rpms/unbound/EL-5 unbound-1.4.4-00f12c.patch, NONE, 1.1 unbound-1.4.4-28093c.patch, NONE, 1.1 unbound-1.4.4-374822.patch, NONE, 1.1 unbound-1.4.4-40d18f.patch, NONE, 1.1 unbound-1.4.4-41b631.patch, NONE, 1.1 unbound-1.4.4-5e989a.patch, NONE, 1.1 unbound-1.4.4-5f58ed.patch, NONE, 1.1 unbound-1.4.4-74d75e.patch, NONE, 1.1 unbound-1.4.4-778d4a.patch, NONE, 1.1 unbound-1.4.4-7f27d6.patch, NONE, 1.1 unbound-1.4.4-a6f07b.patch, NONE, 1.1 unbound-1.4.4-c2baa7.patch, NONE, 1.1 unbound-1.4.4-d7ef7b.patch, NONE, 1.1 .cvsignore, 1.4, 1.5 sources, 1.7, 1.8 unbound.spec, 1.12, 1.13
Paul Wouters
pwouters at fedoraproject.org
Sun May 23 02:53:16 UTC 2010
Author: pwouters
Update of /cvs/extras/rpms/unbound/EL-5
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv19569
Modified Files:
.cvsignore sources unbound.spec
Added Files:
unbound-1.4.4-00f12c.patch unbound-1.4.4-28093c.patch
unbound-1.4.4-374822.patch unbound-1.4.4-40d18f.patch
unbound-1.4.4-41b631.patch unbound-1.4.4-5e989a.patch
unbound-1.4.4-5f58ed.patch unbound-1.4.4-74d75e.patch
unbound-1.4.4-778d4a.patch unbound-1.4.4-7f27d6.patch
unbound-1.4.4-a6f07b.patch unbound-1.4.4-c2baa7.patch
unbound-1.4.4-d7ef7b.patch
Log Message:
* Sat May 22 2010 Paul Wouters <paul at xelerance.com> - 1.4.4-1
- Upgraded to 1.4.4 with svn patches
- Obsolete dnssec-conf to ensure it is de-installed
unbound-1.4.4-00f12c.patch:
doc/unbound.conf.5.in | 2 ++
iterator/iterator.c | 6 ++++++
2 files changed, 8 insertions(+)
--- NEW FILE unbound-1.4.4-00f12c.patch ---
commit 00f12c3365fbb1f8a185a9972734c6bf225e7c0d
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Tue Apr 27 14:15:19 2010 +0000
Fix harden-referral-path so it does not generate lookup failures.
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index fbe3748..16a607c 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -456,6 +456,8 @@ path to the answer.
Default off, because it burdens the authority servers, and it is
not RFC standard, and could lead to performance problems because of the
extra query load that is generated. Experimental option.
+If you enable it consider adding more numbers after the target\-fetch\-policy
+to increase the max depth that is checked to.
.TP
.B use\-caps\-for\-id: \fI<yes or no>
Use 0x20\-encoded random bits in the query to foil spoof attempts.
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 08354e8..19b9a26 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -695,12 +695,15 @@ static void
generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
int id)
{
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
struct module_qstate* subq;
size_t i;
struct reply_info* rep = iq->response->rep;
struct ub_packed_rrset_key* s;
log_assert(iq->dp);
+ if(iq->depth == ie->max_dependency_depth)
+ return;
/* walk through additional, and check if in-zone,
* only relevant A, AAAA are left after scrub anyway */
for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
@@ -746,9 +749,12 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
static void
generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
{
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
struct module_qstate* subq;
log_assert(iq->dp);
+ if(iq->depth == ie->max_dependency_depth)
+ return;
/* is this query the same as the nscheck? */
if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS &&
query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&
unbound-1.4.4-28093c.patch:
testcode/unitmsgparse.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++
testdata/test_packets.7 | 18 +++++++++++
util/data/msgparse.c | 11 ++++--
3 files changed, 103 insertions(+), 3 deletions(-)
--- NEW FILE unbound-1.4.4-28093c.patch ---
commit 28093c6d7d9bafbb9763fc6d9b7f222642e8a835
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Thu Apr 22 15:01:02 2010 +0000
- Fix validation failure for qtype ANY caused by a RRSIG parse failure.
The validator error message was 'no signatures from ...'.
diff --git a/testcode/unitmsgparse.c b/testcode/unitmsgparse.c
index 43e4377..d1ef854 100644
--- a/testcode/unitmsgparse.c
+++ b/testcode/unitmsgparse.c
@@ -45,6 +45,7 @@
#include "util/data/msgparse.h"
#include "util/data/msgreply.h"
#include "util/data/msgencode.h"
+#include "util/data/dname.h"
#include "util/alloc.h"
#include "util/regional.h"
#include "util/net_help.h"
@@ -54,6 +55,8 @@
static int vbmp = 0;
/** if matching within a section should disregard the order of RRs. */
static int matches_nolocation = 0;
+/** see if RRSIGs are properly matched to RRsets. */
+static int check_rrsigs = 0;
/** match two rr lists */
static int
@@ -318,6 +321,76 @@ perftestpkt(ldns_buffer* pkt, struct alloc_cache* alloc, ldns_buffer* out,
regional_destroy(region);
}
+/** debug print a packet that failed */
+static void
+print_packet_rrsets(struct query_info* qinfo, struct reply_info* rep)
+{
+ size_t i;
+ ldns_rr_list* l;
+ ldns_buffer* buf = ldns_buffer_new(65536);
+ log_query_info(0, "failed query", qinfo);
+ printf(";; ANSWER SECTION (%d rrsets)\n", (int)rep->an_numrrsets);
+ for(i=0; i<rep->an_numrrsets; i++) {
+ l = packed_rrset_to_rr_list(rep->rrsets[i], buf);
+ printf("; rrset %d\n", (int)i);
+ ldns_rr_list_print(stdout, l);
+ ldns_rr_list_deep_free(l);
+ }
+ printf(";; AUTHORITY SECTION (%d rrsets)\n", (int)rep->ns_numrrsets);
+ for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
+ l = packed_rrset_to_rr_list(rep->rrsets[i], buf);
+ printf("; rrset %d\n", (int)i);
+ ldns_rr_list_print(stdout, l);
+ ldns_rr_list_deep_free(l);
+ }
+ printf(";; ADDITIONAL SECTION (%d rrsets)\n", (int)rep->ar_numrrsets);
+ for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
+ l = packed_rrset_to_rr_list(rep->rrsets[i], buf);
+ printf("; rrset %d\n", (int)i);
+ ldns_rr_list_print(stdout, l);
+ ldns_rr_list_deep_free(l);
+ }
+ printf(";; packet end\n");
+ ldns_buffer_free(buf);
+}
+
+/** check that there is no data element that matches the RRSIG */
+static int
+no_data_for_rrsig(struct reply_info* rep, struct ub_packed_rrset_key* rrsig)
+{
+ size_t i;
+ for(i=0; i<rep->rrset_count; i++) {
+ if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_RRSIG)
+ continue;
+ if(query_dname_compare(rep->rrsets[i]->rk.dname,
+ rrsig->rk.dname) == 0)
+ /* only name is compared right now */
+ return 0;
+ }
+ return 1;
+}
+
+/** check RRSIGs in packet */
+static void
+check_the_rrsigs(struct query_info* qinfo, struct reply_info* rep)
+{
+ /* every RRSIG must be matched to an RRset */
+ size_t i;
+ for(i=0; i<rep->rrset_count; i++) {
+ struct ub_packed_rrset_key* s = rep->rrsets[i];
+ if(ntohs(s->rk.type) == LDNS_RR_TYPE_RRSIG) {
+ /* see if really a problem, i.e. is there a data
+ * element. */
+ if(no_data_for_rrsig(rep, rep->rrsets[i]))
+ continue;
+ log_dns_msg("rrsig failed for packet", qinfo, rep);
+ print_packet_rrsets(qinfo, rep);
+ printf("failed rrset is nr %d\n", (int)i);
+ unit_assert(0);
+ }
+ }
+}
+
/** test a packet */
static void
testpkt(ldns_buffer* pkt, struct alloc_cache* alloc, ldns_buffer* out,
@@ -355,6 +428,8 @@ testpkt(ldns_buffer* pkt, struct alloc_cache* alloc, ldns_buffer* out,
(unsigned)ldns_buffer_limit(pkt),
(unsigned)ldns_buffer_limit(out));
test_buffers(pkt, out);
+ if(check_rrsigs)
+ check_the_rrsigs(&qi, rep);
if(ldns_buffer_limit(out) > lim) {
ret = reply_info_encode(&qi, rep, id, flags, out,
@@ -519,7 +594,9 @@ void msgparse_test()
matches_nolocation = 1; /* RR order not important for the next test */
testfromdrillfile(pkt, &alloc, out, "testdata/test_packets.6");
+ check_rrsigs = 1;
testfromdrillfile(pkt, &alloc, out, "testdata/test_packets.7");
+ check_rrsigs = 0;
matches_nolocation = 0;
/* cleanup */
diff --git a/testdata/test_packets.7 b/testdata/test_packets.7
index 4f71c2c..357fa40 100644
--- a/testdata/test_packets.7
+++ b/testdata/test_packets.7
@@ -17,3 +17,21 @@ A608C7155005EBEDCA2176A559EFAF28D5DA1E91F540874BAA1C46BB08B1BAAE1812699A18139CF0
13BBDA2EC641FB23993A72ED6606C8C85E0D1660CC1770769697CEE7EB8E6474714984D7FF41FBBE48FF4A70669101BF00320340B82DC590B2C19D0006841121DC6AC933002E00010000012C007D000105030000012C4B11ADE94AEA20E9FC600673776974636802636800561C052414445D427CE00A40ACE2DA2EC168523823830CA724B087B8116F46B3CD051C5EC5874F6FC75CF6BA846279E469C474A75F9334242BB66FDD367C73B8BBC3F8748736BC5E6AED8B9B7C5FB5FE2DEDFBF46B403BC173DE958C038CFCCAC933002E00010000012C007D001C05030000012C4B11ADE94AEA20E9FC600673776974636802636800A6F44063C12A5A8BF5BCFADD
745C5B3915E463DA478131E636347EED414675023BBCA5BA2AABEC2FA3DF976A2343B4AA3403D1AFA3D470D25812BD1A319FBB5B833244D0FA18A59BB69ABB77BBDB3D7F62740D3871A69A5B9D43331D78AB8AE8C91B002E00010000012C007D000105030000012C4B11ADE94AEA20E9FC6006737769746368026368008906D2CFEFC3AA652125DD021CAB6392EBC4A9B4B3CFE3B07E4AFE7DA3263C7B8CE5DC3B66DA45D120E75B3D49ADC1F7D2E9A04A31760698FCFDEAB4AC82915D8E0AD2494DB4F11C02E115C3BD47DC8E57EDA7805BF0E7820A445F93A07698DF0000291000000080000000
+;-- es.net IN ANY about RRSIG ordering.
+687D8410000100150000000E026573036E65740000FF0001C00C00060001000151800027036E7331C00C0A686F73746D6173746572C00C77CECF4300001C2000000E100012750000000258C00C002E000100015180011A00300502000151804BE2932A4BD0101A2522026573036E657400AF2107A80A9D98A0712FF20826B95D8E686FFF023BEEAD1019045569D94D1493C84C819446ECB5489EBC6B556F4BE4B51A8E9CAC8BAA69F2B74948B78CBB197044E3D3A9E0E5EA958254637984D34BAE34167E1437D275E01C4B7C04C34053333514E1FE7EAC7C4777B02F24356F1F775526E19F54A21D3A134DC74DE153F9267008F5605D3BE38E61352BA9495D77
+97A76735BD68350CD648F40F95ADA4B25464A615E7CD4870E23C21D681F5C68C3DE9477D2EC7216FDF3269F5993428D0F1A4B7E203A04AB6807836263FDD7D6796BE6D84478B906B802DEBDCB1E0870481388503F0396CAD24147BC819A855E6CBCE98526ECAF8423450E30CB4F59C7062C069002E000100015180009A00300502000151804BE2932A4BD0101A4BA3026573036E657400602356C2D379E94F97D2900473D118288D46CFBCAAFF73D8A6FDF0B4305E8B338DD53A90106CDD78BF82A1AEC20B7C02067FDE1BEEC912E5581687BB32DD8BDC7E84B3F844F01E198E75C179194447C13B568886B33933FF35370060440D64E2DB7446962CA348C199
+DDFE4AA252AFFDEB3A818D1BF45CD795EA0907332B4508C18F002E000100015180009A00060502000151804BE2932A4BD0101A4BA3026573036E6574004FFB07563C6F88028C0E09CF163BAC777065BDCC826C583A3B3ABD525D6AF5101A6D5533888E5BAAA33DE28B52330815E14034506C4C69EDE8AD1A1F00B486C670FE0DC2F3B5F7210EBAC66695CC8679F2CA2353666A143A2E3E87377DCD8D3E6E450934BBD4CC6F9EE033E11D05CA3F44B1A64A2666E3AF2A8710F16FF8CC33C235002E000100000258009A002F0502000002584BE2932A4BD0101A4BA3026573036E6574003D2DDC713285C7338263BD338AFEEAB77571054B1F483A7BADC87BAF32
+0740A8D1B8B28CB23E04A80F90979704B44FE379103F4D91482D0EBC1D7005E326668F30B2A434F9DE76BB90DFEF2BFEDEE8CAD62164CA089651AB31498F18ED9A1E5694B4D460FFA4E667950322B2A75E8FD408B6A54EDB00257CE44AC865D1567346C2DB002E000100000258009A00100502000002584BE2932A4BD0101A4BA3026573036E6574004367180234A327C0AF72B3963518FC6E53A43E92CE6F5560E383FE8E7EF258FEA28BA666C026A90DAB67F46FBA4FF82F2704FEB3A27E25F3A8E6874B78938D70C5A20D94BEC90596B55C594F94A1438B14C8F890CE61D9630EFD897DEA9B3995D2C668469F62DB9346BB6AAF2EB6F3EE20EC31EAC80BCB
+962105A64CCD5783EFC381002E000100000258009A000F0502000002584BE2932A4BD0101A4BA3026573036E657400D36D367D4D95060CB2952870BE9E826E6F7835CF6517FF83957F5097B6FC401FE5815B8895D02C68E23A47D7015A3DCE9FDE63AF9D9E1D697016444355633D0BE03177B35BE54980B241C12978A7F3EBF2420861EBFAA028CAF9FCBBF54C069869BFB7F9AB9E60D4791ACCA276AE698EB6EF7582235977E158DA8530EC84327EC427002E000100000258009A00010502000002584BE2932A4BD0101A4BA3026573036E65740068E7176D8561B49621F80DB36DC12A3C5DCD2DE5FE3973F5D7DE15769F099F2A1A9BB088042E794747E3AB
+BB4AE48651F815D5D38BE7F4FB94F08F51FC209246296BE108111E90A7A5E2A5A79D305F81DBE313569B72598F36F3CFAA02FD9F321FBC2BDA10861F1D537D48DDF80BBF4B228724636FD79C06C4487365F602E6F5C4CD002E000100000258009A00020502000002584BE2932A4BD0101A4BA3026573036E657400BAA98093DDB57F38CA58C599EEED47F16AA20C1CCF668FF0A022AFAAC97059A28C50FE63034E58FBE361059B43FCBAE3876AC6AE8450987B8A00BEC29093267B9B655E645B7478294FF5E149984459A39D191585463BD80F635C21DBCF30462E60E4EACF8EECC25E4D02C181954CCBB8BDF5D19882CF6F9E982B1BEBEF14797DC573003000
+0100015180008801000305030100017D08356710D7E8A11F9B4C29E5E0F6B65F18CE64B4AAFAD7EA0E08DB85013CD777436CB8BC4EE33C0B4E6EEDFBE4227B25354F2EA2F978EE3222F3F32C1D4D3AF0F6014A527981FC5A0D2B65BF78B86A1D37965A98CAE3746CBB250655C2200FB9B8EBCC8C0AFD3182738F246AD0DAACA3199C54F08CF5F666477281872710E7C573003000010001518000880100030503010001DF43A43270EA741D5E79034C5E46A8310C9CFC7BD65C532D815D6B8C245EFF8F0C365DE400B6CDAC0124B00E08017DFB98D91133D5C18251EE0868852AD9E7FED091B393DAD1CD57381A5A1E7EA74E8FB4B708DB0F93B9EA4296EA4A71
+6E3572F168779CB5288880699413B3FFD4B7432EBE2AA2767B8EA6CB576A65C5163A3DC5730030000100015180010801010305030100017DA2FA058940109205AA36338EB8AA8B5B0D9788C4229368D371DBDE4BD24F0805C60EDD8DF223D250F23D189CDC434F388A91D6CEC1A9D6F305817409ACA784F381DFFD7EC3EC688FFE16D2AC57BD7F0B625EFC3099B3A9A5EDA1742460229669DD67D81F12069877F6AFA497F81EB12D179B183F5C8185B2786B790BEAFB6D02E0F94C780065511CF46AF80D40055022867DF712869CC262C0D315B92DFA96D58BC2336DAB5D1258DD60406913D116DC2EC1135D89C6D2092C35A19C67959743B407A3C30F3C6B8B
+C4763504FE12541EDD947A5FBE8E402D31816D1824867E2CD89AEE5FF6ED7A2D683B8C5E6B7B5972BDFF355BFD9128F0D0EDB59A60F321C573003000010001518001080101030503010001DD8EC709089B6D74BAF2D294E4C626CF789B89A74B7E320D7002A03D0F94EA62DF1F19717FE8C4BFD732DA495E481353C78167255CC6256A98ACBFF5977B81A48C5E2A5AF23E8377423C4034D5D84E9E3548B9D0A07955586F67324B6B5720CC4456D86AEE3A21A4EBED9BA13358C8127D182A5083739B042D7E06307E417D020DD68EC0628E9C8279AF0F7E608A3C5D51AB33BF7C32EBD27B45D72B1AD5752BB485D52488FBA9A1B5BF3B2B50F074F481171E4B65
+3AF846E58FE46DEB3491FA683959B38B893BF55721CED8FC4A64DBEDB6BF1C7FADE650EE219A01E81DD0212B89259319CA5DC81F26821A5CC29B4CC1059AE28227B89B8816039E43C35E33C57300300001000151800108018103050301000188F31BEFA3466D6FCAF11E0D1954D2011D6EAECF922D9E1B8D620095A0D15E7CFF8EA33F8E2A8C3B3F45A1ADACFED62E3E4EDC884AEF8A7CADBCFF8EDF2158730136D01BDB6D057BEBF3D35A92ADB5E8ACB1152FE1244B2D36DCB500E952CFB6D744BF7DBAB24A901B984F869FF47113C9515D53FE1A57293B01C24195A1D40580566CDAE5B04348CB60507267BB38F34839EE959D43FB9605652157014059FDBD
+39EB0836D4043A63F8660D241006F757DB92B35B39B5ABCA32A16A81C65C9F53DA79A99F1134CF3ED5304F189434AF787A3A10D63862E6C2E5FBA08B6EF6701783DB00CB41851DF13070947EEC090FCED3539F3F494170BD90E68F99453DF9C573002F00010000025800220B726573657276652D3132380231340131026573036E657400000762018000000380CA7C0010000100000258009C9B763D73706631206D7820613A6D61696C312E65732E6E657420613A6D61696C322E65732E6E657420613A6D61696C332E65732E6E657420613A6D61696C342E65732E6E657420613A6D61696C2E65732E6E657420613A6D61696C67772E65732E6E657420613A
+706F7374616C312E65732E6E657420613A706F7374616C322E65732E6E657420613A706F7374616C332E65732E6E6574207E616C6CCA7C000F00010000025800090032046D61696CCA7CCA7C00010001000002580004C6800370CA7C00020001000002580009066E732D616F61CA7CCA7C00020001000002580002C024CA7C00020001000002580009066E732D6C766BCA7CCB4300010001000002580004C0BC1609CB43001C000100000258001020010400FFFFFFFFFFFFFFFFFFFFFF81C02400010001000151800004C680020AC024001C000100000258001020010400001400020000000000000010CB6600010001000002580004C67CFC16CB66001C0001
+00000258001020010400600000000000000000000022CB8900010001000002580004C681FC22CB89001C000100000258001020010400091000010000000000000002CB43002E000100000258009A00010503000002584BE2932A4BD0101A4BA3026573036E657400B425467E45E411066B99B85420FB7E844D734F414FFAF6B9528867B3DF808733BF479A0F125C84179401306579994AB8D84DF0173E2824527CEDA45C75ED4D818722EEB2D5A37641108B112D9A6D832D29A507C35DBBEBD46D50DE9915E924F53F55B5A2A263A48B48209FB50A13A7DF40AE697B1BCCE71A2B95C1BB9E47ACCACB43002E000100000258009A001C0503000002584BE2932A
+4BD0101A4BA3026573036E6574002588E73F85BE8FAFD09628232906913DB78592B59F9C3C95A4AD1334D383C1326EE0C6FCF38892D8BB74631D680A6E4DB2D603D32394BC7B4EC798A1511667D246A0C30B33D03AB144C3704AA80AFCA27F197B2F83F20A9F0D2835C7C0A9B49E47E7CF2E192DC7DBF4635C39ECCCB291DB4B2832E0B8FF430A75726500194D9EC024002E000100015180009A00010503000151804BE2932A4BD0101A4BA3026573036E6574000E9F4098B1EF4F429B802007E3A9EA8E267A1F78EA7241AADD120A74CEBF70DC1DF76065A2CE0CDAA51AAB2F68411D9DEDC1F9DBEB3AB114A1FCBE122610756DE205EEC576CA5E62BD02497F
+84D5DDB7110AC7F2BF02485B3E7B28FC1EB2999724B64D811270B085D1D10E184295D423F0141D652BD7E97633AC2E98C2819EDAC024002E000100000258009A001C0503000002584BE2932A4BD0101A4BA3026573036E657400936ADA283A90836E92BD42E2B6C8A0299147BCB8E47D9D4464C4151FCC99DC4F2D1C39FB691F6E322715B22F61E7BB8D5507982A3119674B350C569BDC2CD95C708EC73B4E5DEA516D053A4FD725326FFC5B0D0562B542BA96124D9FFBBF787CA0BBE6960951CC2FDD074376A1D184287C2C56A93FBBC1C7FFAA6977B30AE808CB66002E000100000258009A00010503000002584BE2932A4BD0101A4BA3026573036E657400
+0CE145578E56BB359606C9B85538450D2BCA3E9AD0DEFC8FF865DA646F900B9CBC7325B7F04706B60E2770107E62894FE9CF3B1A432F0FB53C5C7A8F37D0F60354C7D52F4DF88BDD4C46774AA728DFC1C807EF5276641CA28774F323C7326B7C1D99DFCB9498C6E096392009AA972B83F0583A5D1002CA26B59B5C97F6A8309C0000291000000080000000
+
diff --git a/util/data/msgparse.c b/util/data/msgparse.c
index 2db8832..ae6dfc1 100644
--- a/util/data/msgparse.c
+++ b/util/data/msgparse.c
@@ -335,16 +335,20 @@ moveover_rrsigs(ldns_buffer* pkt, struct regional* region,
struct rr_parse* sig = sigset->rr_first;
struct rr_parse* prev = NULL;
struct rr_parse* insert;
+ struct rr_parse* nextsig;
while(sig) {
+ nextsig = sig->next;
if(pkt_rrsig_covered_equals(pkt, sig->ttl_data,
dataset->type)) {
if(duplicate) {
/* new */
insert = (struct rr_parse*)regional_alloc(
region, sizeof(struct rr_parse));
+ if(!insert) return 0;
insert->outside_packet = 0;
insert->ttl_data = sig->ttl_data;
insert->size = sig->size;
+ /* prev not used */
} else {
/* remove from sigset */
if(prev) prev->next = sig->next;
@@ -354,6 +358,7 @@ moveover_rrsigs(ldns_buffer* pkt, struct regional* region,
sigset->rr_count--;
sigset->size -= sig->size;
insert = sig;
+ /* prev not changed */
}
/* add to dataset */
dataset->rrsig_count++;
@@ -363,9 +368,9 @@ moveover_rrsigs(ldns_buffer* pkt, struct regional* region,
else dataset->rrsig_first = insert;
dataset->rrsig_last = insert;
dataset->size += insert->size;
- }
- prev = sig;
- sig = sig->next;
+ } else
+ prev = sig;
+ sig = nextsig;
}
return 1;
}
unbound-1.4.4-374822.patch:
iter_utils.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- NEW FILE unbound-1.4.4-374822.patch ---
commit 374822322e33503d3576c85b3e43fef158a80e42
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Thu Apr 29 12:36:12 2010 +0000
dnssec lameness detection looks in key cache if dnssec is expected.
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index 6124650..f63b6fe 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -60,6 +60,8 @@
#include "util/random.h"
#include "util/fptr_wlist.h"
#include "validator/val_anchor.h"
+#include "validator/val_kcache.h"
+#include "validator/val_kentry.h"
/** time when nameserver glue is said to be 'recent' */
#define SUSPICION_RECENT_EXPIRY 86400
@@ -570,6 +572,18 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
reply_find_rrset_section_ns(msg->rep, dp->name, dp->namelen,
LDNS_RR_TYPE_DS, dclass))
return 1;
+ /* look in key cache */
+ if(env->key_cache) {
+ struct key_entry_key* kk = key_cache_obtain(env->key_cache,
+ dp->name, dp->namelen, dclass, env->scratch, *env->now);
+ if(kk) {
+ if(key_entry_isgood(kk) || key_entry_isbad(kk)) {
+ regional_free_all(env->scratch);
+ return 1;
+ }
+ regional_free_all(env->scratch);
+ }
+ }
return 0;
}
unbound-1.4.4-40d18f.patch:
iter_utils.c | 6 +++---
iter_utils.h | 4 ++--
iterator.c | 24 +++++++++++++++---------
iterator.h | 6 ++++++
4 files changed, 26 insertions(+), 14 deletions(-)
--- NEW FILE unbound-1.4.4-40d18f.patch ---
commit 40d18f7cfb64a806699545410858b655e76660e1
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Tue May 4 08:39:04 2010 +0000
- Fix dnssec-missing detection that was turned off by server selection.
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index b3a31fa..3a75d03 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -310,7 +310,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
struct delegpt_addr*
iter_server_selection(struct iter_env* iter_env,
struct module_env* env, struct delegpt* dp,
- uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_expected,
+ uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_lame,
int* chase_to_rd, int open_target, struct sock_list* blacklist)
{
int sel;
@@ -331,7 +331,7 @@ iter_server_selection(struct iter_env* iter_env,
if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT) {
verbose(VERB_ALGO, "chase to "
"blacklisted dnssec lame server");
- *dnssec_expected = 0;
+ *dnssec_lame = 1;
}
} else {
if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) {
@@ -340,7 +340,7 @@ iter_server_selection(struct iter_env* iter_env,
}
if(selrtt > USEFUL_SERVER_TOP_TIMEOUT) {
verbose(VERB_ALGO, "chase to dnssec lame server");
- *dnssec_expected = 0;
+ *dnssec_lame = 1;
}
if(selrtt == USEFUL_SERVER_TOP_TIMEOUT) {
verbose(VERB_ALGO, "chase to blacklisted lame server");
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
index a9f4247..d3870ec 100644
--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@@ -80,7 +80,7 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg);
* @param name: zone name (for lameness check).
* @param namelen: length of name.
* @param qtype: query type that we want to send.
- * @param dnssec_expected: set to 0, if a known dnssec-lame server is selected
+ * @param dnssec_lame: set to 1, if a known dnssec-lame server is selected
* these are not preferred, but are used as a last resort.
* @param chase_to_rd: set to 1 if a known recursion lame server is selected
* these are not preferred, but are used as a last resort.
@@ -92,7 +92,7 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg);
*/
struct delegpt_addr* iter_server_selection(struct iter_env* iter_env,
struct module_env* env, struct delegpt* dp, uint8_t* name,
- size_t namelen, uint16_t qtype, int* dnssec_expected,
+ size_t namelen, uint16_t qtype, int* dnssec_lame,
int* chase_to_rd, int open_target, struct sock_list* blacklist);
/**
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 19b9a26..6f486bf 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -120,6 +120,7 @@ iter_new(struct module_qstate* qstate, int id)
iq->wait_priming_stub = 0;
iq->refetch_glue = 0;
iq->dnssec_expected = 0;
+ iq->dnssec_lame_query = 0;
iq->chase_flags = qstate->query_flags;
/* Start with the (current) qname. */
iq->qchase = qstate->qinfo;
@@ -1451,8 +1452,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
/* Select the next usable target, filtering out unsuitable targets. */
target = iter_server_selection(ie, qstate->env, iq->dp,
iq->dp->name, iq->dp->namelen, iq->qchase.qtype,
- &iq->dnssec_expected, &iq->chase_to_rd, iq->num_target_queries,
- qstate->blacklist);
+ &iq->dnssec_lame_query, &iq->chase_to_rd,
+ iq->num_target_queries, qstate->blacklist);
/* If no usable target was selected... */
if(!target) {
@@ -1530,10 +1531,14 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
}
/* We have a valid target. */
- if(iq->dnssec_expected) verbose(VERB_ALGO, "dnssec is expected");
- log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
- log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name,
- &target->addr, target->addrlen);
+ if(verbosity >= VERB_QUERY) {
+ log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
+ log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name,
+ &target->addr, target->addrlen);
+ verbose(VERB_ALGO, "dnssec status: %s%s",
+ iq->dnssec_expected?"expected": "not expected",
+ iq->dnssec_lame_query?" but lame_query anyway": "");
+ }
fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
outq = (*qstate->env->send_query)(
iq->qchase.qname, iq->qchase.qname_len,
@@ -1587,6 +1592,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
iq->num_current_queries--;
if(iq->response == NULL) {
iq->chase_to_rd = 0;
+ iq->dnssec_lame_query = 0;
verbose(VERB_ALGO, "query response was timeout");
return next_state(iq, QUERYTARGETS_STATE);
}
@@ -1599,7 +1605,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
* differently. No queries should be sent elsewhere */
type = RESPONSE_TYPE_ANSWER;
}
- if(iq->dnssec_expected && !(iq->chase_flags&BIT_RD)
+ if(iq->dnssec_expected && !iq->dnssec_lame_query &&
+ !(iq->chase_flags&BIT_RD)
&& type != RESPONSE_TYPE_LAME
&& type != RESPONSE_TYPE_REC_LAME
&& type != RESPONSE_TYPE_THROWAWAY
@@ -1615,7 +1622,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
type = RESPONSE_TYPE_LAME;
dnsseclame = 1;
}
- }
+ } else iq->dnssec_lame_query = 0;
/* see if referral brings us close to the target */
if(type == RESPONSE_TYPE_REFERRAL) {
struct ub_packed_rrset_key* ns = find_NS(
@@ -1764,7 +1771,6 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* Clear the query state, since this is a query restart. */
iq->deleg_msg = NULL;
iq->dp = NULL;
- iq->dnssec_expected = 0;
/* Note the query restart. */
iq->query_restart_count++;
diff --git a/iterator/iterator.h b/iterator/iterator.h
index 736af51..350fb1d 100644
--- a/iterator/iterator.h
+++ b/iterator/iterator.h
@@ -255,6 +255,12 @@ struct iter_qstate {
int dnssec_expected;
/**
+ * We are expecting dnssec information, but we also know the server
+ * is DNSSEC lame. The response need not be marked dnssec-lame again.
+ */
+ int dnssec_lame_query;
+
+ /**
* This is flag that, if true, means that this event is
* waiting for a stub priming query.
*/
unbound-1.4.4-41b631.patch:
iterator/iterator.c | 9 ++-
testdata/iter_hint_lame.rpl | 120 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 126 insertions(+), 3 deletions(-)
--- NEW FILE unbound-1.4.4-41b631.patch ---
commit 41b631ca4182e68b09eecdaec7d67ac576f3800d
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Tue Apr 27 11:10:35 2010 +0000
- fix retry sequence if prime hints are recursion-lame.
diff --git a/iterator/iterator.c b/iterator/iterator.c
index b1a948d..08354e8 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1897,8 +1897,11 @@ static int
processPrimeResponse(struct module_qstate* qstate, int id)
{
struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];
- enum response_type type = response_type_from_server(0, iq->response,
- &iq->qchase, iq->dp);
+ enum response_type type;
+ iq->response->rep->flags &= ~(BIT_RD|BIT_RA); /* ignore rec-lame */
+ type = response_type_from_server(
+ (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
+ iq->response, &iq->qchase, iq->dp);
if(type == RESPONSE_TYPE_ANSWER) {
qstate->return_rcode = LDNS_RCODE_NOERROR;
qstate->return_msg = iq->response;
@@ -2230,7 +2233,7 @@ void
iter_inform_super(struct module_qstate* qstate, int id,
struct module_qstate* super)
{
- if(super->qinfo.qclass == LDNS_RR_CLASS_ANY)
+ if(!qstate->is_priming && super->qinfo.qclass == LDNS_RR_CLASS_ANY)
processClassResponse(qstate, id, super);
else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
error_supers(qstate, id, super);
diff --git a/testdata/iter_hint_lame.rpl b/testdata/iter_hint_lame.rpl
new file mode 100644
index 0000000..8cbede1
--- /dev/null
+++ b/testdata/iter_hint_lame.rpl
@@ -0,0 +1,120 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test iterative resolve with lame hints.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR RA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
unbound-1.4.4-5e989a.patch:
iter_utils.c | 8 +++++++-
iterator.c | 9 +++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
--- NEW FILE unbound-1.4.4-5e989a.patch ---
commit 5e989a15b927094a83d0f3a08be0cd559e29d3ff
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Fri Apr 23 09:07:05 2010 +0000
- Fix to fetch data as last resort more tenaciously. When cycle
targets cause the server selection to believe there are more options
when they really are not there, the server selection is reinitiated.
- Fix fetch from blacklisted dnssec lame servers as last resort. The
servers IP address is then given in validator errors as well.
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index a706e6b..9082055 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -322,9 +322,15 @@ iter_server_selection(struct iter_env* iter_env,
verbose(VERB_ALGO, "selrtt %d", selrtt);
if(selrtt > BLACKLIST_PENALTY) {
if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT*2) {
- verbose(VERB_ALGO, "chase to recursion lame server");
+ verbose(VERB_ALGO, "chase to "
+ "blacklisted recursion lame server");
*chase_to_rd = 1;
}
+ if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT) {
+ verbose(VERB_ALGO, "chase to "
+ "blacklisted dnssec lame server");
+ *dnssec_expected = 0;
+ }
} else {
if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) {
verbose(VERB_ALGO, "chase to recursion lame server");
diff --git a/iterator/iterator.c b/iterator/iterator.c
index e8345c8..c7cdbc8 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1469,6 +1469,15 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
return error_response(qstate, id,
LDNS_RCODE_SERVFAIL);
}
+ if(qs == 0 &&
+ delegpt_count_missing_targets(iq->dp) == 0){
+ /* it looked like there were missing
+ * targets, but they did not turn up.
+ * Try the bad choices again (if any),
+ * when we get back here missing==0,
+ * so this is not a loop. */
+ return 1;
+ }
iq->num_target_queries += qs;
}
/* Since a target query might have been made, we
unbound-1.4.4-5f58ed.patch:
config_file.c | 1 +
1 file changed, 1 insertion(+)
--- NEW FILE unbound-1.4.4-5f58ed.patch ---
commit 5f58ed252d7bcd500ebedfb351e3ce7c84c44211
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Tue Apr 27 09:16:23 2010 +0000
unbound-control get_option domain-insecure works.
diff --git a/util/config_file.c b/util/config_file.c
index aca82e1..ec0866c 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -609,6 +609,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_LST(opt, "trusted-keys-file", trusted_keys_file_list)
else O_LST(opt, "dlv-anchor", dlv_anchor_list)
else O_LST(opt, "control-interface", control_ifs)
+ else O_LST(opt, "domain-insecure", domain_insecure)
else O_UNS(opt, "val-override-date", val_date_override)
/* not here:
* outgoing-permit, outgoing-avoid - have list of ports
unbound-1.4.4-74d75e.patch:
iter_utils.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- NEW FILE unbound-1.4.4-74d75e.patch ---
commit 74d75e591a6f5343109922f2bf1f83eba59f0a4f
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Thu Apr 29 12:52:44 2010 +0000
fix for key cache lookup
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index f63b6fe..b3a31fa 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -577,9 +577,14 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
struct key_entry_key* kk = key_cache_obtain(env->key_cache,
dp->name, dp->namelen, dclass, env->scratch, *env->now);
if(kk) {
- if(key_entry_isgood(kk) || key_entry_isbad(kk)) {
+ if(query_dname_compare(kk->name, dp->name) == 0) {
+ if(key_entry_isgood(kk) || key_entry_isbad(kk)) {
regional_free_all(env->scratch);
return 1;
+ } else if(key_entry_isnull(kk)) {
+ regional_free_all(env->scratch);
+ return 0;
+ }
}
regional_free_all(env->scratch);
}
unbound-1.4.4-778d4a.patch:
services/localzone.c | 6 +++---
testdata/localdata.rpl | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 39 insertions(+), 3 deletions(-)
--- NEW FILE unbound-1.4.4-778d4a.patch ---
commit 778d4ab54a4e9efb41b042607b9a685853c5483c
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Fri Apr 23 14:03:09 2010 +0000
- Fix local-zone type redirect that did not use the query name for
the answer rrset.
diff --git a/services/localzone.c b/services/localzone.c
index dba7f3b..b8da77a 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -1040,10 +1040,10 @@ local_data_answer(struct local_zone* z, struct query_info* qinfo,
if(!lr)
return 0;
if(z->type == local_zone_redirect) {
- /* convert rrset name to zone name; like a wildcard */
+ /* convert rrset name to query name; like a wildcard */
struct ub_packed_rrset_key r = *lr->rrset;
- r.rk.dname = z->name;
- r.rk.dname_len = z->namelen;
+ r.rk.dname = qinfo->qname;
+ r.rk.dname_len = qinfo->qname_len;
return local_encode(qinfo, edns, buf, temp, &r, 1,
LDNS_RCODE_NOERROR);
}
diff --git a/testdata/localdata.rpl b/testdata/localdata.rpl
index 5bb259e..08aec6d 100644
--- a/testdata/localdata.rpl
+++ b/testdata/localdata.rpl
@@ -30,6 +30,10 @@ server:
; refuse zone (error)
local-zone: "refuse.top." refuse
+ ; redirect zone
+ local-zone: "redirect.top." redirect
+ local-data: "redirect.top. A 20.30.40.54"
+
; create implicit data in the IN domain as well
local-data: "a.a.implicit. A 20.30.41.50"
local-data: "b.a.implicit. A 20.30.42.50"
@@ -318,4 +322,36 @@ www.deny.top. IN A
ENTRY_END
; no answer is checked at exit of testbound.
+; redirect zone apex
+STEP 50 QUERY
+ENTRY_BEGIN
+SECTION QUESTION
+redirect.top. IN A
+ENTRY_END
+STEP 51 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA NOERROR
+SECTION QUESTION
+redirect.top. IN A
+SECTION ANSWER
+redirect.top. IN A 20.30.40.54
+ENTRY_END
+
+; redirect zone
+STEP 52 QUERY
+ENTRY_BEGIN
+SECTION QUESTION
+www.redirect.top. IN A
+ENTRY_END
+STEP 53 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA NOERROR
+SECTION QUESTION
+www.redirect.top. IN A
+SECTION ANSWER
+www.redirect.top. IN A 20.30.40.54
+ENTRY_END
+
SCENARIO_END
unbound-1.4.4-7f27d6.patch:
infra.c | 37 ++++++++++++++++++++++---------------
1 file changed, 22 insertions(+), 15 deletions(-)
--- NEW FILE unbound-1.4.4-7f27d6.patch ---
commit 7f27d6c9992fec6847ae914f38db6a3d1b28e81a
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Thu Apr 29 14:12:54 2010 +0000
- infra cache entries that are expired are wiped clean. Previously
it was possible to not expire host data (if accessed often).
diff --git a/services/cache/infra.c b/services/cache/infra.c
index 9c32c81..6066f98 100644
--- a/services/cache/infra.c
+++ b/services/cache/infra.c
@@ -187,6 +187,19 @@ infra_lookup_host(struct infra_cache* infra,
return data;
}
+/** init the host elements (not lame elems) */
+static void
+host_entry_init(struct infra_cache* infra, struct lruhash_entry* e,
+ uint32_t timenow)
+{
+ struct infra_host_data* data = (struct infra_host_data*)e->data;
+ data->ttl = timenow + infra->host_ttl;
+ rtt_init(&data->rtt);
+ data->edns_version = 0;
+ data->edns_lame_known = 0;
+ data->num_timeouts = 0;
+}
+
/**
* Create and init a new entry for a host
* @param infra: infra structure with config parameters.
@@ -216,12 +229,8 @@ new_host_entry(struct infra_cache* infra, struct sockaddr_storage* addr,
key->entry.data = (void*)data;
key->addrlen = addrlen;
memcpy(&key->addr, addr, addrlen);
- data->ttl = tm + infra->host_ttl;
data->lameness = NULL;
- data->edns_version = 0;
- data->edns_lame_known = 0;
- data->num_timeouts = 0;
- rtt_init(&data->rtt);
+ host_entry_init(infra, &key->entry, tm);
return &key->entry;
}
@@ -240,12 +249,8 @@ infra_host(struct infra_cache* infra, struct sockaddr_storage* addr,
if(e) {
/* if its still there we have a writelock, init */
/* re-initialise */
- data = (struct infra_host_data*)e->data;
- data->ttl = timenow + infra->host_ttl;
- rtt_init(&data->rtt);
/* do not touch lameness, it may be valid still */
- data->edns_version = 0;
- data->edns_lame_known = 0;
+ host_entry_init(infra, e, timenow);
}
}
if(!e) {
@@ -469,10 +474,11 @@ infra_rtt_update(struct infra_cache* infra,
if(!(e = new_host_entry(infra, addr, addrlen, timenow)))
return 0;
needtoinsert = 1;
- }
- /* have an entry, update the rtt, and the ttl */
+ } else if(((struct infra_host_data*)e->data)->ttl < timenow) {
+ host_entry_init(infra, e, timenow);
+ }
+ /* have an entry, update the rtt */
data = (struct infra_host_data*)e->data;
- data->ttl = timenow + infra->host_ttl;
if(roundtrip == -1) {
rtt_lost(&data->rtt, orig_rtt);
if(data->num_timeouts<255)
@@ -503,10 +509,11 @@ infra_edns_update(struct infra_cache* infra,
if(!(e = new_host_entry(infra, addr, addrlen, timenow)))
return 0;
needtoinsert = 1;
- }
+ } else if(((struct infra_host_data*)e->data)->ttl < timenow) {
+ host_entry_init(infra, e, timenow);
+ }
/* have an entry, update the rtt, and the ttl */
data = (struct infra_host_data*)e->data;
- data->ttl = timenow + infra->host_ttl;
data->edns_version = edns_version;
data->edns_lame_known = 1;
unbound-1.4.4-a6f07b.patch:
net_help.c | 8 ++++++++
net_help.h | 8 ++++++++
netevent.c | 6 ++++++
3 files changed, 22 insertions(+)
--- NEW FILE unbound-1.4.4-a6f07b.patch ---
commit a6f07ba49319bbb62772a99cc3267fe8409a39d4
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Fri Apr 23 06:48:49 2010 +0000
- Squelch log message: sendto failed permission denied for
255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
diff --git a/util/net_help.c b/util/net_help.c
index 182f39d..7b2a3f4 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -494,6 +494,14 @@ addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
return (memcmp(s, map_prefix, 12) == 0);
}
+int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen)
+{
+ int af = (int)((struct sockaddr_in*)addr)->sin_family;
+ void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
+ return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
+ && memcmp(sinaddr, "\377\377\377\377", 4) == 0;
+}
+
void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
socklen_t len, struct regional* region)
{
diff --git a/util/net_help.h b/util/net_help.h
index 9ac96eb..8afa84b 100644
--- a/util/net_help.h
+++ b/util/net_help.h
@@ -280,6 +280,14 @@ void addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
int addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen);
/**
+ * See if sockaddr is 255.255.255.255.
+ * @param addr: address
+ * @param addrlen: length of address
+ * @return true if so
+ */
+int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen);
+
+/**
* Insert new socket list item. If fails logs error.
* @param list: pointer to pointer to first item.
* @param addr: address or NULL if 'cache'.
diff --git a/util/netevent.c b/util/netevent.c
index 4b6a0a3..3f3c6ce 100644
--- a/util/netevent.c
+++ b/util/netevent.c
@@ -301,6 +301,12 @@ comm_point_send_udp_msg(struct comm_point *c, ldns_buffer* packet,
(struct sockaddr_storage*)addr, addrlen) &&
verbosity < VERB_DETAIL)
return 0;
+ /* SO_BROADCAST sockopt can give access to 255.255.255.255,
+ * but a dns cache does not need it. */
+ if(errno == EACCES && addr_is_broadcast(
+ (struct sockaddr_storage*)addr, addrlen) &&
+ verbosity < VERB_DETAIL)
+ return 0;
#ifndef USE_WINSOCK
verbose(VERB_OPS, "sendto failed: %s", strerror(errno));
#else
unbound-1.4.4-c2baa7.patch:
doc/unbound.conf.5.in | 8 +++++++-
services/localzone.c | 3 +++
2 files changed, 10 insertions(+), 1 deletion(-)
--- NEW FILE unbound-1.4.4-c2baa7.patch ---
commit c2baa73db1a2a0b0c0c8bba3d203a28ca86c5f31
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Tue May 4 10:50:27 2010 +0000
- Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 16a607c..40b4bad 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -778,7 +778,8 @@ records are provided.
.TP 10
\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
-2.0.192.in\-addr.arpa, 255.255.255.255.in\-addr.arpa.
+2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
+113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
.TP 10
\h'5'\fIreverse RFC4291 IP6 unspecified\fR
Reverse data for zone
@@ -793,12 +794,17 @@ Reverse data for zone D.F.ip6.arpa.
\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR
Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
.TP 10
+\h'5'\fIreverse RFC4843 Orchid Prefix\fR
+Reverse data for zone 0.1.1.0.0.2.ip6.arpa.
+.TP 10
\h'5'\fIreverse IPv6 Example Prefix\fR
Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
tutorials and examples. You can remove the block on this zone with:
.nf
local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
.fi
+You can also selectively unblock a part of the zone by making that part
+transparent with a local\-zone statement.
This also works with the other default zones.
.\" End of local-zone listing.
.TP 5
diff --git a/services/localzone.c b/services/localzone.c
index b8da77a..248d45f 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -689,6 +689,8 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg,
!add_as112_default(zones, cfg, buf, "0.in-addr.arpa.") ||
!add_as112_default(zones, cfg, buf, "254.169.in-addr.arpa.") ||
!add_as112_default(zones, cfg, buf, "2.0.192.in-addr.arpa.") ||
+ !add_as112_default(zones, cfg, buf, "100.51.198.in-addr.arpa.") ||
+ !add_as112_default(zones, cfg, buf, "113.0.203.in-addr.arpa.") ||
!add_as112_default(zones, cfg, buf, "255.255.255.255.in-addr.arpa.") ||
!add_as112_default(zones, cfg, buf, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.") ||
!add_as112_default(zones, cfg, buf, "d.f.ip6.arpa.") ||
@@ -696,6 +698,7 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg,
!add_as112_default(zones, cfg, buf, "9.e.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, buf, "a.e.f.ip6.arpa.") ||
!add_as112_default(zones, cfg, buf, "b.e.f.ip6.arpa.") ||
+ !add_as112_default(zones, cfg, buf, "0.1.1.0.0.2.ip6.arpa.") ||
!add_as112_default(zones, cfg, buf, "8.b.d.0.1.0.0.2.ip6.arpa.")) {
log_err("out of memory adding default zone");
return 0;
unbound-1.4.4-d7ef7b.patch:
iter_utils.c | 42 +++++++++++++++++++++++++++++++++++++++---
iter_utils.h | 10 +++++++++-
iterator.c | 6 +++++-
3 files changed, 53 insertions(+), 5 deletions(-)
--- NEW FILE unbound-1.4.4-d7ef7b.patch ---
commit d7ef7b31e0dbb0a73b201649c3729508b270f43f
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Mon Apr 26 14:59:44 2010 +0000
Fix bug#307: 0x20 fallback outstanding query count, together with rec_lame,
and canonical rrset comparison.
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index 9082055..6124650 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -674,7 +674,7 @@ rrset_equal(struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2)
}
int
-reply_equal(struct reply_info* p, struct reply_info* q)
+reply_equal(struct reply_info* p, struct reply_info* q, ldns_buffer* scratch)
{
size_t i;
if(p->flags != q->flags ||
@@ -688,8 +688,29 @@ reply_equal(struct reply_info* p, struct reply_info* q)
p->rrset_count != q->rrset_count)
return 0;
for(i=0; i<p->rrset_count; i++) {
- if(!rrset_equal(p->rrsets[i], q->rrsets[i]))
- return 0;
+ if(!rrset_equal(p->rrsets[i], q->rrsets[i])) {
+ /* fallback procedure: try to sort and canonicalize */
+ ldns_rr_list* pl, *ql;
+ pl = packed_rrset_to_rr_list(p->rrsets[i], scratch);
+ ql = packed_rrset_to_rr_list(q->rrsets[i], scratch);
+ if(!pl || !ql) {
+ ldns_rr_list_deep_free(pl);
+ ldns_rr_list_deep_free(ql);
+ return 0;
+ }
+ ldns_rr_list2canonical(pl);
+ ldns_rr_list2canonical(ql);
+ ldns_rr_list_sort(pl);
+ ldns_rr_list_sort(ql);
+ if(ldns_rr_list_compare(pl, ql) != 0) {
+ ldns_rr_list_deep_free(pl);
+ ldns_rr_list_deep_free(ql);
+ return 0;
+ }
+ ldns_rr_list_deep_free(pl);
+ ldns_rr_list_deep_free(ql);
+ continue;
+ }
}
return 1;
}
@@ -792,3 +813,18 @@ iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z)
i++;
}
}
+
+void iter_dec_attempts(struct delegpt* dp, int d)
+{
+ struct delegpt_addr* a;
+ for(a=dp->target_list; a; a = a->next_target) {
+ if(a->attempts >= OUTBOUND_MSG_RETRY) {
+ /* add back to result list */
+ a->next_result = dp->result_list;
+ dp->result_list = a;
+ }
+ if(a->attempts > d)
+ a->attempts -= d;
+ else a->attempts = 0;
+ }
+}
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
index 9a1db5f..a9f4247 100644
--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@@ -211,9 +211,10 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp,
* @param p: reply one. The reply has rrset data pointers in region.
* Does not check rrset-IDs
* @param q: reply two
+ * @param buf: scratch buffer.
* @return if one and two are equal.
*/
-int reply_equal(struct reply_info* p, struct reply_info* q);
+int reply_equal(struct reply_info* p, struct reply_info* q, ldns_buffer* buf);
/**
* Store in-zone glue in seperate rrset cache entries for later last-resort
@@ -257,4 +258,11 @@ int iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
void iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns,
uint8_t* z);
+/**
+ * Remove query attempts from all available ips. For 0x20.
+ * @param dp: delegpt.
+ * @param d: decrease.
+ */
+void iter_dec_attempts(struct delegpt* dp, int d);
+
#endif /* ITERATOR_ITER_UTILS_H */
diff --git a/iterator/iterator.c b/iterator/iterator.c
index c7cdbc8..b1a948d 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1416,6 +1416,9 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
"match for %d wanted, done.",
(int)iq->caps_server+1, (int)naddr*3);
iq->caps_fallback = 0;
+ iter_dec_attempts(iq->dp, 3); /* space for fallback */
+ iq->num_current_queries++; /* RespState decrements it*/
+ iq->referral_count++; /* make sure we don't loop */
iq->state = QUERY_RESP_STATE;
return 1;
}
@@ -2384,7 +2387,8 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
goto handle_it;
} else {
/* check if reply is the same, otherwise, fail */
- if(!reply_equal(iq->response->rep, iq->caps_reply)) {
+ if(!reply_equal(iq->response->rep, iq->caps_reply,
+ qstate->env->scratch_buffer)) {
verbose(VERB_DETAIL, "Capsforid fallback: "
"getting different replies, failed");
outbound_list_remove(&iq->outlist, outbound);
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/unbound/EL-5/.cvsignore,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- .cvsignore 9 Oct 2009 03:34:04 -0000 1.4
+++ .cvsignore 23 May 2010 02:53:14 -0000 1.5
@@ -6,3 +6,4 @@ unbound-1.3.2.tar.gz
unbound-1.3.1.tar.gz
unbound-1.3.3.tar.gz
unbound-1.3.4.tar.gz
+unbound-1.4.4.tar.gz
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/unbound/EL-5/sources,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- sources 7 Apr 2010 17:03:26 -0000 1.7
+++ sources 23 May 2010 02:53:14 -0000 1.8
@@ -1 +1,2 @@
2dffdd42f94b8238447a41835439d129 unbound-1.4.3.tar.gz
+c7e6a35b92cbd2c93bc808228aa76725 unbound-1.4.4.tar.gz
Index: unbound.spec
===================================================================
RCS file: /cvs/extras/rpms/unbound/EL-5/unbound.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -p -r1.12 -r1.13
--- unbound.spec 7 Apr 2010 17:03:26 -0000 1.12
+++ unbound.spec 23 May 2010 02:53:15 -0000 1.13
@@ -8,7 +8,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
-Version: 1.4.3
+Version: 1.4.4
Release: 1%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/unbound/
@@ -18,6 +18,19 @@ Source2: unbound.conf
Source3: unbound.munin
Source4: dlv.isc.org.key
Patch1: unbound-1.2-glob.patch
+Patch2: unbound-1.4.4-c2baa7.patch
+Patch3: unbound-1.4.4-40d18f.patch
+Patch4: unbound-1.4.4-7f27d6.patch
+Patch5: unbound-1.4.4-74d75e.patch
+Patch6: unbound-1.4.4-374822.patch
+Patch7: unbound-1.4.4-00f12c.patch
+Patch8: unbound-1.4.4-41b631.patch
+Patch9: unbound-1.4.4-5f58ed.patch
+Patch10: unbound-1.4.4-d7ef7b.patch
+Patch11: unbound-1.4.4-778d4a.patch
+Patch12: unbound-1.4.4-5e989a.patch
+Patch13: unbound-1.4.4-a6f07b.patch
+Patch14: unbound-1.4.4-28093c.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -29,7 +42,6 @@ BuildRequires: python-devel swig
# Required for SVN versions
#BuildRequires: bison
-
Requires(post): chkconfig
Requires(preun): chkconfig
Requires(preun): initscripts
@@ -37,6 +49,9 @@ Requires(postun): initscripts
Requires: ldns >= 1.5.0
Requires(pre): shadow-utils
+Obsoletes: dnssec-conf < 1.27-2
+Provides: dnssec-conf = 1.27-1
+
%description
Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -87,6 +102,20 @@ Python modules and extensions for unboun
%prep
%setup -q
%patch1 -p1
+# svn/git patches
+%patch2 -p1
+%patch4 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch3 -p1
+%patch5 -p1
%build
%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
@@ -191,6 +220,10 @@ fi
%postun libs -p /sbin/ldconfig
%changelog
+* Sat May 22 2010 Paul Wouters <paul at xelerance.com> - 1.4.4-1
+- Upgraded to 1.4.4 with svn patches
+- Obsolete dnssec-conf to ensure it is de-installed
+
* Wed Apr 07 2010 Paul Wouters <paul at xelerance.com> - 1.4.3-1
- Upgrade to 1.4.3
- Updated unbound.conf file
More information about the scm-commits
mailing list