Merge branch 'master' into svcb

This commit is contained in:
Tom Carpay 2021-07-02 13:37:08 +02:00
commit ab017cde0f
91 changed files with 7030 additions and 6135 deletions

.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file

@ -0,0 +1,41 @@
---
name: Bug report
about: Create a report to help us improve Unbound
title: ''
labels: ''
assignees: ''
---
<!--
Thanks for taking the time to report an issue!
Before continuing please make sure that you checked the existing (opened and closed) issues and pull requests to avoid opening a duplicate issue. We would rather prefer to add the information to the existing one. If you are able, feel free to reopen the closed issue afterwards. If not, please create a new issue linking to the old one.
If you rather have a support question and you need guidance on running/configuring Unbound, please refrain from opening an issue and use the community support mailing list instead (https://www.nlnetlabs.nl/support/mailing-lists/).
We would like to keep GitHub issues for possible bugs and feature requests only.
If you are unsure whether an issue is a bug or not, feel free to reach out to mailing list users or open an issue here.
If you are opening an issue, please complete as much of the following sections as possible to give us a better understanding of your situation.
-->
**Describe the bug**
A clear and concise description of what the bug is.
**To reproduce**
Steps to reproduce the behavior:
1.
2.
3.
**Expected behavior**
A clear and concise description of what you expected to happen.
**System:**
- Unbound version:
- OS:
- `unbound -V` output:
**Additional information**
Add any other information that you may have gathered about the issue here.


@ -0,0 +1,31 @@
---
name: Feature request
about: Suggest an idea for Unbound
title: "[FR]"
labels: ''
assignees: ''
---
<!--
Thanks for taking the time to report an issue!
Before continuing please make sure that you checked the existing (opened and closed) issues and pull requests to avoid opening a duplicate issue. We would rather prefer to add the information to the existing one. If you are able, feel free to reopen the closed issue afterwards. If not, please create a new issue linking to the old one.
If you rather have a support question and you need guidance on running/configuring Unbound, please refrain from opening an issue and use the community support mailing list instead (https://www.nlnetlabs.nl/support/mailing-lists/).
We would like to keep GitHub issues for possible bugs and feature requests only.
If you are unsure whether an issue is a bug or not, feel free to reach out to mailing list users or open an issue here.
If you are opening an issue, please complete as much of the following sections as possible to give us a better understanding of your situation.
-->
**Current behavior**
Is there a current behavior that the feature relates to?
If yes, would you wish the current behavior to change?
**Describe the desired feature**
A clear and concise description of what the feature should be.
**Potential use-case**
Describe how you see this feature being useful to other Unbound users.

.github/workflows/analysis_ports.yml vendored Normal file

@ -0,0 +1,346 @@
name: Analysis and Ports
on:
workflow_dispatch:
inputs:
start:
description: 'Start analysis and port workflow'
default: 'yes'
required: true
jobs:
build:
runs-on: ${{ matrix.os }}
strategy:
matrix:
include:
- name: GCC on Linux
os: ubuntu-latest
config: "--enable-debug --disable-flto"
make_test: "yes"
- name: Clang-analyzer
os: ubuntu-latest
config: "CC=clang --enable-debug --disable-flto --disable-static"
make_test: "yes"
clang_analysis: "yes"
- name: libevent
os: ubuntu-latest
install_libevent: "yes"
config: "CC=clang --enable-debug --disable-flto --with-libevent --disable-static"
make_test: "yes"
clang_analysis: "yes"
- name: OS X
os: macos-latest
install_expat: "yes"
config: "--enable-debug --disable-flto --with-ssl=/usr/local/opt/openssl --with-libexpat=/usr/local/opt/expat"
make_test: "yes"
- name: Clang on OS X
os: macos-latest
install_expat: "yes"
config: "CC=clang --enable-debug --disable-flto --with-ssl=/usr/local/opt/openssl --with-libexpat=/usr/local/opt/expat --disable-static"
make_test: "yes"
clang_analysis: "yes"
- name: ubsan (gcc undefined behaviour sanitizer)
os: ubuntu-latest
config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined -fno-sanitize-recover=all" --disable-flto --disable-static'
make_test: "yes"
- name: asan (gcc address sanitizer)
os: ubuntu-latest
config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=address" --disable-flto --disable-static'
make_test: "yes"
- name: Apple iPhone on iOS, armv7
os: macos-latest
AUTOTOOLS_HOST: armv7-apple-ios
OPENSSL_HOST: ios-cross
IOS_SDK: iPhoneOS
IOS_CPU: armv7s
test_ios: "yes"
config: "no"
make: "no"
- name: Apple iPhone on iOS, arm64
os: macos-latest
AUTOTOOLS_HOST: aarch64-apple-ios
OPENSSL_HOST: ios64-cross
IOS_SDK: iPhoneOS
IOS_CPU: arm64
test_ios: "yes"
config: "no"
make: "no"
- name: Apple TV on iOS, arm64
os: macos-latest
AUTOTOOLS_HOST: aarch64-apple-ios
OPENSSL_HOST: ios64-cross
IOS_SDK: AppleTVOS
IOS_CPU: arm64
test_ios: "yes"
config: "no"
make: "no"
- name: Apple Watch on iOS, armv7
os: macos-latest
AUTOTOOLS_HOST: armv7-apple-ios
OPENSSL_HOST: ios-cross
IOS_SDK: WatchOS
IOS_CPU: armv7k
test_ios: "yes"
config: "no"
make: "no"
- name: iPhoneSimulator on OS X, i386
os: macos-latest
AUTOTOOLS_HOST: i386-apple-ios
OPENSSL_HOST: iphoneos-cross
IOS_SDK: iPhoneSimulator
IOS_CPU: i386
test_ios: "yes"
config: "no"
make: "no"
- name: iPhoneSimulator on OS X, x86_64
os: macos-latest
AUTOTOOLS_HOST: x86_64-apple-ios
OPENSSL_HOST: iphoneos-cross
IOS_SDK: iPhoneSimulator
IOS_CPU: x86_64
test_ios: "yes"
config: "no"
make: "no"
- name: AppleTVSimulator on OS X, x86_64
os: macos-latest
AUTOTOOLS_HOST: x86_64-apple-ios
OPENSSL_HOST: iphoneos-cross
IOS_SDK: AppleTVSimulator
IOS_CPU: x86_64
test_ios: "yes"
config: "no"
make: "no"
- name: WatchSimulator on OS X, i386
os: macos-latest
AUTOTOOLS_HOST: i386-apple-ios
OPENSSL_HOST: iphoneos-cross
IOS_SDK: WatchSimulator
IOS_CPU: i386
test_ios: "yes"
config: "no"
make: "no"
- name: Android armv7a
os: ubuntu-latest
AUTOTOOLS_HOST: armv7a-linux-androidabi
OPENSSL_HOST: android-arm
ANDROID_CPU: armv7a
ANDROID_API: 23
test_android: "yes"
config: "no"
make: "no"
- name: Android aarch64
os: ubuntu-latest
AUTOTOOLS_HOST: aarch64-linux-android
OPENSSL_HOST: android-arm64
ANDROID_CPU: aarch64
ANDROID_API: 23
test_android: "yes"
config: "no"
make: "no"
- name: Android x86
os: ubuntu-latest
AUTOTOOLS_HOST: i686-linux-android
OPENSSL_HOST: android-x86
ANDROID_CPU: x86
ANDROID_API: 23
test_android: "yes"
config: "no"
make: "no"
- name: Android x86_64
os: ubuntu-latest
AUTOTOOLS_HOST: x86_64-linux-android
OPENSSL_HOST: android-x86_64
ANDROID_CPU: x86_64
ANDROID_API: 23
test_android: "yes"
config: "no"
make: "no"
- name: Windows
os: windows-latest
test_windows: "yes"
config: "no"
make: "no"
steps:
- uses: actions/checkout@v2
with:
submodules: false
- name: test_windows
if: ${{ matrix.test_windows == 'yes' }}
shell: bash
run: |
export unboundpath=`pwd`
echo unboundpath=${unboundpath}
cd ..
export prepath=`pwd`
echo prepath=${prepath}
#echo "curl cpanm"
#curl -L -k -s -S -o cpanm https://cpanmin.us/
#echo "perl cpanm Pod::Usage"
#perl cpanm Pod::Usage
mkdir openssl
echo "curl openssl"
curl -L -k -s -S -o openssl-1.1.1j.tar.gz https://www.openssl.org/source/openssl-1.1.1j.tar.gz
tar xzf openssl-1.1.1j.tar.gz
cd openssl-1.1.1j
# remove pod::Usage because we do not need -help or -man output
# from the Configure script
echo "Fixup ./Configure by removing use Pod::Usage require"
sed -e 's/use Pod::Usage//' < Configure > Configure.fix
echo "./Configure.fix no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix=\""$prepath/openssl\"""
./Configure.fix no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix="$prepath/openssl"
# make the libs only, build faster
echo "make build_libs"
#make
make build_libs
mv Makefile Makefile.orig
# fixup \\ in the installtop to /.
echo "fixup INSTALLTOP"
sed -e 's?^INSTALLTOP=.*$?INSTALLTOP='"$prepath"'/openssl?' < Makefile.orig > Makefile
# install the includes and libs only, build faster
echo "make install_dev"
#make install_sw
make install_dev
cd ..
mkdir expat
echo "curl expat"
curl -L -k -s -S -o expat-2.2.10.tar.gz https://github.com/libexpat/libexpat/releases/download/R_2_2_10/expat-2.2.10.tar.gz
tar xzf expat-2.2.10.tar.gz
cd expat-2.2.10
echo "./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix=\"$prepath/expat\" --exec-prefix=\"$prepath/expat\" --bindir=\"$prepath/expat/bin\" --includedir=\"$prepath/expat/include\" --mandir=\"$prepath/expat/man\" --libdir=\"$prepath/expat/lib\""
./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix="$prepath/expat" --exec-prefix="$prepath/expat" --bindir="$prepath/expat/bin" --includedir="$prepath/expat/include" --mandir="$prepath/expat/man" --libdir="$prepath/expat/lib"
# fixup SHELL is treated specially, but SHELZZ is not by make.
echo "Fixup Makefiles by renaming SHELL to SHELLZZ"
mv Makefile Makefile.orig
sed -e 's/SHELL/SHELLZZ/g' < Makefile.orig > Makefile
mv lib/Makefile lib/Makefile.orig
sed -e 's/SHELL/SHELLZZ/g' < lib/Makefile.orig > lib/Makefile
mv doc/Makefile doc/Makefile.orig
sed -e 's/SHELL/SHELLZZ/g' < doc/Makefile.orig > doc/Makefile
mv examples/Makefile examples/Makefile.orig
sed -e 's/SHELL/SHELLZZ/g' < examples/Makefile.orig > examples/Makefile
mv tests/Makefile tests/Makefile.orig
sed -e 's/SHELL/SHELLZZ/g' < tests/Makefile.orig > tests/Makefile
mv xmlwf/Makefile xmlwf/Makefile.orig
sed -e 's/SHELL/SHELLZZ/g' < xmlwf/Makefile.orig > xmlwf/Makefile
echo "make"
make
echo "make install"
make install
cd ..
echo "unbound"
cd unbound
echo "./configure --enable-debug --enable-static-exe --disable-flto \"--with-ssl=$prepath/openssl\" --with-libexpat=\"$prepath/expat\" --disable-shared"
./configure --enable-debug --enable-static-exe --disable-flto "--with-ssl=$prepath/openssl" --with-libexpat="$prepath/expat" --disable-shared
make
# specific test output
#make testbound.exe; ./testbound.exe -s
#make testbound; ./testbound.exe -p testdata/acl.rpl -o -vvvv
make test
- name: test_android
if: ${{ matrix.test_android == 'yes' }}
env:
AUTOTOOLS_HOST: ${{ matrix.AUTOTOOLS_HOST }}
OPENSSL_HOST: ${{ matrix.OPENSSL_HOST }}
ANDROID_API: ${{ matrix.ANDROID_API }}
ANDROID_CPU: ${{ matrix.ANDROID_CPU }}
run: |
#(already installed) ./contrib/android/install_tools.sh
export ANDROID_PREFIX="$HOME/android$ANDROID_API-$ANDROID_CPU"
echo ANDROID_PREFIX=${ANDROID_PREFIX}
export ANDROID_SDK_ROOT="$HOME/android-sdk"
echo ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}
export ANDROID_NDK_ROOT="$HOME/android-ndk"
echo ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}
export AUTOTOOLS_BUILD="$(./config.guess)"
echo AUTOTOOLS_BUILD=${AUTOTOOLS_BUILD}
export PKG_CONFIG_PATH="$ANDROID_PREFIX/lib/pkgconfig"
echo PKG_CONFIG_PATH=${PKG_CONFIG_PATH}
export CONFIG_OPTS="--build=$AUTOTOOLS_BUILD --host=$AUTOTOOLS_HOST --prefix=$ANDROID_PREFIX --with-ssl=$ANDROID_PREFIX --disable-gost --with-libexpat=$ANDROID_PREFIX"
echo CONFIG_OPTS=${CONFIG_OPTS}
echo "::group::install_ndk"
echo "./contrib/android/install_ndk.sh"
./contrib/android/install_ndk.sh
echo "::endgroup::"
echo "::group::setenv_android.sh"
echo "./contrib/android/setenv_android.sh"
source ./contrib/android/setenv_android.sh
echo "::endgroup::"
echo "::group::install_openssl"
echo "./contrib/android/install_openssl.sh"
./contrib/android/install_openssl.sh
echo "::endgroup::"
echo "::group::install_expat"
echo "./contrib/android/install_expat.sh"
./contrib/android/install_expat.sh
echo "::endgroup::"
echo "::group::configure"
echo "./configure ${CONFIG_OPTS}"
./configure ${CONFIG_OPTS}
echo "::endgroup::"
echo "::group::make"
# make is here to preserve environment variables
make
echo "::endgroup::"
echo "::group::make install"
make install
echo "::endgroup::"
- name: test ios
if: ${{ matrix.test_ios == 'yes' }}
env:
AUTOTOOLS_HOST: ${{ matrix.AUTOTOOLS_HOST }}
OPENSSL_HOST: ${{ matrix.OPENSSL_HOST }}
IOS_SDK: ${{ matrix.IOS_SDK }}
IOS_CPU: ${{ matrix.IOS_CPU }}
run: |
#(already installed) ./contrib/ios/install_tools.sh
export AUTOTOOLS_BUILD="$(./config.guess)"
echo AUTOTOOLS_BUILD=${AUTOTOOLS_BUILD}
export IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU"
echo IOS_PREFIX=${IOS_PREFIX}
export PKG_CONFIG_PATH="$IOS_PREFIX/lib/pkgconfig"
echo PKG_CONFIG_PATH=${PKG_CONFIG_PATH}
export CONFIG_OPTS="--build=$AUTOTOOLS_BUILD --host=$AUTOTOOLS_HOST --prefix=$IOS_PREFIX --with-ssl=$IOS_PREFIX --disable-gost --with-libexpat=$IOS_PREFIX"
echo CONFIG_OPTS=${CONFIG_OPTS}
echo "::group::setenv_ios.sh"
echo "./contrib/ios/setenv_ios.sh"
source ./contrib/ios/setenv_ios.sh
echo "::endgroup::"
echo "::group::install_openssl"
echo "./contrib/ios/install_openssl.sh"
./contrib/ios/install_openssl.sh
echo "::endgroup::"
echo "::group::install_expat"
echo "./contrib/ios/install_expat.sh"
./contrib/ios/install_expat.sh
echo "::endgroup::"
echo "::group::configure"
echo "./configure ${CONFIG_OPTS}"
./configure ${CONFIG_OPTS}
echo "::endgroup::"
echo "::group::make"
# make is here to preserve environment variables
make
echo "::endgroup::"
echo "::group::make install"
make install
echo "::endgroup::"
- name: install libevent
if: ${{ matrix.install_libevent == 'yes' }}
run: sudo apt-get install libevent-dev
- name: install expat
if: ${{ matrix.install_expat == 'yes' }}
run: brew install expat
- name: configure
if: ${{ matrix.config != 'no' }}
run: ./configure ${{ matrix.config }}
- name: make
if: ${{ matrix.make != 'no' }}
run: make
- name: make test
if: ${{ matrix.make_test == 'yes' }}
run: make test
- name: clang-analysis
if: ${{ matrix.clang_analysis == 'yes' }}
run: (cd testdata/clang-analysis.tdir; bash clang-analysis.test)
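Review bot: The OpenSSL and expat source archives fetched in the test_windows step (the `curl -L -k -s -S -o openssl-1.1.1j.tar.gz ...` and `curl -L -k -s -S -o expat-2.2.10.tar.gz ...` lines) are downloaded with certificate verification switched off by `-k` and are never compared against a known digest before being configured, built and linked into the binary that `make test` exercises. Dropping `-k` and checking each archive before `tar xzf`, e.g. `echo "<EXPECTED_SHA256>  openssl-1.1.1j.tar.gz" | sha256sum -c -` with the digest taken from the upstream release announcement, keeps a substituted download from silently entering the CI build. The `actions/checkout@v2` reference (also used in ci.yml) is a mutable tag rather than a commit SHA; pinning it is a separate, smaller hardening of the same kind.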

.github/workflows/ci.yml vendored Normal file

@ -0,0 +1,21 @@
name: ci
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: configure
run: ./configure --enable-debug
- name: make
run: make
- name: make test
run: make test


@ -2,7 +2,10 @@
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
# Version 38
# Version 40
# 2021-06-14 fix nonblocking test to use host instead of target for mingw test.
# 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for
# 64bit compatibility.
# 2021-03-24 fix ACX_FUNC_DEPRECATED to use CPPFLAGS and CFLAGS.
# 2021-01-05 fix defun for aclocal
# 2021-01-05 autoconf 2.70 autoupdate and fixes, no AC_TRY_COMPILE
@ -915,7 +918,7 @@ dnl a nonblocking socket do not work, a new call to select is necessary.
AC_DEFUN([ACX_CHECK_NONBLOCKING_BROKEN],
[
AC_MSG_CHECKING([if nonblocking sockets work])
if echo $target | grep mingw32 >/dev/null; then
if echo $host | grep mingw >/dev/null; then
AC_MSG_RESULT([no (windows)])
AC_DEFINE([NONBLOCKING_IS_BROKEN], 1, [Define if the network stack does not fully support nonblocking io (causes lower performance).])
else


@ -38,5 +38,5 @@ char *ctime_r(const time_t *timep, char *buf)
strcpy(buf, result);
}
lock_basic_unlock(&ctime_lock);
return result;
return buf;
}
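Review bot: Returning `buf` unconditionally on the last line removes the caller's only way to notice that ctime() failed: POSIX ctime_r() returns NULL on error, and the old `return result;` at least propagated that, at the cost of handing back a pointer to shared static storage after `lock_basic_unlock(&ctime_lock)` had released it. The start of the function, including the condition that guards the `strcpy(buf, result);` copy, is outside the hunk, so whether a NULL result is handled earlier cannot be confirmed from here; if it is not, `buf` comes back holding whatever the caller passed in. Both properties can be kept with a one-line change: `return result ? buf : NULL;`.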


@ -28,6 +28,9 @@
/* Whether daemon is deprecated */
#undef DEPRECATED_DAEMON
/* Deprecate RSA 1024 bit length, makes that an unsupported key */
#undef DEPRECATE_RSA_1024
/* Define this to enable kernel based UDP source port randomization. */
#undef DISABLE_EXPLICIT_PORT_RANDOMISATION
@ -516,6 +519,9 @@
/* Define if you have the SSL libraries installed. */
#undef HAVE_SSL
/* Define to 1 if you have the `SSL_CTX_set_alpn_protos' function. */
#undef HAVE_SSL_CTX_SET_ALPN_PROTOS
/* Define to 1 if you have the `SSL_CTX_set_alpn_select_cb' function. */
#undef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
@ -529,6 +535,9 @@
function. */
#undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
/* Define to 1 if you have the `SSL_get0_alpn_selected' function. */
#undef HAVE_SSL_GET0_ALPN_SELECTED
/* Define to 1 if you have the `SSL_get0_peername' function. */
#undef HAVE_SSL_GET0_PEERNAME

configure vendored

@ -877,6 +877,7 @@ enable_subnet
enable_gost
enable_ecdsa
enable_dsa
with_deprecate_rsa_1024
enable_ed25519
enable_ed448
enable_event_api
@ -1639,6 +1640,10 @@ Optional Packages:
/usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
/usr)
--with-libbsd Use portable libbsd functions
--with-deprecate-rsa-1024
Deprecate RSA 1024 bit length, makes that an
unsupported key, for use when OpenSSL FIPS refuses
1024 bit verification
--with-libevent=pathname
use libevent (will check /usr/local /opt/local
/usr/lib /usr/pkg /usr/sfw /usr or you can specify
@ -4199,9 +4204,9 @@ case "$exec_prefix" in
esac
# are we on MinGW?
if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
if uname -s 2>&1 | grep MINGW >/dev/null; then on_mingw="yes"
else
if echo $host $target | grep mingw32 >/dev/null; then on_mingw="yes"
if echo $host | grep mingw >/dev/null; then on_mingw="yes"
else on_mingw="no"; fi
fi
@ -14611,6 +14616,8 @@ CC=$lt_save_CC
# pkg-config is only needed for these options, do not require it otherwise
if test "$enable_systemd" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
@ -14731,6 +14738,7 @@ $as_echo "no" >&6; }
PKG_CONFIG=""
fi
fi
fi
# Checks for header files.
for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h
@ -15922,7 +15930,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if nonblocking sockets work" >&5
$as_echo_n "checking if nonblocking sockets work... " >&6; }
if echo $target | grep mingw32 >/dev/null; then
if echo $host | grep mingw >/dev/null; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no (windows)" >&5
$as_echo "no (windows)" >&6; }
@ -16190,7 +16198,10 @@ done
# check if we can use SO_REUSEPORT
if echo "$host" | $GREP -i -e linux -e dragonfly >/dev/null; then
reuseport_default=0
if echo "$host" | $GREP -i -e linux >/dev/null; then reuseport_default=1; fi
if echo "$host" | $GREP -i -e dragonfly >/dev/null; then reuseport_default=1; fi
if test "$reuseport_default" = 1; then
$as_echo "#define REUSEPORT_DEFAULT 1" >>confdefs.h
@ -18418,7 +18429,7 @@ done
# these check_funcs need -lssl
BAKLIBS="$LIBS"
LIBS="-lssl $LIBS"
for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb
for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -19035,6 +19046,18 @@ _ACEOF
;;
esac
# Check whether --with-deprecate-rsa-1024 was given.
if test "${with_deprecate_rsa_1024+set}" = set; then :
withval=$with_deprecate_rsa_1024;
fi
if test "$with_deprecate_rsa_1024" = "yes"; then
$as_echo "#define DEPRECATE_RSA_1024 1" >>confdefs.h
fi
# Check whether --enable-ed25519 was given.
if test "${enable_ed25519+set}" = set; then :
enableval=$enable_ed25519;
@ -19161,8 +19184,8 @@ fi
case "$enable_tfo_client" in
yes)
case `uname` in
Linux) ac_fn_c_check_decl "$LINENO" "MSG_FASTOPEN" "ac_cv_have_decl_MSG_FASTOPEN" "$ac_includes_default
case "$host_os" in
linux*) ac_fn_c_check_decl "$LINENO" "MSG_FASTOPEN" "ac_cv_have_decl_MSG_FASTOPEN" "$ac_includes_default
#include <netinet/tcp.h>
"
@ -19178,8 +19201,8 @@ cat >>confdefs.h <<_ACEOF
#define USE_MSG_FASTOPEN 1
_ACEOF
;;
Darwin) ac_fn_c_check_decl "$LINENO" "CONNECT_RESUME_ON_READ_WRITE" "ac_cv_have_decl_CONNECT_RESUME_ON_READ_WRITE" "$ac_includes_default
;;
darwin*) ac_fn_c_check_decl "$LINENO" "CONNECT_RESUME_ON_READ_WRITE" "ac_cv_have_decl_CONNECT_RESUME_ON_READ_WRITE" "$ac_includes_default
#include <sys/socket.h>
"
@ -19195,9 +19218,9 @@ cat >>confdefs.h <<_ACEOF
#define USE_OSX_MSG_FASTOPEN 1
_ACEOF
;;
;;
esac
;;
;;
no|*)
;;
esac
@ -20412,7 +20435,7 @@ done
# check if setreuid en setregid fail, on MacOSX10.4(darwin8).
if echo $target_os | grep darwin8 > /dev/null; then
if echo $host_os | grep darwin8 > /dev/null; then
$as_echo "#define DARWIN_BROKEN_SETREUID 1" >>confdefs.h


@ -147,9 +147,9 @@ case "$exec_prefix" in
esac
# are we on MinGW?
if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
if uname -s 2>&1 | grep MINGW >/dev/null; then on_mingw="yes"
else
if echo $host $target | grep mingw32 >/dev/null; then on_mingw="yes"
if echo $host | grep mingw >/dev/null; then on_mingw="yes"
else on_mingw="no"; fi
fi
@ -385,7 +385,10 @@ AC_CHECK_PROG(doxygen, doxygen, doxygen)
AC_CHECK_TOOL(STRIP, strip)
ACX_LIBTOOL_C_ONLY
# pkg-config is only needed for these options, do not require it otherwise
if test "$enable_systemd" = "yes" -o "$with_pyunbound" = "yes" -o "$with_pythonmod" = "yes"; then
PKG_PROG_PKG_CONFIG
fi
# Checks for header files.
AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h],,, [AC_INCLUDES_DEFAULT])
@ -490,7 +493,10 @@ ACX_MKDIR_ONE_ARG
AC_CHECK_FUNCS([strptime],[AC_CHECK_STRPTIME_WORKS],[AC_LIBOBJ([strptime])])
# check if we can use SO_REUSEPORT
if echo "$host" | $GREP -i -e linux -e dragonfly >/dev/null; then
reuseport_default=0
if echo "$host" | $GREP -i -e linux >/dev/null; then reuseport_default=1; fi
if echo "$host" | $GREP -i -e dragonfly >/dev/null; then reuseport_default=1; fi
if test "$reuseport_default" = 1; then
AC_DEFINE(REUSEPORT_DEFAULT, 1, [if REUSEPORT is enabled by default])
else
AC_DEFINE(REUSEPORT_DEFAULT, 0, [if REUSEPORT is enabled by default])
@ -859,7 +865,7 @@ AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_C
# these check_funcs need -lssl
BAKLIBS="$LIBS"
LIBS="-lssl $LIBS"
AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb])
AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos])
LIBS="$BAKLIBS"
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
@ -1155,6 +1161,11 @@ AC_INCLUDES_DEFAULT
;;
esac
AC_ARG_WITH(deprecate-rsa-1024, AS_HELP_STRING([--with-deprecate-rsa-1024],[Deprecate RSA 1024 bit length, makes that an unsupported key, for use when OpenSSL FIPS refuses 1024 bit verification]))
if test "$with_deprecate_rsa_1024" = "yes"; then
AC_DEFINE([DEPRECATE_RSA_1024], [1], [Deprecate RSA 1024 bit length, makes that an unsupported key])
fi
AC_ARG_ENABLE(ed25519, AS_HELP_STRING([--disable-ed25519],[Disable ED25519 support]))
use_ed25519="no"
case "$enable_ed25519" in
@ -1211,23 +1222,23 @@ esac
AC_ARG_ENABLE(tfo-client, AS_HELP_STRING([--enable-tfo-client],[Enable TCP Fast Open for client mode]))
case "$enable_tfo_client" in
yes)
case `uname` in
Linux) AC_CHECK_DECL([MSG_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
[AC_INCLUDES_DEFAULT
case "$host_os" in
linux*) AC_CHECK_DECL([MSG_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
[AC_INCLUDES_DEFAULT
#include <netinet/tcp.h>
])
AC_DEFINE_UNQUOTED([USE_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
;;
Darwin) AC_CHECK_DECL([CONNECT_RESUME_ON_READ_WRITE], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
[AC_INCLUDES_DEFAULT
AC_DEFINE_UNQUOTED([USE_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
;;
darwin*) AC_CHECK_DECL([CONNECT_RESUME_ON_READ_WRITE], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
[AC_INCLUDES_DEFAULT
#include <sys/socket.h>
])
AC_DEFINE_UNQUOTED([USE_OSX_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
;;
AC_DEFINE_UNQUOTED([USE_OSX_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
;;
esac
;;
;;
no|*)
;;
esac
@ -1588,7 +1599,7 @@ AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
# check if setreuid en setregid fail, on MacOSX10.4(darwin8).
if echo $target_os | grep darwin8 > /dev/null; then
if echo $host_os | grep darwin8 > /dev/null; then
AC_DEFINE(DARWIN_BROKEN_SETREUID, 1, [Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work])
fi
AC_CHECK_DECLS([inet_pton,inet_ntop], [], [], [
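Review bot: The new `--with-deprecate-rsa-1024` handling only acts on the literal value `yes`, so `--with-deprecate-rsa-1024=1` or `=true` is accepted without complaint and does nothing, leaving the operator who asked for the FIPS-compatible behaviour with 1024-bit RSA still accepted. Since the help string says the option makes such keys unsupported, a silent no-op on a mistyped value is worse here than for an ordinary build knob; a `case "$with_deprecate_rsa_1024" in yes) AC_DEFINE([DEPRECATE_RSA_1024], [1], [...]) ;; no|"") ;; *) AC_MSG_ERROR([--with-deprecate-rsa-1024 takes yes or no]) ;; esac` rejects unexpected input, or at minimum the help text should state that only `yes` is honoured. The generated `configure` section mirrors the same test, and `config.h.in` gains the matching `#undef`.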


@ -1,15 +1,14 @@
Summary: Validating, recursive, and caching DNS resolver
Name: unbound
Version: 1.4.18
Version: 1.13.1
Release: 1%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/unbound/
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
Source: http://www.nlnetlabs.nl/downloads/unbound/%{name}-%{version}.tar.gz
#Source1: unbound.init
Group: System Environment/Daemons
Requires: ldns
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: flex, openssl-devel, expat-devel, ldns-devel
BuildRequires: flex, openssl-devel, expat-devel
%description
Unbound is a validating, recursive, and caching DNS resolver.
@ -42,7 +41,7 @@ install -d 0700 %{buildroot}%{_localstatedir}/%{name}
install -d 0755 %{buildroot}%{_initrddir}
install -m 0755 contrib/unbound.init %{buildroot}%{_initrddir}/unbound
# add symbolic link from /etc/unbound.conf -> /var/unbound/unbound.conf
ln -s %{_localstatedir}/unbound/unbound.conf %{buildroot}%{_sysconfdir}/unbound.conf
ln -s ../%{_localstatedir}/unbound/unbound.conf %{buildroot}%{_sysconfdir}/unbound.conf
# remove static library from install (fedora packaging guidelines)
rm -f %{buildroot}%{_libdir}/libunbound.a %{buildroot}%{_libdir}/libunbound.la
@ -55,11 +54,12 @@ rm -rf ${RPM_BUILD_ROOT}
%attr(0755,root,root) %{_initrddir}/%{name}
%attr(0700,%{name},%{name}) %dir %{_localstatedir}/%{name}
%attr(0644,%{name},%{name}) %config(noreplace) %{_localstatedir}/%{name}/unbound.conf
%attr(0644,%{name},%{name}) %config(noreplace) %{_sysconfdir}/unbound.conf
%config(noreplace) %{_sysconfdir}/unbound.conf
%{_sbindir}/*
%{_mandir}/*/*
%{_includedir}/*
%{_libdir}/libunbound*
%{_libdir}/pkgconfig/libunbound*
%pre
getent group unbound >/dev/null || groupadd -r unbound
@ -89,7 +89,13 @@ if [ "$1" -ge "1" ]; then
fi
%changelog
* Thu Jul 13 2011 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.4.8
* Thu Jun 10 2021 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.13.1
- ldns and ldns-devel no longer required. Fixed date. Version to 1.13.1.
- Removed symlink attr mode, made unbound.conf symlink relative.
- Added pkgconfig/libunbound.pc to the packaged files.
- fixed download url to nlnetlabs.nl download.
* Wed Jul 13 2011 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.4.8
- ldns required and ldns-devel required for build, no more ldns-builtin.
* Thu Mar 17 2011 Wouter Wijngaards <wouter@nlnetlabs.nl> - 1.4.8
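Review bot: The relative symlink created by `ln -s ../%{_localstatedir}/unbound/unbound.conf %{buildroot}%{_sysconfdir}/unbound.conf` only resolves when `%{_sysconfdir}` sits one level below the root that `%{_localstatedir}` is absolute from (the default `/etc` and `/var`); with a non-default prefix such as `/usr/local/etc` and `/usr/local/var` the `../` lands in `/usr/local/usr/local/var/...`, and the `%config(noreplace) %{_sysconfdir}/unbound.conf` entry would then package a dangling link. Deriving the target from the two macros at build time, for example `realpath --relative-to=%{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/unbound/unbound.conf`, or keeping the absolute target, avoids baking in that assumption. The changelog says the link was made relative but not why; one sentence on the motive would help the next packager. The `Source:` URL was moved to a new host but remains plain `http://`; if that host serves the tarball over HTTPS, the spec should point there so the fetched source is at least transport-protected.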


@ -14,7 +14,6 @@
# Run the command unbound-control-setup to generate the key files.
#
# Environment variables for this script
# statefile - where to put temporary statefile.
# unbound_conf - where the unbound.conf file is located.
# unbound_control - where to find unbound-control executable.
# spoof_warn - what level to warn about spoofing
@ -24,7 +23,6 @@
# with:
# [unbound*]
# user root
# env.statefile /usr/local/var/munin/plugin-state/unbound-state
# env.unbound_conf /usr/local/etc/unbound/unbound.conf
# env.unbound_control /usr/local/sbin/unbound-control
# env.spoof_warn 1000
@ -66,7 +64,6 @@ System with unbound daemon.
[unbound*]
user root
env.statefile /usr/local/var/munin/plugin-state/unbound-state
env.unbound_conf /usr/local/etc/unbound/unbound.conf
env.unbound_control /usr/local/sbin/unbound-control
env.spoof_warn 1000
@ -98,7 +95,8 @@ BSD
=cut
state=${statefile:-/usr/local/var/munin/plugin-state/unbound-state}
state="${MUNIN_PLUGSTATE}/unbound.state"
seentags="${MUNIN_PLUGSTATE}/unbound-seentags.state"
conf=${unbound_conf:-/usr/local/etc/unbound/unbound.conf}
ctrl=${unbound_control:-/usr/local/sbin/unbound-control}
warn=${spoof_warn:-1000}
@ -121,12 +119,24 @@ get_value ( ) {
fi
}
# Update list of seen query types etc to seentags file. This is run while
# holding the lock, after the state file is updated.
update_seentags() {
tmplist="$(cat ${seentags} 2> /dev/null)
num.query.type.A
num.query.class.IN
num.query.opcode.QUERY
num.answer.rcode.NOERROR
"
(echo "${tmplist}"; grep ^num ${state} | sed -e 's/=.*//') | sort -u > ${seentags}
}
# download the state from the unbound server.
get_state ( ) {
# obtain lock for fetching the state
# because there is a race condition in fetching and writing to file
# see if the lock is stale, if so, take it
# see if the lock is stale, if so, take it
if test -f $lock ; then
pid="`cat $lock 2>&1`"
kill -0 "$pid" >/dev/null 2>&1
@ -168,6 +178,7 @@ get_state ( ) {
rm -f $lock
exit 1
fi
update_seentags
rm -f $lock
}
@ -232,7 +243,7 @@ if test "$1" = "config" ; then
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
echo "graph_category dns"
for x in `grep "^thread[0-9][0-9]*\.num\.queries=" $state |
sed -e 's/=.*//'`; do
exist_config $x "queries handled by `basename $x .num.queries`"
@ -256,7 +267,7 @@ if test "$1" = "config" ; then
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel number of queries"
echo "graph_scale no"
echo "graph_category DNS"
echo "graph_category dns"
p_config "total.requestlist.avg" "Average size of queue on insert" "GAUGE"
p_config "total.requestlist.max" "Max size of queue (in 5 min)" "GAUGE"
p_config "total.requestlist.overwritten" "Number of queries replaced by new ones" "GAUGE"
@ -267,7 +278,7 @@ if test "$1" = "config" ; then
echo "graph_title Unbound memory usage"
echo "graph_args --base 1024 -l 0"
echo "graph_vlabel memory used in bytes"
echo "graph_category DNS"
echo "graph_category dns"
p_config "mem.cache.rrset" "RRset cache memory" "GAUGE"
p_config "mem.cache.message" "Message cache memory" "GAUGE"
p_config "mem.mod.iterator" "Iterator module memory" "GAUGE"
@ -283,9 +294,8 @@ if test "$1" = "config" ; then
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
for x in `grep "^num.query.type" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
echo "graph_category dns"
for nm in `grep "^num.query.type" $seentags`; do
tp=`echo $nm | sed -e s/num.query.type.//`
p_config "$nm" "$tp" "ABSOLUTE"
done
@ -296,9 +306,8 @@ if test "$1" = "config" ; then
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
for x in `grep "^num.query.class" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
echo "graph_category dns"
for nm in `grep "^num.query.class" $seentags`; do
tp=`echo $nm | sed -e s/num.query.class.//`
p_config "$nm" "$tp" "ABSOLUTE"
done
@ -309,9 +318,8 @@ if test "$1" = "config" ; then
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
for x in `grep "^num.query.opcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
echo "graph_category dns"
for nm in `grep "^num.query.opcode" $seentags`; do
tp=`echo $nm | sed -e s/num.query.opcode.//`
p_config "$nm" "$tp" "ABSOLUTE"
done
@ -322,9 +330,8 @@ if test "$1" = "config" ; then
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel answer packets / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
for x in `grep "^num.answer.rcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
echo "graph_category dns"
for nm in `grep "^num.answer.rcode" $seentags`; do
tp=`echo $nm | sed -e s/num.answer.rcode.//`
p_config "$nm" "$tp" "ABSOLUTE"
done
@ -338,7 +345,7 @@ if test "$1" = "config" ; then
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
echo "graph_category dns"
p_config "num.query.flags.QR" "QR (query reply) flag" "ABSOLUTE"
p_config "num.query.flags.AA" "AA (auth answer) flag" "ABSOLUTE"
p_config "num.query.flags.TC" "TC (truncated) flag" "ABSOLUTE"
@ -356,7 +363,7 @@ if test "$1" = "config" ; then
echo "graph_args --base 1000 -l 0"
echo "graph_vlabel queries / \${graph_period}"
echo "graph_scale no"
echo "graph_category DNS"
echo "graph_category dns"
echo hcache.label "cache hits"
echo hcache.min 0
echo hcache.type ABSOLUTE
@ -467,27 +474,23 @@ memory)
done
;;
by_type)
for x in `grep "^num.query.type" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_value_line $nm $x
for nm in `grep "^num.query.type" $seentags`; do
print_value $nm
done
;;
by_class)
for x in `grep "^num.query.class" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_value_line $nm $x
for nm in `grep "^num.query.class" $seentags`; do
print_value $nm
done
;;
by_opcode)
for x in `grep "^num.query.opcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_value_line $nm $x
for nm in `grep "^num.query.opcode" $seentags`; do
print_value $nm
done
;;
by_rcode)
for x in `grep "^num.answer.rcode" $state`; do
nm=`echo $x | sed -e 's/=.*$//'`
print_value_line $nm $x
for nm in `grep "^num.answer.rcode" $seentags`; do
print_value $nm
done
print_value "num.answer.secure"
print_value "num.answer.bogus"


@ -130,7 +130,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
{
#ifndef S_SPLINT_S
size_t leftover;
if(d == 0) {
if(d <= 0) {
avg->tv_sec = 0;
avg->tv_usec = 0;
return;
@ -139,7 +139,13 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
avg->tv_usec = sum->tv_usec / d;
/* handle fraction from seconds divide */
leftover = sum->tv_sec - avg->tv_sec*d;
avg->tv_usec += (leftover*1000000)/d;
if(leftover <= 0)
leftover = 0;
avg->tv_usec += (((long long)leftover)*((long long)1000000))/d;
if(avg->tv_sec < 0)
avg->tv_sec = 0;
if(avg->tv_usec < 0)
avg->tv_usec = 0;
#endif
}
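Review bot: The new `if(leftover <= 0) leftover = 0;` can never take effect, because `leftover` is declared `size_t` just above the first hunk and an unsigned value is never below zero; a negative `sum->tv_sec - avg->tv_sec*d` has already wrapped to a large positive value by the time it is stored, so the `tv_usec` clamp below is the only thing that saves the result. Declaring it `long long leftover;` makes the guard meaningful and matches the `(long long)` casts used in the next line. timeval_divide spans both hunks, and the `avg->tv_sec` division between them is outside the view.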


@ -212,12 +212,14 @@ checkrlimits(struct config_file* cfg)
}
#endif
#ifdef RLIMIT_AS
if(getrlimit(RLIMIT_AS, &rlim) == 0) {
if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY &&
rlim.rlim_cur < (rlim_t)memsize_expect) {
log_warn("the ulimit(max memory size) is smaller than the expected memory usage (added size of caches). %u < %u bytes", (unsigned)rlim.rlim_cur, (unsigned)memsize_expect);
}
}
#endif
if(getrlimit(RLIMIT_DATA, &rlim) == 0) {
if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY &&
rlim.rlim_cur < memsize_expect) {


@ -1794,7 +1794,9 @@ worker_init(struct worker* worker, struct config_file *cfg,
&worker_alloc_cleanup, worker,
cfg->do_udp || cfg->udp_upstream_without_downstream,
worker->daemon->connect_sslctx, cfg->delay_close,
cfg->tls_use_sni, dtenv, cfg->udp_connect);
cfg->tls_use_sni, dtenv, cfg->udp_connect,
cfg->max_reuse_tcp_queries, cfg->tcp_reuse_timeout,
cfg->tcp_auth_query_timeout);
if(!worker->back) {
log_err("could not create outgoing sockets");
worker_delete(worker);
@ -1848,6 +1850,11 @@ worker_init(struct worker* worker, struct config_file *cfg,
return 0;
}
worker->env.mesh = mesh_create(&worker->daemon->mods, &worker->env);
if(!worker->env.mesh) {
log_err("malloc failure");
worker_delete(worker);
return 0;
}
/* Pass on daemon variables that we would need in the mesh area */
worker->env.mesh->use_response_ip = worker->daemon->use_response_ip;
worker->env.mesh->use_rpz = worker->daemon->use_rpz;
@ -1858,6 +1865,11 @@ worker_init(struct worker* worker, struct config_file *cfg,
worker->env.kill_sub = &mesh_state_delete;
worker->env.detect_cycle = &mesh_detect_cycle;
worker->env.scratch_buffer = sldns_buffer_new(cfg->msg_buffer_size);
if(!worker->env.scratch_buffer) {
log_err("malloc failure");
worker_delete(worker);
return 0;
}
if(!(worker->env.fwds = forwards_create()) ||
!forwards_apply_cfg(worker->env.fwds, cfg)) {
log_err("Could not set forward zones");
@ -1912,10 +1924,6 @@ worker_init(struct worker* worker, struct config_file *cfg,
}
}
#endif /* USE_DNSTAP */
if(!worker->env.mesh || !worker->env.scratch_buffer) {
worker_delete(worker);
return 0;
}
worker_mem_report(worker, NULL);
/* if statistics enabled start timer */
if(worker->env.cfg->stat_interval > 0) {
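Review bot: Both new failure paths log the identical text `"malloc failure"`, so someone reading the log cannot tell whether `mesh_create` or `sldns_buffer_new` failed; naming the allocation, e.g. `log_err("malloc failure: could not create mesh")` and `log_err("malloc failure: could not create scratch buffer")`, costs nothing. Checking each result right after its call, rather than the combined check the last hunk removes, is the right shape since the line right after `mesh_create` already dereferences `worker->env.mesh`. worker_init starts and ends outside these hunks.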


@ -507,19 +507,19 @@ dt_msg_send_outside_query(struct dt_env *env,
void
dt_msg_send_outside_response(struct dt_env *env,
struct sockaddr_storage *rsock,
struct sockaddr_storage *qsock,
enum comm_point_type cptype,
uint8_t *zone, size_t zone_len,
uint8_t *qbuf, size_t qbuf_len,
const struct timeval *qtime,
const struct timeval *rtime,
sldns_buffer *rmsg)
struct sockaddr_storage *rsock,
struct sockaddr_storage *qsock,
enum comm_point_type cptype,
uint8_t *zone, size_t zone_len,
uint8_t *qbuf, size_t qbuf_len,
const struct timeval *qtime,
const struct timeval *rtime,
sldns_buffer *rmsg)
{
struct dt_msg dm;
uint16_t qflags;
log_assert(qbuf_len >= sizeof(qflags));
(void)qbuf_len; log_assert(qbuf_len >= sizeof(qflags));
memcpy(&qflags, qbuf, sizeof(qflags));
qflags = ntohs(qflags);
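Review bot: The `(void)qbuf_len;` added before `log_assert` keeps the compiler quiet when `log_assert` compiles to nothing, but in that build the `memcpy(&qflags, qbuf, sizeof(qflags))` on the next line runs with no length check at all, so a query buffer shorter than two bytes is read past its end. A guard that survives release builds, `if(qbuf_len < sizeof(qflags)) return;`, placed before the `log_assert` line keeps the check in every configuration. Putting the cast on its own line would also read better than two statements sharing one line.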


@ -1012,6 +1012,7 @@ void dtio_tap_callback(int fd, short ATTR_UNUSED(bits), void* arg)
if(verbosity) log_info("bidirectional stream");
if(!reply_with_accept(data)) {
tap_data_free(data);
return;
}
} else if(data->len >= 4 && sldns_read_uint32(data->frame) ==
FSTRM_CONTROL_FRAME_STOP && data->is_bidirectional) {
@ -1166,8 +1167,12 @@ int sig_quit = 0;
/** signal handler for user quit */
static RETSIGTYPE main_sigh(int sig)
{
if(!sig_quit)
fprintf(stderr, "exit on signal %d\n", sig);
if(!sig_quit) {
char str[] = "exit on signal \n";
str[15] = '0' + (sig/10)%10;
str[16] = '0' + sig%10;
write(STDERR_FILENO, str, strlen(str));
}
if(sig_base) {
ub_event_base_loopexit(sig_base);
sig_base = NULL;
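Review bot: In main_sigh the digit stores land on the wrong bytes: in `"exit on signal \n"` index 15 is the newline and index 16 is the terminating NUL, so `str[15]` and `str[16]` overwrite the newline and the terminator, and the following `strlen(str)` reads past the end of the array. Reserve two digit slots in the literal and pass a fixed length instead of calling strlen: `char str[] = "exit on signal 00\n";` and `write(STDERR_FILENO, str, sizeof(str)-1);`, discarding the write return value explicitly. Moving from fprintf to write is the right call in a signal handler; main_sigh continues past the hunk.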


@ -1,3 +1,132 @@
2 July 2021: Wouter
- Fix #506: Python Module Seems to Leak Memory if it Experiences an
Unhandled Exception.
25 June 2021: Wouter
- Fix up permissions on rpl data file in tests.
- Fix testbound newline treatment in moment_read and tempfile write.
- Fix configure grep for reuseport default for failure.
- Fix compat ctime_r return value
- Fix configure does not require pkg-config if not needed.
- Fix unit test in the ctime_r calls for autotrust and in testbound.
- Fix auth zone download on windows to unlink before rename.
24 June 2021: Wouter
- Add analyzer and port compile github workflow.
23 June 2021: Wouter
- Fix #503: DNS over HTTPS response truncated.
- Fix warnings reported by the gcc analyzer.
21 June 2021: George
- Fix #495: Documentation or implementation of "verbosity" option.
18 June 2021: Wouter
- Fix a number of warnings reported by the gcc analyzer.
15 June 2021: George
- Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file.
14 June 2021: Wouter
- Fix configure nonblocking test and onmingw test to use host.
10 June 2021: Wouter
- Fix #500: SPEC file in version 1.13.1 references version 1.4;
unable to build RPM from source.
- Fix contrib/unbound.spec, fixed url and comment.
9 June 2021: George
- Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
- Generated lexer and parser for #486; updated example.conf.
- Fix #413 (based on patch by k-ronny): unbound: does not compile
on macOS 11.1-x86_64 host.
- Use host_os instead of target_os in configure for Darwin8 build.
8 June 2021: George
- Fix unused variable warning when compiling with --enable-dnstap.
7 June 2021: George
- Merge #448 from shoeper: Update unbound-control.8.in, fix
rpz_disable typo.
- Fix #425: Document auth-zone supports communication with DNS
primary on nondefault port.
1 June 2021: George
- Fix test for zonemd-check option.
27 May 2021: Wouter
- Merge #496 from banburybill: Use build system endianness if
available, otherwise try to work it out.
- zonemd-check: yesno option, default no, enables the processing
of ZONEMD records for that zone.
25 May 2021: Wouter
- Move the NSEC3 max iterations count in line with the 150 value
used by BIND, Knot and PowerDNS. This sets the default value
for it in the configuration to 150 for all key sizes.
- Fix #492: module-config respip missing in unbound.conf.5.in man
page. Merges #494 from he32.
- For #492: Fix font highlighting for the man page on emacs.
21 May 2021: Wouter
- Test code has -q option for quiet output.
19 May 2021: George
- Fix for #411, #439, #469: Reset the DNS message ID when moving queries
between TCP streams.
- Refactor for uniform way to produce random DNS message IDs.
17 May 2021: Wouter
- Fix #489: Compile using MSYS2 MinGW 64-bit.
12 May 2021: Wouter
- Fix that auth-zone zonefiles use last TTL if no TTL is specified.
10 May 2021: Wouter
- Merge PR #487: ifdef RLIMIT_AS in recently added check.
7 May 2021: Wouter
- Fix #485: Unbound occasionally reports broken stats.
- Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
- Remove case fallthrough from deprecate-rsa-1024 code.
4 May 2021: George
- Fix for #367: only attempt to get the interface for queries that are no
longer on the tcp_waiting_list.
- Add more logging for out-of-memory cases.
4 May 2021: Wouter
- Merge #478: Allow configuration of TCP timeout while waiting for
response.
- Fix to squelch tcp socket bind failures when the interface is gone.
- Rerun flex and bison.
3 May 2021: Wouter
- Fix #481: Fix comment in configuration file.
29 April 2021: Wouter
- Add that log-servfail prints an IP address and more information
about one of the last failures for that query.
28 April 2021: George
- Fix compiler warning for signed/unsigned comparison for
max_reuse_tcp_queries.
28 April 2021: Wouter
- Fix #474: always_null and others inside view.
26 April 2021: Wouter
- Merge #470 from edevil: Allow configuration of persistent TCP
connections.
22 April 2021: Wouter
- Merge #466 from FGasper: Support OpenSSLs that lack
SSL_get0_alpn_selected.
- Fix #468: OpenSSL 1.0.1 can no longer build Unbound.
- Further fix for #468: detect SSL_CTX_set_alpn_protos for build with
OpenSSL 1.0.1.
- Fix that testcode dohclient has OpenSSL initialisation calls.
13 April 2021: George
- Fix documentation comment for files previously residing in checkconf/.
- Remove unused functions worker_handle_reply and libworker_handle_reply.


@ -507,7 +507,8 @@ server:
# Use several entries, one per domain name, to track multiple zones.
#
# If you want to perform DNSSEC validation, run unbound-anchor before
# you start unbound (i.e. in the system boot scripts). And enable:
# you start unbound (i.e. in the system boot scripts).
# And then enable the auto-trust-anchor-file config item.
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
@ -556,6 +557,10 @@ server:
# val-sig-skew-min: 3600
# val-sig-skew-max: 86400
# The maximum number the validator should restart validation with
# another authority in case of failed validation.
# val-max-restart: 5
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
@ -613,7 +618,7 @@ server:
# keysize. Keep this table very short, as linear search is done.
# A message with an NSEC3 with larger count is marked insecure.
# List in ascending order the keysize and count values.
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
# val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
# if enabled, ZONEMD verification failures do not block the zone.
# zonemd-permissive-mode: no
@ -901,6 +906,13 @@ server:
# ipsecmod-allow: "example.com"
# ipsecmod-allow: "nlnetlabs.nl"
# Timeout for REUSE entries in milliseconds.
# tcp-reuse-timeout: 60000
# Max number of queries on a reuse connection.
# max-reuse-tcp-queries: 200
# Timeout in milliseconds for TCP queries to auth servers.
# tcp-auth-query-timeout: 3000
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
@ -1025,6 +1037,7 @@ remote-control:
# name: "example.org"
# for-downstream: yes
# for-upstream: yes
# zonemd-check: no
# zonemd-reject-absence: no
# zonefile: "example.org.zone"


@ -308,7 +308,7 @@ serial check). And then the zone is transferred for a newer zone version.
.B rpz_enable \fIzone\fR
Enable the RPZ zone if it had previously been disabled.
.TP
.B rpz_enable \fIzone\fR
.B rpz_disable \fIzone\fR
Disable the RPZ zone.
.TP
.B view_list_local_zones \fIview\fR


@ -89,11 +89,11 @@ These options are part of the
clause.
.TP
.B verbosity: \fI<number>
The verbosity number, level 0 means no verbosity, only errors. Level 1
gives operational information. Level 2 gives detailed operational
information. Level 3 gives query level information, output per query.
Level 4 gives algorithm level information. Level 5 logs client
identification for cache misses. Default is level 1.
The verbosity number, level 0 means no verbosity, only errors. Level 1
gives operational information. Level 2 gives detailed operational
information including short information per query. Level 3 gives query level
information, output per query. Level 4 gives algorithm level information.
Level 5 logs client identification for cache misses. Default is level 1.
The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
.TP
.B statistics\-interval: \fI<seconds>
@ -451,6 +451,19 @@ total number configured, and finally to 0 if the number of free buffers
falls below 20% of the total number configured. A minimum timeout of
200 milliseconds is observed regardless of the option value used.
.TP
.B tcp-reuse-timeout: \fI<msec>\fR
The period Unbound will keep TCP persistent connections open to
authority servers. This option defaults to 60000 milliseconds.
.TP
.B max-reuse-tcp-queries: \fI<number>\fR
The maximum number of queries that can be sent on a persistent TCP
connection.
This option defaults to 200 queries.
.TP
.B tcp-auth-query-timeout: \fI<number>\fR
Timeout in milliseconds for TCP queries to auth servers.
This option defaults to 3000 milliseconds.
.TP
.B edns-tcp-keepalive: \fI<yes or no>\fR
Enable or disable EDNS TCP Keepalive. Default is no.
.TP
@ -1013,7 +1026,7 @@ If yes, Unbound rotates RRSet order in response (the random number is taken
from the query ID, for speed and thread safety). Default is yes.
.TP
.B minimal-responses: \fI<yes or no>
If yes, Unbound doesn't insert authority/additional sections into response
If yes, Unbound does not insert authority/additional sections into response
messages when those sections are not required. This reduces response
size significantly, and may avoid TCP fallback for some responses.
This may cause a slight speedup. The default is yes, even though the DNS
@ -1031,15 +1044,24 @@ of this setting, if a trust anchor is loaded.
.TP
.B module\-config: \fI<"module names">
Module configuration, a list of module names separated by spaces, surround
the string with quotes (""). The modules can be validator, iterator.
Setting this to "iterator" will result in a non\-validating server.
Setting this to "validator iterator" will turn on DNSSEC validation.
The ordering of the modules is important.
You must also set trust\-anchors for validation to be useful.
The default is "validator iterator". When the server is built with
EDNS client subnet support the default is "subnetcache validator iterator".
the string with quotes (""). The modules can be \fIrespip\fR,
\fIvalidator\fR, or \fIiterator\fR (and possibly more, see below).
Setting this to just "\fIiterator\fR" will result in a non\-validating
server.
Setting this to "\fIvalidator iterator\fR" will turn on DNSSEC validation.
The ordering of the modules is significant, the order decides the
order of processing.
You must also set \fItrust\-anchors\fR for validation to be useful.
Adding \fIrespip\fR to the front will cause RPZ processing to be done on
all queries.
The default is "\fIvalidator iterator\fR".
.IP
When the server is built with
EDNS client subnet support the default is "\fIsubnetcache validator
iterator\fR".
Most modules that need to be listed here have to be listed at the beginning
of the line. The cachedb module has to be listed just before the iterator.
of the line. The subnetcachedb module has to be listed just before
the iterator.
The python module can be listed in different places, it then processes the
output of the module it is just before. The dynlib module can be listed pretty
much anywhere, it is only a very thin wrapper that allows dynamic libraries to
@ -1118,6 +1140,10 @@ min and max very low disables the clock skew allowances. Setting both
min and max very high makes the validator check the signature timestamps
less strictly.
.TP
.B val\-max\-restart: \fI<number>
The maximum number the validator should restart validation with
another authority in case of failed validation. Default is 5.
.TP
.B val\-bogus\-ttl: \fI<number>
The time to live for bogus data. This is data that has failed validation;
due to invalid signatures or other checks. The TTL from that data cannot be
@ -1202,7 +1228,7 @@ Default is "no".
.TP
.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
List of keysize and iteration count values, separated by spaces, surrounded
by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
by quotes. Default is "1024 150 2048 150 4096 150". This determines the
maximum allowed NSEC3 iteration count before a message is simply marked
insecure instead of performing the many hashing iterations. The list must
be in ascending order and have at least one entry. If you set it to
@ -1514,6 +1540,82 @@ Use this localzone type, regardless the type configured for the local-zone
(both tagged and untagged) and regardless the type configured using
access\-control\-tag\-action.
.TP 5
.B response\-ip: \fI<IP-netblock> <action>
This requires use of the "respip" module.
.IP
If the IP address in an AAAA or A RR in the answer section of a
response matches the specified IP netblock, the specified action will
apply.
\fI<action>\fR has generally the same semantics as that for
\fIaccess-control-tag-action\fR, but there are some exceptions.
.IP
Actions for \fIresponse-ip\fR are different from those for
\fIlocal-zone\fR in that in case of the former there is no point of
such conditions as "the query matches it but there is no local data".
Because of this difference, the semantics of \fIresponse-ip\fR actions
are modified or simplified as follows: The \fIstatic, refuse,
transparent, typetransparent,\fR and \fInodefault\fR actions are
invalid for \fIresponse-ip\fR.
Using any of these will cause the configuration to be rejected as
faulty. The \fIdeny\fR action is non-conditional, i.e. it always
results in dropping the corresponding query.
The resolution result before applying the deny action is still cached
and can be used for other queries.
.TP 5
.B response-ip-data: \fI<IP-netblock> <"resource record string">
This requires use of the "respip" module.
.IP
This specifies the action data for \fIresponse-ip\fR with action being
to redirect as specified by "\fIresource record string\fR". "Resource
record string" is similar to that of \fIaccess-control-tag-action\fR,
but it must be of either AAAA, A or CNAME types.
If the IP-netblock is an IPv6/IPV4 prefix, the record
must be AAAA/A respectively, unless it is a CNAME (which can be used
for both versions of IP netblocks). If it is CNAME there must not be
more than one \fIresponse-ip-data\fR for the same IP-netblock.
Also, CNAME and other types of records must not coexist for the same
IP-netblock, following the normal rules for CNAME records.
The textual domain name for the CNAME does not have to be explicitly
terminated with a dot ("."); the root name is assumed to be the origin
for the name.
.TP 5
.B response-ip-tag: \fI<IP-netblock> <"list of tags">
This requires use of the "respip" module.
.IP
Assign tags to response IP-netblocks. If the IP address in an AAAA or
A RR in the answer section of a response matches the specified
IP-netblock, the specified tags are assigned to the IP address.
Then, if an \fIaccess-control-tag\fR is defined for the client and it
includes one of the tags for the response IP, the corresponding
\fIaccess-control-tag-action\fR will apply.
Tag matching rule is the same as that for \fIaccess-control-tag\fR and
\fIlocal-zones\fR.
Unlike \fIlocal-zone-tag\fR, \fIresponse-ip-tag\fR can be defined for
an IP-netblock even if no \fIresponse-ip\fR is defined for that
netblock.
If multiple \fIresponse-ip-tag\fR options are specified for the same
IP-netblock in different statements, all but the first will be
ignored.
However, this will not be flagged as a configuration error, but the
result is probably not what was intended.
.IP
Actions specified in an
\fIaccess-control-tag-action\fR that has a matching tag with
\fIresponse-ip-tag\fR can be those that are "invalid" for
\fIresponse-ip\fR listed above, since \fIaccess-control-tag-action\fRs
can be shared with local zones.
For these actions, if they behave differently depending on whether
local data exists or not in case of local zones, the behavior for
\fIresponse-ip-data\fR will generally result in NOERROR/NODATA instead
of NXDOMAIN, since the \fIresponse-ip\fR data are inherently type
specific, and non-existence of data does not indicate anything about
the existence or non-existence of the qname itself.
For example, if the matching tag action is \fIstatic\fR but there is
no data for the corresponding \fIresponse-ip\fR configuration, then
the result will be NOERROR/NODATA.
The only case where NXDOMAIN is returned is when an
\fIalways_nxdomain\fR action applies.
.TP 5
.B ratelimit: \fI<number or 0>
Enable ratelimiting of queries sent to nameserver for performing recursion.
If 0, the default, it is disabled. This option is experimental at this time.
@ -1825,7 +1927,9 @@ Name of the authority zone.
.B primary: \fI<IP address or host name>
Where to download a copy of the zone from, with AXFR and IXFR. Multiple
primaries can be specified. They are all tried if one fails.
With the "ip#name" notation a AXFR over TLS can be used.
To use a nondefault port for DNS communication append '@' with the port number.
You can append a '#' and a name, then AXFR over TLS can be used and the tls authentication certificates will be checked with that name. If you combine
the '@' and '#', the '@' comes first.
If you point it at another Unbound instance, it would not work because
that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download
the zonefile as a text file from a webserver that would work.
@ -1882,6 +1986,12 @@ to the authority servers for this zone, it'll fetch the data directly from
the zone data. Turn it on when you want unbound to provide recursion for
downstream clients, and use the zone data as a local copy to speed up lookups.
.TP
.B zonemd\-check: \fI<yes or no>
Enable this option to check ZONEMD records in the zone. Default is disabled.
The ZONEMD record is a checksum over the zone data. This includes glue in
the zone and data from the zone file, and excludes comments from the zone file.
When there is a DNSSEC chain of trust, DNSSEC signatures are checked too.
.TP
.B zonemd\-reject\-absence: \fI<yes or no>
Enable this option to reject the absence of the ZONEMD record. Without it,
when zonemd is not there it is not checked. It is useful to enable for a
@ -2396,6 +2506,15 @@ Name of the authority zone.
.B primary: \fI<IP address or host name>
Where to download a copy of the zone from, with AXFR and IXFR. Multiple
primaries can be specified. They are all tried if one fails.
To use a nondefault port for DNS communication append '@' with the port number.
You can append a '#' and a name, then AXFR over TLS can be used and the tls authentication certificates will be checked with that name. If you combine
the '@' and '#', the '@' comes first.
If you point it at another Unbound instance, it would not work because
that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download
the zonefile as a text file from a webserver that would work.
If you specify the hostname, you cannot use the domain from the zonefile,
because it may not have that when retrieving that data, instead use a plain
IP address to avoid a circular dependency on retrieving that IP address.
.TP
.B master: \fI<IP address or host name>
Alternate syntax for \fBprimary\fR.


@ -419,6 +419,7 @@ ipsecmod_handle_query(struct module_qstate* qstate,
if(!qstate->env->cfg->ipsecmod_ignore_bogus &&
rrset_data->security == sec_status_bogus) {
log_err("ipsecmod: bogus IPSECKEY");
errinf(qstate, "ipsecmod: bogus IPSECKEY");
ipsecmod_error(qstate, id);
return;
}
@ -426,6 +427,7 @@ ipsecmod_handle_query(struct module_qstate* qstate,
if(!call_hook(qstate, iq, ie) &&
qstate->env->cfg->ipsecmod_strict) {
log_err("ipsecmod: ipsecmod-hook failed");
errinf(qstate, "ipsecmod: ipsecmod-hook failed");
ipsecmod_error(qstate, id);
return;
}
@ -497,6 +499,7 @@ ipsecmod_handle_response(struct module_qstate* qstate,
qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY,
qstate->qinfo.qclass, 0)) {
log_err("ipsecmod: could not generate subquery.");
errinf(qstate, "ipsecmod: could not generate subquery.");
ipsecmod_error(qstate, id);
}
return;
@ -520,6 +523,7 @@ ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
if((event == module_event_new || event == module_event_pass) &&
iq == NULL) {
if(!ipsecmod_new(qstate, id)) {
errinf(qstate, "ipsecmod: could not ipsecmod_new");
ipsecmod_error(qstate, id);
return;
}
@ -542,6 +546,7 @@ ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
}
if(event == module_event_error) {
verbose(VERB_ALGO, "got called with event error, giving up");
errinf(qstate, "ipsecmod: got called with event error");
ipsecmod_error(qstate, id);
return;
}
@ -552,6 +557,7 @@ ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
}
log_err("ipsecmod: bad event %s", strmodulevent(event));
errinf(qstate, "ipsecmod: operate got bad event");
ipsecmod_error(qstate, id);
return;
}


@ -440,6 +440,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
prev = NULL;
a = dp->result_list;
for(i = 0; i < got_num; i++) {
if(!a) break; /* robustness */
swap_to_front = 0;
if(a->addr.ss_family != AF_INET6 && attempt == -1) {
/* if we only have ip4 at low attempt count,
@ -497,6 +498,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
prev = NULL;
a = dp->result_list;
for(i = 0; i < got_num; i++) {
if(!a) break; /* robustness */
swap_to_front = 0;
if(a->addr.ss_family != AF_INET && attempt == -1) {
/* if we only have ip6 at low attempt count,
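Review bot: `/* robustness */` on both new `if(!a) break;` lines does not say what is being defended against, so the next reader cannot tell whether a `result_list` shorter than `got_num` is an expected state or a counting bug being papered over. A comment naming the condition, e.g. `/* defensive: stop if result_list is shorter than got_num */`, records that; if the mismatch is never expected, a `log_assert(a)` before the break would surface it in debug builds while keeping release builds safe. The same check appears in both hunks; iter_filter_order starts and ends outside them.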


@ -585,6 +585,60 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
return 1;
}
/** add response specific error information for log servfail */
static void
errinf_reply(struct module_qstate* qstate, struct iter_qstate* iq)
{
if(qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail)
return;
if((qstate->reply && qstate->reply->addrlen != 0) ||
(iq->fail_reply && iq->fail_reply->addrlen != 0)) {
char from[256], frm[512];
if(qstate->reply && qstate->reply->addrlen != 0)
addr_to_str(&qstate->reply->addr, qstate->reply->addrlen,
from, sizeof(from));
else
addr_to_str(&iq->fail_reply->addr, iq->fail_reply->addrlen,
from, sizeof(from));
snprintf(frm, sizeof(frm), "from %s", from);
errinf(qstate, frm);
}
if(iq->scrub_failures || iq->parse_failures) {
if(iq->scrub_failures)
errinf(qstate, "upstream response failed scrub");
if(iq->parse_failures)
errinf(qstate, "could not parse upstream response");
} else if(iq->response == NULL && iq->timeout_count != 0) {
errinf(qstate, "upstream server timeout");
} else if(iq->response == NULL) {
errinf(qstate, "no server to query");
if(iq->dp) {
if(iq->dp->target_list == NULL)
errinf(qstate, "no addresses for nameservers");
else errinf(qstate, "nameserver addresses not usable");
if(iq->dp->nslist == NULL)
errinf(qstate, "have no nameserver names");
if(iq->dp->bogus)
errinf(qstate, "NS record was dnssec bogus");
}
}
if(iq->response && iq->response->rep) {
if(FLAGS_GET_RCODE(iq->response->rep->flags) != 0) {
char rcode[256], rc[32];
(void)sldns_wire2str_rcode_buf(
FLAGS_GET_RCODE(iq->response->rep->flags),
rc, sizeof(rc));
snprintf(rcode, sizeof(rcode), "got %s", rc);
errinf(qstate, rcode);
} else {
/* rcode NOERROR */
if(iq->response->rep->an_numrrsets == 0) {
errinf(qstate, "nodata answer");
}
}
}
}
/** see if last resort is possible - does config allow queries to parent */
static int
can_have_last_resort(struct module_env* env, uint8_t* nm, size_t nmlen,
@ -1922,6 +1976,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
* of a response. */
errinf(qstate, "all the configured stub or forward servers failed,");
errinf_dname(qstate, "at zone", iq->dp->name);
errinf_reply(qstate, iq);
verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
}
@ -2068,6 +2123,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
errinf(qstate, "all servers for this domain failed,");
errinf_dname(qstate, "at zone", iq->dp->name);
errinf_reply(qstate, iq);
verbose(VERB_QUERY, "out of query targets -- returning SERVFAIL");
/* fail -- no more targets, no more hope of targets, no hope
* of a response. */
@ -2959,6 +3015,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
qstate->env->detach_subs));
(*qstate->env->detach_subs)(qstate);
iq->num_target_queries = 0;
iq->response = NULL;
iq->fail_reply = NULL;
verbose(VERB_ALGO, "cleared outbound list for next round");
return next_state(iq, QUERYTARGETS_STATE);
} else if(type == RESPONSE_TYPE_CNAME) {
@ -3722,6 +3780,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
}
/* parse message */
iq->fail_reply = qstate->reply;
prs = (struct msg_parse*)regional_alloc(qstate->env->scratch,
sizeof(struct msg_parse));
if(!prs) {
@ -3735,12 +3794,15 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
sldns_buffer_set_position(pkt, 0);
if(parse_packet(pkt, prs, qstate->env->scratch) != LDNS_RCODE_NOERROR) {
verbose(VERB_ALGO, "parse error on reply packet");
iq->parse_failures++;
goto handle_it;
}
/* edns is not examined, but removed from message to help cache */
if(parse_extract_edns(prs, &edns, qstate->env->scratch) !=
LDNS_RCODE_NOERROR)
LDNS_RCODE_NOERROR) {
iq->parse_failures++;
goto handle_it;
}
/* Copy the edns options we may got from the back end */
if(edns.opt_list) {
@ -3774,6 +3836,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
iq->num_current_queries--;
verbose(VERB_DETAIL, "Capsforid: scrub failed, starting fallback with no response");
}
iq->scrub_failures++;
goto handle_it;
}
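Review bot: `iq->fail_reply = qstate->reply;` in process_response keeps a raw pointer across state transitions, and errinf_reply later reads `iq->fail_reply->addr` and `addrlen` through it; if `qstate->reply` points at storage owned by the communication layer that is reused or released once the callback returns, the address printed on the SERVFAIL path can be stale or dangling. Copying `addr` and `addrlen` into the iterator state at that point, rather than the pointer, removes the lifetime dependency. The `iq->fail_reply = NULL;` reset in processQueryResponse only covers the cleared-outbound-list path. The enclosing functions of these hunks start and end outside the view.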


@ -406,6 +406,12 @@ struct iter_qstate {
int auth_zone_response;
/** True if the auth_zones should not be consulted for the query */
int auth_zone_avoid;
/** true if there have been scrubbing failures of reply packets */
int scrub_failures;
/** true if there have been parse failures of reply packets */
int parse_failures;
/** a failure printout address for last received answer */
struct comm_reply* fail_reply;
};
/**
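Review bot: The comments on `scrub_failures` and `parse_failures` describe them as booleans ("true if there have been …"), but the iterator code in this same commit increments them (`iq->scrub_failures++`, `iq->parse_failures++`), so they are counters and a reader should not test them as flags. Suggest `/** number of scrubbing failures of reply packets */` and `/** number of parse failures of reply packets */`. The `fail_reply` comment could also say who owns the pointer: from `iq->fail_reply = qstate->reply` it appears to be a borrowed pointer into the query state that is reset to NULL each round, and stating that avoids a stray free.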


@ -241,7 +241,9 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
ports, numports, cfg->unwanted_threshold,
cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w,
cfg->do_udp || cfg->udp_upstream_without_downstream, w->sslctx,
cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect);
cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect,
cfg->max_reuse_tcp_queries, cfg->tcp_reuse_timeout,
cfg->tcp_auth_query_timeout);
w->env->outnet = w->back;
if(!w->is_bg || w->is_bg_thread) {
lock_basic_unlock(&ctx->cfglock);
@ -454,8 +456,15 @@ fill_res(struct ub_result* res, struct ub_packed_rrset_key* answer,
if(rep->rrset_count != 0)
res->ttl = (int)rep->ttl;
res->data = (char**)calloc(1, sizeof(char*));
if(!res->data)
return 0; /* out of memory */
res->len = (int*)calloc(1, sizeof(int));
return (res->data && res->len);
if(!res->len) {
free(res->data);
res->data = NULL;
return 0; /* out of memory */
}
return 1;
}
data = (struct packed_rrset_data*)answer->entry.data;
if(query_dname_compare(rq->qname, answer->rk.dname) != 0) {
@ -463,15 +472,30 @@ fill_res(struct ub_result* res, struct ub_packed_rrset_key* answer,
return 0; /* out of memory */
} else res->canonname = NULL;
res->data = (char**)calloc(data->count+1, sizeof(char*));
res->len = (int*)calloc(data->count+1, sizeof(int));
if(!res->data || !res->len)
if(!res->data)
return 0; /* out of memory */
res->len = (int*)calloc(data->count+1, sizeof(int));
if(!res->len) {
free(res->data);
res->data = NULL;
return 0; /* out of memory */
}
for(i=0; i<data->count; i++) {
/* remove rdlength from rdata */
res->len[i] = (int)(data->rr_len[i] - 2);
res->data[i] = memdup(data->rr_data[i]+2, (size_t)res->len[i]);
if(!res->data[i])
if(!res->data[i]) {
size_t j;
for(j=0; j<i; j++) {
free(res->data[j]);
res->data[j] = NULL;
}
free(res->data);
res->data = NULL;
free(res->len);
res->len = NULL;
return 0; /* out of memory */
}
}
/* ttl for positive answers, from CNAME and answer RRs */
if(data->count != 0) {
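Review bot: The three out-of-memory paths in `fill_res` each hand-write the same free-and-NULL sequence for `res->data` and `res->len`, and the loop variant additionally walks back over `res->data[0..i)`; one static helper keeps that cleanup in a single place, and because both arrays come from `calloc(count+1, …)` the entries past the failure point are already NULL, so the helper can simply free until it meets a NULL. The `canonname` allocated in the lines just above is not released on these later failures; if the caller frees the whole `ub_result` on a 0 return that is fine, but a short comment at the `return 0` saying so would settle it. `fill_res` continues outside the hunk.
```c
/** release partially filled result arrays after an allocation failure */
static void fill_res_free_partial(struct ub_result* res)
{
	if(res->data) {
		size_t j;
		for(j=0; res->data[j]; j++)
			free(res->data[j]);
	}
	free(res->data);
	res->data = NULL;
	free(res->len);
	res->len = NULL;
}
/* … in fill_res, each "out of memory" branch becomes: … */
fill_res_free_partial(res);
return 0; /* out of memory */
```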


@ -936,6 +936,8 @@ int _ub_resolve_async(struct ub_ctx* ctx, char* name, int rrtype, int rrclass, v
int r;
struct cb_data* id;
id = (struct cb_data*) malloc(sizeof(struct cb_data));
if(!id)
return -2; /* UB_NOMEM */
id->data = mydata;
id->func = pyfunc;
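Review bot: `return -2; /* UB_NOMEM */` hard-codes the value that the comment names; if the libunbound header is visible to this wrapper (the other return paths of `_ub_resolve_async` are outside the hunk), `return UB_NOMEM;` keeps the code tied to the enum so the two cannot drift apart. A one-line comment that `mydata` and `pyfunc` are untouched on this path (the failure happens before `id->data = mydata`) would tell the Python-side caller what it still owns.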


@ -1546,7 +1546,7 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
{
PyObject *func, *py_edns, *py_qstate, *py_opt_list_out, *py_qinfo;
PyObject *py_rep, *py_repinfo, *py_region;
PyObject *py_args, *py_kwargs, *result;
PyObject *py_args = NULL, *py_kwargs = NULL, *result = NULL;
int res = 0;
double py_start_time = ((double)start_time->tv_sec) + ((double)start_time->tv_usec) / 1.0e6;
@ -1561,11 +1561,20 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
py_rep = SWIG_NewPointerObj((void*) rep, SWIGTYPE_p_reply_info, 0);
py_repinfo = SWIG_NewPointerObj((void*) repinfo, SWIGTYPE_p_comm_reply, 0);
py_region = SWIG_NewPointerObj((void*) region, SWIGTYPE_p_regional, 0);
py_args = Py_BuildValue("(OOOiOOO)", py_qinfo, py_qstate, py_rep,
rcode, py_edns, py_opt_list_out, py_region);
py_kwargs = Py_BuildValue("{s:O,s:d}", "repinfo", py_repinfo, "start_time",
py_start_time);
result = PyObject_Call(func, py_args, py_kwargs);
if(py_qinfo && py_qstate && py_rep && py_edns && py_opt_list_out
&& py_region && py_repinfo) {
py_args = Py_BuildValue("(OOOiOOO)", py_qinfo, py_qstate, py_rep,
rcode, py_edns, py_opt_list_out, py_region);
py_kwargs = Py_BuildValue("{s:O,s:d}", "repinfo", py_repinfo, "start_time",
py_start_time);
if(py_args && py_kwargs) {
result = PyObject_Call(func, py_args, py_kwargs);
} else {
log_err("pythonmod: malloc failure in python_inplace_cb_reply_generic");
}
} else {
log_err("pythonmod: malloc failure in python_inplace_cb_reply_generic");
}
Py_XDECREF(py_edns);
Py_XDECREF(py_qstate);
Py_XDECREF(py_opt_list_out);
@ -1624,6 +1633,7 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
{
int res = 0;
PyObject *func = python_callback;
PyObject *py_args = NULL, *py_kwargs = NULL, *result = NULL;
PyGILState_STATE gstate = PyGILState_Ensure();
@ -1632,12 +1642,19 @@ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
PyObject *py_addr = SWIG_NewPointerObj((void *) addr, SWIGTYPE_p_sockaddr_storage, 0);
PyObject *py_zone = PyBytes_FromStringAndSize((const char *)zone, zonelen);
PyObject *py_region = SWIG_NewPointerObj((void*) region, SWIGTYPE_p_regional, 0);
PyObject *py_args = Py_BuildValue("(OiOOOO)", py_qinfo, flags, py_qstate, py_addr, py_zone, py_region);
PyObject *py_kwargs = Py_BuildValue("{}");
PyObject *result = PyObject_Call(func, py_args, py_kwargs);
if (result) {
res = PyInt_AsLong(result);
if(py_qinfo && py_qstate && py_addr && py_zone && py_region) {
py_args = Py_BuildValue("(OiOOOO)", py_qinfo, flags, py_qstate, py_addr, py_zone, py_region);
py_kwargs = Py_BuildValue("{}");
if(py_args && py_kwargs) {
result = PyObject_Call(func, py_args, py_kwargs);
if (result) {
res = PyInt_AsLong(result);
}
} else {
log_err("pythonmod: malloc failure in python_inplace_cb_query_generic");
}
} else {
log_err("pythonmod: malloc failure in python_inplace_cb_query_generic");
}
Py_XDECREF(py_qinfo);
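Review bot: When `Py_BuildValue` (or, presumably, `SWIG_NewPointerObj`) fails in the new `else` branches, the function logs and falls through, but the Python exception those calls set on failure is neither printed nor cleared, so it stays pending on the thread after `PyGILState_Release`; suggest `PyErr_Print();` (or `PyErr_Clear();`) next to each `log_err` in both `python_inplace_cb_reply_generic` and `python_inplace_cb_query_generic`. The two `log_err` strings inside each function are identical, so a log line cannot tell a pointer-wrapping failure from an argument-building failure; distinct texts such as "malloc failure building call arguments" would help triage. Both functions continue outside the hunks.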


@ -245,6 +245,11 @@ cleanup:
/* clear the exception, by not restoring it */
/* Restore the exception state */
/* PyErr_Restore(exc_typ, exc_val, exc_tb); */
/* when using PyErr_Restore there is no need to Py_XDECREF for
* these 3 pointers. */
Py_XDECREF(exc_typ);
Py_XDECREF(exc_val);
Py_XDECREF(exc_tb);
}
int pythonmod_init(struct module_env* env, int id)
@ -561,9 +566,19 @@ void pythonmod_operate(struct module_qstate* qstate, enum module_ev event,
{
/* create qstate */
pq = qstate->minfo[id] = malloc(sizeof(struct pythonmod_qstate));
if(!pq) {
log_err("pythonmod_operate: malloc failure for qstate");
PyGILState_Release(gil);
return;
}
/* Initialize per query data */
pq->data = PyDict_New();
if(!pq->data) {
log_err("pythonmod_operate: malloc failure for query data dict");
PyGILState_Release(gil);
return;
}
}
/* Call operate */
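Review bot: The new `PyDict_New` failure path returns with `qstate->minfo[id]` still pointing at the freshly allocated `pq` whose `data` is NULL, so a later call for the same query (which appears to skip the "create qstate" branch once `minfo[id]` is set) would operate on a half-initialised state, and neither new early return sets `qstate->ext_state[id] = module_error` the way the other module failure paths do, which risks leaving the query without a module verdict. Suggest undoing the allocation and marking the error before releasing the GIL, as sketched below; the same `ext_state` line belongs in the `malloc` failure branch above it. `pythonmod_operate` continues outside the hunk.
```c
	/* Initialize per query data */
	pq->data = PyDict_New();
	if(!pq->data) {
		log_err("pythonmod_operate: malloc failure for query data dict");
		free(pq);
		qstate->minfo[id] = NULL;
		qstate->ext_state[id] = module_error;
		PyGILState_Release(gil);
		return;
	}
```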


@ -1755,6 +1755,8 @@ zonemd_offline_verify(struct auth_zone* z, struct module_env* env_for_val,
{
struct module_env env;
time_t now = 0;
if(!z->zonemd_check)
return;
env = *env_for_val;
env.scratch_buffer = sldns_buffer_new(env.cfg->msg_buffer_size);
if(!env.scratch_buffer) {
@ -2096,6 +2098,7 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
z->for_downstream = c->for_downstream;
z->for_upstream = c->for_upstream;
z->fallback_enabled = c->fallback_enabled;
z->zonemd_check = c->zonemd_check;
z->zonemd_reject_absence = c->zonemd_reject_absence;
if(c->isrpz && !z->rpz){
if(!(z->rpz = rpz_create(c))){
@ -5149,6 +5152,9 @@ xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env)
lock_rw_unlock(&z->lock);
return;
}
#ifdef UB_ON_WINDOWS
(void)unlink(zfilename); /* windows does not replace file with rename() */
#endif
if(rename(tmpfile, zfilename) < 0) {
log_err("could not rename(%s, %s): %s", tmpfile, zfilename,
strerror(errno));
@ -5442,7 +5448,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
/* perform AXFR/IXFR */
/* set the packet to be written */
/* create new ID */
xfr->task_transfer->id = (uint16_t)(ub_random(env->rnd)&0xffff);
xfr->task_transfer->id = GET_RANDOM_ID(env->rnd);
xfr_create_ixfr_packet(xfr, env->scratch_buffer,
xfr->task_transfer->id, master);
@ -6292,7 +6298,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
/* create new ID for new probes, but not on timeout retries,
* this means we'll accept replies to previous retries to same ip */
if(timeout == AUTH_PROBE_TIMEOUT)
xfr->task_probe->id = (uint16_t)(ub_random(env->rnd)&0xffff);
xfr->task_probe->id = GET_RANDOM_ID(env->rnd);
xfr_create_soa_probe_packet(xfr, env->scratch_buffer,
xfr->task_probe->id);
/* we need to remove the cp if we have a different ip4/ip6 type now */
@ -7165,12 +7171,14 @@ xfer_set_masters(struct auth_master** list, struct config_auth* c,
if(with_http)
for(p = c->urls; p; p = p->next) {
m = auth_master_new(&list);
if(!m) return 0;
m->http = 1;
if(!parse_url(p->str, &m->host, &m->file, &m->port, &m->ssl))
return 0;
}
for(p = c->masters; p; p = p->next) {
m = auth_master_new(&list);
if(!m) return 0;
m->ixfr = 1; /* this flag is not configurable */
m->host = strdup(p->str);
if(!m->host) {
@ -7180,6 +7188,7 @@ xfer_set_masters(struct auth_master** list, struct config_auth* c,
}
for(p = c->allow_notify; p; p = p->next) {
m = auth_master_new(&list);
if(!m) return 0;
m->allow_notify = 1;
m->host = strdup(p->str);
if(!m->host) {
@ -8234,6 +8243,8 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
int is_insecure = 0;
/* verify the ZONEMD if present.
* If not present check if absence is allowed by DNSSEC */
if(!z->zonemd_check)
return;
/* if zone is under a trustanchor */
/* is it equal to trustanchor - get dnskey's verified */
@ -8302,6 +8313,10 @@ void auth_zones_pickup_zonemd_verify(struct auth_zones* az,
lock_rw_rdlock(&az->lock);
RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
lock_rw_wrlock(&z->lock);
if(!z->zonemd_check) {
lock_rw_unlock(&z->lock);
continue;
}
key.dclass = z->dclass;
key.namelabs = z->namelabs;
if(z->namelen > sizeof(savezname)) {
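Review bot: The new Windows path unlinks the live zone file before `rename(tmpfile, zfilename)`; if the rename then fails, the error branch logs but the previously good zonefile is already gone, so a transient failure leaves no zone on disk until the next transfer. The unlink result is also discarded, so a failure other than "did not exist" goes unreported — at least `if(unlink(zfilename) != 0 && errno != ENOENT) log_warn("could not unlink %s: %s", zfilename, strerror(errno));`, or rename the old file aside and remove it only after the rename succeeds. The `z->zonemd_check` gate is now applied in `zonemd_offline_verify`, `auth_zone_verify_zonemd` and `auth_zones_pickup_zonemd_verify`; a `verbose(VERB_ALGO, …)` at the skip in `auth_zone_verify_zonemd` would make a disabled check visible in the logs. `xfr_write_after_update` continues outside the hunk.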


@ -132,6 +132,8 @@ struct auth_zone {
/** for upstream: this zone answers queries that unbound intends to
* send upstream. */
int for_upstream;
/** check ZONEMD records */
int zonemd_check;
/** reject absence of ZONEMD records */
int zonemd_reject_absence;
/** RPZ zones */


@ -236,6 +236,9 @@ infra_create(struct config_file* cfg)
sizeof(struct infra_cache));
size_t maxmem = cfg->infra_cache_numhosts * (sizeof(struct infra_key)+
sizeof(struct infra_data)+INFRA_BYTES_NAME);
if(!infra) {
return NULL;
}
infra->hosts = slabhash_create(cfg->infra_cache_slabs,
INFRA_HOST_STARTSIZE, maxmem, &infra_sizefunc, &infra_compfunc,
&infra_delkeyfunc, &infra_deldatafunc, NULL);


@ -2678,18 +2678,45 @@ static int http2_buffer_uri_query(struct http2_session* h2_session,
return 0;
}
if(!(b64len = sldns_b64url_pton(
(char const *)start, length,
sldns_buffer_current(h2_stream->qbuffer),
expectb64len)) || b64len < 0) {
lock_basic_lock(&http2_query_buffer_count_lock);
http2_query_buffer_count -= expectb64len;
lock_basic_unlock(&http2_query_buffer_count_lock);
sldns_buffer_free(h2_stream->qbuffer);
h2_stream->qbuffer = NULL;
/* return without error, method can be an
* unknown POST */
return 1;
if(sldns_b64_contains_nonurl((char const*)start, length)) {
char buf[65536+4];
verbose(VERB_ALGO, "HTTP2 stream contains wrong b64 encoding");
/* copy to the scratch buffer temporarily to terminate the
* string with a zero */
if(length+1 > sizeof(buf)) {
/* too long */
lock_basic_lock(&http2_query_buffer_count_lock);
http2_query_buffer_count -= expectb64len;
lock_basic_unlock(&http2_query_buffer_count_lock);
sldns_buffer_free(h2_stream->qbuffer);
h2_stream->qbuffer = NULL;
return 1;
}
memmove(buf, start, length);
buf[length] = 0;
if(!(b64len = sldns_b64_pton(buf, sldns_buffer_current(
h2_stream->qbuffer), expectb64len)) || b64len < 0) {
lock_basic_lock(&http2_query_buffer_count_lock);
http2_query_buffer_count -= expectb64len;
lock_basic_unlock(&http2_query_buffer_count_lock);
sldns_buffer_free(h2_stream->qbuffer);
h2_stream->qbuffer = NULL;
return 1;
}
} else {
if(!(b64len = sldns_b64url_pton(
(char const *)start, length,
sldns_buffer_current(h2_stream->qbuffer),
expectb64len)) || b64len < 0) {
lock_basic_lock(&http2_query_buffer_count_lock);
http2_query_buffer_count -= expectb64len;
lock_basic_unlock(&http2_query_buffer_count_lock);
sldns_buffer_free(h2_stream->qbuffer);
h2_stream->qbuffer = NULL;
/* return without error, method can be an
* unknown POST */
return 1;
}
}
sldns_buffer_skip(h2_stream->qbuffer, (size_t)b64len);
return 1;
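Review bot: The comment on the new branch says the input is copied "to the scratch buffer temporarily", but the code copies into a 64 KiB automatic array `char buf[65536+4]`, a sizable stack frame in the per-request HTTP/2 path; either reword it to `/* copy to a local buffer so the string can be NUL-terminated for sldns_b64_pton */` or actually use the scratch/regional buffer the comment suggests. The release sequence (lock, `http2_query_buffer_count -= expectb64len`, unlock, free, NULL) is now written out four times in this function; a static helper keeps the accounting in one place (sketched below, with `expectb64len`'s actual type). Since `buf` is a distinct array, `memcpy` states the intent better than `memmove`. `http2_buffer_uri_query` continues outside the hunk.
```c
/** drop a stream's query buffer and undo its count accounting */
static void http2_stream_release_qbuffer(struct http2_stream* h2_stream,
	size_t expectb64len)
{
	lock_basic_lock(&http2_query_buffer_count_lock);
	http2_query_buffer_count -= expectb64len;
	lock_basic_unlock(&http2_query_buffer_count_lock);
	sldns_buffer_free(h2_stream->qbuffer);
	h2_stream->qbuffer = NULL;
}
/* … in http2_buffer_uri_query, each cleanup block becomes: … */
http2_stream_release_qbuffer(h2_stream, expectb64len);
return 1;
```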


@ -99,7 +99,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
{
#ifndef S_SPLINT_S
size_t leftover;
if(d == 0) {
if(d <= 0) {
avg->tv_sec = 0;
avg->tv_usec = 0;
return;
@ -108,7 +108,13 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
avg->tv_usec = sum->tv_usec / d;
/* handle fraction from seconds divide */
leftover = sum->tv_sec - avg->tv_sec*d;
avg->tv_usec += (leftover*1000000)/d;
if(leftover <= 0)
leftover = 0;
avg->tv_usec += (((long long)leftover)*((long long)1000000))/d;
if(avg->tv_sec < 0)
avg->tv_sec = 0;
if(avg->tv_usec < 0)
avg->tv_usec = 0;
#endif
}
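Review bot: `leftover` is declared `size_t`, so the new guard `if(leftover <= 0) leftover = 0;` only matches zero: when `sum->tv_sec - avg->tv_sec*d` goes negative it wraps to a huge unsigned value, and `((long long)leftover)*((long long)1000000)` then overflows instead of being clamped. Declare it signed — `long long leftover;` with `if(leftover < 0) leftover = 0;` — so the clamp, and the later `avg->tv_usec < 0` check, actually see a negative value. With `size_t d` here, `d <= 0` is just `d == 0` (and likely a -Wtype-limits warning); the second `timeval_divide` in this commit, which takes `long long d`, has the same `size_t leftover` problem.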


@ -94,6 +94,10 @@ static void waiting_list_remove(struct outside_network* outnet,
static void reuse_tcp_remove_tree_list(struct outside_network* outnet,
struct reuse_tcp* reuse);
/** select a DNS ID for a TCP stream */
static uint16_t tcp_select_id(struct outside_network* outnet,
struct reuse_tcp* reuse);
int
pending_cmp(const void* key1, const void* key2)
{
@ -238,7 +242,14 @@ pick_outgoing_tcp(struct pending_tcp* pend, struct waiting_tcp* w, int s)
((struct sockaddr_in6*)&pi->addr)->sin6_port = 0;
else ((struct sockaddr_in*)&pi->addr)->sin_port = 0;
if(bind(s, (struct sockaddr*)&pi->addr, pi->addrlen) != 0) {
log_err("outgoing tcp: bind: %s", sock_strerror(errno));
#ifndef USE_WINSOCK
#ifdef EADDRNOTAVAIL
if(!(verbosity < 4 && errno == EADDRNOTAVAIL))
#endif
#else /* USE_WINSOCK */
if(!(verbosity < 4 && WSAGetLastError() == WSAEADDRNOTAVAIL))
#endif
log_err("outgoing tcp: bind: %s", sock_strerror(errno));
sock_close(s);
return 0;
}
@ -399,9 +410,18 @@ static void reuse_write_wait_push_back(struct reuse_tcp* reuse,
void
reuse_tree_by_id_insert(struct reuse_tcp* reuse, struct waiting_tcp* w)
{
#ifdef UNBOUND_DEBUG
rbnode_type* added;
#endif
log_assert(w->id_node.key == NULL);
w->id_node.key = w;
#ifdef UNBOUND_DEBUG
added =
#else
(void)
#endif
rbtree_insert(&reuse->tree_by_id, &w->id_node);
log_assert(added); /* should have been added */
}
/** find element in tree by id */
@ -514,7 +534,7 @@ reuse_tcp_find(struct outside_network* outnet, struct sockaddr_storage* addr,
while(result && result != RBTREE_NULL &&
reuse_cmp_addrportssl(result->key, &key_p.reuse) == 0) {
if(((struct reuse_tcp*)result)->tree_by_id.count <
MAX_REUSE_TCP_QUERIES) {
outnet->max_reuse_tcp_queries) {
/* same address, port, ssl-yes-or-no, and has
* space for another query */
return (struct reuse_tcp*)result;
@ -745,6 +765,9 @@ use_free_buffer(struct outside_network* outnet)
w->on_tcp_waiting_list = 0;
reuse = reuse_tcp_find(outnet, &w->addr, w->addrlen,
w->ssl_upstream);
/* re-select an ID when moving to a new TCP buffer */
w->id = tcp_select_id(outnet, reuse);
LDNS_ID_SET(w->pkt, w->id);
if(reuse) {
log_reuse_tcp(VERB_CLIENT, "use free buffer for waiting tcp: "
"found reuse", reuse);
@ -823,8 +846,17 @@ outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w)
static void
reuse_tree_by_id_delete(struct reuse_tcp* reuse, struct waiting_tcp* w)
{
#ifdef UNBOUND_DEBUG
rbnode_type* rem;
#endif
log_assert(w->id_node.key != NULL);
#ifdef UNBOUND_DEBUG
rem =
#else
(void)
#endif
rbtree_delete(&reuse->tree_by_id, w);
log_assert(rem); /* should have been there */
w->id_node.key = NULL;
}
@ -1012,22 +1044,22 @@ static void reuse_cb_and_decommission(struct outside_network* outnet,
/** set timeout on tcp fd and setup read event to catch incoming dns msgs */
static void
reuse_tcp_setup_timeout(struct pending_tcp* pend_tcp)
reuse_tcp_setup_timeout(struct pending_tcp* pend_tcp, int tcp_reuse_timeout)
{
log_reuse_tcp(VERB_CLIENT, "reuse_tcp_setup_timeout", &pend_tcp->reuse);
comm_point_start_listening(pend_tcp->c, -1, REUSE_TIMEOUT);
comm_point_start_listening(pend_tcp->c, -1, tcp_reuse_timeout);
}
/** set timeout on tcp fd and setup read event to catch incoming dns msgs */
static void
reuse_tcp_setup_read_and_timeout(struct pending_tcp* pend_tcp)
reuse_tcp_setup_read_and_timeout(struct pending_tcp* pend_tcp, int tcp_reuse_timeout)
{
log_reuse_tcp(VERB_CLIENT, "reuse_tcp_setup_readtimeout", &pend_tcp->reuse);
sldns_buffer_clear(pend_tcp->c->buffer);
pend_tcp->c->tcp_is_reading = 1;
pend_tcp->c->tcp_byte_count = 0;
comm_point_stop_listening(pend_tcp->c);
comm_point_start_listening(pend_tcp->c, -1, REUSE_TIMEOUT);
comm_point_start_listening(pend_tcp->c, -1, tcp_reuse_timeout);
}
int
@ -1083,7 +1115,7 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error,
pend->reuse.cp_more_write_again = 0;
pend->c->tcp_is_reading = 1;
comm_point_stop_listening(pend->c);
reuse_tcp_setup_timeout(pend);
reuse_tcp_setup_timeout(pend, outnet->tcp_reuse_timeout);
}
return 0;
} else if(error != NETEVENT_NOERROR) {
@ -1136,7 +1168,7 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error,
* and there could be more bytes to read on the input */
if(pend->reuse.tree_by_id.count != 0)
pend->reuse.cp_more_read_again = 1;
reuse_tcp_setup_read_and_timeout(pend);
reuse_tcp_setup_read_and_timeout(pend, outnet->tcp_reuse_timeout);
return 0;
}
verbose(VERB_CLIENT, "outnet_tcp_cb reuse after cb: decommission it");
@ -1404,7 +1436,8 @@ outside_network_create(struct comm_base *base, size_t bufsize,
int numavailports, size_t unwanted_threshold, int tcp_mss,
void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
void* sslctx, int delayclose, int tls_use_sni, struct dt_env* dtenv,
int udp_connect)
int udp_connect, int max_reuse_tcp_queries, int tcp_reuse_timeout,
int tcp_auth_query_timeout)
{
struct outside_network* outnet = (struct outside_network*)
calloc(1, sizeof(struct outside_network));
@ -1416,6 +1449,9 @@ outside_network_create(struct comm_base *base, size_t bufsize,
comm_base_timept(base, &outnet->now_secs, &outnet->now_tv);
outnet->base = base;
outnet->num_tcp = num_tcp;
outnet->max_reuse_tcp_queries = max_reuse_tcp_queries;
outnet->tcp_reuse_timeout= tcp_reuse_timeout;
outnet->tcp_auth_query_timeout = tcp_auth_query_timeout;
outnet->num_tcp_outgoing = 0;
outnet->infra = infra;
outnet->rnd = rnd;
@ -1777,14 +1813,14 @@ select_id(struct outside_network* outnet, struct pending* pend,
sldns_buffer* packet)
{
int id_tries = 0;
pend->id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff;
pend->id = GET_RANDOM_ID(outnet->rnd);
LDNS_ID_SET(sldns_buffer_begin(packet), pend->id);
/* insert in tree */
pend->node.key = pend;
while(!rbtree_insert(outnet->pending, &pend->node)) {
/* change ID to avoid collision */
pend->id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff;
pend->id = GET_RANDOM_ID(outnet->rnd);
LDNS_ID_SET(sldns_buffer_begin(packet), pend->id);
id_tries++;
if(id_tries == MAX_ID_RETRY) {
@ -2077,6 +2113,14 @@ reuse_tcp_close_oldest(struct outside_network* outnet)
reuse_cb_and_decommission(outnet, pend, NETEVENT_CLOSED);
}
static uint16_t
tcp_select_id(struct outside_network* outnet, struct reuse_tcp* reuse)
{
if(reuse)
return reuse_tcp_select_id(reuse, outnet);
return GET_RANDOM_ID(outnet->rnd);
}
/** find spare ID value for reuse tcp stream. That is random and also does
* not collide with an existing query ID that is in use or waiting */
uint16_t
@ -2090,13 +2134,13 @@ reuse_tcp_select_id(struct reuse_tcp* reuse, struct outside_network* outnet)
/* make really sure the tree is not empty */
if(reuse->tree_by_id.count == 0) {
id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff;
id = GET_RANDOM_ID(outnet->rnd);
return id;
}
/* try to find random empty spots by picking them */
for(i = 0; i<try_random; i++) {
id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff;
id = GET_RANDOM_ID(outnet->rnd);
if(!reuse_tcp_by_id_find(reuse, id)) {
return id;
}
@ -2194,9 +2238,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
w->pkt = (uint8_t*)w + sizeof(struct waiting_tcp);
w->pkt_len = sldns_buffer_limit(packet);
memmove(w->pkt, sldns_buffer_begin(packet), w->pkt_len);
if(reuse)
w->id = reuse_tcp_select_id(reuse, sq->outnet);
else w->id = ((unsigned)ub_random(sq->outnet->rnd)>>8) & 0xffff;
w->id = tcp_select_id(sq->outnet, reuse);
LDNS_ID_SET(w->pkt, w->id);
memcpy(&w->addr, &sq->addr, sq->addrlen);
w->addrlen = sq->addrlen;
@ -2443,7 +2485,7 @@ reuse_tcp_remove_serviced_keep(struct waiting_tcp* w,
if(!reuse_tcp_insert(sq->outnet, pend_tcp)) {
return 0;
}
reuse_tcp_setup_timeout(pend_tcp);
reuse_tcp_setup_timeout(pend_tcp, sq->outnet->tcp_reuse_timeout);
return 1;
}
return 0;
@ -2779,8 +2821,12 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
struct comm_reply r2;
#ifdef USE_DNSTAP
struct waiting_tcp* w = (struct waiting_tcp*)sq->pending;
struct pending_tcp* pend_tcp = (struct pending_tcp*)w->next_waiting;
struct port_if* pi = pend_tcp->pi;
struct pending_tcp* pend_tcp = NULL;
struct port_if* pi = NULL;
if(!w->on_tcp_waiting_list && w->next_waiting) {
pend_tcp = (struct pending_tcp*)w->next_waiting;
pi = pend_tcp->pi;
}
#endif
sq->pending = NULL; /* removed after this callback */
if(error != NETEVENT_NOERROR)
@ -2793,7 +2839,7 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
/*
* sending src (local service)/dst (upstream) addresses over DNSTAP
*/
if(error==NETEVENT_NOERROR && sq->outnet->dtenv &&
if(error==NETEVENT_NOERROR && pi && sq->outnet->dtenv &&
(sq->outnet->dtenv->log_resolver_response_messages ||
sq->outnet->dtenv->log_forwarder_response_messages)) {
log_addr(VERB_ALGO, "response from upstream", &sq->addr, sq->addrlen);
@ -2873,7 +2919,7 @@ serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff)
sq->status==serviced_query_TCP_EDNS?"EDNS":"");
serviced_encode(sq, buff, sq->status == serviced_query_TCP_EDNS);
sq->last_sent_time = *sq->outnet->now_tv;
sq->pending = pending_tcp_query(sq, buff, TCP_AUTH_QUERY_TIMEOUT,
sq->pending = pending_tcp_query(sq, buff, sq->outnet->tcp_auth_query_timeout,
serviced_tcp_callback, sq);
if(!sq->pending) {
/* delete from tree so that a retry by above layer does not
@ -2901,10 +2947,10 @@ serviced_tcp_send(struct serviced_query* sq, sldns_buffer* buff)
sq->last_sent_time = *sq->outnet->now_tv;
if(sq->tcp_upstream || sq->ssl_upstream) {
timeout = rtt;
if(rtt >= UNKNOWN_SERVER_NICENESS && rtt < TCP_AUTH_QUERY_TIMEOUT)
timeout = TCP_AUTH_QUERY_TIMEOUT;
if(rtt >= UNKNOWN_SERVER_NICENESS && rtt < sq->outnet->tcp_auth_query_timeout)
timeout = sq->outnet->tcp_auth_query_timeout;
} else {
timeout = TCP_AUTH_QUERY_TIMEOUT;
timeout = sq->outnet->tcp_auth_query_timeout;
}
sq->pending = pending_tcp_query(sq, buff, timeout,
serviced_tcp_callback, sq);
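Review bot: `outnet->max_reuse_tcp_queries = max_reuse_tcp_queries;` stores an `int` parameter into a `size_t` field (`size_t max_reuse_tcp_queries;` in the header hunk below), so a negative configured value silently becomes an enormous limit and `reuse_tcp_find`'s `count < outnet->max_reuse_tcp_queries` never rejects a stream; suggest `outnet->max_reuse_tcp_queries = max_reuse_tcp_queries < 0 ? 0 : (size_t)max_reuse_tcp_queries;` or a range check where the option is parsed. In `pick_outgoing_tcp`, the literal `4` in `verbosity < 4` is the `VERB_ALGO` level and should be written as such, and an unbraced `if` whose condition comes out of nested `#ifdef`s is fragile: when `EADDRNOTAVAIL` is undefined the `log_err` runs unconditionally, which may be intended but deserves a comment. `outside_network_create` and `pick_outgoing_tcp` continue outside their hunks.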


@ -158,6 +158,12 @@ struct outside_network {
size_t num_tcp;
/** number of tcp communication points in use. */
size_t num_tcp_outgoing;
/** max number of queries on a reuse connection */
size_t max_reuse_tcp_queries;
/** timeout for REUSE entries in milliseconds. */
int tcp_reuse_timeout;
/** timeout in milliseconds for TCP queries to auth servers. */
int tcp_auth_query_timeout;
/**
* tree of still-open and waiting tcp connections for reuse.
* can be closed and reopened to get a new tcp connection.
@ -295,11 +301,6 @@ struct reuse_tcp {
struct outside_network* outnet;
};
/** max number of queries on a reuse connection */
#define MAX_REUSE_TCP_QUERIES 200
/** timeout for REUSE entries in milliseconds. */
#define REUSE_TIMEOUT 60000
/**
* A query that has an answer pending for it.
*/
@ -540,6 +541,9 @@ struct serviced_query {
* @param tls_use_sni: if SNI is used for TLS connections.
* @param dtenv: environment to send dnstap events with (if enabled).
* @param udp_connect: if the udp_connect option is enabled.
* @param max_reuse_tcp_queries: max number of queries on a reuse connection.
* @param tcp_reuse_timeout: timeout for REUSE entries in milliseconds.
* @param tcp_auth_query_timeout: timeout in milliseconds for TCP queries to auth servers.
* @return: the new structure (with no pending answers) or NULL on error.
*/
struct outside_network* outside_network_create(struct comm_base* base,
@ -549,7 +553,8 @@ struct outside_network* outside_network_create(struct comm_base* base,
int numavailports, size_t unwanted_threshold, int tcp_mss,
void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv,
int udp_connect);
int udp_connect, int max_reuse_tcp_queries, int tcp_reuse_timeout,
int tcp_auth_query_timeout);
/**
* Delete outside_network structure.


@ -790,3 +790,18 @@ int sldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target,
}
return sldns_b64_pton_base(src, srcsize, target, targsize, 1);
}
int sldns_b64_contains_nonurl(char const *src, size_t srcsize)
{
const char* s = src;
while(*s && srcsize) {
char d = *s++;
srcsize--;
/* the '+' and the '/' and padding '=' is not allowed in b64
* url encoding */
if(d == '+' || d == '/' || d == '=') {
return 1;
}
}
return 0;
}
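Review bot: `sldns_b64_contains_nonurl` has no header comment on the definition or on the new declaration in the header hunk, and its name promises more than the loop checks: it reports only `+`, `/` and `=`, not any other character outside the base64url alphabet, and it stops at a NUL even when `srcsize` is larger. Suggest a Doxygen block above the definition such as `/** Return 1 if src (up to srcsize bytes or a NUL) holds '+', '/' or '=', the plain-base64 characters that base64url does not use; 0 otherwise. Does not validate the rest of the alphabet. */`, with the same one-liner on the declaration.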


@ -102,6 +102,7 @@ size_t sldns_b64_pton_calculate_size(size_t srcsize);
int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize);
int sldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target,
size_t targsize);
int sldns_b64_contains_nonurl(char const *src, size_t srcsize);
/**
* calculates the size needed to store the result of b32_ntop


@ -1078,6 +1078,10 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
memmove(parse_state->prev_rr, rr, *dname_len);
parse_state->prev_rr_len = (*dname_len);
}
if(r == LDNS_WIREPARSE_ERR_OK && parse_state) {
parse_state->default_ttl = sldns_wirerr_get_ttl(
rr, *len, *dname_len);
}
return r;
}
return LDNS_WIREPARSE_ERR_OK;


@ -188,7 +188,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
{
#ifndef S_SPLINT_S
size_t leftover;
if(d == 0) {
if(d <= 0) {
avg->tv_sec = 0;
avg->tv_usec = 0;
return;
@ -197,7 +197,13 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
avg->tv_usec = sum->tv_usec / d;
/* handle fraction from seconds divide */
leftover = sum->tv_sec - avg->tv_sec*d;
avg->tv_usec += (leftover*1000000)/d;
if(leftover <= 0)
leftover = 0;
avg->tv_usec += (((long long)leftover)*((long long)1000000))/d;
if(avg->tv_sec < 0)
avg->tv_sec = 0;
if(avg->tv_usec < 0)
avg->tv_usec = 0;
#endif
}


@ -347,7 +347,10 @@ static volatile int do_quit = 0;
/** signal handler for user quit */
static RETSIGTYPE delayer_sigh(int sig)
{
printf("exit on signal %d\n", sig);
char str[] = "exit on signal \n";
str[15] = '0' + (sig/10)%10;
str[16] = '0' + sig%10;
write(STDOUT_FILENO, str, strlen(str));
do_quit = 1;
}
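Review bot: The length handed to `write` is computed with `strlen`, which the C standard does not list as async-signal-safe (POSIX only added it in its 2016 edition) even though the buffer is a fixed array: `(void)write(STDOUT_FILENO, str, sizeof(str)-1);` avoids the call and also discards the result explicitly, which silences the unused-result warning fortified libcs may raise for `write`. The two-digit formatting writes wrong digits for signal numbers outside 0..99, acceptable for a test tool but worth a one-line comment.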


@ -1,5 +1,11 @@
#!/usr/bin/env bash
. testdata/common.sh
quiet=0
if test "$1" = "-q"; then
quiet=1
tdirarg="-q"
shift
fi
NEED_SPLINT='00-lint.tdir'
NEED_DOXYGEN='01-doc.tdir'
@ -33,7 +39,7 @@ fi
export -n NOTIFY_SOCKET
cd testdata;
sh ../testcode/mini_tdir.sh clean
sh ../testcode/mini_tdir.sh $tdirarg clean
rm -f .perfstats.txt
for test in `ls -d *.tdir`; do
SKIP=0
@ -57,10 +63,10 @@ for test in `ls -d *.tdir`; do
fi
if test $SKIP -eq 0; then
echo $test
sh ../testcode/mini_tdir.sh -a ../.. exe $test
sh ../testcode/mini_tdir.sh -a ../.. $tdirarg exe $test
else
echo "skip $test"
fi
done
sh ../testcode/mini_tdir.sh report
sh ../testcode/mini_tdir.sh $tdirarg report
cat .perfstats.txt


@ -423,6 +423,7 @@ http2_session_create()
if(nghttp2_session_callbacks_new(&callbacks) == NGHTTP2_ERR_NOMEM) {
log_err("failed to initialize nghttp2 callback");
free(h2_session);
return NULL;
}
nghttp2_session_callbacks_set_recv_callback(callbacks, http2_recv_cb);
@ -501,7 +502,9 @@ run(struct http2_session* h2_session, int port, int no_tls, int count, char** q)
if(!no_tls) {
ctx = connect_sslctx_create(NULL, NULL, NULL, 0);
if(!ctx) fatal_exit("cannot create ssl ctx");
#ifdef HAVE_SSL_CTX_SET_ALPN_PROTOS
SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)"\x02h2", 3);
#endif
ssl = outgoing_ssl_fd(ctx, fd);
if(!ssl) {
printf("cannot create ssl\n");
@ -620,7 +623,25 @@ int main(int argc, char** argv)
return 1;
}
if(!no_tls) {
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
ERR_load_SSL_strings();
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
# ifndef S_SPLINT_S
OpenSSL_add_all_algorithms();
# endif
#else
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
| OPENSSL_INIT_ADD_ALL_DIGESTS
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
(void)SSL_library_init();
#else
(void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
#endif
}
run(h2_session, port, no_tls, argc, argv);
checklock_stop();


@ -451,6 +451,8 @@ fake_front_query(struct replay_runtime* runtime, struct replay_moment *todo)
struct comm_reply repinfo;
memset(&repinfo, 0, sizeof(repinfo));
repinfo.c = (struct comm_point*)calloc(1, sizeof(struct comm_point));
if(!repinfo.c)
fatal_exit("out of memory in fake_front_query");
repinfo.addrlen = (socklen_t)sizeof(struct sockaddr_in);
if(todo->addrlen != 0) {
repinfo.addrlen = todo->addrlen;
@ -597,7 +599,7 @@ autotrust_check(struct replay_runtime* runtime, struct replay_moment* mom)
log_err("should be: %s", p->str);
fatal_exit("autotrust_check failed");
}
if(line[0]) line[strlen(line)-1] = 0; /* remove newline */
strip_end_white(line);
expanded = macro_process(runtime->vars, runtime, p->str);
if(!expanded)
fatal_exit("could not expand macro line %d", lineno);
@ -650,7 +652,7 @@ tempfile_check(struct replay_runtime* runtime, struct replay_moment* mom)
log_err("should be: %s", p->str);
fatal_exit("tempfile_check failed");
}
if(line[0]) line[strlen(line)-1] = 0; /* remove newline */
strip_end_white(line);
expanded = macro_process(runtime->vars, runtime, p->str);
if(!expanded)
fatal_exit("could not expand macro line %d", lineno);
@ -909,6 +911,8 @@ comm_base_create(int ATTR_UNUSED(sigs))
/* we return the runtime structure instead. */
struct replay_runtime* runtime = (struct replay_runtime*)
calloc(1, sizeof(struct replay_runtime));
if(!runtime)
fatal_exit("out of memory in fake_event.c:comm_base_create");
runtime->scenario = saved_scenario;
runtime->vars = macro_store_create();
if(!runtime->vars) fatal_exit("out of memory");
@ -1046,7 +1050,9 @@ outside_network_create(struct comm_base* base, size_t bufsize,
void (*unwanted_action)(void*), void* ATTR_UNUSED(unwanted_param),
int ATTR_UNUSED(do_udp), void* ATTR_UNUSED(sslctx),
int ATTR_UNUSED(delayclose), int ATTR_UNUSED(tls_use_sni),
struct dt_env* ATTR_UNUSED(dtenv), int ATTR_UNUSED(udp_connect))
struct dt_env* ATTR_UNUSED(dtenv), int ATTR_UNUSED(udp_connect),
int ATTR_UNUSED(max_reuse_tcp_queries), int ATTR_UNUSED(tcp_reuse_timeout),
int ATTR_UNUSED(tcp_auth_query_timeout))
{
struct replay_runtime* runtime = (struct replay_runtime*)base;
struct outside_network* outnet = calloc(1,
@ -1532,6 +1538,8 @@ struct comm_timer* comm_timer_create(struct comm_base* base,
{
struct replay_runtime* runtime = (struct replay_runtime*)base;
struct fake_timer* t = (struct fake_timer*)calloc(1, sizeof(*t));
if(!t)
fatal_exit("out of memory in fake_event.c:comm_timer_create");
t->cb = cb;
t->cb_arg = cb_arg;
fptr_ok(fptr_whitelist_comm_timer(t->cb)); /* check in advance */
@ -1709,7 +1717,7 @@ struct comm_point* outnet_comm_point_for_tcp(struct outside_network* outnet,
addr_to_str((struct sockaddr_storage*)to_addr, to_addrlen,
addrbuf, sizeof(addrbuf));
if(verbosity >= VERB_ALGO) {
if(buf[0] != 0) buf[strlen(buf)-1] = 0; /* del newline*/
strip_end_white(buf);
log_info("tcp to %s: %s", addrbuf, buf);
}
log_assert(sldns_buffer_limit(query)-LDNS_HEADER_SIZE >= 2);
@ -1799,7 +1807,7 @@ int comm_point_send_udp_msg(struct comm_point *c, sldns_buffer* packet,
addr_to_str((struct sockaddr_storage*)addr, addrlen,
addrbuf, sizeof(addrbuf));
if(verbosity >= VERB_ALGO) {
if(buf[0] != 0) buf[strlen(buf)-1] = 0; /* del newline*/
strip_end_white(buf);
log_info("udp to %s: %s", addrbuf, buf);
}
log_assert(sldns_buffer_limit(packet)-LDNS_HEADER_SIZE >= 2);


@ -5,14 +5,23 @@ if test "$1" = "-a"; then
shift
shift
fi
quiet=0
if test "$1" = "-q"; then
quiet=1
shift
fi
if test "$1" = "clean"; then
echo "rm -f result.* .done* .tdir.var.master .tdir.var.test"
if test $quiet = 0; then
echo "rm -f result.* .done* .tdir.var.master .tdir.var.test"
fi
rm -f result.* .done* .tdir.var.master .tdir.var.test
exit 0
fi
if test "$1" = "fake"; then
echo "minitdir fake $2"
if test $quiet = 0; then
echo "minitdir fake $2"
fi
echo "fake" > .done-`basename $2 .tdir`
exit 0
fi
@ -37,7 +46,7 @@ if test "$1" = "-f" && test "$2" = "report"; then
desc=`grep ^Description: "result.$name" | sed -e 's/Description: //'`
fi
if test -f ".done-$name"; then
if test "$1" != "-q"; then
if test $quiet = 0; then
echo "** PASSED ** $timelen $name: $desc"
pass=`expr $pass + 1`
fi
@ -65,7 +74,7 @@ if test "$1" = "report" || test "$2" = "report"; then
for result in *.tdir; do
name=`basename $result .tdir`
if test -f ".done-$name"; then
if test "$1" != "-q"; then
if test $quiet = 0; then
echo "** PASSED ** : $name"
fi
else
@ -82,9 +91,9 @@ fi
if test "$1" != 'exe'; then
# usage
echo "mini tdir. Reduced functionality for old shells."
echo " tdir exe <file>"
echo " tdir fake <file>"
echo " tdir clean"
echo " tdir [-q] exe <file>"
echo " tdir [-q] fake <file>"
echo " tdir [-q] clean"
echo " tdir [-q|-f] report"
exit 1
fi
@ -117,7 +126,9 @@ if test -f .done-$name; then
fi
# Copy
echo "minitdir copy $1 to $dir"
if test $quiet = 0; then
echo "minitdir copy $1 to $dir"
fi
mkdir $dir
if cp --help 2>&1 | grep -- "-a" >/dev/null; then
cp -a $name.tdir/* $dir/
@ -131,7 +142,9 @@ echo "minitdir exe $name" > $result
grep "Description:" $name.dsc >> $result 2>&1
echo "DateRunStart: "`date "+%s" 2>/dev/null` >> $result
if test -f $name.pre; then
echo "minitdir exe $name.pre"
if test $quiet = 0; then
echo "minitdir exe $name.pre"
fi
echo "minitdir exe $name.pre" >> $result
$shell $name.pre $args >> $result
if test $? -ne 0; then
@ -139,7 +152,9 @@ if test -f $name.pre; then
fi
fi
if test -f $name.test; then
echo "minitdir exe $name.test"
if test $quiet = 0; then
echo "minitdir exe $name.test"
fi
echo "minitdir exe $name.test" >> $result
$shell $name.test $args >>$result 2>&1
if test $? -ne 0; then
@ -149,12 +164,16 @@ if test -f $name.test; then
else
echo "$name: PASSED" >> $result
echo "$name: PASSED" > ../.done-$name
echo "$name: PASSED"
if test $quiet = 0; then
echo "$name: PASSED"
fi
success="yes"
fi
fi
if test -f $name.post; then
echo "minitdir exe $name.post"
if test $quiet = 0; then
echo "minitdir exe $name.post"
fi
echo "minitdir exe $name.post" >> $result
$shell $name.post $args >> $result
if test $? -ne 0; then
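Review bot: The new guards of the form `if test $quiet = 0; then` leave `$quiet` unquoted; it is always assigned 0 or 1 at the top of the script so this works, but `if test "$quiet" = 0; then` is the safer form for the old shells this script targets and matches the quoting already used on `"$1"`. The same three-line guard is now repeated around every progress `echo` in the file; a helper such as `say() { test "$quiet" = 0 && echo "$@"; }` would remove the duplication, assuming the target shells support functions. Because `-q` is only parsed after the optional `-a` pair (that handling starts before the hunk), `-q` must come after `-a`, which the usage text does not state.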


@ -124,8 +124,7 @@ replay_range_delete(struct replay_range* rng)
free(rng);
}
/** strip whitespace from end of string */
static void
void
strip_end_white(char* p)
{
size_t i;
@ -227,7 +226,7 @@ read_file_content(FILE* in, int* lineno, struct replay_moment* mom)
if(strncmp(line, "FILE_END", 8) == 0) {
return;
}
if(line[0]) line[strlen(line)-1] = 0; /* remove newline */
strip_end_white(line);
if(!cfg_strlist_insert(last, strdup(line)))
fatal_exit("malloc failure");
last = &( (*last)->next );
@ -249,7 +248,7 @@ read_assign_step(char* remain, struct replay_moment* mom)
if(eq != '=')
fatal_exit("no '=' in assign: %s", remain);
remain += skip;
if(remain[0]) remain[strlen(remain)-1]=0; /* remove newline */
strip_end_white(remain);
mom->string = strdup(remain);
if(!mom->variable || !mom->string)
fatal_exit("out of memory");
@ -318,8 +317,7 @@ replay_moment_read(char* remain, FILE* in, const char* name,
mom->evt_type = repevt_autotrust_check;
while(isspace((unsigned char)*remain))
remain++;
if(strlen(remain)>0 && remain[strlen(remain)-1]=='\n')
remain[strlen(remain)-1] = 0;
strip_end_white(remain);
mom->autotrust_id = strdup(remain);
if(!mom->autotrust_id) fatal_exit("out of memory");
read_file_content(in, &pstate->lineno, mom);
@ -327,8 +325,7 @@ replay_moment_read(char* remain, FILE* in, const char* name,
mom->evt_type = repevt_tempfile_check;
while(isspace((unsigned char)*remain))
remain++;
if(strlen(remain)>0 && remain[strlen(remain)-1]=='\n')
remain[strlen(remain)-1] = 0;
strip_end_white(remain);
mom->autotrust_id = strdup(remain);
if(!mom->autotrust_id) fatal_exit("out of memory");
read_file_content(in, &pstate->lineno, mom);
@ -359,8 +356,7 @@ replay_moment_read(char* remain, FILE* in, const char* name,
m++;
if(!extstrtoaddr(s, &mom->addr, &mom->addrlen))
fatal_exit("bad infra_rtt address %s", s);
if(strlen(m)>0 && m[strlen(m)-1]=='\n')
m[strlen(m)-1] = 0;
strip_end_white(m);
mom->variable = strdup(remain);
mom->string = strdup(m);
if(!mom->string) fatal_exit("out of memory");
@ -375,8 +371,7 @@ replay_moment_read(char* remain, FILE* in, const char* name,
if(parse_keyword(&remain, "ADDRESS")) {
while(isspace((unsigned char)*remain))
remain++;
if(strlen(remain) > 0) /* remove \n */
remain[strlen(remain)-1] = 0;
strip_end_white(remain);
if(!extstrtoaddr(remain, &mom->addr, &mom->addrlen)) {
log_err("line %d: could not parse ADDRESS: %s",
pstate->lineno, remain);
@ -693,7 +688,11 @@ do_macro_ctime(char* arg)
return NULL;
}
ctime_r(&tt, buf);
if(buf[0]) buf[strlen(buf)-1]=0; /* remove trailing newline */
#ifdef USE_WINSOCK
if(strlen(buf) > 10 && buf[7]==' ' && buf[8]=='0')
buf[8]=' '; /* fix error in windows ctime */
#endif
strip_end_white(buf);
return strdup(buf);
}
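Review bot: Replacing the newline chop with `strip_end_white()` in `read_file_content` and `read_assign_step` also drops trailing spaces and tabs, so FILE_BEGIN/FILE_END content and ASSIGN values with intentional trailing whitespace are now altered before they are stored; if that is intended it deserves a comment at the first call site, e.g. `/* trailing whitespace, not just the newline, is dropped from stored lines */`. The old `line[strlen(line)-1] = 0` also removed the last character of a final line that had no newline, which the helper fixes, and that contract is worth stating in the header comment added in replay.h: `/** strip whitespace (including a trailing newline) from end of string, in place */`. The body of `strip_end_white` and the declaration of `buf` in `do_macro_ctime` are outside the hunks, so the safety of the `buf[7]`/`buf[8]` accesses rests on the visible `strlen(buf) > 10` guard.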


@ -425,6 +425,9 @@ int replay_var_compare(const void* a, const void* b);
/** get oldest enabled fake timer */
struct fake_timer* replay_get_oldest_timer(struct replay_runtime* runtime);
/** strip whitespace from end of string */
void strip_end_white(char* p);
/**
* Create variable storage
* @return new or NULL on failure.


@ -397,11 +397,15 @@ send_em(const char* svr, int udp, int usessl, int noanswer, int onarrival,
/** SIGPIPE handler */
static RETSIGTYPE sigh(int sig)
{
char str[] = "Got unhandled signal \n";
if(sig == SIGPIPE) {
printf("got SIGPIPE, remote connection gone\n");
char* strpipe = "got SIGPIPE, remote connection gone\n";
write(STDOUT_FILENO, strpipe, strlen(strpipe));
exit(1);
}
printf("Got unhandled signal %d\n", sig);
str[21] = '0' + (sig/10)%10;
str[22] = '0' + sig%10;
write(STDOUT_FILENO, str, strlen(str));
exit(1);
}
#endif /* SIGPIPE */
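Review bot: `str[21]` and `str[22]` overwrite the last two characters of `"Got unhandled signal \n"` as rendered here — that literal is 22 characters plus the terminator, so index 21 is the `\n` and index 22 is the NUL, and after the two digit stores the array is unterminated and `strlen(str)` reads past its end. If the rendering collapsed spaces and the real literal has two placeholder characters before the `\n` this is fine; otherwise widen it, e.g. `char str[] = "Got unhandled signal 00\n";`, so the digits land on the placeholders and the newline and terminator survive. `exit(1)` is not async-signal-safe (it runs atexit handlers and flushes stdio), the same class of problem the switch from `printf` to `write` addresses; `_exit(1)` is the safe call in a handler. The result of `write()` is ignored in both branches, which glibc's unused-result attribute will flag; a `(void)` cast or a check would quieten that.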


@ -168,7 +168,7 @@ spool_temp_file_name(int* lineno, FILE* cfg, char* id)
id++;
if(*id == '\0')
fatal_exit("TEMPFILE_NAME must have id, line %d", *lineno);
id[strlen(id)-1]=0; /* remove newline */
strip_end_white(id);
fake_temp_file("_temp_", id, line, sizeof(line));
fprintf(cfg, "\"%s\"\n", line);
}
@ -185,7 +185,7 @@ spool_temp_file(FILE* in, int* lineno, char* id)
id++;
if(*id == '\0')
fatal_exit("TEMPFILE_CONTENTS must have id, line %d", *lineno);
id[strlen(id)-1]=0; /* remove newline */
strip_end_white(id);
fake_temp_file("_temp_", id, line, sizeof(line));
/* open file and spool to it */
spool = fopen(line, "w");
@ -205,7 +205,7 @@ spool_temp_file(FILE* in, int* lineno, char* id)
char* tid = parse+17;
while(isspace((unsigned char)*tid))
tid++;
tid[strlen(tid)-1]=0; /* remove newline */
strip_end_white(tid);
fake_temp_file("_temp_", tid, l2, sizeof(l2));
snprintf(line, sizeof(line), "$INCLUDE %s\n", l2);
}
@ -230,7 +230,7 @@ spool_auto_file(FILE* in, int* lineno, FILE* cfg, char* id)
id++;
if(*id == '\0')
fatal_exit("AUTROTRUST_FILE must have id, line %d", *lineno);
id[strlen(id)-1]=0; /* remove newline */
strip_end_white(id);
fake_temp_file("_auto_", id, line, sizeof(line));
/* add option for the file */
fprintf(cfg, "server: auto-trust-anchor-file: \"%s\"\n", line);
@ -279,6 +279,7 @@ setup_config(FILE* in, int* lineno, int* pass_argc, char* pass_argv[])
fprintf(cfg, " username: \"\"\n");
fprintf(cfg, " pidfile: \"\"\n");
fprintf(cfg, " val-log-level: 2\n");
fprintf(cfg, " log-servfail: yes\n");
fprintf(cfg, "remote-control: control-enable: no\n");
while(fgets(line, MAX_LINE_LEN-1, in)) {
parse = line;


@ -468,8 +468,13 @@ tmpfilecleanup(void)
int i;
char buf[256];
for(i=0; i<tempno; i++) {
#ifdef USE_WINSOCK
snprintf(buf, sizeof(buf), "unbound.unittest.%u.%d",
(unsigned)getpid(), i);
#else
snprintf(buf, sizeof(buf), "/tmp/unbound.unittest.%u.%d",
(unsigned)getpid(), i);
#endif
if(vbmp) printf("cleanup: unlink %s\n", buf);
unlink(buf);
}
@ -483,8 +488,13 @@ create_tmp_file(const char* s)
char *fname;
FILE *out;
size_t r;
#ifdef USE_WINSOCK
snprintf(buf, sizeof(buf), "unbound.unittest.%u.%d",
(unsigned)getpid(), tempno++);
#else
snprintf(buf, sizeof(buf), "/tmp/unbound.unittest.%u.%d",
(unsigned)getpid(), tempno++);
#endif
fname = strdup(buf);
if(!fname) fatal_exit("out of memory");
/* if no string, just make the name */
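Review bot: `create_tmp_file` still builds a predictable name, `/tmp/unbound.unittest.<pid>.<n>`, in a shared world-writable directory and presumably opens it below; the new `#ifdef USE_WINSOCK` branch only changes where that happens. A pre-existing file or symlink at that path would be followed by the open, so `mkstemp()` on a template (and honouring `TMPDIR` rather than hard-coding `/tmp`) is the usual replacement, even for test code. The Windows branch writes into the current directory, which is fine for a unit test but worth a comment such as `/* no /tmp on Windows; use the working directory */`. The `fopen` of `fname` and the rest of the function are outside the hunk.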


@ -82,6 +82,7 @@ static void zonemd_generate_test(const char* zname, char* zfile,
/* read file */
z = authtest_addzone(az, zname, zfile);
unit_assert(z);
z->zonemd_check = 1;
/* create zonemd digest */
result = auth_zone_generate_zonemd_hash(z, scheme, hashalgo,
@ -196,6 +197,7 @@ static void zonemd_check_test(void)
/* read file */
z = authtest_addzone(az, zname, zfile);
unit_assert(z);
z->zonemd_check = 1;
hashlen = sizeof(hash);
if(sldns_str2wire_hex_buf(digest, hash, &hashlen) != 0) {
unit_assert(0); /* parse failure */
@ -291,6 +293,7 @@ static void zonemd_verify_test(char* zname, char* zfile, char* tastr,
/* test */
lock_rw_wrlock(&z->lock);
z->zonemd_check = 1;
auth_zone_verify_zonemd(z, &env, &mods, &result, 1, 0);
lock_rw_unlock(&z->lock);
if(verbosity >= VERB_ALGO) {
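Review bot: `z->zonemd_check = 1;` is stored without holding `z->lock` in `zonemd_generate_test` and `zonemd_check_test`, while `zonemd_verify_test` stores it inside the `lock_rw_wrlock(&z->lock)` section. If the zone is only touched by the single test thread at that point the unlocked form is fine, but the three sites should agree, and a short comment at the first one, e.g. `/* no lock needed: zone is not yet shared */`, would stop the next reader from wondering. The enclosing functions start before each hunk.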


@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -27,6 +27,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -21,6 +21,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -21,6 +21,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -7,6 +7,7 @@ server:
auth-zone:
name: "example.com."
zonemd-check: yes
zonemd-reject-absence: yes
## zonefile (or none).
## zonefile: "example.com.zone"


@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -24,6 +24,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -22,6 +22,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -22,6 +22,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -25,6 +25,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -25,6 +25,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -25,6 +25,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:


@ -25,6 +25,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:

</gr_replreplace>

<gr_replace lines="3120-3120" cat="remove_boilerplate" orig="View File">

@ -22,6 +22,7 @@ auth-zone:
## on failures with for-upstream, fallback to sending queries to
## the authority servers
## fallback-enabled: no
zonemd-check: yes
## this line generates zonefile: \n"/tmp/xxx.example.com"\n
zonefile:

0
testdata/root_key_sentinel.rpl vendored Executable file → Normal file
View File


@ -19,4 +19,5 @@ auth-zone:
for-upstream: yes
for-downstream: yes
zonefile: "zonemd_reload.zone"
zonemd-check: yes
#master: "127.0.0.1@@TOPORT@"


@ -105,11 +105,14 @@ config_create(void)
cfg->do_ip6 = 1;
cfg->do_udp = 1;
cfg->do_tcp = 1;
cfg->tcp_reuse_timeout = 60 * 1000; /* 60s in milisecs */
cfg->max_reuse_tcp_queries = 200;
cfg->tcp_upstream = 0;
cfg->udp_upstream_without_downstream = 0;
cfg->tcp_mss = 0;
cfg->outgoing_tcp_mss = 0;
cfg->tcp_idle_timeout = 30 * 1000; /* 30s in millisecs */
cfg->tcp_auth_query_timeout = 3 * 1000; /* 3s in millisecs */
cfg->do_tcp_keepalive = 0;
cfg->tcp_keepalive_timeout = 120 * 1000; /* 120s in millisecs */
cfg->ssl_service_key = NULL;
@ -250,6 +253,7 @@ config_create(void)
cfg->val_date_override = 0;
cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */
cfg->val_sig_skew_max = 86400; /* at most timezone settings trouble */
cfg->val_max_restart = 5;
cfg->val_clean_additional = 1;
cfg->val_log_level = 0;
cfg->val_log_squelch = 0;
@ -306,7 +310,7 @@ config_create(void)
if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit;
#endif
if(!(cfg->val_nsec3_key_iterations =
strdup("1024 150 2048 500 4096 2500"))) goto error_exit;
strdup("1024 150 2048 150 4096 150"))) goto error_exit;
#if defined(DNSTAP_SOCKET_PATH)
if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH)))
goto error_exit;
@ -517,7 +521,10 @@ int config_set_option(struct config_file* cfg, const char* opt,
udp_upstream_without_downstream)
else S_NUMBER_NONZERO("tcp-mss:", tcp_mss)
else S_NUMBER_NONZERO("outgoing-tcp-mss:", outgoing_tcp_mss)
else S_NUMBER_NONZERO("tcp-auth-query-timeout:", tcp_auth_query_timeout)
else S_NUMBER_NONZERO("tcp-idle-timeout:", tcp_idle_timeout)
else S_NUMBER_NONZERO("max-reuse-tcp-queries:", max_reuse_tcp_queries)
else S_NUMBER_NONZERO("tcp-reuse-timeout:", tcp_reuse_timeout)
else S_YNO("edns-tcp-keepalive:", do_tcp_keepalive)
else S_NUMBER_NONZERO("edns-tcp-keepalive-timeout:", tcp_keepalive_timeout)
else S_YNO("ssl-upstream:", ssl_upstream)
@ -758,12 +765,14 @@ int config_set_option(struct config_file* cfg, const char* opt,
#endif
else if(strcmp(opt, "define-tag:") ==0) {
return config_add_tag(cfg, val);
/* val_sig_skew_min and max are copied into val_env during init,
* so this does not update val_env with set_option */
/* val_sig_skew_min, max and val_max_restart are copied into val_env
* during init so this does not update val_env with set_option */
} else if(strcmp(opt, "val-sig-skew-min:") == 0)
{ IS_NUMBER_OR_ZERO; cfg->val_sig_skew_min = (int32_t)atoi(val); }
else if(strcmp(opt, "val-sig-skew-max:") == 0)
{ IS_NUMBER_OR_ZERO; cfg->val_sig_skew_max = (int32_t)atoi(val); }
else if(strcmp(opt, "val-max-restart:") == 0)
{ IS_NUMBER_OR_ZERO; cfg->val_max_restart = (int32_t)atoi(val); }
else if (strcmp(opt, "outgoing-interface:") == 0) {
char* d = strdup(val);
char** oi =
@ -1007,7 +1016,10 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "udp-upstream-without-downstream", udp_upstream_without_downstream)
else O_DEC(opt, "tcp-mss", tcp_mss)
else O_DEC(opt, "outgoing-tcp-mss", outgoing_tcp_mss)
else O_DEC(opt, "tcp-auth-query-timeout", tcp_auth_query_timeout)
else O_DEC(opt, "tcp-idle-timeout", tcp_idle_timeout)
else O_DEC(opt, "max-reuse-tcp-queries", max_reuse_tcp_queries)
else O_DEC(opt, "tcp-reuse-timeout", tcp_reuse_timeout)
else O_YNO(opt, "edns-tcp-keepalive", do_tcp_keepalive)
else O_DEC(opt, "edns-tcp-keepalive-timeout", tcp_keepalive_timeout)
else O_YNO(opt, "ssl-upstream", ssl_upstream)
@ -1181,6 +1193,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_DEC(opt, "fast-server-permil", fast_server_permil)
else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
else O_DEC(opt, "val-max-restart", val_max_restart)
else O_YNO(opt, "qname-minimisation", qname_minimisation)
else O_YNO(opt, "qname-minimisation-strict", qname_minimisation_strict)
else O_IFC(opt, "define-tag", num_tags, tagname)
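Review bot: `max_reuse_tcp_queries` is declared `size_t` in config_file.h in this same commit, yet it is parsed with the `S_NUMBER_NONZERO` macro and printed with the `O_DEC` macro used for the `int` fields around it; if those macros go through `atoi()` and `%d` as their `int` siblings suggest, the value is silently sign-converted on the way in and narrowed on the way out, so either declare the field `int` like `tcp_reuse_timeout` or add an explicit conversion in both macros' call sites. The comment on the new default, `/* 60s in milisecs */`, should read `/* 60s in millisecs */` to match the neighbouring lines. The changed default of `val_nsec3_key_iterations` is a user-visible validation change that should be called out in the changelog and man page, which this section does not show.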


@ -93,6 +93,12 @@ struct config_file {
int do_udp;
/** do tcp query support. */
int do_tcp;
/** max number of queries on a reuse connection. */
size_t max_reuse_tcp_queries;
/** timeout for REUSE entries in milliseconds. */
int tcp_reuse_timeout;
/** timeout in milliseconds for TCP queries to auth servers. */
int tcp_auth_query_timeout;
/** tcp upstream queries (no UDP upstream queries) */
int tcp_upstream;
/** udp upstream enabled when no UDP downstream is enabled (do_udp no)*/
@ -367,6 +373,8 @@ struct config_file {
int32_t val_sig_skew_min;
/** the maximum for signature clock skew */
int32_t val_sig_skew_max;
/** max number of query restarts, number of IPs to probe */
int32_t val_max_restart;
/** this value sets the number of seconds before revalidating bogus */
int bogus_ttl;
/** should validator clean additional section for secure msgs */
@ -729,6 +737,8 @@ struct config_auth {
/** Always reply with this CNAME target if the cname override action is
* used */
char* rpz_cname;
/** Check ZONEMD records for this zone */
int zonemd_check;
/** Reject absence of ZONEMD records, zone must have one */
int zonemd_reject_absence;
};

File diff suppressed because it is too large Load Diff


@ -235,6 +235,9 @@ tcp-upstream{COLON} { YDVAR(1, VAR_TCP_UPSTREAM) }
tcp-mss{COLON} { YDVAR(1, VAR_TCP_MSS) }
outgoing-tcp-mss{COLON} { YDVAR(1, VAR_OUTGOING_TCP_MSS) }
tcp-idle-timeout{COLON} { YDVAR(1, VAR_TCP_IDLE_TIMEOUT) }
max-reuse-tcp-queries{COLON} { YDVAR(1, VAR_MAX_REUSE_TCP_QUERIES) }
tcp-reuse-timeout{COLON} { YDVAR(1, VAR_TCP_REUSE_TIMEOUT) }
tcp-auth-query-timeout{COLON} { YDVAR(1, VAR_TCP_AUTH_QUERY_TIMEOUT) }
edns-tcp-keepalive{COLON} { YDVAR(1, VAR_EDNS_TCP_KEEPALIVE) }
edns-tcp-keepalive-timeout{COLON} { YDVAR(1, VAR_EDNS_TCP_KEEPALIVE_TIMEOUT) }
ssl-upstream{COLON} { YDVAR(1, VAR_SSL_UPSTREAM) }
@ -382,6 +385,7 @@ root-key-sentinel{COLON} { YDVAR(1, VAR_ROOT_KEY_SENTINEL) }
val-override-date{COLON} { YDVAR(1, VAR_VAL_OVERRIDE_DATE) }
val-sig-skew-min{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MIN) }
val-sig-skew-max{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
val-max-restart{COLON} { YDVAR(1, VAR_VAL_MAX_RESTART) }
val-bogus-ttl{COLON} { YDVAR(1, VAR_BOGUS_TTL) }
val-clean-additional{COLON} { YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
val-permissive-mode{COLON} { YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
@ -402,6 +406,7 @@ neg-cache-size{COLON} { YDVAR(1, VAR_NEG_CACHE_SIZE) }
val-nsec3-keysize-iterations{COLON} {
YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) }
zonemd-permissive-mode{COLON} { YDVAR(1, VAR_ZONEMD_PERMISSIVE_MODE) }
zonemd-check{COLON} { YDVAR(1, VAR_ZONEMD_CHECK) }
zonemd-reject-absence{COLON} { YDVAR(1, VAR_ZONEMD_REJECT_ABSENCE) }
add-holddown{COLON} { YDVAR(1, VAR_ADD_HOLDDOWN) }
del-holddown{COLON} { YDVAR(1, VAR_DEL_HOLDDOWN) }

File diff suppressed because it is too large Load Diff


@ -1,4 +1,4 @@
/* A Bison parser, made by GNU Bison 3.6.4. */
/* A Bison parser, made by GNU Bison 3.7.4. */
/* Bison interface for Yacc-like parsers in C
@ -156,216 +156,222 @@ extern int yydebug;
VAR_CONTROL_KEY_FILE = 357, /* VAR_CONTROL_KEY_FILE */
VAR_CONTROL_CERT_FILE = 358, /* VAR_CONTROL_CERT_FILE */
VAR_CONTROL_USE_CERT = 359, /* VAR_CONTROL_USE_CERT */
VAR_EXTENDED_STATISTICS = 360, /* VAR_EXTENDED_STATISTICS */
VAR_LOCAL_DATA_PTR = 361, /* VAR_LOCAL_DATA_PTR */
VAR_JOSTLE_TIMEOUT = 362, /* VAR_JOSTLE_TIMEOUT */
VAR_STUB_PRIME = 363, /* VAR_STUB_PRIME */
VAR_UNWANTED_REPLY_THRESHOLD = 364, /* VAR_UNWANTED_REPLY_THRESHOLD */
VAR_LOG_TIME_ASCII = 365, /* VAR_LOG_TIME_ASCII */
VAR_DOMAIN_INSECURE = 366, /* VAR_DOMAIN_INSECURE */
VAR_PYTHON = 367, /* VAR_PYTHON */
VAR_PYTHON_SCRIPT = 368, /* VAR_PYTHON_SCRIPT */
VAR_VAL_SIG_SKEW_MIN = 369, /* VAR_VAL_SIG_SKEW_MIN */
VAR_VAL_SIG_SKEW_MAX = 370, /* VAR_VAL_SIG_SKEW_MAX */
VAR_CACHE_MIN_TTL = 371, /* VAR_CACHE_MIN_TTL */
VAR_VAL_LOG_LEVEL = 372, /* VAR_VAL_LOG_LEVEL */
VAR_AUTO_TRUST_ANCHOR_FILE = 373, /* VAR_AUTO_TRUST_ANCHOR_FILE */
VAR_KEEP_MISSING = 374, /* VAR_KEEP_MISSING */
VAR_ADD_HOLDDOWN = 375, /* VAR_ADD_HOLDDOWN */
VAR_DEL_HOLDDOWN = 376, /* VAR_DEL_HOLDDOWN */
VAR_SO_RCVBUF = 377, /* VAR_SO_RCVBUF */
VAR_EDNS_BUFFER_SIZE = 378, /* VAR_EDNS_BUFFER_SIZE */
VAR_PREFETCH = 379, /* VAR_PREFETCH */
VAR_PREFETCH_KEY = 380, /* VAR_PREFETCH_KEY */
VAR_SO_SNDBUF = 381, /* VAR_SO_SNDBUF */
VAR_SO_REUSEPORT = 382, /* VAR_SO_REUSEPORT */
VAR_HARDEN_BELOW_NXDOMAIN = 383, /* VAR_HARDEN_BELOW_NXDOMAIN */
VAR_IGNORE_CD_FLAG = 384, /* VAR_IGNORE_CD_FLAG */
VAR_LOG_QUERIES = 385, /* VAR_LOG_QUERIES */
VAR_LOG_REPLIES = 386, /* VAR_LOG_REPLIES */
VAR_LOG_LOCAL_ACTIONS = 387, /* VAR_LOG_LOCAL_ACTIONS */
VAR_TCP_UPSTREAM = 388, /* VAR_TCP_UPSTREAM */
VAR_SSL_UPSTREAM = 389, /* VAR_SSL_UPSTREAM */
VAR_SSL_SERVICE_KEY = 390, /* VAR_SSL_SERVICE_KEY */
VAR_SSL_SERVICE_PEM = 391, /* VAR_SSL_SERVICE_PEM */
VAR_SSL_PORT = 392, /* VAR_SSL_PORT */
VAR_FORWARD_FIRST = 393, /* VAR_FORWARD_FIRST */
VAR_STUB_SSL_UPSTREAM = 394, /* VAR_STUB_SSL_UPSTREAM */
VAR_FORWARD_SSL_UPSTREAM = 395, /* VAR_FORWARD_SSL_UPSTREAM */
VAR_TLS_CERT_BUNDLE = 396, /* VAR_TLS_CERT_BUNDLE */
VAR_HTTPS_PORT = 397, /* VAR_HTTPS_PORT */
VAR_HTTP_ENDPOINT = 398, /* VAR_HTTP_ENDPOINT */
VAR_HTTP_MAX_STREAMS = 399, /* VAR_HTTP_MAX_STREAMS */
VAR_HTTP_QUERY_BUFFER_SIZE = 400, /* VAR_HTTP_QUERY_BUFFER_SIZE */
VAR_HTTP_RESPONSE_BUFFER_SIZE = 401, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */
VAR_HTTP_NODELAY = 402, /* VAR_HTTP_NODELAY */
VAR_HTTP_NOTLS_DOWNSTREAM = 403, /* VAR_HTTP_NOTLS_DOWNSTREAM */
VAR_STUB_FIRST = 404, /* VAR_STUB_FIRST */
VAR_MINIMAL_RESPONSES = 405, /* VAR_MINIMAL_RESPONSES */
VAR_RRSET_ROUNDROBIN = 406, /* VAR_RRSET_ROUNDROBIN */
VAR_MAX_UDP_SIZE = 407, /* VAR_MAX_UDP_SIZE */
VAR_DELAY_CLOSE = 408, /* VAR_DELAY_CLOSE */
VAR_UDP_CONNECT = 409, /* VAR_UDP_CONNECT */
VAR_UNBLOCK_LAN_ZONES = 410, /* VAR_UNBLOCK_LAN_ZONES */
VAR_INSECURE_LAN_ZONES = 411, /* VAR_INSECURE_LAN_ZONES */
VAR_INFRA_CACHE_MIN_RTT = 412, /* VAR_INFRA_CACHE_MIN_RTT */
VAR_INFRA_KEEP_PROBING = 413, /* VAR_INFRA_KEEP_PROBING */
VAR_DNS64_PREFIX = 414, /* VAR_DNS64_PREFIX */
VAR_DNS64_SYNTHALL = 415, /* VAR_DNS64_SYNTHALL */
VAR_DNS64_IGNORE_AAAA = 416, /* VAR_DNS64_IGNORE_AAAA */
VAR_DNSTAP = 417, /* VAR_DNSTAP */
VAR_DNSTAP_ENABLE = 418, /* VAR_DNSTAP_ENABLE */
VAR_DNSTAP_SOCKET_PATH = 419, /* VAR_DNSTAP_SOCKET_PATH */
VAR_DNSTAP_IP = 420, /* VAR_DNSTAP_IP */
VAR_DNSTAP_TLS = 421, /* VAR_DNSTAP_TLS */
VAR_DNSTAP_TLS_SERVER_NAME = 422, /* VAR_DNSTAP_TLS_SERVER_NAME */
VAR_DNSTAP_TLS_CERT_BUNDLE = 423, /* VAR_DNSTAP_TLS_CERT_BUNDLE */
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 424, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 425, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */
VAR_DNSTAP_SEND_IDENTITY = 426, /* VAR_DNSTAP_SEND_IDENTITY */
VAR_DNSTAP_SEND_VERSION = 427, /* VAR_DNSTAP_SEND_VERSION */
VAR_DNSTAP_BIDIRECTIONAL = 428, /* VAR_DNSTAP_BIDIRECTIONAL */
VAR_DNSTAP_IDENTITY = 429, /* VAR_DNSTAP_IDENTITY */
VAR_DNSTAP_VERSION = 430, /* VAR_DNSTAP_VERSION */
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 431, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 432, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 433, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 434, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 435, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 436, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */
VAR_RESPONSE_IP_TAG = 437, /* VAR_RESPONSE_IP_TAG */
VAR_RESPONSE_IP = 438, /* VAR_RESPONSE_IP */
VAR_RESPONSE_IP_DATA = 439, /* VAR_RESPONSE_IP_DATA */
VAR_HARDEN_ALGO_DOWNGRADE = 440, /* VAR_HARDEN_ALGO_DOWNGRADE */
VAR_IP_TRANSPARENT = 441, /* VAR_IP_TRANSPARENT */
VAR_IP_DSCP = 442, /* VAR_IP_DSCP */
VAR_DISABLE_DNSSEC_LAME_CHECK = 443, /* VAR_DISABLE_DNSSEC_LAME_CHECK */
VAR_IP_RATELIMIT = 444, /* VAR_IP_RATELIMIT */
VAR_IP_RATELIMIT_SLABS = 445, /* VAR_IP_RATELIMIT_SLABS */
VAR_IP_RATELIMIT_SIZE = 446, /* VAR_IP_RATELIMIT_SIZE */
VAR_RATELIMIT = 447, /* VAR_RATELIMIT */
VAR_RATELIMIT_SLABS = 448, /* VAR_RATELIMIT_SLABS */
VAR_RATELIMIT_SIZE = 449, /* VAR_RATELIMIT_SIZE */
VAR_RATELIMIT_FOR_DOMAIN = 450, /* VAR_RATELIMIT_FOR_DOMAIN */
VAR_RATELIMIT_BELOW_DOMAIN = 451, /* VAR_RATELIMIT_BELOW_DOMAIN */
VAR_IP_RATELIMIT_FACTOR = 452, /* VAR_IP_RATELIMIT_FACTOR */
VAR_RATELIMIT_FACTOR = 453, /* VAR_RATELIMIT_FACTOR */
VAR_SEND_CLIENT_SUBNET = 454, /* VAR_SEND_CLIENT_SUBNET */
VAR_CLIENT_SUBNET_ZONE = 455, /* VAR_CLIENT_SUBNET_ZONE */
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 456, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */
VAR_CLIENT_SUBNET_OPCODE = 457, /* VAR_CLIENT_SUBNET_OPCODE */
VAR_MAX_CLIENT_SUBNET_IPV4 = 458, /* VAR_MAX_CLIENT_SUBNET_IPV4 */
VAR_MAX_CLIENT_SUBNET_IPV6 = 459, /* VAR_MAX_CLIENT_SUBNET_IPV6 */
VAR_MIN_CLIENT_SUBNET_IPV4 = 460, /* VAR_MIN_CLIENT_SUBNET_IPV4 */
VAR_MIN_CLIENT_SUBNET_IPV6 = 461, /* VAR_MIN_CLIENT_SUBNET_IPV6 */
VAR_MAX_ECS_TREE_SIZE_IPV4 = 462, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */
VAR_MAX_ECS_TREE_SIZE_IPV6 = 463, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */
VAR_CAPS_WHITELIST = 464, /* VAR_CAPS_WHITELIST */
VAR_CACHE_MAX_NEGATIVE_TTL = 465, /* VAR_CACHE_MAX_NEGATIVE_TTL */
VAR_PERMIT_SMALL_HOLDDOWN = 466, /* VAR_PERMIT_SMALL_HOLDDOWN */
VAR_QNAME_MINIMISATION = 467, /* VAR_QNAME_MINIMISATION */
VAR_QNAME_MINIMISATION_STRICT = 468, /* VAR_QNAME_MINIMISATION_STRICT */
VAR_IP_FREEBIND = 469, /* VAR_IP_FREEBIND */
VAR_DEFINE_TAG = 470, /* VAR_DEFINE_TAG */
VAR_LOCAL_ZONE_TAG = 471, /* VAR_LOCAL_ZONE_TAG */
VAR_ACCESS_CONTROL_TAG = 472, /* VAR_ACCESS_CONTROL_TAG */
VAR_LOCAL_ZONE_OVERRIDE = 473, /* VAR_LOCAL_ZONE_OVERRIDE */
VAR_ACCESS_CONTROL_TAG_ACTION = 474, /* VAR_ACCESS_CONTROL_TAG_ACTION */
VAR_ACCESS_CONTROL_TAG_DATA = 475, /* VAR_ACCESS_CONTROL_TAG_DATA */
VAR_VIEW = 476, /* VAR_VIEW */
VAR_ACCESS_CONTROL_VIEW = 477, /* VAR_ACCESS_CONTROL_VIEW */
VAR_VIEW_FIRST = 478, /* VAR_VIEW_FIRST */
VAR_SERVE_EXPIRED = 479, /* VAR_SERVE_EXPIRED */
VAR_SERVE_EXPIRED_TTL = 480, /* VAR_SERVE_EXPIRED_TTL */
VAR_SERVE_EXPIRED_TTL_RESET = 481, /* VAR_SERVE_EXPIRED_TTL_RESET */
VAR_SERVE_EXPIRED_REPLY_TTL = 482, /* VAR_SERVE_EXPIRED_REPLY_TTL */
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 483, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */
VAR_SERVE_ORIGINAL_TTL = 484, /* VAR_SERVE_ORIGINAL_TTL */
VAR_FAKE_DSA = 485, /* VAR_FAKE_DSA */
VAR_FAKE_SHA1 = 486, /* VAR_FAKE_SHA1 */
VAR_LOG_IDENTITY = 487, /* VAR_LOG_IDENTITY */
VAR_HIDE_TRUSTANCHOR = 488, /* VAR_HIDE_TRUSTANCHOR */
VAR_TRUST_ANCHOR_SIGNALING = 489, /* VAR_TRUST_ANCHOR_SIGNALING */
VAR_AGGRESSIVE_NSEC = 490, /* VAR_AGGRESSIVE_NSEC */
VAR_USE_SYSTEMD = 491, /* VAR_USE_SYSTEMD */
VAR_SHM_ENABLE = 492, /* VAR_SHM_ENABLE */
VAR_SHM_KEY = 493, /* VAR_SHM_KEY */
VAR_ROOT_KEY_SENTINEL = 494, /* VAR_ROOT_KEY_SENTINEL */
VAR_DNSCRYPT = 495, /* VAR_DNSCRYPT */
VAR_DNSCRYPT_ENABLE = 496, /* VAR_DNSCRYPT_ENABLE */
VAR_DNSCRYPT_PORT = 497, /* VAR_DNSCRYPT_PORT */
VAR_DNSCRYPT_PROVIDER = 498, /* VAR_DNSCRYPT_PROVIDER */
VAR_DNSCRYPT_SECRET_KEY = 499, /* VAR_DNSCRYPT_SECRET_KEY */
VAR_DNSCRYPT_PROVIDER_CERT = 500, /* VAR_DNSCRYPT_PROVIDER_CERT */
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 501, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 502, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 503, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 504, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 505, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */
VAR_PAD_RESPONSES = 506, /* VAR_PAD_RESPONSES */
VAR_PAD_RESPONSES_BLOCK_SIZE = 507, /* VAR_PAD_RESPONSES_BLOCK_SIZE */
VAR_PAD_QUERIES = 508, /* VAR_PAD_QUERIES */
VAR_PAD_QUERIES_BLOCK_SIZE = 509, /* VAR_PAD_QUERIES_BLOCK_SIZE */
VAR_IPSECMOD_ENABLED = 510, /* VAR_IPSECMOD_ENABLED */
VAR_IPSECMOD_HOOK = 511, /* VAR_IPSECMOD_HOOK */
VAR_IPSECMOD_IGNORE_BOGUS = 512, /* VAR_IPSECMOD_IGNORE_BOGUS */
VAR_IPSECMOD_MAX_TTL = 513, /* VAR_IPSECMOD_MAX_TTL */
VAR_IPSECMOD_WHITELIST = 514, /* VAR_IPSECMOD_WHITELIST */
VAR_IPSECMOD_STRICT = 515, /* VAR_IPSECMOD_STRICT */
VAR_CACHEDB = 516, /* VAR_CACHEDB */
VAR_CACHEDB_BACKEND = 517, /* VAR_CACHEDB_BACKEND */
VAR_CACHEDB_SECRETSEED = 518, /* VAR_CACHEDB_SECRETSEED */
VAR_CACHEDB_REDISHOST = 519, /* VAR_CACHEDB_REDISHOST */
VAR_CACHEDB_REDISPORT = 520, /* VAR_CACHEDB_REDISPORT */
VAR_CACHEDB_REDISTIMEOUT = 521, /* VAR_CACHEDB_REDISTIMEOUT */
VAR_CACHEDB_REDISEXPIRERECORDS = 522, /* VAR_CACHEDB_REDISEXPIRERECORDS */
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 523, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */
VAR_FOR_UPSTREAM = 524, /* VAR_FOR_UPSTREAM */
VAR_AUTH_ZONE = 525, /* VAR_AUTH_ZONE */
VAR_ZONEFILE = 526, /* VAR_ZONEFILE */
VAR_MASTER = 527, /* VAR_MASTER */
VAR_URL = 528, /* VAR_URL */
VAR_FOR_DOWNSTREAM = 529, /* VAR_FOR_DOWNSTREAM */
VAR_FALLBACK_ENABLED = 530, /* VAR_FALLBACK_ENABLED */
VAR_TLS_ADDITIONAL_PORT = 531, /* VAR_TLS_ADDITIONAL_PORT */
VAR_LOW_RTT = 532, /* VAR_LOW_RTT */
VAR_LOW_RTT_PERMIL = 533, /* VAR_LOW_RTT_PERMIL */
VAR_FAST_SERVER_PERMIL = 534, /* VAR_FAST_SERVER_PERMIL */
VAR_FAST_SERVER_NUM = 535, /* VAR_FAST_SERVER_NUM */
VAR_ALLOW_NOTIFY = 536, /* VAR_ALLOW_NOTIFY */
VAR_TLS_WIN_CERT = 537, /* VAR_TLS_WIN_CERT */
VAR_TCP_CONNECTION_LIMIT = 538, /* VAR_TCP_CONNECTION_LIMIT */
VAR_FORWARD_NO_CACHE = 539, /* VAR_FORWARD_NO_CACHE */
VAR_STUB_NO_CACHE = 540, /* VAR_STUB_NO_CACHE */
VAR_LOG_SERVFAIL = 541, /* VAR_LOG_SERVFAIL */
VAR_DENY_ANY = 542, /* VAR_DENY_ANY */
VAR_UNKNOWN_SERVER_TIME_LIMIT = 543, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */
VAR_LOG_TAG_QUERYREPLY = 544, /* VAR_LOG_TAG_QUERYREPLY */
VAR_STREAM_WAIT_SIZE = 545, /* VAR_STREAM_WAIT_SIZE */
VAR_TLS_CIPHERS = 546, /* VAR_TLS_CIPHERS */
VAR_TLS_CIPHERSUITES = 547, /* VAR_TLS_CIPHERSUITES */
VAR_TLS_USE_SNI = 548, /* VAR_TLS_USE_SNI */
VAR_IPSET = 549, /* VAR_IPSET */
VAR_IPSET_NAME_V4 = 550, /* VAR_IPSET_NAME_V4 */
VAR_IPSET_NAME_V6 = 551, /* VAR_IPSET_NAME_V6 */
VAR_TLS_SESSION_TICKET_KEYS = 552, /* VAR_TLS_SESSION_TICKET_KEYS */
VAR_RPZ = 553, /* VAR_RPZ */
VAR_TAGS = 554, /* VAR_TAGS */
VAR_RPZ_ACTION_OVERRIDE = 555, /* VAR_RPZ_ACTION_OVERRIDE */
VAR_RPZ_CNAME_OVERRIDE = 556, /* VAR_RPZ_CNAME_OVERRIDE */
VAR_RPZ_LOG = 557, /* VAR_RPZ_LOG */
VAR_RPZ_LOG_NAME = 558, /* VAR_RPZ_LOG_NAME */
VAR_DYNLIB = 559, /* VAR_DYNLIB */
VAR_DYNLIB_FILE = 560, /* VAR_DYNLIB_FILE */
VAR_EDNS_CLIENT_STRING = 561, /* VAR_EDNS_CLIENT_STRING */
VAR_EDNS_CLIENT_STRING_OPCODE = 562, /* VAR_EDNS_CLIENT_STRING_OPCODE */
VAR_NSID = 563, /* VAR_NSID */
VAR_ZONEMD_PERMISSIVE_MODE = 564, /* VAR_ZONEMD_PERMISSIVE_MODE */
VAR_ZONEMD_REJECT_ABSENCE = 565 /* VAR_ZONEMD_REJECT_ABSENCE */
VAR_TCP_REUSE_TIMEOUT = 360, /* VAR_TCP_REUSE_TIMEOUT */
VAR_MAX_REUSE_TCP_QUERIES = 361, /* VAR_MAX_REUSE_TCP_QUERIES */
VAR_EXTENDED_STATISTICS = 362, /* VAR_EXTENDED_STATISTICS */
VAR_LOCAL_DATA_PTR = 363, /* VAR_LOCAL_DATA_PTR */
VAR_JOSTLE_TIMEOUT = 364, /* VAR_JOSTLE_TIMEOUT */
VAR_STUB_PRIME = 365, /* VAR_STUB_PRIME */
VAR_UNWANTED_REPLY_THRESHOLD = 366, /* VAR_UNWANTED_REPLY_THRESHOLD */
VAR_LOG_TIME_ASCII = 367, /* VAR_LOG_TIME_ASCII */
VAR_DOMAIN_INSECURE = 368, /* VAR_DOMAIN_INSECURE */
VAR_PYTHON = 369, /* VAR_PYTHON */
VAR_PYTHON_SCRIPT = 370, /* VAR_PYTHON_SCRIPT */
VAR_VAL_SIG_SKEW_MIN = 371, /* VAR_VAL_SIG_SKEW_MIN */
VAR_VAL_SIG_SKEW_MAX = 372, /* VAR_VAL_SIG_SKEW_MAX */
VAR_VAL_MAX_RESTART = 373, /* VAR_VAL_MAX_RESTART */
VAR_CACHE_MIN_TTL = 374, /* VAR_CACHE_MIN_TTL */
VAR_VAL_LOG_LEVEL = 375, /* VAR_VAL_LOG_LEVEL */
VAR_AUTO_TRUST_ANCHOR_FILE = 376, /* VAR_AUTO_TRUST_ANCHOR_FILE */
VAR_KEEP_MISSING = 377, /* VAR_KEEP_MISSING */
VAR_ADD_HOLDDOWN = 378, /* VAR_ADD_HOLDDOWN */
VAR_DEL_HOLDDOWN = 379, /* VAR_DEL_HOLDDOWN */
VAR_SO_RCVBUF = 380, /* VAR_SO_RCVBUF */
VAR_EDNS_BUFFER_SIZE = 381, /* VAR_EDNS_BUFFER_SIZE */
VAR_PREFETCH = 382, /* VAR_PREFETCH */
VAR_PREFETCH_KEY = 383, /* VAR_PREFETCH_KEY */
VAR_SO_SNDBUF = 384, /* VAR_SO_SNDBUF */
VAR_SO_REUSEPORT = 385, /* VAR_SO_REUSEPORT */
VAR_HARDEN_BELOW_NXDOMAIN = 386, /* VAR_HARDEN_BELOW_NXDOMAIN */
VAR_IGNORE_CD_FLAG = 387, /* VAR_IGNORE_CD_FLAG */
VAR_LOG_QUERIES = 388, /* VAR_LOG_QUERIES */
VAR_LOG_REPLIES = 389, /* VAR_LOG_REPLIES */
VAR_LOG_LOCAL_ACTIONS = 390, /* VAR_LOG_LOCAL_ACTIONS */
VAR_TCP_UPSTREAM = 391, /* VAR_TCP_UPSTREAM */
VAR_SSL_UPSTREAM = 392, /* VAR_SSL_UPSTREAM */
VAR_TCP_AUTH_QUERY_TIMEOUT = 393, /* VAR_TCP_AUTH_QUERY_TIMEOUT */
VAR_SSL_SERVICE_KEY = 394, /* VAR_SSL_SERVICE_KEY */
VAR_SSL_SERVICE_PEM = 395, /* VAR_SSL_SERVICE_PEM */
VAR_SSL_PORT = 396, /* VAR_SSL_PORT */
VAR_FORWARD_FIRST = 397, /* VAR_FORWARD_FIRST */
VAR_STUB_SSL_UPSTREAM = 398, /* VAR_STUB_SSL_UPSTREAM */
VAR_FORWARD_SSL_UPSTREAM = 399, /* VAR_FORWARD_SSL_UPSTREAM */
VAR_TLS_CERT_BUNDLE = 400, /* VAR_TLS_CERT_BUNDLE */
VAR_HTTPS_PORT = 401, /* VAR_HTTPS_PORT */
VAR_HTTP_ENDPOINT = 402, /* VAR_HTTP_ENDPOINT */
VAR_HTTP_MAX_STREAMS = 403, /* VAR_HTTP_MAX_STREAMS */
VAR_HTTP_QUERY_BUFFER_SIZE = 404, /* VAR_HTTP_QUERY_BUFFER_SIZE */
VAR_HTTP_RESPONSE_BUFFER_SIZE = 405, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */
VAR_HTTP_NODELAY = 406, /* VAR_HTTP_NODELAY */
VAR_HTTP_NOTLS_DOWNSTREAM = 407, /* VAR_HTTP_NOTLS_DOWNSTREAM */
VAR_STUB_FIRST = 408, /* VAR_STUB_FIRST */
VAR_MINIMAL_RESPONSES = 409, /* VAR_MINIMAL_RESPONSES */
VAR_RRSET_ROUNDROBIN = 410, /* VAR_RRSET_ROUNDROBIN */
VAR_MAX_UDP_SIZE = 411, /* VAR_MAX_UDP_SIZE */
VAR_DELAY_CLOSE = 412, /* VAR_DELAY_CLOSE */
VAR_UDP_CONNECT = 413, /* VAR_UDP_CONNECT */
VAR_UNBLOCK_LAN_ZONES = 414, /* VAR_UNBLOCK_LAN_ZONES */
VAR_INSECURE_LAN_ZONES = 415, /* VAR_INSECURE_LAN_ZONES */
VAR_INFRA_CACHE_MIN_RTT = 416, /* VAR_INFRA_CACHE_MIN_RTT */
VAR_INFRA_KEEP_PROBING = 417, /* VAR_INFRA_KEEP_PROBING */
VAR_DNS64_PREFIX = 418, /* VAR_DNS64_PREFIX */
VAR_DNS64_SYNTHALL = 419, /* VAR_DNS64_SYNTHALL */
VAR_DNS64_IGNORE_AAAA = 420, /* VAR_DNS64_IGNORE_AAAA */
VAR_DNSTAP = 421, /* VAR_DNSTAP */
VAR_DNSTAP_ENABLE = 422, /* VAR_DNSTAP_ENABLE */
VAR_DNSTAP_SOCKET_PATH = 423, /* VAR_DNSTAP_SOCKET_PATH */
VAR_DNSTAP_IP = 424, /* VAR_DNSTAP_IP */
VAR_DNSTAP_TLS = 425, /* VAR_DNSTAP_TLS */
VAR_DNSTAP_TLS_SERVER_NAME = 426, /* VAR_DNSTAP_TLS_SERVER_NAME */
VAR_DNSTAP_TLS_CERT_BUNDLE = 427, /* VAR_DNSTAP_TLS_CERT_BUNDLE */
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 428, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 429, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */
VAR_DNSTAP_SEND_IDENTITY = 430, /* VAR_DNSTAP_SEND_IDENTITY */
VAR_DNSTAP_SEND_VERSION = 431, /* VAR_DNSTAP_SEND_VERSION */
VAR_DNSTAP_BIDIRECTIONAL = 432, /* VAR_DNSTAP_BIDIRECTIONAL */
VAR_DNSTAP_IDENTITY = 433, /* VAR_DNSTAP_IDENTITY */
VAR_DNSTAP_VERSION = 434, /* VAR_DNSTAP_VERSION */
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 435, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 436, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 437, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 438, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 439, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 440, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */
VAR_RESPONSE_IP_TAG = 441, /* VAR_RESPONSE_IP_TAG */
VAR_RESPONSE_IP = 442, /* VAR_RESPONSE_IP */
VAR_RESPONSE_IP_DATA = 443, /* VAR_RESPONSE_IP_DATA */
VAR_HARDEN_ALGO_DOWNGRADE = 444, /* VAR_HARDEN_ALGO_DOWNGRADE */
VAR_IP_TRANSPARENT = 445, /* VAR_IP_TRANSPARENT */
VAR_IP_DSCP = 446, /* VAR_IP_DSCP */
VAR_DISABLE_DNSSEC_LAME_CHECK = 447, /* VAR_DISABLE_DNSSEC_LAME_CHECK */
VAR_IP_RATELIMIT = 448, /* VAR_IP_RATELIMIT */
VAR_IP_RATELIMIT_SLABS = 449, /* VAR_IP_RATELIMIT_SLABS */
VAR_IP_RATELIMIT_SIZE = 450, /* VAR_IP_RATELIMIT_SIZE */
VAR_RATELIMIT = 451, /* VAR_RATELIMIT */
VAR_RATELIMIT_SLABS = 452, /* VAR_RATELIMIT_SLABS */
VAR_RATELIMIT_SIZE = 453, /* VAR_RATELIMIT_SIZE */
VAR_RATELIMIT_FOR_DOMAIN = 454, /* VAR_RATELIMIT_FOR_DOMAIN */
VAR_RATELIMIT_BELOW_DOMAIN = 455, /* VAR_RATELIMIT_BELOW_DOMAIN */
VAR_IP_RATELIMIT_FACTOR = 456, /* VAR_IP_RATELIMIT_FACTOR */
VAR_RATELIMIT_FACTOR = 457, /* VAR_RATELIMIT_FACTOR */
VAR_SEND_CLIENT_SUBNET = 458, /* VAR_SEND_CLIENT_SUBNET */
VAR_CLIENT_SUBNET_ZONE = 459, /* VAR_CLIENT_SUBNET_ZONE */
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 460, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */
VAR_CLIENT_SUBNET_OPCODE = 461, /* VAR_CLIENT_SUBNET_OPCODE */
VAR_MAX_CLIENT_SUBNET_IPV4 = 462, /* VAR_MAX_CLIENT_SUBNET_IPV4 */
VAR_MAX_CLIENT_SUBNET_IPV6 = 463, /* VAR_MAX_CLIENT_SUBNET_IPV6 */
VAR_MIN_CLIENT_SUBNET_IPV4 = 464, /* VAR_MIN_CLIENT_SUBNET_IPV4 */
VAR_MIN_CLIENT_SUBNET_IPV6 = 465, /* VAR_MIN_CLIENT_SUBNET_IPV6 */
VAR_MAX_ECS_TREE_SIZE_IPV4 = 466, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */
VAR_MAX_ECS_TREE_SIZE_IPV6 = 467, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */
VAR_CAPS_WHITELIST = 468, /* VAR_CAPS_WHITELIST */
VAR_CACHE_MAX_NEGATIVE_TTL = 469, /* VAR_CACHE_MAX_NEGATIVE_TTL */
VAR_PERMIT_SMALL_HOLDDOWN = 470, /* VAR_PERMIT_SMALL_HOLDDOWN */
VAR_QNAME_MINIMISATION = 471, /* VAR_QNAME_MINIMISATION */
VAR_QNAME_MINIMISATION_STRICT = 472, /* VAR_QNAME_MINIMISATION_STRICT */
VAR_IP_FREEBIND = 473, /* VAR_IP_FREEBIND */
VAR_DEFINE_TAG = 474, /* VAR_DEFINE_TAG */
VAR_LOCAL_ZONE_TAG = 475, /* VAR_LOCAL_ZONE_TAG */
VAR_ACCESS_CONTROL_TAG = 476, /* VAR_ACCESS_CONTROL_TAG */
VAR_LOCAL_ZONE_OVERRIDE = 477, /* VAR_LOCAL_ZONE_OVERRIDE */
VAR_ACCESS_CONTROL_TAG_ACTION = 478, /* VAR_ACCESS_CONTROL_TAG_ACTION */
VAR_ACCESS_CONTROL_TAG_DATA = 479, /* VAR_ACCESS_CONTROL_TAG_DATA */
VAR_VIEW = 480, /* VAR_VIEW */
VAR_ACCESS_CONTROL_VIEW = 481, /* VAR_ACCESS_CONTROL_VIEW */
VAR_VIEW_FIRST = 482, /* VAR_VIEW_FIRST */
VAR_SERVE_EXPIRED = 483, /* VAR_SERVE_EXPIRED */
VAR_SERVE_EXPIRED_TTL = 484, /* VAR_SERVE_EXPIRED_TTL */
VAR_SERVE_EXPIRED_TTL_RESET = 485, /* VAR_SERVE_EXPIRED_TTL_RESET */
VAR_SERVE_EXPIRED_REPLY_TTL = 486, /* VAR_SERVE_EXPIRED_REPLY_TTL */
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 487, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */
VAR_SERVE_ORIGINAL_TTL = 488, /* VAR_SERVE_ORIGINAL_TTL */
VAR_FAKE_DSA = 489, /* VAR_FAKE_DSA */
VAR_FAKE_SHA1 = 490, /* VAR_FAKE_SHA1 */
VAR_LOG_IDENTITY = 491, /* VAR_LOG_IDENTITY */
VAR_HIDE_TRUSTANCHOR = 492, /* VAR_HIDE_TRUSTANCHOR */
VAR_TRUST_ANCHOR_SIGNALING = 493, /* VAR_TRUST_ANCHOR_SIGNALING */
VAR_AGGRESSIVE_NSEC = 494, /* VAR_AGGRESSIVE_NSEC */
VAR_USE_SYSTEMD = 495, /* VAR_USE_SYSTEMD */
VAR_SHM_ENABLE = 496, /* VAR_SHM_ENABLE */
VAR_SHM_KEY = 497, /* VAR_SHM_KEY */
VAR_ROOT_KEY_SENTINEL = 498, /* VAR_ROOT_KEY_SENTINEL */
VAR_DNSCRYPT = 499, /* VAR_DNSCRYPT */
VAR_DNSCRYPT_ENABLE = 500, /* VAR_DNSCRYPT_ENABLE */
VAR_DNSCRYPT_PORT = 501, /* VAR_DNSCRYPT_PORT */
VAR_DNSCRYPT_PROVIDER = 502, /* VAR_DNSCRYPT_PROVIDER */
VAR_DNSCRYPT_SECRET_KEY = 503, /* VAR_DNSCRYPT_SECRET_KEY */
VAR_DNSCRYPT_PROVIDER_CERT = 504, /* VAR_DNSCRYPT_PROVIDER_CERT */
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 505, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 506, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 507, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 508, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 509, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */
VAR_PAD_RESPONSES = 510, /* VAR_PAD_RESPONSES */
VAR_PAD_RESPONSES_BLOCK_SIZE = 511, /* VAR_PAD_RESPONSES_BLOCK_SIZE */
VAR_PAD_QUERIES = 512, /* VAR_PAD_QUERIES */
VAR_PAD_QUERIES_BLOCK_SIZE = 513, /* VAR_PAD_QUERIES_BLOCK_SIZE */
VAR_IPSECMOD_ENABLED = 514, /* VAR_IPSECMOD_ENABLED */
VAR_IPSECMOD_HOOK = 515, /* VAR_IPSECMOD_HOOK */
VAR_IPSECMOD_IGNORE_BOGUS = 516, /* VAR_IPSECMOD_IGNORE_BOGUS */
VAR_IPSECMOD_MAX_TTL = 517, /* VAR_IPSECMOD_MAX_TTL */
VAR_IPSECMOD_WHITELIST = 518, /* VAR_IPSECMOD_WHITELIST */
VAR_IPSECMOD_STRICT = 519, /* VAR_IPSECMOD_STRICT */
VAR_CACHEDB = 520, /* VAR_CACHEDB */
VAR_CACHEDB_BACKEND = 521, /* VAR_CACHEDB_BACKEND */
VAR_CACHEDB_SECRETSEED = 522, /* VAR_CACHEDB_SECRETSEED */
VAR_CACHEDB_REDISHOST = 523, /* VAR_CACHEDB_REDISHOST */
VAR_CACHEDB_REDISPORT = 524, /* VAR_CACHEDB_REDISPORT */
VAR_CACHEDB_REDISTIMEOUT = 525, /* VAR_CACHEDB_REDISTIMEOUT */
VAR_CACHEDB_REDISEXPIRERECORDS = 526, /* VAR_CACHEDB_REDISEXPIRERECORDS */
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 527, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */
VAR_FOR_UPSTREAM = 528, /* VAR_FOR_UPSTREAM */
VAR_AUTH_ZONE = 529, /* VAR_AUTH_ZONE */
VAR_ZONEFILE = 530, /* VAR_ZONEFILE */
VAR_MASTER = 531, /* VAR_MASTER */
VAR_URL = 532, /* VAR_URL */
VAR_FOR_DOWNSTREAM = 533, /* VAR_FOR_DOWNSTREAM */
VAR_FALLBACK_ENABLED = 534, /* VAR_FALLBACK_ENABLED */
VAR_TLS_ADDITIONAL_PORT = 535, /* VAR_TLS_ADDITIONAL_PORT */
VAR_LOW_RTT = 536, /* VAR_LOW_RTT */
VAR_LOW_RTT_PERMIL = 537, /* VAR_LOW_RTT_PERMIL */
VAR_FAST_SERVER_PERMIL = 538, /* VAR_FAST_SERVER_PERMIL */
VAR_FAST_SERVER_NUM = 539, /* VAR_FAST_SERVER_NUM */
VAR_ALLOW_NOTIFY = 540, /* VAR_ALLOW_NOTIFY */
VAR_TLS_WIN_CERT = 541, /* VAR_TLS_WIN_CERT */
VAR_TCP_CONNECTION_LIMIT = 542, /* VAR_TCP_CONNECTION_LIMIT */
VAR_FORWARD_NO_CACHE = 543, /* VAR_FORWARD_NO_CACHE */
VAR_STUB_NO_CACHE = 544, /* VAR_STUB_NO_CACHE */
VAR_LOG_SERVFAIL = 545, /* VAR_LOG_SERVFAIL */
VAR_DENY_ANY = 546, /* VAR_DENY_ANY */
VAR_UNKNOWN_SERVER_TIME_LIMIT = 547, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */
VAR_LOG_TAG_QUERYREPLY = 548, /* VAR_LOG_TAG_QUERYREPLY */
VAR_STREAM_WAIT_SIZE = 549, /* VAR_STREAM_WAIT_SIZE */
VAR_TLS_CIPHERS = 550, /* VAR_TLS_CIPHERS */
VAR_TLS_CIPHERSUITES = 551, /* VAR_TLS_CIPHERSUITES */
VAR_TLS_USE_SNI = 552, /* VAR_TLS_USE_SNI */
VAR_IPSET = 553, /* VAR_IPSET */
VAR_IPSET_NAME_V4 = 554, /* VAR_IPSET_NAME_V4 */
VAR_IPSET_NAME_V6 = 555, /* VAR_IPSET_NAME_V6 */
VAR_TLS_SESSION_TICKET_KEYS = 556, /* VAR_TLS_SESSION_TICKET_KEYS */
VAR_RPZ = 557, /* VAR_RPZ */
VAR_TAGS = 558, /* VAR_TAGS */
VAR_RPZ_ACTION_OVERRIDE = 559, /* VAR_RPZ_ACTION_OVERRIDE */
VAR_RPZ_CNAME_OVERRIDE = 560, /* VAR_RPZ_CNAME_OVERRIDE */
VAR_RPZ_LOG = 561, /* VAR_RPZ_LOG */
VAR_RPZ_LOG_NAME = 562, /* VAR_RPZ_LOG_NAME */
VAR_DYNLIB = 563, /* VAR_DYNLIB */
VAR_DYNLIB_FILE = 564, /* VAR_DYNLIB_FILE */
VAR_EDNS_CLIENT_STRING = 565, /* VAR_EDNS_CLIENT_STRING */
VAR_EDNS_CLIENT_STRING_OPCODE = 566, /* VAR_EDNS_CLIENT_STRING_OPCODE */
VAR_NSID = 567, /* VAR_NSID */
VAR_ZONEMD_PERMISSIVE_MODE = 568, /* VAR_ZONEMD_PERMISSIVE_MODE */
VAR_ZONEMD_CHECK = 569, /* VAR_ZONEMD_CHECK */
VAR_ZONEMD_REJECT_ABSENCE = 570 /* VAR_ZONEMD_REJECT_ABSENCE */
};
typedef enum yytokentype yytoken_kind_t;
#endif
/* Token kinds. */
#define YYEMPTY -2
#define YYEOF 0
#define YYerror 256
#define YYUNDEF 257
@ -471,212 +477,217 @@ extern int yydebug;
#define VAR_CONTROL_KEY_FILE 357
#define VAR_CONTROL_CERT_FILE 358
#define VAR_CONTROL_USE_CERT 359
#define VAR_EXTENDED_STATISTICS 360
#define VAR_LOCAL_DATA_PTR 361
#define VAR_JOSTLE_TIMEOUT 362
#define VAR_STUB_PRIME 363
#define VAR_UNWANTED_REPLY_THRESHOLD 364
#define VAR_LOG_TIME_ASCII 365
#define VAR_DOMAIN_INSECURE 366
#define VAR_PYTHON 367
#define VAR_PYTHON_SCRIPT 368
#define VAR_VAL_SIG_SKEW_MIN 369
#define VAR_VAL_SIG_SKEW_MAX 370
#define VAR_CACHE_MIN_TTL 371
#define VAR_VAL_LOG_LEVEL 372
#define VAR_AUTO_TRUST_ANCHOR_FILE 373
#define VAR_KEEP_MISSING 374
#define VAR_ADD_HOLDDOWN 375
#define VAR_DEL_HOLDDOWN 376
#define VAR_SO_RCVBUF 377
#define VAR_EDNS_BUFFER_SIZE 378
#define VAR_PREFETCH 379
#define VAR_PREFETCH_KEY 380
#define VAR_SO_SNDBUF 381
#define VAR_SO_REUSEPORT 382
#define VAR_HARDEN_BELOW_NXDOMAIN 383
#define VAR_IGNORE_CD_FLAG 384
#define VAR_LOG_QUERIES 385
#define VAR_LOG_REPLIES 386
#define VAR_LOG_LOCAL_ACTIONS 387
#define VAR_TCP_UPSTREAM 388
#define VAR_SSL_UPSTREAM 389
#define VAR_SSL_SERVICE_KEY 390
#define VAR_SSL_SERVICE_PEM 391
#define VAR_SSL_PORT 392
#define VAR_FORWARD_FIRST 393
#define VAR_STUB_SSL_UPSTREAM 394
#define VAR_FORWARD_SSL_UPSTREAM 395
#define VAR_TLS_CERT_BUNDLE 396
#define VAR_HTTPS_PORT 397
#define VAR_HTTP_ENDPOINT 398
#define VAR_HTTP_MAX_STREAMS 399
#define VAR_HTTP_QUERY_BUFFER_SIZE 400
#define VAR_HTTP_RESPONSE_BUFFER_SIZE 401
#define VAR_HTTP_NODELAY 402
#define VAR_HTTP_NOTLS_DOWNSTREAM 403
#define VAR_STUB_FIRST 404
#define VAR_MINIMAL_RESPONSES 405
#define VAR_RRSET_ROUNDROBIN 406
#define VAR_MAX_UDP_SIZE 407
#define VAR_DELAY_CLOSE 408
#define VAR_UDP_CONNECT 409
#define VAR_UNBLOCK_LAN_ZONES 410
#define VAR_INSECURE_LAN_ZONES 411
#define VAR_INFRA_CACHE_MIN_RTT 412
#define VAR_INFRA_KEEP_PROBING 413
#define VAR_DNS64_PREFIX 414
#define VAR_DNS64_SYNTHALL 415
#define VAR_DNS64_IGNORE_AAAA 416
#define VAR_DNSTAP 417
#define VAR_DNSTAP_ENABLE 418
#define VAR_DNSTAP_SOCKET_PATH 419
#define VAR_DNSTAP_IP 420
#define VAR_DNSTAP_TLS 421
#define VAR_DNSTAP_TLS_SERVER_NAME 422
#define VAR_DNSTAP_TLS_CERT_BUNDLE 423
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 424
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 425
#define VAR_DNSTAP_SEND_IDENTITY 426
#define VAR_DNSTAP_SEND_VERSION 427
#define VAR_DNSTAP_BIDIRECTIONAL 428
#define VAR_DNSTAP_IDENTITY 429
#define VAR_DNSTAP_VERSION 430
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 431
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 432
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 433
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 434
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 435
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 436
#define VAR_RESPONSE_IP_TAG 437
#define VAR_RESPONSE_IP 438
#define VAR_RESPONSE_IP_DATA 439
#define VAR_HARDEN_ALGO_DOWNGRADE 440
#define VAR_IP_TRANSPARENT 441
#define VAR_IP_DSCP 442
#define VAR_DISABLE_DNSSEC_LAME_CHECK 443
#define VAR_IP_RATELIMIT 444
#define VAR_IP_RATELIMIT_SLABS 445
#define VAR_IP_RATELIMIT_SIZE 446
#define VAR_RATELIMIT 447
#define VAR_RATELIMIT_SLABS 448
#define VAR_RATELIMIT_SIZE 449
#define VAR_RATELIMIT_FOR_DOMAIN 450
#define VAR_RATELIMIT_BELOW_DOMAIN 451
#define VAR_IP_RATELIMIT_FACTOR 452
#define VAR_RATELIMIT_FACTOR 453
#define VAR_SEND_CLIENT_SUBNET 454
#define VAR_CLIENT_SUBNET_ZONE 455
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 456
#define VAR_CLIENT_SUBNET_OPCODE 457
#define VAR_MAX_CLIENT_SUBNET_IPV4 458
#define VAR_MAX_CLIENT_SUBNET_IPV6 459
#define VAR_MIN_CLIENT_SUBNET_IPV4 460
#define VAR_MIN_CLIENT_SUBNET_IPV6 461
#define VAR_MAX_ECS_TREE_SIZE_IPV4 462
#define VAR_MAX_ECS_TREE_SIZE_IPV6 463
#define VAR_CAPS_WHITELIST 464
#define VAR_CACHE_MAX_NEGATIVE_TTL 465
#define VAR_PERMIT_SMALL_HOLDDOWN 466
#define VAR_QNAME_MINIMISATION 467
#define VAR_QNAME_MINIMISATION_STRICT 468
#define VAR_IP_FREEBIND 469
#define VAR_DEFINE_TAG 470
#define VAR_LOCAL_ZONE_TAG 471
#define VAR_ACCESS_CONTROL_TAG 472
#define VAR_LOCAL_ZONE_OVERRIDE 473
#define VAR_ACCESS_CONTROL_TAG_ACTION 474
#define VAR_ACCESS_CONTROL_TAG_DATA 475
#define VAR_VIEW 476
#define VAR_ACCESS_CONTROL_VIEW 477
#define VAR_VIEW_FIRST 478
#define VAR_SERVE_EXPIRED 479
#define VAR_SERVE_EXPIRED_TTL 480
#define VAR_SERVE_EXPIRED_TTL_RESET 481
#define VAR_SERVE_EXPIRED_REPLY_TTL 482
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 483
#define VAR_SERVE_ORIGINAL_TTL 484
#define VAR_FAKE_DSA 485
#define VAR_FAKE_SHA1 486
#define VAR_LOG_IDENTITY 487
#define VAR_HIDE_TRUSTANCHOR 488
#define VAR_TRUST_ANCHOR_SIGNALING 489
#define VAR_AGGRESSIVE_NSEC 490
#define VAR_USE_SYSTEMD 491
#define VAR_SHM_ENABLE 492
#define VAR_SHM_KEY 493
#define VAR_ROOT_KEY_SENTINEL 494
#define VAR_DNSCRYPT 495
#define VAR_DNSCRYPT_ENABLE 496
#define VAR_DNSCRYPT_PORT 497
#define VAR_DNSCRYPT_PROVIDER 498
#define VAR_DNSCRYPT_SECRET_KEY 499
#define VAR_DNSCRYPT_PROVIDER_CERT 500
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 501
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 502
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 503
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 504
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 505
#define VAR_PAD_RESPONSES 506
#define VAR_PAD_RESPONSES_BLOCK_SIZE 507
#define VAR_PAD_QUERIES 508
#define VAR_PAD_QUERIES_BLOCK_SIZE 509
#define VAR_IPSECMOD_ENABLED 510
#define VAR_IPSECMOD_HOOK 511
#define VAR_IPSECMOD_IGNORE_BOGUS 512
#define VAR_IPSECMOD_MAX_TTL 513
#define VAR_IPSECMOD_WHITELIST 514
#define VAR_IPSECMOD_STRICT 515
#define VAR_CACHEDB 516
#define VAR_CACHEDB_BACKEND 517
#define VAR_CACHEDB_SECRETSEED 518
#define VAR_CACHEDB_REDISHOST 519
#define VAR_CACHEDB_REDISPORT 520
#define VAR_CACHEDB_REDISTIMEOUT 521
#define VAR_CACHEDB_REDISEXPIRERECORDS 522
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 523
#define VAR_FOR_UPSTREAM 524
#define VAR_AUTH_ZONE 525
#define VAR_ZONEFILE 526
#define VAR_MASTER 527
#define VAR_URL 528
#define VAR_FOR_DOWNSTREAM 529
#define VAR_FALLBACK_ENABLED 530
#define VAR_TLS_ADDITIONAL_PORT 531
#define VAR_LOW_RTT 532
#define VAR_LOW_RTT_PERMIL 533
#define VAR_FAST_SERVER_PERMIL 534
#define VAR_FAST_SERVER_NUM 535
#define VAR_ALLOW_NOTIFY 536
#define VAR_TLS_WIN_CERT 537
#define VAR_TCP_CONNECTION_LIMIT 538
#define VAR_FORWARD_NO_CACHE 539
#define VAR_STUB_NO_CACHE 540
#define VAR_LOG_SERVFAIL 541
#define VAR_DENY_ANY 542
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 543
#define VAR_LOG_TAG_QUERYREPLY 544
#define VAR_STREAM_WAIT_SIZE 545
#define VAR_TLS_CIPHERS 546
#define VAR_TLS_CIPHERSUITES 547
#define VAR_TLS_USE_SNI 548
#define VAR_IPSET 549
#define VAR_IPSET_NAME_V4 550
#define VAR_IPSET_NAME_V6 551
#define VAR_TLS_SESSION_TICKET_KEYS 552
#define VAR_RPZ 553
#define VAR_TAGS 554
#define VAR_RPZ_ACTION_OVERRIDE 555
#define VAR_RPZ_CNAME_OVERRIDE 556
#define VAR_RPZ_LOG 557
#define VAR_RPZ_LOG_NAME 558
#define VAR_DYNLIB 559
#define VAR_DYNLIB_FILE 560
#define VAR_EDNS_CLIENT_STRING 561
#define VAR_EDNS_CLIENT_STRING_OPCODE 562
#define VAR_NSID 563
#define VAR_ZONEMD_PERMISSIVE_MODE 564
#define VAR_ZONEMD_REJECT_ABSENCE 565
#define VAR_TCP_REUSE_TIMEOUT 360
#define VAR_MAX_REUSE_TCP_QUERIES 361
#define VAR_EXTENDED_STATISTICS 362
#define VAR_LOCAL_DATA_PTR 363
#define VAR_JOSTLE_TIMEOUT 364
#define VAR_STUB_PRIME 365
#define VAR_UNWANTED_REPLY_THRESHOLD 366
#define VAR_LOG_TIME_ASCII 367
#define VAR_DOMAIN_INSECURE 368
#define VAR_PYTHON 369
#define VAR_PYTHON_SCRIPT 370
#define VAR_VAL_SIG_SKEW_MIN 371
#define VAR_VAL_SIG_SKEW_MAX 372
#define VAR_VAL_MAX_RESTART 373
#define VAR_CACHE_MIN_TTL 374
#define VAR_VAL_LOG_LEVEL 375
#define VAR_AUTO_TRUST_ANCHOR_FILE 376
#define VAR_KEEP_MISSING 377
#define VAR_ADD_HOLDDOWN 378
#define VAR_DEL_HOLDDOWN 379
#define VAR_SO_RCVBUF 380
#define VAR_EDNS_BUFFER_SIZE 381
#define VAR_PREFETCH 382
#define VAR_PREFETCH_KEY 383
#define VAR_SO_SNDBUF 384
#define VAR_SO_REUSEPORT 385
#define VAR_HARDEN_BELOW_NXDOMAIN 386
#define VAR_IGNORE_CD_FLAG 387
#define VAR_LOG_QUERIES 388
#define VAR_LOG_REPLIES 389
#define VAR_LOG_LOCAL_ACTIONS 390
#define VAR_TCP_UPSTREAM 391
#define VAR_SSL_UPSTREAM 392
#define VAR_TCP_AUTH_QUERY_TIMEOUT 393
#define VAR_SSL_SERVICE_KEY 394
#define VAR_SSL_SERVICE_PEM 395
#define VAR_SSL_PORT 396
#define VAR_FORWARD_FIRST 397
#define VAR_STUB_SSL_UPSTREAM 398
#define VAR_FORWARD_SSL_UPSTREAM 399
#define VAR_TLS_CERT_BUNDLE 400
#define VAR_HTTPS_PORT 401
#define VAR_HTTP_ENDPOINT 402
#define VAR_HTTP_MAX_STREAMS 403
#define VAR_HTTP_QUERY_BUFFER_SIZE 404
#define VAR_HTTP_RESPONSE_BUFFER_SIZE 405
#define VAR_HTTP_NODELAY 406
#define VAR_HTTP_NOTLS_DOWNSTREAM 407
#define VAR_STUB_FIRST 408
#define VAR_MINIMAL_RESPONSES 409
#define VAR_RRSET_ROUNDROBIN 410
#define VAR_MAX_UDP_SIZE 411
#define VAR_DELAY_CLOSE 412
#define VAR_UDP_CONNECT 413
#define VAR_UNBLOCK_LAN_ZONES 414
#define VAR_INSECURE_LAN_ZONES 415
#define VAR_INFRA_CACHE_MIN_RTT 416
#define VAR_INFRA_KEEP_PROBING 417
#define VAR_DNS64_PREFIX 418
#define VAR_DNS64_SYNTHALL 419
#define VAR_DNS64_IGNORE_AAAA 420
#define VAR_DNSTAP 421
#define VAR_DNSTAP_ENABLE 422
#define VAR_DNSTAP_SOCKET_PATH 423
#define VAR_DNSTAP_IP 424
#define VAR_DNSTAP_TLS 425
#define VAR_DNSTAP_TLS_SERVER_NAME 426
#define VAR_DNSTAP_TLS_CERT_BUNDLE 427
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 428
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 429
#define VAR_DNSTAP_SEND_IDENTITY 430
#define VAR_DNSTAP_SEND_VERSION 431
#define VAR_DNSTAP_BIDIRECTIONAL 432
#define VAR_DNSTAP_IDENTITY 433
#define VAR_DNSTAP_VERSION 434
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 435
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 436
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 437
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 438
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 439
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 440
#define VAR_RESPONSE_IP_TAG 441
#define VAR_RESPONSE_IP 442
#define VAR_RESPONSE_IP_DATA 443
#define VAR_HARDEN_ALGO_DOWNGRADE 444
#define VAR_IP_TRANSPARENT 445
#define VAR_IP_DSCP 446
#define VAR_DISABLE_DNSSEC_LAME_CHECK 447
#define VAR_IP_RATELIMIT 448
#define VAR_IP_RATELIMIT_SLABS 449
#define VAR_IP_RATELIMIT_SIZE 450
#define VAR_RATELIMIT 451
#define VAR_RATELIMIT_SLABS 452
#define VAR_RATELIMIT_SIZE 453
#define VAR_RATELIMIT_FOR_DOMAIN 454
#define VAR_RATELIMIT_BELOW_DOMAIN 455
#define VAR_IP_RATELIMIT_FACTOR 456
#define VAR_RATELIMIT_FACTOR 457
#define VAR_SEND_CLIENT_SUBNET 458
#define VAR_CLIENT_SUBNET_ZONE 459
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 460
#define VAR_CLIENT_SUBNET_OPCODE 461
#define VAR_MAX_CLIENT_SUBNET_IPV4 462
#define VAR_MAX_CLIENT_SUBNET_IPV6 463
#define VAR_MIN_CLIENT_SUBNET_IPV4 464
#define VAR_MIN_CLIENT_SUBNET_IPV6 465
#define VAR_MAX_ECS_TREE_SIZE_IPV4 466
#define VAR_MAX_ECS_TREE_SIZE_IPV6 467
#define VAR_CAPS_WHITELIST 468
#define VAR_CACHE_MAX_NEGATIVE_TTL 469
#define VAR_PERMIT_SMALL_HOLDDOWN 470
#define VAR_QNAME_MINIMISATION 471
#define VAR_QNAME_MINIMISATION_STRICT 472
#define VAR_IP_FREEBIND 473
#define VAR_DEFINE_TAG 474
#define VAR_LOCAL_ZONE_TAG 475
#define VAR_ACCESS_CONTROL_TAG 476
#define VAR_LOCAL_ZONE_OVERRIDE 477
#define VAR_ACCESS_CONTROL_TAG_ACTION 478
#define VAR_ACCESS_CONTROL_TAG_DATA 479
#define VAR_VIEW 480
#define VAR_ACCESS_CONTROL_VIEW 481
#define VAR_VIEW_FIRST 482
#define VAR_SERVE_EXPIRED 483
#define VAR_SERVE_EXPIRED_TTL 484
#define VAR_SERVE_EXPIRED_TTL_RESET 485
#define VAR_SERVE_EXPIRED_REPLY_TTL 486
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 487
#define VAR_SERVE_ORIGINAL_TTL 488
#define VAR_FAKE_DSA 489
#define VAR_FAKE_SHA1 490
#define VAR_LOG_IDENTITY 491
#define VAR_HIDE_TRUSTANCHOR 492
#define VAR_TRUST_ANCHOR_SIGNALING 493
#define VAR_AGGRESSIVE_NSEC 494
#define VAR_USE_SYSTEMD 495
#define VAR_SHM_ENABLE 496
#define VAR_SHM_KEY 497
#define VAR_ROOT_KEY_SENTINEL 498
#define VAR_DNSCRYPT 499
#define VAR_DNSCRYPT_ENABLE 500
#define VAR_DNSCRYPT_PORT 501
#define VAR_DNSCRYPT_PROVIDER 502
#define VAR_DNSCRYPT_SECRET_KEY 503
#define VAR_DNSCRYPT_PROVIDER_CERT 504
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 505
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 506
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 507
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 508
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 509
#define VAR_PAD_RESPONSES 510
#define VAR_PAD_RESPONSES_BLOCK_SIZE 511
#define VAR_PAD_QUERIES 512
#define VAR_PAD_QUERIES_BLOCK_SIZE 513
#define VAR_IPSECMOD_ENABLED 514
#define VAR_IPSECMOD_HOOK 515
#define VAR_IPSECMOD_IGNORE_BOGUS 516
#define VAR_IPSECMOD_MAX_TTL 517
#define VAR_IPSECMOD_WHITELIST 518
#define VAR_IPSECMOD_STRICT 519
#define VAR_CACHEDB 520
#define VAR_CACHEDB_BACKEND 521
#define VAR_CACHEDB_SECRETSEED 522
#define VAR_CACHEDB_REDISHOST 523
#define VAR_CACHEDB_REDISPORT 524
#define VAR_CACHEDB_REDISTIMEOUT 525
#define VAR_CACHEDB_REDISEXPIRERECORDS 526
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 527
#define VAR_FOR_UPSTREAM 528
#define VAR_AUTH_ZONE 529
#define VAR_ZONEFILE 530
#define VAR_MASTER 531
#define VAR_URL 532
#define VAR_FOR_DOWNSTREAM 533
#define VAR_FALLBACK_ENABLED 534
#define VAR_TLS_ADDITIONAL_PORT 535
#define VAR_LOW_RTT 536
#define VAR_LOW_RTT_PERMIL 537
#define VAR_FAST_SERVER_PERMIL 538
#define VAR_FAST_SERVER_NUM 539
#define VAR_ALLOW_NOTIFY 540
#define VAR_TLS_WIN_CERT 541
#define VAR_TCP_CONNECTION_LIMIT 542
#define VAR_FORWARD_NO_CACHE 543
#define VAR_STUB_NO_CACHE 544
#define VAR_LOG_SERVFAIL 545
#define VAR_DENY_ANY 546
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 547
#define VAR_LOG_TAG_QUERYREPLY 548
#define VAR_STREAM_WAIT_SIZE 549
#define VAR_TLS_CIPHERS 550
#define VAR_TLS_CIPHERSUITES 551
#define VAR_TLS_USE_SNI 552
#define VAR_IPSET 553
#define VAR_IPSET_NAME_V4 554
#define VAR_IPSET_NAME_V6 555
#define VAR_TLS_SESSION_TICKET_KEYS 556
#define VAR_RPZ 557
#define VAR_TAGS 558
#define VAR_RPZ_ACTION_OVERRIDE 559
#define VAR_RPZ_CNAME_OVERRIDE 560
#define VAR_RPZ_LOG 561
#define VAR_RPZ_LOG_NAME 562
#define VAR_DYNLIB 563
#define VAR_DYNLIB_FILE 564
#define VAR_EDNS_CLIENT_STRING 565
#define VAR_EDNS_CLIENT_STRING_OPCODE 566
#define VAR_NSID 567
#define VAR_ZONEMD_PERMISSIVE_MODE 568
#define VAR_ZONEMD_CHECK 569
#define VAR_ZONEMD_REJECT_ABSENCE 570
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -686,7 +697,7 @@ union YYSTYPE
char* str;
#line 690 "util/configparser.h"
#line 701 "util/configparser.h"
};
typedef union YYSTYPE YYSTYPE;


@ -100,17 +100,18 @@ extern struct config_parser_state* cfg_parser;
%token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
%token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
%token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
%token VAR_CONTROL_USE_CERT
%token VAR_CONTROL_USE_CERT VAR_TCP_REUSE_TIMEOUT VAR_MAX_REUSE_TCP_QUERIES
%token VAR_EXTENDED_STATISTICS VAR_LOCAL_DATA_PTR VAR_JOSTLE_TIMEOUT
%token VAR_STUB_PRIME VAR_UNWANTED_REPLY_THRESHOLD VAR_LOG_TIME_ASCII
%token VAR_DOMAIN_INSECURE VAR_PYTHON VAR_PYTHON_SCRIPT VAR_VAL_SIG_SKEW_MIN
%token VAR_VAL_SIG_SKEW_MAX VAR_CACHE_MIN_TTL VAR_VAL_LOG_LEVEL
%token VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING VAR_ADD_HOLDDOWN
%token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH
%token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT VAR_HARDEN_BELOW_NXDOMAIN
%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_LOG_REPLIES VAR_LOG_LOCAL_ACTIONS
%token VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
%token VAR_VAL_SIG_SKEW_MAX VAR_VAL_MAX_RESTART VAR_CACHE_MIN_TTL
%token VAR_VAL_LOG_LEVEL VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING
%token VAR_ADD_HOLDDOWN VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE
%token VAR_PREFETCH VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT
%token VAR_HARDEN_BELOW_NXDOMAIN VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES
%token VAR_LOG_REPLIES VAR_LOG_LOCAL_ACTIONS VAR_TCP_UPSTREAM
%token VAR_SSL_UPSTREAM VAR_TCP_AUTH_QUERY_TIMEOUT VAR_SSL_SERVICE_KEY
%token VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
%token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
%token VAR_HTTPS_PORT VAR_HTTP_ENDPOINT VAR_HTTP_MAX_STREAMS
%token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE
@ -182,7 +183,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME
%token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING
%token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID
%token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_REJECT_ABSENCE
%token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -243,8 +244,9 @@ content_server: server_num_threads | server_verbosity | server_port |
server_local_data_ptr | server_jostle_timeout |
server_unwanted_reply_threshold | server_log_time_ascii |
server_domain_insecure | server_val_sig_skew_min |
server_val_sig_skew_max | server_cache_min_ttl | server_val_log_level |
server_auto_trust_anchor_file | server_add_holddown |
server_val_sig_skew_max | server_val_max_restart |
server_cache_min_ttl | server_val_log_level |
server_auto_trust_anchor_file | server_add_holddown |
server_del_holddown | server_keep_missing | server_so_rcvbuf |
server_edns_buffer_size | server_prefetch | server_prefetch_key |
server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag |
@ -301,7 +303,9 @@ content_server: server_num_threads | server_verbosity | server_port |
server_tls_ciphersuites | server_tls_session_ticket_keys |
server_tls_use_sni | server_edns_client_string |
server_edns_client_string_opcode | server_nsid |
server_zonemd_permissive_mode
server_zonemd_permissive_mode | server_max_reuse_tcp_queries |
server_tcp_reuse_timeout | server_tcp_auth_query_timeout
;
stubstart: VAR_STUB_ZONE
{
@ -368,6 +372,7 @@ authstart: VAR_AUTH_ZONE
s->for_downstream = 1;
s->for_upstream = 1;
s->fallback_enabled = 0;
s->zonemd_check = 0;
s->zonemd_reject_absence = 0;
s->isrpz = 0;
} else
@ -378,7 +383,7 @@ contents_auth: contents_auth content_auth
| ;
content_auth: auth_name | auth_zonefile | auth_master | auth_url |
auth_for_downstream | auth_for_upstream | auth_fallback_enabled |
auth_allow_notify | auth_zonemd_reject_absence
auth_allow_notify | auth_zonemd_check | auth_zonemd_reject_absence
;
rpz_tag: VAR_TAGS STRING_ARG
@ -859,6 +864,39 @@ server_tcp_idle_timeout: VAR_TCP_IDLE_TIMEOUT STRING_ARG
free($2);
}
;
server_max_reuse_tcp_queries: VAR_MAX_REUSE_TCP_QUERIES STRING_ARG
{
OUTYY(("P(server_max_reuse_tcp_queries:%s)\n", $2));
if(atoi($2) == 0 && strcmp($2, "0") != 0)
yyerror("number expected");
else if (atoi($2) < 1)
cfg_parser->cfg->max_reuse_tcp_queries = 0;
else cfg_parser->cfg->max_reuse_tcp_queries = atoi($2);
free($2);
}
;
server_tcp_reuse_timeout: VAR_TCP_REUSE_TIMEOUT STRING_ARG
{
OUTYY(("P(server_tcp_reuse_timeout:%s)\n", $2));
if(atoi($2) == 0 && strcmp($2, "0") != 0)
yyerror("number expected");
else if (atoi($2) < 1)
cfg_parser->cfg->tcp_reuse_timeout = 0;
else cfg_parser->cfg->tcp_reuse_timeout = atoi($2);
free($2);
}
;
server_tcp_auth_query_timeout: VAR_TCP_AUTH_QUERY_TIMEOUT STRING_ARG
{
OUTYY(("P(server_tcp_auth_query_timeout:%s)\n", $2));
if(atoi($2) == 0 && strcmp($2, "0") != 0)
yyerror("number expected");
else if (atoi($2) < 1)
cfg_parser->cfg->tcp_auth_query_timeout = 0;
else cfg_parser->cfg->tcp_auth_query_timeout = atoi($2);
free($2);
}
;
server_tcp_keepalive: VAR_EDNS_TCP_KEEPALIVE STRING_ARG
{
OUTYY(("P(server_tcp_keepalive:%s)\n", $2));
@ -1817,6 +1855,19 @@ server_val_sig_skew_max: VAR_VAL_SIG_SKEW_MAX STRING_ARG
free($2);
}
;
server_val_max_restart: VAR_VAL_MAX_RESTART STRING_ARG
{
OUTYY(("P(server_val_max_restart:%s)\n", $2));
if(*$2 == '\0' || strcmp($2, "0") == 0) {
cfg_parser->cfg->val_max_restart = 0;
} else {
cfg_parser->cfg->val_max_restart = atoi($2);
if(!cfg_parser->cfg->val_max_restart)
yyerror("number expected");
}
free($2);
}
;
server_cache_max_ttl: VAR_CACHE_MAX_TTL STRING_ARG
{
OUTYY(("P(server_cache_max_ttl:%s)\n", $2));
@ -2753,6 +2804,16 @@ auth_allow_notify: VAR_ALLOW_NOTIFY STRING_ARG
yyerror("out of memory");
}
;
auth_zonemd_check: VAR_ZONEMD_CHECK STRING_ARG
{
OUTYY(("P(zonemd-check:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->auths->zonemd_check =
(strcmp($2, "yes")==0);
free($2);
}
;
auth_zonemd_reject_absence: VAR_ZONEMD_REJECT_ABSENCE STRING_ARG
{
OUTYY(("P(zonemd-reject-absence:%s)\n", $2));
@ -2813,13 +2874,20 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
&& strcmp($3, "always_transparent")!=0
&& strcmp($3, "always_refuse")!=0
&& strcmp($3, "always_nxdomain")!=0
&& strcmp($3, "always_nodata")!=0
&& strcmp($3, "always_deny")!=0
&& strcmp($3, "always_null")!=0
&& strcmp($3, "noview")!=0
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0) {
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0
&& strcmp($3, "inform_redirect") != 0
&& strcmp($3, "ipset") != 0) {
yyerror("local-zone type: expected static, deny, "
"refuse, redirect, transparent, "
"typetransparent, inform, inform_deny, "
"always_transparent, always_refuse, "
"always_nxdomain, noview or nodefault");
"inform_redirect, always_transparent, "
"always_refuse, always_nxdomain, "
"always_nodata, always_deny, always_null, "
"noview, nodefault or ipset");
free($2);
free($3);
} else if(strcmp($3, "nodefault")==0) {


@ -329,7 +329,10 @@ parse_create_rrset(sldns_buffer* pkt, struct rrset_parse* pset,
return 0;
/* copy & decompress */
if(!parse_rr_copy(pkt, pset, *data)) {
if(!region) free(*data);
if(!region) {
free(*data);
*data = NULL;
}
return 0;
}
return 1;
@ -394,8 +397,13 @@ parse_copy_decompress_rrset(sldns_buffer* pkt, struct msg_parse* msg,
pk->rk.type = htons(pset->type);
pk->rk.rrset_class = pset->rrset_class;
/** read data part. */
if(!parse_create_rrset(pkt, pset, &data, region))
if(!parse_create_rrset(pkt, pset, &data, region)) {
if(!region) {
free(pk->rk.dname);
pk->rk.dname = NULL;
}
return 0;
}
pk->entry.data = (void*)data;
pk->entry.key = (void*)pk;
pk->entry.hash = pset->hash;
@ -825,9 +833,15 @@ log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* rep)
/* not particularly fast but flexible, make wireformat and print */
sldns_buffer* buf = sldns_buffer_new(65535);
struct regional* region = regional_create();
if(!reply_info_encode(qinfo, rep, 0, rep->flags, buf, 0,
if(!(buf && region)) {
log_err("%s: log_dns_msg: out of memory", str);
sldns_buffer_free(buf);
regional_destroy(region);
return;
}
if(!reply_info_encode(qinfo, rep, 0, rep->flags, buf, 0,
region, 65535, 1, 0)) {
log_info("%s: log_dns_msg: out of memory", str);
log_err("%s: log_dns_msg: out of memory", str);
} else {
char* s = sldns_wire2str_pkt(sldns_buffer_begin(buf),
sldns_buffer_limit(buf));
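Review bot: The new out-of-memory exit in log_dns_msg tears down buf and region by hand, duplicating the cleanup the function already performs at its end (outside this hunk); a single cleanup label that both paths jump to would keep the two in step. The early exit is only safe when exactly one allocation failed if both sldns_buffer_free and regional_destroy accept NULL — presumably they do, but worth confirming rather than relying on it. In the parse_copy_decompress_rrset hunk above, the failure path now releases pk->rk.dname but not pk itself; if pk was malloc'ed in the non-region case, the caller is presumably responsible, and a one-line comment saying so (`/* caller frees pk */`) would settle it.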


@ -887,7 +887,7 @@ log_cert(unsigned level, const char* str, void* cert)
}
#endif /* HAVE_SSL */
#if defined(HAVE_SSL) && defined(HAVE_NGHTTP2)
#if defined(HAVE_SSL) && defined(HAVE_NGHTTP2) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
static int alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out,
unsigned char* outlen, const unsigned char* in, unsigned int inlen,
void* ATTR_UNUSED(arg))
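Review bot: Adding HAVE_SSL_CTX_SET_ALPN_SELECT_CB to this `#if` only helps if the site that registers the callback (`SSL_CTX_set_alpn_select_cb(...)`, not in this hunk) is under the same guard; otherwise a build against an OpenSSL without that API moves the error rather than removing it. The matching `#endif` is outside the hunk. A short comment on the `#if` line would explain the third condition to the next reader, e.g. `/* SSL_CTX_set_alpn_select_cb is absent on older OpenSSL */`.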


@ -42,6 +42,7 @@
#ifndef NET_HELP_H
#define NET_HELP_H
#include "util/log.h"
#include "util/random.h"
struct sock_list;
struct regional;
struct config_strlist;
@ -76,8 +77,6 @@ struct config_strlist;
/** timeout in milliseconds for UDP queries to auth servers. */
#define UDP_AUTH_QUERY_TIMEOUT 3000
/** timeout in milliseconds for TCP queries to auth servers. */
#define TCP_AUTH_QUERY_TIMEOUT 3000
/** Advertised version of EDNS capabilities */
#define EDNS_ADVERTISED_VERSION 0
/** Advertised size of EDNS capabilities */
@ -94,6 +93,9 @@ extern uint16_t EDNS_ADVERTISED_SIZE;
/** DNSKEY secure entry point, KSK flag */
#define DNSKEY_BIT_SEP 0x0001
/** return a random 16-bit number given a random source */
#define GET_RANDOM_ID(rnd) (((unsigned)ub_random(rnd)>>8) & 0xffff)
/** minimal responses when positive answer */
extern int MINIMAL_RESPONSES;
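Review bot: GET_RANDOM_ID discards the low 8 bits of ub_random() with `>>8` and the comment does not say why; either state the reason in the comment or take the low 16 bits directly, because a reader cannot tell whether the shift is deliberate. The macro argument should also be parenthesized, `ub_random((rnd))`, per the usual macro convention. Pulling util/random.h into net_help.h makes every includer of this widely used header depend on it solely for this macro; it may be preferable to keep the include in the callers that expand GET_RANDOM_ID.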


@ -1314,6 +1314,7 @@ ssl_handshake(struct comm_point* c)
c->repinfo.addrlen);
}
#ifdef HAVE_SSL_GET0_ALPN_SELECTED
/* check if http2 use is negotiated */
if(c->type == comm_http && c->h2_session) {
const unsigned char *alpn;
@ -1325,6 +1326,7 @@ ssl_handshake(struct comm_point* c)
c->use_h2 = 1;
}
}
#endif
/* setup listen rw correctly */
if(c->tcp_is_reading) {
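Review bot: When HAVE_SSL_GET0_ALPN_SELECTED is not defined, the h2 negotiation block is compiled out silently and c->use_h2 is never set for a comm_http point, so the resulting behaviour is hard to diagnose at runtime. An `#else` branch with a `verbose(VERB_ALGO, "ALPN not available in this build, http2 not negotiated")` would make the cause visible in logs; if comm_http cannot function without h2 (not visible here), a configure-time warning would be better still. ssl_handshake continues outside the hunk.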


@ -130,6 +130,7 @@ int shm_main_init(struct daemon* daemon)
/* Just release memory unused */
free(daemon->shm_info);
daemon->shm_info = NULL;
return 0;
}
@ -143,6 +144,7 @@ int shm_main_init(struct daemon* daemon)
/* Just release memory unused */
free(daemon->shm_info);
daemon->shm_info = NULL;
return 0;
}
@ -156,6 +158,7 @@ int shm_main_init(struct daemon* daemon)
/* Just release memory unused */
free(daemon->shm_info);
daemon->shm_info = NULL;
return 0;
}
@ -170,6 +173,7 @@ int shm_main_init(struct daemon* daemon)
/* Just release memory unused */
free(daemon->shm_info);
daemon->shm_info = NULL;
return 0;
}
@ -210,6 +214,8 @@ void shm_main_shutdown(struct daemon* daemon)
if (daemon->shm_info->ptr_arr)
shmdt(daemon->shm_info->ptr_arr);
free(daemon->shm_info);
daemon->shm_info = NULL;
#else
(void)daemon;
#endif /* HAVE_SHMGET */
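Review bot: The same free-then-NULL sequence is now repeated at four early-return sites in shm_main_init and again in shm_main_shutdown; a small static helper that frees daemon->shm_info and clears the pointer would keep the five copies from drifting. The fix itself is sound: leaving a dangling shm_info after an early return would let a later shutdown path free it again. Whether the already-obtained shared-memory handles are also released on those early returns cannot be seen from these hunks.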


@ -53,21 +53,69 @@ on 1 byte), but shoehorning those bytes into integers efficiently is messy.
#include "util/storage/lookup3.h"
#include <stdio.h> /* defines printf for tests */
#include <time.h> /* defines time_t for timings in the test */
/*#include <stdint.h> defines uint32_t etc (from config.h) */
#include <sys/param.h> /* attempt to define endianness */
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h> /* attempt to define endianness (solaris) */
#endif
#if defined(linux) || defined(__OpenBSD__)
/*
* If our build system provides endianness info, signalled by
* HAVE_TARGET_ENDIANNESS and the presence or absence of TARGET_IS_BIG_ENDIAN,
* use that. Otherwise try to work out the endianness.
*/
#if defined(HAVE_TARGET_ENDIANNESS)
# if defined(TARGET_IS_BIG_ENDIAN)
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 1
# else
# define HASH_LITTLE_ENDIAN 1
# define HASH_BIG_ENDIAN 0
# endif
#else
# include <sys/param.h> /* attempt to define endianness */
# ifdef HAVE_SYS_TYPES_H
# include <sys/types.h> /* attempt to define endianness (solaris) */
# endif
# if defined(linux) || defined(__OpenBSD__)
# ifdef HAVE_ENDIAN_H
# include <endian.h> /* attempt to define endianness */
# else
# include <machine/endian.h> /* on older OpenBSD */
# endif
#endif
#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__)
#include <sys/endian.h> /* attempt to define endianness */
#endif
# endif
# if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__)
# include <sys/endian.h> /* attempt to define endianness */
# endif
/*
* My best guess at if you are big-endian or little-endian. This may
* need adjustment.
*/
# if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \
__BYTE_ORDER == __LITTLE_ENDIAN) || \
(defined(i386) || defined(__i386__) || defined(__i486__) || \
defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL) || defined(__x86))
# define HASH_LITTLE_ENDIAN 1
# define HASH_BIG_ENDIAN 0
# elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \
__BYTE_ORDER == __BIG_ENDIAN) || \
(defined(sparc) || defined(__sparc) || defined(__sparc__) || defined(POWERPC) || defined(mc68000) || defined(sel))
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 1
# elif defined(_MACHINE_ENDIAN_H_)
/* test for machine_endian_h protects failure if some are empty strings */
# if defined(_BYTE_ORDER) && defined(_BIG_ENDIAN) && _BYTE_ORDER == _BIG_ENDIAN
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 1
# endif
# if defined(_BYTE_ORDER) && defined(_LITTLE_ENDIAN) && _BYTE_ORDER == _LITTLE_ENDIAN
# define HASH_LITTLE_ENDIAN 1
# define HASH_BIG_ENDIAN 0
# endif /* _MACHINE_ENDIAN_H_ */
# else
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 0
# endif
#endif /* defined(HAVE_TARGET_ENDIANNESS) */
#define hashsize(n) ((uint32_t)1<<(n))
#define hashmask(n) (hashsize(n)-1)
#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
/* random initial value */
static uint32_t raninit = (uint32_t)0xdeadbeef;
@ -78,40 +126,6 @@ hash_set_raninit(uint32_t v)
raninit = v;
}
/*
* My best guess at if you are big-endian or little-endian. This may
* need adjustment.
*/
#if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \
__BYTE_ORDER == __LITTLE_ENDIAN) || \
(defined(i386) || defined(__i386__) || defined(__i486__) || \
defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL) || defined(__x86))
# define HASH_LITTLE_ENDIAN 1
# define HASH_BIG_ENDIAN 0
#elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \
__BYTE_ORDER == __BIG_ENDIAN) || \
(defined(sparc) || defined(__sparc) || defined(__sparc__) || defined(POWERPC) || defined(mc68000) || defined(sel))
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 1
#elif defined(_MACHINE_ENDIAN_H_)
/* test for machine_endian_h protects failure if some are empty strings */
# if defined(_BYTE_ORDER) && defined(_BIG_ENDIAN) && _BYTE_ORDER == _BIG_ENDIAN
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 1
# endif
# if defined(_BYTE_ORDER) && defined(_LITTLE_ENDIAN) && _BYTE_ORDER == _LITTLE_ENDIAN
# define HASH_LITTLE_ENDIAN 1
# define HASH_BIG_ENDIAN 0
# endif /* _MACHINE_ENDIAN_H_ */
#else
# define HASH_LITTLE_ENDIAN 0
# define HASH_BIG_ENDIAN 0
#endif
#define hashsize(n) ((uint32_t)1<<(n))
#define hashmask(n) (hashsize(n)-1)
#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
/*
-------------------------------------------------------------------------------
mix -- mix 3 32-bit values reversibly.
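Review bot: In the moved `# elif defined(_MACHINE_ENDIAN_H_)` branch, the two inner `# if` tests are independent, so when `_BYTE_ORDER` matches neither `_BIG_ENDIAN` nor `_LITTLE_ENDIAN` neither HASH_LITTLE_ENDIAN nor HASH_BIG_ENDIAN gets defined, whereas the final `# else` defines both as 0; add the same both-zero fallback inside that branch so later tests never see an undefined macro. This predates the commit, but the block was just rewritten and the new HAVE_TARGET_ENDIANNESS path shows the intended shape. The comment on the inner `# endif /* _MACHINE_ENDIAN_H_ */` is also misleading: that `# endif` closes the `_LITTLE_ENDIAN` test, while the `_MACHINE_ENDIAN_H_` branch is closed by the outer `# endif` below.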


@ -1077,6 +1077,17 @@ trustanchor_state2str(autr_state_type s)
return " UNKNOWN ";
}
/** ctime r for autotrust */
static char* autr_ctime_r(time_t* t, char* s)
{
ctime_r(t, s);
#ifdef USE_WINSOCK
if(strlen(s) > 10 && s[7]==' ' && s[8]=='0')
s[8]=' '; /* fix error in windows ctime */
#endif
return s;
}
/** print ID to file */
static int
print_id(FILE* out, char* fname, uint8_t* nm, size_t nmlen, uint16_t dclass)
@ -1123,13 +1134,13 @@ autr_write_contents(FILE* out, char* fn, struct trust_anchor* tp)
}
if(fprintf(out, ";;last_queried: %u ;;%s",
(unsigned int)tp->autr->last_queried,
ctime_r(&(tp->autr->last_queried), tmi)) < 0 ||
autr_ctime_r(&(tp->autr->last_queried), tmi)) < 0 ||
fprintf(out, ";;last_success: %u ;;%s",
(unsigned int)tp->autr->last_success,
ctime_r(&(tp->autr->last_success), tmi)) < 0 ||
autr_ctime_r(&(tp->autr->last_success), tmi)) < 0 ||
fprintf(out, ";;next_probe_time: %u ;;%s",
(unsigned int)tp->autr->next_probe_time,
ctime_r(&(tp->autr->next_probe_time), tmi)) < 0 ||
autr_ctime_r(&(tp->autr->next_probe_time), tmi)) < 0 ||
fprintf(out, ";;query_failed: %d\n", (int)tp->autr->query_failed)<0
|| fprintf(out, ";;query_interval: %d\n",
(int)tp->autr->query_interval) < 0 ||
@ -1160,7 +1171,7 @@ autr_write_contents(FILE* out, char* fn, struct trust_anchor* tp)
";;lastchange=%u ;;%s", str, (int)ta->s,
trustanchor_state2str(ta->s), (int)ta->pending_count,
(unsigned int)ta->last_change,
ctime_r(&(ta->last_change), tmi)) < 0) {
autr_ctime_r(&(ta->last_change), tmi)) < 0) {
log_err("could not write to %s: %s", fn, strerror(errno));
free(str);
return 0;
@ -1579,6 +1590,7 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve,
for(ds_idx=0; ds_idx<num; ds_idx++) {
if(!ds_digest_algo_is_supported(ds_rrset, ds_idx) ||
!ds_key_algo_is_supported(ds_rrset, ds_idx) ||
!dnskey_size_is_supported(dnskey_rrset, key_idx) ||
ds_get_digest_algo(ds_rrset, ds_idx) != d)
continue;
if(ds_get_key_algo(ds_rrset, ds_idx)
@ -1633,7 +1645,8 @@ update_events(struct module_env* env, struct val_env* ve,
}
/* is a key of this type supported?. Note rr_list and
* packed_rrset are in the same order. */
if(!dnskey_algo_is_supported(dnskey_rrset, i)) {
if(!dnskey_algo_is_supported(dnskey_rrset, i) ||
!dnskey_size_is_supported(dnskey_rrset, i)) {
/* skip unknown algorithm key, it is useless to us */
log_nametypeclass(VERB_DETAIL, "trust point has "
"unsupported algorithm at",
@ -2262,7 +2275,7 @@ autr_debug_print_ta(struct autr_ta* ta)
return;
}
if(str[0]) str[strlen(str)-1]=0; /* remove newline */
ctime_r(&ta->last_change, buf);
autr_ctime_r(&ta->last_change, buf);
if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */
log_info("[%s] %s ;;state:%d ;;pending_count:%d%s%s last:%s",
trustanchor_state2str(ta->s), str, ta->s, ta->pending_count,
@ -2289,13 +2302,13 @@ autr_debug_print_tp(struct trust_anchor* tp)
log_packed_rrset(NO_VERBOSE, "DNSKEY:", tp->dnskey_rrset);
}
log_info("file %s", tp->autr->file);
ctime_r(&tp->autr->last_queried, buf);
autr_ctime_r(&tp->autr->last_queried, buf);
if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */
log_info("last_queried: %u %s", (unsigned)tp->autr->last_queried, buf);
ctime_r(&tp->autr->last_success, buf);
autr_ctime_r(&tp->autr->last_success, buf);
if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */
log_info("last_success: %u %s", (unsigned)tp->autr->last_success, buf);
ctime_r(&tp->autr->next_probe_time, buf);
autr_ctime_r(&tp->autr->next_probe_time, buf);
if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */
log_info("next_probe_time: %u %s", (unsigned)tp->autr->next_probe_time,
buf);
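Review bot: autr_ctime_r ignores the return value of ctime_r; if the call fails and returns NULL, `s` is left unset and the `strlen(s)` on the Windows path plus every `;;%s` fprintf and log_info caller read uninitialized memory. Check it and leave a terminated string behind, e.g. `if(!ctime_r(t, s)) { s[0] = '\n'; s[1] = 0; }` — a newline rather than an empty string because the autr_write_contents callers rely on ctime's trailing newline to end their lines. The helper also takes no buffer length, so a comment stating that `s` must hold at least the 26 bytes ctime_r requires would document the contract the callers' `tmi`/`buf` arrays have to meet.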


@ -971,7 +971,8 @@ anchors_dnskey_unsupported(struct trust_anchor* ta)
{
size_t i, num = 0;
for(i=0; i<ta->numDNSKEY; i++) {
if(!dnskey_algo_is_supported(ta->dnskey_rrset, i))
if(!dnskey_algo_is_supported(ta->dnskey_rrset, i) ||
!dnskey_size_is_supported(ta->dnskey_rrset, i))
num++;
}
return num;
@ -1048,6 +1049,10 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
const char** zstr;
char* nm;
sldns_buffer* parsebuf = sldns_buffer_new(65535);
if(!parsebuf) {
log_err("malloc error in anchors_apply_cfg.");
return 0;
}
if(cfg->insecure_lan_zones) {
for(zstr = as112_zones; *zstr; zstr++) {
if(!anchor_insert_insecure(anchors, *zstr)) {


@ -180,6 +180,7 @@ nsec_verify_rrset(struct module_env* env, struct val_env* ve,
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
nsec->entry.data;
if(!d) return 0;
if(d->security == sec_status_secure)
return 1;
rrset_check_sec_status(env->rrset_cache, nsec, *env->now);


@ -386,6 +386,49 @@ int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
dnskey_idx));
}
int dnskey_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
size_t dnskey_idx)
{
#ifdef DEPRECATE_RSA_1024
uint8_t* rdata;
size_t len;
int alg = dnskey_get_algo(dnskey_rrset, dnskey_idx);
size_t keysize;
rrset_get_rdata(dnskey_rrset, dnskey_idx, &rdata, &len);
if(len < 2+4)
return 0;
keysize = sldns_rr_dnskey_key_size_raw(rdata+2+4, len-2-4, alg);
switch((sldns_algorithm)alg) {
case LDNS_RSAMD5:
case LDNS_RSASHA1:
case LDNS_RSASHA1_NSEC3:
case LDNS_RSASHA256:
case LDNS_RSASHA512:
/* reject RSA keys of 1024 bits and shorter */
if(keysize <= 1024)
return 0;
break;
default:
break;
}
#else
(void)dnskey_rrset; (void)dnskey_idx;
#endif /* DEPRECATE_RSA_1024 */
return 1;
}
int dnskeyset_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset)
{
size_t i, num = rrset_get_count(dnskey_rrset);
for(i=0; i<num; i++) {
if(!dnskey_size_is_supported(dnskey_rrset, i))
return 0;
}
return 1;
}
void algo_needs_init_dnskey_add(struct algo_needs* n,
struct ub_packed_rrset_key* dnskey, uint8_t* sigalg)
{
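Review bot: The 1024 in dnskey_size_is_supported is a magic number that also appears in the DEPRECATE_RSA_1024 name; naming the threshold once (`#define DEPRECATED_RSA_MAX_BITS 1024`, a constructed name) keeps the policy in one place should the cutoff ever move. The `len < 2+4` test deserves a comment saying what the bytes are (the 2-byte rdlength prefix of the packed rdata plus flags/protocol/algorithm), since `rdata+2+4` below depends on the same layout. If sldns_rr_dnskey_key_size_raw returns 0 for an RSA key it cannot parse (not visible here), such a key is classed as unsupported and the zone ends up insecure rather than bogus; a one-line comment stating that this is intended would prevent a later "fix".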


@ -180,6 +180,23 @@ uint16_t ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx);
int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
size_t dnskey_idx);
/**
* See if the DNSKEY size at that algorithm is supported.
* @param dnskey_rrset: DNSKEY rrset.
* @param dnskey_idx: index of RR in rrset.
* @return true if supported.
*/
int dnskey_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
size_t dnskey_idx);
/**
* See if the DNSKEY size at that algorithm is supported for all the
* RRs in the DNSKEY RRset.
* @param dnskey_rrset: DNSKEY rrset.
* @return true if supported.
*/
int dnskeyset_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset);
/**
* See if DS digest algorithm is supported
* @param ds_rrset: DS rrset
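Review bot: The doc comment for dnskey_size_is_supported does not mention that the check is compiled in only when DEPRECATE_RSA_1024 is defined and then applies to the RSA algorithms alone, returning true for everything else; a caller reading only the header would assume size policing for every algorithm. Suggest adding to both comments: `* Only active when built with DEPRECATE_RSA_1024: RSA keys of 1024 bits or shorter are rejected; other algorithms and other builds always return true.`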


@ -418,7 +418,7 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
struct module_qstate* qstate)
{
enum sec_status sec = sec_status_bogus;
size_t i, num, numchecked = 0, numhashok = 0;
size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0;
num = rrset_get_count(dnskey_rrset);
for(i=0; i<num; i++) {
/* Skip DNSKEYs that don't match the basic criteria. */
@ -441,6 +441,11 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
continue;
}
numhashok++;
if(!dnskey_size_is_supported(dnskey_rrset, i)) {
verbose(VERB_ALGO, "DS okay but that DNSKEY size is not supported");
numsizesupp++;
continue;
}
verbose(VERB_ALGO, "DS match digest ok, trying signature");
/* Otherwise, we have a match! Make sure that the DNSKEY
@ -452,6 +457,10 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
}
/* If it didn't validate with the DNSKEY, try the next one! */
}
if(numsizesupp != 0) {
/* there is a working DS, but that DNSKEY is not supported */
return sec_status_insecure;
}
if(numchecked == 0)
algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx),
reason, "no keys have a DS");
@ -519,17 +528,24 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
continue;
}
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
ds_rrset, i, reason, qstate);
if(sec == sec_status_insecure)
continue;
/* Once we see a single DS with a known digestID and
* algorithm, we cannot return INSECURE (with a
* "null" KeyEntry). */
has_useful_ds = 1;
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
ds_rrset, i, reason, qstate);
if(sec == sec_status_secure) {
if(!sigalg || algo_needs_set_secure(&needs,
(uint8_t)ds_get_key_algo(ds_rrset, i))) {
verbose(VERB_ALGO, "DS matched DNSKEY.");
if(!dnskeyset_size_is_supported(dnskey_rrset)) {
verbose(VERB_ALGO, "DS works, but dnskeyset contain keys that are unsupported, treat as insecure");
return sec_status_insecure;
}
return sec_status_secure;
}
} else if(sigalg && sec == sec_status_bogus) {
@ -631,17 +647,24 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
ds_get_digest_algo(ta_ds, i) != digest_algo)
continue;
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
ta_ds, i, reason, qstate);
if(sec == sec_status_insecure)
continue;
/* Once we see a single DS with a known digestID and
* algorithm, we cannot return INSECURE (with a
* "null" KeyEntry). */
has_useful_ta = 1;
sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
ta_ds, i, reason, qstate);
if(sec == sec_status_secure) {
if(!sigalg || algo_needs_set_secure(&needs,
(uint8_t)ds_get_key_algo(ta_ds, i))) {
verbose(VERB_ALGO, "DS matched DNSKEY.");
if(!dnskeyset_size_is_supported(dnskey_rrset)) {
verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure");
return sec_status_insecure;
}
return sec_status_secure;
}
} else if(sigalg && sec == sec_status_bogus) {
@ -658,6 +681,8 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
/* Check to see if we can understand this DNSKEY */
if(!dnskey_algo_is_supported(ta_dnskey, i))
continue;
if(!dnskey_size_is_supported(ta_dnskey, i))
continue;
/* we saw a useful TA */
has_useful_ta = 1;
@ -668,6 +693,10 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
if(!sigalg || algo_needs_set_secure(&needs,
(uint8_t)dnskey_get_algo(ta_dnskey, i))) {
verbose(VERB_ALGO, "anchor matched DNSKEY.");
if(!dnskeyset_size_is_supported(dnskey_rrset)) {
verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure");
return sec_status_insecure;
}
return sec_status_secure;
}
} else if(sigalg && sec == sec_status_bogus) {
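Review bot: `numsizesupp` counts the DNSKEYs whose size is not supported, so the name says the opposite of what it holds; `numsizeunsupp` (or `numsizebad`) would read correctly at the `if(numsizesupp != 0)` check. The dnskeyset_size_is_supported check with its verbose message is copied three times with slightly different wording ("DS works" vs "trustanchor works", and "contain" should be "contains"); a small static helper returning sec_status_insecure would remove the duplication. The restructuring that evaluates verify_dnskeys_with_ds_rr before setting has_useful_ds/has_useful_ta is what turns an unsupported-size key into an insecure rather than bogus result, and a comment at those `continue` lines saying so would help future readers.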


@ -137,6 +137,7 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
val_env->date_override = cfg->val_date_override;
val_env->skew_min = cfg->val_sig_skew_min;
val_env->skew_max = cfg->val_sig_skew_max;
val_env->max_restart = cfg->val_max_restart;
c = cfg_count_numbers(cfg->val_nsec3_key_iterations);
if(c < 1 || (c&1)) {
log_err("validator: unparseable or odd nsec3 key "
@ -1487,7 +1488,7 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
enum val_classification subtype = val_classify_response(
qstate->query_flags, &qstate->qinfo, &vq->qchase,
vq->orig_msg->rep, vq->rrset_skip);
if(vq->restart_count > VAL_MAX_RESTART_COUNT) {
if(vq->restart_count > ve->max_restart) {
verbose(VERB_ALGO, "restart count exceeded");
return val_error(qstate, id);
}
@ -1640,7 +1641,7 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
errinf(qstate, key_entry_get_reason(vq->key_entry));
}
/* no retries, stop bothering the authority until timeout */
vq->restart_count = VAL_MAX_RESTART_COUNT;
vq->restart_count = ve->max_restart;
vq->chase_reply->security = sec_status_bogus;
vq->state = VAL_FINISHED_STATE;
return 1;
@ -1848,7 +1849,7 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
LDNS_RR_TYPE_DNSKEY, vq->key_entry->key_class);
vq->chase_reply->security = sec_status_bogus;
errinf(qstate, "while building chain of trust");
if(vq->restart_count >= VAL_MAX_RESTART_COUNT)
if(vq->restart_count >= ve->max_restart)
key_cache_insert(ve->kcache, vq->key_entry, qstate);
return 1;
}
@ -2064,7 +2065,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
* endless bogus revalidation */
if(vq->orig_msg->rep->security == sec_status_bogus) {
/* see if we can try again to fetch data */
if(vq->restart_count < VAL_MAX_RESTART_COUNT) {
if(vq->restart_count < ve->max_restart) {
int restart_count = vq->restart_count+1;
verbose(VERB_ALGO, "validation failed, "
"blacklist and retry to fetch data");
@ -2605,6 +2606,7 @@ process_ds_response(struct module_qstate* qstate, struct val_qstate* vq,
int id, int rcode, struct dns_msg* msg, struct query_info* qinfo,
struct sock_list* origin)
{
struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
struct key_entry_key* dske = NULL;
uint8_t* olds = vq->empty_DS_name;
vq->empty_DS_name = NULL;
@ -2638,7 +2640,7 @@ process_ds_response(struct module_qstate* qstate, struct val_qstate* vq,
vq->chain_blacklist = NULL; /* fresh blacklist for next part*/
/* Keep the forState.state on FINDKEY. */
} else if(key_entry_isbad(dske)
&& vq->restart_count < VAL_MAX_RESTART_COUNT) {
&& vq->restart_count < ve->max_restart) {
vq->empty_DS_name = olds;
val_blacklist(&vq->chain_blacklist, qstate->region, origin, 1);
qstate->errinf = NULL;
@ -2691,7 +2693,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
/* bad response */
verbose(VERB_DETAIL, "Missing DNSKEY RRset in response to "
"DNSKEY query.");
if(vq->restart_count < VAL_MAX_RESTART_COUNT) {
if(vq->restart_count < ve->max_restart) {
val_blacklist(&vq->chain_blacklist, qstate->region,
origin, 1);
qstate->errinf = NULL;
@ -2730,7 +2732,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
* state. */
if(!key_entry_isgood(vq->key_entry)) {
if(key_entry_isbad(vq->key_entry)) {
if(vq->restart_count < VAL_MAX_RESTART_COUNT) {
if(vq->restart_count < ve->max_restart) {
val_blacklist(&vq->chain_blacklist,
qstate->region, origin, 1);
qstate->errinf = NULL;
@ -2807,7 +2809,7 @@ process_prime_response(struct module_qstate* qstate, struct val_qstate* vq,
lock_basic_unlock(&ta->lock);
if(vq->key_entry) {
if(key_entry_isbad(vq->key_entry)
&& vq->restart_count < VAL_MAX_RESTART_COUNT) {
&& vq->restart_count < ve->max_restart) {
val_blacklist(&vq->chain_blacklist, qstate->region,
origin, 1);
qstate->errinf = NULL;
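Review bot: val_apply_cfg copies cfg->val_max_restart without validation, and the server_val_max_restart parser hunk earlier on this page accepts any atoi() result including negative numbers; with a negative value `vq->restart_count > ve->max_restart` in processInit is true on the first pass and every validation ends in val_error. Reject it where the config is applied, e.g. `if(cfg->val_max_restart < 0) { log_err("validator: negative max restart count"); return 0; }`, assuming val_apply_cfg returns 0 on error like the nsec3 iterations check just below it (the function's start is outside the hunk). The new `ve` local in process_ds_response is fine; process_dnskey_response and process_prime_response presumably already have `ve` in scope, since their hunks use it without declaring it.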


@ -64,9 +64,6 @@ struct config_strlist;
*/
#define BOGUS_KEY_TTL 60 /* seconds */
/** max number of query restarts, number of IPs to probe */
#define VAL_MAX_RESTART_COUNT 5
/** Root key sentinel is ta preamble */
#define SENTINEL_IS "root-key-sentinel-is-ta-"
/** Root key sentinel is not ta preamble */
@ -95,6 +92,9 @@ struct val_env {
/** clock skew max for signatures */
int32_t skew_max;
/** max number of query restarts, number of IPs to probe */
int32_t max_restart;
/** TTL for bogus data; used instead of untrusted TTL from data.
* Bogus data will not be verified more often than this interval.
* seconds. */