||
VAR_PERMIT_SMALL_HOLDDOWN = 466, /* VAR_PERMIT_SMALL_HOLDDOWN */
|
||||
VAR_QNAME_MINIMISATION = 467, /* VAR_QNAME_MINIMISATION */
|
||||
VAR_QNAME_MINIMISATION_STRICT = 468, /* VAR_QNAME_MINIMISATION_STRICT */
|
||||
VAR_IP_FREEBIND = 469, /* VAR_IP_FREEBIND */
|
||||
VAR_DEFINE_TAG = 470, /* VAR_DEFINE_TAG */
|
||||
VAR_LOCAL_ZONE_TAG = 471, /* VAR_LOCAL_ZONE_TAG */
|
||||
VAR_ACCESS_CONTROL_TAG = 472, /* VAR_ACCESS_CONTROL_TAG */
|
||||
VAR_LOCAL_ZONE_OVERRIDE = 473, /* VAR_LOCAL_ZONE_OVERRIDE */
|
||||
VAR_ACCESS_CONTROL_TAG_ACTION = 474, /* VAR_ACCESS_CONTROL_TAG_ACTION */
|
||||
VAR_ACCESS_CONTROL_TAG_DATA = 475, /* VAR_ACCESS_CONTROL_TAG_DATA */
|
||||
VAR_VIEW = 476, /* VAR_VIEW */
|
||||
VAR_ACCESS_CONTROL_VIEW = 477, /* VAR_ACCESS_CONTROL_VIEW */
|
||||
VAR_VIEW_FIRST = 478, /* VAR_VIEW_FIRST */
|
||||
VAR_SERVE_EXPIRED = 479, /* VAR_SERVE_EXPIRED */
|
||||
VAR_SERVE_EXPIRED_TTL = 480, /* VAR_SERVE_EXPIRED_TTL */
|
||||
VAR_SERVE_EXPIRED_TTL_RESET = 481, /* VAR_SERVE_EXPIRED_TTL_RESET */
|
||||
VAR_SERVE_EXPIRED_REPLY_TTL = 482, /* VAR_SERVE_EXPIRED_REPLY_TTL */
|
||||
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 483, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */
|
||||
VAR_SERVE_ORIGINAL_TTL = 484, /* VAR_SERVE_ORIGINAL_TTL */
|
||||
VAR_FAKE_DSA = 485, /* VAR_FAKE_DSA */
|
||||
VAR_FAKE_SHA1 = 486, /* VAR_FAKE_SHA1 */
|
||||
VAR_LOG_IDENTITY = 487, /* VAR_LOG_IDENTITY */
|
||||
VAR_HIDE_TRUSTANCHOR = 488, /* VAR_HIDE_TRUSTANCHOR */
|
||||
VAR_TRUST_ANCHOR_SIGNALING = 489, /* VAR_TRUST_ANCHOR_SIGNALING */
|
||||
VAR_AGGRESSIVE_NSEC = 490, /* VAR_AGGRESSIVE_NSEC */
|
||||
VAR_USE_SYSTEMD = 491, /* VAR_USE_SYSTEMD */
|
||||
VAR_SHM_ENABLE = 492, /* VAR_SHM_ENABLE */
|
||||
VAR_SHM_KEY = 493, /* VAR_SHM_KEY */
|
||||
VAR_ROOT_KEY_SENTINEL = 494, /* VAR_ROOT_KEY_SENTINEL */
|
||||
VAR_DNSCRYPT = 495, /* VAR_DNSCRYPT */
|
||||
VAR_DNSCRYPT_ENABLE = 496, /* VAR_DNSCRYPT_ENABLE */
|
||||
VAR_DNSCRYPT_PORT = 497, /* VAR_DNSCRYPT_PORT */
|
||||
VAR_DNSCRYPT_PROVIDER = 498, /* VAR_DNSCRYPT_PROVIDER */
|
||||
VAR_DNSCRYPT_SECRET_KEY = 499, /* VAR_DNSCRYPT_SECRET_KEY */
|
||||
VAR_DNSCRYPT_PROVIDER_CERT = 500, /* VAR_DNSCRYPT_PROVIDER_CERT */
|
||||
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 501, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */
|
||||
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 502, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */
|
||||
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 503, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */
|
||||
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 504, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */
|
||||
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 505, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */
|
||||
VAR_PAD_RESPONSES = 506, /* VAR_PAD_RESPONSES */
|
||||
VAR_PAD_RESPONSES_BLOCK_SIZE = 507, /* VAR_PAD_RESPONSES_BLOCK_SIZE */
|
||||
VAR_PAD_QUERIES = 508, /* VAR_PAD_QUERIES */
|
||||
VAR_PAD_QUERIES_BLOCK_SIZE = 509, /* VAR_PAD_QUERIES_BLOCK_SIZE */
|
||||
VAR_IPSECMOD_ENABLED = 510, /* VAR_IPSECMOD_ENABLED */
|
||||
VAR_IPSECMOD_HOOK = 511, /* VAR_IPSECMOD_HOOK */
|
||||
VAR_IPSECMOD_IGNORE_BOGUS = 512, /* VAR_IPSECMOD_IGNORE_BOGUS */
|
||||
VAR_IPSECMOD_MAX_TTL = 513, /* VAR_IPSECMOD_MAX_TTL */
|
||||
VAR_IPSECMOD_WHITELIST = 514, /* VAR_IPSECMOD_WHITELIST */
|
||||
VAR_IPSECMOD_STRICT = 515, /* VAR_IPSECMOD_STRICT */
|
||||
VAR_CACHEDB = 516, /* VAR_CACHEDB */
|
||||
VAR_CACHEDB_BACKEND = 517, /* VAR_CACHEDB_BACKEND */
|
||||
VAR_CACHEDB_SECRETSEED = 518, /* VAR_CACHEDB_SECRETSEED */
|
||||
VAR_CACHEDB_REDISHOST = 519, /* VAR_CACHEDB_REDISHOST */
|
||||
VAR_CACHEDB_REDISPORT = 520, /* VAR_CACHEDB_REDISPORT */
|
||||
VAR_CACHEDB_REDISTIMEOUT = 521, /* VAR_CACHEDB_REDISTIMEOUT */
|
||||
VAR_CACHEDB_REDISEXPIRERECORDS = 522, /* VAR_CACHEDB_REDISEXPIRERECORDS */
|
||||
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 523, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */
|
||||
VAR_FOR_UPSTREAM = 524, /* VAR_FOR_UPSTREAM */
|
||||
VAR_AUTH_ZONE = 525, /* VAR_AUTH_ZONE */
|
||||
VAR_ZONEFILE = 526, /* VAR_ZONEFILE */
|
||||
VAR_MASTER = 527, /* VAR_MASTER */
|
||||
VAR_URL = 528, /* VAR_URL */
|
||||
VAR_FOR_DOWNSTREAM = 529, /* VAR_FOR_DOWNSTREAM */
|
||||
VAR_FALLBACK_ENABLED = 530, /* VAR_FALLBACK_ENABLED */
|
||||
VAR_TLS_ADDITIONAL_PORT = 531, /* VAR_TLS_ADDITIONAL_PORT */
|
||||
VAR_LOW_RTT = 532, /* VAR_LOW_RTT */
|
||||
VAR_LOW_RTT_PERMIL = 533, /* VAR_LOW_RTT_PERMIL */
|
||||
VAR_FAST_SERVER_PERMIL = 534, /* VAR_FAST_SERVER_PERMIL */
|
||||
VAR_FAST_SERVER_NUM = 535, /* VAR_FAST_SERVER_NUM */
|
||||
VAR_ALLOW_NOTIFY = 536, /* VAR_ALLOW_NOTIFY */
|
||||
VAR_TLS_WIN_CERT = 537, /* VAR_TLS_WIN_CERT */
|
||||
VAR_TCP_CONNECTION_LIMIT = 538, /* VAR_TCP_CONNECTION_LIMIT */
|
||||
VAR_FORWARD_NO_CACHE = 539, /* VAR_FORWARD_NO_CACHE */
|
||||
VAR_STUB_NO_CACHE = 540, /* VAR_STUB_NO_CACHE */
|
||||
VAR_LOG_SERVFAIL = 541, /* VAR_LOG_SERVFAIL */
|
||||
VAR_DENY_ANY = 542, /* VAR_DENY_ANY */
|
||||
VAR_UNKNOWN_SERVER_TIME_LIMIT = 543, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */
|
||||
VAR_LOG_TAG_QUERYREPLY = 544, /* VAR_LOG_TAG_QUERYREPLY */
|
||||
VAR_STREAM_WAIT_SIZE = 545, /* VAR_STREAM_WAIT_SIZE */
|
||||
VAR_TLS_CIPHERS = 546, /* VAR_TLS_CIPHERS */
|
||||
VAR_TLS_CIPHERSUITES = 547, /* VAR_TLS_CIPHERSUITES */
|
||||
VAR_TLS_USE_SNI = 548, /* VAR_TLS_USE_SNI */
|
||||
VAR_IPSET = 549, /* VAR_IPSET */
|
||||
VAR_IPSET_NAME_V4 = 550, /* VAR_IPSET_NAME_V4 */
|
||||
VAR_IPSET_NAME_V6 = 551, /* VAR_IPSET_NAME_V6 */
|
||||
VAR_TLS_SESSION_TICKET_KEYS = 552, /* VAR_TLS_SESSION_TICKET_KEYS */
|
||||
VAR_RPZ = 553, /* VAR_RPZ */
|
||||
VAR_TAGS = 554, /* VAR_TAGS */
|
||||
VAR_RPZ_ACTION_OVERRIDE = 555, /* VAR_RPZ_ACTION_OVERRIDE */
|
||||
VAR_RPZ_CNAME_OVERRIDE = 556, /* VAR_RPZ_CNAME_OVERRIDE */
|
||||
VAR_RPZ_LOG = 557, /* VAR_RPZ_LOG */
|
||||
VAR_RPZ_LOG_NAME = 558, /* VAR_RPZ_LOG_NAME */
|
||||
VAR_DYNLIB = 559, /* VAR_DYNLIB */
|
||||
VAR_DYNLIB_FILE = 560, /* VAR_DYNLIB_FILE */
|
||||
VAR_EDNS_CLIENT_STRING = 561, /* VAR_EDNS_CLIENT_STRING */
|
||||
VAR_EDNS_CLIENT_STRING_OPCODE = 562, /* VAR_EDNS_CLIENT_STRING_OPCODE */
|
||||
VAR_NSID = 563, /* VAR_NSID */
|
||||
VAR_ZONEMD_PERMISSIVE_MODE = 564, /* VAR_ZONEMD_PERMISSIVE_MODE */
|
||||
VAR_ZONEMD_REJECT_ABSENCE = 565 /* VAR_ZONEMD_REJECT_ABSENCE */
|
||||
VAR_TCP_REUSE_TIMEOUT = 360, /* VAR_TCP_REUSE_TIMEOUT */
|
||||
VAR_MAX_REUSE_TCP_QUERIES = 361, /* VAR_MAX_REUSE_TCP_QUERIES */
|
||||
VAR_EXTENDED_STATISTICS = 362, /* VAR_EXTENDED_STATISTICS */
|
||||
VAR_LOCAL_DATA_PTR = 363, /* VAR_LOCAL_DATA_PTR */
|
||||
VAR_JOSTLE_TIMEOUT = 364, /* VAR_JOSTLE_TIMEOUT */
|
||||
VAR_STUB_PRIME = 365, /* VAR_STUB_PRIME */
|
||||
VAR_UNWANTED_REPLY_THRESHOLD = 366, /* VAR_UNWANTED_REPLY_THRESHOLD */
|
||||
VAR_LOG_TIME_ASCII = 367, /* VAR_LOG_TIME_ASCII */
|
||||
VAR_DOMAIN_INSECURE = 368, /* VAR_DOMAIN_INSECURE */
|
||||
VAR_PYTHON = 369, /* VAR_PYTHON */
|
||||
VAR_PYTHON_SCRIPT = 370, /* VAR_PYTHON_SCRIPT */
|
||||
VAR_VAL_SIG_SKEW_MIN = 371, /* VAR_VAL_SIG_SKEW_MIN */
|
||||
VAR_VAL_SIG_SKEW_MAX = 372, /* VAR_VAL_SIG_SKEW_MAX */
|
||||
VAR_VAL_MAX_RESTART = 373, /* VAR_VAL_MAX_RESTART */
|
||||
VAR_CACHE_MIN_TTL = 374, /* VAR_CACHE_MIN_TTL */
|
||||
VAR_VAL_LOG_LEVEL = 375, /* VAR_VAL_LOG_LEVEL */
|
||||
VAR_AUTO_TRUST_ANCHOR_FILE = 376, /* VAR_AUTO_TRUST_ANCHOR_FILE */
|
||||
VAR_KEEP_MISSING = 377, /* VAR_KEEP_MISSING */
|
||||
VAR_ADD_HOLDDOWN = 378, /* VAR_ADD_HOLDDOWN */
|
||||
VAR_DEL_HOLDDOWN = 379, /* VAR_DEL_HOLDDOWN */
|
||||
VAR_SO_RCVBUF = 380, /* VAR_SO_RCVBUF */
|
||||
VAR_EDNS_BUFFER_SIZE = 381, /* VAR_EDNS_BUFFER_SIZE */
|
||||
VAR_PREFETCH = 382, /* VAR_PREFETCH */
|
||||
VAR_PREFETCH_KEY = 383, /* VAR_PREFETCH_KEY */
|
||||
VAR_SO_SNDBUF = 384, /* VAR_SO_SNDBUF */
|
||||
VAR_SO_REUSEPORT = 385, /* VAR_SO_REUSEPORT */
|
||||
VAR_HARDEN_BELOW_NXDOMAIN = 386, /* VAR_HARDEN_BELOW_NXDOMAIN */
|
||||
VAR_IGNORE_CD_FLAG = 387, /* VAR_IGNORE_CD_FLAG */
|
||||
VAR_LOG_QUERIES = 388, /* VAR_LOG_QUERIES */
|
||||
VAR_LOG_REPLIES = 389, /* VAR_LOG_REPLIES */
|
||||
VAR_LOG_LOCAL_ACTIONS = 390, /* VAR_LOG_LOCAL_ACTIONS */
|
||||
VAR_TCP_UPSTREAM = 391, /* VAR_TCP_UPSTREAM */
|
||||
VAR_SSL_UPSTREAM = 392, /* VAR_SSL_UPSTREAM */
|
||||
VAR_TCP_AUTH_QUERY_TIMEOUT = 393, /* VAR_TCP_AUTH_QUERY_TIMEOUT */
|
||||
VAR_SSL_SERVICE_KEY = 394, /* VAR_SSL_SERVICE_KEY */
|
||||
VAR_SSL_SERVICE_PEM = 395, /* VAR_SSL_SERVICE_PEM */
|
||||
VAR_SSL_PORT = 396, /* VAR_SSL_PORT */
|
||||
VAR_FORWARD_FIRST = 397, /* VAR_FORWARD_FIRST */
|
||||
VAR_STUB_SSL_UPSTREAM = 398, /* VAR_STUB_SSL_UPSTREAM */
|
||||
VAR_FORWARD_SSL_UPSTREAM = 399, /* VAR_FORWARD_SSL_UPSTREAM */
|
||||
VAR_TLS_CERT_BUNDLE = 400, /* VAR_TLS_CERT_BUNDLE */
|
||||
VAR_HTTPS_PORT = 401, /* VAR_HTTPS_PORT */
|
||||
VAR_HTTP_ENDPOINT = 402, /* VAR_HTTP_ENDPOINT */
|
||||
VAR_HTTP_MAX_STREAMS = 403, /* VAR_HTTP_MAX_STREAMS */
|
||||
VAR_HTTP_QUERY_BUFFER_SIZE = 404, /* VAR_HTTP_QUERY_BUFFER_SIZE */
|
||||
VAR_HTTP_RESPONSE_BUFFER_SIZE = 405, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */
|
||||
VAR_HTTP_NODELAY = 406, /* VAR_HTTP_NODELAY */
|
||||
VAR_HTTP_NOTLS_DOWNSTREAM = 407, /* VAR_HTTP_NOTLS_DOWNSTREAM */
|
||||
VAR_STUB_FIRST = 408, /* VAR_STUB_FIRST */
|
||||
VAR_MINIMAL_RESPONSES = 409, /* VAR_MINIMAL_RESPONSES */
|
||||
VAR_RRSET_ROUNDROBIN = 410, /* VAR_RRSET_ROUNDROBIN */
|
||||
VAR_MAX_UDP_SIZE = 411, /* VAR_MAX_UDP_SIZE */
|
||||
VAR_DELAY_CLOSE = 412, /* VAR_DELAY_CLOSE */
|
||||
VAR_UDP_CONNECT = 413, /* VAR_UDP_CONNECT */
|
||||
VAR_UNBLOCK_LAN_ZONES = 414, /* VAR_UNBLOCK_LAN_ZONES */
|
||||
VAR_INSECURE_LAN_ZONES = 415, /* VAR_INSECURE_LAN_ZONES */
|
||||
VAR_INFRA_CACHE_MIN_RTT = 416, /* VAR_INFRA_CACHE_MIN_RTT */
|
||||
VAR_INFRA_KEEP_PROBING = 417, /* VAR_INFRA_KEEP_PROBING */
|
||||
VAR_DNS64_PREFIX = 418, /* VAR_DNS64_PREFIX */
|
||||
VAR_DNS64_SYNTHALL = 419, /* VAR_DNS64_SYNTHALL */
|
||||
VAR_DNS64_IGNORE_AAAA = 420, /* VAR_DNS64_IGNORE_AAAA */
|
||||
VAR_DNSTAP = 421, /* VAR_DNSTAP */
|
||||
VAR_DNSTAP_ENABLE = 422, /* VAR_DNSTAP_ENABLE */
|
||||
VAR_DNSTAP_SOCKET_PATH = 423, /* VAR_DNSTAP_SOCKET_PATH */
|
||||
VAR_DNSTAP_IP = 424, /* VAR_DNSTAP_IP */
|
||||
VAR_DNSTAP_TLS = 425, /* VAR_DNSTAP_TLS */
|
||||
VAR_DNSTAP_TLS_SERVER_NAME = 426, /* VAR_DNSTAP_TLS_SERVER_NAME */
|
||||
VAR_DNSTAP_TLS_CERT_BUNDLE = 427, /* VAR_DNSTAP_TLS_CERT_BUNDLE */
|
||||
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 428, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */
|
||||
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 429, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */
|
||||
VAR_DNSTAP_SEND_IDENTITY = 430, /* VAR_DNSTAP_SEND_IDENTITY */
|
||||
VAR_DNSTAP_SEND_VERSION = 431, /* VAR_DNSTAP_SEND_VERSION */
|
||||
VAR_DNSTAP_BIDIRECTIONAL = 432, /* VAR_DNSTAP_BIDIRECTIONAL */
|
||||
VAR_DNSTAP_IDENTITY = 433, /* VAR_DNSTAP_IDENTITY */
|
||||
VAR_DNSTAP_VERSION = 434, /* VAR_DNSTAP_VERSION */
|
||||
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 435, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */
|
||||
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 436, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */
|
||||
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 437, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */
|
||||
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 438, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */
|
||||
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 439, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */
|
||||
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 440, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */
|
||||
VAR_RESPONSE_IP_TAG = 441, /* VAR_RESPONSE_IP_TAG */
|
||||
VAR_RESPONSE_IP = 442, /* VAR_RESPONSE_IP */
|
||||
VAR_RESPONSE_IP_DATA = 443, /* VAR_RESPONSE_IP_DATA */
|
||||
VAR_HARDEN_ALGO_DOWNGRADE = 444, /* VAR_HARDEN_ALGO_DOWNGRADE */
|
||||
VAR_IP_TRANSPARENT = 445, /* VAR_IP_TRANSPARENT */
|
||||
VAR_IP_DSCP = 446, /* VAR_IP_DSCP */
|
||||
VAR_DISABLE_DNSSEC_LAME_CHECK = 447, /* VAR_DISABLE_DNSSEC_LAME_CHECK */
|
||||
VAR_IP_RATELIMIT = 448, /* VAR_IP_RATELIMIT */
|
||||
VAR_IP_RATELIMIT_SLABS = 449, /* VAR_IP_RATELIMIT_SLABS */
|
||||
VAR_IP_RATELIMIT_SIZE = 450, /* VAR_IP_RATELIMIT_SIZE */
|
||||
VAR_RATELIMIT = 451, /* VAR_RATELIMIT */
|
||||
VAR_RATELIMIT_SLABS = 452, /* VAR_RATELIMIT_SLABS */
|
||||
VAR_RATELIMIT_SIZE = 453, /* VAR_RATELIMIT_SIZE */
|
||||
VAR_RATELIMIT_FOR_DOMAIN = 454, /* VAR_RATELIMIT_FOR_DOMAIN */
|
||||
VAR_RATELIMIT_BELOW_DOMAIN = 455, /* VAR_RATELIMIT_BELOW_DOMAIN */
|
||||
VAR_IP_RATELIMIT_FACTOR = 456, /* VAR_IP_RATELIMIT_FACTOR */
|
||||
VAR_RATELIMIT_FACTOR = 457, /* VAR_RATELIMIT_FACTOR */
|
||||
VAR_SEND_CLIENT_SUBNET = 458, /* VAR_SEND_CLIENT_SUBNET */
|
||||
VAR_CLIENT_SUBNET_ZONE = 459, /* VAR_CLIENT_SUBNET_ZONE */
|
||||
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 460, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */
|
||||
VAR_CLIENT_SUBNET_OPCODE = 461, /* VAR_CLIENT_SUBNET_OPCODE */
|
||||
VAR_MAX_CLIENT_SUBNET_IPV4 = 462, /* VAR_MAX_CLIENT_SUBNET_IPV4 */
|
||||
VAR_MAX_CLIENT_SUBNET_IPV6 = 463, /* VAR_MAX_CLIENT_SUBNET_IPV6 */
|
||||
VAR_MIN_CLIENT_SUBNET_IPV4 = 464, /* VAR_MIN_CLIENT_SUBNET_IPV4 */
|
||||
VAR_MIN_CLIENT_SUBNET_IPV6 = 465, /* VAR_MIN_CLIENT_SUBNET_IPV6 */
|
||||
VAR_MAX_ECS_TREE_SIZE_IPV4 = 466, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */
|
||||
VAR_MAX_ECS_TREE_SIZE_IPV6 = 467, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */
|
||||
VAR_CAPS_WHITELIST = 468, /* VAR_CAPS_WHITELIST */
|
||||
VAR_CACHE_MAX_NEGATIVE_TTL = 469, /* VAR_CACHE_MAX_NEGATIVE_TTL */
|
||||
VAR_PERMIT_SMALL_HOLDDOWN = 470, /* VAR_PERMIT_SMALL_HOLDDOWN */
|
||||
VAR_QNAME_MINIMISATION = 471, /* VAR_QNAME_MINIMISATION */
|
||||
VAR_QNAME_MINIMISATION_STRICT = 472, /* VAR_QNAME_MINIMISATION_STRICT */
|
||||
VAR_IP_FREEBIND = 473, /* VAR_IP_FREEBIND */
|
||||
VAR_DEFINE_TAG = 474, /* VAR_DEFINE_TAG */
|
||||
VAR_LOCAL_ZONE_TAG = 475, /* VAR_LOCAL_ZONE_TAG */
|
||||
VAR_ACCESS_CONTROL_TAG = 476, /* VAR_ACCESS_CONTROL_TAG */
|
||||
VAR_LOCAL_ZONE_OVERRIDE = 477, /* VAR_LOCAL_ZONE_OVERRIDE */
|
||||
VAR_ACCESS_CONTROL_TAG_ACTION = 478, /* VAR_ACCESS_CONTROL_TAG_ACTION */
|
||||
VAR_ACCESS_CONTROL_TAG_DATA = 479, /* VAR_ACCESS_CONTROL_TAG_DATA */
|
||||
VAR_VIEW = 480, /* VAR_VIEW */
|
||||
VAR_ACCESS_CONTROL_VIEW = 481, /* VAR_ACCESS_CONTROL_VIEW */
|
||||
VAR_VIEW_FIRST = 482, /* VAR_VIEW_FIRST */
|
||||
VAR_SERVE_EXPIRED = 483, /* VAR_SERVE_EXPIRED */
|
||||
VAR_SERVE_EXPIRED_TTL = 484, /* VAR_SERVE_EXPIRED_TTL */
|
||||
VAR_SERVE_EXPIRED_TTL_RESET = 485, /* VAR_SERVE_EXPIRED_TTL_RESET */
|
||||
VAR_SERVE_EXPIRED_REPLY_TTL = 486, /* VAR_SERVE_EXPIRED_REPLY_TTL */
|
||||
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 487, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */
|
||||
VAR_SERVE_ORIGINAL_TTL = 488, /* VAR_SERVE_ORIGINAL_TTL */
|
||||
VAR_FAKE_DSA = 489, /* VAR_FAKE_DSA */
|
||||
VAR_FAKE_SHA1 = 490, /* VAR_FAKE_SHA1 */
|
||||
VAR_LOG_IDENTITY = 491, /* VAR_LOG_IDENTITY */
|
||||
VAR_HIDE_TRUSTANCHOR = 492, /* VAR_HIDE_TRUSTANCHOR */
|
||||
VAR_TRUST_ANCHOR_SIGNALING = 493, /* VAR_TRUST_ANCHOR_SIGNALING */
|
||||
VAR_AGGRESSIVE_NSEC = 494, /* VAR_AGGRESSIVE_NSEC */
|
||||
VAR_USE_SYSTEMD = 495, /* VAR_USE_SYSTEMD */
|
||||
VAR_SHM_ENABLE = 496, /* VAR_SHM_ENABLE */
|
||||
VAR_SHM_KEY = 497, /* VAR_SHM_KEY */
|
||||
VAR_ROOT_KEY_SENTINEL = 498, /* VAR_ROOT_KEY_SENTINEL */
|
||||
VAR_DNSCRYPT = 499, /* VAR_DNSCRYPT */
|
||||
VAR_DNSCRYPT_ENABLE = 500, /* VAR_DNSCRYPT_ENABLE */
|
||||
VAR_DNSCRYPT_PORT = 501, /* VAR_DNSCRYPT_PORT */
|
||||
VAR_DNSCRYPT_PROVIDER = 502, /* VAR_DNSCRYPT_PROVIDER */
|
||||
VAR_DNSCRYPT_SECRET_KEY = 503, /* VAR_DNSCRYPT_SECRET_KEY */
|
||||
VAR_DNSCRYPT_PROVIDER_CERT = 504, /* VAR_DNSCRYPT_PROVIDER_CERT */
|
||||
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 505, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */
|
||||
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 506, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */
|
||||
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 507, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */
|
||||
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 508, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */
|
||||
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 509, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */
|
||||
VAR_PAD_RESPONSES = 510, /* VAR_PAD_RESPONSES */
|
||||
VAR_PAD_RESPONSES_BLOCK_SIZE = 511, /* VAR_PAD_RESPONSES_BLOCK_SIZE */
|
||||
VAR_PAD_QUERIES = 512, /* VAR_PAD_QUERIES */
|
||||
VAR_PAD_QUERIES_BLOCK_SIZE = 513, /* VAR_PAD_QUERIES_BLOCK_SIZE */
|
||||
VAR_IPSECMOD_ENABLED = 514, /* VAR_IPSECMOD_ENABLED */
|
||||
VAR_IPSECMOD_HOOK = 515, /* VAR_IPSECMOD_HOOK */
|
||||
VAR_IPSECMOD_IGNORE_BOGUS = 516, /* VAR_IPSECMOD_IGNORE_BOGUS */
|
||||
VAR_IPSECMOD_MAX_TTL = 517, /* VAR_IPSECMOD_MAX_TTL */
|
||||
VAR_IPSECMOD_WHITELIST = 518, /* VAR_IPSECMOD_WHITELIST */
|
||||
VAR_IPSECMOD_STRICT = 519, /* VAR_IPSECMOD_STRICT */
|
||||
VAR_CACHEDB = 520, /* VAR_CACHEDB */
|
||||
VAR_CACHEDB_BACKEND = 521, /* VAR_CACHEDB_BACKEND */
|
||||
VAR_CACHEDB_SECRETSEED = 522, /* VAR_CACHEDB_SECRETSEED */
|
||||
VAR_CACHEDB_REDISHOST = 523, /* VAR_CACHEDB_REDISHOST */
|
||||
VAR_CACHEDB_REDISPORT = 524, /* VAR_CACHEDB_REDISPORT */
|
||||
VAR_CACHEDB_REDISTIMEOUT = 525, /* VAR_CACHEDB_REDISTIMEOUT */
|
||||
VAR_CACHEDB_REDISEXPIRERECORDS = 526, /* VAR_CACHEDB_REDISEXPIRERECORDS */
|
||||
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 527, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */
|
||||
VAR_FOR_UPSTREAM = 528, /* VAR_FOR_UPSTREAM */
|
||||
VAR_AUTH_ZONE = 529, /* VAR_AUTH_ZONE */
|
||||
VAR_ZONEFILE = 530, /* VAR_ZONEFILE */
|
||||
VAR_MASTER = 531, /* VAR_MASTER */
|
||||
VAR_URL = 532, /* VAR_URL */
|
||||
VAR_FOR_DOWNSTREAM = 533, /* VAR_FOR_DOWNSTREAM */
|
||||
VAR_FALLBACK_ENABLED = 534, /* VAR_FALLBACK_ENABLED */
|
||||
VAR_TLS_ADDITIONAL_PORT = 535, /* VAR_TLS_ADDITIONAL_PORT */
|
||||
VAR_LOW_RTT = 536, /* VAR_LOW_RTT */
|
||||
VAR_LOW_RTT_PERMIL = 537, /* VAR_LOW_RTT_PERMIL */
|
||||
VAR_FAST_SERVER_PERMIL = 538, /* VAR_FAST_SERVER_PERMIL */
|
||||
VAR_FAST_SERVER_NUM = 539, /* VAR_FAST_SERVER_NUM */
|
||||
VAR_ALLOW_NOTIFY = 540, /* VAR_ALLOW_NOTIFY */
|
||||
VAR_TLS_WIN_CERT = 541, /* VAR_TLS_WIN_CERT */
|
||||
VAR_TCP_CONNECTION_LIMIT = 542, /* VAR_TCP_CONNECTION_LIMIT */
|
||||
VAR_FORWARD_NO_CACHE = 543, /* VAR_FORWARD_NO_CACHE */
|
||||
VAR_STUB_NO_CACHE = 544, /* VAR_STUB_NO_CACHE */
|
||||
VAR_LOG_SERVFAIL = 545, /* VAR_LOG_SERVFAIL */
|
||||
VAR_DENY_ANY = 546, /* VAR_DENY_ANY */
|
||||
VAR_UNKNOWN_SERVER_TIME_LIMIT = 547, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */
|
||||
VAR_LOG_TAG_QUERYREPLY = 548, /* VAR_LOG_TAG_QUERYREPLY */
|
||||
VAR_STREAM_WAIT_SIZE = 549, /* VAR_STREAM_WAIT_SIZE */
|
||||
VAR_TLS_CIPHERS = 550, /* VAR_TLS_CIPHERS */
|
||||
VAR_TLS_CIPHERSUITES = 551, /* VAR_TLS_CIPHERSUITES */
|
||||
VAR_TLS_USE_SNI = 552, /* VAR_TLS_USE_SNI */
|
||||
VAR_IPSET = 553, /* VAR_IPSET */
|
||||
VAR_IPSET_NAME_V4 = 554, /* VAR_IPSET_NAME_V4 */
|
||||
VAR_IPSET_NAME_V6 = 555, /* VAR_IPSET_NAME_V6 */
|
||||
VAR_TLS_SESSION_TICKET_KEYS = 556, /* VAR_TLS_SESSION_TICKET_KEYS */
|
||||
VAR_RPZ = 557, /* VAR_RPZ */
|
||||
VAR_TAGS = 558, /* VAR_TAGS */
|
||||
VAR_RPZ_ACTION_OVERRIDE = 559, /* VAR_RPZ_ACTION_OVERRIDE */
|
||||
VAR_RPZ_CNAME_OVERRIDE = 560, /* VAR_RPZ_CNAME_OVERRIDE */
|
||||
VAR_RPZ_LOG = 561, /* VAR_RPZ_LOG */
|
||||
VAR_RPZ_LOG_NAME = 562, /* VAR_RPZ_LOG_NAME */
|
||||
VAR_DYNLIB = 563, /* VAR_DYNLIB */
|
||||
VAR_DYNLIB_FILE = 564, /* VAR_DYNLIB_FILE */
|
||||
VAR_EDNS_CLIENT_STRING = 565, /* VAR_EDNS_CLIENT_STRING */
|
||||
VAR_EDNS_CLIENT_STRING_OPCODE = 566, /* VAR_EDNS_CLIENT_STRING_OPCODE */
|
||||
VAR_NSID = 567, /* VAR_NSID */
|
||||
VAR_ZONEMD_PERMISSIVE_MODE = 568, /* VAR_ZONEMD_PERMISSIVE_MODE */
|
||||
VAR_ZONEMD_CHECK = 569, /* VAR_ZONEMD_CHECK */
|
||||
VAR_ZONEMD_REJECT_ABSENCE = 570 /* VAR_ZONEMD_REJECT_ABSENCE */
|
||||
};
|
||||
typedef enum yytokentype yytoken_kind_t;
|
||||
#endif
|
||||
/* Token kinds. */
|
||||
#define YYEMPTY -2
|
||||
#define YYEOF 0
|
||||
#define YYerror 256
|
||||
#define YYUNDEF 257
|
||||
@ -471,212 +477,217 @@ extern int yydebug;
|
||||
#define VAR_CONTROL_KEY_FILE 357
|
||||
#define VAR_CONTROL_CERT_FILE 358
|
||||
#define VAR_CONTROL_USE_CERT 359
|
||||
#define VAR_EXTENDED_STATISTICS 360
|
||||
#define VAR_LOCAL_DATA_PTR 361
|
||||
#define VAR_JOSTLE_TIMEOUT 362
|
||||
#define VAR_STUB_PRIME 363
|
||||
#define VAR_UNWANTED_REPLY_THRESHOLD 364
|
||||
#define VAR_LOG_TIME_ASCII 365
|
||||
#define VAR_DOMAIN_INSECURE 366
|
||||
#define VAR_PYTHON 367
|
||||
#define VAR_PYTHON_SCRIPT 368
|
||||
#define VAR_VAL_SIG_SKEW_MIN 369
|
||||
#define VAR_VAL_SIG_SKEW_MAX 370
|
||||
#define VAR_CACHE_MIN_TTL 371
|
||||
#define VAR_VAL_LOG_LEVEL 372
|
||||
#define VAR_AUTO_TRUST_ANCHOR_FILE 373
|
||||
#define VAR_KEEP_MISSING 374
|
||||
#define VAR_ADD_HOLDDOWN 375
|
||||
#define VAR_DEL_HOLDDOWN 376
|
||||
#define VAR_SO_RCVBUF 377
|
||||
#define VAR_EDNS_BUFFER_SIZE 378
|
||||
#define VAR_PREFETCH 379
|
||||
#define VAR_PREFETCH_KEY 380
|
||||
#define VAR_SO_SNDBUF 381
|
||||
#define VAR_SO_REUSEPORT 382
|
||||
#define VAR_HARDEN_BELOW_NXDOMAIN 383
|
||||
#define VAR_IGNORE_CD_FLAG 384
|
||||
#define VAR_LOG_QUERIES 385
|
||||
#define VAR_LOG_REPLIES 386
|
||||
#define VAR_LOG_LOCAL_ACTIONS 387
|
||||
#define VAR_TCP_UPSTREAM 388
|
||||
#define VAR_SSL_UPSTREAM 389
|
||||
#define VAR_SSL_SERVICE_KEY 390
|
||||
#define VAR_SSL_SERVICE_PEM 391
|
||||
#define VAR_SSL_PORT 392
|
||||
#define VAR_FORWARD_FIRST 393
|
||||
#define VAR_STUB_SSL_UPSTREAM 394
|
||||
#define VAR_FORWARD_SSL_UPSTREAM 395
|
||||
#define VAR_TLS_CERT_BUNDLE 396
|
||||
#define VAR_HTTPS_PORT 397
|
||||
#define VAR_HTTP_ENDPOINT 398
|
||||
#define VAR_HTTP_MAX_STREAMS 399
|
||||
#define VAR_HTTP_QUERY_BUFFER_SIZE 400
|
||||
#define VAR_HTTP_RESPONSE_BUFFER_SIZE 401
|
||||
#define VAR_HTTP_NODELAY 402
|
||||
#define VAR_HTTP_NOTLS_DOWNSTREAM 403
|
||||
#define VAR_STUB_FIRST 404
|
||||
#define VAR_MINIMAL_RESPONSES 405
|
||||
#define VAR_RRSET_ROUNDROBIN 406
|
||||
#define VAR_MAX_UDP_SIZE 407
|
||||
#define VAR_DELAY_CLOSE 408
|
||||
#define VAR_UDP_CONNECT 409
|
||||
#define VAR_UNBLOCK_LAN_ZONES 410
|
||||
#define VAR_INSECURE_LAN_ZONES 411
|
||||
#define VAR_INFRA_CACHE_MIN_RTT 412
|
||||
#define VAR_INFRA_KEEP_PROBING 413
|
||||
#define VAR_DNS64_PREFIX 414
|
||||
#define VAR_DNS64_SYNTHALL 415
|
||||
#define VAR_DNS64_IGNORE_AAAA 416
|
||||
#define VAR_DNSTAP 417
|
||||
#define VAR_DNSTAP_ENABLE 418
|
||||
#define VAR_DNSTAP_SOCKET_PATH 419
|
||||
#define VAR_DNSTAP_IP 420
|
||||
#define VAR_DNSTAP_TLS 421
|
||||
#define VAR_DNSTAP_TLS_SERVER_NAME 422
|
||||
#define VAR_DNSTAP_TLS_CERT_BUNDLE 423
|
||||
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 424
|
||||
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 425
|
||||
#define VAR_DNSTAP_SEND_IDENTITY 426
|
||||
#define VAR_DNSTAP_SEND_VERSION 427
|
||||
#define VAR_DNSTAP_BIDIRECTIONAL 428
|
||||
#define VAR_DNSTAP_IDENTITY 429
|
||||
#define VAR_DNSTAP_VERSION 430
|
||||
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 431
|
||||
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 432
|
||||
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 433
|
||||
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 434
|
||||
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 435
|
||||
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 436
|
||||
#define VAR_RESPONSE_IP_TAG 437
|
||||
#define VAR_RESPONSE_IP 438
|
||||
#define VAR_RESPONSE_IP_DATA 439
|
||||
#define VAR_HARDEN_ALGO_DOWNGRADE 440
|
||||
#define VAR_IP_TRANSPARENT 441
|
||||
#define VAR_IP_DSCP 442
|
||||
#define VAR_DISABLE_DNSSEC_LAME_CHECK 443
|
||||
#define VAR_IP_RATELIMIT 444
|
||||
#define VAR_IP_RATELIMIT_SLABS 445
|
||||
#define VAR_IP_RATELIMIT_SIZE 446
|
||||
#define VAR_RATELIMIT 447
|
||||
#define VAR_RATELIMIT_SLABS 448
|
||||
#define VAR_RATELIMIT_SIZE 449
|
||||
#define VAR_RATELIMIT_FOR_DOMAIN 450
|
||||
#define VAR_RATELIMIT_BELOW_DOMAIN 451
|
||||
#define VAR_IP_RATELIMIT_FACTOR 452
|
||||
#define VAR_RATELIMIT_FACTOR 453
|
||||
#define VAR_SEND_CLIENT_SUBNET 454
|
||||
#define VAR_CLIENT_SUBNET_ZONE 455
|
||||
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 456
|
||||
#define VAR_CLIENT_SUBNET_OPCODE 457
|
||||
#define VAR_MAX_CLIENT_SUBNET_IPV4 458
|
||||
#define VAR_MAX_CLIENT_SUBNET_IPV6 459
|
||||
#define VAR_MIN_CLIENT_SUBNET_IPV4 460
|
||||
#define VAR_MIN_CLIENT_SUBNET_IPV6 461
|
||||
#define VAR_MAX_ECS_TREE_SIZE_IPV4 462
|
||||
#define VAR_MAX_ECS_TREE_SIZE_IPV6 463
|
||||
#define VAR_CAPS_WHITELIST 464
|
||||
#define VAR_CACHE_MAX_NEGATIVE_TTL 465
|
||||
#define VAR_PERMIT_SMALL_HOLDDOWN 466
|
||||
#define VAR_QNAME_MINIMISATION 467
|
||||
#define VAR_QNAME_MINIMISATION_STRICT 468
|
||||
#define VAR_IP_FREEBIND 469
|
||||
#define VAR_DEFINE_TAG 470
|
||||
#define VAR_LOCAL_ZONE_TAG 471
|
||||
#define VAR_ACCESS_CONTROL_TAG 472
|
||||
#define VAR_LOCAL_ZONE_OVERRIDE 473
|
||||
#define VAR_ACCESS_CONTROL_TAG_ACTION 474
|
||||
#define VAR_ACCESS_CONTROL_TAG_DATA 475
|
||||
#define VAR_VIEW 476
|
||||
#define VAR_ACCESS_CONTROL_VIEW 477
|
||||
#define VAR_VIEW_FIRST 478
|
||||
#define VAR_SERVE_EXPIRED 479
|
||||
#define VAR_SERVE_EXPIRED_TTL 480
|
||||
#define VAR_SERVE_EXPIRED_TTL_RESET 481
|
||||
#define VAR_SERVE_EXPIRED_REPLY_TTL 482
|
||||
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 483
|
||||
#define VAR_SERVE_ORIGINAL_TTL 484
|
||||
#define VAR_FAKE_DSA 485
|
||||
#define VAR_FAKE_SHA1 486
|
||||
#define VAR_LOG_IDENTITY 487
|
||||
#define VAR_HIDE_TRUSTANCHOR 488
|
||||
#define VAR_TRUST_ANCHOR_SIGNALING 489
|
||||
#define VAR_AGGRESSIVE_NSEC 490
|
||||
#define VAR_USE_SYSTEMD 491
|
||||
#define VAR_SHM_ENABLE 492
|
||||
#define VAR_SHM_KEY 493
|
||||
#define VAR_ROOT_KEY_SENTINEL 494
|
||||
#define VAR_DNSCRYPT 495
|
||||
#define VAR_DNSCRYPT_ENABLE 496
|
||||
#define VAR_DNSCRYPT_PORT 497
|
||||
#define VAR_DNSCRYPT_PROVIDER 498
|
||||
#define VAR_DNSCRYPT_SECRET_KEY 499
|
||||
#define VAR_DNSCRYPT_PROVIDER_CERT 500
|
||||
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 501
|
||||
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 502
|
||||
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 503
|
||||
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 504
|
||||
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 505
|
||||
#define VAR_PAD_RESPONSES 506
|
||||
#define VAR_PAD_RESPONSES_BLOCK_SIZE 507
|
||||
#define VAR_PAD_QUERIES 508
|
||||
#define VAR_PAD_QUERIES_BLOCK_SIZE 509
|
||||
#define VAR_IPSECMOD_ENABLED 510
|
||||
#define VAR_IPSECMOD_HOOK 511
|
||||
#define VAR_IPSECMOD_IGNORE_BOGUS 512
|
||||
#define VAR_IPSECMOD_MAX_TTL 513
|
||||
#define VAR_IPSECMOD_WHITELIST 514
|
||||
#define VAR_IPSECMOD_STRICT 515
|
||||
#define VAR_CACHEDB 516
|
||||
#define VAR_CACHEDB_BACKEND 517
|
||||
#define VAR_CACHEDB_SECRETSEED 518
|
||||
#define VAR_CACHEDB_REDISHOST 519
|
||||
#define VAR_CACHEDB_REDISPORT 520
|
||||
#define VAR_CACHEDB_REDISTIMEOUT 521
|
||||
#define VAR_CACHEDB_REDISEXPIRERECORDS 522
|
||||
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 523
|
||||
#define VAR_FOR_UPSTREAM 524
|
||||
#define VAR_AUTH_ZONE 525
|
||||
#define VAR_ZONEFILE 526
|
||||
#define VAR_MASTER 527
|
||||
#define VAR_URL 528
|
||||
#define VAR_FOR_DOWNSTREAM 529
|
||||
#define VAR_FALLBACK_ENABLED 530
|
||||
#define VAR_TLS_ADDITIONAL_PORT 531
|
||||
#define VAR_LOW_RTT 532
|
||||
#define VAR_LOW_RTT_PERMIL 533
|
||||
#define VAR_FAST_SERVER_PERMIL 534
|
||||
#define VAR_FAST_SERVER_NUM 535
|
||||
#define VAR_ALLOW_NOTIFY 536
|
||||
#define VAR_TLS_WIN_CERT 537
|
||||
#define VAR_TCP_CONNECTION_LIMIT 538
|
||||
#define VAR_FORWARD_NO_CACHE 539
|
||||
#define VAR_STUB_NO_CACHE 540
|
||||
#define VAR_LOG_SERVFAIL 541
|
||||
#define VAR_DENY_ANY 542
|
||||
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 543
|
||||
#define VAR_LOG_TAG_QUERYREPLY 544
|
||||
#define VAR_STREAM_WAIT_SIZE 545
|
||||
#define VAR_TLS_CIPHERS 546
|
||||
#define VAR_TLS_CIPHERSUITES 547
|
||||
#define VAR_TLS_USE_SNI 548
|
||||
#define VAR_IPSET 549
|
||||
#define VAR_IPSET_NAME_V4 550
|
||||
#define VAR_IPSET_NAME_V6 551
|
||||
#define VAR_TLS_SESSION_TICKET_KEYS 552
|
||||
#define VAR_RPZ 553
|
||||
#define VAR_TAGS 554
|
||||
#define VAR_RPZ_ACTION_OVERRIDE 555
|
||||
#define VAR_RPZ_CNAME_OVERRIDE 556
|
||||
#define VAR_RPZ_LOG 557
|
||||
#define VAR_RPZ_LOG_NAME 558
|
||||
#define VAR_DYNLIB 559
|
||||
#define VAR_DYNLIB_FILE 560
|
||||
#define VAR_EDNS_CLIENT_STRING 561
|
||||
#define VAR_EDNS_CLIENT_STRING_OPCODE 562
|
||||
#define VAR_NSID 563
|
||||
#define VAR_ZONEMD_PERMISSIVE_MODE 564
|
||||
#define VAR_ZONEMD_REJECT_ABSENCE 565
|
||||
#define VAR_TCP_REUSE_TIMEOUT 360
|
||||
#define VAR_MAX_REUSE_TCP_QUERIES 361
|
||||
#define VAR_EXTENDED_STATISTICS 362
|
||||
#define VAR_LOCAL_DATA_PTR 363
|
||||
#define VAR_JOSTLE_TIMEOUT 364
|
||||
#define VAR_STUB_PRIME 365
|
||||
#define VAR_UNWANTED_REPLY_THRESHOLD 366
|
||||
#define VAR_LOG_TIME_ASCII 367
|
||||
#define VAR_DOMAIN_INSECURE 368
|
||||
#define VAR_PYTHON 369
|
||||
#define VAR_PYTHON_SCRIPT 370
|
||||
#define VAR_VAL_SIG_SKEW_MIN 371
|
||||
#define VAR_VAL_SIG_SKEW_MAX 372
|
||||
#define VAR_VAL_MAX_RESTART 373
|
||||
#define VAR_CACHE_MIN_TTL 374
|
||||
#define VAR_VAL_LOG_LEVEL 375
|
||||
#define VAR_AUTO_TRUST_ANCHOR_FILE 376
|
||||
#define VAR_KEEP_MISSING 377
|
||||
#define VAR_ADD_HOLDDOWN 378
|
||||
#define VAR_DEL_HOLDDOWN 379
|
||||
#define VAR_SO_RCVBUF 380
|
||||
#define VAR_EDNS_BUFFER_SIZE 381
|
||||
#define VAR_PREFETCH 382
|
||||
#define VAR_PREFETCH_KEY 383
|
||||
#define VAR_SO_SNDBUF 384
|
||||
#define VAR_SO_REUSEPORT 385
|
||||
#define VAR_HARDEN_BELOW_NXDOMAIN 386
|
||||
#define VAR_IGNORE_CD_FLAG 387
|
||||
#define VAR_LOG_QUERIES 388
|
||||
#define VAR_LOG_REPLIES 389
|
||||
#define VAR_LOG_LOCAL_ACTIONS 390
|
||||
#define VAR_TCP_UPSTREAM 391
|
||||
#define VAR_SSL_UPSTREAM 392
|
||||
#define VAR_TCP_AUTH_QUERY_TIMEOUT 393
|
||||
#define VAR_SSL_SERVICE_KEY 394
|
||||
#define VAR_SSL_SERVICE_PEM 395
|
||||
#define VAR_SSL_PORT 396
|
||||
#define VAR_FORWARD_FIRST 397
|
||||
#define VAR_STUB_SSL_UPSTREAM 398
|
||||
#define VAR_FORWARD_SSL_UPSTREAM 399
|
||||
#define VAR_TLS_CERT_BUNDLE 400
|
||||
#define VAR_HTTPS_PORT 401
|
||||
#define VAR_HTTP_ENDPOINT 402
|
||||
#define VAR_HTTP_MAX_STREAMS 403
|
||||
#define VAR_HTTP_QUERY_BUFFER_SIZE 404
|
||||
#define VAR_HTTP_RESPONSE_BUFFER_SIZE 405
|
||||
#define VAR_HTTP_NODELAY 406
|
||||
#define VAR_HTTP_NOTLS_DOWNSTREAM 407
|
||||
#define VAR_STUB_FIRST 408
|
||||
#define VAR_MINIMAL_RESPONSES 409
|
||||
#define VAR_RRSET_ROUNDROBIN 410
|
||||
#define VAR_MAX_UDP_SIZE 411
|
||||
#define VAR_DELAY_CLOSE 412
|
||||
#define VAR_UDP_CONNECT 413
|
||||
#define VAR_UNBLOCK_LAN_ZONES 414
|
||||
#define VAR_INSECURE_LAN_ZONES 415
|
||||
#define VAR_INFRA_CACHE_MIN_RTT 416
|
||||
#define VAR_INFRA_KEEP_PROBING 417
|
||||
#define VAR_DNS64_PREFIX 418
|
||||
#define VAR_DNS64_SYNTHALL 419
|
||||
#define VAR_DNS64_IGNORE_AAAA 420
|
||||
#define VAR_DNSTAP 421
|
||||
#define VAR_DNSTAP_ENABLE 422
|
||||
#define VAR_DNSTAP_SOCKET_PATH 423
|
||||
#define VAR_DNSTAP_IP 424
|
||||
#define VAR_DNSTAP_TLS 425
|
||||
#define VAR_DNSTAP_TLS_SERVER_NAME 426
|
||||
#define VAR_DNSTAP_TLS_CERT_BUNDLE 427
|
||||
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 428
|
||||
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 429
|
||||
#define VAR_DNSTAP_SEND_IDENTITY 430
|
||||
#define VAR_DNSTAP_SEND_VERSION 431
|
||||
#define VAR_DNSTAP_BIDIRECTIONAL 432
|
||||
#define VAR_DNSTAP_IDENTITY 433
|
||||
#define VAR_DNSTAP_VERSION 434
|
||||
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 435
|
||||
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 436
|
||||
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 437
|
||||
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 438
|
||||
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 439
|
||||
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 440
|
||||
#define VAR_RESPONSE_IP_TAG 441
|
||||
#define VAR_RESPONSE_IP 442
|
||||
#define VAR_RESPONSE_IP_DATA 443
|
||||
#define VAR_HARDEN_ALGO_DOWNGRADE 444
|
||||
#define VAR_IP_TRANSPARENT 445
|
||||
#define VAR_IP_DSCP 446
|
||||
#define VAR_DISABLE_DNSSEC_LAME_CHECK 447
|
||||
#define VAR_IP_RATELIMIT 448
|
||||
#define VAR_IP_RATELIMIT_SLABS 449
|
||||
#define VAR_IP_RATELIMIT_SIZE 450
|
||||
#define VAR_RATELIMIT 451
|
||||
#define VAR_RATELIMIT_SLABS 452
|
||||
#define VAR_RATELIMIT_SIZE 453
|
||||
#define VAR_RATELIMIT_FOR_DOMAIN 454
|
||||
#define VAR_RATELIMIT_BELOW_DOMAIN 455
|
||||
#define VAR_IP_RATELIMIT_FACTOR 456
|
||||
#define VAR_RATELIMIT_FACTOR 457
|
||||
#define VAR_SEND_CLIENT_SUBNET 458
|
||||
#define VAR_CLIENT_SUBNET_ZONE 459
|
||||
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 460
|
||||
#define VAR_CLIENT_SUBNET_OPCODE 461
|
||||
#define VAR_MAX_CLIENT_SUBNET_IPV4 462
|
||||
#define VAR_MAX_CLIENT_SUBNET_IPV6 463
|
||||
#define VAR_MIN_CLIENT_SUBNET_IPV4 464
|
||||
#define VAR_MIN_CLIENT_SUBNET_IPV6 465
|
||||
#define VAR_MAX_ECS_TREE_SIZE_IPV4 466
|
||||
#define VAR_MAX_ECS_TREE_SIZE_IPV6 467
|
||||
#define VAR_CAPS_WHITELIST 468
|
||||
#define VAR_CACHE_MAX_NEGATIVE_TTL 469
|
||||
#define VAR_PERMIT_SMALL_HOLDDOWN 470
|
||||
#define VAR_QNAME_MINIMISATION 471
|
||||
#define VAR_QNAME_MINIMISATION_STRICT 472
|
||||
#define VAR_IP_FREEBIND 473
|
||||
#define VAR_DEFINE_TAG 474
|
||||
#define VAR_LOCAL_ZONE_TAG 475
|
||||
#define VAR_ACCESS_CONTROL_TAG 476
|
||||
#define VAR_LOCAL_ZONE_OVERRIDE 477
|
||||
#define VAR_ACCESS_CONTROL_TAG_ACTION 478
|
||||
#define VAR_ACCESS_CONTROL_TAG_DATA 479
|
||||
#define VAR_VIEW 480
|
||||
#define VAR_ACCESS_CONTROL_VIEW 481
|
||||
#define VAR_VIEW_FIRST 482
|
||||
#define VAR_SERVE_EXPIRED 483
|
||||
#define VAR_SERVE_EXPIRED_TTL 484
|
||||
#define VAR_SERVE_EXPIRED_TTL_RESET 485
|
||||
#define VAR_SERVE_EXPIRED_REPLY_TTL 486
|
||||
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 487
|
||||
#define VAR_SERVE_ORIGINAL_TTL 488
|
||||
#define VAR_FAKE_DSA 489
|
||||
#define VAR_FAKE_SHA1 490
|
||||
#define VAR_LOG_IDENTITY 491
|
||||
#define VAR_HIDE_TRUSTANCHOR 492
|
||||
#define VAR_TRUST_ANCHOR_SIGNALING 493
|
||||
#define VAR_AGGRESSIVE_NSEC 494
|
||||
#define VAR_USE_SYSTEMD 495
|
||||
#define VAR_SHM_ENABLE 496
|
||||
#define VAR_SHM_KEY 497
|
||||
#define VAR_ROOT_KEY_SENTINEL 498
|
||||
#define VAR_DNSCRYPT 499
|
||||
#define VAR_DNSCRYPT_ENABLE 500
|
||||
#define VAR_DNSCRYPT_PORT 501
|
||||
#define VAR_DNSCRYPT_PROVIDER 502
|
||||
#define VAR_DNSCRYPT_SECRET_KEY 503
|
||||
#define VAR_DNSCRYPT_PROVIDER_CERT 504
|
||||
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 505
|
||||
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 506
|
||||
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 507
|
||||
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 508
|
||||
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 509
|
||||
#define VAR_PAD_RESPONSES 510
|
||||
#define VAR_PAD_RESPONSES_BLOCK_SIZE 511
|
||||
#define VAR_PAD_QUERIES 512
|
||||
#define VAR_PAD_QUERIES_BLOCK_SIZE 513
|
||||
#define VAR_IPSECMOD_ENABLED 514
|
||||
#define VAR_IPSECMOD_HOOK 515
|
||||
#define VAR_IPSECMOD_IGNORE_BOGUS 516
|
||||
#define VAR_IPSECMOD_MAX_TTL 517
|
||||
#define VAR_IPSECMOD_WHITELIST 518
|
||||
#define VAR_IPSECMOD_STRICT 519
|
||||
#define VAR_CACHEDB 520
|
||||
#define VAR_CACHEDB_BACKEND 521
|
||||
#define VAR_CACHEDB_SECRETSEED 522
|
||||
#define VAR_CACHEDB_REDISHOST 523
|
||||
#define VAR_CACHEDB_REDISPORT 524
|
||||
#define VAR_CACHEDB_REDISTIMEOUT 525
|
||||
#define VAR_CACHEDB_REDISEXPIRERECORDS 526
|
||||
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 527
|
||||
#define VAR_FOR_UPSTREAM 528
|
||||
#define VAR_AUTH_ZONE 529
|
||||
#define VAR_ZONEFILE 530
|
||||
#define VAR_MASTER 531
|
||||
#define VAR_URL 532
|
||||
#define VAR_FOR_DOWNSTREAM 533
|
||||
#define VAR_FALLBACK_ENABLED 534
|
||||
#define VAR_TLS_ADDITIONAL_PORT 535
|
||||
#define VAR_LOW_RTT 536
|
||||
#define VAR_LOW_RTT_PERMIL 537
|
||||
#define VAR_FAST_SERVER_PERMIL 538
|
||||
#define VAR_FAST_SERVER_NUM 539
|
||||
#define VAR_ALLOW_NOTIFY 540
|
||||
#define VAR_TLS_WIN_CERT 541
|
||||
#define VAR_TCP_CONNECTION_LIMIT 542
|
||||
#define VAR_FORWARD_NO_CACHE 543
|
||||
#define VAR_STUB_NO_CACHE 544
|
||||
#define VAR_LOG_SERVFAIL 545
|
||||
#define VAR_DENY_ANY 546
|
||||
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 547
|
||||
#define VAR_LOG_TAG_QUERYREPLY 548
|
||||
#define VAR_STREAM_WAIT_SIZE 549
|
||||
#define VAR_TLS_CIPHERS 550
|
||||
#define VAR_TLS_CIPHERSUITES 551
|
||||
#define VAR_TLS_USE_SNI 552
|
||||
#define VAR_IPSET 553
|
||||
#define VAR_IPSET_NAME_V4 554
|
||||
#define VAR_IPSET_NAME_V6 555
|
||||
#define VAR_TLS_SESSION_TICKET_KEYS 556
|
||||
#define VAR_RPZ 557
|
||||
#define VAR_TAGS 558
|
||||
#define VAR_RPZ_ACTION_OVERRIDE 559
|
||||
#define VAR_RPZ_CNAME_OVERRIDE 560
|
||||
#define VAR_RPZ_LOG 561
|
||||
#define VAR_RPZ_LOG_NAME 562
|
||||
#define VAR_DYNLIB 563
|
||||
#define VAR_DYNLIB_FILE 564
|
||||
#define VAR_EDNS_CLIENT_STRING 565
|
||||
#define VAR_EDNS_CLIENT_STRING_OPCODE 566
|
||||
#define VAR_NSID 567
|
||||
#define VAR_ZONEMD_PERMISSIVE_MODE 568
|
||||
#define VAR_ZONEMD_CHECK 569
|
||||
#define VAR_ZONEMD_REJECT_ABSENCE 570
|
||||
|
||||
/* Value type. */
|
||||
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
|
||||
@ -686,7 +697,7 @@ union YYSTYPE
|
||||
|
||||
char* str;
|
||||
|
||||
#line 690 "util/configparser.h"
|
||||
#line 701 "util/configparser.h"
|
||||
|
||||
};
|
||||
typedef union YYSTYPE YYSTYPE;
|
||||
|
@ -100,17 +100,18 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
|
||||
%token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
|
||||
%token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
|
||||
%token VAR_CONTROL_USE_CERT
|
||||
%token VAR_CONTROL_USE_CERT VAR_TCP_REUSE_TIMEOUT VAR_MAX_REUSE_TCP_QUERIES
|
||||
%token VAR_EXTENDED_STATISTICS VAR_LOCAL_DATA_PTR VAR_JOSTLE_TIMEOUT
|
||||
%token VAR_STUB_PRIME VAR_UNWANTED_REPLY_THRESHOLD VAR_LOG_TIME_ASCII
|
||||
%token VAR_DOMAIN_INSECURE VAR_PYTHON VAR_PYTHON_SCRIPT VAR_VAL_SIG_SKEW_MIN
|
||||
%token VAR_VAL_SIG_SKEW_MAX VAR_CACHE_MIN_TTL VAR_VAL_LOG_LEVEL
|
||||
%token VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING VAR_ADD_HOLDDOWN
|
||||
%token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH
|
||||
%token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT VAR_HARDEN_BELOW_NXDOMAIN
|
||||
%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_LOG_REPLIES VAR_LOG_LOCAL_ACTIONS
|
||||
%token VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
|
||||
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
|
||||
%token VAR_VAL_SIG_SKEW_MAX VAR_VAL_MAX_RESTART VAR_CACHE_MIN_TTL
|
||||
%token VAR_VAL_LOG_LEVEL VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING
|
||||
%token VAR_ADD_HOLDDOWN VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE
|
||||
%token VAR_PREFETCH VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT
|
||||
%token VAR_HARDEN_BELOW_NXDOMAIN VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES
|
||||
%token VAR_LOG_REPLIES VAR_LOG_LOCAL_ACTIONS VAR_TCP_UPSTREAM
|
||||
%token VAR_SSL_UPSTREAM VAR_TCP_AUTH_QUERY_TIMEOUT VAR_SSL_SERVICE_KEY
|
||||
%token VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
|
||||
%token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
|
||||
%token VAR_HTTPS_PORT VAR_HTTP_ENDPOINT VAR_HTTP_MAX_STREAMS
|
||||
%token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE
|
||||
@ -182,7 +183,7 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME
|
||||
%token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING
|
||||
%token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID
|
||||
%token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_REJECT_ABSENCE
|
||||
%token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE
|
||||
|
||||
%%
|
||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||
@ -243,8 +244,9 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_local_data_ptr | server_jostle_timeout |
|
||||
server_unwanted_reply_threshold | server_log_time_ascii |
|
||||
server_domain_insecure | server_val_sig_skew_min |
|
||||
server_val_sig_skew_max | server_cache_min_ttl | server_val_log_level |
|
||||
server_auto_trust_anchor_file | server_add_holddown |
|
||||
server_val_sig_skew_max | server_val_max_restart |
|
||||
server_cache_min_ttl | server_val_log_level |
|
||||
server_auto_trust_anchor_file | server_add_holddown |
|
||||
server_del_holddown | server_keep_missing | server_so_rcvbuf |
|
||||
server_edns_buffer_size | server_prefetch | server_prefetch_key |
|
||||
server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag |
|
||||
@ -301,7 +303,9 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_tls_ciphersuites | server_tls_session_ticket_keys |
|
||||
server_tls_use_sni | server_edns_client_string |
|
||||
server_edns_client_string_opcode | server_nsid |
|
||||
server_zonemd_permissive_mode
|
||||
server_zonemd_permissive_mode | server_max_reuse_tcp_queries |
|
||||
server_tcp_reuse_timeout | server_tcp_auth_query_timeout
|
||||
|
||||
;
|
||||
stubstart: VAR_STUB_ZONE
|
||||
{
|
||||
@ -368,6 +372,7 @@ authstart: VAR_AUTH_ZONE
|
||||
s->for_downstream = 1;
|
||||
s->for_upstream = 1;
|
||||
s->fallback_enabled = 0;
|
||||
s->zonemd_check = 0;
|
||||
s->zonemd_reject_absence = 0;
|
||||
s->isrpz = 0;
|
||||
} else
|
||||
@ -378,7 +383,7 @@ contents_auth: contents_auth content_auth
|
||||
| ;
|
||||
content_auth: auth_name | auth_zonefile | auth_master | auth_url |
|
||||
auth_for_downstream | auth_for_upstream | auth_fallback_enabled |
|
||||
auth_allow_notify | auth_zonemd_reject_absence
|
||||
auth_allow_notify | auth_zonemd_check | auth_zonemd_reject_absence
|
||||
;
|
||||
|
||||
rpz_tag: VAR_TAGS STRING_ARG
|
||||
@ -859,6 +864,39 @@ server_tcp_idle_timeout: VAR_TCP_IDLE_TIMEOUT STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_max_reuse_tcp_queries: VAR_MAX_REUSE_TCP_QUERIES STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_max_reuse_tcp_queries:%s)\n", $2));
|
||||
if(atoi($2) == 0 && strcmp($2, "0") != 0)
|
||||
yyerror("number expected");
|
||||
else if (atoi($2) < 1)
|
||||
cfg_parser->cfg->max_reuse_tcp_queries = 0;
|
||||
else cfg_parser->cfg->max_reuse_tcp_queries = atoi($2);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_tcp_reuse_timeout: VAR_TCP_REUSE_TIMEOUT STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_tcp_reuse_timeout:%s)\n", $2));
|
||||
if(atoi($2) == 0 && strcmp($2, "0") != 0)
|
||||
yyerror("number expected");
|
||||
else if (atoi($2) < 1)
|
||||
cfg_parser->cfg->tcp_reuse_timeout = 0;
|
||||
else cfg_parser->cfg->tcp_reuse_timeout = atoi($2);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_tcp_auth_query_timeout: VAR_TCP_AUTH_QUERY_TIMEOUT STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_tcp_auth_query_timeout:%s)\n", $2));
|
||||
if(atoi($2) == 0 && strcmp($2, "0") != 0)
|
||||
yyerror("number expected");
|
||||
else if (atoi($2) < 1)
|
||||
cfg_parser->cfg->tcp_auth_query_timeout = 0;
|
||||
else cfg_parser->cfg->tcp_auth_query_timeout = atoi($2);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_tcp_keepalive: VAR_EDNS_TCP_KEEPALIVE STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_tcp_keepalive:%s)\n", $2));
|
||||
@ -1817,6 +1855,19 @@ server_val_sig_skew_max: VAR_VAL_SIG_SKEW_MAX STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_val_max_restart: VAR_VAL_MAX_RESTART STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_val_max_restart:%s)\n", $2));
|
||||
if(*$2 == '\0' || strcmp($2, "0") == 0) {
|
||||
cfg_parser->cfg->val_max_restart = 0;
|
||||
} else {
|
||||
cfg_parser->cfg->val_max_restart = atoi($2);
|
||||
if(!cfg_parser->cfg->val_max_restart)
|
||||
yyerror("number expected");
|
||||
}
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_cache_max_ttl: VAR_CACHE_MAX_TTL STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_cache_max_ttl:%s)\n", $2));
|
||||
@ -2753,6 +2804,16 @@ auth_allow_notify: VAR_ALLOW_NOTIFY STRING_ARG
|
||||
yyerror("out of memory");
|
||||
}
|
||||
;
|
||||
auth_zonemd_check: VAR_ZONEMD_CHECK STRING_ARG
|
||||
{
|
||||
OUTYY(("P(zonemd-check:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->auths->zonemd_check =
|
||||
(strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
auth_zonemd_reject_absence: VAR_ZONEMD_REJECT_ABSENCE STRING_ARG
|
||||
{
|
||||
OUTYY(("P(zonemd-reject-absence:%s)\n", $2));
|
||||
@ -2813,13 +2874,20 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
|
||||
&& strcmp($3, "always_transparent")!=0
|
||||
&& strcmp($3, "always_refuse")!=0
|
||||
&& strcmp($3, "always_nxdomain")!=0
|
||||
&& strcmp($3, "always_nodata")!=0
|
||||
&& strcmp($3, "always_deny")!=0
|
||||
&& strcmp($3, "always_null")!=0
|
||||
&& strcmp($3, "noview")!=0
|
||||
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0) {
|
||||
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0
|
||||
&& strcmp($3, "inform_redirect") != 0
|
||||
&& strcmp($3, "ipset") != 0) {
|
||||
yyerror("local-zone type: expected static, deny, "
|
||||
"refuse, redirect, transparent, "
|
||||
"typetransparent, inform, inform_deny, "
|
||||
"always_transparent, always_refuse, "
|
||||
"always_nxdomain, noview or nodefault");
|
||||
"inform_redirect, always_transparent, "
|
||||
"always_refuse, always_nxdomain, "
|
||||
"always_nodata, always_deny, always_null, "
|
||||
"noview, nodefault or ipset");
|
||||
free($2);
|
||||
free($3);
|
||||
} else if(strcmp($3, "nodefault")==0) {
|
||||
|
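Review bot: The three new rules `server_max_reuse_tcp_queries`, `server_tcp_reuse_timeout` and `server_tcp_auth_query_timeout` (hunk at `@ -859,6 +864,39 @@`) map every negative value to 0 through `else if (atoi($2) < 1)`, because the zero case is already excluded by the preceding `atoi($2) == 0` test, so a typo such as `-30` silently disables the feature instead of being reported. If 0 is meant to be the only spelling for "disabled", the branch could instead read `else if(atoi($2) < 0) yyerror("non-negative number expected");` and leave the last `else` as the only assignment. The rules also parse with `atoi`, which gives no overflow indication and accepts trailing characters like `30x`; that matches the older numeric rules in this file, so it is a file-wide limitation rather than something to fix in this hunk alone. Note that `server_val_max_restart` in the later hunk treats an empty string as 0 while these three reject it with "number expected"; it would be worth aligning the two so empty values are handled the same way for every numeric option.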
@ -329,7 +329,10 @@ parse_create_rrset(sldns_buffer* pkt, struct rrset_parse* pset,
|
||||
return 0;
|
||||
/* copy & decompress */
|
||||
if(!parse_rr_copy(pkt, pset, *data)) {
|
||||
if(!region) free(*data);
|
||||
if(!region) {
|
||||
free(*data);
|
||||
*data = NULL;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
@ -394,8 +397,13 @@ parse_copy_decompress_rrset(sldns_buffer* pkt, struct msg_parse* msg,
|
||||
pk->rk.type = htons(pset->type);
|
||||
pk->rk.rrset_class = pset->rrset_class;
|
||||
/** read data part. */
|
||||
if(!parse_create_rrset(pkt, pset, &data, region))
|
||||
if(!parse_create_rrset(pkt, pset, &data, region)) {
|
||||
if(!region) {
|
||||
free(pk->rk.dname);
|
||||
pk->rk.dname = NULL;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
pk->entry.data = (void*)data;
|
||||
pk->entry.key = (void*)pk;
|
||||
pk->entry.hash = pset->hash;
|
||||
@ -825,9 +833,15 @@ log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* rep)
|
||||
/* not particularly fast but flexible, make wireformat and print */
|
||||
sldns_buffer* buf = sldns_buffer_new(65535);
|
||||
struct regional* region = regional_create();
|
||||
if(!reply_info_encode(qinfo, rep, 0, rep->flags, buf, 0,
|
||||
if(!(buf && region)) {
|
||||
log_err("%s: log_dns_msg: out of memory", str);
|
||||
sldns_buffer_free(buf);
|
||||
regional_destroy(region);
|
||||
return;
|
||||
}
|
||||
if(!reply_info_encode(qinfo, rep, 0, rep->flags, buf, 0,
|
||||
region, 65535, 1, 0)) {
|
||||
log_info("%s: log_dns_msg: out of memory", str);
|
||||
log_err("%s: log_dns_msg: out of memory", str);
|
||||
} else {
|
||||
char* s = sldns_wire2str_pkt(sldns_buffer_begin(buf),
|
||||
sldns_buffer_limit(buf));
|
||||
|
@ -887,7 +887,7 @@ log_cert(unsigned level, const char* str, void* cert)
|
||||
}
|
||||
#endif /* HAVE_SSL */
|
||||
|
||||
#if defined(HAVE_SSL) && defined(HAVE_NGHTTP2)
|
||||
#if defined(HAVE_SSL) && defined(HAVE_NGHTTP2) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
|
||||
static int alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out,
|
||||
unsigned char* outlen, const unsigned char* in, unsigned int inlen,
|
||||
void* ATTR_UNUSED(arg))
|
||||
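Review bot: The `#if` line now also requires HAVE_SSL_CTX_SET_ALPN_SELECT_CB, but the matching `#endif` and the place where alpn_select_cb is handed to SSL_CTX_set_alpn_select_cb are outside the hunk; that call site needs the same three-way guard, otherwise a build on an OpenSSL without the callback (presumably what the new macro detects) still fails to link or compile there. A comment at the guard would save the next reader a configure-script lookup, e.g. `/* alpn_select_cb is only usable when OpenSSL provides SSL_CTX_set_alpn_select_cb */`.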
|
@ -42,6 +42,7 @@
|
||||
#ifndef NET_HELP_H
|
||||
#define NET_HELP_H
|
||||
#include "util/log.h"
|
||||
#include "util/random.h"
|
||||
struct sock_list;
|
||||
struct regional;
|
||||
struct config_strlist;
|
||||
@ -76,8 +77,6 @@ struct config_strlist;
|
||||
|
||||
/** timeout in milliseconds for UDP queries to auth servers. */
|
||||
#define UDP_AUTH_QUERY_TIMEOUT 3000
|
||||
/** timeout in milliseconds for TCP queries to auth servers. */
|
||||
#define TCP_AUTH_QUERY_TIMEOUT 3000
|
||||
/** Advertised version of EDNS capabilities */
|
||||
#define EDNS_ADVERTISED_VERSION 0
|
||||
/** Advertised size of EDNS capabilities */
|
||||
@ -94,6 +93,9 @@ extern uint16_t EDNS_ADVERTISED_SIZE;
|
||||
/** DNSKEY secure entry point, KSK flag */
|
||||
#define DNSKEY_BIT_SEP 0x0001
|
||||
|
||||
/** return a random 16-bit number given a random source */
|
||||
#define GET_RANDOM_ID(rnd) (((unsigned)ub_random(rnd)>>8) & 0xffff)
|
||||
|
||||
/** minimal responses when positive answer */
|
||||
extern int MINIMAL_RESPONSES;
|
||||
|
||||
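Review bot: `#define GET_RANDOM_ID(rnd) (((unsigned)ub_random(rnd)>>8) & 0xffff)` discards the low byte of ub_random's output before taking 16 bits, and the comment does not say why; if the generator's low bits are known to be weaker that is worth stating, and if they are not the shift is just confusing. Since these 16 bits are the DNS transaction id that makes off-path answer forgery expensive, the comment should also record which source rnd is expected to be (presumably the resolver's seeded generator — confirm), e.g. `/** 16-bit DNS id from ub_random(rnd): bits 8..23 of the generator output; rnd must be the seeded resolver RNG */`.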
|
@ -1314,6 +1314,7 @@ ssl_handshake(struct comm_point* c)
|
||||
c->repinfo.addrlen);
|
||||
}
|
||||
|
||||
#ifdef HAVE_SSL_GET0_ALPN_SELECTED
|
||||
/* check if http2 use is negotiated */
|
||||
if(c->type == comm_http && c->h2_session) {
|
||||
const unsigned char *alpn;
|
||||
@ -1325,6 +1326,7 @@ ssl_handshake(struct comm_point* c)
|
||||
c->use_h2 = 1;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
/* setup listen rw correctly */
|
||||
if(c->tcp_is_reading) {
|
||||
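Review bot: With HAVE_SSL_GET0_ALPN_SELECTED undefined the whole ALPN check is compiled out, so for a comm_http point `c->use_h2` is never set and h2 can presumably never be negotiated on that build, with no diagnostic. If that fallback is intended, say so at the guard, `/* no SSL_get0_alpn_selected(): h2 cannot be negotiated on this build, use_h2 stays 0 */`, and consider a one-time verbose() so an operator configuring DoH on such a build can see why clients never get h2. The rest of ssl_handshake is outside the hunk.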
|
@ -130,6 +130,7 @@ int shm_main_init(struct daemon* daemon)
|
||||
|
||||
/* Just release memory unused */
|
||||
free(daemon->shm_info);
|
||||
daemon->shm_info = NULL;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -143,6 +144,7 @@ int shm_main_init(struct daemon* daemon)
|
||||
|
||||
/* Just release memory unused */
|
||||
free(daemon->shm_info);
|
||||
daemon->shm_info = NULL;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -156,6 +158,7 @@ int shm_main_init(struct daemon* daemon)
|
||||
|
||||
/* Just release memory unused */
|
||||
free(daemon->shm_info);
|
||||
daemon->shm_info = NULL;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -170,6 +173,7 @@ int shm_main_init(struct daemon* daemon)
|
||||
|
||||
/* Just release memory unused */
|
||||
free(daemon->shm_info);
|
||||
daemon->shm_info = NULL;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -210,6 +214,8 @@ void shm_main_shutdown(struct daemon* daemon)
|
||||
if (daemon->shm_info->ptr_arr)
|
||||
shmdt(daemon->shm_info->ptr_arr);
|
||||
|
||||
free(daemon->shm_info);
|
||||
daemon->shm_info = NULL;
|
||||
#else
|
||||
(void)daemon;
|
||||
#endif /* HAVE_SHMGET */
|
||||
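Review bot: `daemon->shm_info->ptr_arr` is dereferenced at the top of this hunk, while the four shm_main_init hunks above now leave `daemon->shm_info` NULL on every failure path; if shm_main_shutdown can run after a failed init, it needs `if(!daemon->shm_info) return;` before the first dereference. The beginning of shm_main_shutdown is outside the hunk, so such a guard may already exist there — worth checking, since the NULL-ing is exactly what turns the old double free into a NULL dereference here.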
|
@ -53,21 +53,69 @@ on 1 byte), but shoehorning those bytes into integers efficiently is messy.
|
||||
#include "util/storage/lookup3.h"
|
||||
#include <stdio.h> /* defines printf for tests */
|
||||
#include <time.h> /* defines time_t for timings in the test */
|
||||
/*#include <stdint.h> defines uint32_t etc (from config.h) */
|
||||
#include <sys/param.h> /* attempt to define endianness */
|
||||
#ifdef HAVE_SYS_TYPES_H
|
||||
# include <sys/types.h> /* attempt to define endianness (solaris) */
|
||||
#endif
|
||||
#if defined(linux) || defined(__OpenBSD__)
|
||||
|
||||
/*
|
||||
* If our build system provides endianness info, signalled by
|
||||
* HAVE_TARGET_ENDIANNESS and the presence or absence of TARGET_IS_BIG_ENDIAN,
|
||||
* use that. Otherwise try to work out the endianness.
|
||||
*/
|
||||
#if defined(HAVE_TARGET_ENDIANNESS)
|
||||
# if defined(TARGET_IS_BIG_ENDIAN)
|
||||
# define HASH_LITTLE_ENDIAN 0
|
||||
# define HASH_BIG_ENDIAN 1
|
||||
# else
|
||||
# define HASH_LITTLE_ENDIAN 1
|
||||
# define HASH_BIG_ENDIAN 0
|
||||
# endif
|
||||
#else
|
||||
# include <sys/param.h> /* attempt to define endianness */
|
||||
# ifdef HAVE_SYS_TYPES_H
|
||||
# include <sys/types.h> /* attempt to define endianness (solaris) */
|
||||
# endif
|
||||
# if defined(linux) || defined(__OpenBSD__)
|
||||
# ifdef HAVE_ENDIAN_H
|
||||
# include <endian.h> /* attempt to define endianness */
|
||||
# else
|
||||
# include <machine/endian.h> /* on older OpenBSD */
|
||||
# endif
|
||||
#endif
|
||||
#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__)
|
||||
#include <sys/endian.h> /* attempt to define endianness */
|
||||
#endif
|
||||
# endif
|
||||
# if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__)
|
||||
# include <sys/endian.h> /* attempt to define endianness */
|
||||
# endif
|
||||
/*
|
||||
* My best guess at if you are big-endian or little-endian. This may
|
||||
* need adjustment.
|
||||
*/
|
||||
# if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \
|
||||
__BYTE_ORDER == __LITTLE_ENDIAN) || \
|
||||
(defined(i386) || defined(__i386__) || defined(__i486__) || \
|
||||
defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL) || defined(__x86))
|
||||
# define HASH_LITTLE_ENDIAN 1
|
||||
# define HASH_BIG_ENDIAN 0
|
||||
# elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \
|
||||
__BYTE_ORDER == __BIG_ENDIAN) || \
|
||||
(defined(sparc) || defined(__sparc) || defined(__sparc__) || defined(POWERPC) || defined(mc68000) || defined(sel))
|
||||
# define HASH_LITTLE_ENDIAN 0
|
||||
# define HASH_BIG_ENDIAN 1
|
||||
# elif defined(_MACHINE_ENDIAN_H_)
|
||||
/* test for machine_endian_h protects failure if some are empty strings */
|
||||
# if defined(_BYTE_ORDER) && defined(_BIG_ENDIAN) && _BYTE_ORDER == _BIG_ENDIAN
|
||||
# define HASH_LITTLE_ENDIAN 0
|
||||
# define HASH_BIG_ENDIAN 1
|
||||
# endif
|
||||
# if defined(_BYTE_ORDER) && defined(_LITTLE_ENDIAN) && _BYTE_ORDER == _LITTLE_ENDIAN
|
||||
# define HASH_LITTLE_ENDIAN 1
|
||||
# define HASH_BIG_ENDIAN 0
|
||||
# endif /* _MACHINE_ENDIAN_H_ */
|
||||
# else
|
||||
# define HASH_LITTLE_ENDIAN 0
|
||||
# define HASH_BIG_ENDIAN 0
|
||||
# endif
|
||||
#endif /* defined(HAVE_TARGET_ENDIANNESS) */
|
||||
|
||||
#define hashsize(n) ((uint32_t)1<<(n))
|
||||
#define hashmask(n) (hashsize(n)-1)
|
||||
#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
|
||||
|
||||
/* random initial value */
|
||||
static uint32_t raninit = (uint32_t)0xdeadbeef;
|
||||
@ -78,40 +126,6 @@ hash_set_raninit(uint32_t v)
|
||||
raninit = v;
|
||||
}
|
||||
|
||||
/*
|
||||
* My best guess at if you are big-endian or little-endian. This may
|
||||
* need adjustment.
|
||||
*/
|
||||
#if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \
|
||||
__BYTE_ORDER == __LITTLE_ENDIAN) || \
|
||||
(defined(i386) || defined(__i386__) || defined(__i486__) || \
|
||||
defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL) || defined(__x86))
|
||||
# define HASH_LITTLE_ENDIAN 1
|
||||
# define HASH_BIG_ENDIAN 0
|
||||
#elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \
|
||||
__BYTE_ORDER == __BIG_ENDIAN) || \
|
||||
(defined(sparc) || defined(__sparc) || defined(__sparc__) || defined(POWERPC) || defined(mc68000) || defined(sel))
|
||||
# define HASH_LITTLE_ENDIAN 0
|
||||
# define HASH_BIG_ENDIAN 1
|
||||
#elif defined(_MACHINE_ENDIAN_H_)
|
||||
/* test for machine_endian_h protects failure if some are empty strings */
|
||||
# if defined(_BYTE_ORDER) && defined(_BIG_ENDIAN) && _BYTE_ORDER == _BIG_ENDIAN
|
||||
# define HASH_LITTLE_ENDIAN 0
|
||||
# define HASH_BIG_ENDIAN 1
|
||||
# endif
|
||||
# if defined(_BYTE_ORDER) && defined(_LITTLE_ENDIAN) && _BYTE_ORDER == _LITTLE_ENDIAN
|
||||
# define HASH_LITTLE_ENDIAN 1
|
||||
# define HASH_BIG_ENDIAN 0
|
||||
# endif /* _MACHINE_ENDIAN_H_ */
|
||||
#else
|
||||
# define HASH_LITTLE_ENDIAN 0
|
||||
# define HASH_BIG_ENDIAN 0
|
||||
#endif
|
||||
|
||||
#define hashsize(n) ((uint32_t)1<<(n))
|
||||
#define hashmask(n) (hashsize(n)-1)
|
||||
#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
|
||||
|
||||
/*
|
||||
-------------------------------------------------------------------------------
|
||||
mix -- mix 3 32-bit values reversibly.
|
||||
|
@ -1077,6 +1077,17 @@ trustanchor_state2str(autr_state_type s)
|
||||
return " UNKNOWN ";
|
||||
}
|
||||
|
||||
/** ctime r for autotrust */
|
||||
static char* autr_ctime_r(time_t* t, char* s)
|
||||
{
|
||||
ctime_r(t, s);
|
||||
#ifdef USE_WINSOCK
|
||||
if(strlen(s) > 10 && s[7]==' ' && s[8]=='0')
|
||||
s[8]=' '; /* fix error in windows ctime */
|
||||
#endif
|
||||
return s;
|
||||
}
|
||||
|
||||
/** print ID to file */
|
||||
static int
|
||||
print_id(FILE* out, char* fname, uint8_t* nm, size_t nmlen, uint16_t dclass)
|
||||
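Review bot: The return value of `ctime_r(t, s);` is ignored, yet ctime_r returns NULL when the time cannot be formatted (for example a year outside the representable range), and then the Windows fix-up below and every caller in the later hunks (autr_write_contents, autr_debug_print_ta, autr_debug_print_tp) read an unwritten buffer through strlen and %s. Because those callers already guard with `if(buf[0])`, an empty string is the safe failure: `if(!ctime_r(t, s)) { s[0] = 0; return s; }`. The wrapper also presumes the caller's buffer is at least the 26 bytes ctime_r needs; the sizes of `tmi` and `buf` are outside these hunks, so that deserves a line in the comment. The header comment itself should say what the wrapper does, e.g. `/** ctime_r wrapper; on Windows, turns the zero-padded day-of-month ("Jan 05") into the POSIX space-padded form ("Jan  5") */`.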
@ -1123,13 +1134,13 @@ autr_write_contents(FILE* out, char* fn, struct trust_anchor* tp)
|
||||
}
|
||||
if(fprintf(out, ";;last_queried: %u ;;%s",
|
||||
(unsigned int)tp->autr->last_queried,
|
||||
ctime_r(&(tp->autr->last_queried), tmi)) < 0 ||
|
||||
autr_ctime_r(&(tp->autr->last_queried), tmi)) < 0 ||
|
||||
fprintf(out, ";;last_success: %u ;;%s",
|
||||
(unsigned int)tp->autr->last_success,
|
||||
ctime_r(&(tp->autr->last_success), tmi)) < 0 ||
|
||||
autr_ctime_r(&(tp->autr->last_success), tmi)) < 0 ||
|
||||
fprintf(out, ";;next_probe_time: %u ;;%s",
|
||||
(unsigned int)tp->autr->next_probe_time,
|
||||
ctime_r(&(tp->autr->next_probe_time), tmi)) < 0 ||
|
||||
autr_ctime_r(&(tp->autr->next_probe_time), tmi)) < 0 ||
|
||||
fprintf(out, ";;query_failed: %d\n", (int)tp->autr->query_failed)<0
|
||||
|| fprintf(out, ";;query_interval: %d\n",
|
||||
(int)tp->autr->query_interval) < 0 ||
|
||||
@ -1160,7 +1171,7 @@ autr_write_contents(FILE* out, char* fn, struct trust_anchor* tp)
|
||||
";;lastchange=%u ;;%s", str, (int)ta->s,
|
||||
trustanchor_state2str(ta->s), (int)ta->pending_count,
|
||||
(unsigned int)ta->last_change,
|
||||
ctime_r(&(ta->last_change), tmi)) < 0) {
|
||||
autr_ctime_r(&(ta->last_change), tmi)) < 0) {
|
||||
log_err("could not write to %s: %s", fn, strerror(errno));
|
||||
free(str);
|
||||
return 0;
|
||||
@ -1579,6 +1590,7 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve,
|
||||
for(ds_idx=0; ds_idx<num; ds_idx++) {
|
||||
if(!ds_digest_algo_is_supported(ds_rrset, ds_idx) ||
|
||||
!ds_key_algo_is_supported(ds_rrset, ds_idx) ||
|
||||
!dnskey_size_is_supported(dnskey_rrset, key_idx) ||
|
||||
ds_get_digest_algo(ds_rrset, ds_idx) != d)
|
||||
continue;
|
||||
if(ds_get_key_algo(ds_rrset, ds_idx)
|
||||
@ -1633,7 +1645,8 @@ update_events(struct module_env* env, struct val_env* ve,
|
||||
}
|
||||
/* is a key of this type supported?. Note rr_list and
|
||||
* packed_rrset are in the same order. */
|
||||
if(!dnskey_algo_is_supported(dnskey_rrset, i)) {
|
||||
if(!dnskey_algo_is_supported(dnskey_rrset, i) ||
|
||||
!dnskey_size_is_supported(dnskey_rrset, i)) {
|
||||
/* skip unknown algorithm key, it is useless to us */
|
||||
log_nametypeclass(VERB_DETAIL, "trust point has "
|
||||
"unsupported algorithm at",
|
||||
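Review bot: The log text `"unsupported algorithm at"` no longer matches the condition: with `!dnskey_size_is_supported(dnskey_rrset, i)` added, a key is also skipped for an unsupported key size, and the comment `/* skip unknown algorithm key, it is useless to us */` has the same drift. Suggest `"unsupported algorithm or key size at"` and `/* skip keys with an unknown algorithm or an unsupported size, they are useless to us */`, so an operator debugging a trust point that stopped probing sees the real cause. The remainder of update_events is outside the hunk.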
@ -2262,7 +2275,7 @@ autr_debug_print_ta(struct autr_ta* ta)
|
||||
return;
|
||||
}
|
||||
if(str[0]) str[strlen(str)-1]=0; /* remove newline */
|
||||
ctime_r(&ta->last_change, buf);
|
||||
autr_ctime_r(&ta->last_change, buf);
|
||||
if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */
|
||||
log_info("[%s] %s ;;state:%d ;;pending_count:%d%s%s last:%s",
|
||||
trustanchor_state2str(ta->s), str, ta->s, ta->pending_count,
|
||||
@ -2289,13 +2302,13 @@ autr_debug_print_tp(struct trust_anchor* tp)
|
||||
log_packed_rrset(NO_VERBOSE, "DNSKEY:", tp->dnskey_rrset);
|
||||
}
|
||||
log_info("file %s", tp->autr->file);
|
||||
ctime_r(&tp->autr->last_queried, buf);
|
||||
autr_ctime_r(&tp->autr->last_queried, buf);
|
||||
if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */
|
||||
log_info("last_queried: %u %s", (unsigned)tp->autr->last_queried, buf);
|
||||
ctime_r(&tp->autr->last_success, buf);
|
||||
autr_ctime_r(&tp->autr->last_success, buf);
|
||||
if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */
|
||||
log_info("last_success: %u %s", (unsigned)tp->autr->last_success, buf);
|
||||
ctime_r(&tp->autr->next_probe_time, buf);
|
||||
autr_ctime_r(&tp->autr->next_probe_time, buf);
|
||||
if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */
|
||||
log_info("next_probe_time: %u %s", (unsigned)tp->autr->next_probe_time,
|
||||
buf);
|
||||
|
@ -971,7 +971,8 @@ anchors_dnskey_unsupported(struct trust_anchor* ta)
|
||||
{
|
||||
size_t i, num = 0;
|
||||
for(i=0; i<ta->numDNSKEY; i++) {
|
||||
if(!dnskey_algo_is_supported(ta->dnskey_rrset, i))
|
||||
if(!dnskey_algo_is_supported(ta->dnskey_rrset, i) ||
|
||||
!dnskey_size_is_supported(ta->dnskey_rrset, i))
|
||||
num++;
|
||||
}
|
||||
return num;
|
||||
@ -1048,6 +1049,10 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
|
||||
const char** zstr;
|
||||
char* nm;
|
||||
sldns_buffer* parsebuf = sldns_buffer_new(65535);
|
||||
if(!parsebuf) {
|
||||
log_err("malloc error in anchors_apply_cfg.");
|
||||
return 0;
|
||||
}
|
||||
if(cfg->insecure_lan_zones) {
|
||||
for(zstr = as112_zones; *zstr; zstr++) {
|
||||
if(!anchor_insert_insecure(anchors, *zstr)) {
|
||||
|
@ -180,6 +180,7 @@ nsec_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
{
|
||||
struct packed_rrset_data* d = (struct packed_rrset_data*)
|
||||
nsec->entry.data;
|
||||
if(!d) return 0;
|
||||
if(d->security == sec_status_secure)
|
||||
return 1;
|
||||
rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
|
||||
|
@ -386,6 +386,49 @@ int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
|
||||
dnskey_idx));
|
||||
}
|
||||
|
||||
int dnskey_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
|
||||
size_t dnskey_idx)
|
||||
{
|
||||
#ifdef DEPRECATE_RSA_1024
|
||||
uint8_t* rdata;
|
||||
size_t len;
|
||||
int alg = dnskey_get_algo(dnskey_rrset, dnskey_idx);
|
||||
size_t keysize;
|
||||
|
||||
rrset_get_rdata(dnskey_rrset, dnskey_idx, &rdata, &len);
|
||||
if(len < 2+4)
|
||||
return 0;
|
||||
keysize = sldns_rr_dnskey_key_size_raw(rdata+2+4, len-2-4, alg);
|
||||
|
||||
switch((sldns_algorithm)alg) {
|
||||
case LDNS_RSAMD5:
|
||||
case LDNS_RSASHA1:
|
||||
case LDNS_RSASHA1_NSEC3:
|
||||
case LDNS_RSASHA256:
|
||||
case LDNS_RSASHA512:
|
||||
/* reject RSA keys of 1024 bits and shorter */
|
||||
if(keysize <= 1024)
|
||||
return 0;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
#else
|
||||
(void)dnskey_rrset; (void)dnskey_idx;
|
||||
#endif /* DEPRECATE_RSA_1024 */
|
||||
return 1;
|
||||
}
|
||||
|
||||
int dnskeyset_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset)
|
||||
{
|
||||
size_t i, num = rrset_get_count(dnskey_rrset);
|
||||
for(i=0; i<num; i++) {
|
||||
if(!dnskey_size_is_supported(dnskey_rrset, i))
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
void algo_needs_init_dnskey_add(struct algo_needs* n,
|
||||
struct ub_packed_rrset_key* dnskey, uint8_t* sigalg)
|
||||
{
|
||||
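Review bot: The threshold at `if(keysize <= 1024)` is a bare magic number that decides whether a zone is downgraded to insecure in val_utils.c; give it a name next to DEPRECATE_RSA_1024 (a placeholder such as `RSA_MIN_KEYSIZE_BITS`) so the policy is visible and adjustable in one place. Note also that the `if(len < 2+4) return 0;` rejection of truncated DNSKEY RDATA exists only in the DEPRECATE_RSA_1024 build — without it the same record is reported as size-supported — and that non-RSA algorithms are never size-checked; both facts belong in a comment above the function, e.g. `/* Only RSA is size-checked, and only when DEPRECATE_RSA_1024 is defined; RSA keys of 1024 bits or less (and RDATA too short to hold a key) are reported unsupported */`. The `2+4` offsets (RDATA length prefix, then flags/protocol/algorithm) would read better as named constants or a comment as well.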
|
@ -180,6 +180,23 @@ uint16_t ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx);
|
||||
int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
|
||||
size_t dnskey_idx);
|
||||
|
||||
/**
|
||||
* See if the DNSKEY size at that algorithm is supported.
|
||||
* @param dnskey_rrset: DNSKEY rrset.
|
||||
* @param dnskey_idx: index of RR in rrset.
|
||||
* @return true if supported.
|
||||
*/
|
||||
int dnskey_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
|
||||
size_t dnskey_idx);
|
||||
|
||||
/**
|
||||
* See if the DNSKEY size at that algorithm is supported for all the
|
||||
* RRs in the DNSKEY RRset.
|
||||
* @param dnskey_rrset: DNSKEY rrset.
|
||||
* @return true if supported.
|
||||
*/
|
||||
int dnskeyset_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset);
|
||||
|
||||
/**
|
||||
* See if DS digest algorithm is supported
|
||||
* @param ds_rrset: DS rrset
|
||||
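Review bot: The new doc comments for dnskey_size_is_supported and dnskeyset_size_is_supported do not mention that the check is compiled only under DEPRECATE_RSA_1024 and otherwise always returns true, nor what "supported size" currently means; a caller reading only the header cannot tell that a returned 0 leads to an insecure (not bogus) result in val_utils.c. Suggest adding to each: `* Only effective when built with DEPRECATE_RSA_1024 (rejects RSA keys of 1024 bits or less); otherwise always returns true.`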
|
@ -418,7 +418,7 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
|
||||
struct module_qstate* qstate)
|
||||
{
|
||||
enum sec_status sec = sec_status_bogus;
|
||||
size_t i, num, numchecked = 0, numhashok = 0;
|
||||
size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0;
|
||||
num = rrset_get_count(dnskey_rrset);
|
||||
for(i=0; i<num; i++) {
|
||||
/* Skip DNSKEYs that don't match the basic criteria. */
|
||||
@ -441,6 +441,11 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
|
||||
continue;
|
||||
}
|
||||
numhashok++;
|
||||
if(!dnskey_size_is_supported(dnskey_rrset, i)) {
|
||||
verbose(VERB_ALGO, "DS okay but that DNSKEY size is not supported");
|
||||
numsizesupp++;
|
||||
continue;
|
||||
}
|
||||
verbose(VERB_ALGO, "DS match digest ok, trying signature");
|
||||
|
||||
/* Otherwise, we have a match! Make sure that the DNSKEY
|
||||
@ -452,6 +457,10 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
|
||||
}
|
||||
/* If it didn't validate with the DNSKEY, try the next one! */
|
||||
}
|
||||
if(numsizesupp != 0) {
|
||||
/* there is a working DS, but that DNSKEY is not supported */
|
||||
return sec_status_insecure;
|
||||
}
|
||||
if(numchecked == 0)
|
||||
algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx),
|
||||
reason, "no keys have a DS");
|
||||
@ -519,17 +528,24 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
|
||||
continue;
|
||||
}
|
||||
|
||||
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
|
||||
ds_rrset, i, reason, qstate);
|
||||
if(sec == sec_status_insecure)
|
||||
continue;
|
||||
|
||||
/* Once we see a single DS with a known digestID and
|
||||
* algorithm, we cannot return INSECURE (with a
|
||||
* "null" KeyEntry). */
|
||||
has_useful_ds = 1;
|
||||
|
||||
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
|
||||
ds_rrset, i, reason, qstate);
|
||||
if(sec == sec_status_secure) {
|
||||
if(!sigalg || algo_needs_set_secure(&needs,
|
||||
(uint8_t)ds_get_key_algo(ds_rrset, i))) {
|
||||
verbose(VERB_ALGO, "DS matched DNSKEY.");
|
||||
if(!dnskeyset_size_is_supported(dnskey_rrset)) {
|
||||
verbose(VERB_ALGO, "DS works, but dnskeyset contain keys that are unsupported, treat as insecure");
|
||||
return sec_status_insecure;
|
||||
}
|
||||
return sec_status_secure;
|
||||
}
|
||||
} else if(sigalg && sec == sec_status_bogus) {
|
||||
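Review bot: The block `if(!dnskeyset_size_is_supported(dnskey_rrset)) { verbose(...); return sec_status_insecure; }` needs a comment on why the result is insecure rather than bogus, since the same block appears twice more in the val_verify_DNSKEY_with_TA hunks below and a future reader may "fix" it: the DNSKEY RRset has at this point been matched (and, presumably inside verify_dnskeys_with_ds_rr, signature-verified) against the DS, so the weak key is the zone's own and the zone is being treated as unsigned rather than as forged. Something like `/* the keyset verified, but a key is below the size policy: treat the zone as unsigned, not as bogus */` above each occurrence, or a single static helper used by all three sites, would make that explicit. The verbose text `dnskeyset contain keys` should read `contains`.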
@ -631,17 +647,24 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
|
||||
ds_get_digest_algo(ta_ds, i) != digest_algo)
|
||||
continue;
|
||||
|
||||
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
|
||||
ta_ds, i, reason, qstate);
|
||||
if(sec == sec_status_insecure)
|
||||
continue;
|
||||
|
||||
/* Once we see a single DS with a known digestID and
|
||||
* algorithm, we cannot return INSECURE (with a
|
||||
* "null" KeyEntry). */
|
||||
has_useful_ta = 1;
|
||||
|
||||
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
|
||||
ta_ds, i, reason, qstate);
|
||||
if(sec == sec_status_secure) {
|
||||
if(!sigalg || algo_needs_set_secure(&needs,
|
||||
(uint8_t)ds_get_key_algo(ta_ds, i))) {
|
||||
verbose(VERB_ALGO, "DS matched DNSKEY.");
|
||||
if(!dnskeyset_size_is_supported(dnskey_rrset)) {
|
||||
verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure");
|
||||
return sec_status_insecure;
|
||||
}
|
||||
return sec_status_secure;
|
||||
}
|
||||
} else if(sigalg && sec == sec_status_bogus) {
|
||||
@ -658,6 +681,8 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
|
||||
/* Check to see if we can understand this DNSKEY */
|
||||
if(!dnskey_algo_is_supported(ta_dnskey, i))
|
||||
continue;
|
||||
if(!dnskey_size_is_supported(ta_dnskey, i))
|
||||
continue;
|
||||
|
||||
/* we saw a useful TA */
|
||||
has_useful_ta = 1;
|
||||
@ -668,6 +693,10 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
|
||||
if(!sigalg || algo_needs_set_secure(&needs,
|
||||
(uint8_t)dnskey_get_algo(ta_dnskey, i))) {
|
||||
verbose(VERB_ALGO, "anchor matched DNSKEY.");
|
||||
if(!dnskeyset_size_is_supported(dnskey_rrset)) {
|
||||
verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure");
|
||||
return sec_status_insecure;
|
||||
}
|
||||
return sec_status_secure;
|
||||
}
|
||||
} else if(sigalg && sec == sec_status_bogus) {
|
||||
|
@ -137,6 +137,7 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
|
||||
val_env->date_override = cfg->val_date_override;
|
||||
val_env->skew_min = cfg->val_sig_skew_min;
|
||||
val_env->skew_max = cfg->val_sig_skew_max;
|
||||
val_env->max_restart = cfg->val_max_restart;
|
||||
c = cfg_count_numbers(cfg->val_nsec3_key_iterations);
|
||||
if(c < 1 || (c&1)) {
|
||||
log_err("validator: unparseable or odd nsec3 key "
|
||||
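Review bot: `val_env->max_restart = cfg->val_max_restart;` copies the new option without range checking, while the nsec3 key-iterations value right below it is validated; every `vq->restart_count < ve->max_restart` comparison in the later hunks silently disables retries for a value of 0 or below, and the old hard limit `VAL_MAX_RESTART_COUNT` was 5. Unless the config parser already bounds it (outside this hunk), consider rejecting values below 1 here in the same style, `if(cfg->val_max_restart < 1) { log_err("validator: val-max-restart must be at least 1"); return 0; }`, with the option name adjusted to whatever the parser actually accepts.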
@ -1487,7 +1488,7 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
enum val_classification subtype = val_classify_response(
|
||||
qstate->query_flags, &qstate->qinfo, &vq->qchase,
|
||||
vq->orig_msg->rep, vq->rrset_skip);
|
||||
if(vq->restart_count > VAL_MAX_RESTART_COUNT) {
|
||||
if(vq->restart_count > ve->max_restart) {
|
||||
verbose(VERB_ALGO, "restart count exceeded");
|
||||
return val_error(qstate, id);
|
||||
}
|
||||
@ -1640,7 +1641,7 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
errinf(qstate, key_entry_get_reason(vq->key_entry));
|
||||
}
|
||||
/* no retries, stop bothering the authority until timeout */
|
||||
vq->restart_count = VAL_MAX_RESTART_COUNT;
|
||||
vq->restart_count = ve->max_restart;
|
||||
vq->chase_reply->security = sec_status_bogus;
|
||||
vq->state = VAL_FINISHED_STATE;
|
||||
return 1;
|
||||
@ -1848,7 +1849,7 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
LDNS_RR_TYPE_DNSKEY, vq->key_entry->key_class);
|
||||
vq->chase_reply->security = sec_status_bogus;
|
||||
errinf(qstate, "while building chain of trust");
|
||||
if(vq->restart_count >= VAL_MAX_RESTART_COUNT)
|
||||
if(vq->restart_count >= ve->max_restart)
|
||||
key_cache_insert(ve->kcache, vq->key_entry, qstate);
|
||||
return 1;
|
||||
}
|
||||
@ -2064,7 +2065,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
* endless bogus revalidation */
|
||||
if(vq->orig_msg->rep->security == sec_status_bogus) {
|
||||
/* see if we can try again to fetch data */
|
||||
if(vq->restart_count < VAL_MAX_RESTART_COUNT) {
|
||||
if(vq->restart_count < ve->max_restart) {
|
||||
int restart_count = vq->restart_count+1;
|
||||
verbose(VERB_ALGO, "validation failed, "
|
||||
"blacklist and retry to fetch data");
|
||||
@ -2605,6 +2606,7 @@ process_ds_response(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
int id, int rcode, struct dns_msg* msg, struct query_info* qinfo,
|
||||
struct sock_list* origin)
|
||||
{
|
||||
struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
|
||||
struct key_entry_key* dske = NULL;
|
||||
uint8_t* olds = vq->empty_DS_name;
|
||||
vq->empty_DS_name = NULL;
|
||||
@ -2638,7 +2640,7 @@ process_ds_response(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
vq->chain_blacklist = NULL; /* fresh blacklist for next part*/
|
||||
/* Keep the forState.state on FINDKEY. */
|
||||
} else if(key_entry_isbad(dske)
|
||||
&& vq->restart_count < VAL_MAX_RESTART_COUNT) {
|
||||
&& vq->restart_count < ve->max_restart) {
|
||||
vq->empty_DS_name = olds;
|
||||
val_blacklist(&vq->chain_blacklist, qstate->region, origin, 1);
|
||||
qstate->errinf = NULL;
|
||||
@ -2691,7 +2693,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
/* bad response */
|
||||
verbose(VERB_DETAIL, "Missing DNSKEY RRset in response to "
|
||||
"DNSKEY query.");
|
||||
if(vq->restart_count < VAL_MAX_RESTART_COUNT) {
|
||||
if(vq->restart_count < ve->max_restart) {
|
||||
val_blacklist(&vq->chain_blacklist, qstate->region,
|
||||
origin, 1);
|
||||
qstate->errinf = NULL;
|
||||
@ -2730,7 +2732,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
* state. */
|
||||
if(!key_entry_isgood(vq->key_entry)) {
|
||||
if(key_entry_isbad(vq->key_entry)) {
|
||||
if(vq->restart_count < VAL_MAX_RESTART_COUNT) {
|
||||
if(vq->restart_count < ve->max_restart) {
|
||||
val_blacklist(&vq->chain_blacklist,
|
||||
qstate->region, origin, 1);
|
||||
qstate->errinf = NULL;
|
||||
@ -2807,7 +2809,7 @@ process_prime_response(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
lock_basic_unlock(&ta->lock);
|
||||
if(vq->key_entry) {
|
||||
if(key_entry_isbad(vq->key_entry)
|
||||
&& vq->restart_count < VAL_MAX_RESTART_COUNT) {
|
||||
&& vq->restart_count < ve->max_restart) {
|
||||
val_blacklist(&vq->chain_blacklist, qstate->region,
|
||||
origin, 1);
|
||||
qstate->errinf = NULL;
|
||||
|
@ -64,9 +64,6 @@ struct config_strlist;
|
||||
*/
|
||||
#define BOGUS_KEY_TTL 60 /* seconds */
|
||||
|
||||
/** max number of query restarts, number of IPs to probe */
|
||||
#define VAL_MAX_RESTART_COUNT 5
|
||||
|
||||
/** Root key sentinel is ta preamble */
|
||||
#define SENTINEL_IS "root-key-sentinel-is-ta-"
|
||||
/** Root key sentinel is not ta preamble */
|
||||
@ -95,6 +92,9 @@ struct val_env {
|
||||
/** clock skew max for signatures */
|
||||
int32_t skew_max;
|
||||
|
||||
/** max number of query restarts, number of IPs to probe */
|
||||
int32_t max_restart;
|
||||
|
||||
/** TTL for bogus data; used instead of untrusted TTL from data.
|
||||
* Bogus data will not be verified more often than this interval.
|
||||
* seconds. */
|
||||
|