rpms/unbound/F-11 dlv.isc.org.key, NONE, 1.1 unbound-1.4.4-00f12c.patch, NONE, 1.1 unbound-1.4.4-28093c.patch, NONE, 1.1 unbound-1.4.4-374822.patch, NONE, 1.1 unbound-1.4.4-40d18f.patch, NONE, 1.1 unbound-1.4.4-41b631.patch, NONE, 1.1 unbound-1.4.4-5e989a.patch, NONE, 1.1 unbound-1.4.4-5f58ed.patch, NONE, 1.1 unbound-1.4.4-74d75e.patch, NONE, 1.1 unbound-1.4.4-778d4a.patch, NONE, 1.1 unbound-1.4.4-7f27d6.patch, NONE, 1.1 unbound-1.4.4-a6f07b.patch, NONE, 1.1 unbound-1.4.4-c2baa7.patch, NONE, 1.1 unbound-1.4.4-d7ef7b.patch, NONE, 1.1 unbound.conf, 1.8, 1.9 unbound.init, 1.7, 1.8 unbound.spec, 1.26, 1.27

Paul Wouters pwouters at fedoraproject.org
Tue Jun 1 16:45:51 UTC 2010


Author: pwouters

Update of /cvs/extras/rpms/unbound/F-11
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv23972

Modified Files:
	unbound.conf unbound.init unbound.spec 
Added Files:
	dlv.isc.org.key unbound-1.4.4-00f12c.patch 
	unbound-1.4.4-28093c.patch unbound-1.4.4-374822.patch 
	unbound-1.4.4-40d18f.patch unbound-1.4.4-41b631.patch 
	unbound-1.4.4-5e989a.patch unbound-1.4.4-5f58ed.patch 
	unbound-1.4.4-74d75e.patch unbound-1.4.4-778d4a.patch 
	unbound-1.4.4-7f27d6.patch unbound-1.4.4-a6f07b.patch 
	unbound-1.4.4-c2baa7.patch unbound-1.4.4-d7ef7b.patch 
Log Message:
* Tue Jun  1 2010 Paul Wouters <paul at xelerance.com> - 1.4.4-1
- Upgraded to 1.4.4 with svn patches
- Updated unbound.conf config file
- Obsolete dnssec-conf to ensure it is de-installed



--- NEW FILE dlv.isc.org.key ---
; https://secure.isc.org/ops/dlv/dlv.isc.org.key
dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh

unbound-1.4.4-00f12c.patch:
 doc/unbound.conf.5.in |    2 ++
 iterator/iterator.c   |    6 ++++++
 2 files changed, 8 insertions(+)

--- NEW FILE unbound-1.4.4-00f12c.patch ---
commit 00f12c3365fbb1f8a185a9972734c6bf225e7c0d
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Tue Apr 27 14:15:19 2010 +0000

    Fix harden-referral-path so it does not generate lookup failures.

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index fbe3748..16a607c 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -456,6 +456,8 @@ path to the answer.
 Default off, because it burdens the authority servers, and it is
 not RFC standard, and could lead to performance problems because of the
 extra query load that is generated.  Experimental option.
+If you enable it consider adding more numbers after the target\-fetch\-policy
+to increase the max depth that is checked to.
 .TP
 .B use\-caps\-for\-id: \fI<yes or no>
 Use 0x20\-encoded random bits in the query to foil spoof attempts.
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 08354e8..19b9a26 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -695,12 +695,15 @@ static void
 generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq, 
 	int id)
 {
+	struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
 	struct module_qstate* subq;
 	size_t i;
 	struct reply_info* rep = iq->response->rep;
 	struct ub_packed_rrset_key* s;
 	log_assert(iq->dp);
 
+	if(iq->depth == ie->max_dependency_depth)
+		return;
 	/* walk through additional, and check if in-zone,
 	 * only relevant A, AAAA are left after scrub anyway */
 	for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
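Review bot: The depth guard added at the top of generate_a_aaaa_check uses equality, `if(iq->depth == ie->max_dependency_depth)`, so a state whose depth has already gone past the limit would not be stopped here; `if(iq->depth >= ie->max_dependency_depth) return;` costs nothing and makes the cutoff hold regardless of how depth is incremented on the sub-query creation path. Whether depth can actually exceed the maximum is decided outside this hunk, so treat this as a defensive change rather than a known bug. The rest of generate_a_aaaa_check continues past the hunk.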
@@ -746,9 +749,12 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
 static void
 generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
 {
+	struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
 	struct module_qstate* subq;
 	log_assert(iq->dp);
 
+	if(iq->depth == ie->max_dependency_depth)
+		return;
 	/* is this query the same as the nscheck? */
 	if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS &&
 		query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&
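Review bot: Same equality cutoff as in generate_a_aaaa_check: `if(iq->depth == ie->max_dependency_depth) return;` only needs to know the limit has been reached, not hit exactly, so `>=` is the safer comparison. A one-line comment such as `/* do not spawn further sub-queries once the configured dependency depth is reached */` would also record why an NS check is silently skipped here, which otherwise reads like a missed lookup. generate_ns_check continues outside the hunk.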

unbound-1.4.4-28093c.patch:
 testcode/unitmsgparse.c |   77 ++++++++++++++++++++++++++++++++++++++++++++++++
 testdata/test_packets.7 |   18 +++++++++++
 util/data/msgparse.c    |   11 ++++--
 3 files changed, 103 insertions(+), 3 deletions(-)

--- NEW FILE unbound-1.4.4-28093c.patch ---
commit 28093c6d7d9bafbb9763fc6d9b7f222642e8a835
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Thu Apr 22 15:01:02 2010 +0000

           - Fix validation failure for qtype ANY caused by a RRSIG parse failure.
             The validator error message was 'no signatures from ...'.

diff --git a/testcode/unitmsgparse.c b/testcode/unitmsgparse.c
index 43e4377..d1ef854 100644
--- a/testcode/unitmsgparse.c
+++ b/testcode/unitmsgparse.c
@@ -45,6 +45,7 @@
 #include "util/data/msgparse.h"
 #include "util/data/msgreply.h"
 #include "util/data/msgencode.h"
+#include "util/data/dname.h"
 #include "util/alloc.h"
 #include "util/regional.h"
 #include "util/net_help.h"
@@ -54,6 +55,8 @@
 static int vbmp = 0;
 /** if matching within a section should disregard the order of RRs. */
 static int matches_nolocation = 0;
+/** see if RRSIGs are properly matched to RRsets. */
+static int check_rrsigs = 0;
 
 /** match two rr lists */
 static int
@@ -318,6 +321,76 @@ perftestpkt(ldns_buffer* pkt, struct alloc_cache* alloc, ldns_buffer* out,
 	regional_destroy(region);
 }
 
+/** debug print a packet that failed */
+static void
+print_packet_rrsets(struct query_info* qinfo, struct reply_info* rep)
+{
+	size_t i;
+	ldns_rr_list* l;
+	ldns_buffer* buf = ldns_buffer_new(65536);
+	log_query_info(0, "failed query", qinfo);
+	printf(";; ANSWER SECTION (%d rrsets)\n", (int)rep->an_numrrsets);
+	for(i=0; i<rep->an_numrrsets; i++) {
+		l = packed_rrset_to_rr_list(rep->rrsets[i], buf);
+		printf("; rrset %d\n", (int)i);
+		ldns_rr_list_print(stdout, l);
+		ldns_rr_list_deep_free(l);
+	}
+	printf(";; AUTHORITY SECTION (%d rrsets)\n", (int)rep->ns_numrrsets);
+	for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
+		l = packed_rrset_to_rr_list(rep->rrsets[i], buf);
+		printf("; rrset %d\n", (int)i);
+		ldns_rr_list_print(stdout, l);
+		ldns_rr_list_deep_free(l);
+	}
+	printf(";; ADDITIONAL SECTION (%d rrsets)\n", (int)rep->ar_numrrsets);
+	for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
+		l = packed_rrset_to_rr_list(rep->rrsets[i], buf);
+		printf("; rrset %d\n", (int)i);
+		ldns_rr_list_print(stdout, l);
+		ldns_rr_list_deep_free(l);
+	}
+	printf(";; packet end\n");
+	ldns_buffer_free(buf);
+}
+
+/** check that there is no data element that matches the RRSIG */
+static int
+no_data_for_rrsig(struct reply_info* rep, struct ub_packed_rrset_key* rrsig)
+{
+	size_t i;
+	for(i=0; i<rep->rrset_count; i++) {
+		if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_RRSIG)
+			continue;
+		if(query_dname_compare(rep->rrsets[i]->rk.dname, 
+			rrsig->rk.dname) == 0)
+			/* only name is compared right now */
+			return 0;
+	}
+	return 1;
+}
+
+/** check RRSIGs in packet */
+static void
+check_the_rrsigs(struct query_info* qinfo, struct reply_info* rep)
+{
+	/* every RRSIG must be matched to an RRset */
+	size_t i;
+	for(i=0; i<rep->rrset_count; i++) {
+		struct ub_packed_rrset_key* s = rep->rrsets[i];
+		if(ntohs(s->rk.type) == LDNS_RR_TYPE_RRSIG) {
+			/* see if really a problem, i.e. is there a data
+			 * element. */
+			if(no_data_for_rrsig(rep, rep->rrsets[i]))
+				continue;
+			log_dns_msg("rrsig failed for packet", qinfo, rep);
+			print_packet_rrsets(qinfo, rep);
+			printf("failed rrset is nr %d\n", (int)i);
+			unit_assert(0);
+		}
+	}
+}
+
 /** test a packet */
 static void
 testpkt(ldns_buffer* pkt, struct alloc_cache* alloc, ldns_buffer* out, 
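Review bot: no_data_for_rrsig decides whether a leftover RRSIG is a problem by owner name alone, as its own comment admits, so an RRSIG that legitimately stays in its own rrset because its covered type has no data in the packet would be reported as a failure; the check therefore only holds for the packets currently in test_packets.7. Comparing the covered type from the RRSIG rdata against `rep->rrsets[i]->rk.type` as well would make check_the_rrsigs valid for any packet added later; at minimum the existing comment should become `/* TODO: only the name is compared; also compare the covered type */`. Separately, print_packet_rrsets hands `buf` from `ldns_buffer_new(65536)` to packed_rrset_to_rr_list without checking for NULL; this is test code, but a check with an early return is cheap and avoids a confusing crash inside a failure report.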
@@ -355,6 +428,8 @@ testpkt(ldns_buffer* pkt, struct alloc_cache* alloc, ldns_buffer* out,
 			(unsigned)ldns_buffer_limit(pkt),
 			(unsigned)ldns_buffer_limit(out));
 		test_buffers(pkt, out);
+		if(check_rrsigs)
+			check_the_rrsigs(&qi, rep);
 
 		if(ldns_buffer_limit(out) > lim) {
 			ret = reply_info_encode(&qi, rep, id, flags, out, 
@@ -519,7 +594,9 @@ void msgparse_test()
 
 	matches_nolocation = 1; /* RR order not important for the next test */
 	testfromdrillfile(pkt, &alloc, out, "testdata/test_packets.6");
+	check_rrsigs = 1;
 	testfromdrillfile(pkt, &alloc, out, "testdata/test_packets.7");
+	check_rrsigs = 0;
 	matches_nolocation = 0; 
 
 	/* cleanup */
diff --git a/testdata/test_packets.7 b/testdata/test_packets.7
index 4f71c2c..357fa40 100644
--- a/testdata/test_packets.7
+++ b/testdata/test_packets.7
@@ -17,3 +17,21 @@ A608C7155005EBEDCA2176A559EFAF28D5DA1E91F540874BAA1C46BB08B1BAAE1812699A18139CF0
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
 745C5B3915E463DA478131E636347EED414675023BBCA5BA2AABEC2FA3DF976A2343B4AA3403D1AFA3D470D25812BD1A319FBB5B833244D0FA18A59BB69ABB77BBDB3D7F62740D3871A69A5B9D43331D78AB8AE8C91B002E00010000012C007D000105030000012C4B11ADE94AEA20E9FC6006737769746368026368008906D2CFEFC3AA652125DD021CAB6392EBC4A9B4B3CFE3B07E4AFE7DA3263C7B8CE5DC3B66DA45D120E75B3D49ADC1F7D2E9A04A31760698FCFDEAB4AC82915D8E0AD2494DB4F11C02E115C3BD47DC8E57EDA7805BF0E7820A445F93A07698DF0000291000000080000000
 
+;-- es.net IN ANY about RRSIG ordering.
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
+BB4AE48651F815D5D38BE7F4FB94F08F51FC209246296BE108111E90A7A5E2A5A79D305F81DBE313569B72598F36F3CFAA02FD9F321FBC2BDA10861F1D537D48DDF80BBF4B228724636FD79C06C4487365F602E6F5C4CD002E000100000258009A00020502000002584BE2932A4BD0101A4BA3026573036E657400BAA98093DDB57F38CA58C599EEED47F16AA20C1CCF668FF0A022AFAAC97059A28C50FE63034E58FBE361059B43FCBAE3876AC6AE8450987B8A00BEC29093267B9B655E645B7478294FF5E149984459A39D191585463BD80F635C21DBCF30462E60E4EACF8EECC25E4D02C181954CCBB8BDF5D19882CF6F9E982B1BEBEF14797DC573003000
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
+C4763504FE12541EDD947A5FBE8E402D31816D1824867E2CD89AEE5FF6ED7A2D683B8C5E6B7B5972BDFF355BFD9128F0D0EDB59A60F321C573003000010001518001080101030503010001DD8EC709089B6D74BAF2D294E4C626CF789B89A74B7E320D7002A03D0F94EA62DF1F19717FE8C4BFD732DA495E481353C78167255CC6256A98ACBFF5977B81A48C5E2A5AF23E8377423C4034D5D84E9E3548B9D0A07955586F67324B6B5720CC4456D86AEE3A21A4EBED9BA13358C8127D182A5083739B042D7E06307E417D020DD68EC0628E9C8279AF0F7E608A3C5D51AB33BF7C32EBD27B45D72B1AD5752BB485D52488FBA9A1B5BF3B2B50F074F481171E4B65
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
+706F7374616C312E65732E6E657420613A706F7374616C322E65732E6E657420613A706F7374616C332E65732E6E6574207E616C6CCA7C000F00010000025800090032046D61696CCA7CCA7C00010001000002580004C6800370CA7C00020001000002580009066E732D616F61CA7CCA7C00020001000002580002C024CA7C00020001000002580009066E732D6C766BCA7CCB4300010001000002580004C0BC1609CB43001C000100000258001020010400FFFFFFFFFFFFFFFFFFFFFF81C02400010001000151800004C680020AC024001C000100000258001020010400001400020000000000000010CB6600010001000002580004C67CFC16CB66001C0001
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
+0CE145578E56BB359606C9B85538450D2BCA3E9AD0DEFC8FF865DA646F900B9CBC7325B7F04706B60E2770107E62894FE9CF3B1A432F0FB53C5C7A8F37D0F60354C7D52F4DF88BDD4C46774AA728DFC1C807EF5276641CA28774F323C7326B7C1D99DFCB9498C6E096392009AA972B83F0583A5D1002CA26B59B5C97F6A8309C0000291000000080000000
+
diff --git a/util/data/msgparse.c b/util/data/msgparse.c
index 2db8832..ae6dfc1 100644
--- a/util/data/msgparse.c
+++ b/util/data/msgparse.c
@@ -335,16 +335,20 @@ moveover_rrsigs(ldns_buffer* pkt, struct regional* region,
 	struct rr_parse* sig = sigset->rr_first;
 	struct rr_parse* prev = NULL;
 	struct rr_parse* insert;
+	struct rr_parse* nextsig;
 	while(sig) {
+		nextsig = sig->next;
 		if(pkt_rrsig_covered_equals(pkt, sig->ttl_data, 
 			dataset->type)) {
 			if(duplicate) {
 				/* new */
 				insert = (struct rr_parse*)regional_alloc(
 					region, sizeof(struct rr_parse));
+				if(!insert) return 0;
 				insert->outside_packet = 0;
 				insert->ttl_data = sig->ttl_data;
 				insert->size = sig->size;
+				/* prev not used */
 			} else {
 				/* remove from sigset */
 				if(prev) prev->next = sig->next;
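Review bot: The new `if(!insert) return 0;` makes moveover_rrsigs fail part-way, leaving signatures already moved into dataset and already unlinked from sigset, and nothing in the hunk tells the caller that; the callers are not visible here, and in the visible part of the function the only other return is the final `return 1`, so they may never have had a failure to handle. Either confirm every caller aborts the parse on 0, or put `/* on failure the two sets are partially updated; the caller must abandon the parse */` above the return. Also, the rr_parse allocated here gets its `next` pointer only where it is linked into dataset further down, outside this hunk; regional_alloc is not shown to zero memory, so confirm that path always sets it.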
@@ -354,6 +358,7 @@ moveover_rrsigs(ldns_buffer* pkt, struct regional* region,
 				sigset->rr_count--;
 				sigset->size -= sig->size;
 				insert = sig;
+				/* prev not changed */
 			}
 			/* add to dataset */
 			dataset->rrsig_count++;
@@ -363,9 +368,9 @@ moveover_rrsigs(ldns_buffer* pkt, struct regional* region,
 			else	dataset->rrsig_first = insert;
 			dataset->rrsig_last = insert;
 			dataset->size += insert->size;
-		}
-		prev = sig;
-		sig = sig->next;
+		} else 
+			prev = sig;
+		sig = nextsig;
 	}
 	return 1;
 }
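Review bot: The loop fix is correct but subtle — `prev` now only advances when `sig` stays in sigset, because a node that was just unlinked must not become the predecessor used by the next unlink — and nothing in the hunk says so. A comment on the `else` branch, `/* sig stayed in sigset, so it is the predecessor of nextsig; a moved sig must not become prev, or the next unlink would write to a node no longer in the list */`, would stop the next reader from "simplifying" it back to the old form. `nextsig` deserves a one-liner too, since `sig->next` is read before sig is presumably relinked into dataset.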

unbound-1.4.4-374822.patch:
 iter_utils.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- NEW FILE unbound-1.4.4-374822.patch ---
commit 374822322e33503d3576c85b3e43fef158a80e42
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Thu Apr 29 12:36:12 2010 +0000

    dnssec lameness detection looks in key cache if dnssec is expected.

diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index 6124650..f63b6fe 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -60,6 +60,8 @@
 #include "util/random.h"
 #include "util/fptr_wlist.h"
 #include "validator/val_anchor.h"
+#include "validator/val_kcache.h"
+#include "validator/val_kentry.h"
 
 /** time when nameserver glue is said to be 'recent' */
 #define SUSPICION_RECENT_EXPIRY 86400
@@ -570,6 +572,18 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
 		reply_find_rrset_section_ns(msg->rep, dp->name, dp->namelen,
 		LDNS_RR_TYPE_DS, dclass))
 		return 1;
+	/* look in key cache */
+	if(env->key_cache) {
+		struct key_entry_key* kk = key_cache_obtain(env->key_cache,
+			dp->name, dp->namelen, dclass, env->scratch, *env->now);
+		if(kk) {
+			if(key_entry_isgood(kk) || key_entry_isbad(kk)) {
+				regional_free_all(env->scratch);
+				return 1;
+			}
+			regional_free_all(env->scratch);
+		}
+	}
 	return 0;
 }
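Review bot: iter_indicates_dnssec now calls `regional_free_all(env->scratch)` on the shared scratch region on both exits of the key-cache branch; if any caller still holds allocations in env->scratch across this call they are freed underneath it. The callers are not in the hunk, so this is a request to confirm the scratch convention (nothing live in scratch when calling into iter_utils) and to record it in the function's doc comment, e.g. `/* note: uses and then clears env->scratch */`. Also, the entry returned by key_cache_obtain is not checked to be for dp->name itself; the follow-up patch 74d75e in this same update adds the `query_dname_compare(kk->name, dp->name)` test, so the two patches should be applied together.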
 

unbound-1.4.4-40d18f.patch:
 iter_utils.c |    6 +++---
 iter_utils.h |    4 ++--
 iterator.c   |   24 +++++++++++++++---------
 iterator.h   |    6 ++++++
 4 files changed, 26 insertions(+), 14 deletions(-)

--- NEW FILE unbound-1.4.4-40d18f.patch ---
commit 40d18f7cfb64a806699545410858b655e76660e1
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Tue May 4 08:39:04 2010 +0000

    - Fix dnssec-missing detection that was turned off by server selection.

diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index b3a31fa..3a75d03 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -310,7 +310,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
 struct delegpt_addr* 
 iter_server_selection(struct iter_env* iter_env, 
 	struct module_env* env, struct delegpt* dp, 
-	uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_expected,
+	uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_lame,
 	int* chase_to_rd, int open_target, struct sock_list* blacklist)
 {
 	int sel;
@@ -331,7 +331,7 @@ iter_server_selection(struct iter_env* iter_env,
 		if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT) {
 			verbose(VERB_ALGO, "chase to "
 				"blacklisted dnssec lame server");
-			*dnssec_expected = 0;
+			*dnssec_lame = 1;
 		}
 	} else {
 		if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) {
@@ -340,7 +340,7 @@ iter_server_selection(struct iter_env* iter_env,
 		}
 		if(selrtt > USEFUL_SERVER_TOP_TIMEOUT) {
 			verbose(VERB_ALGO, "chase to dnssec lame server");
-			*dnssec_expected = 0;
+			*dnssec_lame = 1;
 		}
 		if(selrtt == USEFUL_SERVER_TOP_TIMEOUT) {
 			verbose(VERB_ALGO, "chase to blacklisted lame server");
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
index a9f4247..d3870ec 100644
--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@@ -80,7 +80,7 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg);
  * @param name: zone name (for lameness check).
  * @param namelen: length of name.
  * @param qtype: query type that we want to send.
- * @param dnssec_expected: set to 0, if a known dnssec-lame server is selected
+ * @param dnssec_lame: set to 1, if a known dnssec-lame server is selected
  *	these are not preferred, but are used as a last resort.
  * @param chase_to_rd: set to 1 if a known recursion lame server is selected
  * 	these are not preferred, but are used as a last resort.
@@ -92,7 +92,7 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg);
  */
 struct delegpt_addr* iter_server_selection(struct iter_env* iter_env, 
 	struct module_env* env, struct delegpt* dp, uint8_t* name, 
-	size_t namelen, uint16_t qtype, int* dnssec_expected,
+	size_t namelen, uint16_t qtype, int* dnssec_lame,
 	int* chase_to_rd, int open_target, struct sock_list* blacklist);
 
 /**
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 19b9a26..6f486bf 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -120,6 +120,7 @@ iter_new(struct module_qstate* qstate, int id)
 	iq->wait_priming_stub = 0;
 	iq->refetch_glue = 0;
 	iq->dnssec_expected = 0;
+	iq->dnssec_lame_query = 0;
 	iq->chase_flags = qstate->query_flags;
 	/* Start with the (current) qname. */
 	iq->qchase = qstate->qinfo;
@@ -1451,8 +1452,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* Select the next usable target, filtering out unsuitable targets. */
 	target = iter_server_selection(ie, qstate->env, iq->dp, 
 		iq->dp->name, iq->dp->namelen, iq->qchase.qtype,
-		&iq->dnssec_expected, &iq->chase_to_rd, iq->num_target_queries,
-		qstate->blacklist);
+		&iq->dnssec_lame_query, &iq->chase_to_rd, 
+		iq->num_target_queries, qstate->blacklist);
 
 	/* If no usable target was selected... */
 	if(!target) {
@@ -1530,10 +1531,14 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	}
 
 	/* We have a valid target. */
-	if(iq->dnssec_expected) verbose(VERB_ALGO, "dnssec is expected");
-	log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
-	log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name, 
-		&target->addr, target->addrlen);
+	if(verbosity >= VERB_QUERY) {
+		log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
+		log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name, 
+			&target->addr, target->addrlen);
+		verbose(VERB_ALGO, "dnssec status: %s%s",
+			iq->dnssec_expected?"expected": "not expected",
+			iq->dnssec_lame_query?" but lame_query anyway": "");
+	}
 	fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
 	outq = (*qstate->env->send_query)(
 		iq->qchase.qname, iq->qchase.qname_len, 
@@ -1587,6 +1592,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 	iq->num_current_queries--;
 	if(iq->response == NULL) {
 		iq->chase_to_rd = 0;
+		iq->dnssec_lame_query = 0;
 		verbose(VERB_ALGO, "query response was timeout");
 		return next_state(iq, QUERYTARGETS_STATE);
 	}
@@ -1599,7 +1605,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		 * differently. No queries should be sent elsewhere */
 		type = RESPONSE_TYPE_ANSWER;
 	}
-	if(iq->dnssec_expected && !(iq->chase_flags&BIT_RD) 
+	if(iq->dnssec_expected && !iq->dnssec_lame_query &&
+		!(iq->chase_flags&BIT_RD) 
 		&& type != RESPONSE_TYPE_LAME 
 		&& type != RESPONSE_TYPE_REC_LAME 
 		&& type != RESPONSE_TYPE_THROWAWAY 
@@ -1615,7 +1622,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			type = RESPONSE_TYPE_LAME;
 			dnsseclame = 1;
 		}
-	}
+	} else iq->dnssec_lame_query = 0;
 	/* see if referral brings us close to the target */
 	if(type == RESPONSE_TYPE_REFERRAL) {
 		struct ub_packed_rrset_key* ns = find_NS(
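Review bot: `} else iq->dnssec_lame_query = 0;` puts an unbraced statement on the closing-brace line of a multi-line if, while every other branch in the hunk is braced; writing it as `} else {` / `iq->dnssec_lame_query = 0;` / `}` keeps the style consistent and avoids the dangling-statement mistake when a second line is added later. The flag is now set in iter_server_selection and cleared in three places in this function, so a comment on why it is cleared here, e.g. `/* not a dnssec-expected response path: the lame marker no longer applies */`, would help.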
@@ -1764,7 +1771,6 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		/* Clear the query state, since this is a query restart. */
 		iq->deleg_msg = NULL;
 		iq->dp = NULL;
-		iq->dnssec_expected = 0;
 		/* Note the query restart. */
 		iq->query_restart_count++;
 
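Review bot: With the reset of `iq->dnssec_expected` removed from the query-restart path, the DNSSEC expectation now carries over from the CNAME/DNAME source into the restarted query even though `iq->dp` is set to NULL and the new target may live in an unsigned zone. Presumably dnssec_expected is re-derived via iter_indicates_dnssec once the new delegation point is found, in which case this is fine, but that path is outside the hunk and a comment here, `/* dnssec_expected is kept: it is re-derived from the new delegation point */`, would make the intent explicit. If it is not re-derived, a stale "expected" would wrongly mark the target's servers dnssec-lame. The enclosing function continues past the hunk.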
diff --git a/iterator/iterator.h b/iterator/iterator.h
index 736af51..350fb1d 100644
--- a/iterator/iterator.h
+++ b/iterator/iterator.h
@@ -255,6 +255,12 @@ struct iter_qstate {
 	int dnssec_expected;
 
 	/**
+	 * We are expecting dnssec information, but we also know the server
+	 * is DNSSEC lame.  The response need not be marked dnssec-lame again.
+	 */
+	int dnssec_lame_query;
+
+	/**
 	 * This is flag that, if true, means that this event is 
 	 * waiting for a stub priming query. 
 	 */

unbound-1.4.4-41b631.patch:
 iterator/iterator.c         |    9 ++-
 testdata/iter_hint_lame.rpl |  120 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 126 insertions(+), 3 deletions(-)

--- NEW FILE unbound-1.4.4-41b631.patch ---
commit 41b631ca4182e68b09eecdaec7d67ac576f3800d
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Tue Apr 27 11:10:35 2010 +0000

           - fix retry sequence if prime hints are recursion-lame.

diff --git a/iterator/iterator.c b/iterator/iterator.c
index b1a948d..08354e8 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1897,8 +1897,11 @@ static int
 processPrimeResponse(struct module_qstate* qstate, int id)
 {
 	struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];
-	enum response_type type = response_type_from_server(0, iq->response, 
-		&iq->qchase, iq->dp);
+	enum response_type type;
+	iq->response->rep->flags &= ~(BIT_RD|BIT_RA); /* ignore rec-lame */
+	type = response_type_from_server(
+		(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), 
+		iq->response, &iq->qchase, iq->dp);
 	if(type == RESPONSE_TYPE_ANSWER) {
 		qstate->return_rcode = LDNS_RCODE_NOERROR;
 		qstate->return_msg = iq->response;
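Review bot: `iq->response->rep->flags &= ~(BIT_RD|BIT_RA); /* ignore rec-lame */` mutates the stored reply before classification, and the terse comment does not say why that is intended; something like `/* a hint server that sets RA is recursion-lame but still usable for priming: strip RD/RA so response_type_from_server does not classify the prime as REC_LAME */` would carry the commit's reasoning into the code. Because the bits are cleared on the reply object itself, anything that later inspects this response's RA flag will not see it; if that matters for logging or caching, classify on a copy of the flags instead. processPrimeResponse continues outside the hunk, and iq->response is dereferenced without a NULL check here as before, so the caller must already guarantee it.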
@@ -2230,7 +2233,7 @@ void
 iter_inform_super(struct module_qstate* qstate, int id, 
 	struct module_qstate* super)
 {
-	if(super->qinfo.qclass == LDNS_RR_CLASS_ANY)
+	if(!qstate->is_priming && super->qinfo.qclass == LDNS_RR_CLASS_ANY)
 		processClassResponse(qstate, id, super);
 	else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
 		error_supers(qstate, id, super);
diff --git a/testdata/iter_hint_lame.rpl b/testdata/iter_hint_lame.rpl
new file mode 100644
index 0000000..8cbede1
--- /dev/null
+++ b/testdata/iter_hint_lame.rpl
@@ -0,0 +1,120 @@
+; config options
+server:
+	target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test iterative resolve with lame hints.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR RA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A	10.20.30.40
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A	10.20.30.40
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+SCENARIO_END

unbound-1.4.4-5e989a.patch:
 iter_utils.c |    8 +++++++-
 iterator.c   |    9 +++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

--- NEW FILE unbound-1.4.4-5e989a.patch ---
commit 5e989a15b927094a83d0f3a08be0cd559e29d3ff
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Fri Apr 23 09:07:05 2010 +0000

            - Fix to fetch data as last resort more tenaciously.  When cycle
    	  targets cause the server selection to believe there are more options
    	  when they really are not there, the server selection is reinitiated.
    	- Fix fetch from blacklisted dnssec lame servers as last resort.  The
    	  servers IP address is then given in validator errors as well.

diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index a706e6b..9082055 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -322,9 +322,15 @@ iter_server_selection(struct iter_env* iter_env,
 	verbose(VERB_ALGO, "selrtt %d", selrtt);
 	if(selrtt > BLACKLIST_PENALTY) {
 		if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT*2) {
-			verbose(VERB_ALGO, "chase to recursion lame server");
+			verbose(VERB_ALGO, "chase to "
+				"blacklisted recursion lame server");
 			*chase_to_rd = 1;
 		}
+		if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT) {
+			verbose(VERB_ALGO, "chase to "
+				"blacklisted dnssec lame server");
+			*dnssec_expected = 0;
+		}
 	} else {
 		if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) {
 			verbose(VERB_ALGO, "chase to recursion lame server");
diff --git a/iterator/iterator.c b/iterator/iterator.c
index e8345c8..c7cdbc8 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1469,6 +1469,15 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 					return error_response(qstate, id,
 						LDNS_RCODE_SERVFAIL);
 				}
+				if(qs == 0 && 
+				   delegpt_count_missing_targets(iq->dp) == 0){
+					/* it looked like there were missing
+					 * targets, but they did not turn up.
+					 * Try the bad choices again (if any),
+					 * when we get back here missing==0,
+					 * so this is not a loop. */
+					return 1;
+				}
 				iq->num_target_queries += qs;
 			}
 			/* Since a target query might have been made, we 
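Review bot: The early `return 1` when `qs == 0 && delegpt_count_missing_targets(iq->dp) == 0` rests on the comment's argument that re-entry will see missing==0 and therefore not come back here; that termination invariant exists only in prose. A `verbose(VERB_ALGO, "missing targets did not turn up, retrying bad choices")` on this path would make a regression into a tight retry loop visible in logs instead of silent, and the comment should say what `return 1` means for this state machine. If the call that produces `qs` can return 0 for reasons other than "nothing missing", list them in the comment. processQueryTargets starts and ends outside the hunk.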

unbound-1.4.4-5f58ed.patch:
 config_file.c |    1 +
 1 file changed, 1 insertion(+)

--- NEW FILE unbound-1.4.4-5f58ed.patch ---
commit 5f58ed252d7bcd500ebedfb351e3ce7c84c44211
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Tue Apr 27 09:16:23 2010 +0000

    unbound-control get_option domain-insecure works.

diff --git a/util/config_file.c b/util/config_file.c
index aca82e1..ec0866c 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -609,6 +609,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LST(opt, "trusted-keys-file", trusted_keys_file_list)
 	else O_LST(opt, "dlv-anchor", dlv_anchor_list)
 	else O_LST(opt, "control-interface", control_ifs)
+	else O_LST(opt, "domain-insecure", domain_insecure)
 	else O_UNS(opt, "val-override-date", val_date_override)
 	/* not here:
 	 * outgoing-permit, outgoing-avoid - have list of ports

unbound-1.4.4-74d75e.patch:
 iter_utils.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- NEW FILE unbound-1.4.4-74d75e.patch ---
commit 74d75e591a6f5343109922f2bf1f83eba59f0a4f
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Thu Apr 29 12:52:44 2010 +0000

    fix for key cache lookup

diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index f63b6fe..b3a31fa 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -577,9 +577,14 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
 		struct key_entry_key* kk = key_cache_obtain(env->key_cache,
 			dp->name, dp->namelen, dclass, env->scratch, *env->now);
 		if(kk) {
-			if(key_entry_isgood(kk) || key_entry_isbad(kk)) {
+			if(query_dname_compare(kk->name, dp->name) == 0) {
+			  if(key_entry_isgood(kk) || key_entry_isbad(kk)) {
 				regional_free_all(env->scratch);
 				return 1;
+			  } else if(key_entry_isnull(kk)) {
+				regional_free_all(env->scratch);
+				return 0;
+			  }
 			}
 			regional_free_all(env->scratch);
 		}
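Review bot: The block inside `if(query_dname_compare(kk->name, dp->name) == 0) {` is indented with two spaces while the rest of the file uses tabs, which misaligns the braces and hides the three-way outcome. Either re-indent with tabs or hoist the name test, `int exact = query_dname_compare(kk->name, dp->name) == 0;`, and use it in the conditions, `if(exact && (key_entry_isgood(kk) || key_entry_isbad(kk)))` / `else if(exact && key_entry_isnull(kk))`, which reads flat and keeps the same behaviour. A short comment on why an enclosing (non-exact) entry must not decide the answer, and why a bad key still counts as "dnssec indicated", would also help the next reader.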

unbound-1.4.4-778d4a.patch:
 services/localzone.c   |    6 +++---
 testdata/localdata.rpl |   36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 3 deletions(-)

--- NEW FILE unbound-1.4.4-778d4a.patch ---
commit 778d4ab54a4e9efb41b042607b9a685853c5483c
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Fri Apr 23 14:03:09 2010 +0000

           - Fix local-zone type redirect that did not use the query name for
             the answer rrset.

diff --git a/services/localzone.c b/services/localzone.c
index dba7f3b..b8da77a 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -1040,10 +1040,10 @@ local_data_answer(struct local_zone* z, struct query_info* qinfo,
 	if(!lr)
 		return 0;
 	if(z->type == local_zone_redirect) {
-		/* convert rrset name to zone name; like a wildcard */
+		/* convert rrset name to query name; like a wildcard */
 		struct ub_packed_rrset_key r = *lr->rrset;
-		r.rk.dname = z->name;
-		r.rk.dname_len = z->namelen;
+		r.rk.dname = qinfo->qname;
+		r.rk.dname_len = qinfo->qname_len;
 		return local_encode(qinfo, edns, buf, temp, &r, 1, 
 			LDNS_RCODE_NOERROR);
 	}
diff --git a/testdata/localdata.rpl b/testdata/localdata.rpl
index 5bb259e..08aec6d 100644
--- a/testdata/localdata.rpl
+++ b/testdata/localdata.rpl
@@ -30,6 +30,10 @@ server:
 	; refuse zone (error)
 	local-zone: "refuse.top." refuse
 
+	; redirect zone
+	local-zone: "redirect.top." redirect
+	local-data: "redirect.top. A 20.30.40.54"
+
 	; create implicit data in the IN domain as well
 	local-data: "a.a.implicit. A 20.30.41.50"
 	local-data: "b.a.implicit. A 20.30.42.50"
@@ -318,4 +322,36 @@ www.deny.top. IN A
 ENTRY_END
 ; no answer is checked at exit of testbound.
 
+; redirect zone apex
+STEP 50 QUERY
+ENTRY_BEGIN
+SECTION QUESTION
+redirect.top. IN A
+ENTRY_END
+STEP 51 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA NOERROR
+SECTION QUESTION
+redirect.top. IN A
+SECTION ANSWER
+redirect.top. IN A 20.30.40.54
+ENTRY_END
+
+; redirect zone
+STEP 52 QUERY
+ENTRY_BEGIN
+SECTION QUESTION
+www.redirect.top. IN A
+ENTRY_END
+STEP 53 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA NOERROR
+SECTION QUESTION
+www.redirect.top. IN A
+SECTION ANSWER
+www.redirect.top. IN A 20.30.40.54
+ENTRY_END
+
 SCENARIO_END

unbound-1.4.4-7f27d6.patch:
 infra.c |   37 ++++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 15 deletions(-)

--- NEW FILE unbound-1.4.4-7f27d6.patch ---
commit 7f27d6c9992fec6847ae914f38db6a3d1b28e81a
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Thu Apr 29 14:12:54 2010 +0000

          - infra cache entries that are expired are wiped clean.  Previously
            it was possible to not expire host data (if accessed often).

diff --git a/services/cache/infra.c b/services/cache/infra.c
index 9c32c81..6066f98 100644
--- a/services/cache/infra.c
+++ b/services/cache/infra.c
@@ -187,6 +187,19 @@ infra_lookup_host(struct infra_cache* infra,
 	return data;
 }
 
+/** init the host elements (not lame elems) */
+static void
+host_entry_init(struct infra_cache* infra, struct lruhash_entry* e, 
+	uint32_t timenow)
+{
+	struct infra_host_data* data = (struct infra_host_data*)e->data;
+	data->ttl = timenow + infra->host_ttl;
+	rtt_init(&data->rtt);
+	data->edns_version = 0;
+	data->edns_lame_known = 0;
+	data->num_timeouts = 0;
+}
+
 /** 
  * Create and init a new entry for a host 
  * @param infra: infra structure with config parameters.
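Review bot: The one-line comment on host_entry_init should say what it deliberately leaves alone and what it assumes, since the helper now serves the re-init paths in infra_host, infra_rtt_update and infra_edns_update as well as new_host_entry: `/** (re)init the host elements of an entry; lameness is left untouched on purpose, caller holds the entry's write lock */`. The lock assumption is inferred from the `we have a writelock` comment at the infra_host call site; confirm it also holds for the two new expiry call sites before writing it. Note that the infra_host re-init now also zeroes `num_timeouts`, which the code it replaces there did not; that looks intended by "wiped clean" but deserves a word in the commit message.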
@@ -216,12 +229,8 @@ new_host_entry(struct infra_cache* infra, struct sockaddr_storage* addr,
 	key->entry.data = (void*)data;
 	key->addrlen = addrlen;
 	memcpy(&key->addr, addr, addrlen);
-	data->ttl = tm + infra->host_ttl;
 	data->lameness = NULL;
-	data->edns_version = 0;
-	data->edns_lame_known = 0;
-	data->num_timeouts = 0;
-	rtt_init(&data->rtt);
+	host_entry_init(infra, &key->entry, tm);
 	return &key->entry;
 }
 
@@ -240,12 +249,8 @@ infra_host(struct infra_cache* infra, struct sockaddr_storage* addr,
 		if(e) {
 			/* if its still there we have a writelock, init */
 			/* re-initialise */
-			data = (struct infra_host_data*)e->data;
-			data->ttl = timenow + infra->host_ttl;
-			rtt_init(&data->rtt);
 			/* do not touch lameness, it may be valid still */
-			data->edns_version = 0;
-			data->edns_lame_known = 0;
+			host_entry_init(infra, e, timenow);
 		}
 	}
 	if(!e) {
@@ -469,10 +474,11 @@ infra_rtt_update(struct infra_cache* infra,
 		if(!(e = new_host_entry(infra, addr, addrlen, timenow)))
 			return 0;
 		needtoinsert = 1;
-	}
-	/* have an entry, update the rtt, and the ttl */
+	} else if(((struct infra_host_data*)e->data)->ttl < timenow) {
+		host_entry_init(infra, e, timenow);
+	} 
+	/* have an entry, update the rtt */
 	data = (struct infra_host_data*)e->data;
-	data->ttl = timenow + infra->host_ttl;
 	if(roundtrip == -1) {
 		rtt_lost(&data->rtt, orig_rtt);
 		if(data->num_timeouts<255)
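Review bot: The expiry test `((struct infra_host_data*)e->data)->ttl < timenow` is spelled out inline here and again in infra_edns_update (next hunk); a tiny `static int host_expired(struct lruhash_entry* e, uint32_t timenow)` returning that expression would keep both call sites in step if the comparison ever changes (for instance to `<=`). The new `} ` closing the else-if branch carries trailing whitespace in both functions. infra_rtt_update starts and ends outside the hunk.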
@@ -503,10 +509,11 @@ infra_edns_update(struct infra_cache* infra,
 		if(!(e = new_host_entry(infra, addr, addrlen, timenow)))
 			return 0;
 		needtoinsert = 1;
-	}
+	} else if(((struct infra_host_data*)e->data)->ttl < timenow) {
+		host_entry_init(infra, e, timenow);
+	} 
 	/* have an entry, update the rtt, and the ttl */
 	data = (struct infra_host_data*)e->data;
-	data->ttl = timenow + infra->host_ttl;
 	data->edns_version = edns_version;
 	data->edns_lame_known = 1;
 
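Review bot: The comment `/* have an entry, update the rtt, and the ttl */` is now stale: the `data->ttl = ...` store below it is removed by this hunk and the function sets the edns fields, not the rtt. The sibling hunk in infra_rtt_update updated its comment; this one should read `/* have an entry, update the edns info */`. infra_edns_update starts and ends outside the hunk.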

unbound-1.4.4-a6f07b.patch:
 net_help.c |    8 ++++++++
 net_help.h |    8 ++++++++
 netevent.c |    6 ++++++
 3 files changed, 22 insertions(+)

--- NEW FILE unbound-1.4.4-a6f07b.patch ---
commit a6f07ba49319bbb62772a99cc3267fe8409a39d4
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Fri Apr 23 06:48:49 2010 +0000

           - Squelch log message: sendto failed permission denied for
             255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).

diff --git a/util/net_help.c b/util/net_help.c
index 182f39d..7b2a3f4 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -494,6 +494,14 @@ addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
 	return (memcmp(s, map_prefix, 12) == 0);
 }
 
+int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen)
+{
+	int af = (int)((struct sockaddr_in*)addr)->sin_family;
+	void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
+	return af == AF_INET && addrlen>=(socklen_t)sizeof(struct sockaddr_in)
+		&& memcmp(sinaddr, "\377\377\377\377", 4) == 0;
+}
+
 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
 	socklen_t len, struct regional* region)
 {
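Review bot: addr_is_broadcast compares raw bytes against the octal literal `"\377\377\377\377"`; `((struct sockaddr_in*)addr)->sin_addr.s_addr == htonl(INADDR_BROADCAST)` expresses the same test without a magic string and drops the `sinaddr` temporary. Reading `sin_family` through the cast before `addrlen` is checked is fine only because the parameter is a full `struct sockaddr_storage`; a short comment saying so protects the next person who changes the parameter type. As the header text says, this catches only the limited broadcast 255.255.255.255, not subnet-directed broadcasts, which is adequate for the log squelch it serves.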
diff --git a/util/net_help.h b/util/net_help.h
index 9ac96eb..8afa84b 100644
--- a/util/net_help.h
+++ b/util/net_help.h
@@ -280,6 +280,14 @@ void addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
 int addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen);
 
 /**
+ * See if sockaddr is 255.255.255.255.
+ * @param addr: address
+ * @param addrlen: length of address
+ * @return true if so
+ */
+int addr_is_broadcast(struct sockaddr_storage* addr, socklen_t addrlen);
+
+/**
  * Insert new socket list item. If fails logs error.
  * @param list: pointer to pointer to first item.
  * @param addr: address or NULL if 'cache'.
diff --git a/util/netevent.c b/util/netevent.c
index 4b6a0a3..3f3c6ce 100644
--- a/util/netevent.c
+++ b/util/netevent.c
@@ -301,6 +301,12 @@ comm_point_send_udp_msg(struct comm_point *c, ldns_buffer* packet,
 			(struct sockaddr_storage*)addr, addrlen) &&
 			verbosity < VERB_DETAIL)
 			return 0;
+		/* SO_BROADCAST sockopt can give access to 255.255.255.255,
+		 * but a dns cache does not need it. */
+		if(errno == EACCES && addr_is_broadcast(
+			(struct sockaddr_storage*)addr, addrlen) &&
+			verbosity < VERB_DETAIL)
+			return 0;
 #ifndef USE_WINSOCK
 		verbose(VERB_OPS, "sendto failed: %s", strerror(errno));
 #else
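Review bot: The new `if` repeats the `verbosity < VERB_DETAIL` guard and the `return 0` of the condition immediately above it; hoisting the shared guard, `if(verbosity < VERB_DETAIL && ((<existing errno test> && addr_is_ip4mapped(...)) || (errno == EACCES && addr_is_broadcast(...)))) return 0;`, keeps the list of squelched sendto failures in one place. Both tests read `errno` after helper calls made by the preceding condition; that is safe only while those helpers stay memcmp-based and never touch errno, which is worth a comment. comm_point_send_udp_msg starts and ends outside the hunk, and the first line of the preceding condition is outside it too.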

unbound-1.4.4-c2baa7.patch:
 doc/unbound.conf.5.in |    8 +++++++-
 services/localzone.c  |    3 +++
 2 files changed, 10 insertions(+), 1 deletion(-)

--- NEW FILE unbound-1.4.4-c2baa7.patch ---
commit c2baa73db1a2a0b0c0c8bba3d203a28ca86c5f31
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Tue May 4 10:50:27 2010 +0000

    - Conforms to draft-ietf-dnsop-default-local-zones-13.  Added default
      reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
      113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 16a607c..40b4bad 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -778,7 +778,8 @@ records are provided.
 .TP 10
 \h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR 
 Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa, 
-2.0.192.in\-addr.arpa, 255.255.255.255.in\-addr.arpa.
+2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
+113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
 .TP 10
 \h'5'\fIreverse RFC4291 IP6 unspecified\fR
 Reverse data for zone 
@@ -793,12 +794,17 @@ Reverse data for zone D.F.ip6.arpa.
 \h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR
 Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
 .TP 10
+\h'5'\fIreverse RFC4843 Orchid Prefix\fR
+Reverse data for zone 0.1.1.0.0.2.ip6.arpa.
+.TP 10
 \h'5'\fIreverse IPv6 Example Prefix\fR
 Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
 tutorials and examples. You can remove the block on this zone with:
 .nf
   local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
 .fi
+You can also selectively unblock a part of the zone by making that part
+transparent with a local\-zone statement.
 This also works with the other default zones.
 .\" End of local-zone listing.
 .TP 5
diff --git a/services/localzone.c b/services/localzone.c
index b8da77a..248d45f 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -689,6 +689,8 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg,
 		!add_as112_default(zones, cfg, buf, "0.in-addr.arpa.") ||
 		!add_as112_default(zones, cfg, buf, "254.169.in-addr.arpa.") ||
 		!add_as112_default(zones, cfg, buf, "2.0.192.in-addr.arpa.") ||
+		!add_as112_default(zones, cfg, buf, "100.51.198.in-addr.arpa.") ||
+		!add_as112_default(zones, cfg, buf, "113.0.203.in-addr.arpa.") ||
 		!add_as112_default(zones, cfg, buf, "255.255.255.255.in-addr.arpa.") ||
 		!add_as112_default(zones, cfg, buf, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.") ||
 		!add_as112_default(zones, cfg, buf, "d.f.ip6.arpa.") ||
@@ -696,6 +698,7 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg,
 		!add_as112_default(zones, cfg, buf, "9.e.f.ip6.arpa.") ||
 		!add_as112_default(zones, cfg, buf, "a.e.f.ip6.arpa.") ||
 		!add_as112_default(zones, cfg, buf, "b.e.f.ip6.arpa.") ||
+		!add_as112_default(zones, cfg, buf, "0.1.1.0.0.2.ip6.arpa.") ||
 		!add_as112_default(zones, cfg, buf, "8.b.d.0.1.0.0.2.ip6.arpa.")) {
 		log_err("out of memory adding default zone");
 		return 0;

unbound-1.4.4-d7ef7b.patch:
 iter_utils.c |   42 +++++++++++++++++++++++++++++++++++++++---
 iter_utils.h |   10 +++++++++-
 iterator.c   |    6 +++++-
 3 files changed, 53 insertions(+), 5 deletions(-)

--- NEW FILE unbound-1.4.4-d7ef7b.patch ---
commit d7ef7b31e0dbb0a73b201649c3729508b270f43f
Author: wouter <wouter at be551aaa-1e26-0410-a405-d3ace91eadb9>
Date:   Mon Apr 26 14:59:44 2010 +0000

    Fix bug#307: 0x20 fallback outstanding query count, together with rec_lame,
    and canonical rrset comparison.

diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index 9082055..6124650 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -674,7 +674,7 @@ rrset_equal(struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2)
 }
 
 int 
-reply_equal(struct reply_info* p, struct reply_info* q)
+reply_equal(struct reply_info* p, struct reply_info* q, ldns_buffer* scratch)
 {
 	size_t i;
 	if(p->flags != q->flags ||
@@ -688,8 +688,29 @@ reply_equal(struct reply_info* p, struct reply_info* q)
 		p->rrset_count != q->rrset_count)
 		return 0;
 	for(i=0; i<p->rrset_count; i++) {
-		if(!rrset_equal(p->rrsets[i], q->rrsets[i]))
-			return 0;
+		if(!rrset_equal(p->rrsets[i], q->rrsets[i])) {
+			/* fallback procedure: try to sort and canonicalize */
+			ldns_rr_list* pl, *ql;
+			pl = packed_rrset_to_rr_list(p->rrsets[i], scratch);
+			ql = packed_rrset_to_rr_list(q->rrsets[i], scratch);
+			if(!pl || !ql) {
+				ldns_rr_list_deep_free(pl);
+				ldns_rr_list_deep_free(ql);
+				return 0;
+			}
+			ldns_rr_list2canonical(pl);
+			ldns_rr_list2canonical(ql);
+			ldns_rr_list_sort(pl);
+			ldns_rr_list_sort(ql);
+			if(ldns_rr_list_compare(pl, ql) != 0) {
+				ldns_rr_list_deep_free(pl);
+				ldns_rr_list_deep_free(ql);
+				return 0;
+			}
+			ldns_rr_list_deep_free(pl);
+			ldns_rr_list_deep_free(ql);
+			continue;
+		}
 	}
 	return 1;
 }
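Review bot: The fallback branch in reply_equal frees `pl`/`ql` in three separate places and ends with a `continue` that is already the last statement of the loop body, so it does nothing; computing the result first and freeing once removes the duplication. This keeps the existing reliance on `ldns_rr_list_deep_free(NULL)` being a no-op. The conversion of `q->rrsets[i]` reuses the same `scratch` buffer as the conversion of `p->rrsets[i]`, so correctness depends on packed_rrset_to_rr_list copying out of `scratch` rather than returning data that aliases it — confirm and note it in the header comment. reply_equal's opening lines are in the previous hunk.
```c
	for(i=0; i<p->rrset_count; i++) {
		if(!rrset_equal(p->rrsets[i], q->rrsets[i])) {
			/* fallback procedure: try to sort and canonicalize */
			int same = 0;
			ldns_rr_list* pl = packed_rrset_to_rr_list(p->rrsets[i], scratch);
			ldns_rr_list* ql = packed_rrset_to_rr_list(q->rrsets[i], scratch);
			if(pl && ql) {
				ldns_rr_list2canonical(pl);
				ldns_rr_list2canonical(ql);
				ldns_rr_list_sort(pl);
				ldns_rr_list_sort(ql);
				same = (ldns_rr_list_compare(pl, ql) == 0);
			}
			ldns_rr_list_deep_free(pl);
			ldns_rr_list_deep_free(ql);
			if(!same)
				return 0;
		}
	}
```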
@@ -792,3 +813,18 @@ iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z)
 		i++;
 	}
 }
+
+void iter_dec_attempts(struct delegpt* dp, int d)
+{
+	struct delegpt_addr* a;
+	for(a=dp->target_list; a; a = a->next_target) {
+		if(a->attempts >= OUTBOUND_MSG_RETRY) {
+			/* add back to result list */
+			a->next_result = dp->result_list;
+			dp->result_list = a;
+		}
+		if(a->attempts > d)
+			a->attempts -= d;
+		else a->attempts = 0;
+	}
+}
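Review bot: iter_dec_attempts pushes every address with `attempts >= OUTBOUND_MSG_RETRY` onto the front of `dp->result_list` by overwriting `a->next_result`; if such an address can still be linked into `result_list`, this produces a duplicate entry or a cycle in the list. The code presumably relies on exhausted addresses having been unlinked from `result_list` when they were tried — confirm, and state it in the header comment, e.g. `/* addresses at the retry limit are assumed to be off result_list; they are relinked here */`. `d` is not range-checked; a note that callers pass a small positive count (3 in iterator.c) would document the contract.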
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
index 9a1db5f..a9f4247 100644
--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@@ -211,9 +211,10 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp,
  * @param p: reply one. The reply has rrset data pointers in region.
  * 	Does not check rrset-IDs
  * @param q: reply two
+ * @param buf: scratch buffer.
  * @return if one and two are equal.
  */
-int reply_equal(struct reply_info* p, struct reply_info* q);
+int reply_equal(struct reply_info* p, struct reply_info* q, ldns_buffer* buf);
 
 /**
  * Store in-zone glue in seperate rrset cache entries for later last-resort
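Review bot: The new parameter is documented as `@param buf: scratch buffer.` and declared as `buf`, while the definition in iter_utils.c names it `scratch`; use one name in both places (`scratch` is the more descriptive) so the doc matches the code. A sentence on what the buffer is used for — temporary space for the canonical rr-list comparison fallback — would tell callers what size it needs; the hunk does not show the conversion's size needs, so confirm before writing that.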
@@ -257,4 +258,11 @@ int iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
 void iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns,
 	uint8_t* z);
 
+/**
+ * Remove query attempts from all available ips. For 0x20.
+ * @param dp: delegpt.
+ * @param d: decrease.
+ */
+void iter_dec_attempts(struct delegpt* dp, int d);
+
 #endif /* ITERATOR_ITER_UTILS_H */
diff --git a/iterator/iterator.c b/iterator/iterator.c
index c7cdbc8..b1a948d 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1416,6 +1416,9 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 				"match for %d wanted, done.", 
 				(int)iq->caps_server+1, (int)naddr*3);
 			iq->caps_fallback = 0;
+			iter_dec_attempts(iq->dp, 3); /* space for fallback */
+			iq->num_current_queries++; /* RespState decrements it*/
+			iq->referral_count++; /* make sure we don't loop */
 			iq->state = QUERY_RESP_STATE;
 			return 1;
 		}
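Review bot: The literal `3` in `iter_dec_attempts(iq->dp, 3)` is the same per-address try count as the `naddr*3` in the log message above it, but the coupling is only recoverable from the `/* space for fallback */` comment; a named constant near the top of the file, e.g. `enum { CAPS_FALLBACK_TRIES = 3 };` (constructed name), used in both places would make it explicit. The comment `/* RespState decrements it*/` is missing a space before `*/`. processQueryTargets starts and ends outside the hunk.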
@@ -2384,7 +2387,8 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 			goto handle_it;
 		} else {
 			/* check if reply is the same, otherwise, fail */
-			if(!reply_equal(iq->response->rep, iq->caps_reply)) {
+			if(!reply_equal(iq->response->rep, iq->caps_reply,
+				qstate->env->scratch_buffer)) {
 				verbose(VERB_DETAIL, "Capsforid fallback: "
 					"getting different replies, failed");
 				outbound_list_remove(&iq->outlist, outbound);


Index: unbound.conf
===================================================================
RCS file: /cvs/extras/rpms/unbound/F-11/unbound.conf,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -r1.8 -r1.9
--- unbound.conf	14 Jan 2009 14:57:11 -0000	1.8
+++ unbound.conf	1 Jun 2010 16:45:51 -0000	1.9
@@ -10,15 +10,6 @@
 server:
 	# whitespace is not necessary, but looks cleaner.
 
-	# To enable DNSSEC trust anchors, install the dnssec-keys package and
-	# uncomment the line below, or run dnssec-configure -h for more options
-	# trusted-keys-file: "/etc/pki/dnssec/production.conf"
-
-	# To enable DLV trust anchor with DLV, install the dnssec-keys package
-	# and uncomment the line below, or run dnssec-configure -h for more
-	# options
-	# dlv-anchor-file: "/etc/pki/dnssec-keys/dlv/dlv.isc.org.key"
-
 	# verbosity number, 0 is least verbose. 1 is default.
 	verbosity: 1
 
@@ -87,7 +78,15 @@ server:
 
 	# number of incoming simultaneous tcp buffers to hold per thread.
 	# incoming-num-tcp: 10
-	
+
+	# buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
+	# 0 is system default.  Use 4m to catch query spikes for busy servers.
+	# so-rcvbuf: 0
+
+	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+	# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
+	# edns-buffer-size: 4096
+       
 	# buffer size for handling DNS data. No messages larger than this
 	# size can be sent or received, by UDP or TCP. In bytes.
 	# msg-buffer-size: 65552
@@ -115,7 +114,11 @@ server:
 	# the number of slabs must be a power of 2.
 	# more slabs reduce lock contention, but fragment memory usage.
 	# rrset-cache-slabs: 4
-	
+
+	# the time to live (TTL) value lower bound, in seconds. Default 0.
+	# If more than an hour could easily give trouble due to stale data.
+	# cache-min-ttl: 0
+
 	# the time to live (TTL) value cap for RRsets and messages in the
 	# cache. Items are not cached for longer. In seconds.
 	# cache-max-ttl: 86400
@@ -208,6 +211,9 @@ server:
 	# log to, with identity "unbound". If yes, it overrides the logfile.
 	# use-syslog: yes 
 
+	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
+	log-time-ascii: yes
+
 	# the pid file. Can be an absolute path outside of chroot/work dir.
 	pidfile: "/var/run/unbound/unbound.pid"
 	
@@ -293,21 +299,32 @@ server:
 	# if yes, the above default do-not-query-address entries are present.
 	# if no, localhost can be queried (for testing and debugging).
 	# do-not-query-localhost: yes
-	
+
+	# if yes, perform prefetching of almost expired message cache entries.
+	prefetch: yes
+
+	# if yes, perform key lookups adjacent to normal lookups.
+	prefetch-key: yes
+
 	# module configuration of the server. A string with identifiers
 	# separated by spaces. "iterator" or "validator iterator"
 	# module-config: "validator iterator"
 	
 	# File with DLV trusted keys. Same format as trust-anchor-file.
 	# There can be only one DLV configured, it is trusted from root down.
-	# Download https://secure.isc.org/ops/dlv/dlv.isc.org.key
-	# dlv-anchor-file: "/etc/pki/dnssec-keys/dlv.isc.org.key"
+	# Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
+	dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
 
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry.
 	# Zone file format, with DS and DNSKEY entries.
 	# trust-anchor-file: ""
 
+	# File with trusted keys, kept uptodate using RFC5011 probes,
+	# initial file like trust-anchor-file, then it stores metadata.
+	# Use several entries, one per domain name, to track multiple zones.
+	# auto-trust-anchor-file: ""
+
 	# Trusted key for validation. DS or DNSKEY. specify the RR on a
 	# single line, surrounded by "". TTL is ignored. class is IN default.
 	# (These examples are from August 2007 and may not be valid anymore).
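Review bot: `dlv-anchor-file` is switched on with a statically shipped copy of the DLV key, while the adjacent new comment describes `auto-trust-anchor-file` as the RFC 5011-tracked option; if the DLV anchor is indeed not auto-updated, a key rollover at isc.org requires a package update, and a stale anchor could make DLV-covered names fail validation. That operational dependency deserves a comment next to the setting, e.g. `# static copy: refreshed only by package updates, not RFC5011`. Whether the DLV anchor is RFC 5011-tracked is inferred from these comments alone — confirm against unbound.conf(5).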
@@ -319,7 +336,10 @@ server:
 	# but has a different file format. Format is BIND-9 style format, 
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# trusted-keys-file: ""
-	
+
+	# Ignore chain of trust. Domain is treated as insecure.
+	# domain-insecure: "example.com"
+
 	# Override the date for validation with a specific fixed date.
 	# Do not set this unless you are debugging signature inception
 	# and expiration. "" or "0" turns the feature off. 
@@ -328,7 +348,13 @@ server:
 	# The time to live for bogus data, rrsets and messages. This avoids
 	# some of the revalidation, until the time interval expires. in secs.
 	# val-bogus-ttl: 60
-	
+
+	# The signature inception and expiration dates are allowed to be off
+	# by 10% of the lifetime of the signature from our local clock.
+	# This leeway is capped with a minimum and a maximum.  In seconds.
+	# val-sig-skew-min: 3600
+	# val-sig-skew-max: 86400
+
 	# Should additional section of secure message also be kept clean of
 	# unsecure data. Useful to shield the users of this validator from
 	# potential bogus data in the additional section. All unsigned data 
@@ -342,6 +368,10 @@ server:
 	# replies if the message is found secure. The default is off.
 	# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
 	val-permissive-mode: no
+
+	# Have the validator log failed validations for your diagnosis.
+	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+	val-log-level: 1
 	
 	# It is possible to configure NSEC3 maximum iteration counts per
 	# keysize. Keep this table very short, as linear search is done.
@@ -349,6 +379,16 @@ server:
 	# List in ascending order the keysize and count values.
 	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
 
+	# instruct the auto-trust-anchor-file probing to add anchors after ttl.
+	# add-holddown: 2592000 # 30 days
+
+	# instruct the auto-trust-anchor-file probing to del anchors after ttl.
+	# del-holddown: 2592000 # 30 days
+
+	# auto-trust-anchor-file probing removes missing anchors after ttl.
+	# If the value 0 is given, missing anchors are not removed.
+	# keep-missing: 31622400 # 366 days
+
 	# the amount of memory to use for the key cache.
 	# plain value in bytes or you can append k, m or G. default is "4Mb". 
 	# key-cache-size: 4m
@@ -368,7 +408,7 @@ server:
 	# o deny serves local data (if any), else, drops queries. 
 	# o refuse serves local data (if any), else, replies with error.
 	# o static serves local data, else, nxdomain or nodata answer.
-	# o transparent serves local data, else, resolves normally .
+	# o transparent serves local data, but resolves normally for other names
 	# o redirect serves the zone data for any subdomain in the zone.
 	# o nodefault can be used to normally resolve AS112 zones.
 	#
@@ -397,6 +437,15 @@ server:
 	# you need to do the reverse notation yourself.
 	# local-data-ptr: "192.0.2.3 www.example.com"
 
+## Python config section. To enable:
+## o use --with-pythonmodule to configure before compiling.
+## o list python in the module-config string (above) to enable.
+## o and give a python-script to run.
+#python:
+#	# Script file to load
+#	# python-script: "/etc/unbound/ubmodule-tst.py"
+
+
 # Remote control config section. 
 remote-control:
 	# Enable remote control with unbound-control(8) here.


Index: unbound.init
===================================================================
RCS file: /cvs/extras/rpms/unbound/F-11/unbound.init,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- unbound.init	9 Mar 2009 20:36:02 -0000	1.7
+++ unbound.init	1 Jun 2010 16:45:51 -0000	1.8
@@ -11,6 +11,8 @@
 # Provides: unbound
 # Required-Start: $network $local_fs
 # Required-Stop: $network $local_fs
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
 # Should-Start: $syslog
 # Should-Stop: $syslog
 # Short-Description: unbound recursive Domain Name Server.
@@ -46,9 +48,19 @@ start() {
     then
 	echo -n $"Generating unbound control key and certificate: "
 	/usr/sbin/unbound-control-setup -d /etc/unbound/ > /dev/null 2> /dev/null
+	chgrp unbound /etc/unbound/unbound_*key /etc/unbound/unbound_*pem
 	[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && \
 	    [ -x /sbin/restorecon ] && /sbin/restorecon /etc/unbound/*
 	echo
+    else
+	# old init script created these as root instead of unbound.
+	if [ -G /etc/unbound/unbound_control.key ]
+	then
+	    chgrp unbound /etc/unbound/unbound_*key /etc/unbound/unbound_*pem
+	    [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && \
+		[ -x /sbin/restorecon ] && /sbin/restorecon /etc/unbound/*
+	    echo
+	fi
     fi
 
     echo -n $"Starting unbound: "
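Review bot: The added `chgrp` runs whether or not `unbound-control-setup` succeeded — its exit status is discarded along with its output — so on failure the unexpanded globs produce a chgrp error instead of a message about the real problem; guarding it with `if /usr/sbin/unbound-control-setup -d /etc/unbound/ > /dev/null 2>&1; then` … `fi` fixes that. The `else` branch repeats the chgrp and both selinuxenabled/restorecon lines verbatim, which a small shell function would keep in one place, and its `[ -G ... ]` test inspects only `unbound_control.key` while the chgrp touches four files, which is fine only if they always move together. On least privilege, the daemon presumably needs group access to `unbound_server.key` and the certificates but not to the client-side `unbound_control.key`; if that holds (check daemon/remote.c), the glob `unbound_*key` grants more than needed. start() begins and ends outside the hunk.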


Index: unbound.spec
===================================================================
RCS file: /cvs/extras/rpms/unbound/F-11/unbound.spec,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -p -r1.26 -r1.27
--- unbound.spec	9 Oct 2009 03:06:30 -0000	1.26
+++ unbound.spec	1 Jun 2010 16:45:51 -0000	1.27
@@ -1,26 +1,57 @@
+# not ready yet
+%{?!with_python:      %global with_python      0}
+
+%if %{with_python}
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+%endif
+
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.3.4
-Release: 2%{?dist}
+Version: 1.4.4
+Release: 1%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
 Source1: unbound.init
 Source2: unbound.conf
 Source3: unbound.munin
+Source4: dlv.isc.org.key
+Patch1: unbound-1.2-glob.patch
+Patch2: unbound-1.4.4-c2baa7.patch
+Patch3: unbound-1.4.4-40d18f.patch
+Patch4: unbound-1.4.4-7f27d6.patch
+Patch5: unbound-1.4.4-74d75e.patch
+Patch6: unbound-1.4.4-374822.patch
+Patch7: unbound-1.4.4-00f12c.patch
+Patch8: unbound-1.4.4-41b631.patch
+Patch9: unbound-1.4.4-5f58ed.patch
+Patch10: unbound-1.4.4-d7ef7b.patch
+Patch11: unbound-1.4.4-778d4a.patch
+Patch12: unbound-1.4.4-5e989a.patch
+Patch13: unbound-1.4.4-a6f07b.patch
+Patch14: unbound-1.4.4-28093c.patch
+
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: flex, openssl-devel >= 0.9.8g-12, ldns-devel >= 1.5.0, 
-BuildRequires: libevent-devel >= 1.4.5
+BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0, 
+BuildRequires: libevent-devel 
+%if %{with_python}
+BuildRequires:  python-devel swig
+%endif
+# Required for SVN versions
+#BuildRequires: bison
+
+
 Requires(post): chkconfig
 Requires(preun): chkconfig
 Requires(preun): initscripts
 Requires(postun): initscripts
-Requires: ldns >= 1.5.0, dnssec-conf >= 1.19
+Requires: ldns >= 1.5.0
 Requires(pre): shadow-utils
-Requires: dnssec-conf
-# Is this obsolete?
-#Provides: caching-nameserver
+
+Obsoletes:      dnssec-conf < 1.27-2
+Provides:       dnssec-conf = 1.27-1
 
 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
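Review bot: The rewritten `BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0, ` and `BuildRequires: libevent-devel ` carry a stray space before a comma and trailing whitespace; `BuildRequires: flex, openssl-devel, ldns-devel >= 1.5.0` and `BuildRequires: libevent-devel` read cleaner. The `Provides: dnssec-conf = 1.27-1` version lies inside the `Obsoletes: dnssec-conf < 1.27-2` range; the usual pairing provides the same version as the Obsoletes bound, so if this is deliberate a comment would save the next packager a question. Dropping the version floors on openssl-devel and libevent-devel presumably reflects what this release ships — confirm.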
@@ -60,15 +91,44 @@ Requires: openssl >= 0.9.8g-12
 %description libs
 Contains libraries used by the unbound server and client applications
 
+%if %{with_python}
+%package python
+Summary: Python modules and extensions for unbound
+Group: Applications/System
+Requires: %{name}-libs = %{version}-%{release}
+
+%description python
+Python modules and extensions for unbound
+%endif
+
 %prep
 %setup -q 
+%patch1 -p1
+# svn/git patches
+%patch2 -p1
+%patch4 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch3 -p1
+%patch5 -p1
 
 %build
 %configure  --with-ldns= --with-libevent --with-pthreads --with-ssl \
             --disable-rpath --enable-debug --disable-static \
             --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
-            --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid
-%{__make} CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE" QUIET=no %{?_smp_mflags}
+            --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
+%if %{with_python}
+            --with-pythonmodule --with-pyunbound \
+%endif
+            --enable-sha2
+%{__make} %{?_smp_mflags}
 
 %install
 rm -rf %{buildroot}
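Review bot: `%patch3 -p1` and `%patch5 -p1` are applied after `%patch14`, out of numeric order, with nothing saying why; if the order is required (presumably they touch hunks that later-numbered patches create), a one-line comment such as `# 40d18f and 74d75e applied last: <reason placeholder>` keeps the next packager from "fixing" it. The `# svn/git patches` comment covers only the numeric run above it.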
@@ -85,8 +145,14 @@ for plugin in unbound_munin_hits unbound
     ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
 done 
 
+# install DLV key
+install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/unbound/
+
 # remove static library from install (fedora packaging guidelines)
 rm -rf %{buildroot}%{_libdir}/*.la
+%if %{with_python}
+rm -rf %{buildroot}%{python_sitelib}/*/*.la
+%endif
 
 mkdir -p %{buildroot}%{_localstatedir}/run/unbound
 
@@ -100,9 +166,15 @@ rm -rf ${RPM_BUILD_ROOT}
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
 %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
 %{_sbindir}/*
 %{_mandir}/*/*
 
+%if %{with_python}
+%files python
+%{python_sitelib}/*
+%endif
+
 %files munin
 %defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
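Review bot: `%config(noreplace)` on `dlv.isc.org.key` means a locally edited copy of the trust anchor is never replaced on upgrade, so a DLV key rollover shipped by the package could leave such hosts with a stale anchor and failing validation for DLV-covered names; a trust anchor is not site configuration, so plain `%config` (or an unmarked file) is the safer attribute. Whether a stale anchor produces validation failures rather than a start-up error is inferred, not shown by the hunk — confirm before choosing the wording.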
@@ -128,15 +200,11 @@ exit 0
 
 %post
 /sbin/chkconfig --add %{name}
-# Check DNSSEC settings if this is a fresh install
-if [ "$1" -eq 1 ]; then
-  if [ -r /etc/sysconfig/dnssec ]; then
-    . /etc/sysconfig/dnssec
-    [ -x /usr/sbin/dnssec-configure ] && \
-      dnssec-configure -u --norestart --nocheck --dnssec="$DNSSEC" --dlv="$DLV" > \
-        /dev/null 2>&1
-  fi;
-fi
+# dnssec-conf used to contain our DLV key, but now we include it via unbound
+# If unbound had previously been configured with dnssec-configure, we need
+# to migrate the location of the DLV key file (to keep DLV enabled, and because
+# unbound won't start with a bad location for a DLV key file.
+sed -i "s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:" %{_sysconfdir}/unbound/unbound.conf
 
 %post libs -p /sbin/ldconfig
 
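Review bot: The migration regex `s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:` mangles the other legacy path this same commit removes from unbound.conf, `/etc/pki/dnssec-keys/dlv.isc.org.key`: `[/]*dlv` consumes the slash and the `dlv` of the file name, producing `/etc/unbound.isc.org.key`, which the comment above says will stop unbound from starting. Anchoring on the directory handles both old layouts: `sed -i "s:/etc/pki/dnssec-keys\(/dlv\)\?/:/etc/unbound/:" %{_sysconfdir}/unbound/unbound.conf` (the `\?` is a GNU sed extension, fine on Fedora). The comment's parenthesis at `(to keep DLV enabled` is never closed.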
@@ -154,6 +222,11 @@ fi
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Tue Jun  1 2010 Paul Wouters <paul at xelerance.com> - 1.4.4-1
+- Upgraded to 1.4.4 with svn patches
+- Updated unbound.conf config file
+- Obsolete dnssec-conf to ensure it is de-installed
+
 * Thu Oct 08 2009 Paul Wouters <paul at xelerance.com> - 1.3.4-2
 - Long neglected update
 


