From: Cy Schubert Date: Fri, 18 Feb 2022 00:05:15 +0000 (-0800) Subject: unbound: Vendor import 1.15.0 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=6b3a14c24c48d0459b99234af9efb5e57ff6375f;p=people%2Froyger%2Ffreebsd.git unbound: Vendor import 1.15.0 Vendor import GA release of unbound 1.15.0. (cherry picked from commit 9cf5bc93f6ba1711ae7bf96a982a2b3c8b073a18) --- diff --git a/contrib/unbound/README.md b/contrib/unbound/README.md index c8877d1e9df5..d1bbcf2b7797 100644 --- a/contrib/unbound/README.md +++ b/contrib/unbound/README.md @@ -11,7 +11,7 @@ have any feedback, we would love to hear from you. Don’t hesitate to [create an issue on Github](https://github.com/NLnetLabs/unbound/issues/new) or post a message on the [Unbound mailing list](https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users). You can learn more about Unbound by reading our -[documentation](https://nlnetlabs.nl/documentation/unbound/). +[documentation](https://unbound.docs.nlnetlabs.nl/). ## Compiling @@ -33,7 +33,7 @@ support. All of Unbound's configuration options are described in the man pages, which will be installed and are available on the Unbound -[documentation page](https://nlnetlabs.nl/documentation/unbound/). +[documentation page](https://unbound.docs.nlnetlabs.nl/). An example configuration file is located in [doc/example.conf](https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in). diff --git a/contrib/unbound/config.guess b/contrib/unbound/config.guess index e81d3ae7c210..7f76b6228f73 100755 --- a/contrib/unbound/config.guess +++ b/contrib/unbound/config.guess @@ -1,14 +1,14 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2021 Free Software Foundation, Inc. +# Copyright 1992-2022 Free Software Foundation, Inc. # shellcheck disable=SC2006,SC2268 # see below for rationale -timestamp='2021-06-03' +timestamp='2022-01-09' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or +# the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but @@ -60,7 +60,7 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2021 Free Software Foundation, Inc. +Copyright 1992-2022 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -437,7 +437,7 @@ case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in # This test works for both compilers. if test "$CC_FOR_BUILD" != no_compiler_found; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -m64 -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then SUN_ARCH=x86_64 @@ -929,6 +929,9 @@ EOF i*:PW*:*) GUESS=$UNAME_MACHINE-pc-pw32 ;; + *:SerenityOS:*:*) + GUESS=$UNAME_MACHINE-pc-serenity + ;; *:Interix*:*) case $UNAME_MACHINE in x86) @@ -1522,6 +1525,9 @@ EOF i*86:rdos:*:*) GUESS=$UNAME_MACHINE-pc-rdos ;; + i*86:Fiwix:*:*) + GUESS=$UNAME_MACHINE-pc-fiwix + ;; *:AROS:*:*) GUESS=$UNAME_MACHINE-unknown-aros ;; diff --git a/contrib/unbound/config.h.in b/contrib/unbound/config.h.in index e8a26735d2d3..197c2838b33f 100644 --- a/contrib/unbound/config.h.in +++ b/contrib/unbound/config.h.in @@ -381,6 +381,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_TCP_H +/* Define to 1 if you have the header file. */ +#undef HAVE_NETIOAPI_H + /* Use libnettle for crypto */ #undef HAVE_NETTLE diff --git a/contrib/unbound/config.sub b/contrib/unbound/config.sub index d74fb6deac94..dba16e84c77c 100755 --- a/contrib/unbound/config.sub +++ b/contrib/unbound/config.sub @@ -1,14 +1,14 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright 1992-2021 Free Software Foundation, Inc. +# Copyright 1992-2022 Free Software Foundation, Inc. # shellcheck disable=SC2006,SC2268 # see below for rationale -timestamp='2021-08-14' +timestamp='2022-01-03' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or +# the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but @@ -76,7 +76,7 @@ Report bugs and patches to ." version="\ GNU config.sub ($timestamp) -Copyright 1992-2021 Free Software Foundation, Inc. +Copyright 1992-2022 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -1020,6 +1020,11 @@ case $cpu-$vendor in ;; # Here we normalize CPU types with a missing or matching vendor + armh-unknown | armh-alt) + cpu=armv7l + vendor=alt + basic_os=${basic_os:-linux-gnueabihf} + ;; dpx20-unknown | dpx20-bull) cpu=rs6000 vendor=bull @@ -1121,7 +1126,7 @@ case $cpu-$vendor in xscale-* | xscalee[bl]-*) cpu=`echo "$cpu" | sed 's/^xscale/arm/'` ;; - arm64-*) + arm64-* | aarch64le-*) cpu=aarch64 ;; @@ -1304,7 +1309,7 @@ esac if test x$basic_os != x then -# First recognize some ad-hoc caes, or perhaps split kernel-os, or else just +# First recognize some ad-hoc cases, or perhaps split kernel-os, or else just # set os. case $basic_os in gnu/linux*) @@ -1748,7 +1753,8 @@ case $os in | skyos* | haiku* | rdos* | toppers* | drops* | es* \ | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \ | midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \ - | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr*) + | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr* \ + | fiwix* ) ;; # This one is extra strict with allowed versions sco3.2v2 | sco3.2v[4-9]* | sco5v6*) diff --git a/contrib/unbound/configure b/contrib/unbound/configure index 0e964568e234..48f9c2d02b68 100755 --- a/contrib/unbound/configure +++ b/contrib/unbound/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.14.0. +# Generated by GNU Autoconf 2.69 for unbound 1.15.0. # # Report bugs to . # @@ -591,8 +591,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.14.0' -PACKAGE_STRING='unbound 1.14.0' +PACKAGE_VERSION='1.15.0' +PACKAGE_STRING='unbound 1.15.0' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues' PACKAGE_URL='' @@ -1466,7 +1466,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.14.0 to adapt to many kinds of systems. +\`configure' configures unbound 1.15.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1531,7 +1531,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.14.0:";; + short | recursive ) echo "Configuration of unbound 1.15.0:";; esac cat <<\_ACEOF @@ -1773,7 +1773,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.14.0 +unbound configure 1.15.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2482,7 +2482,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.14.0, which was +It was created by unbound $as_me 1.15.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2832,13 +2832,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu UNBOUND_VERSION_MAJOR=1 -UNBOUND_VERSION_MINOR=14 +UNBOUND_VERSION_MINOR=15 UNBOUND_VERSION_MICRO=0 LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=14 +LIBUNBOUND_REVISION=15 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2920,6 +2920,7 @@ LIBUNBOUND_AGE=1 # 1.13.1 had 9:12:1 # 1.13.2 had 9:13:1 # 1.14.0 had 9:14:1 +# 1.15.0 had 9:15:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -14812,6 +14813,51 @@ fi done +for ac_header in netioapi.h +do : + ac_fn_c_check_header_compile "$LINENO" "netioapi.h" "ac_cv_header_netioapi_h" "$ac_includes_default +#if HAVE_SYS_PARAM_H +#include +#endif + +#ifdef HAVE_SYS_SOCKET_H +#include +#endif + +#ifdef HAVE_SYS_UIO_H +#include +#endif + +#ifdef HAVE_NETINET_IN_H +#include +#endif + +#ifdef HAVE_NETINET_TCP_H +#include +#endif + +#ifdef HAVE_ARPA_INET_H +#include +#endif + +#ifdef HAVE_WINSOCK2_H +#include +#endif + +#ifdef HAVE_WS2TCPIP_H +#include +#endif + +" +if test "x$ac_cv_header_netioapi_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_NETIOAPI_H 1 +_ACEOF + +fi + +done + # check for types. # Using own tests for int64* because autoconf builtin only give 32bit. @@ -17895,7 +17941,7 @@ if test "`uname`" = "NetBSD"; then fi -if test "`uname -o`" = "GNU/Linux"; then +if test "`uname`" = "Linux"; then # splint cannot parse modern c99 header files GCC_DOCKER_LINTFLAGS='-syntax' @@ -21840,7 +21886,7 @@ _ACEOF -version=1.14.0 +version=1.15.0 date=`date +'%b %e, %Y'` @@ -22359,7 +22405,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.14.0, which was +This file was extended by unbound $as_me 1.15.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -22425,7 +22471,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.14.0 +unbound config.status 1.15.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/contrib/unbound/configure.ac b/contrib/unbound/configure.ac index 36fdb4598c27..5c7da1978131 100644 --- a/contrib/unbound/configure.ac +++ b/contrib/unbound/configure.ac @@ -10,7 +10,7 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) -m4_define([VERSION_MINOR],[14]) +m4_define([VERSION_MINOR],[15]) m4_define([VERSION_MICRO],[0]) AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound]) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) @@ -18,7 +18,7 @@ AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=14 +LIBUNBOUND_REVISION=15 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -100,6 +100,7 @@ LIBUNBOUND_AGE=1 # 1.13.1 had 9:12:1 # 1.13.2 had 9:13:1 # 1.14.0 had 9:14:1 +# 1.15.0 had 9:15:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -412,6 +413,39 @@ AC_CHECK_HEADERS([net/if.h],,, [ # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH AC_CHECK_HEADERS([TargetConditionals.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([netioapi.h],,, [AC_INCLUDES_DEFAULT +#if HAVE_SYS_PARAM_H +#include +#endif + +#ifdef HAVE_SYS_SOCKET_H +#include +#endif + +#ifdef HAVE_SYS_UIO_H +#include +#endif + +#ifdef HAVE_NETINET_IN_H +#include +#endif + +#ifdef HAVE_NETINET_TCP_H +#include +#endif + +#ifdef HAVE_ARPA_INET_H +#include +#endif + +#ifdef HAVE_WINSOCK2_H +#include +#endif + +#ifdef HAVE_WS2TCPIP_H +#include +#endif +]) # check for types. # Using own tests for int64* because autoconf builtin only give 32bit. @@ -782,7 +816,7 @@ if test "`uname`" = "NetBSD"; then AC_SUBST(NETBSD_LINTFLAGS) fi -if test "`uname -o`" = "GNU/Linux"; then +if test "`uname`" = "Linux"; then # splint cannot parse modern c99 header files GCC_DOCKER_LINTFLAGS='-syntax' AC_SUBST(GCC_DOCKER_LINTFLAGS) diff --git a/contrib/unbound/contrib/aaaa-filter-iterator.patch b/contrib/unbound/contrib/aaaa-filter-iterator.patch index f51de2a40d9b..5513133722db 100644 --- a/contrib/unbound/contrib/aaaa-filter-iterator.patch +++ b/contrib/unbound/contrib/aaaa-filter-iterator.patch @@ -1,8 +1,8 @@ diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in -index f426ac5f..147fbfa9 100644 +index 5a75e319..c6c6dbe2 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in -@@ -872,6 +872,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when +@@ -970,6 +970,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when this option in enabled. Only use if you know what you are doing. This option only has effect when qname-minimisation is enabled. Default is no. .TP @@ -17,10 +17,10 @@ index f426ac5f..147fbfa9 100644 Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other denials, using information from previous NXDOMAINs answers. diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c -index aae934dd..55c55de0 100644 +index f093c1bf..e55a2246 100644 --- a/iterator/iter_scrub.c +++ b/iterator/iter_scrub.c -@@ -667,6 +667,32 @@ static int sanitize_nsec_is_overreach(struct rrset_parse* rrset, +@@ -679,6 +679,32 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt, return 0; } @@ -53,7 +53,7 @@ index aae934dd..55c55de0 100644 /** * Given a response event, remove suspect RRsets from the response. * "Suspect" rrsets are potentially poison. Note that this routine expects -@@ -686,6 +712,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, +@@ -698,6 +724,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, struct query_info* qinfo, uint8_t* zonename, struct module_env* env, struct iter_env* ie) { @@ -61,7 +61,7 @@ index aae934dd..55c55de0 100644 int del_addi = 0; /* if additional-holding rrsets are deleted, we do not trust the normalized additional-A-AAAA any more */ struct rrset_parse* rrset, *prev; -@@ -721,6 +748,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, +@@ -733,6 +760,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, rrset = rrset->rrset_all_next; } @@ -75,7 +75,7 @@ index aae934dd..55c55de0 100644 /* At this point, we brutally remove ALL rrsets that aren't * children of the originating zone. The idea here is that, * as far as we know, the server that we contacted is ONLY -@@ -732,6 +766,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, +@@ -744,6 +778,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, rrset = msg->rrset_first; while(rrset) { @@ -101,22 +101,22 @@ index aae934dd..55c55de0 100644 if( (rrset->type == LDNS_RR_TYPE_A || rrset->type == LDNS_RR_TYPE_AAAA)) { diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c -index 7bc67da6..e10f547a 100644 +index 2482a1f4..bd5ba243 100644 --- a/iterator/iter_utils.c +++ b/iterator/iter_utils.c -@@ -175,6 +175,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) - } +@@ -177,6 +177,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) iter_env->supports_ipv6 = cfg->do_ip6; iter_env->supports_ipv4 = cfg->do_ip4; + iter_env->outbound_msg_retry = cfg->outbound_msg_retry; + iter_env->aaaa_filter = cfg->aaaa_filter; return 1; } diff --git a/iterator/iterator.c b/iterator/iterator.c -index 23b07ea9..ca29b48c 100644 +index 54006940..768fe202 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c -@@ -2127,6 +2127,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id) +@@ -2155,6 +2155,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id) return 0; } @@ -170,7 +170,7 @@ index 23b07ea9..ca29b48c 100644 /** * This is the request event state where the request will be sent to one of -@@ -2186,6 +2233,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -2216,6 +2263,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } @@ -184,7 +184,7 @@ index 23b07ea9..ca29b48c 100644 /* Make sure we have a delegation point, otherwise priming failed * or another failure occurred */ if(!iq->dp) { -@@ -3574,6 +3628,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -3648,6 +3702,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq, return 0; } @@ -246,7 +246,7 @@ index 23b07ea9..ca29b48c 100644 /* * Return priming query results to interested super querystates. * -@@ -3593,6 +3702,9 @@ iter_inform_super(struct module_qstate* qstate, int id, +@@ -3667,6 +3776,9 @@ iter_inform_super(struct module_qstate* qstate, int id, else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*) super->minfo[id])->state == DSNS_FIND_STATE) processDSNSResponse(qstate, id, super); @@ -256,7 +256,7 @@ index 23b07ea9..ca29b48c 100644 else if(qstate->return_rcode != LDNS_RCODE_NOERROR) error_supers(qstate, id, super); else if(qstate->is_priming) -@@ -3630,6 +3742,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -3704,6 +3816,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq, case INIT_REQUEST_3_STATE: cont = processInitRequest3(qstate, iq, id); break; @@ -266,7 +266,7 @@ index 23b07ea9..ca29b48c 100644 case QUERYTARGETS_STATE: cont = processQueryTargets(qstate, iq, ie, id); break; -@@ -3961,6 +4076,8 @@ iter_state_to_string(enum iter_state state) +@@ -4040,6 +4155,8 @@ iter_state_to_string(enum iter_state state) return "INIT REQUEST STATE (stage 2)"; case INIT_REQUEST_3_STATE: return "INIT REQUEST STATE (stage 3)"; @@ -275,7 +275,7 @@ index 23b07ea9..ca29b48c 100644 case QUERYTARGETS_STATE : return "QUERY TARGETS STATE"; case PRIME_RESP_STATE : -@@ -3985,6 +4102,7 @@ iter_state_is_responsestate(enum iter_state s) +@@ -4064,6 +4181,7 @@ iter_state_is_responsestate(enum iter_state s) case INIT_REQUEST_STATE : case INIT_REQUEST_2_STATE : case INIT_REQUEST_3_STATE : @@ -284,10 +284,10 @@ index 23b07ea9..ca29b48c 100644 case COLLECT_CLASS_STATE : return 0; diff --git a/iterator/iterator.h b/iterator/iterator.h -index 342ac207..731948d1 100644 +index 8b840528..a61c4195 100644 --- a/iterator/iterator.h +++ b/iterator/iterator.h -@@ -135,6 +135,9 @@ struct iter_env { +@@ -133,6 +133,9 @@ struct iter_env { */ int* target_fetch_policy; @@ -297,7 +297,7 @@ index 342ac207..731948d1 100644 /** lock on ratelimit counter */ lock_basic_type queries_ratelimit_lock; /** number of queries that have been ratelimited */ -@@ -186,6 +189,14 @@ enum iter_state { +@@ -187,6 +190,14 @@ enum iter_state { */ INIT_REQUEST_3_STATE, @@ -312,7 +312,7 @@ index 342ac207..731948d1 100644 /** * Each time a delegation point changes for a given query or a * query times out and/or wakes up, this state is (re)visited. -@@ -375,6 +386,13 @@ struct iter_qstate { +@@ -376,6 +387,13 @@ struct iter_qstate { */ int refetch_glue; @@ -327,10 +327,10 @@ index 342ac207..731948d1 100644 struct outbound_list outlist; diff --git a/pythonmod/interface.i b/pythonmod/interface.i -index f08b575d..47f1bb2e 100644 +index 1ca8686a..d91b19ec 100644 --- a/pythonmod/interface.i +++ b/pythonmod/interface.i -@@ -975,6 +975,7 @@ struct config_file { +@@ -995,6 +995,7 @@ struct config_file { int harden_dnssec_stripped; int harden_referral_path; int use_caps_bits_for_id; @@ -339,10 +339,10 @@ index f08b575d..47f1bb2e 100644 struct config_strlist* private_domain; size_t unwanted_threshold; diff --git a/util/config_file.c b/util/config_file.c -index 0ab8614a..729fb147 100644 +index 969d664b..8d94b008 100644 --- a/util/config_file.c +++ b/util/config_file.c -@@ -218,6 +218,7 @@ config_create(void) +@@ -231,6 +231,7 @@ config_create(void) cfg->harden_referral_path = 0; cfg->harden_algo_downgrade = 0; cfg->use_caps_bits_for_id = 0; @@ -351,10 +351,10 @@ index 0ab8614a..729fb147 100644 cfg->private_address = NULL; cfg->private_domain = NULL; diff --git a/util/config_file.h b/util/config_file.h -index e61257a3..dabaa7bb 100644 +index c7c9a0a4..e3aa15b0 100644 --- a/util/config_file.h +++ b/util/config_file.h -@@ -260,6 +260,8 @@ struct config_file { +@@ -285,6 +285,8 @@ struct config_file { int harden_algo_downgrade; /** use 0x20 bits in query as random ID bits */ int use_caps_bits_for_id; @@ -364,38 +364,38 @@ index e61257a3..dabaa7bb 100644 struct config_strlist* caps_whitelist; /** strip away these private addrs from answers, no DNS Rebinding */ diff --git a/util/configlexer.lex b/util/configlexer.lex -index 79a0edca..4eaec678 100644 +index 34a0e5dd..c890be2a 100644 --- a/util/configlexer.lex +++ b/util/configlexer.lex -@@ -304,6 +304,7 @@ harden-algo-downgrade{COLON} { YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) } - use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) } +@@ -317,6 +317,7 @@ use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) } caps-whitelist{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) } + caps-exempt{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) } unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) } +aaaa-filter{COLON} { YDVAR(1, VAR_AAAA_FILTER) } private-address{COLON} { YDVAR(1, VAR_PRIVATE_ADDRESS) } private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) } prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) } diff --git a/util/configparser.y b/util/configparser.y -index 1d0e8658..f284dd43 100644 +index d4f965f9..8cc237c6 100644 --- a/util/configparser.y +++ b/util/configparser.y @@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser; - %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT + %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS +%token VAR_AAAA_FILTER %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE -@@ -233,6 +234,7 @@ content_server: server_num_threads | server_verbosity | server_port | +@@ -247,6 +248,7 @@ content_server: server_num_threads | server_verbosity | server_port | server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size | server_harden_referral_path | server_private_address | - server_private_domain | server_extended_statistics | + server_private_domain | server_extended_statistics | + server_aaaa_filter | - server_local_data_ptr | server_jostle_timeout | - server_unwanted_reply_threshold | server_log_time_ascii | - server_domain_insecure | server_val_sig_skew_min | -@@ -1563,6 +1565,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG + server_local_data_ptr | server_jostle_timeout | + server_unwanted_reply_threshold | server_log_time_ascii | + server_domain_insecure | server_val_sig_skew_min | +@@ -1754,6 +1756,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG yyerror("out of memory"); } ; diff --git a/contrib/unbound/daemon/remote.c b/contrib/unbound/daemon/remote.c index adf0383895d4..675ef43970d1 100644 --- a/contrib/unbound/daemon/remote.c +++ b/contrib/unbound/daemon/remote.c @@ -300,6 +300,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err, */ if(fd != -1) { #ifdef HAVE_CHOWN + chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)); if (cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1) { if(chown(ip, cfg_uid, cfg_gid) == -1) @@ -307,7 +308,6 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err, (unsigned)cfg_uid, (unsigned)cfg_gid, ip, strerror(errno)); } - chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)); #else (void)cfg; #endif @@ -2015,7 +2015,7 @@ print_root_fwds(RES* ssl, struct iter_forwards* fwds, uint8_t* root) /** parse args into delegpt */ static struct delegpt* -parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names) +parse_delegpt(RES* ssl, char* args, uint8_t* nm) { /* parse args and add in */ char* p = args; @@ -2037,40 +2037,35 @@ parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names) } /* parse address */ if(!authextstrtoaddr(todo, &addr, &addrlen, &auth_name)) { - if(allow_names) { - uint8_t* n = NULL; - size_t ln; - int lb; - if(!parse_arg_name(ssl, todo, &n, &ln, &lb)) { - (void)ssl_printf(ssl, "error cannot " - "parse IP address or name " - "'%s'\n", todo); - delegpt_free_mlc(dp); - return NULL; - } - if(!delegpt_add_ns_mlc(dp, n, 0)) { - (void)ssl_printf(ssl, "error out of memory\n"); - free(n); - delegpt_free_mlc(dp); - return NULL; - } - free(n); - - } else { + uint8_t* dname= NULL; + int port; + dname = authextstrtodname(todo, &port, &auth_name); + if(!dname) { (void)ssl_printf(ssl, "error cannot parse" - " IP address '%s'\n", todo); + " '%s'\n", todo); + delegpt_free_mlc(dp); + return NULL; + } +#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + if(auth_name) + log_err("no name verification functionality in " + "ssl library, ignored name for %s", todo); +#endif + if(!delegpt_add_ns_mlc(dp, dname, 0, auth_name, port)) { + (void)ssl_printf(ssl, "error out of memory\n"); + free(dname); delegpt_free_mlc(dp); return NULL; } } else { #if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) if(auth_name) - log_err("no name verification functionality in " + log_err("no name verification functionality in " "ssl library, ignored name for %s", todo); #endif /* add address */ if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0, - auth_name)) { + auth_name, -1)) { (void)ssl_printf(ssl, "error out of memory\n"); delegpt_free_mlc(dp); return NULL; @@ -2103,7 +2098,7 @@ do_forward(RES* ssl, struct worker* worker, char* args) forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, root); } else { struct delegpt* dp; - if(!(dp = parse_delegpt(ssl, args, root, 0))) + if(!(dp = parse_delegpt(ssl, args, root))) return; if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) { (void)ssl_printf(ssl, "error out of memory\n"); @@ -2149,7 +2144,7 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp, /* parse dp */ if(dp) { - if(!(*dp = parse_delegpt(ssl, args, *nm, 1))) { + if(!(*dp = parse_delegpt(ssl, args, *nm))) { free(*nm); return 0; } @@ -2865,6 +2860,8 @@ struct ratelimit_list_arg { int all; /** current time */ time_t now; + /** if backoff is enabled */ + int backoff; }; #define ip_ratelimit_list_arg ratelimit_list_arg @@ -2878,7 +2875,7 @@ rate_list(struct lruhash_entry* e, void* arg) struct rate_data* d = (struct rate_data*)e->data; char buf[257]; int lim = infra_find_ratelimit(a->infra, k->name, k->namelen); - int max = infra_rate_max(d, a->now); + int max = infra_rate_max(d, a->now, a->backoff); if(a->all == 0) { if(max < lim) return; @@ -2896,7 +2893,7 @@ ip_rate_list(struct lruhash_entry* e, void* arg) struct ip_rate_key* k = (struct ip_rate_key*)e->key; struct ip_rate_data* d = (struct ip_rate_data*)e->data; int lim = infra_ip_ratelimit; - int max = infra_rate_max(d, a->now); + int max = infra_rate_max(d, a->now, a->backoff); if(a->all == 0) { if(max < lim) return; @@ -2914,6 +2911,7 @@ do_ratelimit_list(RES* ssl, struct worker* worker, char* arg) a.infra = worker->env.infra_cache; a.now = *worker->env.now; a.ssl = ssl; + a.backoff = worker->env.cfg->ratelimit_backoff; arg = skipwhite(arg); if(strcmp(arg, "+a") == 0) a.all = 1; @@ -2932,6 +2930,7 @@ do_ip_ratelimit_list(RES* ssl, struct worker* worker, char* arg) a.infra = worker->env.infra_cache; a.now = *worker->env.now; a.ssl = ssl; + a.backoff = worker->env.cfg->ip_ratelimit_backoff; arg = skipwhite(arg); if(strcmp(arg, "+a") == 0) a.all = 1; diff --git a/contrib/unbound/daemon/worker.c b/contrib/unbound/daemon/worker.c index 5d2483cd2cd9..862affb24e9a 100644 --- a/contrib/unbound/daemon/worker.c +++ b/contrib/unbound/daemon/worker.c @@ -1167,7 +1167,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error, /* check if this query should be dropped based on source ip rate limiting */ if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo, - *worker->env.now, c->buffer)) { + *worker->env.now, + worker->env.cfg->ip_ratelimit_backoff, c->buffer)) { /* See if we are passed through with slip factor */ if(worker->env.cfg->ip_ratelimit_factor != 0 && ub_random_max(worker->env.rnd, @@ -1967,9 +1968,10 @@ worker_delete(struct worker* worker) struct outbound_entry* worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, - int want_dnssec, int nocaps, struct sockaddr_storage* addr, - socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream, - int ssl_upstream, char* tls_auth_name, struct module_qstate* q) + int want_dnssec, int nocaps, int check_ratelimit, + struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, + size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, + struct module_qstate* q, int* was_ratelimited) { struct worker* worker = q->env->worker; struct outbound_entry* e = (struct outbound_entry*)regional_alloc( @@ -1978,9 +1980,10 @@ worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, return NULL; e->qstate = q; e->qsent = outnet_serviced_query(worker->back, qinfo, flags, dnssec, - want_dnssec, nocaps, tcp_upstream, + want_dnssec, nocaps, check_ratelimit, tcp_upstream, ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, q, - worker_handle_service_reply, e, worker->back->udp_buff, q->env); + worker_handle_service_reply, e, worker->back->udp_buff, q->env, + was_ratelimited); if(!e->qsent) { return NULL; } @@ -2024,10 +2027,11 @@ struct outbound_entry* libworker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps), + int ATTR_UNUSED(check_ratelimit), struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), - struct module_qstate* ATTR_UNUSED(q)) + struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; diff --git a/contrib/unbound/dnstap/dtstream.c b/contrib/unbound/dnstap/dtstream.c index 14aacaef567b..a1dd9703ea95 100644 --- a/contrib/unbound/dnstap/dtstream.c +++ b/contrib/unbound/dnstap/dtstream.c @@ -188,9 +188,9 @@ mq_wakeup_cb(void* arg) /** start timer to wakeup dtio because there is content in the queue */ static void -dt_msg_queue_start_timer(struct dt_msg_queue* mq) +dt_msg_queue_start_timer(struct dt_msg_queue* mq, int wakeupnow) { - struct timeval tv; + struct timeval tv = {0}; /* Start a timer to process messages to be logged. * If we woke up the dtio thread for every message, the wakeup * messages take up too much processing power. If the queue @@ -204,19 +204,26 @@ dt_msg_queue_start_timer(struct dt_msg_queue* mq) /* do not start the timer if a timer already exists, perhaps * in another worker. So this variable is protected by a lock in - * dtio */ + * dtio. */ + + /* If we need to wakeupnow, 0 the timer to force the callback. */ lock_basic_lock(&mq->dtio->wakeup_timer_lock); if(mq->dtio->wakeup_timer_enabled) { + if(wakeupnow) { + comm_timer_set(mq->wakeup_timer, &tv); + } lock_basic_unlock(&mq->dtio->wakeup_timer_lock); return; } mq->dtio->wakeup_timer_enabled = 1; /* we are going to start one */ - lock_basic_unlock(&mq->dtio->wakeup_timer_lock); /* start the timer, in mq, in the event base of our worker */ - tv.tv_sec = 1; - tv.tv_usec = 0; + if(!wakeupnow) { + tv.tv_sec = 1; + tv.tv_usec = 0; + } comm_timer_set(mq->wakeup_timer, &tv); + lock_basic_unlock(&mq->dtio->wakeup_timer_lock); } void @@ -283,10 +290,8 @@ dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len) /* release lock */ lock_basic_unlock(&mq->lock); - if(wakeupnow) { - dtio_wakeup(mq->dtio); - } else if(wakeupstarttimer) { - dt_msg_queue_start_timer(mq); + if(wakeupnow || wakeupstarttimer) { + dt_msg_queue_start_timer(mq, wakeupnow); } } diff --git a/contrib/unbound/dnstap/unbound-dnstap-socket.c b/contrib/unbound/dnstap/unbound-dnstap-socket.c index 990b8a866af1..63292fbca36e 100644 --- a/contrib/unbound/dnstap/unbound-dnstap-socket.c +++ b/contrib/unbound/dnstap/unbound-dnstap-socket.c @@ -1413,11 +1413,12 @@ void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg)) struct outbound_entry* worker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), - int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), + int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit), + struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), - struct module_qstate* ATTR_UNUSED(q)) + struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; @@ -1446,11 +1447,12 @@ worker_alloc_cleanup(void* ATTR_UNUSED(arg)) struct outbound_entry* libworker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), - int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), + int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit), + struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), - struct module_qstate* ATTR_UNUSED(q)) + struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog index 8aec7694f42d..8af7d3f888ad 100644 --- a/contrib/unbound/doc/Changelog +++ b/contrib/unbound/doc/Changelog @@ -1,5 +1,138 @@ +3 February 2022: Wouter + - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan. + +2 February 2022: George + - Merge PR #532 from Shchelk: Fix: buffer overflow bug. + - Merge PR #616: Update ratelimit logic. It also introduces + ratelimit-backoff and ip-ratelimit-backoff configuration options. + - Change aggressive-nsec default to yes. + - Merge PR #617: Update stub/forward-host notation to accept port and + tls-auth-name. + - Update stream_ssl.tdir test to also use the new forward-host + notation. + +2 February 2022: Wouter + - Update version number in repo to 1.15.0 for upcoming release, + since it changes the aggressive-nsec default and the ratelimit change. + - Fix header comment for doxygen for authextstrtoaddr. + - please clang analyzer for loop in test code. + - Fix docker splint test to use more portable uname. + - Update contrib/aaaa-filter-iterator.patch with diff for current + software version. + +1 February 2022: George + - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA + internals. + +31 January 2022: George + - Fix review comment for use-after-free when failing to send UDP out. + +31 January 2022: Wouter + - iana portlist update. + +29 January 2022: George + - Fix tls-* and ssl-* documented alternate syntax to also be available + through remote-control and unbound-checkconf. + - Better cleanup on failed DoT/DoH listening socket creation. + +26 January 2022: George + - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC + document. + +26 January 2022: Wouter + - Test for NSID in SERVFAIL response due to DNSSEC bogus. + +25 January 2022: George + - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in + serviced_udp_callback. + - Merge PR #612: TCP race condition. + +25 January 2022: Wouter + - Fix #610: Undefine-shift in sldns_str2wire_hip_buf. + +19 January 2022: George + - For dnstap, do not wakeupnow right there. Instead zero the timer to + force the wakeup callback asap. + +14 January 2022: George + - Merge PR #605: + - Fix EDNS to upstream where the same option could be attached + more than once. + - Add a region to serviced_query for allocations. + +14 January 2022: Wouter + - Add rpz: for-downstream: yesno option, where the RPZ zone is + authoritatively answered for, so the RPZ zone contents can be + checked with DNS queries directed at the RPZ zone. + - For #602: Allow the module-config "subnetcache validator cachedb + iterator". + +11 January 2022: George + - Fix prematurely terminated TCP queries when a reply has the same ID. + +7 January 2022: Wouter + - Merge #600 from pemensik: Change file mode before changing file + owner. + +5 January 2022: Wouter + - Fix for #596: fix that rpz return message is returned and not just + the rcode from the iterator return path. This fixes signal unset RA + after a CNAME. + - Fix unit tests for rpz now that the AA flag returns successfully from + the iterator loop. + - Fix for #596: add unit test for nsdname trigger and signal unset RA. + - Fix for #596: add unit test for nsip trigger and signal unset RA. + - Fix #598: Fix unbound-checkconf fatal error: module conf + 'respip dns64 validator iterator' is not known to work. + - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip + triggered operation. + +4 January 2022: Wouter + - Fix #596: unset the RA bit when a query is blocked by an unbound + RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to + signal that a domain is externally blocked to clients when it + is blocked with NXDOMAIN by unsetting RA. + - Fix to add test for rpz-signal-nxdomain-ra. + - Fix #596: only unset RA when NXDOMAIN is signalled. + - Fix that RPZ does not set RD flag on replies, it should be copied + from the query. + +22 December 2021: George + - contrib/aaaa-filter-iterator.patch file renewed diff content to + apply cleanly to the current coderepo for the current code version. + +20 December 2021: George + - Fix #591: Unbound-anchor manpage links to non-existent license file. + +13 December 2021: George + - Add missing configure flags for optional features in the + documentation. + - Fix Unbound capitalization in the documentation. + +13 December 2021: Wouter + - Fix to pick up other class local zone information before unlock. + +10 December 2021: George + - Allow local-data for classes other than IN to inherit a configured + local-zone's type if possible, instead of defaulting to type + transparent as per the implicit rule. + +10 December 2021: Wouter + - Add code similar to fix for ldns for tab between strings, for + consistency, the test case was not broken. + +6 December 2021: Wouter + - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow + warnings in rpz. + - Fix validator debug output about DS support, print correct algorithm. + +3 December 2021: Wouter + - Fix compile warning for if_nametoindex on windows 64bit. + 1 December 2021: Wouter - configure is set to 1.14.0, and release branch. + This was released as version 1.14.0 on 9 Dec 2021, with the doxygen + fix below included. The main branch continues as 1.14.1. - Fix doc/unbound.doxygen to remove obsolete tag warning. 1 December 2021: George diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README index 3b8d0cce3170..9d9794d5cfa5 100644 --- a/contrib/unbound/doc/README +++ b/contrib/unbound/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.14.0 +README for Unbound 1.15.0 Copyright 2007 NLnet Labs http://unbound.net diff --git a/contrib/unbound/doc/example.conf b/contrib/unbound/doc/example.conf index d9f4995e41ef..ab9445fc69f1 100644 --- a/contrib/unbound/doc/example.conf +++ b/contrib/unbound/doc/example.conf @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.14.0. +# See unbound.conf(5) man page, version 1.15.0. # # this is a comment. @@ -82,13 +82,13 @@ server: # num-queries-per-thread, or, use as many as the OS will allow you. # outgoing-range: 4096 - # permit unbound to use this port number or port range for + # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. # outgoing-port-permit: 32768 - # deny unbound the use this of port number or port range for + # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. - # Use this to make sure unbound does not grab a UDP port that some + # Use this to make sure Unbound does not grab a UDP port that some # other server on this computer needs. The default is to avoid # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options @@ -254,7 +254,7 @@ server: # use-systemd: no # Detach from the terminal, run in background, "yes" or "no". - # Set the value to "no" when unbound runs as systemd service. + # Set the value to "no" when Unbound runs as systemd service. # do-daemonize: yes # control which clients are allowed to make (recursive) queries @@ -307,7 +307,7 @@ server: # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # - # Additionally, unbound may need to access /dev/urandom (for entropy). + # Additionally, Unbound may need to access /dev/urandom (for entropy). # How to do this is specific to your OS. # # If you give "" no chroot is performed. The path must not end in a /. @@ -442,7 +442,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. - # aggressive-nsec: no + # aggressive-nsec: yes # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. @@ -517,7 +517,7 @@ server: # Use several entries, one per domain name, to track multiple zones. # # If you want to perform DNSSEC validation, run unbound-anchor before - # you start unbound (i.e. in the system boot scripts). + # you start Unbound (i.e. in the system boot scripts). # And then enable the auto-trust-anchor-file config item. # Please note usage of unbound-anchor root anchor is at your own risk # and under the terms of our LICENSE (see that file in the source). @@ -585,7 +585,7 @@ server: # val-permissive-mode: no # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of unbound are legacy servers (w2008) + # Enable it if the only clients of Unbound are legacy servers (w2008) # that set CD but cannot validate themselves. # ignore-cd-flag: no @@ -615,7 +615,7 @@ server: # Return the original TTL as received from the upstream name server rather # than the decrementing TTL as stored in the cache. Enabling this feature - # does not impact cache expiry, it only changes the TTL unbound embeds in + # does not impact cache expiry, it only changes the TTL Unbound embeds in # responses to queries. Note that enabling this feature implicitly disables # enforcement of the configured minimum and maximum TTL. # serve-original-ttl: no @@ -709,9 +709,9 @@ server: # Add example.com into ipset # local-zone: "example.com" ipset - # If unbound is running service for the local host then it is useful + # If Unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the - # long list of local-zones above. If this unbound is a dns server + # long list of local-zones above. If this Unbound is a dns server # for a network of computers, disabled is better and stops information # leakage of local lan information. # unblock-lan-zones: no @@ -860,6 +860,10 @@ server: # 0 blocks when ratelimited, otherwise let 1/xth traffic through # ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ratelimit-backoff: no + # override the ratelimit for a specific domain name. # give this setting multiple times to have multiple overrides. # ratelimit-for-domain: example.com 1000 @@ -880,6 +884,10 @@ server: # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # ip-ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ip-ratelimit-backoff: no + # Limit the number of connections simultaneous from a netblock # tcp-connection-limit: 192.0.2.0/24 12 @@ -889,7 +897,7 @@ server: # the number of servers that will be used in the fast server selection. # fast-server-num: 3 - # Specific options for ipsecmod. unbound needs to be configured with + # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. # # Enable or disable ipsecmod (it still needs to be defined in @@ -901,7 +909,7 @@ server: # listed in module-config (above). # ipsecmod-hook: "./my_executable" # - # When enabled unbound will reply with SERVFAIL if the return value of + # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no # @@ -966,10 +974,10 @@ remote-control: # For local sockets this option is ignored, and TLS is not used. # control-use-cert: "yes" - # unbound server key file. + # Unbound server key file. # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" - # unbound server certificate file. + # Unbound server certificate file. # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" # unbound-control key file. @@ -1072,8 +1080,9 @@ remote-control: # local-zone: "example.com" refuse # DNSCrypt +# To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper +# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to # listen on `dnscrypt-port` with the follo0wing snippet: @@ -1092,7 +1101,9 @@ remote-control: # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert # CacheDB -# Enable external backend DB as auxiliary cache. Specify the backend name +# External backend DB as auxiliary cache. +# To enable, use --enable-cachedb to configure before compiling. +# Specify the backend name # (default is "testframe", which has no use other than for debugging and # testing) and backend-specific options. The 'cachedb' module must be # included in module-config, just before the iterator module. @@ -1102,6 +1113,7 @@ remote-control: # secret-seed: "default" # # # For "redis" backend: +# # (to enable, use --with-libhiredis to configure before compiling) # # redis server's IP address or host name # redis-server-host: 127.0.0.1 # # redis server's TCP port @@ -1113,7 +1125,9 @@ remote-control: # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset unbound needs to run as root user. +# To enable: +# o use --enable-ipset to configure before compiling; +# o Unbound then needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" @@ -1121,9 +1135,10 @@ remote-control: # name-v6: "list-v6" # -# Dnstap logging support, if compiled in. To enable, set the dnstap-enable -# to yes and also some of dnstap-log-..-messages to yes. And select an -# upstream log destination, by socket path, TCP or TLS destination. +# Dnstap logging support, if compiled in by using --enable-dnstap to configure. +# To enable, set the dnstap-enable to yes and also some of +# dnstap-log-..-messages to yes. And select an upstream log destination, by +# socket path, TCP or TLS destination. # dnstap: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode @@ -1136,7 +1151,7 @@ remote-control: # dnstap-tls: yes # # name for authenticating the upstream server. or "" disabled. # dnstap-tls-server-name: "" -# # if "", it uses the cert bundle from the main unbound config. +# # if "", it uses the cert bundle from the main Unbound config. # dnstap-tls-cert-bundle: "" # # key file for client authentication, or "" disabled. # dnstap-tls-client-key-file: "" @@ -1172,4 +1187,6 @@ remote-control: # rpz-cname-override: www.example.org # rpz-log: yes # rpz-log-name: "example policy" +# rpz-signal-nxdomain-ra: no +# for-downstream: no # tags: "example" diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in index d9f4995e41ef..ab9445fc69f1 100644 --- a/contrib/unbound/doc/example.conf.in +++ b/contrib/unbound/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.14.0. +# See unbound.conf(5) man page, version 1.15.0. # # this is a comment. @@ -82,13 +82,13 @@ server: # num-queries-per-thread, or, use as many as the OS will allow you. # outgoing-range: 4096 - # permit unbound to use this port number or port range for + # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. # outgoing-port-permit: 32768 - # deny unbound the use this of port number or port range for + # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. - # Use this to make sure unbound does not grab a UDP port that some + # Use this to make sure Unbound does not grab a UDP port that some # other server on this computer needs. The default is to avoid # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options @@ -254,7 +254,7 @@ server: # use-systemd: no # Detach from the terminal, run in background, "yes" or "no". - # Set the value to "no" when unbound runs as systemd service. + # Set the value to "no" when Unbound runs as systemd service. # do-daemonize: yes # control which clients are allowed to make (recursive) queries @@ -307,7 +307,7 @@ server: # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # - # Additionally, unbound may need to access /dev/urandom (for entropy). + # Additionally, Unbound may need to access /dev/urandom (for entropy). # How to do this is specific to your OS. # # If you give "" no chroot is performed. The path must not end in a /. @@ -442,7 +442,7 @@ server: # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. - # aggressive-nsec: no + # aggressive-nsec: yes # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. @@ -517,7 +517,7 @@ server: # Use several entries, one per domain name, to track multiple zones. # # If you want to perform DNSSEC validation, run unbound-anchor before - # you start unbound (i.e. in the system boot scripts). + # you start Unbound (i.e. in the system boot scripts). # And then enable the auto-trust-anchor-file config item. # Please note usage of unbound-anchor root anchor is at your own risk # and under the terms of our LICENSE (see that file in the source). @@ -585,7 +585,7 @@ server: # val-permissive-mode: no # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of unbound are legacy servers (w2008) + # Enable it if the only clients of Unbound are legacy servers (w2008) # that set CD but cannot validate themselves. # ignore-cd-flag: no @@ -615,7 +615,7 @@ server: # Return the original TTL as received from the upstream name server rather # than the decrementing TTL as stored in the cache. Enabling this feature - # does not impact cache expiry, it only changes the TTL unbound embeds in + # does not impact cache expiry, it only changes the TTL Unbound embeds in # responses to queries. Note that enabling this feature implicitly disables # enforcement of the configured minimum and maximum TTL. # serve-original-ttl: no @@ -709,9 +709,9 @@ server: # Add example.com into ipset # local-zone: "example.com" ipset - # If unbound is running service for the local host then it is useful + # If Unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the - # long list of local-zones above. If this unbound is a dns server + # long list of local-zones above. If this Unbound is a dns server # for a network of computers, disabled is better and stops information # leakage of local lan information. # unblock-lan-zones: no @@ -860,6 +860,10 @@ server: # 0 blocks when ratelimited, otherwise let 1/xth traffic through # ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ratelimit-backoff: no + # override the ratelimit for a specific domain name. # give this setting multiple times to have multiple overrides. # ratelimit-for-domain: example.com 1000 @@ -880,6 +884,10 @@ server: # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # ip-ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ip-ratelimit-backoff: no + # Limit the number of connections simultaneous from a netblock # tcp-connection-limit: 192.0.2.0/24 12 @@ -889,7 +897,7 @@ server: # the number of servers that will be used in the fast server selection. # fast-server-num: 3 - # Specific options for ipsecmod. unbound needs to be configured with + # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. # # Enable or disable ipsecmod (it still needs to be defined in @@ -901,7 +909,7 @@ server: # listed in module-config (above). # ipsecmod-hook: "./my_executable" # - # When enabled unbound will reply with SERVFAIL if the return value of + # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no # @@ -966,10 +974,10 @@ remote-control: # For local sockets this option is ignored, and TLS is not used. # control-use-cert: "yes" - # unbound server key file. + # Unbound server key file. # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" - # unbound server certificate file. + # Unbound server certificate file. # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" # unbound-control key file. @@ -1072,8 +1080,9 @@ remote-control: # local-zone: "example.com" refuse # DNSCrypt +# To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper +# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to # listen on `dnscrypt-port` with the follo0wing snippet: @@ -1092,7 +1101,9 @@ remote-control: # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert # CacheDB -# Enable external backend DB as auxiliary cache. Specify the backend name +# External backend DB as auxiliary cache. +# To enable, use --enable-cachedb to configure before compiling. +# Specify the backend name # (default is "testframe", which has no use other than for debugging and # testing) and backend-specific options. The 'cachedb' module must be # included in module-config, just before the iterator module. @@ -1102,6 +1113,7 @@ remote-control: # secret-seed: "default" # # # For "redis" backend: +# # (to enable, use --with-libhiredis to configure before compiling) # # redis server's IP address or host name # redis-server-host: 127.0.0.1 # # redis server's TCP port @@ -1113,7 +1125,9 @@ remote-control: # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset unbound needs to run as root user. +# To enable: +# o use --enable-ipset to configure before compiling; +# o Unbound then needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" @@ -1121,9 +1135,10 @@ remote-control: # name-v6: "list-v6" # -# Dnstap logging support, if compiled in. To enable, set the dnstap-enable -# to yes and also some of dnstap-log-..-messages to yes. And select an -# upstream log destination, by socket path, TCP or TLS destination. +# Dnstap logging support, if compiled in by using --enable-dnstap to configure. +# To enable, set the dnstap-enable to yes and also some of +# dnstap-log-..-messages to yes. And select an upstream log destination, by +# socket path, TCP or TLS destination. # dnstap: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode @@ -1136,7 +1151,7 @@ remote-control: # dnstap-tls: yes # # name for authenticating the upstream server. or "" disabled. # dnstap-tls-server-name: "" -# # if "", it uses the cert bundle from the main unbound config. +# # if "", it uses the cert bundle from the main Unbound config. # dnstap-tls-cert-bundle: "" # # key file for client authentication, or "" disabled. # dnstap-tls-client-key-file: "" @@ -1172,4 +1187,6 @@ remote-control: # rpz-cname-override: www.example.org # rpz-log: yes # rpz-log-name: "example policy" +# rpz-signal-nxdomain-ra: no +# for-downstream: no # tags: "example" diff --git a/contrib/unbound/doc/libunbound.3 b/contrib/unbound/doc/libunbound.3 index 6c5217aa04c4..7df4f59d7831 100644 --- a/contrib/unbound/doc/libunbound.3 +++ b/contrib/unbound/doc/libunbound.3 @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "libunbound" "3" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -44,7 +44,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.14.0 functions. +\- Unbound DNS validating resolver 1.15.0 functions. .SH "SYNOPSIS" .B #include .LP diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in index 6c5217aa04c4..7df4f59d7831 100644 --- a/contrib/unbound/doc/libunbound.3.in +++ b/contrib/unbound/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "libunbound" "3" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -44,7 +44,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.14.0 functions. +\- Unbound DNS validating resolver 1.15.0 functions. .SH "SYNOPSIS" .B #include .LP diff --git a/contrib/unbound/doc/unbound-anchor.8 b/contrib/unbound/doc/unbound-anchor.8 index ddab3d27f120..268640d8155c 100644 --- a/contrib/unbound/doc/unbound-anchor.8 +++ b/contrib/unbound/doc/unbound-anchor.8 @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "unbound-anchor" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" @@ -41,7 +41,7 @@ update certificate files. .P It tests if the root anchor file works, and if not, and an update is possible, attempts to update the root anchor using the root update certificate. -It performs a https fetch of root-anchors.xml and checks the results (RFC7958), +It performs a https fetch of root-anchors.xml and checks the results (RFC7958), if all checks are successful, it updates the root anchor file. Otherwise the root anchor file is unchanged. It performs RFC5011 tracking if the DNSSEC information available via the DNS makes that possible. @@ -159,7 +159,7 @@ Or something more suitable for your operational environment. The root keys and update certificate included in this tool are provided for convenience and under the terms of our license (see the LICENSE file in the source distribution or -http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or +https://github.com/NLnetLabs/unbound/blob/master/LICENSE) and might be stale or not suitable to your purpose. .P By running "unbound\-anchor \-l" the keys and certificate that are @@ -185,5 +185,5 @@ Source for the root key information. .I https://data.iana.org/root\-anchors/root\-anchors.p7s Signature on the root key information. .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in index ddab3d27f120..268640d8155c 100644 --- a/contrib/unbound/doc/unbound-anchor.8.in +++ b/contrib/unbound/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "unbound-anchor" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" @@ -41,7 +41,7 @@ update certificate files. .P It tests if the root anchor file works, and if not, and an update is possible, attempts to update the root anchor using the root update certificate. -It performs a https fetch of root-anchors.xml and checks the results (RFC7958), +It performs a https fetch of root-anchors.xml and checks the results (RFC7958), if all checks are successful, it updates the root anchor file. Otherwise the root anchor file is unchanged. It performs RFC5011 tracking if the DNSSEC information available via the DNS makes that possible. @@ -159,7 +159,7 @@ Or something more suitable for your operational environment. The root keys and update certificate included in this tool are provided for convenience and under the terms of our license (see the LICENSE file in the source distribution or -http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or +https://github.com/NLnetLabs/unbound/blob/master/LICENSE) and might be stale or not suitable to your purpose. .P By running "unbound\-anchor \-l" the keys and certificate that are @@ -185,5 +185,5 @@ Source for the root key information. .I https://data.iana.org/root\-anchors/root\-anchors.p7s Signature on the root key information. .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/contrib/unbound/doc/unbound-checkconf.8 b/contrib/unbound/doc/unbound-checkconf.8 index bd1ab8ad696d..ac8782dcde40 100644 --- a/contrib/unbound/doc/unbound-checkconf.8 +++ b/contrib/unbound/doc/unbound-checkconf.8 @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "unbound-checkconf" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" @@ -8,8 +8,8 @@ .\" .\" .SH "NAME" -.B unbound\-checkconf -\- Check unbound configuration file for errors. +unbound\-checkconf +\- Check Unbound configuration file for errors. .SH "SYNOPSIS" .B unbound\-checkconf .RB [ \-h ] @@ -21,8 +21,8 @@ .B Unbound\-checkconf checks the configuration file for the \fIunbound\fR(8) -DNS resolver for syntax and other errors. -The config file syntax is described in +DNS resolver for syntax and other errors. +The config file syntax is described in \fIunbound.conf\fR(5). .P The available options are: @@ -34,19 +34,19 @@ Show the version and commandline option help. Print full pathname, with chroot applied to it. Use with the \-o option. .TP .B \-o\fI option -If given, after checking the config file the value of this option is +If given, after checking the config file the value of this option is printed to stdout. For "" (disabled) options an empty line is printed. .TP .I cfgfile -The config file to read with settings for unbound. It is checked. +The config file to read with settings for Unbound. It is checked. If omitted, the config file at the default location is checked. .SH "EXIT CODE" -The unbound\-checkconf program exits with status code 1 on error, +The unbound\-checkconf program exits with status code 1 on error, 0 for a correct config file. .SH "FILES" .TP .I @ub_conf_file@ -unbound configuration file. +Unbound configuration file. .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in index bd1ab8ad696d..ac8782dcde40 100644 --- a/contrib/unbound/doc/unbound-checkconf.8.in +++ b/contrib/unbound/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "unbound-checkconf" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" @@ -8,8 +8,8 @@ .\" .\" .SH "NAME" -.B unbound\-checkconf -\- Check unbound configuration file for errors. +unbound\-checkconf +\- Check Unbound configuration file for errors. .SH "SYNOPSIS" .B unbound\-checkconf .RB [ \-h ] @@ -21,8 +21,8 @@ .B Unbound\-checkconf checks the configuration file for the \fIunbound\fR(8) -DNS resolver for syntax and other errors. -The config file syntax is described in +DNS resolver for syntax and other errors. +The config file syntax is described in \fIunbound.conf\fR(5). .P The available options are: @@ -34,19 +34,19 @@ Show the version and commandline option help. Print full pathname, with chroot applied to it. Use with the \-o option. .TP .B \-o\fI option -If given, after checking the config file the value of this option is +If given, after checking the config file the value of this option is printed to stdout. For "" (disabled) options an empty line is printed. .TP .I cfgfile -The config file to read with settings for unbound. It is checked. +The config file to read with settings for Unbound. It is checked. If omitted, the config file at the default location is checked. .SH "EXIT CODE" -The unbound\-checkconf program exits with status code 1 on error, +The unbound\-checkconf program exits with status code 1 on error, 0 for a correct config file. .SH "FILES" .TP .I @ub_conf_file@ -unbound configuration file. +Unbound configuration file. .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/contrib/unbound/doc/unbound-control.8 b/contrib/unbound/doc/unbound-control.8 index ab5413c9a0ba..9d0c10e942bd 100644 --- a/contrib/unbound/doc/unbound-control.8 +++ b/contrib/unbound/doc/unbound-control.8 @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "unbound-control" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" unbound-control.8 -- unbound remote control manual .\" @@ -14,15 +14,15 @@ .SH "SYNOPSIS" .B unbound\-control .RB [ \-hq ] -.RB [ \-c +.RB [ \-c .IR cfgfile ] -.RB [ \-s +.RB [ \-s .IR server ] .IR command .SH "DESCRIPTION" .B Unbound\-control performs remote administration on the \fIunbound\fR(8) DNS server. -It reads the configuration file, contacts the unbound server over SSL +It reads the configuration file, contacts the Unbound server over SSL sends the command and displays the result. .P The available options are: @@ -44,8 +44,8 @@ quiet, if the option is given it does not print anything if it works ok. There are several commands that the server understands. .TP .B start -Start the server. Simply execs \fIunbound\fR(8). The unbound executable -is searched for in the \fBPATH\fR set in the environment. It is started +Start the server. Simply execs \fIunbound\fR(8). The Unbound executable +is searched for in the \fBPATH\fR set in the environment. It is started with the config file specified using \fI\-c\fR or the default config file. .TP .B stop @@ -65,8 +65,8 @@ daemon release the file it is logging to. If you are using syslog it will attempt to close and open the syslog (which may not work if chrooted). .TP .B stats -Print statistics. Resets the internal counters to zero, this can be -controlled using the \fBstatistics\-cumulative\fR config statement. +Print statistics. Resets the internal counters to zero, this can be +controlled using the \fBstatistics\-cumulative\fR config statement. Statistics are printed with one [name]: [value] per line. .TP .B stats_noreset @@ -74,7 +74,7 @@ Peek at statistics. Prints them like the \fBstats\fR command does, but does not reset the internal counters to zero. .TP .B status -Display server status. Exit code 3 if not running (the connection to the +Display server status. Exit code 3 if not running (the connection to the port is refused), 1 on error, 0 if running. .TP .B local_zone \fIname\fR \fItype @@ -88,14 +88,14 @@ it. If the zone does not exist, the command succeeds. .B local_data \fIRR data... Add new local data, the given resource record. Like \fBlocal\-data\fR config statement, except for when no covering zone exists. In that case -this remote control command creates a transparent zone with the same +this remote control command creates a transparent zone with the same name as this record. .TP .B local_data_remove \fIname Remove all RR data from local name. If the name already has no items, nothing happens. Often results in NXDOMAIN for the name (in a static zone), -but if the name has become an empty nonterminal (there is still data in -domain names below the removed name), NOERROR nodata answers are the +but if the name has become an empty nonterminal (there is still data in +domain names below the removed name), NOERROR nodata answers are the result for that name. .TP .B local_zones @@ -125,22 +125,22 @@ in old or wrong data returned to clients. Loading data into the cache in this way is supported in order to aid with debugging. .TP .B lookup \fIname -Print to stdout the name servers that would be used to look up the +Print to stdout the name servers that would be used to look up the name specified. .TP .B flush \fIname Remove the name from the cache. Removes the types A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR. -Because that is fast to do. Other record types can be removed using -.B flush_type -or +Because that is fast to do. Other record types can be removed using +.B flush_type +or .B flush_zone\fR. .TP .B flush_type \fIname\fR \fItype Remove the name, type information from the cache. .TP .B flush_zone \fIname -Remove all information at or below the name from the cache. +Remove all information at or below the name from the cache. The rrsets and key entries are removed so that new lookups will be performed. This needs to walk and inspect the entire cache, and is a slow operation. The entries are set to expired in the implementation of this command (so, @@ -187,7 +187,7 @@ therefore not flushed. The option must end with a ':' and whitespace must be between the option and the value. Some values may not have an effect if set this way, the new values are not written to the config file, not all options are supported. This is different from the set_option call -in libunbound, where all values work because unbound has not been initialized. +in libunbound, where all values work because Unbound has not been initialized. .IP The values that work are: statistics\-interval, statistics\-cumulative, do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries, @@ -227,36 +227,36 @@ List the local data RRs in use. The resource records are printed. .TP .B insecure_add \fIzone Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf. -Adds to the running unbound without affecting the cache contents (which may +Adds to the running Unbound without affecting the cache contents (which may still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file. .TP .B insecure_remove \fIzone Removes domain\-insecure for the given zone. .TP .B forward_add \fR[\fI+i\fR] \fIzone addr ... -Add a new forward zone to running unbound. With +i option also adds a +Add a new forward zone to running Unbound. With +i option also adds a \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have a DNSSEC root trust anchor configured for other names). The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config in unbound.conf. .TP .B forward_remove \fR[\fI+i\fR] \fIzone -Remove a forward zone from running unbound. The +i also removes a +Remove a forward zone from running Unbound. The +i also removes a \fIdomain\-insecure\fR for the zone. .TP .B stub_add \fR[\fI+ip\fR] \fIzone addr ... -Add a new stub zone to running unbound. With +i option also adds a +Add a new stub zone to running Unbound. With +i option also adds a \fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime, without it it is set to notprime. The addr can be IP4, IP6 or nameserver names, like the \fIstub-zone\fR config in unbound.conf. .TP .B stub_remove \fR[\fI+i\fR] \fIzone -Remove a stub zone from running unbound. The +i also removes a +Remove a stub zone from running Unbound. The +i also removes a \fIdomain\-insecure\fR for the zone. .TP .B forward \fR[\fIoff\fR | \fIaddr ...\fR ] Setup forwarding mode. Configures if the server should ask other upstream -nameservers, should go to the internet root nameservers itself, or show +nameservers, should go to the internet root nameservers itself, or show the current config. You could pass the nameservers after a DHCP update. .IP Without arguments the current list of addresses used to forward all queries @@ -296,7 +296,7 @@ status, indicating if the zone is expired and current serial number. Reload the auth zone from zonefile. The zonefile is read in overwriting the current contents of the zone in memory. This changes the auth zone contents itself, not the cache contents. Such cache contents exists if -you set unbound to validate with for-upstream yes and that can be cleared +you set Unbound to validate with for-upstream yes and that can be cleared with \fBflush_zone\fR \fIzone\fR. .TP .B auth_zone_transfer \fIzone\fR @@ -336,7 +336,7 @@ Add a list of \fIlocal_data\fR for given view from stdin. Like local_datas. .SH "EXIT CODE" The unbound\-control program exits with status code 1 on error, 0 on success. .SH "SET UP" -The setup requires a self\-signed certificate and private keys for both +The setup requires a self\-signed certificate and private keys for both the server and client. The script \fIunbound\-control\-setup\fR generates these in the default run directory, or with \-d in another directory. If you change the access control permissions on the key files you can decide @@ -350,7 +350,7 @@ If you have not configured a username in unbound.conf, the keys need read permission for the user credentials under which the daemon is started. The script preserves private keys present in the directory. -After running the script as root, turn on \fBcontrol\-enable\fR in +After running the script as root, turn on \fBcontrol\-enable\fR in \fIunbound.conf\fR. .SH "STATISTIC COUNTERS" The \fIstats\fR command shows a number of statistic counters. @@ -417,8 +417,8 @@ Average time it took to answer queries that needed recursive processing. Note th .TP .I threadX.recursion.time.median The median of the time it took to answer queries that needed recursive -processing. The median means that 50% of the user queries were answered in -less than this time. Because of big outliers (usually queries to non +processing. The median means that 50% of the user queries were answered in +less than this time. Because of big outliers (usually queries to non responsive servers), the average can be bigger than the median. This median has been calculated by interpolation from a histogram. .TP @@ -544,32 +544,32 @@ The total number of queries over all threads with query opcode QUERY. Also printed for other opcodes, UPDATE, ... .TP .I num.query.tcp -Number of queries that were made using TCP towards the unbound server. +Number of queries that were made using TCP towards the Unbound server. .TP .I num.query.tcpout -Number of queries that the unbound server made using TCP outgoing towards +Number of queries that the Unbound server made using TCP outgoing towards other servers. .TP .I num.query.tls -Number of queries that were made using TLS towards the unbound server. +Number of queries that were made using TLS towards the Unbound server. These are also counted in num.query.tcp, because TLS uses TCP. .TP .I num.query.tls.resume Number of TLS session resumptions, these are queries over TLS towards -the unbound server where the client negotiated a TLS session resumption key. +the Unbound server where the client negotiated a TLS session resumption key. .TP .I num.query.https -Number of queries that were made using HTTPS towards the unbound server. +Number of queries that were made using HTTPS towards the Unbound server. These are also counted in num.query.tcp and num.query.tls, because HTTPS uses TLS and TCP. .TP .I num.query.ipv6 -Number of queries that were made using IPv6 towards the unbound server. +Number of queries that were made using IPv6 towards the Unbound server. .TP .I num.query.flags.RD The number of queries that had the RD flag set in the header. Also printed for flags QR, AA, TC, RA, Z, AD, CD. -Note that queries with flags QR, AA or TC may have been rejected +Note that queries with flags QR, AA or TC may have been rejected because of that. .TP .I num.query.edns.present @@ -603,7 +603,7 @@ These queries are also included in the num.answer.rcode.NOERROR number. Common for AAAA lookups when an A record exists, and no AAAA. .TP .I num.answer.secure -Number of answers that were secure. The answer validated correctly. +Number of answers that were secure. The answer validated correctly. The AD bit might have been set in some of these answers, where the client signalled (with DO or AD bit in the query) that they were ready to accept the AD bit in the answer. @@ -644,7 +644,7 @@ per delegation point, and their validation status. .I dnscrypt_shared_secret.cache.count The number of items in the shared secret cache. These are precomputed shared secrets for a given client public key/server secret key pair. Shared secrets -are CPU intensive and this cache allows unbound to avoid recomputing the +are CPU intensive and this cache allows Unbound to avoid recomputing the shared secret when multiple dnscrypt queries are sent from the same client. .TP .I dnscrypt_nonce.cache.count @@ -689,11 +689,11 @@ disabled, and cname\-override. .SH "FILES" .TP .I @ub_conf_file@ -unbound configuration file. +Unbound configuration file. .TP .I @UNBOUND_RUN_DIR@ directory with private keys (unbound_server.key and unbound_control.key) and self\-signed certificates (unbound_server.pem and unbound_control.pem). .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/contrib/unbound/doc/unbound-control.8.in b/contrib/unbound/doc/unbound-control.8.in index ab5413c9a0ba..9d0c10e942bd 100644 --- a/contrib/unbound/doc/unbound-control.8.in +++ b/contrib/unbound/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "unbound-control" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" unbound-control.8 -- unbound remote control manual .\" @@ -14,15 +14,15 @@ .SH "SYNOPSIS" .B unbound\-control .RB [ \-hq ] -.RB [ \-c +.RB [ \-c .IR cfgfile ] -.RB [ \-s +.RB [ \-s .IR server ] .IR command .SH "DESCRIPTION" .B Unbound\-control performs remote administration on the \fIunbound\fR(8) DNS server. -It reads the configuration file, contacts the unbound server over SSL +It reads the configuration file, contacts the Unbound server over SSL sends the command and displays the result. .P The available options are: @@ -44,8 +44,8 @@ quiet, if the option is given it does not print anything if it works ok. There are several commands that the server understands. .TP .B start -Start the server. Simply execs \fIunbound\fR(8). The unbound executable -is searched for in the \fBPATH\fR set in the environment. It is started +Start the server. Simply execs \fIunbound\fR(8). The Unbound executable +is searched for in the \fBPATH\fR set in the environment. It is started with the config file specified using \fI\-c\fR or the default config file. .TP .B stop @@ -65,8 +65,8 @@ daemon release the file it is logging to. If you are using syslog it will attempt to close and open the syslog (which may not work if chrooted). .TP .B stats -Print statistics. Resets the internal counters to zero, this can be -controlled using the \fBstatistics\-cumulative\fR config statement. +Print statistics. Resets the internal counters to zero, this can be +controlled using the \fBstatistics\-cumulative\fR config statement. Statistics are printed with one [name]: [value] per line. .TP .B stats_noreset @@ -74,7 +74,7 @@ Peek at statistics. Prints them like the \fBstats\fR command does, but does not reset the internal counters to zero. .TP .B status -Display server status. Exit code 3 if not running (the connection to the +Display server status. Exit code 3 if not running (the connection to the port is refused), 1 on error, 0 if running. .TP .B local_zone \fIname\fR \fItype @@ -88,14 +88,14 @@ it. If the zone does not exist, the command succeeds. .B local_data \fIRR data... Add new local data, the given resource record. Like \fBlocal\-data\fR config statement, except for when no covering zone exists. In that case -this remote control command creates a transparent zone with the same +this remote control command creates a transparent zone with the same name as this record. .TP .B local_data_remove \fIname Remove all RR data from local name. If the name already has no items, nothing happens. Often results in NXDOMAIN for the name (in a static zone), -but if the name has become an empty nonterminal (there is still data in -domain names below the removed name), NOERROR nodata answers are the +but if the name has become an empty nonterminal (there is still data in +domain names below the removed name), NOERROR nodata answers are the result for that name. .TP .B local_zones @@ -125,22 +125,22 @@ in old or wrong data returned to clients. Loading data into the cache in this way is supported in order to aid with debugging. .TP .B lookup \fIname -Print to stdout the name servers that would be used to look up the +Print to stdout the name servers that would be used to look up the name specified. .TP .B flush \fIname Remove the name from the cache. Removes the types A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR. -Because that is fast to do. Other record types can be removed using -.B flush_type -or +Because that is fast to do. Other record types can be removed using +.B flush_type +or .B flush_zone\fR. .TP .B flush_type \fIname\fR \fItype Remove the name, type information from the cache. .TP .B flush_zone \fIname -Remove all information at or below the name from the cache. +Remove all information at or below the name from the cache. The rrsets and key entries are removed so that new lookups will be performed. This needs to walk and inspect the entire cache, and is a slow operation. The entries are set to expired in the implementation of this command (so, @@ -187,7 +187,7 @@ therefore not flushed. The option must end with a ':' and whitespace must be between the option and the value. Some values may not have an effect if set this way, the new values are not written to the config file, not all options are supported. This is different from the set_option call -in libunbound, where all values work because unbound has not been initialized. +in libunbound, where all values work because Unbound has not been initialized. .IP The values that work are: statistics\-interval, statistics\-cumulative, do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries, @@ -227,36 +227,36 @@ List the local data RRs in use. The resource records are printed. .TP .B insecure_add \fIzone Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf. -Adds to the running unbound without affecting the cache contents (which may +Adds to the running Unbound without affecting the cache contents (which may still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file. .TP .B insecure_remove \fIzone Removes domain\-insecure for the given zone. .TP .B forward_add \fR[\fI+i\fR] \fIzone addr ... -Add a new forward zone to running unbound. With +i option also adds a +Add a new forward zone to running Unbound. With +i option also adds a \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have a DNSSEC root trust anchor configured for other names). The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config in unbound.conf. .TP .B forward_remove \fR[\fI+i\fR] \fIzone -Remove a forward zone from running unbound. The +i also removes a +Remove a forward zone from running Unbound. The +i also removes a \fIdomain\-insecure\fR for the zone. .TP .B stub_add \fR[\fI+ip\fR] \fIzone addr ... -Add a new stub zone to running unbound. With +i option also adds a +Add a new stub zone to running Unbound. With +i option also adds a \fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime, without it it is set to notprime. The addr can be IP4, IP6 or nameserver names, like the \fIstub-zone\fR config in unbound.conf. .TP .B stub_remove \fR[\fI+i\fR] \fIzone -Remove a stub zone from running unbound. The +i also removes a +Remove a stub zone from running Unbound. The +i also removes a \fIdomain\-insecure\fR for the zone. .TP .B forward \fR[\fIoff\fR | \fIaddr ...\fR ] Setup forwarding mode. Configures if the server should ask other upstream -nameservers, should go to the internet root nameservers itself, or show +nameservers, should go to the internet root nameservers itself, or show the current config. You could pass the nameservers after a DHCP update. .IP Without arguments the current list of addresses used to forward all queries @@ -296,7 +296,7 @@ status, indicating if the zone is expired and current serial number. Reload the auth zone from zonefile. The zonefile is read in overwriting the current contents of the zone in memory. This changes the auth zone contents itself, not the cache contents. Such cache contents exists if -you set unbound to validate with for-upstream yes and that can be cleared +you set Unbound to validate with for-upstream yes and that can be cleared with \fBflush_zone\fR \fIzone\fR. .TP .B auth_zone_transfer \fIzone\fR @@ -336,7 +336,7 @@ Add a list of \fIlocal_data\fR for given view from stdin. Like local_datas. .SH "EXIT CODE" The unbound\-control program exits with status code 1 on error, 0 on success. .SH "SET UP" -The setup requires a self\-signed certificate and private keys for both +The setup requires a self\-signed certificate and private keys for both the server and client. The script \fIunbound\-control\-setup\fR generates these in the default run directory, or with \-d in another directory. If you change the access control permissions on the key files you can decide @@ -350,7 +350,7 @@ If you have not configured a username in unbound.conf, the keys need read permission for the user credentials under which the daemon is started. The script preserves private keys present in the directory. -After running the script as root, turn on \fBcontrol\-enable\fR in +After running the script as root, turn on \fBcontrol\-enable\fR in \fIunbound.conf\fR. .SH "STATISTIC COUNTERS" The \fIstats\fR command shows a number of statistic counters. @@ -417,8 +417,8 @@ Average time it took to answer queries that needed recursive processing. Note th .TP .I threadX.recursion.time.median The median of the time it took to answer queries that needed recursive -processing. The median means that 50% of the user queries were answered in -less than this time. Because of big outliers (usually queries to non +processing. The median means that 50% of the user queries were answered in +less than this time. Because of big outliers (usually queries to non responsive servers), the average can be bigger than the median. This median has been calculated by interpolation from a histogram. .TP @@ -544,32 +544,32 @@ The total number of queries over all threads with query opcode QUERY. Also printed for other opcodes, UPDATE, ... .TP .I num.query.tcp -Number of queries that were made using TCP towards the unbound server. +Number of queries that were made using TCP towards the Unbound server. .TP .I num.query.tcpout -Number of queries that the unbound server made using TCP outgoing towards +Number of queries that the Unbound server made using TCP outgoing towards other servers. .TP .I num.query.tls -Number of queries that were made using TLS towards the unbound server. +Number of queries that were made using TLS towards the Unbound server. These are also counted in num.query.tcp, because TLS uses TCP. .TP .I num.query.tls.resume Number of TLS session resumptions, these are queries over TLS towards -the unbound server where the client negotiated a TLS session resumption key. +the Unbound server where the client negotiated a TLS session resumption key. .TP .I num.query.https -Number of queries that were made using HTTPS towards the unbound server. +Number of queries that were made using HTTPS towards the Unbound server. These are also counted in num.query.tcp and num.query.tls, because HTTPS uses TLS and TCP. .TP .I num.query.ipv6 -Number of queries that were made using IPv6 towards the unbound server. +Number of queries that were made using IPv6 towards the Unbound server. .TP .I num.query.flags.RD The number of queries that had the RD flag set in the header. Also printed for flags QR, AA, TC, RA, Z, AD, CD. -Note that queries with flags QR, AA or TC may have been rejected +Note that queries with flags QR, AA or TC may have been rejected because of that. .TP .I num.query.edns.present @@ -603,7 +603,7 @@ These queries are also included in the num.answer.rcode.NOERROR number. Common for AAAA lookups when an A record exists, and no AAAA. .TP .I num.answer.secure -Number of answers that were secure. The answer validated correctly. +Number of answers that were secure. The answer validated correctly. The AD bit might have been set in some of these answers, where the client signalled (with DO or AD bit in the query) that they were ready to accept the AD bit in the answer. @@ -644,7 +644,7 @@ per delegation point, and their validation status. .I dnscrypt_shared_secret.cache.count The number of items in the shared secret cache. These are precomputed shared secrets for a given client public key/server secret key pair. Shared secrets -are CPU intensive and this cache allows unbound to avoid recomputing the +are CPU intensive and this cache allows Unbound to avoid recomputing the shared secret when multiple dnscrypt queries are sent from the same client. .TP .I dnscrypt_nonce.cache.count @@ -689,11 +689,11 @@ disabled, and cname\-override. .SH "FILES" .TP .I @ub_conf_file@ -unbound configuration file. +Unbound configuration file. .TP .I @UNBOUND_RUN_DIR@ directory with private keys (unbound_server.key and unbound_control.key) and self\-signed certificates (unbound_server.pem and unbound_control.pem). .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/contrib/unbound/doc/unbound-host.1 b/contrib/unbound/doc/unbound-host.1 index b7d4d2350074..94c8ca3dd569 100644 --- a/contrib/unbound/doc/unbound-host.1 +++ b/contrib/unbound/doc/unbound-host.1 @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "unbound\-host" "1" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" @@ -15,7 +15,7 @@ .RB [ \-C .IR configfile ] .RB [ \-vdhr46D ] -.RB [ \-c +.RB [ \-c .IR class ] .RB [ \-t .IR type ] @@ -28,12 +28,12 @@ .I hostname .SH "DESCRIPTION" .B Unbound\-host -uses the unbound validating resolver to query for the hostname and display -results. With the \fB\-v\fR option it displays validation +uses the Unbound validating resolver to query for the hostname and display +results. With the \fB\-v\fR option it displays validation status: secure, insecure, bogus (security failure). .P By default it reads no configuration file whatsoever. It attempts to reach -the internet root servers. With \fB\-C\fR an unbound config file and with +the internet root servers. With \fB\-C\fR an Unbound config file and with \fB\-r\fR resolv.conf can be read. .P The available options are: @@ -73,7 +73,7 @@ For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546 .TP .B \-D Enables DNSSEC validation. Reads the root anchor from the default configured -root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR. +root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR. .TP .B \-f \fIkeyfile Reads keys from a file. Every line has a DS or DNSKEY record, in the format @@ -110,9 +110,9 @@ $ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325 .P $ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153 .SH "EXIT CODE" -The unbound\-host program exits with status code 1 on error, +The unbound\-host program exits with status code 1 on error, 0 on no error. The data may not be available on exit code 0, exit code 1 means the lookup encountered a fatal error. .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/contrib/unbound/doc/unbound-host.1.in b/contrib/unbound/doc/unbound-host.1.in index b7d4d2350074..94c8ca3dd569 100644 --- a/contrib/unbound/doc/unbound-host.1.in +++ b/contrib/unbound/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "unbound\-host" "1" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" @@ -15,7 +15,7 @@ .RB [ \-C .IR configfile ] .RB [ \-vdhr46D ] -.RB [ \-c +.RB [ \-c .IR class ] .RB [ \-t .IR type ] @@ -28,12 +28,12 @@ .I hostname .SH "DESCRIPTION" .B Unbound\-host -uses the unbound validating resolver to query for the hostname and display -results. With the \fB\-v\fR option it displays validation +uses the Unbound validating resolver to query for the hostname and display +results. With the \fB\-v\fR option it displays validation status: secure, insecure, bogus (security failure). .P By default it reads no configuration file whatsoever. It attempts to reach -the internet root servers. With \fB\-C\fR an unbound config file and with +the internet root servers. With \fB\-C\fR an Unbound config file and with \fB\-r\fR resolv.conf can be read. .P The available options are: @@ -73,7 +73,7 @@ For example \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546 .TP .B \-D Enables DNSSEC validation. Reads the root anchor from the default configured -root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR. +root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR. .TP .B \-f \fIkeyfile Reads keys from a file. Every line has a DS or DNSKEY record, in the format @@ -110,9 +110,9 @@ $ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325 .P $ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153 .SH "EXIT CODE" -The unbound\-host program exits with status code 1 on error, +The unbound\-host program exits with status code 1 on error, 0 on no error. The data may not be available on exit code 0, exit code 1 means the lookup encountered a fatal error. .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/contrib/unbound/doc/unbound.8 b/contrib/unbound/doc/unbound.8 index 11b02aebcb2e..723f23238b8e 100644 --- a/contrib/unbound/doc/unbound.8 +++ b/contrib/unbound/doc/unbound.8 @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "unbound" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.14.0. +\- Unbound DNS validating resolver 1.15.0. .SH "SYNOPSIS" .B unbound .RB [ \-h ] @@ -57,7 +57,7 @@ The available options are: Show the version number and commandline option help, and exit. .TP .B \-c\fI cfgfile -Set the config file with settings for unbound to read instead of reading the +Set the config file with settings for Unbound to read instead of reading the file at the default location, @ub_conf_file@. The syntax is described in \fIunbound.conf\fR(5). .TP @@ -70,7 +70,7 @@ or to syslog, but the log messages are printed to stderr all the time. .TP .B \-p Don't use a pidfile. This argument should only be used by supervision -systems which can ensure that only one instance of unbound will run +systems which can ensure that only one instance of Unbound will run concurrently. .TP .B \-v diff --git a/contrib/unbound/doc/unbound.8.in b/contrib/unbound/doc/unbound.8.in index 11b02aebcb2e..723f23238b8e 100644 --- a/contrib/unbound/doc/unbound.8.in +++ b/contrib/unbound/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "unbound" "8" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.14.0. +\- Unbound DNS validating resolver 1.15.0. .SH "SYNOPSIS" .B unbound .RB [ \-h ] @@ -57,7 +57,7 @@ The available options are: Show the version number and commandline option help, and exit. .TP .B \-c\fI cfgfile -Set the config file with settings for unbound to read instead of reading the +Set the config file with settings for Unbound to read instead of reading the file at the default location, @ub_conf_file@. The syntax is described in \fIunbound.conf\fR(5). .TP @@ -70,7 +70,7 @@ or to syslog, but the log messages are printed to stderr all the time. .TP .B \-p Don't use a pidfile. This argument should only be used by supervision -systems which can ensure that only one instance of unbound will run +systems which can ensure that only one instance of Unbound will run concurrently. .TP .B \-v diff --git a/contrib/unbound/doc/unbound.conf.5 b/contrib/unbound/doc/unbound.conf.5 index 4c144db22ab5..e1cc5c020756 100644 --- a/contrib/unbound/doc/unbound.conf.5 +++ b/contrib/unbound/doc/unbound.conf.5 @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "unbound.conf" "5" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -104,7 +104,7 @@ requestlist statistics are printed for every interval (but can be 0). This is because the median calculation requires data to be present. .TP .B statistics\-cumulative: \fI -If enabled, statistics are cumulative since starting unbound, without clearing +If enabled, statistics are cumulative since starting Unbound, without clearing the statistics counters after logging the statistics. Default is no. .TP .B extended\-statistics: \fI @@ -136,7 +136,7 @@ Same as interface: (for ease of compatibility with nsd.conf). Listen on all addresses on all (current and future) interfaces, detect the source interface on UDP queries and copy them to replies. This is a lot like ip\-transparent, but this option services all interfaces whilst with -ip\-transparent you can select which (future) interfaces unbound provides +ip\-transparent you can select which (future) interfaces Unbound provides service on. This feature is experimental, and needs support in your OS for particular socket options. Default value is no. .TP @@ -154,7 +154,7 @@ sent via a random outgoing interface to counter spoofing. If an IPv6 netblock is specified instead of an individual IPv6 address, outgoing UDP queries will use a randomised source address taken from the netblock to counter spoofing. Requires the IPv6 netblock to be routed to the -host running unbound, and requires OS support for unprivileged non-local binds +host running Unbound, and requires OS support for unprivileged non-local binds (currently only supported on Linux). Several netblocks may be specified with multiple .B outgoing\-interface: @@ -174,7 +174,7 @@ numbers need extra resources from the operating system. For performance a very large value is best, use libevent to make this possible. .TP .B outgoing\-port\-permit: \fI -Permit unbound to open this port or range of ports for use to send queries. +Permit Unbound to open this port or range of ports for use to send queries. A larger number of permitted outgoing ports increases resilience against spoofing attempts. Make sure these ports are not needed by other daemons. By default only ports above 1024 that have not been assigned by IANA are used. @@ -187,8 +187,8 @@ processing starts with the non IANA allocated ports above 1024 in the set of allowed ports. .TP .B outgoing\-port\-avoid: \fI -Do not permit unbound to open this port or range of ports for use to send -queries. Use this to make sure unbound does not grab a port that another +Do not permit Unbound to open this port or range of ports for use to send +queries. Use this to make sure Unbound does not grab a port that another daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6. By default only ports above 1024 that have not been assigned by IANA are used. Give a port number or a range of the form "low\-high", without spaces. @@ -289,7 +289,7 @@ If not 0, then set the SO_RCVBUF socket option to get more buffer space on UDP port 53 incoming queries. So that short spikes on busy servers do not drop packets (see counter in netstat \-su). Default is 0 (use system value). Otherwise, the number of bytes to ask for, try -"4m" on a busy server. The OS caps it at a maximum, on linux unbound +"4m" on a busy server. The OS caps it at a maximum, on linux Unbound needs root permission to bypass the limit, or the admin can use sysctl net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf. On OpenBSD change header and recompile kernel. On Solaris ndd \-set @@ -302,7 +302,7 @@ in answer traffic, otherwise 'send: resource temporarily unavailable' can get logged, the buffer overrun is also visible by netstat \-su. Default is 0 (use system value). Specify the number of bytes to ask for, try "4m" on a very busy server. The OS caps it at a maximum, on -linux unbound needs root permission to bypass the limit, or the admin +linux Unbound needs root permission to bypass the limit, or the admin can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar to so\-rcvbuf. .TP @@ -319,18 +319,18 @@ At extreme load it could be better to turn it off to distribute the queries evenly, reported for Linux systems (4.4.x). .TP .B ip\-transparent: \fI -If yes, then use IP_TRANSPARENT socket option on sockets where unbound +If yes, then use IP_TRANSPARENT socket option on sockets where Unbound is listening for incoming traffic. Default no. Allows you to bind to non\-local interfaces. For example for non\-existent IP addresses that are going to exist later on, with host failover configuration. This is a lot like interface\-automatic, but that one services all interfaces -and with this option you can select which (future) interfaces unbound -provides service on. This option needs unbound to be started with root +and with this option you can select which (future) interfaces Unbound +provides service on. This option needs Unbound to be started with root permissions on some systems. The option uses IP_BINDANY on FreeBSD systems and SO_BINDANY on OpenBSD systems. .TP .B ip\-freebind: \fI -If yes, then use IP_FREEBIND socket option on sockets where unbound +If yes, then use IP_FREEBIND socket option on sockets where Unbound is listening to incoming traffic. Default no. Allows you to bind to IP addresses that are nonlocal or do not exist, like when the network interface or IP address is down. Exists only on Linux, where the similar @@ -560,7 +560,7 @@ service. Can list multiple, each on a new statement. .TP .B tls-session-ticket-keys: \fI If not "", lists files with 80 bytes of random contents that are used to -perform TLS session resumption for clients using the unbound server. +perform TLS session resumption for clients using the Unbound server. These files contain the secret key for the TLS session tickets. First key use to encrypt and decrypt TLS session tickets. Other keys use to decrypt only. With this you can roll over to new keys, @@ -642,8 +642,8 @@ Enable or disable systemd socket activation. Default is no. .TP .B do\-daemonize: \fI -Enable or disable whether the unbound server forks into the background as -a daemon. Set the value to \fIno\fR when unbound runs as systemd service. +Enable or disable whether the Unbound server forks into the background as +a daemon. Set the value to \fIno\fR when Unbound runs as systemd service. Default is yes. .TP .B tcp\-connection\-limit: \fI @@ -670,7 +670,7 @@ what almost all clients need). Nonrecursive queries are refused. .IP The \fIallow\fR action does allow nonrecursive queries to access the local\-data that is configured. The reason is that this does not involve -the unbound server recursive lookup algorithm, and static data is served +the Unbound server recursive lookup algorithm, and static data is served in the reply. This supports normal operations where nonrecursive queries are made for the authoritative data. For nonrecursive queries any replies from the dynamic cache are refused. @@ -742,7 +742,7 @@ to chroot and dropping permissions. This allows the pidfile to be Unbound is not able to remove the pidfile after termination when it is located outside of the chroot directory. .IP -Additionally, unbound may need to access /dev/urandom (for entropy) +Additionally, Unbound may need to access /dev/urandom (for entropy) from inside the chroot. .IP If given a chroot is done to the given directory. By default chroot is @@ -776,7 +776,7 @@ The logfile is reopened (for append) when the config file is reread, on SIGHUP. .TP .B use\-syslog: \fI -Sets unbound to send log messages to the syslogd, using +Sets Unbound to send log messages to the syslogd, using \fIsyslog\fR(3). The log facility LOG_DAEMON is used, with identity "unbound". The logfile setting is overridden when use\-syslog is turned on. @@ -786,7 +786,7 @@ The default is to log to syslog. If "" is given (default), then the name of the executable, usually "unbound" is used to report to the log. Enter a string to override it with that, which is useful on systems that run more than one instance of -unbound, with different configurations, so that the logs can be easily +Unbound, with different configurations, so that the logs can be easily distinguished against. .TP .B log\-time\-ascii: \fI @@ -874,12 +874,12 @@ with ascii_ prefix and then an ascii string. If enabled trustanchor.unbound queries are refused. .TP .B target\-fetch\-policy: \fI<"list of numbers"> -Set the target fetch policy used by unbound to determine if it should fetch +Set the target fetch policy used by Unbound to determine if it should fetch nameserver target addresses opportunistically. The policy is described per dependency depth. .IP The number of values determines the maximum dependency depth -that unbound will pursue in answering a query. +that Unbound will pursue in answering a query. A value of \-1 means to fetch all targets opportunistically for that dependency depth. A value of 0 means to fetch on demand only. A positive value fetches that many targets opportunistically. @@ -973,7 +973,7 @@ This option only has effect when qname-minimisation is enabled. Default is no. .B aggressive\-nsec: \fI Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other denials, using information from previous NXDOMAINs answers. -Default is no. It helps to reduce the query rate towards targets that get +Default is yes. It helps to reduce the query rate towards targets that get a very high nonexistent name lookup rate. .TP .B private\-address: \fI @@ -1030,7 +1030,7 @@ a little more CPU. Also if the cache is set to 0, it is no use. Default is no. .TP .B deny\-any: \fI If yes, deny queries of type ANY with an empty response. Default is no. -If disabled, unbound responds with a short list of resource records if some +If disabled, Unbound responds with a short list of resource records if some can be found in the cache and makes the upstream type ANY query if there are none. .TP @@ -1090,7 +1090,7 @@ File with trust anchor for one zone, which is tracked with RFC5011 probes. The probes are run several times per month, thus the machine must be online frequently. The initial file can be one with contents as described in \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, -so the unbound user must have write permission. Write permission to the file, +so the Unbound user must have write permission. Write permission to the file, but also to the directory it is in (to create a temporary file, which is necessary to deal with filesystem full events), it must also be inside the chroot (if that is used). @@ -1176,7 +1176,7 @@ the verbosity setting. Default is 0, off. At 1, for every user query that fails a line is printed to the logs. This way you can monitor what happens with validation. Use a diagnosis tool, such as dig or drill, to find out why validation is failing for these queries. At 2, not only -the query that failed is printed but also the reason why unbound thought +the query that failed is printed but also the reason why Unbound thought it was wrong and which server sent the faulty data. .TP .B val\-permissive\-mode: \fI @@ -1188,15 +1188,15 @@ is set in replies. Also logging is performed as for full validation. The default value is "no". .TP .B ignore\-cd\-flag: \fI -Instruct unbound to ignore the CD flag from clients and refuse to +Instruct Unbound to ignore the CD flag from clients and refuse to return bogus answers to them. Thus, the CD (Checking Disabled) flag does not disable checking any more. This is useful if legacy (w2008) servers that set the CD flag but cannot validate DNSSEC themselves are -the clients, and then unbound provides them with DNSSEC protection. +the clients, and then Unbound provides them with DNSSEC protection. The default value is "no". .TP .B serve\-expired: \fI -If enabled, unbound attempts to serve old responses from cache with a +If enabled, Unbound attempts to serve old responses from cache with a TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the actual resolution to finish. The actual resolution answer ends up in the cache later on. Default is "no". @@ -1227,14 +1227,14 @@ RFC 8767 is 1800. Setting this to 0 will disable this behavior. Default is 0. .TP .B serve\-original\-ttl: \fI -If enabled, unbound will always return the original TTL as received from +If enabled, Unbound will always return the original TTL as received from the upstream name server rather than the decrementing TTL as -stored in the cache. This feature may be useful if unbound serves as a -front-end to a hidden authoritative name server. Enabling this feature does -not impact cache expiry, it only changes the TTL unbound embeds in responses to +stored in the cache. This feature may be useful if Unbound serves as a +front-end to a hidden authoritative name server. Enabling this feature does +not impact cache expiry, it only changes the TTL Unbound embeds in responses to queries. Note that enabling this feature implicitly disables enforcement of -the configured minimum and maximum TTL, as it is assumed users who enable this -feature do not want unbound to change the TTL obtained from an upstream server. +the configured minimum and maximum TTL, as it is assumed users who enable this +feature do not want Unbound to change the TTL obtained from an upstream server. Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are ignored. Default is "no". @@ -1295,11 +1295,11 @@ or gigabytes (1024*1024 bytes in a megabyte). .TP .B unblock\-lan\-zones: \fI Default is disabled. If enabled, then for private address space, -the reverse lookups are no longer filtered. This allows unbound when +the reverse lookups are no longer filtered. This allows Unbound when running as dns service on a host where it provides service for that host, to put out all of the queries for the 'lan' upstream. When enabled, only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured -with default local zones. Disable the option when unbound is running +with default local zones. Disable the option when Unbound is running as a (DHCP-) DNS network resolver for a group of machines, where such lookups should be filtered (RFC compliance), this also stops potential data leakage about the local network to the upstream DNS servers. @@ -1403,7 +1403,7 @@ Breaks out of that view and moves towards the global local zones for answer to the query. If the view first is no, it'll resolve normally. If view first is enabled, it'll break perform that step and check the global answers. For when the view has view specific overrides but some zone has to be -answered from global local zone contents. +answered from global local zone contents. .TP 10 \h'5'\fInodefault\fR Used to turn off default contents for AS112 zones. The other types @@ -1647,8 +1647,9 @@ query names, but not spoofed reflection floods. Cached responses are not ratelimited by this setting. The zone of the query is determined by examining the nameservers for it, the zone name is used to keep track of the rate. For example, 1000 may be a suitable value to stop the server from being -overloaded with random names, and keeps unbound from sending traffic to the -nameservers for those zones. +overloaded with random names, and keeps Unbound from sending traffic to the +nameservers for those zones. Configured forwarders are excluded from +ratelimiting. .TP 5 .B ratelimit\-size: \fI Give the size of the data structure in which the current ongoing rates are @@ -1670,6 +1671,15 @@ This can make ordinary queries complete (if repeatedly queried for), and enter the cache, whilst also mitigating the traffic flow by the factor given. .TP 5 +.B ratelimit\-backoff: \fI +If enabled, the ratelimit is treated as a hard failure instead of the default +maximum allowed constant rate. When the limit is reached, traffic is +ratelimited and demand continues to be kept track of for a 2 second rate +window. No traffic is allowed, except for ratelimit\-factor, until demand +decreases below the configured ratelimit for a 2 second rate window. Useful to +set ratelimit to a suspicious rate to aggressively limit unusually high +traffic. Default is off. +.TP 5 .B ratelimit\-for\-domain: \fI Override the global ratelimit for an exact match domain name with the listed number. You can give this for any number of names. For example, for @@ -1686,7 +1696,7 @@ to use different settings for a top\-level\-domain and subdomains. A value of 0 will disable ratelimiting for domain names that end in this name. .TP 5 .B ip\-ratelimit: \fI -Enable global ratelimiting of queries accepted per ip address. +Enable global ratelimiting of queries accepted per IP address. If 0, the default, it is disabled. This option is experimental at this time. The ratelimit is in queries per second that are allowed. More queries are completely dropped and will not receive a reply, SERVFAIL or otherwise. @@ -1713,8 +1723,17 @@ This can make ordinary queries complete (if repeatedly queried for), and enter the cache, whilst also mitigating the traffic flow by the factor given. .TP 5 +.B ip\-ratelimit\-backoff: \fI +If enabled, the ratelimit is treated as a hard failure instead of the default +maximum allowed constant rate. When the limit is reached, traffic is +ratelimited and demand continues to be kept track of for a 2 second rate +window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand +decreases below the configured ratelimit for a 2 second rate window. Useful to +set ip\-ratelimit to a suspicious rate to aggressively limit unusually high +traffic. Default is off. +.TP 5 .B outbound\-msg\-retry: \fI -The number of retries unbound will do in case of a non positive response is +The number of retries Unbound will do in case of a non positive response is received. If a forward nameserver is used, this is the number of retries per forward nameserver in case of throwaway response. .TP 5 @@ -1747,7 +1766,7 @@ In the .B remote\-control: clause are the declarations for the remote control facility. If this is enabled, the \fIunbound\-control\fR(8) utility can be used to send -commands to the running unbound server. The server uses these clauses +commands to the running Unbound server. The server uses these clauses to setup TLSv1 security for the connection. The \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR section for options. To setup the correct self\-signed certificates use the @@ -1767,7 +1786,7 @@ the server for the change to take effect. .IP If you set it to an absolute path, a local socket is used. The local socket does not use the certificates and keys, so those files need not be present. -To restrict access, unbound sets permissions on the file to the user and +To restrict access, Unbound sets permissions on the file to the user and group that is configured, the access bits are set to allow the group members to access the control socket file. Put users that need to access the socket in the that group. To restrict access further, create a directory to put @@ -1787,12 +1806,12 @@ and the value of this option is ignored. .B server\-key\-file: \fI Path to the server private key, by default unbound_server.key. This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by the unbound server, but not by \fIunbound\-control\fR. +This file is used by the Unbound server, but not by \fIunbound\-control\fR. .TP 5 .B server\-cert\-file: \fI Path to the server self signed certificate, by default unbound_server.pem. This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by the unbound server, and also by \fIunbound\-control\fR. +This file is used by the Unbound server, and also by \fIunbound\-control\fR. .TP 5 .B control\-key\-file: \fI Path to the control client private key, by default unbound_control.key. @@ -1810,24 +1829,24 @@ There may be multiple .B stub\-zone: clauses. Each with a name: and zero or more hostnames or IP addresses. For the stub zone this list of nameservers is used. Class IN is assumed. -The servers should be authority servers, not recursors; unbound performs +The servers should be authority servers, not recursors; Unbound performs the recursive processing itself for stub zones. .P The stub zone can be used to configure authoritative data to be used by the resolver that cannot be accessed using the public internet servers. This is useful for company\-local data or private zones. Setup an authoritative server on a different host (or different port). Enter a config -entry for unbound with +entry for Unbound with .B stub\-addr: . -The unbound resolver can then access the data, without referring to the +The Unbound resolver can then access the data, without referring to the public internet for it. .P This setup allows DNSSEC signed zones to be served by that authoritative server, in which case a trusted key entry with the public key -can be put in config, so that unbound can validate the data and set the AD +can be put in config, so that Unbound can validate the data and set the AD bit on replies for the private zone (authoritative servers do not set the -AD bit). This setup makes unbound capable of answering queries for the +AD bit). This setup makes Unbound capable of answering queries for the private zone, and can even set the AD bit ('authentic'), but the AA ('authoritative') bit is not set on these replies. .P @@ -1835,20 +1854,26 @@ Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally served zone. The insecure clause stops DNSSEC from invalidating the zone. The local zone nodefault (or \fItransparent\fR) clause makes the -(reverse\-) zone bypass unbound's filtering of RFC1918 zones. +(reverse\-) zone bypass Unbound's filtering of RFC1918 zones. .TP .B name: \fI Name of the stub zone. This is the full domain name of the zone. .TP .B stub\-host: \fI Name of stub zone nameserver. Is itself resolved before it is used. +To use a nondefault port for DNS communication append '@' with the port number. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .TP .B stub\-addr: \fI IP address of stub zone nameserver. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. -If tls is enabled, then you can append a '#' and a name, then it'll check -the tls authentication certificates with that name. If you combine -the '@' and '#', the '@' comes first. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .TP .B stub\-prime: \fI This option is by default no. If enabled it performs NS set priming, @@ -1884,10 +1909,10 @@ clauses. Each with a \fBname:\fR and zero or more hostnames or IP addresses. For the forward zone this list of nameservers is used to forward the queries to. The servers listed as \fBforward\-host:\fR and \fBforward\-addr:\fR have to handle further recursion for the query. Thus, -those servers are not authority servers, but are (just like unbound is) -recursive servers too; unbound does not perform recursion itself for the +those servers are not authority servers, but are (just like Unbound is) +recursive servers too; Unbound does not perform recursion itself for the forward zone, it lets the remote server do it. Class IN is assumed. -CNAMEs are chased by unbound itself, asking the remote server for every +CNAMEs are chased by Unbound itself, asking the remote server for every name in the indirection chain, to protect the local cache from illegal indirect referenced items. A forward\-zone entry with name "." and a forward\-addr target will @@ -1899,13 +1924,19 @@ Name of the forward zone. This is the full domain name of the zone. .TP .B forward\-host: \fI Name of server to forward to. Is itself resolved before it is used. +To use a nondefault port for DNS communication append '@' with the port number. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .TP .B forward\-addr: \fI IP address of server to forward to. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. -If tls is enabled, then you can append a '#' and a name, then it'll check -the tls authentication certificates with that name. If you combine -the '@' and '#', the '@' comes first. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .IP At high verbosity it logs the TLS certificate, with TLS enabled. If you leave out the '#' and auth name from the forward\-addr, any @@ -1913,7 +1944,7 @@ name is accepted. The cert must also match a CA from the tls\-cert\-bundle. .TP .B forward\-first: \fI If a forwarded query is met with a SERVFAIL error, and this option is -enabled, unbound will fall back to normal recursive resolution for this +enabled, Unbound will fall back to normal recursive resolution for this query as if no query forwarding had been specified. The default is "no". .TP .B forward\-tls\-upstream: \fI @@ -1939,7 +1970,7 @@ have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone The authority zone with the name closest to the name looked up is used. Authority zones are processed after \fBlocal\-zones\fR and before cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner -make unbound respond like an authority server. Authority zones are also +make Unbound respond like an authority server. Authority zones are also processed after cache, just before going to the network to fetch information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used in this manner provide a local copy of an authority server that speeds up @@ -2000,25 +2031,25 @@ file is downloaded when notified. The primaries from primary: statements are allowed notify by default. .TP .B fallback\-enabled: \fI -Default no. If enabled, unbound falls back to querying the internet as +Default no. If enabled, Unbound falls back to querying the internet as a resolver for this zone when lookups fail. For example for DNSSEC validation failures. .TP .B for\-downstream: \fI -Default yes. If enabled, unbound serves authority responses to -downstream clients for this zone. This option makes unbound behave, for +Default yes. If enabled, Unbound serves authority responses to +downstream clients for this zone. This option makes Unbound behave, for the queries with names in this zone, like one of the authority servers for -that zone. Turn it off if you want unbound to provide recursion for the +that zone. Turn it off if you want Unbound to provide recursion for the zone but have a local copy of zone data. If for\-downstream is no and -for\-upstream is yes, then unbound will DNSSEC validate the contents of the +for\-upstream is yes, then Unbound will DNSSEC validate the contents of the zone before serving the zone contents to clients and store validation results in the cache. .TP .B for\-upstream: \fI -Default yes. If enabled, unbound fetches data from this data collection +Default yes. If enabled, Unbound fetches data from this data collection for answering recursion queries. Instead of sending queries over the internet to the authority servers for this zone, it'll fetch the data directly from -the zone data. Turn it on when you want unbound to provide recursion for +the zone data. Turn it on when you want Unbound to provide recursion for downstream clients, and use the zone data as a local copy to speed up lookups. .TP .B zonemd\-check: \fI @@ -2042,14 +2073,14 @@ a ZONEMD is always a failure, also for nonDNSSEC signed zones. .TP .B zonefile: \fI The filename where the zone is stored. If not given then no zonefile is used. -If the file does not exist or is empty, unbound will attempt to fetch zone +If the file does not exist or is empty, Unbound will attempt to fetch zone data (eg. from the primary servers). .SS "View Options" .LP There may be multiple .B view: clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and -\fBlocal\-data\fR elements. Views can also contain view\-first, +\fBlocal\-data\fR elements. Views can also contain view\-first, response\-ip, response\-ip\-data and local\-data\-ptr elements. View can be mapped to requests by specifying the view name in an \fBaccess\-control\-view\fR element. Options from matching @@ -2142,9 +2173,9 @@ underneath the name given. The .B dnscrypt: clause gives the settings of the dnscrypt channel. While those options are -available, they are only meaningful if unbound was compiled with +available, they are only meaningful if Unbound was compiled with \fB\-\-enable\-dnscrypt\fR. -Currently certificate and secret/public keys cannot be generated by unbound. +Currently certificate and secret/public keys cannot be generated by Unbound. You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\ dnscrypt-wrapper/blob/master/README.md#usage .TP @@ -2263,7 +2294,7 @@ of 0 is always accepted. Default is 0. .TP .B min\-client\-subnet\-ipv4: \fI\fR Specifies the minimum prefix length of the IPv4 source mask we are willing to -accept in queries. Shorter source masks result in REFUSED answers. Source mask +accept in queries. Shorter source masks result in REFUSED answers. Source mask of 0 is always accepted. Default is 0. .TP .B max\-ecs\-tree\-size\-ipv4: \fI\fR @@ -2276,12 +2307,13 @@ This number applies for each qname/qclass/qtype tuple. Defaults to 100. .SS "Opportunistic IPsec Support Module Options" .LP The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod -validator iterator" directive and be compiled into the daemon to be -enabled. These settings go in the \fBserver:\fR section. +validator iterator" directive and be compiled into Unbound by using +\fB\-\-enable\-ipsecmod\fR to be enabled. +These settings go in the \fBserver:\fR section. .LP -When unbound receives an A/AAAA query that is not in the cache and finds a +When Unbound receives an A/AAAA query that is not in the cache and finds a valid answer, it will withhold returning the answer and instead will generate -an IPSECKEY subquery for the same domain name. If an answer was found, unbound +an IPSECKEY subquery for the same domain name. If an answer was found, Unbound will call an external hook passing the following arguments: .TP 10 \h'5'\fIQNAME\fR @@ -2310,19 +2342,19 @@ relevant for opportunistic IPsec. .B ipsecmod-enabled: \fI\fR Specifies whether the IPsec module is enabled or not. The IPsec module still needs to be defined in the \fBmodule\-config:\fR directive. This option -facilitates turning on/off the module without restarting/reloading unbound. +facilitates turning on/off the module without restarting/reloading Unbound. Defaults to yes. .TP .B ipsecmod\-hook: \fI\fR -Specifies the external hook that unbound will call with \fIsystem\fR(3). The +Specifies the external hook that Unbound will call with \fIsystem\fR(3). The file can be specified as an absolute/relative path. The file needs the proper -permissions to be able to be executed by the same user that runs unbound. It +permissions to be able to be executed by the same user that runs Unbound. It must be present when the IPsec module is defined in the \fBmodule\-config:\fR directive. .TP .B ipsecmod-strict: \fI\fR -If enabled unbound requires the external hook to return a success value of 0. -Failing to do so unbound will reply with SERVFAIL. The A/AAAA answer will also +If enabled Unbound requires the external hook to return a success value of 0. +Failing to do so Unbound will reply with SERVFAIL. The A/AAAA answer will also not be cached. Defaults to no. .TP .B ipsecmod\-max-ttl: \fI\fR @@ -2330,7 +2362,7 @@ Time to live maximum for A/AAAA cached records after calling the external hook. Defaults to 3600. .TP .B ipsecmod-ignore-bogus: \fI\fR -Specifies the behaviour of unbound when the IPSECKEY answer is bogus. If set +Specifies the behaviour of Unbound when the IPSECKEY answer is bogus. If set to yes, the hook will be called and the A/AAAA answer will be returned to the client. If set to no, the hook will not be called and the answer to the A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no. @@ -2357,7 +2389,7 @@ If Unbound cannot even find an answer in the backend, it resolves the query as usual, and stores the answer in the backend. .P This module interacts with the \fBserve\-expired\-*\fR options and will reply -with expired data if unbound is configured for that. Currently the use +with expired data if Unbound is configured for that. Currently the use of \fBserve\-expired\-client\-timeout:\fR and \fBserve\-expired\-reply\-ttl:\fR is not consistent for data originating from the external cache as these will result in a reply with 0 TTL without trying to @@ -2436,16 +2468,17 @@ re-establish a new connection later. This option defaults to 100 milliseconds. .TP .B redis-expire-records: \fI -If Redis record expiration is enabled. If yes, unbound sets timeout for Redis +If Redis record expiration is enabled. If yes, Unbound sets timeout for Redis records so that Redis can evict keys that have expired automatically. If -unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0, +Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0, this option is internally reverted to "no". Redis SETEX support is required for this option (Redis >= 2.0.0). This option defaults to no. .SS DNSTAP Logging Options -DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section. +DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled +in the \fBdnstap:\fR section. This starts an extra thread (when compiled with threading) that writes -the log information to the destination. If unbound is compiled without +the log information to the destination. If Unbound is compiled without threading it does not spawn a thread, but connects per-process to the destination. .TP @@ -2503,19 +2536,19 @@ Default is "". .TP .B dnstap-log-resolver-query-messages: \fI Enable to log resolver query messages. Default is no. -These are messages from unbound to upstream servers. +These are messages from Unbound to upstream servers. .TP .B dnstap-log-resolver-response-messages: \fI Enable to log resolver response messages. Default is no. -These are replies from upstream servers to unbound. +These are replies from upstream servers to Unbound. .TP .B dnstap-log-client-query-messages: \fI Enable to log client query messages. Default is no. -These are client queries to unbound. +These are client queries to Unbound. .TP .B dnstap-log-client-response-messages: \fI Enable to log client response messages. Default is no. -These are responses from unbound to clients. +These are responses from Unbound to clients. .TP .B dnstap-log-forwarder-query-messages: \fI Enable to log forwarder query messages. Default is no. @@ -2614,7 +2647,7 @@ allowed notify by default. .TP .B zonefile: \fI The filename where the zone is stored. If not given then no zonefile is used. -If the file does not exist or is empty, unbound will attempt to fetch zone +If the file does not exist or is empty, Unbound will attempt to fetch zone data (eg. from the primary servers). .TP .B rpz\-action\-override: \fI @@ -2631,6 +2664,17 @@ Log all applied RPZ actions for this RPZ zone. Default is no. .B rpz\-log\-name: \fI Specify a string to be part of the log line, for easy referencing. .TP +.B rpz\-signal\-nxdomain\-ra: \fI +Signal when a query is blocked by the RPZ with NXDOMAIN with an unset RA flag. +This allows certain clients, like dnsmasq, to infer that the domain is +externally blocked. Default is no. +.TP +.B for\-downstream: \fI +If enabled the zone is authoritatively answered for and queries for the RPZ +zone information are answered to downstream clients. This is useful for +monitoring scripts, that can then access the SOA information to check if +the rpz information is up to date. Default is no. +.TP .B tags: \fI Limit the policies from this RPZ clause to clients with a matching tag. Tags need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses @@ -2671,7 +2715,7 @@ server: .SH "FILES" .TP .I @UNBOUND_RUN_DIR@ -default unbound working directory. +default Unbound working directory. .TP .I @UNBOUND_CHROOT_DIR@ default @@ -2679,13 +2723,13 @@ default location. .TP .I @ub_conf_file@ -unbound configuration file. +Unbound configuration file. .TP .I @UNBOUND_PIDFILE@ -default unbound pidfile with process ID of the running daemon. +default Unbound pidfile with process ID of the running daemon. .TP .I unbound.log -unbound log file. default is to log to +Unbound log file. default is to log to \fIsyslog\fR(3). .SH "SEE ALSO" \fIunbound\fR(8), diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in index 4c144db22ab5..e1cc5c020756 100644 --- a/contrib/unbound/doc/unbound.conf.5.in +++ b/contrib/unbound/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Dec 9, 2021" "NLnet Labs" "unbound 1.14.0" +.TH "unbound.conf" "5" "Feb 10, 2022" "NLnet Labs" "unbound 1.15.0" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -104,7 +104,7 @@ requestlist statistics are printed for every interval (but can be 0). This is because the median calculation requires data to be present. .TP .B statistics\-cumulative: \fI -If enabled, statistics are cumulative since starting unbound, without clearing +If enabled, statistics are cumulative since starting Unbound, without clearing the statistics counters after logging the statistics. Default is no. .TP .B extended\-statistics: \fI @@ -136,7 +136,7 @@ Same as interface: (for ease of compatibility with nsd.conf). Listen on all addresses on all (current and future) interfaces, detect the source interface on UDP queries and copy them to replies. This is a lot like ip\-transparent, but this option services all interfaces whilst with -ip\-transparent you can select which (future) interfaces unbound provides +ip\-transparent you can select which (future) interfaces Unbound provides service on. This feature is experimental, and needs support in your OS for particular socket options. Default value is no. .TP @@ -154,7 +154,7 @@ sent via a random outgoing interface to counter spoofing. If an IPv6 netblock is specified instead of an individual IPv6 address, outgoing UDP queries will use a randomised source address taken from the netblock to counter spoofing. Requires the IPv6 netblock to be routed to the -host running unbound, and requires OS support for unprivileged non-local binds +host running Unbound, and requires OS support for unprivileged non-local binds (currently only supported on Linux). Several netblocks may be specified with multiple .B outgoing\-interface: @@ -174,7 +174,7 @@ numbers need extra resources from the operating system. For performance a very large value is best, use libevent to make this possible. .TP .B outgoing\-port\-permit: \fI -Permit unbound to open this port or range of ports for use to send queries. +Permit Unbound to open this port or range of ports for use to send queries. A larger number of permitted outgoing ports increases resilience against spoofing attempts. Make sure these ports are not needed by other daemons. By default only ports above 1024 that have not been assigned by IANA are used. @@ -187,8 +187,8 @@ processing starts with the non IANA allocated ports above 1024 in the set of allowed ports. .TP .B outgoing\-port\-avoid: \fI -Do not permit unbound to open this port or range of ports for use to send -queries. Use this to make sure unbound does not grab a port that another +Do not permit Unbound to open this port or range of ports for use to send +queries. Use this to make sure Unbound does not grab a port that another daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6. By default only ports above 1024 that have not been assigned by IANA are used. Give a port number or a range of the form "low\-high", without spaces. @@ -289,7 +289,7 @@ If not 0, then set the SO_RCVBUF socket option to get more buffer space on UDP port 53 incoming queries. So that short spikes on busy servers do not drop packets (see counter in netstat \-su). Default is 0 (use system value). Otherwise, the number of bytes to ask for, try -"4m" on a busy server. The OS caps it at a maximum, on linux unbound +"4m" on a busy server. The OS caps it at a maximum, on linux Unbound needs root permission to bypass the limit, or the admin can use sysctl net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf. On OpenBSD change header and recompile kernel. On Solaris ndd \-set @@ -302,7 +302,7 @@ in answer traffic, otherwise 'send: resource temporarily unavailable' can get logged, the buffer overrun is also visible by netstat \-su. Default is 0 (use system value). Specify the number of bytes to ask for, try "4m" on a very busy server. The OS caps it at a maximum, on -linux unbound needs root permission to bypass the limit, or the admin +linux Unbound needs root permission to bypass the limit, or the admin can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar to so\-rcvbuf. .TP @@ -319,18 +319,18 @@ At extreme load it could be better to turn it off to distribute the queries evenly, reported for Linux systems (4.4.x). .TP .B ip\-transparent: \fI -If yes, then use IP_TRANSPARENT socket option on sockets where unbound +If yes, then use IP_TRANSPARENT socket option on sockets where Unbound is listening for incoming traffic. Default no. Allows you to bind to non\-local interfaces. For example for non\-existent IP addresses that are going to exist later on, with host failover configuration. This is a lot like interface\-automatic, but that one services all interfaces -and with this option you can select which (future) interfaces unbound -provides service on. This option needs unbound to be started with root +and with this option you can select which (future) interfaces Unbound +provides service on. This option needs Unbound to be started with root permissions on some systems. The option uses IP_BINDANY on FreeBSD systems and SO_BINDANY on OpenBSD systems. .TP .B ip\-freebind: \fI -If yes, then use IP_FREEBIND socket option on sockets where unbound +If yes, then use IP_FREEBIND socket option on sockets where Unbound is listening to incoming traffic. Default no. Allows you to bind to IP addresses that are nonlocal or do not exist, like when the network interface or IP address is down. Exists only on Linux, where the similar @@ -560,7 +560,7 @@ service. Can list multiple, each on a new statement. .TP .B tls-session-ticket-keys: \fI If not "", lists files with 80 bytes of random contents that are used to -perform TLS session resumption for clients using the unbound server. +perform TLS session resumption for clients using the Unbound server. These files contain the secret key for the TLS session tickets. First key use to encrypt and decrypt TLS session tickets. Other keys use to decrypt only. With this you can roll over to new keys, @@ -642,8 +642,8 @@ Enable or disable systemd socket activation. Default is no. .TP .B do\-daemonize: \fI -Enable or disable whether the unbound server forks into the background as -a daemon. Set the value to \fIno\fR when unbound runs as systemd service. +Enable or disable whether the Unbound server forks into the background as +a daemon. Set the value to \fIno\fR when Unbound runs as systemd service. Default is yes. .TP .B tcp\-connection\-limit: \fI @@ -670,7 +670,7 @@ what almost all clients need). Nonrecursive queries are refused. .IP The \fIallow\fR action does allow nonrecursive queries to access the local\-data that is configured. The reason is that this does not involve -the unbound server recursive lookup algorithm, and static data is served +the Unbound server recursive lookup algorithm, and static data is served in the reply. This supports normal operations where nonrecursive queries are made for the authoritative data. For nonrecursive queries any replies from the dynamic cache are refused. @@ -742,7 +742,7 @@ to chroot and dropping permissions. This allows the pidfile to be Unbound is not able to remove the pidfile after termination when it is located outside of the chroot directory. .IP -Additionally, unbound may need to access /dev/urandom (for entropy) +Additionally, Unbound may need to access /dev/urandom (for entropy) from inside the chroot. .IP If given a chroot is done to the given directory. By default chroot is @@ -776,7 +776,7 @@ The logfile is reopened (for append) when the config file is reread, on SIGHUP. .TP .B use\-syslog: \fI -Sets unbound to send log messages to the syslogd, using +Sets Unbound to send log messages to the syslogd, using \fIsyslog\fR(3). The log facility LOG_DAEMON is used, with identity "unbound". The logfile setting is overridden when use\-syslog is turned on. @@ -786,7 +786,7 @@ The default is to log to syslog. If "" is given (default), then the name of the executable, usually "unbound" is used to report to the log. Enter a string to override it with that, which is useful on systems that run more than one instance of -unbound, with different configurations, so that the logs can be easily +Unbound, with different configurations, so that the logs can be easily distinguished against. .TP .B log\-time\-ascii: \fI @@ -874,12 +874,12 @@ with ascii_ prefix and then an ascii string. If enabled trustanchor.unbound queries are refused. .TP .B target\-fetch\-policy: \fI<"list of numbers"> -Set the target fetch policy used by unbound to determine if it should fetch +Set the target fetch policy used by Unbound to determine if it should fetch nameserver target addresses opportunistically. The policy is described per dependency depth. .IP The number of values determines the maximum dependency depth -that unbound will pursue in answering a query. +that Unbound will pursue in answering a query. A value of \-1 means to fetch all targets opportunistically for that dependency depth. A value of 0 means to fetch on demand only. A positive value fetches that many targets opportunistically. @@ -973,7 +973,7 @@ This option only has effect when qname-minimisation is enabled. Default is no. .B aggressive\-nsec: \fI Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other denials, using information from previous NXDOMAINs answers. -Default is no. It helps to reduce the query rate towards targets that get +Default is yes. It helps to reduce the query rate towards targets that get a very high nonexistent name lookup rate. .TP .B private\-address: \fI @@ -1030,7 +1030,7 @@ a little more CPU. Also if the cache is set to 0, it is no use. Default is no. .TP .B deny\-any: \fI If yes, deny queries of type ANY with an empty response. Default is no. -If disabled, unbound responds with a short list of resource records if some +If disabled, Unbound responds with a short list of resource records if some can be found in the cache and makes the upstream type ANY query if there are none. .TP @@ -1090,7 +1090,7 @@ File with trust anchor for one zone, which is tracked with RFC5011 probes. The probes are run several times per month, thus the machine must be online frequently. The initial file can be one with contents as described in \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, -so the unbound user must have write permission. Write permission to the file, +so the Unbound user must have write permission. Write permission to the file, but also to the directory it is in (to create a temporary file, which is necessary to deal with filesystem full events), it must also be inside the chroot (if that is used). @@ -1176,7 +1176,7 @@ the verbosity setting. Default is 0, off. At 1, for every user query that fails a line is printed to the logs. This way you can monitor what happens with validation. Use a diagnosis tool, such as dig or drill, to find out why validation is failing for these queries. At 2, not only -the query that failed is printed but also the reason why unbound thought +the query that failed is printed but also the reason why Unbound thought it was wrong and which server sent the faulty data. .TP .B val\-permissive\-mode: \fI @@ -1188,15 +1188,15 @@ is set in replies. Also logging is performed as for full validation. The default value is "no". .TP .B ignore\-cd\-flag: \fI -Instruct unbound to ignore the CD flag from clients and refuse to +Instruct Unbound to ignore the CD flag from clients and refuse to return bogus answers to them. Thus, the CD (Checking Disabled) flag does not disable checking any more. This is useful if legacy (w2008) servers that set the CD flag but cannot validate DNSSEC themselves are -the clients, and then unbound provides them with DNSSEC protection. +the clients, and then Unbound provides them with DNSSEC protection. The default value is "no". .TP .B serve\-expired: \fI -If enabled, unbound attempts to serve old responses from cache with a +If enabled, Unbound attempts to serve old responses from cache with a TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the actual resolution to finish. The actual resolution answer ends up in the cache later on. Default is "no". @@ -1227,14 +1227,14 @@ RFC 8767 is 1800. Setting this to 0 will disable this behavior. Default is 0. .TP .B serve\-original\-ttl: \fI -If enabled, unbound will always return the original TTL as received from +If enabled, Unbound will always return the original TTL as received from the upstream name server rather than the decrementing TTL as -stored in the cache. This feature may be useful if unbound serves as a -front-end to a hidden authoritative name server. Enabling this feature does -not impact cache expiry, it only changes the TTL unbound embeds in responses to +stored in the cache. This feature may be useful if Unbound serves as a +front-end to a hidden authoritative name server. Enabling this feature does +not impact cache expiry, it only changes the TTL Unbound embeds in responses to queries. Note that enabling this feature implicitly disables enforcement of -the configured minimum and maximum TTL, as it is assumed users who enable this -feature do not want unbound to change the TTL obtained from an upstream server. +the configured minimum and maximum TTL, as it is assumed users who enable this +feature do not want Unbound to change the TTL obtained from an upstream server. Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are ignored. Default is "no". @@ -1295,11 +1295,11 @@ or gigabytes (1024*1024 bytes in a megabyte). .TP .B unblock\-lan\-zones: \fI Default is disabled. If enabled, then for private address space, -the reverse lookups are no longer filtered. This allows unbound when +the reverse lookups are no longer filtered. This allows Unbound when running as dns service on a host where it provides service for that host, to put out all of the queries for the 'lan' upstream. When enabled, only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured -with default local zones. Disable the option when unbound is running +with default local zones. Disable the option when Unbound is running as a (DHCP-) DNS network resolver for a group of machines, where such lookups should be filtered (RFC compliance), this also stops potential data leakage about the local network to the upstream DNS servers. @@ -1403,7 +1403,7 @@ Breaks out of that view and moves towards the global local zones for answer to the query. If the view first is no, it'll resolve normally. If view first is enabled, it'll break perform that step and check the global answers. For when the view has view specific overrides but some zone has to be -answered from global local zone contents. +answered from global local zone contents. .TP 10 \h'5'\fInodefault\fR Used to turn off default contents for AS112 zones. The other types @@ -1647,8 +1647,9 @@ query names, but not spoofed reflection floods. Cached responses are not ratelimited by this setting. The zone of the query is determined by examining the nameservers for it, the zone name is used to keep track of the rate. For example, 1000 may be a suitable value to stop the server from being -overloaded with random names, and keeps unbound from sending traffic to the -nameservers for those zones. +overloaded with random names, and keeps Unbound from sending traffic to the +nameservers for those zones. Configured forwarders are excluded from +ratelimiting. .TP 5 .B ratelimit\-size: \fI Give the size of the data structure in which the current ongoing rates are @@ -1670,6 +1671,15 @@ This can make ordinary queries complete (if repeatedly queried for), and enter the cache, whilst also mitigating the traffic flow by the factor given. .TP 5 +.B ratelimit\-backoff: \fI +If enabled, the ratelimit is treated as a hard failure instead of the default +maximum allowed constant rate. When the limit is reached, traffic is +ratelimited and demand continues to be kept track of for a 2 second rate +window. No traffic is allowed, except for ratelimit\-factor, until demand +decreases below the configured ratelimit for a 2 second rate window. Useful to +set ratelimit to a suspicious rate to aggressively limit unusually high +traffic. Default is off. +.TP 5 .B ratelimit\-for\-domain: \fI Override the global ratelimit for an exact match domain name with the listed number. You can give this for any number of names. For example, for @@ -1686,7 +1696,7 @@ to use different settings for a top\-level\-domain and subdomains. A value of 0 will disable ratelimiting for domain names that end in this name. .TP 5 .B ip\-ratelimit: \fI -Enable global ratelimiting of queries accepted per ip address. +Enable global ratelimiting of queries accepted per IP address. If 0, the default, it is disabled. This option is experimental at this time. The ratelimit is in queries per second that are allowed. More queries are completely dropped and will not receive a reply, SERVFAIL or otherwise. @@ -1713,8 +1723,17 @@ This can make ordinary queries complete (if repeatedly queried for), and enter the cache, whilst also mitigating the traffic flow by the factor given. .TP 5 +.B ip\-ratelimit\-backoff: \fI +If enabled, the ratelimit is treated as a hard failure instead of the default +maximum allowed constant rate. When the limit is reached, traffic is +ratelimited and demand continues to be kept track of for a 2 second rate +window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand +decreases below the configured ratelimit for a 2 second rate window. Useful to +set ip\-ratelimit to a suspicious rate to aggressively limit unusually high +traffic. Default is off. +.TP 5 .B outbound\-msg\-retry: \fI -The number of retries unbound will do in case of a non positive response is +The number of retries Unbound will do in case of a non positive response is received. If a forward nameserver is used, this is the number of retries per forward nameserver in case of throwaway response. .TP 5 @@ -1747,7 +1766,7 @@ In the .B remote\-control: clause are the declarations for the remote control facility. If this is enabled, the \fIunbound\-control\fR(8) utility can be used to send -commands to the running unbound server. The server uses these clauses +commands to the running Unbound server. The server uses these clauses to setup TLSv1 security for the connection. The \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR section for options. To setup the correct self\-signed certificates use the @@ -1767,7 +1786,7 @@ the server for the change to take effect. .IP If you set it to an absolute path, a local socket is used. The local socket does not use the certificates and keys, so those files need not be present. -To restrict access, unbound sets permissions on the file to the user and +To restrict access, Unbound sets permissions on the file to the user and group that is configured, the access bits are set to allow the group members to access the control socket file. Put users that need to access the socket in the that group. To restrict access further, create a directory to put @@ -1787,12 +1806,12 @@ and the value of this option is ignored. .B server\-key\-file: \fI Path to the server private key, by default unbound_server.key. This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by the unbound server, but not by \fIunbound\-control\fR. +This file is used by the Unbound server, but not by \fIunbound\-control\fR. .TP 5 .B server\-cert\-file: \fI Path to the server self signed certificate, by default unbound_server.pem. This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by the unbound server, and also by \fIunbound\-control\fR. +This file is used by the Unbound server, and also by \fIunbound\-control\fR. .TP 5 .B control\-key\-file: \fI Path to the control client private key, by default unbound_control.key. @@ -1810,24 +1829,24 @@ There may be multiple .B stub\-zone: clauses. Each with a name: and zero or more hostnames or IP addresses. For the stub zone this list of nameservers is used. Class IN is assumed. -The servers should be authority servers, not recursors; unbound performs +The servers should be authority servers, not recursors; Unbound performs the recursive processing itself for stub zones. .P The stub zone can be used to configure authoritative data to be used by the resolver that cannot be accessed using the public internet servers. This is useful for company\-local data or private zones. Setup an authoritative server on a different host (or different port). Enter a config -entry for unbound with +entry for Unbound with .B stub\-addr: . -The unbound resolver can then access the data, without referring to the +The Unbound resolver can then access the data, without referring to the public internet for it. .P This setup allows DNSSEC signed zones to be served by that authoritative server, in which case a trusted key entry with the public key -can be put in config, so that unbound can validate the data and set the AD +can be put in config, so that Unbound can validate the data and set the AD bit on replies for the private zone (authoritative servers do not set the -AD bit). This setup makes unbound capable of answering queries for the +AD bit). This setup makes Unbound capable of answering queries for the private zone, and can even set the AD bit ('authentic'), but the AA ('authoritative') bit is not set on these replies. .P @@ -1835,20 +1854,26 @@ Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally served zone. The insecure clause stops DNSSEC from invalidating the zone. The local zone nodefault (or \fItransparent\fR) clause makes the -(reverse\-) zone bypass unbound's filtering of RFC1918 zones. +(reverse\-) zone bypass Unbound's filtering of RFC1918 zones. .TP .B name: \fI Name of the stub zone. This is the full domain name of the zone. .TP .B stub\-host: \fI Name of stub zone nameserver. Is itself resolved before it is used. +To use a nondefault port for DNS communication append '@' with the port number. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .TP .B stub\-addr: \fI IP address of stub zone nameserver. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. -If tls is enabled, then you can append a '#' and a name, then it'll check -the tls authentication certificates with that name. If you combine -the '@' and '#', the '@' comes first. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .TP .B stub\-prime: \fI This option is by default no. If enabled it performs NS set priming, @@ -1884,10 +1909,10 @@ clauses. Each with a \fBname:\fR and zero or more hostnames or IP addresses. For the forward zone this list of nameservers is used to forward the queries to. The servers listed as \fBforward\-host:\fR and \fBforward\-addr:\fR have to handle further recursion for the query. Thus, -those servers are not authority servers, but are (just like unbound is) -recursive servers too; unbound does not perform recursion itself for the +those servers are not authority servers, but are (just like Unbound is) +recursive servers too; Unbound does not perform recursion itself for the forward zone, it lets the remote server do it. Class IN is assumed. -CNAMEs are chased by unbound itself, asking the remote server for every +CNAMEs are chased by Unbound itself, asking the remote server for every name in the indirection chain, to protect the local cache from illegal indirect referenced items. A forward\-zone entry with name "." and a forward\-addr target will @@ -1899,13 +1924,19 @@ Name of the forward zone. This is the full domain name of the zone. .TP .B forward\-host: \fI Name of server to forward to. Is itself resolved before it is used. +To use a nondefault port for DNS communication append '@' with the port number. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .TP .B forward\-addr: \fI IP address of server to forward to. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. -If tls is enabled, then you can append a '#' and a name, then it'll check -the tls authentication certificates with that name. If you combine -the '@' and '#', the '@' comes first. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .IP At high verbosity it logs the TLS certificate, with TLS enabled. If you leave out the '#' and auth name from the forward\-addr, any @@ -1913,7 +1944,7 @@ name is accepted. The cert must also match a CA from the tls\-cert\-bundle. .TP .B forward\-first: \fI If a forwarded query is met with a SERVFAIL error, and this option is -enabled, unbound will fall back to normal recursive resolution for this +enabled, Unbound will fall back to normal recursive resolution for this query as if no query forwarding had been specified. The default is "no". .TP .B forward\-tls\-upstream: \fI @@ -1939,7 +1970,7 @@ have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone The authority zone with the name closest to the name looked up is used. Authority zones are processed after \fBlocal\-zones\fR and before cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner -make unbound respond like an authority server. Authority zones are also +make Unbound respond like an authority server. Authority zones are also processed after cache, just before going to the network to fetch information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used in this manner provide a local copy of an authority server that speeds up @@ -2000,25 +2031,25 @@ file is downloaded when notified. The primaries from primary: statements are allowed notify by default. .TP .B fallback\-enabled: \fI -Default no. If enabled, unbound falls back to querying the internet as +Default no. If enabled, Unbound falls back to querying the internet as a resolver for this zone when lookups fail. For example for DNSSEC validation failures. .TP .B for\-downstream: \fI -Default yes. If enabled, unbound serves authority responses to -downstream clients for this zone. This option makes unbound behave, for +Default yes. If enabled, Unbound serves authority responses to +downstream clients for this zone. This option makes Unbound behave, for the queries with names in this zone, like one of the authority servers for -that zone. Turn it off if you want unbound to provide recursion for the +that zone. Turn it off if you want Unbound to provide recursion for the zone but have a local copy of zone data. If for\-downstream is no and -for\-upstream is yes, then unbound will DNSSEC validate the contents of the +for\-upstream is yes, then Unbound will DNSSEC validate the contents of the zone before serving the zone contents to clients and store validation results in the cache. .TP .B for\-upstream: \fI -Default yes. If enabled, unbound fetches data from this data collection +Default yes. If enabled, Unbound fetches data from this data collection for answering recursion queries. Instead of sending queries over the internet to the authority servers for this zone, it'll fetch the data directly from -the zone data. Turn it on when you want unbound to provide recursion for +the zone data. Turn it on when you want Unbound to provide recursion for downstream clients, and use the zone data as a local copy to speed up lookups. .TP .B zonemd\-check: \fI @@ -2042,14 +2073,14 @@ a ZONEMD is always a failure, also for nonDNSSEC signed zones. .TP .B zonefile: \fI The filename where the zone is stored. If not given then no zonefile is used. -If the file does not exist or is empty, unbound will attempt to fetch zone +If the file does not exist or is empty, Unbound will attempt to fetch zone data (eg. from the primary servers). .SS "View Options" .LP There may be multiple .B view: clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and -\fBlocal\-data\fR elements. Views can also contain view\-first, +\fBlocal\-data\fR elements. Views can also contain view\-first, response\-ip, response\-ip\-data and local\-data\-ptr elements. View can be mapped to requests by specifying the view name in an \fBaccess\-control\-view\fR element. Options from matching @@ -2142,9 +2173,9 @@ underneath the name given. The .B dnscrypt: clause gives the settings of the dnscrypt channel. While those options are -available, they are only meaningful if unbound was compiled with +available, they are only meaningful if Unbound was compiled with \fB\-\-enable\-dnscrypt\fR. -Currently certificate and secret/public keys cannot be generated by unbound. +Currently certificate and secret/public keys cannot be generated by Unbound. You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\ dnscrypt-wrapper/blob/master/README.md#usage .TP @@ -2263,7 +2294,7 @@ of 0 is always accepted. Default is 0. .TP .B min\-client\-subnet\-ipv4: \fI\fR Specifies the minimum prefix length of the IPv4 source mask we are willing to -accept in queries. Shorter source masks result in REFUSED answers. Source mask +accept in queries. Shorter source masks result in REFUSED answers. Source mask of 0 is always accepted. Default is 0. .TP .B max\-ecs\-tree\-size\-ipv4: \fI\fR @@ -2276,12 +2307,13 @@ This number applies for each qname/qclass/qtype tuple. Defaults to 100. .SS "Opportunistic IPsec Support Module Options" .LP The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod -validator iterator" directive and be compiled into the daemon to be -enabled. These settings go in the \fBserver:\fR section. +validator iterator" directive and be compiled into Unbound by using +\fB\-\-enable\-ipsecmod\fR to be enabled. +These settings go in the \fBserver:\fR section. .LP -When unbound receives an A/AAAA query that is not in the cache and finds a +When Unbound receives an A/AAAA query that is not in the cache and finds a valid answer, it will withhold returning the answer and instead will generate -an IPSECKEY subquery for the same domain name. If an answer was found, unbound +an IPSECKEY subquery for the same domain name. If an answer was found, Unbound will call an external hook passing the following arguments: .TP 10 \h'5'\fIQNAME\fR @@ -2310,19 +2342,19 @@ relevant for opportunistic IPsec. .B ipsecmod-enabled: \fI\fR Specifies whether the IPsec module is enabled or not. The IPsec module still needs to be defined in the \fBmodule\-config:\fR directive. This option -facilitates turning on/off the module without restarting/reloading unbound. +facilitates turning on/off the module without restarting/reloading Unbound. Defaults to yes. .TP .B ipsecmod\-hook: \fI\fR -Specifies the external hook that unbound will call with \fIsystem\fR(3). The +Specifies the external hook that Unbound will call with \fIsystem\fR(3). The file can be specified as an absolute/relative path. The file needs the proper -permissions to be able to be executed by the same user that runs unbound. It +permissions to be able to be executed by the same user that runs Unbound. It must be present when the IPsec module is defined in the \fBmodule\-config:\fR directive. .TP .B ipsecmod-strict: \fI\fR -If enabled unbound requires the external hook to return a success value of 0. -Failing to do so unbound will reply with SERVFAIL. The A/AAAA answer will also +If enabled Unbound requires the external hook to return a success value of 0. +Failing to do so Unbound will reply with SERVFAIL. The A/AAAA answer will also not be cached. Defaults to no. .TP .B ipsecmod\-max-ttl: \fI\fR @@ -2330,7 +2362,7 @@ Time to live maximum for A/AAAA cached records after calling the external hook. Defaults to 3600. .TP .B ipsecmod-ignore-bogus: \fI\fR -Specifies the behaviour of unbound when the IPSECKEY answer is bogus. If set +Specifies the behaviour of Unbound when the IPSECKEY answer is bogus. If set to yes, the hook will be called and the A/AAAA answer will be returned to the client. If set to no, the hook will not be called and the answer to the A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no. @@ -2357,7 +2389,7 @@ If Unbound cannot even find an answer in the backend, it resolves the query as usual, and stores the answer in the backend. .P This module interacts with the \fBserve\-expired\-*\fR options and will reply -with expired data if unbound is configured for that. Currently the use +with expired data if Unbound is configured for that. Currently the use of \fBserve\-expired\-client\-timeout:\fR and \fBserve\-expired\-reply\-ttl:\fR is not consistent for data originating from the external cache as these will result in a reply with 0 TTL without trying to @@ -2436,16 +2468,17 @@ re-establish a new connection later. This option defaults to 100 milliseconds. .TP .B redis-expire-records: \fI -If Redis record expiration is enabled. If yes, unbound sets timeout for Redis +If Redis record expiration is enabled. If yes, Unbound sets timeout for Redis records so that Redis can evict keys that have expired automatically. If -unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0, +Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0, this option is internally reverted to "no". Redis SETEX support is required for this option (Redis >= 2.0.0). This option defaults to no. .SS DNSTAP Logging Options -DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section. +DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled +in the \fBdnstap:\fR section. This starts an extra thread (when compiled with threading) that writes -the log information to the destination. If unbound is compiled without +the log information to the destination. If Unbound is compiled without threading it does not spawn a thread, but connects per-process to the destination. .TP @@ -2503,19 +2536,19 @@ Default is "". .TP .B dnstap-log-resolver-query-messages: \fI Enable to log resolver query messages. Default is no. -These are messages from unbound to upstream servers. +These are messages from Unbound to upstream servers. .TP .B dnstap-log-resolver-response-messages: \fI Enable to log resolver response messages. Default is no. -These are replies from upstream servers to unbound. +These are replies from upstream servers to Unbound. .TP .B dnstap-log-client-query-messages: \fI Enable to log client query messages. Default is no. -These are client queries to unbound. +These are client queries to Unbound. .TP .B dnstap-log-client-response-messages: \fI Enable to log client response messages. Default is no. -These are responses from unbound to clients. +These are responses from Unbound to clients. .TP .B dnstap-log-forwarder-query-messages: \fI Enable to log forwarder query messages. Default is no. @@ -2614,7 +2647,7 @@ allowed notify by default. .TP .B zonefile: \fI The filename where the zone is stored. If not given then no zonefile is used. -If the file does not exist or is empty, unbound will attempt to fetch zone +If the file does not exist or is empty, Unbound will attempt to fetch zone data (eg. from the primary servers). .TP .B rpz\-action\-override: \fI @@ -2631,6 +2664,17 @@ Log all applied RPZ actions for this RPZ zone. Default is no. .B rpz\-log\-name: \fI Specify a string to be part of the log line, for easy referencing. .TP +.B rpz\-signal\-nxdomain\-ra: \fI +Signal when a query is blocked by the RPZ with NXDOMAIN with an unset RA flag. +This allows certain clients, like dnsmasq, to infer that the domain is +externally blocked. Default is no. +.TP +.B for\-downstream: \fI +If enabled the zone is authoritatively answered for and queries for the RPZ +zone information are answered to downstream clients. This is useful for +monitoring scripts, that can then access the SOA information to check if +the rpz information is up to date. Default is no. +.TP .B tags: \fI Limit the policies from this RPZ clause to clients with a matching tag. Tags need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses @@ -2671,7 +2715,7 @@ server: .SH "FILES" .TP .I @UNBOUND_RUN_DIR@ -default unbound working directory. +default Unbound working directory. .TP .I @UNBOUND_CHROOT_DIR@ default @@ -2679,13 +2723,13 @@ default location. .TP .I @ub_conf_file@ -unbound configuration file. +Unbound configuration file. .TP .I @UNBOUND_PIDFILE@ -default unbound pidfile with process ID of the running daemon. +default Unbound pidfile with process ID of the running daemon. .TP .I unbound.log -unbound log file. default is to log to +Unbound log file. default is to log to \fIsyslog\fR(3). .SH "SEE ALSO" \fIunbound\fR(8), diff --git a/contrib/unbound/iterator/iter_delegpt.c b/contrib/unbound/iterator/iter_delegpt.c index bdac42b0ddb3..80148e810890 100644 --- a/contrib/unbound/iterator/iter_delegpt.c +++ b/contrib/unbound/iterator/iter_delegpt.c @@ -75,7 +75,8 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region) copy->ssl_upstream = dp->ssl_upstream; copy->tcp_upstream = dp->tcp_upstream; for(ns = dp->nslist; ns; ns = ns->next) { - if(!delegpt_add_ns(copy, region, ns->name, ns->lame)) + if(!delegpt_add_ns(copy, region, ns->name, ns->lame, + ns->tls_auth_name, ns->port)) return NULL; copy->nslist->resolved = ns->resolved; copy->nslist->got4 = ns->got4; @@ -84,8 +85,8 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region) copy->nslist->done_pside6 = ns->done_pside6; } for(a = dp->target_list; a; a = a->next_target) { - if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen, - a->bogus, a->lame, a->tls_auth_name, NULL)) + if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen, + a->bogus, a->lame, a->tls_auth_name, -1, NULL)) return NULL; } return copy; @@ -102,7 +103,7 @@ delegpt_set_name(struct delegpt* dp, struct regional* region, uint8_t* name) int delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name, - uint8_t lame) + uint8_t lame, char* tls_auth_name, int port) { struct delegpt_ns* ns; size_t len; @@ -126,6 +127,14 @@ delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name, ns->lame = lame; ns->done_pside4 = 0; ns->done_pside6 = 0; + ns->port = port; + if(tls_auth_name) { + ns->tls_auth_name = regional_strdup(region, tls_auth_name); + if(!ns->tls_auth_name) + return 0; + } else { + ns->tls_auth_name = NULL; + } return ns->name != 0; } @@ -159,9 +168,9 @@ delegpt_find_addr(struct delegpt* dp, struct sockaddr_storage* addr, return NULL; } -int -delegpt_add_target(struct delegpt* dp, struct regional* region, - uint8_t* name, size_t namelen, struct sockaddr_storage* addr, +int +delegpt_add_target(struct delegpt* dp, struct regional* region, + uint8_t* name, size_t namelen, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions) { struct delegpt_ns* ns = delegpt_find_ns(dp, name, namelen); @@ -177,17 +186,22 @@ delegpt_add_target(struct delegpt* dp, struct regional* region, if(ns->got4 && ns->got6) ns->resolved = 1; } - return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL, - additions); + log_assert(ns->port>0); + return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, + ns->tls_auth_name, ns->port, additions); } -int -delegpt_add_addr(struct delegpt* dp, struct regional* region, - struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus, - uint8_t lame, char* tls_auth_name, int* additions) +int +delegpt_add_addr(struct delegpt* dp, struct regional* region, + struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus, + uint8_t lame, char* tls_auth_name, int port, int* additions) { struct delegpt_addr* a; log_assert(!dp->dp_type_mlc); + if(port != -1) { + log_assert(port>0); + sockaddr_store_port(addr, addrlen, port); + } /* check for duplicates */ if((a = delegpt_find_addr(dp, addr, addrlen))) { if(bogus) @@ -412,7 +426,8 @@ delegpt_rrset_add_ns(struct delegpt* dp, struct regional* region, (size_t)sldns_read_uint16(nsdata->rr_data[i])) continue; /* bad format */ /* add rdata of NS (= wirefmt dname), skip rdatalen bytes */ - if(!delegpt_add_ns(dp, region, nsdata->rr_data[i]+2, lame)) + if(!delegpt_add_ns(dp, region, nsdata->rr_data[i]+2, lame, + NULL, UNBOUND_DNS_PORT)) return 0; } return 1; @@ -429,7 +444,6 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region, log_assert(!dp->dp_type_mlc); memset(&sa, 0, len); sa.sin_family = AF_INET; - sa.sin_port = (in_port_t)htons(UNBOUND_DNS_PORT); for(i=0; icount; i++) { if(d->rr_len[i] != 2 + INET_SIZE) continue; @@ -453,7 +467,6 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region, log_assert(!dp->dp_type_mlc); memset(&sa, 0, len); sa.sin6_family = AF_INET6; - sa.sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT); for(i=0; icount; i++) { if(d->rr_len[i] != 2 + INET6_SIZE) /* rdatalen + len of IP6 */ continue; @@ -555,6 +568,7 @@ void delegpt_free_mlc(struct delegpt* dp) while(n) { nn = n->next; free(n->name); + free(n->tls_auth_name); free(n); n = nn; } @@ -577,7 +591,8 @@ int delegpt_set_name_mlc(struct delegpt* dp, uint8_t* name) return (dp->name != NULL); } -int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame) +int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame, + char* tls_auth_name, int port) { struct delegpt_ns* ns; size_t len; @@ -604,14 +619,30 @@ int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame) ns->lame = (uint8_t)lame; ns->done_pside4 = 0; ns->done_pside6 = 0; + ns->port = port; + if(tls_auth_name) { + ns->tls_auth_name = strdup(tls_auth_name); + if(!ns->tls_auth_name) { + free(ns->name); + free(ns); + return 0; + } + } else { + ns->tls_auth_name = NULL; + } return 1; } int delegpt_add_addr_mlc(struct delegpt* dp, struct sockaddr_storage* addr, - socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name) + socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name, + int port) { struct delegpt_addr* a; log_assert(dp->dp_type_mlc); + if(port != -1) { + log_assert(port>0); + sockaddr_store_port(addr, addrlen, port); + } /* check for duplicates */ if((a = delegpt_find_addr(dp, addr, addrlen))) { if(bogus) @@ -664,7 +695,9 @@ int delegpt_add_target_mlc(struct delegpt* dp, uint8_t* name, size_t namelen, if(ns->got4 && ns->got6) ns->resolved = 1; } - return delegpt_add_addr_mlc(dp, addr, addrlen, bogus, lame, NULL); + log_assert(ns->port>0); + return delegpt_add_addr_mlc(dp, addr, addrlen, bogus, lame, + ns->tls_auth_name, ns->port); } size_t delegpt_get_mem(struct delegpt* dp) diff --git a/contrib/unbound/iterator/iter_delegpt.h b/contrib/unbound/iterator/iter_delegpt.h index 9c8cfb281bae..17db15a23e26 100644 --- a/contrib/unbound/iterator/iter_delegpt.h +++ b/contrib/unbound/iterator/iter_delegpt.h @@ -126,6 +126,11 @@ struct delegpt_ns { * Also enabled if a parent-side cache entry exists, or a parent-side * negative-cache entry exists. */ uint8_t done_pside6; + /** the TLS authentication name, (if not NULL) to use. */ + char* tls_auth_name; + /** the port to use; it should mosty be the default 53 but configured + * upstreams can provide nondefault ports. */ + int port; }; /** @@ -191,10 +196,12 @@ int delegpt_set_name(struct delegpt* dp, struct regional* regional, * @param regional: where to allocate the info. * @param name: domain name in wire format. * @param lame: name is lame, disprefer it. + * @param tls_auth_name: TLS authentication name (or NULL). + * @param port: port to use for resolved addresses. * @return false on error. */ -int delegpt_add_ns(struct delegpt* dp, struct regional* regional, - uint8_t* name, uint8_t lame); +int delegpt_add_ns(struct delegpt* dp, struct regional* regional, + uint8_t* name, uint8_t lame, char* tls_auth_name, int port); /** * Add NS rrset; calls add_ns repeatedly. @@ -271,12 +278,14 @@ int delegpt_add_rrset(struct delegpt* dp, struct regional* regional, * @param bogus: if address is bogus. * @param lame: if address is lame. * @param tls_auth_name: TLS authentication name (or NULL). + * @param port: the port to use; if -1 the port is taken from addr. * @param additions: will be set to 1 if a new address is added * @return false on error. */ -int delegpt_add_addr(struct delegpt* dp, struct regional* regional, +int delegpt_add_addr(struct delegpt* dp, struct regional* regional, struct sockaddr_storage* addr, socklen_t addrlen, - uint8_t bogus, uint8_t lame, char* tls_auth_name, int* additions); + uint8_t bogus, uint8_t lame, char* tls_auth_name, int port, + int* additions); /** * Find NS record in name list of delegation point. @@ -404,22 +413,27 @@ int delegpt_set_name_mlc(struct delegpt* dp, uint8_t* name); * @param dp: must have been created with delegpt_create_mlc. * @param name: the name to add. * @param lame: the name is lame, disprefer. + * @param tls_auth_name: TLS authentication name (or NULL). + * @param port: port to use for resolved addresses. * @return false on error. */ -int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame); +int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame, + char* tls_auth_name, int port); /** * add an address to a malloced delegation point. - * @param dp: must have been created with delegpt_create_mlc. + * @param dp: must have been created with delegpt_create_mlc. * @param addr: the address. * @param addrlen: the length of addr. * @param bogus: if address is bogus. * @param lame: if address is lame. * @param tls_auth_name: TLS authentication name (or NULL). + * @param port: the port to use; if -1 the port is taken from addr. * @return false on error. */ int delegpt_add_addr_mlc(struct delegpt* dp, struct sockaddr_storage* addr, - socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name); + socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name, + int port); /** * Add target address to the delegation point. diff --git a/contrib/unbound/iterator/iter_fwd.c b/contrib/unbound/iterator/iter_fwd.c index 128007a0412c..151372912476 100644 --- a/contrib/unbound/iterator/iter_fwd.c +++ b/contrib/unbound/iterator/iter_fwd.c @@ -200,21 +200,27 @@ read_fwds_name(struct config_stub* s) } /** set fwd host names */ -static int +static int read_fwds_host(struct config_stub* s, struct delegpt* dp) { struct config_strlist* p; uint8_t* dname; - size_t dname_len; + char* tls_auth_name; + int port; for(p = s->hosts; p; p = p->next) { log_assert(p->str); - dname = sldns_str2wire_dname(p->str, &dname_len); + dname = authextstrtodname(p->str, &port, &tls_auth_name); if(!dname) { log_err("cannot parse forward %s server name: '%s'", s->name, p->str); return 0; } - if(!delegpt_add_ns_mlc(dp, dname, 0)) { +#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + if(tls_auth_name) + log_err("no name verification functionality in " + "ssl library, ignored name for %s", p->str); +#endif + if(!delegpt_add_ns_mlc(dp, dname, 0, tls_auth_name, port)) { free(dname); log_err("out of memory"); return 0; @@ -245,7 +251,7 @@ read_fwds_addr(struct config_stub* s, struct delegpt* dp) "ssl library, ignored name for %s", p->str); #endif if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0, - tls_auth_name)) { + tls_auth_name, -1)) { log_err("out of memory"); return 0; } diff --git a/contrib/unbound/iterator/iter_hints.c b/contrib/unbound/iterator/iter_hints.c index 5819cfb1703d..9b1a200bbb17 100644 --- a/contrib/unbound/iterator/iter_hints.c +++ b/contrib/unbound/iterator/iter_hints.c @@ -99,7 +99,7 @@ ah(struct delegpt* dp, const char* sv, const char* ip) log_err("could not parse %s", sv); return 0; } - if(!delegpt_add_ns_mlc(dp, dname, 0) || + if(!delegpt_add_ns_mlc(dp, dname, 0, NULL, UNBOUND_DNS_PORT) || !extstrtoaddr(ip, &addr, &addrlen) || !delegpt_add_target_mlc(dp, dname, dname_len, &addr, addrlen, 0, 0)) { @@ -213,21 +213,27 @@ read_stubs_name(struct config_stub* s) } /** set stub host names */ -static int +static int read_stubs_host(struct config_stub* s, struct delegpt* dp) { struct config_strlist* p; - size_t dname_len; uint8_t* dname; + char* tls_auth_name; + int port; for(p = s->hosts; p; p = p->next) { log_assert(p->str); - dname = sldns_str2wire_dname(p->str, &dname_len); + dname = authextstrtodname(p->str, &port, &tls_auth_name); if(!dname) { log_err("cannot parse stub %s nameserver name: '%s'", s->name, p->str); return 0; } - if(!delegpt_add_ns_mlc(dp, dname, 0)) { +#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + if(tls_auth_name) + log_err("no name verification functionality in " + "ssl library, ignored name for %s", p->str); +#endif + if(!delegpt_add_ns_mlc(dp, dname, 0, tls_auth_name, port)) { free(dname); log_err("out of memory"); return 0; @@ -258,7 +264,7 @@ read_stubs_addr(struct config_stub* s, struct delegpt* dp) "ssl library, ignored name for %s", p->str); #endif if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0, - auth_name)) { + auth_name, -1)) { log_err("out of memory"); return 0; } @@ -338,7 +344,7 @@ read_root_hints(struct iter_hints* hints, char* fname) if(sldns_wirerr_get_type(rr, rr_len, dname_len) == LDNS_RR_TYPE_NS) { if(!delegpt_add_ns_mlc(dp, sldns_wirerr_get_rdata(rr, - rr_len, dname_len), 0)) { + rr_len, dname_len), 0, NULL, UNBOUND_DNS_PORT)) { log_err("out of memory reading root hints"); goto stop_read; } diff --git a/contrib/unbound/iterator/iterator.c b/contrib/unbound/iterator/iterator.c index 48238a231b13..54006940d90e 100644 --- a/contrib/unbound/iterator/iterator.c +++ b/contrib/unbound/iterator/iterator.c @@ -1533,36 +1533,6 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, if(!iq->ratelimit_ok && qstate->prefetch_leeway) iq->ratelimit_ok = 1; /* allow prefetches, this keeps otherwise valid data in the cache */ - if(!iq->ratelimit_ok && infra_ratelimit_exceeded( - qstate->env->infra_cache, iq->dp->name, - iq->dp->namelen, *qstate->env->now)) { - /* and increment the rate, so that the rate for time - * now will also exceed the rate, keeping cache fresh */ - (void)infra_ratelimit_inc(qstate->env->infra_cache, - iq->dp->name, iq->dp->namelen, - *qstate->env->now, &qstate->qinfo, - qstate->reply); - /* see if we are passed through with slip factor */ - if(qstate->env->cfg->ratelimit_factor != 0 && - ub_random_max(qstate->env->rnd, - qstate->env->cfg->ratelimit_factor) == 1) { - iq->ratelimit_ok = 1; - log_nametypeclass(VERB_ALGO, "ratelimit allowed through for " - "delegation point", iq->dp->name, - LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN); - } else { - lock_basic_lock(&ie->queries_ratelimit_lock); - ie->num_queries_ratelimited++; - lock_basic_unlock(&ie->queries_ratelimit_lock); - log_nametypeclass(VERB_ALGO, "ratelimit exceeded with " - "delegation point", iq->dp->name, - LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN); - qstate->was_ratelimited = 1; - errinf(qstate, "query was ratelimited"); - errinf_dname(qstate, "for zone", iq->dp->name); - return error_response(qstate, id, LDNS_RCODE_SERVFAIL); - } - } /* see if this dp not useless. * It is useless if: @@ -1988,12 +1958,13 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq, iq->chase_flags &= ~BIT_RD; /* go to authorities */ for(ns = p->nslist; ns; ns=ns->next) { (void)delegpt_add_ns(iq->dp, qstate->region, - ns->name, ns->lame); + ns->name, ns->lame, ns->tls_auth_name, + ns->port); } for(a = p->target_list; a; a=a->next_target) { (void)delegpt_add_addr(iq->dp, qstate->region, &a->addr, a->addrlen, a->bogus, - a->lame, a->tls_auth_name, NULL); + a->lame, a->tls_auth_name, -1, NULL); } } iq->dp->has_parent_side_NS = 1; @@ -2211,9 +2182,11 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, int auth_fallback = 0; uint8_t* qout_orig = NULL; size_t qout_orig_len = 0; + int sq_check_ratelimit = 1; + int sq_was_ratelimited = 0; - /* NOTE: a request will encounter this state for each target it - * needs to send a query to. That is, at least one per referral, + /* NOTE: a request will encounter this state for each target it + * needs to send a query to. That is, at least one per referral, * more if some targets timeout or return throwaway answers. */ log_query_info(VERB_QUERY, "processQueryTargets:", &qstate->qinfo); @@ -2534,7 +2507,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, struct dns_msg* forged_response = rpz_callback_from_iterator_module(qstate, iq); if(forged_response != NULL) { qstate->ext_state[id] = module_finished; - qstate->return_rcode = FLAGS_GET_RCODE(forged_response->rep->flags); + qstate->return_rcode = LDNS_RCODE_NOERROR; qstate->return_msg = forged_response; iq->response = forged_response; next_state(iq, FINISHED_STATE); @@ -2646,22 +2619,9 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, return 0; } - /* if not forwarding, check ratelimits per delegationpoint name */ - if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) { - if(!infra_ratelimit_inc(qstate->env->infra_cache, iq->dp->name, - iq->dp->namelen, *qstate->env->now, &qstate->qinfo, - qstate->reply)) { - lock_basic_lock(&ie->queries_ratelimit_lock); - ie->num_queries_ratelimited++; - lock_basic_unlock(&ie->queries_ratelimit_lock); - verbose(VERB_ALGO, "query exceeded ratelimits"); - qstate->was_ratelimited = 1; - errinf_dname(qstate, "exceeded ratelimit for zone", - iq->dp->name); - return error_response(qstate, id, LDNS_RCODE_SERVFAIL); - } - } - + /* Do not check ratelimit for forwarding queries or if we already got a + * pass. */ + sq_check_ratelimit = (!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok); /* We have a valid target. */ if(verbosity >= VERB_QUERY) { log_query_info(VERB_QUERY, "sending query:", &iq->qinfo_out); @@ -2673,25 +2633,32 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, } fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query)); outq = (*qstate->env->send_query)(&iq->qinfo_out, - iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), + iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), /* unset CD if to forwarder(RD set) and not dnssec retry * (blacklist nonempty) and no trust-anchors are configured * above the qname or on the first attempt when dnssec is on */ EDNS_DO| ((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&& !qstate->blacklist&&(!iter_qname_indicates_dnssec(qstate->env, - &iq->qinfo_out)||target->attempts==1)?0:BIT_CD), + &iq->qinfo_out)||target->attempts==1)?0:BIT_CD), iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted( - ie, iq), &target->addr, target->addrlen, + ie, iq), sq_check_ratelimit, &target->addr, target->addrlen, iq->dp->name, iq->dp->namelen, (iq->dp->tcp_upstream || qstate->env->cfg->tcp_upstream), (iq->dp->ssl_upstream || qstate->env->cfg->ssl_upstream), - target->tls_auth_name, qstate); + target->tls_auth_name, qstate, &sq_was_ratelimited); if(!outq) { + if(sq_was_ratelimited) { + lock_basic_lock(&ie->queries_ratelimit_lock); + ie->num_queries_ratelimited++; + lock_basic_unlock(&ie->queries_ratelimit_lock); + verbose(VERB_ALGO, "query exceeded ratelimits"); + qstate->was_ratelimited = 1; + errinf_dname(qstate, "exceeded ratelimit for zone", + iq->dp->name); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } log_addr(VERB_QUERY, "error sending query to auth server", &target->addr, target->addrlen); - if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) - infra_ratelimit_dec(qstate->env->infra_cache, iq->dp->name, - iq->dp->namelen, *qstate->env->now); if(qstate->env->cfg->qname_minimisation) iq->minimisation_state = SKIP_MINIMISE_STATE; return next_state(iq, QUERYTARGETS_STATE); @@ -2935,14 +2902,6 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, * delegation point, and back to the QUERYTARGETS_STATE. */ verbose(VERB_DETAIL, "query response was REFERRAL"); - if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) { - /* we have a referral, no ratelimit, we can send - * our queries to the given name */ - infra_ratelimit_dec(qstate->env->infra_cache, - iq->dp->name, iq->dp->namelen, - *qstate->env->now); - } - /* if hardened, only store referral if we asked for it */ if(!qstate->no_cache_store && (!qstate->env->cfg->harden_referral_path || @@ -3103,7 +3062,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, } if(forged_response != NULL) { qstate->ext_state[id] = module_finished; - qstate->return_rcode = FLAGS_GET_RCODE(forged_response->rep->flags); + qstate->return_rcode = LDNS_RCODE_NOERROR; qstate->return_msg = forged_response; iq->response = forged_response; next_state(iq, FINISHED_STATE); @@ -3384,21 +3343,22 @@ processTargetResponse(struct module_qstate* qstate, int id, log_err("out of memory adding pside glue"); } - /* This response is relevant to the current query, so we - * add (attempt to add, anyway) this target(s) and reactivate - * the original event. - * NOTE: we could only look for the AnswerRRset if the + /* This response is relevant to the current query, so we + * add (attempt to add, anyway) this target(s) and reactivate + * the original event. + * NOTE: we could only look for the AnswerRRset if the * response type was ANSWER. */ rrset = reply_find_answer_rrset(&iq->qchase, qstate->return_msg->rep); if(rrset) { int additions = 0; /* if CNAMEs have been followed - add new NS to delegpt. */ /* BTW. RFC 1918 says NS should not have got CNAMEs. Robust. */ - if(!delegpt_find_ns(foriq->dp, rrset->rk.dname, + if(!delegpt_find_ns(foriq->dp, rrset->rk.dname, rrset->rk.dname_len)) { /* if dpns->lame then set newcname ns lame too */ - if(!delegpt_add_ns(foriq->dp, forq->region, - rrset->rk.dname, dpns->lame)) + if(!delegpt_add_ns(foriq->dp, forq->region, + rrset->rk.dname, dpns->lame, dpns->tls_auth_name, + dpns->port)) log_err("out of memory adding cnamed-ns"); } /* if dpns->lame then set the address(es) lame too */ diff --git a/contrib/unbound/iterator/iterator.h b/contrib/unbound/iterator/iterator.h index a9e58569fcf3..8b840528d9d9 100644 --- a/contrib/unbound/iterator/iterator.h +++ b/contrib/unbound/iterator/iterator.h @@ -80,7 +80,7 @@ struct rbtree_type; /** * number of labels from QNAME that are always send individually when using * QNAME minimisation, even when the number of labels of the QNAME is bigger - * tham MAX_MINIMISE_COUNT */ + * than MAX_MINIMISE_COUNT */ #define MINIMISE_ONE_LAB 4 #define MINIMISE_MULTIPLE_LABS (MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB) /** at what query-sent-count to stop target fetch policy */ @@ -379,7 +379,7 @@ struct iter_qstate { /** list of pending queries to authoritative servers. */ struct outbound_list outlist; - /** QNAME minimisation state, RFC7816 */ + /** QNAME minimisation state, RFC9156 */ enum minimisation_state minimisation_state; /** State for capsfail: QNAME minimisation state for comparisons. */ diff --git a/contrib/unbound/libunbound/libworker.c b/contrib/unbound/libunbound/libworker.c index 7f753435d068..ab28dd54f942 100644 --- a/contrib/unbound/libunbound/libworker.c +++ b/contrib/unbound/libunbound/libworker.c @@ -882,9 +882,10 @@ void libworker_alloc_cleanup(void* arg) struct outbound_entry* libworker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q) + struct module_qstate* q, int* was_ratelimited) { struct libworker* w = (struct libworker*)q->env->worker; struct outbound_entry* e = (struct outbound_entry*)regional_alloc( @@ -893,9 +894,10 @@ struct outbound_entry* libworker_send_query(struct query_info* qinfo, return NULL; e->qstate = q; e->qsent = outnet_serviced_query(w->back, qinfo, flags, dnssec, - want_dnssec, nocaps, tcp_upstream, ssl_upstream, + want_dnssec, nocaps, check_ratelimit, tcp_upstream, ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, q, - libworker_handle_service_reply, e, w->back->udp_buff, q->env); + libworker_handle_service_reply, e, w->back->udp_buff, q->env, + was_ratelimited); if(!e->qsent) { return NULL; } @@ -976,10 +978,11 @@ void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg)) struct outbound_entry* worker_send_query(struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps), + int ATTR_UNUSED(check_ratelimit), struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), - struct module_qstate* ATTR_UNUSED(q)) + struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; diff --git a/contrib/unbound/libunbound/worker.h b/contrib/unbound/libunbound/worker.h index 974b66a30e84..0fa5bfa99430 100644 --- a/contrib/unbound/libunbound/worker.h +++ b/contrib/unbound/libunbound/worker.h @@ -58,6 +58,7 @@ struct query_info; * @param dnssec: if set, EDNS record will have DO bit set. * @param want_dnssec: signatures needed. * @param nocaps: ignore capsforid(if in config), do not perturb qname. + * @param check_ratelimit: if set, will check ratelimit before sending out. * @param addr: where to. * @param addrlen: length of addr. * @param zone: delegation point name. @@ -67,14 +68,17 @@ struct query_info; * @param tls_auth_name: if ssl_upstream, use this name with TLS * authentication. * @param q: which query state to reactivate upon return. + * @param was_ratelimited: it will signal back if the query failed to pass the + * ratelimit check. * @return: false on failure (memory or socket related). no query was * sent. */ struct outbound_entry* libworker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q); + struct module_qstate* q, int* was_ratelimited); /** process incoming serviced query replies from the network */ int libworker_handle_service_reply(struct comm_point* c, void* arg, int error, @@ -110,6 +114,7 @@ void worker_sighandler(int sig, void* arg); * @param dnssec: if set, EDNS record will have DO bit set. * @param want_dnssec: signatures needed. * @param nocaps: ignore capsforid(if in config), do not perturb qname. + * @param check_ratelimit: if set, will check ratelimit before sending out. * @param addr: where to. * @param addrlen: length of addr. * @param zone: wireformat dname of the zone. @@ -119,14 +124,17 @@ void worker_sighandler(int sig, void* arg); * @param tls_auth_name: if ssl_upstream, use this name with TLS * authentication. * @param q: which query state to reactivate upon return. + * @param was_ratelimited: it will signal back if the query failed to pass the + * ratelimit check. * @return: false on failure (memory or socket related). no query was * sent. */ struct outbound_entry* worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q); + struct module_qstate* q, int* was_ratelimited); /** * process control messages from the main thread. Frees the control diff --git a/contrib/unbound/services/cache/infra.c b/contrib/unbound/services/cache/infra.c index 518e69622f83..252e1e288b35 100644 --- a/contrib/unbound/services/cache/infra.c +++ b/contrib/unbound/services/cache/infra.c @@ -898,8 +898,9 @@ static void infra_ip_create_ratedata(struct infra_cache* infra, slabhash_insert(infra->client_ip_rates, h, &k->entry, d, NULL); } -/** find the second and return its rate counter, if none, remove oldest */ -static int* infra_rate_find_second(void* data, time_t t) +/** Find the second and return its rate counter. If none and should_add, remove + * oldest to accommodate. Else return none. */ +static int* infra_rate_find_second_or_none(void* data, time_t t, int should_add) { struct rate_data* d = (struct rate_data*)data; int i, oldest; @@ -907,6 +908,7 @@ static int* infra_rate_find_second(void* data, time_t t) if(d->timestamp[i] == t) return &(d->qps[i]); } + if(!should_add) return NULL; /* remove oldest timestamp, and insert it at t with 0 qps */ oldest = 0; for(i=0; iqps[oldest]); } -int infra_rate_max(void* data, time_t now) +/** find the second and return its rate counter, if none, remove oldest to + * accommodate */ +static int* infra_rate_give_second(void* data, time_t t) +{ + return infra_rate_find_second_or_none(data, t, 1); +} + +/** find the second and return its rate counter only if it exists. Caller + * should check for NULL return value */ +static int* infra_rate_get_second(void* data, time_t t) +{ + return infra_rate_find_second_or_none(data, t, 0); +} + +int infra_rate_max(void* data, time_t now, int backoff) { struct rate_data* d = (struct rate_data*)data; int i, max = 0; for(i=0; itimestamp[i] <= RATE_WINDOW) { - if(d->qps[i] > max) + if(backoff) { + if(now-d->timestamp[i] <= RATE_WINDOW && + d->qps[i] > max) { max = d->qps[i]; + } + } else { + if(now == d->timestamp[i]) { + return d->qps[i]; + } } } return max; } int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow, struct query_info* qinfo, + size_t namelen, time_t timenow, int backoff, struct query_info* qinfo, struct comm_reply* replylist) { int lim, max; @@ -949,13 +971,13 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, /* find or insert ratedata */ entry = infra_find_ratedata(infra, name, namelen, 1); if(entry) { - int premax = infra_rate_max(entry->data, timenow); - int* cur = infra_rate_find_second(entry->data, timenow); + int premax = infra_rate_max(entry->data, timenow, backoff); + int* cur = infra_rate_give_second(entry->data, timenow); (*cur)++; - max = infra_rate_max(entry->data, timenow); + max = infra_rate_max(entry->data, timenow, backoff); lock_rw_unlock(&entry->lock); - if(premax < lim && max >= lim) { + if(premax <= lim && max > lim) { char buf[257], qnm[257], ts[12], cs[12], ip[128]; dname_str(name, buf); dname_str(qinfo->qname, qnm); @@ -970,12 +992,12 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts); } } - return (max < lim); + return (max <= lim); } /* create */ infra_create_ratedata(infra, name, namelen, timenow); - return (1 < lim); + return (1 <= lim); } void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name, @@ -987,14 +1009,19 @@ void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name, return; /* not enabled */ entry = infra_find_ratedata(infra, name, namelen, 1); if(!entry) return; /* not cached */ - cur = infra_rate_find_second(entry->data, timenow); + cur = infra_rate_get_second(entry->data, timenow); + if(cur == NULL) { + /* our timenow is not available anymore; nothing to decrease */ + lock_rw_unlock(&entry->lock); + return; + } if((*cur) > 0) (*cur)--; lock_rw_unlock(&entry->lock); } int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow) + size_t namelen, time_t timenow, int backoff) { struct lruhash_entry* entry; int lim, max; @@ -1010,7 +1037,7 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name, entry = infra_find_ratedata(infra, name, namelen, 0); if(!entry) return 0; /* not cached */ - max = infra_rate_max(entry->data, timenow); + max = infra_rate_max(entry->data, timenow, backoff); lock_rw_unlock(&entry->lock); return (max >= lim); @@ -1027,7 +1054,8 @@ infra_get_mem(struct infra_cache* infra) } int infra_ip_ratelimit_inc(struct infra_cache* infra, - struct comm_reply* repinfo, time_t timenow, struct sldns_buffer* buffer) + struct comm_reply* repinfo, time_t timenow, int backoff, + struct sldns_buffer* buffer) { int max; struct lruhash_entry* entry; @@ -1039,10 +1067,10 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra, /* find or insert ratedata */ entry = infra_find_ip_ratedata(infra, repinfo, 1); if(entry) { - int premax = infra_rate_max(entry->data, timenow); - int* cur = infra_rate_find_second(entry->data, timenow); + int premax = infra_rate_max(entry->data, timenow, backoff); + int* cur = infra_rate_give_second(entry->data, timenow); (*cur)++; - max = infra_rate_max(entry->data, timenow); + max = infra_rate_max(entry->data, timenow, backoff); lock_rw_unlock(&entry->lock); if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) { diff --git a/contrib/unbound/services/cache/infra.h b/contrib/unbound/services/cache/infra.h index 14f97c4c64d3..6a2371aca477 100644 --- a/contrib/unbound/services/cache/infra.h +++ b/contrib/unbound/services/cache/infra.h @@ -368,6 +368,7 @@ long long infra_get_host_rto(struct infra_cache* infra, * @param name: zone name * @param namelen: zone name length * @param timenow: what time it is now. + * @param backoff: if backoff is enabled. * @param qinfo: for logging, query name. * @param replylist: for logging, querier's address (if any). * @return 1 if it could be incremented. 0 if the increment overshot the @@ -375,7 +376,7 @@ long long infra_get_host_rto(struct infra_cache* infra, * Failures like alloc failures are not returned (probably as 1). */ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow, struct query_info* qinfo, + size_t namelen, time_t timenow, int backoff, struct query_info* qinfo, struct comm_reply* replylist); /** @@ -398,13 +399,15 @@ void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name, * @param name: zone name * @param namelen: zone name length * @param timenow: what time it is now. + * @param backoff: if backoff is enabled. * @return true if exceeded. */ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow); + size_t namelen, time_t timenow, int backoff); -/** find the maximum rate stored, not too old. 0 if no information. */ -int infra_rate_max(void* data, time_t now); +/** find the maximum rate stored. 0 if no information. + * When backoff is enabled look for the maximum in the whole RATE_WINDOW. */ +int infra_rate_max(void* data, time_t now, int backoff); /** find the ratelimit in qps for a domain. 0 if no limit for domain. */ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name, @@ -415,11 +418,12 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name, * @param infra: infra cache * @param repinfo: information about client * @param timenow: what time it is now. + * @param backoff: if backoff is enabled. * @param buffer: with query for logging. * @return 1 if it could be incremented. 0 if the increment overshot the * ratelimit and the query should be dropped. */ int infra_ip_ratelimit_inc(struct infra_cache* infra, - struct comm_reply* repinfo, time_t timenow, + struct comm_reply* repinfo, time_t timenow, int backoff, struct sldns_buffer* buffer); /** diff --git a/contrib/unbound/services/listen_dnsport.c b/contrib/unbound/services/listen_dnsport.c index 6a33fbcdaf7e..983b96f09eec 100644 --- a/contrib/unbound/services/listen_dnsport.c +++ b/contrib/unbound/services/listen_dnsport.c @@ -1370,39 +1370,38 @@ listen_create(struct comm_base* base, struct listen_port* ports, struct comm_point* cp = NULL; if(ports->ftype == listen_type_udp || ports->ftype == listen_type_udp_dnscrypt) - cp = comm_point_create_udp(base, ports->fd, + cp = comm_point_create_udp(base, ports->fd, front->udp_buff, cb, cb_arg, ports->socket); else if(ports->ftype == listen_type_tcp || ports->ftype == listen_type_tcp_dnscrypt) - cp = comm_point_create_tcp(base, ports->fd, + cp = comm_point_create_tcp(base, ports->fd, tcp_accept_count, tcp_idle_timeout, harden_large_queries, 0, NULL, tcp_conn_limit, bufsize, front->udp_buff, ports->ftype, cb, cb_arg, ports->socket); else if(ports->ftype == listen_type_ssl || ports->ftype == listen_type_http) { - cp = comm_point_create_tcp(base, ports->fd, + cp = comm_point_create_tcp(base, ports->fd, tcp_accept_count, tcp_idle_timeout, harden_large_queries, http_max_streams, http_endpoint, tcp_conn_limit, bufsize, front->udp_buff, ports->ftype, cb, cb_arg, ports->socket); - if(http_notls && ports->ftype == listen_type_http) - cp->ssl = NULL; - else - cp->ssl = sslctx; if(ports->ftype == listen_type_http) { if(!sslctx && !http_notls) { - log_warn("HTTPS port configured, but no TLS " - "tls-service-key or tls-service-pem " - "set"); + log_warn("HTTPS port configured, but " + "no TLS tls-service-key or " + "tls-service-pem set"); } #ifndef HAVE_SSL_CTX_SET_ALPN_SELECT_CB - if(!http_notls) - log_warn("Unbound is not compiled with an " - "OpenSSL version supporting ALPN " - " (OpenSSL >= 1.0.2). This is required " - "to use DNS-over-HTTPS"); + if(!http_notls) { + log_warn("Unbound is not compiled " + "with an OpenSSL version " + "supporting ALPN " + "(OpenSSL >= 1.0.2). This " + "is required to use " + "DNS-over-HTTPS"); + } #endif #ifndef HAVE_NGHTTP2_NGHTTP2_H log_warn("Unbound is not compiled with " @@ -1412,13 +1411,17 @@ listen_create(struct comm_base* base, struct listen_port* ports, } } else if(ports->ftype == listen_type_udpancil || ports->ftype == listen_type_udpancil_dnscrypt) - cp = comm_point_create_udp_ancil(base, ports->fd, + cp = comm_point_create_udp_ancil(base, ports->fd, front->udp_buff, cb, cb_arg, ports->socket); if(!cp) { - log_err("can't create commpoint"); + log_err("can't create commpoint"); listen_delete(front); return NULL; } + if(http_notls && ports->ftype == listen_type_http) + cp->ssl = NULL; + else + cp->ssl = sslctx; cp->dtenv = dtenv; cp->do_not_close = 1; #ifdef USE_DNSCRYPT diff --git a/contrib/unbound/services/localzone.c b/contrib/unbound/services/localzone.c index 77d0107f9f6f..3e3a71aea3c5 100644 --- a/contrib/unbound/services/localzone.c +++ b/contrib/unbound/services/localzone.c @@ -56,6 +56,44 @@ * with 16 bytes for an A record, a 64K packet has about 4000 max */ #define LOCALZONE_RRSET_COUNT_MAX 4096 +/** print all RRsets in local zone */ +static void +local_zone_out(struct local_zone* z) +{ + struct local_data* d; + struct local_rrset* p; + RBTREE_FOR(d, struct local_data*, &z->data) { + for(p = d->rrsets; p; p = p->next) { + log_nametypeclass(NO_VERBOSE, "rrset", d->name, + ntohs(p->rrset->rk.type), + ntohs(p->rrset->rk.rrset_class)); + } + } +} + +static void +local_zone_print(struct local_zone* z) +{ + char buf[64]; + lock_rw_rdlock(&z->lock); + snprintf(buf, sizeof(buf), "%s zone", + local_zone_type2str(z->type)); + log_nametypeclass(NO_VERBOSE, buf, z->name, 0, z->dclass); + local_zone_out(z); + lock_rw_unlock(&z->lock); +} + +void local_zones_print(struct local_zones* zones) +{ + struct local_zone* z; + lock_rw_rdlock(&zones->lock); + log_info("number of auth zones %u", (unsigned)zones->ztree.count); + RBTREE_FOR(z, struct local_zone*, &zones->ztree) { + local_zone_print(z); + } + lock_rw_unlock(&zones->lock); +} + struct local_zones* local_zones_create(void) { @@ -1010,6 +1048,38 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg) lock_rw_rdlock(&zones->lock); if(!local_zones_lookup(zones, rr_name, len, labs, rr_class, rr_type)) { + /* Check if there is a zone that this could go + * under but for different class; created zones are + * always for LDNS_RR_CLASS_IN. Create the zone with + * a different class but the same configured + * local_zone_type. */ + struct local_zone* z = local_zones_lookup(zones, + rr_name, len, labs, LDNS_RR_CLASS_IN, rr_type); + if(z) { + uint8_t* name = memdup(z->name, z->namelen); + size_t znamelen = z->namelen; + int znamelabs = z->namelabs; + enum localzone_type ztype = z->type; + lock_rw_unlock(&zones->lock); + if(!name) { + log_err("out of memory"); + free(rr_name); + return 0; + } + if(!( +#ifndef THREADS_DISABLED + z = +#endif + lz_enter_zone_dname(zones, name, + znamelen, znamelabs, + ztype, rr_class))) { + free(rr_name); + return 0; + } + lock_rw_unlock(&z->lock); + free(rr_name); + continue; + } if(!have_name) { dclass = rr_class; nm = rr_name; @@ -1220,38 +1290,6 @@ local_zones_find_le(struct local_zones* zones, return (struct local_zone*)node; } -/** print all RRsets in local zone */ -static void -local_zone_out(struct local_zone* z) -{ - struct local_data* d; - struct local_rrset* p; - RBTREE_FOR(d, struct local_data*, &z->data) { - for(p = d->rrsets; p; p = p->next) { - log_nametypeclass(NO_VERBOSE, "rrset", d->name, - ntohs(p->rrset->rk.type), - ntohs(p->rrset->rk.rrset_class)); - } - } -} - -void local_zones_print(struct local_zones* zones) -{ - struct local_zone* z; - lock_rw_rdlock(&zones->lock); - log_info("number of auth zones %u", (unsigned)zones->ztree.count); - RBTREE_FOR(z, struct local_zone*, &zones->ztree) { - char buf[64]; - lock_rw_rdlock(&z->lock); - snprintf(buf, sizeof(buf), "%s zone", - local_zone_type2str(z->type)); - log_nametypeclass(NO_VERBOSE, buf, z->name, 0, z->dclass); - local_zone_out(z); - lock_rw_unlock(&z->lock); - } - lock_rw_unlock(&zones->lock); -} - /** encode answer consisting of 1 rrset */ static int local_encode(struct query_info* qinfo, struct module_env* env, diff --git a/contrib/unbound/services/outside_network.c b/contrib/unbound/services/outside_network.c index f4a5d0707845..a7e5fa3ad583 100644 --- a/contrib/unbound/services/outside_network.c +++ b/contrib/unbound/services/outside_network.c @@ -94,6 +94,16 @@ static void waiting_list_remove(struct outside_network* outnet, static uint16_t tcp_select_id(struct outside_network* outnet, struct reuse_tcp* reuse); +/** Perform serviced query UDP sending operation */ +static int serviced_udp_send(struct serviced_query* sq, sldns_buffer* buff); + +/** Send serviced query over TCP return false on initial failure */ +static int serviced_tcp_send(struct serviced_query* sq, sldns_buffer* buff); + +/** call the callbacks for a serviced query */ +static void serviced_callbacks(struct serviced_query* sq, int error, + struct comm_point* c, struct comm_reply* rep); + int pending_cmp(const void* key1, const void* key2) { @@ -836,6 +846,7 @@ outnet_add_tcp_waiting_first(struct outside_network* outnet, if(w->on_tcp_waiting_list) return; w->next_waiting = outnet->tcp_wait_first; + log_assert(w->next_waiting != w); if(!outnet->tcp_wait_last) outnet->tcp_wait_last = w; outnet->tcp_wait_first = w; @@ -1136,6 +1147,22 @@ static void reuse_cb_readwait_for_failure(rbtree_type* tree_by_id, int err) } } +/** mark the entry for being in the cb_and_decommission stage */ +static void mark_for_cb_and_decommission(rbnode_type* node, + void* ATTR_UNUSED(arg)) +{ + struct waiting_tcp* w = (struct waiting_tcp*)node->key; + /* Mark the waiting_tcp to signal later code (serviced_delete) that + * this item is part of the backed up tree_by_id and will be deleted + * later. */ + w->in_cb_and_decommission = 1; + /* Mark the serviced_query for deletion so that later code through + * callbacks (iter_clear .. outnet_serviced_query_stop) won't + * prematurely delete it. */ + if(w->cb) + ((struct serviced_query*)w->cb_arg)->to_be_deleted = 1; +} + /** perform callbacks for failure and also decommission pending tcp. * the callbacks remove references in sq->pending to the waiting_tcp * members of the tree_by_id in the pending tcp. The pending_tcp is @@ -1151,6 +1178,9 @@ static void reuse_cb_and_decommission(struct outside_network* outnet, pend->reuse.write_wait_first = NULL; pend->reuse.write_wait_last = NULL; decommission_pending_tcp(outnet, pend); + if(store.root != NULL && store.root != RBTREE_NULL) { + traverse_postorder(&store, &mark_for_cb_and_decommission, NULL); + } reuse_cb_readwait_for_failure(&store, error); reuse_del_readwait(&store); } @@ -1248,6 +1278,12 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error, c->buffer)); /* find the query the reply is for */ w = reuse_tcp_by_id_find(&pend->reuse, id); + /* Make sure that the reply we got is at least for a + * sent query with the same ID; the waiting_tcp that + * gets a reply is assumed to not be waiting to be + * sent. */ + if(w && (w->on_tcp_waiting_list || w->write_wait_queued)) + w = NULL; } } if(error == NETEVENT_NOERROR && !w) { @@ -1265,6 +1301,8 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error, } } if(w) { + log_assert(!w->on_tcp_waiting_list); + log_assert(!w->write_wait_queued); reuse_tree_by_id_delete(&pend->reuse, w); verbose(VERB_CLIENT, "outnet tcp callback query err %d buflen %d", error, (int)sldns_buffer_limit(c->buffer)); @@ -1324,7 +1362,7 @@ outnet_send_wait_udp(struct outside_network* outnet) { struct pending* pend; /* process waiting queries */ - while(outnet->udp_wait_first && outnet->unused_fds + while(outnet->udp_wait_first && outnet->unused_fds && !outnet->want_to_quit) { pend = outnet->udp_wait_first; outnet->udp_wait_first = pend->next_waiting; @@ -1333,8 +1371,10 @@ outnet_send_wait_udp(struct outside_network* outnet) sldns_buffer_write(outnet->udp_buff, pend->pkt, pend->pkt_len); sldns_buffer_flip(outnet->udp_buff); free(pend->pkt); /* freeing now makes get_mem correct */ - pend->pkt = NULL; + pend->pkt = NULL; pend->pkt_len = 0; + log_assert(!pend->sq->busy); + pend->sq->busy = 1; if(!randomize_and_send_udp(pend, outnet->udp_buff, pend->timeout)) { /* callback error on pending */ @@ -1344,6 +1384,8 @@ outnet_send_wait_udp(struct outside_network* outnet) NETEVENT_CLOSED, NULL); } pending_delete(outnet, pend); + } else { + pend->sq->busy = 0; } } } @@ -1454,7 +1496,6 @@ calc_num46(char** ifs, int num_ifs, int do_ip4, int do_ip6, (*num_ip4)++; } } - } void @@ -1708,16 +1749,9 @@ static void serviced_node_del(rbnode_type* node, void* ATTR_UNUSED(arg)) { struct serviced_query* sq = (struct serviced_query*)node; - struct service_callback* p = sq->cblist, *np; - free(sq->qbuf); - free(sq->zone); - free(sq->tls_auth_name); - edns_opt_list_free(sq->opt_list); - while(p) { - np = p->next; - free(p); - p = np; - } + alloc_reg_release(sq->alloc, sq->region); + if(sq->timer) + comm_timer_delete(sq->timer); free(sq); } @@ -2174,10 +2208,13 @@ pending_udp_query(struct serviced_query* sq, struct sldns_buffer* packet, sq->outnet->udp_wait_last = pend; return pend; } + log_assert(!sq->busy); + sq->busy = 1; if(!randomize_and_send_udp(pend, packet, timeout)) { pending_delete(sq->outnet, pend); return NULL; } + sq->busy = 0; return pend; } @@ -2247,7 +2284,7 @@ reuse_tcp_select_id(struct reuse_tcp* reuse, struct outside_network* outnet) } /* equally pick a random unused element from the tree that is - * not in use. Pick a the n-th index of an ununused number, + * not in use. Pick a the n-th index of an unused number, * then loop over the empty spaces in the tree and find it */ log_assert(reuse->tree_by_id.count < 0xffff); select = ub_random_max(outnet->rnd, 0xffff - reuse->tree_by_id.count); @@ -2360,6 +2397,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet, #ifdef USE_DNSTAP w->sq = NULL; #endif + w->in_cb_and_decommission = 0; if(pend) { /* we have a buffer available right now */ if(reuse) { @@ -2456,30 +2494,62 @@ lookup_serviced(struct outside_network* outnet, sldns_buffer* buff, int dnssec, return (struct serviced_query*)rbtree_search(outnet->serviced, &key); } +void +serviced_timer_cb(void* arg) +{ + struct serviced_query* sq = (struct serviced_query*)arg; + struct outside_network* outnet = sq->outnet; + verbose(VERB_ALGO, "serviced send timer"); + /* By the time this cb is called, if we don't have any registered + * callbacks for this serviced_query anymore; do not send. */ + if(!sq->cblist) + goto delete; + /* perform first network action */ + if(outnet->do_udp && !(sq->tcp_upstream || sq->ssl_upstream)) { + if(!serviced_udp_send(sq, outnet->udp_buff)) + goto delete; + } else { + if(!serviced_tcp_send(sq, outnet->udp_buff)) + goto delete; + } + /* Maybe by this time we don't have callbacks attached anymore. Don't + * proactively try to delete; let it run and maybe another callback + * will get attached by the time we get an answer. */ + return; +delete: + serviced_callbacks(sq, NETEVENT_CLOSED, NULL, NULL); +} + /** Create new serviced entry */ static struct serviced_query* serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec, int want_dnssec, int nocaps, int tcp_upstream, int ssl_upstream, char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, size_t zonelen, int qtype, struct edns_option* opt_list, - size_t pad_queries_block_size) + size_t pad_queries_block_size, struct alloc_cache* alloc, + struct regional* region) { struct serviced_query* sq = (struct serviced_query*)malloc(sizeof(*sq)); + struct timeval t; #ifdef UNBOUND_DEBUG rbnode_type* ins; #endif if(!sq) return NULL; sq->node.key = sq; - sq->qbuf = memdup(sldns_buffer_begin(buff), sldns_buffer_limit(buff)); + sq->alloc = alloc; + sq->region = region; + sq->qbuf = regional_alloc_init(region, sldns_buffer_begin(buff), + sldns_buffer_limit(buff)); if(!sq->qbuf) { + alloc_reg_release(alloc, region); free(sq); return NULL; } sq->qbuflen = sldns_buffer_limit(buff); - sq->zone = memdup(zone, zonelen); + sq->zone = regional_alloc_init(region, zone, zonelen); if(!sq->zone) { - free(sq->qbuf); + alloc_reg_release(alloc, region); free(sq); return NULL; } @@ -2491,10 +2561,9 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec, sq->tcp_upstream = tcp_upstream; sq->ssl_upstream = ssl_upstream; if(tls_auth_name) { - sq->tls_auth_name = strdup(tls_auth_name); + sq->tls_auth_name = regional_strdup(region, tls_auth_name); if(!sq->tls_auth_name) { - free(sq->zone); - free(sq->qbuf); + alloc_reg_release(alloc, region); free(sq); return NULL; } @@ -2503,17 +2572,16 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec, } memcpy(&sq->addr, addr, addrlen); sq->addrlen = addrlen; - sq->opt_list = NULL; - if(opt_list) { - sq->opt_list = edns_opt_copy_alloc(opt_list); - if(!sq->opt_list) { - free(sq->tls_auth_name); - free(sq->zone); - free(sq->qbuf); - free(sq); - return NULL; - } + sq->opt_list = opt_list; + sq->busy = 0; + sq->timer = comm_timer_create(outnet->base, serviced_timer_cb, sq); + if(!sq->timer) { + alloc_reg_release(alloc, region); + free(sq); + return NULL; } + memset(&t, 0, sizeof(t)); + comm_timer_set(sq->timer, &t); sq->outnet = outnet; sq->cblist = NULL; sq->pending = NULL; @@ -2522,7 +2590,7 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec, sq->to_be_deleted = 0; sq->padding_block_size = pad_queries_block_size; #ifdef UNBOUND_DEBUG - ins = + ins = #else (void) #endif @@ -2620,29 +2688,38 @@ serviced_delete(struct serviced_query* sq) struct waiting_tcp* w = (struct waiting_tcp*) sq->pending; verbose(VERB_CLIENT, "serviced_delete: TCP"); + log_assert(!(w->write_wait_queued && w->on_tcp_waiting_list)); /* if on stream-write-waiting list then * remove from waiting list and waiting_tcp_delete */ if(w->write_wait_queued) { struct pending_tcp* pend = (struct pending_tcp*)w->next_waiting; verbose(VERB_CLIENT, "serviced_delete: writewait"); - reuse_tree_by_id_delete(&pend->reuse, w); + if(!w->in_cb_and_decommission) + reuse_tree_by_id_delete(&pend->reuse, w); reuse_write_wait_remove(&pend->reuse, w); - waiting_tcp_delete(w); + if(!w->in_cb_and_decommission) + waiting_tcp_delete(w); } else if(!w->on_tcp_waiting_list) { struct pending_tcp* pend = (struct pending_tcp*)w->next_waiting; verbose(VERB_CLIENT, "serviced_delete: tcpreusekeep"); + /* w needs to stay on tree_by_id to not assign + * the same ID; remove the callback since its + * serviced_query will be gone. */ + w->cb = NULL; if(!reuse_tcp_remove_serviced_keep(w, sq)) { - reuse_cb_and_decommission(sq->outnet, - pend, NETEVENT_CLOSED); + if(!w->in_cb_and_decommission) + reuse_cb_and_decommission(sq->outnet, + pend, NETEVENT_CLOSED); use_free_buffer(sq->outnet); } sq->pending = NULL; } else { verbose(VERB_CLIENT, "serviced_delete: tcpwait"); waiting_list_remove(sq->outnet, w); - waiting_tcp_delete(w); + if(!w->in_cb_and_decommission) + waiting_tcp_delete(w); } } } @@ -2892,7 +2969,8 @@ serviced_callbacks(struct serviced_query* sq, int error, struct comm_point* c, * use secondary buffer to store the query. * This is a data copy, but faster than packet to server */ backlen = sldns_buffer_limit(c->buffer); - backup_p = memdup(sldns_buffer_begin(c->buffer), backlen); + backup_p = regional_alloc_init(sq->region, + sldns_buffer_begin(c->buffer), backlen); if(!backup_p) { log_err("malloc failure in serviced query callbacks"); error = NETEVENT_CLOSED; @@ -2910,10 +2988,8 @@ serviced_callbacks(struct serviced_query* sq, int error, struct comm_point* c, } fptr_ok(fptr_whitelist_serviced_query(p->cb)); (void)(*p->cb)(c, p->cb_arg, error, rep); - free(p); } if(backup_p) { - free(backup_p); sq->outnet->svcd_overhead = 0; } verbose(VERB_ALGO, "svcd callbacks end"); @@ -2931,7 +3007,7 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error, struct waiting_tcp* w = (struct waiting_tcp*)sq->pending; struct pending_tcp* pend_tcp = NULL; struct port_if* pi = NULL; - if(!w->on_tcp_waiting_list && w->next_waiting) { + if(w && !w->on_tcp_waiting_list && w->next_waiting) { pend_tcp = (struct pending_tcp*)w->next_waiting; pi = pend_tcp->pi; } @@ -3027,8 +3103,11 @@ serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff) sq->status==serviced_query_TCP_EDNS?"EDNS":""); serviced_encode(sq, buff, sq->status == serviced_query_TCP_EDNS); sq->last_sent_time = *sq->outnet->now_tv; + log_assert(!sq->busy); + sq->busy = 1; sq->pending = pending_tcp_query(sq, buff, sq->outnet->tcp_auth_query_timeout, serviced_tcp_callback, sq); + sq->busy = 0; if(!sq->pending) { /* delete from tree so that a retry by above layer does not * clash with this entry */ @@ -3060,8 +3139,11 @@ serviced_tcp_send(struct serviced_query* sq, sldns_buffer* buff) } else { timeout = sq->outnet->tcp_auth_query_timeout; } + log_assert(!sq->busy); + sq->busy = 1; sq->pending = pending_tcp_query(sq, buff, timeout, serviced_tcp_callback, sq); + sq->busy = 0; return sq->pending != NULL; } @@ -3112,7 +3194,6 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error, struct timeval now = *sq->outnet->now_tv; #ifdef USE_DNSTAP struct pending* p = (struct pending*)sq->pending; - struct port_if* pi = p->pc->pif; #endif sq->pending = NULL; /* removed after callback */ @@ -3154,14 +3235,16 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error, /* * sending src (local service)/dst (upstream) addresses over DNSTAP */ - if(error == NETEVENT_NOERROR && outnet->dtenv && - (outnet->dtenv->log_resolver_response_messages || - outnet->dtenv->log_forwarder_response_messages)) { + if(error == NETEVENT_NOERROR && outnet->dtenv && p->pc && + (outnet->dtenv->log_resolver_response_messages || + outnet->dtenv->log_forwarder_response_messages)) { log_addr(VERB_ALGO, "response from upstream", &sq->addr, sq->addrlen); - log_addr(VERB_ALGO, "to local addr", &pi->addr, pi->addrlen); - dt_msg_send_outside_response(outnet->dtenv, &sq->addr, &pi->addr, c->type, - sq->zone, sq->zonelen, sq->qbuf, sq->qbuflen, - &sq->last_sent_time, sq->outnet->now_tv, c->buffer); + log_addr(VERB_ALGO, "to local addr", &p->pc->pif->addr, + p->pc->pif->addrlen); + dt_msg_send_outside_response(outnet->dtenv, &sq->addr, + &p->pc->pif->addr, c->type, sq->zone, sq->zonelen, + sq->qbuf, sq->qbuflen, &sq->last_sent_time, + sq->outnet->now_tv, c->buffer); } #endif if( (sq->status == serviced_query_UDP_EDNS @@ -3251,64 +3334,117 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error, struct serviced_query* outnet_serviced_query(struct outside_network* outnet, struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, - int nocaps, int tcp_upstream, int ssl_upstream, char* tls_auth_name, - struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, - size_t zonelen, struct module_qstate* qstate, - comm_point_callback_type* callback, void* callback_arg, sldns_buffer* buff, - struct module_env* env) + int nocaps, int check_ratelimit, int tcp_upstream, int ssl_upstream, + char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen, + uint8_t* zone, size_t zonelen, struct module_qstate* qstate, + comm_point_callback_type* callback, void* callback_arg, + sldns_buffer* buff, struct module_env* env, int* was_ratelimited) { struct serviced_query* sq; struct service_callback* cb; struct edns_string_addr* client_string_addr; - - if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone, zonelen, - qstate, qstate->region)) + struct regional* region; + struct edns_option* backed_up_opt_list = qstate->edns_opts_back_out; + struct edns_option* per_upstream_opt_list = NULL; + time_t timenow = 0; + + /* If we have an already populated EDNS option list make a copy since + * we may now add upstream specific EDNS options. */ + /* Use a region that could be attached to a serviced_query, if it needs + * to be created. If an existing one is found then this region will be + * destroyed here. */ + region = alloc_reg_obtain(env->alloc); + if(!region) return NULL; + if(qstate->edns_opts_back_out) { + per_upstream_opt_list = edns_opt_copy_region( + qstate->edns_opts_back_out, region); + if(!per_upstream_opt_list) { + alloc_reg_release(env->alloc, region); return NULL; + } + qstate->edns_opts_back_out = per_upstream_opt_list; + } + + if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone, + zonelen, qstate, region)) { + alloc_reg_release(env->alloc, region); + return NULL; + } + /* Restore the option list; we can explicitly use the copied one from + * now on. */ + per_upstream_opt_list = qstate->edns_opts_back_out; + qstate->edns_opts_back_out = backed_up_opt_list; if((client_string_addr = edns_string_addr_lookup( &env->edns_strings->client_strings, addr, addrlen))) { - edns_opt_list_append(&qstate->edns_opts_back_out, + edns_opt_list_append(&per_upstream_opt_list, env->edns_strings->client_string_opcode, client_string_addr->string_len, - client_string_addr->string, qstate->region); + client_string_addr->string, region); } serviced_gen_query(buff, qinfo->qname, qinfo->qname_len, qinfo->qtype, qinfo->qclass, flags); sq = lookup_serviced(outnet, buff, dnssec, addr, addrlen, - qstate->edns_opts_back_out); - /* duplicate entries are included in the callback list, because - * there is a counterpart registration by our caller that needs to - * be doubly-removed (with callbacks perhaps). */ - if(!(cb = (struct service_callback*)malloc(sizeof(*cb)))) - return NULL; + per_upstream_opt_list); if(!sq) { + /* Check ratelimit only for new serviced_query */ + if(check_ratelimit) { + timenow = *env->now; + if(!infra_ratelimit_inc(env->infra_cache, zone, + zonelen, timenow, env->cfg->ratelimit_backoff, + &qstate->qinfo, qstate->reply)) { + /* Can we pass through with slip factor? */ + if(env->cfg->ratelimit_factor == 0 || + ub_random_max(env->rnd, + env->cfg->ratelimit_factor) != 1) { + *was_ratelimited = 1; + alloc_reg_release(env->alloc, region); + return NULL; + } + log_nametypeclass(VERB_ALGO, + "ratelimit allowed through for " + "delegation point", zone, + LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN); + } + } /* make new serviced query entry */ sq = serviced_create(outnet, buff, dnssec, want_dnssec, nocaps, tcp_upstream, ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, (int)qinfo->qtype, - qstate->edns_opts_back_out, + per_upstream_opt_list, ( ssl_upstream && env->cfg->pad_queries - ? env->cfg->pad_queries_block_size : 0 )); + ? env->cfg->pad_queries_block_size : 0 ), + env->alloc, region); if(!sq) { - free(cb); + if(check_ratelimit) { + infra_ratelimit_dec(env->infra_cache, + zone, zonelen, timenow); + } + alloc_reg_release(env->alloc, region); return NULL; } - /* perform first network action */ - if(outnet->do_udp && !(tcp_upstream || ssl_upstream)) { - if(!serviced_udp_send(sq, buff)) { - (void)rbtree_delete(outnet->serviced, sq); - serviced_node_del(&sq->node, NULL); - free(cb); - return NULL; - } - } else { - if(!serviced_tcp_send(sq, buff)) { - (void)rbtree_delete(outnet->serviced, sq); - serviced_node_del(&sq->node, NULL); - free(cb); - return NULL; + if(!(cb = (struct service_callback*)regional_alloc( + sq->region, sizeof(*cb)))) { + if(check_ratelimit) { + infra_ratelimit_dec(env->infra_cache, + zone, zonelen, timenow); } + (void)rbtree_delete(outnet->serviced, sq); + serviced_node_del(&sq->node, NULL); + return NULL; + } + /* No network action at this point; it will be invoked with the + * serviced_query timer instead to run outside of the mesh. */ + } else { + /* We don't need this region anymore. */ + alloc_reg_release(env->alloc, region); + /* duplicate entries are included in the callback list, because + * there is a counterpart registration by our caller that needs + * to be doubly-removed (with callbacks perhaps). */ + if(!(cb = (struct service_callback*)regional_alloc( + sq->region, sizeof(*cb)))) { + return NULL; } } /* add callback to list of callbacks */ @@ -3328,7 +3464,6 @@ callback_list_remove(struct serviced_query* sq, void* cb_arg) if((*pp)->cb_arg == cb_arg) { struct service_callback* del = *pp; *pp = del->next; - free(del); return; } pp = &(*pp)->next; @@ -3337,13 +3472,13 @@ callback_list_remove(struct serviced_query* sq, void* cb_arg) void outnet_serviced_query_stop(struct serviced_query* sq, void* cb_arg) { - if(!sq) + if(!sq) return; callback_list_remove(sq, cb_arg); /* if callbacks() routine scheduled deletion, let it do that */ - if(!sq->cblist && !sq->to_be_deleted) { + if(!sq->cblist && !sq->busy && !sq->to_be_deleted) { (void)rbtree_delete(sq->outnet->serviced, sq); - serviced_delete(sq); + serviced_delete(sq); } } diff --git a/contrib/unbound/services/outside_network.h b/contrib/unbound/services/outside_network.h index d0d532e6425f..4c5b96f83424 100644 --- a/contrib/unbound/services/outside_network.h +++ b/contrib/unbound/services/outside_network.h @@ -43,7 +43,9 @@ #ifndef OUTSIDE_NETWORK_H #define OUTSIDE_NETWORK_H +#include "util/alloc.h" #include "util/rbtree.h" +#include "util/regional.h" #include "util/netevent.h" #include "dnstap/dnstap_config.h" struct pending; @@ -412,6 +414,8 @@ struct waiting_tcp { char* tls_auth_name; /** the packet was involved in an error, to stop looping errors */ int error_count; + /** if true, the item is at the cb_and_decommission stage */ + int in_cb_and_decommission; #ifdef USE_DNSTAP /** serviced query pointer for dnstap to get logging info, if nonNULL*/ struct serviced_query* sq; @@ -512,6 +516,15 @@ struct serviced_query { void* pending; /** block size with which to pad encrypted queries (default: 128) */ size_t padding_block_size; + /** region for this serviced query. Will be cleared when this + * serviced_query will be deleted */ + struct regional* region; + /** allocation service for the region */ + struct alloc_cache* alloc; + /** flash timer to start the net I/O as a separate event */ + struct comm_timer* timer; + /** true if serviced_query is currently doing net I/O and may block */ + int busy; }; /** @@ -619,6 +632,7 @@ void pending_delete(struct outside_network* outnet, struct pending* p); * @param want_dnssec: signatures are needed, without EDNS the answer is * likely to be useless. * @param nocaps: ignore use_caps_for_id and use unperturbed qname. + * @param check_ratelimit: if set, will check ratelimit before sending out. * @param tcp_upstream: use TCP for upstream queries. * @param ssl_upstream: use SSL for upstream queries. * @param tls_auth_name: when ssl_upstream is true, use this name to check @@ -635,16 +649,18 @@ void pending_delete(struct outside_network* outnet, struct pending* p); * @param callback_arg: user argument to callback function. * @param buff: scratch buffer to create query contents in. Empty on exit. * @param env: the module environment. + * @param was_ratelimited: it will signal back if the query failed to pass the + * ratelimit check. * @return 0 on error, or pointer to serviced query that is used to answer * this serviced query may be shared with other callbacks as well. */ struct serviced_query* outnet_serviced_query(struct outside_network* outnet, struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, - int nocaps, int tcp_upstream, int ssl_upstream, char* tls_auth_name, - struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, - size_t zonelen, struct module_qstate* qstate, + int nocaps, int check_ratelimit, int tcp_upstream, int ssl_upstream, + char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen, + uint8_t* zone, size_t zonelen, struct module_qstate* qstate, comm_point_callback_type* callback, void* callback_arg, - struct sldns_buffer* buff, struct module_env* env); + struct sldns_buffer* buff, struct module_env* env, int* was_ratelimited); /** * Remove service query callback. @@ -785,6 +801,9 @@ void pending_udp_timer_delay_cb(void *arg); /** callback for outgoing TCP timer event */ void outnet_tcptimer(void* arg); +/** callback to send serviced queries */ +void serviced_timer_cb(void *arg); + /** callback for serviced query UDP answers */ int serviced_udp_callback(struct comm_point* c, void* arg, int error, struct comm_reply* rep); diff --git a/contrib/unbound/services/rpz.c b/contrib/unbound/services/rpz.c index d408f9383d24..322e9d1393c4 100644 --- a/contrib/unbound/services/rpz.c +++ b/contrib/unbound/services/rpz.c @@ -542,6 +542,7 @@ rpz_create(struct config_auth* p) } } r->log = p->rpz_log; + r->signal_nxdomain_ra = p->rpz_signal_nxdomain_ra; if(p->rpz_log_name) { if(!(r->log_name = strdup(p->rpz_log_name))) { log_err("malloc failure on RPZ log_name strdup"); @@ -836,7 +837,7 @@ rpz_report_rrset_error(const char* msg, uint8_t* rr, size_t rr_len) { } /* from localzone.c; difference is we don't have a dname */ -struct local_rrset* +static struct local_rrset* rpz_clientip_new_rrset(struct regional* region, struct clientip_synthesized_rr* raddr, uint16_t rrtype, uint16_t rrclass) { @@ -1384,9 +1385,9 @@ log_rpz_apply(char* trigger, uint8_t* dname, struct addr_tree_node* addrnode, if(dname) { dname_str(dname, dnamestr); } else if(addrnode) { - char a[128]; - addr_to_str(&addrnode->addr, addrnode->addrlen, a, sizeof(a)); - snprintf(dnamestr, sizeof(dnamestr), "%s/%d", a, addrnode->net); + char addrbuf[128]; + addr_to_str(&addrnode->addr, addrnode->addrlen, addrbuf, sizeof(addrbuf)); + snprintf(dnamestr, sizeof(dnamestr), "%s/%d", addrbuf, addrnode->net); } else { dnamestr[0]=0; } @@ -1697,7 +1698,7 @@ rpz_synthesize_nodata(struct rpz* ATTR_UNUSED(r), struct module_qstate* ms, if(msg == NULL) { return msg; } msg->qinfo = *qinfo; msg->rep = construct_reply_info_base(ms->region, - LDNS_RCODE_NOERROR | BIT_RD | BIT_QR | BIT_AA | BIT_RA, + LDNS_RCODE_NOERROR | BIT_QR | BIT_AA | BIT_RA, 1, /* qd */ 0, /* ttl */ 0, /* prettl */ @@ -1715,14 +1716,18 @@ rpz_synthesize_nodata(struct rpz* ATTR_UNUSED(r), struct module_qstate* ms, } static inline struct dns_msg* -rpz_synthesize_nxdomain(struct rpz* ATTR_UNUSED(r), struct module_qstate* ms, +rpz_synthesize_nxdomain(struct rpz* r, struct module_qstate* ms, struct query_info* qinfo, struct auth_zone* az) { struct dns_msg* msg = rpz_dns_msg_new(ms->region); + uint16_t flags; if(msg == NULL) { return msg; } msg->qinfo = *qinfo; + flags = LDNS_RCODE_NXDOMAIN | BIT_QR | BIT_AA | BIT_RA; + if(r->signal_nxdomain_ra) + flags &= ~BIT_RA; msg->rep = construct_reply_info_base(ms->region, - LDNS_RCODE_NXDOMAIN | BIT_RD | BIT_QR | BIT_AA | BIT_RA, + flags, 1, /* qd */ 0, /* ttl */ 0, /* prettl */ @@ -1752,7 +1757,7 @@ rpz_synthesize_localdata_from_rrset(struct rpz* ATTR_UNUSED(r), struct module_qs if(msg == NULL) { return NULL; } new_reply_info = construct_reply_info_base(ms->region, - LDNS_RCODE_NOERROR | BIT_RD | BIT_QR | BIT_AA | BIT_RA, + LDNS_RCODE_NOERROR | BIT_QR | BIT_AA | BIT_RA, 1, /* qd */ 0, /* ttl */ 0, /* prettl */ @@ -1922,6 +1927,9 @@ rpz_synthesize_qname_localdata(struct module_env* env, struct rpz* r, ret = local_zones_zone_answer(z, env, qinfo, edns, repinfo, buf, temp, 0 /* no local data used */, lzt); + if(r->signal_nxdomain_ra && LDNS_RCODE_WIRE(sldns_buffer_begin(buf)) + == LDNS_RCODE_NXDOMAIN) + LDNS_RA_CLR(sldns_buffer_begin(buf)); if(r->log) { log_rpz_apply("qname", z->name, NULL, localzone_type_to_rpz_action(lzt), qinfo, repinfo, NULL, r->log_name); @@ -1930,7 +1938,7 @@ rpz_synthesize_qname_localdata(struct module_env* env, struct rpz* r, return ret; } -struct clientip_synthesized_rr* +static struct clientip_synthesized_rr* rpz_delegation_point_ipbased_trigger_lookup(struct rpz* rpz, struct iter_qstate* is) { struct delegpt_addr* cursor; @@ -1947,7 +1955,7 @@ rpz_delegation_point_ipbased_trigger_lookup(struct rpz* rpz, struct iter_qstate* return NULL; } -struct dns_msg* +static struct dns_msg* rpz_apply_nsip_trigger(struct module_qstate* ms, struct rpz* r, struct clientip_synthesized_rr* raddr, struct auth_zone* az) { @@ -2006,7 +2014,7 @@ done: return ret; } -struct dns_msg* +static struct dns_msg* rpz_apply_nsdname_trigger(struct module_qstate* ms, struct rpz* r, struct local_zone* z, struct matched_delegation_point const* match, struct auth_zone* az) @@ -2295,6 +2303,10 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env, local_zones_zone_answer(*z_out /*likely NULL, no zone*/, env, qinfo, edns, repinfo, buf, temp, 0 /* no local data used */, rpz_action_to_localzone_type(client_action)); + if(*r_out && (*r_out)->signal_nxdomain_ra && + LDNS_RCODE_WIRE(sldns_buffer_begin(buf)) + == LDNS_RCODE_NXDOMAIN) + LDNS_RA_CLR(sldns_buffer_begin(buf)); } ret = 1; goto done; diff --git a/contrib/unbound/services/rpz.h b/contrib/unbound/services/rpz.h index 691475743606..c29d30dff506 100644 --- a/contrib/unbound/services/rpz.h +++ b/contrib/unbound/services/rpz.h @@ -123,6 +123,8 @@ struct rpz { struct ub_packed_rrset_key* cname_override; int log; char* log_name; + /** signal NXDOMAIN blocked with unset RA flag */ + int signal_nxdomain_ra; struct regional* region; int disabled; }; diff --git a/contrib/unbound/sldns/keyraw.c b/contrib/unbound/sldns/keyraw.c index b1e60d8b52a8..befe1f722424 100644 --- a/contrib/unbound/sldns/keyraw.c +++ b/contrib/unbound/sldns/keyraw.c @@ -250,7 +250,8 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len) if(!(dsa = DSA_new())) { return NULL; } -#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) +#if OPENSSL_VERSION_NUMBER < 0x10100000 || \ + (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x02070000f) #ifndef S_SPLINT_S dsa->p = P; dsa->q = Q; @@ -428,7 +429,8 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len) BN_free(modulus); return NULL; } -#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) +#if OPENSSL_VERSION_NUMBER < 0x10100000 || \ + (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x02070000f) #ifndef S_SPLINT_S rsa->n = modulus; rsa->e = exponent; diff --git a/contrib/unbound/sldns/str2wire.c b/contrib/unbound/sldns/str2wire.c index ddaccd1b292d..d2cefae1c09e 100644 --- a/contrib/unbound/sldns/str2wire.c +++ b/contrib/unbound/sldns/str2wire.c @@ -25,8 +25,10 @@ #include #endif +/** bits for the offset */ +#define RET_OFFSET_MASK (((unsigned)(~LDNS_WIREPARSE_MASK))>>LDNS_WIREPARSE_SHIFT) /** return an error */ -#define RET_ERR(e, off) ((int)((e)|((off)< 0 && !*quoted && - *(sldns_buffer_current(strbuf)) == ' ') { + (*(sldns_buffer_current(strbuf)) == ' ' || + *(sldns_buffer_current(strbuf)) == '\t')) { sldns_buffer_skip(strbuf, 1); } @@ -601,7 +604,10 @@ sldns_affix_token(sldns_buffer* strbuf, char* token, size_t* token_len, size_t addstrlen = 0; /* add space */ - if(addlen < 1) return 0; + /* when addlen < 2, the token buffer is full considering the NULL byte + * from strlen and will lead to buffer overflow with the second + * assignement below. */ + if(addlen < 2) return 0; token[*token_strlen] = ' '; token[++(*token_strlen)] = 0; diff --git a/contrib/unbound/sldns/str2wire.h b/contrib/unbound/sldns/str2wire.h index 0c316498956e..baee4236fe55 100644 --- a/contrib/unbound/sldns/str2wire.h +++ b/contrib/unbound/sldns/str2wire.h @@ -187,7 +187,7 @@ uint8_t* sldns_wirerr_get_rdatawl(uint8_t* rr, size_t len, size_t dname_len); #define LDNS_WIREPARSE_MASK 0x0fff #define LDNS_WIREPARSE_SHIFT 12 #define LDNS_WIREPARSE_ERROR(e) ((e)&LDNS_WIREPARSE_MASK) -#define LDNS_WIREPARSE_OFFSET(e) (((e)&~LDNS_WIREPARSE_MASK)>>LDNS_WIREPARSE_SHIFT) +#define LDNS_WIREPARSE_OFFSET(e) ((((unsigned)(e))&~LDNS_WIREPARSE_MASK)>>LDNS_WIREPARSE_SHIFT) /* use lookuptable to get error string, sldns_wireparse_errors */ #define LDNS_WIREPARSE_ERR_OK 0 #define LDNS_WIREPARSE_ERR_GENERAL 342 diff --git a/contrib/unbound/sldns/wire2str.c b/contrib/unbound/sldns/wire2str.c index 6a177ec0b06c..b70efe299d4b 100644 --- a/contrib/unbound/sldns/wire2str.c +++ b/contrib/unbound/sldns/wire2str.c @@ -817,6 +817,7 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen, unsigned i, counter=0; unsigned maxcompr = MAX_COMPRESS_PTRS; /* loop detection, max compr ptrs */ int in_buf = 1; + size_t dname_len = 0; if(comprloop) { if(*comprloop != 0) maxcompr = 30; /* for like ipv6 reverse name, per label */ @@ -872,6 +873,16 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen, labellen = (uint8_t)*dlen; else if(!in_buf && pos+(size_t)labellen > pkt+pktlen) labellen = (uint8_t)(pkt + pktlen - pos); + dname_len += ((size_t)labellen)+1; + if(dname_len > LDNS_MAX_DOMAINLEN) { + /* dname_len counts the uncompressed length we have + * seen so far, and the domain name has become too + * long, prevent the loop from printing overly long + * content. */ + w += sldns_str_print(s, slen, + "ErrorDomainNameTooLong"); + return w; + } for(i=0; i<(unsigned)labellen; i++) { w += dname_char_print(s, slen, *pos++); } diff --git a/contrib/unbound/smallapp/unbound-checkconf.c b/contrib/unbound/smallapp/unbound-checkconf.c index 8f114b862c9a..fc4f4f212d0a 100644 --- a/contrib/unbound/smallapp/unbound-checkconf.c +++ b/contrib/unbound/smallapp/unbound-checkconf.c @@ -691,6 +691,8 @@ morechecks(struct config_file* cfg) && strcmp(cfg->module_conf, "dns64 iterator") != 0 && strcmp(cfg->module_conf, "respip iterator") != 0 && strcmp(cfg->module_conf, "respip validator iterator") != 0 + && strcmp(cfg->module_conf, "respip dns64 validator iterator") != 0 + && strcmp(cfg->module_conf, "respip dns64 iterator") != 0 #ifdef WITH_PYTHONMODULE && strcmp(cfg->module_conf, "python iterator") != 0 && strcmp(cfg->module_conf, "python respip iterator") != 0 @@ -785,6 +787,10 @@ morechecks(struct config_file* cfg) && strcmp(cfg->module_conf, "validator python cachedb iterator") != 0 && strcmp(cfg->module_conf, "respip validator python cachedb iterator") != 0 #endif +#if defined(CLIENT_SUBNET) && defined(USE_CACHEDB) + && strcmp(cfg->module_conf, "respip subnetcache validator cachedb iterator") != 0 + && strcmp(cfg->module_conf, "subnetcache validator cachedb iterator") != 0 +#endif #ifdef CLIENT_SUBNET && strcmp(cfg->module_conf, "subnetcache iterator") != 0 && strcmp(cfg->module_conf, "respip subnetcache iterator") != 0 diff --git a/contrib/unbound/smallapp/worker_cb.c b/contrib/unbound/smallapp/worker_cb.c index 78e773938c88..c68981735cb7 100644 --- a/contrib/unbound/smallapp/worker_cb.c +++ b/contrib/unbound/smallapp/worker_cb.c @@ -97,10 +97,12 @@ void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg)) struct outbound_entry* worker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), - int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), + int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit), + struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), - char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q)) + char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q), + int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; @@ -129,10 +131,12 @@ worker_alloc_cleanup(void* ATTR_UNUSED(arg)) struct outbound_entry* libworker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), - int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), + int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit), + struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), - char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q)) + char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q), + int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; diff --git a/contrib/unbound/testdata/edns_attached_once_per_upstream.rpl b/contrib/unbound/testdata/edns_attached_once_per_upstream.rpl new file mode 100644 index 000000000000..19f1ba75df49 --- /dev/null +++ b/contrib/unbound/testdata/edns_attached_once_per_upstream.rpl @@ -0,0 +1,90 @@ +; config options +server: + edns-client-string: 10.0.0.0/24 "abc d" + outbound-msg-retry: 1 + +stub-zone: + name: "edns-string-abc." + stub-addr: 10.0.0.3 + stub-first: yes + +forward-zone: + name: "." + forward-addr: 10.0.0.1 + +CONFIG_END + +SCENARIO_BEGIN Test that upstream specific EDNS is attached once; uses string tag option + +RANGE_BEGIN 0 1000 + ADDRESS 10.0.0.3 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR SERVFAIL +SECTION QUESTION +edns-string-abc. IN A +ENTRY_END +RANGE_END + +RANGE_BEGIN 0 1000 + ADDRESS 10.0.0.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +edns-string-abc. IN A +SECTION ANSWER +edns-string-abc. IN A 10.20.30.40 +SECTION ADDITIONAL +ENTRY_END +RANGE_END + +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +edns-string-abc. IN A +ENTRY_END + +; This will receive SERVFAIL and the next address will be queried +STEP 20 CHECK_OUT_QUERY ADDRESS 10.0.0.3 +ENTRY_BEGIN +MATCH qname qtype opcode ednsdata +SECTION QUESTION +edns-string-abc. IN A +SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + fd e9 ; Opcode 65001 + 00 05 ; Length 5 + 61 62 63 20 64 ; "abc d" + HEX_EDNSDATA_END +ENTRY_END + +; This will receive the answer; makes sure that EDNS is attached once +STEP 22 CHECK_OUT_QUERY ADDRESS 10.0.0.1 +ENTRY_BEGIN +MATCH qname qtype opcode ednsdata +SECTION QUESTION +edns-string-abc. IN A +SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + fd e9 ; Opcode 65001 + 00 05 ; Length 5 + 61 62 63 20 64 ; "abc d" + HEX_EDNSDATA_END +ENTRY_END + + +STEP 30 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +edns-string-abc. IN A +SECTION ANSWER +edns-string-abc. IN A 10.20.30.40 +ENTRY_END + +SCENARIO_END diff --git a/contrib/unbound/testdata/nsid_bogus.rpl b/contrib/unbound/testdata/nsid_bogus.rpl new file mode 100644 index 000000000000..1414163f8a6a --- /dev/null +++ b/contrib/unbound/testdata/nsid_bogus.rpl @@ -0,0 +1,174 @@ +; config options +; The island of trust is at example.com +server: + trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" + val-override-date: "20070916134226" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no + nsid: "ascii_hopsa kidee" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test for NSID in SERVFAIL response due to DNSSEC bogus + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} +ENTRY_END + +; response to DNSKEY priming query +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} +example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854} +SECTION AUTHORITY +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} +ENTRY_END + +; nodata for ns.example.com AAAA +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION ANSWER +SECTION ADDITIONAL +ENTRY_END + + +; response to query of interest +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +;good signature +;www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854} +;missing +www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2855 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= +SECTION AUTHORITY +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854} +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www.example.com. IN A +SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + 00 03 ; Opcode NSID (3) + 00 00 ; Length 0 + HEX_EDNSDATA_END +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA DO SERVFAIL +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + 00 03 ; Opcode NSID (3) + 00 0b ; Length 11 + 68 6F 70 73 61 20 ; "hopsa " + 6B 69 64 65 65 ; "kidee" + HEX_EDNSDATA_END +ENTRY_END + +SCENARIO_END diff --git a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.conf b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.conf new file mode 100644 index 000000000000..5d2456c39311 --- /dev/null +++ b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.conf @@ -0,0 +1,29 @@ +server: + verbosity: 5 + # num-threads: 1 + interface: 127.0.0.1 + port: @PORT@ + use-syslog: no + directory: . + pidfile: "unbound.pid" + chroot: "" + username: "" + do-not-query-localhost: no + + ratelimit: 1 + ratelimit-factor: 0 + +stub-zone: + name: "example.com." + stub-addr: "127.0.0.1@@TOPORT@" + stub-no-cache: yes + +remote-control: + control-enable: yes + control-interface: 127.0.0.1 + # control-interface: ::1 + control-port: @CONTROL_PORT@ + server-key-file: "unbound_server.key" + server-cert-file: "unbound_server.pem" + control-key-file: "unbound_control.key" + control-cert-file: "unbound_control.pem" diff --git a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.dsc b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.dsc new file mode 100644 index 000000000000..abd5307c79ef --- /dev/null +++ b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.dsc @@ -0,0 +1,16 @@ +BaseName: ratelimit +Version: 1.0 +Description: Test ratelimit. +CreationDate: Sun Jan 30 00:40:00 CET 2022 +Maintainer: Yorgos Thessalonikefs +Category: +Component: +CmdDepends: +Depends: +Help: +Pre: ratelimit.pre +Post: ratelimit.post +Test: ratelimit.test +AuxFiles: +Passed: +Failure: diff --git a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.post b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.post new file mode 100644 index 000000000000..6738ed55ad07 --- /dev/null +++ b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.post @@ -0,0 +1,14 @@ +# #-- ratelimit.post --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# source the test var file when it's there +[ -f .tpkg.var.test ] && source .tpkg.var.test +# +# do your teardown here +. ../common.sh +kill_pid $STUB_PID +kill_pid $UNBOUND_PID +if test -f unbound.log; then + echo ">>> unbound log" + cat unbound.log +fi diff --git a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.pre b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.pre new file mode 100644 index 000000000000..2404cfc00b93 --- /dev/null +++ b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.pre @@ -0,0 +1,33 @@ +# #-- ratelimit.pre--# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +PRE="../.." +. ../common.sh +get_random_port 2 +UNBOUND_PORT=$RND_PORT +STUB_PORT=$(($RND_PORT + 1)) +CONTROL_PORT=$(($RND_PORT + 2)) +echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test +echo "STUB_PORT=$STUB_PORT" >> .tpkg.var.test +echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test + +# start ldns-testns +get_ldns_testns +$LDNS_TESTNS -v -p $STUB_PORT ratelimit.testns >stub.log 2>&1 & +STUB_PID=$! +echo "STUB_PID=$STUB_PID" >> .tpkg.var.test + +# make config file +sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$STUB_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < ratelimit.conf > ub.conf +# start unbound in the background +$PRE/unbound -d -c ub.conf >unbound.log 2>&1 & +UNBOUND_PID=$! +echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test + +wait_ldns_testns_up stub.log +wait_unbound_up unbound.log + +cat .tpkg.var.test diff --git a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.test b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.test new file mode 100644 index 000000000000..cc14717405c6 --- /dev/null +++ b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.test @@ -0,0 +1,183 @@ +# #-- ratelimit.test --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +PRE="../.." +. ../common.sh + +get_make +(cd $PRE; $MAKE streamtcp) + +# These tests rely on second time precision. To combat false negatives the +# tests run multiple times and we allow 1/3 of the runs to fail. +total_runs=6 +success_threshold=4 # 2/3*total_runs + +successes=0 +echo "> Three parallel queries" +# For this test we send three parallel queries and we expect only one of them +# to be allowed through each second. +for i in $(seq 1 $total_runs); do + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + cat outfile + if test `grep "rcode: SERVFAIL" outfile | wc -l` -eq 2; then + ((successes++)) + fi + # We don't have to wait for all the runs to complete if we know + # we passed the threshold. + if test $successes -ge $success_threshold; then + break + fi + sleep 1 +done +if test $successes -ge $success_threshold; then + echo "Number of ratelimited queries OK for three parallel queries" +else + echo "Number of ratelimited queries not OK for three parallel queries" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Number of ratelimited queries not OK for three parallel queries" + exit 1 +fi + +echo "> Activating ratelimit-factor" +echo "$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 3" +$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 3 +if test $? -ne 0; then + echo "wrong exit value after success" + exit 1 +fi + +slipped_through=0 +echo "> Three parallel queries with ratelimit-factor" +# For this test we send three parallel queries and we expect at least two of +# them to be allowed through at a given second; one from the ratelimit itself +# and one from the ratelimit-factor. +for i in {1..10}; do + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + cat outfile + if test `grep "rcode: SERVFAIL" outfile | wc -l` -lt 2; then + slipped_through=1 + break + fi + sleep 2 +done +if test $slipped_through -eq 0; then + echo "ratelimit-factor did not work" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "ratelimit-factor did not work" + exit 1 +fi +echo "ratelimit-factor OK" + +echo "> Disabling ratelimit-factor" +echo "$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 0" +$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 0 +if test $? -ne 0; then + echo "wrong exit value after success" + exit 1 +fi +echo "> Activating ratelimit-backoff" +echo "$PRE/unbound-control -c ub.conf set_option ratelimit-backoff: yes" +$PRE/unbound-control -c ub.conf set_option ratelimit-backoff: yes +if test $? -ne 0; then + echo "wrong exit value after success" + exit 1 +fi + +successes=0 +echo "> Three parallel queries with backoff" +# For this test we send three parallel queries. The ratelimit should be reached +# for that second. Then for the next second we again send three parallel +# queries and we expect none of them to be allowed through because of the +# backoff logic that keeps rolling the RATE_WINDOW based on demand. +for i in $(seq 1 $total_runs); do + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + sleep 1 # Limit is reached; it should also be active for the next second + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + cat outfile + if test `grep "rcode: SERVFAIL" outfile | wc -l` -eq 3; then + ((successes++)) + fi + # We don't have to wait for all the runs to complete if we know + # we passed the threshold. + if test $successes -ge $success_threshold; then + break + fi +done + +if test $successes -ge $success_threshold; then + echo "three parallel queries with backoff OK" +else + echo "Number of ratelimited queries not OK for three parallel queries with backoff" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Number of ratelimited queries not OK for three parallel queries with backoff" + exit 1 +fi + +echo "> Three parallel queries after backoff RATE_WINDOW" +sleep 3 # Make sure the RATE_WINDOW is renewed +# For this test we make three parallel queries after the RATE_WINDOW has passed +# without any new demand and we expect at least one query to pass through. This +# is to check that the backoff logic does not insist on past (outside of +# RATE_WINDOW) limits. +$PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 +if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 +fi +cat outfile +if test `grep "rcode: NOERROR" outfile | wc -l` -gt 0; then + echo "Number of ratelimited queries OK for three parallel queries after backoff RATE_WINDOW" +else + echo "Number of ratelimited queries not OK for three parallel queries after backoff RATE_WINDOW" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Number of ratelimited queries not OK for three parallel queries after backoff RATE_WINDOW" + exit 1 +fi +exit 0 diff --git a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.testns b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.testns new file mode 100644 index 000000000000..673bd15a598b --- /dev/null +++ b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.testns @@ -0,0 +1,13 @@ +; nameserver test file +$ORIGIN example.com. +$TTL 3600 + +ENTRY_BEGIN +MATCH opcode qtype +REPLY QR AA NOERROR +ADJUST copy_id copy_query +SECTION QUESTION +wild IN A +SECTION ANSWER +wild IN A 10.20.30.40 +ENTRY_END diff --git a/contrib/unbound/testdata/ratelimit.tdir/unbound_control.key b/contrib/unbound/testdata/ratelimit.tdir/unbound_control.key new file mode 100644 index 000000000000..753a4ef6162e --- /dev/null +++ b/contrib/unbound/testdata/ratelimit.tdir/unbound_control.key @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA +1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ +F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR +ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm +vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb +IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL +cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr +lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov +15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf +LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+ +Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57 +YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9 +whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c +lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax +tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ +U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9 +Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc +Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3 +ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+ +1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN +b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz +ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C +TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF +tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y +aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0 +A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU +LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U +R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy +7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj +7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw +jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1 +BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar +kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR +qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3 +VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9 +MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa +C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g= +-----END RSA PRIVATE KEY----- diff --git a/contrib/unbound/testdata/ratelimit.tdir/unbound_control.pem b/contrib/unbound/testdata/ratelimit.tdir/unbound_control.pem new file mode 100644 index 000000000000..a1edf7017f1d --- /dev/null +++ b/contrib/unbound/testdata/ratelimit.tdir/unbound_control.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw +WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA +A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv +OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj +1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl +NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht +A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/ +Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB +TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/ +nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My ++i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj +4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83 +hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU +9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn +ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ +pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD +72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ +muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP +uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte +-----END CERTIFICATE----- diff --git a/contrib/unbound/testdata/ratelimit.tdir/unbound_server.key b/contrib/unbound/testdata/ratelimit.tdir/unbound_server.key new file mode 100644 index 000000000000..370a7bbb2f22 --- /dev/null +++ b/contrib/unbound/testdata/ratelimit.tdir/unbound_server.key @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI +0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq +GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z +uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K +WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5 +FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP +q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL +A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP +7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf +XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6 +iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7 +2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo +MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj +WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz +O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI +IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN +qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU +dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs +bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr +YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km +7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr +gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z +5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG +ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN +oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+ +s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW +zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx +ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1 +oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3 +BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS +mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8 +kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93 +7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8 +RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O +jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp +O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre +MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A== +-----END RSA PRIVATE KEY----- diff --git a/contrib/unbound/testdata/ratelimit.tdir/unbound_server.pem b/contrib/unbound/testdata/ratelimit.tdir/unbound_server.pem new file mode 100644 index 000000000000..986807310f2b --- /dev/null +++ b/contrib/unbound/testdata/ratelimit.tdir/unbound_server.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5 +WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB +igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32 +a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2 +4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot +aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4 +TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ +uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4 ++nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz +XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx +dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW +84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7 +JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca +fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg +XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF +qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25 +sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD +yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe +CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ== +-----END CERTIFICATE----- diff --git a/contrib/unbound/testdata/rpz_nsdname.rpl b/contrib/unbound/testdata/rpz_nsdname.rpl index 08ff3c2e2f5b..1c678cc13bad 100644 --- a/contrib/unbound/testdata/rpz_nsdname.rpl +++ b/contrib/unbound/testdata/rpz_nsdname.rpl @@ -348,7 +348,7 @@ ENTRY_END STEP 11 CHECK_ANSWER ENTRY_BEGIN MATCH all -REPLY QR RD RA NXDOMAIN +REPLY QR AA RD RA NXDOMAIN SECTION QUESTION gotham.aa. IN A SECTION ANSWER diff --git a/contrib/unbound/testdata/rpz_nsip.rpl b/contrib/unbound/testdata/rpz_nsip.rpl index ac132cae0996..34dbd9fef816 100644 --- a/contrib/unbound/testdata/rpz_nsip.rpl +++ b/contrib/unbound/testdata/rpz_nsip.rpl @@ -348,7 +348,7 @@ ENTRY_END STEP 11 CHECK_ANSWER ENTRY_BEGIN MATCH all -REPLY QR RD RA NXDOMAIN +REPLY QR AA RD RA NXDOMAIN SECTION QUESTION gotham.aa. IN A SECTION ANSWER diff --git a/contrib/unbound/testdata/rpz_signal_nxdomain_ra.rpl b/contrib/unbound/testdata/rpz_signal_nxdomain_ra.rpl new file mode 100644 index 000000000000..b89498cf9626 --- /dev/null +++ b/contrib/unbound/testdata/rpz_signal_nxdomain_ra.rpl @@ -0,0 +1,254 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + access-control: 192.0.0.0/8 allow + +rpz: + name: "rpz.example.com." + rpz-signal-nxdomain-ra: yes + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +a.a CNAME . +b.a CNAME . +ns1.a.rpz-nsdname CNAME . +24.0.0.0.192.rpz-nsip CNAME . +24.0.3.0.192.rpz-client-ip CNAME . +TEMPFILE_END + +stub-zone: + name: "a." + stub-addr: 10.20.30.40 +CONFIG_END + +SCENARIO_BEGIN Test RPZ qname trigger and signal NXDOMAIN with unset RA. + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a. IN NS +SECTION ANSWER +a. IN NS ns.a. +SECTION ADDITIONAL +ns.a IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +a.a. IN TXT "upstream txt rr a.a." +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +b.a. IN TXT +SECTION ANSWER +b.a. IN TXT "upstream txt rr b.a." +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c.a. IN TXT +SECTION ANSWER +c.a. IN CNAME b.a +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +d.a. IN NS +SECTION ANSWER +SECTION AUTHORITY +d.a. IN NS ns1.a. +SECTION ADDITIONAL +ns1.a. IN A 10.20.30.50 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +e.a. IN NS +SECTION ANSWER +SECTION AUTHORITY +e.a. IN NS ns2.a. +SECTION ADDITIONAL +ns2.a. IN A 192.0.0.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +f.a. IN TXT +SECTION ANSWER +f.a. IN TXT "upstream txt rr f.a." +ENTRY_END + +RANGE_END + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.50 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d.a. IN NS +SECTION ANSWER +d.a. IN NS ns1.a. +SECTION ADDITIONAL +ns1.a. IN A 10.20.30.50 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d.d.a. IN TXT +SECTION ANSWER +d.d.a. IN TXT "upstream answer for d.d.a" +ENTRY_END + +RANGE_END + +RANGE_BEGIN 0 100 + ADDRESS 192.0.0.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +e.a. IN NS +SECTION ANSWER +e.a. IN NS ns2.a. +SECTION ADDITIONAL +ns2.a. IN A 192.0.0.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +e.e.a. IN TXT +SECTION ANSWER +e.e.a. IN TXT "upstream answer for e.e.a" +ENTRY_END + +RANGE_END + +; qname trigger +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN TXT +ENTRY_END + +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +ENTRY_END + +; qname trigger after cname +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.a. IN TXT +ENTRY_END + +STEP 21 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +c.a. IN TXT +SECTION ANSWER +c.a. IN CNAME b.a +ENTRY_END + +; nsdname trigger +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d.d.a. IN TXT +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +d.d.a. IN TXT +SECTION ANSWER +ENTRY_END + +; nsip trigger +STEP 40 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +e.e.a. IN TXT +ENTRY_END + +STEP 41 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +e.e.a. IN TXT +SECTION ANSWER +ENTRY_END + +; clientip trigger +STEP 50 QUERY ADDRESS 192.0.3.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +f.a. IN TXT +ENTRY_END + +STEP 51 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR AA RD NXDOMAIN +SECTION QUESTION +f.a. IN TXT +SECTION ANSWER +ENTRY_END + +SCENARIO_END diff --git a/contrib/unbound/util/config_file.c b/contrib/unbound/util/config_file.c index 413d7e3221dd..e5492afd3cfa 100644 --- a/contrib/unbound/util/config_file.c +++ b/contrib/unbound/util/config_file.c @@ -260,7 +260,7 @@ config_create(void) cfg->val_log_level = 0; cfg->val_log_squelch = 0; cfg->val_permissive_mode = 0; - cfg->aggressive_nsec = 0; + cfg->aggressive_nsec = 1; cfg->ignore_cd = 0; cfg->serve_expired = 0; cfg->serve_expired_ttl = 0; @@ -328,9 +328,11 @@ config_create(void) cfg->ratelimit_size = 4*1024*1024; cfg->ratelimit_for_domain = NULL; cfg->ratelimit_below_domain = NULL; - cfg->outbound_msg_retry = 5; cfg->ip_ratelimit_factor = 10; cfg->ratelimit_factor = 10; + cfg->ip_ratelimit_backoff = 0; + cfg->ratelimit_backoff = 0; + cfg->outbound_msg_retry = 5; cfg->qname_minimisation = 1; cfg->qname_minimisation_strict = 0; cfg->shm_enable = 0; @@ -531,11 +533,17 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_YNO("edns-tcp-keepalive:", do_tcp_keepalive) else S_NUMBER_NONZERO("edns-tcp-keepalive-timeout:", tcp_keepalive_timeout) else S_YNO("ssl-upstream:", ssl_upstream) + else S_YNO("tls-upstream:", ssl_upstream) else S_STR("ssl-service-key:", ssl_service_key) + else S_STR("tls-service-key:", ssl_service_key) else S_STR("ssl-service-pem:", ssl_service_pem) + else S_STR("tls-service-pem:", ssl_service_pem) else S_NUMBER_NONZERO("ssl-port:", ssl_port) + else S_NUMBER_NONZERO("tls-port:", ssl_port) + else S_STR("ssl-cert-bundle:", tls_cert_bundle) else S_STR("tls-cert-bundle:", tls_cert_bundle) else S_YNO("tls-win-cert:", tls_win_cert) + else S_STRLIST("additional-ssl-port:", tls_additional_port) else S_STRLIST("additional-tls-port:", tls_additional_port) else S_STRLIST("tls-additional-ports:", tls_additional_port) else S_STRLIST("tls-additional-port:", tls_additional_port) @@ -753,6 +761,8 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_POW2("ratelimit-slabs:", ratelimit_slabs) else S_NUMBER_OR_ZERO("ip-ratelimit-factor:", ip_ratelimit_factor) else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor) + else S_YNO("ip-ratelimit-backoff:", ip_ratelimit_backoff) + else S_YNO("ratelimit-backoff:", ratelimit_backoff) else S_NUMBER_NONZERO("outbound-msg-retry:", outbound_msg_retry) else S_SIZET_NONZERO("fast-server-num:", fast_server_num) else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil) @@ -1029,11 +1039,19 @@ config_get_option(struct config_file* cfg, const char* opt, else O_YNO(opt, "edns-tcp-keepalive", do_tcp_keepalive) else O_DEC(opt, "edns-tcp-keepalive-timeout", tcp_keepalive_timeout) else O_YNO(opt, "ssl-upstream", ssl_upstream) + else O_YNO(opt, "tls-upstream", ssl_upstream) else O_STR(opt, "ssl-service-key", ssl_service_key) + else O_STR(opt, "tls-service-key", ssl_service_key) else O_STR(opt, "ssl-service-pem", ssl_service_pem) + else O_STR(opt, "tls-service-pem", ssl_service_pem) else O_DEC(opt, "ssl-port", ssl_port) + else O_DEC(opt, "tls-port", ssl_port) + else O_STR(opt, "ssl-cert-bundle", tls_cert_bundle) else O_STR(opt, "tls-cert-bundle", tls_cert_bundle) else O_YNO(opt, "tls-win-cert", tls_win_cert) + else O_LST(opt, "additional-ssl-port", tls_additional_port) + else O_LST(opt, "additional-tls-port", tls_additional_port) + else O_LST(opt, "tls-additional-ports", tls_additional_port) else O_LST(opt, "tls-additional-port", tls_additional_port) else O_LST(opt, "tls-session-ticket-keys", tls_session_ticket_keys.first) else O_STR(opt, "tls-ciphers", tls_ciphers) @@ -1197,6 +1215,8 @@ config_get_option(struct config_file* cfg, const char* opt, else O_LS2(opt, "ratelimit-below-domain", ratelimit_below_domain) else O_DEC(opt, "ip-ratelimit-factor", ip_ratelimit_factor) else O_DEC(opt, "ratelimit-factor", ratelimit_factor) + else O_YNO(opt, "ip-ratelimit-backoff", ip_ratelimit_backoff) + else O_YNO(opt, "ratelimit-backoff", ratelimit_backoff) else O_UNS(opt, "outbound-msg-retry", outbound_msg_retry) else O_DEC(opt, "fast-server-num", fast_server_num) else O_DEC(opt, "fast-server-permil", fast_server_permil) diff --git a/contrib/unbound/util/config_file.h b/contrib/unbound/util/config_file.h index 18910bee39fc..c7c9a0a48e6b 100644 --- a/contrib/unbound/util/config_file.h +++ b/contrib/unbound/util/config_file.h @@ -565,6 +565,10 @@ struct config_file { size_t ip_ratelimit_size; /** ip_ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */ int ip_ratelimit_factor; + /** ratelimit backoff, when on, if the limit is reached it is + * considered an attack and it backs off until 'demand' decreases over + * the RATE_WINDOW. */ + int ip_ratelimit_backoff; /** ratelimit for domains. 0 is off, otherwise qps (unless overridden) */ int ratelimit; @@ -578,6 +582,11 @@ struct config_file { struct config_str2list* ratelimit_below_domain; /** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */ int ratelimit_factor; + /** ratelimit backoff, when on, if the limit is reached it is + * considered an attack and it backs off until 'demand' decreases over + * the RATE_WINDOW. */ + int ratelimit_backoff; + /** number of retries on outgoing queries */ int outbound_msg_retry; /** minimise outgoing QNAME and hide original QTYPE if possible */ @@ -745,6 +754,8 @@ struct config_auth { /** Always reply with this CNAME target if the cname override action is * used */ char* rpz_cname; + /** signal nxdomain block with unset RA */ + int rpz_signal_nxdomain_ra; /** Check ZONEMD records for this zone */ int zonemd_check; /** Reject absence of ZONEMD records, zone must have one */ diff --git a/contrib/unbound/util/configlexer.lex b/contrib/unbound/util/configlexer.lex index 0fcd74a0cf53..5797292d68e2 100644 --- a/contrib/unbound/util/configlexer.lex +++ b/contrib/unbound/util/configlexer.lex @@ -348,6 +348,7 @@ rpz-action-override{COLON} { YDVAR(1, VAR_RPZ_ACTION_OVERRIDE) } rpz-cname-override{COLON} { YDVAR(1, VAR_RPZ_CNAME_OVERRIDE) } rpz-log{COLON} { YDVAR(1, VAR_RPZ_LOG) } rpz-log-name{COLON} { YDVAR(1, VAR_RPZ_LOG_NAME) } +rpz-signal-nxdomain-ra{COLON} { YDVAR(1, VAR_RPZ_SIGNAL_NXDOMAIN_RA) } zonefile{COLON} { YDVAR(1, VAR_ZONEFILE) } master{COLON} { YDVAR(1, VAR_MASTER) } primary{COLON} { YDVAR(1, VAR_MASTER) } @@ -502,6 +503,8 @@ ratelimit-for-domain{COLON} { YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) } ratelimit-below-domain{COLON} { YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) } ip-ratelimit-factor{COLON} { YDVAR(1, VAR_IP_RATELIMIT_FACTOR) } ratelimit-factor{COLON} { YDVAR(1, VAR_RATELIMIT_FACTOR) } +ip-ratelimit-backoff{COLON} { YDVAR(1, VAR_IP_RATELIMIT_BACKOFF) } +ratelimit-backoff{COLON} { YDVAR(1, VAR_RATELIMIT_BACKOFF) } outbound-msg-retry{COLON} { YDVAR(1, VAR_OUTBOUND_MSG_RETRY) } low-rtt{COLON} { YDVAR(1, VAR_LOW_RTT) } fast-server-num{COLON} { YDVAR(1, VAR_FAST_SERVER_NUM) } diff --git a/contrib/unbound/util/configparser.y b/contrib/unbound/util/configparser.y index 1daf853d5749..d4f965f94465 100644 --- a/contrib/unbound/util/configparser.y +++ b/contrib/unbound/util/configparser.y @@ -142,6 +142,7 @@ extern struct config_parser_state* cfg_parser; %token VAR_OUTBOUND_MSG_RETRY %token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN %token VAR_IP_RATELIMIT_FACTOR VAR_RATELIMIT_FACTOR +%token VAR_IP_RATELIMIT_BACKOFF VAR_RATELIMIT_BACKOFF %token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ZONE %token VAR_CLIENT_SUBNET_ALWAYS_FORWARD VAR_CLIENT_SUBNET_OPCODE %token VAR_MAX_CLIENT_SUBNET_IPV4 VAR_MAX_CLIENT_SUBNET_IPV6 @@ -187,6 +188,7 @@ extern struct config_parser_state* cfg_parser; %token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING %token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID %token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE +%token VAR_RPZ_SIGNAL_NXDOMAIN_RA %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; @@ -271,7 +273,8 @@ content_server: server_num_threads | server_verbosity | server_port | server_ip_ratelimit_size | server_ratelimit_size | server_ratelimit_for_domain | server_ratelimit_below_domain | server_ratelimit_factor | - server_ip_ratelimit_factor | server_outbound_msg_retry | + server_ip_ratelimit_factor | server_ratelimit_backoff | + server_ip_ratelimit_backoff | server_outbound_msg_retry | server_send_client_subnet | server_client_subnet_zone | server_client_subnet_always_forward | server_client_subnet_opcode | server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 | @@ -455,6 +458,15 @@ rpz_log_name: VAR_RPZ_LOG_NAME STRING_ARG cfg_parser->cfg->auths->rpz_log_name = $2; } ; +rpz_signal_nxdomain_ra: VAR_RPZ_SIGNAL_NXDOMAIN_RA STRING_ARG + { + OUTYY(("P(rpz_signal_nxdomain_ra:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->auths->rpz_signal_nxdomain_ra = (strcmp($2, "yes")==0); + free($2); + } + ; rpzstart: VAR_RPZ { @@ -478,7 +490,7 @@ contents_rpz: contents_rpz content_rpz | ; content_rpz: auth_name | auth_zonefile | rpz_tag | auth_master | auth_url | auth_allow_notify | rpz_action_override | rpz_cname_override | - rpz_log | rpz_log_name + rpz_log | rpz_log_name | rpz_signal_nxdomain_ra | auth_for_downstream ; server_num_threads: VAR_NUM_THREADS STRING_ARG { @@ -2494,6 +2506,26 @@ server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG free($2); } ; +server_ip_ratelimit_backoff: VAR_IP_RATELIMIT_BACKOFF STRING_ARG + { + OUTYY(("P(server_ip_ratelimit_backoff:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_ratelimit_backoff = + (strcmp($2, "yes")==0); + free($2); + } + ; +server_ratelimit_backoff: VAR_RATELIMIT_BACKOFF STRING_ARG + { + OUTYY(("P(server_ratelimit_backoff:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ratelimit_backoff = + (strcmp($2, "yes")==0); + free($2); + } + ; server_outbound_msg_retry: VAR_OUTBOUND_MSG_RETRY STRING_ARG { OUTYY(("P(server_outbound_msg_retry:%s)\n", $2)); diff --git a/contrib/unbound/util/fptr_wlist.c b/contrib/unbound/util/fptr_wlist.c index f8dac65c59a0..05a22d402ee1 100644 --- a/contrib/unbound/util/fptr_wlist.c +++ b/contrib/unbound/util/fptr_wlist.c @@ -138,6 +138,7 @@ fptr_whitelist_comm_timer(void (*fptr)(void*)) else if(fptr == &auth_xfer_probe_timer_callback) return 1; else if(fptr == &auth_xfer_transfer_timer_callback) return 1; else if(fptr == &mesh_serve_expired_callback) return 1; + else if(fptr == &serviced_timer_cb) return 1; #ifdef USE_DNSTAP else if(fptr == &mq_wakeup_cb) return 1; #endif @@ -334,9 +335,10 @@ fptr_whitelist_hash_markdelfunc(lruhash_markdelfunc_type fptr) int fptr_whitelist_modenv_send_query(struct outbound_entry* (*fptr)( struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, - int nocaps, struct sockaddr_storage* addr, socklen_t addrlen, - uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q)) + int nocaps, int check_ratelimit, struct sockaddr_storage* addr, + socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream, + int ssl_upstream, char* tls_auth_name, struct module_qstate* q, + int* was_ratelimited)) { if(fptr == &worker_send_query) return 1; else if(fptr == &libworker_send_query) return 1; diff --git a/contrib/unbound/util/fptr_wlist.h b/contrib/unbound/util/fptr_wlist.h index a5470992550f..a0d9867554b5 100644 --- a/contrib/unbound/util/fptr_wlist.h +++ b/contrib/unbound/util/fptr_wlist.h @@ -211,9 +211,10 @@ int fptr_whitelist_hash_markdelfunc(lruhash_markdelfunc_type fptr); */ int fptr_whitelist_modenv_send_query(struct outbound_entry* (*fptr)( struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, - int nocaps, struct sockaddr_storage* addr, socklen_t addrlen, - uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q)); + int nocaps, int check_ratelimit, struct sockaddr_storage* addr, + socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream, + int ssl_upstream, char* tls_auth_name, struct module_qstate* q, + int* was_ratelimited)); /** * Check function pointer whitelist for module_env detach_subs callback values. diff --git a/contrib/unbound/util/iana_ports.inc b/contrib/unbound/util/iana_ports.inc index 9183c3987292..c7662dc62fe3 100644 --- a/contrib/unbound/util/iana_ports.inc +++ b/contrib/unbound/util/iana_ports.inc @@ -3784,6 +3784,7 @@ 4308, 4309, 4310, +4319, 4320, 4321, 4322, @@ -4054,7 +4055,6 @@ 5026, 5027, 5029, -5030, 5031, 5042, 5043, diff --git a/contrib/unbound/util/module.h b/contrib/unbound/util/module.h index c6b7e573ce00..7a548003397a 100644 --- a/contrib/unbound/util/module.h +++ b/contrib/unbound/util/module.h @@ -350,6 +350,7 @@ struct module_env { * EDNS, the answer is likely to be useless for this domain. * @param nocaps: do not use caps_for_id, use the qname as given. * (ignored if caps_for_id is disabled). + * @param check_ratelimit: if set, will check ratelimit before sending out. * @param addr: where to. * @param addrlen: length of addr. * @param zone: delegation point name. @@ -359,6 +360,8 @@ struct module_env { * @param tls_auth_name: if ssl_upstream, use this name with TLS * authentication. * @param q: which query state to reactivate upon return. + * @param was_ratelimited: it will signal back if the query failed to pass the + * ratelimit check. * @return: false on failure (memory or socket related). no query was * sent. Or returns an outbound entry with qsent and qstate set. * This outbound_entry will be used on later module invocations @@ -366,9 +369,10 @@ struct module_env { */ struct outbound_entry* (*send_query)(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, - char* tls_auth_name, struct module_qstate* q); + char* tls_auth_name, struct module_qstate* q, int* was_ratelimited); /** * Detach-subqueries. diff --git a/contrib/unbound/util/net_help.c b/contrib/unbound/util/net_help.c index d63fccd55ca2..8bef5689050e 100644 --- a/contrib/unbound/util/net_help.c +++ b/contrib/unbound/util/net_help.c @@ -44,6 +44,9 @@ #ifdef HAVE_NET_IF_H #include #endif +#ifdef HAVE_NETIOAPI_H +#include +#endif #include "util/net_help.h" #include "util/log.h" #include "util/data/dname.h" @@ -52,6 +55,7 @@ #include "util/config_file.h" #include "sldns/parseutil.h" #include "sldns/wire2str.h" +#include "sldns/str2wire.h" #include #ifdef HAVE_OPENSSL_SSL_H #include @@ -476,6 +480,42 @@ int authextstrtoaddr(char* str, struct sockaddr_storage* addr, return ipstrtoaddr(str, port, addr, addrlen); } +uint8_t* authextstrtodname(char* str, int* port, char** auth_name) +{ + char* s; + uint8_t* dname; + size_t dname_len; + *port = UNBOUND_DNS_PORT; + *auth_name = NULL; + if((s=strchr(str, '@'))) { + char* hash = strchr(s+1, '#'); + if(hash) { + *auth_name = hash+1; + } else { + *auth_name = NULL; + } + *port = atoi(s+1); + if(*port == 0) { + if(!hash && strcmp(s+1,"0")!=0) + return 0; + if(hash && strncmp(s+1,"0#",2)!=0) + return 0; + } + *s = 0; + dname = sldns_str2wire_dname(str, &dname_len); + *s = '@'; + } else if((s=strchr(str, '#'))) { + *port = UNBOUND_DNS_OVER_TLS_PORT; + *auth_name = s+1; + *s = 0; + dname = sldns_str2wire_dname(str, &dname_len); + *s = '#'; + } else { + dname = sldns_str2wire_dname(str, &dname_len); + } + return dname; +} + /** store port number into sockaddr structure */ void sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port) diff --git a/contrib/unbound/util/net_help.h b/contrib/unbound/util/net_help.h index 79835270c477..4dd398460294 100644 --- a/contrib/unbound/util/net_help.h +++ b/contrib/unbound/util/net_help.h @@ -210,17 +210,30 @@ int netblockstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, /** * Convert address string, with "@port" appendix, to sockaddr. * It can also have an "#tls-auth-name" appendix (after the port). - * The returned tls-auth-name string is a pointer into the input string. - * Uses DNS port by default. + * The returned auth_name string is a pointer into the input string. + * Uses DNS port by default; TLS port when a "#tls-auth-name" is configured. * @param str: the string * @param addr: where to store sockaddr. * @param addrlen: length of stored sockaddr is returned. * @param auth_name: returned pointer to tls_auth_name, or NULL if none. * @return 0 on error. */ -int authextstrtoaddr(char* str, struct sockaddr_storage* addr, +int authextstrtoaddr(char* str, struct sockaddr_storage* addr, socklen_t* addrlen, char** auth_name); +/** + * Convert domain string, with "@port" appendix, to dname. + * It can also have an "#tls-auth-name" appendix (after the port). + * The return port is the parsed port. + * Uses DNS port by default; TLS port when a "#tls-auth-name" is configured. + * The returned auth_name string is a pointer into the input string. + * @param str: the string + * @param port: pointer to be assigned the parsed port value. + * @param auth_name: returned pointer to tls_auth_name, or NULL if none. + * @return pointer to the dname. + */ +uint8_t* authextstrtodname(char* str, int* port, char** auth_name); + /** * Store port number into sockaddr structure * @param addr: sockaddr structure, ip4 or ip6. diff --git a/contrib/unbound/util/netevent.c b/contrib/unbound/util/netevent.c index 595e5dc80516..b9b7230e41ae 100644 --- a/contrib/unbound/util/netevent.c +++ b/contrib/unbound/util/netevent.c @@ -1146,6 +1146,8 @@ reclaim_tcp_handler(struct comm_point* c) } c->tcp_more_read_again = NULL; c->tcp_more_write_again = NULL; + c->tcp_byte_count = 0; + sldns_buffer_clear(c->buffer); } /** do the callback when writing is done */ diff --git a/contrib/unbound/validator/val_utils.c b/contrib/unbound/validator/val_utils.c index dd8d320e515d..bb366d339400 100644 --- a/contrib/unbound/validator/val_utils.c +++ b/contrib/unbound/validator/val_utils.c @@ -767,15 +767,15 @@ val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset) sldns_lookup_table *lt; char herr[64], aerr[64]; lt = sldns_lookup_by_id(sldns_hashes, - (int)ds_get_digest_algo(ds_rrset, i)); + (int)ds_get_digest_algo(ds_rrset, 0)); if(lt) snprintf(herr, sizeof(herr), "%s", lt->name); else snprintf(herr, sizeof(herr), "%d", - (int)ds_get_digest_algo(ds_rrset, i)); + (int)ds_get_digest_algo(ds_rrset, 0)); lt = sldns_lookup_by_id(sldns_algorithms, - (int)ds_get_key_algo(ds_rrset, i)); + (int)ds_get_key_algo(ds_rrset, 0)); if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name); else snprintf(aerr, sizeof(aerr), "%d", - (int)ds_get_key_algo(ds_rrset, i)); + (int)ds_get_key_algo(ds_rrset, 0)); verbose(VERB_ALGO, "DS unsupported, hash %s %s, " "key algorithm %s %s", herr, (ds_digest_algo_is_supported(ds_rrset, 0)?