Upgrade unbound library

These files were pulled from the 1.6.3 release tarball.

This new version builds against OpenSSL version 1.1 which will be
the default in the new Debian Stable which is due to be released
RealSoonNow (tm).
This commit is contained in:
Erik de Castro Lopo 2017-06-16 20:16:05 +10:00
parent e3da0ca828
commit a85b5759f3
241 changed files with 33336 additions and 12049 deletions

View file

@ -85,13 +85,16 @@ set(common_src
iterator/iter_resptype.c
iterator/iter_scrub.c
iterator/iter_utils.c
respip/respip.c
services/listen_dnsport.c
services/localzone.c
services/mesh.c
services/modstack.c
services/outbound_list.c
services/outside_network.c
services/view.c
util/alloc.c
util/as112.c
util/config_file.c
util/configlexer.c
util/configparser.c
@ -112,6 +115,7 @@ set(common_src
util/storage/slabhash.c
util/timehist.c
util/tube.c
util/ub_event.c
util/winsock_event.c
validator/autotrust.c
validator/val_anchor.c
@ -131,7 +135,7 @@ set(common_src
set(compat_src)
foreach (symbol IN ITEMS ctime_r gmtime_r inet_aton inet_ntop inet_pton isblank malloc memmove snprintf strlcat strlcpy strptime explicit_bzero arc4random arc4random_uniform reallocarray)
foreach (symbol IN ITEMS ctime_r gmtime_r inet_aton inet_ntop inet_pton isblank malloc memmove snprintf strsep strlcat strlcpy strptime explicit_bzero arc4random arc4random_uniform reallocarray)
string(TOUPPER "${symbol}" upper_sym)
if (NOT HAVE_${upper_sym})
list(APPEND compat_src

View file

@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c
CHECKLOCK_OBJ=@CHECKLOCK_OBJ@
DNSTAP_SRC=@DNSTAP_SRC@
DNSTAP_OBJ=@DNSTAP_OBJ@
DNSCRYPT_SRC=@DNSCRYPT_SRC@
DNSCRYPT_OBJ=@DNSCRYPT_OBJ@
WITH_PYTHONMODULE=@WITH_PYTHONMODULE@
WITH_PYUNBOUND=@WITH_PYUNBOUND@
PY_MAJOR_VERSION=@PY_MAJOR_VERSION@
@ -54,6 +56,7 @@ LEX=@LEX@
STRIP=@STRIP@
CC=@CC@
CPPFLAGS=-I. @CPPFLAGS@
PYTHON_CPPFLAGS=-I. @PYTHON_CPPFLAGS@
CFLAGS=@CFLAGS@
LDFLAGS=@LDFLAGS@
LIBS=@LIBS@
@ -80,7 +83,7 @@ LINTFLAGS+=@NETBSD_LINTFLAGS@
# compat with OpenBSD
LINTFLAGS+="-Dsigset_t=long"
# FreeBSD
LINTFLAGS+="-D__uint16_t=uint16_t" "-DEVP_PKEY_ASN1_METHOD=int" "-D_RuneLocale=int" "-D__va_list=va_list"
LINTFLAGS+="-D__uint16_t=uint16_t" "-DEVP_PKEY_ASN1_METHOD=int" "-D_RuneLocale=int" "-D__va_list=va_list" "-D__uint32_t=uint32_t"
INSTALL=$(SHELL) $(srcdir)/install-sh
@ -94,37 +97,47 @@ PYTHONMOD_HEADER=@PYTHONMOD_HEADER@
PYUNBOUND_SRC=
# libunbound_wrap.lo if python libunbound wrapper enabled.
PYUNBOUND_OBJ=@PYUNBOUND_OBJ@
SUBNET_SRC=edns-subnet/edns-subnet.c edns-subnet/subnetmod.c edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c
SUBNET_OBJ=@SUBNET_OBJ@
SUBNET_HEADER=@SUBNET_HEADER@
COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \
util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \
iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \
iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \
iterator/iter_scrub.c iterator/iter_utils.c services/listen_dnsport.c \
services/localzone.c services/mesh.c services/modstack.c \
services/localzone.c services/mesh.c services/modstack.c services/view.c \
services/outbound_list.c services/outside_network.c util/alloc.c \
util/config_file.c util/configlexer.c util/configparser.c \
util/shm_side/shm_main.c \
util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \
util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \
util/rtt.c util/storage/dnstree.c util/storage/lookup3.c \
util/storage/lruhash.c util/storage/slabhash.c util/timehist.c util/tube.c \
util/winsock_event.c validator/autotrust.c validator/val_anchor.c \
validator/validator.c validator/val_kcache.c validator/val_kentry.c \
validator/val_neg.c validator/val_nsec3.c validator/val_nsec.c \
validator/val_secalgo.c validator/val_sigcrypt.c \
validator/val_utils.c dns64/dns64.c $(CHECKLOCK_SRC) $(DNSTAP_SRC)
util/ub_event.c util/ub_event_pluggable.c util/winsock_event.c \
validator/autotrust.c validator/val_anchor.c validator/validator.c \
validator/val_kcache.c validator/val_kentry.c validator/val_neg.c \
validator/val_nsec3.c validator/val_nsec.c validator/val_secalgo.c \
validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \
$(DNSTAP_SRC) $(DNSCRYPT_SRC)
COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo \
iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo view.lo \
outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
fptr_wlist.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \
validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo \
$(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ)
COMMON_OBJ=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo \
$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ)
COMMON_OBJ_WITHOUT_NETCALL+=respip.lo
COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
outside_network.lo
COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo
# set to $COMMON_OBJ or to "" if --enableallsymbols
COMMON_OBJ_ALL_SYMBOLS=@COMMON_OBJ_ALL_SYMBOLS@
COMPAT_SRC=compat/ctime_r.c compat/fake-rfc2553.c compat/gmtime_r.c \
@ -133,7 +146,8 @@ compat/memcmp.c compat/memmove.c compat/snprintf.c compat/strlcat.c \
compat/strlcpy.c compat/strptime.c compat/getentropy_linux.c \
compat/getentropy_osx.c compat/getentropy_solaris.c compat/getentropy_win.c \
compat/explicit_bzero.c compat/arc4random.c compat/arc4random_uniform.c \
compat/arc4_lock.c compat/sha512.c compat/reallocarray.c compat/isblank.c
compat/arc4_lock.c compat/sha512.c compat/reallocarray.c compat/isblank.c \
compat/strsep.c
COMPAT_OBJ=$(LIBOBJS:.o=.lo)
COMPAT_OBJ_WITHOUT_CTIME=$(LIBOBJ_WITHOUT_CTIME:.o=.lo)
COMPAT_OBJ_WITHOUT_CTIMEARC4=$(LIBOBJ_WITHOUT_CTIMEARC4:.o=.lo)
@ -144,15 +158,16 @@ str2wire.lo
UNITTEST_SRC=testcode/unitanchor.c testcode/unitdname.c \
testcode/unitlruhash.c testcode/unitmain.c testcode/unitmsgparse.c \
testcode/unitneg.c testcode/unitregional.c testcode/unitslabhash.c \
testcode/unitverify.c testcode/readhex.c testcode/testpkts.c testcode/unitldns.c
testcode/unitverify.c testcode/readhex.c testcode/testpkts.c testcode/unitldns.c \
testcode/unitecs.c
UNITTEST_OBJ=unitanchor.lo unitdname.lo unitlruhash.lo unitmain.lo \
unitmsgparse.lo unitneg.lo unitregional.lo unitslabhash.lo unitverify.lo \
readhex.lo testpkts.lo unitldns.lo
readhex.lo testpkts.lo unitldns.lo unitecs.lo
UNITTEST_OBJ_LINK=$(UNITTEST_OBJ) worker_cb.lo $(COMMON_OBJ) $(SLDNS_OBJ) \
$(COMPAT_OBJ)
DAEMON_SRC=daemon/acl_list.c daemon/cachedump.c daemon/daemon.c \
daemon/remote.c daemon/stats.c daemon/unbound.c daemon/worker.c @WIN_DAEMON_SRC@
DAEMON_OBJ=acl_list.lo cachedump.lo daemon.lo remote.lo stats.lo unbound.lo \
DAEMON_OBJ=acl_list.lo cachedump.lo daemon.lo shm_main.lo remote.lo stats.lo unbound.lo \
worker.lo @WIN_DAEMON_OBJ@
DAEMON_OBJ_LINK=$(DAEMON_OBJ) $(COMMON_OBJ_ALL_SYMBOLS) $(SLDNS_OBJ) \
$(COMPAT_OBJ) @WIN_DAEMON_OBJ_LINK@
@ -176,7 +191,8 @@ daemon/worker.c daemon/acl_list.c daemon/daemon.c daemon/stats.c \
testcode/replay.c testcode/fake_event.c
TESTBOUND_OBJ=testbound.lo replay.lo fake_event.lo
TESTBOUND_OBJ_LINK=$(TESTBOUND_OBJ) testpkts.lo worker.lo acl_list.lo \
daemon.lo stats.lo $(COMMON_OBJ_WITHOUT_NETCALL) $(SLDNS_OBJ) $(COMPAT_OBJ)
daemon.lo stats.lo shm_main.lo $(COMMON_OBJ_WITHOUT_NETCALL) ub_event.lo $(SLDNS_OBJ) \
$(COMPAT_OBJ)
LOCKVERIFY_SRC=testcode/lock_verify.c
LOCKVERIFY_OBJ=lock_verify.lo
LOCKVERIFY_OBJ_LINK=$(LOCKVERIFY_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \
@ -208,22 +224,22 @@ DELAYER_OBJ_LINK=$(DELAYER_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \
$(SLDNS_OBJ)
LIBUNBOUND_SRC=libunbound/context.c libunbound/libunbound.c \
libunbound/libworker.c
LIBUNBOUND_OBJ=context.lo libunbound.lo libworker.lo
LIBUNBOUND_OBJ_LINK=$(LIBUNBOUND_OBJ) $(COMMON_OBJ) $(SLDNS_OBJ) $(COMPAT_OBJ)
LIBUNBOUND_OBJ=context.lo libunbound.lo libworker.lo ub_event_pluggable.lo
LIBUNBOUND_OBJ_LINK=$(LIBUNBOUND_OBJ) $(COMMON_OBJ_WITHOUT_UB_EVENT) $(SLDNS_OBJ) $(COMPAT_OBJ)
# win apps or "" if not on windows
WINAPPS=@WINAPPS@
WIN_DAEMON_THE_SRC=winrc/win_svc.c winrc/w_inst.c
SVCINST_SRC=winrc/unbound-service-install.c
SVCINST_OBJ=unbound-service-install.lo
SVCINST_OBJ_LINK=$(SVCINST_OBJ) w_inst.lo rsrc_svcinst.o $(COMPAT_OBJ_WITHOUT_CTIME)
SVCINST_OBJ_LINK=$(SVCINST_OBJ) w_inst.lo rsrc_svcinst.o $(COMPAT_OBJ_WITHOUT_CTIMEARC4)
SVCUNINST_SRC=winrc/unbound-service-remove.c
SVCUNINST_OBJ=unbound-service-remove.lo
SVCUNINST_OBJ_LINK=$(SVCUNINST_OBJ) w_inst.lo rsrc_svcuninst.o \
$(COMPAT_OBJ_WITHOUT_CTIME)
$(COMPAT_OBJ_WITHOUT_CTIMEARC4)
ANCHORUPD_SRC=winrc/anchor-update.c
ANCHORUPD_OBJ=anchor-update.lo
ANCHORUPD_OBJ_LINK=$(ANCHORUPD_OBJ) rsrc_anchorupd.o $(COMPAT_OBJ_WITHOUT_CTIME)
ANCHORUPD_OBJ_LINK=$(ANCHORUPD_OBJ) rsrc_anchorupd.o $(COMPAT_OBJ_WITHOUT_CTIMEARC4) wire2str.lo str2wire.lo parseutil.lo sbuffer.lo rrdef.lo keyraw.lo parse.lo
RSRC_OBJ=rsrc_svcinst.o rsrc_svcuninst.o rsrc_anchorupd.o rsrc_unbound.o \
rsrc_unbound_host.o rsrc_unbound_anchor.o rsrc_unbound_control.o \
rsrc_unbound_checkconf.o
@ -374,6 +390,13 @@ dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h: $(srcdir)/dnstap/dnstap.proto
dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h
# dnscrypt
dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \
dnscrypt/dnscrypt_config.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
$(srcdir)/util/config_file.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h
# Python Module
pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \
pythonmod/interface.h \
@ -389,13 +412,13 @@ pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \
pythonmod/interface.h: $(srcdir)/pythonmod/interface.i config.h
@-if test ! -d pythonmod; then $(INSTALL) -d pythonmod; fi
$(SWIG) $(CPPFLAGS) -o $@ -python $(srcdir)/pythonmod/interface.i
$(SWIG) $(PYTHON_CPPFLAGS) -o $@ -python $(srcdir)/pythonmod/interface.i
libunbound_wrap.lo libunbound_wrap.o: libunbound/python/libunbound_wrap.c \
unbound.h
libunbound/python/libunbound_wrap.c: $(srcdir)/libunbound/python/libunbound.i unbound.h
@-if test ! -d libunbound/python; then $(INSTALL) -d libunbound/python; fi
$(SWIG) -python -o $@ $(CPPFLAGS) -DPY_MAJOR_VERSION=$(PY_MAJOR_VERSION) $(srcdir)/libunbound/python/libunbound.i
$(SWIG) -python -o $@ $(PYTHON_CPPFLAGS) -DPY_MAJOR_VERSION=$(PY_MAJOR_VERSION) $(srcdir)/libunbound/python/libunbound.i
# Pyunbound python unbound wrapper
_unbound.la: libunbound_wrap.lo libunbound.la
@ -506,11 +529,11 @@ install-all: all $(PYTHONMOD_INSTALL) $(PYUNBOUND_INSTALL) $(UNBOUND_EVENT_INSTA
$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man8
$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man5
$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man1
$(LIBTOOL) --mode=install cp unbound$(EXEEXT) $(DESTDIR)$(sbindir)/unbound$(EXEEXT)
$(LIBTOOL) --mode=install cp unbound-checkconf$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-checkconf$(EXEEXT)
$(LIBTOOL) --mode=install cp unbound-control$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-control$(EXEEXT)
$(LIBTOOL) --mode=install cp unbound-host$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-host$(EXEEXT)
$(LIBTOOL) --mode=install cp unbound-anchor$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-anchor$(EXEEXT)
$(LIBTOOL) --mode=install cp -f unbound$(EXEEXT) $(DESTDIR)$(sbindir)/unbound$(EXEEXT)
$(LIBTOOL) --mode=install cp -f unbound-checkconf$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-checkconf$(EXEEXT)
$(LIBTOOL) --mode=install cp -f unbound-control$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-control$(EXEEXT)
$(LIBTOOL) --mode=install cp -f unbound-host$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-host$(EXEEXT)
$(LIBTOOL) --mode=install cp -f unbound-anchor$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-anchor$(EXEEXT)
$(INSTALL) -c -m 644 doc/unbound.8 $(DESTDIR)$(mandir)/man8
$(INSTALL) -c -m 644 doc/unbound-checkconf.8 $(DESTDIR)$(mandir)/man8
$(INSTALL) -c -m 644 doc/unbound-control.8 $(DESTDIR)$(mandir)/man8
@ -551,7 +574,7 @@ uninstall: $(PYTHONMOD_UNINSTALL) $(PYUNBOUND_UNINSTALL) $(UNBOUND_EVENT_UNINSTA
@echo "You still need to remove "`dirname $(DESTDIR)$(configfile)`" , $(DESTDIR)$(configfile) by hand"
iana_update:
curl -o port-numbers.tmp http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml --compressed
curl -o port-numbers.tmp https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml --compressed
if file port-numbers.tmp | grep 'gzip' >/dev/null; then zcat port-numbers.tmp; else cat port-numbers.tmp; fi | awk '/<record>/ {p=0;} /<protocol>udp/ {p=1;} /<protocol>[^u]/ {p=0;} /Decomissioned|Decommissioned|Removed|De-registered|unassigned|Unassigned|Reserved/ {u=1;} /<number>/ { if(u==1) {u=0;} else { if(p==1) { match($$0,/[0-9]+/); print substr($$0, RSTART, RLENGTH) ","}}}' | sort -nu > util/iana_ports.inc
rm -f port-numbers.tmp
@ -579,7 +602,9 @@ depend:
-e 's?$$(srcdir)/util/configparser.c?util/configparser.c?g' \
-e 's?$$(srcdir)/util/configparser.h?util/configparser.h?g' \
-e 's?$$(srcdir)/dnstap/dnstap_config.h??g' \
-e 's?$$(srcdir)/dnscrypt/dnscrypt_config.h??g' \
-e 's?$$(srcdir)/pythonmod/pythonmod.h?$$(PYTHONMOD_HEADER)?g' \
-e 's?$$(srcdir)/edns-subnet/subnetmod.h $$(srcdir)/edns-subnet/subnet-whitelist.h $$(srcdir)/edns-subnet/edns-subnet.h $$(srcdir)/edns-subnet/addrtree.h?$$(SUBNET_HEADER)?g' \
-e 's!\(.*\)\.o[ :]*!\1.lo \1.o: !g' \
> $(DEPEND_TMP)
cp $(DEPEND_TARGET) $(DEPEND_TMP2)
@ -603,15 +628,17 @@ dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_de
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h
rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h
as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h
dname.lo dname.o: $(srcdir)/util/data/dname.c config.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/storage/lookup3.h $(srcdir)/sldns/sbuffer.h
@ -619,17 +646,21 @@ msgencode.lo msgencode.o: $(srcdir)/util/data/msgencode.c config.h $(srcdir)/uti
$(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
$(srcdir)/sldns/sbuffer.h
$(srcdir)/sldns/sbuffer.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h $(srcdir)/services/view.h
msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/sldns/wire2str.h
$(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/module.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h
packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \
@ -642,7 +673,8 @@ iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterato
$(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_donotq.h \
$(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_scrub.h $(srcdir)/iterator/iter_priv.h \
$(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
$(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h $(srcdir)/util/random.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
@ -686,52 +718,69 @@ iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/i
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/iterator/iter_hints.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_priv.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
$(srcdir)/services/modstack.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_kcache.h \
$(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_sigcrypt.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/validator/val_anchor.h \
$(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_utils.h \
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/services/outside_network.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \
$(srcdir)/util/net_help.h $(srcdir)/sldns/sbuffer.h
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
$(srcdir)/sldns/sbuffer.h
localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/as112.h
mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/tube.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/outbound_list.h \
$(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/util/alloc.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
$(srcdir)/util/data/dname.h $(srcdir)/respip/respip.h
modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h \
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \
$(srcdir)/validator/val_utils.h
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
$(srcdir)/respip/respip.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/services/view.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h
view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h
outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c config.h \
$(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h
$(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/dnstap/dnstap.h
alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/util/log.h \
@ -739,44 +788,61 @@ config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/ut
$(srcdir)/util/net_help.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/util/iana_ports.inc
$(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/iana_ports.inc
configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
$(srcdir)/util/config_file.h util/configparser.h
configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/util/shm_side/shm_main.h \
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
$(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h
fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
$(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
$(srcdir)/services/localzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/localzone.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \
$(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \
$(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \
$(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h \
$(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/net_help.h $(srcdir)/edns-subnet/addrtree.h \
$(srcdir)/edns-subnet/edns-subnet.h
locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h
netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/netevent.h $(srcdir)/util/log.h \
$(srcdir)/util/net_help.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/dnstap/dnstap.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/ub_event.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
@ -784,10 +850,11 @@ net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_he
$(srcdir)/sldns/wire2str.h
random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h
regional.lo regional.o: $(srcdir)/util/regional.c config.h $(srcdir)/util/log.h $(srcdir)/util/regional.h
rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h
dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/storage/dnstree.h \
@ -795,7 +862,8 @@ dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/s
$(srcdir)/util/log.h $(srcdir)/util/net_help.h
lookup3.lo lookup3.o: $(srcdir)/util/storage/lookup3.c config.h $(srcdir)/util/storage/lookup3.h
lruhash.lo lruhash.o: $(srcdir)/util/storage/lruhash.c config.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/module.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h
@ -803,10 +871,21 @@ slabhash.lo slabhash.o: $(srcdir)/util/storage/slabhash.c config.h $(srcdir)/uti
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h
tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/netevent.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h \
$(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/util/ub_event.h
ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
$(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h
autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
@ -814,14 +893,15 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
$(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/services/modstack.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
$(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/services/modstack.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
$(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/util/as112.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
@ -831,8 +911,8 @@ validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/val
$(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_sigcrypt.h \
$(srcdir)/validator/autotrust.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
$(srcdir)/sldns/wire2str.h
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/wire2str.h
val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/validator/val_kcache.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/validator/val_kentry.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
@ -869,8 +949,8 @@ val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@ -878,14 +958,43 @@ val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/val
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \
$(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h
dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h
edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \
$(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
$(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h \
$(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/edns-subnet/subnet-whitelist.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/modstack.h \
$(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/edns-subnet/addrtree.h
subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \
$(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
$(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/regional.h $(srcdir)/util/config_file.h
cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h
respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h \
$(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/config_file.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
$(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/respip/respip.h
checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/testcode/checklocks.h
unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
@ -900,7 +1009,10 @@ unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/r
$(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/random.h
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/random.h \
$(srcdir)/respip/respip.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/services/localzone.h $(srcdir)/services/view.h
unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \
$(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
@ -931,43 +1043,55 @@ testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcod
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \
$(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
$(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/edns-subnet.h
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
$(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
$(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
$(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
$(srcdir)/dnstap/dnstap.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h \
$(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
$(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \
$(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
$(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
$(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h \
$(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h $(srcdir)/respip/respip.h
remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
$(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \
$(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/data/dname.h $(srcdir)/validator/validator.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/alloc.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
$(srcdir)/services/mesh.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/tube.h $(srcdir)/util/data/dname.h $(srcdir)/validator/validator.h \
$(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_delegpt.h \
@ -976,111 +1100,122 @@ remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h
stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h \
$(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
$(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h \
$(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
$(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
$(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/libunbound/libworker.h
$(srcdir)/validator/val_anchor.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/util/shm_side/shm_main.h
testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
$(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
$(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
$(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c \
$(srcdir)/util/log.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
$(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcode/testpkts.h \
$(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
$(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
$(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/libunbound/libworker.h
$(srcdir)/validator/val_anchor.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/util/shm_side/shm_main.h
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
$(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h $(srcdir)/util/tube.h \
$(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
$(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
$(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h \
$(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h $(srcdir)/respip/respip.h
stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h \
$(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/testcode/testpkts.h \
$(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
$(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h \
$(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/testcode/fake_event.h \
$(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h \
$(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
$(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
$(srcdir)/util/rbtree.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
$(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
$(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
$(srcdir)/services/modstack.h
pktview.lo pktview.o: $(srcdir)/testcode/pktview.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/testcode/readhex.h $(srcdir)/sldns/sbuffer.h \
@ -1088,10 +1223,11 @@ pktview.lo pktview.o: $(srcdir)/testcode/pktview.c config.h $(srcdir)/util/log.h
readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/readhex.h $(srcdir)/util/log.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h
memstats.lo memstats.o: $(srcdir)/testcode/memstats.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
$(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
$(srcdir)/services/modstack.h
unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c config.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
@ -1099,41 +1235,48 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/localzone.h \
$(srcdir)/sldns/sbuffer.h
$(srcdir)/services/view.h $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h
worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h
context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbound/context.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/sldns/sbuffer.h
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/sldns/sbuffer.h
libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \
$(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/libunbound/libworker.h \
$(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h \
$(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/services/localzone.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/sldns/sbuffer.h
$(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h \
$(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/sldns/sbuffer.h
libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
$(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h \
$(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h
$(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
$(srcdir)/sldns/str2wire.h
unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
@ -1152,23 +1295,26 @@ perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir
delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
$(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/shm_side/shm_main.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h
unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
$(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h
win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
$(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/winsock_event.h
$(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
$(srcdir)/winrc/w_inst.h
@ -1211,3 +1357,4 @@ arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c config.h $(srcdir)/util/l
sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h
reallocarray.lo reallocarray.o: $(srcdir)/compat/reallocarray.c config.h
isblank.lo isblank.o: $(srcdir)/compat/isblank.c config.h
strsep.lo strsep.o: $(srcdir)/compat/strsep.c config.h

View file

@ -103,9 +103,20 @@ AC_DEFUN([AC_PROG_SWIG],[
if test -z "$available_patch" ; then
[available_patch=0]
fi
if test $available_major -ne $required_major \
-o $available_minor -ne $required_minor \
-o $available_patch -lt $required_patch ; then
[badversion=0]
if test $available_major -lt $required_major ; then
[badversion=1]
fi
if test $available_major -eq $required_major \
-a $available_minor -lt $required_minor ; then
[badversion=1]
fi
if test $available_major -eq $required_major \
-a $available_minor -eq $required_minor \
-a $available_patch -lt $required_patch ; then
[badversion=1]
fi
if test $badversion -eq 1 ; then
AC_MSG_WARN([SWIG version >= $1 is required. You have $swig_version. You should look at http://www.swig.org])
SWIG='echo "Error: SWIG version >= $1 is required. You have '"$swig_version"'. You should look at http://www.swig.org" ; false'
else

File diff suppressed because it is too large Load diff

View file

@ -2,7 +2,10 @@
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
# Version 31
# Version 34
# 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0.
# 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0).
# 2016-01-04 -D_DEFAULT_SOURCE defined with -D_BSD_SOURCE for Linux glibc 2.20
# 2015-12-11 FLTO check for new OSX, clang.
# 2015-11-18 spelling check fix.
# 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly.
@ -242,7 +245,7 @@ ACX_CHECK_COMPILER_FLAG(xc99, [C99FLAG="-xc99"])
AC_CHECK_HEADERS([getopt.h time.h],,, [AC_INCLUDES_DEFAULT])
ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 -D_ALL_SOURCE,
ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 -D_ALL_SOURCE,
[
#include "confdefs.h"
#include <stdlib.h>
@ -277,9 +280,9 @@ int test() {
a = 0;
return a;
}
], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 -D_ALL_SOURCE"])
], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 -D_ALL_SOURCE"])
ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE,
ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE,
[
#include "confdefs.h"
#include <stdlib.h>
@ -314,7 +317,7 @@ int test() {
a = 0;
return a;
}
], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE"])
], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE"])
ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG,
[
@ -326,7 +329,7 @@ int test() {
}
], [CFLAGS="$CFLAGS $C99FLAG"])
ACX_CHECK_COMPILER_FLAG_NEEDED(-D_BSD_SOURCE,
ACX_CHECK_COMPILER_FLAG_NEEDED(-D_BSD_SOURCE -D_DEFAULT_SOURCE,
[
#include <ctype.h>
@ -335,7 +338,7 @@ int test() {
a = isascii(32);
return a;
}
], [CFLAGS="$CFLAGS -D_BSD_SOURCE"])
], [CFLAGS="$CFLAGS -D_BSD_SOURCE -D_DEFAULT_SOURCE"])
ACX_CHECK_COMPILER_FLAG_NEEDED(-D_GNU_SOURCE,
[
@ -670,16 +673,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [
ACX_RUNTIME_PATH_ADD([$ssldir/lib])
fi
AC_MSG_CHECKING([for HMAC_CTX_init in -lcrypto])
AC_MSG_CHECKING([for HMAC_Update in -lcrypto])
LIBS="$LIBS -lcrypto"
LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
AC_TRY_LINK(, [
int HMAC_CTX_init(void);
(void)HMAC_CTX_init();
int HMAC_Update(void);
(void)HMAC_Update();
], [
AC_MSG_RESULT(yes)
AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
[If you have HMAC_CTX_init])
AC_DEFINE([HAVE_HMAC_UPDATE], 1,
[If you have HMAC_Update])
], [
AC_MSG_RESULT(no)
# check if -lwsock32 or -lgdi32 are needed.
@ -689,11 +692,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32"
AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
AC_TRY_LINK([], [
int HMAC_CTX_init(void);
(void)HMAC_CTX_init();
int HMAC_Update(void);
(void)HMAC_Update();
],[
AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
[If you have HMAC_CTX_init])
AC_DEFINE([HAVE_HMAC_UPDATE], 1,
[If you have HMAC_Update])
AC_MSG_RESULT(yes)
],[
AC_MSG_RESULT(no)
@ -703,11 +706,25 @@ AC_DEFUN([ACX_SSL_CHECKS], [
LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
AC_MSG_CHECKING([if -lcrypto needs -ldl])
AC_TRY_LINK([], [
int HMAC_CTX_init(void);
(void)HMAC_CTX_init();
int HMAC_Update(void);
(void)HMAC_Update();
],[
AC_DEFINE([HAVE_HMAC_CTX_INIT], 1,
[If you have HMAC_CTX_init])
AC_DEFINE([HAVE_HMAC_UPDATE], 1,
[If you have HMAC_Update])
AC_MSG_RESULT(yes)
],[
AC_MSG_RESULT(no)
LIBS="$BAKLIBS"
LIBSSL_LIBS="$BAKSSLLIBS"
LIBS="$LIBS -ldl -pthread"
LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread])
AC_TRY_LINK([], [
int HMAC_Update(void);
(void)HMAC_Update();
],[
AC_DEFINE([HAVE_HMAC_UPDATE], 1,
[If you have HMAC_Update])
AC_MSG_RESULT(yes)
],[
AC_MSG_RESULT(no)
@ -715,6 +732,7 @@ AC_DEFUN([ACX_SSL_CHECKS], [
])
])
])
])
fi
AC_SUBST(HAVE_SSL)
AC_SUBST(RUNTIME_PATH)
@ -1285,6 +1303,7 @@ AC_DEFUN([ACX_STRIP_EXT_FLAGS],
AC_MSG_NOTICE([Stripping extension flags...])
ACX_CFLAGS_STRIP(-D_GNU_SOURCE)
ACX_CFLAGS_STRIP(-D_BSD_SOURCE)
ACX_CFLAGS_STRIP(-D_DEFAULT_SOURCE)
ACX_CFLAGS_STRIP(-D__EXTENSIONS__)
ACX_CFLAGS_STRIP(-D_POSIX_C_SOURCE=200112)
ACX_CFLAGS_STRIP(-D_XOPEN_SOURCE=600)
@ -1312,6 +1331,7 @@ dnl config.h part to define omitted cflags, use with ACX_STRIP_EXT_FLAGS.
AC_DEFUN([AHX_CONFIG_EXT_FLAGS],
[AHX_CONFIG_FLAG_EXT(-D_GNU_SOURCE)
AHX_CONFIG_FLAG_EXT(-D_BSD_SOURCE)
AHX_CONFIG_FLAG_EXT(-D_DEFAULT_SOURCE)
AHX_CONFIG_FLAG_EXT(-D__EXTENSIONS__)
AHX_CONFIG_FLAG_EXT(-D_POSIX_C_SOURCE=200112)
AHX_CONFIG_FLAG_EXT(-D_XOPEN_SOURCE=600)

View file

@ -22,8 +22,7 @@ AC_DEFUN([AC_PYTHON_DEVEL],[
# Check if you have distutils, else fail
#
AC_MSG_CHECKING([for the distutils Python package])
ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`
if test -z "$ac_distutils_result"; then
if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
@ -54,7 +53,7 @@ $ac_distutils_result])
AC_MSG_CHECKING([for Python library path])
if test -z "$PYTHON_LDFLAGS"; then
PYTHON_LDFLAGS=`$PYTHON -c "from distutils.sysconfig import *; \
print(get_config_var('BLDLIBRARY'));"`
print('-L'+get_config_var('LIBDIR')+' -L'+get_config_var('LIBDEST')+' '+get_config_var('BLDLIBRARY'));"`
fi
AC_MSG_RESULT([$PYTHON_LDFLAGS])
AC_SUBST([PYTHON_LDFLAGS])

View file

@ -48,7 +48,7 @@ void _ARC4_UNLOCK(void)
}
#else /* !THREADS_DISABLED */
static lock_quick_t arc4lock;
static lock_quick_type arc4lock;
static int arc4lockinit = 0;
void _ARC4_LOCK(void)

View file

@ -48,6 +48,9 @@
#else /* !__GNUC__ */
#define inline
#endif /* !__GNUC__ */
#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif
#define KEYSZ 32
#define IVSZ 8

View file

@ -6,7 +6,7 @@
#include "util/locks.h"
/** the lock for ctime buffer */
static lock_basic_t ctime_lock;
static lock_basic_type ctime_lock;
/** has it been inited */
static int ctime_r_init = 0;

View file

@ -6,7 +6,11 @@
#include "config.h"
#include <string.h>
#ifdef HAVE_ATTR_WEAK
__attribute__((weak)) void
#else
void
#endif
__explicit_bzero_hook(void *ATTR_UNUSED(buf), size_t ATTR_UNUSED(len))
{
}

View file

@ -66,6 +66,9 @@
#include <sys/auxv.h>
#endif
#include <sys/vfs.h>
#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif
#define REPEAT 5
#define min(a, b) (((a) < (b)) ? (a) : (b))
@ -100,7 +103,7 @@ int getentropy(void *buf, size_t len);
extern int main(int, char *argv[]);
#endif
static int gotdata(char *buf, size_t len);
#ifdef SYS_getrandom
#if defined(SYS_getrandom) && defined(__NR_getrandom)
static int getentropy_getrandom(void *buf, size_t len);
#endif
static int getentropy_urandom(void *buf, size_t len);
@ -119,7 +122,7 @@ getentropy(void *buf, size_t len)
return -1;
}
#ifdef SYS_getrandom
#if defined(SYS_getrandom) && defined(__NR_getrandom)
/*
* Try descriptor-less getrandom()
*/
@ -215,7 +218,7 @@ gotdata(char *buf, size_t len)
return 0;
}
#ifdef SYS_getrandom
#if defined(SYS_getrandom) && defined(__NR_getrandom)
static int
getentropy_getrandom(void *buf, size_t len)
{

65
external/unbound/compat/strsep.c vendored Normal file
View file

@ -0,0 +1,65 @@
/**
* strsep implementation for compatibility.
*
* LICENSE
* Copyright (c) 2016, NLnet Labs
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* * Neither the name of NLnetLabs nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
**/
#include "config.h"
/** see if character is in the delimiter array */
static int
in_delim(char c, const char* delim)
{
const char* p;
if(!delim)
return 0;
for(p=delim; *p; p++) {
if(*p == c)
return 1;
}
return 0;
}
char *strsep(char **stringp, const char *delim)
{
char* s;
char* orig;
if(stringp == NULL || *stringp == NULL)
return NULL;
orig = *stringp;
s = *stringp;
while(*s && !in_delim(*s, delim))
s++;
if(*s) {
*s = 0;
*stringp = s+1;
} else {
*stringp = NULL;
}
return orig;
}

View file

@ -45,12 +45,18 @@
/* Whether the C compiler accepts the "unused" attribute */
#cmakedefine HAVE_ATTR_UNUSED
/* Whether the C compiler accepts the "weak" attribute */
#cmakedefine HAVE_ATTR_WEAK
/* Define to 1 if you have the `chown' function. */
#cmakedefine HAVE_CHOWN
/* Define to 1 if you have the `chroot' function. */
#cmakedefine HAVE_CHROOT
/* Define to 1 if you have the `CRYPTO_cleanup_all_ex_data' function. */
#cmakedefine HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
/* Define to 1 if you have the `ctime_r' function. */
#cmakedefine HAVE_CTIME_R
@ -65,6 +71,14 @@
if you don't. */
#cmakedefine HAVE_DECL_ARC4RANDOM_UNIFORM
/* Define to 1 if you have the declaration of `inet_ntop', and to 0 if you
don't. */
#cmakedefine HAVE_DECL_INET_NTOP
/* Define to 1 if you have the declaration of `inet_pton', and to 0 if you
don't. */
#cmakedefine HAVE_DECL_INET_PTON
/* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you
don't. */
#cmakedefine HAVE_DECL_NID_SECP384R1
@ -104,15 +118,27 @@
/* Define to 1 if you have the <dlfcn.h> header file. */
#cmakedefine HAVE_DLFCN_H
/* Define to 1 if you have the `DSA_SIG_set0' function. */
#cmakedefine HAVE_DSA_SIG_SET0
/* Define to 1 if you have the <endian.h> header file. */
#cmakedefine HAVE_ENDIAN_H
/* Define to 1 if you have the `endprotoent' function. */
#cmakedefine HAVE_ENDPROTOENT
/* Define to 1 if you have the `endpwent' function. */
#cmakedefine HAVE_ENDPWENT
/* Define to 1 if you have the `endservent' function. */
#cmakedefine HAVE_ENDSERVENT
/* Define to 1 if you have the `ERR_free_strings' function. */
#cmakedefine HAVE_ERR_FREE_STRINGS
/* Define to 1 if you have the `ERR_load_crypto_strings' function. */
#cmakedefine HAVE_ERR_LOAD_CRYPTO_STRINGS
/* Define to 1 if you have the `event_base_free' function. */
#cmakedefine HAVE_EVENT_BASE_FREE
@ -128,6 +154,15 @@
/* Define to 1 if you have the <event.h> header file. */
#cmakedefine HAVE_EVENT_H
/* Define to 1 if you have the `EVP_cleanup' function. */
#cmakedefine HAVE_EVP_CLEANUP
/* Define to 1 if you have the `EVP_dss1' function. */
#cmakedefine HAVE_EVP_DSS1
/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
#cmakedefine HAVE_EVP_MD_CTX_NEW
/* Define to 1 if you have the `EVP_sha1' function. */
#cmakedefine HAVE_EVP_SHA1
@ -191,8 +226,8 @@
/* Define to 1 if you have the <grp.h> header file. */
#cmakedefine HAVE_GRP_H
/* If you have HMAC_CTX_init */
#cmakedefine HAVE_HMAC_CTX_INIT
/* If you have HMAC_Update */
#cmakedefine HAVE_HMAC_UPDATE
/* Define to 1 if you have the `inet_aton' function. */
#cmakedefine HAVE_INET_ATON
@ -245,27 +280,54 @@
/* Define to 1 if you have the <netinet/in.h> header file. */
#cmakedefine HAVE_NETINET_IN_H
/* Define to 1 if you have the <netinet/tcp.h> header file. */
#cmakedefine HAVE_NETINET_TCP_H
/* Use libnettle for crypto */
#cmakedefine HAVE_NETTLE
/* Define to 1 if you have the <nettle/dsa-compat.h> header file. */
#cmakedefine HAVE_NETTLE_DSA_COMPAT_H
/* Use libnss for crypto */
#cmakedefine HAVE_NSS
/* Define to 1 if you have the `OpenSSL_add_all_digests' function. */
#cmakedefine HAVE_OPENSSL_ADD_ALL_DIGESTS
/* Define to 1 if you have the <openssl/bn.h> header file. */
#cmakedefine HAVE_OPENSSL_BN_H
/* Define to 1 if you have the `OPENSSL_config' function. */
#cmakedefine HAVE_OPENSSL_CONFIG
/* Define to 1 if you have the <openssl/conf.h> header file. */
#cmakedefine HAVE_OPENSSL_CONF_H
/* Define to 1 if you have the <openssl/dh.h> header file. */
#cmakedefine HAVE_OPENSSL_DH_H
/* Define to 1 if you have the <openssl/dsa.h> header file. */
#cmakedefine HAVE_OPENSSL_DSA_H
/* Define to 1 if you have the <openssl/engine.h> header file. */
#cmakedefine HAVE_OPENSSL_ENGINE_H
/* Define to 1 if you have the <openssl/err.h> header file. */
#cmakedefine HAVE_OPENSSL_ERR_H
/* Define to 1 if you have the `OPENSSL_init_crypto' function. */
#cmakedefine HAVE_OPENSSL_INIT_CRYPTO
/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
#cmakedefine HAVE_OPENSSL_INIT_SSL
/* Define to 1 if you have the <openssl/rand.h> header file. */
#cmakedefine HAVE_OPENSSL_RAND_H
/* Define to 1 if you have the <openssl/rsa.h> header file. */
#cmakedefine HAVE_OPENSSL_RSA_H
/* Define to 1 if you have the <openssl/ssl.h> header file. */
#cmakedefine HAVE_OPENSSL_SSL_H
@ -290,15 +352,15 @@
/* Define to 1 if you have the `random' function. */
#cmakedefine HAVE_RANDOM
/* Define to 1 if you have the `RAND_cleanup' function. */
#cmakedefine HAVE_RAND_CLEANUP
/* Define to 1 if you have the `reallocarray' function. */
#cmakedefine HAVE_REALLOCARRAY
/* Define to 1 if you have the `recvmsg' function. */
#cmakedefine HAVE_RECVMSG
/* define if you have the sbrk() call */
#cmakedefine HAVE_SBRK
/* Define to 1 if you have the `sendmsg' function. */
#cmakedefine HAVE_SENDMSG
@ -326,6 +388,9 @@
/* Define to 1 if you have the `SHA512_Update' function. */
#cmakedefine HAVE_SHA512_UPDATE
/* Define to 1 if you have the `shmget' function. */
#cmakedefine HAVE_SHMGET
/* Define to 1 if you have the `sigprocmask' function. */
#cmakedefine HAVE_SIGPROCMASK
@ -347,6 +412,9 @@
/* Define if you have the SSL libraries installed. */
#cmakedefine HAVE_SSL
/* Define to 1 if you have the `SSL_CTX_set_security_level' function. */
#cmakedefine HAVE_SSL_CTX_SET_SECURITY_LEVEL
/* Define to 1 if you have the <stdarg.h> header file. */
#cmakedefine HAVE_STDARG_H
@ -377,6 +445,9 @@
/* Define to 1 if you have the `strptime' function. */
#cmakedefine HAVE_STRPTIME
/* Define to 1 if you have the `strsep' function. */
#cmakedefine HAVE_STRSEP
/* Define to 1 if `ipi_spec_dst' is a member of `struct in_pktinfo'. */
#cmakedefine HAVE_STRUCT_IN_PKTINFO_IPI_SPEC_DST
@ -389,6 +460,12 @@
/* Define to 1 if you have the <syslog.h> header file. */
#cmakedefine HAVE_SYSLOG_H
/* Define to 1 if systemd should be used */
#undef HAVE_SYSTEMD
/* Define to 1 if you have the <sys/ipc.h> header file. */
#cmakedefine HAVE_SYS_IPC_H
/* Define to 1 if you have the <sys/param.h> header file. */
#cmakedefine01 HAVE_SYS_PARAM_H
@ -398,6 +475,9 @@
/* Define to 1 if you have the <sys/sha2.h> header file. */
#cmakedefine HAVE_SYS_SHA2_H
/* Define to 1 if you have the <sys/shm.h> header file. */
#cmakedefine HAVE_SYS_SHM_H
/* Define to 1 if you have the <sys/socket.h> header file. */
#cmakedefine HAVE_SYS_SOCKET_H
@ -487,6 +567,9 @@
/* Put -D_BSD_SOURCE define in config.h */
#cmakedefine OMITTED__D_BSD_SOURCE
/* Put -D_DEFAULT_SOURCE define in config.h */
#cmakedefine OMITTED__D_DEFAULT_SOURCE
/* Put -D_GNU_SOURCE define in config.h */
#cmakedefine OMITTED__D_GNU_SOURCE
@ -578,9 +661,18 @@
/* define this to enable debug checks. */
#cmakedefine UNBOUND_DEBUG
/* Define to 1 to use cachedb support */
#cmakedefine USE_CACHEDB
/* Define to 1 to enable dnscrypt support */
#cmakedefine USE_DNSCRYPT
/* Define to 1 to enable dnstap support */
#cmakedefine USE_DNSTAP
/* Define this to enable DSA support. */
#cmakedefine USE_DSA
/* Define this to enable ECDSA support. */
#cmakedefine USE_ECDSA
@ -591,12 +683,24 @@
#cmakedefine USE_GOST
/* Define if you want to use internal select based events */
/* #cmakedefine USE_MINI_EVENT */
#define USE_MINI_EVENT 1
/* Define this to enable client TCP Fast Open. */
#cmakedefine USE_MSG_FASTOPEN
/* Define this to enable client TCP Fast Open. */
#cmakedefine USE_OSX_MSG_FASTOPEN
/* Define this to enable SHA1 support. */
#cmakedefine USE_SHA1
/* Define this to enable SHA256 and SHA512 support. */
#cmakedefine USE_SHA2
/* Define this to disable code that can trigger Valgrind/AddressSanitizer
errors. See https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1301 */
#define VALGRIND
/* Enable extensions on AIX 3, Interix. */
#ifndef _ALL_SOURCE
# define _ALL_SOURCE 1
@ -619,6 +723,9 @@
#endif
/* Define this to enable server TCP Fast Open. */
#cmakedefine USE_TCP_FASTOPEN
/* Whether the windows socket API is used */
#cmakedefine USE_WINSOCK
@ -744,6 +851,10 @@
#define _BSD_SOURCE 1
#endif
#if defined(OMITTED__D_DEFAULT_SOURCE) && !defined(_DEFAULT_SOURCE)
#define _DEFAULT_SOURCE 1
#endif
#if defined(OMITTED__D__EXTENSIONS__) && !defined(__EXTENSIONS__)
#define __EXTENSIONS__ 1
#endif
@ -819,6 +930,10 @@
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
@ -976,6 +1091,11 @@ int memcmp(const void *x, const void *y, size_t n);
char *ctime_r(const time_t *timep, char *buf);
#endif
#ifndef HAVE_STRSEP
#define strsep unbound_strsep
char *strsep(char **stringp, const char *delim);
#endif
#ifndef HAVE_ISBLANK
#define isblank unbound_isblank
int isblank(int c);

View file

@ -3,6 +3,9 @@
/* Directory to chroot to */
#undef CHROOT_DIR
/* Define this to enable client subnet option. */
#undef CLIENT_SUBNET
/* Do sha512 definitions in config.h */
#undef COMPAT_SHA512
@ -42,12 +45,18 @@
/* Whether the C compiler accepts the "unused" attribute */
#undef HAVE_ATTR_UNUSED
/* Whether the C compiler accepts the "weak" attribute */
#undef HAVE_ATTR_WEAK
/* Define to 1 if you have the `chown' function. */
#undef HAVE_CHOWN
/* Define to 1 if you have the `chroot' function. */
#undef HAVE_CHROOT
/* Define to 1 if you have the `CRYPTO_cleanup_all_ex_data' function. */
#undef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
/* Define to 1 if you have the `ctime_r' function. */
#undef HAVE_CTIME_R
@ -62,6 +71,14 @@
if you don't. */
#undef HAVE_DECL_ARC4RANDOM_UNIFORM
/* Define to 1 if you have the declaration of `inet_ntop', and to 0 if you
don't. */
#undef HAVE_DECL_INET_NTOP
/* Define to 1 if you have the declaration of `inet_pton', and to 0 if you
don't. */
#undef HAVE_DECL_INET_PTON
/* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you
don't. */
#undef HAVE_DECL_NID_SECP384R1
@ -101,15 +118,27 @@
/* Define to 1 if you have the <dlfcn.h> header file. */
#undef HAVE_DLFCN_H
/* Define to 1 if you have the `DSA_SIG_set0' function. */
#undef HAVE_DSA_SIG_SET0
/* Define to 1 if you have the <endian.h> header file. */
#undef HAVE_ENDIAN_H
/* Define to 1 if you have the `endprotoent' function. */
#undef HAVE_ENDPROTOENT
/* Define to 1 if you have the `endpwent' function. */
#undef HAVE_ENDPWENT
/* Define to 1 if you have the `endservent' function. */
#undef HAVE_ENDSERVENT
/* Define to 1 if you have the `ERR_free_strings' function. */
#undef HAVE_ERR_FREE_STRINGS
/* Define to 1 if you have the `ERR_load_crypto_strings' function. */
#undef HAVE_ERR_LOAD_CRYPTO_STRINGS
/* Define to 1 if you have the `event_base_free' function. */
#undef HAVE_EVENT_BASE_FREE
@ -125,6 +154,15 @@
/* Define to 1 if you have the <event.h> header file. */
#undef HAVE_EVENT_H
/* Define to 1 if you have the `EVP_cleanup' function. */
#undef HAVE_EVP_CLEANUP
/* Define to 1 if you have the `EVP_dss1' function. */
#undef HAVE_EVP_DSS1
/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
#undef HAVE_EVP_MD_CTX_NEW
/* Define to 1 if you have the `EVP_sha1' function. */
#undef HAVE_EVP_SHA1
@ -188,8 +226,8 @@
/* Define to 1 if you have the <grp.h> header file. */
#undef HAVE_GRP_H
/* If you have HMAC_CTX_init */
#undef HAVE_HMAC_CTX_INIT
/* If you have HMAC_Update */
#undef HAVE_HMAC_UPDATE
/* Define to 1 if you have the `inet_aton' function. */
#undef HAVE_INET_ATON
@ -242,27 +280,54 @@
/* Define to 1 if you have the <netinet/in.h> header file. */
#undef HAVE_NETINET_IN_H
/* Define to 1 if you have the <netinet/tcp.h> header file. */
#undef HAVE_NETINET_TCP_H
/* Use libnettle for crypto */
#undef HAVE_NETTLE
/* Define to 1 if you have the <nettle/dsa-compat.h> header file. */
#undef HAVE_NETTLE_DSA_COMPAT_H
/* Use libnss for crypto */
#undef HAVE_NSS
/* Define to 1 if you have the `OpenSSL_add_all_digests' function. */
#undef HAVE_OPENSSL_ADD_ALL_DIGESTS
/* Define to 1 if you have the <openssl/bn.h> header file. */
#undef HAVE_OPENSSL_BN_H
/* Define to 1 if you have the `OPENSSL_config' function. */
#undef HAVE_OPENSSL_CONFIG
/* Define to 1 if you have the <openssl/conf.h> header file. */
#undef HAVE_OPENSSL_CONF_H
/* Define to 1 if you have the <openssl/dh.h> header file. */
#undef HAVE_OPENSSL_DH_H
/* Define to 1 if you have the <openssl/dsa.h> header file. */
#undef HAVE_OPENSSL_DSA_H
/* Define to 1 if you have the <openssl/engine.h> header file. */
#undef HAVE_OPENSSL_ENGINE_H
/* Define to 1 if you have the <openssl/err.h> header file. */
#undef HAVE_OPENSSL_ERR_H
/* Define to 1 if you have the `OPENSSL_init_crypto' function. */
#undef HAVE_OPENSSL_INIT_CRYPTO
/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
#undef HAVE_OPENSSL_INIT_SSL
/* Define to 1 if you have the <openssl/rand.h> header file. */
#undef HAVE_OPENSSL_RAND_H
/* Define to 1 if you have the <openssl/rsa.h> header file. */
#undef HAVE_OPENSSL_RSA_H
/* Define to 1 if you have the <openssl/ssl.h> header file. */
#undef HAVE_OPENSSL_SSL_H
@ -287,15 +352,15 @@
/* Define to 1 if you have the `random' function. */
#undef HAVE_RANDOM
/* Define to 1 if you have the `RAND_cleanup' function. */
#undef HAVE_RAND_CLEANUP
/* Define to 1 if you have the `reallocarray' function. */
#undef HAVE_REALLOCARRAY
/* Define to 1 if you have the `recvmsg' function. */
#undef HAVE_RECVMSG
/* define if you have the sbrk() call */
#undef HAVE_SBRK
/* Define to 1 if you have the `sendmsg' function. */
#undef HAVE_SENDMSG
@ -323,6 +388,9 @@
/* Define to 1 if you have the `SHA512_Update' function. */
#undef HAVE_SHA512_UPDATE
/* Define to 1 if you have the `shmget' function. */
#undef HAVE_SHMGET
/* Define to 1 if you have the `sigprocmask' function. */
#undef HAVE_SIGPROCMASK
@ -344,6 +412,9 @@
/* Define if you have the SSL libraries installed. */
#undef HAVE_SSL
/* Define to 1 if you have the `SSL_CTX_set_security_level' function. */
#undef HAVE_SSL_CTX_SET_SECURITY_LEVEL
/* Define to 1 if you have the <stdarg.h> header file. */
#undef HAVE_STDARG_H
@ -374,6 +445,9 @@
/* Define to 1 if you have the `strptime' function. */
#undef HAVE_STRPTIME
/* Define to 1 if you have the `strsep' function. */
#undef HAVE_STRSEP
/* Define to 1 if `ipi_spec_dst' is a member of `struct in_pktinfo'. */
#undef HAVE_STRUCT_IN_PKTINFO_IPI_SPEC_DST
@ -386,6 +460,12 @@
/* Define to 1 if you have the <syslog.h> header file. */
#undef HAVE_SYSLOG_H
/* Define to 1 if systemd should be used */
#undef HAVE_SYSTEMD
/* Define to 1 if you have the <sys/ipc.h> header file. */
#undef HAVE_SYS_IPC_H
/* Define to 1 if you have the <sys/param.h> header file. */
#undef HAVE_SYS_PARAM_H
@ -395,6 +475,9 @@
/* Define to 1 if you have the <sys/sha2.h> header file. */
#undef HAVE_SYS_SHA2_H
/* Define to 1 if you have the <sys/shm.h> header file. */
#undef HAVE_SYS_SHM_H
/* Define to 1 if you have the <sys/socket.h> header file. */
#undef HAVE_SYS_SOCKET_H
@ -461,8 +544,7 @@
/* if lex has yylex_destroy */
#undef LEX_HAS_YYLEX_DESTROY
/* Define to the sub-directory in which libtool stores uninstalled libraries.
*/
/* Define to the sub-directory where libtool stores uninstalled libraries. */
#undef LT_OBJDIR
/* Define to the maximum message length to pass to syslog. */
@ -484,6 +566,9 @@
/* Put -D_BSD_SOURCE define in config.h */
#undef OMITTED__D_BSD_SOURCE
/* Put -D_DEFAULT_SOURCE define in config.h */
#undef OMITTED__D_DEFAULT_SOURCE
/* Put -D_GNU_SOURCE define in config.h */
#undef OMITTED__D_GNU_SOURCE
@ -575,9 +660,18 @@
/* define this to enable debug checks. */
#undef UNBOUND_DEBUG
/* Define to 1 to use cachedb support */
#undef USE_CACHEDB
/* Define to 1 to enable dnscrypt support */
#undef USE_DNSCRYPT
/* Define to 1 to enable dnstap support */
#undef USE_DNSTAP
/* Define this to enable DSA support. */
#undef USE_DSA
/* Define this to enable ECDSA support. */
#undef USE_ECDSA
@ -590,6 +684,15 @@
/* Define if you want to use internal select based events */
#undef USE_MINI_EVENT
/* Define this to enable client TCP Fast Open. */
#undef USE_MSG_FASTOPEN
/* Define this to enable client TCP Fast Open. */
#undef USE_OSX_MSG_FASTOPEN
/* Define this to enable SHA1 support. */
#undef USE_SHA1
/* Define this to enable SHA256 and SHA512 support. */
#undef USE_SHA2
@ -615,6 +718,9 @@
#endif
/* Define this to enable server TCP Fast Open. */
#undef USE_TCP_FASTOPEN
/* Whether the windows socket API is used */
#undef USE_WINSOCK
@ -738,6 +844,10 @@
#define _BSD_SOURCE 1
#endif
#if defined(OMITTED__D_DEFAULT_SOURCE) && !defined(_DEFAULT_SOURCE)
#define _DEFAULT_SOURCE 1
#endif
#if defined(OMITTED__D__EXTENSIONS__) && !defined(__EXTENSIONS__)
#define __EXTENSIONS__ 1
#endif
@ -811,6 +921,10 @@
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
@ -966,11 +1080,24 @@ int memcmp(const void *x, const void *y, size_t n);
char *ctime_r(const time_t *timep, char *buf);
#endif
#ifndef HAVE_STRSEP
#define strsep unbound_strsep
char *strsep(char **stringp, const char *delim);
#endif
#ifndef HAVE_ISBLANK
#define isblank unbound_isblank
int isblank(int c);
#endif
#if defined(HAVE_INET_NTOP) && !HAVE_DECL_INET_NTOP
const char *inet_ntop(int af, const void *src, char *dst, size_t size);
#endif
#if defined(HAVE_INET_PTON) && !HAVE_DECL_INET_PTON
int inet_pton(int af, const char* src, void* dst);
#endif
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
#define strptime unbound_strptime
struct tm;

File diff suppressed because it is too large Load diff

View file

@ -6,19 +6,20 @@ sinclude(ax_pthread.m4)
sinclude(acx_python.m4)
sinclude(ac_pkg_swig.m4)
sinclude(dnstap/dnstap.m4)
sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[5])
m4_define([VERSION_MICRO],[8])
m4_define([VERSION_MINOR],[6])
m4_define([VERSION_MICRO],[3])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=5
LIBUNBOUND_REVISION=11
LIBUNBOUND_AGE=3
LIBUNBOUND_CURRENT=7
LIBUNBOUND_REVISION=2
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
# 1.0.2 had 0:14:0
@ -64,7 +65,13 @@ LIBUNBOUND_AGE=3
# 1.5.5 had 5:8:3
# 1.5.6 had 5:9:3
# 1.5.7 had 5:10:3
# 1.5.8 had 5:11:3
# 1.5.8 had 6:0:4 # adds ub_ctx_set_stub
# 1.5.9 had 6:1:4
# 1.5.10 had 6:2:4
# 1.6.0 had 6:3:4
# 1.6.1 had 7:0:5 # ub_callback_t typedef renamed to ub_callback_type
# 1.6.2 had 7:1:5
# 1.6.3 had 7:2:5
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@ -106,7 +113,7 @@ esac
# are we on MinGW?
if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
else
if echo $target | grep mingw32 >/dev/null; then on_mingw="yes"
if echo $host $target | grep mingw32 >/dev/null; then on_mingw="yes"
else on_mingw="no"; fi
fi
@ -257,6 +264,29 @@ AC_C_INLINE
ACX_CHECK_FORMAT_ATTRIBUTE
ACX_CHECK_UNUSED_ATTRIBUTE
AC_DEFUN([CHECK_WEAK_ATTRIBUTE],
[AC_REQUIRE([AC_PROG_CC])
AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "weak" attribute)
AC_CACHE_VAL(ac_cv_c_weak_attribute,
[ac_cv_c_weak_attribute=no
AC_TRY_COMPILE(
[ #include <stdio.h>
__attribute__((weak)) void f(int x) { printf("%d", x); }
], [
f(1);
],
[ac_cv_c_weak_attribute="yes"],
[ac_cv_c_weak_attribute="no"])
])
AC_MSG_RESULT($ac_cv_c_weak_attribute)
if test $ac_cv_c_weak_attribute = yes; then
AC_DEFINE(HAVE_ATTR_WEAK, 1, [Whether the C compiler accepts the "weak" attribute])
fi
])dnl End of CHECK_WEAK_ATTRIBUTE
CHECK_WEAK_ATTRIBUTE
if test "$srcdir" != "."; then
CPPFLAGS="$CPPFLAGS -I$srcdir"
fi
@ -277,7 +307,7 @@ AC_CHECK_TOOL(STRIP, strip)
ACX_LIBTOOL_C_ONLY
# Checks for header files.
AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/ipc.h sys/shm.h],,, [AC_INCLUDES_DEFAULT])
# check for types.
# Using own tests for int64* because autoconf builtin only give 32bit.
@ -419,7 +449,7 @@ if test x_$withval != x_no; then
ub_have_pthreads=yes
AC_CHECK_TYPES([pthread_spinlock_t, pthread_rwlock_t],,,[#include <pthread.h>])
if echo "$CFLAGS" | grep -e "-pthread" >/dev/null; then
if echo "$CFLAGS" | $GREP -e "-pthread" >/dev/null; then
AC_MSG_CHECKING([if -pthread unused during linking])
# catch clang warning 'argument unused during compilation'
AC_LANG_CONFTEST([AC_LANG_SOURCE(AC_INCLUDES_DEFAULT
@ -518,10 +548,12 @@ if test x_$ub_test_python != x_no; then
LIBS="$PYTHON_LDFLAGS $LIBS"
CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
ub_have_python=yes
PC_PY_DEPENDENCY="python"
AC_SUBST(PC_PY_DEPENDENCY)
# Check for SWIG
ub_have_swig=no
AC_PROG_SWIG
AC_PROG_SWIG(2.0.1)
AC_MSG_CHECKING(SWIG)
if test ! -x "$SWIG"; then
AC_ERROR([failed to find swig tool, install it, or do not build Python module and PyUnbound])
@ -605,6 +637,7 @@ AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
[
USE_NETTLE="yes"
AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
if test "$withval" != "" -a "$withval" != "yes"; then
CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
LDFLAGS="$LDFLAGS -L$withval/lib"
@ -622,6 +655,20 @@ if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
ACX_WITH_SSL
ACX_LIB_SSL
SSLLIB="-lssl"
# check if -lcrypt32 is needed because CAPIENG needs that. (on windows)
BAKLIBS="$LIBS"
LIBS="-lssl $LIBS"
AC_MSG_CHECKING([if libssl needs -lcrypt32])
AC_TRY_LINK_FUNC([HMAC_Update], [
AC_MSG_RESULT([no])
LIBS="$BAKLIBS"
], [
AC_MSG_RESULT([yes])
LIBS="$BAKLIBS"
LIBS="$LIBS -lcrypt32"
])
AC_MSG_CHECKING([for LibreSSL])
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
AC_MSG_RESULT([yes])
@ -632,9 +679,15 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/
else
AC_MSG_RESULT([no])
fi
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1])
# these check_funcs need -lssl
BAKLIBS="$LIBS"
LIBS="-lssl $LIBS"
AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level])
LIBS="$BAKLIBS"
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
AC_INCLUDES_DEFAULT
#ifdef HAVE_OPENSSL_ERR_H
@ -659,6 +712,16 @@ fi
AC_SUBST(SSLLIB)
AC_ARG_ENABLE(sha1, AC_HELP_STRING([--disable-sha1], [Disable SHA1 RRSIG support, does not disable nsec3 support]))
case "$enable_sha1" in
no)
;;
yes|*)
AC_DEFINE([USE_SHA1], [1], [Define this to enable SHA1 support.])
;;
esac
AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support]))
case "$enable_sha2" in
no)
@ -668,6 +731,19 @@ case "$enable_sha2" in
;;
esac
AC_ARG_ENABLE(subnet, AC_HELP_STRING([--enable-subnet], [Enable client subnet]))
case "$enable_subnet" in
yes)
AC_DEFINE([CLIENT_SUBNET], [1], [Define this to enable client subnet option.])
SUBNET_OBJ="edns-subnet.lo subnetmod.lo addrtree.lo subnet-whitelist.lo"
AC_SUBST(SUBNET_OBJ)
SUBNET_HEADER='$(srcdir)/edns-subnet/subnetmod.h $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/edns-subnet/addrtree.h'
AC_SUBST(SUBNET_HEADER)
;;
no|*)
;;
esac
# check wether gost also works
AC_DEFUN([AC_CHECK_GOST_WORKS],
[AC_REQUIRE([AC_PROG_CC])
@ -816,13 +892,64 @@ case "$enable_ecdsa" in
;;
esac
AC_ARG_ENABLE(event-api, AC_HELP_STRING([--enable-event-api], [Enable (experimental) libevent-based libunbound API installed to unbound-event.h]))
use_unbound_event="no"
case "$enable_event_api" in
yes)
use_unbound_event="yes"
AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support]))
use_dsa="no"
case "$enable_dsa" in
no)
;;
*)
# detect if DSA is supported, and turn it off if not.
AC_CHECK_FUNC(DSA_SIG_new, [
AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
fi ])
;;
esac
AC_ARG_ENABLE(event-api, AC_HELP_STRING([--enable-event-api], [Enable (experimental) pluggable event base libunbound API installed to unbound-event.h]))
case "$enable_event_api" in
yes)
AC_SUBST(UNBOUND_EVENT_INSTALL, [unbound-event-install])
AC_SUBST(UNBOUND_EVENT_UNINSTALL, [unbound-event-uninstall])
;;
*)
;;
esac
AC_ARG_ENABLE(tfo-client, AC_HELP_STRING([--enable-tfo-client], [Enable TCP Fast Open for client mode]))
case "$enable_tfo_client" in
yes)
case `uname` in
Linux) AC_CHECK_DECL([MSG_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
[AC_INCLUDES_DEFAULT
#include <netinet/tcp.h>
])
AC_DEFINE_UNQUOTED([USE_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
;;
Darwin) AC_CHECK_DECL([CONNECT_RESUME_ON_READ_WRITE], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support client mode TFO])],
[AC_MSG_ERROR([TCP Fast Open is not available for client mode: please rerun without --enable-tfo-client])],
[AC_INCLUDES_DEFAULT
#include <sys/socket.h>
])
AC_DEFINE_UNQUOTED([USE_OSX_MSG_FASTOPEN], [1], [Define this to enable client TCP Fast Open.])
;;
esac
;;
no|*)
;;
esac
AC_ARG_ENABLE(tfo-server, AC_HELP_STRING([--enable-tfo-server], [Enable TCP Fast Open for server mode]))
case "$enable_tfo_server" in
yes)
AC_CHECK_DECL([TCP_FASTOPEN], [AC_MSG_WARN([Check the platform specific TFO kernel parameters are correctly configured to support server mode TFO])], [AC_MSG_ERROR([TCP Fast Open is not available for server mode: please rerun without --enable-tfo-server])], [AC_INCLUDES_DEFAULT
#include <netinet/tcp.h>
])
AC_DEFINE_UNQUOTED([USE_TCP_FASTOPEN], [1], [Define this to enable server TCP Fast Open.])
;;
no|*)
;;
esac
@ -903,13 +1030,11 @@ large outgoing port ranges. ])
AC_CHECK_FUNCS([event_base_get_method]) # only in libevent 1.4.3 and later
AC_CHECK_FUNCS([ev_loop]) # only in libev. (tested on 3.51)
AC_CHECK_FUNCS([ev_default_loop]) # only in libev. (tested on 4.00)
PC_LIBEVENT_DEPENDENCY="libevent"
AC_SUBST(PC_LIBEVENT_DEPENDENCY)
if test -n "$BAK_LDFLAGS_SET"; then
LDFLAGS="$BAK_LDFLAGS"
fi
if test "$use_unbound_event" = "yes"; then
AC_SUBST(UNBOUND_EVENT_INSTALL, [unbound-event-install])
AC_SUBST(UNBOUND_EVENT_UNINSTALL, [unbound-event-uninstall])
fi
else
AC_DEFINE(USE_MINI_EVENT, 1, [Define if you want to use internal select based events])
fi
@ -950,13 +1075,15 @@ if test x_$enable_static_exe = x_yes; then
staticexe="-static"
if test "$on_mingw" = yes; then
staticexe="-all-static"
# for static crosscompile, include gdi32 and zlib here.
if test "`uname`" = "Linux"; then
# for static compile, include gdi32 and zlib here.
LIBS="$LIBS -lgdi32 -lz"
fi
fi
fi
# Include systemd.m4 - begin
sinclude(systemd.m4)
# Include systemd.m4 - end
# set lock checking if requested
AC_ARG_ENABLE(lock_checks, AC_HELP_STRING([--enable-lock-checks],
[ enable to check lock and unlock calls, for debug purposes ]),
@ -1030,6 +1157,10 @@ AC_INCLUDES_DEFAULT
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
@ -1043,27 +1174,36 @@ AC_INCLUDES_DEFAULT
#endif
])
AC_SEARCH_LIBS([setusercontext], [util])
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync])
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget])
AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
AC_MSG_CHECKING([for sbrk])
# catch the warning of deprecated sbrk
old_cflags="$CFLAGS"
CFLAGS="$CFLAGS -Werror"
AC_COMPILE_IFELSE([AC_LANG_SOURCE(AC_INCLUDES_DEFAULT
[[
int main(void) { void* cur = sbrk(0); printf("%u\n", (unsigned)(size_t)((char*)cur - (char*)sbrk(0))); return 0; }
]])], [
AC_MSG_RESULT(yes)
AC_DEFINE(HAVE_SBRK, 1, [define if you have the sbrk() call])
], [AC_MSG_RESULT(no)])
CFLAGS="$old_cflags"
# check if setreuid en setregid fail, on MacOSX10.4(darwin8).
if echo $build_os | grep darwin8 > /dev/null; then
AC_DEFINE(DARWIN_BROKEN_SETREUID, 1, [Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work])
fi
AC_CHECK_DECLS([inet_pton,inet_ntop], [], [], [
AC_INCLUDES_DEFAULT
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#ifdef HAVE_WINSOCK2_H
#include <winsock2.h>
#endif
#ifdef HAVE_WS2TCPIP_H
#include <ws2tcpip.h>
#endif
])
AC_REPLACE_FUNCS(inet_aton)
AC_REPLACE_FUNCS(inet_pton)
AC_REPLACE_FUNCS(inet_ntop)
@ -1101,11 +1241,11 @@ if test "$USE_NSS" = "no"; then
if test "$USE_WINSOCK" = 1; then
AC_LIBOBJ(getentropy_win)
else
case `uname` in
Darwin)
case "$host" in
Darwin|*darwin*)
AC_LIBOBJ(getentropy_osx)
;;
SunOS)
*solaris*|*sunos*|SunOS)
AC_LIBOBJ(getentropy_solaris)
AC_CHECK_HEADERS([sys/sha2.h],, [
AC_CHECK_FUNCS([SHA512_Update],,[
@ -1118,7 +1258,7 @@ if test "$USE_NSS" = "no"; then
fi
AC_SEARCH_LIBS([clock_gettime], [rt])
;;
Linux|*)
*linux*|Linux|*)
AC_LIBOBJ(getentropy_linux)
AC_CHECK_FUNCS([SHA512_Update],,[
AC_DEFINE([COMPAT_SHA512], [1], [Do sha512 definitions in config.h])
@ -1136,6 +1276,7 @@ fi
LIBOBJ_WITHOUT_CTIME="$LIBOBJS"
AC_SUBST(LIBOBJ_WITHOUT_CTIME)
AC_REPLACE_FUNCS(ctime_r)
AC_REPLACE_FUNCS(strsep)
AC_ARG_ENABLE(allsymbols, AC_HELP_STRING([--enable-allsymbols], [export all symbols from libunbound and link binaries to it, smaller install size but libunbound export table is polluted by internal symbols]))
case "$enable_allsymbols" in
@ -1188,6 +1329,30 @@ dt_DNSTAP([$UNBOUND_RUN_DIR/dnstap.sock],
]
)
# check for dnscrypt if requested
dnsc_DNSCRYPT([
AC_DEFINE([USE_DNSCRYPT], [1], [Define to 1 to enable dnscrypt support])
AC_SUBST([ENABLE_DNSCRYPT], [1])
AC_SUBST([DNSCRYPT_SRC], ["dnscrypt/dnscrypt.c"])
AC_SUBST([DNSCRYPT_OBJ], ["dnscrypt.lo"])
],
[
AC_SUBST([ENABLE_DNSCRYPT], [0])
]
)
# check for cachedb if requested
AC_ARG_ENABLE(cachedb, AC_HELP_STRING([--enable-cachedb], [enable cachedb module that can use external cache storage]))
case "$enable_cachedb" in
yes)
AC_DEFINE([USE_CACHEDB], [1], [Define to 1 to use cachedb support])
;;
no|*)
# nothing
;;
esac
AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
# on openBSD, the implicit rule make $< work.
# on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
@ -1294,6 +1459,10 @@ dnl includes
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
@ -1350,11 +1519,24 @@ AHX_MEMCMP_BROKEN(unbound)
char *ctime_r(const time_t *timep, char *buf);
#endif
#ifndef HAVE_STRSEP
#define strsep unbound_strsep
char *strsep(char **stringp, const char *delim);
#endif
#ifndef HAVE_ISBLANK
#define isblank unbound_isblank
int isblank(int c);
#endif
#if defined(HAVE_INET_NTOP) && !HAVE_DECL_INET_NTOP
const char *inet_ntop(int af, const void *src, char *dst, size_t size);
#endif
#if defined(HAVE_INET_PTON) && !HAVE_DECL_INET_PTON
int inet_pton(int af, const char* src, void* dst);
#endif
#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
#define strptime unbound_strptime
struct tm;
@ -1463,6 +1645,6 @@ dnl if this is a distro tarball, that was already done by makedist.sh
AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO])
AC_SUBST(date, [`date +'%b %e, %Y'`])
AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h])
AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service])
AC_CONFIG_HEADER([config.h])
AC_OUTPUT

View file

@ -18,6 +18,7 @@ check_include_file(login_cap.h HAVE_LOGIN_CAP_H)
check_include_file(memory.h HAVE_MEMORY_H)
check_include_file(netdb.h HAVE_NETDB_H)
check_include_file(netinet/in.h HAVE_NETINET_IN_H)
check_include_file(pthread.h HAVE_PTHREAD)
check_include_file(pwd.h HAVE_PWD_H)
check_include_file(stdarg.h HAVE_STDARG_H)
check_include_file(stdbool.h HAVE_STDBOOL_H)
@ -95,6 +96,7 @@ check_function_exists(sleep HAVE_SLEEP)
check_function_exists(snprintf HAVE_SNPRINTF)
check_function_exists(socketpair HAVE_SOCKETPAIR)
check_function_exists(srandom HAVE_SRANDOM)
check_function_exists(strsep HAVE_STRSEP)
check_function_exists(strftime HAVE_STRFTIME)
check_function_exists(strlcat HAVE_STRLCAT)
check_function_exists(strlcpy HAVE_STRLCPY)
@ -165,6 +167,11 @@ endif ()
# XXX: Check for broken vfork()?
# XXX: Check for one-arg mkdir?
check_symbol_exists(inet_pton "arpa/inet.h" HAVE_INET_PTON)
check_symbol_exists(inet_ntop "arpa/inet.h" HAVE_INET_NTOP)
check_symbol_exists(strsep "string.h" HAVE_STRSEP)
check_symbol_exists(PTHREAD_PRIO_INHERIT "pthread.h" HAVE_PTHREAD_PRIO_INHERIT)
check_symbol_exists(pthread_rwlock_t "pthread.h" HAVE_PTHREAD_RWLOCK_T)
check_symbol_exists(pthread_spinlock_t "pthread.h" HAVE_PTHREAD_SPINLOCK_T)
@ -189,11 +196,12 @@ check_symbol_exists(SSL_COMP_get_compression_methods "openssl/ssl.h" HAVE_DECL_S
set(CMAKE_REQUIRED_LIBRARIES
${OPENSSL_LIBRARIES})
check_function_exists(EVP_MD_CTX_new HAVE_EVP_MD_CTX_NEW)
check_function_exists(EVP_sha1 HAVE_EVP_SHA1)
check_function_exists(EVP_sha256 HAVE_EVP_SHA256)
check_function_exists(EVP_sha512 HAVE_EVP_SHA512)
check_function_exists(FIPS_mode HAVE_FIPS_MODE)
check_function_exists(HMAC_CTX_init HAVE_HMAC_CTX_INIT)
check_function_exists(HMAC_Update HAVE_HMAC_UPDATE)
check_function_exists(OPENSSL_config HAVE_OPENSSL_CONFIG)
check_function_exists(SHA512_Update HAVE_SHA512_UPDATE)

View file

@ -29,3 +29,5 @@ distribution but may be helpful.
Patch from Stephane Lapie for ASAHI Net.
* unbound_smf22.tar.gz: Solaris SMF installation/removal scripts.
Contributed by Yuri Voinov.
* unbound.socket and unbound.service: systemd files for unbound, install them
in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov.

View file

@ -1,8 +1,10 @@
--- unbound-1.4.17.orig/doc/unbound.conf.5.in
+++ unbound-1.4.17/doc/unbound.conf.5.in
@@ -519,6 +519,13 @@ authority servers and checks if the repl
Disabled by default.
This feature is an experimental implementation of draft dns\-0x20.
Index: trunk/doc/unbound.conf.5.in
===================================================================
--- trunk/doc/unbound.conf.5.in (revision 3587)
+++ trunk/doc/unbound.conf.5.in (working copy)
@@ -593,6 +593,13 @@
possible. Best effort approach, full QNAME and original QTYPE will be sent when
upstream replies with a RCODE other than NOERROR. Default is off.
.TP
+.B aaaa\-filter: \fI<yes or no>
+Activate behavior similar to BIND's AAAA-filter.
@ -13,20 +15,12 @@
+.TP
.B private\-address: \fI<IP address or subnet>
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
on your private network, and are not allowed to be returned for public
--- unbound-1.4.17.orig/util/config_file.c
+++ unbound-1.4.17/util/config_file.c
@@ -160,6 +160,7 @@ config_create(void)
cfg->harden_below_nxdomain = 0;
cfg->harden_referral_path = 0;
cfg->use_caps_bits_for_id = 0;
+ cfg->aaaa_filter = 0; /* ASN: default is disabled */
cfg->private_address = NULL;
cfg->private_domain = NULL;
cfg->unwanted_threshold = 0;
--- unbound-1.4.17.orig/iterator/iter_scrub.c
+++ unbound-1.4.17/iterator/iter_scrub.c
@@ -580,6 +580,32 @@ static int sanitize_nsec_is_overreach(st
on your private network, and are not allowed to be returned for
Index: trunk/iterator/iter_scrub.c
===================================================================
--- trunk/iterator/iter_scrub.c (revision 3587)
+++ trunk/iterator/iter_scrub.c (working copy)
@@ -617,6 +617,32 @@
}
/**
@ -38,7 +32,7 @@
+ */
+static int
+asn_lookup_a_record_from_cache(struct query_info* qinfo,
+ struct module_env* env, struct iter_env* ie)
+ struct module_env* env, struct iter_env* ATTR_UNUSED(ie))
+{
+ struct ub_packed_rrset_key* akey;
+
@ -59,7 +53,7 @@
* Given a response event, remove suspect RRsets from the response.
* "Suspect" rrsets are potentially poison. Note that this routine expects
* the response to be in a "normalized" state -- that is, all "irrelevant"
@@ -598,6 +625,7 @@ scrub_sanitize(ldns_buffer* pkt, struct
@@ -635,6 +661,7 @@
struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
struct iter_env* ie)
{
@ -67,7 +61,7 @@
int del_addi = 0; /* if additional-holding rrsets are deleted, we
do not trust the normalized additional-A-AAAA any more */
struct rrset_parse* rrset, *prev;
@@ -633,6 +661,13 @@ scrub_sanitize(ldns_buffer* pkt, struct
@@ -670,6 +697,13 @@
rrset = rrset->rrset_all_next;
}
@ -81,7 +75,7 @@
/* At this point, we brutally remove ALL rrsets that aren't
* children of the originating zone. The idea here is that,
* as far as we know, the server that we contacted is ONLY
@@ -644,6 +679,24 @@ scrub_sanitize(ldns_buffer* pkt, struct
@@ -681,6 +715,24 @@
rrset = msg->rrset_first;
while(rrset) {
@ -105,10 +99,24 @@
+
/* remove private addresses */
if( (rrset->type == LDNS_RR_TYPE_A ||
rrset->type == LDNS_RR_TYPE_AAAA) &&
--- unbound-1.4.17.orig/iterator/iterator.c
+++ unbound-1.4.17/iterator/iterator.c
@@ -1579,6 +1579,53 @@ processDSNSFind(struct module_qstate* qs
rrset->type == LDNS_RR_TYPE_AAAA)) {
Index: trunk/iterator/iter_utils.c
===================================================================
--- trunk/iterator/iter_utils.c (revision 3587)
+++ trunk/iterator/iter_utils.c (working copy)
@@ -175,6 +175,7 @@
}
iter_env->supports_ipv6 = cfg->do_ip6;
iter_env->supports_ipv4 = cfg->do_ip4;
+ iter_env->aaaa_filter = cfg->aaaa_filter;
return 1;
}
Index: trunk/iterator/iterator.c
===================================================================
--- trunk/iterator/iterator.c (revision 3587)
+++ trunk/iterator/iterator.c (working copy)
@@ -1776,6 +1776,53 @@
return 0;
}
@ -128,7 +136,7 @@
+ */
+static int
+asn_processQueryAAAA(struct module_qstate* qstate, struct iter_qstate* iq,
+ struct iter_env* ie, int id)
+ struct iter_env* ATTR_UNUSED(ie), int id)
+{
+ struct module_qstate* subq = NULL;
+
@ -162,7 +170,7 @@
/**
* This is the request event state where the request will be sent to one of
@@ -1626,6 +1673,13 @@ processQueryTargets(struct module_qstate
@@ -1823,6 +1870,13 @@
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
@ -176,7 +184,7 @@
/* Make sure we have a delegation point, otherwise priming failed
* or another failure occurred */
if(!iq->dp) {
@@ -2568,6 +2622,62 @@ processFinished(struct module_qstate* qs
@@ -2922,6 +2976,61 @@
return 0;
}
@ -195,9 +203,8 @@
+asn_processAAAAResponse(struct module_qstate* qstate, int id,
+ struct module_qstate* super)
+{
+ struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];
+ /*struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];*/
+ struct iter_qstate* super_iq = (struct iter_qstate*)super->minfo[id];
+ struct ub_packed_rrset_key* rrset;
+ struct delegpt_ns* dpns = NULL;
+ int error = (qstate->return_rcode != LDNS_RCODE_NOERROR);
+
@ -239,7 +246,7 @@
/*
* Return priming query results to interestes super querystates.
*
@@ -2587,6 +2697,9 @@ iter_inform_super(struct module_qstate*
@@ -2941,6 +3050,9 @@
else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
super->minfo[id])->state == DSNS_FIND_STATE)
processDSNSResponse(qstate, id, super);
@ -249,7 +256,7 @@
else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
error_supers(qstate, id, super);
else if(qstate->is_priming)
@@ -2624,6 +2737,9 @@ iter_handle(struct module_qstate* qstate
@@ -2978,6 +3090,9 @@
case INIT_REQUEST_3_STATE:
cont = processInitRequest3(qstate, iq, id);
break;
@ -259,7 +266,7 @@
case QUERYTARGETS_STATE:
cont = processQueryTargets(qstate, iq, ie, id);
break;
@@ -2863,6 +2979,8 @@ iter_state_to_string(enum iter_state sta
@@ -3270,6 +3385,8 @@
return "INIT REQUEST STATE (stage 2)";
case INIT_REQUEST_3_STATE:
return "INIT REQUEST STATE (stage 3)";
@ -268,7 +275,7 @@
case QUERYTARGETS_STATE :
return "QUERY TARGETS STATE";
case PRIME_RESP_STATE :
@@ -2887,6 +3005,7 @@ iter_state_is_responsestate(enum iter_st
@@ -3294,6 +3411,7 @@
case INIT_REQUEST_STATE :
case INIT_REQUEST_2_STATE :
case INIT_REQUEST_3_STATE :
@ -276,29 +283,21 @@
case QUERYTARGETS_STATE :
case COLLECT_CLASS_STATE :
return 0;
--- unbound-1.4.17.orig/iterator/iter_utils.c
+++ unbound-1.4.17/iterator/iter_utils.c
@@ -128,6 +128,7 @@ iter_apply_cfg(struct iter_env* iter_env
}
iter_env->supports_ipv6 = cfg->do_ip6;
iter_env->supports_ipv4 = cfg->do_ip4;
+ iter_env->aaaa_filter = cfg->aaaa_filter;
return 1;
}
--- unbound-1.4.17.orig/iterator/iterator.h
+++ unbound-1.4.17/iterator/iterator.h
@@ -110,6 +110,9 @@ struct iter_env {
* array of max_dependency_depth+1 size.
Index: trunk/iterator/iterator.h
===================================================================
--- trunk/iterator/iterator.h (revision 3587)
+++ trunk/iterator/iterator.h (working copy)
@@ -113,6 +113,9 @@
*/
int* target_fetch_policy;
+
+ /** ASN: AAAA-filter flag */
+ int aaaa_filter;
+
/** ip6.arpa dname in wireformat, used for qname-minimisation */
uint8_t* ip6arpa_dname;
};
/**
@@ -135,6 +138,14 @@ enum iter_state {
@@ -163,6 +166,14 @@
INIT_REQUEST_3_STATE,
/**
@ -312,8 +311,8 @@
+ /**
* Each time a delegation point changes for a given query or a
* query times out and/or wakes up, this state is (re)visited.
* This state is responsible for iterating through a list of
@@ -309,6 +320,13 @@ struct iter_qstate {
* This state is reponsible for iterating through a list of
@@ -346,6 +357,13 @@
*/
int refetch_glue;
@ -326,31 +325,61 @@
+
/** list of pending queries to authoritative servers. */
struct outbound_list outlist;
};
--- unbound-1.4.17.orig/util/config_file.h
+++ unbound-1.4.17/util/config_file.h
@@ -169,6 +169,8 @@ struct config_file {
Index: trunk/pythonmod/interface.i
===================================================================
--- trunk/pythonmod/interface.i (revision 3587)
+++ trunk/pythonmod/interface.i (working copy)
@@ -632,6 +632,7 @@
int harden_dnssec_stripped;
int harden_referral_path;
int use_caps_bits_for_id;
+ int aaaa_filter; /* ASN */
struct config_strlist* private_address;
struct config_strlist* private_domain;
size_t unwanted_threshold;
Index: trunk/util/config_file.c
===================================================================
--- trunk/util/config_file.c (revision 3587)
+++ trunk/util/config_file.c (working copy)
@@ -176,6 +176,7 @@
cfg->harden_referral_path = 0;
cfg->harden_algo_downgrade = 0;
cfg->use_caps_bits_for_id = 0;
+ cfg->aaaa_filter = 0; /* ASN: default is disabled */
cfg->caps_whitelist = NULL;
cfg->private_address = NULL;
cfg->private_domain = NULL;
Index: trunk/util/config_file.h
===================================================================
--- trunk/util/config_file.h (revision 3587)
+++ trunk/util/config_file.h (working copy)
@@ -179,6 +179,8 @@
int harden_algo_downgrade;
/** use 0x20 bits in query as random ID bits */
int use_caps_bits_for_id;
+ /** ASN: enable AAAA filter? */
+ int aaaa_filter;
/** 0x20 whitelist, domains that do not use capsforid */
struct config_strlist* caps_whitelist;
/** strip away these private addrs from answers, no DNS Rebinding */
struct config_strlist* private_address;
/** allow domain (and subdomains) to use private address space */
--- unbound-1.4.17.orig/util/configlexer.lex
+++ unbound-1.4.17/util/configlexer.lex
@@ -177,6 +177,7 @@ harden-below-nxdomain{COLON} { YDVAR(1,
harden-referral-path{COLON} { YDVAR(1, VAR_HARDEN_REFERRAL_PATH) }
Index: trunk/util/configlexer.lex
===================================================================
--- trunk/util/configlexer.lex (revision 3587)
+++ trunk/util/configlexer.lex (working copy)
@@ -267,6 +267,7 @@
use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) }
caps-whitelist{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) }
unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
+aaaa-filter{COLON} { YDVAR(1, VAR_AAAA_FILTER) }
private-address{COLON} { YDVAR(1, VAR_PRIVATE_ADDRESS) }
private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) }
prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) }
--- unbound-1.4.17.orig/util/configparser.y
+++ unbound-1.4.17/util/configparser.y
@@ -92,6 +92,7 @@ extern struct config_parser_state* cfg_p
Index: trunk/util/configparser.y
===================================================================
--- trunk/util/configparser.y (revision 3587)
+++ trunk/util/configparser.y (working copy)
@@ -92,6 +92,7 @@
%token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT
%token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
%token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
@ -358,7 +387,7 @@
%token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
%token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
%token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
@@ -151,6 +152,7 @@ content_server: server_num_threads | ser
@@ -169,6 +170,7 @@
server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
server_harden_referral_path | server_private_address |
server_private_domain | server_extended_statistics |
@ -366,8 +395,8 @@
server_local_data_ptr | server_jostle_timeout |
server_unwanted_reply_threshold | server_log_time_ascii |
server_domain_insecure | server_val_sig_skew_min |
@@ -802,6 +803,15 @@ server_use_caps_for_id: VAR_USE_CAPS_FOR
free($2);
@@ -893,6 +895,15 @@
yyerror("out of memory");
}
;
+server_aaaa_filter: VAR_AAAA_FILTER STRING_ARG
@ -382,13 +411,3 @@
server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG
{
OUTYY(("P(server_private_address:%s)\n", $2));
--- unbound-1.4.17.orig/pythonmod/interface.i
+++ unbound-1.4.17/pythonmod/interface.i
@@ -626,6 +626,7 @@ struct config_file {
int harden_dnssec_stripped;
int harden_referral_path;
int use_caps_bits_for_id;
+ int aaaa_filter; /* ASN */
struct config_strlist* private_address;
struct config_strlist* private_domain;
size_t unwanted_threshold;

View file

@ -150,7 +150,7 @@ get_state ( ) {
fi
done
# try to get it
echo $$ >$lock
if echo $$ >$lock ; then : ; else break; fi
done
# do not refetch if the file exists and only LEE seconds old
if test -f $state; then
@ -266,7 +266,6 @@ if test "$1" = "config" ; then
echo "graph_args --base 1024 -l 0"
echo "graph_vlabel memory used in bytes"
echo "graph_category DNS"
p_config "mem.total.sbrk" "Total memory" "GAUGE"
p_config "mem.cache.rrset" "RRset cache memory" "GAUGE"
p_config "mem.cache.message" "Message cache memory" "GAUGE"
p_config "mem.mod.iterator" "Iterator module memory" "GAUGE"
@ -458,20 +457,6 @@ queue)
done
;;
memory)
mn=`echo mem.total.sbrk | sed $ABBREV | tr . _`
get_value 'mem.total.sbrk'
if test $value -eq 0; then
chk=`echo $ctrl | sed -e 's/-control$/-checkconf/'`
pidf=`$chk -o pidfile $conf 2>&1`
pid=`cat $pidf 2>&1`
value=`ps -p "$pid" -o rss= 2>&1`
if test "`expr $value + 1 - 1 2>&1`" -eq "$value" 2>&1; then
value=`expr $value \* 1024`
else
value=0
fi
fi
echo "$mn.value" $value
for x in mem.cache.rrset mem.cache.message mem.mod.iterator \
mem.mod.validator msg.cache.count rrset.cache.count \
infra.cache.count key.cache.count; do

View file

@ -45,6 +45,8 @@
#include "util/log.h"
#include "util/config_file.h"
#include "util/net_help.h"
#include "services/localzone.h"
#include "sldns/str2wire.h"
struct acl_list*
acl_list_create(void)
@ -71,21 +73,21 @@ acl_list_delete(struct acl_list* acl)
}
/** insert new address into acl_list structure */
static int
static struct acl_addr*
acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr,
socklen_t addrlen, int net, enum acl_access control,
int complain_duplicates)
{
struct acl_addr* node = regional_alloc(acl->region,
struct acl_addr* node = regional_alloc_zero(acl->region,
sizeof(struct acl_addr));
if(!node)
return 0;
return NULL;
node->control = control;
if(!addr_tree_insert(&acl->tree, &node->node, addr, addrlen, net)) {
if(complain_duplicates)
verbose(VERB_QUERY, "duplicate acl address ignored.");
}
return 1;
return node;
}
/** apply acl_list string */
@ -125,6 +127,205 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
return 1;
}
/** find or create node (NULL on parse or error) */
static struct acl_addr*
acl_find_or_create(struct acl_list* acl, const char* str)
{
struct acl_addr* node;
struct sockaddr_storage addr;
int net;
socklen_t addrlen;
if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
log_err("cannot parse netblock: %s", str);
return NULL;
}
/* find or create node */
if(!(node=(struct acl_addr*)addr_tree_find(&acl->tree, &addr,
addrlen, net))) {
/* create node, type 'allow' since otherwise tags are
* pointless, can override with specific access-control: cfg */
if(!(node=(struct acl_addr*)acl_list_insert(acl, &addr,
addrlen, net, acl_allow, 1))) {
log_err("out of memory");
return NULL;
}
}
return node;
}
/** apply acl_tag string */
static int
acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap,
size_t bitmaplen)
{
struct acl_addr* node;
if(!(node=acl_find_or_create(acl, str)))
return 0;
node->taglen = bitmaplen;
node->taglist = regional_alloc_init(acl->region, bitmap, bitmaplen);
if(!node->taglist) {
log_err("out of memory");
return 0;
}
return 1;
}
/** apply acl_view string */
static int
acl_list_view_cfg(struct acl_list* acl, const char* str, const char* str2,
struct views* vs)
{
struct acl_addr* node;
if(!(node=acl_find_or_create(acl, str)))
return 0;
node->view = views_find_view(vs, str2, 0 /* get read lock*/);
if(!node->view) {
log_err("no view with name: %s", str2);
return 0;
}
lock_rw_unlock(&node->view->lock);
return 1;
}
/** apply acl_tag_action string */
static int
acl_list_tag_action_cfg(struct acl_list* acl, struct config_file* cfg,
const char* str, const char* tag, const char* action)
{
struct acl_addr* node;
int tagid;
enum localzone_type t;
if(!(node=acl_find_or_create(acl, str)))
return 0;
/* allocate array if not yet */
if(!node->tag_actions) {
node->tag_actions = (uint8_t*)regional_alloc_zero(acl->region,
sizeof(*node->tag_actions)*cfg->num_tags);
if(!node->tag_actions) {
log_err("out of memory");
return 0;
}
node->tag_actions_size = (size_t)cfg->num_tags;
}
/* parse tag */
if((tagid=find_tag_id(cfg, tag)) == -1) {
log_err("cannot parse tag (define-tag it): %s %s", str, tag);
return 0;
}
if((size_t)tagid >= node->tag_actions_size) {
log_err("tagid too large for array %s %s", str, tag);
return 0;
}
if(!local_zone_str2type(action, &t)) {
log_err("cannot parse access control action type: %s %s %s",
str, tag, action);
return 0;
}
node->tag_actions[tagid] = (uint8_t)t;
return 1;
}
/** check wire data parse */
static int
check_data(const char* data, const struct config_strlist* head)
{
char buf[65536];
uint8_t rr[LDNS_RR_BUF_SIZE];
size_t len = sizeof(rr);
int res;
/* '.' is sufficient for validation, and it makes the call to
* sldns_wirerr_get_type() simpler below. */
snprintf(buf, sizeof(buf), "%s %s", ".", data);
res = sldns_str2wire_rr_buf(buf, rr, &len, NULL, 3600, NULL, 0,
NULL, 0);
/* Reject it if we would end up having CNAME and other data (including
* another CNAME) for the same tag. */
if(res == 0 && head) {
const char* err_data = NULL;
if(sldns_wirerr_get_type(rr, len, 1) == LDNS_RR_TYPE_CNAME) {
/* adding CNAME while other data already exists. */
err_data = data;
} else {
snprintf(buf, sizeof(buf), "%s %s", ".", head->str);
len = sizeof(rr);
res = sldns_str2wire_rr_buf(buf, rr, &len, NULL, 3600,
NULL, 0, NULL, 0);
if(res != 0) {
/* This should be impossible here as head->str
* has been validated, but we check it just in
* case. */
return 0;
}
if(sldns_wirerr_get_type(rr, len, 1) ==
LDNS_RR_TYPE_CNAME) /* already have CNAME */
err_data = head->str;
}
if(err_data) {
log_err("redirect tag data '%s' must not coexist with "
"other data.", err_data);
return 0;
}
}
if(res == 0)
return 1;
log_err("rr data [char %d] parse error %s",
(int)LDNS_WIREPARSE_OFFSET(res)-13,
sldns_get_errorstr_parse(res));
return 0;
}
/** apply acl_tag_data string */
static int
acl_list_tag_data_cfg(struct acl_list* acl, struct config_file* cfg,
const char* str, const char* tag, const char* data)
{
struct acl_addr* node;
int tagid;
char* dupdata;
if(!(node=acl_find_or_create(acl, str)))
return 0;
/* allocate array if not yet */
if(!node->tag_datas) {
node->tag_datas = (struct config_strlist**)regional_alloc_zero(
acl->region, sizeof(*node->tag_datas)*cfg->num_tags);
if(!node->tag_datas) {
log_err("out of memory");
return 0;
}
node->tag_datas_size = (size_t)cfg->num_tags;
}
/* parse tag */
if((tagid=find_tag_id(cfg, tag)) == -1) {
log_err("cannot parse tag (define-tag it): %s %s", str, tag);
return 0;
}
if((size_t)tagid >= node->tag_datas_size) {
log_err("tagid too large for array %s %s", str, tag);
return 0;
}
/* check data? */
if(!check_data(data, node->tag_datas[tagid])) {
log_err("cannot parse access-control-tag data: %s %s '%s'",
str, tag, data);
return 0;
}
dupdata = regional_strdup(acl->region, data);
if(!dupdata) {
log_err("out of memory");
return 0;
}
if(!cfg_region_strlist_insert(acl->region,
&(node->tag_datas[tagid]), dupdata)) {
log_err("out of memory");
return 0;
}
return 1;
}
/** read acl_list config */
static int
read_acl_list(struct acl_list* acl, struct config_file* cfg)
@ -138,13 +339,114 @@ read_acl_list(struct acl_list* acl, struct config_file* cfg)
return 1;
}
/** read acl tags config */
static int
read_acl_tags(struct acl_list* acl, struct config_file* cfg)
{
struct config_strbytelist* np, *p = cfg->acl_tags;
cfg->acl_tags = NULL;
while(p) {
log_assert(p->str && p->str2);
if(!acl_list_tags_cfg(acl, p->str, p->str2, p->str2len)) {
config_del_strbytelist(p);
return 0;
}
/* free the items as we go to free up memory */
np = p->next;
free(p->str);
free(p->str2);
free(p);
p = np;
}
return 1;
}
/** read acl view config */
static int
read_acl_view(struct acl_list* acl, struct config_file* cfg, struct views* v)
{
struct config_str2list* np, *p = cfg->acl_view;
cfg->acl_view = NULL;
while(p) {
log_assert(p->str && p->str2);
if(!acl_list_view_cfg(acl, p->str, p->str2, v)) {
return 0;
}
/* free the items as we go to free up memory */
np = p->next;
free(p->str);
free(p->str2);
free(p);
p = np;
}
return 1;
}
/** read acl tag actions config */
static int
read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg)
{
struct config_str3list* p, *np;
p = cfg->acl_tag_actions;
cfg->acl_tag_actions = NULL;
while(p) {
log_assert(p->str && p->str2 && p->str3);
if(!acl_list_tag_action_cfg(acl, cfg, p->str, p->str2,
p->str3)) {
config_deltrplstrlist(p);
return 0;
}
/* free the items as we go to free up memory */
np = p->next;
free(p->str);
free(p->str2);
free(p->str3);
free(p);
p = np;
}
return 1;
}
/** read acl tag datas config */
static int
read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg)
{
struct config_str3list* p, *np;
p = cfg->acl_tag_datas;
cfg->acl_tag_datas = NULL;
while(p) {
log_assert(p->str && p->str2 && p->str3);
if(!acl_list_tag_data_cfg(acl, cfg, p->str, p->str2, p->str3)) {
config_deltrplstrlist(p);
return 0;
}
/* free the items as we go to free up memory */
np = p->next;
free(p->str);
free(p->str2);
free(p->str3);
free(p);
p = np;
}
return 1;
}
int
acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg)
acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
struct views* v)
{
regional_free_all(acl->region);
addr_tree_init(&acl->tree);
if(!read_acl_list(acl, cfg))
return 0;
if(!read_acl_view(acl, cfg, v))
return 0;
if(!read_acl_tags(acl, cfg))
return 0;
if(!read_acl_tag_actions(acl, cfg))
return 0;
if(!read_acl_tag_datas(acl, cfg))
return 0;
/* insert defaults, with '0' to ignore them if they are duplicates */
if(!acl_list_str_cfg(acl, "0.0.0.0/0", "refuse", 0))
return 0;
@ -163,13 +465,18 @@ acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg)
}
enum acl_access
acl_list_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
acl_get_control(struct acl_addr* acl)
{
if(acl) return acl->control;
return acl_deny;
}
struct acl_addr*
acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
socklen_t addrlen)
{
struct acl_addr* r = (struct acl_addr*)addr_tree_lookup(&acl->tree,
return (struct acl_addr*)addr_tree_lookup(&acl->tree,
addr, addrlen);
if(r) return r->control;
return acl_deny;
}
size_t

View file

@ -43,6 +43,7 @@
#ifndef DAEMON_ACL_LIST_H
#define DAEMON_ACL_LIST_H
#include "util/storage/dnstree.h"
#include "services/view.h"
struct config_file;
struct regional;
@ -75,7 +76,7 @@ struct acl_list {
* Tree of the addresses that are allowed/blocked.
* contents of type acl_addr.
*/
rbtree_t tree;
rbtree_type tree;
};
/**
@ -87,6 +88,21 @@ struct acl_addr {
struct addr_tree_node node;
/** access control on this netblock */
enum acl_access control;
/** tag bitlist */
uint8_t* taglist;
/** length of the taglist (in bytes) */
size_t taglen;
/** array per tagnumber of localzonetype(in one byte). NULL if none. */
uint8_t* tag_actions;
/** size of the tag_actions_array */
size_t tag_actions_size;
/** array per tagnumber, with per tag a list of rdata strings.
* NULL if none. strings are like 'A 127.0.0.1' 'AAAA ::1' */
struct config_strlist** tag_datas;
/** size of the tag_datas array */
size_t tag_datas_size;
/* view element, NULL if none */
struct view* view;
};
/**
@ -105,19 +121,29 @@ void acl_list_delete(struct acl_list* acl);
* Process access control config.
* @param acl: where to store.
* @param cfg: config options.
* @param v: views structure
* @return 0 on error.
*/
int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg);
int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
struct views* v);
/**
* Lookup address to see its access control status.
* Lookup access control status for acl structure.
* @param acl: structure for acl storage.
* @return: what to do with message from this address.
*/
enum acl_access acl_get_control(struct acl_addr* acl);
/**
* Lookup address to see its acl structure
* @param acl: structure for address storage.
* @param addr: address to check
* @param addrlen: length of addr.
* @return: what to do with message from this address.
* @return: acl structure from this address.
*/
enum acl_access acl_list_lookup(struct acl_list* acl,
struct sockaddr_storage* addr, socklen_t addrlen);
struct acl_addr*
acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
socklen_t addrlen);
/**
* Get memory used by acl structure.

View file

@ -563,6 +563,7 @@ load_qinfo(char* str, struct query_info* qinfo, struct regional* region)
qinfo->qclass = sldns_wirerr_get_class(rr, rr_len, dname_len);
qinfo->qname_len = dname_len;
qinfo->qname = (uint8_t*)regional_alloc_init(region, rr, dname_len);
qinfo->local_alias = NULL;
if(!qinfo->qname) {
log_warn("error out of memory");
return NULL;
@ -826,6 +827,7 @@ int print_deleg_lookup(SSL* ssl, struct worker* worker, uint8_t* nm,
qinfo.qname_len = nmlen;
qinfo.qtype = LDNS_RR_TYPE_A;
qinfo.qclass = LDNS_RR_CLASS_IN;
qinfo.local_alias = NULL;
dname_str(nm, b);
if(!ssl_printf(ssl, "The following name servers are used for lookup "

View file

@ -73,20 +73,27 @@
#include "util/log.h"
#include "util/config_file.h"
#include "util/data/msgreply.h"
#include "util/shm_side/shm_main.h"
#include "util/storage/lookup3.h"
#include "util/storage/slabhash.h"
#include "services/listen_dnsport.h"
#include "services/cache/rrset.h"
#include "services/cache/infra.h"
#include "services/localzone.h"
#include "services/view.h"
#include "services/modstack.h"
#include "util/module.h"
#include "util/random.h"
#include "util/tube.h"
#include "util/net_help.h"
#include "sldns/keyraw.h"
#include "respip/respip.h"
#include <signal.h>
#ifdef HAVE_SYSTEMD
#include <systemd/sd-daemon.h>
#endif
/** How many quit requests happened. */
static int sig_record_quit = 0;
/** How many reload requests happened. */
@ -174,8 +181,15 @@ static void
signal_handling_playback(struct worker* wrk)
{
#ifdef SIGHUP
if(sig_record_reload)
if(sig_record_reload) {
# ifdef HAVE_SYSTEMD
sd_notify(0, "RELOADING=1");
# endif
worker_sighandler(SIGHUP, wrk);
# ifdef HAVE_SYSTEMD
sd_notify(0, "READY=1");
# endif
}
#endif
if(sig_record_quit)
worker_sighandler(SIGTERM, wrk);
@ -204,20 +218,29 @@ daemon_init(void)
signal_handling_record();
checklock_start();
#ifdef HAVE_SSL
# ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
ERR_load_crypto_strings();
ERR_load_SSL_strings();
# ifdef HAVE_OPENSSL_CONFIG
OPENSSL_config("unbound");
# endif
ERR_load_SSL_strings();
# ifdef USE_GOST
(void)sldns_key_EVP_load_gost_id();
# endif
# if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
OpenSSL_add_all_algorithms();
# else
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
| OPENSSL_INIT_ADD_ALL_DIGESTS
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
# endif
# if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
/* grab the COMP method ptr because openssl leaks it */
comp_meth = (void*)SSL_COMP_get_compression_methods();
# endif
# if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
(void)SSL_library_init();
# else
(void)OPENSSL_init_ssl(0, NULL);
# endif
# if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
if(!ub_openssl_lock_init())
fatal_exit("could not init openssl locks");
@ -239,9 +262,16 @@ daemon_init(void)
free(daemon);
return NULL;
}
/* init edns_known_options */
if(!edns_known_options_init(daemon->env)) {
free(daemon->env);
free(daemon);
return NULL;
}
alloc_init(&daemon->superalloc, NULL, 0);
daemon->acl = acl_list_create();
if(!daemon->acl) {
edns_known_options_delete(daemon->env);
free(daemon->env);
free(daemon);
return NULL;
@ -338,6 +368,7 @@ static void daemon_setup_modules(struct daemon* daemon)
daemon->env)) {
fatal_exit("failed to setup modules");
}
log_edns_known_options(VERB_ALGO, daemon->env);
}
/**
@ -407,6 +438,8 @@ daemon_create_workers(struct daemon* daemon)
}
daemon->workers = (struct worker**)calloc((size_t)daemon->num,
sizeof(struct worker*));
if(!daemon->workers)
fatal_exit("out of memory during daemon init");
if(daemon->cfg->dnstap) {
#ifdef USE_DNSTAP
daemon->dtenv = dt_create(daemon->cfg->dnstap_socket_path,
@ -530,17 +563,55 @@ daemon_stop_others(struct daemon* daemon)
void
daemon_fork(struct daemon* daemon)
{
int have_view_respip_cfg = 0;
log_assert(daemon);
if(!acl_list_apply_cfg(daemon->acl, daemon->cfg))
if(!(daemon->views = views_create()))
fatal_exit("Could not create views: out of memory");
/* create individual views and their localzone/data trees */
if(!views_apply_cfg(daemon->views, daemon->cfg))
fatal_exit("Could not set up views");
if(!acl_list_apply_cfg(daemon->acl, daemon->cfg, daemon->views))
fatal_exit("Could not setup access control list");
if(daemon->cfg->dnscrypt) {
#ifdef USE_DNSCRYPT
daemon->dnscenv = dnsc_create();
if (!daemon->dnscenv)
fatal_exit("dnsc_create failed");
dnsc_apply_cfg(daemon->dnscenv, daemon->cfg);
#else
fatal_exit("dnscrypt enabled in config but unbound was not built with "
"dnscrypt support");
#endif
}
/* create global local_zones */
if(!(daemon->local_zones = local_zones_create()))
fatal_exit("Could not create local zones: out of memory");
if(!local_zones_apply_cfg(daemon->local_zones, daemon->cfg))
fatal_exit("Could not set up local zones");
/* process raw response-ip configuration data */
if(!(daemon->respip_set = respip_set_create()))
fatal_exit("Could not create response IP set");
if(!respip_global_apply_cfg(daemon->respip_set, daemon->cfg))
fatal_exit("Could not set up response IP set");
if(!respip_views_apply_cfg(daemon->views, daemon->cfg,
&have_view_respip_cfg))
fatal_exit("Could not set up per-view response IP sets");
daemon->use_response_ip = !respip_set_is_empty(daemon->respip_set) ||
have_view_respip_cfg;
/* setup modules */
daemon_setup_modules(daemon);
/* response-ip-xxx options don't work as expected without the respip
* module. To avoid run-time operational surprise we reject such
* configuration. */
if(daemon->use_response_ip &&
modstack_find(&daemon->mods, "respip") < 0)
fatal_exit("response-ip options require respip module");
/* first create all the worker structures, so we can pass
* them to the newly created threads.
*/
@ -567,14 +638,26 @@ daemon_fork(struct daemon* daemon)
#endif
signal_handling_playback(daemon->workers[0]);
if (!shm_main_init(daemon))
log_warn("SHM has failed");
/* Start resolver service on main thread. */
#ifdef HAVE_SYSTEMD
sd_notify(0, "READY=1");
#endif
log_info("start of service (%s).", PACKAGE_STRING);
worker_work(daemon->workers[0]);
#ifdef HAVE_SYSTEMD
sd_notify(0, "STOPPING=1");
#endif
log_info("service stopped (%s).", PACKAGE_STRING);
/* we exited! a signal happened! Stop other threads */
daemon_stop_others(daemon);
/* Shutdown SHM */
shm_main_shutdown(daemon);
daemon->need_to_exit = daemon->workers[0]->need_to_exit;
}
@ -589,13 +672,16 @@ daemon_cleanup(struct daemon* daemon)
log_thread_set(NULL);
/* clean up caches because
* a) RRset IDs will be recycled after a reload, causing collisions
* b) validation config can change, thus rrset, msg, keycache clear
* The infra cache is kept, the timing and edns info is still valid */
* b) validation config can change, thus rrset, msg, keycache clear */
slabhash_clear(&daemon->env->rrset_cache->table);
slabhash_clear(daemon->env->msg_cache);
local_zones_delete(daemon->local_zones);
daemon->local_zones = NULL;
/* key cache is cleared by module desetup during next daemon_init() */
respip_set_delete(daemon->respip_set);
daemon->respip_set = NULL;
views_delete(daemon->views);
daemon->views = NULL;
/* key cache is cleared by module desetup during next daemon_fork() */
daemon_remote_clear(daemon->rc);
for(i=0; i<daemon->num; i++)
worker_delete(daemon->workers[i]);
@ -624,6 +710,7 @@ daemon_delete(struct daemon* daemon)
slabhash_delete(daemon->env->msg_cache);
rrset_cache_delete(daemon->env->rrset_cache);
infra_delete(daemon->env->infra_cache);
edns_known_options_delete(daemon->env);
}
ub_randfree(daemon->rand);
alloc_clear(&daemon->superalloc);
@ -647,18 +734,27 @@ daemon_delete(struct daemon* daemon)
# endif
# if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS && HAVE_DECL_SK_SSL_COMP_POP_FREE
# ifndef S_SPLINT_S
# if OPENSSL_VERSION_NUMBER < 0x10100000
sk_SSL_COMP_pop_free(comp_meth, (void(*)())CRYPTO_free);
# endif
# endif
# endif
# ifdef HAVE_OPENSSL_CONFIG
EVP_cleanup();
# if OPENSSL_VERSION_NUMBER < 0x10100000
ENGINE_cleanup();
# endif
CONF_modules_free();
# endif
# ifdef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
CRYPTO_cleanup_all_ex_data(); /* safe, no more threads right now */
ERR_remove_state(0);
# endif
# ifdef HAVE_ERR_FREE_STRINGS
ERR_free_strings();
# endif
# if OPENSSL_VERSION_NUMBER < 0x10100000
RAND_cleanup();
# endif
# if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
ub_openssl_lock_delete();
# endif

View file

@ -56,14 +56,22 @@ struct module_env;
struct rrset_cache;
struct acl_list;
struct local_zones;
struct views;
struct ub_randstate;
struct daemon_remote;
struct respip_set;
struct shm_main_info;
#include "dnstap/dnstap_config.h"
#ifdef USE_DNSTAP
struct dt_env;
#endif
#include "dnscrypt/dnscrypt_config.h"
#ifdef USE_DNSCRYPT
struct dnsc_env;
#endif
/**
* Structure holding worker list.
* Holds globally visible information.
@ -114,9 +122,20 @@ struct daemon {
struct timeval time_last_stat;
/** time when daemon started */
struct timeval time_boot;
/** views structure containing view tree */
struct views* views;
#ifdef USE_DNSTAP
/** the dnstap environment master value, copied and changed by threads*/
struct dt_env* dtenv;
#endif
struct shm_main_info* shm_info;
/** response-ip set with associated actions and tags. */
struct respip_set* respip_set;
/** some response-ip tags or actions are configured if true */
int use_response_ip;
#ifdef USE_DNSCRYPT
/** the dnscrypt environment */
struct dnsc_env* dnscenv;
#endif
};

View file

@ -46,9 +46,12 @@
#ifdef HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
#endif
#ifndef HEADER_DH_H
#ifdef HAVE_OPENSSL_DH_H
#include <openssl/dh.h>
#endif
#ifdef HAVE_OPENSSL_BN_H
#include <openssl/bn.h>
#endif
#include <ctype.h>
#include "daemon/remote.h"
@ -140,49 +143,68 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
/*
* The following function was generated using the openssl utility, using
* the command : "openssl dhparam -dsaparam -C 1024"
* the command : "openssl dhparam -C 2048"
* (some openssl versions reject DH that is 'too small', eg. 512).
*/
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
#ifndef S_SPLINT_S
DH *get_dh1024()
static DH *get_dh2048(void)
{
static unsigned char dh1024_p[]={
0xB3,0x67,0x2E,0x3B,0x68,0xC5,0xDA,0x58,0x46,0xD6,0x2B,0xD3,
0x41,0x78,0x97,0xE4,0xE1,0x61,0x71,0x68,0xE6,0x0F,0x1D,0x78,
0x05,0xAA,0xF0,0xFF,0x30,0xDF,0xAC,0x49,0x7F,0xE0,0x90,0xFE,
0xB9,0x56,0x4E,0x3F,0xE2,0x98,0x8A,0xED,0xF5,0x28,0x39,0xEF,
0x2E,0xA6,0xB7,0x67,0xB2,0x43,0xE4,0x53,0xF8,0xEB,0x2C,0x1F,
0x06,0x77,0x3A,0x6F,0x62,0x98,0xC1,0x3B,0xF7,0xBA,0x4D,0x93,
0xF7,0xEB,0x5A,0xAD,0xC5,0x5F,0xF0,0xB7,0x24,0x35,0x81,0xF7,
0x7F,0x1F,0x24,0xC0,0xDF,0xD3,0xD8,0x40,0x72,0x7E,0xF3,0x19,
0x2B,0x26,0x27,0xF4,0xB6,0xB3,0xD4,0x7D,0x08,0x23,0xBE,0x68,
0x2B,0xCA,0xB4,0x46,0xA8,0x9E,0xDD,0x6C,0x3D,0x75,0xA6,0x48,
0xF7,0x44,0x43,0xBF,0x91,0xC2,0xB4,0x49,
static unsigned char dh2048_p[]={
0xE7,0x36,0x28,0x3B,0xE4,0xC3,0x32,0x1C,0x01,0xC3,0x67,0xD6,
0xF5,0xF3,0xDA,0xDC,0x71,0xC0,0x42,0x8B,0xE6,0xEB,0x8D,0x80,
0x35,0x7F,0x09,0x45,0x30,0xE5,0xB2,0x92,0x81,0x3F,0x08,0xCD,
0x36,0x5E,0x19,0x83,0x62,0xCC,0xAE,0x9B,0x81,0x66,0x24,0xEE,
0x16,0x6F,0xA9,0x9E,0xF4,0x82,0x1B,0xDD,0x46,0xC7,0x33,0x5D,
0xF4,0xCA,0xE6,0x8F,0xFC,0xD4,0xD8,0x58,0x94,0x24,0x5D,0xFF,
0x0A,0xE8,0xEF,0x3D,0xCE,0xBB,0x50,0x94,0xE0,0x5F,0xE8,0x41,
0xC3,0x35,0x30,0x37,0xD5,0xCB,0x8F,0x3D,0x95,0x15,0x1A,0x77,
0x42,0xB2,0x06,0x86,0xF6,0x09,0x66,0x0E,0x9A,0x25,0x94,0x3E,
0xD2,0x04,0x25,0x25,0x1D,0x23,0xEB,0xDC,0x4D,0x0C,0x83,0x28,
0x2E,0x15,0x81,0x2D,0xC1,0xAF,0x8D,0x36,0x64,0xE3,0x9A,0x83,
0x78,0xC2,0x8D,0xC0,0x9D,0xD9,0x3A,0x1C,0xC5,0x2B,0x50,0x68,
0x07,0xA9,0x4B,0x8C,0x07,0x57,0xD6,0x15,0x03,0x4E,0x9E,0x01,
0xF2,0x6F,0x35,0xAC,0x26,0x9C,0x92,0x68,0x61,0x13,0xFB,0x01,
0xBA,0x22,0x36,0x01,0x55,0xB6,0x62,0xD9,0xB2,0x98,0xCE,0x5D,
0x4B,0xA5,0x41,0xD6,0xE5,0x70,0x78,0x12,0x1F,0x64,0xB6,0x6F,
0xB0,0x91,0x51,0x91,0x92,0xC0,0x94,0x3A,0xD1,0x28,0x4D,0x30,
0x84,0x3E,0xE4,0xE4,0x7F,0x47,0x89,0xB1,0xB6,0x8C,0x8E,0x0E,
0x26,0xDB,0xCD,0x17,0x07,0x2A,0x21,0x7A,0xCC,0x68,0xE8,0x57,
0x94,0x9E,0x59,0x61,0xEC,0x20,0x34,0x26,0x0D,0x66,0x44,0xEB,
0x6F,0x02,0x58,0xE2,0xED,0xF6,0xF3,0x1B,0xBF,0x9E,0x45,0x52,
0x5A,0x49,0xA1,0x5B,
};
static unsigned char dh1024_g[]={
0x5F,0x37,0xB5,0x80,0x4D,0xB4,0xC4,0xB2,0x37,0x12,0xD5,0x2F,
0x56,0x81,0xB0,0xDF,0x3D,0x27,0xA2,0x54,0xE7,0x14,0x65,0x2D,
0x72,0xA8,0x97,0xE0,0xA9,0x4A,0x09,0x5E,0x89,0xBE,0x34,0x9A,
0x90,0x98,0xC1,0xE8,0xBB,0x01,0x2B,0xC2,0x74,0x74,0x90,0x59,
0x0B,0x72,0x62,0x5C,0xFD,0x49,0x63,0x4B,0x38,0x91,0xF1,0x7F,
0x13,0x25,0xEB,0x52,0x50,0x47,0xA2,0x8C,0x32,0x28,0x42,0xAC,
0xBD,0x7A,0xCC,0x58,0xBE,0x36,0xDA,0x6A,0x24,0x06,0xC7,0xF1,
0xDA,0x8D,0x8A,0x3B,0x03,0xFA,0x6F,0x25,0xE5,0x20,0xA7,0xD6,
0x6F,0x74,0x61,0x53,0x14,0x81,0x29,0x04,0xB5,0x61,0x12,0x53,
0xA3,0xD6,0x09,0x98,0x0C,0x8F,0x1C,0xBB,0xD7,0x1C,0x2C,0xEE,
0x56,0x4B,0x74,0x8F,0x4A,0xF8,0xA9,0xD5,
static unsigned char dh2048_g[]={
0x02,
};
DH *dh;
DH *dh = NULL;
BIGNUM *p = NULL, *g = NULL;
if ((dh=DH_new()) == NULL) return(NULL);
dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
if ((dh->p == NULL) || (dh->g == NULL))
{ DH_free(dh); return(NULL); }
dh->length = 160;
return(dh);
dh = DH_new();
p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
if (!dh || !p || !g)
goto err;
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
dh->p = p;
dh->g = g;
#else
if (!DH_set0_pqg(dh, p, NULL, g))
goto err;
#endif
return dh;
err:
if (p)
BN_free(p);
if (g)
BN_free(g);
if (dh)
DH_free(dh);
return NULL;
}
#endif /* SPLINT */
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
struct daemon_remote*
daemon_remote_create(struct config_file* cfg)
@ -220,21 +242,53 @@ daemon_remote_create(struct config_file* cfg)
daemon_remote_delete(rc);
return NULL;
}
#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
/* if we have tls 1.1 disable 1.0 */
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
!= SSL_OP_NO_TLSv1){
log_crypto_err("could not set SSL_OP_NO_TLSv1");
daemon_remote_delete(rc);
return NULL;
}
#endif
#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
/* if we have tls 1.2 disable 1.1 */
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
!= SSL_OP_NO_TLSv1_1){
log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
daemon_remote_delete(rc);
return NULL;
}
#endif
#ifdef SHA256_DIGEST_LENGTH
/* if we have sha256, set the cipher list to have no known vulns */
if(!SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
log_crypto_err("coult not set cipher list with SSL_CTX_set_cipher_list");
#endif
if (cfg->remote_control_use_cert == 0) {
/* No certificates are requested */
if(!SSL_CTX_set_cipher_list(rc->ctx, "aNULL")) {
#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
SSL_CTX_set_security_level(rc->ctx, 0);
#endif
if(!SSL_CTX_set_cipher_list(rc->ctx, "aNULL, eNULL")) {
log_crypto_err("Failed to set aNULL cipher list");
daemon_remote_delete(rc);
return NULL;
}
/* in openssl 1.1, the securitylevel 0 allows eNULL, that
* does not need the DH */
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
/* Since we have no certificates and hence no source of
* DH params, let's generate and set them
*/
if(!SSL_CTX_set_tmp_dh(rc->ctx,get_dh1024())) {
if(!SSL_CTX_set_tmp_dh(rc->ctx,get_dh2048())) {
log_crypto_err("Wanted to set DH param, but failed");
daemon_remote_delete(rc);
return NULL;
}
#endif
return rc;
}
rc->use_cert = 1;
@ -350,7 +404,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
if(ip[0] == '/') {
/* This looks like a local socket */
fd = create_local_accept_sock(ip, &noproto);
fd = create_local_accept_sock(ip, &noproto, cfg->use_systemd);
/*
* Change socket ownership and permissions so users other
* than root can access it provided they are in the same
@ -359,8 +413,12 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
if(fd != -1) {
#ifdef HAVE_CHOWN
if (cfg->username && cfg->username[0] &&
cfg_uid != (uid_t)-1)
chown(ip, cfg_uid, cfg_gid);
cfg_uid != (uid_t)-1) {
if(chown(ip, cfg_uid, cfg_gid) == -1)
log_err("cannot chown %u.%u %s: %s",
(unsigned)cfg_uid, (unsigned)cfg_gid,
ip, strerror(errno));
}
chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
#else
(void)cfg;
@ -389,7 +447,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
/* open fd */
fd = create_tcp_accept_sock(res, 1, &noproto, 0,
cfg->ip_transparent);
cfg->ip_transparent, 0, cfg->ip_freebind, cfg->use_systemd);
freeaddrinfo(res);
}
@ -727,6 +785,8 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
struct timeval avg;
if(!ssl_printf(ssl, "%s.num.queries"SQ"%lu\n", nm,
(unsigned long)s->svr.num_queries)) return 0;
if(!ssl_printf(ssl, "%s.num.queries_ip_ratelimited"SQ"%lu\n", nm,
(unsigned long)s->svr.num_queries_ip_ratelimited)) return 0;
if(!ssl_printf(ssl, "%s.num.cachehits"SQ"%lu\n", nm,
(unsigned long)(s->svr.num_queries
- s->svr.num_queries_missed_cache))) return 0;
@ -734,8 +794,20 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
(unsigned long)s->svr.num_queries_missed_cache)) return 0;
if(!ssl_printf(ssl, "%s.num.prefetch"SQ"%lu\n", nm,
(unsigned long)s->svr.num_queries_prefetch)) return 0;
if(!ssl_printf(ssl, "%s.num.zero_ttl"SQ"%lu\n", nm,
(unsigned long)s->svr.zero_ttl_responses)) return 0;
if(!ssl_printf(ssl, "%s.num.recursivereplies"SQ"%lu\n", nm,
(unsigned long)s->mesh_replies_sent)) return 0;
#ifdef USE_DNSCRYPT
if(!ssl_printf(ssl, "%s.num.dnscrypt.crypted"SQ"%lu\n", nm,
(unsigned long)s->svr.num_query_dnscrypt_crypted)) return 0;
if(!ssl_printf(ssl, "%s.num.dnscrypt.cert"SQ"%lu\n", nm,
(unsigned long)s->svr.num_query_dnscrypt_cert)) return 0;
if(!ssl_printf(ssl, "%s.num.dnscrypt.cleartext"SQ"%lu\n", nm,
(unsigned long)s->svr.num_query_dnscrypt_cleartext)) return 0;
if(!ssl_printf(ssl, "%s.num.dnscrypt.malformed"SQ"%lu\n", nm,
(unsigned long)s->svr.num_query_dnscrypt_crypted_malformed)) return 0;
#endif
if(!ssl_printf(ssl, "%s.requestlist.avg"SQ"%g\n", nm,
(s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
(double)s->svr.sum_query_list_size/
@ -791,17 +863,15 @@ static int
print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
{
int m;
size_t msg, rrset, val, iter;
#ifdef HAVE_SBRK
extern void* unbound_start_brk;
void* cur = sbrk(0);
if(!print_longnum(ssl, "mem.total.sbrk"SQ,
(size_t)((char*)cur - (char*)unbound_start_brk))) return 0;
#endif /* HAVE_SBRK */
size_t msg, rrset, val, iter, respip;
#ifdef CLIENT_SUBNET
size_t subnet = 0;
#endif /* CLIENT_SUBNET */
msg = slabhash_get_mem(daemon->env->msg_cache);
rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
val=0;
iter=0;
respip=0;
m = modstack_find(&worker->env.mesh->mods, "validator");
if(m != -1) {
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
@ -816,6 +886,22 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
iter = (*worker->env.mesh->mods.mod[m]->get_mem)
(&worker->env, m);
}
m = modstack_find(&worker->env.mesh->mods, "respip");
if(m != -1) {
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
mods.mod[m]->get_mem));
respip = (*worker->env.mesh->mods.mod[m]->get_mem)
(&worker->env, m);
}
#ifdef CLIENT_SUBNET
m = modstack_find(&worker->env.mesh->mods, "subnet");
if(m != -1) {
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
mods.mod[m]->get_mem));
subnet = (*worker->env.mesh->mods.mod[m]->get_mem)
(&worker->env, m);
}
#endif /* CLIENT_SUBNET */
if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset))
return 0;
@ -825,6 +911,12 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
return 0;
if(!print_longnum(ssl, "mem.mod.validator"SQ, val))
return 0;
if(!print_longnum(ssl, "mem.mod.respip"SQ, respip))
return 0;
#ifdef CLIENT_SUBNET
if(!print_longnum(ssl, "mem.mod.subnet"SQ, subnet))
return 0;
#endif /* CLIENT_SUBNET */
return 1;
}
@ -1097,8 +1189,8 @@ find_arg2(SSL* ssl, char* arg, char** arg2)
}
/** Add a new zone */
static void
do_zone_add(SSL* ssl, struct worker* worker, char* arg)
static int
perform_zone_add(SSL* ssl, struct local_zones* zones, char* arg)
{
uint8_t* nm;
int nmlabs;
@ -1107,83 +1199,290 @@ do_zone_add(SSL* ssl, struct worker* worker, char* arg)
enum localzone_type t;
struct local_zone* z;
if(!find_arg2(ssl, arg, &arg2))
return;
return 0;
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
return;
return 0;
if(!local_zone_str2type(arg2, &t)) {
ssl_printf(ssl, "error not a zone type. %s\n", arg2);
free(nm);
return;
return 0;
}
lock_rw_wrlock(&worker->daemon->local_zones->lock);
if((z=local_zones_find(worker->daemon->local_zones, nm, nmlen,
lock_rw_wrlock(&zones->lock);
if((z=local_zones_find(zones, nm, nmlen,
nmlabs, LDNS_RR_CLASS_IN))) {
/* already present in tree */
lock_rw_wrlock(&z->lock);
z->type = t; /* update type anyway */
lock_rw_unlock(&z->lock);
free(nm);
lock_rw_unlock(&worker->daemon->local_zones->lock);
send_ok(ssl);
return;
lock_rw_unlock(&zones->lock);
return 1;
}
if(!local_zones_add_zone(worker->daemon->local_zones, nm, nmlen,
if(!local_zones_add_zone(zones, nm, nmlen,
nmlabs, LDNS_RR_CLASS_IN, t)) {
lock_rw_unlock(&worker->daemon->local_zones->lock);
lock_rw_unlock(&zones->lock);
ssl_printf(ssl, "error out of memory\n");
return;
return 0;
}
lock_rw_unlock(&worker->daemon->local_zones->lock);
lock_rw_unlock(&zones->lock);
return 1;
}
/** Do the local_zone command */
static void
do_zone_add(SSL* ssl, struct local_zones* zones, char* arg)
{
if(!perform_zone_add(ssl, zones, arg))
return;
send_ok(ssl);
}
/** Remove a zone */
/** Do the local_zones command */
static void
do_zone_remove(SSL* ssl, struct worker* worker, char* arg)
do_zones_add(SSL* ssl, struct local_zones* zones)
{
char buf[2048];
int num = 0;
while(ssl_read_line(ssl, buf, sizeof(buf))) {
if(buf[0] == 0x04 && buf[1] == 0)
break; /* end of transmission */
if(!perform_zone_add(ssl, zones, buf)) {
if(!ssl_printf(ssl, "error for input line: %s\n", buf))
return;
}
else
num++;
}
(void)ssl_printf(ssl, "added %d zones\n", num);
}
/** Remove a zone */
static int
perform_zone_remove(SSL* ssl, struct local_zones* zones, char* arg)
{
uint8_t* nm;
int nmlabs;
size_t nmlen;
struct local_zone* z;
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
return;
lock_rw_wrlock(&worker->daemon->local_zones->lock);
if((z=local_zones_find(worker->daemon->local_zones, nm, nmlen,
return 0;
lock_rw_wrlock(&zones->lock);
if((z=local_zones_find(zones, nm, nmlen,
nmlabs, LDNS_RR_CLASS_IN))) {
/* present in tree */
local_zones_del_zone(worker->daemon->local_zones, z);
local_zones_del_zone(zones, z);
}
lock_rw_unlock(&worker->daemon->local_zones->lock);
lock_rw_unlock(&zones->lock);
free(nm);
return 1;
}
/** Do the local_zone_remove command */
static void
do_zone_remove(SSL* ssl, struct local_zones* zones, char* arg)
{
if(!perform_zone_remove(ssl, zones, arg))
return;
send_ok(ssl);
}
/** Do the local_zones_remove command */
static void
do_zones_remove(SSL* ssl, struct local_zones* zones)
{
char buf[2048];
int num = 0;
while(ssl_read_line(ssl, buf, sizeof(buf))) {
if(buf[0] == 0x04 && buf[1] == 0)
break; /* end of transmission */
if(!perform_zone_remove(ssl, zones, buf)) {
if(!ssl_printf(ssl, "error for input line: %s\n", buf))
return;
}
else
num++;
}
(void)ssl_printf(ssl, "removed %d zones\n", num);
}
/** Add new RR data */
static void
do_data_add(SSL* ssl, struct worker* worker, char* arg)
static int
perform_data_add(SSL* ssl, struct local_zones* zones, char* arg)
{
if(!local_zones_add_RR(worker->daemon->local_zones, arg)) {
if(!local_zones_add_RR(zones, arg)) {
ssl_printf(ssl,"error in syntax or out of memory, %s\n", arg);
return;
return 0;
}
return 1;
}
/** Do the local_data command */
static void
do_data_add(SSL* ssl, struct local_zones* zones, char* arg)
{
if(!perform_data_add(ssl, zones, arg))
return;
send_ok(ssl);
}
/** Remove RR data */
/** Do the local_datas command */
static void
do_data_remove(SSL* ssl, struct worker* worker, char* arg)
do_datas_add(SSL* ssl, struct local_zones* zones)
{
char buf[2048];
int num = 0;
while(ssl_read_line(ssl, buf, sizeof(buf))) {
if(buf[0] == 0x04 && buf[1] == 0)
break; /* end of transmission */
if(!perform_data_add(ssl, zones, buf)) {
if(!ssl_printf(ssl, "error for input line: %s\n", buf))
return;
}
else
num++;
}
(void)ssl_printf(ssl, "added %d datas\n", num);
}
/** Remove RR data */
static int
perform_data_remove(SSL* ssl, struct local_zones* zones, char* arg)
{
uint8_t* nm;
int nmlabs;
size_t nmlen;
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
return;
local_zones_del_data(worker->daemon->local_zones, nm,
return 0;
local_zones_del_data(zones, nm,
nmlen, nmlabs, LDNS_RR_CLASS_IN);
free(nm);
return 1;
}
/** Do the local_data_remove command */
static void
do_data_remove(SSL* ssl, struct local_zones* zones, char* arg)
{
if(!perform_data_remove(ssl, zones, arg))
return;
send_ok(ssl);
}
/** Do the local_datas_remove command */
static void
do_datas_remove(SSL* ssl, struct local_zones* zones)
{
char buf[2048];
int num = 0;
while(ssl_read_line(ssl, buf, sizeof(buf))) {
if(buf[0] == 0x04 && buf[1] == 0)
break; /* end of transmission */
if(!perform_data_remove(ssl, zones, buf)) {
if(!ssl_printf(ssl, "error for input line: %s\n", buf))
return;
}
else
num++;
}
(void)ssl_printf(ssl, "removed %d datas\n", num);
}
/** Add a new zone to view */
static void
do_view_zone_add(SSL* ssl, struct worker* worker, char* arg)
{
char* arg2;
struct view* v;
if(!find_arg2(ssl, arg, &arg2))
return;
v = views_find_view(worker->daemon->views,
arg, 1 /* get write lock*/);
if(!v) {
ssl_printf(ssl,"no view with name: %s\n", arg);
return;
}
if(!v->local_zones) {
if(!(v->local_zones = local_zones_create())){
lock_rw_unlock(&v->lock);
ssl_printf(ssl,"error out of memory\n");
return;
}
}
do_zone_add(ssl, v->local_zones, arg2);
lock_rw_unlock(&v->lock);
}
/** Remove a zone from view */
static void
do_view_zone_remove(SSL* ssl, struct worker* worker, char* arg)
{
char* arg2;
struct view* v;
if(!find_arg2(ssl, arg, &arg2))
return;
v = views_find_view(worker->daemon->views,
arg, 1 /* get write lock*/);
if(!v) {
ssl_printf(ssl,"no view with name: %s\n", arg);
return;
}
if(!v->local_zones) {
lock_rw_unlock(&v->lock);
send_ok(ssl);
return;
}
do_zone_remove(ssl, v->local_zones, arg2);
lock_rw_unlock(&v->lock);
}
/** Add new RR data to view */
static void
do_view_data_add(SSL* ssl, struct worker* worker, char* arg)
{
char* arg2;
struct view* v;
if(!find_arg2(ssl, arg, &arg2))
return;
v = views_find_view(worker->daemon->views,
arg, 1 /* get write lock*/);
if(!v) {
ssl_printf(ssl,"no view with name: %s\n", arg);
return;
}
if(!v->local_zones) {
if(!(v->local_zones = local_zones_create())){
lock_rw_unlock(&v->lock);
ssl_printf(ssl,"error out of memory\n");
return;
}
}
do_data_add(ssl, v->local_zones, arg2);
lock_rw_unlock(&v->lock);
}
/** Remove RR data from view */
static void
do_view_data_remove(SSL* ssl, struct worker* worker, char* arg)
{
char* arg2;
struct view* v;
if(!find_arg2(ssl, arg, &arg2))
return;
v = views_find_view(worker->daemon->views,
arg, 1 /* get write lock*/);
if(!v) {
ssl_printf(ssl,"no view with name: %s\n", arg);
return;
}
if(!v->local_zones) {
lock_rw_unlock(&v->lock);
send_ok(ssl);
return;
}
do_data_remove(ssl, v->local_zones, arg2);
lock_rw_unlock(&v->lock);
}
/** cache lookup of nameservers */
static void
do_lookup(SSL* ssl, struct worker* worker, char* arg)
@ -1202,7 +1501,7 @@ static void
do_cache_remove(struct worker* worker, uint8_t* nm, size_t nmlen,
uint16_t t, uint16_t c)
{
hashvalue_t h;
hashvalue_type h;
struct query_info k;
rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c, 0);
if(t == LDNS_RR_TYPE_SOA)
@ -1212,6 +1511,7 @@ do_cache_remove(struct worker* worker, uint8_t* nm, size_t nmlen,
k.qname_len = nmlen;
k.qtype = t;
k.qclass = c;
k.local_alias = NULL;
h = query_info_hash(&k, 0);
slabhash_remove(worker->env.msg_cache, h, &k);
if(t == LDNS_RR_TYPE_AAAA) {
@ -2157,6 +2457,14 @@ do_set_option(SSL* ssl, struct worker* worker, char* arg)
(void)ssl_printf(ssl, "error setting option\n");
return;
}
/* effectuate some arguments */
if(strcmp(arg, "val-override-date:") == 0) {
int m = modstack_find(&worker->env.mesh->mods, "validator");
struct val_env* val_env = NULL;
if(m != -1) val_env = (struct val_env*)worker->env.modinfo[m];
if(val_env)
val_env->date_override = worker->env.cfg->val_date_override;
}
send_ok(ssl);
}
@ -2237,9 +2545,8 @@ do_list_stubs(SSL* ssl, struct worker* worker)
/** do the list_local_zones command */
static void
do_list_local_zones(SSL* ssl, struct worker* worker)
do_list_local_zones(SSL* ssl, struct local_zones* zones)
{
struct local_zones* zones = worker->daemon->local_zones;
struct local_zone* z;
char buf[257];
lock_rw_rdlock(&zones->lock);
@ -2260,9 +2567,8 @@ do_list_local_zones(SSL* ssl, struct worker* worker)
/** do the list_local_data command */
static void
do_list_local_data(SSL* ssl, struct worker* worker)
do_list_local_data(SSL* ssl, struct worker* worker, struct local_zones* zones)
{
struct local_zones* zones = worker->daemon->local_zones;
struct local_zone* z;
struct local_data* d;
struct local_rrset* p;
@ -2298,6 +2604,38 @@ do_list_local_data(SSL* ssl, struct worker* worker)
lock_rw_unlock(&zones->lock);
}
/** do the view_list_local_zones command */
static void
do_view_list_local_zones(SSL* ssl, struct worker* worker, char* arg)
{
struct view* v = views_find_view(worker->daemon->views,
arg, 0 /* get read lock*/);
if(!v) {
ssl_printf(ssl,"no view with name: %s\n", arg);
return;
}
if(v->local_zones) {
do_list_local_zones(ssl, v->local_zones);
}
lock_rw_unlock(&v->lock);
}
/** do the view_list_local_data command */
static void
do_view_list_local_data(SSL* ssl, struct worker* worker, char* arg)
{
struct view* v = views_find_view(worker->daemon->views,
arg, 0 /* get read lock*/);
if(!v) {
ssl_printf(ssl,"no view with name: %s\n", arg);
return;
}
if(v->local_zones) {
do_list_local_data(ssl, worker, v->local_zones);
}
lock_rw_unlock(&v->lock);
}
/** struct for user arg ratelimit list */
struct ratelimit_list_arg {
/** the infra cache */
@ -2310,6 +2648,8 @@ struct ratelimit_list_arg {
time_t now;
};
#define ip_ratelimit_list_arg ratelimit_list_arg
/** list items in the ratelimit table */
static void
rate_list(struct lruhash_entry* e, void* arg)
@ -2328,6 +2668,24 @@ rate_list(struct lruhash_entry* e, void* arg)
ssl_printf(a->ssl, "%s %d limit %d\n", buf, max, lim);
}
/** list items in the ip_ratelimit table */
static void
ip_rate_list(struct lruhash_entry* e, void* arg)
{
char ip[128];
struct ip_ratelimit_list_arg* a = (struct ip_ratelimit_list_arg*)arg;
struct ip_rate_key* k = (struct ip_rate_key*)e->key;
struct ip_rate_data* d = (struct ip_rate_data*)e->data;
int lim = infra_ip_ratelimit;
int max = infra_rate_max(d, a->now);
if(a->all == 0) {
if(max < lim)
return;
}
addr_to_str(&k->addr, k->addrlen, ip, sizeof(ip));
ssl_printf(a->ssl, "%s %d limit %d\n", ip, max, lim);
}
/** do the ratelimit_list command */
static void
do_ratelimit_list(SSL* ssl, struct worker* worker, char* arg)
@ -2346,6 +2704,24 @@ do_ratelimit_list(SSL* ssl, struct worker* worker, char* arg)
slabhash_traverse(a.infra->domain_rates, 0, rate_list, &a);
}
/** do the ip_ratelimit_list command */
static void
do_ip_ratelimit_list(SSL* ssl, struct worker* worker, char* arg)
{
struct ip_ratelimit_list_arg a;
a.all = 0;
a.infra = worker->env.infra_cache;
a.now = *worker->env.now;
a.ssl = ssl;
arg = skipwhite(arg);
if(strcmp(arg, "+a") == 0)
a.all = 1;
if(a.infra->client_ip_rates==NULL ||
(a.all == 0 && infra_ip_ratelimit == 0))
return;
slabhash_traverse(a.infra->client_ip_rates, 0, ip_rate_list, &a);
}
/** tell other processes to execute the command */
static void
distribute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd)
@ -2410,14 +2786,23 @@ execute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd,
do_insecure_list(ssl, worker);
return;
} else if(cmdcmp(p, "list_local_zones", 16)) {
do_list_local_zones(ssl, worker);
do_list_local_zones(ssl, worker->daemon->local_zones);
return;
} else if(cmdcmp(p, "list_local_data", 15)) {
do_list_local_data(ssl, worker);
do_list_local_data(ssl, worker, worker->daemon->local_zones);
return;
} else if(cmdcmp(p, "view_list_local_zones", 21)) {
do_view_list_local_zones(ssl, worker, skipwhite(p+21));
return;
} else if(cmdcmp(p, "view_list_local_data", 20)) {
do_view_list_local_data(ssl, worker, skipwhite(p+20));
return;
} else if(cmdcmp(p, "ratelimit_list", 14)) {
do_ratelimit_list(ssl, worker, p+14);
return;
} else if(cmdcmp(p, "ip_ratelimit_list", 17)) {
do_ip_ratelimit_list(ssl, worker, p+17);
return;
} else if(cmdcmp(p, "stub_add", 8)) {
/* must always distribute this cmd */
if(rc) distribute_cmd(rc, ssl, cmd);
@ -2479,13 +2864,29 @@ execute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd,
if(cmdcmp(p, "verbosity", 9)) {
do_verbosity(ssl, skipwhite(p+9));
} else if(cmdcmp(p, "local_zone_remove", 17)) {
do_zone_remove(ssl, worker, skipwhite(p+17));
do_zone_remove(ssl, worker->daemon->local_zones, skipwhite(p+17));
} else if(cmdcmp(p, "local_zones_remove", 18)) {
do_zones_remove(ssl, worker->daemon->local_zones);
} else if(cmdcmp(p, "local_zone", 10)) {
do_zone_add(ssl, worker, skipwhite(p+10));
do_zone_add(ssl, worker->daemon->local_zones, skipwhite(p+10));
} else if(cmdcmp(p, "local_zones", 11)) {
do_zones_add(ssl, worker->daemon->local_zones);
} else if(cmdcmp(p, "local_data_remove", 17)) {
do_data_remove(ssl, worker, skipwhite(p+17));
do_data_remove(ssl, worker->daemon->local_zones, skipwhite(p+17));
} else if(cmdcmp(p, "local_datas_remove", 18)) {
do_datas_remove(ssl, worker->daemon->local_zones);
} else if(cmdcmp(p, "local_data", 10)) {
do_data_add(ssl, worker, skipwhite(p+10));
do_data_add(ssl, worker->daemon->local_zones, skipwhite(p+10));
} else if(cmdcmp(p, "local_datas", 11)) {
do_datas_add(ssl, worker->daemon->local_zones);
} else if(cmdcmp(p, "view_local_zone_remove", 22)) {
do_view_zone_remove(ssl, worker, skipwhite(p+22));
} else if(cmdcmp(p, "view_local_zone", 15)) {
do_view_zone_add(ssl, worker, skipwhite(p+15));
} else if(cmdcmp(p, "view_local_data_remove", 22)) {
do_view_data_remove(ssl, worker, skipwhite(p+22));
} else if(cmdcmp(p, "view_local_data", 15)) {
do_view_data_add(ssl, worker, skipwhite(p+15));
} else if(cmdcmp(p, "flush_zone", 10)) {
do_flush_zone(ssl, worker, skipwhite(p+10));
} else if(cmdcmp(p, "flush_type", 10)) {

View file

@ -56,8 +56,8 @@ struct comm_reply;
struct comm_point;
struct daemon_remote;
/** number of seconds timeout on incoming remote control handshake */
#define REMOTE_CONTROL_TCP_TIMEOUT 120
/** number of milliseconds timeout on incoming remote control handshake */
#define REMOTE_CONTROL_TCP_TIMEOUT 120000
/**
* a busy control command connection, SSL state

View file

@ -102,12 +102,14 @@ void server_stats_log(struct server_stats* stats, struct worker* worker,
int threadnum)
{
log_info("server stats for thread %d: %u queries, "
"%u answers from cache, %u recursions, %u prefetch",
"%u answers from cache, %u recursions, %u prefetch, %u rejected by "
"ip ratelimiting",
threadnum, (unsigned)stats->num_queries,
(unsigned)(stats->num_queries -
stats->num_queries_missed_cache),
(unsigned)stats->num_queries_missed_cache,
(unsigned)stats->num_queries_prefetch);
(unsigned)stats->num_queries_prefetch,
(unsigned)stats->num_queries_ip_ratelimited);
log_info("server stats for thread %d: requestlist max %u avg %g "
"exceeded %u jostled %u", threadnum,
(unsigned)stats->max_query_list_size,
@ -226,9 +228,18 @@ void server_stats_reply(struct worker* worker, int reset)
void server_stats_add(struct stats_info* total, struct stats_info* a)
{
total->svr.num_queries += a->svr.num_queries;
total->svr.num_queries_ip_ratelimited += a->svr.num_queries_ip_ratelimited;
total->svr.num_queries_missed_cache += a->svr.num_queries_missed_cache;
total->svr.num_queries_prefetch += a->svr.num_queries_prefetch;
total->svr.sum_query_list_size += a->svr.sum_query_list_size;
#ifdef USE_DNSCRYPT
total->svr.num_query_dnscrypt_crypted += a->svr.num_query_dnscrypt_crypted;
total->svr.num_query_dnscrypt_cert += a->svr.num_query_dnscrypt_cert;
total->svr.num_query_dnscrypt_cleartext += \
a->svr.num_query_dnscrypt_cleartext;
total->svr.num_query_dnscrypt_crypted_malformed += \
a->svr.num_query_dnscrypt_crypted_malformed;
#endif
/* the max size reached is upped to higher of both */
if(a->svr.max_query_list_size > total->svr.max_query_list_size)
total->svr.max_query_list_size = a->svr.max_query_list_size;
@ -251,6 +262,7 @@ void server_stats_add(struct stats_info* total, struct stats_info* a)
total->svr.qEDNS += a->svr.qEDNS;
total->svr.qEDNS_DO += a->svr.qEDNS_DO;
total->svr.ans_rcode_nodata += a->svr.ans_rcode_nodata;
total->svr.zero_ttl_responses += a->svr.zero_ttl_responses;
total->svr.ans_secure += a->svr.ans_secure;
total->svr.ans_bogus += a->svr.ans_bogus;
total->svr.rrset_bogus += a->svr.rrset_bogus;

View file

@ -43,6 +43,7 @@
#ifndef DAEMON_STATS_H
#define DAEMON_STATS_H
#include "util/timehist.h"
#include "dnscrypt/dnscrypt_config.h"
struct worker;
struct config_file;
struct comm_point;
@ -63,6 +64,8 @@ struct sldns_buffer;
struct server_stats {
/** number of queries from clients received. */
size_t num_queries;
/** number of queries that have been dropped/ratelimited by ip. */
size_t num_queries_ip_ratelimited;
/** number of queries that had a cache-miss. */
size_t num_queries_missed_cache;
/** number of prefetch queries - cachehits with prefetch */
@ -131,7 +134,8 @@ struct server_stats {
size_t unwanted_queries;
/** usage of tcp accept list */
size_t tcp_accept_usage;
/** answers served from expired cache */
size_t zero_ttl_responses;
/** histogram data exported to array
* if the array is the same size, no data is lost, and
* if all histograms are same size (is so by default) then
@ -146,6 +150,16 @@ struct server_stats {
size_t infra_cache_count;
/** number of key cache entries */
size_t key_cache_count;
#ifdef USE_DNSCRYPT
/** number of queries that used dnscrypt */
size_t num_query_dnscrypt_crypted;
/** number of queries that queried dnscrypt certificates */
size_t num_query_dnscrypt_cert;
/** number of queries in clear text and not asking for the certificates */
size_t num_query_dnscrypt_cleartext;
/** number of malformed encrypted queries */
size_t num_query_dnscrypt_crypted_malformed;
#endif
};
/**

View file

@ -57,6 +57,7 @@
#include "util/data/msgreply.h"
#include "util/module.h"
#include "util/net_help.h"
#include "util/ub_event.h"
#include <signal.h>
#include <fcntl.h>
#include <openssl/crypto.h>
@ -77,22 +78,6 @@
#include <login_cap.h>
#endif
#ifdef USE_MINI_EVENT
# ifdef USE_WINSOCK
# include "util/winsock_event.h"
# else
# include "util/mini_event.h"
# endif
#else
# ifdef HAVE_EVENT_H
# include <event.h>
# else
# include "event2/event.h"
# include "event2/event_struct.h"
# include "event2/event_compat.h"
# endif
#endif
#ifdef UB_ON_WINDOWS
# include "winrc/win_svc.h"
#endif
@ -102,64 +87,14 @@
# include "nss.h"
#endif
#ifdef HAVE_SBRK
/** global debug value to keep track of heap memory allocation */
void* unbound_start_brk = 0;
#endif
#if !defined(HAVE_EVENT_BASE_GET_METHOD) && (defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP))
static const char* ev_backend2str(int b)
{
switch(b) {
case EVBACKEND_SELECT: return "select";
case EVBACKEND_POLL: return "poll";
case EVBACKEND_EPOLL: return "epoll";
case EVBACKEND_KQUEUE: return "kqueue";
case EVBACKEND_DEVPOLL: return "devpoll";
case EVBACKEND_PORT: return "evport";
}
return "unknown";
}
#endif
/** get the event system in use */
static void get_event_sys(const char** n, const char** s, const char** m)
{
#ifdef USE_WINSOCK
*n = "event";
*s = "winsock";
*m = "WSAWaitForMultipleEvents";
#elif defined(USE_MINI_EVENT)
*n = "mini-event";
*s = "internal";
*m = "select";
#else
struct event_base* b;
*s = event_get_version();
# ifdef HAVE_EVENT_BASE_GET_METHOD
*n = "libevent";
b = event_base_new();
*m = event_base_get_method(b);
# elif defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)
*n = "libev";
b = (struct event_base*)ev_default_loop(EVFLAG_AUTO);
*m = ev_backend2str(ev_backend((struct ev_loop*)b));
# else
*n = "unknown";
*m = "not obtainable";
b = NULL;
# endif
# ifdef HAVE_EVENT_BASE_FREE
event_base_free(b);
# endif
#endif
}
/** print usage. */
static void usage()
static void usage(void)
{
const char** m;
const char *evnm="event", *evsys="", *evmethod="";
time_t t;
struct timeval now;
struct ub_event_base* base;
printf("usage: unbound [options]\n");
printf(" start unbound daemon DNS resolver.\n");
printf("-h this help\n");
@ -173,11 +108,16 @@ static void usage()
printf(" service - used to start from services control panel\n");
#endif
printf("Version %s\n", PACKAGE_VERSION);
get_event_sys(&evnm, &evsys, &evmethod);
base = ub_default_event_base(0,&t,&now);
ub_get_event_sys(base, &evnm, &evsys, &evmethod);
printf("linked libs: %s %s (it uses %s), %s\n",
evnm, evsys, evmethod,
#ifdef HAVE_SSL
# ifdef SSLEAY_VERSION
SSLeay_version(SSLEAY_VERSION)
# else
OpenSSL_version(OPENSSL_VERSION)
# endif
#elif defined(HAVE_NSS)
NSS_GetVersion()
#elif defined(HAVE_NETTLE)
@ -190,6 +130,7 @@ static void usage()
printf("\n");
printf("BSD licensed, see LICENSE in source package for details.\n");
printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
ub_event_base_free(base);
}
#ifndef unbound_testbound
@ -230,7 +171,7 @@ checkrlimits(struct config_file* cfg)
struct rlimit rlim;
if(total > 1024 &&
strncmp(event_get_version(), "mini-event", 10) == 0) {
strncmp(ub_event_get_version(), "mini-event", 10) == 0) {
log_warn("too many file descriptors requested. The builtin"
"mini-event cannot handle more than 1024. Config "
"for less fds or compile with libevent");
@ -244,7 +185,7 @@ checkrlimits(struct config_file* cfg)
total = 1024;
}
if(perthread > 64 &&
strncmp(event_get_version(), "winsock-event", 13) == 0) {
strncmp(ub_event_get_version(), "winsock-event", 13) == 0) {
log_err("too many file descriptors requested. The winsock"
" event handler cannot handle more than 64 per "
" thread. Config for less fds");
@ -298,19 +239,37 @@ checkrlimits(struct config_file* cfg)
#endif /* S_SPLINT_S */
}
/** set default logfile identity based on value from argv[0] at startup **/
static void
log_ident_set_fromdefault(struct config_file* cfg,
const char *log_default_identity)
{
if(cfg->log_identity == NULL || cfg->log_identity[0] == 0)
log_ident_set(log_default_identity);
else
log_ident_set(cfg->log_identity);
}
/** set verbosity, check rlimits, cache settings */
static void
apply_settings(struct daemon* daemon, struct config_file* cfg,
int cmdline_verbose, int debug_mode)
int cmdline_verbose, int debug_mode, const char* log_default_identity)
{
/* apply if they have changed */
verbosity = cmdline_verbose + cfg->verbosity;
if (debug_mode > 1) {
cfg->use_syslog = 0;
free(cfg->logfile);
cfg->logfile = NULL;
}
daemon_apply_cfg(daemon, cfg);
checkrlimits(cfg);
if (cfg->use_systemd && cfg->do_daemonize) {
log_warn("use-systemd and do-daemonize should not be enabled at the same time");
}
log_ident_set_fromdefault(cfg, log_default_identity);
}
#ifdef HAVE_KILL
@ -443,6 +402,9 @@ static void
perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
const char** cfgfile)
{
#ifdef HAVE_KILL
int pidinchroot;
#endif
#ifdef HAVE_GETPWNAM
struct passwd *pwd = NULL;
@ -481,6 +443,12 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
#endif
#ifdef HAVE_KILL
/* true if pidfile is inside chrootdir, or nochroot */
pidinchroot = !(cfg->chrootdir && cfg->chrootdir[0]) ||
(cfg->chrootdir && cfg->chrootdir[0] &&
strncmp(cfg->pidfile, cfg->chrootdir,
strlen(cfg->chrootdir))==0);
/* check old pid file before forking */
if(cfg->pidfile && cfg->pidfile[0]) {
/* calculate position of pidfile */
@ -490,12 +458,7 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
cfg, 1);
if(!daemon->pidfile)
fatal_exit("pidfile alloc: out of memory");
checkoldpid(daemon->pidfile,
/* true if pidfile is inside chrootdir, or nochroot */
!(cfg->chrootdir && cfg->chrootdir[0]) ||
(cfg->chrootdir && cfg->chrootdir[0] &&
strncmp(daemon->pidfile, cfg->chrootdir,
strlen(cfg->chrootdir))==0));
checkoldpid(daemon->pidfile, pidinchroot);
}
#endif
@ -508,10 +471,11 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
#ifdef HAVE_KILL
if(cfg->pidfile && cfg->pidfile[0]) {
writepid(daemon->pidfile, getpid());
if(cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1) {
if(cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1 &&
pidinchroot) {
# ifdef HAVE_CHOWN
if(chown(daemon->pidfile, cfg_uid, cfg_gid) == -1) {
log_err("cannot chown %u.%u %s: %s",
verbose(VERB_QUERY, "cannot chown %u.%u %s: %s",
(unsigned)cfg_uid, (unsigned)cfg_gid,
daemon->pidfile, strerror(errno));
}
@ -597,7 +561,9 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
log_warn("unable to initgroups %s: %s",
cfg->username, strerror(errno));
# endif /* HAVE_INITGROUPS */
# ifdef HAVE_ENDPWENT
endpwent();
# endif
#ifdef HAVE_SETRESGID
if(setresgid(cfg_gid,cfg_gid,cfg_gid) != 0)
@ -633,9 +599,10 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
* @param cmdline_verbose: verbosity resulting from commandline -v.
* These increase verbosity as specified in the config file.
* @param debug_mode: if set, do not daemonize.
* @param log_default_identity: Default identity to report in logs
*/
static void
run_daemon(const char* cfgfile, int cmdline_verbose, int debug_mode)
run_daemon(const char* cfgfile, int cmdline_verbose, int debug_mode, const char* log_default_identity)
{
struct config_file* cfg = NULL;
struct daemon* daemon = NULL;
@ -657,7 +624,7 @@ run_daemon(const char* cfgfile, int cmdline_verbose, int debug_mode)
cfgfile);
log_warn("Continuing with default config settings");
}
apply_settings(daemon, cfg, cmdline_verbose, debug_mode);
apply_settings(daemon, cfg, cmdline_verbose, debug_mode, log_default_identity);
if(!done_setup)
config_lookup_uid(cfg);
@ -712,19 +679,16 @@ main(int argc, char* argv[])
int c;
const char* cfgfile = CONFIGFILE;
const char* winopt = NULL;
const char* log_ident_default;
int cmdline_verbose = 0;
int debug_mode = 0;
#ifdef UB_ON_WINDOWS
int cmdline_cfg = 0;
#endif
#ifdef HAVE_SBRK
/* take debug snapshot of heap */
unbound_start_brk = sbrk(0);
#endif
log_init(NULL, 0, NULL);
log_ident_set(strrchr(argv[0],'/')?strrchr(argv[0],'/')+1:argv[0]);
log_ident_default = strrchr(argv[0],'/')?strrchr(argv[0],'/')+1:argv[0];
log_ident_set(log_ident_default);
/* parse the options */
while( (c=getopt(argc, argv, "c:dhvw:")) != -1) {
switch(c) {
@ -735,7 +699,7 @@ main(int argc, char* argv[])
#endif
break;
case 'v':
cmdline_verbose ++;
cmdline_verbose++;
verbosity++;
break;
case 'd':
@ -768,7 +732,7 @@ main(int argc, char* argv[])
return 1;
}
run_daemon(cfgfile, cmdline_verbose, debug_mode);
run_daemon(cfgfile, cmdline_verbose, debug_mode, log_ident_default);
log_init(NULL, 0, NULL); /* close logfile */
return 0;
}

View file

@ -69,9 +69,13 @@
#include "iterator/iter_hints.h"
#include "validator/autotrust.h"
#include "validator/val_anchor.h"
#include "respip/respip.h"
#include "libunbound/context.h"
#include "libunbound/libworker.h"
#include "sldns/sbuffer.h"
#include "sldns/wire2str.h"
#include "util/shm_side/shm_main.h"
#include "dnscrypt/dnscrypt.h"
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
@ -101,61 +105,21 @@
*/
#define PREFETCH_EXPIRY_ADD 60
#ifdef UNBOUND_ALLOC_STATS
/** measure memory leakage */
static void
debug_memleak(size_t accounted, size_t heap,
size_t total_alloc, size_t total_free)
{
static int init = 0;
static size_t base_heap, base_accounted, base_alloc, base_free;
size_t base_af, cur_af, grow_af, grow_acc;
if(!init) {
init = 1;
base_heap = heap;
base_accounted = accounted;
base_alloc = total_alloc;
base_free = total_free;
}
base_af = base_alloc - base_free;
cur_af = total_alloc - total_free;
grow_af = cur_af - base_af;
grow_acc = accounted - base_accounted;
log_info("Leakage: %d leaked. growth: %u use, %u acc, %u heap",
(int)(grow_af - grow_acc), (unsigned)grow_af,
(unsigned)grow_acc, (unsigned)(heap - base_heap));
}
/** give debug heap size indication */
static void
debug_total_mem(size_t calctotal)
{
#ifdef HAVE_SBRK
extern void* unbound_start_brk;
extern size_t unbound_mem_alloc, unbound_mem_freed;
void* cur = sbrk(0);
int total = cur-unbound_start_brk;
log_info("Total heap memory estimate: %u total-alloc: %u "
"total-free: %u", (unsigned)total,
(unsigned)unbound_mem_alloc, (unsigned)unbound_mem_freed);
debug_memleak(calctotal, (size_t)total,
unbound_mem_alloc, unbound_mem_freed);
#else
(void)calctotal;
#endif /* HAVE_SBRK */
}
#endif /* UNBOUND_ALLOC_STATS */
/** Report on memory usage by this thread and global */
static void
worker_mem_report(struct worker* ATTR_UNUSED(worker),
struct serviced_query* ATTR_UNUSED(cur_serv))
{
#ifdef UNBOUND_ALLOC_STATS
/* measure memory leakage */
extern size_t unbound_mem_alloc, unbound_mem_freed;
/* debug func in validator module */
size_t total, front, back, mesh, msg, rrset, infra, ac, superac;
size_t me, iter, val, anch;
int i;
#ifdef CLIENT_SUBNET
size_t subnet = 0;
#endif /* CLIENT_SUBNET */
if(verbosity < VERB_ALGO)
return;
front = listen_get_mem(worker->front);
@ -175,6 +139,12 @@ worker_mem_report(struct worker* ATTR_UNUSED(worker),
if(strcmp(worker->env.mesh->mods.mod[i]->name, "validator")==0)
val += (*worker->env.mesh->mods.mod[i]->get_mem)
(&worker->env, i);
#ifdef CLIENT_SUBNET
else if(strcmp(worker->env.mesh->mods.mod[i]->name,
"subnet")==0)
subnet += (*worker->env.mesh->mods.mod[i]->get_mem)
(&worker->env, i);
#endif /* CLIENT_SUBNET */
else iter += (*worker->env.mesh->mods.mod[i]->get_mem)
(&worker->env, i);
}
@ -192,6 +162,17 @@ worker_mem_report(struct worker* ATTR_UNUSED(worker),
me += serviced_get_mem(cur_serv);
}
total = front+back+mesh+msg+rrset+infra+iter+val+ac+superac+me;
#ifdef CLIENT_SUBNET
total += subnet;
log_info("Memory conditions: %u front=%u back=%u mesh=%u msg=%u "
"rrset=%u infra=%u iter=%u val=%u subnet=%u anchors=%u "
"alloccache=%u globalalloccache=%u me=%u",
(unsigned)total, (unsigned)front, (unsigned)back,
(unsigned)mesh, (unsigned)msg, (unsigned)rrset, (unsigned)infra,
(unsigned)iter, (unsigned)val,
(unsigned)subnet, (unsigned)anch, (unsigned)ac,
(unsigned)superac, (unsigned)me);
#else /* no CLIENT_SUBNET */
log_info("Memory conditions: %u front=%u back=%u mesh=%u msg=%u "
"rrset=%u infra=%u iter=%u val=%u anchors=%u "
"alloccache=%u globalalloccache=%u me=%u",
@ -199,9 +180,15 @@ worker_mem_report(struct worker* ATTR_UNUSED(worker),
(unsigned)mesh, (unsigned)msg, (unsigned)rrset,
(unsigned)infra, (unsigned)iter, (unsigned)val, (unsigned)anch,
(unsigned)ac, (unsigned)superac, (unsigned)me);
debug_total_mem(total);
#endif /* CLIENT_SUBNET */
log_info("Total heap memory estimate: %u total-alloc: %u "
"total-free: %u", (unsigned)total,
(unsigned)unbound_mem_alloc, (unsigned)unbound_mem_freed);
#else /* no UNBOUND_ALLOC_STATS */
size_t val = 0;
#ifdef CLIENT_SUBNET
size_t subnet = 0;
#endif /* CLIENT_SUBNET */
int i;
if(verbosity < VERB_QUERY)
return;
@ -211,12 +198,27 @@ worker_mem_report(struct worker* ATTR_UNUSED(worker),
if(strcmp(worker->env.mesh->mods.mod[i]->name, "validator")==0)
val += (*worker->env.mesh->mods.mod[i]->get_mem)
(&worker->env, i);
#ifdef CLIENT_SUBNET
else if(strcmp(worker->env.mesh->mods.mod[i]->name,
"subnet")==0)
subnet += (*worker->env.mesh->mods.mod[i]->get_mem)
(&worker->env, i);
#endif /* CLIENT_SUBNET */
}
#ifdef CLIENT_SUBNET
verbose(VERB_QUERY, "cache memory msg=%u rrset=%u infra=%u val=%u "
"subnet=%u",
(unsigned)slabhash_get_mem(worker->env.msg_cache),
(unsigned)slabhash_get_mem(&worker->env.rrset_cache->table),
(unsigned)infra_get_mem(worker->env.infra_cache),
(unsigned)val, (unsigned)subnet);
#else /* no CLIENT_SUBNET */
verbose(VERB_QUERY, "cache memory msg=%u rrset=%u infra=%u val=%u",
(unsigned)slabhash_get_mem(worker->env.msg_cache),
(unsigned)slabhash_get_mem(&worker->env.rrset_cache->table),
(unsigned)infra_get_mem(worker->env.infra_cache),
(unsigned)val);
#endif /* CLIENT_SUBNET */
#endif /* UNBOUND_ALLOC_STATS */
}
@ -483,15 +485,17 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
qinfo->qname_len, qinfo->qtype, qinfo->qclass,
worker->scratchpad, &msg, timenow);
if(!dp) { /* no delegation, need to reprime */
regional_free_all(worker->scratchpad);
return 0;
}
/* In case we have a local alias, copy it into the delegation message.
* Shallow copy should be fine, as we'll be done with msg in this
* function. */
msg->qinfo.local_alias = qinfo->local_alias;
if(must_validate) {
switch(check_delegation_secure(msg->rep)) {
case sec_status_unchecked:
/* some rrsets have not been verified yet, go and
* let validator do that */
regional_free_all(worker->scratchpad);
return 0;
case sec_status_bogus:
/* some rrsets are bogus, reply servfail */
@ -499,9 +503,11 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
edns->udp_size = EDNS_ADVERTISED_SIZE;
edns->ext_rcode = 0;
edns->bits &= EDNS_DO;
if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL,
msg->rep, LDNS_RCODE_SERVFAIL, edns, worker->scratchpad))
return 0;
error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
&msg->qinfo, id, flags, edns);
regional_free_all(worker->scratchpad);
if(worker->stats.extended) {
worker->stats.ans_bogus++;
worker->stats.ans_rcode[LDNS_RCODE_SERVFAIL]++;
@ -527,14 +533,19 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
edns->udp_size = EDNS_ADVERTISED_SIZE;
edns->ext_rcode = 0;
edns->bits &= EDNS_DO;
if(!inplace_cb_reply_cache_call(&worker->env, qinfo, NULL, msg->rep,
(int)(flags&LDNS_RCODE_MASK), edns, worker->scratchpad))
return 0;
msg->rep->flags |= BIT_QR|BIT_RA;
if(!reply_info_answer_encode(&msg->qinfo, msg->rep, id, flags,
repinfo->c->buffer, 0, 1, worker->scratchpad,
udpsize, edns, (int)(edns->bits & EDNS_DO), secure)) {
if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, NULL,
LDNS_RCODE_SERVFAIL, edns, worker->scratchpad))
edns->opt_list = NULL;
error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
&msg->qinfo, id, flags, edns);
}
regional_free_all(worker->scratchpad);
if(worker->stats.extended) {
if(secure) worker->stats.ans_secure++;
server_stats_insrcode(&worker->stats, repinfo->c->buffer);
@ -542,17 +553,81 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
return 1;
}
/** answer query from the cache */
/** Apply, if applicable, a response IP action to a cached answer.
* If the answer is rewritten as a result of an action, '*encode_repp' will
* point to the reply info containing the modified answer. '*encode_repp' will
* be intact otherwise.
* It returns 1 on success, 0 otherwise. */
static int
apply_respip_action(struct worker* worker, const struct query_info* qinfo,
struct respip_client_info* cinfo, struct reply_info* rep,
struct comm_reply* repinfo, struct ub_packed_rrset_key** alias_rrset,
struct reply_info** encode_repp)
{
struct respip_action_info actinfo = {respip_none, NULL};
if(qinfo->qtype != LDNS_RR_TYPE_A &&
qinfo->qtype != LDNS_RR_TYPE_AAAA &&
qinfo->qtype != LDNS_RR_TYPE_ANY)
return 1;
if(!respip_rewrite_reply(qinfo, cinfo, rep, encode_repp, &actinfo,
alias_rrset, 0, worker->scratchpad))
return 0;
/* xxx_deny actions mean dropping the reply, unless the original reply
* was redirected to response-ip data. */
if((actinfo.action == respip_deny ||
actinfo.action == respip_inform_deny) &&
*encode_repp == rep)
*encode_repp = NULL;
/* If address info is returned, it means the action should be an
* 'inform' variant and the information should be logged. */
if(actinfo.addrinfo) {
respip_inform_print(actinfo.addrinfo, qinfo->qname,
qinfo->qtype, qinfo->qclass, qinfo->local_alias,
repinfo);
}
return 1;
}
/** answer query from the cache.
* Normally, the answer message will be built in repinfo->c->buffer; if the
* answer is supposed to be suppressed or the answer is supposed to be an
* incomplete CNAME chain, the buffer is explicitly cleared to signal the
* caller as such. In the latter case *partial_rep will point to the incomplete
* reply, and this function is (possibly) supposed to be called again with that
* *partial_rep value to complete the chain. In addition, if the query should
* be completely dropped, '*need_drop' will be set to 1. */
static int
answer_from_cache(struct worker* worker, struct query_info* qinfo,
struct respip_client_info* cinfo, int* need_drop,
struct ub_packed_rrset_key** alias_rrset,
struct reply_info** partial_repp,
struct reply_info* rep, uint16_t id, uint16_t flags,
struct comm_reply* repinfo, struct edns_data* edns)
{
time_t timenow = *worker->env.now;
uint16_t udpsize = edns->udp_size;
struct reply_info* encode_rep = rep;
struct reply_info* partial_rep = *partial_repp;
int secure;
int must_validate = (!(flags&BIT_CD) || worker->env.cfg->ignore_cd)
&& worker->env.need_to_validate;
*partial_repp = NULL; /* avoid accidental further pass */
if(worker->env.cfg->serve_expired) {
/* always lock rrsets, rep->ttl is ignored */
if(!rrset_array_lock(rep->ref, rep->rrset_count, 0))
return 0;
/* below, rrsets with ttl before timenow become TTL 0 in
* the response */
/* This response was served with zero TTL */
if (timenow >= rep->ttl) {
worker->stats.zero_ttl_responses++;
}
} else {
/* see if it is possible */
if(rep->ttl < timenow) {
/* the rrsets may have been updated in the meantime.
@ -564,6 +639,7 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
if(!rrset_array_lock(rep->ref, rep->rrset_count, timenow))
return 0;
/* locked and ids and ttls are OK. */
}
/* check CNAME chain (if any) */
if(rep->an_numrrsets > 0 && (rep->rrsets[0]->rk.type ==
htons(LDNS_RR_TYPE_CNAME) || rep->rrsets[0]->rk.type ==
@ -574,7 +650,6 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
bail_out:
rrset_array_unlock_touch(worker->env.rrset_cache,
worker->scratchpad, rep->ref, rep->rrset_count);
regional_free_all(worker->scratchpad);
return 0;
}
}
@ -585,11 +660,13 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
edns->udp_size = EDNS_ADVERTISED_SIZE;
edns->ext_rcode = 0;
edns->bits &= EDNS_DO;
if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, rep,
LDNS_RCODE_SERVFAIL, edns, worker->scratchpad))
goto bail_out;
error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
qinfo, id, flags, edns);
rrset_array_unlock_touch(worker->env.rrset_cache,
worker->scratchpad, rep->ref, rep->rrset_count);
regional_free_all(worker->scratchpad);
if(worker->stats.extended) {
worker->stats.ans_bogus ++;
worker->stats.ans_rcode[LDNS_RCODE_SERVFAIL] ++;
@ -616,9 +693,41 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
edns->udp_size = EDNS_ADVERTISED_SIZE;
edns->ext_rcode = 0;
edns->bits &= EDNS_DO;
if(!reply_info_answer_encode(qinfo, rep, id, flags,
if(!inplace_cb_reply_cache_call(&worker->env, qinfo, NULL, rep,
(int)(flags&LDNS_RCODE_MASK), edns, worker->scratchpad))
goto bail_out;
*alias_rrset = NULL; /* avoid confusion if caller set it to non-NULL */
if(worker->daemon->use_response_ip && !partial_rep &&
!apply_respip_action(worker, qinfo, cinfo, rep, repinfo, alias_rrset,
&encode_rep)) {
goto bail_out;
} else if(partial_rep &&
!respip_merge_cname(partial_rep, qinfo, rep, cinfo,
must_validate, &encode_rep, worker->scratchpad)) {
goto bail_out;
}
if(encode_rep != rep)
secure = 0; /* if rewritten, it can't be considered "secure" */
if(!encode_rep || *alias_rrset) {
sldns_buffer_clear(repinfo->c->buffer);
sldns_buffer_flip(repinfo->c->buffer);
if(!encode_rep)
*need_drop = 1;
else {
/* If a partial CNAME chain is found, we first need to
* make a copy of the reply in the scratchpad so we
* can release the locks and lookup the cache again. */
*partial_repp = reply_info_copy(encode_rep, NULL,
worker->scratchpad);
if(!*partial_repp)
goto bail_out;
}
} else if(!reply_info_answer_encode(qinfo, encode_rep, id, flags,
repinfo->c->buffer, timenow, 1, worker->scratchpad,
udpsize, edns, (int)(edns->bits & EDNS_DO), secure)) {
if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, NULL,
LDNS_RCODE_SERVFAIL, edns, worker->scratchpad))
edns->opt_list = NULL;
error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
qinfo, id, flags, edns);
}
@ -626,7 +735,6 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
* is bad while holding locks. */
rrset_array_unlock_touch(worker->env.rrset_cache, worker->scratchpad,
rep->ref, rep->rrset_count);
regional_free_all(worker->scratchpad);
if(worker->stats.extended) {
if(secure) worker->stats.ans_secure++;
server_stats_insrcode(&worker->stats, repinfo->c->buffer);
@ -635,13 +743,17 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
return 1;
}
/** Reply to client and perform prefetch to keep cache up to date */
/** Reply to client and perform prefetch to keep cache up to date.
* If the buffer for the reply is empty, it indicates that only prefetch is
* necessary and the reply should be suppressed (because it's dropped or
* being deferred). */
static void
reply_and_prefetch(struct worker* worker, struct query_info* qinfo,
uint16_t flags, struct comm_reply* repinfo, time_t leeway)
{
/* first send answer to client to keep its latency
* as small as a cachereply */
if(sldns_buffer_limit(repinfo->c->buffer) != 0)
comm_point_send_reply(repinfo);
server_stats_prefetch(&worker->stats, worker);
@ -657,41 +769,115 @@ reply_and_prefetch(struct worker* worker, struct query_info* qinfo,
* Fill CH class answer into buffer. Keeps query.
* @param pkt: buffer
* @param str: string to put into text record (<255).
* array of strings, every string becomes a text record.
* @param num: number of strings in array.
* @param edns: edns reply information.
* @param worker: worker with scratch region.
*/
static void
chaos_replystr(sldns_buffer* pkt, const char* str, struct edns_data* edns)
chaos_replystr(sldns_buffer* pkt, char** str, int num, struct edns_data* edns,
struct worker* worker)
{
size_t len = strlen(str);
int i;
unsigned int rd = LDNS_RD_WIRE(sldns_buffer_begin(pkt));
unsigned int cd = LDNS_CD_WIRE(sldns_buffer_begin(pkt));
if(len>255) len=255; /* cap size of TXT record */
sldns_buffer_clear(pkt);
sldns_buffer_skip(pkt, (ssize_t)sizeof(uint16_t)); /* skip id */
sldns_buffer_write_u16(pkt, (uint16_t)(BIT_QR|BIT_RA));
if(rd) LDNS_RD_SET(sldns_buffer_begin(pkt));
if(cd) LDNS_CD_SET(sldns_buffer_begin(pkt));
sldns_buffer_write_u16(pkt, 1); /* qdcount */
sldns_buffer_write_u16(pkt, 1); /* ancount */
sldns_buffer_write_u16(pkt, (uint16_t)num); /* ancount */
sldns_buffer_write_u16(pkt, 0); /* nscount */
sldns_buffer_write_u16(pkt, 0); /* arcount */
(void)query_dname_len(pkt); /* skip qname */
sldns_buffer_skip(pkt, (ssize_t)sizeof(uint16_t)); /* skip qtype */
sldns_buffer_skip(pkt, (ssize_t)sizeof(uint16_t)); /* skip qclass */
for(i=0; i<num; i++) {
size_t len = strlen(str[i]);
if(len>255) len=255; /* cap size of TXT record */
sldns_buffer_write_u16(pkt, 0xc00c); /* compr ptr to query */
sldns_buffer_write_u16(pkt, LDNS_RR_TYPE_TXT);
sldns_buffer_write_u16(pkt, LDNS_RR_CLASS_CH);
sldns_buffer_write_u32(pkt, 0); /* TTL */
sldns_buffer_write_u16(pkt, sizeof(uint8_t) + len);
sldns_buffer_write_u8(pkt, len);
sldns_buffer_write(pkt, str, len);
sldns_buffer_write(pkt, str[i], len);
}
sldns_buffer_flip(pkt);
edns->edns_version = EDNS_ADVERTISED_VERSION;
edns->udp_size = EDNS_ADVERTISED_SIZE;
edns->bits &= EDNS_DO;
if(!inplace_cb_reply_local_call(&worker->env, NULL, NULL, NULL,
LDNS_RCODE_NOERROR, edns, worker->scratchpad))
edns->opt_list = NULL;
attach_edns_record(pkt, edns);
}
/** Reply with one string */
static void
chaos_replyonestr(sldns_buffer* pkt, const char* str, struct edns_data* edns,
struct worker* worker)
{
chaos_replystr(pkt, (char**)&str, 1, edns, worker);
}
/**
* Create CH class trustanchor answer.
* @param pkt: buffer
* @param edns: edns reply information.
* @param w: worker with scratch region.
*/
static void
chaos_trustanchor(sldns_buffer* pkt, struct edns_data* edns, struct worker* w)
{
#define TA_RESPONSE_MAX_TXT 16 /* max number of TXT records */
#define TA_RESPONSE_MAX_TAGS 32 /* max number of tags printed per zone */
char* str_array[TA_RESPONSE_MAX_TXT];
uint16_t tags[TA_RESPONSE_MAX_TAGS];
int num = 0;
struct trust_anchor* ta;
if(!w->env.need_to_validate) {
/* no validator module, reply no trustanchors */
chaos_replystr(pkt, NULL, 0, edns, w);
return;
}
/* fill the string with contents */
lock_basic_lock(&w->env.anchors->lock);
RBTREE_FOR(ta, struct trust_anchor*, w->env.anchors->tree) {
char* str;
size_t i, numtag, str_len = 255;
if(num == TA_RESPONSE_MAX_TXT) continue;
str = (char*)regional_alloc(w->scratchpad, str_len);
if(!str) continue;
lock_basic_lock(&ta->lock);
numtag = anchor_list_keytags(ta, tags, TA_RESPONSE_MAX_TAGS);
if(numtag == 0) {
/* empty, insecure point */
lock_basic_unlock(&ta->lock);
continue;
}
str_array[num] = str;
num++;
/* spool name of anchor */
(void)sldns_wire2str_dname_buf(ta->name, ta->namelen, str, str_len);
str_len -= strlen(str); str += strlen(str);
/* spool tags */
for(i=0; i<numtag; i++) {
snprintf(str, str_len, " %u", (unsigned)tags[i]);
str_len -= strlen(str); str += strlen(str);
}
lock_basic_unlock(&ta->lock);
}
lock_basic_unlock(&w->env.anchors->lock);
chaos_replystr(pkt, str_array, num, edns, w);
regional_free_all(w->scratchpad);
}
/**
* Answer CH class queries.
* @param w: worker
@ -718,13 +904,13 @@ answer_chaos(struct worker* w, struct query_info* qinfo,
char buf[MAXHOSTNAMELEN+1];
if (gethostname(buf, MAXHOSTNAMELEN) == 0) {
buf[MAXHOSTNAMELEN] = 0;
chaos_replystr(pkt, buf, edns);
chaos_replyonestr(pkt, buf, edns, w);
} else {
log_err("gethostname: %s", strerror(errno));
chaos_replystr(pkt, "no hostname", edns);
chaos_replyonestr(pkt, "no hostname", edns, w);
}
}
else chaos_replystr(pkt, cfg->identity, edns);
else chaos_replyonestr(pkt, cfg->identity, edns, w);
return 1;
}
if(query_dname_compare(qinfo->qname,
@ -735,10 +921,19 @@ answer_chaos(struct worker* w, struct query_info* qinfo,
if(cfg->hide_version)
return 0;
if(cfg->version==NULL || cfg->version[0]==0)
chaos_replystr(pkt, PACKAGE_STRING, edns);
else chaos_replystr(pkt, cfg->version, edns);
chaos_replyonestr(pkt, PACKAGE_STRING, edns, w);
else chaos_replyonestr(pkt, cfg->version, edns, w);
return 1;
}
if(query_dname_compare(qinfo->qname,
(uint8_t*)"\013trustanchor\007unbound") == 0)
{
if(cfg->hide_trustanchor)
return 0;
chaos_trustanchor(pkt, edns, w);
return 1;
}
return 0;
}
@ -768,6 +963,8 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
LDNS_QR_SET(sldns_buffer_begin(c->buffer));
LDNS_RCODE_SET(sldns_buffer_begin(c->buffer),
LDNS_RCODE_REFUSED);
sldns_buffer_set_position(c->buffer, LDNS_HEADER_SIZE);
sldns_buffer_flip(c->buffer);
return 1;
}
@ -794,25 +991,75 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
{
struct worker* worker = (struct worker*)arg;
int ret;
hashvalue_t h;
hashvalue_type h;
struct lruhash_entry* e;
struct query_info qinfo;
struct edns_data edns;
enum acl_access acl;
struct acl_addr* acladdr;
int rc = 0;
int need_drop = 0;
/* We might have to chase a CNAME chain internally, in which case
* we'll have up to two replies and combine them to build a complete
* answer. These variables control this case. */
struct ub_packed_rrset_key* alias_rrset = NULL;
struct reply_info* partial_rep = NULL;
struct query_info* lookup_qinfo = &qinfo;
struct query_info qinfo_tmp; /* placeholdoer for lookup_qinfo */
struct respip_client_info* cinfo = NULL, cinfo_tmp;
if(error != NETEVENT_NOERROR) {
/* some bad tcp query DNS formats give these error calls */
verbose(VERB_ALGO, "handle request called with err=%d", error);
return 0;
}
#ifdef USE_DNSCRYPT
repinfo->max_udp_size = worker->daemon->cfg->max_udp_size;
if(!dnsc_handle_curved_request(worker->daemon->dnscenv, repinfo)) {
worker->stats.num_query_dnscrypt_crypted_malformed++;
return 0;
}
if(c->dnscrypt && !repinfo->is_dnscrypted) {
char buf[LDNS_MAX_DOMAINLEN+1];
// Check if this is unencrypted and asking for certs
if(worker_check_request(c->buffer, worker) != 0) {
verbose(VERB_ALGO, "dnscrypt: worker check request: bad query.");
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
comm_point_drop_reply(repinfo);
return 0;
}
if(!query_info_parse(&qinfo, c->buffer)) {
verbose(VERB_ALGO, "dnscrypt: worker parse request: formerror.");
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
comm_point_drop_reply(repinfo);
return 0;
}
dname_str(qinfo.qname, buf);
if(!(qinfo.qtype == LDNS_RR_TYPE_TXT &&
strcasecmp(buf, worker->daemon->dnscenv->provider_name) == 0)) {
verbose(VERB_ALGO,
"dnscrypt: not TXT %s. Receive: %s %s",
worker->daemon->dnscenv->provider_name,
sldns_rr_descript(qinfo.qtype)->_name,
buf);
comm_point_drop_reply(repinfo);
worker->stats.num_query_dnscrypt_cleartext++;
return 0;
}
worker->stats.num_query_dnscrypt_cert++;
sldns_buffer_rewind(c->buffer);
} else if(c->dnscrypt && repinfo->is_dnscrypted) {
worker->stats.num_query_dnscrypt_crypted++;
}
#endif
#ifdef USE_DNSTAP
if(worker->dtenv.log_client_query_messages)
dt_msg_send_client_query(&worker->dtenv, &repinfo->addr, c->type,
c->buffer);
#endif
acl = acl_list_lookup(worker->daemon->acl, &repinfo->addr,
acladdr = acl_addr_lookup(worker->daemon->acl, &repinfo->addr,
repinfo->addrlen);
acl = acl_get_control(acladdr);
if((ret=deny_refuse_all(c, acl, worker, repinfo)) != -1)
{
if(ret == 1)
@ -830,7 +1077,29 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
comm_point_drop_reply(repinfo);
return 0;
}
worker->stats.num_queries++;
/* check if this query should be dropped based on source ip rate limiting */
if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo,
*worker->env.now)) {
/* See if we are passed through with slip factor */
if(worker->env.cfg->ip_ratelimit_factor != 0 &&
ub_random_max(worker->env.rnd,
worker->env.cfg->ip_ratelimit_factor) == 1) {
char addrbuf[128];
addr_to_str(&repinfo->addr, repinfo->addrlen,
addrbuf, sizeof(addrbuf));
verbose(VERB_OPS, "ip_ratelimit allowed through for ip address %s ",
addrbuf);
} else {
worker->stats.num_queries_ip_ratelimited++;
comm_point_drop_reply(repinfo);
return 0;
}
}
/* see if query is in the cache */
if(!query_info_parse(&qinfo, c->buffer)) {
verbose(VERB_ALGO, "worker parse request: formerror.");
@ -865,7 +1134,29 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
}
goto send_reply;
}
if((ret=parse_edns_from_pkt(c->buffer, &edns)) != 0) {
if(qinfo.qtype == LDNS_RR_TYPE_OPT ||
qinfo.qtype == LDNS_RR_TYPE_TSIG ||
qinfo.qtype == LDNS_RR_TYPE_TKEY ||
qinfo.qtype == LDNS_RR_TYPE_MAILA ||
qinfo.qtype == LDNS_RR_TYPE_MAILB ||
(qinfo.qtype >= 128 && qinfo.qtype <= 248)) {
verbose(VERB_ALGO, "worker request: formerror for meta-type.");
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
if(worker_err_ratelimit(worker, LDNS_RCODE_FORMERR) == -1) {
comm_point_drop_reply(repinfo);
return 0;
}
sldns_buffer_rewind(c->buffer);
LDNS_QR_SET(sldns_buffer_begin(c->buffer));
LDNS_RCODE_SET(sldns_buffer_begin(c->buffer),
LDNS_RCODE_FORMERR);
if(worker->stats.extended) {
worker->stats.qtype[qinfo.qtype]++;
server_stats_insrcode(&worker->stats, c->buffer);
}
goto send_reply;
}
if((ret=parse_edns_from_pkt(c->buffer, &edns, worker->scratchpad)) != 0) {
struct edns_data reply_edns;
verbose(VERB_ALGO, "worker parse edns: formerror.");
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
@ -876,6 +1167,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
error_encode(c->buffer, ret, &qinfo,
*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
sldns_buffer_read_u16_at(c->buffer, 2), &reply_edns);
regional_free_all(worker->scratchpad);
server_stats_insrcode(&worker->stats, c->buffer);
goto send_reply;
}
@ -884,12 +1176,14 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
edns.edns_version = EDNS_ADVERTISED_VERSION;
edns.udp_size = EDNS_ADVERTISED_SIZE;
edns.bits &= EDNS_DO;
edns.opt_list = NULL;
verbose(VERB_ALGO, "query with bad edns version.");
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo,
*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
sldns_buffer_read_u16_at(c->buffer, 2), NULL);
attach_edns_record(c->buffer, &edns);
regional_free_all(worker->scratchpad);
goto send_reply;
}
if(edns.edns_present && edns.udp_size < NORMAL_UDP_SIZE &&
@ -918,6 +1212,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
sldns_buffer_write_at(c->buffer, 4,
(uint8_t*)"\0\0\0\0\0\0\0\0", 8);
sldns_buffer_flip(c->buffer);
regional_free_all(worker->scratchpad);
goto send_reply;
}
if(worker->stats.extended)
@ -928,10 +1223,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
if(qinfo.qclass == LDNS_RR_CLASS_CH && answer_chaos(worker, &qinfo,
&edns, c->buffer)) {
server_stats_insrcode(&worker->stats, c->buffer);
regional_free_all(worker->scratchpad);
goto send_reply;
}
if(local_zones_answer(worker->daemon->local_zones, &qinfo, &edns,
c->buffer, worker->scratchpad, repinfo)) {
if(local_zones_answer(worker->daemon->local_zones, &worker->env, &qinfo,
&edns, c->buffer, worker->scratchpad, repinfo, acladdr->taglist,
acladdr->taglen, acladdr->tag_actions,
acladdr->tag_actions_size, acladdr->tag_datas,
acladdr->tag_datas_size, worker->daemon->cfg->tagname,
worker->daemon->cfg->num_tags, acladdr->view)) {
regional_free_all(worker->scratchpad);
if(sldns_buffer_limit(c->buffer) == 0) {
comm_point_drop_reply(repinfo);
@ -945,6 +1245,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
* might need to bail out based on ACLs now. */
if((ret=deny_refuse_non_local(c, acl, worker, repinfo)) != -1)
{
regional_free_all(worker->scratchpad);
if(ret == 1)
goto send_reply;
return ret;
@ -961,34 +1262,111 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
LDNS_RCODE_SET(sldns_buffer_begin(c->buffer),
LDNS_RCODE_REFUSED);
sldns_buffer_flip(c->buffer);
regional_free_all(worker->scratchpad);
server_stats_insrcode(&worker->stats, c->buffer);
log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
&repinfo->addr, repinfo->addrlen);
goto send_reply;
}
h = query_info_hash(&qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
if((e=slabhash_lookup(worker->env.msg_cache, h, &qinfo, 0))) {
/* If we've found a local alias, replace the qname with the alias
* target before resolving it. */
if(qinfo.local_alias) {
struct ub_packed_rrset_key* rrset = qinfo.local_alias->rrset;
struct packed_rrset_data* d = rrset->entry.data;
/* Sanity check: our current implementation only supports
* a single CNAME RRset as a local alias. */
if(qinfo.local_alias->next ||
rrset->rk.type != htons(LDNS_RR_TYPE_CNAME) ||
d->count != 1) {
log_err("assumption failure: unexpected local alias");
regional_free_all(worker->scratchpad);
return 0; /* drop it */
}
qinfo.qname = d->rr_data[0] + 2;
qinfo.qname_len = d->rr_len[0] - 2;
}
/* If we may apply IP-based actions to the answer, build the client
* information. As this can be expensive, skip it if there is
* absolutely no possibility of it. */
if(worker->daemon->use_response_ip &&
(qinfo.qtype == LDNS_RR_TYPE_A ||
qinfo.qtype == LDNS_RR_TYPE_AAAA ||
qinfo.qtype == LDNS_RR_TYPE_ANY)) {
cinfo_tmp.taglist = acladdr->taglist;
cinfo_tmp.taglen = acladdr->taglen;
cinfo_tmp.tag_actions = acladdr->tag_actions;
cinfo_tmp.tag_actions_size = acladdr->tag_actions_size;
cinfo_tmp.tag_datas = acladdr->tag_datas;
cinfo_tmp.tag_datas_size = acladdr->tag_datas_size;
cinfo_tmp.view = acladdr->view;
cinfo_tmp.respip_set = worker->daemon->respip_set;
cinfo = &cinfo_tmp;
}
lookup_cache:
/* Lookup the cache. In case we chase an intermediate CNAME chain
* this is a two-pass operation, and lookup_qinfo is different for
* each pass. We should still pass the original qinfo to
* answer_from_cache(), however, since it's used to build the reply. */
if(!edns_bypass_cache_stage(edns.opt_list, &worker->env)) {
h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) {
/* answer from cache - we have acquired a readlock on it */
if(answer_from_cache(worker, &qinfo,
cinfo, &need_drop, &alias_rrset, &partial_rep,
(struct reply_info*)e->data,
*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
sldns_buffer_read_u16_at(c->buffer, 2), repinfo,
&edns)) {
/* prefetch it if the prefetch TTL expired */
if(worker->env.cfg->prefetch && *worker->env.now >=
/* prefetch it if the prefetch TTL expired.
* Note that if there is more than one pass
* its qname must be that used for cache
* lookup. */
if((worker->env.cfg->prefetch || worker->env.cfg->serve_expired)
&& *worker->env.now >=
((struct reply_info*)e->data)->prefetch_ttl) {
time_t leeway = ((struct reply_info*)e->
data)->ttl - *worker->env.now;
if(((struct reply_info*)e->data)->ttl
< *worker->env.now)
leeway = 0;
lock_rw_unlock(&e->lock);
reply_and_prefetch(worker, &qinfo,
reply_and_prefetch(worker, lookup_qinfo,
sldns_buffer_read_u16_at(c->buffer, 2),
repinfo, leeway);
if(!partial_rep) {
rc = 0;
regional_free_all(worker->scratchpad);
goto send_reply_rc;
}
} else if(!partial_rep) {
lock_rw_unlock(&e->lock);
regional_free_all(worker->scratchpad);
goto send_reply;
}
/* We've found a partial reply ending with an
* alias. Replace the lookup qinfo for the
* alias target and lookup the cache again to
* (possibly) complete the reply. As we're
* passing the "base" reply, there will be no
* more alias chasing. */
lock_rw_unlock(&e->lock);
memset(&qinfo_tmp, 0, sizeof(qinfo_tmp));
get_cname_target(alias_rrset, &qinfo_tmp.qname,
&qinfo_tmp.qname_len);
if(!qinfo_tmp.qname) {
log_err("unexpected: invalid answer alias");
regional_free_all(worker->scratchpad);
return 0; /* drop query */
}
qinfo_tmp.qtype = qinfo.qtype;
qinfo_tmp.qclass = qinfo.qclass;
lookup_qinfo = &qinfo_tmp;
goto lookup_cache;
}
verbose(VERB_ALGO, "answer from the cache failed");
lock_rw_unlock(&e->lock);
}
@ -997,11 +1375,13 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
sldns_buffer_read_u16_at(c->buffer, 2), repinfo,
&edns)) {
regional_free_all(worker->scratchpad);
goto send_reply;
}
verbose(VERB_ALGO, "answer norec from cache -- "
"need to validate or not primed");
}
}
sldns_buffer_rewind(c->buffer);
server_stats_querymiss(&worker->stats, worker);
@ -1014,19 +1394,35 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
}
/* grab a work request structure for this new request */
mesh_new_client(worker->env.mesh, &qinfo,
mesh_new_client(worker->env.mesh, &qinfo, cinfo,
sldns_buffer_read_u16_at(c->buffer, 2),
&edns, repinfo, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer));
regional_free_all(worker->scratchpad);
worker_mem_report(worker, NULL);
return 0;
send_reply:
rc = 1;
send_reply_rc:
if(need_drop) {
comm_point_drop_reply(repinfo);
return 0;
}
#ifdef USE_DNSTAP
if(worker->dtenv.log_client_response_messages)
dt_msg_send_client_response(&worker->dtenv, &repinfo->addr,
c->type, c->buffer);
#endif
if(worker->env.cfg->log_replies)
{
struct timeval tv = {0, 0};
log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen,
tv, 1, c->buffer);
}
#ifdef USE_DNSCRYPT
if(!dnsc_handle_uncurved_request(repinfo)) {
return 0;
}
#endif
return rc;
}
@ -1083,6 +1479,10 @@ void worker_stat_timer_cb(void* arg)
server_stats_log(&worker->stats, worker, worker->thread_num);
mesh_stats(worker->env.mesh, "mesh has");
worker_mem_report(worker, NULL);
/* SHM is enabled, process data to SHM */
if (worker->daemon->cfg->shm_enable) {
shm_main_run(worker);
}
if(!worker->daemon->cfg->stat_cumulative) {
worker_stats_clear(worker);
}
@ -1217,7 +1617,8 @@ worker_init(struct worker* worker, struct config_file *cfg,
cfg->do_tcp?cfg->outgoing_num_tcp:0,
worker->daemon->env->infra_cache, worker->rndstate,
cfg->use_caps_bits_for_id, worker->ports, worker->numports,
cfg->unwanted_threshold, &worker_alloc_cleanup, worker,
cfg->unwanted_threshold, cfg->outgoing_tcp_mss,
&worker_alloc_cleanup, worker,
cfg->do_udp, worker->daemon->connect_sslctx, cfg->delay_close,
dtenv);
if(!worker->back) {
@ -1352,10 +1753,10 @@ worker_delete(struct worker* worker)
}
struct outbound_entry*
worker_send_query(uint8_t* qname, size_t qnamelen, uint16_t qtype,
uint16_t qclass, uint16_t flags, int dnssec, int want_dnssec,
int nocaps, struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* zone, size_t zonelen, struct module_qstate* q)
worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec,
int want_dnssec, int nocaps, struct sockaddr_storage* addr,
socklen_t addrlen, uint8_t* zone, size_t zonelen, int ssl_upstream,
struct module_qstate* q)
{
struct worker* worker = q->env->worker;
struct outbound_entry* e = (struct outbound_entry*)regional_alloc(
@ -1363,11 +1764,10 @@ worker_send_query(uint8_t* qname, size_t qnamelen, uint16_t qtype,
if(!e)
return NULL;
e->qstate = q;
e->qsent = outnet_serviced_query(worker->back, qname,
qnamelen, qtype, qclass, flags, dnssec, want_dnssec, nocaps,
q->env->cfg->tcp_upstream, q->env->cfg->ssl_upstream, addr,
addrlen, zone, zonelen, worker_handle_service_reply, e,
worker->back->udp_buff);
e->qsent = outnet_serviced_query(worker->back, qinfo, flags, dnssec,
want_dnssec, nocaps, q->env->cfg->tcp_upstream,
ssl_upstream, addr, addrlen, zone, zonelen, q,
worker_handle_service_reply, e, worker->back->udp_buff, q->env);
if(!e->qsent) {
return NULL;
}
@ -1407,13 +1807,13 @@ void worker_stop_accept(void* arg)
}
/* --- fake callbacks for fptr_wlist to work --- */
struct outbound_entry* libworker_send_query(uint8_t* ATTR_UNUSED(qname),
size_t ATTR_UNUSED(qnamelen), uint16_t ATTR_UNUSED(qtype),
uint16_t ATTR_UNUSED(qclass), uint16_t ATTR_UNUSED(flags),
int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
size_t ATTR_UNUSED(zonelen), struct module_qstate* ATTR_UNUSED(q))
struct outbound_entry* libworker_send_query(
struct query_info* ATTR_UNUSED(qinfo),
uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec),
int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps),
struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen),
uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen),
int ATTR_UNUSED(ssl_upstream), struct module_qstate* ATTR_UNUSED(q))
{
log_assert(0);
return 0;

View file

@ -61,6 +61,7 @@ struct ub_randstate;
struct regional;
struct tube;
struct daemon_remote;
struct query_info;
/** worker commands */
enum worker_commands {
@ -84,7 +85,7 @@ struct worker {
/** global shared daemon structure */
struct daemon* daemon;
/** thread id */
ub_thread_t thr_id;
ub_thread_type thr_id;
/** pipe, for commands for this worker */
struct tube* cmd;
/** the event base this worker works with */

View file

@ -411,31 +411,6 @@ handle_ipv6_ptr(struct module_qstate* qstate, int id)
return module_wait_subquery;
}
/** allocate (special) rrset keys, return 0 on error */
static int
repinfo_alloc_rrset_keys(struct reply_info* rep,
struct regional* region)
{
size_t i;
for(i=0; i<rep->rrset_count; i++) {
if(region) {
rep->rrsets[i] = (struct ub_packed_rrset_key*)
regional_alloc(region,
sizeof(struct ub_packed_rrset_key));
if(rep->rrsets[i]) {
memset(rep->rrsets[i], 0,
sizeof(struct ub_packed_rrset_key));
rep->rrsets[i]->entry.key = rep->rrsets[i];
}
}
else return 0;/* rep->rrsets[i] = alloc_special_obtain(alloc);*/
if(!rep->rrsets[i])
return 0;
rep->rrsets[i]->entry.data = NULL;
}
return 1;
}
static enum module_ext_state
generate_type_A_query(struct module_qstate* qstate, int id)
{
@ -521,13 +496,14 @@ handle_event_moddone(struct module_qstate* qstate, int id)
* - An internal query.
* - A query for a record type other than AAAA.
* - CD FLAG was set on querier
* - An AAAA query for which an error was returned.
* - An AAAA query for which an error was returned.(qstate.return_rcode)
* -> treated as servfail thus synthesize (sec 5.1.3 6147), thus
* synthesize in (sec 5.1.2 of RFC6147).
* - A successful AAAA query with an answer.
*/
if ( (enum dns64_qstate)qstate->minfo[id] == DNS64_INTERNAL_QUERY
|| qstate->qinfo.qtype != LDNS_RR_TYPE_AAAA
|| (qstate->query_flags & BIT_CD)
|| qstate->return_rcode != LDNS_RCODE_NOERROR
|| (qstate->return_msg &&
qstate->return_msg->rep &&
reply_find_answer_rrset(&qstate->qinfo,
@ -706,7 +682,7 @@ dns64_adjust_a(int id, struct module_qstate* super, struct module_qstate* qstate
return;
/* allocate ub_key structures special or not */
if(!repinfo_alloc_rrset_keys(cp, super->region)) {
if(!reply_info_alloc_rrset_keys(cp, NULL, super->region)) {
return;
}
@ -824,7 +800,8 @@ dns64_inform_super(struct module_qstate* qstate, int id,
}
/* Store the generated response in cache. */
if (!dns_cache_store(super->env, &super->qinfo, super->return_msg->rep,
if (!super->no_cache_store &&
!dns_cache_store(super->env, &super->qinfo, super->return_msg->rep,
0, 0, 0, NULL, super->query_flags))
log_err("out of memory");
}
@ -871,7 +848,7 @@ static struct module_func_block dns64_block = {
* Function for returning the above function block.
*/
struct module_func_block *
dns64_get_funcblock()
dns64_get_funcblock(void)
{
return &dns64_block;
}

32
external/unbound/dnscrypt/cert.h vendored Normal file
View file

@ -0,0 +1,32 @@
#ifndef UNBOUND_DNSCRYPT_CERT_H
#define UNBOUND_DNSCRYPT_CERT_H
/**
* \file
* certificate type for dnscrypt for use in other header files
*/
#include <sodium.h>
#define CERT_MAGIC_CERT "DNSC"
#define CERT_MAJOR_VERSION 1
#define CERT_MINOR_VERSION 0
#define CERT_OLD_MAGIC_HEADER "7PYqwfzt"
#define CERT_FILE_EXPIRE_DAYS 365
struct SignedCert {
uint8_t magic_cert[4];
uint8_t version_major[2];
uint8_t version_minor[2];
// Signed Content
uint8_t server_publickey[crypto_box_PUBLICKEYBYTES];
uint8_t magic_query[8];
uint8_t serial[4];
uint8_t ts_begin[4];
uint8_t ts_end[4];
uint8_t end[64];
};
#endif

531
external/unbound/dnscrypt/dnscrypt.c vendored Normal file
View file

@ -0,0 +1,531 @@
#include "config.h"
#include <stdlib.h>
#include <fcntl.h>
#ifdef HAVE_TIME_H
#include <time.h>
#endif
#include <sys/time.h>
#include <sys/types.h>
#include "sldns/sbuffer.h"
#include "util/config_file.h"
#include "util/net_help.h"
#include "util/netevent.h"
#include "util/log.h"
#include "dnscrypt/cert.h"
#include "dnscrypt/dnscrypt.h"
#include <ctype.h>
/**
* \file
* dnscrypt functions for encrypting DNS packets.
*/
#define DNSCRYPT_QUERY_BOX_OFFSET \
(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_PUBLICKEYBYTES + crypto_box_HALF_NONCEBYTES)
// 8 bytes: magic header (CERT_MAGIC_HEADER)
// 12 bytes: the client's nonce
// 12 bytes: server nonce extension
// 16 bytes: Poly1305 MAC (crypto_box_ZEROBYTES - crypto_box_BOXZEROBYTES)
#define DNSCRYPT_REPLY_BOX_OFFSET \
(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES + crypto_box_HALF_NONCEBYTES)
/**
* Decrypt a query using the keypair that was found using dnsc_find_keypair.
* The client nonce will be extracted from the encrypted query and stored in
* client_nonce, a shared secret will be computed and stored in nmkey and the
* buffer will be decrypted inplace.
* \param[in] keypair the keypair that matches this encrypted query.
* \param[in] client_nonce where the client nonce will be stored.
* \param[in] nmkey where the shared secret key will be written.
* \param[in] buffer the encrypted buffer.
* \return 0 on success.
*/
static int
dnscrypt_server_uncurve(const KeyPair *keypair,
uint8_t client_nonce[crypto_box_HALF_NONCEBYTES],
uint8_t nmkey[crypto_box_BEFORENMBYTES],
struct sldns_buffer* buffer)
{
size_t len = sldns_buffer_limit(buffer);
uint8_t *const buf = sldns_buffer_begin(buffer);
uint8_t nonce[crypto_box_NONCEBYTES];
struct dnscrypt_query_header *query_header;
if (len <= DNSCRYPT_QUERY_HEADER_SIZE) {
return -1;
}
query_header = (struct dnscrypt_query_header *)buf;
memcpy(nmkey, query_header->publickey, crypto_box_PUBLICKEYBYTES);
if (crypto_box_beforenm(nmkey, nmkey, keypair->crypt_secretkey) != 0) {
return -1;
}
memcpy(nonce, query_header->nonce, crypto_box_HALF_NONCEBYTES);
memset(nonce + crypto_box_HALF_NONCEBYTES, 0, crypto_box_HALF_NONCEBYTES);
sldns_buffer_set_at(buffer,
DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
0, crypto_box_BOXZEROBYTES);
if (crypto_box_open_afternm
(buf + DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
buf + DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
len - DNSCRYPT_QUERY_BOX_OFFSET + crypto_box_BOXZEROBYTES, nonce,
nmkey) != 0) {
return -1;
}
while (*sldns_buffer_at(buffer, --len) == 0)
;
if (*sldns_buffer_at(buffer, len) != 0x80) {
return -1;
}
memcpy(client_nonce, nonce, crypto_box_HALF_NONCEBYTES);
memmove(sldns_buffer_begin(buffer),
sldns_buffer_at(buffer, DNSCRYPT_QUERY_HEADER_SIZE),
len - DNSCRYPT_QUERY_HEADER_SIZE);
sldns_buffer_set_position(buffer, 0);
sldns_buffer_set_limit(buffer, len - DNSCRYPT_QUERY_HEADER_SIZE);
return 0;
}
/**
* Add random padding to a buffer, according to a client nonce.
* The length has to depend on the query in order to avoid reply attacks.
*
* @param buf a buffer
* @param len the initial size of the buffer
* @param max_len the maximum size
* @param nonce a nonce, made of the client nonce repeated twice
* @param secretkey
* @return the new size, after padding
*/
size_t
dnscrypt_pad(uint8_t *buf, const size_t len, const size_t max_len,
const uint8_t *nonce, const uint8_t *secretkey)
{
uint8_t *buf_padding_area = buf + len;
size_t padded_len;
uint32_t rnd;
// no padding
if (max_len < len + DNSCRYPT_MIN_PAD_LEN)
return len;
assert(nonce[crypto_box_HALF_NONCEBYTES] == nonce[0]);
crypto_stream((unsigned char *)&rnd, (unsigned long long)sizeof(rnd), nonce,
secretkey);
padded_len =
len + DNSCRYPT_MIN_PAD_LEN + rnd % (max_len - len -
DNSCRYPT_MIN_PAD_LEN + 1);
padded_len += DNSCRYPT_BLOCK_SIZE - padded_len % DNSCRYPT_BLOCK_SIZE;
if (padded_len > max_len)
padded_len = max_len;
memset(buf_padding_area, 0, padded_len - len);
*buf_padding_area = 0x80;
return padded_len;
}
uint64_t
dnscrypt_hrtime(void)
{
struct timeval tv;
uint64_t ts = (uint64_t)0U;
int ret;
ret = gettimeofday(&tv, NULL);
if (ret == 0) {
ts = (uint64_t)tv.tv_sec * 1000000U + (uint64_t)tv.tv_usec;
} else {
log_err("gettimeofday: %s", strerror(errno));
}
return ts;
}
/**
* Add the server nonce part to once.
* The nonce is made half of client nonce and the seconf half of the server
* nonce, both of them of size crypto_box_HALF_NONCEBYTES.
* \param[in] nonce: a uint8_t* of size crypto_box_NONCEBYTES
*/
static void
add_server_nonce(uint8_t *nonce)
{
uint64_t ts;
uint64_t tsn;
uint32_t suffix;
ts = dnscrypt_hrtime();
// TODO? dnscrypt-wrapper does some logic with context->nonce_ts_last
// unclear if we really need it, so skipping it for now.
tsn = (ts << 10) | (randombytes_random() & 0x3ff);
#if (BYTE_ORDER == LITTLE_ENDIAN)
tsn =
(((uint64_t)htonl((uint32_t)tsn)) << 32) | htonl((uint32_t)(tsn >> 32));
#endif
memcpy(nonce + crypto_box_HALF_NONCEBYTES, &tsn, 8);
suffix = randombytes_random();
memcpy(nonce + crypto_box_HALF_NONCEBYTES + 8, &suffix, 4);
}
/**
* Encrypt a reply using the keypair that was used with the query.
* The client nonce will be extracted from the encrypted query and stored in
* The buffer will be encrypted inplace.
* \param[in] keypair the keypair that matches this encrypted query.
* \param[in] client_nonce client nonce used during the query
* \param[in] nmkey shared secret key used during the query.
* \param[in] buffer the buffer where to encrypt the reply.
* \param[in] udp if whether or not it is a UDP query.
* \param[in] max_udp_size configured max udp size.
* \return 0 on success.
*/
static int
dnscrypt_server_curve(const KeyPair *keypair,
uint8_t client_nonce[crypto_box_HALF_NONCEBYTES],
uint8_t nmkey[crypto_box_BEFORENMBYTES],
struct sldns_buffer* buffer,
uint8_t udp,
size_t max_udp_size)
{
size_t dns_reply_len = sldns_buffer_limit(buffer);
size_t max_len = dns_reply_len + DNSCRYPT_MAX_PADDING + DNSCRYPT_REPLY_HEADER_SIZE;
size_t max_reply_size = max_udp_size - 20U - 8U;
uint8_t nonce[crypto_box_NONCEBYTES];
uint8_t *boxed;
uint8_t *const buf = sldns_buffer_begin(buffer);
size_t len = sldns_buffer_limit(buffer);
if(udp){
if (max_len > max_reply_size)
max_len = max_reply_size;
}
memcpy(nonce, client_nonce, crypto_box_HALF_NONCEBYTES);
memcpy(nonce + crypto_box_HALF_NONCEBYTES, client_nonce,
crypto_box_HALF_NONCEBYTES);
boxed = buf + DNSCRYPT_REPLY_BOX_OFFSET;
memmove(boxed + crypto_box_MACBYTES, buf, len);
len = dnscrypt_pad(boxed + crypto_box_MACBYTES, len,
max_len - DNSCRYPT_REPLY_HEADER_SIZE, nonce,
keypair->crypt_secretkey);
sldns_buffer_set_at(buffer,
DNSCRYPT_REPLY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
0, crypto_box_ZEROBYTES);
// add server nonce extension
add_server_nonce(nonce);
if (crypto_box_afternm
(boxed - crypto_box_BOXZEROBYTES, boxed - crypto_box_BOXZEROBYTES,
len + crypto_box_ZEROBYTES, nonce, nmkey) != 0) {
return -1;
}
sldns_buffer_write_at(buffer, 0, DNSCRYPT_MAGIC_RESPONSE, DNSCRYPT_MAGIC_HEADER_LEN);
sldns_buffer_write_at(buffer, DNSCRYPT_MAGIC_HEADER_LEN, nonce, crypto_box_NONCEBYTES);
sldns_buffer_set_limit(buffer, len + DNSCRYPT_REPLY_HEADER_SIZE);
return 0;
}
/**
* Read the content of fname into buf.
* \param[in] fname name of the file to read.
* \param[in] buf the buffer in which to read the content of the file.
* \param[in] count number of bytes to read.
* \return 0 on success.
*/
static int
dnsc_read_from_file(char *fname, char *buf, size_t count)
{
int fd;
fd = open(fname, O_RDONLY);
if (fd == -1) {
return -1;
}
if (read(fd, buf, count) != (ssize_t)count) {
close(fd);
return -2;
}
close(fd);
return 0;
}
/**
* Parse certificates files provided by the configuration and load them into
* dnsc_env.
* \param[in] env the dnsc_env structure to load the certs into.
* \param[in] cfg the configuration.
* \return the number of certificates loaded.
*/
static int
dnsc_parse_certs(struct dnsc_env *env, struct config_file *cfg)
{
struct config_strlist *head;
size_t signed_cert_id;
env->signed_certs_count = 0U;
for (head = cfg->dnscrypt_provider_cert; head; head = head->next) {
env->signed_certs_count++;
}
env->signed_certs = sodium_allocarray(env->signed_certs_count,
sizeof *env->signed_certs);
signed_cert_id = 0U;
for(head = cfg->dnscrypt_provider_cert; head; head = head->next, signed_cert_id++) {
if(dnsc_read_from_file(
head->str,
(char *)(env->signed_certs + signed_cert_id),
sizeof(struct SignedCert)) != 0) {
fatal_exit("dnsc_parse_certs: failed to load %s: %s", head->str, strerror(errno));
}
verbose(VERB_OPS, "Loaded cert %s", head->str);
}
return signed_cert_id;
}
/**
* Helper function to convert a binary key into a printable fingerprint.
* \param[in] fingerprint the buffer in which to write the printable key.
* \param[in] key the key to convert.
*/
void
dnsc_key_to_fingerprint(char fingerprint[80U], const uint8_t * const key)
{
const size_t fingerprint_size = 80U;
size_t fingerprint_pos = (size_t) 0U;
size_t key_pos = (size_t) 0U;
for (;;) {
assert(fingerprint_size > fingerprint_pos);
snprintf(&fingerprint[fingerprint_pos],
fingerprint_size - fingerprint_pos, "%02X%02X",
key[key_pos], key[key_pos + 1U]);
key_pos += 2U;
if (key_pos >= crypto_box_PUBLICKEYBYTES) {
break;
}
fingerprint[fingerprint_pos + 4U] = ':';
fingerprint_pos += 5U;
}
}
/**
* Find the keypair matching a DNSCrypt query.
* \param[in] dnscenv The DNSCrypt enviroment, which contains the list of keys
* supported by the server.
* \param[in] buffer The encrypted DNS query.
* \return a KeyPair * if we found a key pair matching the query, NULL otherwise.
*/
static const KeyPair *
dnsc_find_keypair(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
{
const KeyPair *keypairs = dnscenv->keypairs;
struct dnscrypt_query_header *dnscrypt_header;
size_t i;
if (sldns_buffer_limit(buffer) < DNSCRYPT_QUERY_HEADER_SIZE) {
return NULL;
}
dnscrypt_header = (struct dnscrypt_query_header *)sldns_buffer_begin(buffer);
for (i = 0U; i < dnscenv->keypairs_count; i++) {
if (memcmp(keypairs[i].crypt_publickey, dnscrypt_header->magic_query,
DNSCRYPT_MAGIC_HEADER_LEN) == 0) {
return &keypairs[i];
}
}
return NULL;
}
/**
* Insert local-zone and local-data into configuration.
* In order to be able to serve certs over TXT, we can reuse the local-zone and
* local-data config option. The zone and qname are infered from the
* provider_name and the content of the TXT record from the certificate content.
* returns the number of certtificate TXT record that were loaded.
* < 0 in case of error.
*/
static int
dnsc_load_local_data(struct dnsc_env* dnscenv, struct config_file *cfg)
{
size_t i, j;
// Insert 'local-zone: "2.dnscrypt-cert.example.com" deny'
if(!cfg_str2list_insert(&cfg->local_zones,
strdup(dnscenv->provider_name),
strdup("deny"))) {
log_err("Could not load dnscrypt local-zone: %s deny",
dnscenv->provider_name);
return -1;
}
// Add local data entry of type:
// 2.dnscrypt-cert.example.com 86400 IN TXT "DNSC......"
for(i=0; i<dnscenv->signed_certs_count; i++) {
const char *ttl_class_type = " 86400 IN TXT \"";
struct SignedCert *cert = dnscenv->signed_certs + i;
uint16_t rrlen = strlen(dnscenv->provider_name) +
strlen(ttl_class_type) +
4 * sizeof(struct SignedCert) + // worst case scenario
1 + // trailing double quote
1;
char *rr = malloc(rrlen);
if(!rr) {
log_err("Could not allocate memory");
return -2;
}
snprintf(rr, rrlen - 1, "%s 86400 IN TXT \"", dnscenv->provider_name);
for(j=0; j<sizeof(struct SignedCert); j++) {
int c = (int)*((const uint8_t *) cert + j);
if (isprint(c) && c != '"' && c != '\\') {
snprintf(rr + strlen(rr), rrlen - 1 - strlen(rr), "%c", c);
} else {
snprintf(rr + strlen(rr), rrlen - 1 - strlen(rr), "\\%03d", c);
}
}
snprintf(rr + strlen(rr), rrlen - 1 - strlen(rr), "\"");
cfg_strlist_insert(&cfg->local_data, strdup(rr));
free(rr);
}
return dnscenv->signed_certs_count;
}
/**
* Parse the secret key files from `dnscrypt-secret-key` config and populates
* a list of secret/public keys supported by dnscrypt listener.
* \param[in] env The dnsc_env structure which will hold the keypairs.
* \param[in] cfg The config with the secret key file paths.
*/
static int
dnsc_parse_keys(struct dnsc_env *env, struct config_file *cfg)
{
struct config_strlist *head;
size_t keypair_id;
env->keypairs_count = 0U;
for (head = cfg->dnscrypt_secret_key; head; head = head->next) {
env->keypairs_count++;
}
env->keypairs = sodium_allocarray(env->keypairs_count,
sizeof *env->keypairs);
keypair_id = 0U;
for(head = cfg->dnscrypt_secret_key; head; head = head->next, keypair_id++) {
char fingerprint[80];
if(dnsc_read_from_file(
head->str,
(char *)(env->keypairs[keypair_id].crypt_secretkey),
crypto_box_SECRETKEYBYTES) != 0) {
fatal_exit("dnsc_parse_keys: failed to load %s: %s", head->str, strerror(errno));
}
verbose(VERB_OPS, "Loaded key %s", head->str);
if (crypto_scalarmult_base(env->keypairs[keypair_id].crypt_publickey,
env->keypairs[keypair_id].crypt_secretkey) != 0) {
fatal_exit("dnsc_parse_keys: could not generate public key from %s", head->str);
}
dnsc_key_to_fingerprint(fingerprint, env->keypairs[keypair_id].crypt_publickey);
verbose(VERB_OPS, "Crypt public key fingerprint for %s: %s", head->str, fingerprint);
}
return keypair_id;
}
/**
* #########################################################
* ############# Publicly accessible functions #############
* #########################################################
*/
int
dnsc_handle_curved_request(struct dnsc_env* dnscenv,
struct comm_reply* repinfo)
{
struct comm_point* c = repinfo->c;
repinfo->is_dnscrypted = 0;
if( !c->dnscrypt ) {
return 1;
}
// Attempt to decrypt the query. If it is not crypted, we may still need
// to serve the certificate.
verbose(VERB_ALGO, "handle request called on DNSCrypt socket");
if ((repinfo->keypair = dnsc_find_keypair(dnscenv, c->buffer)) != NULL) {
if(dnscrypt_server_uncurve(repinfo->keypair,
repinfo->client_nonce,
repinfo->nmkey,
c->buffer) != 0){
verbose(VERB_ALGO, "dnscrypt: Failed to uncurve");
comm_point_drop_reply(repinfo);
return 0;
}
repinfo->is_dnscrypted = 1;
sldns_buffer_rewind(c->buffer);
}
return 1;
}
int
dnsc_handle_uncurved_request(struct comm_reply *repinfo)
{
if(!repinfo->c->dnscrypt) {
return 1;
}
sldns_buffer_copy(repinfo->c->dnscrypt_buffer, repinfo->c->buffer);
if(!repinfo->is_dnscrypted) {
return 1;
}
if(dnscrypt_server_curve(repinfo->keypair,
repinfo->client_nonce,
repinfo->nmkey,
repinfo->c->dnscrypt_buffer,
repinfo->c->type == comm_udp,
repinfo->max_udp_size) != 0){
verbose(VERB_ALGO, "dnscrypt: Failed to curve cached missed answer");
comm_point_drop_reply(repinfo);
return 0;
}
return 1;
}
struct dnsc_env *
dnsc_create(void)
{
struct dnsc_env *env;
if (sodium_init() == -1) {
fatal_exit("dnsc_create: could not initialize libsodium.");
}
env = (struct dnsc_env *) calloc(1, sizeof(struct dnsc_env));
return env;
}
int
dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg)
{
if(dnsc_parse_certs(env, cfg) <= 0) {
fatal_exit("dnsc_apply_cfg: no cert file loaded");
}
if(dnsc_parse_keys(env, cfg) <= 0) {
fatal_exit("dnsc_apply_cfg: no key file loaded");
}
randombytes_buf(env->hash_key, sizeof env->hash_key);
env->provider_name = cfg->dnscrypt_provider;
if(dnsc_load_local_data(env, cfg) <= 0) {
fatal_exit("dnsc_apply_cfg: could not load local data");
}
return 0;
}

102
external/unbound/dnscrypt/dnscrypt.h vendored Normal file
View file

@ -0,0 +1,102 @@
#ifndef UNBOUND_DNSCRYPT_H
#define UNBOUND_DNSCRYPT_H
/**
* \file
* dnscrypt functions for encrypting DNS packets.
*/
#include "dnscrypt/dnscrypt_config.h"
#ifdef USE_DNSCRYPT
#define DNSCRYPT_MAGIC_HEADER_LEN 8U
#define DNSCRYPT_MAGIC_RESPONSE "r6fnvWj8"
#ifndef DNSCRYPT_MAX_PADDING
# define DNSCRYPT_MAX_PADDING 256U
#endif
#ifndef DNSCRYPT_BLOCK_SIZE
# define DNSCRYPT_BLOCK_SIZE 64U
#endif
#ifndef DNSCRYPT_MIN_PAD_LEN
# define DNSCRYPT_MIN_PAD_LEN 8U
#endif
#define crypto_box_HALF_NONCEBYTES (crypto_box_NONCEBYTES / 2U)
#include "config.h"
#include "dnscrypt/cert.h"
#define DNSCRYPT_QUERY_HEADER_SIZE \
(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_PUBLICKEYBYTES + crypto_box_HALF_NONCEBYTES + crypto_box_MACBYTES)
#define DNSCRYPT_RESPONSE_HEADER_SIZE \
(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_NONCEBYTES + crypto_box_MACBYTES)
#define DNSCRYPT_REPLY_HEADER_SIZE \
(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES * 2 + crypto_box_MACBYTES)
struct sldns_buffer;
struct config_file;
struct comm_reply;
typedef struct KeyPair_ {
uint8_t crypt_publickey[crypto_box_PUBLICKEYBYTES];
uint8_t crypt_secretkey[crypto_box_SECRETKEYBYTES];
} KeyPair;
struct dnsc_env {
struct SignedCert *signed_certs;
size_t signed_certs_count;
uint8_t provider_publickey[crypto_sign_ed25519_PUBLICKEYBYTES];
uint8_t provider_secretkey[crypto_sign_ed25519_SECRETKEYBYTES];
KeyPair *keypairs;
size_t keypairs_count;
uint64_t nonce_ts_last;
unsigned char hash_key[crypto_shorthash_KEYBYTES];
char * provider_name;
};
struct dnscrypt_query_header {
uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
uint8_t publickey[crypto_box_PUBLICKEYBYTES];
uint8_t nonce[crypto_box_HALF_NONCEBYTES];
uint8_t mac[crypto_box_MACBYTES];
};
/**
* Initialize DNSCrypt enviroment.
* Initialize sodium library and allocate the dnsc_env structure.
* \return an uninitialized struct dnsc_env.
*/
struct dnsc_env * dnsc_create(void);
/**
* Apply configuration.
* Read certificates and secret keys from configuration. Initialize hashkey and
* provider name as well as loading cert TXT records.
* In case of issue applying configuration, this function fatals.
* \param[in] env the struct dnsc_env to populate.
* \param[in] cfg the config_file struct with dnscrypt options.
* \return 0 on success.
*/
int dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg);
/**
* handle a crypted dnscrypt request.
* Determine wether or not a query is coming over the dnscrypt listener and
* attempt to uncurve it or detect if it is a certificate query.
* return 0 in case of failure.
*/
int dnsc_handle_curved_request(struct dnsc_env* dnscenv,
struct comm_reply* repinfo);
/**
* handle an unencrypted dnscrypt request.
* Determine wether or not a query is going over the dnscrypt channel and
* attempt to curve it unless it was not crypted like when it is a
* certificate query.
* \return 0 in case of failure.
*/
int dnsc_handle_uncurved_request(struct comm_reply *repinfo);
#endif /* USE_DNSCRYPT */
#endif

25
external/unbound/dnscrypt/dnscrypt.m4 vendored Normal file
View file

@ -0,0 +1,25 @@
# dnscrypt.m4
# dnsc_DNSCRYPT([action-if-true], [action-if-false])
# --------------------------------------------------------------------------
# Check for required dnscrypt libraries and add dnscrypt configure args.
AC_DEFUN([dnsc_DNSCRYPT],
[
AC_ARG_ENABLE([dnscrypt],
AS_HELP_STRING([--enable-dnscrypt],
[Enable dnscrypt support (requires libsodium)]),
[opt_dnscrypt=$enableval], [opt_dnscrypt=no])
if test "x$opt_dnscrypt" != "xno"; then
AC_ARG_WITH([libsodium], AC_HELP_STRING([--with-libsodium=path],
[Path where libsodium is installed, for dnscrypt]), [
CFLAGS="$CFLAGS -I$withval/include"
LDFLAGS="$LDFLAGS -L$withval/lib"
])
AC_SEARCH_LIBS([sodium_init], [sodium], [],
AC_MSG_ERROR([The sodium library was not found. Please install sodium!]))
$1
else
$2
fi
])

View file

@ -0,0 +1,17 @@
#ifndef UNBOUND_DNSCRYPT_CONFIG_H
#define UNBOUND_DNSCRYPT_CONFIG_H
/*
* Process this file (dnscrypt_config.h.in) with AC_CONFIG_FILES to generate
* dnscrypt_config.h.
*
* This file exists so that USE_DNSCRYPT can be used without including config.h.
*/
#if 0 /* ENABLE_DNSCRYPT */
# ifndef USE_DNSCRYPT
# define USE_DNSCRYPT 1
# endif
#endif
#endif /* UNBOUND_DNSCRYPT_CONFIG_H */

View file

@ -121,14 +121,17 @@ dt_msg_init(const struct dt_env *env,
struct dt_env *
dt_create(const char *socket_path, unsigned num_workers)
{
#ifdef UNBOUND_DEBUG
fstrm_res res;
#endif
struct dt_env *env;
struct fstrm_iothr_options *fopt;
struct fstrm_unix_writer_options *fuwopt;
struct fstrm_writer *fw;
struct fstrm_writer_options *fwopt;
verbose(VERB_OPS, "opening dnstap socket %s", socket_path);
verbose(VERB_OPS, "attempting to connect to dnstap socket %s",
socket_path);
log_assert(socket_path != NULL);
log_assert(num_workers > 0);
@ -137,7 +140,12 @@ dt_create(const char *socket_path, unsigned num_workers)
return NULL;
fwopt = fstrm_writer_options_init();
res = fstrm_writer_options_add_content_type(fwopt,
#ifdef UNBOUND_DEBUG
res =
#else
(void)
#endif
fstrm_writer_options_add_content_type(fwopt,
DNSTAP_CONTENT_TYPE, sizeof(DNSTAP_CONTENT_TYPE) - 1);
log_assert(res == fstrm_res_success);
@ -474,7 +482,7 @@ dt_msg_send_outside_response(struct dt_env *env,
return;
dt_msg_init(env, &dm, DNSTAP__MESSAGE__TYPE__FORWARDER_RESPONSE);
} else {
if (!env->log_resolver_query_messages)
if (!env->log_resolver_response_messages)
return;
dt_msg_init(env, &dm, DNSTAP__MESSAGE__TYPE__RESOLVER_RESPONSE);
}

View file

@ -1,3 +1,910 @@
13 June 2017: Wouter
- Fix #1280: Unbound fails assert when response from authoritative
contains malformed qname. When 0x20 caps-for-id is enabled, when
assertions are not enabled the malformed qname is handled correctly.
- tag for 1.6.3
13 April 2017: Wouter
- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
- tag for 1.6.2rc1
12 April 2017: Wouter
- subnet mem value is available in shm, also when not enabled,
to make the struct easier to memmap by other applications,
independent of the configuration of unbound.
12 April 2017: Ralph
- Fix #1247: unbound does not shorten source prefix length when
forwarding ECS.
- Properly check for allocation failure in local_data_find_tag_datas.
- Fix #1249: unbound doesn't return FORMERR to bogus ECS.
- Set SHM ECS memory usage to 0 when module not loaded.
11 April 2017: Ralph
- Display ECS module memory usage.
10 April 2017: Wouter
- harden-algo-downgrade: no also makes unbound more lenient about
digest algorithms in DS records.
10 April 2017: Ralph
- Remove ECS option after REFUSED answer.
- Fix small memory leak in edns_opt_copy_alloc.
- Respip dereference after NULL check.
- Zero initialize addrtree allocation.
- Use correct identifier for SHM destroy.
7 April 2017: George
- Fix pythonmod for cb changes.
- Some whitespace fixup.
7 April 2017: Ralph
- Unlock view in respip unit test
6 April 2017: Ralph
- Generalise inplace callback (de)registration
- (de)register inplace callbacks for module id
- No unbound-control set_option for ECS options
- Deprecated client-subnet-opcode config option
- Introduced client-subnet-always-forward config option
- Changed max-client-subnet-ipv6 default to 56 (as in RFC)
- Removed extern ECS config options
- module_restart_next now calls clear on all following modules
- Also create ECS module qstate on module_event_pass event
- remove malloc from inplace_cb_register
6 April 2017: Wouter
- Small fixup for documentation.
- iana portlist update
- Fix respip for braces when locks arent used.
- Fix pythonmod for cb changes.
4 April 2017: Wouter
- Fix #1244: document that use of chroot requires trust anchor file to
be under chroot.
- iana portlist update
3 April 2017: Ralph
- Do not add current time twice to TTL before ECS cache store.
- Do not touch rrset cache after ECS cache message generation.
- Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
3 April 2017: Wouter
- Fix #1217: Add metrics to unbound-control interface showing
crypted, cert request, plaintext and malformed queries (from
Manu Bretelle).
- iana portlist update
27 March 2017: Wouter
- Remove (now unused) event2 include from dnscrypt code.
24 March 2017: George
- Fix to prevent non-referal query from being cached as referal when the
no_cache_store flag was set.
23 March 2017: Wouter
- Fix #1239: configure fails to find python distutils if python
prints warning.
22 March 2017: Wouter
- Fix #1238: segmentation fault when adding through the remote
interface a per-view local zone to a view with no previous
(configured) local zones.
- Fix #1229: Systemd service sandboxing, options in wrong sections.
21 March 2017: Ralph
- Merge EDNS Client subnet implementation from feature branch into main
branch, using new EDNS processing framework.
21 March 2017: Wouter
- Fix doxygen for dnscrypt files.
20 March 2017: Wouter
- #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
enabled in the config file from Manu Bretelle.
- make depend, autoconf, remove warnings about statement before var.
- lru_demote and lruhash_insert_or_retrieve functions for getdns.
- fixup for lruhash (whitespace and header file comment).
- dnscrypt tests.
17 March 2017: Wouter
- Patch for view functionality for local-data-ptr from Björn Ketelaars.
- Fix #1237 - Wrong resolving in chain, for norec queries that get
SERVFAIL returned.
16 March 2017: Wouter
- Fix that SHM is not inited if not enabled.
- Add trustanchor.unbound CH TXT that gets a response with a number
of TXT RRs with a string like "example.com. 2345 1234" with
the trust anchors and their keytags.
- Fix that looped DNAMEs do not cause unbound to spend effort.
- trustanchor tags are sorted. reusable routine to fetch taglist.
13 March 2017: Wouter
- testbound understands Deckard MATCH rcode question answer commands.
- Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
of YXDOMAIN + query loop, reported by Petr Spacek.
10 March 2017: Wouter
- Fix #1234: shortening DNAME loop produces duplicate DNAME records
in ANSWER section.
9 March 2017: Wouter
- --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
DS records. NSEC3 is not disabled.
- fake-sha1 test option; print warning if used. To make unit tests.
- unbound-control list local zone and data commands listed in the
help output.
8 March 2017: Wouter
- make depend for build dependencies.
- swig version 2.0.1 required.
- fix enum conversion warnings
7 March 2017: Wouter
- Fix #1230: swig version 2.0.0 is required for pythonmod, with
1.3.40 it crashes when running repeatly unbound-control reload.
- Response actions based on IP address from Jinmei Tatuya (Infoblox).
6 March 2017: Wouter
- Fix #1229: Systemd service sandboxing in contrib/unbound.service.
- iana portlist update
28 February 2017: Ralph
- Fix testpkts.c, check if DO bit is set, not only if there is an OPT
record.
28 February 2017: Wouter
- For #1227: if we have sha256, set the cipher list to have no
known vulns.
27 February 2017: Wouter
- Fix #1227: Fix that Unbound control allows weak ciphersuits.
- Fix #1226: provide official 32bit binary for windows.
24 February 2017: Wouter
- include sys/time.h for new shm code on NetBSD.
23 February 2017: Wouter
- Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
redirect.
- Patch from Luiz Fernando Softov for Stats Shared Memory.
- unbound-control stats_shm command prints stats using shared memory,
which uses less cpu.
- make depend, autoconf, doxygen and lint fixed up.
22 February 2017: Wouter
- Fix #1224: Fix that defaults should not fall back to "Program Files
(x86) if Unbound is 64bit by default on windows.
21 February 2017: Wouter
- iana portlist update
16 February 2017: Wouter
- sldns updated for vfixed and buffer resize indication from getdns.
15 February 2017: Wouter
- sldns has ED25519 and ED448 algorithm number and name for display.
14 February 2017: Wouter
- tag 1.6.1rc3. -- which became 1.6.1 on 21feb, trunk has 1.6.2
13 February 2017: Wouter
- Fix autoconf of systemd check for lack of pkg-config.
10 February 2017: Wouter
- Fix pythonmod for typedef changes.
- Fix dnstap for warning of set but not used.
- tag 1.6.1rc2.
9 February 2017: Wouter
- tag 1.6.1rc1.
8 February 2017: Wouter
- Fix for type name change and fix warning on windows compile.
7 February 2017: Wouter
- Include root trust anchor id 20326 in unbound-anchor.
6 February 2017: Wouter
- Fix compile on solaris of the fix to use $host detect.
4 February 2017: Wouter
- fix root_anchor test for updated icannbundle.pem lower certificates.
26 January 2017: Wouter
- Fix 1211: Fix can't enable interface-automatic if no IPv6 with
more helpful error message.
20 January 2017: Wouter
- Increase MAX_MODULE to 16.
19 January 2017: Wouter
- Fix to Rename ub_callback_t to ub_callback_type, because POSIX
reserves _t typedefs.
- Fix to rename internally used types from _t to _type, because _t
type names are reserved by POSIX.
- iana portlist update
12 January 2017: Wouter
- Fix to also block meta types 128 through to 248 with formerr.
- Fix #1206: Some view-related commands are missing from 'unbound-control -h'
9 January 2017: Wouter
- Fix #1202: Fix code comment that packed_rrset_data is not always
'packed'.
6 January 2017: Wouter
- Fix #1201: Fix missing unlock in answer_from_cache error condition.
5 January 2017: Wouter
- Fix to return formerr for queries for meta-types, to avoid
packet amplification if this meta-type is sent on to upstream.
- Fix #1184: Log DNS replies. This includes the same logging
information that DNS queries and response code and response size,
patch from Larissa Feng.
- Fix #1185: Source IP rate limiting, patch from Larissa Feng.
3 January 2017: Wouter
- configure --enable-systemd and lets unbound use systemd sockets if
you enable use-systemd: yes in unbound.conf.
Also there are contrib/unbound.socket and contrib/unbound.service:
systemd files for unbound, install them in /usr/lib/systemd/system.
Contributed by Sami Kerola and Pavel Odintsov.
- Fix reload chdir failure when also chrooted to that directory.
2 January 2017: Wouter
- Fix #1194: Cross build fails when $host isn't `uname` for getentropy.
23 December 2016: Ralph
- Fix #1190: Do not echo back EDNS options in local-zone error response.
- iana portlist update
21 December 2016: Ralph
- Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built
with Nettle
19 December 2016: Ralph
- Fix #1191: remove comment about view deletion.
15 December 2016: Wouter
- iana portlist update
- 64bit is default for windows builds.
- Fix inet_ntop and inet_pton warnings in windows compile.
14 December 2016: Wouter
- Fix #1178: attempt to fix setup error at end, pop result values
at end of install.
13 December 2016: Wouter
- Fix #1182: Fix Resource leak (socket), at startup.
- Fix unbound-control and ipv6 only.
9 December 2016: Wouter
- Fix #1176: stack size too small for Alpine Linux.
8 December 2016: Wouter
- Fix downcast warnings from visual studio in sldns code.
- tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1.
7 December 2016: Ralph
- Add DSA support for OpenSSL 1.1.0
- Fix remote control without cert for LibreSSL
6 December 2016: George
- Added generic EDNS code for registering known EDNS option codes,
bypassing the cache response stage and uniquifying mesh states. Four EDNS
option lists were added to module_qstate (module_qstate.edns_opts_*) to
store EDNS options from/to front/back side.
- Added two flags to module_qstate (no_cache_lookup, no_cache_store) that
control the modules' cache interactions.
- Added code for registering inplace callback functions. The registered
functions can be called just before replying with local data or Chaos,
replying from cache, replying with SERVFAIL, replying with a resolved
query, sending a query to a nameserver. The functions can inspect the
available data and maybe change response/query related data (i.e. append
EDNS options).
- Updated Python module for the above.
- Updated Python documentation.
5 December 2016: Ralph
- Fix #1173: differ local-zone type deny from unset
tag_actions element.
5 December 2016: Wouter
- Fix #1170: document that 'inform' local-zone uses local-data.
1 December 2016: Ralph
- hyphen as minus fix, by Andreas Schulze
30 November 2016: Ralph
- Added local-zones and local-data bulk addition and removal
functionality in unbound-control (local_zones, local_zones_remove,
local_datas and local_datas_remove).
- iana portlist update
29 November 2016: Wouter
- version 1.6.0 is in the development branch.
- braces in view.c around lock statements.
28 November 2016: Wouter
- new install-sh.
25 November 2016: Wouter
- Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
using no encryption over the unix socket.
22 Novenber 2016: Ralph
- Make access-control-tag-data RDATA absolute. This makes the RDATA
origin consistent between local-data and access-control-tag-data.
- Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
subdomain of the NSEC owner.
- QNAME minimisation uses QTYPE=A, therefore always check cache for
this type in harden-below-nxdomain functionality.
- Added unit test for QNAME minimisation + harden below nxdomain
synergy.
22 November 2016: Wouter
- iana portlist update.
- Fix unit tests for DS hash processing for fake-dsa test option.
- patch from Dag-Erling Smorgrav that removes code that relies
on sbrk().
21 November 2016: Wouter
- Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
Underneath" for the harden-below-nxdomain option.
10 November 2016: Ralph
- Fix #1155: test status code of unbound-control in 04-checkconf,
not the status code from the tee command.
4 November 2016: Ralph
- Added stub-ssl-upstream and forward-ssl-upstream options.
4 November 2016: Wouter
- configure detects ssl security level API function in the autoconf
manner. Every function on its own, so that other libraries (eg.
LibreSSL) can develop their API without hindrance.
- Fix #1154: segfault when reading config with duplicate zones.
- Note that for harden-below-nxdomain the nxdomain must be secure,
this means nsec3 with optout is insufficient.
3 November 2016: Ralph
- Set OpenSSL security level to 0 when using aNULL ciphers.
3 November 2016: Wouter
- .gitattributes line for githubs code language display.
- log-identity: config option to set sys log identity, patch from
"Robin H. Johnson" <robbat2@gentoo.org>
2 November 2016: Wouter
- iana portlist update.
31 October 2016: Wouter
- Fix failure to build on arm64 with no sbrk.
- iana portlist update.
28 October 2016: Wouter
- Patch for server.num.zero_ttl stats for count of expired replies,
from Pavel Odintsov.
26 October 2016: Wouter
- Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled
with the undocumented switch 'fake-dsa'. It logs a warning.
25 October 2016: Wouter
- Fix #1134: unbound-control set_option -- val-override-date: -1 works
immediately to ignore datetime, or back to 0 to enable it again.
The -- is to ignore the '-1' as an option flag.
24 October 2016: Wouter
- serve-expired config option: serve expired responses with TTL 0.
- g.root-servers.net has AAAA address.
21 October 2016: Wouter
- Ported tests for local_cname unit test to testbound framework.
20 October 2016: Wouter
- suppress compile warning in lex files.
- init lzt variable, for older gcc compiler warnings.
- fix --enable-dsa to work, instead of copying ecdsa enable.
- Fix DNSSEC validation of query type ANY with DNAME answers.
- Fixup query_info local_alias init.
19 October 2016: Wouter
- Fix #1130: whitespace in example.conf.in more consistent.
18 October 2016: Wouter
- Patch that resolves CNAMEs entered in local-data conf statements that
point to data on the internet, from Jinmei Tatuya (Infoblox).
- Removed patch comments from acllist.c and msgencode.c
- Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
from Jinmei Tatuya (Infoblox).
- Fix #1125: unbound could reuse an answer packet incorrectly for
clients with different EDNS parameters, from Jinmei Tatuya.
- Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
- Added Requires line to libunbound.pc
- Please doxygen by modifying mesh.h
17 October 2016: Wouter
- Re-fix #839 from view commit overwrite.
- Fixup const void cast warning.
12 October 2016: Ralph
- Free view config elements.
11 October 2016: Ralph
- Added qname-minimisation-strict config option.
- iana portlist update.
- fix memoryleak logfile when in debug mode.
5 October 2016: Ralph
- Added views functionality.
- Fix #1117: spelling errors, from Robert Edmonds.
30 September 2016: Wouter
- Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
29 September 2016: Wouter
- Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
- Fix #839: Memory grows unexpectedly with large RPZ files.
- Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
- Fix #841: big local-zone's make it consume large amounts of memory.
27 September 2016: Wouter
- tag for 1.5.10 release
- trunk contains 1.5.11 in development.
- Fix dnstap relaying "random" messages instead of resolver/forwarder
responses, from Nikolay Edigaryev.
- Fix #836: unbound could echo back EDNS options in an error response.
20 September 2016: Wouter
- iana portlist update.
- Fix #835: fix --disable-dsa with nettle verify.
- tag for 1.5.10rc1 release.
15 September 2016: Wouter
- Fix 883: error for duplicate local zone entry.
- Test for openssl init_crypto and init_ssl functions.
15 September 2016: Ralph
- fix potential memory leak in daemon/remote.c and nullpointer
dereference in validator/autotrust.
- iana portlist update.
13 September 2016: Wouter
- Silenced flex-generated sign-unsigned warning print with gcc
diagnostic pragma.
- Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
9 September 2016: Wouter
- Fix #831: workaround for spurious fread_chk warning against petal.c
5 September 2016: Ralph
- Take configured minimum TTL into consideration when reducing TTL
to original TTL from RRSIG.
5 September 2016: Wouter
- Fix #829: doc of sldns_wire2str_rdata_buf() return value has an
off-by-one typo, from Jinmei Tatuya (Infoblox).
- Fix incomplete prototypes reported by Dag-Erling Smørgrav.
- Fix #828: missing type in access-control-tag-action redirect results
in NXDOMAIN.
2 September 2016: Wouter
- Fix compile with openssl 1.1.0 with api=1.1.0.
1 September 2016: Wouter
- RFC 7958 is now out, updated docs for unbound-anchor.
- Fix for compile without warnings with openssl 1.1.0.
- Fix #826: Fix refuse_non_local could result in a broken response.
- iana portlist update.
29 August 2016: Wouter
- Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
Siewior.
- Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
25 August 2016: Ralph
- Clarify local-zone-override entry in unbound.conf.5
25 August 2016: Wouter
- 64bit build option for makedist windows compile, -w64.
24 August 2016: Ralph
- Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter
in each iteration in find_tag_datas().
- unbound.conf.5 entries for define-tag, access-control-tag,
access-control-tag-action, access-control-tag-data, local-zone-tag,
and local-zone-override.
23 August 2016: Wouter
- Fix #804: unbound stops responding after outage. Fixes queries
that attempt to wait for an empty list of subqueries.
- Fix #804: lower num_target_queries for iterator also for failed
lookups.
8 August 2016: Wouter
- Note that OPENPGPKEY type is RFC 7929.
4 August 2016: Wouter
- Fix #807: workaround for possible some "unused" function parameters
in test code, from Jinmei Tatuya.
3 August 2016: Wouter
- use sendmsg instead of sendto for TFO.
28 July 2016: Wouter
- Fix #806: wrong comment removed.
26 July 2016: Wouter
- nicer ratelimit-below-domain explanation.
22 July 2016: Wouter
- Fix #801: missing error condition handling in
daemon_create_workers().
- Fix #802: workaround for function parameters that are "unused"
without log_assert.
- Fix #803: confusing (and incorrect) code comment in daemon_cleanup().
20 July 2016: Wouter
- Fix typo in unbound.conf.
18 July 2016: Wouter
- Fix #798: Client-side TCP fast open fails (Linux).
14 July 2016: Wouter
- TCP Fast open patch from Sara Dickinson.
- Fixed unbound.doxygen for 1.8.11.
7 July 2016: Wouter
- access-control-tag-data implemented. verbose(4) prints tag debug.
5 July 2016: Wouter
- Fix dynamic link of anchor-update.exe on windows.
- Fix detect of mingw for MXE package build.
- Fixes for 64bit windows compile.
- Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and
--with-libunbound-only --with-nettle.
4 July 2016: Wouter
- For #787: prefer-ip6 option for unbound.conf prefers to send
upstream queries to ipv6 servers.
- Fix #787: outgoing-interface netblock/64 ipv6 option to use linux
freebind to use 64bits of entropy for every query with random local
part.
30 June 2016: Wouter
- Document always_transparent, always_refuse, always_nxdomain types.
29 June 2016: Wouter
- Fix static compile on windows missing gdi32.
28 June 2016: Wouter
- Create a pkg-config file for libunbound in contrib.
27 June 2016: Wouter
- Fix #784: Build configure assumess that having getpwnam means there
is endpwent function available.
- Updated repository with newer flex and bison output.
24 June 2016: Ralph
- Possibility to specify local-zone type for an acl/tag pair
- Possibility to specify (override) local-zone type for a source address
block
16 June 2016: Ralph
- Decrease dp attempts at each QNAME minimisation iteration
16 June 2016: Wouter
- Fix tcp timeouts in tv.usec.
15 June 2016: Wouter
- TCP_TIMEOUT is specified in milliseconds.
- If more than half of tcp connections are in use, a shorter timeout
is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
14 June 2016: Ralph
- QNAME minimisation unit test for dropped QTYPE=A queries.
14 June 2016: Wouter
- Fix 775: unbound-host and unbound-anchor crash on windows, ignore
null delete for wsaevent.
- Fix spelling in freebind option man page text.
- Fix windows link of ssl with crypt32.
- Fix 779: Union casting is non-portable.
- Fix 780: MAP_ANON not defined in HP-UX 11.31.
- Fix 781: prealloc() is an HP-UX system library call.
13 June 2016: Ralph
- Use QTYPE=A for QNAME minimisation.
- Keep track of number of time-outs when performing QNAME minimisation.
Stop minimising when number of time-outs for a QNAME/QTYPE pair is
more than three.
13 June 2016: Wouter
- Fix #778: unbound 1.5.9: -h segfault (null deref).
- Fix directory: fix for unbound-checkconf, it restores cwd.
10 June 2016: Wouter
- And delete service.conf.shipped on uninstall.
- In unbound.conf directory: dir immediately changes to that directory,
so that include: file below that is relative to that directory.
With chroot, make the directory an absolute path inside chroot.
- keep debug symbols in windows build.
- do not delete service.conf on windows uninstall.
- document directory immediate fix and allow EXECUTABLE syntax in it
on windows.
9 June 2016: Wouter
- Trunk is called 1.5.10 (with previous fixes already in there to 2
june).
- Revert fix for NetworkService account on windows due to breakage
it causes.
- Fix that windows install will not overwrite existing service.conf
file (and ignore gui config choices if it exists).
7 June 2016: Ralph
- Lookup localzones by taglist from acl.
- Possibility to lookup local_zone, regardless the taglist.
- Added local_zone/taglist/acl unit test.
7 June 2016: Wouter
- Fix #773: Non-standard Python location build failure with pyunbound.
- Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
6 June 2016: Wouter
- Better help text from -h (from Ray Griffith).
- access-control-tag config directive.
- local-zone-override config directive.
- access-control-tag-action and access-control-tag-data config
directives.
- free acl-tags, acltag-action and acltag-data config lists during
initialisation to free up memory for more entries.
3 June 2016: Wouter
- Fix to not ignore return value of chown() in daemon startup.
2 June 2016: Wouter
- Fix libubound for edns optlist feature.
- Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc.
- Fix #752: retry resource temporarily unavailable on control pipe.
- un-document localzone tags.
- tag for release 1.5.9rc1.
And this also became release 1.5.9.
- Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to
Program Files with (x86) appended.
- re-documented localzone tags in example.conf.
31 May 2016: Wouter
- Fix windows service to be created run with limited rights, as a
network service account, from Mario Turschmann.
- compat strsep implementation.
- generic edns option parse and store code.
- and also generic edns options for upstream messages (and replies).
after parse use edns_opt_find(edns.opt_list, LDNS_EDNS_NSID),
to insert use edns_opt_append(edns, region, code, len, bindata) on
the opt_list passed to send_query, or in edns_opt_inplace_reply.
30 May 2016: Wouter
- Fix time in case answer comes from cache in ub_resolve_event().
- Attempted fix for #765: _unboundmodule missing for python3.
27 May 2016: Wouter
- Fix #770: Small subgroup attack on DH used in unix pipe on localhost
if unbound control uses a unix local named pipe.
- Document write permission to directory of trust anchor needed.
- Fix #768: Unbound Service Sometimes Can Not Shutdown
Completely, WER Report Shown Up. Close handle before closing WSA.
26 May 2016: Wouter
- Updated patch from Charles Walker.
24 May 2016: Wouter
- disable-dnssec-lame-check config option from Charles Walker.
- remove memory leak from lame-check patch.
- iana portlist update.
23 May 2016: Wouter
- Fix #767: Reference to an expired Internet-Draft in
harden-below-nxdomain documentation.
20 May 2016: Ralph
- No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC
signed zones.
- iana portlist update.
19 May 2016: Wouter
- Fix #766: dns64 should synthesize results on timeout/errors.
18 May 2016: Wouter
- Fix #761: DNSSEC LAME false positive resolving nic.club.
17 May 2016: Wouter
- trunk updated with output of flex 2.6.0.
6 May 2016: Wouter
- Fix memory leak in out-of-memory conditions of local zone add.
29 April 2016: Wouter
- Fix sldns with static checking fixes copied from getdns.
28 April 2016: Wouter
- Fix #759: 0x20 capsforid no longer checks type PTR, for
compatibility with cisco dns guard. This lowers false positives.
18 April 2016: Wouter
- Fix some malformed reponses to edns queries get fallback to nonedns.
15 April 2016: Wouter
- cachedb module event handling design.
14 April 2016: Wouter
- cachedb module framework (empty).
- iana portlist update.
12 April 2016: Wouter
- Fix #753: document dump_requestlist is for first thread.
24 March 2016: Wouter
- Document permit-small-holddown for 5011 debug.
- Fix #749: unbound-checkconf gets SIGSEGV when use against a
malformatted conf file.
23 March 2016: Wouter
- OpenSSL 1.1.0 portability, --disable-dsa configure option.
21 March 2016: Wouter
- Fix compile of getentropy_linux for SLES11 servicepack 4.
- Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
- Fix test for openssl to use HMAC_Update for 1.1.0.
- acx_nlnetlabs.m4 to v33, with HMAC_Update.
- acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto.
- ERR_remove_state deprecated since openssl 1.0.0.
- OPENSSL_config is deprecated, removing.
18 March 2016: Ralph
- Validate QNAME minimised NXDOMAIN responses.
- If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
harden-below-nxdomain.
17 March 2016: Ralph
- Limit number of QNAME minimisation iterations.
17 March 2016: Wouter
- Fix #746: Fix unbound sets CD bit on all forwards.
If no trust anchors, it'll not set CD bit when forwarding to another
server. If a trust anchor, no CD bit on the first attempt to a
forwarder, but CD bit thereafter on repeated attempts to get DNSSEC.
- iana portlist update.
16 March 2016: Wouter
- Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
- Fix ip-transparent for tcp on freebsd.
15 March 2016: Wouter
- ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for
binding to an IP address while the interface or address is down.
14 March 2016: Wouter
- Fix warnings in ifdef corner case, older or unknown libevent.
- Fix compile for ub_event code with older libev.
11 March 2016: Wouter
- Remove warning about unused parameter in event_pluggable.c.
- Fix libev usage of dispatch return value.
- No side effects in tolower() call, in case it is a macro.
- For test put free in pluggable api in parenthesis.
10 March 2016: Wouter
- Fixup backend2str for libev.
09 March 2016: Willem
- User defined pluggable event API for libunbound
- Fixup of compile fix for pluggable event API from P.Y. Adi
Prasaja.
09 March 2016: Wouter
- Updated configure and ltmain.sh.
- Updated L root IPv6 address.
07 March 2016: Wouter
- Fix #747: assert in outnet_serviced_query_stop.
- iana ports fetched via https.
- iana portlist update.
03 March 2016: Wouter
- configure tests for the weak attribute support by the compiler.
02 March 2016: Wouter
- 1.5.8 release tag
- trunk contains 1.5.9 in development.
- iana portlist update.
- Fix #745: unbound.py - idn2dname throws UnicodeError when idnname
contains trailing dot.
24 February 2016: Wouter
- Fix OpenBSD asynclook lock free that gets used later (fix test code).
- Fix that NSEC3 negative cache is used when there is no salt.
23 February 2016: Wouter
- ub_ctx_set_stub() function for libunbound to config stub zones.
- sorted ubsyms.def file with exported libunbound functions.
19 February 2016: Wouter
- Print understandable debug log when unusable DS record is seen.
- load gost algorithm if digest is seen before key algorithm.
- iana portlist update.
17 February 2016: Wouter
- Fix that "make install" fails due to "text file busy" error.
16 February 2016: Wouter
- Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.
15 February 2016: Wouter
- ip-transparent option for FreeBSD with IP_BINDANY socket option.
- wait for sendto to drain socket buffers when they are full.
9 February 2016: Wouter
- Test for type OPENPGPKEY.
- insecure-lan-zones: yesno config option, patch from Dag-Erling
Smørgrav.
8 February 2016: Wouter
- Fix patch typo in prevuous commit for 734 from Adi Prasaja.
- RR Type CSYNC support RFC 7477, in debug printout and config input.
- RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
29 January 2016: Wouter
- Neater cmdline_verbose increment patch from Edgar Pettijohn.
27 January 2016: Wouter
- Made netbsd sendmsg test nonfatal, in case of false positives.
- Fix #741: log message for dnstap socket connection is more clear.
26 January 2016: Wouter
- Fix #734: chown the pidfile if it resides inside the chroot.
- Use arc4random instead of random in tests (because it is
available, possibly as compat, anyway).
- Fix cmsg alignment for argument to sendmsg on NetBSD.
- Fix that unbound complains about unimplemented IP_PKTINFO for
sendmsg on NetBSD (for interface-automatic).
25 January 2016: Wouter
- Fix #738: Swig should not be invoked with CPPFLAGS.
19 January 2016: Wouter
- Squelch 'cannot assign requested address' log messages unless
verbosity is high, it was spammed after network down.
14 January 2016: Wouter
- Fix to simplify empty string checking from Michael McConville.
- iana portlist update.
12 January 2016: Wouter
- Fix #734: Do not log an error when the PID file cannot be chown'ed.
Patch from Simon Deziel.
11 January 2016: Wouter
- Fix test if -pthreads unused to use better grep for portability.
06 January 2016: Wouter
- Fix mingw crosscompile for recent mingw.
- Update aclocal, autoconf output with new versions (1.15, 2.4.6).
05 January 2016: Wouter
- #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch
from Daisuke Higashi.
- Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
by default, and can be unblocked with "nodefault" localzone config.
04 January 2016: Wouter
- Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
for Linux glibc 2.20.
- Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
source code, so it applies cleanly again. Removed unused variable
warnings.
15 December 2015: Ralph
- Fix #729: omit use of escape sequences in echo since they are not
portable (unbound-control-setup).

View file

@ -1,4 +1,4 @@
README for Unbound @version@
README for Unbound 1.6.3
Copyright 2007 NLnet Labs
http://unbound.net

View file

@ -1,7 +1,7 @@
#
# Example configuration file.
#
# See unbound.conf(5) man page, version @version@.
# See unbound.conf(5) man page, version 1.6.3.
#
# this is a comment.
@ -19,6 +19,14 @@ server:
# Set to "" or 0 to disable. Default is disabled.
# statistics-interval: 0
# enable shm for stats, default no. if you enable also enable
# statistics-interval, every time it also writes stats to the
# shared memory segment keyed with shm-key.
# shm-enable: no
# shm for stats uses this key, and key+1 for the shared mem segment.
# shm-key: 11777
# enable cumulative statistics, without clearing them after printing.
# statistics-cumulative: no
@ -53,6 +61,15 @@ server:
# outgoing-interface: 2001:DB8::5
# outgoing-interface: 2001:DB8::6
# Specify a netblock to use remainder 64 bits as random bits for
# upstream queries. Uses freebind option (Linux).
# outgoing-interface: 2001:DB8::/64
# Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
# And: ip -6 route add local 2001:db8::/64 dev lo
# And set prefer-ip6: yes to use the ip6 randomness from a netblock.
# Set this to yes to prefer ipv6 upstream servers over ipv4.
# prefer-ip6: no
# number of ports to allocate per thread, determines the size of the
# port range that can be open simultaneously. About double the
# num-queries-per-thread, or, use as many as the OS will allow you.
@ -90,8 +107,14 @@ server:
# use IP_TRANSPARENT so the interface: addresses can be non-local
# and you can config non-existing IPs that are going to work later on
# (uses IP_BINDANY on FreeBSD).
# ip-transparent: no
# use IP_FREEBIND so the interface: addresses can be non-local
# and you can bind to nonexisting IPs and interfaces that are down.
# Linux only. On Linux you also have ip-transparent that is similar.
# ip-freebind: no
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
# edns-buffer-size: 4096
@ -157,6 +180,10 @@ server:
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000
# define a number of tags here, use with local-zone, access-control.
# repeat the define-tag statement to add additional tags.
# define-tag: "tag1 tag2 tag3"
# Enable IPv4, "yes" or "no".
# do-ip4: yes
@ -173,7 +200,19 @@ server:
# useful for tunneling scenarios, default no.
# tcp-upstream: no
# Maximum segment size (MSS) of TCP socket on which the server
# responds to queries. Default is 0, system default MSS.
# tcp-mss: 0
# Maximum segment size (MSS) of TCP socket for outgoing queries.
# Default is 0, system default MSS.
# outgoing-tcp-mss: 0
# Use systemd socket activation for UDP, TCP, and control sockets.
# use-systemd: no
# Detach from the terminal, run in background, "yes" or "no".
# Set the value to "no" when unbound runs as systemd service.
# do-daemonize: yes
# control which clients are allowed to make (recursive) queries
@ -189,6 +228,23 @@ server:
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
# tag access-control with list of tags (in "" with spaces between)
# Clients using this access control element use localzones that
# are tagged with one of these tags.
# access-control-tag: 192.0.2.0/24 "tag2 tag3"
# set action for particular tag for given access control element
# if you have multiple tag values, the tag used to lookup the action
# is the first tag match between access-control-tag and local-zone-tag
# where "first" comes from the order of the define-tag values.
# access-control-tag-action: 192.0.2.0/24 tag3 refuse
# set redirect data for particular tag for access control element
# access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
# Set view for access control element
# access-control-view: 192.0.2.0/24 viewname
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory.
@ -222,6 +278,8 @@ server:
# the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
# is not changed.
# If you give a server: directory: dir before include: file statements
# then those includes can be relative to the working directory.
# directory: "@UNBOUND_RUN_DIR@"
# the log file, "" means log to stderr.
@ -229,15 +287,23 @@ server:
# logfile: ""
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
# log to, with identity "unbound". If yes, it overrides the logfile.
# log to. If yes, it overrides the logfile.
# use-syslog: yes
# Log identity to report. if empty, defaults to the name of argv[0]
# (usually "unbound").
# log-identity: ""
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
# log-time-ascii: no
# print one line with time, IP, name, type, class for every query.
# log-queries: no
# print one line per reply, with time, IP, name, type, class, rcode,
# timetoresolve, fromcache and responsesize.
# log-replies: no
# the pid file. Can be an absolute path outside of chroot/work dir.
# pidfile: "@UNBOUND_PIDFILE@"
@ -251,6 +317,9 @@ server:
# enable to not answer version.server and version.bind queries.
# hide-version: no
# enable to not answer trustanchor.unbound queries.
# hide-trustanchor: no
# the identity to report. Leave "" or default to return hostname.
# identity: ""
@ -301,6 +370,12 @@ server:
# to NS when possible.
# qname-minimisation: no
# QNAME minimisation in strict mode. Do not fall-back to sending full
# QNAME to potentially broken nameservers. A lot of domains will not be
# resolvable when this option in enabled.
# This option only has effect when qname-minimisation is enabled.
# qname-minimisation-strict: no
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
# use-caps-for-id: no
@ -308,6 +383,7 @@ server:
# Domains (and domains in them) without support for dns-0x20 and
# the fallback fails because they keep sending different answers.
# caps-whitelist: "licdn.com"
# caps-whitelist: "senderbase.org"
# Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus.
@ -355,6 +431,9 @@ server:
# into response messages when those sections are not required.
# minimal-responses: no
# true to disable DNSSEC lameness check in iterator.
# disable-dnssec-lame-check: no
# module configuration of the server. A string with identifiers
# separated by spaces. Syntax: "[dns64] [validator] iterator"
# module-config: "validator iterator"
@ -430,6 +509,10 @@ server:
# that set CD but cannot validate themselves.
# ignore-cd-flag: no
# Serve expired reponses from cache, with TTL 0 in the response,
# and then attempt to fetch the data afresh.
# serve-expired: no
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
# val-log-level: 0
@ -450,7 +533,8 @@ server:
# If the value 0 is given, missing anchors are not removed.
# keep-missing: 31622400 # 366 days
# debug option that allows very small holddown times for key rollover
# debug option that allows very small holddown times for key rollover,
# otherwise the RFC mandates probe intervals must be at least 1 hour.
# permit-small-holddown: no
# the amount of memory to use for the key cache.
@ -475,6 +559,7 @@ server:
# local-zone: "localhost." nodefault
# local-zone: "127.in-addr.arpa." nodefault
# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
# local-zone: "onion." nodefault
# local-zone: "10.in-addr.arpa." nodefault
# local-zone: "16.172.in-addr.arpa." nodefault
# local-zone: "17.172.in-addr.arpa." nodefault
@ -508,13 +593,17 @@ server:
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
# if unbound is running service for the local host then it is useful
# If unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server
# for a network of computers, disabled is better and stops information
# leakage of local lan information.
# unblock-lan-zones: no
# The insecure-lan-zones option disables validation for
# these zones, as if they were all listed as domain-insecure.
# insecure-lan-zones: no
# a number of locally served zones can be configured.
# local-zone: <zone> <type>
# local-data: "<resource record string>"
@ -525,8 +614,10 @@ server:
# o redirect serves the zone data for any subdomain in the zone.
# o nodefault can be used to normally resolve AS112 zones.
# o typetransparent resolves normally for other types and other names
# o inform resolves normally, but logs client IP address
# o inform acts like transparent, but logs client IP address
# o inform_deny drops queries and logs client IP address
# o always_transparent, always_refuse, always_nxdomain, resolve in
# that way but ignore local data for that name.
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
@ -553,6 +644,12 @@ server:
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
# tag a localzone with a list of tag names (in "" with spaces between)
# local-zone-tag: "example.com" "tag2 tag3"
# add a netblock specific override to a localzone, with zone type
# local-zone-override: "example.com" 192.0.2.0/24 refuse
# service clients over SSL (on the TCP sockets), with plain DNS inside
# the SSL stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
@ -586,7 +683,21 @@ server:
# ratelimit-for-domain: example.com 1000
# override the ratelimits for all domains below a domain name
# can give this multiple times, the name closest to the zone is used.
# ratelimit-below-domain: example 1000
# ratelimit-below-domain: com 1000
# global query ratelimit for all ip addresses.
# feature is experimental.
# if 0(default) it is disabled, otherwise states qps allowed per ip address
# ip-ratelimit: 0
# ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
# ip-ratelimit-size: 4m
# ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
# ip-ratelimit-slabs: 4
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
@ -639,6 +750,7 @@ remote-control:
# stub-addr: 192.0.2.68
# stub-prime: no
# stub-first: no
# stub-ssl-upstream: no
# stub-zone:
# name: "example.org"
# stub-host: ns.example.com.
@ -654,6 +766,44 @@ remote-control:
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no
# forward-ssl-upstream: no
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
# Views
# Create named views. Name must be unique. Map views to requests using
# the access-control-view option. Views can contain zero or more local-zone
# and local-data options. Options from matching views will override global
# options. Global options will be used if no matching view is found.
# With view-first yes, it will try to answer using the global local-zone and
# local-data elements if there is no view specific match.
# view:
# name: "viewname"
# local-zone: "example.com" redirect
# local-data: "example.com A 192.0.2.3"
# local-data-ptr: "192.0.2.3 www.example.com"
# view-first: no
# view:
# name: "anotherview"
# local-zone: "example.com" refuse
# DNSCrypt
# Caveats:
# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
# listen on `dnscrypt-port` with the follo0wing snippet:
# server:
# interface: 0.0.0.0@443
# interface: ::0@443
#
# Finally, `dnscrypt` config has its own section.
# dnscrypt:
# dnscrypt-enable: yes
# dnscrypt-port: 443
# dnscrypt-provider: 2.dnscrypt-cert.example.com.
# dnscrypt-secret-key: /path/unbound-conf/keys1/1.key
# dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
# dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert

View file

@ -1,4 +1,4 @@
.TH "libunbound" "3" "@date@" "NLnet Labs" "unbound @version@"
.TH "libunbound" "3" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@ -12,13 +12,14 @@
.B unbound.h,
.B ub_ctx,
.B ub_result,
.B ub_callback_t,
.B ub_callback_type,
.B ub_ctx_create,
.B ub_ctx_delete,
.B ub_ctx_set_option,
.B ub_ctx_get_option,
.B ub_ctx_config,
.B ub_ctx_set_fwd,
.B ub_ctx_set_stub,
.B ub_ctx_resolvconf,
.B ub_ctx_hosts,
.B ub_ctx_add_ta,
@ -42,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
\- Unbound DNS validating resolver @version@ functions.
\- Unbound DNS validating resolver 1.6.3 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
@ -65,6 +66,12 @@
\fBub_ctx_set_fwd\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR addr);
.LP
\fIint\fR
\fBub_ctx_set_stub\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone,
\fIchar*\fR addr,
.br
\fIint\fR isprime);
.LP
\fIint\fR
\fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
.LP
\fIint\fR
@ -113,7 +120,7 @@
.br
\fIint\fR rrtype, \fIint\fR rrclass, \fIvoid*\fR mydata,
.br
\fIub_callback_t\fR callback, \fIint*\fR async_id);
\fIub_callback_type\fR callback, \fIint*\fR async_id);
.LP
\fIint\fR
\fBub_cancel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR async_id);
@ -173,7 +180,7 @@ and
.B ub_ctx_hosts
to read them.
Before you call this, use the openssl functions CRYPTO_set_id_callback and
CRYPTO_set_locking_callback to set up asyncronous operation if you use
CRYPTO_set_locking_callback to set up asynchronous operation if you use
lib openssl (the application calls these functions once for initialisation).
Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function.
.TP
@ -207,6 +214,15 @@ that case the addresses are used as backup servers.
At this time it is only possible to set configuration before the
first resolve is done.
.TP
.B ub_ctx_set_stub
Set a stub zone, authoritative dns servers to use for a particular zone.
IP4 or IP6 address. If the address is NULL the stub entry is removed.
Set isprime true if you configure root hints with it. Otherwise similar to
the stub zone item from unbound's config file. Can be called several times,
for different zones, or to add multiple addresses for a particular zone.
At this time it is only possible to set configuration before the
first resolve is done.
.TP
.B ub_ctx_resolvconf
By default the root servers are queried and full resolver mode is used, but
you can use this call to read the list of nameservers to use from the

View file

@ -1,4 +1,4 @@
.TH "unbound-anchor" "8" "@date@" "NLnet Labs" "unbound @version@"
.TH "unbound-anchor" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
@ -16,6 +16,8 @@
.SH "DESCRIPTION"
.B Unbound\-anchor
performs setup or update of the root trust anchor for DNSSEC validation.
The program fetches the trust anchor with the method from RFC7958 when
regular RFC5011 update fails to bring it up to date.
It can be run (as root) from the commandline, or run as part of startup
scripts. Before you start the \fIunbound\fR(8) DNS server.
.P
@ -39,8 +41,8 @@ update certificate files.
.P
It tests if the root anchor file works, and if not, and an update is possible,
attempts to update the root anchor using the root update certificate.
It performs a https fetch of root-anchors.xml and checks the results, if
all checks are successful, it updates the root anchor file. Otherwise
It performs a https fetch of root-anchors.xml and checks the results (RFC7958),
if all checks are successful, it updates the root anchor file. Otherwise
the root anchor file is unchanged. It performs RFC5011 tracking if the
DNSSEC information available via the DNS makes that possible.
.P
@ -65,7 +67,7 @@ List the builtin root key and builtin root update certificate on stdout.
.B \-u \fIname
The server name, it connects to https://name. Specify without https:// prefix.
The default is "data.iana.org". It connects to the port specified with \-P.
You can pass an IPv4 addres or IPv6 address (no brackets) if you want.
You can pass an IPv4 address or IPv6 address (no brackets) if you want.
.TP
.B \-x \fIpath
The pathname to the root\-anchors.xml file on the server. (forms URL with \-u).

View file

@ -1,4 +1,4 @@
.TH "unbound-checkconf" "8" "@date@" "NLnet Labs" "unbound @version@"
.TH "unbound-checkconf" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"

View file

@ -1,4 +1,4 @@
.TH "unbound-control" "8" "@date@" "NLnet Labs" "unbound @version@"
.TH "unbound-control" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@ -99,6 +99,22 @@ but if the name has become an empty nonterminal (there is still data in
domain names below the removed name), NOERROR nodata answers are the
result for that name.
.TP
.B local_zones
Add local zones read from stdin of unbound\-control. Input is read per line,
with name space type on a line. For bulk additions.
.TP
.B local_zones_remove
Remove local zones read from stdin of unbound\-control. Input is one name per
line. For bulk removals.
.TP
.B local_datas
Add local data RRs read from stdin of unbound\-control. Input is one RR per
line. For bulk additions.
.TP
.B local_datas_remove
Remove local data RRs read from stdin of unbound\-control. Input is one name per
line. For bulk removals.
.TP
.B dump_cache
The contents of the cache is printed in a text format to stdout. You can
redirect it to a file to store the cache in a file.
@ -178,7 +194,7 @@ harden\-referral\-path, prefetch, prefetch\-key, log\-queries,
hide\-identity, hide\-version, identity, version, val\-log\-level,
val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown,
keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size, ratelimit,
cache\-max\-ttl, cache\-min\-ttl, cache\-max\-negative\-ttl.
ip\-ratelimit, cache\-max\-ttl, cache\-min\-ttl, cache\-max\-negative\-ttl.
.TP
.B get_option \fIopt
Get the value of the option. Give the option name without a trailing ':'.
@ -263,6 +279,30 @@ estimated qps and qps limit from config. With +a it prints all domains, not
just the ratelimited domains, with their estimated qps. The ratelimited
domains return an error for uncached (new) queries, but cached queries work
as normal.
.TP
.B ip_ratelimit_list \fR[\fI+a\fR]
List the ip addresses that are ratelimited. Printed one per line with current
estimated qps and qps limit from config. With +a it prints all ips, not
just the ratelimited ips, with their estimated qps. The ratelimited
ips are dropped before checking the cache.
.TP
.B view_list_local_zones \fIview\fR
\fIlist_local_zones\fR for given view.
.TP
.B view_local_zone \fIview\fR \fIname\fR \fItype
\fIlocal_zone\fR for given view.
.TP
.B view_local_zone_remove \fIview\fR \fIname
\fIlocal_zone_remove\fR for given view.
.TP
.B view_list_local_data \fIview\fR
\fIlist_local_data\fR for given view.
.TP
.B view_local_data \fIview\fR \fIRR data...
\fIlocal_data\fR for given view.
.TP
.B view_local_data_remove \fIview\fR \fIname
\fIlocal_data_remove\fR for given view.
.SH "EXIT CODE"
The unbound\-control program exits with status code 1 on error, 0 on success.
.SH "SET UP"
@ -288,6 +328,9 @@ The \fIstats\fR command shows a number of statistic counters.
.I threadX.num.queries
number of queries received by thread
.TP
.I threadX.num.queries_ip_ratelimited
number of queries rate limited by thread
.TP
.I threadX.num.cachehits
number of queries that were successfully answered using a cache lookup
.TP
@ -301,6 +344,9 @@ and resulted in recursive processing, taking a slot in the requestlist.
Not part of the recursivereplies (or the histogram thereof) or cachemiss,
as a cache response was sent.
.TP
.I threadX.num.zero_ttl
number of replies with ttl zero, because they served an expired cache entry.
.TP
.I threadX.num.recursivereplies
The number of replies sent to queries that needed recursive processing. Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries.
.TP
@ -350,6 +396,9 @@ summed over threads.
.I total.num.prefetch
summed over threads.
.TP
.I total.num.zero_ttl
summed over threads.
.TP
.I total.num.recursivereplies
summed over threads.
.TP
@ -384,9 +433,6 @@ uptime since server boot in seconds.
time since last statistics printout, in seconds.
.SH EXTENDED STATISTICS
.TP
.I mem.total.sbrk
If sbrk(2) is available, an estimate of the heap size of the program in number of bytes. Close to the total memory used by the program, as reported by top and ps. Could be wrong if the OS allocates memory non\-contiguously.
.TP
.I mem.cache.rrset
Memory in bytes in use by the RRset cache.
.TP

View file

@ -1,4 +1,4 @@
.TH "unbound\-host" "1" "@date@" "NLnet Labs" "unbound @version@"
.TH "unbound\-host" "1" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"

View file

@ -1,4 +1,4 @@
.TH "unbound" "8" "@date@" "NLnet Labs" "unbound @version@"
.TH "unbound" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.\"
.\" unbound.8 -- unbound manual
.\"
@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
\- Unbound DNS validating resolver @version@.
\- Unbound DNS validating resolver 1.6.3.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]

View file

@ -1,4 +1,4 @@
.TH "unbound.conf" "5" "@date@" "NLnet Labs" "unbound @version@"
.TH "unbound.conf" "5" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@ -72,7 +72,8 @@ Processing continues as if the text from the included file was copied into
the config file at that point. If also using chroot, using full path names
for the included files works, relative pathnames for the included names work
if the directory where the daemon is started equals its chroot/working
directory. Wildcards can be used to include multiple files, see \fIglob\fR(7).
directory or is specified before the include statement with directory: dir.
Wildcards can be used to include multiple files, see \fIglob\fR(7).
.SS "Server Options"
These options are part of the
.B server:
@ -126,7 +127,7 @@ Detect source interface on UDP queries and copy them to replies. This
feature is experimental, and needs support in your OS for particular socket
options. Default value is no.
.TP
.B outgoing\-interface: \fI<ip address>
.B outgoing\-interface: \fI<ip address or ip6 netblock>
Interface to use to connect to the network. This interface is used to send
queries to authoritative servers and receive their replies. Can be given
multiple times to work on several interfaces. If none are given the
@ -136,12 +137,28 @@ and
.B outgoing\-interface:
lines, the interfaces are then used for both purposes. Outgoing queries are
sent via a random outgoing interface to counter spoofing.
.IP
If an IPv6 netblock is specified instead of an individual IPv6 address,
outgoing UDP queries will use a randomised source address taken from the
netblock to counter spoofing. Requires the IPv6 netblock to be routed to the
host running unbound, and requires OS support for unprivileged non-local binds
(currently only supported on Linux). Several netblocks may be specified with
multiple
.B outgoing\-interface:
options, but do not specify both an individual IPv6 address and an IPv6
netblock, or the randomisation will be compromised. Consider combining with
.B prefer\-ip6: yes
to increase the likelihood of IPv6 nameservers being selected for queries.
On Linux you need these two commands to be able to use the freebind socket
option to receive traffic for the ip6 netblock:
ip \-6 addr add mynetblock/64 dev lo &&
ip \-6 route add local mynetblock/64 dev lo
.TP
.B outgoing\-range: \fI<number>
Number of ports to open. This number of file descriptors can be opened per
thread. Must be at least 1. Default depends on compile options. Larger
numbers need extra resources from the operating system. For performance a
a very large value is best, use libevent to make this possible.
very large value is best, use libevent to make this possible.
.TP
.B outgoing\-port\-permit: \fI<port number or range>
Permit unbound to open this port or range of ports for use to send queries.
@ -275,7 +292,14 @@ are going to exist later on, with host failover configuration. This is
a lot like interface\-automatic, but that one services all interfaces
and with this option you can select which (future) interfaces unbound
provides service on. This option needs unbound to be started with root
permissions on some systems.
permissions on some systems. The option uses IP_BINDANY on FreeBSD systems.
.TP
.B ip\-freebind: \fI<yes or no>
If yes, then use IP_FREEBIND socket option on sockets where unbound
is listening to incoming traffic. Default no. Allows you to bind to
IP addresses that are nonlocal or do not exist, like when the network
interface or IP address is down. Exists only on Linux, where the similar
ip\-transparent option is also available.
.TP
.B rrset\-cache\-size: \fI<number>
Number of bytes size of the RRset cache. Default is 4 megabytes.
@ -322,6 +346,10 @@ Lower limit for dynamic retransmit timeout calculation in infrastructure
cache. Default is 50 milliseconds. Increase this value if using forwarders
needing more time to do recursive name resolution.
.TP
.B define\-tag: \fI<"list of tags">
Define the tags that can be used with local\-zone and access\-control.
Enclose the list between quotes ("") and put spaces between tags.
.TP
.B do\-ip4: \fI<yes or no>
Enable or disable whether ip4 queries are answered or issued. Default is yes.
.TP
@ -332,12 +360,32 @@ IPv6 to the internet nameservers. With this option you can disable the
ipv6 transport for sending DNS traffic, it does not impact the contents of
the DNS traffic, which may have ip4 and ip6 addresses in it.
.TP
.B prefer\-ip6: \fI<yes or no>
If enabled, prefer IPv6 transport for sending DNS queries to internet
nameservers. Default is no.
.TP
.B do\-udp: \fI<yes or no>
Enable or disable whether UDP queries are answered or issued. Default is yes.
.TP
.B do\-tcp: \fI<yes or no>
Enable or disable whether TCP queries are answered or issued. Default is yes.
.TP
.B tcp\-mss: \fI<number>
Maximum segment size (MSS) of TCP socket on which the server responds
to queries. Value lower than common MSS on Ethernet
(1220 for example) will address path MTU problem.
Note that not all platform supports socket option to set MSS (TCP_MAXSEG).
Default is system default MSS determined by interface MTU and
negotiation between server and client.
.TP
.B outgoing\-tcp\-mss: \fI<number>
Maximum segment size (MSS) of TCP socket for outgoing queries
(from Unbound to other servers). Value lower than
common MSS on Ethernet (1220 for example) will address path MTU problem.
Note that not all platform supports socket option to set MSS (TCP_MAXSEG).
Default is system default MSS determined by interface MTU and
negotiation between Unbound and other servers.
.TP
.B tcp\-upstream: \fI<yes or no>
Enable or disable whether the upstream queries use TCP only for transport.
Default is no. Useful in tunneling scenarios.
@ -365,9 +413,14 @@ turned off.
The port number on which to provide TCP SSL service, default 853, only
interfaces configured with that port number as @number get the SSL service.
.TP
.B use\-systemd: \fI<yes or no>
Enable or disable systemd socket activation.
Default is no.
.TP
.B do\-daemonize: \fI<yes or no>
Enable or disable whether the unbound server forks into the background as
a daemon. Default is yes.
a daemon. Set the value to \fIno\fR when unbound runs as systemd service.
Default is yes.
.TP
.B access\-control: \fI<IP netblock> <action>
The netblock is given as an IP4 or IP6 address with /size appended for a
@ -409,6 +462,26 @@ allowed full recursion but only the static data. With deny_non_local,
messages that are disallowed are dropped, with refuse_non_local they
receive error code REFUSED.
.TP
.B access\-control\-tag: \fI<IP netblock> <"list of tags">
Assign tags to access-control elements. Clients using this access control
element use localzones that are tagged with one of these tags. Tags must be
defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put
spaces between tags. If access\-control\-tag is configured for a netblock that
does not have an access\-control, an access\-control element with action
\fIallow\fR is configured for this netblock.
.TP
.B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
Set action for particular tag for given access control element. If you have
multiple tag values, the tag used to lookup the action is the first tag match
between access\-control\-tag and local\-zone\-tag where "first" comes from the
order of the define-tag values.
.TP
.B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
Set redirect data for particular tag for given access control element.
.TP
.B access\-control\-view: \fI<IP netblock> <view name>
Set view for given access control element.
.TP
.B chroot: \fI<directory>
If chroot is enabled, you should pass the configfile (from the
commandline) as a full path from the original root. After the
@ -446,6 +519,8 @@ requires privileges, then a reload will fail; a restart is needed.
Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
On Windows the string "%EXECUTABLE%" tries to change to the directory
that unbound.exe resides in.
If you give a server: directory: dir before include: file statements
then those includes can be relative to the working directory.
.TP
.B logfile: \fI<filename>
If "" is given, logging goes to stderr, or nowhere once daemonized.
@ -464,6 +539,13 @@ The log facility LOG_DAEMON is used, with identity "unbound".
The logfile setting is overridden when use\-syslog is turned on.
The default is to log to syslog.
.TP
.B log\-identity: \fI<string>
If "" is given (default), then the name of the executable, usually "unbound"
is used to report to the log. Enter a string to override it
with that, which is useful on systems that run more than one instance of
unbound, with different configurations, so that the logs can be easily
distinguished against.
.TP
.B log\-time\-ascii: \fI<yes or no>
Sets logfile lines to use a timestamp in UTC ascii. Default is no, which
prints the seconds since 1970 in brackets. No effect if using syslog, in
@ -475,6 +557,13 @@ name, type and class. Default is no. Note that it takes time to print these
lines which makes the server (significantly) slower. Odd (nonprintable)
characters in names are printed as '?'.
.TP
.B log\-replies: \fI<yes or no>
Prints one line per reply to the log, with the log timestamp and IP address,
name, type, class, return code, time to resolve, from cache and response size.
Default is no. Note that it takes time to print these
lines which makes the server (significantly) slower. Odd (nonprintable)
characters in names are printed as '?'.
.TP
.B pidfile: \fI<filename>
The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
So,
@ -507,6 +596,9 @@ If enabled version.server and version.bind queries are refused.
Set the version to report. If set to "", the default, then the package
version is returned.
.TP
.B hide\-trustanchor: \fI<yes or no>
If enabled trustanchor.unbound queries are refused.
.TP
.B target\-fetch\-policy: \fI<"list of numbers">
Set the target fetch policy used by unbound to determine if it should fetch
nameserver target addresses opportunistically. The policy is described per
@ -547,13 +639,15 @@ unsigned to badly signed often. If turned off you run the risk of a
downgrade attack that disables security for a zone. Default is on.
.TP
.B harden\-below\-nxdomain: \fI<yes or no>
From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name
From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"),
returns nxdomain to queries for a name
below another name that is already known to be nxdomain. DNSSEC mandates
noerror for empty nonterminals, hence this is possible. Very old software
might return nxdomain for empty nonterminals (that usually happen for reverse
IP address lookups), and thus may be incompatible with this. To try to avoid
this only DNSSEC-secure nxdomains are used, because the old software does not
have DNSSEC. Default is off.
The nxdomain must be secure, this means nsec3 with optout is insufficient.
.TP
.B harden\-referral\-path: \fI<yes or no>
Harden the referral path by performing additional queries for
@ -590,8 +684,15 @@ Can be given multiple times, for different domains.
.B qname\-minimisation: \fI<yes or no>
Send minimum amount of information to upstream servers to enhance privacy.
Only sent minimum required labels of the QNAME and set QTYPE to NS when
possible. Best effort approach, full QNAME and original QTYPE will be sent when
upstream replies with a RCODE other than NOERROR. Default is off.
possible. Best effort approach; full QNAME and original QTYPE will be sent when
upstream replies with a RCODE other than NOERROR, except when receiving
NXDOMAIN from a DNSSEC signed zone. Default is off.
.TP
.B qname\-minimisation\-strict: \fI<yes or no>
QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to
potentially broken nameservers. A lot of domains will not be resolvable when
this option in enabled. Only use if you know what you are doing.
This option only has effect when qname-minimisation is enabled. Default is off.
.TP
.B private\-address: \fI<IP address or subnet>
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
@ -657,6 +758,13 @@ This may cause a slight speedup. The default is no, because the DNS
protocol RFCs mandate these sections, and the additional content could
be of use and save roundtrips for clients.
.TP
.B disable-dnssec-lame-check: \fI<yes or no>
If true, disables the DNSSEC lameness check in the iterator. This check
sees if RRSIGs are present in the answer, when dnssec is expected,
and retries another authority if RRSIGs are unexpectedly missing.
The validator will insist in RRSIGs for DNSSEC signed domains regardless
of this setting, if a trust anchor is loaded.
.TP
.B module\-config: \fI<"module names">
Module configuration, a list of module names separated by spaces, surround
the string with quotes (""). The modules can be validator, iterator.
@ -675,7 +783,10 @@ File with trust anchor for one zone, which is tracked with RFC5011 probes.
The probes are several times per month, thus the machine must be online
frequently. The initial file can be one with contents as described in
\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
so the unbound user must have write permission.
so the unbound user must have write permission. Write permission to the file,
but also to the directory it is in (to create a temporary file, which is
necessary to deal with filesystem full events), it must also be inside the
chroot (if that is used).
.TP
.B trust\-anchor: \fI<"Resource Record">
A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
@ -782,6 +893,11 @@ servers that set the CD flag but cannot validate DNSSEC themselves are
the clients, and then unbound provides them with DNSSEC protection.
The default value is "no".
.TP
.B serve\-expired: \fI<yes or no>
If enabled, unbound attempts to serve old responses from cache with a
TTL of 0 in the response without waiting for the actual resolution to finish.
The actual resolution answer ends up in the cache later on. Default is "no".
.TP
.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
List of keysize and iteration count values, separated by spaces, surrounded
by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
@ -841,10 +957,16 @@ as a (DHCP-) DNS network resolver for a group of machines, where such
lookups should be filtered (RFC compliance), this also stops potential
data leakage about the local network to the upstream DNS servers.
.TP
.B insecure\-lan\-zones: \fI<yesno>
Default is disabled. If enabled, then reverse lookups in private
address space are not validated. This is usually required whenever
\fIunblock\-lan\-zones\fR is used.
.TP
.B local\-zone: \fI<zone> <type>
Configure a local zone. The type determines the answer to give if
there is no match from local\-data. The types are deny, refuse, static,
transparent, redirect, nodefault, typetransparent, inform, inform_deny,
always_transparent, always_refuse, always_nxdomain,
and are explained below. After that the default settings are listed. Use
local\-data: to enter data into the local zone. Answers for local zones
are authoritative DNS answers. By default the zones are class IN.
@ -895,16 +1017,25 @@ queries for www.example.com and www.foo.example.com are redirected, so
that users with web browsers cannot access sites with suffix example.com.
.TP 10
\h'5'\fIinform\fR
The query is answered normally. The client IP address (@portnumber)
is printed to the logfile. The log message is: timestamp, unbound-pid,
info: zonename inform IP@port queryname type class. This option can be
used for normal resolution, but machines looking up infected names are
logged, eg. to run antivirus on them.
The query is answered normally, same as transparent. The client IP
address (@portnumber) is printed to the logfile. The log message is:
timestamp, unbound-pid, info: zonename inform IP@port queryname type
class. This option can be used for normal resolution, but machines
looking up infected names are logged, eg. to run antivirus on them.
.TP 10
\h'5'\fIinform_deny\fR
The query is dropped, like 'deny', and logged, like 'inform'. Ie. find
infected machines without answering the queries.
.TP 10
\h'5'\fIalways_transparent\fR
Like transparent, but ignores local data and resolves normally.
.TP 10
\h'5'\fIalways_refuse\fR
Like refuse, but ignores local data and refuses the query.
.TP 10
\h'5'\fIalways_nxdomain\fR
Like static, but ignores local data and returns nxdomain for the query.
.TP 10
\h'5'\fInodefault\fR
Used to turn off default contents for AS112 zones. The other types
also turn off default contents for the zone. The 'nodefault' option
@ -912,10 +1043,10 @@ has no other effect than turning off default contents for the
given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
use a subzone, use \fItransparent\fR.
.P
The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
zones. The AS112 zones are reverse DNS zones for private use and reserved
IP addresses for which the servers on the internet cannot provide correct
answers. They are configured by default to give nxdomain (no reverse
The default zones are localhost, reverse 127.0.0.1 and ::1, the onion and
the AS112 zones. The AS112 zones are reverse DNS zones for private use and
reserved IP addresses for which the servers on the internet cannot provide
correct answers. They are configured by default to give nxdomain (no reverse
information) answers. The defaults can be turned off by specifying your
own local\-zone of that name, or using the 'nodefault' type. Below is a
list of the default zone contents.
@ -959,6 +1090,15 @@ local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
PTR localhost."
.fi
.TP 10
\h'5'\fIonion (RFC 7686)\fR
Default content:
.nf
local\-zone: "onion." static
local\-data: "onion. 10800 IN NS localhost."
local\-data: "onion. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
.fi
.TP 10
\h'5'\fIreverse RFC1918 local use zones\fR
Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
@ -1013,6 +1153,18 @@ Configure local data shorthand for a PTR record with the reversed IPv4 or
IPv6 address and the host name. For example "192.0.2.4 www.example.com".
TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
.TP 5
.B local\-zone\-tag: \fI<zone> <"list of tags">
Assign tags to localzones. Tagged localzones will only be applied when the
used access-control element has a matching tag. Tags must be defined in
\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
tags.
.TP 5
.B local\-zone\-override: \fI<zone> <IP netblock> <type>
Override the localzone type for queries from addresses matching netblock.
Use this localzone type, regardless the type configured for the local-zone
(both tagged and untagged) and regardless the type configured using
access\-control\-tag\-action.
.TP 5
.B ratelimit: \fI<number or 0>
Enable ratelimiting of queries sent to nameserver for performing recursion.
If 0, the default, it is disabled. This option is experimental at this time.
@ -1057,6 +1209,34 @@ in different parts of the namespace. The closest matching suffix is used
to determine the qps limit. The rate for the exact matching domain name
is not changed, use ratelimit\-for\-domain to set that, you might want
to use different settings for a top\-level\-domain and subdomains.
.TP 5
.B ip\-ratelimit: \fI<number or 0>
Enable global ratelimiting of queries accepted per ip address.
If 0, the default, it is disabled. This option is experimental at this time.
The ratelimit is in queries per second that are allowed. More queries are
completely dropped and will not receive a reply, SERVFAIL or otherwise.
IP ratelimiting happens before looking in the cache. This may be useful for
mitigating amplification attacks.
.TP 5
.B ip\-ratelimit\-size: \fI<memory size>
Give the size of the data structure in which the current ongoing rates are
kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
The ip ratelimit structure is small, so this data structure likely does
not need to be large.
.TP 5
.B ip\-ratelimit\-slabs: \fI<number>
Give power of 2 number of slabs, this is used to reduce lock contention
in the ip ratelimit tracking data structure. Close to the number of cpus is
a fairly good setting.
.TP 5
.B ip\-ratelimit\-factor: \fI<number>
Set the amount of queries to rate limit when the limit is exceeded.
If set to 0, all queries are dropped for addresses where the limit is
exceeded. If set to another value, 1 in that number is allowed through
to complete. Default is 10, allowing 1/10 traffic to flow normally.
This can make ordinary queries complete (if repeatedly queried for),
and enter the cache, whilst also mitigating the traffic flow by the
factor given.
.SS "Remote Control Options"
In the
.B remote\-control:
@ -1167,6 +1347,10 @@ If enabled, a query is attempted without the stub clause if it fails.
The data could not be retrieved and would have caused SERVFAIL because
the servers are unreachable, instead it is tried without this clause.
The default is no.
.TP
.B stub\-ssl\-upstream: \fI<yes or no>
Enabled or disable whether the queries to this stub use SSL for transport.
Default is no.
.SS "Forward Zone Options"
.LP
There may be multiple
@ -1197,6 +1381,40 @@ If enabled, a query is attempted without the forward clause if it fails.
The data could not be retrieved and would have caused SERVFAIL because
the servers are unreachable, instead it is tried without this clause.
The default is no.
.TP
.B forward\-ssl\-upstream: \fI<yes or no>
Enabled or disable whether the queries to this forwarder use SSL for transport.
Default is no.
.SS "View Options"
.LP
There may be multiple
.B view:
clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view
name in an \fBaccess\-control\-view\fR element. Options from matching views will
override global options. Global options will be used if no matching view
is found.
.TP
.B name: \fI<view name>
Name of the view. Must be unique. This name is used in access\-control\-view
elements.
.TP
.B local\-zone: \fI<zone> <type>
View specific local\-zone elements. Has the same types and behaviour as the
global local\-zone elements.
.TP
.B local\-data: \fI"<resource record string>"
View specific local\-data elements. Has the same behaviour as the global
local\-data elements.
.TP
.B local\-data\-ptr: \fI"IPaddr name"
View specific local\-data\-ptr elements. Has the same behaviour as the global
local\-data\-ptr elements.
.TP
.B view\-first: \fI<yes or no>
If enabled, it attempts to use the global local\-zone and local\-data if there
is no match in the view specific options.
The default is no.
.SS "Python Module Options"
.LP
The
@ -1206,6 +1424,12 @@ acts like the iterator and validator modules do, on queries and answers.
To enable the script module it has to be compiled into the daemon,
and the word "python" has to be put in the \fBmodule\-config:\fR option
(usually first, or between the validator and iterator).
.LP
If the \fBchroot:\fR option is enabled, you should make sure Python's
library directory structure is bind mounted in the new root environment, see
\fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an
absolute path relative to the new root, or as a relative path to the working
directory.
.TP
.B python\-script: \fI<python file>\fR
The script file to load.
@ -1222,6 +1446,79 @@ It must be /96 or shorter. The default prefix is 64:ff9b::/96.
.B dns64\-synthall: \fI<yes or no>\fR
Debug option, default no. If enabled, synthesize all AAAA records
despite the presence of actual AAAA records.
.SS "DNSCrypt Options"
.LP
The
.B dnscrypt:
clause give the settings of the dnscrypt channel. While those options are
available, they are only meaningful if unbound was compiled with
\fB\-\-enable\-dnscrypt\fR.
Currently certificate and secret/public keys cannot be generated by unbound.
You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
.TP
.B dnscrypt\-enable: \fI<yes or no>\fR
Whether or not the \fBdnscrypt\fR config should be enabled. You may define
configuration but not activate it.
The default is no.
.TP
.B dnscrypt\-port: \fI<port number>
On which port should \fBdnscrypt\fR should be activated. Note that you should
have a matching \fBinterface\fR option defined in the \fBserver\fR section for
this port.
.TP
.B dnscrypt\-provider: \fI<provider name>\fR
The provider name to use to distribute certificates. This is of the form:
\fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot.
.TP
.B dnscrypt\-secret\-key: \fI<path to secret key file>\fR
Path to the time limited secret key file. This option may be specified multiple
times.
.TP
.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option
may be specified multiple times.
.SS "EDNS Client Subnet Module Options"
.LP
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
validator iterator" directive and be compiled into the daemon to be
enabled. These settings go in the \fBserver:\fR section.
.LP
If the destination address is whitelisted with Unbound will add the EDNS0 option
to the query containing the relevant part of the client's address. When an
answer contains the ECS option the response and the option are placed in a
specialized cache. If the authority indicated no support, the response is stored
in the regular cache.
.LP
Additionally, when a client includes the option in its queries, Unbound will
forward the option to the authority regardless of the authorities presence in
the whitelist. In this case the lookup in the regular cache is skipped.
.LP
The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
configuration file. On top of that, for each query only 100 different subnets
are allowed to be stored for each address family. Exceeding that number, older
entries will be purged from cache.
.TP
.B send\-client\-subnet: \fI<IP address>\fR
Send client source address to this authority. Append /num to indicate a
classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can
be given multiple times. Authorities not listed will not receive edns-subnet
information.
.TP
.B client\-subnet\-always\-forward: \fI<yes or no>\fR
Specify whether the ECS whitelist check (configured using
\fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering
query contains an ECS record, or only for queries for which the ECS record is
generated using the querier address (and therefore did not contain ECS data in
the client query). If enabled, the whitelist check is skipped when the client
query contains an ECS record. Default is no.
.TP
.B max\-client\-subnet\-ipv6: \fI<number>\fR
Specifies the maximum prefix length of the client source address we are willing
to expose to third parties for IPv6. Defaults to 56.
.TP
.B max\-client\-subnet\-ipv4: \fI<number>\fR
Specifies the maximum prefix length of the client source address we are willing
to expose to third parties for IPv4. Defaults to 24.
.SH "MEMORY CONTROL EXAMPLE"
In the example config settings below memory usage is reduced. Some service
levels are lower, notable very large data and a high TCP load are no longer

View file

@ -623,7 +623,9 @@ EXCLUDE = ./build \
pythonmod/examples/resip.py \
libunbound/python/unbound.py \
libunbound/python/libunbound_wrap.c \
./ldns-src
./ldns-src \
doc/control_proto_spec.txt \
doc/requirements.txt
# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
# directories that are symbolic links (a Unix filesystem feature) are excluded

View file

@ -1,7 +1,7 @@
#!/bin/sh
# install - install a program, script, or datafile
scriptversion=2011-11-20.07; # UTC
scriptversion=2013-12-25.23; # UTC
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
@ -41,19 +41,15 @@ scriptversion=2011-11-20.07; # UTC
# This script is compatible with the BSD install script, but was written
# from scratch.
tab=' '
nl='
'
IFS=" "" $nl"
IFS=" $tab$nl"
# set DOITPROG to echo to test this script
# Set DOITPROG to "echo" to test this script.
# Don't use :- since 4.3BSD and earlier shells don't like it.
doit=${DOITPROG-}
if test -z "$doit"; then
doit_exec=exec
else
doit_exec=$doit
fi
doit_exec=${doit:-exec}
# Put in absolute file names if you don't have them in your path;
# or use environment vars.
@ -68,17 +64,6 @@ mvprog=${MVPROG-mv}
rmprog=${RMPROG-rm}
stripprog=${STRIPPROG-strip}
posix_glob='?'
initialize_posix_glob='
test "$posix_glob" != "?" || {
if (set -f) 2>/dev/null; then
posix_glob=
else
posix_glob=:
fi
}
'
posix_mkdir=
# Desired mode of installed file.
@ -97,7 +82,7 @@ dir_arg=
dst_arg=
copy_on_change=false
no_target_directory=
is_target_a_directory=possibly
usage="\
Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
@ -143,8 +128,7 @@ while test $# -ne 0; do
-m) mode=$2
case $mode in
*' '* | *' '* | *'
'* | *'*'* | *'?'* | *'['*)
*' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*)
echo "$0: invalid mode: $mode" >&2
exit 1;;
esac
@ -155,14 +139,16 @@ while test $# -ne 0; do
-s) stripcmd=$stripprog;;
-t) dst_arg=$2
-t)
is_target_a_directory=always
dst_arg=$2
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
shift;;
-T) no_target_directory=true;;
-T) is_target_a_directory=never;;
--version) echo "$0 $scriptversion"; exit $?;;
@ -177,6 +163,16 @@ while test $# -ne 0; do
shift
done
# We allow the use of options -d and -T together, by making -d
# take the precedence; this is for compatibility with GNU install.
if test -n "$dir_arg"; then
if test -n "$dst_arg"; then
echo "$0: target directory not allowed when installing a directory." >&2
exit 1
fi
fi
if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
# When -d is used, all remaining arguments are directories to create.
# When -t is used, the destination is already specified.
@ -207,6 +203,15 @@ if test $# -eq 0; then
exit 0
fi
if test -z "$dir_arg"; then
if test $# -gt 1 || test "$is_target_a_directory" = always; then
if test ! -d "$dst_arg"; then
echo "$0: $dst_arg: Is not a directory." >&2
exit 1
fi
fi
fi
if test -z "$dir_arg"; then
do_exit='(exit $ret); exit $ret'
trap "ret=129; $do_exit" 1
@ -269,7 +274,7 @@ do
# If destination is a directory, append the input filename; won't work
# if double slashes aren't ignored.
if test -d "$dst"; then
if test -n "$no_target_directory"; then
if test "$is_target_a_directory" = never; then
echo "$0: $dst_arg: Is a directory" >&2
exit 1
fi
@ -277,33 +282,7 @@ do
dst=$dstdir/`basename "$src"`
dstdir_status=0
else
# Prefer dirname, but fall back on a substitute if dirname fails.
dstdir=`
(dirname "$dst") 2>/dev/null ||
expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
X"$dst" : 'X\(//\)[^/]' \| \
X"$dst" : 'X\(//\)$' \| \
X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
echo X"$dst" |
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
s//\1/
q
}
/^X\(\/\/\)[^/].*/{
s//\1/
q
}
/^X\(\/\/\)$/{
s//\1/
q
}
/^X\(\/\).*/{
s//\1/
q
}
s/.*/./; q'
`
dstdir=`dirname "$dst"`
test -d "$dstdir"
dstdir_status=$?
fi
@ -396,14 +375,12 @@ do
*) prefix='';;
esac
eval "$initialize_posix_glob"
oIFS=$IFS
IFS=/
$posix_glob set -f
set -f
set fnord $dstdir
shift
$posix_glob set +f
set +f
IFS=$oIFS
prefixes=
@ -474,13 +451,10 @@ do
if $copy_on_change &&
old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&
eval "$initialize_posix_glob" &&
$posix_glob set -f &&
set -f &&
set X $old && old=:$2:$4:$5:$6 &&
set X $new && new=:$2:$4:$5:$6 &&
$posix_glob set +f &&
set +f &&
test "$old" = "$new" &&
$cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
then

View file

@ -72,6 +72,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
return NULL;
copy->bogus = dp->bogus;
copy->has_parent_side_NS = dp->has_parent_side_NS;
copy->ssl_upstream = dp->ssl_upstream;
for(ns = dp->nslist; ns; ns = ns->next) {
if(!delegpt_add_ns(copy, region, ns->name, ns->lame))
return NULL;

View file

@ -81,6 +81,8 @@ struct delegpt {
uint8_t has_parent_side_NS;
/** for assertions on type of delegpt */
uint8_t dp_type_mlc;
/** use SSL for upstream query */
uint8_t ssl_upstream;
};
/**
@ -355,7 +357,7 @@ void delegpt_no_ipv4(struct delegpt* dp);
/**
* create malloced delegation point, with the given name
* @param name: uncompressed wireformat of degegpt name.
* @param name: uncompressed wireformat of delegpt name.
* @return NULL on alloc failure
*/
struct delegpt* delegpt_create_mlc(uint8_t* name);

View file

@ -58,7 +58,7 @@ struct iter_donotq {
* contents of type addr_tree_node. Each node is an address span
* that must not be used to send queries to.
*/
rbtree_t tree;
rbtree_type tree;
};
/**

View file

@ -82,7 +82,7 @@ static void fwd_zone_free(struct iter_forward_zone* n)
free(n);
}
static void delfwdnode(rbnode_t* n, void* ATTR_UNUSED(arg))
static void delfwdnode(rbnode_type* n, void* ATTR_UNUSED(arg))
{
struct iter_forward_zone* node = (struct iter_forward_zone*)n;
fwd_zone_free(node);
@ -265,6 +265,8 @@ read_forwards(struct iter_forwards* fwd, struct config_file* cfg)
* last resort will ask for parent-side NS record and thus
* fallback to the internet name servers on a failure */
dp->has_parent_side_NS = (uint8_t)!s->isfirst;
/* use SSL for queries to this forwarder */
dp->ssl_upstream = (uint8_t)s->ssl_upstream;
verbose(VERB_QUERY, "Forward zone server list:");
delegpt_log(VERB_QUERY, dp);
if(!forwards_insert(fwd, LDNS_RR_CLASS_IN, dp))
@ -294,6 +296,7 @@ make_stub_holes(struct iter_forwards* fwd, struct config_file* cfg)
uint8_t* dname;
size_t dname_len;
for(s = cfg->stubs; s; s = s->next) {
if(!s->name) continue;
dname = sldns_str2wire_dname(s->name, &dname_len);
if(!dname) {
log_err("cannot parse stub name '%s'", s->name);
@ -329,7 +332,7 @@ forwards_apply_cfg(struct iter_forwards* fwd, struct config_file* cfg)
struct delegpt*
forwards_find(struct iter_forwards* fwd, uint8_t* qname, uint16_t qclass)
{
rbnode_t* res = NULL;
rbnode_type* res = NULL;
struct iter_forward_zone key;
key.node.key = &key;
key.dclass = qclass;
@ -344,7 +347,7 @@ struct delegpt*
forwards_lookup(struct iter_forwards* fwd, uint8_t* qname, uint16_t qclass)
{
/* lookup the forward zone in the tree */
rbnode_t* res = NULL;
rbnode_type* res = NULL;
struct iter_forward_zone *result;
struct iter_forward_zone key;
key.node.key = &key;
@ -385,7 +388,7 @@ int
forwards_next_root(struct iter_forwards* fwd, uint16_t* dclass)
{
struct iter_forward_zone key;
rbnode_t* n;
rbnode_type* n;
struct iter_forward_zone* p;
if(*dclass == 0) {
/* first root item is first item in tree */

View file

@ -57,7 +57,7 @@ struct iter_forwards {
* match which gives the ancestor needed.
* contents of type iter_forward_zone.
*/
rbtree_t* tree;
rbtree_type* tree;
};
/**
@ -65,7 +65,7 @@ struct iter_forwards {
*/
struct iter_forward_zone {
/** redblacktree node, key is this structure: class and name */
rbnode_t node;
rbnode_type node;
/** name */
uint8_t* name;
/** length of name */

View file

@ -67,7 +67,7 @@ static void hints_stub_free(struct iter_hints_stub* s)
free(s);
}
static void delhintnode(rbnode_t* n, void* ATTR_UNUSED(arg))
static void delhintnode(rbnode_type* n, void* ATTR_UNUSED(arg))
{
struct iter_hints_stub* node = (struct iter_hints_stub*)n;
hints_stub_free(node);
@ -147,12 +147,14 @@ compile_time_root_prime(int do_ip4, int do_ip6)
if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:84::b")) goto failed;
if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
if(!ah(dp, "F.ROOT-SERVERS.NET.", "2001:500:2f::f")) goto failed;
if(!ah(dp, "G.ROOT-SERVERS.NET.", "2001:500:12::d0d")) goto failed;
if(!ah(dp, "H.ROOT-SERVERS.NET.", "2001:500:1::53")) goto failed;
if(!ah(dp, "I.ROOT-SERVERS.NET.", "2001:7fe::53")) goto failed;
if(!ah(dp, "J.ROOT-SERVERS.NET.", "2001:503:c27::2:30")) goto failed;
if(!ah(dp, "K.ROOT-SERVERS.NET.", "2001:7fd::1")) goto failed;
if(!ah(dp, "L.ROOT-SERVERS.NET.", "2001:500:3::42")) goto failed;
if(!ah(dp, "L.ROOT-SERVERS.NET.", "2001:500:9f::42")) goto failed;
if(!ah(dp, "M.ROOT-SERVERS.NET.", "2001:dc3::35")) goto failed;
}
return dp;
@ -274,6 +276,8 @@ read_stubs(struct iter_hints* hints, struct config_file* cfg)
* last resort will ask for parent-side NS record and thus
* fallback to the internet name servers on a failure */
dp->has_parent_side_NS = (uint8_t)!s->isfirst;
/* ssl_upstream */
dp->ssl_upstream = (uint8_t)s->ssl_upstream;
delegpt_log(VERB_QUERY, dp);
if(!hints_insert(hints, LDNS_RR_CLASS_IN, dp, !s->isprime))
return 0;

View file

@ -59,7 +59,7 @@ struct iter_hints {
* contents of type iter_hints_stub. The class IN root is in here.
* uses name_tree_node from dnstree.h.
*/
rbtree_t tree;
rbtree_type tree;
};
/**

View file

@ -60,14 +60,14 @@ struct iter_priv {
* contents of type addr_tree_node.
* No further data need, only presence or absence.
*/
rbtree_t a;
rbtree_type a;
/**
* Tree of the domains spans that are allowed to contain
* the blocked address spans.
* contents of type name_tree_node.
* No further data need, only presence or absence.
*/
rbtree_t n;
rbtree_type n;
};
/**

View file

@ -161,8 +161,8 @@ mark_additional_rrset(sldns_buffer* pkt, struct msg_parse* msg,
for(rr = rrset->rr_first; rr; rr = rr->next) {
if(get_additional_name(rrset, rr, &nm, &nmlen, pkt)) {
/* mark A */
hashvalue_t h = pkt_hash_rrset(pkt, nm, LDNS_RR_TYPE_A,
rrset->rrset_class, 0);
hashvalue_type h = pkt_hash_rrset(pkt, nm,
LDNS_RR_TYPE_A, rrset->rrset_class, 0);
struct rrset_parse* r = msgparse_hashtable_lookup(
msg, pkt, h, 0, nm, nmlen,
LDNS_RR_TYPE_A, rrset->rrset_class);

View file

@ -108,7 +108,7 @@ read_fetch_policy(struct iter_env* ie, const char* str)
/** apply config caps whitelist items to name tree */
static int
caps_white_apply_cfg(rbtree_t* ntree, struct config_file* cfg)
caps_white_apply_cfg(rbtree_type* ntree, struct config_file* cfg)
{
struct config_strlist* p;
for(p=cfg->caps_whitelist; p; p=p->next) {
@ -360,6 +360,39 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
}
}
*selected_rtt = low_rtt;
if (env->cfg->prefer_ip6) {
int got_num6 = 0;
int low_rtt6 = 0;
int i;
prev = NULL;
a = dp->result_list;
for(i = 0; i < got_num; i++) {
swap_to_front = 0;
if(a->addr.ss_family == AF_INET6) {
got_num6++;
swap_to_front = 1;
if(low_rtt6 == 0 || a->sel_rtt < low_rtt6) {
low_rtt6 = a->sel_rtt;
}
}
/* swap to front if IPv6, or move to next result */
if(swap_to_front && prev) {
n = a->next_result;
prev->next_result = n;
a->next_result = dp->result_list;
dp->result_list = a;
a = n;
} else {
prev = a;
a = a->next_result;
}
}
if(got_num6 > 0) {
got_num = got_num6;
*selected_rtt = low_rtt6;
}
}
return got_num;
}
@ -499,6 +532,7 @@ causes_cycle(struct module_qstate* qstate, uint8_t* name, size_t namelen,
qinf.qname_len = namelen;
qinf.qtype = t;
qinf.qclass = c;
qinf.local_alias = NULL;
fptr_ok(fptr_whitelist_modenv_detect_cycle(
qstate->env->detect_cycle));
return (*qstate->env->detect_cycle)(qstate, &qinf,
@ -590,6 +624,27 @@ iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
return 1;
}
int
iter_indicates_dnssec_fwd(struct module_env* env, struct query_info *qinfo)
{
struct trust_anchor* a;
if(!env || !env->anchors || !qinfo || !qinfo->qname)
return 0;
/* a trust anchor exists above the name? */
if((a=anchors_lookup(env->anchors, qinfo->qname, qinfo->qname_len,
qinfo->qclass))) {
if(a->numDS == 0 && a->numDNSKEY == 0) {
/* insecure trust point */
lock_basic_unlock(&a->lock);
return 0;
}
lock_basic_unlock(&a->lock);
return 1;
}
/* no trust anchor above it. */
return 0;
}
int
iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
struct dns_msg* msg, uint16_t dclass)

View file

@ -173,6 +173,18 @@ void iter_mark_pside_cycle_targets(struct module_qstate* qstate,
int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
struct delegpt* dp);
/**
* See if qname has DNSSEC needs in the forwarding case. This is true if
* there is a trust anchor above it. Whether there is an insecure delegation
* to the data is unknown, but CD-retry is needed.
* @param env: environment with anchors.
* @param qinfo: query name and class.
* @return true if trust anchor above qname, false if no anchor or insecure
* point above qname.
*/
int iter_indicates_dnssec_fwd(struct module_env* env,
struct query_info *qinfo);
/**
* See if delegation is expected to have DNSSEC information (RRSIGs) in
* its answers, or not. Inspects delegation point (name), trust anchors,

View file

@ -82,27 +82,13 @@ iter_init(struct module_env* env, int id)
log_err("iterator: could not apply configuration settings.");
return 0;
}
if(env->cfg->qname_minimisation) {
uint8_t dname[LDNS_MAX_DOMAINLEN+1];
size_t len = sizeof(dname);
if(sldns_str2wire_dname_buf("ip6.arpa.", dname, &len) != 0) {
log_err("ip6.arpa. parse error");
return 0;
}
iter_env->ip6arpa_dname = (uint8_t*)malloc(len);
if(!iter_env->ip6arpa_dname) {
log_err("malloc failure");
return 0;
}
memcpy(iter_env->ip6arpa_dname, dname, len);
}
return 1;
}
/** delete caps_whitelist element */
static void
caps_free(struct rbnode_t* n, void* ATTR_UNUSED(d))
caps_free(struct rbnode_type* n, void* ATTR_UNUSED(d))
{
if(n) {
free(((struct name_tree_node*)n)->name);
@ -117,7 +103,6 @@ iter_deinit(struct module_env* env, int id)
if(!env || !env->modinfo[id])
return;
iter_env = (struct iter_env*)env->modinfo[id];
free(iter_env->ip6arpa_dname);
free(iter_env->target_fetch_policy);
priv_delete(iter_env->priv);
donotq_delete(iter_env->donotq);
@ -162,6 +147,8 @@ iter_new(struct module_qstate* qstate, int id)
/* Start with the (current) qname. */
iq->qchase = qstate->qinfo;
outbound_list_init(&iq->outlist);
iq->minimise_count = 0;
iq->minimise_timeout_count = 0;
if (qstate->env->cfg->qname_minimisation)
iq->minimisation_state = INIT_MINIMISE_STATE;
else
@ -229,6 +216,7 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
/* mark address as failed. */
struct delegpt_ns* dpns = NULL;
super_iq->num_target_queries--;
if(super_iq->dp)
dpns = delegpt_find_ns(super_iq->dp,
qstate->qinfo.qname, qstate->qinfo.qname_len);
@ -242,13 +230,11 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
return;
} else {
/* see if the failure did get (parent-lame) info */
if(!cache_fill_missing(super->env,
super_iq->qchase.qclass, super->region,
super_iq->dp))
if(!cache_fill_missing(super->env, super_iq->qchase.qclass,
super->region, super_iq->dp))
log_err("out of memory adding missing");
}
dpns->resolved = 1; /* mark as failed */
super_iq->num_target_queries--;
}
if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS) {
/* prime failed to get delegation */
@ -291,6 +277,7 @@ error_response(struct module_qstate* qstate, int id, int rcode)
static int
error_response_cache(struct module_qstate* qstate, int id, int rcode)
{
if(!qstate->no_cache_store) {
/* store in cache */
struct reply_info err;
if(qstate->prefetch_leeway > NORR_TTL) {
@ -312,6 +299,7 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
verbose(VERB_ALGO, "store error response in message cache");
iter_dns_store(qstate->env, &qstate->qinfo, &err, 0, 0, 0, NULL,
qstate->query_flags);
}
return error_response(qstate, id, rcode);
}
@ -384,6 +372,29 @@ iter_prepend(struct iter_qstate* iq, struct dns_msg* msg,
return 1;
}
/**
* Find rrset in ANSWER prepend list.
* to avoid duplicate DNAMEs when a DNAME is traversed twice.
* @param iq: iterator query state.
* @param rrset: rrset to add.
* @return false if not found
*/
static int
iter_find_rrset_in_prepend_answer(struct iter_qstate* iq,
struct ub_packed_rrset_key* rrset)
{
struct iter_prep_list* p = iq->an_prepend_list;
while(p) {
if(ub_rrset_compare(p->rrset, rrset) == 0 &&
rrsetdata_equal((struct packed_rrset_data*)p->rrset
->entry.data, (struct packed_rrset_data*)rrset
->entry.data))
return 1;
p = p->next;
}
return 0;
}
/**
* Add rrset to ANSWER prepend list
* @param qstate: query state.
@ -466,14 +477,16 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
* by this DNAME following, so we don't process the DNAME
* directly. */
if(ntohs(r->rk.type) == LDNS_RR_TYPE_DNAME &&
dname_strict_subdomain_c(*mname, r->rk.dname)) {
dname_strict_subdomain_c(*mname, r->rk.dname) &&
!iter_find_rrset_in_prepend_answer(iq, r)) {
if(!iter_add_prepend_answer(qstate, iq, r))
return 0;
continue;
}
if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME &&
query_dname_compare(*mname, r->rk.dname) == 0) {
query_dname_compare(*mname, r->rk.dname) == 0 &&
!iter_find_rrset_in_prepend_answer(iq, r)) {
/* Add this relevant CNAME rrset to the prepend list.*/
if(!iter_add_prepend_answer(qstate, iq, r))
return 0;
@ -564,6 +577,7 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
qinf.qname_len = qnamelen;
qinf.qtype = qtype;
qinf.qclass = qclass;
qinf.local_alias = NULL;
/* RD should be set only when sending the query back through the INIT
* state. */
@ -981,7 +995,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
{
uint8_t* delname;
size_t delnamelen;
struct dns_msg* msg;
struct dns_msg* msg = NULL;
log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo);
/* check effort */
@ -1021,7 +1035,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
* getting older results from cache is a bad idea, no cache */
verbose(VERB_ALGO, "cache blacklisted, going to the network");
msg = NULL;
} else {
} else if(!qstate->no_cache_lookup) {
msg = dns_cache_lookup(qstate->env, iq->qchase.qname,
iq->qchase.qname_len, iq->qchase.qtype,
iq->qchase.qclass, qstate->query_flags,
@ -1337,7 +1351,7 @@ processInitRequest3(struct module_qstate* qstate, struct iter_qstate* iq,
/* If the RD flag wasn't set, then we just finish with the
* cached referral as the response. */
if(!(qstate->query_flags & BIT_RD)) {
if(!(qstate->query_flags & BIT_RD) && iq->deleg_msg) {
iq->response = iq->deleg_msg;
if(verbosity >= VERB_ALGO && iq->response)
log_dns_msg("no RD requested, using delegation msg",
@ -1713,7 +1727,8 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
/* if this was a parent-side glue query itself, then store that
* failure in cache. */
if(iq->query_for_pside_glue && !iq->pside_glue)
if(!qstate->no_cache_store && iq->query_for_pside_glue
&& !iq->pside_glue)
iter_store_parentside_neg(qstate->env, &qstate->qinfo,
iq->deleg_msg?iq->deleg_msg->rep:
(iq->response?iq->response->rep:NULL));
@ -2009,9 +2024,10 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
}
if(iq->minimisation_state == INIT_MINIMISE_STATE) {
/* (Re)set qinfo_out to (new) delegation point, except
* when qinfo_out is already a subdomain of dp. This happens
* when resolving ip6.arpa dnames. */
/* (Re)set qinfo_out to (new) delegation point, except when
* qinfo_out is already a subdomain of dp. This happens when
* increasing by more than one label at once (QNAMEs with more
* than MAX_MINIMISE_COUNT labels). */
if(!(iq->qinfo_out.qname_len
&& dname_subdomain_c(iq->qchase.qname,
iq->qinfo_out.qname)
@ -2019,30 +2035,53 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->dp->name))) {
iq->qinfo_out.qname = iq->dp->name;
iq->qinfo_out.qname_len = iq->dp->namelen;
iq->qinfo_out.qtype = LDNS_RR_TYPE_NS;
iq->qinfo_out.qtype = LDNS_RR_TYPE_A;
iq->qinfo_out.qclass = iq->qchase.qclass;
iq->qinfo_out.local_alias = NULL;
iq->minimise_count = 0;
}
iq->minimisation_state = MINIMISE_STATE;
}
if(iq->minimisation_state == MINIMISE_STATE) {
int labdiff = dname_count_labels(iq->qchase.qname) -
int qchaselabs = dname_count_labels(iq->qchase.qname);
int labdiff = qchaselabs -
dname_count_labels(iq->qinfo_out.qname);
iq->qinfo_out.qname = iq->qchase.qname;
iq->qinfo_out.qname_len = iq->qchase.qname_len;
iq->minimise_count++;
iq->minimise_timeout_count = 0;
/* Special treatment for ip6.arpa lookups.
* Reverse IPv6 dname has 34 labels, increment the IP part
* (usually first 32 labels) by 8 labels (7 more than the
* default 1 label increment). */
if(labdiff <= 32 &&
dname_subdomain_c(iq->qchase.qname, ie->ip6arpa_dname)) {
labdiff -= 7;
/* Small chance of zone cut after first label. Stop
* minimising */
if(labdiff <= 1)
labdiff = 0;
iter_dec_attempts(iq->dp, 1);
/* Limit number of iterations for QNAMEs with more
* than MAX_MINIMISE_COUNT labels. Send first MINIMISE_ONE_LAB
* labels of QNAME always individually.
*/
if(qchaselabs > MAX_MINIMISE_COUNT && labdiff > 1 &&
iq->minimise_count > MINIMISE_ONE_LAB) {
if(iq->minimise_count < MAX_MINIMISE_COUNT) {
int multilabs = qchaselabs - 1 -
MINIMISE_ONE_LAB;
int extralabs = multilabs /
MINIMISE_MULTIPLE_LABS;
if (MAX_MINIMISE_COUNT - iq->minimise_count >=
multilabs % MINIMISE_MULTIPLE_LABS)
/* Default behaviour is to add 1 label
* every iteration. Therefore, decrement
* the extralabs by 1 */
extralabs--;
if (extralabs < labdiff)
labdiff -= extralabs;
else
labdiff = 1;
}
/* Last minimised iteration, send all labels with
* QTYPE=NS */
else
labdiff = 1;
}
if(labdiff > 1) {
@ -2051,11 +2090,12 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
&iq->qinfo_out.qname_len,
labdiff-1);
}
if(labdiff < 1 ||
(labdiff < 2 && iq->qchase.qtype == LDNS_RR_TYPE_DS))
if(labdiff < 1 || (labdiff < 2
&& (iq->qchase.qtype == LDNS_RR_TYPE_DS
|| iq->qchase.qtype == LDNS_RR_TYPE_A)))
/* Stop minimising this query, resolve "as usual" */
iq->minimisation_state = DONOT_MINIMISE_STATE;
else {
else if(!qstate->no_cache_lookup) {
struct dns_msg* msg = dns_cache_lookup(qstate->env,
iq->qinfo_out.qname, iq->qinfo_out.qname_len,
iq->qinfo_out.qtype, iq->qinfo_out.qclass,
@ -2068,12 +2108,18 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
* cached as NOERROR/NODATA */
return 1;
}
}
if(iq->minimisation_state == SKIP_MINIMISE_STATE)
if(iq->minimisation_state == SKIP_MINIMISE_STATE) {
iq->minimise_timeout_count++;
if(iq->minimise_timeout_count < MAX_MINIMISE_TIMEOUT_COUNT)
/* Do not increment qname, continue incrementing next
* iteration */
iq->minimisation_state = MINIMISE_STATE;
else if(!qstate->env->cfg->qname_minimisation_strict)
/* Too many time-outs detected for this QNAME and QTYPE.
* We give up, disable QNAME minimisation. */
iq->minimisation_state = DONOT_MINIMISE_STATE;
}
if(iq->minimisation_state == DONOT_MINIMISE_STATE)
iq->qinfo_out = iq->qchase;
@ -2087,13 +2133,18 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->dnssec_lame_query?" but lame_query anyway": "");
}
fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
outq = (*qstate->env->send_query)(
iq->qinfo_out.qname, iq->qinfo_out.qname_len,
iq->qinfo_out.qtype, iq->qinfo_out.qclass,
iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), EDNS_DO|BIT_CD,
outq = (*qstate->env->send_query)(&iq->qinfo_out,
iq->chase_flags | (iq->chase_to_rd?BIT_RD:0),
/* unset CD if to forwarder(RD set) and not dnssec retry
* (blacklist nonempty) and no trust-anchors are configured
* above the qname or on the first attempt when dnssec is on */
EDNS_DO| ((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&&
!qstate->blacklist&&(!iter_indicates_dnssec_fwd(qstate->env,
&iq->qinfo_out)||target->attempts==1)?0:BIT_CD),
iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
ie, iq), &target->addr, target->addrlen, iq->dp->name,
iq->dp->namelen, qstate);
ie, iq), &target->addr, target->addrlen,
iq->dp->name, iq->dp->namelen,
(iq->dp->ssl_upstream || qstate->env->cfg->ssl_upstream), qstate);
if(!outq) {
log_addr(VERB_DETAIL, "error sending query to auth server",
&target->addr, target->addrlen);
@ -2143,9 +2194,13 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
int dnsseclame = 0;
enum response_type type;
iq->num_current_queries--;
if(!inplace_cb_query_response_call(qstate->env, qstate, iq->response))
log_err("unable to call query_response callback");
if(iq->response == NULL) {
/* Don't increment qname when QNAME minimisation is enabled */
if (qstate->env->cfg->qname_minimisation)
if(qstate->env->cfg->qname_minimisation)
iq->minimisation_state = SKIP_MINIMISE_STATE;
iq->chase_to_rd = 0;
iq->dnssec_lame_query = 0;
@ -2161,8 +2216,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
* differently. No queries should be sent elsewhere */
type = RESPONSE_TYPE_ANSWER;
}
if(iq->dnssec_expected && !iq->dnssec_lame_query &&
if(!qstate->env->cfg->disable_dnssec_lame_check && iq->dnssec_expected
&& !iq->dnssec_lame_query &&
!(iq->chase_flags&BIT_RD)
&& iq->sent_count < DNSSEC_LAME_DETECT_COUNT
&& type != RESPONSE_TYPE_LAME
&& type != RESPONSE_TYPE_REC_LAME
&& type != RESPONSE_TYPE_THROWAWAY
@ -2205,6 +2262,22 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
} else
iter_scrub_ds(iq->response, ns, iq->dp->name);
} else iter_scrub_ds(iq->response, NULL, NULL);
if(type == RESPONSE_TYPE_THROWAWAY &&
FLAGS_GET_RCODE(iq->response->rep->flags) == LDNS_RCODE_YXDOMAIN) {
/* YXDOMAIN is a permanent error, no need to retry */
type = RESPONSE_TYPE_ANSWER;
}
if(type == RESPONSE_TYPE_CNAME && iq->response->rep->an_numrrsets >= 1
&& ntohs(iq->response->rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_DNAME) {
uint8_t* sname = NULL;
size_t snamelen = 0;
get_cname_target(iq->response->rep->rrsets[0], &sname,
&snamelen);
if(snamelen && dname_subdomain_c(sname, iq->response->rep->rrsets[0]->rk.dname)) {
/* DNAME to a subdomain loop; do not recurse */
type = RESPONSE_TYPE_ANSWER;
}
}
/* handle each of the type cases */
if(type == RESPONSE_TYPE_ANSWER) {
@ -2232,6 +2305,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
iq->num_target_queries = 0;
return processDSNSFind(qstate, iq, id);
}
if(!qstate->no_cache_store)
iter_dns_store(qstate->env, &iq->response->qinfo,
iq->response->rep, 0, qstate->prefetch_leeway,
iq->dp&&iq->dp->has_parent_side_NS,
@ -2248,12 +2322,44 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
&qstate->reply->addr, qstate->reply->addrlen,
qstate->region);
if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
/* Best effort qname-minimisation.
* Stop minimising and send full query when RCODE
* is not NOERROR */
if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
LDNS_RCODE_NOERROR)
LDNS_RCODE_NOERROR) {
if(qstate->env->cfg->qname_minimisation_strict)
return final_state(iq);
/* Best effort qname-minimisation.
* Stop minimising and send full query when
* RCODE is not NOERROR. */
iq->minimisation_state = DONOT_MINIMISE_STATE;
}
if(FLAGS_GET_RCODE(iq->response->rep->flags) ==
LDNS_RCODE_NXDOMAIN) {
/* Stop resolving when NXDOMAIN is DNSSEC
* signed. Based on assumption that namservers
* serving signed zones do not return NXDOMAIN
* for empty-non-terminals. */
if(iq->dnssec_expected)
return final_state(iq);
/* Make subrequest to validate intermediate
* NXDOMAIN if harden-below-nxdomain is
* enabled. */
if(qstate->env->cfg->harden_below_nxdomain) {
struct module_qstate* subq = NULL;
log_query_info(VERB_QUERY,
"schedule NXDOMAIN validation:",
&iq->response->qinfo);
if(!generate_sub_request(
iq->response->qinfo.qname,
iq->response->qinfo.qname_len,
iq->response->qinfo.qtype,
iq->response->qinfo.qclass,
qstate, id, iq,
INIT_REQUEST_STATE,
FINISHED_STATE, &subq, 1))
verbose(VERB_ALGO,
"could not validate NXDOMAIN "
"response");
}
}
return next_state(iq, QUERYTARGETS_STATE);
}
return final_state(iq);
@ -2271,7 +2377,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
}
/* if hardened, only store referral if we asked for it */
if(!qstate->env->cfg->harden_referral_path ||
if(!qstate->no_cache_store &&
(!qstate->env->cfg->harden_referral_path ||
( qstate->qinfo.qtype == LDNS_RR_TYPE_NS
&& (qstate->query_flags&BIT_RD)
&& !(qstate->query_flags&BIT_CD)
@ -2286,7 +2393,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
iq->qchase.qname, iq->qchase.qname_len,
LDNS_RR_TYPE_NS, iq->qchase.qclass)
)
)) {
))) {
/* Store the referral under the current query */
/* no prefetch-leeway, since its not the answer */
iter_dns_store(qstate->env, &iq->response->qinfo,
@ -2299,7 +2406,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
iq->response->rep, iq->dp->name);
}
/* store parent-side-in-zone-glue, if directly queried for */
if(iq->query_for_pside_glue && !iq->pside_glue) {
if(!qstate->no_cache_store && iq->query_for_pside_glue
&& !iq->pside_glue) {
iq->pside_glue = reply_find_rrset(iq->response->rep,
iq->qchase.qname, iq->qchase.qname_len,
iq->qchase.qtype, iq->qchase.qclass);
@ -2389,6 +2497,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* NOTE : set referral=1, so that rrsets get stored but not
* the partial query answer (CNAME only). */
/* prefetchleeway applied because this updates answer parts */
if(!qstate->no_cache_store)
iter_dns_store(qstate->env, &iq->response->qinfo,
iq->response->rep, 1, qstate->prefetch_leeway,
iq->dp&&iq->dp->has_parent_side_NS, NULL,
@ -2471,7 +2580,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* LAME, THROWAWAY and "unknown" all end up here.
* Recycle to the QUERYTARGETS state to hopefully try a
* different target. */
if (qstate->env->cfg->qname_minimisation)
if (qstate->env->cfg->qname_minimisation &&
!qstate->env->cfg->qname_minimisation_strict)
iq->minimisation_state = DONOT_MINIMISE_STATE;
return next_state(iq, QUERYTARGETS_STATE);
}
@ -2605,6 +2715,10 @@ processTargetResponse(struct module_qstate* qstate, int id,
log_query_info(VERB_ALGO, "processTargetResponse", &qstate->qinfo);
log_query_info(VERB_ALGO, "processTargetResponse super", &forq->qinfo);
/* Tell the originating event that this target query has finished
* (regardless if it succeeded or not). */
foriq->num_target_queries--;
/* check to see if parent event is still interested (in orig name). */
if(!foriq->dp) {
verbose(VERB_ALGO, "subq: parent not interested, was reset");
@ -2620,10 +2734,6 @@ processTargetResponse(struct module_qstate* qstate, int id,
return;
}
/* Tell the originating event that this target query has finished
* (regardless if it succeeded or not). */
foriq->num_target_queries--;
/* if iq->query_for_pside_glue then add the pside_glue (marked lame) */
if(iq->pside_glue) {
/* if the pside_glue is NULL, then it could not be found,
@ -2871,7 +2981,8 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
&qstate->qinfo);
/* store negative cache element for parent side glue. */
if(iq->query_for_pside_glue && !iq->pside_glue)
if(!qstate->no_cache_store && iq->query_for_pside_glue
&& !iq->pside_glue)
iter_store_parentside_neg(qstate->env, &qstate->qinfo,
iq->deleg_msg?iq->deleg_msg->rep:
(iq->response?iq->response->rep:NULL));
@ -2910,7 +3021,7 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
/* store message with the finished prepended items,
* but only if we did recursion. The nonrecursion referral
* from cache does not need to be stored in the msg cache. */
if(qstate->query_flags&BIT_RD) {
if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) {
iter_dns_store(qstate->env, &qstate->qinfo,
iq->response->rep, 0, qstate->prefetch_leeway,
iq->dp&&iq->dp->has_parent_side_NS,
@ -3082,8 +3193,25 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
goto handle_it;
}
/* edns is not examined, but removed from message to help cache */
if(parse_extract_edns(prs, &edns) != LDNS_RCODE_NOERROR)
if(parse_extract_edns(prs, &edns, qstate->env->scratch) !=
LDNS_RCODE_NOERROR)
goto handle_it;
/* Copy the edns options we may got from the back end */
if(edns.opt_list) {
qstate->edns_opts_back_in = edns_opt_copy_region(edns.opt_list,
qstate->region);
if(!qstate->edns_opts_back_in) {
log_err("out of memory on incoming message");
/* like packet got dropped */
goto handle_it;
}
if(!inplace_cb_edns_back_parsed_call(qstate->env, qstate)) {
log_err("unable to call edns_back_parsed callback");
goto handle_it;
}
}
/* remove CD-bit, we asked for in case we handle validation ourself */
prs->flags &= ~BIT_CD;

View file

@ -51,7 +51,7 @@ struct iter_forwards;
struct iter_donotq;
struct iter_prep_list;
struct iter_priv;
struct rbtree_t;
struct rbtree_type;
/** max number of targets spawned for a query and its subqueries */
#define MAX_TARGET_COUNT 64
@ -61,6 +61,23 @@ struct rbtree_t;
#define MAX_REFERRAL_COUNT 130
/** max number of queries-sent-out. Make sure large NS set does not loop */
#define MAX_SENT_COUNT 32
/** max number of queries for which to perform dnsseclameness detection,
* (rrsigs misssing detection) after that, just pick up that response */
#define DNSSEC_LAME_DETECT_COUNT 4
/**
* max number of QNAME minimisation iterations. Limits number of queries for
* QNAMEs with a lot of labels.
*/
#define MAX_MINIMISE_COUNT 10
/* max number of time-outs for minimised query. Prevents resolving failures
* when the QNAME minimisation QTYPE is blocked. */
#define MAX_MINIMISE_TIMEOUT_COUNT 3
/**
* number of labels from QNAME that are always send individually when using
* QNAME minimisation, even when the number of labels of the QNAME is bigger
* tham MAX_MINIMISE_COUNT */
#define MINIMISE_ONE_LAB 4
#define MINIMISE_MULTIPLE_LABS (MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB)
/** at what query-sent-count to stop target fetch policy */
#define TARGET_FETCH_STOP 3
/** how nice is a server without further information, in msec
@ -98,7 +115,7 @@ struct iter_env {
struct iter_priv* priv;
/** whitelist for capsforid names */
struct rbtree_t* caps_white;
struct rbtree_type* caps_white;
/** The maximum dependency depth that this resolver will pursue. */
int max_dependency_depth;
@ -349,7 +366,7 @@ struct iter_qstate {
/** list of pending queries to authoritative servers. */
struct outbound_list outlist;
/** QNAME minimisation state */
/** QNAME minimisation state, RFC7816 */
enum minimisation_state minimisation_state;
/**
@ -357,6 +374,17 @@ struct iter_qstate {
* when qname minimisation is enabled.
*/
struct query_info qinfo_out;
/**
* Count number of QNAME minisation iterations. Used to limit number of
* outgoing queries when QNAME minimisation is enabled.
*/
int minimise_count;
/**
* Count number of time-outs. Used to prevent resolving failures when
* the QNAME minimisation QTYPE is blocked. */
int minimise_timeout_count;
};
/**

View file

@ -62,6 +62,7 @@ context_finalize(struct ub_ctx* ctx)
config_apply(cfg);
if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env))
return UB_INITFAIL;
log_edns_known_options(VERB_ALGO, ctx->env);
ctx->local_zones = local_zones_create();
if(!ctx->local_zones)
return UB_NOMEM;
@ -126,7 +127,7 @@ find_id(struct ub_ctx* ctx, int* id)
struct ctx_query*
context_new(struct ub_ctx* ctx, const char* name, int rrtype, int rrclass,
ub_callback_t cb, void* cbarg)
ub_callback_type cb, void* cbarg)
{
struct ctx_query* q = (struct ctx_query*)calloc(1, sizeof(*q));
if(!q) return NULL;

View file

@ -49,7 +49,7 @@
struct libworker;
struct tube;
struct sldns_buffer;
struct event_base;
struct ub_event_base;
/**
* The context structure
@ -61,17 +61,17 @@ struct event_base;
struct ub_ctx {
/* --- pipes --- */
/** mutex on query write pipe */
lock_basic_t qqpipe_lock;
lock_basic_type qqpipe_lock;
/** the query write pipe */
struct tube* qq_pipe;
/** mutex on result read pipe */
lock_basic_t rrpipe_lock;
lock_basic_type rrpipe_lock;
/** the result read pipe */
struct tube* rr_pipe;
/* --- shared data --- */
/** mutex for access to env.cfg, finalized and dothread */
lock_basic_t cfglock;
lock_basic_type cfglock;
/**
* The context has been finalized
* This is after config when the first resolve is done.
@ -84,7 +84,7 @@ struct ub_ctx {
/** pid of bg worker process */
pid_t bg_pid;
/** tid of bg worker thread */
ub_thread_t bg_tid;
ub_thread_type bg_tid;
/** do threading (instead of forking) for async resolution */
int dothread;
@ -114,7 +114,7 @@ struct ub_ctx {
struct ub_randstate* seed_rnd;
/** event base for event oriented interface */
struct event_base* event_base;
struct ub_event_base* event_base;
/** libworker for event based interface */
struct libworker* event_worker;
@ -129,7 +129,7 @@ struct ub_ctx {
* Used to see if querynum is free for use.
* Content of type ctx_query.
*/
rbtree_t queries;
rbtree_type queries;
};
/**
@ -140,7 +140,7 @@ struct ub_ctx {
*/
struct ctx_query {
/** node in rbtree, must be first entry, key is ptr to the querynum */
struct rbnode_t node;
struct rbnode_type node;
/** query id number, key for node */
int querynum;
/** was this an async query? */
@ -149,7 +149,7 @@ struct ctx_query {
int cancelled;
/** for async query, the callback function */
ub_callback_t cb;
ub_callback_type cb;
/** for async query, the callback user arg */
void* cb_arg;
@ -242,7 +242,7 @@ void context_query_delete(struct ctx_query* q);
* @return new ctx_query or NULL for malloc failure.
*/
struct ctx_query* context_new(struct ub_ctx* ctx, const char* name, int rrtype,
int rrclass, ub_callback_t cb, void* cbarg);
int rrclass, ub_callback_type cb, void* cbarg);
/**
* Get a new alloc. Creates a new one or uses a cached one.

View file

@ -57,6 +57,7 @@
#include "util/random.h"
#include "util/net_help.h"
#include "util/tube.h"
#include "util/ub_event.h"
#include "services/modstack.h"
#include "services/localzone.h"
#include "services/cache/infra.h"
@ -131,6 +132,15 @@ static struct ub_ctx* ub_ctx_create_nopipe(void)
errno = ENOMEM;
return NULL;
}
/* init edns_known_options */
if(!edns_known_options_init(ctx->env)) {
config_delete(ctx->env->cfg);
free(ctx->env);
ub_randfree(ctx->seed_rnd);
free(ctx);
errno = ENOMEM;
return NULL;
}
ctx->env->alloc = &ctx->superalloc;
ctx->env->worker = NULL;
ctx->env->need_to_validate = 0;
@ -150,6 +160,7 @@ ub_ctx_create(void)
ub_randfree(ctx->seed_rnd);
config_delete(ctx->env->cfg);
modstack_desetup(&ctx->mods, ctx->env);
edns_known_options_delete(ctx->env);
free(ctx->env);
free(ctx);
errno = e;
@ -161,6 +172,7 @@ ub_ctx_create(void)
ub_randfree(ctx->seed_rnd);
config_delete(ctx->env->cfg);
modstack_desetup(&ctx->mods, ctx->env);
edns_known_options_delete(ctx->env);
free(ctx->env);
free(ctx);
errno = e;
@ -169,6 +181,20 @@ ub_ctx_create(void)
return ctx;
}
struct ub_ctx*
ub_ctx_create_ub_event(struct ub_event_base* ueb)
{
struct ub_ctx* ctx = ub_ctx_create_nopipe();
if(!ctx)
return NULL;
/* no pipes, but we have the locks to make sure everything works */
ctx->created_bg = 0;
ctx->dothread = 1; /* the processing is in the same process,
makes ub_cancel and ub_ctx_delete do the right thing */
ctx->event_base = ueb;
return ctx;
}
struct ub_ctx*
ub_ctx_create_event(struct event_base* eb)
{
@ -179,13 +205,17 @@ ub_ctx_create_event(struct event_base* eb)
ctx->created_bg = 0;
ctx->dothread = 1; /* the processing is in the same process,
makes ub_cancel and ub_ctx_delete do the right thing */
ctx->event_base = eb;
ctx->event_base = ub_libevent_event_base(eb);
if (!ctx->event_base) {
ub_ctx_delete(ctx);
return NULL;
}
return ctx;
}
/** delete q */
static void
delq(rbnode_t* n, void* ATTR_UNUSED(arg))
delq(rbnode_type* n, void* ATTR_UNUSED(arg))
{
struct ctx_query* q = (struct ctx_query*)n;
context_query_delete(q);
@ -279,6 +309,7 @@ ub_ctx_delete(struct ub_ctx* ctx)
rrset_cache_delete(ctx->env->rrset_cache);
infra_delete(ctx->env->infra_cache);
config_delete(ctx->env->cfg);
edns_known_options_delete(ctx->env);
free(ctx->env);
}
ub_randfree(ctx->seed_rnd);
@ -468,7 +499,7 @@ ub_fd(struct ub_ctx* ctx)
/** process answer from bg worker */
static int
process_answer_detail(struct ub_ctx* ctx, uint8_t* msg, uint32_t len,
ub_callback_t* cb, void** cbarg, int* err,
ub_callback_type* cb, void** cbarg, int* err,
struct ub_result** res)
{
struct ctx_query* q;
@ -535,7 +566,7 @@ static int
process_answer(struct ub_ctx* ctx, uint8_t* msg, uint32_t len)
{
int err;
ub_callback_t cb;
ub_callback_type cb;
void* cbarg;
struct ub_result* res;
int r;
@ -578,7 +609,7 @@ int
ub_wait(struct ub_ctx* ctx)
{
int err;
ub_callback_t cb;
ub_callback_type cb;
void* cbarg;
struct ub_result* res;
int r;
@ -674,7 +705,8 @@ ub_resolve(struct ub_ctx* ctx, const char* name, int rrtype,
int
ub_resolve_event(struct ub_ctx* ctx, const char* name, int rrtype,
int rrclass, void* mydata, ub_event_callback_t callback, int* async_id)
int rrclass, void* mydata, ub_event_callback_type callback,
int* async_id)
{
struct ctx_query* q;
int r;
@ -698,8 +730,11 @@ ub_resolve_event(struct ub_ctx* ctx, const char* name, int rrtype,
}
}
/* set time in case answer comes from cache */
ub_comm_base_now(ctx->event_worker->base);
/* create new ctx_query and attempt to add to the list */
q = context_new(ctx, name, rrtype, rrclass, (ub_callback_t)callback,
q = context_new(ctx, name, rrtype, rrclass, (ub_callback_type)callback,
mydata);
if(!q)
return UB_NOMEM;
@ -713,7 +748,7 @@ ub_resolve_event(struct ub_ctx* ctx, const char* name, int rrtype,
int
ub_resolve_async(struct ub_ctx* ctx, const char* name, int rrtype,
int rrclass, void* mydata, ub_callback_t callback, int* async_id)
int rrclass, void* mydata, ub_callback_type callback, int* async_id)
{
struct ctx_query* q;
uint8_t* msg = NULL;
@ -924,6 +959,88 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
return UB_NOERROR;
}
int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr,
int isprime)
{
char* a;
struct config_stub **prev, *elem;
/* check syntax for zone name */
if(zone) {
uint8_t* nm;
int nmlabs;
size_t nmlen;
if(!parse_dname(zone, &nm, &nmlen, &nmlabs)) {
errno=EINVAL;
return UB_SYNTAX;
}
free(nm);
} else {
zone = ".";
}
/* check syntax for addr (if not NULL) */
if(addr) {
struct sockaddr_storage storage;
socklen_t stlen;
if(!extstrtoaddr(addr, &storage, &stlen)) {
errno=EINVAL;
return UB_SYNTAX;
}
}
lock_basic_lock(&ctx->cfglock);
if(ctx->finalized) {
lock_basic_unlock(&ctx->cfglock);
errno=EINVAL;
return UB_AFTERFINAL;
}
/* arguments all right, now find or add the stub */
prev = &ctx->env->cfg->stubs;
elem = cfg_stub_find(&prev, zone);
if(!elem && !addr) {
/* not found and we want to delete, nothing to do */
lock_basic_unlock(&ctx->cfglock);
return UB_NOERROR;
} else if(elem && !addr) {
/* found, and we want to delete */
*prev = elem->next;
config_delstub(elem);
lock_basic_unlock(&ctx->cfglock);
return UB_NOERROR;
} else if(!elem) {
/* not found, create the stub entry */
elem=(struct config_stub*)calloc(1, sizeof(struct config_stub));
if(elem) elem->name = strdup(zone);
if(!elem || !elem->name) {
free(elem);
lock_basic_unlock(&ctx->cfglock);
errno = ENOMEM;
return UB_NOMEM;
}
elem->next = ctx->env->cfg->stubs;
ctx->env->cfg->stubs = elem;
}
/* add the address to the list and set settings */
elem->isprime = isprime;
a = strdup(addr);
if(!a) {
lock_basic_unlock(&ctx->cfglock);
errno = ENOMEM;
return UB_NOMEM;
}
if(!cfg_strlist_insert(&elem->addrs, a)) {
lock_basic_unlock(&ctx->cfglock);
free(a);
errno = ENOMEM;
return UB_NOMEM;
}
lock_basic_unlock(&ctx->cfglock);
return UB_NOERROR;
}
int
ub_ctx_resolvconf(struct ub_ctx* ctx, const char* fname)
{
@ -1241,10 +1358,12 @@ const char* ub_version(void)
int
ub_ctx_set_event(struct ub_ctx* ctx, struct event_base* base) {
struct ub_event_base* new_base;
if (!ctx || !ctx->event_base || !base) {
return UB_INITFAIL;
}
if (ctx->event_base == base) {
if (ub_libevent_get_event_base(ctx->event_base) == base) {
/* already set */
return UB_NOERROR;
}
@ -1253,9 +1372,11 @@ ub_ctx_set_event(struct ub_ctx* ctx, struct event_base* base) {
/* destroy the current worker - safe to pass in NULL */
libworker_delete_event(ctx->event_worker);
ctx->event_worker = NULL;
ctx->event_base = base;
new_base = ub_libevent_event_base(base);
if (new_base)
ctx->event_base = new_base;
ctx->created_bg = 0;
ctx->dothread = 1;
lock_basic_unlock(&ctx->cfglock);
return UB_NOERROR;
return new_base ? UB_NOERROR : UB_INITFAIL;
}

View file

@ -119,7 +119,7 @@ libworker_delete_event(struct libworker* w)
/** setup fresh libworker struct */
static struct libworker*
libworker_setup(struct ub_ctx* ctx, int is_bg, struct event_base* eb)
libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
{
unsigned int seed;
struct libworker* w = (struct libworker*)calloc(1, sizeof(*w));
@ -232,6 +232,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct event_base* eb)
cfg->do_tcp?cfg->outgoing_num_tcp:0,
w->env->infra_cache, w->env->rnd, cfg->use_caps_bits_for_id,
ports, numports, cfg->unwanted_threshold,
cfg->outgoing_tcp_mss,
&libworker_alloc_cleanup, w, cfg->do_udp, w->sslctx,
cfg->delay_close, NULL);
if(!w->is_bg || w->is_bg_thread) {
@ -257,7 +258,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct event_base* eb)
}
struct libworker* libworker_create_event(struct ub_ctx* ctx,
struct event_base* eb)
struct ub_event_base* eb)
{
return libworker_setup(ctx, 0, eb);
}
@ -572,14 +573,17 @@ setup_qinfo_edns(struct libworker* w, struct ctx_query* q,
{
qinfo->qtype = (uint16_t)q->res->qtype;
qinfo->qclass = (uint16_t)q->res->qclass;
qinfo->local_alias = NULL;
qinfo->qname = sldns_str2wire_dname(q->res->qname, &qinfo->qname_len);
if(!qinfo->qname) {
return 0;
}
qinfo->local_alias = NULL;
edns->edns_present = 1;
edns->ext_rcode = 0;
edns->edns_version = 0;
edns->bits = EDNS_DO;
edns->opt_list = NULL;
if(sldns_buffer_capacity(w->back->udp_buff) < 65535)
edns->udp_size = (uint16_t)sldns_buffer_capacity(
w->back->udp_buff);
@ -605,8 +609,9 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
/* see if there is a fixed answer */
sldns_buffer_write_u16_at(w->back->udp_buff, 0, qid);
sldns_buffer_write_u16_at(w->back->udp_buff, 2, qflags);
if(local_zones_answer(ctx->local_zones, &qinfo, &edns,
w->back->udp_buff, w->env->scratch, NULL)) {
if(local_zones_answer(ctx->local_zones, w->env, &qinfo, &edns,
w->back->udp_buff, w->env->scratch, NULL, NULL, 0, NULL, 0,
NULL, 0, NULL, 0, NULL)) {
regional_free_all(w->env->scratch);
libworker_fillup_fg(q, LDNS_RCODE_NOERROR,
w->back->udp_buff, sec_status_insecure, NULL);
@ -634,7 +639,7 @@ libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
enum sec_status s, char* why_bogus)
{
struct ctx_query* q = (struct ctx_query*)arg;
ub_event_callback_t cb = (ub_event_callback_t)q->cb;
ub_event_callback_type cb = (ub_event_callback_type)q->cb;
void* cb_arg = q->cb_arg;
int cancelled = q->cancelled;
@ -675,8 +680,9 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
/* see if there is a fixed answer */
sldns_buffer_write_u16_at(w->back->udp_buff, 0, qid);
sldns_buffer_write_u16_at(w->back->udp_buff, 2, qflags);
if(local_zones_answer(ctx->local_zones, &qinfo, &edns,
w->back->udp_buff, w->env->scratch, NULL)) {
if(local_zones_answer(ctx->local_zones, w->env, &qinfo, &edns,
w->back->udp_buff, w->env->scratch, NULL, NULL, 0, NULL, 0,
NULL, 0, NULL, 0, NULL)) {
regional_free_all(w->env->scratch);
free(qinfo.qname);
libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
@ -795,8 +801,9 @@ handle_newq(struct libworker* w, uint8_t* buf, uint32_t len)
/* see if there is a fixed answer */
sldns_buffer_write_u16_at(w->back->udp_buff, 0, qid);
sldns_buffer_write_u16_at(w->back->udp_buff, 2, qflags);
if(local_zones_answer(w->ctx->local_zones, &qinfo, &edns,
w->back->udp_buff, w->env->scratch, NULL)) {
if(local_zones_answer(w->ctx->local_zones, w->env, &qinfo, &edns,
w->back->udp_buff, w->env->scratch, NULL, NULL, 0, NULL, 0,
NULL, 0, NULL, 0, NULL)) {
regional_free_all(w->env->scratch);
q->msg_security = sec_status_insecure;
add_bg_result(w, q, w->back->udp_buff, UB_NOERROR, NULL);
@ -819,11 +826,10 @@ void libworker_alloc_cleanup(void* arg)
slabhash_clear(w->env->msg_cache);
}
struct outbound_entry* libworker_send_query(uint8_t* qname, size_t qnamelen,
uint16_t qtype, uint16_t qclass, uint16_t flags, int dnssec,
int want_dnssec, int nocaps, struct sockaddr_storage* addr,
socklen_t addrlen, uint8_t* zone, size_t zonelen,
struct module_qstate* q)
struct outbound_entry* libworker_send_query(struct query_info* qinfo,
uint16_t flags, int dnssec, int want_dnssec, int nocaps,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
size_t zonelen, int ssl_upstream, struct module_qstate* q)
{
struct libworker* w = (struct libworker*)q->env->worker;
struct outbound_entry* e = (struct outbound_entry*)regional_alloc(
@ -831,11 +837,10 @@ struct outbound_entry* libworker_send_query(uint8_t* qname, size_t qnamelen,
if(!e)
return NULL;
e->qstate = q;
e->qsent = outnet_serviced_query(w->back, qname,
qnamelen, qtype, qclass, flags, dnssec, want_dnssec, nocaps,
q->env->cfg->tcp_upstream, q->env->cfg->ssl_upstream, addr,
addrlen, zone, zonelen, libworker_handle_service_reply, e,
w->back->udp_buff);
e->qsent = outnet_serviced_query(w->back, qinfo, flags, dnssec,
want_dnssec, nocaps, q->env->cfg->tcp_upstream, ssl_upstream,
addr, addrlen, zone, zonelen, q, libworker_handle_service_reply,
e, w->back->udp_buff, q->env);
if(!e->qsent) {
return NULL;
}
@ -950,13 +955,12 @@ void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg))
log_assert(0);
}
struct outbound_entry* worker_send_query(uint8_t* ATTR_UNUSED(qname),
size_t ATTR_UNUSED(qnamelen), uint16_t ATTR_UNUSED(qtype),
uint16_t ATTR_UNUSED(qclass), uint16_t ATTR_UNUSED(flags),
int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr),
socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
size_t ATTR_UNUSED(zonelen), struct module_qstate* ATTR_UNUSED(q))
struct outbound_entry* worker_send_query(struct query_info* ATTR_UNUSED(qinfo),
uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec),
int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps),
struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen),
uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen),
int ATTR_UNUSED(ssl_upstream), struct module_qstate* ATTR_UNUSED(q))
{
log_assert(0);
return 0;

View file

@ -1,5 +1,5 @@
/*
* libunbound/worker.h - worker thread or process that resolves
* libunbound/libworker.h - worker thread or process that resolves
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
@ -58,7 +58,8 @@ struct comm_reply;
struct regional;
struct tube;
struct sldns_buffer;
struct event_base;
struct ub_event_base;
struct query_info;
/**
* The library-worker status structure
@ -115,7 +116,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q);
* @return new worker or NULL.
*/
struct libworker* libworker_create_event(struct ub_ctx* ctx,
struct event_base* eb);
struct ub_event_base* eb);
/**
* Attach context_query to mesh for callback in event-driven setup.

View file

@ -82,10 +82,13 @@ pygments_style = 'sphinx'
# Options for HTML output
# -----------------------
# The theme that the html output should use.
html_theme = "classic"
# The style sheet to use for HTML and HTML Help pages. A file of that name
# must exist either in Sphinx' static/ path, or in one of the custom paths
# given in html_static_path.
html_style = 'default.css'
#html_style = 'default.css'
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".

View file

@ -1,10 +1,13 @@
.. _example_resolve_name:
==============================
Resolve a name
==============================
==============
This basic example shows how to create a context and resolve a host address (DNS record of A type).
This basic example shows how to create a context and resolve a host address
(DNS record of A type).
Source code
-----------
::
@ -20,7 +23,11 @@ This basic example shows how to create a context and resolve a host address (DNS
elif status != 0:
print "Resolve error:", unbound.ub_strerror(status)
In contrast with C API, the source code is more compact while the performance of C implementation is preserved.
The main advantage is that you need not take care about the deallocation and allocation of context and result structures; pyUnbound module do it automatically for you.
In contrast with the C API, the source code is more compact while the
performance of C implementation is preserved.
The main advantage is that you need not take care about the deallocation and
allocation of context and result structures; pyUnbound module does it
automatically for you.
If only domain name is given, the :meth:`unbound.ub_ctx.resolve` looks for A records in IN class.
If only domain name is given, the :meth:`unbound.ub_ctx.resolve` looks for
A records in IN class.

View file

@ -1,14 +1,19 @@
.. _example_reverse_lookup:
==============================
Reverse DNS lookup
==============================
==================
Reverse DNS lookup involves determining the hostname associated with a given IP address.
Reverse DNS lookup involves determining the hostname associated with a given IP
address.
This example shows how reverse lookup can be done using unbound module.
For the reverse DNS records, the special domain in-addr.arpa is reserved.
For example, a host name for the IP address 74.125.43.147 can be obtained by issuing a DNS query for the PTR record for address 147.43.125.74.in-addr.arpa.
For example, a host name for the IP address ``74.125.43.147`` can be obtained
by issuing a DNS query for the PTR record for address
``147.43.125.74.in-addr.arpa.``
Source code
-----------
::
@ -24,10 +29,9 @@ For example, a host name for the IP address 74.125.43.147 can be obtained by iss
elif status != 0:
print "Resolve error:", unbound.ub_strerror(status)
In order to simplify the python code, unbound module contains function which reverses the hostname components.
In order to simplify the python code, unbound module contains the
:meth:`unbound.reverse` function which reverses the hostname components.
This function is defined as follows::
def reverse(domain):
return '.'.join([a for a in domain.split(".")][::-1])

View file

@ -1,13 +1,15 @@
.. _example_setup_ctx:
==============================
Lookup from threads
==============================
===================
This example shows how to use unbound module from a threaded program.
In this example, three lookup threads are created which work in background.
Each thread resolves different DNS record.
Source code
-----------
::
#!/usr/bin/python
@ -37,5 +39,3 @@ Each thread resolves different DNS record.
for thread in threads:
thread.join()

View file

@ -1,12 +1,14 @@
.. _example_asynch:
==============================
Asynchronous lookup
==============================
===================
This example performs the name lookup in the background.
The main program keeps running while the name is resolved.
Source code
-----------
::
#!/usr/bin/python
@ -33,4 +35,5 @@ The main program keeps running while the name is resolved.
if (status != 0):
print "Resolve error:", unbound.ub_strerror(status)
The :meth:`unbound.ub_ctx.resolve_async` method is able to pass on any Python object. In this example, we used a dictionary object `my_data`.
The :meth:`unbound.ub_ctx.resolve_async` method is able to pass on any Python
object. In this example, we used a dictionary object ``my_data``.

View file

@ -1,11 +1,13 @@
.. _example_examine:
==============================
DNSSEC validator
==============================
================
This example program performs DNSSEC validation of a DNS lookup.
Source code
-----------
::
#!/usr/bin/python

View file

@ -1,13 +1,17 @@
.. _example_resolver_only:
==============================
Resolver only
==============================
=============
This example program shows how to perform DNS resolution only.
Unbound contains two basic modules: resolver and validator.
In case, the validator is not necessary, the validator module can be turned off using "module-config" option.
This option contains a list of module names separated by the space char. This list determined which modules should be employed and in what order.
In case, the validator is not necessary, the validator module can be turned off
using "module-config" option.
This option contains a list of module names separated by the space char. This
list determined which modules should be employed and in what order.
Source code
-----------
::
@ -25,5 +29,6 @@ This option contains a list of module names separated by the space char. This li
print "Result:", result.data.address_list
.. note::
The :meth:`unbound.ub_ctx.set_option` method must be used before the first resolution (i.e. before :meth:`unbound.ub_ctx.resolve` or :meth:`unbound.ub_ctx.resolve_async` call).
The :meth:`unbound.ub_ctx.set_option` method must be used before the first
resolution (i.e. before :meth:`unbound.ub_ctx.resolve` or
:meth:`unbound.ub_ctx.resolve_async` call).

View file

@ -1,11 +1,13 @@
.. _example_localzone:
==============================
Local zone manipulation
==============================
=======================
This example program shows how to define local zone containing custom DNS records.
This example program shows how to define local zone containing custom DNS
records.
Source code
-----------
.. literalinclude:: example6-1.py
:language: python

View file

@ -1,18 +1,33 @@
.. _example_idna:
=================================================
Internationalized domain name support
=================================================
=====================================
Unlike the libUnbound, pyUnbound is able to handle IDN queries.
Automatic IDN DNAME conversion
-------------------------------
If we use unicode string in :meth:`unbound.ub_ctx.resolve` method,
the IDN DNAME conversion (if it is necessary) is performed on background.
Source code
...........
.. literalinclude:: example7-1.py
:language: python
If we use unicode string in :meth:`unbound.ub_ctx.resolve` method, the IDN DNAME conversion (if it is necessary) is performed on background.
IDN converted attributes
------------------------
The :class:`unbound.ub_data` class contains attributes suffix which converts
the dname to UTF string. These attributes have the ``_idn`` suffix.
Apart from this aproach, two conversion functions exist
(:func:`unbound.idn2dname` and :func:`unbound.dname2idn`).
Source code
...........
.. literalinclude:: example7-2.py
:language: python
The :class:`unbound.ub_data` class contains attributes suffix which converts the dname to UTF string. These attributes have the '_idn' suffix.
Apart from this aproach, two conversion functions exist (:func:`unbound.idn2dname` and :func:`unbound.dname2idn`).

View file

@ -1,15 +1,21 @@
.. _example_mxlookup:
=================================================
Lookup for MX and NS records
=================================================
============================
The pyUnbound extension provides functions which are able to encode RAW RDATA produces by unbound resolver (see :class:`unbound.ub_data`).
The pyUnbound extension provides functions which are able to encode RAW RDATA
produces by unbound resolver (see :class:`unbound.ub_data`).
Source code
-----------
.. literalinclude:: example8-1.py
:language: python
Previous example produces following output::
Output
------
The previous example produces the following output::
Result:
raw data: 00 0F 05 6D 61 69 6C 34 03 6E 69 63 02 63 7A 00;00 14 02 6D 78 05 63 7A 6E 69 63 03 6F 72 67 00;00 0A 04 6D 61 69 6C 03 6E 69 63 02 63 7A 00

View file

@ -1,11 +1,13 @@
Examples
==============================
========
Here you can find several examples which utilizes the unbound library in Python environment.
Unbound is a caching validator and resolver and can be linked into an application, as a library where can answer DNS queries for the application.
Here you can find several examples which utilizes the unbound library in Python
environment. Unbound is a caching validator and resolver and can be linked into
an application, as a library where can answer DNS queries for the application.
This set of examples shows how to use the functions from Python environment.
`Tutorials`
Tutorials
---------
.. toctree::
:maxdepth: 1

View file

@ -1,11 +1,13 @@
Installation
===================================
============
**Prerequisites**
Prerequisites
-------------
Python 2.4 or higher, SWIG 1.3 or higher, GNU make
**Compiling**
Compiling
---------
After downloading, you can compile the pyUnbound library by doing::
@ -14,18 +16,23 @@ After downloading, you can compile the pyUnbound library by doing::
> ./configure --with-pyunbound
> make
You may want to --with-pythonmodule as well if you want to use python as
a module in the resolver.
You may want to enable ``--with-pythonmodule`` as well if you want to use
python as a module in the resolver.
You need GNU make to compile sources; SWIG and Python devel libraries to compile extension module.
You need ``GNU make`` to compile sources; ``SWIG`` and ``Python devel``
libraries to compile extension module.
**Testing**
Testing
-------
If the compilation is successful, you can test the python LDNS extension module by::
If the compilation is successful, you can test the python LDNS extension module
by::
> cd contrib/python
> make testenv
> ./dns-lookup.py
You may want to make install in the main directory since make testenv is for debugging. In contrib/examples you can find simple applications written in Python using the Unbound extension.
You may want to ``make install`` in the main directory since ``make testenv``
is for debugging. In contrib/examples you can find simple applications written
in Python using the Unbound extension.

View file

@ -1,39 +1,58 @@
Introduction
===================================
============
**Unbound**
Unbound
-------
`Unbound`_ is an implementation of a DNS resolver, that performs caching and DNSSEC validation.
Together with unbound, the libunbound library is provided.
This library can be used to convert hostnames to ip addresses, and back, as well as obtain other information.
Since the resolver allows to specify the class and type of a query (A record, NS, MX, ...), this library offers powerful resolving tool.
The library also performs public-key validation of results with DNSSEC.
`Unbound`_ is an implementation of a DNS resolver, that performs caching and
DNSSEC validation.
Together with unbound, the libunbound library is provided.
This library can be used to convert hostnames to ip addresses, and back, as
well as obtain other information.
Since the resolver allows to specify the class and type of a query (A record,
NS, MX, ...), this library offers powerful resolving tool.
The library also performs public-key validation of results with DNSSEC.
.. _Unbound: http://www.unbound.net/documentation
.. _Unbound: http://www.unbound.net/documentation
**pyUnbound**
pyUnbound
---------
The pyUnbound is an extension module for Python which provides an object-oriented interface to libunbound.
It is the first Python module which offers thread-safe caching resolver.
The pyUnbound is an extension module for Python which provides an
object-oriented interface to libunbound.
It is the first Python module which offers thread-safe caching resolver.
The interface was designed with the emphasis on the simplicity of use.
There are two main classes :class:`unbound.ub_ctx` (a validation and resolution context) and :class:`unbound.ub_result` which contains the validation and resolution results.
The objects are thread-safe, and a context can be used in non-threaded as well as threaded environment.
Resolution can be performed blocking and non-blocking (i.e. asynchronous).
The asynchronous method returns from the call immediately, so that processing can go on, while the results become available later.
The interface was designed with the emphasis on the simplicity of use.
There are two main classes :class:`unbound.ub_ctx` (a validation and resolution
context) and :class:`unbound.ub_result` which contains the validation and
resolution results.
The objects are thread-safe, and a context can be used in non-threaded as well
as threaded environment.
Resolution can be performed blocking and non-blocking (i.e. asynchronous).
The asynchronous method returns from the call immediately, so that processing
can go on, while the results become available later.
**Features**
* customizable caching validation resolver for synchronous and asynchronous lookups
* easy to use object interface
* easy to integrate extension module
* designed for thread environment (i.e. thread-safe)
* allows define and customize of local zone and its RR's during the operation (i.e. without restart)
* includes encoding functions to simplify the results retrieval
* Internationalized domain name (`IDN`_) support
Features
--------
.. _IDN: http://en.wikipedia.org/wiki/Internationalized_domain_name
* Customizable caching validation resolver for synchronous and asynchronous
lookups
* Easy to use object interface
* Easy to integrate extension module
* Designed for thread environment (i.e. thread-safe)
* Allows define and customize of local zone and its RR's during the operation
(i.e. without restart)
* Includes encoding functions to simplify the results retrieval
* Internationalized domain name (`IDN`_) support
**Application area**
* DNS-based applications performing DNS lookups; the caching resolver can reduce overhead
* Applications where the validation of DNS records is required
* Great solution for customizable and dynamic DNS-based white/blacklists (spam rejection, connection rejection, ...) using the dynamic local zone manipulation
.. _IDN: http://en.wikipedia.org/wiki/Internationalized_domain_name
Application area
----------------
* DNS-based applications performing DNS lookups; the caching resolver can
reduce overhead
* Applications where the validation of DNS records is required
* Great solution for customizable and dynamic DNS-based white/blacklists (spam
rejection, connection rejection, ...) using the dynamic local zone
manipulation

View file

@ -945,7 +945,7 @@ int _ub_resolve_async(struct ub_ctx* ctx, char* name, int rrtype, int rrclass, v
:param idnname: (unicode string) IDN name
:returns: (string) domain name
"""
return '.'.join([encodings.idna.ToASCII(a) for a in idnname.split('.')])
return '.'.join([encodings.idna.ToASCII(a) if a else '' for a in idnname.split('.')])
def dname2idn(name):
"""Converts canonic domain name in IDN format to unicode string

View file

@ -1,33 +1,35 @@
ub_ctx_create
ub_ctx_create_event
ub_ctx_delete
ub_ctx_get_option
ub_ctx_set_option
ub_ctx_config
ub_ctx_set_fwd
ub_ctx_resolvconf
ub_ctx_hosts
ub_cancel
ub_ctx_add_ta
ub_ctx_add_ta_autr
ub_ctx_add_ta_file
ub_ctx_trustedkeys
ub_ctx_debugout
ub_ctx_debuglevel
ub_ctx_async
ub_poll
ub_wait
ub_ctx_config
ub_ctx_create
ub_ctx_create_event
ub_ctx_create_ub_event
ub_ctx_data_add
ub_ctx_data_remove
ub_ctx_debuglevel
ub_ctx_debugout
ub_ctx_delete
ub_ctx_get_option
ub_ctx_hosts
ub_ctx_print_local_zones
ub_ctx_resolvconf
ub_ctx_set_event
ub_ctx_set_fwd
ub_ctx_set_option
ub_ctx_set_stub
ub_ctx_trustedkeys
ub_ctx_zone_add
ub_ctx_zone_remove
ub_fd
ub_poll
ub_process
ub_resolve
ub_resolve_async
ub_resolve_event
ub_cancel
ub_resolve_free
ub_strerror
ub_ctx_print_local_zones
ub_ctx_zone_add
ub_ctx_zone_remove
ub_ctx_data_add
ub_ctx_data_remove
ub_version
ub_ctx_set_event
ub_wait

View file

@ -36,20 +36,21 @@
/**
* \file
*
* This file contains the unbound interface for use with libevent.
* You have to use the same libevent that unbound was compiled with,
* otherwise it wouldn't work, the event and event_base structures would
* be different. If unbound is compiled without libevent support then
* this header file is not supposed to be installed on the system.
* This file contains the unbound interface for use with user defined
* pluggable event bases.
*
* Use ub_ctx_create_event_base() to create an unbound context that uses
* the event base that you have made. Then, use the ub_resolve_event call
* to add DNS resolve queries to the context. Those then run when you
* call event_dispatch() on your event_base, and when they are done you
* get a function callback.
* Use ub_ctx_create_event_ub_base() to create an unbound context that uses
* the user provided event base API. Then, use the ub_resolve_event call
* to add DNS resolve queries to the context. Those then run whith the
* provided event_base, and when they are done you get a function callback.
*
* This method does not fork another process or create a thread, the effort
* is done by the unbound state machines that are connected to the event_base.
* is done by the unbound state machines that are connected to the event base.
*
* It is also possible to provide a libevent based event base by using
* ub_ctx_create_event_base(). But you have to use the same libevent that
* unbound was compiled with, otherwise it wouldn't work, the event and
* event_base structures would be different.
*/
#ifndef _UB_UNBOUND_EVENT_H
#define _UB_UNBOUND_EVENT_H
@ -62,12 +63,136 @@ struct ub_ctx;
struct ub_result;
struct event_base;
typedef void (*ub_event_callback_t)(void*, int, void*, int, int, char*);
/** event timeout */
#define UB_EV_TIMEOUT 0x01
/** event fd readable */
#define UB_EV_READ 0x02
/** event fd writable */
#define UB_EV_WRITE 0x04
/** event signal */
#define UB_EV_SIGNAL 0x08
/** event must persist */
#define UB_EV_PERSIST 0x10
/** magic number to identify this version of the pluggable event api */
#define UB_EVENT_MAGIC 0x44d74d78
struct ub_event;
struct ub_event_base;
struct timeval;
/**
* The Virtual Method Table for and ub_event_base "object"
*/
struct ub_event_base_vmt {
/** Destructor for the ub_event_base object,
* (not called by libunbound) */
void (*free)(struct ub_event_base*);
/** Run the event loop
* (not called by libunbound when using ub_resolve_event) */
int (*dispatch)(struct ub_event_base*);
/** Exit the given event loop */
int (*loopexit)(struct ub_event_base*, struct timeval*);
/** Instantiate a new ub_event associated with this event base */
struct ub_event* (*new_event)(struct ub_event_base*,
int fd, short bits, void (*cb)(int, short, void*), void* arg);
/** Instantiate a new signal associated with this event base,
* (not called by libunbound) */
struct ub_event* (*new_signal)(struct ub_event_base*, int fd,
void (*cb)(int, short, void*), void* arg);
/** Create a new ub_event associated with the given wsaevent,
* (not called by libunbound) */
struct ub_event* (*winsock_register_wsaevent)(struct ub_event_base*,
void* wsaevent, void (*cb)(int, short, void*), void* arg);
};
/**
* A user defined pluggable event base is registered by providing a
* ub_event_base "object" with the ub_ctx_create_ub_event() function.
* The magic number must be correct and the Virtual Method Table must be
* fully equipped providing the event base API to be used by libunbound.
*/
struct ub_event_base {
/** magic must be UB_EVENT_MAGIC (0x44d74d78) */
unsigned long magic;
/** Virtual Method Table for ub_event_base */
struct ub_event_base_vmt* vmt;
};
/**
* The Virtual Method Table for and ub_event "object"
*/
struct ub_event_vmt {
/** Add event bits for this event to fire on.
* The event will be deactivated before this function is called. */
void (*add_bits)(struct ub_event*, short);
/** Configure the event so it will not longer fire on given bits
* The event will be deactivated before this function is called. */
void (*del_bits)(struct ub_event*, short);
/** Change or set the file descriptor on the event
* The event will be deactivated before this function is called. */
void (*set_fd)(struct ub_event*, int);
/** Destructor for the ub_event object */
void (*free)(struct ub_event*);
/** Activate the event. The given timeval is an timeout value. */
int (*add)(struct ub_event*, struct timeval*);
/** Deactivate the event */
int (*del)(struct ub_event*);
/** Reconfigure and activate a timeout event */
int (*add_timer)(struct ub_event*, struct ub_event_base*,
void (*cb)(int, short, void*), void* arg, struct timeval*);
/** Deactivate the timeout event */
int (*del_timer)(struct ub_event*);
/** Activate a signal event (not called by libunbound). */
int (*add_signal)(struct ub_event*, struct timeval*);
/** Deactivate a signal event (not called by libunbound). */
int (*del_signal)(struct ub_event*);
/** Destructor for a ub_event associated with a wsaevent,
* (not called by libunbound)
*/
void (*winsock_unregister_wsaevent)(struct ub_event* ev);
/** Libunbound will signal the eventloop when a TCP windows socket
* will block on next read or write (given by the eventbits), to work
* around edge trigger event behaviour of select on windows with TCP.
*/
void (*winsock_tcp_wouldblock)(struct ub_event*, int eventbit);
};
/**
* An "object" comprising a user defined pluggable event.
* The magic number must be correct and the Virtual Method Table must be
* fully equipped providing the ub_event API to be used by libunbound.
*/
struct ub_event {
/** magic must be UB_EVENT_MAGIC (0x44d74d78) */
unsigned long magic;
/** Virtual Method Table for ub_event */
struct ub_event_vmt* vmt;
};
typedef void (*ub_event_callback_type)(void*, int, void*, int, int, char*);
/**
* Create a resolving and validation context.
* The information from /etc/resolv.conf and /etc/hosts is not utilised by
* default. Use ub_ctx_resolvconf and ub_ctx_hosts to read them.
* @param base: the pluggable event base that the caller has created.
* The unbound context uses this event base.
* @return a new context. default initialisation.
* returns NULL on error.
* You must use ub_resolve_event with this context.
* Do not call ub_ctx_async, ub_poll, ub_wait, ub_process, this is all done
* with the event_base. Setup the options you like with the other functions.
*/
struct ub_ctx* ub_ctx_create_ub_event(struct ub_event_base* base);
/**
* Create a resolving and validation context.
* The information from /etc/resolv.conf and /etc/hosts is not utilised by
* default. Use ub_ctx_resolvconf and ub_ctx_hosts to read them.
* You have to use the same libevent that unbound was compiled with,
* otherwise it wouldn't work, the event and event_base structures would
* be different.
* @param base: the event base that the caller has created. The unbound
* context uses this event base.
* @return a new context. default initialisation.
@ -79,7 +204,10 @@ typedef void (*ub_event_callback_t)(void*, int, void*, int, int, char*);
struct ub_ctx* ub_ctx_create_event(struct event_base* base);
/**
* Set a new event_base on a context created with ub_ctx_create_event.
* Set a new libevent event_base on a context created with ub_ctx_create_event.
* You have to use the same libevent that unbound was compiled with,
* otherwise it wouldn't work, the event and event_base structures would
* be different.
* Any outbound queries will be canceled.
* @param ctx the ub_ctx to update. Must have been created with ub_ctx_create_event
* @param base the new event_base to attach to the ctx
@ -126,7 +254,8 @@ int ub_ctx_set_event(struct ub_ctx* ctx, struct event_base* base);
* @return 0 if OK, else error.
*/
int ub_resolve_event(struct ub_ctx* ctx, const char* name, int rrtype,
int rrclass, void* mydata, ub_event_callback_t callback, int* async_id);
int rrclass, void* mydata, ub_event_callback_type callback,
int* async_id);
#ifdef __cplusplus
}

View file

@ -102,9 +102,9 @@ extern "C" {
#endif
/** the version of this header file */
#define UNBOUND_VERSION_MAJOR @UNBOUND_VERSION_MAJOR@
#define UNBOUND_VERSION_MINOR @UNBOUND_VERSION_MINOR@
#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MICRO@
#define UNBOUND_VERSION_MAJOR 1
#define UNBOUND_VERSION_MINOR 6
#define UNBOUND_VERSION_MICRO 3
/**
* The validation context is created to hold the resolver status,
@ -223,7 +223,7 @@ struct ub_result {
* This structure is allocated on the heap and needs to be
* freed with ub_resolve_free(result);
*/
typedef void (*ub_callback_t)(void*, int, struct ub_result*);
typedef void (*ub_callback_type)(void*, int, struct ub_result*);
/**
* Create a resolving and validation context.
@ -303,6 +303,27 @@ int ub_ctx_config(struct ub_ctx* ctx, const char* fname);
*/
int ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr);
/**
* Add a stub zone, with given address to send to. This is for custom
* root hints or pointing to a local authoritative dns server.
* For dns resolvers and the 'DHCP DNS' ip address, use ub_ctx_set_fwd.
* This is similar to a stub-zone entry in unbound.conf.
*
* @param ctx: context.
* It is only possible to set configuration before the
* first resolve is done.
* @param zone: name of the zone, string.
* @param addr: address, IP4 or IP6 in string format.
* The addr is added to the list of stub-addresses if the entry exists.
* If the addr is NULL the stub entry is removed.
* @param isprime: set to true to set stub-prime to yes for the stub.
* For local authoritative servers, people usually set it to false,
* For root hints it should be set to true.
* @return 0 if OK, else error.
*/
int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr,
int isprime);
/**
* Read list of nameservers to use from the filename given.
* Usually "/etc/resolv.conf". Uses those nameservers as caching proxies.
@ -498,7 +519,7 @@ int ub_resolve(struct ub_ctx* ctx, const char* name, int rrtype,
* @return 0 if OK, else error.
*/
int ub_resolve_async(struct ub_ctx* ctx, const char* name, int rrtype,
int rrclass, void* mydata, ub_callback_t callback, int* async_id);
int rrclass, void* mydata, ub_callback_type callback, int* async_id);
/**
* Cancel an async query in progress.

View file

@ -48,13 +48,12 @@ struct comm_reply;
struct comm_point;
struct module_qstate;
struct tube;
struct edns_option;
struct query_info;
/**
* Worker service routine to send serviced queries to authoritative servers.
* @param qname: query name. (host order)
* @param qnamelen: length in bytes of qname, including trailing 0.
* @param qtype: query type. (host order)
* @param qclass: query class. (host order)
* @param qinfo: query info.
* @param flags: host order flags word, with opcode and CD bit.
* @param dnssec: if set, EDNS record will have DO bit set.
* @param want_dnssec: signatures needed.
@ -63,15 +62,15 @@ struct tube;
* @param addrlen: length of addr.
* @param zone: delegation point name.
* @param zonelen: length of zone name wireformat dname.
* @param ssl_upstream: use SSL for upstream queries.
* @param q: wich query state to reactivate upon return.
* @return: false on failure (memory or socket related). no query was
* sent.
*/
struct outbound_entry* libworker_send_query(uint8_t* qname, size_t qnamelen,
uint16_t qtype, uint16_t qclass, uint16_t flags, int dnssec,
int want_dnssec, int nocaps, struct sockaddr_storage* addr,
socklen_t addrlen, uint8_t* zone, size_t zonelen,
struct module_qstate* q);
struct outbound_entry* libworker_send_query(struct query_info* qinfo,
uint16_t flags, int dnssec, int want_dnssec, int nocaps,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
size_t zonelen, int ssl_upstream, struct module_qstate* q);
/** process incoming replies from the network */
int libworker_handle_reply(struct comm_point* c, void* arg, int error,
@ -106,10 +105,7 @@ void worker_sighandler(int sig, void* arg);
/**
* Worker service routine to send serviced queries to authoritative servers.
* @param qname: query name. (host order)
* @param qnamelen: length in bytes of qname, including trailing 0.
* @param qtype: query type. (host order)
* @param qclass: query class. (host order)
* @param qinfo: query info.
* @param flags: host order flags word, with opcode and CD bit.
* @param dnssec: if set, EDNS record will have DO bit set.
* @param want_dnssec: signatures needed.
@ -118,15 +114,15 @@ void worker_sighandler(int sig, void* arg);
* @param addrlen: length of addr.
* @param zone: wireformat dname of the zone.
* @param zonelen: length of zone name.
* @param ssl_upstream: use SSL for upstream queries.
* @param q: wich query state to reactivate upon return.
* @return: false on failure (memory or socket related). no query was
* sent.
*/
struct outbound_entry* worker_send_query(uint8_t* qname, size_t qnamelen,
uint16_t qtype, uint16_t qclass, uint16_t flags, int dnssec,
int want_dnssec, int nocaps, struct sockaddr_storage* addr,
socklen_t addrlen, uint8_t* zone, size_t zonelen,
struct module_qstate* q);
struct outbound_entry* worker_send_query(struct query_info* qinfo,
uint16_t flags, int dnssec, int want_dnssec, int nocaps,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
size_t zonelen, int ssl_upstream, struct module_qstate* q);
/**
* process control messages from the main thread. Frees the control

File diff suppressed because it is too large Load diff

View file

@ -80,10 +80,13 @@ pygments_style = 'sphinx'
# Options for HTML output
# -----------------------
# The theme that the html output should use.
html_theme = "classic"
# The style sheet to use for HTML and HTML Help pages. A file of that name
# must exist either in Sphinx' static/ path, or in one of the custom paths
# given in html_static_path.
html_style = 'default.css'
#html_style = 'default.css'
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".

View file

@ -1,10 +1,12 @@
.. _log_handler:
Packet logger
=========================
=============
This example shows how to log and print details about query and response.
As soon as the ``iterator`` has finished (event is :data:`module_event_moddone`), ``qstate.return_msg`` contains response packet or ``None``.
As soon as the ``iterator`` has finished (event is
:data:`module_event_moddone`), ``qstate.return_msg`` contains response packet
or ``None``.
This packet will be send to a client that asked for it.
Complete source code
@ -14,12 +16,14 @@ Complete source code
:language: python
Testing
------------------
-------
Run the unbound server:
``root@localhost>unbound -dv -c ./test-log.conf``
In case you use own configuration file, don't forget to enable python module: ``module-config: "validator python iterator"`` and use valid script path: ``python-script: "./examples/log.py"``.
In case you use own configuration file, don't forget to enable python module:
``module-config: "validator python iterator"`` and use valid script path:
``python-script: "./examples/log.py"``.
Example of output::

View file

@ -1,12 +1,14 @@
Response generation
=====================
===================
This example shows how to handle queries and generate response packet.
.. note::
If the python module is the first module and validator module is enabled (``module-config: "python validator iterator"``),
a return_msg security flag has to be set at least to 2. Leaving security flag untouched causes that the
response will be refused by unbound worker as unbound will consider it as non-valid response.
If the python module is the first module and validator module is enabled
(``module-config: "python validator iterator"``), a return_msg security flag
has to be set at least to 2. Leaving security flag untouched causes that the
response will be refused by unbound worker as unbound will consider it as
non-valid response.
Complete source code
--------------------
@ -43,4 +45,5 @@ Dig produces the following output::
;; WHEN: Mon Jan 01 12:46:02 2009
;; MSG SIZE rcvd: 54
As we handle (override) in python module only queries ending with "localdomain.", the unboud can still resolve host names.
As we handle (override) in the python module only queries ending with
``localdomain.``, unboud can still resolve host names.

View file

@ -1,15 +1,19 @@
DNS-based language dictionary
===============================
=============================
This example shows how to create a simple language dictionary based on **DNS**
service within 15 minutes. The translation will be performed using TXT resource records.
service within 15 minutes. The translation will be performed using TXT resource
records.
Key parts
-----------
---------
Initialization
~~~~~~~~~~~~~~~~~~~~~~~
On **init()** module loads dictionary from a text file containing records in ``word [tab] translation`` format.
~~~~~~~~~~~~~~
On **init()** module loads dictionary from a text file containing records in
``word [tab] translation`` format.
::
def init(id, cfg):
@ -20,11 +24,14 @@ On **init()** module loads dictionary from a text file containing records in ``w
The suitable file can be found at http://slovnik.zcu.cz
DNS query and word lookup
~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~
Let's define the following format od DNS queries: ``word1[.]word2[.] ... wordN[.]{en,cs}[._dict_.cz.]``.
Let's define the following format od DNS queries:
``word1[.]word2[.] ... wordN[.]{en,cs}[._dict_.cz.]``.
Word lookup is done by simple ``dict`` lookup from broken DNS request.
Query name is divided into a list of labels. This list is accessible as qname_list attribute.
Query name is divided into a list of labels. This list is accessible as
``qname_list`` attribute.
::
aword = ' '.join(qstate.qinfo.qname_list[0:-4]) #skip last four labels
@ -37,15 +44,17 @@ Query name is divided into a list of labels. This list is accessible as qname_li
if (adict == "cs") and (aword in cz_dict):
words = cz_dict[aword] # CS -> EN
In the first step, we get a string in the form: ``word1[space]word2[space]...word[space]``.
In the second assignment, fourth label from the end is obtained. This label should contains *"cs"* or *"en"*.
This label determines the direction of translation.
In the first step, we get a string in the form:
``word1[space]word2[space]...word[space]``.
In the second assignment, fourth label from the end is obtained. This label
should contains *"cs"* or *"en"*. This label determines the direction of
translation.
Forming of a DNS reply
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
DNS reply is formed only on valid match and added as TXT answer.
::
msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_TXT, RR_CLASS_IN, PKT_AA)
@ -61,11 +70,14 @@ DNS reply is formed only on valid match and added as TXT answer.
qstate.ext_state[id] = MODULE_FINISHED
return True
In the first step, a :class:`DNSMessage` instance is created for a given query *(type TXT)*.
In the first step, a :class:`DNSMessage` instance is created for a given query
*(type TXT)*.
The fourth argument specifies the flags *(authoritative answer)*.
In the second step, we append TXT records containing the translation *(on the right side of RR)*.
In the second step, we append TXT records containing the translation *(on the
right side of RR)*.
Then, the response is finished and ``qstate.return_msg`` contains new response.
If no error, the module sets :attr:`module_qstate.return_rcode` and :attr:`module_qstate.ext_state`.
If no error, the module sets :attr:`module_qstate.return_rcode` and
:attr:`module_qstate.ext_state`.
**Steps:**
@ -112,6 +124,7 @@ The translation from english word *"a bar fly"* to Czech can be done by doing:
;; MSG SIZE rcvd: 67
``>>>dig TXT @127.0.0.1 nic.cs._dict_.cz``
::
; <<>> DiG 9.5.0-P2 <<>> TXT @127.0.0.1 nic.cs._dict_.cz
@ -137,9 +150,10 @@ The translation from english word *"a bar fly"* to Czech can be done by doing:
;; WHEN: Mon Jan 01 17:45:39 2009
;; MSG SIZE rcvd: 143
Proof that the unbound still works as resolver.
Proof that the unbound still works as resolver.
``>>>dig A @127.0.0.1 www.nic.cz``
::
; (1 server found)

View file

@ -0,0 +1,191 @@
EDNS options
============
This example shows how to interact with EDNS options.
When quering unbound with the EDNS option ``65001`` and data ``0xc001`` we
expect an answer with the same EDNS option code and data ``0xdeadbeef``.
Key parts
~~~~~~~~~
This example relies on the following functionalities:
Registering EDNS options
------------------------
By registering EDNS options we can tune unbound's behavior when encountering a
query with a known EDNS option. The two available options are:
- ``bypass_cache_stage``: If set to ``True`` unbound will not try to answer
from cache. Instead execution is passed to the modules
- ``no_aggregation``: If set to ``True`` unbound will consider this query
unique and will not aggregate it with similar queries
Both values default to ``False``.
.. code-block:: python
if not register_edns_option(env, 65001, bypass_cache_stage=True,
no_aggregation=True):
log_info("python: Could not register EDNS option {}".format(65001))
EDNS option lists
-----------------
EDNS option lists can be found in the :class:`module_qstate` class. There are
four available lists in total:
- :class:`module_qstate.edns_opts_front_in`: options that came from the client
side. **Should not** be changed
- :class:`module_qstate.edns_opts_back_out`: options that will be sent to the
server side. Can be populated by edns literate modules
- :class:`module_qstate.edns_opts_back_in`: options that came from the server
side. **Should not** be changed
- :class:`module_qstate.edns_opts_front_out`: options that will be sent to the
client side. Can be populated by edns literate modules
Each list element has the following members:
- ``code``: the EDNS option code;
- ``data``: the EDNS option data.
Reading an EDNS option list
...........................
The lists' contents can be accessed in python by their ``_iter`` counterpart as
an iterator:
.. code-block:: python
if not edns_opt_list_is_empty(qstate.edns_opts_front_in):
for o in qstate.edns_opts_front_in_iter:
log_info("python: Code: {}, Data: '{}'".format(o.code,
"".join('{:02x}'.format(x) for x in o.data)))
Writing to an EDNS option list
..............................
By appending to an EDNS option list we can add new EDNS options. The new
element is going to be allocated in :class:`module_qstate.region`. The data
**must** be represented with a python ``bytearray``:
.. code-block:: python
b = bytearray.fromhex("deadbeef")
if not edns_opt_list_append(qstate.edns_opts_front_out,
o.code, b, qstate.region):
log_info("python: Could not append EDNS option {}".format(o.code))
We can also remove an EDNS option code from an EDNS option list.
.. code-block:: python
if not edns_opt_list_remove(edns_opt_list, code):
log_info("python: Option code {} was not found in the "
"list.".format(code))
.. note:: All occurences of the EDNS option code will be removed from the list:
Controlling other modules' cache behavior
-----------------------------------------
During the modules' operation, some modules may interact with the cache
(e.g., iterator). This behavior can be controlled by using the following
:class:`module_qstate` flags:
- :class:`module_qstate.no_cache_lookup`: Modules *operating after* this module
will not lookup the cache for an answer
- :class:`module_qstate.no_cache_store`: Modules *operating after* this module
will not store the response in the cache
Both values default to ``0``.
.. code-block:: python
def operate(id, event, qstate, qdata):
if (event == MODULE_EVENT_NEW) or (event == MODULE_EVENT_PASS):
# Detect if edns option code 56001 is present from the client side. If
# so turn on the flags for cache management.
if not edns_opt_list_is_empty(qstate.edns_opts_front_in):
log_info("python: searching for edns option code 65001 during NEW "
"or PASS event ")
for o in qstate.edns_opts_front_in_iter:
if o.code == 65001:
log_info("python: found edns option code 65001")
# Instruct other modules to not lookup for an
# answer in the cache.
qstate.no_cache_lookup = 1
log_info("python: enabled no_cache_lookup")
# Instruct other modules to not store the answer in
# the cache.
qstate.no_cache_store = 1
log_info("python: enabled no_cache_store")
Testing
~~~~~~~
Run the Unbound server: ::
root@localhost$ unbound -dv -c ./test-edns.conf
In case you use your own configuration file, don't forget to enable the Python
module::
module-config: "validator python iterator"
and use a valid script path::
python-script: "./examples/edns.py"
Quering with EDNS option ``65001:0xc001``:
::
root@localhost$ dig @localhost nlnetlabs.nl +ednsopt=65001:c001
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost nlnetlabs.nl +ednsopt=65001:c001
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33450
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; OPT=65001: de ad be ef ("....")
;; QUESTION SECTION:
;nlnetlabs.nl. IN A
;; ANSWER SECTION:
nlnetlabs.nl. 10200 IN A 185.49.140.10
;; AUTHORITY SECTION:
nlnetlabs.nl. 10200 IN NS anyns.pch.net.
nlnetlabs.nl. 10200 IN NS ns.nlnetlabs.nl.
nlnetlabs.nl. 10200 IN NS ns-ext1.sidn.nl.
nlnetlabs.nl. 10200 IN NS sec2.authdns.ripe.net.
;; ADDITIONAL SECTION:
ns.nlnetlabs.nl. 10200 IN AAAA 2a04:b900::8:0:0:60
ns.nlnetlabs.nl. 10200 IN A 185.49.140.60
;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 05 14:50:56 CET 2016
;; MSG SIZE rcvd: 212
Complete source code
~~~~~~~~~~~~~~~~~~~~
.. literalinclude:: ../../examples/edns.py
:language: python

View file

@ -0,0 +1,299 @@
Inplace callbacks
=================
This example shows how to register and use inplace callback functions. These
functions are going to be called just before unbound replies back to a client.
They can perform certain actions without interrupting unbound's execution flow
(e.g. add/remove EDNS options, manipulate the reply).
Two different scenarios will be shown:
- If answering from cache and the client used EDNS option code ``65002`` we
will answer with the same code but with data ``0xdeadbeef``;
- When answering with a SERVFAIL we also add an empty EDNS option code
``65003``.
Key parts
~~~~~~~~~
This example relies on the following functionalities:
Registering inplace callback functions
--------------------------------------
There are four types of inplace callback functions:
- `inplace callback reply functions`_
- `inplace callback reply_cache functions`_
- `inplace callback reply_local functions`_
- `inplace callback reply_servfail functions`_
Inplace callback reply functions
................................
Called when answering with a *resolved* query.
The callback function's prototype is the following:
.. code-block:: python
def inplace_reply_callback(qinfo, qstate, rep, rcode, edns, opt_list_out, region):
"""Function that will be registered as an inplace callback function.
It will be called when answering with a resolved query.
:param qinfo: query_info struct;
:param qstate: module qstate. It contains the available opt_lists; It
SHOULD NOT be altered;
:param rep: reply_info struct;
:param rcode: return code for the query;
:param edns: edns_data to be sent to the client side. It SHOULD NOT be
altered;
:param opt_list_out: the list with the EDNS options that will be sent as a
reply. It can be populated with EDNS options;
:param region: region to allocate temporary data. Needs to be used when we
want to append a new option to opt_list_out.
:return: True on success, False on failure.
"""
.. note:: The function's name is irrelevant.
We can register such function as:
.. code-block:: python
if not register_inplace_cb_reply(inplace_reply_callback, env, id):
log_info("python: Could not register inplace callback function.")
Inplace callback reply_cache functions
......................................
Called when answering *from cache*.
The callback function's prototype is the following:
.. code-block:: python
def inplace_cache_callback(qinfo, qstate, rep, rcode, edns, opt_list_out, region):
"""Function that will be registered as an inplace callback function.
It will be called when answering from the cache.
:param qinfo: query_info struct;
:param qstate: module qstate. None;
:param rep: reply_info struct;
:param rcode: return code for the query;
:param edns: edns_data sent from the client side. The list with the EDNS
options is accesible through edns.opt_list. It SHOULD NOT be
altered;
:param opt_list_out: the list with the EDNS options that will be sent as a
reply. It can be populated with EDNS options;
:param region: region to allocate temporary data. Needs to be used when we
want to append a new option to opt_list_out.
:return: True on success, False on failure.
"""
.. note:: The function's name is irrelevant.
We can register such function as:
.. code-block:: python
if not register_inplace_cb_reply_cache(inplace_cache_callback, env, id):
log_info("python: Could not register inplace callback function.")
Inplace callback reply_local functions
......................................
Called when answering with *local data* or a *Chaos(CH) reply*.
The callback function's prototype is the following:
.. code-block:: python
def inplace_local_callback(qinfo, qstate, rep, rcode, edns, opt_list_out, region):
"""Function that will be registered as an inplace callback function.
It will be called when answering from local data.
:param qinfo: query_info struct;
:param qstate: module qstate. None;
:param rep: reply_info struct;
:param rcode: return code for the query;
:param edns: edns_data sent from the client side. The list with the
EDNS options is accesible through edns.opt_list. It
SHOULD NOT be altered;
:param opt_list_out: the list with the EDNS options that will be sent as a
reply. It can be populated with EDNS options;
:param region: region to allocate temporary data. Needs to be used when we
want to append a new option to opt_list_out.
:return: True on success, False on failure.
"""
.. note:: The function's name is irrelevant.
We can register such function as:
.. code-block:: python
if not register_inplace_cb_reply_local(inplace_local_callback, env, id):
log_info("python: Could not register inplace callback function.")
Inplace callback reply_servfail functions
.........................................
Called when answering with *SERVFAIL*.
The callback function's prototype is the following:
.. code-block:: python
def inplace_servfail_callback(qinfo, qstate, rep, rcode, edns, opt_list_out, region):
"""Function that will be registered as an inplace callback function.
It will be called when answering with SERVFAIL.
:param qinfo: query_info struct;
:param qstate: module qstate. If not None the relevant opt_lists are
available here;
:param rep: reply_info struct. None;
:param rcode: return code for the query. LDNS_RCODE_SERVFAIL;
:param edns: edns_data to be sent to the client side. If qstate is None
edns.opt_list contains the EDNS options sent from the client
side. It SHOULD NOT be altered;
:param opt_list_out: the list with the EDNS options that will be sent as a
reply. It can be populated with EDNS options;
:param region: region to allocate temporary data. Needs to be used when we
want to append a new option to opt_list_out.
:return: True on success, False on failure.
"""
.. note:: The function's name is irrelevant.
We can register such function as:
.. code-block:: python
if not register_inplace_cb_reply_servfail(inplace_servfail_callback, env, id):
log_info("python: Could not register inplace callback function.")
Testing
~~~~~~~
Run the Unbound server: ::
root@localhost$ unbound -dv -c ./test-inplace_callbacks.conf
In case you use your own configuration file, don't forget to enable the Python
module::
module-config: "validator python iterator"
and use a valid script path ::
python-script: "./examples/inplace_callbacks.py"
On the first query for the nlnetlabs.nl A record we get no EDNS option back:
::
root@localhost$ dig @localhost nlnetlabs.nl +ednsopt=65002
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost nlnetlabs.nl +ednsopt=65002
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48057
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nlnetlabs.nl. IN A
;; ANSWER SECTION:
nlnetlabs.nl. 10200 IN A 185.49.140.10
;; AUTHORITY SECTION:
nlnetlabs.nl. 10200 IN NS ns.nlnetlabs.nl.
nlnetlabs.nl. 10200 IN NS sec2.authdns.ripe.net.
nlnetlabs.nl. 10200 IN NS anyns.pch.net.
nlnetlabs.nl. 10200 IN NS ns-ext1.sidn.nl.
;; ADDITIONAL SECTION:
ns.nlnetlabs.nl. 10200 IN A 185.49.140.60
ns.nlnetlabs.nl. 10200 IN AAAA 2a04:b900::8:0:0:60
;; Query time: 813 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 05 16:15:32 CET 2016
;; MSG SIZE rcvd: 204
When we issue the same query again we get a cached response and the expected
``65002: 0xdeadbeef`` EDNS option:
::
root@localhost$ dig @localhost nlnetlabs.nl +ednsopt=65002
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost nlnetlabs.nl +ednsopt=65002
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26489
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; OPT=65002: de ad be ef ("....")
;; QUESTION SECTION:
;nlnetlabs.nl. IN A
;; ANSWER SECTION:
nlnetlabs.nl. 10197 IN A 185.49.140.10
;; AUTHORITY SECTION:
nlnetlabs.nl. 10197 IN NS ns.nlnetlabs.nl.
nlnetlabs.nl. 10197 IN NS sec2.authdns.ripe.net.
nlnetlabs.nl. 10197 IN NS anyns.pch.net.
nlnetlabs.nl. 10197 IN NS ns-ext1.sidn.nl.
;; ADDITIONAL SECTION:
ns.nlnetlabs.nl. 10197 IN AAAA 2a04:b900::8:0:0:60
ns.nlnetlabs.nl. 10197 IN A 185.49.140.60
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 05 16:50:04 CET 2016
;; MSG SIZE rcvd: 212
By issuing a query for a bogus domain unbound replies with SERVFAIL and an
empty EDNS option code ``65003``. *For this example to work unbound needs to be
validating*:
::
root@localhost$ dig @localhost bogus.nlnetlabs.nl txt
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost bogus.nlnetlabs.nl txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19865
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; OPT=65003
;; QUESTION SECTION:
;bogus.nlnetlabs.nl. IN TXT
;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 05 17:06:01 CET 2016
;; MSG SIZE rcvd: 51
Complete source code
~~~~~~~~~~~~~~~~~~~~
.. literalinclude:: ../../examples/inplace_callbacks.py
:language: python

View file

@ -1,12 +1,13 @@
.. _Tutorials:
==============================
Examples
========
Here you can find several tutorials which clarify the usage and capabilities of
the Unbound scriptable interface.
Tutorials
==============================
Here you can find several tutorials which clarify the usage and capabilities of Unbound scriptable interface.
`Tutorials`
---------
.. toctree::
:maxdepth: 2

View file

@ -1,18 +1,21 @@
Installation
===================================
============
**Prerequisites**
Prerequisites
-------------
Python 2.4 or higher, SWIG 1.3 or higher, GNU make
**Download**
Download
--------
You can download the source codes `here`_.
The latest release is 1.1.1, Jan 15, 2009.
.. _here: unbound-1.1.1-py.tar.gz
**Compiling**
Compiling
---------
After downloading, you can compile the Unbound library by doing::
@ -24,14 +27,16 @@ After downloading, you can compile the Unbound library by doing::
You need GNU make to compile sources.
SWIG and Python devel libraries to compile extension module.
**Testing**
Testing
-------
If the compilation is successful, you can test the extension module by::
> cd pythonmod
> make sudo # or "make test" or "make suexec"
This will start unbound server with language dictionary service (see :ref:`Tutorials`).
This will start unbound server with language dictionary service
(see :ref:`Tutorials`).
In order to test this service, type::
> dig TXT @127.0.0.1 aught.en._dict_.cz
@ -56,4 +61,5 @@ Dig should print this message (czech equivalent of aught)::
;; WHEN: Thu Jan 10 16:45:58 2009
;; MSG SIZE rcvd: 52
The ``pythonmod/examples`` directory contains simple applications written in Python.
The ``pythonmod/examples`` directory contains simple applications written in
Python.

View file

@ -7,7 +7,8 @@ Network
.. function:: ntohs(netshort)
This subroutine converts values between the host and network byte order.
Specifically, **ntohs()** converts 16-bit quantities from network byte order to host byte order.
Specifically, **ntohs()** converts 16-bit quantities from network byte order
to host byte order.
:param netshort: 16-bit short addr
:rtype: converted addr
@ -34,6 +35,111 @@ Cache
:param qinfo: :class:`query_info`
EDNS options
------------
.. function:: register_edns_option(env, code, bypass_cache_stage=False, no_aggregation=False)
Register EDNS option code.
:param env: :class:`module_env`
:param code: option code(integer)
:param bypass_cache_stage: whether to bypass the cache response stage
:param no_aggregation: whether this query should be unique
:return: ``1`` if successful, ``0`` otherwise
:rtype: integer
.. function:: edns_opt_list_find(list, code)
Find the EDNS option code in the EDNS option list.
:param list: linked list of :class:`edns_option`
:param code: option code (integer)
:return: the edns option if found or None
:rtype: :class:`edns_option` or None
.. function:: edns_opt_list_remove(list, code);
Remove an ENDS option code from the list.
.. note:: All :class:`edns_option` with the code will be removed
:param list: linked list of :class:`edns_option`
:param code: option code (integer)
:return: ``1`` if at least one :class:`edns_option` was removed, ``0`` otherwise
:rtype: integer
.. function:: edns_opt_list_append(list, code, data, region)
Append given EDNS option code with data to the list.
:param list: linked list of :class:`edns_option`
:param code: option code (integer)
:param data: EDNS data. **Must** be a :class:`bytearray`
:param region: :class:`regional`
.. function:: edns_opt_list_is_empty(list)
Check if an EDNS option list is empty.
:param list: linked list of :class:`edns_option`
:return: ``1`` if list is empty, ``0`` otherwise
:rtype: integer
Inplace callbacks
-----------------
.. function:: inplace_cb_reply(qinfo, qstate, rep, rcode, edns, opt_list_out, region)
Function prototype for callback functions used in
`register_inplace_cb_reply`_, `register_inplace_cb_reply_cache`_,
`register_inplace_cb_reply_local` and `register_inplace_cb_reply_servfail`.
:param qinfo: :class:`query_info`
:param qstate: :class:`module_qstate`
:param rep: :class:`reply_info`
:param rcode: return code (integer), check ``RCODE_`` constants.
:param edns: :class:`edns_data`
:param opt_list_out: :class:`edns_option`. EDNS option list to append options to.
:param region: :class:`regional`
.. function:: register_inplace_cb_reply(py_cb, env)
Register py_cb as an inplace reply callback function.
:param py_cb: Python function that follows `inplace_cb_reply`_'s prototype. **Must** be callable.
:param env: :class:`module_env`
:return: True on success, False otherwise
:rtype: boolean
.. function:: register_inplace_cb_reply_cache(py_cb, env)
Register py_cb as an inplace reply_cache callback function.
:param py_cb: Python function that follows `inplace_cb_reply`_'s prototype. **Must** be callable.
:param env: :class:`module_env`
:return: True on success, False otherwise
:rtype: boolean
.. function:: register_inplace_cb_reply_local(py_cb, env)
Register py_cb as an inplace reply_local callback function.
:param py_cb: Python function that follows `inplace_cb_reply`_'s prototype. **Must** be callable.
:param env: :class:`module_env`
:return: True on success, False otherwise
:rtype: boolean
.. function:: register_inplace_cb_reply_servfail(py_cb, env)
Register py_cb as an inplace reply_servfail callback function.
:param py_cb: Python function that follows `inplace_cb_reply`_'s prototype. **Must** be callable.
:param env: :class:`module_env`
:return: True on success, False otherwise
:rtype: boolean
Logging
-------
@ -94,6 +200,7 @@ Logging
:param r: :class:`regional`
Debugging
---------

View file

@ -55,6 +55,45 @@ module_qstate
Mesh related information for this query.
.. attribute:: edns_opts_front_in
Incoming EDNS options from the front end.
.. attribute:: edns_opts_front_in_iter
Iterator for `edns_opts_front_in`.
.. attribute:: edns_opts_back_out
Outgoing EDNS options to the back end.
.. attribute:: edns_opts_back_out_iter
Iterator for `edns_opts_back_out`.
.. attribute:: edns_opts_back_in
Incoming EDNS options from the back end.
.. attribute:: edns_opts_back_in_iter
Iterator for `ends_opts_back_in`.
.. attribute:: edns_opts_front_out
Outgoing EDNS options to the front end.
.. attribute:: edns_opts_front_out_iter
Iterator for `edns_opts_front_out`.
.. attribute:: no_cache_lookup
Flag to indicate whether modules should answer from the cache.
.. attribute:: no_cache_store
Flag to indicate whether modules should store answer in the cache.
query_info
----------------
@ -95,6 +134,56 @@ query_info
The ``qclass`` in display presentation format (string).
edns_data
---------
.. class:: edns_data
This class represents the EDNS information parsed/encoded from/to a packet. It provides these data attributes:
.. attribute:: edns_present
If EDNS OPT record is present.
.. attribute:: ext_rcode
Extended RCODE.
.. attribute:: edns_version
The EDNS version number.
.. attribute:: bits
The EDNS bits field from ttl (host order): Z.
.. attribute:: udp_size
UDP reassembly size.
.. attribute:: opt_list
The EDNS option list.
.. attribute:: opt_list_iter
Iterator for `opt_list`.
edns_option
-----------
.. class:: edns_option
This class represents an EDNS option (code, data) found in EDNS option lists. It provides these data attributes:
.. attribute:: code
The EDNS option code.
.. attribute:: data
The EDNS option data.
reply_info
--------------------

View file

@ -1,7 +1,6 @@
/*
* interface.i: unbound python module
*/
%module unboundmodule
%{
/**
@ -34,10 +33,10 @@
#include "sldns/pkthdr.h"
%}
%include "stdint.i" // uint_16_t can be known type now
%include "stdint.i" /* uint_16_t can be known type now */
%inline %{
//converts [len][data][len][data][0] string to a List of labels (PyBytes)
/* converts [len][data][len][data][0] string to a List of labels (PyBytes) */
PyObject* GetNameAsLabelList(const char* name, int len) {
PyObject* list;
int cnt=0, i;
@ -202,13 +201,16 @@ struct packed_rrset_key {
char* dname;
size_t dname_len;
uint32_t flags;
uint16_t type; //rrset type in network format
uint16_t rrset_class; //rrset class in network format
uint16_t type; /* rrset type in network format */
uint16_t rrset_class; /* rrset class in network format */
%mutable;
};
//This subroutine converts values between the host and network byte order.
//Specifically, ntohs() converts 16-bit quantities from network byte order to host byte order.
/**
* This subroutine converts values between the host and network byte order.
* Specifically, ntohs() converts 16-bit quantities from network byte order to
* host byte order.
*/
uint16_t ntohs(uint16_t netshort);
%inline %{
@ -243,23 +245,23 @@ uint16_t ntohs(uint16_t netshort);
}
#if defined(SWIGWORDSIZE64)
typedef long int rrset_id_t;
typedef long int rrset_id_type;
#else
typedef long long int rrset_id_t;
typedef long long int rrset_id_type;
#endif
struct ub_packed_rrset_key {
struct lruhash_entry entry;
rrset_id_t id;
rrset_id_type id;
struct packed_rrset_key rk;
};
struct lruhash_entry {
lock_rw_t lock;
lock_rw_type lock;
struct lruhash_entry* overflow_next;
struct lruhash_entry* lru_next;
struct lruhash_entry* lru_prev;
hashvalue_t hash;
hashvalue_type hash;
void* key;
struct packed_rrset_data* data;
};
@ -269,17 +271,24 @@ struct lruhash_entry {
%ignore packed_rrset_data::rr_data;
struct packed_rrset_data {
uint32_t ttl; //TTL (in seconds like time())
/* TTL (in seconds like time()) */
uint32_t ttl;
size_t count; //number of rrs
size_t rrsig_count; //number of rrsigs
/* number of rrs */
size_t count;
/* number of rrsigs */
size_t rrsig_count;
enum rrset_trust trust;
enum sec_status security;
size_t* rr_len; //length of every rr's rdata
uint32_t *rr_ttl; //ttl of every rr
uint8_t** rr_data; //array of pointers to every rr's rdata; The rr_data[i] rdata is stored in uncompressed wireformat.
/* length of every rr's rdata */
size_t* rr_len;
/* ttl of every rr */
uint32_t *rr_ttl;
/* array of pointers to every rr's rdata. The rr_data[i] rdata is stored in
* uncompressed wireformat. */
uint8_t** rr_data;
};
%pythoncode %{
@ -359,15 +368,15 @@ struct reply_info {
size_t an_numrrsets;
size_t ns_numrrsets;
size_t ar_numrrsets;
size_t rrset_count; // an_numrrsets + ns_numrrsets + ar_numrrsets
size_t rrset_count; /* an_numrrsets + ns_numrrsets + ar_numrrsets */
struct ub_packed_rrset_key** rrsets;
struct rrset_ref ref[1]; //?
struct rrset_ref ref[1]; /* ? */
};
struct rrset_ref {
struct ub_packed_rrset_key* key;
rrset_id_t id;
rrset_id_type id;
};
struct dns_msg {
@ -396,11 +405,11 @@ struct dns_msg {
struct rrset_ref* _rrset_ref_get(struct reply_info* r, int idx) {
if ((r != NULL) && (idx >= 0) && ((size_t)idx < r->rrset_count)) {
//printf("_rrset_ref_get: %lX key:%lX\n", r->ref + idx, r->ref[idx].key);
/* printf("_rrset_ref_get: %lX key:%lX\n", r->ref + idx, r->ref[idx].key); */
return &(r->ref[idx]);
// return &(r->ref[idx]);
/* return &(r->ref[idx]); */
}
//printf("_rrset_ref_get: NULL\n");
/* printf("_rrset_ref_get: NULL\n"); */
return NULL;
}
%}
@ -479,17 +488,144 @@ struct comm_reply {
if _newclass:family = _swig_property(_family_get)
%}
}
/* ************************************************************************************ *
Structure edns_option
* ************************************************************************************ */
/* Rename the members to follow the python convention of marking them as
* private. Access to the opt_code and opt_data members is given by the later
* python defined code and data members respectively. */
%rename(_next) edns_option::next;
%rename(_opt_code) edns_option::opt_code;
%rename(_opt_len) edns_option::opt_len;
%rename(_opt_data) edns_option::opt_data;
struct edns_option {
struct edns_option* next;
uint16_t opt_code;
size_t opt_len;
uint8_t* opt_data;
};
%inline %{
PyObject* _edns_option_opt_code_get(struct edns_option* option) {
uint16_t opt_code = option->opt_code;
return PyInt_FromLong(opt_code);
}
PyObject* _edns_option_opt_data_get(struct edns_option* option) {
return PyByteArray_FromStringAndSize((void*)option->opt_data,
option->opt_len);
}
%}
%extend edns_option {
%pythoncode %{
def _opt_code_get(self): return _edns_option_opt_code_get(self)
__swig_getmethods__["code"] = _opt_code_get
if _newclass: opt_code = _swig_property(_opt_code_get)
def _opt_data_get(self): return _edns_option_opt_data_get(self)
__swig_getmethods__["data"] = _opt_data_get
if _newclass: opt_data = _swig_property(_opt_data_get)
%}
}
/* ************************************************************************************ *
Structure edns_data
* ************************************************************************************ */
/* This is ignored because we will pass a double pointer of this to Python
* with custom getmethods. This is done to bypass Swig's behavior to pass NULL
* pointers as None. */
%ignore edns_data::opt_list;
struct edns_data {
int edns_present;
uint8_t ext_rcode;
uint8_t edns_version;
uint16_t bits;
uint16_t udp_size;
struct edns_option* opt_list;
};
%inline %{
struct edns_option** _edns_data_opt_list_get(struct edns_data* edns) {
return &edns->opt_list;
}
%}
%extend edns_data {
%pythoncode %{
def _opt_list_iter(self): return EdnsOptsListIter(self.opt_list)
__swig_getmethods__["opt_list_iter"] = _opt_list_iter
if _newclass:opt_list_iter = _swig_property(_opt_list_iter)
def _opt_list(self): return _edns_data_opt_list_get(self)
__swig_getmethods__["opt_list"] = _opt_list
if _newclass:opt_list = _swig_property(_opt_list)
%}
}
/* ************************************************************************************ *
Structure module_env
* ************************************************************************************ */
struct module_env {
struct config_file* cfg;
struct slabhash* msg_cache;
struct rrset_cache* rrset_cache;
struct infra_cache* infra_cache;
struct key_cache* key_cache;
/* --- services --- */
struct outbound_entry* (*send_query)(struct query_info* qinfo,
uint16_t flags, int dnssec, int want_dnssec, int nocaps,
struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* zone, size_t zonelen, int ssl_upstream,
struct module_qstate* q);
void (*detach_subs)(struct module_qstate* qstate);
int (*attach_sub)(struct module_qstate* qstate,
struct query_info* qinfo, uint16_t qflags, int prime,
int valrec, struct module_qstate** newq);
void (*kill_sub)(struct module_qstate* newq);
int (*detect_cycle)(struct module_qstate* qstate,
struct query_info* qinfo, uint16_t flags, int prime,
int valrec);
struct regional* scratch;
struct sldns_buffer* scratch_buffer;
struct worker* worker;
struct mesh_area* mesh;
struct alloc_cache* alloc;
struct ub_randstate* rnd;
time_t* now;
struct timeval* now_tv;
int need_to_validate;
struct val_anchors* anchors;
struct val_neg_cache* neg_cache;
struct comm_timer* probe_timer;
struct iter_forwards* fwds;
struct iter_hints* hints;
void* modinfo[MAX_MODULE];
void* inplace_cb_lists[inplace_cb_types_total];
struct edns_known_option* edns_known_options;
size_t edns_known_options_num;
};
/* ************************************************************************************ *
Structure module_qstate
* ************************************************************************************ */
%ignore module_qstate::ext_state;
%ignore module_qstate::minfo;
/* These are ignored because we will pass a double pointer of them to Python
* with custom getmethods. This is done to bypass Swig's behavior to pass NULL
* pointers as None. */
%ignore module_qstate::edns_opts_front_in;
%ignore module_qstate::edns_opts_back_out;
%ignore module_qstate::edns_opts_back_in;
%ignore module_qstate::edns_opts_front_out;
/* Query state */
struct module_qstate {
struct query_info qinfo;
uint16_t query_flags; //See QF_BIT_xx constants
uint16_t query_flags; /* See QF_BIT_xx constants */
int is_priming;
int is_valrec;
struct comm_reply* reply;
struct dns_msg* return_msg;
@ -500,9 +636,17 @@ struct module_qstate {
enum module_ext_state ext_state[MAX_MODULE];
void* minfo[MAX_MODULE];
time_t prefetch_leeway;
struct module_env* env; /* unwrapped */
struct mesh_state* mesh_info;
struct edns_option* edns_opts_front_in;
struct edns_option* edns_opts_back_out;
struct edns_option* edns_opts_back_in;
struct edns_option* edns_opts_front_out;
int no_cache_lookup;
int no_cache_store;
};
%constant int MODULE_COUNT = MAX_MODULE;
@ -540,6 +684,25 @@ struct module_qstate {
def __getitem__(self, index): return _unboundmodule._ext_state_get(self.obj, index)
def __setitem__(self, index, value): _unboundmodule._ext_state_set(self.obj, index, value)
def __len__(self): return _unboundmodule.MODULE_COUNT
class EdnsOptsListIter:
def __init__(self, obj):
self._current = obj
self._temp = None
def __iter__(self): return self
def __next__(self):
"""Python 3 compatibility"""
return self._get_next()
def next(self):
"""Python 2 compatibility"""
return self._get_next()
def _get_next(self):
if not edns_opt_list_is_empty(self._current):
self._temp = self._current
self._current = _p_p_edns_option_get_next(self._current)
return _dereference_edns_option(self._temp)
else:
raise StopIteration
%}
%inline %{
@ -555,6 +718,36 @@ struct module_qstate {
q->ext_state[idx] = state;
}
}
int edns_opt_list_is_empty(struct edns_option** opt) {
if (!opt || !(*opt)) return 1;
return 0;
}
struct edns_option* _dereference_edns_option(struct edns_option** opt) {
if (!opt) return NULL;
return *opt;
}
struct edns_option** _p_p_edns_option_get_next(struct edns_option** opt) {
return &(*opt)->next;
}
struct edns_option** _edns_opts_front_in_get(struct module_qstate* q) {
return &q->edns_opts_front_in;
}
struct edns_option** _edns_opts_back_out_get(struct module_qstate* q) {
return &q->edns_opts_back_out;
}
struct edns_option** _edns_opts_back_in_get(struct module_qstate* q) {
return &q->edns_opts_back_in;
}
struct edns_option** _edns_opts_front_out_get(struct module_qstate* q) {
return &q->edns_opts_front_out;
}
%}
%extend module_qstate {
@ -566,6 +759,32 @@ struct module_qstate {
def __ext_state_get(self): return ExtState(self)
__swig_getmethods__["ext_state"] = __ext_state_get
if _newclass:ext_state = _swig_property(__ext_state_get)#, __ext_state_set)
def _edns_opts_front_in_iter(self): return EdnsOptsListIter(self.edns_opts_front_in)
__swig_getmethods__["edns_opts_front_in_iter"] = _edns_opts_front_in_iter
if _newclass:edns_opts_front_in_iter = _swig_property(_edns_opts_front_in_iter)
def _edns_opts_back_out_iter(self): return EdnsOptsListIter(self.edns_opts_back_out)
__swig_getmethods__["edns_opts_back_out_iter"] = _edns_opts_back_out_iter
if _newclass:edns_opts_back_out_iter = _swig_property(_edns_opts_back_out_iter)
def _edns_opts_back_in_iter(self): return EdnsOptsListIter(self.edns_opts_back_in)
__swig_getmethods__["edns_opts_back_in_iter"] = _edns_opts_back_in_iter
if _newclass:edns_opts_back_in_iter = _swig_property(_edns_opts_back_in_iter)
def _edns_opts_front_out_iter(self): return EdnsOptsListIter(self.edns_opts_front_out)
__swig_getmethods__["edns_opts_front_out_iter"] = _edns_opts_front_out_iter
if _newclass:edns_opts_front_out_iter = _swig_property(_edns_opts_front_out_iter)
def _edns_opts_front_in(self): return _edns_opts_front_in_get(self)
__swig_getmethods__["edns_opts_front_in"] = _edns_opts_front_in
if _newclass:edns_opts_front_in = _swig_property(_edns_opts_front_in)
def _edns_opts_back_out(self): return _edns_opts_back_out_get(self)
__swig_getmethods__["edns_opts_back_out"] = _edns_opts_back_out
if _newclass:edns_opts_back_out = _swig_property(_edns_opts_back_out)
def _edns_opts_back_in(self): return _edns_opts_back_in_get(self)
__swig_getmethods__["edns_opts_back_in"] = _edns_opts_back_in
if _newclass:edns_opts_back_in = _swig_property(_edns_opts_back_in)
def _edns_opts_front_out(self): return _edns_opts_front_out_get(self)
__swig_getmethods__["edns_opts_front_out"] = _edns_opts_front_out
if _newclass:edns_opts_front_out = _swig_property(_edns_opts_front_out)
%}
}
@ -820,6 +1039,26 @@ enum verbosity_value {
VERB_ALGO
};
enum inplace_cb_list_type {
/* Inplace callbacks for when a resolved reply is ready to be sent to the
* front.*/
inplace_cb_reply = 0,
/* Inplace callbacks for when a reply is given from the cache. */
inplace_cb_reply_cache,
/* Inplace callbacks for when a reply is given with local data
* (or Chaos reply). */
inplace_cb_reply_local,
/* Inplace callbacks for when the reply is servfail. */
inplace_cb_reply_servfail,
/* Inplace callbacks for when a query is ready to be sent to the back.*/
inplace_cb_query,
/* Inplace callback for when a reply is received from the back. */
inplace_cb_edns_back_parsed,
/* Total number of types. Used for array initialization.
* Should always be last. */
inplace_cb_types_total
};
%constant uint16_t PKT_QR = 1; /* QueRy - query flag */
%constant uint16_t PKT_AA = 2; /* Authoritative Answer - server flag */
%constant uint16_t PKT_TC = 4; /* TrunCated - server flag */
@ -1037,8 +1276,9 @@ struct delegpt* find_delegation(struct module_qstate* qstate, char *nm, size_t n
/* ************************************************************************************ *
Functions
* ************************************************************************************ */
// Various debuging functions
/******************************
* Various debuging functions *
******************************/
void verbose(enum verbosity_value level, const char* format, ...);
void log_info(const char* format, ...);
void log_err(const char* format, ...);
@ -1048,24 +1288,159 @@ void log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* r
void log_query_info(enum verbosity_value v, const char* str, struct query_info* qinf);
void regional_log_stats(struct regional *r);
// Free allocated memory from marked sources returning corresponding types
/***************************************************************************
* Free allocated memory from marked sources returning corresponding types *
***************************************************************************/
%typemap(newfree, noblock = 1) char * {
free($1);
}
// Mark as source returning newly allocated memory
/***************************************************
* Mark as source returning newly allocated memory *
***************************************************/
%newobject sldns_wire2str_type;
%newobject sldns_wire2str_class;
// LDNS functions
/******************
* LDNS functions *
******************/
char *sldns_wire2str_type(const uint16_t atype);
char *sldns_wire2str_class(const uint16_t aclass);
// Functions from pythonmod_utils
/**********************************
* Functions from pythonmod_utils *
**********************************/
int storeQueryInCache(struct module_qstate* qstate, struct query_info* qinfo, struct reply_info* msgrep, int is_referral);
void invalidateQueryInCache(struct module_qstate* qstate, struct query_info* qinfo);
// Module conversion functions
/*******************************
* Module conversion functions *
*******************************/
const char* strextstate(enum module_ext_state s);
const char* strmodulevent(enum module_ev e);
/**************************
* Edns related functions *
**************************/
struct edns_option* edns_opt_list_find(struct edns_option* list, uint16_t code);
int edns_register_option(uint16_t opt_code, int bypass_cache_stage,
int no_aggregation, struct module_env* env);
%pythoncode %{
def register_edns_option(env, code, bypass_cache_stage=False,
no_aggregation=False):
"""Wrapper function to provide keyword attributes."""
return edns_register_option(code, bypass_cache_stage,
no_aggregation, env)
%}
/******************************
* Callback related functions *
******************************/
/* typemap to check if argument is callable */
%typemap(in) PyObject *py_cb {
if (!PyCallable_Check($input)) {
SWIG_exception_fail(SWIG_TypeError, "Need a callable object!");
return NULL;
}
$1 = $input;
}
/* typemap to get content/size from a bytearray */
%typemap(in) (size_t len, uint8_t* py_bytearray_data) {
if (!PyByteArray_CheckExact($input)) {
SWIG_exception_fail(SWIG_TypeError, "Expected bytearray!");
return NULL;
}
$2 = (void*)PyByteArray_AsString($input);
$1 = PyByteArray_Size($input);
}
int edns_opt_list_remove(struct edns_option** list, uint16_t code);
int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
uint8_t* py_bytearray_data, struct regional* region);
%{
/* This function is called by unbound in order to call the python
* callback function. */
int python_inplace_cb_reply_generic(struct query_info* qinfo,
struct module_qstate* qstate, struct reply_info* rep, int rcode,
struct edns_data* edns, struct edns_option** opt_list_out,
struct regional* region, int id, void* python_callback)
{
PyObject *func, *py_edns, *py_qstate, *py_opt_list_out, *py_qinfo;
PyObject *py_rep, *py_region;
PyObject *result;
int res = 0;
PyGILState_STATE gstate = PyGILState_Ensure();
func = (PyObject *) python_callback;
py_edns = SWIG_NewPointerObj((void*) edns, SWIGTYPE_p_edns_data, 0);
py_qstate = SWIG_NewPointerObj((void*) qstate,
SWIGTYPE_p_module_qstate, 0);
py_opt_list_out = SWIG_NewPointerObj((void*) opt_list_out,
SWIGTYPE_p_p_edns_option, 0);
py_qinfo = SWIG_NewPointerObj((void*) qinfo, SWIGTYPE_p_query_info, 0);
py_rep = SWIG_NewPointerObj((void*) rep, SWIGTYPE_p_reply_info, 0);
py_region = SWIG_NewPointerObj((void*) region, SWIGTYPE_p_regional, 0);
result = PyObject_CallFunction(func, "OOOiOOO", py_qinfo, py_qstate,
py_rep, rcode, py_edns, py_opt_list_out, py_region);
Py_XDECREF(py_edns);
Py_XDECREF(py_qstate);
Py_XDECREF(py_opt_list_out);
Py_XDECREF(py_qinfo);
Py_XDECREF(py_rep);
Py_XDECREF(py_region);
if (result) {
res = PyInt_AsLong(result);
}
Py_XDECREF(result);
PyGILState_Release(gstate);
return res;
}
/* register a callback */
static int python_inplace_cb_register(enum inplace_cb_list_type type,
PyObject* py_cb, struct module_env* env, int id)
{
int ret = inplace_cb_register(python_inplace_cb_reply_generic,
type, (void*) py_cb, env, id);
if (ret) Py_INCREF(py_cb);
return ret;
}
/* Swig implementations for Python */
static int register_inplace_cb_reply(PyObject* py_cb,
struct module_env* env, int id)
{
return python_inplace_cb_register(inplace_cb_reply, py_cb, env, id);
}
static int register_inplace_cb_reply_cache(PyObject* py_cb,
struct module_env* env, int id)
{
return python_inplace_cb_register(inplace_cb_reply_cache, py_cb, env, id);
}
static int register_inplace_cb_reply_local(PyObject* py_cb,
struct module_env* env, int id)
{
return python_inplace_cb_register(inplace_cb_reply_local, py_cb, env, id);
}
static int register_inplace_cb_reply_servfail(PyObject* py_cb,
struct module_env* env, int id)
{
return python_inplace_cb_register(inplace_cb_reply_servfail,
py_cb, env, id);
}
%}
/* C declarations */
int inplace_cb_register(void* cb, enum inplace_cb_list_type type, void* cbarg,
struct module_env* env, int id);
/* Swig declarations */
static int register_inplace_cb_reply(PyObject* py_cb,
struct module_env* env, int id);
static int register_inplace_cb_reply_cache(PyObject* py_cb,
struct module_env* env, int id);
static int register_inplace_cb_reply_local(PyObject* py_cb,
struct module_env* env, int id);
static int register_inplace_cb_reply_servfail(PyObject* py_cb,
struct module_env* env, int id);

View file

@ -112,8 +112,10 @@ int pythonmod_init(struct module_env* env, int id)
{
/* Initialize module */
FILE* script_py = NULL;
PyObject* py_cfg, *res;
PyObject* py_init_arg, *res;
PyGILState_STATE gil;
int init_standard = 1;
struct pythonmod_env* pe = (struct pythonmod_env*)calloc(1, sizeof(struct pythonmod_env));
if (!pe)
{
@ -141,6 +143,9 @@ int pythonmod_init(struct module_env* env, int id)
#endif
Py_SetProgramName(progname);
Py_NoSiteFlag = 1;
#if PY_MAJOR_VERSION >= 3
PyImport_AppendInittab(SWIG_name, (void*)SWIG_init);
#endif
Py_Initialize();
PyEval_InitThreads();
SWIG_init();
@ -195,12 +200,16 @@ int pythonmod_init(struct module_env* env, int id)
fclose(script_py);
if ((pe->func_init = PyDict_GetItemString(pe->dict, "init_standard")) == NULL)
{
init_standard = 0;
if ((pe->func_init = PyDict_GetItemString(pe->dict, "init")) == NULL)
{
log_err("pythonmod: function init is missing in %s", pe->fname);
PyGILState_Release(gil);
return 0;
}
}
if ((pe->func_deinit = PyDict_GetItemString(pe->dict, "deinit")) == NULL)
{
log_err("pythonmod: function deinit is missing in %s", pe->fname);
@ -220,16 +229,28 @@ int pythonmod_init(struct module_env* env, int id)
return 0;
}
py_cfg = SWIG_NewPointerObj((void*) env->cfg, SWIGTYPE_p_config_file, 0);
res = PyObject_CallFunction(pe->func_init, "iO", id, py_cfg);
if (init_standard)
{
py_init_arg = SWIG_NewPointerObj((void*) env, SWIGTYPE_p_module_env, 0);
}
else
{
py_init_arg = SWIG_NewPointerObj((void*) env->cfg,
SWIGTYPE_p_config_file, 0);
}
res = PyObject_CallFunction(pe->func_init, "iO", id, py_init_arg);
if (PyErr_Occurred())
{
log_err("pythonmod: Exception occurred in function init");
PyErr_Print();
Py_XDECREF(res);
Py_XDECREF(py_init_arg);
PyGILState_Release(gil);
return 0;
}
Py_XDECREF(res);
Py_XDECREF(py_cfg);
Py_XDECREF(py_init_arg);
PyGILState_Release(gil);
return 1;

Some files were not shown because too many files have changed in this diff Show more